This adds support for the "S256" code_challenge_method to the JS Adapter.
Note that the method "plain" was deliberately left out as is not recommended
to be used in new applications.
Note that this PR includes two libraries:
- [base64-js]{@link https://github.com/beatgammit/base64-js}
- [js-sha256]{@link https://github.com/emn178/js-sha256}
`base64-js` is needed for cross-browser support for decoding the
Uint8ArrayBuffer returned by `crypto.getRandomValues` to a PKCE
compatible base64 string.
`js-sha256` library is required because the `crypto.subtle.digest`
support is not available for all browsers.
The PKCE codeVerifier is stored in the callbackStore of the JS Adapter.
Note: This PR is based on #5255 which got messed up during a rebase.
* KEYCLOAK-8460 Request Object Signature Verification Other Than RS256
also support client signed signature verification by refactored token
verification mechanism
* KEYCLOAK-8460 Request Object Signature Verification Other Than RS256
incorporate feedbacks and refactor client public key loading mechanism
* KEYCLOAK-8460 Request Object Signature Verification Other Than RS256
unsigned request object not allowed
* KEYCLOAK-8460 Request Object Signature Verification Other Than RS256
revert to re-support "none"
Previously remember-me sessions where tied to the SSO max session
timeout which could lead to unexpected early session timeouts.
We now allow SSO timeouts to be configured separately for sessions
with enabled remember-me. This enables users to opt-in for longer
session timeouts.
SSO session timeouts for remember-me can now be configured in the
tokens tab in the realm admin console. This new configuration is
optional and will tipically host values larger than the regular
max SSO timeouts. If no value is specified for remember-me timeouts
then the regular max SSO timeouts will be used.
Work based on PR https://github.com/keycloak/keycloak/pull/3161 by
Thomas Darimont <thomas.darimont@gmail.com>
