libre.sh/keycloak-scim
3
0
Fork 0
Code Issues 15 Pull requests Releases 1 Packages Activity Actions
23767 commits 4 branches 9 tags 483 MiB
Commit graph

4323 commits

Author SHA1 Message Date
mposolda
90bf88c540 Introduce ProtocolMapper.getEffectiveModel to make sure values displayed in the admin console UI are 'effective' values used when processing mappers 
closes #24718

Signed-off-by: mposolda <mposolda@gmail.com>

Co-authored-by: Jon Koops <jonkoops@gmail.com>
 2023-12-08 12:26:35 +01:00
saumeen prajapati
d829534237
Remove single quote from log string 
Closes #25060

Signed-off-by: saumeen prajapati <psaumeen@gmail.com>
 2023-12-07 20:08:07 +00:00
wojnarfilip
925c5572ad Re-enable Federated Access Token in user sessions 
Closes #25290

Signed-off-by: wojnarfilip <fwojnar@redhat.com>
 2023-12-07 19:55:20 +01:00
Vlasta Ramik
df465456b8
Map Store Removal: Remove LockObjectsForModification (#25323) 
Signed-off-by: vramik <vramik@redhat.com>

Closes #24793
 2023-12-07 12:43:43 +00:00
Fouad Almalki
0e535d2bbe Retrieve ClientConnection by invoking getConnection() instead of getContextObject() 
Signed-off-by: Fouad Almalki <me@fouad.io>
 2023-12-07 13:11:54 +01:00
Stefan Guilhen
7b63d6d500 Remove ResponseSessionTask 
- this was tightly related to retriable transactions added to map store and is no longer needed.

Closes #25309

Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
 2023-12-06 19:53:53 +01:00
Stefan Guilhen
8e918c2ebf Revert changes to OIDCIdentityProvider that enlisted the client logout requests in a separate transaction. 
Closes #25308

Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
 2023-12-06 19:47:04 +01:00
rmartinc
522e8d2887 Workaround to allow percent chars in getGroupByPath via PathSegment 
Closes #25111

Signed-off-by: rmartinc <rmartinc@redhat.com>
 2023-12-06 14:22:34 -03:00
rmartinc
d004e9295f Do not allow remove a credential in account endpoint if provider marks it as not removable 
Closes #25220

Signed-off-by: rmartinc <rmartinc@redhat.com>
 2023-12-05 17:11:57 +01:00
Michal Hajas
ec061e77ed
Remove GlobalLockProviderSpi (#25206) 
Closes #24103

Signed-off-by: Michal Hajas <mhajas@redhat.com>
 2023-12-01 16:40:56 +00:00
Ricardo Martin
3b26e5d489
Add active RSA key to decryption if deprecated mode (#25205) 
Closes https://github.com/keycloak/keycloak/issues/24652

Signed-off-by: rmartinc <rmartinc@redhat.com>
 2023-12-01 13:40:47 +00:00
mposolda
3fa2d155ca Decouple factory methods from the provider methods on UserProfileProvider implementation 
closes #25146

Signed-off-by: mposolda <mposolda@gmail.com>
 2023-12-01 10:30:57 -03:00
Pedro Igor
c7f63d5843 Add options to change behavior on how unmanaged attributes are managed 
Closes #24934

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
 2023-11-30 06:58:21 -03:00
Steven Hawkins
8c3df19722
feature: add option for creating a global truststore (#24473) 
closes #24148

Co-authored-by: Václav Muzikář <vaclav@muzikari.cz>
Co-authored-by: Martin Bartoš <mabartos@redhat.com>
 2023-11-30 08:57:17 +01:00
Douglas Palmer
d0b86d2f64 Register event not triggered on external to internal token exchange 
Closes #9684

Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
 2023-11-29 15:30:47 -03:00
mposolda
479e6bc86b Update Kerberos provider for user-profile 
closes #25074

Signed-off-by: mposolda <mposolda@gmail.com>
 2023-11-29 15:21:26 -03:00
rmartinc
16afecd6b4 Allow automatic download of SAML certificates in the identity provider 
Closes https://github.com/keycloak/keycloak/issues/24424

Signed-off-by: rmartinc <rmartinc@redhat.com>
 2023-11-29 18:03:31 +01:00
rmartinc
3bc028fe2d Remove lowercase for the hostname as recommended/advised by OAuth spec 
Closes https://github.com/keycloak/keycloak/issues/25001

Signed-off-by: rmartinc <rmartinc@redhat.com>
 2023-11-29 10:26:00 -03:00
rmartinc
b6cdcb3c27 Revert "Fix lowerCaseHostname to lower-case scheme and host properly" 
This reverts commit 1241bd2919.

Signed-off-by: rmartinc <rmartinc@redhat.com>
 2023-11-29 10:26:00 -03:00
Douglas Palmer
5ce41a462b NPE in HardcodedUserSessionAttributeMapper on Token Exchange 
Closes #11996

Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
 2023-11-29 09:35:49 -03:00
Douglas Palmer
7e78d29f8d NPE in User Session Note mapper on Token Exchange 
Closes #24200

Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
 2023-11-29 09:35:49 -03:00
hokuda
a83b9d11fa Fix typo in the balloon help of SAML Username Template Importer 
closes #25033

Signed-off-by: hokuda <hisanobu.okuda@gmail.com>
 2023-11-29 09:32:16 -03:00
Douglas Palmer
e99bd4aa3a External to Internal Token exchange fails with Null pointer Exception if the user is not yet registered (first time token exchange) 
Closes #16059

Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
 2023-11-29 09:16:14 -03:00
Michal Hajas
2b2207af93
Publish information about Infinispan availability in lb-check if MULTI_SITE is enabled 
Closes #25077

Signed-off-by: Michal Hajas <mhajas@redhat.com>
Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Co-authored-by: Pedro Ruivo <pruivo@redhat.com>
Co-authored-by: Alexander Schwartz <aschwart@redhat.com>
 2023-11-29 11:06:41 +00:00
Jon Koops
0b9dd21b0a
Attempt to request storage access for cookies (#25055) 
Closes #23872

Signed-off-by: Jon Koops <jonkoops@gmail.com>
 2023-11-27 18:23:40 +00:00
Pedro Igor
2c611cb8fc User profile configuration scoped to user-federation provider 
closes #23878

Co-Authored-By: mposolda <mposolda@gmail.com>

Signed-off-by: mposolda <mposolda@gmail.com>
 2023-11-27 14:45:44 +01:00
Stian Thorgersen
a32b58d337
Escape ldap id when using normal attribute syntax (#25) (#25036) 
Closes https://github.com/keycloak/security/issues/46

Co-authored-by: Ricardo Martin <rmartinc@redhat.com>
 2023-11-27 11:38:14 +01:00
Takashi Norimatsu
1f5ee9bf80 NPE in checkAndBindMtlsHoKToken on Token Refresh when using SuppressRefreshTokenRotationExecutor and Certificate Bound Token 
closes #25022

Signed-off-by: Takashi Norimatsu <takashi.norimatsu.ws@hitachi.com>
 2023-11-27 08:49:48 +01:00
Sophie Tauchert
855aebabc2 Rename clientUuid path parameter to client-uuid for consistency 
Closes #24960

Signed-off-by: Sophie Tauchert <sophie@999eagle.moe>
 2023-11-23 16:08:58 +01:00
Sophie Tauchert
496c0e7f03 Rename some path parameter placeholders to avoid duplicating {id} in the path 
Closes #24960

Signed-off-by: Sophie Tauchert <sophie@999eagle.moe>
 2023-11-23 16:08:58 +01:00
Sophie Tauchert
3e17cb0452 Add correct annotation for 204 responses to POST methods returning void 
Closes #24960

Signed-off-by: Sophie Tauchert <sophie@999eagle.moe>
 2023-11-23 16:08:58 +01:00
Douglas Palmer
efde3adf60 Wrong value for VALIDATED_ID_TOKEN stored in the brokered identity context for external token exchange 
Closes #23985

Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
 2023-11-23 11:52:37 -03:00
Douglas Palmer
2ec1d2f7ea Fix logic error in AbstractOAuth2IdentityProvider 
Closes #24943

Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
 2023-11-23 11:43:42 -03:00
Tero Saarni
fd58cb1bec Attempt to remove warning about not using inference 
Signed-off-by: Tero Saarni <tero.saarni@est.tech>
 2023-11-23 10:49:58 -03:00
Tero Saarni
e35f3d7e87 Fix compilation error with ServerInfoAdminResource 
This change fixes following type inference error:
* Type mismatch: cannot convert from Map<Boolean,Object> to Map<Boolean,List<String>>

The error comes when opening and compiling on vscode or Eclipse, which uses
Eclipse JDT compiler.

Signed-off-by: Tero Saarni <tero.saarni@est.tech>
 2023-11-23 10:49:58 -03:00
Sebastian Schuster
030f42ec83
More efficient listing of assigned and available client role mappings 
Closes #23404

Signed-off-by: Sebastian Schuster <sebastian.schuster@bosch.io>
Co-authored-by: Vlasta Ramik <vramik@users.noreply.github.com>
 2023-11-22 14:10:11 +01:00
Thomas Darimont
d30d692335 Introduce MaxAuthAge Password policy (#12943) 
This policy allows to specify the maximum age of an authentication
with which a password may be changed without re-authentication.

Defaults to 300 seconds (default taken from Constants.KC_ACTION_MAX_AGE) to remain backwards compatible.
A value of 0 will always require reauthentication to update the password.
Add documentation for MaxAuthAgePasswordPolicy to server_admin

Fixes #12943

Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
 2023-11-20 14:48:17 +01:00
rmartinc
1241bd2919 Fix lowerCaseHostname to lower-case scheme and host properly 
Closes https://github.com/keycloak/keycloak/issues/24792

Signed-off-by: rmartinc <rmartinc@redhat.com>
 2023-11-20 10:00:50 +01:00
Erik Jan de Wit
941457b805 added theme name as parameter 
moved messages to theme bundle

Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
 2023-11-17 08:35:54 +01:00
rmartinc
5fad76070a Use LinkedIn instead of LinkedIn OpenID Connect for better UI experience 
Closes https://github.com/keycloak/keycloak/issues/24659

Signed-off-by: rmartinc <rmartinc@redhat.com>
 2023-11-16 18:22:16 +01:00
Hynek Mlnarik
70d0f731f5 Use session ID rather than broker session ID 
Closes: #24455

Signed-off-by: Hynek Mlnarik <hmlnarik@redhat.com>
 2023-11-16 17:01:40 +01:00
Vlasta Ramik
d86e062a0e
Removal of retry blocks introduced for CRDB 
Closes #24095

Signed-off-by: vramik <vramik@redhat.com>
Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Co-authored-by: Alexander Schwartz <aschwart@redhat.com>
 2023-11-16 13:50:56 +01:00
rmartinc
cca33baac3 Avoid NPE if RelayState is null and return a proper error 
Closes https://github.com/keycloak/keycloak/issues/24079

Signed-off-by: rmartinc <rmartinc@redhat.com>
 2023-11-16 12:56:49 +01:00
Erik Jan de Wit
89abc094d1
userprofile shared (#23600) 
* move account ui user profile to shared

* use ui-shared on admin same error handling

also introduce optional renderer for added component

* move scroll form to ui-shared

* merged with main

* fix lock file

* fixed merge error

* fixed merge errors

* fixed tests

* moved user profile types to admin client

* fixed more types

* pr comments

* fixed some types
 2023-11-14 08:04:55 -03:00
Erik Jan de Wit
fe7833c957
Load Admin Console localizations from resource bundles (#24316) 
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
 2023-11-13 12:39:46 -05:00
Hynek Mlnařík
0ceaed0e2e
Transient users: Consents (#24496) 
closes #24494
 2023-11-10 11:18:27 +01:00
mposolda
7863c3e563 Moving UPConfig and related classes from keycloak-services 
closes #24535

Signed-off-by: mposolda <mposolda@gmail.com>
 2023-11-07 12:41:29 +01:00
Joshua Sorah
7ca00975d4 Feature flag DPoP metadata in OIDC Well Known endpoint 
Closes keycloak/keycloak#24547

Signed-off-by: Joshua Sorah <jsorah@gmail.com>
 2023-11-06 03:13:57 -08:00
Oliver
563ae104fd [issue-14134] test partial import user with id 
Fix #14134
 2023-11-02 05:56:12 -07:00
rmartinc
d7bb59461d Escape $ sign when replacing clientId in the role mappers 
Closes https://github.com/keycloak/keycloak/issues/23692
 2023-11-01 20:47:15 +01:00
rokkiter
e1735138cb
clean util * (#24174) 
Signed-off-by: rokkiter <yongen.pan@daocloud.io>
 2023-11-01 17:14:11 +01:00
Pedro Igor
be65ba8689 Make sure optional default attributes are removed when decorating the user-define user profile configuration 
Closes #24420
 2023-11-01 14:54:09 +01:00
mposolda
0bd2b342d7 Update per review 2023-10-31 12:56:46 -07:00
mposolda
6f992915d7 Move some UserProfile and Validation classes into keycloak-server-spi 
closes #24387
 2023-10-31 12:56:46 -07:00
Justin Tay
3ff0476cc3 Allow customization of aud claim with JWT Authentication 
Closes #21445
 2023-10-31 11:33:47 -07:00
rmartinc
7deb4ca545 Group count and PartialExport permission fixes 
Closes https://github.com/keycloak/keycloak/issues/12171
 2023-10-31 01:40:21 -07:00
rmartinc
6484a3e705 Add userProfileEnabled attribute to realm response if admin can view users 
closes https://github.com/keycloak/keycloak/issues/19093
 2023-10-30 07:39:03 -07:00
Alice
69497382d8
Group scalability upgrades (#22700) 
closes #22372 


Co-authored-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com>
Co-authored-by: Michal Hajas <mhajas@redhat.com>
 2023-10-26 16:50:45 +02:00
Hynek Mlnarik
2c4d58f5af Fix KcOidcBrokerTransientSessionsTest 
Closes: #24313
 2023-10-26 14:36:01 +02:00
rmartinc
faf398e3c3 Add openapi annotations to the UserProfileResource 
Closes https://github.com/keycloak/keycloak/issues/9318
 2023-10-25 07:44:24 -07:00
Hynek Mlnarik
a668c2cb2b Support for transient brokering in admin console 
Part-of: Add support for not importing brokered user into Keycloak database

Closes: #11334
 2023-10-25 12:02:35 +02:00
Hynek Mlnarik
26328a7c1e Support for transient sessions via lightweight users 
Part-of: Add support for not importing brokered user into Keycloak database

Closes: #11334
 2023-10-25 12:02:35 +02:00
ggraziano
84112f57b5 Verification of iss at refresh token request 
Added iss checking using the existing TokenVerifier.RealmUrlCheck in the verifyRefreshToken method.

Closes #22191
 2023-10-24 23:42:11 +02:00
Marek Posolda
1bd6aca629
Remove RegistrationProfile class and handle migration (#24215) 
closes #24182


Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com>
 2023-10-24 20:19:33 +02:00
Thomas Darimont
e567210ed1
Add dedicated feature flag for oauth device grant flow (#23892) 
Closes #23891
 2023-10-24 10:09:26 +02:00
Erik Jan de Wit
e4632c9e78 move to theme resource 2023-10-23 15:17:18 -07:00
Erik Jan de Wit
f3d387172e changed to realm, because that is the source 2023-10-23 15:17:18 -07:00
Erik Jan de Wit
0f878566ab add new locale endpoint that returns the messages 2023-10-23 15:17:18 -07:00
vramik
a0f04fa2be Declarative User Profile export 
Closes #12062
Resolves #20885
 2023-10-21 19:21:20 +02:00
Pedro Igor
e47389f199 Username now shown when creating a user and edit username is not allowed 
Closes #24183
 2023-10-20 10:22:31 -07:00
Pedro Igor
55a5a8c0eb Ignore custom attributes when processing attributes in verify profile action 
Closes #24077
 2023-10-20 17:51:40 +02:00
mposolda
c18e8ff535 User profile tweaks in registration forms 
closes #24024
 2023-10-20 06:31:21 -07:00
kaustubh-rh
1ac2c0997d
Inconsistent handling of parenthesis in auth flow name (#24113) 
closes #16379
 2023-10-20 10:00:46 +02:00
mposolda
04777299b0 After tab1 finish authentication, make sure that rootAuthenticationSession is expired shortly 
closes #23880
 2023-10-19 19:23:50 +02:00
Andrew
77c3e7190c
updates to method contracts and code impl to be more specific about providerAlias (#24070) 
closes #24072
 2023-10-18 08:33:06 +02:00
Pedro Igor
e91a0afca2 The username in account is required and don't change when email as username is enabled 
Closes #23976
 2023-10-17 16:43:44 -03:00
shigeyuki kabano
6112b25648 Enhancing Light Weight Token(#22148) 
Closes #21183
 2023-10-17 13:12:36 +02:00
Pedro Igor
9c19a8972b Removing the default cache metadata 
Closes #23910
 2023-10-13 16:32:55 +02:00
Charley Wu
31759f9c37
WebAuthn support for native applications. Support custom FIDO2 origin validation (#23156) 
Closes #23155
 2023-10-13 15:25:10 +02:00
Moritz Becker
e9f08b6500 Do not return empty scope field in token introspection response 
Closes #16526
 2023-10-13 08:36:12 +02:00
duckboy81
197b39492e Update TokenManager.java 
Fixed minor spelling typos
 2023-10-12 14:56:24 +02:00
ici-dev-gb
32b373f05f
Don't use top-level await for storage access checks (#23793) 
Closes #23743
 2023-10-12 09:28:01 +00:00
Vojtěch Boček
8871983b33
Add support for single-tenant mode to Microsoft Identity Provider (#20699) 
* Add support for single-tenant mode to Microsoft Identity Provider

Fixes #20695
Closes #11207

* Add SocialLoginTest for Microsoft single-tenant variant
 2023-10-10 16:35:36 -04:00
Marek Posolda
a6609bd969
Remove "You are already logged in" during authentication. Make other browser tabs to authenticate automatically when some browser tab successfully authenticate (#23517) 
Closes #12406


Co-authored-by: Jon Koops <jonkoops@gmail.com>
 2023-10-10 21:54:37 +02:00
Pedro Igor
7385ed56c7 Avoid creating the component when there is no component and configuration is not provided 
Closes #20970

Co-authored-by: Pedro Igor <psilva@redhat.com>
 2023-10-10 13:28:48 +02:00
Daniel Fesenmeyer
dd37e02140 Improve logging in case of OIDC Identity provider errors: 
- log the full Redirection URL, when it contains an error parameter, or does not contain the state or code parameter
- log the token endpoint URL (without - possibly confidential - params) and the response body, when the token endpoint does not return a success response

Closes #23690
 2023-10-06 19:03:41 +02:00
mposolda
cdb61215c9 UserProfileContext.ACCOUNT_OLD seems to be obsolete and not needed 
closes #23749
 2023-10-06 11:27:48 -03:00
Pedro Igor
290bee0787
Resolve several usability issues around User Profile (#23537) 
Closes #23507, #23584, #23740, #23774

Co-authored-by: Jon Koops <jonkoops@gmail.com>
 2023-10-06 10:15:39 -03:00
rmartinc
890600c33c Remove backward compatibility for ECDSA tokens 
Closes https://github.com/keycloak/keycloak/issues/23734
 2023-10-06 14:24:48 +02:00
Garth
2dfbbff343
added AccountResource SPI, Provider and ProviderFactory. (#22317) 
Added AccountResource SPI, Provider and ProviderFactory. updated AccountLoader to load provider(s) and check if it is compatible with the chosen theme.
 2023-10-05 15:08:01 +02:00
Justin Tay
55751a0830 Fix client assertion with invalid ES256, ES384, ES512 signatures 
Closes #23721
 2023-10-05 13:07:52 +02:00
Steve Hawkins
fb69936f14 Aligns the logic in the welcome resources 
as a result the quarkus one can be removed

closes keycloak#23243
 2023-09-28 19:33:12 -03:00
Jon Koops
1b6cb7b2a9
Always check storage access before placing test cookie (#23393) 2023-09-27 13:38:53 +02:00
Lucas Hedding
de5aa2e74d
Add createTimestamp to REST service (#23293) 
Closes #14009
 2023-09-27 13:38:16 +02:00
rmartinc
10c1e3ba6d Client roles should be mapped to any claim name 
Closes https://github.com/keycloak/keycloak/issues/22349
 2023-09-27 08:11:22 -03:00
rmartinc
d90640b5a3 Change email checkserveridentity prop as angus mail sets it to true by default 
Closes https://github.com/keycloak/keycloak/issues/22395
 2023-09-26 09:11:16 +02:00
Maria Arias de Reyna
c15753266f fix(Closes #21236): Adding client-id to logout event 2023-09-25 13:20:26 +02:00
Pedro Igor
741f76887c Allow updating email when email as username is set and edit username disabed 
#23438
 2023-09-25 08:19:01 -03:00
Michal Hajas
496c5ad989 Use new findGroupByPath implementation and remove the old one 
Closes #23344

Signed-off-by: Michal Hajas <mhajas@redhat.com>
 2023-09-25 10:44:24 +02:00
Justin Tay
7d3104ee76 Allow public clients to use PAR endpoint 
Closes #8939
 2023-09-21 13:57:42 +02:00