Commit graph

3981 commits

Author SHA1 Message Date
Bastian
5ddb79cbe6
fix(account): do not leak into messages (#16212)
Closes #16211
2023-01-18 13:06:36 +01:00
Konstantinos Georgilakis
c73859794e Short verification_uri for Device Authorization Request
Closes #16107
2023-01-18 08:34:52 +01:00
stianst
dceb2f96b2 Fix REST API header showing product.name.full
Closes #16067
2023-01-16 13:14:26 +01:00
mposolda
79fa6bb3c9 Initial support for running testsuite in BCFIPS approved mode
Closes #16429
2023-01-13 02:59:06 -08:00
Pedro Igor
9945135861
Verify if token is revoked when validating bearer tokens (#16394)
Closes #16388
2023-01-11 14:42:29 +01:00
mposolda
ac490a666c Fix KcSamlSignedBrokerTest in FIPS. Support for choosing realm encryption key for decrypt SAML assertions instead of realm signature key
Closes #16324
2023-01-10 20:39:59 +01:00
Pedro Igor
d797d07d8f Ignore user profile attributes for service accounts
Closes #13236
2023-01-10 16:26:53 +01:00
Karim Boukari
bcc23b6330
Fix (keycloak#15493): make nginx certificate-lookup thread safe (#15480)
Closes #15493
2023-01-10 11:56:40 +01:00
Mark Andreev
d900540034 Fix NPE if user not exists
Check "userSession.getId().equals(clientUser.getId())" fails if getUserFromToken return non existed user. It is happens when AccessToken.subject relates to non existed user.

Closes #16297
2023-01-09 06:43:39 -08:00
Pedro Igor
522bf1c0b0 Keep consistency when importing realms at startup when they are exported via the export command
Closes #16281

Co-authored-by: Martin Bartoš <mabartos@redhat.com>
2023-01-06 18:53:01 +01:00
Pedro Igor
53ee95764e Do not show username field when updating profile if UPDATE_EMAIL feature is enabled and email as username is enabled
Closes #16263
2023-01-06 14:12:47 +01:00
Réda Housni Alaoui
141c9dd803
update-email: email change does not affect the username when "Email as username" option is checked (#15583)
Closes #13988
2023-01-06 14:04:48 +01:00
Réda Housni Alaoui
dbe0c27bcf Allowing client registration access token rotation deactivation 2023-01-05 20:53:57 +01:00
Michal Hajas
6566b58be1 Introduce Infinispan GlobalLock implementation
Closes #14721
2023-01-05 16:58:44 +01:00
Hynek Mlnarik
071fc03f41 Move transaction processing into session close
Fixes: #15223
2023-01-05 16:12:32 +01:00
Pedro Igor
dbe225715d
Wrong auth session id being used when validating auth session id cookies (#16253)
Closes #16252
Closes #16132
2023-01-05 10:13:25 +01:00
cknoblauch
ae74cadcfc Add missing < to Javadoc 2023-01-04 14:06:53 +01:00
ムハマドザクワンビンムハマドザヒド / MOHDZAHID,BIN MUHAMMADZAKWAN
ce6b737e33 NPE in userinfo endpoint
Closes #15429
2023-01-02 13:53:29 +01:00
Pedro Igor
857b02be63 Allow managing the required settigs for the email attribute
Closes #15026
2022-12-15 13:11:06 -08:00
Pedro Igor
782d145cef Allow updating authz settings via default client registration provider
Closes #9008
2022-12-15 20:43:43 +01:00
Stian Thorgersen
a5670af745
Keycloak CI workflow refactoring (#15968)
* Keycloak CI workflow refactoring

Closes #15861

* Update testsuite/integration-arquillian/tests/base/testsuites/base-suite.sh

Co-authored-by: Hynek Mlnařík <hmlnarik@users.noreply.github.com>

* Update testsuite/integration-arquillian/tests/base/testsuites/suite.sh

Co-authored-by: Hynek Mlnařík <hmlnarik@users.noreply.github.com>

* Update testsuite/integration-arquillian/tests/base/testsuites/suite.sh

Co-authored-by: Hynek Mlnařík <hmlnarik@users.noreply.github.com>

* Update CodeQL actions

Co-authored-by: Hynek Mlnařík <hmlnarik@users.noreply.github.com>
2022-12-14 16:12:23 +01:00
Stian Thorgersen
0f2ca3bfdd
fixes from release/20 (#15982)
* Avoid path traversal vis double-url encoding of redirect URI (#8)

(cherry picked from commit a2128fb9e940d96c2f9a64edcd4fbcc768eedb4f)

* Do not resolve user session if corresponding auth session does not exist (#7)

* Stabilizing the ConcurrentLoginTest when running with JPA map storage by locking user sessions (#9)

Co-authored-by: Marek Posolda <mposolda@gmail.com>
Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com>
Co-authored-by: Alexander Schwartz <alexander.schwartz@gmx.net>
2022-12-14 07:46:17 +01:00
Stan Silvert
5ced20e1ee
Allow any admin role on GET profile call (#15967) 2022-12-13 15:56:22 -05:00
zak905
993d910520 avoid NPE in LegacyAttributes when using federated storage
Closes #https://github.com/keycloak/keycloak/issues/15482
2022-12-07 14:25:08 -03:00
Michal Hajas
de7dd77aeb Change id of TermsAndConditions required actions to uppercase
Closes #9991
2022-12-07 10:51:37 -03:00
mposolda
f4e91a5312 The redirect URI cannot be verified during logout in the case when client was removed
closes #15866
2022-12-07 08:20:30 +01:00
Pedro Igor
022d2864a6 Make sure JAX-RS resource methods are advertizing the media type they support
Closes #15811
Closes #15810
2022-12-06 08:13:43 -03:00
Václav Muzikář
7a0ad6ff21 Handle null in HttpRequestImpl 2022-12-02 12:17:10 +01:00
Pedro Igor
168734b817 Removing references to request and response from Resteasy
Closes #15374
2022-12-01 08:38:24 -03:00
mposolda
3e9c729f9e X.509 authentication fixes for FIPS
Closes #14967
2022-11-25 11:50:30 +01:00
Stefan Guilhen
5c2a5fac31 Enable all test methods in ConcurrentLoginTest for JPA Map Storage
- Tests still disabled for Hotrod and CHM
- Fixes concurrent login issues with CRDB. Verified with both PostgreSQL and CockroachDB.

Closes #12707
Closes #13210
2022-11-24 13:36:22 +01:00
Alexander Schwartz
fd152e8a3e Modify RealmAdminResource.partialImport to work with InputStream
Rework existing PartialImportManager to not interfere with transaction handling, and bundle everything related to AdminEventBuild and JAX-RS Repsonses inside the Resource.

Closes #13611
2022-11-24 11:45:11 +01:00
Lex Cao
dd03137ea7 Strip secret of user when creating from admin API
Closes #14843
2022-11-24 11:38:42 +01:00
Pedro Igor
9e042b06b4 Avoid creating proxies at runtime for Rest-based SPIs
Closes #15605
2022-11-23 12:42:13 +01:00
Nagy Vilmos
4b6b607fe9
Should not hide IDP from login page (#14174)
Closes #14173
2022-11-23 10:49:21 +01:00
cgeorgilakis-grnet
085dd24875 Client registration service do not check client protocol for Bearer token
Closes #15612
2022-11-23 08:49:13 +01:00
Pedro Igor
28fc5b4574 Removing injection points for Resteasy objects and resolving instances from keycloak context instead
Relates #15374
2022-11-21 19:47:25 +01:00
Pedro Igor
6f7c62fc73 Remove unnecessary endpoints from our JAX-RS entensions
Closes #15525
2022-11-16 16:25:33 +01:00
Michal Hajas
6d683824a4 Deprecate DBLockProvider and replace it with new GlobalLockProvider
Closes #9388
2022-11-16 16:13:25 +01:00
Pedro Igor
10b7475b04 Removing unnecessary injection points from JAX-RS (sub)resources
Closes #15450
2022-11-16 08:55:55 -03:00
Alexander Schwartz
b6b6d01a8a Importing a representation by first creating the defaults, importing a representation and then copying it over to the real store.
This is the foundation for a setup that's needed when importing the new file store for which importing the representation serves as a placeholder.

Closes #14583
2022-11-16 09:56:13 +01:00
Douglas Palmer
9f532eecaf Weird export/re-import behaviour regarding post.logout.redirect.uris
Closes #14884
2022-11-15 09:24:32 +01:00
Stefan Guilhen
667f1f989f Fix ConcurrentLoginTest.concurrentCodeReuseShouldFail on CockroachDB
- processGrantRequest in TokenManager is now executed in a separate retriable transaction.

Closes #13210
2022-11-11 13:34:29 +01:00
stianst
eb17157e44 Stop adding .v2 to default theme if set in server config
Closes #15392
2022-11-11 08:49:41 -03:00
Pedro Igor
13b39cf48a Marking nested classes in brokering endpoints as static
Closes #15443
2022-11-10 16:10:09 -03:00
stianst
1de9c201c6 Refactor Profile
Closes #15206
2022-11-07 07:28:11 -03:00
Marek Posolda
f616495b05
Fixing UserFederationLdapConnectionTest,LDAPUserLoginTest to work with FIPS (#15299)
closes #14965
2022-11-03 16:35:57 +01:00
Marek Posolda
2ba5ca3c5f
Support for multiple keys with same kid, which differ just by algorithm in the JWKS (#15114)
Closes #14794
2022-11-03 09:32:45 +01:00
Stian Thorgersen
cf913af823
Add support for Microsoft Authenticator (#15272)
Closes #15271
2022-11-02 12:56:07 +01:00
Alexander Schwartz
dd5a60c321 Allow a partial import to overwrite the default role
Closes #9891
2022-11-01 15:35:02 -03:00
Pedro Igor
f6985949b6
Close the session within resteasy boundaries (#15193)
Closes #15192
2022-11-01 11:06:34 +01:00
Michal Hajas
883e83e625 Remove deprecated methods from data providers and models
Closes #14720
2022-10-25 09:01:33 +02:00
mposolda
55c514ad56 More flexibility in keystore related tests, Make keycloak to notify which keystore types it supports, Support for BCFKS
Closes #14964
2022-10-24 08:36:37 +02:00
Alexander Schwartz
440077de42 Reduce number of calls to the storage for clients and realms
Closes #15038
2022-10-21 15:08:39 +02:00
Stefan Guilhen
acaf1724dd Fix ComponentsTest failures with CockroachDB
- Component addition/edition/removal is now executed in a retriable transaction.

Closes #13209
2022-10-21 10:48:08 +02:00
Klaus Betz
76d9125c3f
feat: add DisplayIconClasses to IdentityProviderModel for third-party IDPs https://github.com/klausbetz/apple-identity-provider-keycloak/issues/10 (#14826)
Closes #14974
2022-10-18 15:54:06 +02:00
Stian Thorgersen
97ae90de88
Remove Red Hat Single Sign-On product profile from upstream (#14697)
* Remove Red Hat Single Sign-On product profile from upstream

Closes #14916

* review suggestions: Remove Red Hat Single Sign-On product profile from upstream

Closes #14916

Co-authored-by: Peter Skopek <pskopek@redhat.com>
2022-10-18 14:43:04 +02:00
Stian Thorgersen
31aefd1489
OTP Application SPI (#14800)
Closes #14800
2022-10-18 14:42:35 +02:00
Marek Posolda
0756ef9a75
Initial integration tests with BCFIPS distribution (#14895)
Closes #14886
2022-10-17 23:33:22 +02:00
Stian Thorgersen
f7490b7f7c
Fix issue where admin2 was not enabled by default if account2 was disabled (#14914)
Refactoring ThemeSelector and DefaultThemeManager to re-use the same logic for selecting default theme as there used to be two places where one had a broken implementation

Closes #14889
2022-10-17 15:17:54 +02:00
vramik
f49582cf63 MapUserProvider in KC20 needs to store username compatible with KC19 to be no-downtime-upgradable
Closes #14678
2022-10-14 09:32:38 +02:00
danielFesenmeyer
f80a8fbed0 Avoid login failures in case of non-existing group or role references and update references in case of renaming or moving
- no longer throw an exception, when a role or group cannot be found, log a warning instead
- update mapper references in case of the following events:
   - moving a group
   - renaming a group
   - renaming a role
   - renaming a client's Client ID (may affect role qualifiers)
- in case a role or group is removed, the reference still will not be changed
- extend and refactor integration tests in order to check the new behavior

Closes #11236
2022-10-13 13:23:29 +02:00
Martin Kanis
761929d174
Merge ActionTokenStoreProvider and SingleUseObjectProvider (#13677)
Closes #13334
2022-10-13 09:26:44 +02:00
Stian Thorgersen
ded52c6228
Move session iframe pages (#14769)
Closes #14767
2022-10-13 08:16:20 +02:00
Lex Cao
8ea3f30d82 Support profile projection parameter for LinkedIn IDP
Closes #13384
2022-10-11 15:22:00 -03:00
Alexander Schwartz
b67ce73227 Cleanup MapUserSessionAdapter.getAuthenticatedClientSessions()
Closes #14743
2022-10-10 13:01:14 +02:00
Stian Thorgersen
fda26385ec
Add profile feature for hosting keycloak.js on the server (#14771)
* Add profile feature for hosting keycloak.js on the server

Closes #14770

* Updated txt files for HelpCommandTest
2022-10-10 08:00:50 +02:00
Takashi Norimatsu
148c7695ff Pluggable Features of Token Manager
Closes #12065
2022-10-07 08:43:34 +02:00
Hynek Mlnarik
36a1ce6a1a Ensure map storage providers are closed upon session close
Fixes: #14730
2022-10-05 14:16:19 +02:00
Marek Posolda
425b6b8df2
Parameters 'client_id' and 'response_type' not strictly required in O… (#14679)
* Parameters 'client_id' and 'response_type' not strictly required in OIDC request object
Closes #14255
2022-10-05 11:20:15 +02:00
Douglas Palmer
44aae52fb4
Fixed locale switcher on error page (#14728)
Closes #14205
2022-10-05 10:30:07 +02:00
Marek Posolda
c59660ca86
KEYCLOAK_SESSION not working for some user federation setups when user ID has special chars (#14560)
closes #14354
2022-10-05 08:59:30 +02:00
Alice Wood
1eb7e95b97 enhance existing group search functionality allow exact name search keycloak/keycloak#13973
Co-authored-by: Abhijeet Gandhewar <agandhew@redhat.com>
2022-09-30 10:37:52 +02:00
Marcelo Daniel Silva Sales
22713bc144
Incorrect error message OIDC client authentication (#14656)
closes #12162


Co-authored-by: Pedro Hos <pedro-hos@outlook.com>
2022-09-30 09:40:05 +02:00
David Anderson
a8db79a68c
Introduce crypto module using Wildfly Elytron (#14415)
Closes #12702
2022-09-27 08:53:46 +02:00
Alexander Schwartz
be2deb0517 Modify RealmsAdminResource.importRealm to work with InputStream
Closes #13609
2022-09-26 20:58:08 +02:00
Ivan Atanasov
4016dd95d2
Use temporary file to reduce the chance of serving partial gzipped resource (#14511)
Closes #14510
2022-09-23 07:51:41 +02:00
Alice Wood
55a660f50b enhance group search to allow searching for groups via attribute keycloak/keycloak#12964
Co-authored-by: Abhijeet Gandhewar <agandhew@redhat.com>
Co-authored-by: Michal Hajas <mhajas@redhat.com>
2022-09-19 15:19:36 +02:00
Takashi Norimatsu
0a832fc744 Intent support before issuing tokens (UK OpenBanking)
Closes #12883
2022-09-19 12:15:00 +02:00
Dmitry Telegin
cc2117bf7c UserInfo endpoint not fully standards compliant
Closes #14184
2022-09-16 10:15:08 +02:00
danielFesenmeyer
3af1134975 Update IDP link username when sync mode is "force"
Closes #13049
2022-09-14 08:02:17 -03:00
Václav Muzikář
e999aeeab8 Fix DefaultHostnameTest on Undertow 2022-09-13 14:41:23 -03:00
Christoph Leistert
7e5b45f999 Issue #8749: Add an option to control the order of the event query and admin event query 2022-09-11 21:30:12 +02:00
Alexander Schwartz
1d2d3e5ca5 Move UserFederatedStorageProvider into legacy module
Closes #13627
2022-09-11 18:37:45 +02:00
Thomas Darimont
962a685b7b KEYCLOAK-15773 Control availability of admin api and admin-console via feature flags
Inline profile checks for enabled admin-console to avoid issues during
static initialization with quarkus.

Potentially Re-enable admin-api feature if admin-console is enabled
via the admin/admin2 feature flag.

Add legacy admin console as deprecated feature flag
Throw exception if admin-api feature is disabled but admin-console is enabled

Adapt ProfileTest

Consider adminConsoleEnabled flag in QuarkusWelcomeResource
Fix check for Admin-Console / Admin-API feature dependency.

Add new features to approved help output files

Co-authored-by: Stian Thorgersen <stian@redhat.com>
Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
2022-09-09 18:18:51 -03:00
Pedro Igor
3518362002 Validate auth time when max_age is sent to brokered OPs
Closes #14146
2022-09-09 10:30:51 -03:00
Martin Bartoš
0fcf5d3936 Reuse of token in TOTP is possible
Fixes #13607
2022-09-09 08:56:02 -03:00
Marek Posolda
040e52cfd7
SAML javascript protocol mapper: disable uploading scripts through admin console by default (#14293)
Closes #14292
2022-09-09 13:47:51 +02:00
Dominik Guhr
f2b02f19e6 Closes #13786 2022-09-07 18:29:26 +02:00
cgeorgilakis
07b0df8f62
View groups from account console (#7933)
Closes #8748
2022-09-07 11:25:31 +02:00
Lex Cao
1f197aa96b
Add basic auth compliant to RFC 6749 (#14179)
Closes #14179
2022-09-07 10:09:30 +02:00
evtr
4469bdc0a9
RelayState max length not respected
Fixes: #10227
2022-09-06 22:01:14 +02:00
Stu Tomlinson
f57560afd3 Improve error messages for invalid SAML responses
Closes #13534
2022-09-06 21:49:14 +02:00
Christoph Leistert
cc2bb96abc Fixes #9482: A user could be assigned to a parent group if he is already assigned to a subgroup. 2022-09-06 21:31:31 +02:00
Pedro Igor
a6137b9b86 Do not empty attributes if they are not provided when user profile is enabled
Closes #11096
2022-09-06 12:59:05 +02:00
Michal Hajas
f69497eb28 KEYCLOAK-12988 Deprecate getUsers* methods in favor of searchUsers* variants
Closes #14018
2022-09-06 10:38:28 +02:00
Youssef El Houti
7f58c1c570 KEYCLOAK-19138 nginx x509 client trusted certificate lookup 2022-09-01 15:02:56 -03:00
Thomas Darimont
43623ea9d0 KEYCLOAK-18499 Add max_age support to oauth2 brokered logins
Revise KcOidcBrokerPassMaxAgeTest to use setTimeOffset(...)
2022-09-01 09:24:44 -03:00
Joerg Matysiak
a8019d78e7 Fixed handling of required setting for email in user profile.
Resolves #13923
2022-08-31 17:19:19 -03:00
Nagy Vilmos
f6db484172
Keep the locale related authNotes through the IdentityBroker flow. (#10444)
Closes #8827
2022-08-31 09:37:26 +02:00