Fix ClientScopesClientRegistrationPolicy.beforeUpdate because it was modifying the original clientRepresentation.
Add updateClientScopes method to set client scopes in Client Update Request in DCR.
Closes#24361
Signed-off-by: graziang <g.graziano94@gmail.com>
Closes#25676
Signed-off-by: vramik <vramik@redhat.com>
Signed-off-by: Pedro Ruivo <pruivo@redhat.com>
Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Co-authored-by: Pedro Ruivo <pruivo@redhat.com>
Co-authored-by: Alexander Schwartz <aschwart@redhat.com>
Add an "Always use lightweight access token" option on the client's Advanced tab in the "Advanced Settings" section that uses the already existing Constants.USE_LIGHTWEIGHT_ACCESS_TOKEN_ENABLED to store a boolean client attribute.
The attribute value is used to enable or disable the lightweight access token.
Closes#27238
Signed-off-by: graziang <g.graziano94@gmail.com>
Using an auth note to store the totpSecret and passing its value in the TotpBean constructor to keep the totpSecret on page reload
Closes#26052
Signed-off-by: graziang <g.graziano94@gmail.com>
Closes#23539
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
Co-authored-by: Jon Koops <jonkoops@gmail.com>
Co-authored-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* chore: expose display name and locales when user has view-realm
Signed-off-by: Peter Keuter <github@peterkeuter.nl>
* fix: supportedlocales are available as stream
Signed-off-by: Peter Keuter <github@peterkeuter.nl>
* fix: tests
Signed-off-by: Peter Keuter <github@peterkeuter.nl>
* fix: remove unnecessarily added ignore
Signed-off-by: Peter Keuter <github@peterkeuter.nl>
---------
Signed-off-by: Peter Keuter <github@peterkeuter.nl>
`UpdatePassword.evaluateTriggers` adds the required-action to the user by evaluating the expiration password policy. Added a check that skips the evaluation if no password used during auth flow. This check uses the value of an auth note set in the `validatePassword` method of the `AbstractUsernameFormAuthenticator`.
Manually adding UPDATED_PASSWORD required-action to the user continues to trigger the action regardless of the authentication method.
Closes#17155
Signed-off-by: graziang <g.graziano94@gmail.com>
Closes#9758
Signed-off-by: vramik <vramik@redhat.com>
Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Signed-off-by: Michal Hajas <mhajas@redhat.com>
Co-authored-by: Alexander Schwartz <aschwart@redhat.com>
Co-authored-by: Michal Hajas <mhajas@redhat.com>
Closes#26810
Co-authored-by: Thomas Darimont <thomas.darimont@googlemail.com>
Co-authored-by: Martin Kanis <mkanis@redhat.com>
Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
Signed-off-by: Martin Kanis <mkanis@redhat.com>
* elevating wildfly-elytron-http-oidc version management
Signed-off-by: Steve Hawkins <shawkins@redhat.com>
* removing testing dependency overrides
Signed-off-by: Steve Hawkins <shawkins@redhat.com>
* further version aligment with quarkus
Signed-off-by: Steve Hawkins <shawkins@redhat.com>
* adding a resteay-core-spi that can be overriden
Signed-off-by: Steve Hawkins <shawkins@redhat.com>
* removing hamcrest override
Signed-off-by: Steve Hawkins <shawkins@redhat.com>
* aligning with 3.7.1
Signed-off-by: Steve Hawkins <shawkins@redhat.com>
---------
Signed-off-by: Steve Hawkins <shawkins@redhat.com>
This change adds event for brute force protector when user account is
temporarily disabled.
It also lowers the priority of free-text log for failed login attempts.
Signed-off-by: Tero Saarni <tero.saarni@est.tech>
Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Co-authored-by: Alexander Schwartz <aschwart@redhat.com>
This PR introduces a String getTaskName() default method to
the ScheduledTask interface and adjusts call sites to use the
implementation derived task name where possible.
Previously, ScheduledTask names were passed around separately, which
lead to unhelpful debug messages.
We now give ScheduledTask implementations control over their task-name
which allows for more flexible naming.
Enlist call StoreSyncEvent.fire(...) to after transaction to ensure realm is present in database.
Ensure that Realm is already committed before updating sync via UserStorageSyncManager
Align Sync task name generation for cancellation to support SyncFederationTest
Only log a message if sync task was actually canceled.
Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
there are several downgrades from the quarkus versions, and some
additional logic needed to handle changes with re-creating the
configuration
Signed-off-by: Steve Hawkins <shawkins@redhat.com>
Closes#13368
These changes introduce a new error handler for building error based on the media type.
- It should create error form response when it is valid HTML request
- It could create error response with JSON if content type matches
Signed-off-by: Lex Cao <lexcao@foxmail.com>
Closes#26460
Signed-off-by: Václav Muzikář <vmuzikar@redhat.com>
Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Co-authored-by: Alexander Schwartz <aschwart@redhat.com>
We now use INVALID_SAML_RESPONSE insteadof INVALID_LOGOUT_RESPONSE.
Added proposed test case.
Closes#11178
Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
Co-authored-by: Michal Hajas <mhajas@redhat.com>
Co-authored-by: Chris Dolphy <cdolphy@redhat.com>
The ResetCredentialsActionTokenHandler depends upon the `EXISTING_USER_INFO` through `AbstractIdpAuthenticator.getExistingUser` solely to log the username. However, if the first broker login flow does not include a `IdpCreateUserIfUniqueAuthenticator` or `IdpDetectExistingBrokerUserAuthenticator`, the `EXISTING_USER_INFO` is never set.
This commit does not attempt to fetch the existing user if we don't have this info set.
Closes#26323
Signed-off-by: Chris Tanaskoski <chris@devristo.com>
Changes according to the latest [OWASP cheat sheet for secure Password Storage](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#pbkdf2):
- Changed default password hashing algorithm from pbkdf2-sha256 to pbkdf2-sha512
- Increased number of hash iterations for pbkdf2-sha1 from 20.000 to 1.300.000
- Increased number of hash iterations for pbkdf2-sha256 from 27.500 to 600.000
- Increased number of hash iterations for pbkdf2-sha512 from 30.000 to 210.000
- Adapt PasswordHashingTest to new defaults
- The test testBenchmarkPasswordHashingConfigurations can be used to compare the different hashing configurations.
- Document changes in changes document with note on performance and how
to keep the old behaviour.
- Log a warning at the first time when Pbkdf2PasswordHashProviderFactory is used directly
Fixes#16629
Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
closes#15714
Signed-off-by: Takashi Norimatsu <takashi.norimatsu.ws@hitachi.com>
Co-authored-by: Muhammad Zakwan Bin Mohd Zahid <muhammadzakwan.mohdzahid.fg@hitachi.com>
Co-authored-by: rmartinc <rmartinc@redhat.com>
Closes#22922
Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Signed-off-by: Pedro Ruivo <pruivo@redhat.com>
Co-authored-by: Pedro Ruivo <pruivo@redhat.com>
Closes#15190
Add support for `send-verify-email` endpoint to use the `email-verification.ftl` instead of `executeActions.ftl`
Also introduce a new parameter `lifespan` to be able to override the default lifespan value (12 hours)
Signed-off-by: Lex Cao <lexcao@foxmail.com>
Throw ModelException if name is empty when creating/updating a realm
Closes#17449
Signed-off-by: atharva kshirsagar <atharva4894@gmail.com>
Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Co-authored-by: Alexander Schwartz <aschwart@redhat.com>
This implements a method for configuring authenticator reference values for Keycloak authenticator executions and a protocol mapper for populating the AMR claim in the resulting OIDC tokens.
This implementation adds a default configuration item to each authenticator execution, allowing administrators to configure an authenticator reference value. Upon successful completion of an authenticator during an authentication flow, Keycloak tracks the execution ID in a user session note.
The protocol mapper pulls the list of completed authenticators from the user session notes and loads the associated configurations for each authenticator execution. It then captures the list of authenticator references from these configs and sets it in the AMR claim of the resulting tokens.
Closes#19190
Signed-off-by: Ben Cresitello-Dittmar <bcresitellodittmar@mitre.org>
also adding a common PropertyMapper validation method
closes#24668
Co-authored-by: Václav Muzikář <vaclav@muzikari.cz>
Co-authored-by: Martin Bartoš <mabartos@redhat.com>
This is now, as of Dec 15th 2023, part of the OIDC Backchannel Logout spec, chapter 2.4.
As of chapter 4, the logout token should have a short expiration time, preferably at most two minutes in the future. So we set the expiration to this time.
resolves#25753
Signed-off-by: Niko Köbler <niko@n-k.de>
Parameter name briefRepresentation should mean briefRepresentation,
not full. This way callers will by default get the full
representation, unless true is passed as value for
briefRepresentation.
Fixes#25096
Signed-off-by: Erwin Rooijakkers <erwin@rooijakkers.software>