Commit graph

4798 commits

Author SHA1 Message Date
Giuseppe Graziano
b46fab2308 Remove root auth session after backchannel logout
Closes #32197

Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
2024-10-01 11:56:57 +02:00
mposolda
e582a17a7c Fix client-attributes condition configuration
closes #33390

Signed-off-by: mposolda <mposolda@gmail.com>
2024-10-01 10:12:28 +02:00
Stian Thorgersen
4a2fbf5339
Refactor loading of theme resources (#33326)
Closes #33325

Signed-off-by: stianst <stianst@gmail.com>
2024-10-01 08:02:05 +02:00
Alexander Schwartz
5c503a55e9 Optimize caching and use of DB connections when Organisations are enabled
Closes #33353

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
2024-09-30 18:35:45 -03:00
rmartinc
8bbae59b60 Add LOGIN_WEBAUTHN as possible initial login page for locale bean
Closes #33336

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-09-30 18:59:39 +02:00
Steven Hawkins
5d99d91818
fix: allows for the detection of a master realm with --import-realms (#32914)
also moving initial bootstrapping after import

closes: #32689

Signed-off-by: Steven Hawkins <shawkins@redhat.com>
Co-authored-by: Martin Bartoš <mabartos@redhat.com>
2024-09-30 14:40:16 +02:00
Steven Hawkins
f1a7a4804e
fix: adds additional info / warnings to hostname v2 (#33261)
* fix: adds additional info / warnings to hostname v2

closes: #24815

Signed-off-by: Steve Hawkins <shawkins@redhat.com>

* refining the proxy-headers language from #33209

Signed-off-by: Steve Hawkins <shawkins@redhat.com>

* adding hostname-strict-https

Signed-off-by: Steve Hawkins <shawkins@redhat.com>

* moving removed property check to the quarkus side

Signed-off-by: Steve Hawkins <shawkins@redhat.com>

* Update quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/configuration/mappers/HostnameV2PropertyMappers.java

Co-authored-by: Martin Bartoš <mabartos@redhat.com>
Signed-off-by: Steven Hawkins <shawkins@redhat.com>

* Update docs/guides/server/hostname.adoc

Signed-off-by: Steven Hawkins <shawkins@redhat.com>

---------

Signed-off-by: Steve Hawkins <shawkins@redhat.com>
Signed-off-by: Steven Hawkins <shawkins@redhat.com>
Co-authored-by: Martin Bartoš <mabartos@redhat.com>
2024-09-28 08:48:09 +00:00
Steven Hawkins
9064d5159a
fix: validate that a full hostname url is expected (#33348)
closes: #33347

Signed-off-by: Steve Hawkins <shawkins@redhat.com>
2024-09-27 13:57:14 +00:00
Manish Mehta
d57050656e Fix for Issue# 32622 (https://github.com/keycloak/keycloak/issues/32622)
The expected Destination Path needs to properly point to the client that is created for IDP-initiated SSO flow. This is especially an issue when Keycloak is behind a reverse proxy that terminates TLS.

Signed-off-by: Manish Mehta <ManishMehta@users.noreply.github.com>
2024-09-27 09:20:09 +02:00
rmartinc
1d23c3c720 Use note to detect the IDP verify email action is already done
Closes #31563

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-09-27 09:16:53 +02:00
Maksim Zvankovich
90dc7c168c Add organization admin crud events
Closes #31421

Signed-off-by: Maksim Zvankovich <m.zvankovich@rheagroup.com>
Co-authored-by: Stefan Guilhen <sguilhen@redhat.com>
2024-09-27 09:09:28 +02:00
Stefan Guilhen
6424708695 Ensure organization id is preserved on export/import
- Also fixes issues with description, enabled, and custom attributes missing when re-importing the orgs.

Closes #33207

Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2024-09-25 16:07:44 +02:00
Stian Thorgersen
af5eef57bf
Improve handling for loopback redirect-uri validation (#195) (#33189)
Closes #33116

Signed-off-by: stianst <stianst@gmail.com>
2024-09-23 13:51:02 +02:00
keshavprashantdeshpande
402aa42201
Add subgroup count to groupByPath (#33161)
Closes #31410

Signed-off-by: Keshav Deshpande <keshavprashantdeshpande@gmail.com>
2024-09-23 08:28:06 +02:00
Erik Jan de Wit
d01f531b82
removed server side translation in favour of client side (#32985)
fixes: #32984

Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
2024-09-23 07:42:07 +02:00
Jon Koops
5e2f09f66d
Remove statically served Keycloak JS from the server (#33083)
Closes #32827

Signed-off-by: Jon Koops <jonkoops@gmail.com>
2024-09-22 19:05:01 +02:00
Stefan Guilhen
900c496ffe
Remove the kc.org.broker.public attribute and use hideOnLogin in the IDP instead
Closes #32209

Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
Co-authored-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
2024-09-20 16:08:55 +02:00
Stefan Guilhen
e065070751 Set realm when importing users via keycloak-add-user.json
Closes #33060

Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2024-09-20 15:24:41 +02:00
Steve Hawkins
493252befd fix: include debug logging for init
closes: #33109

Signed-off-by: Steve Hawkins <shawkins@redhat.com>
2024-09-20 15:21:50 +02:00
Stefan Guilhen
42cde0cfdd
Fix various issues holding up CI (#33086)
- Disables the remote operator tests, which will have to be fixed later.
- Fixes the action expired error which occurs when accessing regular registration page with Organizations enabled.
- Fixes a race condition in the test suite causing sporadic failures.

Closes #33064

Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
Signed-off-by: rmartinc <rmartinc@redhat.com>
Signed-off-by: Jon Koops <jonkoops@gmail.com>
Co-authored-by: rmartinc <rmartinc@redhat.com>
Co-authored-by: Jon Koops <jonkoops@gmail.com>
2024-09-19 21:23:21 +02:00
vramik
fcb31a5aa6 Implement invitation-only self-registration for realm users
Closes #31643

Signed-off-by: vramik <vramik@redhat.com>
2024-09-18 13:50:23 +02:00
Alexander Schwartz
2a95d0abfa
Sort order of updates for user properties (#32853)
This should reduce deadlocks on the user property table if the users are updated concurrently.

Closes #32852

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
2024-09-18 12:37:42 +02:00
Alexander Schwartz
8ef7007e3c
Avoid using plain log messages in ServiceLogger (#32893)
Closes #32891

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
2024-09-18 12:36:58 +02:00
stianst
c137482d77 Improve FolderThemeProvider
Closes #33015

Signed-off-by: stianst <stianst@gmail.com>
2024-09-18 12:17:23 +02:00
Stefan Guilhen
3e597722a9
Add cache for IdentityProviderStorageProvider.getForLogin (#32918)
Closes #32573

Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2024-09-18 09:05:57 +02:00
Stian Thorgersen
76307872f6
Update bootstrap admin client to use lightweight access token, and disable standard flow (#33014)
Closes #33010, closes #33011

Signed-off-by: stianst <stianst@gmail.com>
2024-09-17 12:23:19 +00:00
rmartinc
5fe916861d Return 404 on invalid theme type
Closes #32798

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-09-17 09:09:34 +02:00
Giuseppe Graziano
e6c5ee31e4 Admin API with Lightweight access token and transient session
Closes #32802

Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
2024-09-16 09:30:15 +02:00
Nate Drake
75973157aa
Fix a few typos (#32929)
Signed-off-by: Nate Drake <ndrake@gmail.com>
2024-09-15 10:12:26 +00:00
Pedro Ruivo
f67bec0417 Rename remote-cache Feature
Renamed to "clusterless"

Closes #32596

Signed-off-by: Pedro Ruivo <pruivo@redhat.com>
2024-09-13 13:03:13 +02:00
Stian Thorgersen
40049f31fa
Remove ProxyClassLoader and PlatformProvider returning script classloader (#32806)
Closes #32804

Signed-off-by: stianst <stianst@gmail.com>
2024-09-11 17:11:26 +02:00
rmartinc
b60621d819 Allow brute force to have http request/response and send emails
Closes #29542

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-09-11 08:35:03 +02:00
cgeorgilakis-grnet
f8b1b3ee03 Search Identity Providers by alias or display name
Closes #32588

Signed-off-by: cgeorgilakis-grnet <cgeorgilakis@admin.grnet.gr>
2024-09-10 21:52:59 +02:00
Thomas Darimont
6b83a45b2e
Propagate locale when using app initiated registration URL
Fixes #13505

Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
2024-09-10 12:25:17 +02:00
Garth
7988f026e0 Add a PasswordPoliciesBean to the FreeMarker context.
Closes #32553

Signed-off-by: Garth <244253+xgp@users.noreply.github.com>
2024-09-10 12:19:53 +02:00
Alexander Schwartz
b88ecc0237
Removing the extra two-minute Window for persistent user sessions (#32660)
Closes #28418

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Signed-off-by: Michal Hajas <mhajas@redhat.com>
Co-authored-by: Michal Hajas <mhajas@redhat.com>
2024-09-09 09:28:48 +02:00
Steven Hawkins
58d742bb5c
fix: refining v2 hostname validation (#32659)
closes: #32643

Signed-off-by: Steve Hawkins <shawkins@redhat.com>
2024-09-06 17:49:25 +02:00
Thomas Darimont
211224f613
Use correct error value in Token Exchange error responses
The Token Exchange [RFC8693 Section-2.2.2](https://datatracker.ietf.org/doc/html/rfc8693#section-2.2.2) requires
that the error code for invalid requests is `invalid_request`.
Previously, Keycloak used `invalid_token` as the error code.

Fixes #31547

Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
2024-09-05 18:35:36 +02:00
keshavprashantdeshpande
9f5f8e017e
Improve message for failing partial import of realm (#32667)
Closes #28017
Signed-off-by: Keshav Deshpande <keshavprashantdeshpande@gmail.com>
Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Co-authored-by: Alexander Schwartz <aschwart@redhat.com>
2024-09-05 15:12:37 +02:00
mposolda
866101e72e Optimize LogoutEndpoint.backchannelLogout endpoint
closes #32683

Signed-off-by: mposolda <mposolda@gmail.com>
2024-09-05 13:49:31 +02:00
Thomas Darimont
693a63b532
Handle ClientData parsing errors in SessionCodeChecks gracefully
- Move ClientData parsing out of SessionCodeChecks ctor
- Respond with a bad request if invalid client data is presented

Closes #32515

Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Co-authored-by: Alexander Schwartz <aschwart@redhat.com>
2024-09-05 10:50:27 +02:00
Giuseppe Graziano
a14548a7a2
Lightweight access tokens for Admin REST API (#32347)
* Lightweight access tokens for Admin REST API

Closes #31513


Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
2024-09-04 18:04:23 +02:00
cgeorgilakis-grnet
e6b271895e Make update IdentityProvider admin REST API more efficient
Closes #32388

Signed-off-by: cgeorgilakis-grnet <cgeorgilakis@admin.grnet.gr>
2024-09-04 11:49:32 -03:00
Alexander Schwartz
0e1a7c6f8e Add information about token expiry to events
Closes #28311

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
2024-09-04 14:44:51 +02:00
Stefan Guilhen
e7a4635620 Filter out org brokers from the account console
- org-linked brokers should not be available for login
- prepare the endpoint for search/pagination

Closes #31944

Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2024-09-04 09:00:52 -03:00
Alexander Schwartz
4d1e1e0bcb
Show details for error messages where they were missing (#32534)
Closes #32533

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Signed-off-by: Jon Koops <jonkoops@gmail.com>
Co-authored-by: Jon Koops <jonkoops@gmail.com>
2024-09-04 07:23:54 -04:00
Theresa Henze
a1c23fef8c introduce event types to update/remove credentials
Closes #10114

Signed-off-by: Theresa Henze <theresa.henze@bare.id>
2024-09-03 18:27:27 +02:00
Pedro Igor
079242c398 Binding brokering OIDC user sessions with the issuer of the ID Token to avoid looking up sessions by iterating over all brokers in a realm
Closes #32091

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-09-03 17:51:20 +02:00
Thomas Darimont
88a5c96fff
Add kc_action to redirect URI after a required action is cancelled (#31925)
Closes #31894

Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
2024-09-03 14:26:23 +00:00
mposolda
dad4477995 Remove keycloak-core and keycloak-crypto-default from SAML galleon feature pack and upgrade them to Java 17
closes #32586

Signed-off-by: mposolda <mposolda@gmail.com>
2024-09-03 15:58:57 +02:00