Commit graph

938 commits

Author SHA1 Message Date
Dmitry Telegin
c18c4bbeb8 Remove setContext() + minor cleanup
Signed-off-by: Dmitry Telegin <demetrio@carretti.pro>
2024-02-27 19:11:32 +09:00
Dmitry Telegin
87c2df0ea4 Fix UMA 2024-02-27 19:11:32 +09:00
Dmitry Telegin
be3d0b6202 Split OAuth2GrantType and OAuth2GrantTypeFactory 2024-02-27 19:11:32 +09:00
Dmitry Telegin
c73516ba5b Revert dynamic grant type resolution 2024-02-27 19:11:32 +09:00
Dmitry Telegin
5f04ce310a simplify OAuth2GrantType.Context creation 2024-02-27 19:11:32 +09:00
Dmitry Telegin
b81bf85a06 rebase 2024-02-27 19:11:32 +09:00
Dmitry Telegin
854ec17fd3 - rework grant type resolution to use supports() in addition to grant type
- replace initialize() with setContext()
- use EnvironmentDependentProviderFactory instead of runtime checks
- move OAuth2GrantTypeManager to server-spi-private
- javadocs, imports, minor fixes

Signed-off-by: Dmitry Telegin <demetrio@carretti.pro>
2024-02-27 19:11:32 +09:00
Dmitry Telegin
983680ce0e OAuth 2.0 Grant Type SPI
Closes: #26250

Signed-off-by: Dmitry Telegin <demetrio@carretti.pro>
2024-02-27 19:11:32 +09:00
graziang
cecce40aa5 Avoid regenerating the totpSecret on every reload of the OTP configuration page
Using an auth note to store the totpSecret and passing its value in the TotpBean constructor to keep the totpSecret on page reload

Closes #26052

Signed-off-by: graziang <g.graziano94@gmail.com>
2024-02-22 19:09:09 +01:00
Pedro Igor
604274fb76 Allow setting an attribute as multivalued
Closes #23539

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>

Co-authored-by: Jon Koops <jonkoops@gmail.com>
Co-authored-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
2024-02-22 12:56:44 +01:00
Douglas Palmer
b0ef746f39 Permanently lock users out after X temporary lockouts during a brute force attack
Closes #26172

Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
2024-02-22 09:34:51 +01:00
Pedro Igor
52fe8b0feb Allow overriding the default validators added to attributes
Closes #27148

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-02-21 00:13:49 +09:00
Pedro Hos
6b3fa8b7a7
Invalid redirect uri when identity provider alias has spaces (#22840)
closes #22836


Co-authored-by: Marek Posolda <mposolda@gmail.com>
2024-02-19 14:40:42 +01:00
Vlasta Ramik
76453550a5
User attribute value length extension
Closes #9758

Signed-off-by: vramik <vramik@redhat.com>
Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Signed-off-by: Michal Hajas <mhajas@redhat.com>
Co-authored-by: Alexander Schwartz <aschwart@redhat.com>
Co-authored-by: Michal Hajas <mhajas@redhat.com>
2024-02-16 08:09:34 +01:00
mposolda
b4d289c562 Fixing UriValidator
closes #26792

Signed-off-by: mposolda <mposolda@gmail.com>
2024-02-15 10:30:39 +01:00
rmartinc
4ff4c3f897 Increase internal algorithm security using HS512 and 128 byte hmac keys
Closes #13080

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-02-15 08:16:45 +01:00
rmartinc
bc82929e3a Cors modifications for UserInfo endpoint
Closes #26782

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-02-14 18:24:06 +01:00
vibrown
161d03efd2 Added SPIs for ClientType and ClientTypeManager
Grabbed the SPIs for ClientType and ClientTypeManager from Marek's Client Type prototype.

Closes #26431

Signed-off-by: vibrown <vibrown@redhat.com>

Cleaned up TODOs

Signed-off-by: vibrown <vibrown@redhat.com>

Added isSupported methods

Signed-off-by: vibrown <vibrown@redhat.com>
2024-02-13 19:26:19 +01:00
Tero Saarni
ac1780a54f
Added event for temporary lockout for brute force protector (#26630)
This change adds event for brute force protector when user account is
temporarily disabled.

It also lowers the priority of free-text log for failed login attempts.

Signed-off-by: Tero Saarni <tero.saarni@est.tech>
Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Co-authored-by: Alexander Schwartz <aschwart@redhat.com>
2024-02-07 14:13:33 +00:00
Stian Thorgersen
4d9f33efe3
Add cookie type builder (#26848)
Closes #26847

Signed-off-by: stianst <stianst@gmail.com>
2024-02-07 13:16:04 +01:00
Dmitry Telegin
da69beed4d CORS SPI - code review
Signed-off-by: Dmitry Telegin <demetrio@carretti.pro>
2024-02-06 15:27:53 -03:00
Dmitry Telegin
b0403e2268 CORS SPI
Closes #25446

Signed-off-by: Dmitry Telegin <demetrio@carretti.pro>
2024-02-06 15:27:53 -03:00
mposolda
f468885fdd Empty error message when validation issue due the PersonNameProhibitedValidator validation
closes #26750

Signed-off-by: mposolda <mposolda@gmail.com>
2024-02-06 12:56:50 -03:00
Stian Thorgersen
c4b1fd092a
Use code from RestEasy to create and set cookies (#26558)
Closes #26557

Signed-off-by: stianst <stianst@gmail.com>
2024-02-06 15:14:04 +01:00
Michal Hajas
00742a62dd
Remove RealmModel from authorization services interfaces (#26708)
Closes #26530
Signed-off-by: Michal Hajas <mhajas@redhat.com>
2024-02-02 16:51:32 +01:00
Thomas Darimont
277af021d7 Improve ScheduledTask task-name handling
This PR introduces a String getTaskName() default method to
the ScheduledTask interface and adjusts call sites to use the
implementation derived task name where possible.

Previously, ScheduledTask names were passed around separately, which
lead to unhelpful debug messages.
We now give ScheduledTask implementations control over their task-name
which allows for more flexible naming.

Enlist call StoreSyncEvent.fire(...) to after transaction to ensure realm is present in database.
Ensure that Realm is already committed before updating sync via UserStorageSyncManager
Align Sync task name generation for cancellation to support SyncFederationTest
Only log a message if sync task was actually canceled.

Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
2024-02-02 09:57:03 -03:00
Lex Cao
a43ba73b93 Skip link only when client is not system when logout (#24595)
Signed-off-by: Lex Cao <lexcao@foxmail.com>
2024-01-31 17:50:26 +01:00
rmartinc
01be4032d8 Enable verify-profile required action by default
Closes #25985

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-01-31 13:32:53 +01:00
Stian Thorgersen
0fb6bdfcac
Cookie Provider - move remaining cookies (#26531)
Closes #26500

Signed-off-by: stianst <stianst@gmail.com>
2024-01-29 11:06:37 +01:00
Stian Thorgersen
bc3c27909e
Cookie Provider (#26499)
Closes #26500

Signed-off-by: stianst <stianst@gmail.com>
2024-01-26 10:45:00 +01:00
Ricardo Martin
b58f35fb47
Revert "Enable verify profile required action by default for new realms" (#26495)
This reverts commit 7f195acc14.

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-01-25 12:28:16 +01:00
rmartinc
7f195acc14 Enable verify profile required action by default for new realms
Closes #25985

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-01-24 20:28:06 +01:00
Thomas Darimont
e7363905fa Change password hashing defaults according to OWASP recommendations (#16629)
Changes according to the latest [OWASP cheat sheet for secure Password Storage](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#pbkdf2):

- Changed default password hashing algorithm from pbkdf2-sha256 to pbkdf2-sha512
- Increased number of hash iterations for pbkdf2-sha1 from 20.000 to 1.300.000
- Increased number of hash iterations for pbkdf2-sha256 from 27.500 to 600.000
- Increased number of hash iterations for pbkdf2-sha512 from 30.000 to 210.000
- Adapt PasswordHashingTest to new defaults
- The test testBenchmarkPasswordHashingConfigurations can be used to compare the different hashing configurations.
- Document changes in changes document with note on performance and how
  to keep the old behaviour.
- Log a warning at the first time when Pbkdf2PasswordHashProviderFactory is used directly

Fixes #16629

Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
2024-01-24 18:35:51 +01:00
Martin Kanis
84603a9363
Map Store Removal: Rename Legacy* classes (#26273)
Closes #24105

Signed-off-by: Martin Kanis <mkanis@redhat.com>
2024-01-23 13:50:31 +00:00
Erik Jan de Wit
37790c7956
Add a way to extend the UI with an Java API (#23772)
* POC to see how we could extend the UI

This is very crude and there are still open issues that need to be worked out

Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>

* added saving option

Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>

* added list and recreate client form

Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>

* add tab ui

Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>

* integrate tabs

Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>

* remove examples

Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>

* fixed error messages

Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>

* added Feature for ui customization

Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>

---------

Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
2024-01-22 08:19:58 +00:00
Douglas Palmer
e7d842ea32 Invalidate session secretly
Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
2024-01-19 15:44:35 -03:00
Steven Hawkins
74b56201c3
fix: adds hostname:v1 (#26003)
closes: #25336

Signed-off-by: Steve Hawkins <shawkins@redhat.com>
2024-01-17 21:35:23 +01:00
cgeorgilakis-grnet
ccade62289 Enhance error logs and error events during UserInfo endpoint and Token Introspection failure
Closes #24344

Signed-off-by: cgeorgilakis-grnet <cgeorgilakis@admin.grnet.gr>
2024-01-16 11:26:29 +01:00
mposolda
692aeee17d Enable user profile by default
closes #25151

Signed-off-by: mposolda <mposolda@gmail.com>
2024-01-11 12:48:44 -03:00
Thomas Darimont
9d429400d4
Avoid calling primitive wrapper constructors in server-spi-private (#24163)
Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
2024-01-11 11:54:44 +01:00
remi
b22efeec78 Add a toggle to use context attributes on the regex policy provider
Signed-off-by: remi <remi.tuveri@gmail.com>
2024-01-10 16:15:25 -03:00
shigeyuki kabano
67e73d3d4e Enhancing Lightweight access token M2(keycloak#25716)
Closes keycloak#23724

Signed-off-by: shigeyuki kabano <shigeyuki.kabano.sj@hitachi.com>
2024-01-09 09:42:30 +01:00
Douglas Palmer
58d167fe59 Deleting a User or User Group might cause that all users suddenly get the permissions of the deleted user.
Closes #24651
Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
2024-01-08 19:32:01 -03:00
Alice W
cf19c06341 Add logging to the policy providers for general debugging purposes
Signed-off-by: Alice W <105500542+alice-wondered@users.noreply.github.com>
2024-01-05 11:56:00 -03:00
Pedro Igor
8ff9e71eae Do not allow verifying email from a different account
Closes #14776

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-01-05 12:45:07 +01:00
Ben Cresitello-Dittmar
057d8a00ac Implement Authentication Method Reference (AMR) claim from OIDC specification
This implements a method for configuring authenticator reference values for Keycloak authenticator executions and a protocol mapper for populating the AMR claim in the resulting OIDC tokens.

This implementation adds a default configuration item to each authenticator execution, allowing administrators to configure an authenticator reference value. Upon successful completion of an authenticator during an authentication flow, Keycloak tracks the execution ID in a user session note.

The protocol mapper pulls the list of completed authenticators from the user session notes and loads the associated configurations for each authenticator execution. It then captures the list of authenticator references from these configs and sets it in the AMR claim of the resulting tokens.

Closes #19190

Signed-off-by: Ben Cresitello-Dittmar <bcresitellodittmar@mitre.org>
2024-01-03 14:59:05 -03:00
mposolda
eb184a8554 More info on UserProfileContext
closes #25691

Signed-off-by: mposolda <mposolda@gmail.com>
2023-12-19 13:00:31 -03:00
arhine
57cbb391f3 Updates
Signed-off-by: arhine <arhine@redhat.com>
2023-12-18 19:18:18 -03:00
arhine
777b3bd410 update method visibility
Signed-off-by: arhine <arhine@redhat.com>
2023-12-18 19:18:18 -03:00
Pedro Igor
778847a3ce Updating theme templates to render user attributes based on the user profile configuration
Closes #25149

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2023-12-18 15:35:52 -03:00