libre.sh/keycloak-scim
2
0
Fork 0
Code Issues 14 Pull requests Releases Packages Activity Actions 6
23608 commits 4 branches 5 tags 480 MiB
Commit graph

4299 commits

Author SHA1 Message Date
rmartinc
8887be7887 Add a new identity provider for LinkedIn based on OIDC 
Closes https://github.com/keycloak/keycloak/issues/22383
 2023-09-06 16:13:31 +02:00
Pedro Igor
13e5a02b9f Role mappers must return a single value when they are not multivalued 
Closes #20218
 2023-08-31 19:16:12 +02:00
Pedro Igor
ea3225a6e1 Decoupling legacy and dynamic user profiles and exposing metadata from admin api 
Closes #22532

Co-authored-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
 2023-08-29 08:14:47 -03:00
Pedro Igor
b779df6a55 Parsing response from user info rather than the access token 
Closes #22581
 2023-08-29 12:23:56 +02:00
rmartinc
b67ede2a30 RedirectUtils needs to use KeycloakUriBuilder with no parameter parsing 
Closes https://github.com/keycloak/keycloak/issues/22424
 2023-08-17 09:11:08 +02:00
Erik Jan de Wit
b4650b7742
use logged in realm as default (#22460) 2023-08-16 14:29:07 -04:00
t0xicCode
822c13ff6f Switch Trusted Host policy redirect verification to URI 
Switch parsing of the redirect URIs for the Trusted Host Client Registration Policy from URL to URI.
The java URL class tries to instantiate a handler for the scheme, which fails when a "custom" scheme, such as those used in phone apps is used.
In contrast, the URI class simply parses the string, ensuring the format is valid.
The other URLs (baseUrl, rootUrl, adminUrl) are still parsed as URLs.
See https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata for the Client Registration parameter documentation.

Closes #22309
 2023-08-14 10:20:23 +02:00
Pedro Igor
baac060eb1 Fixing how e-mail attribute permissions are set for both USER_API and ACCOUNT contexts 
Closes #21751
 2023-08-11 13:32:16 +02:00
Erik Jan de Wit
874d2063b8
only add realm access to the current realm (#21554) 
fixes: #21553
 2023-08-10 12:43:15 +02:00
Takashi Norimatsu
258711ef4f DPoP verification in UserInfo endpoint 
closes #22215
 2023-08-07 10:49:33 +02:00
Takashi Norimatsu
9d0960d405 Using DPoP token type in the access-token and as token_type in introspection response 
closes #21919
 2023-08-07 10:40:18 +02:00
Erik Jan de Wit
339619816a
lazy populate the treeview for groups (#21520) 
* added lazy parameter

fixes: #19954

* changed to only have the parameter

* fixed merge errors

* removed the `lazy` and now add subgroups on select

* lint

* fixed prettier

* fixed nullpointer

* fixed member tab
 2023-08-04 20:19:34 +00:00
Rishabh Dixit
d73298aab6 Add getStatus() to response obj 
Closes #22241
 2023-08-04 18:43:50 +02:00
Marek Posolda
4dc929abb3
Missing client_id validation match when authenticating client with JW… (#22178) 
Closes #22177
 2023-08-03 11:47:55 +02:00
Takashi Norimatsu
ee998fee66 Add FAPI 2.0 security profile as default profile of client policies 
closes #21181
 2023-08-03 09:26:16 +02:00
Ricardo Martin
a8bca522c1
Fix issue with access tokens claims not being imported using OIDC IDP Attribute Mappers (#21627) 
Closes #9004


Co-authored-by: Armel Soro <armel@rm3l.org>
 2023-08-02 09:36:50 +02:00
Thomas Darimont
82269f789a Avoid using deprecated junit APIs in tests 
- Replaced usage of Assert.assertThat with static import
- Replaced static import org.junit.Assert.assertThat with org.hamcrest.MatcherAssert.assertThat

Fixes: #22111
 2023-08-01 11:44:25 +02:00
Alexander Schwartz
748c53df7f
Use Java mechanisms to read language files and default to UTF-8 (#21755) 
Closes #21753
 2023-08-01 11:27:10 +02:00
mposolda
6f6b5e8e84 Fix authenticatorConfig for javascript providers 
Closes #20005
 2023-07-31 19:28:25 +02:00
rmartinc
0a7fcf43fd Initial pagination in the admin REST API for identity providers 
Closes https://github.com/keycloak/keycloak/issues/21073
 2023-07-27 14:48:02 +02:00
Takashi Norimatsu
9a921441cc Adjustements to the behaviour of dpop_bound_access_tokens switch 
closes #21920
 2023-07-27 11:30:01 +02:00
Alexander Schwartz
1ec8d3a9a4 Convert LinkExpirationFormatterMethod to Java's ChoiceFormat pattern 
Closes #21887
 2023-07-27 10:30:37 +02:00
Takashi Norimatsu
6498b5baf3 DPoP: OIDC client registration support 
closes #21918
 2023-07-26 13:00:35 +02:00
Ricardo Martin
ee35cfe478
Add logout other sessions checkbox to TOTP, webauthn and recovery authn codes setup pages (#21897) 
* Add logout other sessions checkbox to TOTP, webauthn, recovery authn codes setup pages and to update-email page
Closes #10232
 2023-07-26 11:34:19 +02:00
Hunor Kovács
5eb505aba5
Handle error when Microsoft Graph API /me returns not successful (#21696) 
* Response from Microsoft Graph API /me can be error too. So if that happens, throw an exception instead of trying to extract the user id.

* Update services/src/main/java/org/keycloak/social/microsoft/MicrosoftIdentityProvider.java

Co-authored-by: Ondra Pelech <ondra.pelech@gmail.com>

---------

Co-authored-by: Ondra Pelech <ondra.pelech@gmail.com>
 2023-07-26 07:22:52 +00:00
Takashi Norimatsu
0ddef5dda8
DPoP support 1st phase (#21202) 
closes #21200


Co-authored-by: Dmitry Telegin <dmitryt@backbase.com>
Co-authored-by: mposolda <mposolda@gmail.com>
 2023-07-24 16:44:24 +02:00
Takashi Norimatsu
05b8b9ee51 Enhancing Pluggable Features of Token Manager 
closes #21182
 2023-07-24 09:16:29 +02:00
Takashi Norimatsu
2efd79f982 FAPI 2.0 security profile - supporting RFC 9207 OAuth 2.0 Authorization Server Issuer Identification 
Closes #20584
 2023-07-24 09:11:30 +02:00
ali_dandach
ef19e08814
Fix String comparisona (#21752) 
Closes #21773
 2023-07-21 10:37:24 +02:00
mposolda
03716ed452 Keycloak forgets ui_locales parameter when using reset password 
closes #10981
 2023-07-18 09:24:12 +02:00
rmartinc
630e3b2312 Revert emailVerified to false if email modified on force-sync non-trusted broker 
Closes https://github.com/keycloak/security/issues/48
 2023-07-17 13:13:47 +02:00
vramik
47eeece827 Update javadoc for user search in UserResource 
Closes #21053
 2023-07-11 11:14:29 +02:00
Pedro Igor
376d20c285
Remove user credentials from admin event representation (#21561) 
Closes #17470
 2023-07-11 08:26:29 +02:00
rmartinc
13870f3a69 Improve error management in the github provider 
Closes https://github.com/keycloak/keycloak/issues/9429
 2023-07-10 16:09:08 -03:00
Václav Muzikář
97a37f565e
Align guava dependency with the Quarkus Platform BOM (#21544) 
Closes #21364
 2023-07-10 16:13:13 +02:00
Daniele Martinoli
1644432df3 Reviewed solution as per reviewer's comments 2023-07-10 08:31:47 -03:00
Daniele Martinoli
d148a789f7 added clientNote to show the sign out option 2023-07-10 08:31:47 -03:00
Patrick Jennings
399a23bd56
Find an appropriate key based on the given KID and JWA (#21160) 
* keycloak-20847 Find an appropriate key based on the given KID and JWA. Prefers matching on both inputs but will match on partials if found. Or return the first key if a match is not found.

Mark Key as fallback if it is the singular client certificate to be used for signed JWT authentication.

* Update js/apps/admin-ui/public/locales/en/clients.json

Co-authored-by: Marek Posolda <mposolda@gmail.com>

* Updating boolean variable name based on suggestions by Marek.

* Adding integration test specifically for the JWT parameters for regression #20847.

---------

Co-authored-by: Marek Posolda <mposolda@gmail.com>
 2023-07-10 13:28:55 +02:00
Daniele Martinoli
817f129484
fix: closes #21095 (#21289) 
* fix: closes #21095

* Added overloaded version of GroupUtils.toGroupHierarchy with additional full parameter.
 2023-07-10 12:13:26 +02:00
Daniele Martinoli
7b8dcb42ea Using "Account is disabled" message (and also added new test case) 2023-07-07 12:16:38 -03:00
Daniele Martinoli
13e2075ceb Applying reviewer comments 2023-07-07 09:00:51 -03:00
Daniele Martinoli
e6d7749cbf fix for 21476 2023-07-07 09:00:51 -03:00
Daniele Martinoli
b458356aa9 integrated reviewer comments 2023-07-07 08:59:36 -03:00
Daniele Martinoli
c9a226e220 Update services/src/main/java/org/keycloak/broker/provider/HardcodedGroupMapper.java 
Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com>
 2023-07-07 08:59:36 -03:00
Daniele Martinoli
96f09fcd90 Update services/src/main/java/org/keycloak/broker/provider/HardcodedGroupMapper.java 
Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com>
 2023-07-07 08:59:36 -03:00
Daniele Martinoli
83d88f6bb5 added Hardcoded Group mapper to IDP configuration 2023-07-07 08:59:36 -03:00
Erik Jan de Wit
2f5040f565 added locale selector for account console 
fixes: #20941
 2023-07-06 11:14:39 -03:00
Douglas Palmer
8cc04a6724 NullPointerException on reading auth.attemptedUsername in terms template 
closes #21294
 2023-07-04 16:07:44 -03:00
rmartinc
09e30b3c99 Support for JWE IDToken and UserInfo tokens in OIDC brokers 
Closes https://github.com/keycloak/keycloak/issues/21254
 2023-07-03 21:25:46 -03:00
mposolda
ccbddb2258 Fix updating locale on info/error page after authenticationSession was already removed 
Closes #13922
 2023-07-03 18:57:36 -03:00
Jon Koops
c0b0a25f71
Handle exceptions thrown when requesting storage-access permission (#21325) 2023-06-30 00:35:10 +00:00
Daniele Martinoli
e2ac9487f7
Conditional login through identity provider (#20188) 
Closes #20191


Co-authored-by: Jon Koops <jonkoops@gmail.com>
Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com>
Co-authored-by: Marek Posolda <mposolda@gmail.com>
 2023-06-29 18:44:15 +02:00
Joshua Sorah
f695eeaa44 Refactor Admin REST API Documentation to use OpenAPI annotations. 
Removes dependencies on swagger-doclet
Adds dependencies on microprofile-openapi-api
Plugins for smallrye-open-api-maven-plugin, openapi-generator-maven-plugin

Customized ascii doc template for openapi-generator-maven-plugin, to give similar feel to previous documentation.

OpenAPI annotations added to Admin REST API resources.

Closes keycloak/keycloak#20433
 2023-06-29 17:03:38 +02:00
Fouad Almalki
b336732251
Add iat to JWT passed to CIBA HttpAuthenticationChannel (#21280) 
Closes #21283
 2023-06-29 07:55:57 +02:00
Marek Posolda
51a9712e59 Improper Client Certificate Validation for OAuth/OpenID clients (#20) 
Co-authored-by: Stian Thorgersen <stianst@gmail.com>
 2023-06-28 17:52:48 -03:00
Ricardo Martin
1973d0f0d4 Check the redirect URI is http(s) when used for a form Post (#22) 
Closes https://github.com/keycloak/security/issues/22

Co-authored-by: Stian Thorgersen <stianst@gmail.com>
Signed-off-by: Peter Skopek <pskopek@redhat.com>
 2023-06-28 17:52:48 -03:00
Pedro Igor
28aa1d730d Verify holder of the device code (#21) 
Closes https://github.com/keycloak/security/issues/32

Co-authored-by: Stian Thorgersen <stianst@gmail.com>
Conflicts:
    services/src/main/java/org/keycloak/protocol/oidc/grants/device/DeviceGrantType.java
 2023-06-28 15:45:26 +02:00
rmartinc
4bc11bdf7f Do not return an error when moving a group to the current parent 
Closes https://github.com/keycloak/keycloak/issues/21242
 2023-06-28 10:34:15 +02:00
rmartinc
a5a2753d11 Don't allow impersonate disabled users or service accounts 
Closes https://github.com/keycloak/keycloak/issues/21106
 2023-06-28 10:18:21 +02:00
Douglas Palmer
59e1a5d992 Custom theme - url.resourcesCommonPath references wrong theme 
closes #20085
 2023-06-28 08:25:44 +02:00
Douglas Palmer
c75bf31398 Empty shortVerificationUri not the same with default (null) value 
closes #20851
 2023-06-27 14:57:24 +02:00
Pedro Igor
d0691b0884 Support for the locale user attribute 
Closes #21163
 2023-06-27 09:21:08 -03:00
Erik Jan de Wit
3a3907ab15
changed to use ConfiguredProvider instead (#21097) 
fixes: #15344
 2023-06-27 08:00:32 -04:00
eatik
0cc464695e Allowing users with view-users permission to call configured-user-storage-credential-types endpoint as per issue #20783 
Closes #20783
 2023-06-26 11:05:35 -03:00
Takashi Norimatsu
f6ecc3f3f8 FAPI 2.0 security profile - not allow an authorization request whose parameters were not included in Request Object pushed to PAR request 
closes #20710
 2023-06-26 12:09:25 +02:00
vramik
7fe7dfc529 ResourceType lost during clonning 
Co-authored-by: Alexander Schwartz <alexander.schwartz@gmx.net>

Closes #20947
 2023-06-23 09:31:44 +02:00
Douglas Palmer
a0d1ac6baa processGrantRequest in TokenEndPoint uses new TokenManager instead of this.tokenMananager 
closes #20978
 2023-06-23 08:12:44 +02:00
Pedro Igor
aff6cc1cbd Running mappers during account linking 
Closes #11195

Co-authored-by: mposolda <mposolda@gmail.com>
Co-authored-by: toddkazakov
 2023-06-22 17:41:31 +02:00
Sazzad Hossain
41e253c054 Check whether CREATE_REALM role exists in realm role mappings before hasRole check for user. 
Closes #20332
 2023-06-22 15:35:50 +02:00
Douglas Palmer
f526f7a091 Emails with non-ascii characters are not allowed since v21.0.0 
closes #20878
 2023-06-22 10:27:48 -03:00
Pedro Igor
eb5edb3a9b Support reading base32 encoded OTP secret 
Closes #9434
Closes #11561
 2023-06-22 08:08:13 -03:00
mposolda
137f8d807a Account Console II doesn't remove TOTP from UserStorage 
closes #19575
 2023-06-22 07:56:44 +02:00
Gilvan Filho
2493f11331 count users by custom user attribute 
closes #14747
 2023-06-21 11:56:22 -03:00
mposolda
dc3b037e3a Incorrect Signature algorithms presented by Client Authenticator 
closes #15853

Co-authored-by: Jon Koops <jonkoops@gmail.com>
 2023-06-21 08:55:58 +02:00
Stan Silvert
513c00bcd9
Remove unused feature flags. (#21039) 
* Remove unused feature flags.
Fixes #20944
Fixes #20943

* Update release notes.

* Update docs/documentation/release_notes/topics/22_0_0.adoc

Co-authored-by: Jon Koops <jonkoops@gmail.com>

---------

Co-authored-by: Jon Koops <jonkoops@gmail.com>
 2023-06-20 15:02:22 -04:00
Stian Thorgersen
f82577a7f3
Removed old account console (#21098) 
Co-authored-by: Jon Koops <jonkoops@gmail.com>

Closes #9864
 2023-06-20 20:46:57 +02:00
Daniele Martinoli
d9b271c22a
Extends the conditional user attribute authenticator to check the attributes of the joined groups (#20189) 
Closes #20007
 2023-06-19 15:22:35 +02:00
Jon Koops
c998193797
Pass client id for Account and Admin consoles through environment (#20961) 2023-06-13 16:29:37 +00:00
rmartinc
ecf52285bc Simplify TokenManager expiration calculations using SessionExpirationUtils 
Closes https://github.com/keycloak/keycloak/issues/20794
 2023-06-13 10:09:47 +02:00
Pedro Igor
af975d20f1 Avoid iterating indefinetly when checking CRLs 
Closes #20725
 2023-06-12 17:50:16 +02:00
Alexander Schwartz
9425432f2c Handle HTTP response codes when retrieving data from remote endpoints 
Closes #20895
 2023-06-12 13:37:59 +02:00
rmartinc
f3fcf1f8c5 Session cross-reference / transaction mismatch 
Closes https://github.com/keycloak/keycloak/issues/20855
 2023-06-12 13:18:39 +02:00
Vlasta Ramik
ed473da22b
Clean-up of deprecated methods and interfaces 
Fixes #20877

Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com>
 2023-06-09 17:11:20 +00:00
rmartinc
61968bf747 Use OIDCAttributeMapperHelper.mapClaim in the GroupMembershipMapper 
Closes https://github.com/keycloak/keycloak/issues/19767
 2023-06-08 11:12:24 -03:00
Réda Housni Alaoui
eb9bb281ec Require user to agree to 'terms and conditions' during registration 2023-06-08 10:39:00 -03:00
Marek Posolda
8080085cc1
Removing 'http challenge' authentication flow and related authenticators (#20731) 
closes #20497


Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com>
 2023-06-08 14:52:34 +02:00
Saman-jafari
31db84e924 fix: issuedFor added to token to get client id into the token also redirect uri added to token and then passed to info template for "back to application" functionality 
test also added to check the availability of issueFor(azp) and redirect uri in Action
Fixes #14860
Fixes #15136
 2023-06-07 12:19:46 -03:00
Zvi Grinberg
b29ce53f6e Fix bug in regex policy evaluation that it ignored flatted user claims that are mapped by protocol mappers to complex JSON structure in access token( in the access token JWT it's key and value is a JSON by itself) 
fixes: #20436
Signed-off-by: Zvi Grinberg <zgrinber@redhat.com>
 2023-06-07 10:18:10 -03:00
Alice Wood
7e56938b74 Extend group search attribute functionality to account for use case where only the leaf group is required 2023-06-07 08:52:23 -03:00
ComplexSpaces
1af4a7a532
Pass webauthn signature algorithm IDs as integers instead of strings (#20832) 
closes #20831
 2023-06-07 11:46:16 +02:00
Pedro Hos
9ebd94a3a8 Userinfo endpoint doesn't accept charset #20671 
Closes 20671
 2023-06-07 08:08:05 +02:00
Bruno Sanches
ecf4dbfb18
Check if formData is empty before putting login hint (#20733) 
closes keycloak#20732
 2023-06-06 17:14:08 -04:00
Artur Baltabayev
041441f48f
Improved Reset OTP authenticator (#20572) 
* ResetOTP authenticator can now be configured, so that one or all existing OTP configurations are deleted upon reset.

Closes #8753
---------

Co-authored-by: bal1imb <Artur.Baltabayev@bosch.com>
 2023-06-06 08:30:44 -03:00
rmartinc
81aa588ddc Fix and correlate session timeout calculations in legacy and new map implementations 
Closes https://github.com/keycloak/keycloak/issues/14854
Closes https://github.com/keycloak/keycloak/issues/11990
 2023-06-05 18:46:23 +02:00
Alexander Schwartz
cd9e0be9f0 Filter first, then sort, and avoid atomics 
Closes #20394
 2023-06-05 11:23:54 +02:00
Pedro Igor
f69ff5d270 Execution config not duplicated when duplicating flows 
Closes #12012
 2023-06-01 16:12:06 +02:00
Erik Jan de Wit
f3c393f53e
use the "remember me" max time if set for expires (#20413) 
fixes: #9264
 2023-05-31 15:25:20 -04:00
Pedro Igor
53dfb44a8f
Migration guide for JAX-RS changes (#20659) 
Closes #keycloak/keycloak#15454
 2023-05-31 13:50:34 +00:00
mposolda
bf9c5821cb Fix for certificate revalidation 
closes https://security.snyk.io/vuln/SNYK-JAVA-ORGKEYCLOAK-5291542
 2023-05-31 15:42:37 +02:00
Takashi Norimatsu
a29c30ccd5 FAPI 2.0 security profile - not allow an authorization request whose parameters were not included in PAR request 
closes #20623
 2023-05-31 14:02:44 +02:00
Takashi Norimatsu
6b42c2b4d0 FAPI 2.0 security profile - Reject Implicit Grant executor does not return an appropriate error 
Closes #20622
 2023-05-30 18:24:50 +02:00
stianst
0832992e59 Removing OpenShift integration and moving to separate extension 
closes #20496

Co-authored-by: mposolda <mposolda@gmail.com>
 2023-05-30 17:39:32 +02:00
Pedro Igor
c22972af9c Avoid using user property mapper when resolving root user attributes 
Closes #20613
 2023-05-29 14:30:05 +02:00
Yoshiyuki Tabata
bd37875a66 allow specifying format of "permission" parameter in the UMA grant token 
endpoint (#15947)
 2023-05-29 08:56:39 -03:00
Jon Koops
98e5e9799b Improve third-party storage access detection and cookie fallback 2023-05-25 22:16:59 -03:00
Douglas Palmer
1b8901f5a2 Changing the email address has no impact at username regardless "Email as username" toggle 
closes #20459
 2023-05-25 07:54:03 -03:00
Peter Zaoral
72b238fb48
Keystore vault (#19644) 
* KeystoreVault SPI

* added KeystoreVault - a Vault SPI implementation (#19281)

Closes #17252

Signed-off-by: Peter Zaoral <pzaoral@redhat.com>
 2023-05-24 16:20:30 +00:00
Stefan Guilhen
2252b09949 Remove deprecated default roles methods 
Closes #15046
 2023-05-23 22:32:52 +02:00
i7a7467
e41e1a971a SLO and ACS Binding are linked with AuthnRequest Binding in SAML Identity Broker Metadata 
Closes #11079
 2023-05-22 10:05:17 +02:00
Artur Baltabayev
33215ab6f4
Added User-Session Note Idp mapper. (#19062) 
Closes #17659


Co-authored-by: bal1imb <Artur.Baltabayev@bosch.com>
Co-authored-by: Daniel Fesenmeyer <daniel.fesenmeyer@bosch.io>
Co-authored-by: Sebastian Schuster <sebastian.schuster@bosch.io>
 2023-05-18 13:47:10 +02:00
mkrueger92
256bb84cc4
Avoid NPE while fetching offline sessions (#17577) 2023-05-18 13:32:02 +02:00
Pedro Hos
c939b5b5ac NPE when updating a subflow in an authentication flow 
closes #19844
 2023-05-17 18:35:40 +02:00
danielFesenmeyer
d543ba5b56 Consistent message resolving regarding language fallbacks for all themes 
- the prio of messages is now as follows for all themes (RL = realm localization, T = Theme i18n files): RL <variant> > T <variant> > RL <region> > T <region> > RL <language> > T <language> > RL en > T en
- centralize the message resolving logic in helper methods in LocaleUtil and use it for all themes, add unit tests in LocaleUtilTest
- add basic integration tests to check whether realm localization can be used in all supported contexts:
  - Account UI V2: org.keycloak.testsuite.ui.account2.InternationalizationTest
  - Login theme: LoginPageTest
  - Email theme: EmailTest
- deprecate the param useRealmDefaultLocaleFallback=true of endpoint /admin/realms/{realm}/localization/{locale}, because it does not resolve fallbacks as expected and is no longer used in admin-ui v2
- fix locale selection in DefaultLocaleSelectorProvider that a supported region (like "de-CH") will no longer selected instead of a supported language (like "de"), when just the language is requested, add corresponding unit tests
- improvements regarding message resolving in Admin UI V2:
  - add cypress test i18n_test.spec.ts, which checks the fallback implementation
  - log a warning instead of an error, when messages for some languages/namespaces cannot be loaded (the page will probably work with fallbacks in that case)

Closes #15845
 2023-05-17 15:00:32 +02:00
Dominik Schlosser
8c58f39a49 Updates Datastore provider to contain full data model 
Closes #15490
 2023-05-16 15:05:10 +02:00
Takashi Norimatsu
7f5e94db87 KEYCLOAK-19539 FAPI 2.0 Baseline : Reject Implicit Grant 2023-05-16 14:17:29 +02:00
Alexander Schwartz
bd7f62acc3 Use retry-logic only for the map storage 
This is a performance optimization that the retry doesn't affect the legacy store.

Closes #20176
 2023-05-15 10:20:35 +02:00
Alexander Schwartz
754aac2f4e Avoid creating a NPE when closing 
This is a performance optimization and improved logging so it doesn't hide problems in the future.

Closes #20176
 2023-05-15 10:20:35 +02:00
Alexander Schwartz
0f481da77f Avoid creating instances of HashMap to generate a single MapEntry 
This is a performance optimization.

Closes #20176
 2023-05-15 10:20:35 +02:00
Alexander Schwartz
93373b9398 Cache theme root URI 
This is a performance optimization.

Closes #20176
 2023-05-15 10:20:35 +02:00
Martin Bartoš
5a96efad11 Do not display error log for initial admin creation 
Closes #15789

Co-authored-by: Steve Weixel <steve.weixel@quantum.com>
 2023-04-28 14:36:05 +02:00
Martin Bartoš
dcb7c498a4
Cannot find Generated annotation for ServicesLogger (#20021) 
Fixes #20020
 2023-04-28 11:37:44 +00:00
Peter Zaoral
a020d3f6df Quarkus3 branch sync no. 12 
31.3.2023:
* renamed imports from javax to jakarta as a part of the migration from JavaEE to JakartaEE

Signed-off-by: Peter Zaoral <pzaoral@redhat.com>
 2023-04-27 13:36:54 +02:00
Martin Bartoš
bc43e4f435 Integrate Jakarta Mail API 2.1.0 2023-04-27 13:36:54 +02:00
Peter Zaoral
0b4f40f89b Quarkus3 branch sync no. 8 
3.3.2023:
* renamed imports from javax to jakarta as a part of the migration from JavaEE to JakartaEE

Signed-off-by: Peter Zaoral <pzaoral@redhat.com>
 2023-04-27 13:36:54 +02:00
Peter Zaoral
c2d1cade8d Quarkus3 branch sync no. 7 
27.2.2023:
* renamed imports from javax to jakarta as a part of the migration from JavaEE to JakartaEE

Signed-off-by: Peter Zaoral <pzaoral@redhat.com>
 2023-04-27 13:36:54 +02:00
Martin Bartoš
64738ea708 Fix issues with JakartaEE Mail dependencies 
This reverts commit da4644844ed88818c05d777460624403326ab01c

---
Quarkus3 branch sync no. 12 (31.3.2023)
Resolved conflicts:
keycloak/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/sessionlimits/UserSessionLimitsTest.java - Modified
 2023-04-27 13:36:54 +02:00
Peter Zaoral
946eacd5b6 Quarkus3 branch sync no. 5 
10.2.2023:
* renamed imports from javax to jakarta as a part of the migration from JavaEE to JakartaEE
* fixed Undertow server not starting due to ClassNotFoundException: javax.transaction.TransactionManager

Signed-off-by: Peter Zaoral <pzaoral@redhat.com>
 2023-04-27 13:36:54 +02:00
vramik
f18f356a0b Update attribute name in HttpRequestImpl to jakarta. 
Closes #16721
 2023-04-27 13:36:54 +02:00
Martin Bartoš
b1da7bd613 Revert Mail API 
---
Quarkus3 branch sync no. 13 (11.4.2023)
Resolved conflicts:
keycloak/quarkus/pom.xml - Modified
---
Quarkus3 branch sync no. 12 (31.3.2023)
Resolved conflicts:
keycloak/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/sessionlimits/UserSessionLimitsTest.java - Modified
 2023-04-27 13:36:54 +02:00
Martin Bartoš
1f126647fe Update dependencies 2023-04-27 13:36:54 +02:00
Martin Bartoš
124591ce1a Adapters can still use Java EE 
- Provided all JavaEE dependencies for adapters
- Automatically build Undertow Jakarta EE for testsuite (missing SAML)
---
Quarkus3 branch sync no. 11 (24.3.2023)
Resolved conflicts:
keycloak/adapters/oidc/spring-security/pom.xml - Modified
---
Quarkus3 branch sync no. 7 (27.2.2023)
Resolved conflicts:
keycloak/pom.xml - Modified
---
Quarkus3 branch sync no. 5 (10.2.2023)
Resolved conflicts:
keycloak/testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/pom.xml - Modified
---
Quarkus3 branch sync no. 1 (18.1.2023)
Resolved conflicts:
keycloak/testsuite/integration-arquillian/tests/base/pom.xml - Modified
 2023-04-27 13:36:54 +02:00
Martin Bartoš
6118e5cfb7 Use JakartaEE dependencies 
---
Quarkus3 branch sync no. 14 (24.4.2023)
Resolved conflicts:
keycloak/pom.xml - Modified
---
Quarkus3 branch sync no. 5 (10.2.2023)
Resolved conflicts:
keycloak/pom.xml - Modified
 2023-04-27 13:36:54 +02:00
Martin Bartoš
7cff857238 Migrate packages from javax.* to jakarta.* 
---
Quarkus3 branch sync no. 14 (24.4.2023)
Resolved conflicts:
keycloak/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/federation/storage/ComponentExportImportTest.java - Modified
keycloak/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/DeclarativeUserTest.java - Modified
keycloak/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/federation/storage/FederatedStorageExportImportTest.java - Modified
keycloak/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/authentication/FlowTest.java - Modified
keycloak/services/src/main/java/org/keycloak/services/resources/admin/UserResource.java	- Modified
---
Quarkus3 branch sync no. 13 (11.4.2023)
Resolved conflicts:
keycloak/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/pages/AccountTotpPage.java - Deleted
keycloak/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/federation/storage/BackwardsCompatibilityUserStorageTest.java - Modified
---
Quarkus3 branch sync no. 12 (31.3.2023)
Resolved conflicts:
keycloak/quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/services/resources/QuarkusWelcomeResource.java - Modified
keycloak/services/src/main/java/org/keycloak/protocol/saml/profile/util/Soap.java - Modified
keycloak/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/util/UserInfoClientUtil.java - Modified
keycloak/services/src/main/java/org/keycloak/protocol/oidc/endpoints/UserInfoEndpoint.java - Modified
keycloak/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/sessionlimits/UserSessionLimitsTest.java - Modified
---
Quarkus3 branch sync no. 10 (17.3.2023)
Resolved conflicts:
keycloak/services/src/main/java/org/keycloak/protocol/saml/SamlProtocolUtils.java -	Modified
---
Quarkus3 branch sync no. 9 (10.3.2023)
Resolved conflicts:
keycloak/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/federation/kerberos/AbstractKerberosSingleRealmTest.java - Modified
keycloak/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/LoginTest.java - Modified
---
Quarkus3 branch sync no. 8 (3.3.2023)
Resolved conflicts:
keycloak/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/util/SamlClient.java	Modified - Modified
keycloak/services/src/main/java/org/keycloak/protocol/saml/SamlProtocol.java - Modified
keycloak/examples/providers/authenticator/src/main/java/org/keycloak/examples/authenticator/SecretQuestionAuthenticator.java - Modified
---
Quarkus3 branch sync no. 6 (17.2.2023)
Resolved conflicts:
keycloak/integration/admin-client/src/main/java/org/keycloak/admin/client/resource/ComponentsResource.java - Modified
keycloak/testsuite/utils/src/main/java/org/keycloak/testsuite/KeycloakServer.java - Modified
keycloak/services/src/main/java/org/keycloak/protocol/saml/installation/SamlSPDescriptorClientInstallation.java - Modified
---
Quarkus3 branch sync no. 5 (10.2.2023)
Resolved conflicts:
/keycloak/services/src/main/java/org/keycloak/social/google/GoogleIdentityProvider.java	Modified - Modified
keycloak/services/src/main/java/org/keycloak/social/twitter/TwitterIdentityProvider.java - Modified
---
Quarkus3 branch sync no. 4 (3.2.2023)
Resolved conflicts:
keycloak/quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/integration/jaxrs/QuarkusKeycloakApplication.java - Modified
---
Quarkus3 branch sync no. 1 (18.1.2023)
Resolved conflicts:
keycloak/testsuite/client/ClientPoliciesTest.java - Deleted
keycloak/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/ClientRegistrationTest.java - Modified
keycloak/model/map-jpa/src/main/java/org/keycloak/models/map/storage/jpa/JpaModelCriteriaBuilder.java - Modified
 2023-04-27 13:36:54 +02:00
rmartinc
04ac3a64ee Adding support for rsa-oaep for SAML encryption 
Closes https://github.com/keycloak/keycloak/issues/19689
 2023-04-26 10:46:10 +02:00
mposolda
a3f2ebb193 Ability to override default/built-in providers with same providerId. Using ProviderFactory.order() for choosing priority providers 
Closes #19867
 2023-04-25 18:04:58 +02:00
Hynek Mlnarik
3161c4424c Fix export / import tests relict 
Closes: #19812
 2023-04-19 22:17:49 +02:00
rmartinc
8e55a63f31 Do not allow add sub-flow to built-in workflow 
Closes https://github.com/keycloak/keycloak/issues/15536
 2023-04-19 11:12:49 +02:00
rmartinc
f051a0cdb3 Improve SessionCodeChecks to detect better the ALREADY_LOGGED_IN situation 
Closes https://github.com/keycloak/keycloak/issues/19677
 2023-04-18 10:35:47 -03:00
Marek Posolda
8d01109158
Invalid parameter redirect_uri when using an invalid client_id (#19731) 
closes #19662
 2023-04-17 15:12:59 +02:00
danielFesenmeyer
5554c62bea Change locale of user profile validation message to be resolved from authenticated user instead of validated user 
Closes #19707
 2023-04-14 11:51:15 -03:00
Stian Thorgersen
f4cabea08c
Make sure the code is bound to the user session (#18) (#17380) (#17389) 
Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com>
 2023-04-14 14:42:12 +02:00
Jon Koops
a2eb619e0e
Include Account Console version 3 as a theme (#19641) 2023-04-13 09:41:40 -04:00
eatikrh
396e2ba931
Allow users with 'view-users' permission to see the 'credentials' tab (#19587) 
Closes #17174
 2023-04-07 14:13:43 +02:00
alwibrm
9f15cf432b
Respecting key use of EC keys in JWKS 2023-04-03 19:06:25 -03:00
rmartinc
99330dbb6d Manage JsonProcessingException to not return error 500 when json data is wrong 
Closes https://github.com/keycloak/keycloak/issues/11517
 2023-04-03 18:07:34 +02:00
Hynek Mlnarik
0d5363d0d5 Throw an exception rather than returning response 
Closes: #17644
 2023-04-03 14:43:50 +02:00
Stan Silvert
c595e3430e
Add access to full group tree. Fix access for members tab. Add missing (#19423) 
props to Access object.
Fixes #17589
 2023-03-31 15:11:13 -04:00
mposolda
17c1b853e0 Custom implemention of OIDC Login Protocol doesn't get executed 
closes #19335
 2023-03-31 11:54:32 -03:00
rmartinc
c6a1820a47 Use SimpleHttp for SOAP calls 
Closes https://github.com/keycloak/keycloak/issues/17139
 2023-03-31 10:57:47 -03:00
Pedro Igor
6086201fe0 Do not verify identity cookie when processing required actions 
Closes #17539
 2023-03-31 09:56:27 +02:00
Robert Dey
044aca0863 Use replacePath() instead of path() 2023-03-30 12:03:43 -03:00
Robert Dey
4df73714e0 Fix totp manual link for proxy mode 
Closes #11774
 2023-03-30 12:03:43 -03:00
mposolda
709c6b5a47 Regressions in redirect URL verification when redirect_uri has encoded path or default port 
closes #16851
closes #16587
 2023-03-30 14:20:10 +02:00
Pedro Igor
48082d08ec Email visible on registration page when edit username is not allowed 
Closes #17439
 2023-03-30 08:11:30 +02:00
Michal Hajas
e49dfe534e Fix missing migration when reading TERMS_AND_CONDITIONS required action in legacy store 
Closes #17277
 2023-03-29 16:43:01 +02:00
Daniel Kobras
a45b5dcd90 Prefer cert over pubkey in SAML metadata 
If SAML key material was given as a certificate, consistently
expose the certificate rather than just the public key when
presenting SAML metadata info. This change ensures that the
client obtains sufficient information (eg. issuer) to close
the trust chain.

Closes: #17549

Signed-off-by: Daniel Kobras <kobras@puzzle-itc.de>
 2023-03-29 11:17:24 +02:00
Marek Posolda
032ece9f7b
Clarify user session limits documentation and test SSO scenario (#19372) 
Closes #17374


Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com>
 2023-03-29 10:08:45 +02:00
rmartinc
2bb9de1a8c Allow application/jwt media type for userinfo endpoint 
Closes: https://github.com/keycloak/keycloak/issues/19346
 2023-03-28 08:47:35 -03:00
Pedro Igor
a9c605750d Returning email as username setting for admins 
Fixes #17591
 2023-03-27 16:33:44 -03:00
Alexander Schwartz
ccec3639ff Update provider to create documentation entries for its properties 
Closes #17565
 2023-03-27 09:03:41 -03:00
Alexander Schwartz
251f6151e8 Rework the Import SPI to be configurable via the Config API 
Also rework the export/import CLI for Quarkus, so that runtime options are available.

Closes #17663
 2023-03-24 15:28:55 -03:00
Klajdi Paja
cf61a65198 Return a user friendly message when a group name already exists on the same level. 
Closes #16888
 2023-03-24 08:13:49 +01:00
Douglas Palmer
a48db930fe Theme resource common path is always /keycloak/common 
Closes #17569
 2023-03-24 08:11:21 +01:00
Ayrat Hudaygulov
f578f91a0b Fix ID token not being sent after expiration for OIDC logout 
Closes #10164
 2023-03-23 13:01:02 +01:00
Konstantinos Georgilakis
fd28cd2d4b Service Accounts Client must create the Client ID mapper with Token Claim Name as client_id 
closes #16329
 2023-03-23 11:45:34 +01:00
tomjo
705d20d4a2 AllowAllDockerProtocolMapper now allows multiple resourceScopes delimited by spaces as specified by the docker auth token spec. 
Closes #17187
 2023-03-23 09:43:43 +01:00
rmartinc
bef0a4a6f1 Check frontendUrl in the hostname providers 
Closes https://github.com/keycloak/keycloak/issues/17686
 2023-03-20 18:54:58 -03:00
rmartinc
cab7e50410 Better handling for SAML signatures in POST and REDIRECT bindings 
Closes https://github.com/keycloak/keycloak/issues/17456
 2023-03-15 09:06:59 -03:00
vramik
25d6161ebd Remove ClearExpiredUserSessions, ClearExpiredClientInitialAccessTokens and ClearExpiredEvents from services module 
Closes #13835
 2023-03-10 09:09:51 +01:00
Douglas Palmer
4a382752aa Reverted back to Parser from CachingParser due to thread safety concerns 
closes #16729
 2023-03-09 17:50:39 +01:00
Douglas Palmer
181e1b914f Update to UA Parser 1.5.4 and use CachingParser 
closes #16729
 2023-03-08 11:46:39 +01:00
Tero Saarni
9052ec2b02
Add admin events for realm create/delete. (#10831) 
Closes #10733
 2023-03-07 15:57:06 +01:00
Simon Levermann
96c1cf3c49 Allow mapping of UserSessionNotes into UserInfo 
Fixes #15369
 2023-03-07 15:25:14 +01:00
rmartinc
a56b38c5a6 Don't remove session and don't reset restart cookie if passive check error 
Closes https://github.com/keycloak/keycloak/issues/11340
 2023-03-07 15:10:09 +01:00
rmartinc
06ff8b016c Don't set REMEMBER_ME if it's disabled at realm level 
Closes https://github.com/keycloak/keycloak/issues/11330
 2023-03-07 15:01:58 +01:00
Alexander Schwartz
f6f179eaca Rework the export to use CLI options and property mappers 
Also, adding the wiring to support Model tests for the export.

Closes #13613
 2023-03-07 08:22:12 +01:00
mposolda
a0192d61cc Redirect loop with authentication success but access denied at default identity provider 
closes #17441
 2023-03-06 10:45:01 +01:00
Michal Hajas
465019bec4 Extract attachDevice outside of storage layer 
Closes #17336
 2023-03-03 17:58:34 +01:00
Zakaria Amine
fb5a7f654b
trigger IDENTITY_PROVIDER_FIRST_LOGIN (and UPDATE_PROFILE ) event when identity provider flow succeeds (#15100) 
closes #15098
 2023-03-03 17:49:27 +01:00
Jon Koops
972ebb9650
Use a valid SemVer format for the SNAPSHOT version (#17334) 
* Use a valid SemVer format for the SNAPSHOT version

* Update pom.xml

* Update pom.xml

---------

Co-authored-by: Stian Thorgersen <stianst@gmail.com>
Co-authored-by: Stian Thorgersen <stian@redhat.com>
 2023-03-03 11:11:44 +01:00
mposolda
b28bde542f referrer_url is not correctly computed in account console 
closes #16484
 2023-03-01 20:49:15 +01:00
Marek Posolda
59f4fe1c60
NPE on Theme after upgrade to 21 when parent or import theme not exists (#17350) 
* NPE on Theme after upgrade to 21 when parent or import theme not exists
closes #17313

* Update per review
 2023-03-01 15:46:37 +00:00
mghalbi
e19e7bef2d fix error in check mediaType 2023-02-27 14:34:32 -03:00
mghalbi
116b2fed0c Added check for the presence of Content-Type header in the request 2023-02-27 14:34:32 -03:00
Pedro Igor
fbf5541802 Remove duplicated set-cookie header from response when expiring cookies 
Closes #17192
 2023-02-27 14:17:27 -03:00
lpa
3cd413dee1 SOAP backchannel logout for SAML protocol 
Closes #16293
 2023-02-27 14:24:12 +01:00
rmartinc
38a46726e4 Implement UserInfoTokenMapper in HardcodedRole and RoleNameMapper mappers 
Closes https://github.com/keycloak/keycloak/issues/15624
 2023-02-27 10:14:48 -03:00
mposolda
f180115d27 Log some details if error happens in CIBA authentication request 
Closes #14650
 2023-02-23 14:36:28 +01:00
Yohan Siguret
82423f38a1 Add user id to TOKEN_EXCHANGE events 
Co-authored-by: thaDude <ogdude@googlemail.com>
 2023-02-22 17:13:48 -03:00
Hynek Mlnarik
878debd2ab Forbid changing ID 
Closes: #16881
 2023-02-22 17:19:22 +01:00
Marek Posolda
b9ab942ef8
FIPS related docs (#17196) 
* FIPS related docs
Closes #16444 #12432 #12429

Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com>
 2023-02-22 12:47:15 +01:00
Alexander Schwartz
54048f1e6c Callers need to indicate if cookies need to be set at the end of the transaction 
Closes #17141
 2023-02-21 11:54:32 +01:00
Douglas Palmer
1d75000a0e Create an SPI for DeviceActivityManager 
closes #17134
 2023-02-20 09:29:11 +01:00
Zakaria Amine
0972edd6a5
Fix label for IdpReviewProfileAuthenticatorFactory (take 2) (#17062) 
Use static english text for IdpReviewProfileAuthenticatorFactory label config
Closes #16658
 2023-02-16 19:16:00 +01:00
drohwer89
4ff180da64
Terminating all sessions above the session limit (#16068) 
Adjusts implementation of UserSessionLimitsAuthenticator to terminate all sessions above the session limit.

Closes #14689

Co-authored-by: Marek Posolda <mposolda@gmail.com>
 2023-02-16 17:56:59 +01:00
summersab
a64f6dcfc2 Update TotpBean.java 
Add a `getUsername()` method to the `TotpBean` class so usernames can be used in the TOTP templates.
 2023-02-16 08:13:39 -03:00
sui.jieqiang
1f6fa0501c Fix search user groups without limit 
Closes #12649
 2023-02-15 15:50:46 +01:00
Pedro Igor
9e46b9e43f Handling events after transaction completion using a separate session 
Closes #15656
 2023-02-14 13:10:57 +01:00
Alexander Schwartz
d4604984d0
Compatibility with Maven4 and parallel builds (#16312) 
Closes #16308
 2023-02-14 11:44:53 +01:00
laskasn
dc8b759c3d Use encryption keys rather than sig for crypto in SAML 
Closes #13606

Co-authored-by: mhajas <mhajas@redhat.com>
Co-authored-by: hmlnarik <hmlnarik@redhat.com>
 2023-02-10 12:06:49 +01:00