Commit graph

4872 commits

Author SHA1 Message Date
vramik
b1ff9511d1 Fine grained admin permissions feature V2
Closes #34563

Signed-off-by: vramik <vramik@redhat.com>
2024-11-07 10:55:42 +01:00
Ricardo Martin
226daa41c7
Add service account mappers via client scope instead of dedicated scope (#34664)
Closes #10417

Signed-off-by: rmartinc <rmartinc@redhat.com>
Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com>
Signed-off-by: Ricardo Martin <rmartinc@redhat.com>
2024-11-07 08:45:11 +01:00
Thomas Darimont
fec661cf10 Allow OIDCIdentityProvider implementations to override isTokenTypeSupported
Fixes #34695

Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
2024-11-06 16:28:44 +01:00
Ricardo Martin
ce454bda47
Remove online session when offline access is requested as the first request (#34346)
Closes #34001

Signed-off-by: rmartinc <rmartinc@redhat.com>
Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com>
Signed-off-by: Marek Posolda <mposolda@gmail.com>

---------

Signed-off-by: rmartinc <rmartinc@redhat.com>
Signed-off-by: Marek Posolda <mposolda@gmail.com>
Co-authored-by: Marek Posolda <mposolda@gmail.com>
Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com>
2024-11-06 08:33:12 +01:00
Jonas Suter
35b425736a Strip Double Quotes from Request Content in Organization API
Closes #34401

Signed-off-by: Jonas Suter <jonas_suter@gmx.ch>
2024-11-05 11:24:08 -03:00
Giuseppe Graziano
612e2caae1 Refresh the login page when root auth session changes
Closes #32658

Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
2024-11-04 18:31:42 +01:00
Thomas Darimont
3315ea718a Add ability to enable OID4VCI Verifiable Credentials per realm (#34524)
- Added new realm property verifiableCredentialsEnabled
- Updated RealmRepresentation
- Guarded route to Oid4VCI page
- Add boolean switch to Realm settings page to control Verifiable Credentials enablement
- We now only show the Verifiable Credentials page in the nav if the "Verifiable Credentials" realm setting is enabled.

Fixes #34524

Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
2024-11-04 14:58:30 +01:00
Douglas Palmer
f229790ba5 Allow custom message for brute force temporary lockout
Closes #17014

Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
2024-11-04 14:49:32 +01:00
kqq
822d3fde32
Microsoft login - add prompt param configure
Closes #34583

Signed-off-by: kqq <971340511@qq.com>
Co-authored-by: kqq <971340511@qq.com>
2024-11-04 13:17:05 +01:00
Bernd Bohmann
7681687e0a
Provide missing user event metrics from aerogear/keycloak-metrics-spi to a keycloak micrometer event listener
inspired by
https://github.com/aerogear/keycloak-metrics-spi
https://github.com/please-openit/keycloak-native-metrics

Closes #33043

Signed-off-by: Bernd Bohmann <bommel@apache.org>
Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Signed-off-by: Michal Hajas <mhajas@redhat.com>
Co-authored-by: Alexander Schwartz <aschwart@redhat.com>
Co-authored-by: Michal Hajas <mhajas@redhat.com>
2024-11-04 08:56:24 +01:00
Stefan Guilhen
2e51775acc Remove Provider annotation along with default constructors from org resources
Closes #34335

Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2024-11-01 15:37:52 -03:00
vramik
d853dcab7d Use specific error message from required actions for SamlProtocol if available
Closes #34514

Signed-off-by: vramik <vramik@redhat.com>
2024-10-31 15:45:19 -03:00
Thomas Darimont
36b01cbea0 Revise PAR request object parameter handling (#34352)
We now store the original parameter value as-is, in case only a single parameter value is provided. In case multiple parameter values are provided
for the same parameter, we only retain the first parameter.
This ensures that the original value is retained. Previously the value list from the
`decodedFormParameters` `MultivaluedMap` was converted to a String while replacing '[' and ']'
with an empty string, which corrupted the original parameter values stored.

Fixes #34352

Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
2024-10-31 16:26:31 +01:00
rmartinc
78aa08941a Fix NPE in ConditionalOtpFormAuthenticator if no configuration
Closes #34298

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-10-31 07:48:07 -03:00
Erik Jan de Wit
19ef0a608b
Add switch to toggle dark mode (#33822)
Closes #33821

Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
Signed-off-by: Jon Koops <jonkoops@gmail.com>
Co-authored-by: Jon Koops <jonkoops@gmail.com>
2024-10-31 10:19:03 +00:00
Pedro Igor
f9f9a313b3 make sure error dialog is shown at the account console when declining terms
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-10-30 12:26:03 -03:00
vramik
7368104e43 Keep error and error_description query params in login url.
Signed-off-by: vramik <vramik@redhat.com>
2024-10-30 12:26:03 -03:00
vramik
3d91df42d8 Declining terms and conditions in account-console results in error
Closes #28328

Signed-off-by: vramik <vramik@redhat.com>
2024-10-30 12:26:03 -03:00
Erik Jan de Wit
eb5afeeabb added description to denied consent and show on ErrorPage
fixes: #28328
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
2024-10-30 12:26:03 -03:00
BrunoSampaioDTx
de973de800 Use the response_permissions_limit value, if provided, to set the maximum number of results when retrieving resources by URI
Signed-off-by: BrunoSampaioDTx <bruno.sampaio@dtx-colab.pt>
2024-10-29 16:40:44 -03:00
rmartinc
b52256facc Set client in context for dynamic scopes calculation
Closes #33684

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-10-28 17:32:06 -03:00
Erik Jan de Wit
4d25128018
add brute force enabled so we can render switch (#34282)
fixes: #34065

Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
2024-10-25 09:25:03 -04:00
Andy
f994cc54d5
Remove robots.txt entirely
* remove robots.txt entirely, as blocking page-
crawling prevents the `X-Robots-Tag` headers
(and similar meta tags) from working as intended.

Closes #17433

Signed-off-by: Andy <andy@slice.is>
Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Co-authored-by: Alexander Schwartz <aschwart@redhat.com>
2024-10-25 12:09:50 +00:00
rmartinc
e41553bcfb Create a new logout session when initiating it for another client
Closes #34207

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-10-25 10:02:23 +02:00
Steven Hawkins
964f6b9aac
fix: refines the provider caching logic (#34220)
closes: #34219

Signed-off-by: Steve Hawkins <shawkins@redhat.com>
2024-10-23 15:00:00 -04:00
rmartinc
f548517f5b Catch model exception when creating the admin user
Closes #32356

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-10-23 13:32:58 +02:00
Steven Hawkins
bd499755a2
fix: providing a separate session for each file (#34210)
closes: #34095

Signed-off-by: Steve Hawkins <shawkins@redhat.com>
2024-10-23 13:11:42 +02:00
Laurids Møller Jepsen
21da25e146 Support RAR (Rich Authorization Request) for ClientCredentialsGrantType via protocol mapper until RAR is fully implemented.
Set authorization_details in a client note in ClientCredentialsGrantType so it can be accessed from a protocol mapper.

Closes #32488

Signed-off-by: Laurids Møller Jepsen <laurids.jepsen@cryptomathic.com>
2024-10-23 09:26:49 +02:00
Ryan Emerson
902abfdae4
JDBC_PING as default discovery protocol
Closes #29399

- Add ProviderFactory#dependsOn to allow dependencies between
  ProviderFactories to be explicitly defined
- Disable the Infinispan default shutdown hook to ensure the lifecycle
  is managed exclusively by Keycloak
- Remove Infinispan shutdown hook in KeycloakRecorder and manage
  EmbeddedCacheManager lifecycle only in DefaultInfinispanConnectionProviderFactory#close

Signed-off-by: Ryan Emerson <remerson@redhat.com>
Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Co-authored-by: Alexander Schwartz <aschwart@redhat.com>
2024-10-22 20:19:19 +00:00
Martin Kanis
77f83d7f65 Grant type urn:ietf:params:oauth:grant-type:uma-ticket token service endpoint returns NullPointerException
Closes #34176

Signed-off-by: Martin Kanis <mkanis@redhat.com>
2024-10-22 15:28:26 -03:00
Steven Hawkins
af1a5ea2a8
fix: refining https file type detection (#33703)
also making common truststore logic align

closes: #33649

Signed-off-by: Steve Hawkins <shawkins@redhat.com>
2024-10-22 13:05:56 -04:00
Steven Hawkins
307041c021
fix: encapsulating where static import/export state is set/used (#33690)
closes: #33596

Signed-off-by: Steve Hawkins <shawkins@redhat.com>
2024-10-22 16:03:39 +02:00
Gilvan Filho
c4005d29f0 add linear strategy to brute force
closes #25917

Signed-off-by: Gilvan Filho <gilvan.sfilho@gmail.com>
2024-10-22 10:33:22 -03:00
rmartinc
6d52520730 Load client keys using SubjectPublicKeyInfo and upload jwks type into the jwks attributes for OIDC ones
Closes #33820

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-10-22 14:24:15 +02:00
Ricardo Martin
a84a2c2ac2
Change order of absolute path and normalize in the theme folder (#34153)
Closes #34028

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-10-22 09:53:30 +02:00
Stefan Guilhen
b03ce0047c Add explicit getter method for organizations in RealmAdminResource
- makes OrganizationsResource reachable to OpenAPI generator

Closes #30832

Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2024-10-21 15:55:06 -03:00
rmartinc
2004467749 Check alias is unique for authenticator config when it is created
Closes #31727

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-10-21 15:25:32 +02:00
Simon Levermann
dcf1d83199
Enable enforcement of a minimum ACR at the client level (#16884) (#33205)
closes #16884 

Signed-off-by: Simon Levermann <github@simon.slevermann.de>
2024-10-21 13:54:02 +02:00
Pedro Igor
3a9bab35b6 Fixing action token lifespan information in the invitation email
Closes #34049

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-10-18 09:10:14 +02:00
Pedro Igor
d1dba15964 Do not show domain match message in the identity-first login when no login hint is provided
Closes #34069

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-10-18 09:05:27 +02:00
Pedro Igor
ee38d551ce Respect the locale set to a user when rendering verify email pages
Closes #34063

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-10-18 09:04:38 +02:00
Stefan Guilhen
7d8ff710c2 Invalidate user session when associated IdP is missing (previously removed)
Closes #31724

Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2024-10-17 16:30:51 -03:00
Krzysztof Szafrański
731274f39e Fix errors when code, clientId, or tabId are null
Calling parseSessionCode inside the try-catch would result in
ErrorPageException thrown by redirectToErrorPage being caught and
re-reported, resulting in one log entry with `invalidRequestMessage`
and another one with `unexpectedErrorHandlingRequestMessage`.

Additionally, one of ErrorPageException constructors didn't pass the
status to super(), resulting in the logger error message being
"HTTP 500 Internal Server Error" even though the status was actually
something else, like 400. I noticed that ErrorPageException can be
simplified by just passing the response to super(), which is one way of
fixing the problem.

Closes #33232

Signed-off-by: Krzysztof Szafrański <k.p.szafranski@gmail.com>
2024-10-17 14:37:40 -03:00
Pascal Knüppel
41ee68611f
Allow to create EC certificates if new EC-key-provider is created (#31843)
Closes #31842

Signed-off-by: Pascal Knüppel <pascal.knueppel@governikus.de>
2024-10-17 16:05:59 +02:00
Thomas Darimont
f99c5f6df3 Ensure referrer and referrer_uri params are carried over to account-console
Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
2024-10-17 07:53:20 -03:00
Thomas Darimont
40bdc902f0 Use account-console client for server-side auth check
Also generate PKCE verifier and use challenge parameters

Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
2024-10-17 07:53:20 -03:00
Thomas Darimont
729417b20a Use account-console client for server-side auth check
- Also generate PKCE verifier and use challenge parameters

Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
2024-10-17 07:53:20 -03:00
Thomas Darimont
c400eff9b0 Account console backend should redirect to login on missing auth (#31469)
Adapted the login redirect logic from the old account console.

Fixes #31469

Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
2024-10-17 07:53:20 -03:00
rmartinc
13655007a6 Remove online session for offline access in direct access grants and client credentials
Closes #32650

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-10-17 10:49:05 +02:00
Martin Kanis
8fb5ecaa6c Auth not possible for auth session where user was enabled in the meantime
Closes #33883

Signed-off-by: Martin Kanis <mkanis@redhat.com>
2024-10-15 14:28:36 -03:00