Commit graph

4188 commits

Author SHA1 Message Date
Daniel Fesenmeyer
dd37e02140 Improve logging in case of OIDC Identity provider errors:
- log the full Redirection URL, when it contains an error parameter, or does not contain the state or code parameter
- log the token endpoint URL (without - possibly confidential - params) and the response body, when the token endpoint does not return a success response

Closes #23690
2023-10-06 19:03:41 +02:00
mposolda
cdb61215c9 UserProfileContext.ACCOUNT_OLD seems to be obsolete and not needed
closes #23749
2023-10-06 11:27:48 -03:00
Pedro Igor
290bee0787
Resolve several usability issues around User Profile (#23537)
Closes #23507, #23584, #23740, #23774

Co-authored-by: Jon Koops <jonkoops@gmail.com>
2023-10-06 10:15:39 -03:00
rmartinc
890600c33c Remove backward compatibility for ECDSA tokens
Closes https://github.com/keycloak/keycloak/issues/23734
2023-10-06 14:24:48 +02:00
Garth
2dfbbff343
added AccountResource SPI, Provider and ProviderFactory. (#22317)
Added AccountResource SPI, Provider and ProviderFactory. updated AccountLoader to load provider(s) and check if it is compatible with the chosen theme.
2023-10-05 15:08:01 +02:00
Justin Tay
55751a0830 Fix client assertion with invalid ES256, ES384, ES512 signatures
Closes #23721
2023-10-05 13:07:52 +02:00
Steve Hawkins
fb69936f14 Aligns the logic in the welcome resources
as a result the quarkus one can be removed

closes keycloak#23243
2023-09-28 19:33:12 -03:00
Jon Koops
1b6cb7b2a9
Always check storage access before placing test cookie (#23393) 2023-09-27 13:38:53 +02:00
Lucas Hedding
de5aa2e74d
Add createTimestamp to REST service (#23293)
Closes #14009
2023-09-27 13:38:16 +02:00
rmartinc
10c1e3ba6d Client roles should be mapped to any claim name
Closes https://github.com/keycloak/keycloak/issues/22349
2023-09-27 08:11:22 -03:00
rmartinc
d90640b5a3 Change email checkserveridentity prop as angus mail sets it to true by default
Closes https://github.com/keycloak/keycloak/issues/22395
2023-09-26 09:11:16 +02:00
Maria Arias de Reyna
c15753266f fix(Closes #21236): Adding client-id to logout event 2023-09-25 13:20:26 +02:00
Pedro Igor
741f76887c Allow updating email when email as username is set and edit username disabed
#23438
2023-09-25 08:19:01 -03:00
Michal Hajas
496c5ad989 Use new findGroupByPath implementation and remove the old one
Closes #23344

Signed-off-by: Michal Hajas <mhajas@redhat.com>
2023-09-25 10:44:24 +02:00
Justin Tay
7d3104ee76 Allow public clients to use PAR endpoint
Closes #8939
2023-09-21 13:57:42 +02:00
rmartinc
082b0ed308 verifyRedirectUri should return null when the passed redirectUri is invalid
Closes https://github.com/keycloak/keycloak/issues/22778
2023-09-21 08:19:00 +02:00
rmartinc
f8a9e0134a Ensure that the EncryptedKey is passed to the DecryptionKeyLocator for SAML
Closes https://github.com/keycloak/keycloak/issues/22974
2023-09-20 15:09:18 +02:00
Jon Koops
e86bf1f0b2 Remove P3P header from authentication flow
Closes #23348
2023-09-19 08:50:33 -03:00
rmartinc
743bb696d9 Allow duplicated keys in advanced claim mappers
Closes https://github.com/keycloak/keycloak/issues/22638
2023-09-19 07:49:34 -03:00
Pedro Igor
217a09ce46 Switch to Resteasy Reactive
Closes #10713
2023-09-18 09:19:03 -03:00
Thomas Darimont
04d16ed170 Prevent NPE in AuthenticationManager.backchannelLogout (#23306)
Previously, if the user was already removed from the userSession
and the log level was set to DEBUG, then an NPE was triggered by
the debug log statement during backchannelLogout.

Fixes #23306
2023-09-18 08:16:51 +02:00
paul
f684a70048 KEYCLOAK-15985 Add Brute Force Detection Lockout Event 2023-09-15 10:32:07 -03:00
Pedro Igor
1442f14c45 Registration page not showing username when edit username is not enabled
Closes #23185
2023-09-14 07:32:39 -03:00
Justin Tay
658c0ef19f Send Client ID in token request with JWT Authentication
Closes #21444
2023-09-14 10:57:32 +02:00
Pedro Igor
5958c7948d
Ignore attributes when they are not prefixed with user.attributes prefix (#23184)
Co-authored-by: mposolda <mposolda@gmail.com>
Co-authored-by: stianst <stianst@gmail.com>
2023-09-14 10:35:47 +02:00
Daniel Fesenmeyer
a68ad55a37 Support to define compatible mappers for (new) Identity Providers
- Also allows to use existing mappers for custom Identity Providers without having to change those mappers

Closes #21154
2023-09-13 17:19:06 -03:00
Konstantinos Georgilakis
0044472f87 Add regex support in 'Condition - User attribute' execution
Closes #265
2023-09-13 08:36:45 +02:00
Erik Jan de Wit
0789d3c1cc
better features overview (#22641)
Closes #17733
2023-09-12 16:03:13 +02:00
Thomas Darimont
3908537254
Show expiration date for certificates in Admin Console (#23025)
Closes #17743
2023-09-12 07:56:09 -04:00
Marek Posolda
56b94148a0
Remove bearer-only occurences in the documentation when possible. Mak… (#23148)
closes #23066


Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com>
2023-09-12 09:38:19 +02:00
Erik Jan de Wit
c7dcef7af8
fixed permissions for locale fetch (#23078)
fixes: #23065
2023-09-11 15:00:40 -04:00
Adeel Ahmad
4f90124612 Print 'key' in ReadOnlyAttributeUnchangedValidator failure log message
This change is quite useful for debugging and helps identify which specific attribute makes the update fail. Currently, the full pattern is printed which consists of multiple attributes.
2023-09-11 10:45:08 -03:00
kaustubh-rh
62927433dc
Fix for Keycloak 22.0.1 unable to create user with long email address (#23109)
Closes #22825
2023-09-11 08:56:13 +02:00
rmartinc
7da52a43bd Add old LinkedIn provider to the deprecated profile
Closes https://github.com/keycloak/keycloak/issues/23067
2023-09-08 10:05:17 +02:00
Marek Posolda
506e2537ac
Registration flow fixed (#23064)
Closes #21514


Co-authored-by: Vilmos Nagy <vilmos.nagy@outlook.com>
Co-authored-by: Alexander Schwartz <aschwart@redhat.com>
Co-authored-by: Marek Posolda <mposolda@gmail.com>
2023-09-08 08:05:05 +02:00
Pedro Igor
bc31fde4c0 Broker claim mapper not recognizing claims from user info endpoint
Closes #12137
2023-09-07 16:34:45 +02:00
stianst
211c027adb Remove use of Guava in services
Closes #23009
2023-09-07 08:59:02 +02:00
Kaustubh B
5ee2ba9372 Added tests 2023-09-07 08:43:35 +02:00
Kaustubh B
c57e775102 Fixed Regex 2023-09-07 08:43:35 +02:00
rmartinc
8887be7887 Add a new identity provider for LinkedIn based on OIDC
Closes https://github.com/keycloak/keycloak/issues/22383
2023-09-06 16:13:31 +02:00
Pedro Igor
13e5a02b9f Role mappers must return a single value when they are not multivalued
Closes #20218
2023-08-31 19:16:12 +02:00
Pedro Igor
ea3225a6e1 Decoupling legacy and dynamic user profiles and exposing metadata from admin api
Closes #22532

Co-authored-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
2023-08-29 08:14:47 -03:00
Pedro Igor
b779df6a55 Parsing response from user info rather than the access token
Closes #22581
2023-08-29 12:23:56 +02:00
rmartinc
b67ede2a30 RedirectUtils needs to use KeycloakUriBuilder with no parameter parsing
Closes https://github.com/keycloak/keycloak/issues/22424
2023-08-17 09:11:08 +02:00
Erik Jan de Wit
b4650b7742
use logged in realm as default (#22460) 2023-08-16 14:29:07 -04:00
t0xicCode
822c13ff6f Switch Trusted Host policy redirect verification to URI
Switch parsing of the redirect URIs for the Trusted Host Client Registration Policy from URL to URI.
The java URL class tries to instantiate a handler for the scheme, which fails when a "custom" scheme, such as those used in phone apps is used.
In contrast, the URI class simply parses the string, ensuring the format is valid.
The other URLs (baseUrl, rootUrl, adminUrl) are still parsed as URLs.
See https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata for the Client Registration parameter documentation.

Closes #22309
2023-08-14 10:20:23 +02:00
Pedro Igor
baac060eb1 Fixing how e-mail attribute permissions are set for both USER_API and ACCOUNT contexts
Closes #21751
2023-08-11 13:32:16 +02:00
Erik Jan de Wit
874d2063b8
only add realm access to the current realm (#21554)
fixes: #21553
2023-08-10 12:43:15 +02:00
Takashi Norimatsu
258711ef4f DPoP verification in UserInfo endpoint
closes #22215
2023-08-07 10:49:33 +02:00
Takashi Norimatsu
9d0960d405 Using DPoP token type in the access-token and as token_type in introspection response
closes #21919
2023-08-07 10:40:18 +02:00