Commit graph

3975 commits

Author SHA1 Message Date
Takashi Norimatsu
a10eef882f DeviceTokenRequestContext.getEvent returns a wrong ClientPolicyEvent
Closes #12455
2022-06-22 13:01:35 +02:00
Takashi Norimatsu
d396ee7d30 CIBA flow : no error on invalid scope
Closes #12589
2022-06-22 12:55:55 +02:00
rmartinc
711440e513 [#11036] Identity Providers: Add support for elliptic curve signatures (ES256/ES384/ES512) using JWKS URL 2022-06-21 10:52:25 -03:00
Stefan Guilhen
7d96f3ad5a Events Map JPA implementation
Closes #9667
2022-06-21 13:53:48 +02:00
Hynek Mlnarik
26198e4b0b Disable tests irrelevant for map storage 2022-06-21 08:53:06 +02:00
Alexander Schwartz
d41764b19b Inline deprecated methods in legacy code 2022-06-21 08:53:06 +02:00
Alexander Schwartz
08bbb1fb92 Move LDAP REST Endpoints to LDAP package
- Thus remove implicit dependency on services on the legacy modules
- Disable tests for LDAP/Kerberos that won't work when map storage is enabled
2022-06-21 08:53:06 +02:00
Alexander Schwartz
1bc6133e4e redirect calls to userLocalStorage from legacy modules (federation, ldap, sssd, kerberos) 2022-06-21 08:53:06 +02:00
Hynek Mlnarik
e396d0daa1 Renaming SingleUserCredentialManager and UserModel.getUserCredentialManager():
- class SingleUserCredentialManager to SingleEntityCredentialManager
- method UserModel.getUserCredentialManager() to credentialManager()

Renaming of API without "get" prefix to make it consistent with other APIs like for example with KeycloakSession
2022-06-21 08:53:06 +02:00
Alexander Schwartz
6f287e7ded Avoid using methods on UserCredentialStoreManager 2022-06-21 08:53:06 +02:00
Alexander Schwartz
82094d113e Move User Storage SPI, introduce ExportImportManager 2022-06-21 08:53:06 +02:00
Hynek Mlnarik
703e868a51 Preparation for moving User Storage SPI
- Introduction of new AdminRealmResource SPI
- Moving handler of /realm/{realm}/user-storage into model/legacy-service
- session.users() and userStorageManager() moved refers legacy module
  IMPORTANT: Broken as UserStorageSyncManager is not yet moved
2022-06-21 08:53:06 +02:00
Hynek Mlnarik
247ff52187 Introduce legacy datastore module and update dependencies 2022-06-21 08:53:06 +02:00
Martin Bartoš
d8112d7b7e
DB migration tests execution for Quarkus (#12525)
Closes #12524
2022-06-20 10:12:37 +02:00
Alexander Schwartz
71e7982a49 Adding central time offset reset in model tests as it was missing for AuthenticationSessionTest and UserSessionPersisterProviderTest
Also adding try/finally in other places in the integration tests where it was missing.

Closes #12530
2022-06-16 13:42:55 +02:00
nehachopra27
39cff0750c
[Fix keycloak#12385] Update option to run kc.bat on windows instead of kc.sh (#12386)
Co-authored-by: nchopra <nchopra@redhat.com>

Resolves #12385
2022-06-15 11:29:11 -03:00
Martin Bartoš
0fef4305b6 Logout confirm page is failing to log the user out on auth-server-wildfly
Fixes #11753
2022-06-14 10:46:02 +02:00
mposolda
3aefb59d40 Fix test failure in X509BrowserCRLTest on IBM JDK. Don't display details of exception message to the end user
Closes #12458
2022-06-14 10:44:31 +02:00
Alexander Schwartz
c2043da78e When asserting a URL, allow for some time for any redirect to complete.
Closes #12446
2022-06-14 07:30:31 +02:00
Christoph Leistert
442eff0169
Closes #11851: Apply localization text from realm default locale when it is not defined for the requested language. (#11852) 2022-06-10 14:36:11 -04:00
Alexander Schwartz
361a813d81 Keep a list of model instances in the JPA map session.
This allows removing them from the persistence context on bulk delete.

Closes #12384
2022-06-09 12:39:04 -03:00
Joerg Matysiak
3c19ad627f Respect permissions configured to firstName and lastName when configured in user profile
Resolves #12109
2022-06-09 10:10:15 -03:00
Pedro Igor
8aecba1795 Fixing how realm frontendurl is cached when resolving the hostname
Closes #11894
2022-06-08 16:41:25 -03:00
Alexander Schwartz
9272c7a5ec Allow for the backend to return granted scopes in any order.
Closes #12395
2022-06-08 08:39:14 -03:00
Pedro Igor
243e63c9f3 Do not set empty permissions to username and email attributes
Closes #11647
2022-06-07 10:59:35 -03:00
Sebastian Schuster
a0c402b93a
11198 added event information to consent granting and revocation via REST API (#11199) 2022-06-07 11:29:20 +02:00
Stian Thorgersen
e49e8335e0
Refactor BouncyIntegration (#12244)
Closes #12243
2022-06-07 09:02:00 +02:00
rmartinc
5332a7d435 Issue #9194: Client authentication fails when using signed JWT, if the JWA signing algorithm is not RS256 2022-06-06 12:07:09 +02:00
Takashi Norimatsu
3889eeda30 Client Policies: pkce-enforcer executor with client-access-type condition is not applied on client change via Admin API
Closes #12295
2022-06-06 11:30:48 +02:00
mposolda
f90fbb9c71 Changing locale on logout confirmation did not work
Closes #11951
2022-05-31 16:03:58 +02:00
Takashi Norimatsu
d083b6c484 ciba http auth channel sends client_id and client_secret via delegation request
Closes #10993
2022-05-31 08:22:50 +02:00
vramik
be28e866b9 JPA map storage: Authorization services no-downtime store
Closes #9669
2022-05-30 21:05:34 +02:00
Pedro Igor
ea22989d89 Fixing ClientTokenExchangeTest to also run when TLS is disabled
Closes #11818
2022-05-30 11:23:46 -03:00
Pedro Hos
e121371401 /clients-registrations API doesn't return secret anymore and is not coherent #11116
/clients-registrations API doesn't return secret anymore and is not coherent

fixing merge

/clients-registrations API doesn't return secret anymore and is not coherent

fixing test that was failing

Replace tabs with regular spaces

fixing indentation

/clients-registrations API doesn't return secret anymore and is not coherent. Closes #11116

fixing test that was failing
2022-05-30 15:18:56 +02:00
mposolda
4222de8f41 OIDC RP-Initiated Logout POST method support
Closes #11958
2022-05-30 14:10:58 +02:00
Marek Posolda
cf386efa40
Support for client_id parameter in OIDC RP-Initiated logout endpoint (#12202)
Closes #12002


Co-authored-by: Martin Bartoš <mabartos@redhat.com>
2022-05-27 14:12:37 +02:00
Luca Leonardo Scorcia
27650ab816 Fix #10982 SAML Client - Introduce SAML Issuer validation 2022-05-27 10:58:10 +02:00
Michal Hajas
bc59fad85b Unify way how expirable entities are handled in the new store
Closes #11947
2022-05-26 13:17:27 +02:00
Martin Kanis
0cb3c95ed5 Map storage: Single-use objects (action token) 2022-05-25 16:47:10 +02:00
Martin Bartoš
86f31e8df5 Fix BlacklistPasswordPolicyDefaultPath Failures on Windows
Fixes #11967
2022-05-24 17:26:19 -03:00
vramik
24171d2e47 Rename providers from jpa-map-storage to jpa
Closes #12098
2022-05-23 16:47:51 +02:00
vramik
0c3aa597f9 JPA map storage: test failures after cache was disabled
Closes #12118
2022-05-23 13:01:30 +02:00
vramik
f8ca25d4a4 Add a profiles testsuite for jpa-map storage
Closes #12045
2022-05-20 09:17:33 +02:00
Stian Thorgersen
075e284455
Remove legacy (non-Elytron) WildFly adapter (#11789)
Closes #11683
2022-05-18 10:34:47 +02:00
Michal Hajas
0bda7e6038 Introduce map event store with CHM implementation
Closes #11189
2022-05-17 12:57:35 +02:00
Michal Hajas
b86f205cda Make KeycloakServer runnable with external Infinispan server
Closes #12011
Closes #12014
2022-05-16 21:50:35 +02:00
Takashi Norimatsu
9541852a9b ID token encryption without specifying id_token_encrypted_response_enc does not follow OIDC Dynamic Client Registration specification
Closes #11392
2022-05-16 09:05:22 +02:00
Takashi Norimatsu
7fa24d247a Deprecated org.keycloak.jose.jws.Algorithm is used in OIDCAdvancedConfigWrapper
Closes #11394
2022-05-16 08:56:57 +02:00
Martin Kanis
0d6bbd437f
Merge single-use token providers into one
Fixes first part of: #11173

* Merge single-use token providers into one

* Remove PushedAuthzRequestStoreProvider

* Remove OAuth2DeviceTokenStoreProvider

* Delete SamlArtifactSessionMappingStoreProvider

* SingleUseTokenStoreProvider cleanup

* Addressing Michal's comments

* Add contains method

* Add revoked suffix

* Rename to SingleUseObjectProvider
2022-05-11 13:58:58 +02:00
Michal Hajas
d3b43a9f59 Make sure there is always Realm or ResourceServer when searching for authz entities
Closes #11817
2022-05-11 07:20:01 -03:00
Réda Housni Alaoui
5d87cdf1c6
KEYCLOAK-6455 Ability to require email to be verified before changing (#7943)
Closes #11875
2022-05-09 18:52:22 +02:00
Michal Hajas
6b5c417742 Add HotRod store for authorization services
Closes #9679
2022-05-06 15:31:38 +02:00
Stian Thorgersen
491b3262de
Remove Jetty 9.2 and 9.3 adapters (#11792)
Closes #11791
2022-05-04 15:24:46 +02:00
Sven-Torben Janus
0efa4afd49 Evaluate composite roles for hardcoded LDAP roles/groups
Closes: 11771

see also KEYCLOAK-18308
2022-05-02 14:13:37 +02:00
Stian Thorgersen
52ca546cfa
Remove Fuse adapters (#11740)
Closes #11677
2022-05-02 09:55:52 +02:00
Stian Thorgersen
b65d76edab
Remove EAP6 and AS7 adapters (#11605)
Closes #11604
2022-04-28 11:20:44 +02:00
vramik
2ecf250e37 Deletion of all objects when realm is being removed
Closes #11076
2022-04-28 11:09:17 +02:00
Alexander Schwartz
29233f33c8 Clear import/export properties at the end of the test
This avoids the pollution of system properties that might lead to failures following tests.

Closes #11670
2022-04-28 11:02:16 +02:00
Douglas Palmer
fdcbc9b27b
Automated test for session-limits authenticator with identity brokering (post-broker login flow) (#11723)
Closes #11004
2022-04-28 10:29:41 +02:00
vramik
5248815091 Disable infinispan realm and user cache for map storage tests
Closes #11213
2022-04-25 09:38:49 +02:00
Martin Bartoš
53ea60b8d5
Remove support for IE (#11271)
Closes #11268
2022-04-22 10:38:41 +02:00
Pedro Igor
76d83f46fa
Avoid clients exchanging tokens using tokens issued to other clients (#11542) 2022-04-20 19:14:55 +02:00
Stian Thorgersen
ac79fd0c23
Disallow special characters in usernames to prevent confusion with similarly looking usernames (#11531)
Closes #11532

Co-authored-by: Douglas Palmer <dpalmer@redhat.com>
2022-04-20 15:53:15 +02:00
Stefan Guilhen
b29b27d731 Ensure code does not rely on a particular format for the realm id or component id 2022-04-20 14:40:38 +02:00
Pedro Igor
2cb5d8d972
Removing upload scripts feature (#11117)
Closes #9865

Co-authored-by: Michal Hajas <mhajas@redhat.com>
2022-04-20 14:25:16 +02:00
Martin Bartoš
3aa3db16ea
Fix error response for invalid characters (#11533)
Fixes #11530
2022-04-20 11:26:08 +02:00
Pedro Igor
f1fd7af758
Remove policies when user is deleted (#11385)
Closes #11284
2022-04-20 09:23:46 +02:00
m-takai
5f0e27a792 Add duplicate parameters check process in Device Authz Endpoint.
AuthorizationEndpointRequest class already checks duplicated parameters but DeviceEndpoint class has not checked its error. Thus a check process is added in handleDeviceRequest()

Closes #11294
2022-04-19 14:20:39 +02:00
Pedro Igor
c5e4dc8cec
Associated permissions should only add resource type permissions if the resource is an instance (#11220)
Closes #11148
2022-04-19 09:10:14 +02:00
Martin Kanis
a2d7cd7a5c Hot Rod map storage: User / client session no-downtime store 2022-04-14 15:34:22 +02:00
msvechla
820ab52dce
Add support for filtering by enabled attribute on users count endpoint (#9842)
Resolves #10896
2022-04-13 13:57:22 -03:00
Giacomo Altiero
3b7243cd47
Support for UserInfo response encrypted (#10519)
Close #10517
2022-04-12 14:01:14 +02:00
Alexander Schwartz
a6dd9dc0f1 Avoiding AvlPartitionFactory and using JdbmPartitionFactory for the embedded LDAP to work around unstable tests.
Fix for #11171 didn't turn out to cover the root cause. Also improved transaction handling in LDAP Map storage.

Closes #11211
2022-04-12 09:12:21 +02:00
Alexander Schwartz
5c810ad0e5 Avoid short-lived connections for ApacheDS to avoid messages around "ignoring the message MessageType UNBIND_REQUEST"
The comment in LdapRequestHandler.java in ApacheDS notes just before discarding an unbind request: "in some cases the session is becoming null though the client is sending the UnbindRequest before closing".

Also implementing a retry logic for all remaining errors regarding LDAP.

Closes #11171
2022-04-11 10:03:15 +02:00
Pedro Igor
834a276767 NPE when caching policies based on scopes without a resource
Closes #11180
2022-04-08 08:43:08 -03:00
Michal Hajas
1f2ebf4cba Add HotRod no downtime store for Realms
Closes #9670
2022-04-08 09:36:01 +02:00
Pedro Igor
b4770c30fd Fixing NPE when querying resources by type
Closes #11137
2022-04-07 15:10:20 -03:00
Tyler Andor
caebe50d7e
Updates patternfly libs and fixes breaking changes (#10748)
adding nvmrc

CIAM-1048 Device Activity screen PF updates

CIAM-1046: Personal Info sub-header update

Updates SigningInPage to use EmptyState component when there are no credentials.

rearranged some components used in signing in page

Displays ApplicationPage content in description list.

Updates refresh link on ContentPage, updates Resources screen.

CIAM-1049 Linked Accounts screen PF updates

CIAM-1043-General upstream updates

Updates AccountPage to display form errors.

fix: display Set up Authenticator Application link on large viewport

fix(page structure): rearranges page sections

CIAM-1254/Personal info PF4 updates & Sidebar text updates

updating layouts

updating layout on Signing in and Linked accounts

adding patternfly-additions

adding patternfly-addons styles

Updates Application page based on designs feedback.

moving page description

Updates status label on Applications page to be capitalized.

Updates the copy-fonts script for keycloak.v2 to copy all font directories instead of one.

update Personal info screen - set max width of 600px for form input fields

update Personal info - remove required indicator from input fields

General updates (#2)

* removed the extra lines being shown

* tweaked general spacing

* general alignment and spacer application

* refactor to get proper alignments without css globals

* forgot to add the conditional on displaying the set up buttons

* try and adjust the alignments

Co-authored-by: zwitter <zwitter@redhat.com>

resolve merge conflicts

Device activity updates (#4)

* update text to sentence case

* update device info columns to be dynamic across various viewport sizes

* update signed in device layout

* update based on feedback

Co-authored-by: Jon Szeto <jszeto@redhat.com>

Linked accounts update (#3)

* linked accounts screen - updated icons & Linked/Unlinked Login Providers layout & update text to sentence case

Co-authored-by: Jon Szeto <jszeto@redhat.com>

fixing ts errors

cleaning up fonts and messages

final review updates

message update for Back to admin console link

fixing capitalization on 2fa

updating landing page welcome message

fix: reposition Back to... link

adjusting size for confirm modal

updating spacing and alignment issues

updating resources page

removing unused header class

fixes ts issues and updates node version to match the themes install

npm updates

fixing pf addons

adding chokidar to get babel:watch working

fixing issues from pull request feedback

fixing tests

fixes signingin page test

fixing tests

Co-authored-by: Tyler Andor <tandor@highereducation.com>
2022-04-06 13:00:38 +02:00
Stian Thorgersen
7c64f28934
Change admin console to load keycloak.js using a relative URL (#11109)
* Change admin console to load keycloak.js using a relative URL

Closes #11108

* fix tests

Co-authored-by: Dominik Guhr <dguhr@redhat.com>
2022-04-06 09:35:26 +02:00
Michal Hajas
4c20388eb7 Remove SOAPException from SOAPBindingTest as RunOnServer cannot load it
Closes #11090
2022-04-04 15:53:55 +02:00
Martin Kanis
395bd447f2 Hot Rod map storage: Login failure no-downtime store 2022-04-01 20:43:18 +02:00
Douglas Palmer
f57d0dd100
Automated tests for session limits authenticator (browser, direct grant, reset password) (#11046)
Closes #11003
2022-04-01 18:44:38 +02:00
Michal Hajas
44000caaf5 KEYCLOAK-19177 Disable ECP flow by default for all Saml clients; ecp flow creates only transient users sessions 2022-03-31 16:06:44 +02:00
Teubner, Malte
b5f70d8a32 Add scope parameter to admin-client TokenManager.
Closes #10759
2022-03-31 10:56:08 -03:00
iingawal
6016b461db
Fix for "updatedAt" user attribute in "profile" client scope should use number instead of String (#11020)
Closes #10081


Co-authored-by: Indrajit Ingawale <iingawal@iingawal.pnq.csb>
2022-03-31 14:33:03 +02:00
Marek Posolda
aacae9b9ac
Support for frontchannel_logout_session_required OIDC client parameter (#11009)
* Support for frontchannel_logout_session_required OIDC client parameter
Closes #10137
2022-03-31 14:25:24 +02:00
Marek Posolda
22a16ee899
OIDC RP-Initiated logout endpoint (#10887)
* OIDC RP-Initiated logout endpoint
Closes #10885

Co-Authored-By: Marek Posolda <mposolda@gmail.com>

* Review feedback

Co-authored-by: Douglas Palmer <dpalmer@redhat.com>
2022-03-30 11:55:26 +02:00
Andrea Peruffo
da5db5a813
Fix NPEs during realm import (#10962)
Closes #10961
2022-03-29 21:48:37 +02:00
Marcelo Daniel Silva Sales
091b1472ce
Introduce client secret rotation dynamic registration (#10952)
Closes #10609
2022-03-28 20:39:11 +02:00
Konstantinos Georgilakis
99fa6275c1 KEYCLOAK-19313 configure the name format in Attribute Importer IdP Mapper 2022-03-25 09:42:22 +01:00
Takashi Norimatsu
9c01d819cb Client Policies : An executor rejecting all requests
Closes #9097
2022-03-23 12:45:38 +01:00
Marcelo Daniel Silva Sales
6efa45f93e
Update secret rotation when the policy is enabled using jwt (#10853)
Closes #10666
2022-03-23 08:25:58 +01:00
Martin Kanis
e493b08fa7 Add expiration field to root authentication session 2022-03-23 07:47:47 +01:00
Michal Hajas
99c06d1102
Authorization services refactoring
Closes: #10447 

* Prepare logical layer to distinguish between ResourceServer id and client.id
* Reorder Authz methods: For entities outside of Authz we use RealmModel as first parameter for each method, to be consistent with this we move ResourceServer to the first place for each method in authz
* Prepare Logical (Models/Adapters) layer for returning other models instead of ids
* Replace resourceServerId with resourceServer model in PermissionTicketStore
* Replace resourceServerId with resourceServer model in PolicyStore
* Replace resourceServerId with resourceServer model in ScopeStore
* Replace resourceServerId with resourceServer model in ResourceStore
* Fix PermissionTicketStore bug
* Fix NPEs in caching layer
* Replace primitive int with Integer for pagination parameters
2022-03-22 20:49:40 +01:00
Alexander Schwartz
fb92b95c33 Revert from getParameterCount() to getParameterTypes().length to be Java 1.7 compatible.
This reverts commit bc27c7c464.

Closes #10840
2022-03-22 10:23:25 +01:00
keycloak-bot
c71aa8b711
Set version to 999-SNAPSHOT (#10784) 2022-03-22 09:22:48 +01:00
Martin Kanis
0faf3987f6 Hot Rod map storage: Authentication session no-downtime store 2022-03-22 09:05:52 +01:00
Pedro Igor
ffa6df5547
Fixes to hostname (#10820)
Closes #10627
Closes #10331
2022-03-22 08:11:50 +01:00
Joaquim Fellmann
92c4e6d585
KEYCLOAK-16134 Allow webauthn idless login flow (#7860)
Closes #10832
2022-03-21 11:37:33 +01:00
Clara Fang
bc27c7c464 Replace occurrences of getParameterTypes().length and getParameters().length with getParameterCount()
Closes #10333
2022-03-18 11:20:52 +01:00
Michal Hajas
c18a682f50 Do not store undefined values in store
Closes #10744
2022-03-17 16:44:33 +01:00
mposolda
9e12587181 Protocol mapper and client scope for 'acr' claim
Closes #10161
2022-03-11 09:23:25 +01:00
Martin Bartoš
8ee7ae24de Make WebAuthn feature default for the product version
Closes #10695
2022-03-10 19:00:54 +01:00
Ivan Atanasov
5c6b123aff
Support for the Recovery codes (#8730)
Closes #9540


Co-authored-by: Zachary Witter <torquekma@gmail.com>
Co-authored-by: stelewis-redhat <91681638+stelewis-redhat@users.noreply.github.com>
2022-03-10 15:49:25 +01:00
Martin Bartoš
8a0f1ccb34 Properly execute AuthenticationFlowCallbackProviderTest with Map storage
Closes #10268, Closes #10225
2022-03-10 15:00:23 +01:00
rmartinc
a7c8aa1dd3
[#10616] Incorrect username logged for federated accounts (#10662)
Closes #10616
2022-03-10 13:21:39 +01:00
Marcelo Daniel Silva Sales
0c25da542c
Update secret rotation when the policy is disabled (#10674)
Closes #10667
2022-03-10 13:03:09 +01:00
Alexander Schwartz
18f391d8c4 Fix spelling error in field and classname
It's always a converter, unless electricity is involved.

Closes #10573
2022-03-09 08:28:52 -03:00
Marcelo Daniel Silva Sales
7335abaf08
Keycloak 10489 support for client secret rotation (#10603)
Closes #10602
2022-03-09 00:05:14 +01:00
mposolda
d394e51674 Introduce profile 'feature' for step-up authentication enabled by default
Closes #10315
2022-03-08 14:42:46 +01:00
rmartinc
48565832d4 [#10608] Password blacklists folder 2022-03-08 08:22:34 -03:00
mposolda
93bba8e338 Replace 'Store LoA in User Session' with 'Max Age'. Refactoring of step-up authentications related to that.
Closes #10205
2022-03-08 10:41:05 +01:00
Martin Bartoš
02d0fe82bc Auth execution 'Condition - User Attribute' missing
Closes #9895
2022-03-08 08:24:48 +01:00
Michal Hajas
f77ce315bb Disable Authz caching for new storage tests
Closes #10500
2022-03-07 10:22:55 -03:00
Michael Parlee
722ce950bf Improve user search performance
Removes bulder.lower() from user search queries on email and username.

Closes #8893
2022-03-04 14:15:14 +01:00
Takashi Norimatsu
201277b897 Handle OIDC authz request with "response_type" missing and "response_mode=form_post"
Closes #10144
2022-03-04 13:31:40 +01:00
Takashi Norimatsu
92f6c75328 Nonce parameter should be required in authorizationEndpoint only when "id_token" is included in response_type
Closes #10143
2022-03-03 13:26:39 +01:00
Daniel Gozalo
76101e3591 [fixes #9225] - Get scopeIds from the AuthorizationRequestContext instead of session if DYNAMIC_SCOPES are enabled
Add a test to make sure ProtocolMappers run with Dynamic Scopes

Change the way we create the DefaultClientSessionContext with respect to OAuth2 scopes, and standardize the way we obtain them from the parameter
2022-03-01 13:47:58 +01:00
stianst
5ef8265b75 Remove Tomcat 7 adapter
Closes #9428
2022-02-28 07:50:36 +01:00
mposolda
52712d2c82 ACR support in the javascript adapter
Closes #10154
2022-02-24 20:07:50 +01:00
Martin Kanis
6249e34177 Hot Rod map storage: Client scope no-downtime store 2022-02-24 13:30:27 +01:00
Michal Hajas
b4281468d0 Convert Map Realm Entities into interfaces
Closes #9736
2022-02-24 13:23:19 +01:00
Vlasta Ramik
aa6a131b73
Change String client.id to ClientModel client in ResourceServerStore
Closes #10442
2022-02-24 12:46:26 +01:00
Pedro Igor
209df44641
Fixing responses when unexpected errors occurs (#10383)
Closes #10338
2022-02-23 07:44:25 +01:00
Marek Posolda
8c3fc5a60e
Option for client to specify default acr level (#10364)
Closes #10160
2022-02-22 07:54:30 +01:00
Marek Posolda
caf37b1f70
Support for acr_values_supported in OIDC well-known endpoint (#10265)
* Support for acr_values_supported in OIDC well-known endpoint
closes #10159
2022-02-18 11:33:31 +01:00
Filipe Bojikian Rissi
323c08c8cc
KEYCLOAK-19519 Encryption algorithm RSA-OAEP with A256GCM (#8553)
Closes #10300
2022-02-17 17:41:54 +01:00
Martin Bartoš
314d303a99 Possibility to ignore tests for particular browsers
Closes #10213
2022-02-17 09:02:11 +01:00
Pedro Igor
a9668d14ce Proper error response when handing unexpected errors
Closes #10176
2022-02-16 15:35:38 -03:00
Martin Bartoš
bbe9ab38bc Unstable AuthenticationFlowCallbackProviderTest for undertow-map
Closes #10225
2022-02-16 15:49:08 +01:00
Pedro Igor
7da3953435 Path parameter is missing in the get account endpoint
Closes #10055
2022-02-15 15:44:05 -03:00
Marek Posolda
90d4e586b6
Show error in case of an unknown essential acr claim. Make sure correc… (#10088)
* Show error in case of an unknown essential acr claim. Make sure correct acr is set after authentication flow during step-up authentication
Closes #8724

Co-authored-by: Cornelia Lahnsteiner <cornelia.lahnsteiner@prime-sign.com>
Co-authored-by: Martin Bartoš <mabartos@redhat.com>
2022-02-15 09:02:05 +01:00
keycloak-bot
d9f1a9b207
Set version to 18.0.0-SNAPSHOT (#10165) 2022-02-11 21:28:06 +01:00
Martin Kanis
26ac142b99 Hot Rod map storage: Roles no-downtime store 2022-02-11 14:31:34 +01:00
Michal Hajas
b50b8f883b Implement HotRod storage for Users
Closes #9671
2022-02-11 10:20:36 +01:00
Martin Bartoš
6c09ec6de6 Hide 'unknown' transport media type label for WebAuthn authenticators
Closes #10036
2022-02-11 08:28:50 +01:00
Mauro de Wit
2c238b9f04
session-limiting-feature (#8260)
Closes #10077
2022-02-08 19:16:06 +01:00
Martin Bartoš
8573ea5fb2 KEYCLOAK-17690 Add missing test case for user email update 2022-02-07 10:56:11 +01:00
Marek Posolda
d9c8cb30a5
Closes #9498 - Fix cases when user is forced to re-authenticate (#9580) 2022-02-07 09:02:08 +01:00
Takashi Norimatsu
07d43f31f3 Expected Scopes of ClientScopesCondition created on Admin UI are not saved onto ClientScopesCondition.Configuration
Closes #9371
2022-02-04 18:02:15 +01:00
Martin Kanis
0471ec4941 Cross-site validation for lazy loading of offline sessions & Switch default offline sessions to lazy loaded 2022-02-03 21:43:47 +01:00
Konstantinos Georgilakis
a1f2f77b82 Device Authorization Grant with PKCE
Closes #9710
2022-02-03 08:37:07 +01:00
Daniel Gozalo
db4642d250 [fixes #9919] - Enable Dynamic Scopes for the resource-owner-password-credentials grant
Change some calls to the new AuthorizationContextUtil class and add tests for the client-credentials grant
2022-02-03 08:19:44 +01:00
Marek Posolda
d27635fb1b
Fixing for token revocation checks only (#9707)
Closes #9705
2022-02-02 15:21:44 +01:00
Daniel Gozalo
3528e7ba54 [fixes #9224] - Get consented scopes from AuthorizationContext
Always show the consent screen when a dynamic scope is requested and show the requested parameter

Improve the code that handles dynamic scopes consent and add some log traces

Add a test to check how we show dynamic scope in the consent screen and added missing template file change

Fix merge problem in comment and improve other comments

Fix the Dynamic Scope test by assigning it to the client as optional instead of default

Change how dynamic scopes are represented in the consent screen and adapt test
2022-02-02 09:10:20 +01:00
Daniel Gozalo
dc814b85c7 Pass the UserId to the function that runs the inner function in the server as it was losing its value when defined globally for Wildfly and Quarkus 2022-01-31 13:02:22 +01:00
Martin Bartoš
2919342f3a Add test scenarios for Passwordless Webauthn AIA
Closes #9795
2022-01-27 11:02:43 +01:00
bal1imb
9621d513b5 KEYCLOAK-18727 Improve user search query 2022-01-26 17:03:05 +01:00
Daniel Gozalo
4136bf7700 [fixes #9750] Make sure a Dynamic scope isn't assignable to a client as a default scope, and only show non-dynamic scopes in the available client scopes client menu 2022-01-26 13:32:04 +01:00
Daniel Gozalo
dad51773ea [fixes #9223] - Create an internal representation of RAR that also handles Static and Dynamic Client Scopes
Parse scopes to RAR representation and validate them against the requested scopes in the AuthorizationEndpointChecker

Parse scopes as RAR representation and add the created context on the different cache models in order to store the state and make it available for mappers in the ClientSessionContext

Create a new AuthorizationRequestSpi to provide different implementations for either dynamic scopes or RAR requests parsing

Move the AuthorizationRequest objects to server-spi

Add the AuthorizationRequestContext property to the MapAuthenticationSessionEntity and configure MapAuthenticationSessionAdapter to access it

Remove the AuthorizationRequestContext object from the cache adapters and entities and instead recalculate the RAR representations from scopes every time

Refactor the way we parse dynamic scopes and put everything behind the DYNAMIC_SCOPES feature flag

Added a login test and added a function to get the requested client scopes, including the dynamic one, behind a feature flag

Add a new filter to the Access Token dynamic scopes to avoid adding scopes that are not permitted for a user

Add tests around Dynamic Scopes: replaying existing tests while enabling the DYNAMIC_SCOPES feature and adding a few more

Test how the server generates the AuthorizationDetails object

Fix formatting, move classes to better packages and fix parent test class by making it Abstract

Match Dynamic scopes to Optional scopes only and fix tests

Avoid running these tests on remote auth servers
2022-01-26 13:19:23 +01:00
Martin Kanis
ddcabe61b2 KEYCLOAK-19571 Add indices to HotRodClientEntity fields 2022-01-20 17:46:47 +01:00
Konstantinos Georgilakis
0c9ab32cf4 Fix scope bug in device authorization request
Closes #9617
2022-01-19 18:13:42 +01:00
vramik
22bcdcb630 MapRoleProvider could return also client roles when searching for realm roles
Closes #9587
2022-01-19 16:39:59 +01:00
Konstantinos Georgilakis
db0b36460f KEYCLOAK-19148 correct getGroupsCountByNameContaining of MapGroupProvider 2022-01-15 20:15:27 +01:00
Pedro Igor
4c747047ce
Backward compatibility for lower-case bearer type in token responses (#9538)
Closes #9537
2022-01-13 08:34:45 +01:00
Jon Koops
dea123169f
KEYCLOAK-14817 Allow JS adapter to be bundled as ES module (#9351) 2022-01-13 08:28:30 +01:00
Daniel Gozalo
8ea09d3816
[fixes #9222] - Let users configure Dynamic Client Scopes (#9327) 2022-01-12 14:27:24 +01:00
Martin Bartoš
8649ca3d50
Multiple active tabs when realm name equals name of the tab in Admin console (#9438)
Closes #9421
2022-01-11 16:01:28 -05:00
Marek Posolda
8f221bb21e
Validation for CIBA binding_message parameter (#9470)
closes #9469
2022-01-11 11:19:15 +01:00
Martin Bartoš
d75d28468e
KEYCLOAK-19490 Add more details about 2FA to authenticate page (#9252)
Closes #9494
2022-01-11 09:16:22 +01:00
vramik
dd3d7be2b4 Make JpaClientMapStorage generic
Closes #9244
2022-01-05 07:04:05 +01:00
Martin Bartoš
422ae0b3db CIAM-1693 WebAuthn tests failures on JBoss 2021-12-23 02:43:25 -08:00
Martin Bartoš
6d0b551b5e
CIAM-1692 OfflineTokenSpringBootTest is failing in pipeline due to Hamcrest dependency (#9300) 2021-12-22 13:59:29 +01:00
CorneliaLahnsteiner
dff79cee3c
KEYCLOAK-847 Add support for step up authentication (#7897)
KEYCLOAK-847 Fix behavior of unknown not essential acr claim

Co-authored-by: Georg Romstorfer <georg.romstorfer@gmail.com>
Co-authored-by: Marek Posolda <mposolda@gmail.com>
2021-12-22 12:43:12 +01:00
Ben Tatham
f201760a4a Fixed #8892 "does not exists" language 2021-12-21 20:24:13 +01:00
Pedro Igor
15d5a074b0 Avoid building configuration all the time when running tests
Closes #9262
2021-12-21 07:10:15 -08:00
keycloak-bot
9f3d4a7d42 Set version to 17.0.0-SNAPSHOT 2021-12-20 10:50:39 +01:00
Michal Hajas
30cef7aa68 Fix app-server addHttpListener failure 2021-12-20 10:40:42 +01:00
Stian Thorgersen
45e9243054
Verify fine-grained admin permissions feature is enabled before checking fine-grained permissions when creating users (#9211)
* Verify fine-grained admin permissions feature is enabled before checking fine-grained permissions when creating users

Co-authored-by: stianst <stianst@gmail.com>

* fixing test

Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com>
2021-12-17 14:45:56 +01:00
Stian Thorgersen
31345c49b1
Server-only upgrade to WildFly 25.0.1 (#9190)
* WF 25.0.1 upgrade light

* Re-enable adapters with old WF versions

* Put server-overlay and server-legacy-dist back to reduce size of PR changes

* Remove some more changes that are not needed

* Fix issues adding to provider properties

* Fix user-profile updates for tests

* tls fixes

* Set WF to 23 for adapter tests

Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com>
2021-12-17 12:12:41 +01:00
Michal Hajas
5f0b65e854 Fix Cross DC test failures caused by Keycloak not increasing failure counter for blocked users
Closes #9157
2021-12-15 19:13:54 +01:00
vramik
c6312e3308 KEYCLOAK-18717 KEYCLOAK-18716 KEYCLOAK-18715 KEYCLOAK-18713 KEYCLOAK-18712 KEYCLOAK-18711 JPA clients no-downtime store 2021-12-15 13:32:49 +01:00
Marcelo Sales
afeaa6f593 KEYCLOAK-19391: Fix ldap query search adding custom search filter 2021-12-15 08:54:52 +01:00
stianst
85240c9606 Remove deprecated kcinit from keycloak
Closes #9106
2021-12-13 15:51:51 +01:00
thomasmicro
c474e770fe Clarify Admin UI Name of NoCookieFlowRedirectAuthenticator
In the Admin UI, the Authenticator was simply called Browser Redirect/Refresh which gives the impression that it is a generic redirector (which would be a cool validator).

This Quick Fix changes the Name to "Browser Redirect for Cookie free authentication" which should bring more clarity.
2021-12-13 13:14:49 +01:00
Martin Bartoš
8e8fab857e KEYCLOAK-19486 Verify the WebAuthn registration functionality 2021-12-13 09:46:07 +01:00
Pedro Igor
bf0f3d605c [fixes #9052] - Renaming cluster options to cache 2021-12-10 08:20:53 +01:00
Martin Bartoš
4f66087bf4 Fix for WebAuthn tests 2021-12-08 10:12:48 +01:00
Martin Bartoš
7dc01a5a6e KEYCLOAK-13319 Use newest WebDriver/Selenium for the WebAuthn testing 2021-12-06 09:42:10 +01:00
Alfredo Boullosa
a0b9e4f3eb KEYCLOAK-19853 Update Arquillian version 2021-12-04 06:45:43 +01:00
Pedro Igor
9a4ab82d08 [KEYCLOAK-19847] - Optimizations and refactoring for better/stable startup time 2021-12-02 08:57:23 -08:00
Pedro Igor
7bef534392 [KEYCLOAK-19859] - Patching request filter to properly end responses 2021-12-01 09:18:56 -08:00
Yoshiyuki Tabata
b1eeb0626e KEYCLOAK-13847 fix offline token refresh date 2021-12-01 08:30:08 +01:00
Nemanja Hiršl
c9e1e00b95 KEYCLOAK-19773 BFD and Direct Grant - inconsistent number of failures
Do not "failure" on temporary or permanently locked users, but "forceChallenge"
Failure increments number of failures, and forceChallenge doesn't

Test cases cover:
1. Already disabled users
2. Temporarily disabled users by BFD
3. Permanently disabled users by BFD
2021-11-24 15:28:18 +01:00
Martin Bartoš
1e1a6779be Issue 8814: Replace deprecated hamcrest-all dependencies 2021-11-23 13:56:28 +01:00
bal1imb
661aca4452 KEYCLOAK-19283 Implemented new identity provider mapper "Advanced claim to group mapper" alongside tests. 2021-11-19 16:54:39 +01:00
Hiroyuki Wada
884471c729 KEYCLOAK-19237 Avoid using stream that has been operated 2021-11-18 17:46:35 +01:00
Takashi Norimatsu
10c3e149d3 KEYCLOAK-19699 RSA key provider with key use = enc cannot select corresponding algorithm on Admin Console 2021-11-18 13:24:50 +01:00
Olivier Boudet
ed6eea26ea KEYCLOAK-19413 Allows to set login_hint on registration and reset-credentials pages 2021-11-18 13:17:10 +01:00
Konstantinos Georgilakis
63c9845cb9 KEYCLOAK-18276 client content screen enhancement 2021-11-18 13:15:02 +01:00
Pedro Igor
e14e56e0f3 [KEYCLOAK-19798] - Hostname support for Dist.X
Co-authored-by: Stian Thorgersen <stian@redhat.com>
2021-11-17 10:51:58 -03:00
Martin Bartoš
b17f0695ee 8793 User Profile multiple implementations 2021-11-15 08:46:34 +01:00
Michal Hajas
2f9a5aae0f KEYCLOAK-19028 Add HotRod Map storage implementation 2021-11-11 14:10:00 +01:00
David Perrenoud
36da2d20e9 KEYCLOAK-17039 Local file in a webview fails when requesting with "Origin: null" since 11.0.2 2021-11-11 10:55:33 +01:00
rmartinc
a4c4c00d00 [KEYCLOAK-14309] Duplicate sub claim at JSON level 2021-11-08 11:54:39 +01:00
Alec Henninger
cec6a8a884 KEYCLOAK-19700: Attempt to reuse denied device authorization code results in server error 2021-11-08 11:37:51 +01:00
Takashi Norimatsu
d0493b4306 KEYCLOAK-19723 Existing ECDSA key provider's key pair is not regenerated when its curve is changed on Admin Console 2021-11-05 10:05:40 +01:00
mposolda
5740e158e3 KEYCLOAK-18744 OpenBanking Brasil fix for X509 client authentication. More flexibility in Subject DN comparison. 2021-11-05 09:10:50 +01:00
Pedro Igor
3c00dba8ad [KEYCLOAK-19767] - Fixing testsuite to point to right persisted config 2021-11-04 15:06:49 -03:00
Dominik Guhr
579c5462b2 KEYCLOAK-19308 Grouping for help commands and refactoring of Propertymapper usage to provide a fluid API 2021-11-04 08:59:56 -03:00
Luca Leonardo Scorcia
e99b363ba0 KEYCLOAK-18879 Generate RequestedAttribute SP metadata for SAML Attribute Role Mappers 2021-11-04 11:15:32 +01:00
Bruno Oliveira da Silva
16db810b03 [KEYCLOAK-19754] - Update documentation files to remove problematic language in the main repository 2021-11-04 10:08:56 +01:00
Pedro Igor
eaa96f6147 [KEYCLOAK-18255] - Vault Support in Dist.X 2021-11-03 09:23:33 -03:00
Leonardo Brancalhão
a2a788ec39 KEYCLOAK-18401 Oracle test fixes 2021-11-02 11:55:38 +01:00
Joerg Matysiak
afc5cb4d14 KEYCLOAK-19617 Simplify creation of custom user profiles
* DeclarativeUserProfileProvider passes its ID to DeclarativeUserProfileModel, so this also works for derived classes.
* Moved creation of declarative user profile model to a protected factory method to allow subclasses to provide their own implementation.
* Added integration tests for custom user profile
* configured declarative-user-profile as default user profile provider in test servers
* Restore previously configured default provider after test with special provider settings
* Some refactoring in SpiProviderSwitchingUtils
2021-10-28 08:26:11 -03:00
Martin Kanis
af97849feb KEYCLOAK-19030 Implement HotRodConnectionProvider 2021-10-27 14:07:19 +02:00
Konstantinos Georgilakis
a5c8c45551 KEYCLOAK-19388 correct AttributeConsumingService bug in SAML SP metadata 2021-10-21 20:24:46 +02:00
Takashi Norimatsu
263161ff66 KEYCLOAK-19540 FAPI 2.0 Baseline : Reject Resource Owner Password Credentials Grant 2021-10-21 09:13:12 +02:00
Thomas Darimont
9857a04895 KEYCLOAK-16107 Enable ScriptBasedOIDCProtocolMapper to return JSON objects directly
We now allow to return JSON objects directly from a ScriptBasedOIDCProtocolMapper, by
adding support to turn objects that implement the java.util.Map into JsonNodes.

Previously returning JSON objects directly caused an exception during runtime.
2021-10-19 11:21:26 -03:00
Dominik Guhr
7b135c4dfc KEYCLOAK-19461 Unignore OpenShiftTokenReviewEndpointTest 2021-10-18 08:56:43 -03:00
Dominik Guhr
c45a6fde12 KEYCLOAK-19547 Switch arquillian quarkus container to use autobuild to prevent timeo… (#8576)
* KEYCLOAK-19547 Switch arquillian quarkus container to use autobuild to prevent timeouts when reaugmentation is longer than 10s

Co-authored-by: Dominik Guhr <dguhr@redhat.com>
2021-10-18 08:53:12 -03:00
Douglas Palmer
73f0474008 [KEYCLOAK-19422] ClassLoaderTheme and ClasspathThemeResourceProviderFactory allows reading any file available as a resource to the classloader 2021-10-18 10:23:06 +02:00
mposolda
7010017e0e KEYCLOAK-19555 Improvements in ConsentRequiredExecutor of client policies 2021-10-16 14:11:18 +02:00
Thomas Darimont
b1bcd5d66e KEYCLOAK-12754 Honor nested composite roles when creating roles via REST API (#7097)
* KEYCLOAK-12754 Honor nested composite roles when creating roles via REST API
  - Validate composite roles when creating roles via REST API
2021-10-15 10:33:19 -03:00
Pedro Igor
982f0f93b4 [KEYCLOAK-19559] - Support for custom JPA model 2021-10-15 08:48:30 -03:00
mposolda
acd00a492b KEYCLOAK-19556 Avoid auto-creating invalid redirect URL for FAPI clients 2021-10-15 11:17:59 +02:00
Pedro Igor
27e74c41ff [KEYCLOAK-19459] - Enabling ClientSearchTest to Dist.X 2021-10-14 17:08:06 -03:00
Dominik
8f3940032e KEYCLOAK-19461 Add dependency for openshift restclient to quarkus dist to make the OpenShiftClientStorageTest work. 2021-10-13 14:52:19 -03:00
Takashi Norimatsu
a4f83c569d KEYCLOAK-19510 Nested JWT JOSE header needs to set JWT to cty field 2021-10-12 16:58:15 +02:00
Bart Monhemius
5b0986e490 [KEYCLOAK-18891] Add support for searching users by custom user attributes
Users can now be searched by custom attributes using 'q' in the query parameters. The implementation is roughly the same as search clients by custom attributes.
2021-10-12 13:08:47 +02:00
Dominik
ce0070508f KEYCLOAK-19457 Unignore JsonFileImportTests now that KEYCLOAK-19521 is done 2021-10-11 16:41:07 -03:00
Dominik
00feef4dbe KEYCLOAK-19496 Unignore ArtifactBindingCustomResolverTest and make SetDefaultProvider Annotation usable for Quarkus-based distribution 2021-10-08 15:50:59 -03:00
R Yamada
891c8e1a12 [KEYCLOAK-17653] - OIDC Frontchannel logout support 2021-10-07 15:27:19 -03:00
Dominik
97ee8832a3 KEYCLOAK-19079 Add special case for kubeadmin without uid and OCP4 2021-10-07 14:29:00 -03:00
Dominik
12d4837fa9 KEYCLOAK-19484_BasicSamlTest 2021-10-06 12:04:05 -03:00
Martin Kanis
30b3caee9f KEYCLOAK-18445 Add support for cross-site model tests 2021-10-06 14:37:06 +02:00
Dominik
cd7a22c174 KEYCLOAK-19476: Unignore LoginTest.loginWithLongRedirectUri by adding property to authserver-quarkus 2021-10-06 08:03:34 -03:00
Tomas Kyjovsky
01a0e11c8f KEYCLOAK-19392 pass infinispan javaVmArguments via JAVA_OPTS instead of CLI parameters 2021-10-05 09:06:50 +02:00
Dominik
021245a330 KEYCLOAK-19463 fix PasswordPolicyTest for Quarkus 2021-10-04 15:32:18 -03:00
Dominik
8cf35c9b7b KEYCLOAK-13770 - Working DefaultThemeManagerTest 2021-10-01 11:25:17 -03:00
Michal Hajas
da0c945475 KEYCLOAK-18940 Add support for searching composite roles 2021-10-01 12:41:19 +02:00
Nathan Strobbe
64717f650b KEYCLOAK-15167 Retrieve email from Twitter IdP 2021-10-01 09:45:20 +02:00
Pedro Igor
0210acadad [KEYCLOAK-19424] - Rename the config command to build 2021-10-01 08:39:50 +02:00
Luca Leonardo Scorcia
43a3c676f7 KEYCLOAK-16456 X509 Auth: add option for OCSP fail-open behavior 2021-10-01 08:37:01 +02:00
Daniel Fesenmeyer
0a2f8f5b63 KEYCLOAK-17887 fix endpoint for creating or updating realm localization texts for a given locale (UnsupportedOperation was thrown because RealmAdapter tried to change unmodifiable map):
- fix RealmAdapter to create a new map instead of trying to change unmodifiable map
- only provide POST endpoints for creating or updating the texts (to have the endpoints consistent with other Admin API endpoints)
- add tests
2021-09-30 15:07:56 +02:00
stianst
f471a110cd KEYCLOAK-19408 Better client secrets 2021-09-29 18:19:43 +02:00
Dominik
82964f7460 KEYCLOAK-13770 Working FixedHostnameTest for Quarkus 2021-09-28 11:48:50 -03:00
stianst
12c7bc7350 KEYCLOAK-19410 Compile issues in IntelliJ due to imports of sun packages 2021-09-28 14:59:33 +02:00
Dominik
20b91c7d4f KEYCLOAK-13770 Fix Quarkus ScriptDeploymentTests, Hostnametests and tests relying on user attribute config 2021-09-27 15:19:45 -03:00
Václav Muzikář
69a146db7e KEYCLOAK-18128 Keycloak cannot fetch group claims from openshift 2021-09-27 08:05:43 -03:00
Daniel Fesenmeyer
339224578e KEYCLOAK-10603 adjust assignments to roles (user-role and group-role assignments, client-scope and client "scope mappings"): allow assignments of roles which are already indirectly assigned (e.g. by composite role)
- extend RoleMapperModel with method hasDirectRole(RoleModel), which only checks for direct assignment in contrast to the existing method hasRole(RoleModel)
- extend ScopeContainerModel with method hasDirectScope(RoleModel), which only checks for direct scope mapping in contrast to the existing method hasScope(RoleModel)
- use the new hasDirectRole and hasDirectScope methods to check whether a role is in the "available" list and whether it can be assigned (previously, the hasRole method was used for this purpose)
- add hint to UI that available roles contain effectively assigned roles which are not directly assigned
- adjust and extend tests
2021-09-22 13:56:29 +02:00
Vlastimil Elias
28e220fa6d KEYCLOAK-18497 - Support different input types in built-in dynamic forms 2021-09-20 09:14:49 -03:00
Takashi Norimatsu
375e47877e KEYCLOAK-18558 Client Policy - Endpoint : support Device Authorization Endpoint 2021-09-20 11:22:58 +02:00
chen kqing
c9809f0151 KEYCLOAK-18873 href attribute of a "Unable to scan?" tag is wrong in "Configure TOTP" page 2021-09-20 10:09:58 +02:00
Dominik
6d036a4647 KEYCLOAK-13770 Already working Tests after upgrade to Quarkus2 2021-09-17 10:03:26 -03:00
Dominik
4090114398 KEYCLOAK-16246 Revert changes from workaround made in KEYCLOAK-16244 after upgrading to quarkus 2
Also fixed a small type in testclass.
This reverts commit 9b2f2015f7.
2021-09-16 15:42:48 -03:00
Sophie Tauchert
b5d477c421 [KEYCLOAK-18556] Check for federated credentials when resolving authenticators 2021-09-15 16:54:56 +02:00
Vlastimil Elias
2be5f528e4 KEYCLOAK-18700 - consistently record User profile attribute changes in
UPDATE_PROFILE event
2021-09-15 08:26:01 -03:00
Marek Posolda
11e5f66c60 KEYCLOAK-19056 EDIT MODE field should not be left empty (#8380) 2021-09-14 20:27:09 +02:00
Luca Leonardo Scorcia
6d0708d263 KEYCLOAK-17368 Show forwarded errors when a default remote IdP is configured (#7838) 2021-09-14 09:44:59 +02:00
Luca Leonardo Scorcia
af8354267b KEYCLOAK-16462 X509 Auth: add option to revalidate certificate trust 2021-09-13 12:12:38 +02:00
David Hellwig
a6cd80c933 KEYCLOAK-16076 added new warning when cookies are disabled -with new branch- (#7632)
* KEYCLOAK-16076 added new warning when cookies are disabled

Co-authored-by: David Hellwig <david.hellwig@bosch.com>
Co-authored-by: Christoph Leistert <christoph.leistert@bosch-si.com>
2021-09-13 11:30:11 +02:00
Pedro Igor
aa018295c4 [KEYCLOAK-17866] - Upgrade to Quarkus v2 2021-09-10 11:21:09 -03:00
Hynek Mlnarik
4518b3d3d1 KEYCLOAK-19143 Split note for broker and SP SAML request ID 2021-09-07 17:04:30 +02:00
Olivier Boudet
c7f8544b0c KEYCLOAK-18454 Reset password : wrong email instructions when duplicate emails are allowed 2021-09-02 14:44:18 +02:00
Martin Bartoš
a25a0d513e KEYCLOAK-19159 KcSamlEncryptedIdTest failure for undertow 2021-09-02 11:22:53 +02:00
vramik
5fe675b612 KEYCLOAK-18841 prevent deletion of default role using RoleContainerResource 2021-08-20 12:02:07 +02:00
Martin Bartos
18cef60bbd KEYCLOAK-19037 Problems with validation of Email field that contains uppercase character 2021-08-19 11:13:42 +02:00
mposolda
418d1e3471 KEYCLOAK-19039 Sync UPDATE_PASSWORD required action only to MSAD with WRITABLE edit mode. Add tests for MSAD mapper 2021-08-18 17:39:19 +02:00
Thomas Darimont
a7fd1bc3a9 KEYCLOAK-18954 Add test for user consent retrieval with offline access consents
Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
2021-08-18 10:39:44 +02:00
bal1imb
269b661b8a KEYCLOAK-16633 Prevent deletion of internal clients. 2021-08-09 11:45:03 -03:00
Martin Kanis
b42f765c2a KEYCLOAK-18982 Token OIDC introspection endpoint should not update any of the timestamps 2021-08-05 18:21:16 +02:00
Simen Heggestøyl
624a9a3ed7 KEYCLOAK-18509 Fix permission error when deleting client 2021-08-05 11:55:24 -03:00
Yoshiyuki Tabata
b31b60fffe KEYCLOAK-18341 Support JWKS OAuth2 Client Metadata in the "by value" key loading method 2021-08-05 16:52:55 +02:00
Martin Bartoš
3c19fae88b KEYCLOAK-18964 MetricsRestServiceTest contains wrong health check message 2021-08-05 16:01:01 +02:00
Hynek Mlnarik
2acb43a627 KEYCLOAK-18617 Fix index on client attributes 2021-08-05 15:35:55 +02:00
Sebastian Rose
5d9d749fbd KEYCLOAK-18380 Fix Groups search by name returns unwanted groups
Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>

Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
2021-08-05 11:43:56 +02:00
Sebastian Rose
565251d5a6 KEYCLOAK-18380 Fix Groups search by name returns unwanted groups, cleanup test, skip tests on map storage provider feature 2021-08-05 11:43:56 +02:00
Thomas Darimont
17da3ee8d9 KEYCLOAK-18380 Fix Groups search by name returns unwanted groups
Previously the group search did not apply a given search query as filter
for groups along the group path.

We now filter the found groups with the given group search query if present.
2021-08-05 11:43:56 +02:00
mposolda
b1d39aa136 KEYCLOAK-18949 DirectGrant login should fail if authenticationSession contains some required actions 2021-08-04 08:50:27 +02:00
Yang Xie
d8cb279bc4 KEYCLOAK-17693 add config for loading custom IdMapper class 2021-08-03 17:44:47 +02:00
carlChen
a0b01b6ef4 KEYCLOAK-16703 The username returned by token introspect endpoint is null when remove or modify username mapper 2021-08-03 17:38:37 +02:00
Sebastian Kanzow
4e8e4592ca [KEYCLOAK-18419] Support SAML 2.0 Encrypted IDs in Assertion 2021-08-03 11:55:36 +02:00
keycloak-bot
262ec3d031 Set version to 16.0.0-SNAPSHOT 2021-07-30 14:56:10 +02:00
Pedro Igor
afb0b16e43 [KEYCLOAK-18922] - Ignore empty values for internal attributes not set to user 2021-07-30 12:30:43 +02:00
Martin Bartoš
56888911b0 KEYCLOAK-18691 CIBATest.testTokenRequestAfterIntervalButNotYetAuthenticated wrong expiration 2021-07-29 17:01:51 +02:00
Pedro Igor
ff70e2e04b [KEYCLOAK-18916] - Do not consider empty values when checking read-only attributes 2021-07-29 08:46:16 +02:00
Vlastimil Elias
32f2f095fe KEYCLOAK-7724 User Profile default validations 2021-07-29 08:42:37 +02:00
mposolda
4dacbb9e0b KEYCLOAK-16996 User not able to revoke his offline token for directGrant clients 2021-07-29 08:04:16 +02:00
mposolda
9b0e1fff8d KEYCLOAK-18903 More customizable OIDC WellKnown provider 2021-07-28 18:03:23 +02:00
mposolda
05dfed721a KEYCLOAK-18636 The mtls_endpoint_aliases claim is not advertized in the discovery document 2021-07-28 13:32:31 +02:00
Pedro Igor
ef72343a6a [KEYCLOAK-18882] - User Profile still tech preview 2021-07-28 08:45:35 +02:00
mposolda
4520cbd38c KEYCLOAK-18904 Support cert-bound tokens when doing client credentials grant. Client policies support for client credentials grant 2021-07-28 07:24:30 +02:00
mposolda
ce80a3ba9b KEYCLOAK-18901 Test for update clientNotificationEndpoint to 'http' URL should fail 2021-07-27 16:22:49 +02:00
mposolda
643b3c4c5a KEYCLOAK-18594 CIBA Ping Mode 2021-07-27 08:33:17 +02:00
Takashi Norimatsu
9018fe9fad KEYCLOAK-18863 Global client profile for FAPI CIBA 2021-07-23 14:30:26 +02:00
Joerg Matysiak
9dff21d0a7 KEYCLOAK-18552
* added group as attribute metadata
* validation for groups and references to groups
* adapted template to use show attribute groups
* test and integration tests for attribute groups
2021-07-23 09:26:21 -03:00
Takashi Norimatsu
6436716514 KEYCLOAK-18834 Client Policies : ClientScopesCondition needs to be evaluated on CIBA backchannel authentication request and token request 2021-07-23 10:06:02 +02:00
Hynek Mlnarik
6b9040d18a KEYCLOAK-18876 Fix intermittent LoginTest failures 2021-07-23 08:44:50 +02:00
Takashi Norimatsu
84e19f1c57 KEYCLOAK-18833 FAPI-CIBA-ID1 : need to only accept confidential client on Backchannel Authentication endpoint 2021-07-23 08:26:36 +02:00
Luca Leonardo Scorcia
6bd7420907 KEYCLOAK-17290 SAML Client - Generate AttributeConsumingService SP metadata section 2021-07-22 21:53:16 +02:00
Pedro Igor
8260c3c623 [KEYCLOAK-18860] - Fixing attributes returned from user api 2021-07-22 15:09:30 -03:00
Vlastimil Elias
fff27f8bd6 KEYCLOAK-18812 fixing Account REST API tests under User Profile enabled 2021-07-22 13:43:21 -03:00
Vlastimil Elias
f307c56fe1 KEYCLOAK-18812 UserProfile metadata in Account REST API 2021-07-22 08:46:30 -03:00
Pedro Igor
b4c940fe3f [KEYCLOAK-18860] - Return attributes defined in user profile from user api 2021-07-22 08:32:47 -03:00
mposolda
3993b73625 KEYCLOAK-18865 CIBATests failing for auth-server-remote 2021-07-21 14:14:01 +02:00
Pedro Igor
d29d945cc4 [KEYCLOAK-18857] - Do not force default to RS256 when verifying tokens sent by clients and JWK does not hold an algorithm 2021-07-21 11:09:02 +02:00
Takashi Norimatsu
2c019c9ce5 KEYCLOAK-18832 FAPI-CIBA-ID1 conformance test : need to return 401 error=invalid_client if client authentication is not successfully completed on Backchannel Authentication endpoint 2021-07-21 10:13:55 +02:00
Takashi Norimatsu
8df36fbf28 KEYCLOAK-18828 FAPI-CIBA-ID1 conformance test : Additional checks of signed authentication request 2021-07-21 08:19:19 +02:00
Takashi Norimatsu
61fcbb307b KEYCLOAK-18830 FAPI-CIBA-ID1 conformance test : HolderOfKeyEnforcerExecutor needs to be executed on CIBA token request 2021-07-21 08:07:50 +02:00
Pedro Igor
54a0e84070 [KEYCLOAK-18741] - Review error messages when validating PAR requests 2021-07-20 14:08:49 -03:00
Pedro Igor
7f34af4016 Revert "[KEYCLOAK-18425] - Allow mapping user profile attributes"
This reverts commit 3e07ca3c
2021-07-20 14:08:09 -03:00
mposolda
db7e247f7b KEYCLOAK-18848 KEYCLOAK-18850 Enable CIBA and PAR by default 2021-07-20 15:59:06 +02:00
Takashi Norimatsu
f154b0b209 KEYCLOAK-18831 FAPI-CIBA-ID1 conformance test : need to return 400 if user authentication is not successfully completed 2021-07-20 10:46:16 +02:00
Takashi Norimatsu
e2c5fa20a2 KEYCLOAK-18849 Client Policy - Condition : ClientRolesCondition needs to be evaluated on PAR endpoint 2021-07-20 09:41:48 +02:00
Pedro Igor
396a78bcc4 [KEYCLOAK-18723] - Configurable constraints for request object encryption 2021-07-20 09:28:09 +02:00
Pedro Igor
730d4e8ac9 [KEYCLOAK-18807] - Fixing claims in JARM responses 2021-07-20 08:23:33 +02:00
Pedro Igor
13a08362d4 [KEYCLOAK-18819] - SecureResponseType executor shall allow response_type=code when using JARM and response_mode=jwt 2021-07-20 08:16:19 +02:00
Takashi Norimatsu
f76c07476c KEYCLOAK-18827 FAPI-CIBA-ID1 conformance test : Client JWT authentication should allow Backchannel Authentication endpoint as audience 2021-07-20 06:39:28 +02:00
Takashi Norimatsu
02a9eb442d KEYCLOAK-18829 FAPI-CIBA-ID1 conformance test : ClientRolesCondition needs to be evaluated on CIBA backchannel authentication request and token request 2021-07-20 06:31:10 +02:00
Pedro Igor
fe4e089e81 [KEYCLOAK-18745] - Client JWT authentication should allow PAR endpoint as audience 2021-07-19 14:23:53 -03:00
Vlastimil Elias
61aa4e6a70 KEYCLOAK-18750 - Set "Email Verified" to false when email changed in
UserProfile Provider
2021-07-19 11:19:29 -03:00
Takashi Norimatsu
f188f02d03 KEYCLOAK-18826 FAPI-CIBA-ID1 conformance test : ID Token needs to include auth_time claim 2021-07-19 15:11:23 +02:00
Takashi Norimatsu
63f04c1118 KEYCLOAK-18683 Client policy executor for check Backchannel signed request algorithms matching FAPI compliant algorithms 2021-07-19 14:48:31 +02:00
Pedro Igor
a79d28f115 [KEYCLOAK-18729] - Support JAR when using PAR 2021-07-19 11:42:20 +02:00
bal1imb
2c8d4ad9b4 KEYCLOAK-18590 Realm localizations of one realm must not affect themes displayed in context of other realms. 2021-07-16 16:12:58 +02:00
Pedro Igor
f1face6973 [KEYCLOAK-18748] - Do not remove attributes when declarative provider is enabled 2021-07-15 12:00:39 -03:00
Daniel Fesenmeyer
a25c70784c KEYCLOAK-18467 support unicode for realm localization texts 2021-07-15 10:30:42 +02:00
vramik
a07f3f9608 KEYCLOAK-18688 Add testing composite roles in RoleInvalidationClusterTest 2021-07-15 10:18:57 +02:00
Vlastimil Elias
7618e66136 [KEYCLOAK-18541] separate template for IDP review page 2021-07-13 21:43:52 -03:00
vramik
00017b44a3 KEYCLOAK-18311 fix creation of roles during client registration 2021-07-12 11:39:47 +02:00
Pedro Igor
1baab67f3b [KEYCLOAK-18630] - Request object encryption support 2021-07-09 11:27:30 -03:00
Vlastimil Elias
6686482ba5 [KEYCLOAK-18591] - Support a dynamic IDP user review form 2021-07-09 10:05:26 -03:00
Takashi Norimatsu
7cdcf0f93e KEYCLOAK-18654 Client Policy - Endpoint : support Token Request by CIBA Backchannel Authentication 2021-07-09 11:24:12 +02:00
Takashi Norimatsu
43eb2b7c90 KEYCLOAK-18123 Client Policy - Executor : Enforce Backchannel Authentication Request satisfying high security level 2021-07-09 09:11:13 +02:00
Takashi Norimatsu
63b737545f KEYCLOAK-18653 Client Policy - Endpoint : support Pushed Authorization Request Endpoint 2021-07-09 09:06:38 +02:00
Pedro Igor
4099833be8 [KEYCLOAK-18693] - Declarative profile validating read-only attribute if it exists 2021-07-08 15:22:02 -03:00
Takashi Norimatsu
dce163d3e2 KEYCLOAK-18587 CIBA signed request: Client must configure the algorithm 2021-07-08 10:16:22 +02:00
Benjamin Weimer
8c1ea60b04 * Add sid claim to ID Token
* deprecate session state parameter in ID Token
* remove charset=UTF-8 from backchannel logout post request Content-Type header
2021-07-06 15:30:53 -03:00
Takashi Norimatsu
2b1624390a KEYCLOAK-17937 Client Policy - Endpoint : support CIBA Backchannel Authentication Endpoint 2021-07-03 08:57:20 +02:00
Hryhorii Hevorkian
2803685cd7 KEYCLOAK-18353 Implement Pushed Authorization Request inside the Keycloak
Co-authored-by: Takashi Norimatsu <takashi.norimatsu.ws@hitachi.com>
Co-authored-by: mposolda <mposolda@gmail.com>
2021-07-03 08:47:42 +02:00
lbortoli
e5ae113453 KEYCLOAK-18452 FAPI JARM: JWT Secured Authorization Response Mode for OAuth 2.0 2021-07-03 00:00:32 +02:00
Vlastimil Elias
04ff2c327b [KEYCLOAK-18429] Support a dynamic update profile form 2021-07-02 10:22:47 -03:00
Vlastimil Elias
f32447bcc1 [KEYCLOAK-18424] GUI order for user profile attributes 2021-07-02 08:37:24 -03:00
Pedro Igor
b26b41332e [KEYCLOAK-18626] - Avoid changing username when registration as email is enabled 2021-07-02 08:07:04 -03:00
Pedro Igor
3e07ca3c22 [KEYCLOAK-18425] - Allow mapping user profile attributes 2021-07-01 10:19:28 -03:00
vramik
2b9b50d50a KEYCLOAK-18194 fix migration of default role when realm id contains apostrophe 2021-07-01 11:22:11 +02:00
lbortoli
164f3df080 KEYCLOAK-18502 - Support for additional parameters from the backchannel authentication request and backchannel authentication callback. 2021-07-01 00:31:26 +02:00
Luca Leonardo Scorcia
ae98d8ea28 KEYCLOAK-18315 SAML Client - Add parameter to request specific AttributeConsumingServiceIndex 2021-06-29 16:22:38 +02:00
Martin Bartoš
9dc7300178 KEYCLOAK-18391 CIBATest failures 2021-06-29 16:15:12 +02:00
Sebastian Rose
ca6b78b730 KEYCLOAK-18390 GroupProvider search implementation of JPA and Map delivers different results 2021-06-29 14:59:01 +02:00
Takashi Norimatsu
57c80483bb KEYCLOAK-17936 FAPI-CIBA : support Signed Authentication Request
Co-authored-by: Pritish Joshi <pritish@banfico.com>
Co-authored-by: mposolda <mposolda@gmail.com>
2021-06-29 08:07:40 +02:00
Pedro Igor
948f453e2d [KEYCLOAK-18427] - Allowing switching to declarative provider 2021-06-28 15:50:04 -03:00
Vlastimil Elias
512bcd14f7 [KEYCLOAK-18428] - dynamic registration form 2021-06-25 17:11:15 -03:00
Pedro Igor
faadb896ea [KEYCLOAK-18426] - Support required by role and scopes in Admin UI 2021-06-24 10:43:49 -03:00
Yoshiyuki Tabata
52ced98f92 KEYCLOAK-18503 Regex Policy for authorization service 2021-06-24 08:49:41 -03:00
Vlastimil Elias
b7a4fd8745 KEYCLOAK-18423 - Support a user-friendly name property for user profile
attributes
2021-06-24 08:17:06 -03:00
Michal Hajas
ccf9456bdf KEYCLOAK-18534 Fix js tests timeout failure 2021-06-23 14:12:02 -03:00
Luca Leonardo Scorcia
cdf9621257 KEYCLOAK-18450 Add basic tests for the Identity Provider Redirector Default IdP feature 2021-06-23 08:42:14 +02:00
Andy Fedotov
17b374f53a [KEYCLOAK-16455][Adapter - JavaScript] Propagate 3rd party cookies check
errors outside of JS adapter
2021-06-23 08:36:26 +02:00
Vlastimil Elias
458c841c39 [KEYCLOAK-18447] Dynamically select attributes based on requested scopes 2021-06-22 08:54:03 -03:00
Vlastimil Elias
b87d764137 [KEYCLOAK-17443] Username and email form fields kept in registration
form when duplicate
2021-06-22 08:46:42 -03:00
rmartinc
b8452374d2 [KEYCLOAK-18473] Add max length to password policy 2021-06-22 10:15:48 +02:00
Luca Leonardo Scorcia
f5123cb51b KEYCLOAK-17935 SAML Client - Validate InResponseTo attribute 2021-06-21 12:25:18 +02:00
keycloak-bot
13f7831a77 Set version to 15.0.0-SNAPSHOT 2021-06-18 10:42:27 +02:00
Pedro Igor
6bb7a8894d [KEYCLOAK-18464] - Failures when running without tls and remote 2021-06-17 14:33:35 +02:00
Martin Bartoš
333d279d7a KEYCLOAK-18406 SAMLServletAdapterTest failures 2021-06-17 11:30:39 +02:00
Tomas Kyjovsky
6db1c8204a KEYCLOAK-18393 SAMLAdapterCrossDCTest failures 2021-06-16 18:46:38 +02:00
Martin Bartoš
78b6762326 KEYCLOAK-18442 LifespanAdapterTest - duplicate resources 2021-06-15 15:32:59 +02:00
Pedro Igor
ef3a0ee06c [KEYCLOAK-17399] - Declarative User Profile and UI
Co-authored-by: Vlastimil Elias <velias@redhat.com>
2021-06-14 11:28:32 +02:00
Václav Muzikář
9854f21ace KEYCLOAK-18332 Client Scopes are reset to realm's default when Client is updated 2021-06-11 07:41:18 +02:00
mposolda
070c68e18a KEYCLOAK-18069 Migration of client policies JSON from Keycloak 13 2021-06-10 10:40:14 +02:00
Douglas Palmer
aac0b6ec5f [KEYCLOAK-17602] Email account verification link is wrongly encoded 2021-06-10 08:34:53 +02:00
Martin Bartoš
8ea2551d25 KEYCLOAK-18247 LifespanAdapterTest fails due to validation error on EAP 2021-06-10 07:07:35 +02:00
Martin Bartoš
07d57ca30f KEYCLOAK-17179 IdP mappers with MultiValued property can't be saved 2021-06-10 07:02:21 +02:00
mposolda
91865fa93e KEYCLOAK-18368 Invalidate client session after refresh token re-use 2021-06-09 14:43:29 +02:00
vramik
95bf912dc9 KEYCLOAK-18035 Fix update client with default default scope assigned as optional 2021-06-07 16:22:55 +02:00
Tomas Kyjovsky
b071be7799 KEYCLOAK-18260 ClientSearchTest.testQuerySearch failure on MSSQL2019
- removed Central European characters from the test
2021-06-07 16:20:53 +02:00
Tomas Kyjovsky
80eabcb7eb KEYCLOAK-18249 WelcomePageTest fails on MSSQL 2019
- removed reference to `FK_P56CTINXXB9GSK57FO49F9TAC` from the `DropAllServlet`
2021-06-07 16:18:32 +02:00
vramik
5c007420ef KEYCLOAK-18367 fix compilation failure 2021-06-07 12:50:23 +02:00
Martin Bartoš
4b009ebf5e KEYCLOAK-14540 Determine project/product name 2021-06-07 11:24:29 +02:00
Václav Muzikář
6b365d7c12 KEYCLOAK-18044 Client Policy: UI tests (old Admin Console) 2021-06-07 06:43:35 +02:00
mposolda
3d16a1e8d3 KEYCLOAK-16811 Add executor for disable 'Full Scope Allowed' and add it to FAPI profiles 2021-06-04 15:46:33 +02:00
Tomas Kyjovsky
1033b272e8 KEYCLOAK-13757 fix for KEYCLOAK-18267_KEYCLOAK-17254 2021-06-03 13:52:25 +02:00
Tomas Kyjovsky
2802740101 KEYCLOAK-13757 update JDG version to 8.1 - testsuite updates 2021-06-03 13:52:25 +02:00
Jan Lieskovsky
cbd4288205 [KEYCLOAK-17254] Adaptively add the default modular JVM options
to the "javaVmArguments" to start the cache server container with,
if the JVM used to run the cache server is modular (JDK 9+)

Signed-off-by: Jan Lieskovsky <jlieskov@redhat.com>
2021-06-03 10:36:53 +02:00
mposolda
12c47150e7 KEYCLOAK-18337 FAPI1Test fails in pipeline with auth-server-undertow-non-tls 2021-06-03 10:09:40 +02:00
vramik
0959475099 KEYCLOAK-18305 revisit tests - authz disabled 2021-06-02 14:26:22 +02:00
Douglas Palmer
986b69c03f [KEYCLOAK-17405] Session auth time updated when user has not re-authenticated 2021-06-01 19:35:42 +02:00
Miquel Simon
ccad4653d8 KEYCLOAK-18324. Exclude FAPI tests for remote auth server. 2021-06-01 11:47:13 +02:00
mposolda
73a38997d8 KEYCLOAK-14208 Default client profiles for FAPI 2021-05-31 12:31:52 +02:00
mposolda
ab13e3e4fe KEYCLOAK-17939 Enable Client policies feature by default 2021-05-31 12:31:52 +02:00
Michito Okai
bc6a746780 KEYCLOAK-18112 Token introspection of the revoked refresh token 2021-05-31 11:01:01 +02:00
vramik
2bf727d408 KEYCLOAK-17753 remove KeycloakModelUtils.isClientScopeUsed method 2021-05-28 21:07:14 +02:00
rmartinc
38101d01c2 [KEYCLOAK-18250] LDAPSyncTest.test09MembershipUsingDifferentAttributes fails on MySQL 8 and MariaDB 10.3 2021-05-28 00:01:57 +02:00
Michal Hajas
b216b9579c KEYCLOAK-18264 Fix SamlLogoutTest with different consumer and provider url 2021-05-27 23:23:46 +02:00
Michal Hajas
4dcb69596b KEYCLOAK-18146 Search for clients by client attribute when doing saml artifact resolution 2021-05-27 23:02:22 +02:00
Stian Thorgersen
2cb59e2503 KEYCLOAK-17844 Add option to disable authorization services to workaround issues with many clients 2021-05-27 22:28:56 +02:00
Martin Kanis
23aee6c210 KEYCLOAK-16616 Limit number of authSessions per rootAuthSession 2021-05-27 22:10:36 +02:00
Takashi Norimatsu
669556af71 KEYCLOAK-18296 RefreshTokenRequest returns incorrect error code during failed HoK request 2021-05-27 15:28:29 +02:00
Martin Bartoš
2096a0f5cc KEYCLOAK-18246 DemoFilterServletAdapterTest fails for app servers with TLS 2021-05-27 13:06:35 +02:00
vramik
3aa06c2721 KEYCLOAK-18073 avoid ModelDuplicateException during parallel startup of servers 2021-05-27 07:10:35 +02:00
Stefan Guilhen
eb631bf63b [KEYCLOAK-8730] Ensure role mappers don't remove roles already granted by another mapper when updating a brokered user 2021-05-26 17:21:54 +02:00
Michal Hajas
5c71c3d97f KEYCLOAK-17764 Remove all clients querying fallback (#8077) 2021-05-26 13:18:58 +02:00
Martin Bartoš
77fe3e9bed KEYCLOAK-18054 EAP6Fuse6HawtioAdapterTest fails due to wrong port without TLS 2021-05-26 08:58:03 +02:00
Pedro Igor
b7e5db6534 [KEYCLOAK-18007] - Configure resolved paths with the method config from configuration 2021-05-25 09:48:30 -03:00
Luca Leonardo Scorcia
478319348b KEYCLOAK-16450 X509 Direct Grant Auth does not verify certificate timestamp validity 2021-05-25 10:32:17 +02:00
Takashi Norimatsu
6e7898039b KEYCLOAK-18139 SecureResponseTypeExecutor: polishing for FAPI 1 final 2021-05-25 08:32:43 +02:00
mposolda
d4374f37ae KEYCLOAK-18258 Not possible to login with public client, which was confidential with custom client authenticator set 2021-05-24 13:17:14 +02:00
Lukas Hanusovsky
afb8da7ff0 KEYCLOAK-18056 exclude test for remote testsuite. 2021-05-24 11:27:44 +02:00
Takashi Norimatsu
6532baa9a7 KEYCLOAK-18127 Option for skip return user's claims in the ID Token for hybrid flow 2021-05-24 08:02:34 +02:00
Michito Okai
cc2d6f0741 KEYCLOAK-18235 Display of options about device grant when selecting
"public" as the access type
2021-05-21 08:24:27 +02:00
Vlastimil Elias
4ad1687f2b [KEYCLOAK-17399] UserProfile SPI - Validation SPI integration 2021-05-20 15:26:17 -03:00
Pedro Igor
9ebbc7673c [KEYCLOAK-18111] - Error when processing path without associated resource 2021-05-20 11:15:11 -03:00
Thomas Darimont
c49dbd66fa KEYCLOAK-15437 Ensure at_hash is generated for IDTokens on token-refresh 2021-05-20 16:05:11 +02:00
Pedro Igor
a0f8d2bc0e [KEYCLOAK-17399] - Review User Profile SPI
Co-Authored-By: Vlastimil Elias <vlastimil.elias@worldonline.cz>
2021-05-20 08:44:24 -03:00
rmartinc
b97f177f26 [KEYCLOAK-14696] Unable to fetch list of members from a group through keycloak admin console. 2021-05-20 11:32:23 +02:00
Michal Hajas
3bb5bff8e0 KEYCLOAK-17495 Do not include principal in the reference to broker sessionId 2021-05-20 11:32:11 +02:00
mposolda
d3e9e21abd KEYCLOAK-17906 Use auto-configure instead of is-augment. Use default-client-authenticator option in SecureClientAuthenticatorExecutor 2021-05-19 12:18:11 +02:00
vramik
4d776cd780 KEYCLOAK-18137 Fix introduced SPI name 2021-05-18 20:30:21 +02:00
Mathieu CLAUDEL
df714506cc KEYCLOAK-17655 - Can't impersonate 2021-05-18 14:16:01 +02:00
mposolda
71dcbec642 KEYCLOAK-18108 Refactoring retrieve of condition/executor providers. Make sure correct configuration of executor/condition is used for particular provider 2021-05-18 12:20:47 +02:00
mposolda
b8a7750000 KEYCLOAK-18113 Refactor some executor/condition provider IDs 2021-05-18 09:17:41 +02:00
Václav Muzikář
62e6883524 KEYCLOAK-17084 KEYCLOAK-17434 Support querying clients by client attributes 2021-05-14 13:58:53 +02:00
Tomas Kyjovsky
1292135729 KEYCLOAK-17322 Align tested databases with EAP 7.4 support matrix 2021-05-14 09:27:00 +02:00
Peter Flintholm
919899b994 KEYCLOAK-18039: Optimise offline session load on startup
Co-authored-by: Hynek Mlnarik <hmlnarik@redhat.com>
2021-05-13 16:26:26 +02:00
Marek Posolda
a6d4316084 KEYCLOAK-14209 Client policies admin console support. Changing of format of JSON for client policies and profiles. Remove support for default policies (#7969)
* KEYCLOAK-14209 KEYCLOAK-17988 Client policies admin console support. Changing of format of JSON for client policies and profiles. Refactoring based on feedback and remove builtin policies
2021-05-12 16:19:55 +02:00
Takashi Norimatsu
355a5d65fb KEYCLOAK-18052 Client Policies : Revise SecureRequestObjectExecutor to have an option for checking nbf claim 2021-05-11 14:29:33 +02:00
rmartinc
2539bd9ed3 [KEYCLOAK-17903] idp metadata describing one entity MUST have EntityDescriptor root element 2021-05-11 13:02:13 +02:00
Takashi Norimatsu
5dced05591 KEYCLOAK-18050 Client Policies : Rename "secure-redirecturi-enforce-executor" to indicate what this executor does 2021-05-11 07:42:18 +02:00
Pedro Igor
6397671c88 [KEYCLOAK-17885] - Delete user-managed policies when removing groups 2021-05-10 16:33:23 -03:00
Takashi Norimatsu
b4e4e75743 KEYCLOAK-17928 Determine public client based on token_endpoint_auth_method during OIDC dynamic client registration 2021-05-10 08:24:18 +02:00
Takashi Norimatsu
624d300a55 KEYCLOAK-17938 Not possible to create client in the admin console when client policy with "secure-redirecturi-enforce-executor" condition is used 2021-05-07 17:52:09 +02:00
Takashi Norimatsu
b38b1eb782 KEYCLOAK-17895 SecureSigningAlgorithmEnforceExecutor: Ability to auto-configure default algorithm 2021-05-07 12:37:39 +02:00
Takashi Norimatsu
faab3183e0 KEYCLOAK-18034 Enforce SecureSigningAlgorithmForSignedJwtEnforceExecutor to private-key-jwt clients regardless their option 2021-05-07 12:26:46 +02:00
keycloak-bot
4b44f7d566 Set version to 14.0.0-SNAPSHOT 2021-05-06 14:55:01 +02:00
Hynek Mlnarik
98a88e3e8b KEYCLOAK-17991 Introduce preview feature for map storage 2021-05-06 11:38:41 +02:00
Hynek Mlnarik
6d97a573e6 KEYCLOAK-17696 Make MapStorageFactory amphibian 2021-05-06 11:38:41 +02:00
Takashi Norimatsu
0a4fdc64f3 KEYCLOAK-17929 SecureSigningAlgorithmForSignedJwtEnforceExecutor polishing for FAPI 2021-05-06 08:41:05 +02:00
Takashi Norimatsu
b78d151a23 KEYCLOAK-16808 Client Policy : Implement existing ConsentRequiredClientRegistrationPolicy as Client Policies' executor
Co-authored-by: Andrii Murashkin <amu@adorsys.com.ua>
2021-05-06 08:36:34 +02:00
Peter Skopek
b2ed99c70d KEYCLOAK-16928 Fix typo in authenticatorFlow representation 2021-05-06 08:33:19 +02:00
mposolda
20fc430be0 KEYCLOAK-17874 Server cannot be started with oracle19cRAC 2021-05-05 13:12:07 +02:00
Václav Muzikář
57fca2a34f KEYCLOAK-15170 Reset password link is not invalidated if email address is changed 2021-05-05 08:45:47 +02:00
Martin Bartoš
c2c1b482ea KEYCLOAK-17734 LifespanAdapterTest fails due to header check 2021-05-04 12:36:33 +02:00
Christoph Leistert
61bdc92ad9 KEYCLOAK-17387: 403 response on localization endpoint for cross realm users
- add ForbiddenPage class for the assertion at the selenium test
- add assertion to selenium test
- GET requests for localization texts require at least one role for the realm
- Make GET requests for localization texts public, to display the admin UI correctly, even if the role view-realm is missing
2021-05-03 13:29:11 -03:00
Václav Muzikář
315b9e3c29 KEYCLOAK-17835 Account Permanent Lockout and login error messages 2021-05-03 09:39:34 +02:00
Takashi Norimatsu
65c48a4183 KEYCLOAK-12137 OpenID Connect Client Initiated Backchannel Authentication (CIBA) (#7679)
* KEYCLOAK-12137 OpenID Connect Client Initiated Backchannel Authentication (CIBA)

Co-authored-by: Andrii Murashkin <amu@adorsys.com.ua>
Co-authored-by: Christophe Lannoy <c4r1570p4e@gmail.com>
Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com>
Co-authored-by: mposolda <mposolda@gmail.com>
2021-04-29 15:56:39 +02:00
Jan Lieskovsky
6df5ba0f1c [KEYCLOAK-17227] Wildfly 23 upgrade
Base fixes:
    * [KEYCLOAK-17228] Upgrade Keycloak to Wildfly 23.0.0.Final / Wildfly Core 15.0.0.Final

    Other (related) fixes:
    * [KEYCLOAK-17477] Update org.wildfly.common to 1.5.4.Final
    * [KEYCLOAK-17478] Update wildfly-galleon-maven-plugin to 5.1.0.Final
    * [KEYCLOAK-17479] Keycloak Galleon Feature Pack: Adapter fails to build on top of Wildfly 23
    * [KEYCLOAK-17482] Sync Wildfly 23 model changes to Keycloak
    * [KEYCLOAK-17508] Apply workaround for WFCORE-5335
    * [KEYCLOAK-17231] Update org.keycloak.testsuite.metrics.MetricsRestServiceTest
      to work with org.wildfly.extension.health
    * [KEYCLOAK-17585] Fix Quarkus startup failure post applying Wildfly 23 upgrade changes
    * [KEYCLOAK-17583] Fix ConfigMigrationTest post applying Wildfly 23 model changes
    * [KEYCLOAK-17584] Fix ActionTokenCrossDCTest#sendResetPasswordEmailSuccessWorksInCrossDc
      test failure post applying Wildfly 23 upgrade changes

Signed-off-by: Jan Lieskovsky <jlieskov@redhat.com>
2021-04-29 12:36:03 +02:00
vramik
de79493294 KEYCLOAK-17896 Add maven profile for map storage 2021-04-28 21:05:42 +02:00
vramik
162043beec KEYCLOAK-17615 Move database initialization from KeycloakApplication to JpaConnectionProviderFactory 2021-04-28 13:43:48 +02:00
Martin Kanis
515bfb5064 KEYCLOAK-16378 User / client session map store
Co-authored-by: Martin Kanis <mkanis@redhat.com>
Co-authored-by: Hynek Mlnarik <hmlnarik@redhat.com>
2021-04-28 09:09:15 +02:00
Yoshiyuki Tabata
45202bd49a KEYCLOAK-17637 Client Scope Policy for authorization service 2021-04-26 08:58:33 -03:00
Ayat Bouchouareb
8255cba930 KEYCLOAK-17612- Invalid SAML Response : Invalid Destination 2021-04-26 11:15:28 +02:00
Pedro Igor
068a1811f2 [KEYCLOAK-17452] - Removing policies created from a user-managed policy 2021-04-21 11:30:57 -03:00
Pedro Igor
228de42859 [KEYCLOAK-17598] - Changing root path check when resolving resource by uri 2021-04-21 11:30:07 -03:00
Takashi Norimatsu
190b60c5cd KEYCLOAK-17827 Client Policy - Condition : Client - Client Host : Removing Option 2021-04-21 15:16:00 +02:00
i7a7467
ada7f37430 KEYCLOAK-16918 Set custom user attribute to Name ID Format for a SAML client
https://issues.redhat.com/browse/KEYCLOAK-16918

Co-authored-by: Michal Hajas <mhajas@redhat.com>
2021-04-20 10:29:17 +02:00
Martin Bartoš
ca019c36e8 KEYCLOAK-17457 Failed OfflineServletsAdapterTest 2021-04-19 16:58:38 -03:00
AlistairDoswald
8b3e77bf81 KEYCLOAK-9992 Support for ARTIFACT binding in server to client communication
Co-authored-by: AlistairDoswald <alistair.doswald@elca.ch>
Co-authored-by: harture <harture414@gmail.com>
Co-authored-by: Michal Hajas <mhajas@redhat.com>
2021-04-16 12:15:59 +02:00
Michal Hajas
64ccbda5d5 KEYCLOAK-17323 Compute token expiration using Time.currentTime() instead of userSession.getStarted() 2021-04-14 12:58:45 +02:00
Martin Bartoš
b237c503ba KEYCLOAK-16913 Fix failed FuseAdapterTest 2021-04-14 09:51:02 +02:00
Martin Bartoš
5a9068e732 KEYCLOAK-16401 Deny/Allow access in a conditional context 2021-04-09 12:04:45 +02:00
Michito Okai
d9ebbe4958 KEYCLOAK-17202 Restrict Issuance of Refresh tokens to specific clients 2021-04-08 11:51:25 +02:00
Takashi Norimatsu
8b0b657a8f KEYCLOAK-17682 Client Policy - Executor : remove inner config class for executor without any config 2021-04-08 09:22:16 +02:00
Takashi Norimatsu
3221708499 KEYCLOAK-17667 Client Policy - Executor : Only Accept Confidential Client 2021-04-08 09:17:10 +02:00
Takashi Norimatsu
e9035bb7b3 KEYCLOAK-17681 Client Policy - Executor : Limiting available period of Request Object with its configuration 2021-04-08 09:12:20 +02:00
Daniel Fesenmeyer
a48d04bfe0 KEYCLOAK-16082 save attributes when role is created (with REST POST request)
- add missing mapping code to RoleContainerResource#createRole
- extend ClientRolesTest and RealmRolesTest to check that now the attributes are saved when a role is created
- remove no longer needed code which updated roles because attributes were not saved on creation
2021-04-07 14:08:49 -03:00
Lukas Hanusovsky
e0d660d815 KEYCLOAK-17311 - exclude for Remote testsuite 2021-04-07 13:37:38 +02:00
Lukas Hanusovsky
17b19b2e36 KEYCLOAK-17302 - exclude for Remote testsuite 2021-04-07 13:35:47 +02:00
Takashi Norimatsu
7b227ae47c KEYCLOAK-17666 Client Policy - Executor : Limiting available period of Request Object 2021-04-07 08:36:26 +02:00
Takashi Norimatsu
42dec08f3c KEYCLOAK-16805 Client Policy : Support New Admin REST API (Implementation) (#7780)
* KEYCLOAK-16805 Client Policy : Support New Admin REST API (Implementation)

* support tests using auth-server-quarkus

* Configuration changes for ClientPolicyExecutorProvider

* Change VALUE of table REALM_ATTRIBUTES to NCLOB

* add author tag

* incorporate all review comments

Co-authored-by: mposolda <mposolda@gmail.com>
2021-04-06 16:31:10 +02:00
vramik
d1ad905407 KEYCLOAK-17640 fix MultiVersionClusterTest.verifyFailureOn* tests 2021-04-06 12:55:26 +02:00
Miquel Simon
5f551e018d KEYCLOAK-17310. Disabled test in remote environment. (#7898) 2021-04-06 09:03:04 +02:00
vramik
185075d373 KEYCLOAK-14552 Realm Map Store 2021-03-31 15:49:03 +02:00
Konstantinos Georgilakis
ec5c256562 KEYCLOAK-5657 Support for transient NameIDPolicy and AllowCreate in SAML IdP 2021-03-31 14:45:39 +02:00
rmartinc
0a0caa07d6 KEYCLOAK-17215 Slowness issue while hitting /auth/admin/realms/$REALM/clients?viewableOnly=true after DELETE a role 2021-03-31 12:57:17 +02:00
vramik
c3b9c66941 KEYCLOAK-17460 invalidate client when assigning scope 2021-03-30 10:58:16 +02:00
sma1212
e10f3b3672 [KEYCLOAK-17484] OIDC Conformance - Authorization response with Hybrid flow does not contain token_type (#7872)
* [KEYCLOAK-17484] fix oidc conformance for hybrid-flow

* [KEYCLOAK-17484] add TokenType & ExpiresIn to OAuth2Constants

* [KEYCLOAK-17484] add request validation for oidc-flows automated tests
2021-03-30 08:59:30 +02:00
devopsix
590ee1b1a2 KEYCLOAK-15459 Fix serialization of locale in admin console's “whoami” (#7397)
call.
2021-03-29 18:37:26 -04:00
Bodo Graumann
0033b7daf7 [KEYCLOAK-17166] Use radio buttons for otp select 2021-03-29 15:46:34 +02:00
Thomas Darimont
7ec6a54e22 KEYCLOAK-17581 Prevent empty group names
Create / Update operations in `GroupResource ` and `GroupsResource#addTopLevelGroup`
did not validate the given group name. This allowed the creation of groups with empty names.

We now prevent the creation of groups with empty names.
2021-03-25 19:10:38 -03:00
Hynek Mlnarik
a36fafe04e KEYCLOAK-17409 Support for amphibian (both component and standalone) provider 2021-03-25 13:28:20 +01:00
Jan Lieskovsky
5fac80b05e [KEYCLOAK-17100] Testsuite Wildfly initialization error on Windows
[KEYCLOAK-17392] Java CLASSPATH is wrongly parsed on Windows

Signed-off-by: Jan Lieskovsky <jlieskov@redhat.com>
Co-Authored-By: Peter Zaoral <pzaoral@redhat.com>
2021-03-25 09:21:34 +01:00
Pedro Igor
fca65ac644 Adding a test when custom policies are used 2021-03-24 08:24:43 -03:00
Xiangjiaox
ca81e6ae8c KEYCLOAK-15015 Extend KeyWrapper to add whole certificate chain in x5c parameter (#7643)
* [KEYCLOAK-15015] - Publishing the x5c for JWK

Co-authored-by: Vetle Bergstad <vetle.bergstad@evry.com>
Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com>
2021-03-23 08:37:50 -03:00
cgeorgilakis
18afdea392 KEYCLOAK-16048 SAML Client import - add md:RequestedAttribute as "User Attribute" ProtocolMapper 2021-03-22 21:55:32 +01:00
Clement Cureau
0b68f24a09 [KEYCLOAK-14046] Include groups in user creation via Admin Console (#7035)
* [KEYCLOAK-14046] Include groups in user creation via Admin Console

Since the POST /users API now supports providing groups membership, here is the UI
part!

- Added a field in the user creation UI to specify groups the newly created user
will be joining
- Added associated messages in english language

* Added UI integration tests

* Fixed UI tests

* Flatten nested groups in user creation groups searchbox

* Filtering out searched groups

* Removed unused injection

* Fixed UI tests

Co-authored-by: Clement Cureau <clement.cureau@cdiscount.com>
2021-03-19 13:55:45 +01:00
mposolda
853a6d7327 KEYCLOAK-17000 Adding server tmp directory inside the auth-server home directory 2021-03-17 10:06:48 +01:00
Pascal Euhus
82fc401298 [KEYCLOAK-9841] use LDAPUser UUID as an identifier instead of username 2021-03-16 17:55:24 +01:00
Andrew Elwell
c76ca4ad13 Correct "doesn't exists" typos - fixes KEYCLOAK-14986 (#7316)
* Correct "doesn't exists" typos

* Revert changes to imported package

Co-authored-by: Stian Thorgersen <stianst@gmail.com>
2021-03-16 11:52:36 +01:00
Yang Xie
db30b470c4 KEYCLOAK-17342 Make the default value of default signature algorithm show up in the admin console 2021-03-16 09:15:22 +01:00
Michito Okai
298ab0bc3e KEYCLOAK-7675 Support for Device Authorization Grant 2021-03-15 10:09:20 -03:00
Łukasz Dywicki
319195236b Fix failing test, cause oauth device flow is encoded using realm attributes. 2021-03-15 10:09:20 -03:00
Hiroyuki Wada
9d57b88dba KEYCLOAK-7675 Prototype Implementation of Device Authorization Grant.
Author:    Hiroyuki Wada <h2-wada@nri.co.jp>
Date:      Thu May 2 00:22:24 2019 +0900

Signed-off-by: Łukasz Dywicki <luke@code-house.org>
2021-03-15 10:09:20 -03:00
Thomas Darimont
d2060913be KEYCLOAK-14412 Fixed compiler error in JavascriptAdapterTests 2021-03-11 13:03:08 -03:00
Thomas Darimont
b926cd20f1 KEYCLOAK-14412 Keycloak.js should honor scopes configured in initOptions and loginOptions 2021-03-11 13:03:08 -03:00
Hynek Mlnarik
4946484cb6 KEYCLOAK-17377 Fix invalidation cluster tests (do not hide failures) 2021-03-11 16:14:59 +01:00
Lukas Hanusovsky
b3ea6f74be KEYCLOAK-16212 - Exclude Remote execution for the LDAPVaultCredentialsTest, fixed broken exclude Remote execution for the LDAPUserLoginTest. 2021-03-10 07:27:43 +01:00
Yang Xie
2605eddbe7 KEYCLOAK-17300 Add a method to check if the token revocation request has duplicate parameters 2021-03-09 18:27:38 +01:00
Lukas Hanusovsky
ef57714eaa KEYCLOAK-17301 - fix -> added org.infinispan.commons module into jboss-deployment-structure.xml 2021-03-09 11:05:17 +01:00
vramik
6e501946b1 KEYCLOAK-17021 Client Scope map store 2021-03-08 21:59:28 +01:00
Michal Hajas
fc29a39e5a KEYCLOAK-16592 Do not require destination with SOAP binding 2021-03-05 19:52:00 +01:00
mposolda
99c1ee7f5a KEYCLOAK-16793 KEYCLOAK-16948 Cors on error responses for logoutEndpoint and tokenEndpoint 2021-03-05 14:14:53 +01:00
Martin Bartoš
d452041d7d KEYCLOAK-17304 ClientPoliciesTest - exclude mTLS tests for non-required SSL 2021-03-05 12:24:37 +01:00
Martin Bartoš
da6a017e86 KEYCLOAK-17307 ResetPasswordTest - wrong redirect URIs 2021-03-05 08:49:34 +01:00
Pavel Drozd
8203c4451e KEYCLOAK-14766 - Removed setting default password for LDAPRule configuration 2021-03-04 12:56:45 +01:00
Denis
23bfaef4bb KEYCLOAK-15535 Account Log of user login with realm not available details when update profile 2021-03-04 08:06:36 +01:00
Yang Xie
78754d1127 KEYCLOAK-17259 Add a method to check if the introspection request has duplicate parameters 2021-03-03 16:23:27 +01:00
Pedro Igor
0f30b3118a [KEYCLOAK-16676] - Client attributes should not be stored if null or empty 2021-03-03 15:37:05 +01:00
Pedro Igor
40efbb0f9c [KEYCLOAK-13942] - Invalidate pre-defined paths when paths are invalidated 2021-03-02 15:01:42 +01:00
Takashi Norimatsu
882f5ffea4 KEYCLOAK-15533 Client Policy : Extends Policy Interface to Migrate Client Registration Policies
Co-authored-by: Hryhorii Hevorkian <hhe@adorsys.com.ua>
Co-authored-by: Andrii Murashkin <amu@adorsys.com.ua>
2021-03-02 09:26:04 +01:00
i7a7467
b83064b142 KEYCLOAK-16679 Add algorithm settings for client assertion signature in OIDC identity broker 2021-03-01 18:11:25 +01:00
Takashi Norimatsu
c4bf8ecdf0 KEYCLOAK-16880 Client Policy - Condition : Negative Logic Support 2021-03-01 14:27:39 +01:00
mposolda
41dc94fead KEYCLOAK-14483 Broker state param fix 2021-02-24 19:07:58 -03:00
mposolda
6f409d088a KEYCLOAK-15239 Reset Password Success Message not shown when Kerberos is Enabled 2021-02-23 16:15:50 -03:00
Pedro Igor
dbc6514bfc [KEYCLOAK-17206] - Avoid removing attributes when updating user and profile 2021-02-23 08:41:41 +01:00
Juan Manuel Rodriguez Alvarado
6255ebe6b5 [KEYCLOAK-16536] Implement Audit Events for Authorization Services requests 2021-02-22 17:28:59 -03:00
mposolda
ed8d5a257f KEYCLOAK-16517 Make sure that just real clients with standardFlow or implicitFlow enabled are considered for redirectUri during logout 2021-02-22 14:30:32 +01:00
mposolda
0058011265 KEYCLOAK-16006 User should not be required to re-authenticate after revoking consent to an application 2021-02-22 14:29:42 +01:00
Pedro Igor
1dc0b005fe [KEYCLOAK-17087] - X509 OCSP Validation Not Checking Intermediate CAs 2021-02-22 13:50:19 +01:00
Lukas Hanusovsky
4a2830bc2e KEYCLOAK-15849 : auth-remote-server exclude -> removed duplicated annotation, fixed @Test(timeout) bug -> replaced by lambda expression. 2021-02-22 13:40:47 +01:00
Pedro Igor
9356843c6c [KEYCLOAK-16521] - Fixing secret for non-confidential clients 2021-02-19 08:38:49 +01:00
Torsten Roemer
750f5fdb0a KEYCLOAK-14577 OIDCIdentityProvider incorrectly sets firstName and lastName in BrokeredIdentityContext 2021-02-18 19:50:27 +01:00
Torsten Roemer
00ee6bb9fa KEYCLOAK-14577 OIDCIdentityProvider incorrectly sets firstName and lastName in BrokeredIdentityContext 2021-02-18 19:50:27 +01:00
rmartinc
056b52fbbe KEYCLOAK-16800 userinfo fails with 500 Internal Server Error for service account token 2021-02-18 19:37:52 +01:00
Pedro Igor
431f137c37 [KEYCLOAK-17123] - Avoid validation and updates for read-only attributes during updates 2021-02-17 17:57:46 +01:00
stefvdwel
b97f5eb128 Added PermissionTicket count test. 2021-02-17 09:40:19 -03:00
Pedro Igor
2593c3dbc4 [KEYCLOAK-15893] - Incorrect resource match is returned for some cases when using wildcard in uri 2021-02-17 12:51:26 +01:00
mposolda
80bf0b6bad KEYCLOAK-16708 Unexpected exceptions during client authentication 2021-02-12 18:27:54 +01:00
Pedro Igor
ca2a761d4b [KEYCLOAK-16886] - Updating user account removes attributes 2021-02-12 12:01:50 -03:00
Michito Okai
33bb1fda38 KEYCLOAK-16931 Authorization Server Metadata of
introspection_endpoint_auth_methods_supported and
introspection_endpoint_auth_signing_alg_values_supported
2021-02-11 14:53:49 +01:00
Pedro Igor
7a4733acc9 [KEYCLOAK-14034] - Adding tests for matching uris once updated 2021-02-11 09:44:43 -03:00
mposolda
456cdc51f2 KEYCLOAK-15719 CORS headers missing on userinfo error response 2021-02-11 13:37:42 +01:00
diodfr
cb12fed96e KEYCLOAK-4544 Detect existing user before granting user autolink 2021-02-11 11:06:49 +01:00
Lukas Hanusovsky
223d0ea456 KEYCLOAK-16625 : Testsuite -> auth.server.remote: adding keystore file to a build directory. 2021-02-09 15:22:43 +01:00
Pedro Igor
f6c3ec5d9e [KEYCLOAK-14366] - Missing check for iss claim in JWT validation on Client Authentication (Token Endpoint) 2021-02-09 13:54:06 +01:00
Pedro Igor
ab9a38ec27 [KEYCLOAK-13115] - Unable to add a role to a user if username query matches multiple accounts 2021-02-09 13:49:25 +01:00
Pedro Igor
eb37a1ed69 [KEYCLOAK-17031] - ClientInvalidationClusterTest failing on Quarkus due to unreliable comparison 2021-02-05 16:09:27 +01:00
mposolda
f4b5942c6c KEYCLOAK-16755 ClearExpiredUserSessions optimization. Rely on infinispan expiration rather than Keycloak own background task. 2021-02-04 08:49:42 +01:00
Yang Xie
cffe24f815 KECLOAK-16009 Add a method to check if the token request has duplicate parameters 2021-02-03 16:10:41 +01:00
Florian Apolloner
eeec82dea3 KEYCLOAK-16656 Only set execution authenticator for form flows. 2021-01-29 17:19:15 +01:00
Martin Kanis
8432513daa KEYCLOAK-16908 Refactor UserSessionPersisterProvider 2021-01-29 09:29:00 +01:00
Pedro Igor
922d7da3ae [KEYCLOAK-16497] - AuthzClient.create() fails when env variables are used in auth-server-url 2021-01-28 12:07:58 -03:00
Hynek Mlnarik
60e4bd622f KEYCLOAK-16828 Fix HttpClient failures and close HttpResponses 2021-01-28 08:38:34 +01:00
rmartinc
f3a4991b6a KEYCLOAK-15975 NPE in DefaultThemeManager.loadTheme() if theme directory is absent 2021-01-27 22:05:19 +01:00
Pedro Igor
0c501f8302 [KEYCLOAK-16837] - Authz client still relying on refresh tokens when doing client credentials 2021-01-27 12:23:32 -03:00
mposolda
99a70267d9 KEYCLOAK-16801 Improve performance of ClearExpiredEvents background task 2021-01-27 09:57:46 +01:00
Takashi Norimatsu
b89edabcfc KEYCLOAK-16889 Client Policy : Refactor Test Class 2021-01-27 09:06:08 +01:00
Martin Kanis
9f580e3ed8 KEYCLOAK-15695 Streamification cleanup 2021-01-20 14:39:53 +01:00
Thomas Darimont
6315fe5d22 KEYCLOAK-16464 Test mapping of enabled and emailVerified user model attribute to LDAP attributes 2021-01-20 09:24:06 +01:00
Takashi Norimatsu
bcf313f321 KEYCLOAK-16858 Client Policy - Improper retainAll operation in Client Scope Condition and other minor bugs 2021-01-20 09:10:21 +01:00
Martin Bartoš
9df7fdbc55 KEYCLOAK-14718 Adding test case for User Client Role Mapper 2021-01-19 17:49:36 +01:00
Michal Hajas
ba8e2fef6b KEYCLOAK-15524 Cleanup user related interfaces 2021-01-18 16:56:10 +01:00
mposolda
dae4a3eaf2 KEYCLOAK-16468 Support for deny list of metadata attributes not updateable by account REST and admin REST
(cherry picked from commit 79db549c9d561b8d5efe3596370190c4da47e4e1)
(cherry picked from commit bf4401cddd5d3b0033820b1cb4904bd1c8b56db9)
2021-01-18 13:17:51 +01:00
mposolda
eac3329d22 KEYCLOAK-14019 Improvements for request_uri parameter
(cherry picked from commit da38b36297a5bd9890f7df031696b516268d6cff)
2021-01-18 13:05:09 +01:00
Pedro Igor
c631013031 [KEYCLOAK-16515] - Scope permissions not added to result if previous permission is granted 2021-01-14 17:08:05 +01:00
Takashi Norimatsu
5f445ec18e KEYCLOAK-14200 Client Policy - Executor : Enforce Holder-of-Key Token
Co-authored-by: Hryhorii Hevorkian <hhe@adorsys.com.ua>
2021-01-12 11:21:41 +01:00
Takashi Norimatsu
f423c0dc51 KEYCLOAK-16249 Client Policy - Condition : Client - Any Client 2021-01-08 17:29:50 +01:00
vramik
1402d021de KEYCLOAK-14846 Default roles processing 2021-01-08 13:55:48 +01:00
Takashi Norimatsu
05dfac75ca KEYCLOAK-14202 Client Policy - Executor : Enforce secure signature algorithm for Signed JWT client authentication
Co-authored-by: Andrii Murashkin <amu@adorsys.com.ua>
2021-01-06 08:58:20 +01:00
Thomas Darimont
1a7600e356 KEYCLOAK-13923 Support PKCE for OIDC based Identity Providers (#7381)
* KEYCLOAK-13923 - Support PKCE for Identity Provider

We now support usage of PKCE for OIDC based Identity Providers.

* KEYCLOAK-13923 Warn if PKCE information cannot be found code-to-token request in OIDCIdentityProvider

* KEYCLOAK-13923 Pull up PKCE handling from OIDC to OAuth IdentityProvider infrastructure

* KEYCLOAK-13923 Adding test for PKCE support for OAuth Identity providers

* KEYCLOAK-13923 Use URI from KeycloakContext instead of HttpRequest

Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com>

Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com>
2021-01-05 10:59:59 -03:00
mposolda
d4a36d0d9c KEYCLOAK-16350 invalid_scope error response should be displayed for openid-connect/auth 2021-01-05 12:55:53 +01:00
vramik
dfa27b9f0f KEYCLOAK-14856 fix migration, add ssl for migration server 2021-01-05 11:05:18 +01:00
keycloak-bot
75be33ccad Set version to 13.0.0-SNAPSHOT 2020-12-16 17:31:55 +01:00
Stefan Guilhen
d6422e415c [KEYCLOAK-16508] Complement methods for accessing user sessions with Stream variants 2020-12-15 19:52:31 +01:00
Takashi Norimatsu
edabbc9449 KEYCLOAK-14203 Client Policy - Executor : Enforce HTTPS URIs 2020-12-15 09:31:20 +01:00
Martin Bartoš
24f1a9c5c4 KEYCLOAK-16583 Ignore tests which directly use WebAuthn Chrome testing feature 2020-12-14 16:39:32 +01:00
Martin Bartoš
cfc035ee42 KEYCLOAK-15066 Internal Server error when calling random idp endpoint 2020-12-14 16:37:53 +01:00
Cédric Couralet
f4abc86a66 KEYCLOAK-16112 don't remove username attribute 2020-12-14 15:46:25 +01:00
Takashi Norimatsu
200b53ed1e KEYCLOAK-14192 Client Policy - Condition : Author of a client - User Role 2020-12-14 15:37:05 +01:00
Michal Hajas
8e376aef51 KEYCLOAK-15847 Add MapUserProvider 2020-12-10 08:57:53 +01:00
Martin Kanis
3ddedc49f5 KEYCLOAK-11417 Internal server error on front channel logout with expired session 2020-12-09 14:45:04 +01:00
Martin Bartoš
873a69305f KEYCLOAK-15264 Import realm using directory provider twice with IGNORE_EXISTING will cause NPE for clientId 2020-12-08 11:28:07 +01:00
Hynek Mlnarik
8c0c542f09 KEYCLOAK-16489 Add ability to run model tests with LDAP 2020-12-07 20:54:06 +01:00
Martin Kanis
f6be378eca KEYCLOAK-14556 Authentication session map store 2020-12-07 20:48:59 +01:00
Stefan Guilhen
edef93cd49 [KEYCLOAK-16232] Streamify the UserCredentialStore and UserCredentialManager interfaces 2020-12-07 19:48:35 +01:00
Stefan Guilhen
73d0bb34c4 [KEYCLOAK-16232] Replace usages of deprecated collection-based methods with the respective stream variants 2020-12-07 19:48:35 +01:00
Takashi Norimatsu
7da5a71314 KEYCLOAK-14191 Client Policy - Condition : Author of a client - User Group 2020-12-03 17:52:06 +01:00
Ian
be4c99dfe5 KEYCLOAK-15287 Ability to add custom claims to the AccessTokenResponse 2020-12-03 17:28:03 +01:00
Peter Zaoral
c8a2f82a50 KEYCLOAK-14138 Upgrade OTP login screen
* edited related css and ftl theme resources
* added tile component
* fixed IE11 compatibility
* fixed affected tests

Signed-off-by: Peter Zaoral <pzaoral@redhat.com>
2020-12-03 16:00:36 +01:00
Takashi Norimatsu
a51e0cc484 KEYCLOAK-14197 Client Policy - Condition : Client - Client Host 2020-12-02 09:05:42 +01:00
vramik
cd9e01af90 KEYCLOAK-16502 Migration of DELETE_ACCOUNT role 2020-12-01 13:10:20 +01:00
Peter Zaoral
ad940a861a KEYCLOAK-14137 Upgrade Authentication selector screen
* edited related css and ftl theme resources
* added IE11 compatibility support
* fixed affected tests

Signed-off-by: Peter Zaoral <pzaoral@redhat.com>
2020-11-27 08:40:06 +01:00
Jan Lieskovsky
833bf98643 [KEYCLOAK-15692] Upgrade to Wildfly "21.0.1.Final"
Base fixes:
* [KEYCLOAK-15780]      Upgrade Keycloak to Wildfly 21.0.0.Beta1 / Wildfly Core 13.0.0.Beta6
* [KEYCLOAK-16031]      Upgrade Keycloak to Wildfly 21.0.0.Final / Wildfly Core 13.0.1.Final
* [KEYCLOAK-16442]      Upgrade Keycloak to Wildfly 21.0.1.Final / Wildfly Core 13.0.3.Final

Other (dependent) fixes:
* [KEYCLOAK-15408]      Deprecate former Wildfly and Wildfly Core versions in Arquillian's
                        testsuite pom.xml file as part of the upgrade script
* [KEYCLOAK-15442]      Update the version of 'jboss-parent' as part of the Wildfly upgrade
                        script if necessary
* [KEYCLOAK-15474]      Add --verbose and --force options to the Wildfly upgrade automated script
* [KEYCLOAK-15649]      Update "urn:jboss:domain:infinispan:10.0" version as part of the Wildfly
                        upgrade automated script
* [KEYCLOAK-15652]      Wildfly upgrade automated script - Align Python artifact version
                        comparison algorithm with the Maven / Java one

Signed-off-by: Jan Lieskovsky <jlieskov@redhat.com>
2020-11-26 09:25:29 +01:00
Hynek Mlnarik
5c2122d36f KEYCLOAK-16444 Initialize JAXP components consistently 2020-11-25 14:20:19 +01:00
zak905
4f330f4a57 KEYCLOAK-953: add allowing user to delete his own account feature 2020-11-24 15:50:07 +01:00
Stan Silvert
0afd55f32c KEYCLOAK-14547: Make New Account Console the default. 2020-11-23 20:56:05 +01:00
Takashi Norimatsu
5dd5b5bedf KEYCLOAK-16392 Client Policy - Condition : NPE without any initial configuration 2020-11-23 12:07:28 +01:00
st
a7666d4ccf KEYCLOAK-11699 add support for 127.0.0.1 for native app 2020-11-20 11:03:29 +01:00
Douglas Palmer
43e075afa5 [KEYCLOAK-14352] JavaScript injection vulnerability of Realm registration REST API 2020-11-18 10:48:11 -03:00
Martin Bartos
ab347df5ee KEYCLOAK-14915 Upgrade registration screen to PF4 2020-11-18 10:54:17 +01:00
Takashi Norimatsu
9ce2e9b1f7 KEYCLOAK-14193 Client Policy - Condition : Client - Client Access Type 2020-11-18 09:49:22 +01:00
Hynek Mlnarik
29e3d89f3a KEYCLOAK-16297 Fix HttpClient stale connections 2020-11-16 14:59:00 +01:00
Martin Bartoš
59aa31084e KEYCLOAK-16143 Login form expected, but registration form is displayed 2020-11-13 21:36:51 +01:00
Michal Hajas
a766a1dd16 KEYCLOAK-16074 Fix check3pCookiesSupported message callback 2020-11-13 16:01:50 -03:00
Takashi Norimatsu
21c7af1c53 KEYCLOAK-14207 Client Policy - Executor : Enforce more secure client signature algorithm when client registration 2020-11-13 09:24:59 +01:00
Takashi Norimatsu
244a1b2382 KEYCLOAK-14196 Client Policy - Condition : Client - Client Scope 2020-11-12 08:40:28 +01:00
vmuzikar
01be601dbd KEYCLOAK-14306 OIDC redirect_uri allows dangerous schemes resulting in potential XSS
(cherry picked from commit e86bec81744707f270230b5da40e02a7aba17830)

Conflicts:
    testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/ClientRegistrationTest.java
    testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/ClientTest.java
    services/src/main/java/org/keycloak/validation/DefaultClientValidationProvider.java
2020-11-12 08:21:54 +01:00
Takashi Norimatsu
e35a4bcefc KEYCLOAK-14206 Client Policy - Executor : Enforce more secure state and nonce treatment for preventing CSRF 2020-11-11 21:11:34 +01:00
Hynek Mlnarik
030a077e99 KEYCLOAK-16157 Fix Unexpected I/O error message 2020-11-11 11:12:52 +01:00
Pedro Igor
852c4a57ff [KEYCLOAK-14468] - Scope permission sometimes not removed when removing scopes 2020-11-11 08:44:28 +01:00
niwde
c69f92831b [KEYCLOAK-16215] Typo in EventConfigTest 2020-11-10 13:54:39 -03:00
Martin Kanis
d9029b06b9 KEYCLOAK-15889 Streamification of ProtocolMappers 2020-11-10 16:40:34 +01:00
Takashi Norimatsu
a0b1710735 KEYCLOAK-14198 Client Policy - Condition : Client - Client IP 2020-11-10 15:37:26 +01:00
Stefan Guilhen
aa46735173 [KEYCLOAK-15200] Complement methods for accessing users with Stream variants 2020-11-10 15:13:11 +01:00
Takashi Norimatsu
a63814da67 KEYCLOAK-14201 Client Policy - Executor : Enforce Proof Key for Code Exchange (PKCE) 2020-11-09 08:18:05 +01:00
Thomas Darimont
de20830412 KEYCLOAK-9551 KEYCLOAK-16159 Make refresh_token generation for client_credentials optional. Support for revocation of access tokens.
Co-authored-by: mposolda <mposolda@gmail.com>
2020-11-06 09:15:34 +01:00
vmuzikar
2df62369c3 KEYCLOAK-15295 User can manage resources with just "view-profile" role using new Account Console
(cherry picked from commit 1b063825755d9f5aa13e612757e8ef7299430761)
2020-11-06 08:55:57 +01:00
stianst
6b2e1cbc5f KEYCLOAK-16167 Enable Account REST API by default 2020-11-06 08:06:03 +01:00
Takashi Norimatsu
6dc136dfc0 KEYCLOAK-14199 Client Policy - Executor : Enforce more secure client authentication method when client registration 2020-11-05 20:42:49 +01:00
Martin Bartos
7522d5ac74 KEYCLOAK-15841 Upgrade rest of the minor forms to PF4 2020-11-05 17:58:41 +01:00
Hynek Mlnarik
7b8575fa1a KEYCLOAK-16090 Work around LDAPUserLoginTest false failures 2020-11-03 08:38:54 +01:00
Christoph Leistert
e131de9574 KEYCLOAK-14855 Added realm-specific localization texts which affect texts in every part of the UI (admin console / login page / personal info page / email templates). Also new API endpoints and a new UI screen to manage the realm-specific localization texts were introduced.
Co-authored-by: Daniel Fesenmeyer <daniel.fesenmeyer@bosch.io>
2020-10-30 08:02:43 -03:00
vramik
785f2e78bc KEYCLOAK-14977 create MapRoleProvider 2020-10-30 08:15:22 +01:00
Johannes Knutsen
23c575c236 KEYCLOAK-15399: Wrong token type in token response. bearer vs Bearer 2020-10-28 10:38:22 -03:00
Pedro Igor
24f90ca6cb [KEYCLOAK-15406] - Grant access when evaluating user-managed permission for the owner 2020-10-28 09:59:24 -03:00
Martin Bartos
a8df7d88a1 [KEYCLOAK-14139] Upgrade login screen to PF4 2020-10-27 20:24:07 +01:00
Hynek Mlnarik
267f1797d4 KEYCLOAK-15735 Fix LDAPSamlIdPInitiatedVaryingLetterCaseTest failures on few DBs 2020-10-23 15:15:03 +02:00
Hynek Mlnarik
e80538c60c KEYCLOAK-15921 Fix auth server URL 2020-10-23 15:14:01 +02:00
Pedro Igor
b95ca30ec2 [KEYCLOAK-14255] - Minor fixes and improvements 2020-10-23 10:39:21 +02:00
Daniel Fesenmeyer
de8d2eafa3 KEYCLOAK-14781 Extend Admin REST API with search by federated identity
- Add parameters idpAlias and idpUserId to the resource /{realm}/users and allow it to be combined with the other search parameters like username, email and so on
- Add attribute "federatedIdentities" to UserEntity to allow joining on this field
- extend integration test "UserTest"
2020-10-22 08:51:26 +02:00
Sven-Torben Janus
850d3e7fef KEYCLOAK-15511 OTP registration during login with LDAP read-only
When LDAP user federation is configured in read-only mode, it is not
possible to set required actions for users from LDAP.
Keycloak credential model allows for registering OTP devices when LDAP
is configured with "Import Users" flag enabled. Registering OTP devices
needs to be done via the account management console and works as
expected. However, it fails, if a user has to register an OTP device
during login (i.e. within the authentication flow), because the OTP Form
Authenticator tries to enforce OTP registration via setting the
corresponding required action for the user. That fails, because the user
is read-only.
To work around this, the required action is set on the authentication
session instead.
2020-10-21 17:00:11 +02:00
mposolda
7891daef73 KEYCLOAK-15998 Keycloak OIDC adapter broken when Keycloak server is on http 2020-10-21 08:36:08 +02:00
mhajas
4556e858ad KEYCLOAK-15522 Use AbstractStorageManager in UserStorageManager 2020-10-15 20:41:13 +02:00
Sven-Torben Janus
eb002c7ecd KEYCLOAK-3365 Extend test case 2020-10-15 08:43:31 +02:00
Sven-Torben Janus
5918094840 KEYCLOAK-3365 Add test case 2020-10-15 08:43:31 +02:00
mhajas
d266165f63 KEYCLOAK-14871 Whitelist RefreshableKeycloakSecurityContext for KeycloakPrincipal serialization 2020-10-14 16:00:39 +02:00
Martin Kanis
086f7b4696 KEYCLOAK-15450 Complement methods for accessing realms with Stream variants 2020-10-14 08:16:49 +02:00
Hynek Mlnarik
4541a1b250 KEYCLOAK-15907 Fix new host in SAML adapter cannot restore session 2020-10-12 13:23:03 +02:00
testn
269a72d672 KEYCLOAK-15184: Use static inner class where possible 2020-10-09 23:37:08 +02:00
Luca Leonardo Scorcia
f274ec447b KEYCLOAK-15697 Make the Service Provider Entity ID user configurable 2020-10-09 22:04:02 +02:00
mposolda
ff05072c16 KEYCLOAK-15770 Skip creating session for docker protocol authentication 2020-10-09 07:53:26 +02:00
mposolda
d269af1b70 KEYCLOAK-15830 Remove authentication session after failed directGrant authentication 2020-10-07 18:13:21 +02:00
vmuzikar
bb7ce62cd5 KEYCLOAK-15332 Missing CORS headers in some endpoints in Account REST API 2020-10-07 09:07:55 -03:00
mhajas
540516c6a9 KEYCLOAK-15734 Exclude tests with testingClient in remote environment 2020-10-06 20:26:24 +02:00
dashaylan
65ecfc960a Combine UserInfo KcOidcBrokerConfiguration with OidcUserInfoClaimToRoleMapperTest 2020-10-06 08:44:02 +02:00
dashaylan
787d44be78 Reduce code duplication and test count 2020-10-06 08:44:02 +02:00
dashaylan
0d6da99844 Add UserInfo check fix and associated tests. 2020-10-06 08:44:02 +02:00
Markus Till
72f73f153a UserProfile M1 2020-10-05 09:59:44 -03:00
Michito Okai
eac3341241 KEYCLOAK-15779 Authorization Server Metadata for the URL of the
authorization server's JWK Set [JWK] document
2020-10-02 11:18:31 +02:00
Thomas Darimont
12576e339d KEYCLOAK-15146 Add support for searching users by emailVerified status
We now allow to search for users by their emailVerified status.
This enables users to easily find users and deal with incomplete user accounts.
2020-09-29 08:28:59 -03:00
vmuzikar
fbe18e67c3 KEYCLOAK-15721 KeycloakPromise sometimes doesn't work 2020-09-28 15:57:46 -03:00
Takashi Norimatsu
6596811d5d KEYCLOAK-14204 FAPI-RW Client Policy - Executor : Enforce Request Object satisfying high security level 2020-09-25 08:31:14 +02:00
mhajas
e4078933f8 KEYCLOAK-14828 Disable DTD for SAML XML parser
(cherry picked from commit 37de7de78b2ae0eebee97fe917642bb849325f86)
2020-09-24 13:35:21 +02:00
Pedro Igor
76dede0f1e [KEYCLOAK-14221] - Allow to map subject to userinfo response 2020-09-23 14:33:14 +02:00
vmuzikar
bca73fd04a KEYCLOAK-15158 Javascript adapter init() is throwing a promise error after upgrade to 11 2020-09-22 10:56:46 -03:00
Frode Ingebrigtsen
0a0b7da53e KEYCLOAK-15429 Add CORS origin on permission request with invalid access token 2020-09-22 08:56:21 -03:00
Denis
50210c4d9b KEYCLOAK-14161 Regression on custom registration process 2020-09-21 20:23:39 +02:00
mhajas
12bc84322a KEYCLOAK-14974 Map group storage provider 2020-09-21 15:56:32 +02:00
testn
2cd03569d6 KEYCLOAK-15238: Fix potential resource leak from not closing Stream/Reader 2020-09-21 13:05:03 +02:00
vmuzikar
790b549cf9 KEYCLOAK-15262 Logout all sessions after password change 2020-09-18 20:09:40 -03:00
mhajas
b75ad2fbd8 KEYCLOAK-15259 Avoid using "null" Origin header as a valid value 2020-09-17 23:21:49 -07:00
mhajas
f7e0af438d KEYCLOAK-14232 Add Referrer-Policy: no-referrer to each response from Keycloak
(cherry picked from commit 0b49640231abc6e465542bd2608e1c908c079ced)
2020-09-17 23:21:49 -07:00
Pedro Igor
0978d78a48 [KEYCLOAK-14255] - Initial changes to configuration 2020-09-16 20:03:52 +02:00
Luca Leonardo Scorcia
10077b1efe KEYCLOAK-15485 Add option to enable SAML SP metadata signature 2020-09-16 16:40:45 +02:00
Martin Kanis
5d5e56dde3 KEYCLOAK-15199 Complement methods for accessing roles with Stream variants 2020-09-16 16:29:51 +02:00
Benjamin Weimer
f874e9a43c KEYCLOAK-9874 include realm and client roles in user info response 2020-09-16 10:01:02 +02:00
Takashi Norimatsu
b670734eec KEYCLOAK-14205 FAPI-RW Client Policy - Executor : Enforce Response Type of OIDC Hybrid Flow 2020-09-14 20:58:25 +02:00
Hynek Mlnarik
a05066d567 KEYCLOAK-15477 Fix permission evaluation logic 2020-09-14 20:53:46 +02:00
vmuzikar
a9a719b88c KEYCLOAK-15270 Account REST API doesn't verify audience 2020-09-14 08:43:09 -03:00
Miquel Simon
2572b1464b KEYCLOAK-15395. Removed totp/remove (DELETE) and credentials/password (GET, POST) endpoints. 2020-09-10 18:03:03 -03:00
Takashi Norimatsu
af2f18449b KEYCLOAK-14195 FAPI-RW Client Policy - Condition : Client - Client Role 2020-09-10 18:34:19 +02:00
Clement Cureau
b19fe5c01b Finegrain admin as fallback and added some tests 2020-09-10 12:26:55 -03:00
Sebastian Laskawiec
e01159a943 KEYCLOAK-14767 OpenShift Review Endpoint audience fix 2020-09-09 11:57:24 -03:00
Takashi Norimatsu
cbb79f0430 KEYCLOAK-15448 FAPI-RW : Error Response on OIDC private_key_jwt Client Authentication Error (400 error=invalid_client) 2020-09-09 11:14:21 +02:00
Benjamin Weimer
b2934e8dd0 KEYCLOAK-15327 backchannel logout invalidate offline session even if there is no corresponding active session found 2020-09-08 11:17:20 -03:00
Martin Kanis
4e9bdd44f3 KEYCLOAK-14901 Replace deprecated ClientProvider related methods across Keycloak 2020-09-07 13:11:55 +02:00
stianst
76f7fbb984 KEYCLOAK-14548 Add support for cached gzip encoding of resources 2020-09-07 00:58:47 -07:00
Martin Bartos
e34ff6cd9c [KEYCLOAK-14326] Identity Provider force sync is not working 2020-09-07 09:42:40 +02:00
Takashi Norimatsu
1d8230d438 KEYCLOAK-14190 Client Policy - Condition : The way of creating/updating a client 2020-09-04 09:54:55 +02:00
Luca Leonardo Scorcia
67b2d5ffdd KEYCLOAK-14961 SAML Client: Add ability to request specific AuthnContexts to remote IdPs 2020-09-03 21:25:36 +02:00
Hynek Mlnarik
1c4a2db8e1 KEYCLOAK-14510 Properly close Response object 2020-09-03 11:23:05 +02:00
Konstantinos Georgilakis
1fa93db1b4 KEYCLOAK-14304 Enhance SAML Identity Provider Metadata processing 2020-09-02 20:43:09 +02:00
Takashi Norimatsu
b93a6ed19f KEYCLOAK-14919 Dynamic registration - Scope ignored 2020-09-02 13:59:22 +02:00
Takashi Norimatsu
107a429238 KEYCLOAK-15236 FAPI-RW : Error Response on OAuth 2.0 Mutual TLS Client Authentication Error (400 error=invalid_client) 2020-09-02 09:31:20 +02:00
mhajas
3928a49c77 KEYCLOAK-14816 Reset brute-force-detection data for the user after a successful password grant type flow 2020-09-01 21:45:17 +02:00
Hynek Mlnarik
583fa07bc4 KEYCLOAK-11029 Support modification of broker username / ID for identity provider linking 2020-09-01 20:40:38 +02:00
testn
0362d3a430 KEYCLOAK-15113: Move away from deprecated Promise.success()/error() 2020-09-01 14:26:44 -04:00
mhajas
bdccfef513 KEYCLOAK-14973 Create GroupStorageManager 2020-09-01 10:21:39 +02:00
Martin Bartos
9c847ab176 [KEYCLOAK-14432] Unhandled NPE in identity broker auth response 2020-08-31 14:14:42 +02:00
Martin Kanis
d59a74c364 KEYCLOAK-15102 Complement methods for accessing groups with Stream variants 2020-08-28 20:56:10 +02:00
Thomas Darimont
df94cefbc1 KEYCLOAK-12729 Revise password policy not-email tests
- Added missing cleanup to RegisterTest
- Revised test-setup for AccountFormServiceTest
2020-08-21 14:55:07 +02:00
Thomas Darimont
0f967b7acb KEYCLOAK-12729 Add password policy not-email
Added test cases and initial translations
2020-08-21 14:55:07 +02:00
mposolda
bd48d7914d KEYCLOAK-15139 Backwards compatibility for LDAP Read-only mode with IMPORT_USERS enabled 2020-08-20 14:05:21 +02:00
Hynek Mlnarik
6231b7c904 KEYCLOAK-15207 Fix map storage test failures 2020-08-20 07:53:54 +02:00
Pedro Igor
cb57c58b4b [KEYCLOAK-14730] - Consent not working when using federation storage and client is displayed on consent screen 2020-08-19 10:08:21 +02:00
mhajas
ae39760a62 KEYCLOAK-14972 Add independent GroupProvider interface 2020-08-13 21:13:12 +02:00
Benjamin Weimer
fdcfa6e13e KEYCLOAK-15156 backchannel logout offline session handling 2020-08-13 08:09:59 -03:00
David Hellwig
ddc2c25951 KEYCLOAK-2940 - draft - Backchannel Logout (#7272)
* KEYCLOAK-2940 Backchannel Logout

Co-authored-by: Benjamin Weimer <external.Benjamin.Weimer@bosch-si.com>
Co-authored-by: David Hellwig <hed4be@bosch.com>
2020-08-12 09:07:58 -03:00
Sebastian Paetzold
4ff34c1be9 KEYCLOAK-14890 Improve null handling in case of missing NameId 2020-08-06 10:45:22 -03:00
vmuzikar
b68d06f91c KEYCLOAK-13127 Update Account Console to Account REST API v1 2020-08-04 18:43:23 -03:00
vramik
6b00633c47 KEYCLOAK-14812 Create RoleStorageManager 2020-07-31 15:11:25 -03:00
vramik
bfa21c912c KEYCLOAK-14811 Create RoleProvider and make it independent of ClientProvider and RealmProvider 2020-07-31 15:11:25 -03:00
rmartinc
32bf50e037 KEYCLOAK-14336: LDAP group membership is not visible under "Users in Role" tab for users imported from LDAP 2020-07-30 16:19:22 +02:00
Dillon Sellars
25bb2e3ba2 KEYCLOAK-14529 Signed and Encrypted ID Token Support : RSA-OAEP-256 Key Management Algorithm 2020-07-30 15:20:51 +02:00
vramik
7f979ffbcf KEYCLOAK-14889 Create test for clientStorageProviderTimeout 2020-07-30 08:42:51 -03:00
Yoshiyuki Tabata
cd76ed0d74 KEYCLOAK-14289 OAuth Authorization Server Metadata for Token Revocation 2020-07-29 11:41:56 +02:00
Martin Idel
97400827d2 KEYCLOAK-14870: Fix bug where user is incorrectly imported
Bug: SerializedBrokeredIdentityContext was changed to mirror
UserModel changes. However, when creating the user in LDAP,
the username must be provided first (everything else can
be handled via attributes).
2020-07-29 11:33:41 +02:00
Takashi Norimatsu
0191f91850 KEYCLOAK-14380 Support Requesting Claims using the claims Request Parameter 2020-07-29 09:53:28 +02:00
mposolda
c4fca5895f KEYCLOAK-14892 NullPointerException when group mappings for LDAP users are accessed 2020-07-28 14:45:06 +02:00
Martin Idel
330a3d8ff5 KEYCLOAK-14904 Fix AccountRestService
- custom attributes in UserModel are removed during update
- this can break caching (doesn't break if user is written
  to database)
- also ensure that we don't accidentally change username
  and/or firstName/lastName through attributes
2020-07-28 10:03:14 +02:00
Martin Idel
bf411d7567 KEYCLOAK-14869: Fix nullpointer exception in FullNameLDAPStorageMapper
Setting an attribute should be possible with a list
containing no elements or a null list

This can happen e.g. when creating users via idps
using a UserAttributeStatementMapper.

Fix this unprotected access in other classes too
2020-07-28 09:54:37 +02:00
Lorent Lempereur
e82fe7d9e3 KEYCLOAK-13950 SAML2 Identity Provider - Send Subject in SAML requests 2020-07-24 21:41:57 +02:00
mhajas
74988a3f21 KEYCLOAK-14826 Fix non-ssl auth-server tests failures 2020-07-23 14:20:19 +02:00
keycloak-bot
afff0a5109 Set version to 12.0.0-SNAPSHOT 2020-07-22 14:36:15 +02:00
Hynek Mlnarik
8fae2997c9 KEYCLOAK-14553 Improve logging 2020-07-22 00:08:15 +02:00
Hynek Mlnarik
c566b46e8f KEYCLOAK-14549 Make ClientProvider independent of RealmProvider
Co-Authored-By: vramik <vramik@redhat.com>
2020-07-22 00:08:15 +02:00
Hynek Mlnarik
ac0011ab6f KEYCLOAK-14553 Client map store
Co-Authored-By: vramik <vramik@redhat.com>
2020-07-22 00:08:15 +02:00
Martin Kanis
c5d5423cd3 KEYCLOAK-12265 Move KerberosEmbeddedServer to testsuite 2020-07-21 18:27:09 +02:00
vmuzikar
316f9f46e2 KEYCLOAK-14825 Make adapter tests running with FF to test cookies 2020-07-21 10:25:19 -03:00
Luca Leonardo Scorcia
9204402514 KEYCLOAK-14820 Import the NameIDPolicyFormat attribute from SAML IDP metadata descriptors 2020-07-21 12:23:25 +02:00
Takashi Norimatsu
e0fbfa722e KEYCLOAK-14189 Client Policy : Basics 2020-07-21 07:50:08 +02:00
Douglas Palmer
6d5495141d [KEYCLOAK-14611] Incorrect error message shown on duplicated email registration 2020-07-20 18:17:54 -03:00
Jan Lieskovsky
969b09f530 [KEYCLOAK-13692] Upgrade to Wildfly "20.0.1.Final" and Infinispan "10.1.8.Final"
Co-authored-by: Jan Lieskovsky <jlieskov@redhat.com>
Co-authored-by: Marek Posolda <mposolda@redhat.com>
2020-07-20 22:15:08 +02:00
Luca Leonardo Scorcia
46bf139cb4 KEYCLOAK-14741 Minor SAML specs compliance improvements 2020-07-20 21:08:12 +02:00
mhajas
93149d6b47 KEYCLOAK-14234 Adjust Adapter testsuite to work with app/auth.server.host including TLS configured 2020-07-20 11:22:16 +02:00
Thomas Vitale
4cd5ace800 KEYCLOAK-9321 Remove invalid token_introspection_endpoint
The discovery document is advertising both token_introspection_endpoint
and introspection_endpoint. The former has been removed as it is not
defined by OAuth2/OIDC.
2020-07-17 11:41:28 +02:00
Erik Jan de Wit
ace64c1f0c KEYCLOAK-12249 added test to test that time is localized 2020-07-15 14:57:38 -04:00
Pedro Igor
582046bbfe [KEYCLOAK-13141] - Fixing filter 2020-07-15 11:00:55 -03:00
Luca Leonardo Scorcia
f8a4f66d6c KEYCLOAK-13698 - SAML Client - Add certificate info to signature
Adds the X509Data tag to the XML Document signature in AuthnRequests
2020-07-10 23:06:37 +02:00
vmuzikar
7087c081f0 KEYCLOAK-14023 Instagram User Endpoint change
Co-authored-by: Jean-Baptiste PIN <jibet.pin@gmail.com>
2020-07-10 17:36:51 -03:00
Pedro Igor
1db1deb066 [KEYCLOAK-13141] - Supporting re-augmentation 2020-07-10 11:04:46 -03:00
Pavel Drozd
48e4432e9d KEYCLOAK-14508 - Exclude SessionNotOnOrAfterTest from remote tests 2020-07-10 14:22:11 +02:00
Luca Leonardo Scorcia
d6934c64fd Refactor SAML metadata generation to use the SAMLMetadataWriter class 2020-07-09 09:39:35 +02:00
Pedro Igor
9c4da9b3ce [KEYCLOAK-14147] - Request filter refactoring
Co-authored-by: Stian Thorgersen <stian@redhat.com>
Co-authored-by: Martin Kanis <mkanis@redhat.com>
2020-07-07 11:26:12 -03:00
kurisumakise2011
738f24aa38 [KEYCLOAK-14570] Resolve nullpointer issue in controller
Some ProviderFactory returns null as properties instead of
Collections.emptyList() and it leads to NPE.

Fix it with using Optional.ofNullable(...).orElse(Collections.emptyList())
2020-07-07 07:46:26 +02:00
Douglas Palmer
9369c7cf4d Add filter by name to applications endpoint 2020-07-03 15:35:38 -03:00
Martin Idel
8fe25948f7 KEYCLOAK-13959 Add AdvancedAttribute mapper for SAML to allow regexes 2020-07-03 18:19:35 +02:00
Plamen Kostov
914b226d11 [KEYCLOAK-14282] Create additional filtering for GET /users endpoint for enabled/disabled users 2020-07-03 09:07:42 -03:00
Axel Messinese
f30395d535 KEYCLOAK-12687 Add briefRepresentation queryParams to get roles 'composite' endpoints 2020-07-03 09:41:53 +02:00
Bartosz Siemieńczuk
e2040f5d13 KEYCLOAK-14006 Allow administrator to add additional fields to be fetched with Facebook profile request 2020-07-01 18:27:04 -03:00
Eric Rodrigues Pires
de9a0a0a4a [KEYCLOAK-13044] Fix owner name representations of UMA tickets for client-owned resources 2020-07-01 18:15:22 -03:00
vmuzikar
dc6f7d0547 KEYCLOAK-14635 Saml tests are failing with invalid redirect urls 2020-07-01 13:46:43 +02:00
vmuzikar
001fe9eb11 KEYCLOAK-13206 Session Status iframe cannot access cookies when 3rd party cookies are blocked
Co-authored-by: mhajas <mhajas@redhat.com>
2020-06-30 17:11:20 -03:00
Douglas Palmer
5e44bb781b [KEYCLOAK-14344] Cannot revoke offline access for an app if the app doesn't require consent 2020-06-26 14:56:08 -04:00
Martin Idel
05b6ef8327 KEYCLOAK-14536 Migrate UserModel fields to attributes
- In order to make lastName/firstName/email/username field
  configurable in profile
  we need to store it as an attribute
- Keep database as is for now (no impact on performance, schema)
- Keep field names and getters and setters (no impact on FTL files)

Fix tests with logic changes

- PolicyEvaluationTest: We need to take new user attributes into account
- UserTest: We need to take into account new user attributes

Potential impact on users:

- When subclassing UserModel, consistency issues may occur since one can
  now set e.g. username via setSingleAttribute also
- When using PolicyEvaluations, the number of attributes has changed
2020-06-25 14:50:57 +02:00
Pedro Igor
337a751aaa [KEYCLOAK-11330] - Clustering tests for GA 2020-06-24 17:23:45 +02:00
Douglas Palmer
1434f14663 [KEYCLOAK-14346] Base URL for applications is broken 2020-06-23 15:26:07 -03:00
vramik
1b988cc12e KEYCLOAK-14516 app-server-eap6 tests fails due to compilation error 2020-06-22 13:43:11 +02:00
Hiroyuki Wada
f73b51818b KEYCLOAK-14113 Support for exchanging to SAML 2.0 token 2020-06-19 22:08:42 +02:00
Dirk Weinhardt
08dca9e89f KEYCLOAK-13205 Apply locale resolution strategy to admin console. 2020-06-19 10:27:13 -04:00
Peter Skopek
5f78a09db1 KEYCLOAK-13029 kcadm composite role creation fails 2020-06-18 16:37:02 +02:00
vmuzikar
662f7fbccd KEYCLOAK-14497 Compilation error in UsernameTemplateMapperTest 2020-06-18 09:15:07 -03:00
Martin Bartos
ec9bf6206e [KEYCLOAK-13202] Reset password redirects to account client 2020-06-18 13:08:36 +02:00
Erik Jan de Wit
c20766f2d7 KEYCLOAK-14140 added more test cases
Co-authored-by: vmuzikar <vmuzikar@redhat.com>
2020-06-17 13:56:11 -04:00
Thomas Darimont
92ab9c08ae KEYCLOAK-8100 Expose sub claim in OIDC IdentityBroker Mappers
We now expose the claims "sub" for use in Identity Broker mappers.
Previously claims directly mapped to `JsonWebToken` fields were not
accessible for mappings.
2020-06-17 12:56:08 -03:00
Pedro Igor
d331091c5e [KEYCLOAK-11330] - Quarkus tests 2020-06-17 17:20:55 +02:00
vmuzikar
d71e81ed5e KEYCLOAK-14235 Support for running broker tests with different hostnames for auth server and IdP 2020-06-17 14:13:00 +02:00
Pedro Igor
a8bad5b9bb [KEYCLOAK-11330] - Quarkus clustering tests 2020-06-16 10:07:24 -03:00
vramik
c403aa49f7 KEYCLOAK-14087 migration from 9.0.3 2020-06-15 14:47:13 +02:00
mhajas
5d1d75db40 KEYCLOAK-14103 Add Warn message for possibly missing SameSite configuration 2020-06-15 14:45:57 +02:00
Jan Lieskovsky
df7d85b38d [KEYCLOAK-14358] Enable StartTLS LDAP tests
Thanks to KEYCLOAK-14343 Use Truststore SPI StartTLS bug fix
they will work with Truststore SPI used by auth server Wildfly too

Signed-off-by: Jan Lieskovsky <jlieskov@redhat.com>
2020-06-11 18:07:53 +02:00
Tero Saarni
3c82f523ff [KEYCLOAK-14343] Truststore SPI support for LDAP with StartTLS
Signed-off-by:  Tero Saarni <tero.saarni@est.tech>
Co-authored-by: Jan Lieskovsky <jlieskov@redhat.com>
2020-06-11 18:07:53 +02:00
Pedro Igor
e16f30d31f [KEYCLOAK-2343] - Allow exact user search by user attributes
Co-authored-by: Hynek Mlnařík <hmlnarik@users.noreply.github.com>
2020-06-10 12:02:50 -03:00
vramik
d63b3ceca4 KEYCLOAK-14141 0 downtime upgrade test 2020-06-10 12:45:34 +02:00
Pedro Igor
6ccde288a3 [KEYCLOAK-11330] - SSL Support 2020-06-09 08:43:52 +02:00
vmuzikar
b192ac4ea7 KEYCLOAK-14233 Support for generating SSL keystore before running testsuite
Move profile for app server to base
2020-06-08 10:51:54 -03:00
Douglas Palmer
33863ba161 KEYCLOAK-10162 Usage of ObjectInputStream without checking the object types
Co-authored-by: mposolda <mposolda@gmail.com>
2020-06-08 13:12:08 +02:00
Yoshiyuki Tabata
f03ee2ec98 KEYCLOAK-14145 OIDC support for Client "offline" session lifespan 2020-06-04 14:24:52 +02:00
Denis
8d6f8d0465 EYCLOAK-12741 Add name and description edit functionality to Authentication and Execution Flows 2020-06-04 08:08:52 +02:00
Alfredo Boullosa
2ddfc94495 KEYCLOAK-14115 Add a refresh to avoid failure 2020-06-03 20:13:08 -04:00
Pedro Igor
357982adf6 [KEYCLOAK-11330] - Initial changes to get testsuite working for Quarkus 2020-06-03 09:57:24 -03:00
Jan Lieskovsky
a121f77ea4 [KEYCLOAK-12305] [Testsuite] Check LDAP federated user (in)valid
login(s) using various authentication methods, bind credential
types, and connection encryption mechanisms

The tests cover various possible combinations of the following:
* Authentication method: Anonymous or Simple (default),
* Bind credential: Secret (default) or Vault,
* Connection encryption: Plaintext (default), SSL, or startTLS

Also, ignore the StartTLS LDAP tests for now till KEYCLOAK-14343
& KEYCLOAK-14354 are corrected (due to these issues they aren't
working with auth server Wildfly). They will be re-enabled later
via KEYCLOAK-14358 once possible

Signed-off-by: Jan Lieskovsky <jlieskov@redhat.com>
2020-06-02 14:44:17 +02:00
Pedro Igor
e8dc10b4a1 [KEYCLOAK-11330] - Properly handling POST formdata and UriInfo 2020-06-02 09:36:40 +02:00
stianst
90b29b0e31 KEYCLOAK-14107 Admin page content blocked on v10.0.0 due to content security policy 2020-05-29 13:57:38 +02:00
Benjamin Weimer
4265fdcab2 KEYCLOAK-14318 Client Empty Root URL and relative Base URL is valid 2020-05-29 11:21:28 +02:00
vmuzikar
f8dce7fc3e KEYCLOAK-13819 SAML brokering with POST binding is broken by new SameSite policies 2020-05-28 13:37:56 +02:00
Thomas Darimont
e825ec24cb KEYCLOAK-9635 Add AccessTokenHash to IDToken for OIDC Auth Code flow
Revised tests
2020-05-27 07:34:05 +02:00
Thomas Darimont
5a337d0376 KEYCLOAK-9635 Add AccessTokenHash to IDToken for OIDC Auth Code flow
Added missing test
2020-05-27 07:34:05 +02:00
Torsten Juergeleit
6005503a3d Namespace support to group-ldap-mapper
Previously, Keycloak did only support syncing groups from LDAP federation provider as top-level KC groups.

This approach has some limitations:
- If using multiple group mappers then there’s no way to isolate the KC groups synched by each group mapper.
- If the option "Drop non-existing groups during sync" is activated then all KC groups (including the manually created ones) are deleted.
- There’s no way to inherit roles from a parent KC group.

This patch introduces support to specify a prefix for the resulting group path, which effectively serves as a namespace for a group.

A path prefix can be specified via the newly introduced `Groups Path` config option on the mapper. This groups path defaults to `/` for top-level groups.

This also enables to have multiple `group-ldap-mapper`'s which can manage groups within their own namespace.

A `group-ldap-mapper` with a `Group Path` configured as `/Applications/App1` will only manage groups under that path. Other groups, either manually created or managed by other `group-ldap-mapper` are not affected.
2020-05-26 17:37:29 +02:00
Hynek Mlnarik
7deb89caab KEYCLOAK-10729 Do not serialize SAML signature 2020-05-25 15:38:17 +02:00
vmuzikar
e873c70374 KEYCLOAK-14236 Support for custom Firefox preferences 2020-05-22 09:24:41 -03:00
cachescrubber
3382682115 KEYCLOAK-10927 - Implement LDAPv3 Password Modify Extended Operation … (#6962)
* KEYCLOAK-10927 - Implement LDAPv3 Password Modify Extended Operation (RFC-3062).

* KEYCLOAK-10927 - Introduce getLDAPSupportedExtensions(). Use result instead of configuration.

Co-authored-by: Lars Uffmann <lars.uffmann@vitroconnect.de>
Co-authored-by: Kevin Kappen <kevin.kappen@vitroconnect.de>
Co-authored-by: mposolda <mposolda@gmail.com>
2020-05-20 21:04:45 +02:00
Denis
8c7b69fc9e KEYCLOAK-13748 Create automated test for scenario with alternative subflow for credential reset 2020-05-20 14:06:53 +02:00
Stan Silvert
13d0491ff3 KEYCLOAK-14038: Re-allow special characters for Roles only 2020-05-20 07:53:23 -04:00
Takashi Norimatsu
c057b994e7 KEYCLOAK-13104 Signed and Encrypted ID Token Support : AES 192bit and 256bit key support 2020-05-20 09:01:59 +02:00
mhajas
4b8c7dd7d7 KEYCLOAK-14048 Allow clock skew when testing refresh token actual expiration time 2020-05-20 08:12:54 +02:00
Takashi Norimatsu
be0ba79daa KEYCLOAK-7997 Implement Client Registration Metadata based on Mutual TLS 2020-05-19 17:00:41 +02:00
mposolda
12d965abf3 KEYCLOAK-13047 LDAP no-import fixes. Avoid lost updates - dont allow update attributes, which are not mapped to LDAP 2020-05-19 16:58:25 +02:00
Martin Kanis
6f43b58ccf KEYCLOAK-14074 filterIdentityProviders compares providerId instead of alias 2020-05-19 09:46:21 +02:00
Thomas Darimont
6211fa90e0 KEYCLOAK-10932 Honor given_name and family_name in OIDC brokering
Previously firstname and lastname were derived from the name claim.
We now use direct mappings to extract firstname and lastname from
given_name and family_name claims.

Added test to KcOidcFirstBrokerLoginTest

Marked org.keycloak.broker.provider.BrokeredIdentityContext#setName
as deprecated to avoid breaking existing integrations.
2020-05-19 09:10:43 +02:00
Álvaro Gómez Giménez
666832d1be KEYCLOAK-13066 Include resourceType in ScopePermissionRepresentation 2020-05-12 17:11:35 -03:00
Sven-Torben Janus
82d3251ab4 Remove *-imports 2020-05-12 20:50:18 +02:00
Sven-Torben Janus
fcb0e450a0 KEYCLOAK-13817 Return local user from LDAPStorageProvider 2020-05-12 20:50:18 +02:00
Yoshiyuki Tabata
f7d00fc2e9 KEYCLOAK-13844 "exp" claim should not be "0" when using offline token 2020-05-12 16:14:37 +02:00
stianst
49db2c13a5 KEYCLOAK-8141 Fix issue where attribute values are duplicated if updates to user are done in parallel 2020-05-12 09:06:44 +02:00
Pedro Igor
44c49d69a7 [KEYCLOAK-13071] - AuthorizationTokenService swallows Exceptions thrown by KeycloakIdentity 2020-05-08 09:21:37 +02:00
Takashi Norimatsu
3716bd96ad KEYCLOAK-14093 Specify Signature Algorithm in Signed JWT with Client Secret 2020-05-07 11:28:39 +02:00
Takashi Norimatsu
0d0617d44a KEYCLOAK-13720 Specify Signature Algorithm in Signed JWT Client Authentication 2020-05-05 17:43:00 +02:00
rmartinc
f0852fd362 KEYCLOAK-13823: "Dir" Full export/import: On import, service account roles and authorization info are not imported 2020-05-05 17:05:56 +02:00
Vanrar68
85feda3beb KEYCLOAK-13998 ConditionalRoleAuthenticator doesn't work with composite roles 2020-05-05 08:39:04 +02:00
Martin Bartos
7ebdca48d3 [KEYCLOAK-13572] Doesn't observe After events due to assume check 2020-05-04 17:31:44 +02:00
Michael Riedmann
66c7ec6b08 [KEYCLOAK-13995] added test for clientUpdate with ProtocolMappers 2020-05-04 17:13:57 +02:00
Erik Jan de Wit
435815249b KEYCLOAK-12783 changed to base account url for new console 2020-05-04 07:16:15 -04:00
Hynek Mlnarik
32f13016fa KEYCLOAK-12874 Align Destination field existence check with spec 2020-05-04 09:19:44 +02:00
Martin Kanis
aa309b96a8 KEYCLOAK-13682 NPE when refreshing token after enabling consent 2020-04-30 08:46:21 +02:00
keycloak-bot
ae20b7d3cd Set version to 11.0.0-SNAPSHOT 2020-04-29 12:57:55 +02:00
Yoshiyuki Tabata
874642fe9e KEYCLOAK-12406 Add "Client Session Max" and "Client Session Idle" for OIDC 2020-04-28 15:34:25 +02:00
stianst
5b017e930d KEYCLOAK-13128 Security Headers SPI and response filter 2020-04-28 15:28:24 +02:00
Yoshiyuki Tabata
b40c12c712 KEYCLOAK-5325 Provide OAuth token revocation capability 2020-04-28 15:25:22 +02:00
Erik Jan de Wit
ab2d1546b4 fix merge errors 2020-04-27 09:09:31 -04:00
Erik Jan de Wit
7580be8708 KEYCLOAK-13121 added the basic functionality 2020-04-27 09:09:31 -04:00
Stefan Guilhen
da1138a8d2 [KEYCLOAK-13005] Make sure the master URL is used if the consumer POST or REDIRECT URL is an empty string
- Fixes issue where admin console sets an empty string when the consumer POST or REDIRECT URL is deleted
2020-04-27 14:25:03 +02:00
Pedro Igor
44b489b571 [KEYCLOAK-13656] - Deny request if requested scope is not associated to resource or any typed resources 2020-04-27 08:39:38 +02:00
Pedro Igor
dacbe22d53 [KEYCLOAK-9896] - Authorization Scope modified improperly when updating Resource 2020-04-27 08:38:55 +02:00
Martin Idel
7e8018c7ca KEYCLOAK-11862 Add Sync mode option
- Store in config map in database and model
- Expose the field in the OIDC-IDP
- Write logic for import, force and legacy mode
- Show how mappers can be updated keeping correct legacy mode
- Show how mappers that work correctly don't have to be modified
- Log an error if sync mode is not supported

Fix updateBrokeredUser method for all mappers

- Allow updating of username (UsernameTemplateMapper)
- Delete UserAttributeStatementMapper: mapper isn't even registered
  Was actually rejected but never cleaned up: https://github.com/keycloak/keycloak/pull/4513
  The mapper won't work as specified and it's not easy to test here
- Fixup json mapper
- Fix ExternalKeycloakRoleToRoleMapper:
  Bug: delete cannot work - just delete it. Don't fix it in legacy mode

Rework mapper tests

- Fix old tests for Identity Broker:
  Old tests did not work at all:
  They tested that if you take a realm and assign the role,
  this role is then assigned to the user in that realm,
  which has nothing to do with identity brokering
  Simplify logic in OidcClaimToRoleMapperTests
- Add SyncMode tests to most mappers
  Added tests for UsernameTemplateMapper
  Added tests to all RoleMappers
  Add test for json attribute mapper (Github as example)
- Extract common test setup(s)
- Extend admin console tests for sync mode

Signed-off-by: Martin Idel <external.Martin.Idel@bosch.io>
2020-04-24 15:54:32 +02:00
Pedro Igor
8f5e58234e [KEYCLOAK-11317] - IDP review profile allows empty username 2020-04-24 10:52:59 -03:00
Douglas Palmer
d4eeed306b [KEYCLOAK-11764] Upgrade to Wildfly 19 2020-04-24 08:19:43 -03:00
Bart Monhemius
9389332675 [KEYCLOAK-13927] Accept only ticketId instead of the PermissionTicketRepresentation for delete in PermissionResource 2020-04-23 15:59:43 -03:00
Bart Monhemius
acc5ab9e44 [KEYCLOAK-13927] Allow deleting permission tickets with the Authz client 2020-04-23 15:59:43 -03:00