Commit graph

994 commits

Author SHA1 Message Date
Steven Hawkins
4697cc956b
further refinement of context handling (#28182)
* fully removing providers and moving the keycloaksession creation / final
cleanup

also deprecated Resteasy utility methods

closes: #29223

Signed-off-by: Steve Hawkins <shawkins@redhat.com>

Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-05-02 11:21:01 -04:00
Stefan Guilhen
45e5e6cbbf Introduce filtered (and paginated) search for organization members
Closes #28844

Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2024-05-02 11:25:43 -03:00
Patrick Jennings
64824bb77f
Client type service account default type (#29037)
* Adding additional non-applicable client fields to the default service-account client type configuration.

Signed-off-by: Patrick Jennings <pajennin@redhat.com>

* Creating TypedClientAttribute which maps clientmodel fields to standard client type configurations.

Adding overrides for fields in TypeAwareClientModelDelegate required for
service-account client type.

Signed-off-by: Patrick Jennings <pajennin@redhat.com>

* Splitting client type attribute enum into 3 separate enums, representing
the top level ClientModel fields, the extended attributes through the
client_attributes table, and the composable fields on
ClientRepresentation.

Signed-off-by: Patrick Jennings <pajennin@redhat.com>

* Removing reflection use for client types.

Validation will be done in the RepresentationToModel methods that are responsible for the ClientRepresentation -> ClientModel create and update static methods.

Signed-off-by: Patrick Jennings <pajennin@redhat.com>

More updates

Signed-off-by: Patrick Jennings <pajennin@redhat.com>

* Update client utilzes type aware client property update method.

Signed-off-by: Patrick Jennings <pajennin@redhat.com>

* If user inputted representation object does not contain non-null value, try to get property value from the client. Type aware client model will return non-applicable or default value to keep fields consistent.

Signed-off-by: Patrick Jennings <pajennin@redhat.com>

* Cleaning up RepresentationToModel

Signed-off-by: Patrick Jennings <pajennin@redhat.com>

* Fixing issue when updating client secret.

Signed-off-by: Patrick Jennings <pajennin@redhat.com>

* Fixing issue where created clients would not have fullscope allowed, because getter is a boolean and so cannot be null.

Signed-off-by: Patrick Jennings <pajennin@redhat.com>

* Need to be able to clear out client attributes on update as was allowed before and causing failures in integration tests.

Signed-off-by: Patrick Jennings <pajennin@redhat.com>

* Fixing issues with redirectUri and weborigins defaults in type aware clients.

Signed-off-by: Patrick Jennings <pajennin@redhat.com>

* Need to allow client attributes the ability to clear out values during update.

Signed-off-by: Patrick Jennings <pajennin@redhat.com>

* Renaming interface based on PR feedback.

Signed-off-by: Patrick Jennings <pajennin@redhat.com>

* Shall be able to override URI sets with an empty set.

Signed-off-by: Patrick Jennings <pajennin@redhat.com>

* Comments around fields that are primitive and may cause problems determining whether to set sane default on create.

Signed-off-by: Patrick Jennings <pajennin@redhat.com>

---------

Signed-off-by: Patrick Jennings <pajennin@redhat.com>
2024-05-02 12:22:02 +02:00
Pedro Igor
51352622aa Allow adding realm users as an organization member
Closes #29023

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-04-29 08:37:47 -03:00
Stefan Guilhen
d34e700fef Update server-spi-private/src/main/java/org/keycloak/organization/OrganizationProvider.java
Co-authored-by: Vlasta Ramik <vramik@users.noreply.github.com>
2024-04-25 12:38:20 -03:00
Stefan Guilhen
bfabc291cc 28843 - Introduce filtered (and paginated) searches for organizations
Closes #28843

Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2024-04-25 12:38:20 -03:00
mposolda
337a337bf9 Grant urn:ietf:params:oauth:grant-type:pre-authorized_code was enabled even if oid4vc_vci feature is disabled
closes #28968

Signed-off-by: mposolda <mposolda@gmail.com>
2024-04-22 18:31:46 +02:00
Tero Saarni
64862d568e Convert database errors to 500 instead of 400.
Signed-off-by: Tero Saarni <tero.saarni@est.tech>
2024-04-22 11:42:18 -03:00
Lex Cao
7e034dbbe0
Add IdpConfirmOverrideLinkAuthenticator to handle duplicate federated identity (#26393)
Closes #26201.

Signed-off-by: Lex Cao <lexcao@foxmail.com>


Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com>
2024-04-22 11:30:14 +02:00
Pedro Ruivo
3de5357091 CLI options to disable encryption and authentication to external Infinispan
Closes #28750

Signed-off-by: Pedro Ruivo <pruivo@redhat.com>
2024-04-20 18:30:24 +02:00
etiksouma
1afd20e4c3 return proper error message for admin users endpoint
closes #28416

Signed-off-by: etiksouma <al@mouskite.com>
2024-04-20 12:17:53 +02:00
Pedro Ruivo
3e0a185070 Remove deprecated EnvironmentDependentProviderFactory.isSupported method
Closes #26280

Signed-off-by: Pedro Ruivo <pruivo@redhat.com>
2024-04-19 16:36:49 +02:00
mposolda
c427e65354 Secondary factor bypass in step-up authentication
closes #34

Signed-off-by: mposolda <mposolda@gmail.com>
(cherry picked from commit e632c03ec4dbfbb7c74c65b0627027390b2e605d)
2024-04-19 14:43:53 +02:00
Thomas Darimont
68617180a2 Show indicator for transient user in user sessions list in admin ui (28879)
For transient users a transient label is now shown in the realm sessions and client sessions list in the admin ui.

Fixes #28879

Co-authored-by: Thomas Darimont <thomas.darimont@googlemail.com>
Co-authored-by: Hynek Mlnařík <hmlnarik@users.noreply.github.com>
Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
2024-04-19 09:48:41 +02:00
Joerg Matysiak
76a5a27082 Refactored StripSecretsUtils in order to make it unit-testable, added unit tests for it
Don't mask secrets at realm export

Closes #21562

Signed-off-by: Joerg Matysiak <joerg.matysiak@bosch.com>
2024-04-18 18:26:47 -03:00
Pedro Igor
7483bae130 Make sure admin events are not referencing sensitive data from their representation
Closes #21562

Signed-off-by: Joerg Matysiak <joerg.matysiak@bosch.com>
2024-04-18 18:26:47 -03:00
Pedro Igor
1e3837421e Organization member onboarding using the organization identity provider
Closes #28273

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-04-17 07:24:01 -03:00
Christopher Miles
1646315939 Deny list lower cases all passwords when loading from file
Closes #28381

We always lower case the inbound password before comparing against the deny list
yet the deny list may contain passwords that contain upper case letters. With
this change we will now convert passwords from the deny list into lower case
while loading, ensuring that more passwords match the deny list.

Signed-off-by: Christopher Miles <twitch@nervestaple.com>
2024-04-15 08:49:37 +02:00
Pedro Igor
61b1eec504 Prevent members with an email other than the domain set to an organization
Closes #28644

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-04-12 08:33:18 -03:00
rmartinc
6d74e6b289 Escape slashes in full group path representation but disabled by default
Closes #23900

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-04-12 10:53:39 +02:00
Giuseppe Graziano
33b747286e Changed userId value for refresh token events
Closes #28567

Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
2024-04-11 07:46:44 +02:00
Stefan Guilhen
9a466f90ab Add ability to set one or more internet domain to an organization.
Closed #28274

Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2024-04-10 13:18:12 -03:00
vramik
00ce3e34bd Manage a single identity provider for an organization
Closes #28272

Signed-off-by: vramik <vramik@redhat.com>
2024-04-10 09:47:51 -03:00
rmartinc
41b706bb6a Initial security profile SPI to integrate default client policies
Closes #27189

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-04-10 11:19:56 +02:00
mposolda
aa619f0170 Redirect error to client right-away when browser tab detects that another browser tab authenticated
closes #27880

Signed-off-by: mposolda <mposolda@gmail.com>
2024-04-09 17:59:34 +02:00
Stian Thorgersen
a499512f35
Set SameSite for all cookies (#28467)
Closes #28465

Signed-off-by: stianst <stianst@gmail.com>
2024-04-09 12:29:19 +02:00
vibrown
3fffc5182e Added ClientType implementation from Marek's prototype
Signed-off-by: vibrown <vibrown@redhat.com>

More updates

Signed-off-by: vibrown <vibrown@redhat.com>

Added client type logic from Marek's prototype

Signed-off-by: vibrown <vibrown@redhat.com>

updates

Signed-off-by: vibrown <vibrown@redhat.com>

updates

Signed-off-by: vibrown <vibrown@redhat.com>

updates

Signed-off-by: vibrown <vibrown@redhat.com>

Testing to see if skipRestart was cause of test failures in MR
2024-04-08 20:20:37 +02:00
Pedro Igor
52ba9b4b7f Make sure attribute metadata from user storage providers are added only for the provider associated with a federated user
Closes #28248

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-04-08 09:05:16 -03:00
rmartinc
2b769e5129 Better management of the CSP header
Closes https://github.com/keycloak/keycloak/issues/24568

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-04-08 08:19:57 +02:00
Gilvan Filho
96db7e3154 fix NotContainsUsernamePasswordPolicyProvider: reversed check
closes #28389

Signed-off-by: Gilvan Filho <gfilho@redhat.com>
2024-04-05 10:39:07 -03:00
Pedro Igor
8fb6d43e07 Do not export ids when exporting authorization settings
Closes #25975

Co-authored-by: 박시준 <sjpark@logblack.com>
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-04-04 19:26:03 +02:00
Marek Posolda
335a10fead
Handle 'You are already logged in' for expired authentication sessions (#27793)
closes #24112

Signed-off-by: mposolda <mposolda@gmail.com>
2024-04-04 10:41:03 +02:00
Hynek Mlnarik
8ef3423f4a Present effective sync mode value
When sync mode value is missing in the config of newly created identity
provider, the provider does not store any. When no value is
found, the identity provider behaves as if `LEGACY` was used (#6705).

This PR ensures the correct sync mode is returned from the REST endpoint,
regardless of whether it has been stored in the database or not.

Fixes: #26019

Signed-off-by: Hynek Mlnarik <hmlnarik@redhat.com>
2024-04-03 15:49:18 +02:00
Pedro Igor
fefeb83588 Changes the contract to make it simpler and rely on the realm available from the current session
Closes #28403

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-04-03 14:45:31 +02:00
Garth
91a6fda69c
removed deprecated annotations from ClusterProvider
Closes #27515

Signed-off-by: Garth <244253+xgp@users.noreply.github.com>
2024-04-02 20:10:46 +02:00
Giuseppe Graziano
fe06df67c2 New default client scope for 'basic' claims with 'auth_time' protocol mapper
Closes #27623

Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
2024-04-02 08:44:28 +02:00
Alexander Schwartz
c580c88c93
Persist online sessions to the database (#27977)
Adding two feature toggles for new code paths to store online sessions in the existing offline sessions table. Separate the code which is due to be changed in the next iteration in new classes/providers which used instead of the old one.

Closes #27976

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Signed-off-by: Michal Hajas <mhajas@redhat.com>
Co-authored-by: Michal Hajas <mhajas@redhat.com>
2024-03-28 09:17:07 +01:00
Gilvan Filho
757c524cc5 Password policy for not having username in the password
closes #27643

Signed-off-by: Gilvan Filho <gfilho@redhat.com>
2024-03-28 08:29:03 +01:00
Lex Cao
a53cacc0a7 Fire logout event when logout other sessions (#26658)
Closes #26658

Signed-off-by: Lex Cao <lexcao@foxmail.com>
2024-03-27 11:13:48 +01:00
Steven Hawkins
be32f8b1bf
fix: limit the use of Resteasy to the KeycloakSession (#28150)
* fix: limit the use of Resteasy to the KeycloakSession

contextualizes other state to the KeycloakSession

close: #28152
2024-03-26 13:43:41 -04:00
Stian Thorgersen
8cbd39083e
Default password hashing algorithm should be set to default password hash provider (#28128)
Closes #28120

Signed-off-by: stianst <stianst@gmail.com>
2024-03-22 12:44:11 +01:00
Stian Thorgersen
cae92cbe8c
Argon2 password hashing provider (#28031)
Closes #28030

Signed-off-by: stianst <stianst@gmail.com>
2024-03-22 07:08:09 +01:00
Pedro Igor
32541f19a3 Allow managing members for an organization
Closes #27934

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-03-21 10:26:30 -03:00
Pedro Igor
7fc2269ba5 The bare minimum implementation for organization
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>

Co-authored-by: vramik <vramik@redhat.com>
2024-03-15 11:06:43 -03:00
Alexander Schwartz
6de5325d1c Limit the received content when handling the content as a String
Closes #27293

Co-authored-by: rmartinc <rmartinc@redhat.com>
Signed-off-by: rmartinc <rmartinc@redhat.com>
Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
2024-03-13 16:43:03 +01:00
Pedro Igor
9ad447390a Only remove attributes with empty values when updating user profile
Closes #27797

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-03-13 15:03:08 +01:00
vramik
a81d6bb618 Organizations SPI
Closes #27829

Signed-off-by: vramik <vramik@redhat.com>
2024-03-13 10:57:02 -03:00
Steve Hawkins
4091baf4c2 fix: accounting for the possibility of null flows from existing realms
closes: #23980

Signed-off-by: Steve Hawkins <shawkins@redhat.com>
2024-03-08 14:25:23 +01:00
rmartinc
ea4155bbcd Remove recursively when deleting an authentication executor
Closes #24795

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-03-07 14:43:23 +01:00
Alexander Schwartz
595959398b
Instead of an InputStream that doesn't know about its encoding, use a String
Closes #20916

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
2024-03-07 10:24:36 +00:00