Previously the scope from the token was not set available in the ClientModelIdentity attributes.
This caused the NPE in `org.keycloak.authorization.policy.provider.clientscope.ClientScopePolicyProvider.hasClientScope`(..)
when calling `identity.getAttributes().getValue("scope")`.
We now pass the provided decoded AccessToken down to the ClientModelIdentity creation
to allow to populate the required scope attribute.
We also ensure backwards compatibility for ClientPermissionManagement API.
Fixes#26435
Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
* feat: add Artifact Binding on brokering scenarios when Keycloak is SP
Signed-off-by: tmorin <git@morin.io>
* Adding broker test and minor improvements
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
* Fixing IdentityProviderTest
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
* Renaming methods related to idp initiated flows
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
* Fixing partial_import_test.spec.ts
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
---------
Signed-off-by: tmorin <git@morin.io>
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com>
* change to make authServerUrl the same as authUrl
fixes: #29641
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* Remove `authUrl` entirely
Signed-off-by: Jon Koops <jonkoops@gmail.com>
* Remove file that is unrelated
Signed-off-by: Jon Koops <jonkoops@gmail.com>
* Split out and align environment variables between consoles
Signed-off-by: Jon Koops <jonkoops@gmail.com>
* Restore removed variables to preserve backwards compatibility
Signed-off-by: Jon Koops <jonkoops@gmail.com>
* Also deprecate the `authUrl` for the Admin Console
Signed-off-by: Jon Koops <jonkoops@gmail.com>
---------
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
Signed-off-by: Jon Koops <jonkoops@gmail.com>
Co-authored-by: Jon Koops <jonkoops@gmail.com>
* OpenJDK 21 support
Closes#28517
Co-authored-by: Václav Muzikář <vaclav@muzikari.cz>
Signed-off-by: Martin Bartoš <mabartos@redhat.com>
* x509 SAN UPN other name is not handled in JDK 21 (#904)
closes#29968
Signed-off-by: mposolda <mposolda@gmail.com>
---------
Signed-off-by: Martin Bartoš <mabartos@redhat.com>
Signed-off-by: mposolda <mposolda@gmail.com>
Co-authored-by: Václav Muzikář <vaclav@muzikari.cz>
Co-authored-by: Marek Posolda <mposolda@gmail.com>
closes#25945
Signed-off-by: Stefan Wiedemann <wistefan@googlemail.com>
Co-authored-by: Erik Jan de Wit <edewit@redhat.com>
Co-authored-by: Jon Koops <jonkoops@gmail.com>
* initial screen
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* more screens
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* added members tab
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* added the backend
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* added member add / invite models
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* initial version of the identity provider section
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* add link and unlink providers
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* small fix
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* PR comments
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* Do not validate broker domain when the domain is an empty string
Closes#29759
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* added filter and value
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* added test
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* added first name last name
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* refresh menu when realm organization is changed
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* changed to record
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* changed to form data
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* fixed lint error
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* Changing name of invitation parameters
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* Chancing name of parameters on the client
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* Enable organization at the realm before running tests
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* Domain help message
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* Handling model validation errors when creating organizations
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* Message key for organizationDetails
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* Do not change kc.org attribute on group
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* add realm into the context
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* tests
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* Changing button in invitation model to use Send instead of Save
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* Better message when validating the organization domain
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* Fixing compilation error after rebase
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* fixed test
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* removed wait as it no longer required and skip flacky test
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* skip tests that are flaky
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* stabilize user create test
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
---------
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com>
Previously the reason was omitted in the details because it was set after the event was already submitted.
Fixes#29948
Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
- AuthenticationManager#actionRequired: make sure that the highest prioritized required action is performed first, possibly before the currently requested required action
- AuthenticationManager#nextRequiredAction: make sure that the next action is requested via URL, also based on highest priority (-> requested URL will match actually performed action, unless required actions for the user are changed by a parallel operation)
- add tests to RequiredActionPriorityTest, add helper method for priority setup to ApiUtil (for easier and more robust setup than up-to-now)
- fix test WebAuthnRegisterAndLoginTest - which failed because WebAuthnRegisterFactory (prio 70) is now executed before WebAuthnPasswordlessRegisterFactory (prio 80)
Closes#16873
Signed-off-by: Daniel Fesenmeyer <daniel.fesenmeyer@bosch.com>
- Add tests for crud operations on configurable required actions
- Add support exposing the required action configuration via RequiredActionContext
- Make configSaveError message reusable in other contexts
- Introduced admin-ui specific endpoint for retrieving required actions with config metadata
Fixes#28400
Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
Co-authored-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
Frameworks like Datadog dd-trace-java java agent inspect the known WebApplicationException
and mark the exception as an HTTP 500, because that is the default for the
non argument constructor.
https://github.com/keycloak/keycloak/issues/29451
Signed-off-by: Filipe Roque <froque@premium-minds.com>
Previously an ObjectMapper was created multiple times during startup:
two times during bootstrap and one additional time for the first request sent to Keycloak.
Additionally jackson modules, e.g. support for JSR310 java.time types
were not registered event-though they are present on the classpath.
This PR revises the initialization of the ObjectMapper.
- Ensure ObjectMapper is only initialized once
- Ensure that jackson modules on the classpath are properly
Fixes#16295
Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
Closes#29124
Signed-off-by: Jon Koops <jonkoops@gmail.com>
Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Co-authored-by: Jon Koops <jonkoops@gmail.com>
* fully removing providers and moving the keycloaksession creation / final
cleanup
also deprecated Resteasy utility methods
closes: #29223
Signed-off-by: Steve Hawkins <shawkins@redhat.com>
Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com>
* Adding additional non-applicable client fields to the default service-account client type configuration.
Signed-off-by: Patrick Jennings <pajennin@redhat.com>
* Creating TypedClientAttribute which maps clientmodel fields to standard client type configurations.
Adding overrides for fields in TypeAwareClientModelDelegate required for
service-account client type.
Signed-off-by: Patrick Jennings <pajennin@redhat.com>
* Splitting client type attribute enum into 3 separate enums, representing
the top level ClientModel fields, the extended attributes through the
client_attributes table, and the composable fields on
ClientRepresentation.
Signed-off-by: Patrick Jennings <pajennin@redhat.com>
* Removing reflection use for client types.
Validation will be done in the RepresentationToModel methods that are responsible for the ClientRepresentation -> ClientModel create and update static methods.
Signed-off-by: Patrick Jennings <pajennin@redhat.com>
More updates
Signed-off-by: Patrick Jennings <pajennin@redhat.com>
* Update client utilzes type aware client property update method.
Signed-off-by: Patrick Jennings <pajennin@redhat.com>
* If user inputted representation object does not contain non-null value, try to get property value from the client. Type aware client model will return non-applicable or default value to keep fields consistent.
Signed-off-by: Patrick Jennings <pajennin@redhat.com>
* Cleaning up RepresentationToModel
Signed-off-by: Patrick Jennings <pajennin@redhat.com>
* Fixing issue when updating client secret.
Signed-off-by: Patrick Jennings <pajennin@redhat.com>
* Fixing issue where created clients would not have fullscope allowed, because getter is a boolean and so cannot be null.
Signed-off-by: Patrick Jennings <pajennin@redhat.com>
* Need to be able to clear out client attributes on update as was allowed before and causing failures in integration tests.
Signed-off-by: Patrick Jennings <pajennin@redhat.com>
* Fixing issues with redirectUri and weborigins defaults in type aware clients.
Signed-off-by: Patrick Jennings <pajennin@redhat.com>
* Need to allow client attributes the ability to clear out values during update.
Signed-off-by: Patrick Jennings <pajennin@redhat.com>
* Renaming interface based on PR feedback.
Signed-off-by: Patrick Jennings <pajennin@redhat.com>
* Shall be able to override URI sets with an empty set.
Signed-off-by: Patrick Jennings <pajennin@redhat.com>
* Comments around fields that are primitive and may cause problems determining whether to set sane default on create.
Signed-off-by: Patrick Jennings <pajennin@redhat.com>
---------
Signed-off-by: Patrick Jennings <pajennin@redhat.com>
Before this fix console uris (including the client redirect uris) did not contain the url encoded realm name and therefore were invalid.
closes#25807
Signed-off-by: Philip Sanetra <code@psanetra.de>
Signed-off-by: rmartinc <rmartinc@redhat.com>
Co-authored-by: Philip Sanetra <code@psanetra.de>
Co-authored-by: rmartinc <rmartinc@redhat.com>
- prevents pre-loading all groups; instead use the stream from the JPA adapter to load subgroups one by one and then filter based on the user permissions.
Closes#28935
Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
Closes#47
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
Conflicts:
core/src/main/java/org/keycloak/util/TokenUtil.java
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/ClientTokenExchangeTest.java
Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com>
Signed-off-by: vibrown <vibrown@redhat.com>
More updates
Signed-off-by: vibrown <vibrown@redhat.com>
Added client type logic from Marek's prototype
Signed-off-by: vibrown <vibrown@redhat.com>
updates
Signed-off-by: vibrown <vibrown@redhat.com>
updates
Signed-off-by: vibrown <vibrown@redhat.com>
updates
Signed-off-by: vibrown <vibrown@redhat.com>
Testing to see if skipRestart was cause of test failures in MR
When sync mode value is missing in the config of newly created identity
provider, the provider does not store any. When no value is
found, the identity provider behaves as if `LEGACY` was used (#6705).
This PR ensures the correct sync mode is returned from the REST endpoint,
regardless of whether it has been stored in the database or not.
Fixes: #26019
Signed-off-by: Hynek Mlnarik <hmlnarik@redhat.com>
