Commit graph

635 commits

Author SHA1 Message Date
Valeran86
2899375614 KeycloakRole equals only with itself
I use Keycloak Spring Adapter (KSA) to secure existing application. Today I realized that some functions didn't work anymore because of security checking like this:
```
GrantedAuthority adminRole = new MySpecialGrantedAuthority( "superadmin" );
for ( GrantedAuthority role : userRoles ) {
        if ( role.equals( adminRole ) ) {
          return true;
        }
      }
```
In this example, when I use KSA authorization fails.
I believe, that more preferable in `KeycloakRole` use this implementation of `equals` method.
2019-07-08 14:33:03 -03:00
Hynek Mlnarik
ca4e14fbfa KEYCLOAK-7852 Use original NameId value in logout requests 2019-07-04 19:30:21 +02:00
Vlasta Ramik
cc8cfd4269 KEYCLOAK-10751 Fix SAML undertow adapter not sending challenge
Co-Authored-By: mhajas <mhajas@redhat.com>
Co-Authored-By: Hynek Mlnarik <hmlnarik@redhat.com>
2019-07-04 10:04:51 +02:00
Thomas Darimont
53d0db80c3 KEYCLOAK-10313 Only use PKCE if enable-pkce is configured for KeycloakInstalled adapter
Users who want to use PKCE support with the KeycloakInstalled adapter need to set the property
``"enable-pkce": true` in the adapter configuration / `keycloak.json`.
2019-07-03 08:49:55 +02:00
Thomas Darimont
8bd48391ca KEYCLOAK-10313 Add PKCE support to KeycloakInstalled Adpater
This adds PKCE support for Desktop Apps as
a followup to KEYCLOAK-1033 #6047.
2019-07-03 08:49:55 +02:00
vramik
d245287320 KEYCLOAK-9598 Apache Tomcat adapter 2019-06-14 10:09:13 +02:00
mhajas
12d351ae97 KEYCLOAK-10595 Make KeycloakSpringBootConfigResolver Spring bean 2019-06-14 09:41:56 +02:00
Sebastian Laskawiec
e739344556 KEYCLOAK-9640 Unify surefire versions 2019-06-13 13:26:49 +02:00
Nils Christian Ehmke
a58a0e7678 [KEYCLOAK-10334] Keycloak Spring Boot Adapter shares configuration in static field
Signed-off-by: Nils Christian Ehmke <nils-christian.ehmke@bmiag.de>
2019-06-04 07:13:13 -03:00
Pedro Igor
803e44dcb1 [KEYCLOAK-10422] - Code challenge only sent when options object argument is passed to login method 2019-05-29 15:09:01 -03:00
Thomas Darimont
2825619243 KEYCLOAK-1033 Add PKCE support for JS Adapter
This adds support for the "S256" code_challenge_method to the JS Adapter.
Note that the method "plain" was deliberately left out as is not recommended
to be used in new applications.

Note that this PR includes two libraries:
- [base64-js]{@link https://github.com/beatgammit/base64-js}
- [js-sha256]{@link https://github.com/emn178/js-sha256}

`base64-js` is needed for cross-browser support for decoding the
Uint8ArrayBuffer returned by `crypto.getRandomValues` to a PKCE
compatible base64 string.

`js-sha256` library is required because the `crypto.subtle.digest`
support is not available for all browsers.

The PKCE codeVerifier is stored in the callbackStore of the JS Adapter.

Note: This PR is based on #5255 which got messed up during a rebase.
2019-05-29 15:40:16 +02:00
Pedro Igor
e9ea1f0e36 [KEYCLOAK-10279] - Do not limit results when fetching resources 2019-05-28 15:35:29 -03:00
vramik
9a5b85910a KEYCLOAK-9599 Remove Wildfly 8 adapter 2019-05-28 14:28:09 +02:00
vramik
3bbab225c8 KEYCLOAK-9596 Remove Apache Tomcat 6.0.x adapter 2019-05-28 12:00:19 +02:00
Alan Balbo
0a67e0a89e KEYCLOAK-10097 Fix register method in javascript adatper for cordova 2019-05-24 08:49:10 -04:00
Sergio Livi
80932c07a2 KEYCLOAK-10071 check isNaN for minValidity 2019-05-20 09:18:40 -04:00
Jonas Kello
96f13e15ca Add CompatPromise conditional type 2019-05-15 07:42:06 -04:00
mhajas
429863e83b KEYCLOAK-9095 Fix NPE in AuthenticatedActionsHandler 2019-05-02 13:03:06 +02:00
Martin Kanis
e5092bb617 KEYCLOAK-10090 Fix alignment for CD 6 release in PNC 2019-04-18 09:13:02 +02:00
keycloak-bot
49d4e935cb Set version to 7.0.0-SNAPSHOT 2019-04-17 09:48:07 +01:00
Sebastian Laskawiec
0042726dd8 KEYCLOAK-9601 KEYCLOAK-9602 Jetty 8.1 and 9.1 removal
Co-Authored-By: mhajas <mhajas@redhat.com>
2019-04-16 11:21:29 +02:00
Anders Rønning
3f7d32d1ae KEYCLOAK-10026: Add missing TypeScript definition for init options 2019-04-15 07:46:05 -04:00
Pedro Igor
c8970c95d5 [KEYCLOAK-10015] - CIP not properly resolving objects from JSON request body 2019-04-11 18:19:43 -03:00
mhajas
5b47df8979 KEYCLOAK-10013 Do not reject tokens with issuedAt == notBefore 2019-04-11 21:57:11 +02:00
Hynek Mlnarik
a63efd872d KEYCLOAK-9822 Fix deadlock in OIDC adapter upon logout 2019-04-09 21:03:02 +02:00
Pedro Igor
ad9f59f9f7 [KEYCLOAK-9353] - Avoids initialization of the policy enforcer during deployment 2019-04-05 16:02:53 -03:00
mposolda
a516a795a2 KEYCLOAK-9836 Deprecate keycloak-servlet-oauth-clien 2019-04-02 10:52:18 -03:00
Martin Ball
21e2fa8784 KEYCLOAK-4249 - Make IDP URL in keycloak-saml.xml configurable
Added the metadata url as an attribute on the IDP in the keycloak saml configuration which then propagates through to the DefaultSamlDeployment where it is used on the construction of the SamlDescriptorPublicKeyLocator thereby allowing support for ADFS or other IDP which uses a path that is different to the Keycloak IDP.

To make this work when testing with ADFS a change was made to SamlDescriptorIDPKeysExtractor because it would not extract keys from metadata which contained the EntityDescriptor as the root element. The solution was to change the xpath expression in SamlDescriptorIDPKeysExtractor so that it does not require a wrapping EntitiesDescriptor but instead loads all EntityDescriptors located in the document. This allows it to handle a single EntityDescriptor or multiple descriptors wrapped in an EntitiesDescriptor in the same xpath expression. A unit test SamlDescriptorIDPKeysExtractorTest has been added which validates that keys can be loaded in both scenarios.
2019-03-27 08:04:53 +01:00
Pedro Igor
20376c9111 [KEYCLOAK-9353] - Quarkus integration 2019-03-21 11:45:35 -03:00
Grzegorz Grzybek
e01562d7cf [KEYCLOAK-9646] Increase import range for javax.servlet API to cover EAP 7.2, servlet-api 4.0
[KEYCLOAK-9646] Update HOW-TO-RUN.md for Fuse 7.1+ instructions
2019-03-12 15:14:34 +01:00
keycloak-bot
e843d84f6e Set version to 6.0.0-SNAPSHOT 2019-03-06 15:54:08 +01:00
mhajas
8a750c7fca KEYCLOAK-6750 Adapt Tomcat adapter tests to new structure 2019-03-06 08:57:46 +01:00
Sebastian Laskawiec
406097a508 KEYCLOAK-6749 Jetty App Server 2019-03-05 15:21:48 +01:00
mposolda
d5b28013d1 KEYCLOAK-8523 Remove jaxrs package from old testsuite and deprecate jaxrs filter 2019-03-04 10:25:01 +01:00
Pedro Igor
75d9847672 [KEYCLOAK-9478] - Support multiple CIP providers in the policy enforcer configuration 2019-02-27 19:08:57 -03:00
sakanaou
007c364027 Store rewritten redirect URL in adapter-core 2019-02-27 15:39:32 -03:00
Philipp Nowak
39828b2c94 [KEYCLOAK-9539] Race condition SecurityContextHolder.setAuthentication()
This is an issue with the Spring Security Keycloak Adapter relating to
 the way the Authentication is stored in the SecurityContext, causing a
 race condition in application code using that. It does not seem to
 affect actual Spring Security operation.

We had a pretty strange race condition in our application. When many
 requests were incoming at the same time, occasionally the old
 unauthenticated Authentication provided to
 KeycloakAuthenticationProvider for performing the actual authentication
 would stay the current authentication, as returned by
 SecurityContextHolder.getContext().getAuthentication(). That resulted
 in authenticated users' JavaScript requests occasionally (~1/50 given a
 large request volume) returning a 403 because the 'old' token was still
 in the context, causing Spring Security to see them as unauthenticated.

This PR resolves this issue by replacing the whole context, as suggested
 by a Spring Security contributor in jzheaux/spring-security-oauth2-resource-server#48. By default,
 SecurityContextHolder keeps the actual context object in a ThreadLocal,
 which should be safe from race-conditions. The actual Authentication
 object, however, is kept in a mere field, hence the reason for this PR.

JIRA issue: https://issues.jboss.org/browse/KEYCLOAK-9539
2019-02-27 14:58:10 -03:00
Pedro Igor
4d5dff1d64 [KEYCLOAK-9474] - Public endpoints are returning 403 with body when enforcement mode is disabled 2019-02-21 16:27:07 -03:00
stianst
e06c705ca8 Set version 5.0.0 2019-02-21 09:35:14 +01:00
Sebastian Laskawiec
ee41a0450f KEYCLOAK-8349 KEYCLOAK-8659 Use TLS for all tests in the suite 2019-02-08 08:57:48 -02:00
stianst
7c9f15778a Set version to 4.8.3.Final 2019-01-09 20:39:30 +01:00
stianst
7c4890152c Set version to 4.8.2 2019-01-03 14:43:22 +01:00
Charles Jourdan
68873c29b7 Fix on type for KeycloakInstance.realmAccess and KeycloakInstance.ressourceAccess 2018-12-13 19:03:47 +01:00
Stephane Nicoll
f739e2e2d8 KEYCLOAK-8155 Use Spring Boot autoconfigure-processor to optimize auto-configurations 2018-12-13 09:01:21 +01:00
Boudewijn van Klingeren
5354e88f60 KEYCLOAK-8243 Change error logging to debug for normal flow outcomes 2018-12-13 08:39:54 +01:00
sebastienblanc
aa89ae96a9 update and align Spring Boot versions 2018-12-11 15:34:47 +01:00
Pedro Igor
8204509b0c [KEYCLOAK-8980] - ElytronAccount not serializable 2018-12-10 08:55:00 +01:00
Hynek Mlnarik
27f145969f KEYCLOAK-7936 Prevent registration of the same node
The root cause is that NodesRegistrationManagement.tryRegister can be
called from multiple threads on the same node, so it can require
registration of the same node multiple times. Hence once it turns to
tasks that invoke sendRegistrationEvent (called sequentially), the same
check has been added to that method to prevent multiple invocations on
server side, or invocation upon undeployment/termination.
2018-12-05 12:34:17 +01:00
stianst
b674c0d4d9 Prepare for 4.8.0.Final 2018-12-04 13:54:25 +01:00
Hynek Mlnarik
c9cd060417 KEYCLOAK-8824 Fix servlet filter versions 2018-11-22 14:20:46 +01:00
stianst
ecd476fb10 Prepare for 4.7.0.Final 2018-11-14 20:10:59 +01:00
Hynek Mlnarik
7703d81389 KEYCLOAK-7421 Support SAML cluster logout for Elytron SAML adapter 2018-11-09 21:06:50 +01:00
stianst
1ee6fd7130 KEYCLOAK-8619 Fix check-sso when there is no cookie 2018-11-09 10:36:31 -02:00
vramik
560d76b7ee KEYCLOAK-6748 undertow saml adapter tests 2018-11-06 21:17:07 +01:00
Stefan Guilhen
3be2c35561 KEYCLOAK-8528 Change getRelativePath to include the servlet path followed by the path info 2018-11-06 13:43:50 +01:00
scranen
5880efe775 KEYCLOAK-4342 Make naming consistent 2018-11-06 10:28:06 -02:00
scranen
e6b9364c39 KEYCLOAK-4342 PR comments 2018-11-06 10:28:06 -02:00
scranen
0c6b20e862 [KEYCLOAK-4342] Make adapter state cookie path configurable 2018-11-06 10:28:06 -02:00
Pedro Igor
234b7a06a1 [KEYCLOAK-7798] - Spring security adapter does not renew expired tokens 2018-11-06 10:26:40 -02:00
BaHwan Han
91c4bfa81c The Keycloak JS adapter should not mutate browser history state 2018-10-29 20:08:32 +01:00
mposolda
c36b577566 KEYCLOAK-8483 Remove application from the aud claim of accessToken and refreshToken 2018-10-23 13:52:09 +02:00
Pedro Igor
6f8f8e6a28 [KEYCLOAK-8449] - Option to automatically map HTTP verbs to scopes when configuring the policy enforcer 2018-10-23 08:40:54 -03:00
vramik
7a96911a83 KEYCLOAK-8300 KEYCLOAK-8301 Wildfly 14 upgrade
Co-authored-by: Marek Posolda <mposolda@redhat.com>
2018-10-17 20:01:07 +02:00
vramik
623d985e7f KEYCLOAK-8454 KeycloakHttpServerAuthenticationMechanism uses wrong status code when logout page not set 2018-10-17 19:03:24 +02:00
mposolda
4483677cdd KEYCLOAK-8529 Fix most of adapter tests on EAP6 2018-10-12 12:01:33 +02:00
Tobias Gippert
c71f6e2188 The Keycloak JS adapter should not create a new browser history entry,
when it is redirecting the user, unless the user is in the admin console.
2018-10-12 09:42:26 +02:00
stianst
aaa33ad883 KEYCLOAK-8509 Improvements to session iframe 2018-10-10 21:01:05 +02:00
stianst
9be8bef575 KEYCLOAK-7920 Changes to native promises in JS adapter. Native promises have to be explicitly enabled and when they are old success/error functions are no longer supported. Internally we don't use native promises. 2018-10-10 21:00:19 +02:00
Frank Schmager
6b59c2f44c try to register node during authentication attempt in filter
* PreAuthActionsFilter registers deployment during authentication attempt to enable, well,
  node registration if filter is used by itself (if no securityConstraints when using spring boot and spring security)
* deregistering node during clean shutdown
* added unit test
2018-10-09 10:30:37 -03:00
sebastienblanc
fd0ab4a626 removing spring factories from core module 2018-10-09 14:17:33 +02:00
Pedro Igor
6fd4a02f95 [KEYCLOAK-8444] - Error when producing KeycloakSpringBootConfigResolver from spring security configuration 2018-10-08 09:29:59 -03:00
Hynek Mlnarik
211774ccbc KEYCLOAK-7810 Fix NPE in Elytron SAML adapter 2018-10-04 14:38:45 +02:00
Pedro Igor
2da758ac86 [KEYCLOAK-6928] - Selecting first bearer if multiple values exists in authorization header 2018-10-01 09:36:10 -03:00
stianst
c3fc9e9815 Set version to 4.6.0.Final-SNAPSHOT 2018-09-26 20:58:41 +02:00
Pedro Igor
081e9883e6 [KEYCLOAK-7659] - k_version not supporting cors 2018-09-25 11:50:17 -03:00
Pedro Igor
df311b60b4 [KEYCLOAK-8168] - PEP is resolving claims twice under certain circumstances 2018-09-25 11:47:50 -03:00
mposolda
3777dc45d0 KEYCLOAK-3058 Support for validation of "aud" in adapters through verify-token-audience configuration switch 2018-09-21 11:17:05 +02:00
Pedro Igor
adf0a19f9d [KEYCLOAK-8133] - Can't Sucessfully inject a custom KeycloakSpringBootConfigResolver in the Keycloak Spring Boot Security Adapter 2018-09-20 11:11:12 -03:00
Hynek Mlnarik
2bf6d75e57 KEYCLOAK-8010 Improve handling of Conditions SAML tag 2018-09-19 14:00:28 +02:00
Hynek Mlnarik
0b893d5634 KEYCLOAK-8187 Fix Undertow imports for Fuse
Co-Authored-By: wyvie <irum@redhat.com>
2018-09-18 16:54:03 +02:00
Pedro Igor
64f8fe4987 [KEYCLOAK-8070] - wrong expose headers when enable cors and policyenforcer 2018-09-17 17:02:15 -03:00
stianst
1fb4ca4525 Set version to 4.5.0.Final 2018-09-06 20:08:02 +02:00
Hynek Mlnarik
812e76c39b KEYCLOAK-8163 Improve SAML validations 2018-09-05 15:47:03 +02:00
Pedro Igor
33efcc6b93 [KEYCLOAK-8142] - Fixing regression when setting path enforcement mode to disabled 2018-09-04 10:32:06 -03:00
Dmitry Telegin
bc8763ccf3 KEYCLOAK-7858 - OIDC servlet filter adapter OSGi support 2018-09-04 11:29:45 +02:00
Jani
42553cdc44 [KEYCLOAK-7695] Restore token_type and expires_in for implicit flow
As KEYCLOAK-6585 concerns only hybrid flow, this commit restores the behavior for implicit flow.

This commit partially reverts #5041 (061049e41a6b0e6fb45c75f05748023ad7ab7d92).
2018-08-29 13:00:57 +02:00
mposolda
6fc99cd749 KEYCLOAK-7594 Upgrade to Wildfly 13. Cross-DC: Upgrade to infinispan server 9.2.4 and JDG 7.2
Co-authored-by: Douglas Palmer <dpalmer@redhat.com>
Co-authored-by: stianst <stianst@gmail.com>
Co-authored-by: Hynek Mlnarik <hmlnarik@redhat.com>
2018-08-27 12:52:53 +02:00
Dan Hooper
0a8fca7ec4 Created common interface for parsed tokens in typescript declaration file 2018-08-23 16:14:17 -04:00
Frank Schmager
3e2e0ac91c Renamed factory and java doc 2018-08-22 16:39:55 +02:00
Frank Schmager
dda365e002 initial exposing of BasicAuthRequestAuthenticator to make extensible 2018-08-22 16:39:55 +02:00
Grzegorz Grzybek
fdc9882709 [KEYCLOAK-8101] Return just cached deployment to prevent NPE 2018-08-21 09:56:58 +02:00
Alex Szczuczko
a35ed671e6 KEYCLOAK-7480 Make fuse7 tomcat8 adapter community-only 2018-08-20 09:06:45 +02:00
Alex Szczuczko
f0a2f7a675 KEYCLOAK-7480 Make fuse7 adapter's jetty94 conditional on the community profile
In commit d70859ef keycloak-pax-web-jetty94 was added.

org.keycloak:keycloak-jetty94-adapter:jar is a dependency of this module, and
isn't produced outside of the community profile. So, the jetty94 module here
must be consistent with that.
2018-08-20 09:06:45 +02:00
Erin Recachinas
fa8cb004a1 KEYCLOAK-6086 Casting Jetty WebAppContext in Spring Adapter checks validity and unwraps 2018-08-13 11:16:19 +02:00
Hynek Mlnarik
a8a9631d4f KEYCLOAK-6832 Unify Destination attribute handling 2018-08-09 10:30:30 +02:00
Pedro Igor
80e5227bcd [KEYCLOAK-4902] - Refactoring and improvements to processing of authz requests 2018-08-07 10:53:40 -03:00
mposolda
959cd035ba Set version to 4.3.0.Final-SNAPSHOT 2018-08-01 22:40:05 +02:00
Tair Sabirgaliev
d88568266f KEYCLOAK-7821 Enable tomcat-specific features: * (all roles), ** (authenticated user) in authRoles constraint 2018-07-27 14:24:49 +02:00
mhajas
a6e4f4f9aa KEYCLOAK-7922 Use Time.currentTimeMillis() instead of System.currentTimeMillis() in PathCache 2018-07-24 08:52:48 -03:00
Hynek Mlnarik
c8bc0d6d7b KEYCLOAK-7400 Remove dead code
This commit can only be merged once the Camel 2.21.2 would be
released, otherwise the code won't compile due to missing dependencies.

See https://issues.apache.org/jira/browse/CAMEL-12514 for details.
2018-07-23 14:46:00 +02:00