Commit graph

4038 commits

Author SHA1 Message Date
k-tamura
221aad9877 KEYCLOAK-11511 Improve exception handling of REST user creation 2020-01-14 13:34:34 +01:00
mhajas
a79d6289de KEYCLOAK-11416 Fix nil AttributeValue handling 2020-01-10 12:47:09 +01:00
Viswa Teja Nariboina
5082ed2fcb [ KEYCLOAK-12606 ] Passing email in login_hint query parameter during Identity brokering fails when an account already exists 2020-01-09 10:40:42 +01:00
Pedro Igor
03bbf77b35 [KEYCLOAK-12511] - Mapper not visible in client's mapper list 2020-01-09 10:25:06 +01:00
Thomas Darimont
062cbf4e0a KEYCLOAK-9925 Use Client WebOrigins in UserInfoEndpoint
We now use the allowed WebOrigins configured for the client
for which the user info is requested.

Previously, Web Origins defined on the Client were not being recognized
by the /userinfo endpoint unless you apply the "Allowed Web Origins"
protocol mapper.
This was an inconsistency with how the Web Origins work compared
with the /token endpoint.
2020-01-09 10:10:59 +01:00
Pedro Igor
709cbfd4b7 [KEYCLOAK-10705] - Return full resource representation when querying policies by id 2020-01-09 10:00:24 +01:00
Pedro Igor
9fd7ab81f0 [KEYCLOAK-10407] - Avoiding redundant calls on identity.getid 2020-01-09 09:56:48 +01:00
Manfred Duchrow
f926529767 KEYCLOAK-12616 Vault unit test always failes on Windows 2020-01-07 20:55:50 +01:00
Hynek Mlnarik
f7379086e0 KEYCLOAK-12619 Improve mapped byte buffer cleanup 2020-01-07 16:07:43 +01:00
Thomas Darimont
54b69bd1dc KEYCLOAK-10190 Fix NPE on missing clientSession in TokenEndpoint.codeToToken
In certain scenarios, e.g. when an auth code from another realm login is
used to perform the code to token exchange, it can happen that the
ClientSession is null which triggered an NPE when the userSession field is accessed.

Added null check for clientSession in TokenEndpoint.codeToToken to prevent an NPE.
2020-01-06 14:45:20 +01:00
Thomas Darimont
1a7aeb9b20 KEYCLOAK-8249 Improve extraction of Bearer tokens from Authorization headers (#6624)
We now provide a simple way to extract the Bearer token string from
Authorization header with a null fallback.

This allows us to have more fine grained error handling for the
various endpoints.
2020-01-06 13:58:52 +01:00
rmartinc
401d36b446 KEYCLOAK-8779: Partial export and import to an existing realm is breaking clients with service accounts 2019-12-27 15:59:38 -03:00
Thomas Darimont
0219d62f09 KEYCLOAK-6867 UserInfoEndpoint should return WWW-Authenticate header for Invalid tokens
As required by the OIDC spec (1) we now return a proper WWW-Authenticate
response header if the given token is invalid.

1) https://openid.net/specs/openid-connect-core-1_0.html#UserInfoError
2019-12-23 07:42:06 -03:00
Andrei Arlou
eed4847469 KEYCLOAK-12311 Fix minor warnings with collections in packages: forms, keys, partialimport, protocol from module "services" 2019-12-20 13:31:38 +01:00
Peter Skopek
7a14661fce KEYCLOAK-6115 Login fails if federated user is read-only and has selected a locale on the login screen 2019-12-19 14:36:50 +01:00
Andrei Arlou
aceb123242 KEYCLOAK-12417 Fix minor warnings in tests from module "services" 2019-12-19 10:51:37 +01:00
Andrei Arlou
697eaa4f36 KEYCLOAK-12309 Fix warnings with collections in packages:
authentification, authorization, broker, email, events, exportimport from module "services"
2019-12-18 14:02:27 +01:00
Andrei Arlou
bb156fb2fd KEYCLOAK-12317 Fix minor warnings with modificators in packages: authentication, authorization, keys, partialimport, protocol from module "services" 2019-12-18 13:26:27 +01:00
Andrei Arlou
c61cc1a493 KEYCLOAK-12316 Simplify conditions in packages: authentication, broker, credential, protocol from module "services" 2019-12-18 13:22:36 +01:00
Stefan Guilhen
9f69386a53 [KEYCLOAK-11707] Add support for Elytron credential store vault
- Adds the elytron-cs-keystore provider that reads secrets from a keystore-backed elytron credential store
 - Introduces an abstract provider and factory that unifies code that is common to the existing implementations
 - Introduces a VaultKeyResolver interface to allow the creation of different algorithms to combine the realm
   and key names when constructing the vault entry id
 - Introduces a keyResolvers property to the existing implementation via superclass that allows for the
   configuration of one or more VaultKeyResolvers, creating a fallback mechanism in which different key formats
   are tried in the order they were declared when retrieving a secret from the vault
 - Adds more tests for the files-plaintext provider using the new key resolvers
 - Adds a VaultTestExecutionDecider to skip the elytron-cs-keystore tests when running in Undertow. This is
   needed because the new provider is available only as a Wildfly extension
2019-12-18 11:54:06 +01:00
harture
26458125cb [KEYCLOAK-12254] Fix re-evaluation of conditional flow (#6558) 2019-12-18 08:45:11 +01:00
Douglas Palmer
106e6e15a9 [KEYCLOAK-11859] Added option to always display a client in the accounts console 2019-12-17 17:12:49 -03:00
jacac
3ae508e1b9 KEYCLOAK-12425 Encode userid with Base64Url. (#6585) 2019-12-16 20:40:27 +01:00
Douglas Palmer
af0594b58d [KEYCLOAK-12463] Fixed missing consents 2019-12-12 17:27:54 -03:00
Douglas Palmer
f9fa5b551d [KEYCLOAK-5628] Added application endpoint 2019-12-11 13:06:04 -03:00
Martin Bartoš
2cf6483cdf [KEYCLOAK-12044] Fix messages in the UsernameForm (#6548) 2019-12-11 10:59:46 +01:00
Dmitry Telegin
56aa14ffab KEYCLOAK-11347 - MicroProfile-Config 2019-12-10 12:08:22 +01:00
Denis Richtárik
48bddc37ae KEYCLOAK-12011 Remove cancel button from OTP form (#6511)
* KEYCLOAK-12011 Remove cancel button from OTP form

* Remove back button
2019-12-09 19:23:26 +01:00
Dmitry Telegin
e2144d6aec KEYCLOAK-12175 - Platform SPI 2019-12-09 09:55:04 +01:00
Yoshiyuki Tabata
b2664c7ef9 KEYCLOAK-12094 "client-session-stats" not search null client information (#6554) 2019-12-06 10:37:25 +01:00
Martin Bartoš
e405ce6e97 [KEYCLOAK-11824] Fix bug with only one value of the authentication model execution requirement (#6570) 2019-12-05 18:28:00 +01:00
Andrei Arlou
fb421d3086 KEYCLOAK-12262 Remove unused imports from packages "authorization" and "authentification" in module "services" (#6547) 2019-12-05 14:39:03 +01:00
Andrei Arlou
da7e0ba403 KEYCLOAK-12310 Remove unused imports from packages: exportimport, forms, jose, partialimport, protocol in module "services" (#6560) 2019-12-05 14:28:47 +01:00
Cristian Schuszter
5c7ce775cf KEYCLOAK-11472 Pagination support for clients
Co-authored-by: stianst <stianst@gmail.com>
2019-12-05 08:17:17 +01:00
vmuzikar
072cd9f93f KEYCLOAK-12329 Fix linking accounts in the new Account Console 2019-12-03 18:49:40 -03:00
Martin Kanis
73d1a26040 KEYCLOAK-11773 Front-channel logout with identity brokering does not work after browser restart 2019-12-03 08:17:54 +01:00
harture
129c689855 [KEYCLOAK-12253] Fix conditional authenticators are evaluated even if they are disabled (#6553) 2019-11-28 09:30:31 +01:00
Stan Silvert
de6f90b43b KEYCLOAK-11550: Single page for credentials (initial commit) 2019-11-27 07:32:13 -03:00
rmartinc
82ef5b7927 KEYCLOAK-12000: Allow overriding time lifespans on a SAML client 2019-11-26 10:02:34 +01:00
Dmitry Telegin
79074aa380 KEYCLOAK-12162 Modularize config backends (#6499)
* KEYCLOAK-12162 - Modularize configuration backends

* - Use JsonSerialization
- simplify backend selection (no fallbacks)

* Remove unused org.wildfly.core:wildfly-controller dependency
2019-11-22 15:23:04 +01:00
Yoshiyuki Tabata
0a9d058b81 KEYCLOAK-12150 change error response from invalid_request to unsupported_grant_type 2019-11-22 11:11:07 +01:00
Yoshiyuki Tabata
a36cfee84b KEYCLOAK-12149 change error response from invalid_grant to unauthorized_client 2019-11-22 11:10:16 +01:00
Yoshiyuki Tabata
4117710379 KEYCLOAK-12019 change error response from unsupported_response_type to unauthorized_client 2019-11-22 11:03:02 +01:00
Vidhyadharan Deivamani
9e366f0453 KEYCLOAK-8162 review comment adopted 2019-11-22 10:37:50 +01:00
Vidhyadharan Deivamani
318b290f55 KEYCLOAK-8162 Added resourcesPath 2019-11-22 10:37:50 +01:00
Fuxin Hao
ff4c94506f use reCAPTCHA globally 2019-11-22 10:22:15 +01:00
Stan Silvert
ea268af511 KEYCLOAK-12159: AIA and Logout broken in new acct console 2019-11-21 09:35:46 -03:00
stianst
3731e36ece KEYCLOAK-12069 Add account-console client for new account console 2019-11-20 08:48:40 -05:00
keycloak-bot
76aa199fee Set version to 9.0.0-SNAPSHOT 2019-11-15 20:43:21 +01:00
Stefan Guilhen
9a7c1a91a5 KEYCLOAK-10780 Stop creating placeholder e-mails for service accounts (#228) 2019-11-15 15:08:29 +01:00
k-tamura
43e2370f21 KEYCLOAK-11772 Fix temporary credential property to work correctly 2019-11-15 08:48:12 +01:00
AlistairDoswald
4553234f64 KEYCLOAK-11745 Multi-factor authentication (#6459)
Co-authored-by: Christophe Frattino <christophe.frattino@elca.ch>
Co-authored-by: Francis PEROT <francis.perot@elca.ch>
Co-authored-by: rpo <harture414@gmail.com>
Co-authored-by: mposolda <mposolda@gmail.com>
Co-authored-by: Jan Lieskovsky <jlieskov@redhat.com>
Co-authored-by: Denis <drichtar@redhat.com>
Co-authored-by: Tomas Kyjovsky <tkyjovsk@redhat.com>
2019-11-14 14:45:05 +01:00
Stan Silvert
d439f4181a KEYCLOAK-6503: Linked Accounts Page 2019-11-14 07:39:43 -03:00
Martin Kanis
25511d4dbf KEYCLOAK-9651 Wrong ECDSA signature R and S encoding 2019-11-13 15:32:51 +01:00
stianst
b8881b8ea0 KEYCLOAK-11728 New default hostname provider
Co-authored-by: Hynek Mlnarik <hmlnarik@redhat.com>
2019-11-11 12:25:44 +01:00
stianst
062841a059 KEYCLOAK-11898 Refactor AIA implementation 2019-11-08 16:03:07 -03:00
stianst
63abebd993 KEYCLOAK-11627 Require users to re-authenticate before invoking AIA 2019-11-08 16:03:07 -03:00
stianst
bc5113053d KEYCLOAK-11897 Change kc_action parameter to proper built-in parameter 2019-11-08 16:03:07 -03:00
stianst
1e66660fd0 KEYCLOAK-11896 Remove initiate-action role 2019-11-08 16:03:07 -03:00
Takashi Norimatsu
4574d37d8d KEYCLOAK-11372 Support for attestation statement verification (#6449) 2019-11-08 09:15:28 +01:00
Stian Thorgersen
f14f92ab0b KEYCLOAK-6073 Make adapters use discovery endpoint for URLs instead of hardcoding (#6412) 2019-11-06 10:34:35 +01:00
Stan Silvert
041229f9ca KEYCLOAK-7429: Linked Accounts REST API 2019-11-05 16:03:21 -05:00
Takashi Norimatsu
ecae2c5772 KEYCLOAK-11743 Update to webauthn4j 0.9.14.RELEASE and add apache-kerby-asn1:2.0.0 dependency (#6401) 2019-11-05 09:23:09 +01:00
Miguel Paulos Nunes
aa44579a02 KEYCLOAK-9553 Performance optimization on role mappings retrieval. 2019-11-05 08:59:53 +01:00
Dmitry Telegin
203646627f Use global bootstrap flag 2019-11-01 10:56:06 +01:00
Dmitry Telegin
b68e8323ed KEYCLOAK-11785 - Support for deferred initialization 2019-11-01 10:56:06 +01:00
Gideon Caranzo
e07fd9ffa3 KEYCLOAK-9936 Added optional hooks for preprocessing SAML authentication
Co-Authored-By: Hynek Mlnarik <hmlnarik@redhat.com>
2019-10-29 13:06:59 +01:00
Helge Olav Aarstein
d7a0597b1d KEYCLOAK-9091 Fix for claims with dots from userInfo (#6312)
* KEYCLOAK-9091 Unable to map claim attributes with dots (.) in them when claims are retrieved from userInfo endpoint
2019-10-24 21:41:38 +02:00
pkokush
ff551c5545 KEYCLOAK-10307: check password history length in password verification (#6058) 2019-10-24 21:33:21 +02:00
Takashi Norimatsu
1905260eac KEYCLOAK-11251 ES256 or PS256 support for Client Authentication by Signed JWT (#6414) 2019-10-24 17:58:54 +02:00
Pedro Igor
bb4ff55229 [KEYCLOAK-10868] - Deploy JavaScript code directly to Keycloak server
Conflicts:
	testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/example/authorization/AbstractPhotozExampleAdapterTest.java

(cherry picked from commit 338fe2ae47a1494e786030eb39f908c964ea76c4)
2019-10-22 10:34:24 +02:00
Pedro Igor
bad9e29c15 [KEYCLOAK-10870] - Deprecate support for JavaScript policy support from UMA policy endpoint
Conflicts:
	testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/authz/UserManagedPermissionServiceTest.java

(cherry picked from commit 13923a7683cb666d2842bc61429c23409c1493b6)
2019-10-22 10:34:24 +02:00
Martin Kanis
0e0177136c KEYCLOAK-9984 Remove org.apache.commons.* usages from the code 2019-10-22 09:48:15 +02:00
Martin Kanis
37304fdd7d KEYCLOAK-10728 Upgrade to WildFly 18 Final 2019-10-21 14:06:44 +02:00
Martin Reinhardt
28748ebf3f [KEYCLOAK-6376] Fix NPE and test setup 2019-10-21 10:41:04 +02:00
Martin Reinhardt
f18c8b9da5 [KEYCLOAK-6376] Switching to arquillian end2end tests 2019-10-21 10:41:04 +02:00
Martin Reinhardt
eed4449f8d [KEYCLOAK-6376] Fixing Conditional OTP by reusing existing API for role checks 2019-10-21 10:41:04 +02:00
Kohei Tamura
59ba874e1d KEYCLOAK-10945 Avoid lockout when clicking login twice 2019-10-21 10:36:16 +02:00
Pedro Igor
17785dac08 [KEYCLOAK-10714] - Add filtering support in My Resources endpoint by name 2019-10-16 16:26:55 +02:00
Sebastian Laskawiec
b6b7c11517 KEYCLOAK-11725 Removed VaultRealmModel from tests 2019-10-15 10:59:05 +02:00
stianst
c16cfe9696 Fixes for Quarkus 2019-10-15 10:57:54 +02:00
Sebastian Laskawiec
ea1b22daa7 KEYCLOAK-11227 Removed enabled/disabled flag from FileTruststoreProvider 2019-10-15 05:24:28 +02:00
stianst
52085da520 KEYCLOAK-11702 Remove RestEasy 4 dependencies from core codebase 2019-10-11 15:03:34 +02:00
mhajas
2f44c58a0d KEYCLOAK-11495 Change name of PlaintextVaultProvider to FilesPlaintextVaultProvider 2019-10-09 14:48:00 +02:00
Pedro Igor
f0fb48fb76 [KEYCLOAK-11326] - Refactoring to support different versions of resteasy 2019-10-09 12:01:34 +02:00
Pedro Igor
a2e98b57f4 [KEYCLOAK-11326] - Refactoring to use types from JAX-RS API 2019-10-09 12:01:34 +02:00
Hisanobu Okuda
75a44696a2 KEYCLOAK-10636 Large Login timeout causes login failure
KEYCLOAK-10637 Large Login Action timeout causes login failure
2019-10-07 13:27:20 +02:00
vmuzikar
434ea0965c KEYCLOAK-11632 Don't cache server info endpoint 2019-10-07 10:29:52 +02:00
Axel Messinese
f3607fd74d KEYCLOAK-10712 get groups full representation endpoint 2019-10-03 11:26:30 +02:00
Takashi Norimatsu
66de87a211 KEYCLOAK-11253 Advertise acr claim in claims_supported Server Metadata 2019-10-03 11:25:45 +02:00
Niko Köbler
d0324d8098 KEYCLOAK-11566 add attribute resourceType to log output of admin events 2019-10-02 13:18:30 +02:00
Vincent Letarouilly
6b36e57593 KEYCLOAK-6698 - Add substitution of system properties and environment variables in theme.properties file 2019-10-01 16:34:54 +02:00
Takashi Norimatsu
6c9cf346c6 KEYCLOAK-11252 Implement Server Metadata of OAuth 2.0 Mutual TLS Client Authentication 2019-10-01 15:27:59 +02:00
Takashi Norimatsu
7c75546eac KEYCLOAK-9360 Two factor authentication with W3C Web Authentication - 1st impl phase
* KEYCLOAK-9360 Two factor authentication with W3C Web Authentication - 1st impl phase
2019-10-01 15:17:38 +02:00
Jess Thrysoee
3b58692d7c KEYCLOAK-11596 Enable template cache when cacheTemplates attribute is true 2019-10-01 14:37:48 +02:00
David Festal
d73a2b821c Fix a NPE when using token-exchange
When using the preview token-exchange feature with the `openshit-v3` identity provider, a NPE is triggered, because it tries to extract the `metadata` field twice from the user profile:

```
13:17:13,667 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-7) Uncaught server error: java.lang.NullPointerException
	at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider.getJsonProperty(AbstractOAuth2IdentityProvider.java:357)
	at org.keycloak.social.openshift.OpenshiftV3IdentityProvider.extractUserContext(OpenshiftV3IdentityProvider.java:61)
	at org.keycloak.social.openshift.OpenshiftV3IdentityProvider.extractIdentityFromProfile(OpenshiftV3IdentityProvider.java:87)
	at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider.validateExternalTokenThroughUserInfo(AbstractOAuth2IdentityProvider.java:489)
	at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider.exchangeExternalUserInfoValidationOnly(AbstractOAuth2IdentityProvider.java:548)
	at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider.exchangeExternalImpl(AbstractOAuth2IdentityProvider.java:528)
	at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider.exchangeExternal(AbstractOAuth2IdentityProvider.java:519)
	at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.exchangeExternalToken(TokenEndpoint.java:917)
	at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.tokenExchange(TokenEndpoint.java:696)
	at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.processGrantRequest(TokenEndpoint.java:194)
.....
13:17:28,916 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-7) Uncaught server error: java.lang.NullPointerException
	at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider.getJsonProperty(AbstractOAuth2IdentityProvider.java:357)
	at org.keycloak.social.openshift.OpenshiftV3IdentityProvider.extractUserContext(OpenshiftV3IdentityProvider.java:61)
	at org.keycloak.social.openshift.OpenshiftV3IdentityProvider.extractIdentityFromProfile(OpenshiftV3IdentityProvider.java:87)
	at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider.validateExternalTokenThroughUserInfo(AbstractOAuth2IdentityProvider.java:489)
	at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider.exchangeExternalUserInfoValidationOnly(AbstractOAuth2IdentityProvider.java:548)
	at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider.exchangeExternalImpl(AbstractOAuth2IdentityProvider.java:528)
	at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider.exchangeExternal(AbstractOAuth2IdentityProvider.java:519)
	at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.exchangeExternalToken(TokenEndpoint.java:917)
	at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.tokenExchange(TokenEndpoint.java:696)
	at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.processGrantRequest(TokenEndpoint.java:194)
......
13:17:53,492 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-7) Uncaught server error: java.lang.NullPointerException
	at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider.getJsonProperty(AbstractOAuth2IdentityProvider.java:357)
	at org.keycloak.social.openshift.OpenshiftV3IdentityProvider.extractUserContext(OpenshiftV3IdentityProvider.java:61)
	at org.keycloak.social.openshift.OpenshiftV3IdentityProvider.extractIdentityFromProfile(OpenshiftV3IdentityProvider.java:87)
	at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider.validateExternalTokenThroughUserInfo(AbstractOAuth2IdentityProvider.java:489)
	at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider.exchangeExternalUserInfoValidationOnly(AbstractOAuth2IdentityProvider.java:548)
	at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider.exchangeExternalImpl(AbstractOAuth2IdentityProvider.java:528)
	at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider.exchangeExternal(AbstractOAuth2IdentityProvider.java:519)
	at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.exchangeExternalToken(TokenEndpoint.java:917)
	at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.tokenExchange(TokenEndpoint.java:696)
	at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.processGrantRequest(TokenEndpoint.java:194)
```
2019-10-01 14:23:46 +02:00
Mathieu CLAUDEL
2fb507e170 KEYCLOAK-10802 add support of SAMLv2 ForceAuthn 2019-09-27 09:55:54 +02:00
Yaroslav Kvasetskiy
622d049207 KEYCLOAK-10837 Add possibility to disable certificate verification for outgoing https connections 2019-09-26 08:12:09 -03:00
madgaet
0d12b8dd5a [KEYCLOAK-11497] OIDC Idp authentication with private_key_jwt may not always work (#6337) 2019-09-25 23:10:07 +02:00
Hisanobu Okuda
da49dbce2b KEYCLOAK-10770 user-storage/{id}/sync should return 400 instead of 404 2019-09-20 11:17:09 +02:00
mhajas
37b7b595a5 KEYCLOAK-11410 Do not throw exception in PlaintextVaultProvider if unconfigured 2019-09-19 14:56:19 +02:00
rradillen
b71198af9f [KEYCLOAK-8575] oidc idp basic auth (#6268)
* [KEYCLOAK-8575] Allow to choose between basic auth and form auth for oidc idp

* uncomment ui and add tests

* move basic auth to abstract identity provider (except for getting refresh tokens)

* removed duplications
2019-09-19 14:36:16 +02:00
rmartinc
7f54a57271 KEYCLOAK-10757: Replaying assertion with signature in SAML adapters 2019-09-18 16:49:00 +02:00
farmersmurf
515727c944 fix: as discussed changed to NOT_ACCEPTABLE rather than OK to prevent INTERNAL SERVER ERROR on validation 2019-09-17 16:35:42 +02:00
farmersmurf
ae74335760 KEYCLOAK-10944 Fix 500 Error Code on Update Password 2019-09-17 16:35:42 +02:00
farmersmurf
b443c8186d KEYCLOAK-10944 Fix 500 Error Code on Update Password 2019-09-17 16:35:42 +02:00
madgaet
c35718cb87 [KEYCLOAK-9809] Support private_key_jwt authentication for external IdP 2019-09-17 16:04:23 +02:00
Kohei Tamura
09671aa480 KEYCLOAK-11178 Suppress incorrect warnings 2019-09-13 10:21:20 +02:00
Shiva Prasad Thagadur Prakash
ff8b790549 KEYCLOAK-10022 Fixing few admin events not raised bug 2019-09-11 18:01:10 -03:00
Cédric Couralet
9c37da0ee9 KEYCLOAK-8818 Support message bundle in theme resources 2019-09-11 08:03:16 +02:00
mhajas
2703388946 KEYCLOAK-11245 Adapt LDAPConnectionTestManager to use newly introduced LDAPContextManager 2019-09-10 22:51:19 +02:00
mhajas
9c2525ec1a KEYCLOAK-11245 Use transcription object for LDAP bindCredential 2019-09-09 19:39:53 +02:00
Martin Kanis
4235422798 KEYCLOAK-11246 Use the transcription object for SMTP password 2019-09-09 13:27:11 +02:00
Hynek Mlnarik
9eb2e1d845 KEYCLOAK-11028 Use pessimistic locks to prevent DB deadlock when deleting objects 2019-09-09 10:57:49 +02:00
rmartinc
a726e625e9 KEYCLOAK-10782: Credentials tab on clients can only be displayed with view-realm 2019-09-06 16:45:08 -03:00
Martin Kanis
b1be6c2bdd KEYCLOAK-11247 Use the transcription object for Identity providers password 2019-09-06 15:29:11 +02:00
Cédric Couralet
aadd5331bc [KEYCLOAK-11219] log an explicit error message when state is null 2019-09-06 10:59:28 +02:00
Pedro Igor
a1d8850373 [KEYCLOAK-7416] - Device Activity 2019-09-05 11:43:27 -03:00
Sebastian Laskawiec
69d6613ab6 KEYCLOAK-10169 OpenShift 4 Identity Provider 2019-09-05 16:33:59 +02:00
Stefan Guilhen
bb9c811a65 [KEYCLOAK-10935] Add a vault transcriber implementation that can be obtained from the session.
- automatically parses ${vault.<KEY>} expressions to obtain the key that contains the secret in the vault.
 - enchances the capabilities of the VaultProvider by offering methods to convert the raw secrets into other types.
2019-09-04 22:34:08 +02:00
Kohei Tamura
6ae0773e09 KEYCLOAK-11006 Add method to log catched exception 2019-09-02 10:11:20 +02:00
Sebastian Laskawiec
3afbdd3ea3 KEYCLOAK-10934 PlainTextVaultProvider 2019-08-20 21:46:47 +02:00
Pedro Igor
e12c245355 [KEYCLOAK-10779] - CSRF check to My Resources
(cherry picked from commit dbaba6f1b8c043da4a37c906dc0d1700956a0869)
2019-08-20 06:35:00 -03:00
Hynek Mlnarik
97811fdd51 KEYCLOAK-10786 Check signature presence in SAML broker
(cherry picked from commit ba9f73aaff22eb34c7dec16f4b76d36d855d569b)
2019-08-20 06:35:00 -03:00
Leon Graser
0ce10a3249 [KEYCLOAK-10653] Manage Consent via the Account API 2019-08-20 06:24:44 -03:00
Nemanja Hiršl
411ea331f6 KEYCLOAK-10785 X.509 Authenticator - Update user identity source mappers
Update user identity sources and the way how X.509 certificates are mapped to the user to:
1. Include "Serial number + Issuer DN" as described in RFC 5280
2. Include "Certificate's SHA256-Thumbprint"
3. Exclude "Issuer DN"
4. Exclude "Issuer Email"

Add an option to represent serial number in hexadecimal format.

Documentation PR created: https://github.com/keycloak/keycloak-documentation/pull/714
KEYCLOAK-10785 - Documentation for new user identity source mappers
2019-08-16 11:35:50 -03:00
Takashi Norimatsu
8225157a1c KEYCLOAK-6768 Signed and Encrypted ID Token Support 2019-08-15 15:57:35 +02:00
Hynek Mlnarik
d2da206d6b KEYCLOAK-10933 Interfaces for vault SPI 2019-08-13 08:50:29 +02:00
Kohei Tamura
c0f73c0df4 KEYCLOAK-10817 Set referrer on error 2019-08-02 10:02:23 -03:00
Vlastimil Elias
4571f65d1e KEYCLOAK-10209 - AuthenticationSessionModel made available through
KeycloakContext in KeycloakSession
2019-07-30 12:36:57 +02:00
Pedro Igor
8b203d48ce [KEYCLOAK-10949] - Proper error messages when failing to authenticate the request 2019-07-29 17:01:42 -03:00
Pedro Igor
967d21dbb5 [KEYCLOAK-10713] - Pagination to resources rest api 2019-07-29 16:19:22 -03:00
k-tamura
fe0d6f4583 KEYCLOAK-10665 Fix incorrect client link on my resources page 2019-07-26 15:36:06 -03:00
k-tamura
2dceda3f50 KEYCLOAK-10807 Fix incorrect RS link on my resources page 2019-07-26 15:29:25 -03:00
Stan Silvert
bc818367a1 KEYCLOAK-10854: App-initiated actions Phase I 2019-07-26 14:56:29 -03:00
Stan Silvert
6c79bdee41 KEYCLOAK-10854: App initiated actions phase I 2019-07-26 14:56:29 -03:00
mhajas
57a8fcb669 KEYCLOAK-10776 Add session expiration to Keycloak saml login response 2019-07-24 13:35:07 +02:00
keycloak-bot
17e9832dc6 Set version to 8.0.0-SNAPSHOT 2019-07-19 19:05:03 +02:00
Pedro Igor
5f5cb6cb7b [KEYCLOAK-10808] - Do not show authorization tab when client is not confidential 2019-07-15 10:07:31 -03:00
rmartinc
1d2d6591b2 KEYCLOAK-10826: Provide the locale name in the LocaleBean to be used in themes 2019-07-13 07:18:40 +02:00
rmartinc
6d6db1f3e5 KEYCLOAK-10345: OCSP validation fails if there is no intermediate CA in the client certificate 2019-07-12 15:16:00 +02:00
Takashi Norimatsu
2e850b6d4a KEYCLOAK-10747 Explicit Proof Key for Code Exchange Activation Settings 2019-07-12 08:33:20 +02:00
Martin Kanis
efdf0f1bd8 KEYCLOAK-6839 You took too long to login after SSO idle 2019-07-10 10:15:26 +02:00
Kohei Tamura
55a6141bff KEYCLOAK-10783 Fix internal server error when logging out after sharing my resource 2019-07-09 09:06:58 -03:00
mposolda
5f9feee3f8 KEYCLOAK-9846 Verifying signatures on CRL during X509 authentication 2019-07-08 20:20:38 +02:00
Tomasz Prętki
0376e7241a KEYCLOAK-10251 New Claim JSON Type - JSON 2019-07-08 11:59:57 +02:00
Sven-Torben Janus
c883c11e7e KEYCLOAK-10158 Use PEM cert as X.509 user identity
Allows to use the full PEM encoded X.509 certificate from client cert
authentication as a user identity. Also allows to validate that user's
identity against LDAP in PEM (String and binary format). In addition,
a new custom attribute mapper allows to validate against LDAP when
certificate is stored in DER format (binay, Octet-String).

KEYCLOAK-10158 Allow lookup of certs in binary adn DER format from LDAP
2019-07-08 11:58:26 +02:00
Hynek Mlnarik
ca4e14fbfa KEYCLOAK-7852 Use original NameId value in logout requests 2019-07-04 19:30:21 +02:00
Sebastian Laskawiec
b5d8f70cc7 KEYCLOAK-8224 Client not found error message 2019-07-03 18:34:56 +02:00
Asier Aguado
bed22b9b8d [KEYCLOAK-10710] Make social providers compatible with OIDC UsernameTemplateMappers 2019-07-03 15:01:46 +02:00
rmartinc
bd5dec1830 KEYCLOAK-10112: Issues in loading offline session in a cluster environment during startup 2019-07-03 13:17:45 +02:00
Axel Messinese
b32d52e62b KEYCLOAK-10750 Check if role exist on get user/group in role endpoint 2019-07-03 08:46:36 +02:00
Pedro Igor
0cdd23763c [KEYCLOAK-10443] - Define a global decision strategy for resource servers 2019-07-02 09:14:37 -03:00
Jeroen ter Voorde
7518692c0d [KEYCLOAK-10419] Added briefRepresentation parameter support to the admin client interface
And added a aquillian test for it.
2019-06-21 11:31:01 +02:00
Jeroen ter Voorde
a2099cff39 [KEYCLOAK-10419] Added support for briefRepresentation param on the GroupResource members endpoint. 2019-06-21 11:31:01 +02:00
k-tamura
542333a0dd KEYCLOAK-10660 Fix internal server error when re-logging in from my resources page 2019-06-18 06:18:36 -03:00
Hisanobu Okuda
1ac51611d3 KEYCLOAK-10664 correct the error message when no SAML request provided 2019-06-18 08:47:35 +02:00
Pedro Igor
fdc0943a92 [KEYCLOAK-8060] - My Resources REST API 2019-06-11 14:23:26 -03:00
Pedro Igor
61eb94c674 [KEYCLOAK-8915] - Support resource type in authorization requests 2019-06-04 21:02:54 -03:00
Stefan Guilhen
40ec46b79b [KEYCLOAK-8043] Allow prompt=none query parameter to be propagated to default IdP 2019-05-29 09:22:46 +02:00
Pedro Igor
e9ea1f0e36 [KEYCLOAK-10279] - Do not limit results when fetching resources 2019-05-28 15:35:29 -03:00
Ian Duffy
de0ee474dd Review feedback 2019-05-27 21:30:01 +02:00
Ian Duffy
54909d3ef4 [KEYCLOAK-10230] Support for LDAP with Start TLS
This commit sends the STARTTLS on LDAP 389 connections is specified.
STARTTLS doesn't work with connection pooling so connection pooling will
be disabled should TLS be enabled.
2019-05-27 21:30:01 +02:00
vramik
d64f716a20 KEYCLOAK-2709 SAML Identity Provider POST Binding request page shown to user is comletely blank with nonsense title 2019-05-20 09:51:04 +02:00
Sebastian Loesch
76a6e82173 Fix log message
Single quotes need to be represented by double single quotes throughout a String.
See: https://docs.oracle.com/javase/7/docs/api/java/text/MessageFormat.html
2019-05-15 15:33:43 +02:00
Kohei Tamura
8bee7ec542 KEYCLOAK-9983 - Fix the P3P header corruption in Japanese and Turkish (#6006) 2019-05-15 15:23:45 +02:00
Tomohiro Nagai
d593ac3e6f KEYCLOAK-9711 REQUIRED authentictor in ALTERNATIVE subflow throws AuthenticationFlowException when the authentictor returns ATTEMPTED. 2019-05-15 12:45:50 +02:00
Hynek Mlnarik
b8aa1916d8 KEYCLOAK-10195 Fix role lookup to address roles with dots 2019-05-14 13:00:04 +02:00
Kohei Tamura
43bda455bc KEYCLOAK-10106 - Fix typos in default scripts (#6010) 2019-05-07 10:20:04 +02:00
Stefan Guilhen
f1acdc000e [KEYCLOAK-10168] Handle microprofile-jwt client scope migration 2019-05-06 15:14:27 -03:00
Jan Lieskovsky
9eb400262f KEYCLOAK-6055 Include X.509 certificate data in audit logs
Signed-off-by: Jan Lieskovsky <jlieskov@redhat.com>
Co-authored-by: mposolda <mposolda@gmail.com>
2019-04-30 11:31:04 +02:00
Sebastian Loesch
96250c9685 [KEYCLOAK-9573] Allow AdminEvents for custom resource types 2019-04-26 09:57:28 +01:00
Hynek Mlnarik
65326ce16a KEYCLOAK-9629 Update cookie type 2019-04-24 07:18:41 +01:00
Sebastian Loesch
43393220bf Add X.509 authenticator option for canonical DN
Because the current distinguished name determination is security provider
dependent, a new authenticator option is added to use the canonical format
of the distinguished name, as descriped in
javax.security.auth.x500.X500Principal.getName(String format).
2019-04-23 21:04:18 +02:00
keycloak-bot
49d4e935cb Set version to 7.0.0-SNAPSHOT 2019-04-17 09:48:07 +01:00
Bekh-Ivanov George
ebcfeb20a3 [KEYCLOAK-10020] - Add ability to request user-managed (ticket) permissions by name 2019-04-12 08:44:57 -03:00
Takashi Norimatsu
9b3e297cd0 KEYCLOAK-9756 PS256 algorithm support for token signing and validation 2019-04-09 20:52:02 +02:00
Francesco Degrassi
1bf19ada7e KEYCLOAK-9825: keep existing refresh token on token exchange requiring refresh if new one not provided in response 2019-04-09 15:21:56 -03:00
Francesco Degrassi
5b78063dce KEYCLOAK-6614: Support requesting refresh tokens from Google using access_type=offline 2019-04-08 15:06:03 -03:00
Stefan Guilhen
2fa2437555 KEYCLOAK-5613 Add built-in optional client scope for MicroProfile-JWT 2019-04-02 08:40:19 -03:00
Hisanobu Okuda
b44c86bd26 KEYCLOAK-9833 Large SSO Session Idle/SSO Session Max causes login failure 2019-03-27 11:42:40 +01:00
vramik
b7c5ca8b38 KEYCLOAK-8535 Inconsistent SAML Logout endpoint handling 2019-03-22 14:09:31 +01:00
Pedro Igor
d2275ca563 [KEYCLOAK-7939] - Startup logs warning instead of error when admin user already exists 2019-03-21 11:44:17 -03:00
mposolda
db271f7150 KEYCLOAK-9572 Support for multiple CRLs with X509 authentication 2019-03-20 15:00:44 +01:00
Hynek Mlnarik
25c07f78bc KEYCLOAK-9578 Fix typo in SAML attribute name format 2019-03-19 11:45:38 +01:00
Hynek Mlnarik
1c906c834b KEYCLOAK-3373 Remove SAML IdP descriptor from client installation and publicize it in realm endpoint instead 2019-03-19 11:37:15 +01:00
fisache
a868b8b22a [KEYCLOAK-9772] Permissions are duplicated
- when resource server is current user
2019-03-18 16:37:54 -03:00
stianst
8d42c9193b KEYCLOAK-9838 Trim username in admin welcome page 2019-03-18 09:20:38 +01:00
vramik
3cc405b1c5 KEYCLOAK-8542 Remove resteasy workaround - KeycloakStringEntityFilter 2019-03-16 13:53:54 +01:00
mposolda
a48698caa3 KEYCLOAK-6056 Map user by Subject Alternative Name (otherName) when authenticating user with X509 2019-03-15 23:11:47 +01:00
Yaser Abouelenein
404ac1d050 KEYCLOAK-8701 changes needed to include x5c property in jwks 2019-03-15 06:01:15 +01:00
Axel Messinese
e18fb56389 KEYCLOAK-4978 Add endpoint to get groups by role 2019-03-15 06:00:17 +01:00
Corey McGregor
be77fd9459 KEYCLOAK-2339 Adding impersonator details to user session notes and supporting built-in protocol mappers. 2019-03-08 09:14:42 +01:00
rmartinc
231db059b2 KEYCLOAK-8996: Provide a way to set a responder certificate in OCSP/X509 Authenticator 2019-03-07 07:57:20 +01:00
keycloak-bot
e843d84f6e Set version to 6.0.0-SNAPSHOT 2019-03-06 15:54:08 +01:00
Gilles
f295a2e303 [KEYCLOAK-3723] Fixed updated of protocol mappers within client updates in clients-registrations resource 2019-03-04 11:57:59 +01:00
vramik
5d205d16e8 KEYCLOAK-9167 Using kcadm to update an identity-provider instance via a json file does not work without an "internalId" present in the json 2019-02-27 14:56:36 +01:00
Stan Silvert
fe5966d224 KEYCLOAK-8602: PatternFly 4 integration 2019-02-25 08:26:54 -03:00
Simon Neaves
b5fbc04e5e KEYCLOAK-9376 Add "aud" to DEFAULT_CLAIMS_SUPPORTED
See https://issues.jboss.org/browse/KEYCLOAK-9376?_sscc=t
2019-02-25 10:21:49 +01:00
Pedro Igor
99f8e5f808 [KEYCLOAK-9489] - Fixing fine-grained permission functionality 2019-02-22 09:22:14 -03:00
Steven Aerts
d36cb27bd9 KEYCLOAK-9526 admin console auth-url with hostname SPI 2019-02-21 11:55:11 +01:00
Guilhem Lucas
b666756b8f KEYCLOAK-9320 Make theme properties available in email templates 2019-02-21 11:19:17 +01:00
stianst
e06c705ca8 Set version 5.0.0 2019-02-21 09:35:14 +01:00
Pedro Igor
34d8974e7f [KEYCLOAK-9489] - User not able to log in to admin console when using query-* roles 2019-02-20 18:09:36 +01:00
Hynek Mlnarik
52840533c9 KEYCLOAK-9111 Fix for unhandled exception 2019-02-13 15:49:49 +01:00
Hynek Mlnarik
37e6b6ffc6 KEYCLOAK-9113 Add support for inspecting log messages for uncaught errors 2019-02-13 15:49:49 +01:00
stianst
7c9f15778a Set version to 4.8.3.Final 2019-01-09 20:39:30 +01:00
Pedro Igor
382f6b0c2c [KEYCLOAK-9185] - Update LinkedIn broker to LinkedIn API v2 2019-01-09 15:29:40 +01:00
stianst
7c4890152c Set version to 4.8.2 2019-01-03 14:43:22 +01:00
Hynek Mlnarik
ca76f943c1 KEYCLOAK-9190 Update GoogleIdentityProvider endpoints
per https://accounts.google.com/.well-known/openid-configuration
2019-01-03 14:32:57 +01:00
stianst
07ccbdc3db KEYCLOAK-9182 2019-01-03 14:28:35 +01:00
Hynek Mlnarik
2e52093ac5 KEYCLOAK-9123 Fix content-type check 2018-12-19 10:43:33 +01:00
mposolda
061693a8c9 KEYCLOAK-9089 IllegalArgumentException when trying to use ES256 as OIDC access token signature 2018-12-14 21:01:03 +01:00
mposolda
1237986fd0 KEYCLOAK-8838 Incorrect resource_access in accessToken when clientId contains dots 2018-12-13 10:31:27 +01:00
rmartinc
3c44e6c377 KEYCLOAK-9068: IDP-initiated-flow is not working with REDIRECT binding 2018-12-13 06:28:38 -02:00
mposolda
c51c492996 KEYCLOAK-9050 Change LoginProtocol.authenticated to read most of the values from authenticationSession 2018-12-12 13:30:03 +01:00
Stan Silvert
3ed77825a2 KEYCLOAK-8495: Account REST Svc doesn't require acct roles 2018-12-12 12:07:29 +01:00
mposolda
a7f57c7e23 KEYCLOAK-9021 2018-12-12 07:09:14 +01:00
mposolda
10eb13854e KEYCLOAK-9028 Fix another NPE in Cors debug logging 2018-12-11 21:24:32 +01:00
Hynek Mlnarik
cea9e877ad KEYCLOAK-9036 Fix NPE 2018-12-11 15:35:19 +01:00
MICHEL Arnault (UA 2118)
3f13df81ab [KEYCLOAK-8580] Fixes and log improvements :
- fix  buildChain method (return value)
- method setJVMDebuggingForCertPathBuilder removed as it doesn't output anything in server.log
- Performance : don't reload truststore on each authentication request
- Don't generate stacktrace while detecting intermediate CA's
- review log levels and messages : no log if
- log if truststore is not properly configured in standalone[-ha].xml
2018-12-10 13:58:58 +01:00
Hynek Mlnarik
dad12635f6 KEYCLOAK-9014 Fix displayed applications 2018-12-10 09:59:46 +01:00
Pedro Igor
0c39eda8d2 [KECLOAK-8237] - Openshift Client Storage 2018-12-06 10:57:53 -02:00
Hynek Mlnarik
27f145969f KEYCLOAK-7936 Prevent registration of the same node
The root cause is that NodesRegistrationManagement.tryRegister can be
called from multiple threads on the same node, so it can require
registration of the same node multiple times. Hence once it turns to
tasks that invoke sendRegistrationEvent (called sequentially), the same
check has been added to that method to prevent multiple invocations on
server side, or invocation upon undeployment/termination.
2018-12-05 12:34:17 +01:00
Pedro Igor
e798c3bca2 [KEYCLOAK-8901] - Identity Provider : UserInfo response as JWT Token not supported 2018-12-05 09:28:12 -02:00
stianst
b674c0d4d9 Prepare for 4.8.0.Final 2018-12-04 13:54:25 +01:00
Pedro Igor
4355c89b9d [KEYCLOAK-7365] - No need to check roles when refreshing tokens 2018-11-29 08:51:25 -02:00
rmartinc
1b37394276 KEYCLOAK-7242: LDAPS not working with truststore SPI and connection timeout 2018-11-29 11:21:46 +01:00
mposolda
6db1f60e27 KEYCLOAK-7774 KEYCLOAK-8438 Errors when SSO authenticating to same client multiple times concurrently in more browser tabs 2018-11-21 21:51:32 +01:00
Cédric Couralet
dc06a8cee3 Fix KEYCLOAK-8832 (#5735)
Avoid NullPointerException when browser sends "Origin" header and
allowedOrigin is null. This happens on chrome with admin console
2018-11-19 17:53:05 +01:00
Stian Thorgersen
f3bf1456ab
KEYCLOAK-8781 Mark OpenShift integration as preview. Fix issue in Profile where preview features was not enabled in preview mode. (#5738) 2018-11-19 17:32:21 +01:00
Hynek Mlnarik
548950ed8e KEYCLOAK-8756 Consider also required actions of AuthenticationSession 2018-11-19 16:04:43 +01:00
Marek Posolda
f67d6f9660 KEYCLOAK-8482 Access token should never contain azp as an audience (#5719) 2018-11-19 14:38:41 +01:00
Stian Thorgersen
3756cf629b
KEYCLOAK-7081 Fixes for manual/qr mode switches on login config otp page (#5717) 2018-11-19 14:32:28 +01:00
Takashi Norimatsu
0793234c19 KEYCLOAK-8460 Request Object Signature Verification Other Than RS256 (#5603)
* KEYCLOAK-8460 Request Object Signature Verification Other Than RS256

also support client signed signature verification by refactored token
verification mechanism

* KEYCLOAK-8460 Request Object Signature Verification Other Than RS256

incorporate feedbacks and refactor client public key loading mechanism

* KEYCLOAK-8460 Request Object Signature Verification Other Than RS256

unsigned request object not allowed

* KEYCLOAK-8460 Request Object Signature Verification Other Than RS256

revert to re-support "none"
2018-11-19 14:28:32 +01:00
Hynek Mlnarik
461dae20de KEYCLOAK-8731 Ensure password history is kept in line with password policy 2018-11-19 12:48:51 +01:00
mposolda
0533782d90 KEYCLOAK-7275 KEYCLOAK-5479 Faster offline sessions preloading at startup. Track lastSessionRefresh timestamps more properly by support bulk update to DB 2018-11-16 14:23:28 +01:00
Stan Silvert
0b36020bf5 KEYCLOAK-8759: Wrong RH-SSO name on Welcome Page 2018-11-15 13:00:55 -05:00
Leon Graser
85f11873c3 KEYCLOAK-8613 Group Membership Pagination 2018-11-15 17:54:07 +01:00
Gideon Caranzo
39bf08e1b9 KEYCLOAK-8783 also checked admin roles when realm admin client is specified 2018-11-15 14:23:18 +01:00
Gideon Caranzo
9f88abb022 KEYCLOAK-8783 only checked master and realm admin roles when roles are specified in imported realm 2018-11-15 14:23:18 +01:00
Thomas Darimont
cf57a1bc4b KEYCLOAK-1267 Add dedicated SSO timeouts for Remember-Me
Previously remember-me sessions where tied to the SSO max session
timeout which could lead to unexpected early session timeouts.
We now allow SSO timeouts to be configured separately for sessions
with enabled remember-me. This enables users to opt-in for longer
session timeouts.

SSO session timeouts for remember-me can now be configured in the
tokens tab in the realm admin console. This new configuration is
optional and will tipically host values larger than the regular
max SSO timeouts. If no value is specified for remember-me timeouts
then the regular max SSO timeouts will be used.

Work based on PR https://github.com/keycloak/keycloak/pull/3161 by
Thomas Darimont <thomas.darimont@gmail.com>
2018-11-15 06:11:22 +01:00
Pedro Igor
f5ae76d8e3 [KEYCLOAK-8768] - Policy evaluation tool failing when client is used and identity.getId is called 2018-11-14 19:16:41 -02:00
stianst
ecd476fb10 Prepare for 4.7.0.Final 2018-11-14 20:10:59 +01:00
Hynek Mlnarik
c3778e66db KEYCLOAK-8260 Improve SAML conditions handling 2018-11-14 20:09:22 +01:00
Martin Kanis
6a23eb19f5 KEYCLOAK-8166 2018-11-14 20:09:22 +01:00
Martin Kanis
72b23c1357 KEYCLOAK-8160 2018-11-14 20:09:22 +01:00
Martin Kanis
0cb6053699 KEYCLOAK-8125 2018-11-14 20:09:22 +01:00
vramik
6564cebc0f KEYCLOAK-7707 2018-11-14 20:09:22 +01:00
Bruno Oliveira da Silva
a957e118e6 Redirect URLs are not normalized 2018-11-14 20:09:22 +01:00
mposolda
0897d969b1 KEYCLOAK-7340 2018-11-14 20:09:22 +01:00
mposolda
1b5a83c4f1 KEYCLOAK-6980 Check if client_assertion was already used during signed JWT client authentication 2018-11-14 20:09:22 +01:00
Pedro Igor
cd96d6cc35 [KEYCLOAK-8694] - Mark Drools policy as tech preview 2018-11-09 11:08:49 -02:00
Pedro Igor
bce2aee144 [KEYCLOAK-8646] - Error deleting policies when admin events are enabled 2018-11-06 11:27:32 -02:00
rmartinc
cbe59f03b7 KEYCLOAK-8708: Provide aggregation of group attributes for mappers 2018-11-06 13:42:38 +01:00
Torbjørn Skyberg Knutsen
36b0d8b80e KEYCLOAK-7166 Added the possibility of not logging out of remote idp on browser logout, by passing a query param containing the id of the identity provider 2018-11-06 13:39:19 +01:00
Pedro Igor
327991bd73 [KEYCLOAK-8716] - Issue with caching resolved roles in KeycloakSession 2018-11-06 10:27:04 -02:00
mposolda
ffcd8e09e7 KEYCLOAK-8175 Possibility of clientScope not being used if user doesn't have a role 2018-10-31 18:04:41 +01:00
mposolda
cfeb56e18a KEYCLOAK-8641 Remove aud from the authorization tickets 2018-10-31 13:31:26 +01:00
mposolda
9652748ba9 KEYCLOAK-8484 Remove audience client scope template 2018-10-31 11:11:02 +01:00
Pedro Igor
f6943296c7 [KEYCLOAK-8489] - RPT request: Authorized Party's protocol mappers are being applied instead of the Audience's ones 2018-10-26 09:40:32 -03:00
Graser Leon
9ef4c7fffd KEYCLOAK-8377 Role Attributes 2018-10-24 22:04:28 +02:00
Pedro Igor
2af9d002b6 [KEYCLOAK-8172] - Evaluation not considering scopes inherited from parent resources 2018-10-24 12:50:27 -03:00
Pedro Igor
a2b13715ed [KEYCLOAK-8625] - Saving client settings will cause always adding default authorization settings 2018-10-24 10:18:04 -03:00
mposolda
c36b577566 KEYCLOAK-8483 Remove application from the aud claim of accessToken and refreshToken 2018-10-23 13:52:09 +02:00
Gideon Caranzo
7d85ce93bb KEYCLOAK-8555 queried only realms with user storage provider to speed up user storage sync bootstrap 2018-10-19 09:53:58 +02:00
vramik
7a96911a83 KEYCLOAK-8300 KEYCLOAK-8301 Wildfly 14 upgrade
Co-authored-by: Marek Posolda <mposolda@redhat.com>
2018-10-17 20:01:07 +02:00
MICHEL Arnault (UA 2118)
ab8789739f [KEYCLOAK-8580] Add Nginx certificate lookup provider 2018-10-16 07:53:18 +02:00
stianst
5f0424fb11 KEYCLOAK-8310 Change scheme option to alwaysHttps option 2018-10-15 14:00:00 +02:00
Stefan Guilhen
68a54abb09 KEYCLOAK-6757 Update MicrosoftIdentityProvider to use the Microsoft Graph endpoints 2018-10-15 12:46:15 +02:00
stianst
11374a2707 KEYCLOAK-8556 Improvements to profile 2018-10-12 12:26:37 +02:00
Gideon Caranzo
0e8d79bbfb KEYCLOAK-8554 checked if master realm exist instead of number of realms for new installation check 2018-10-12 09:43:41 +02:00
stianst
aaa33ad883 KEYCLOAK-8509 Improvements to session iframe 2018-10-10 21:01:05 +02:00
rmartinc
0a6f43c1a1 KEYCLOAK-8490: Direct grants returns invalid credentials when user has pending actions 2018-10-10 20:18:20 +02:00
Toni Ristola
22d64368a6 KEYCLOAK-8191 Fixed DI that was not working 2018-10-09 08:22:43 -03:00
Pedro Igor
79ca722b49 [KEYCLOAK-7605] - Make sure Evaluation API is read-only 2018-10-09 08:09:29 -03:00
Moritz Becker
f17b5f0f49 fix KEYCLOAK-7572 consistently perform duplicate user checks during account update only if email changes
Fix test
2018-10-05 09:35:05 +02:00
stianst
86a2f28561 KEYCLOAK-8310 Add support to set fixed scheme on fixed hostname provider 2018-10-05 09:34:17 +02:00
gbtec-igormartens
c41bcddd8d Update UserResource.java
In my opinion, the old documentation does not match the actual behaviour of the resetPassword method.
2018-10-04 12:54:49 +02:00
mposolda
2a4cee6044 KEYCLOAK-6884 KEYCLOAK-3454 KEYCLOAK-8298 Default 'roles' and 'web-origins' client scopes. Add roles and allowed-origins to the token through protocol mappers 2018-10-04 12:00:38 +02:00
Stan Silvert
dba513c921 KEYCLOAK-8419: Make most act mgt APIs only active in preview mode 2018-10-02 16:32:56 -04:00
Pedro Igor
b4b3527df7 [KEYCLOAK-7950] - Fixes user pagination when using filtering users members of groups 2018-10-02 15:44:23 -03:00
mposolda
4b9b189016 KEYCLOAK-8008 Ensure InputStream are closed 2018-10-01 16:06:32 +02:00
Martin Kanis
efe6a38648 KEYCLOAK-6718 Auth Flow does not Check Client Protocol 2018-09-26 21:00:02 +02:00
stianst
c3fc9e9815 Set version to 4.6.0.Final-SNAPSHOT 2018-09-26 20:58:41 +02:00
Pedro Igor
43f5983613 [KEYCLOAK-8289] - Remove authorization services from product preview profile 2018-09-26 18:27:27 +02:00
mposolda
3777dc45d0 KEYCLOAK-3058 Support for validation of "aud" in adapters through verify-token-audience configuration switch 2018-09-21 11:17:05 +02:00
Douglas Palmer
b748e269ec [KEYCLOAK-7435] Added code to delete a specific session and tests for session deletion 2018-09-20 15:57:58 +02:00
Pedro Igor
6b0bc0b3be [KEYCLOAK-8308] - Deprecate token_introspection_endpoint claim from OIDC discovery document 2018-09-19 09:46:50 -03:00
Rafael Weingärtner
3dd6f9cb85 Enable "DockerComposeYamlInstallationProviderTest" to run on Windows 2018-09-19 11:22:57 +02:00
Pedro Igor
aaf78297c9 [KEYCLOAK-7987] - Can't set authorization enabled when using kcreg 2018-09-18 10:00:16 -03:00
mposolda
99a16dcc1f KEYCLOAK-6638 Support for adding audiences to tokens 2018-09-13 21:40:16 +02:00
slominskir
c4a651bcac KEYCLOAK-7270 - Support for automatically linking brokered identities 2018-09-12 18:50:35 +02:00
Johannes Knutsen
d4a5c81034 KEYCLOAK-8146: Extract LocaleSelectorSPI to allow custom overrides of locale selection 2018-09-11 20:35:48 +02:00
stianst
26f257a6ac KEYCLOAK-8264 Update OpenShift Token Review endpoint to support additional algorithms and to update session last refresh on token introspection 2018-09-11 19:57:38 +02:00
stianst
12f3d2115d KEYCLOAK-8263 Add option to client to override access token timeout 2018-09-11 12:40:51 +02:00
stianst
24e60747b6 KEYCLOAK-7560 Refactor token signature SPI PR
Also incorporates:
KEYCLOAK-6770 ES256/384/512 providers
KEYCLOAK-4622 Use HS256 for refresh tokens
KEYCLOAK-4623 Use HS256 for client reg tokens
2018-09-11 08:14:10 +02:00
Takashi Norimatsu
5b6036525c KEYCLOAK-7560 Refactor Token Sign and Verify by Token Signature SPI 2018-09-11 08:14:10 +02:00
Pedro Igor
0561d73ae2 [KEYCLOAK-6285] - HTTP Challenge Authentication Flow 2018-09-10 19:02:49 +02:00
stianst
bf758809ba KEYCLOAK-6229 OpenShift Token Review interface 2018-09-07 08:21:28 +02:00
stianst
1fb4ca4525 Set version to 4.5.0.Final 2018-09-06 20:08:02 +02:00
stianst
c56e171f3a KEYCLOAK-7608 Check if themes dir is null in FolderThemeProvider 2018-09-06 08:52:17 +02:00
Hynek Mlnarik
812e76c39b KEYCLOAK-8163 Improve SAML validations 2018-09-05 15:47:03 +02:00
Pedro Igor
47066e1b89 [KEYCLOAK-8012] - Fix offline session support in authorization services 2018-09-04 15:07:49 -03:00
Pedro Igor
6a0a1031a1 [KEYCLOAK-7754] - Fixing compat issues with UMA spec in RPT Introspection Provider 2018-09-04 11:41:09 -03:00
June Zhang
237318dfd3 KEYCLOAK-7751 Auth welcome page 2018-09-04 07:55:08 +02:00
Hynek Mlnarik
54b5ec206e KEYCLOAK-8183 Improve authz caching for negative cases 2018-08-31 18:31:55 +02:00
Hynek Mlnarik
bee3894cdf KEYCLOAK-8150 Improve loading user list 2018-08-30 13:03:49 +02:00
mposolda
b70468341e KEYCLOAK-7470 Ability to order client scopes 2018-08-29 14:37:27 +02:00
Jani
42553cdc44 [KEYCLOAK-7695] Restore token_type and expires_in for implicit flow
As KEYCLOAK-6585 concerns only hybrid flow, this commit restores the behavior for implicit flow.

This commit partially reverts #5041 (061049e41a6b0e6fb45c75f05748023ad7ab7d92).
2018-08-29 13:00:57 +02:00
AlistairDoswald
36837ae4b6 Added a ScriptMapper for SAML for KEYCLOAK-5520
Added mapper, tests and entry in the ProtocolMapper file.
This code is adapted from the following module: https://github.com/cloudtrust/keycloak-client-mappers
2018-08-29 09:39:30 +02:00
mposolda
31270e2f52 KEYCLOAK-7437 Support for prompt=consent 2018-08-29 08:35:29 +02:00
Johannes Knutsen
56c97407d4 KEYCLOAK-8152: Allow passing the current locale to OAuth2 identity providers 2018-08-28 15:52:23 +02:00
mposolda
6fc99cd749 KEYCLOAK-7594 Upgrade to Wildfly 13. Cross-DC: Upgrade to infinispan server 9.2.4 and JDG 7.2
Co-authored-by: Douglas Palmer <dpalmer@redhat.com>
Co-authored-by: stianst <stianst@gmail.com>
Co-authored-by: Hynek Mlnarik <hmlnarik@redhat.com>
2018-08-27 12:52:53 +02:00
Martin Kanis
59082e0b5f KEYCLOAK-7943 NPE when SAML User Property mapper is empty 2018-08-24 14:39:24 +02:00
Pedro Igor
9882341ecf [KEYCLOAK-7725] - CORS should be set based on client making the request 2018-08-24 09:35:38 -03:00
Martin Kanis
248654a75e KEYCLOAK-6706 E-mail verification won't let user back into the app 2018-08-21 16:30:15 +02:00
rmartinc
1b88eaf817 KEYCLOAK-8080 Audit the realm event configuration change 2018-08-20 21:01:38 +02:00
Corentin Dupont
b80701589c [KEYCLOAK-7804] - Option to return resource body 2018-08-20 13:07:29 -03:00
Martin Kanis
d04791243c KEYCLOAK-7970-KEYCLOAK-7222 Add clientId to action tokens 2018-08-20 15:25:24 +02:00
Pedro Igor
625f613128 [KEYCLOAK-4902] - Using streams to process requested permissions and limit support for scope responses 2018-08-17 11:00:53 -03:00
stianst
e406e8f1f0 KEYCLOAK-8069 Simplify config for fixed hostname provider 2018-08-17 14:47:14 +02:00
Hiroyuki Wada
730377a843 KEYCLOAK-7528 Set Cache-Control and Pragma header in token endpoint 2018-08-14 11:41:12 +02:00
Stefan Guilhen
f36e45cb10 [KEYCLOAK-4902] - Using streams to process scopes and cache improvements 2018-08-14 06:29:10 -03:00
Steffen Kreutz
ed72097862 KEYCLOAK-5289 Add support for Google's hd parameter 2018-08-14 11:08:57 +02:00
Stefan Guilhen
1912a8acf4 [KEYCLOAK-7885] Fix javadoc/log message typos 2018-08-13 22:09:17 -03:00
Sebastian Laskawiec
3449401ae2 KEYCLOAK-7635: Subject DN validation for x509ClientAuthenticator 2018-08-13 09:36:02 +02:00
sebastienblanc
02b2a8aab0 KEYCLOAK-7635 : Authenticate clients with x509 certificate 2018-08-13 09:36:02 +02:00
Stefan Guilhen
060b3b8d0f [KEYCLOAK-4902] - Using streams when fetching resources 2018-08-09 16:28:31 -03:00
Hynek Mlnarik
a8a9631d4f KEYCLOAK-6832 Unify Destination attribute handling 2018-08-09 10:30:30 +02:00
Pedro Igor
80e5227bcd [KEYCLOAK-4902] - Refactoring and improvements to processing of authz requests 2018-08-07 10:53:40 -03:00
Richard Kolkovich
72750b9882 KEYCLOAK-7954 treat empty string as null for skipping token verification 2018-08-07 11:13:15 +02:00
mposolda
959cd035ba Set version to 4.3.0.Final-SNAPSHOT 2018-08-01 22:40:05 +02:00
ssilvert@win.redhat.com
e7e15652cf KEYCLOAK-7479: Sanitize 2018-08-01 14:22:39 -04:00
Hynek Mlnarik
f57cc3a9c0 KEYCLOAK-5257 Clarify usage of TokenVerifier 2018-08-01 13:38:31 +02:00
mposolda
29da7d3d90 KEYCLOAK-7562 Fix ClientInitiatedAccountLinkTest#testErrorConditions 2018-08-01 13:33:23 +02:00
stianst
f99299ee39 KEYCLOAK-7967 Introduce Hostname SPI 2018-08-01 11:57:45 +02:00
stianst
ae47b7fa80 KEYCLOAK-7967 Remove injection of UriInfo 2018-08-01 11:57:45 +02:00
Takashi Norimatsu
665bcaebbb KEYCLOAK-7959 OAuth 2.0 Certificate Bound Access Tokens in Rev Proxy 2018-07-31 21:53:46 +02:00
Hiroyuki Wada
398f7d950f KEYCLOAK-7910 Store credentials when updating user via Admin REST API 2018-07-31 15:36:21 +02:00
Takashi Mogi
959e7b1b01 KEYCLOAK-7201 OIDC Identity Brokering with Client parameter forward
Forward "custom" (non-standard) query parameters to external IDP
2018-07-31 10:18:29 +02:00
ssilvert@win.redhat.com
6c593bab5a Check credential confirmation on server side. 2018-07-30 13:15:02 -04:00
Hynek Mlnarik
f43519a16e KEYCLOAK-6708 Fix NPE when email not set for email NameIDFormat 2018-07-27 11:10:35 +02:00
fisache
771d7f1724 [KEYCLOAK-7872] Fix. Remove Identity Provider Mapper when remove identity provider 2018-07-26 08:45:26 +02:00
ssilvert@win.redhat.com
0844aa8d68 KEYCLOAK-7857: Fix notifications 2018-07-25 08:59:25 -04:00
ssilvert@win.redhat.com
d73c4288ae KEYCLOAK-7294: Password page - Angular 2018-07-25 08:59:25 -04:00
vramik
524ab44160 KEYCLOAK-6866 Error 404 after changing locale while authenticating using X.509 2018-07-24 17:24:32 +02:00
Daniil Filippov
af72c1374a KEYCLOAK-7823 Fix HTTP status returned during SPNEGO auth 2018-07-24 10:38:42 +02:00
Hiroyuki Wada
7c0ca9aad2 KEYCLOAK-6313 Add required action's priority for customizing the execution order 2018-07-23 22:21:04 +02:00
Hynek Mlnarik
b43392bac8 KEYCLOAK-6577 KEYCLOAK-5609 Support dot in claim names by escaping with backslash 2018-07-23 14:46:25 +02:00
Pedro Igor
acc5f5c6d1 [KEYCLOAK-7864] - Authorization claim not set in refresh token when issuing a new refresh token 2018-07-19 09:56:59 -03:00
Pedro Igor
8b6979ac18 [KEYCLOAK-7849] - Improvements to RPT upgrade 2018-07-18 16:40:55 -03:00
Martin Kanis
34407957b9 KEYCLOAK-6314 Internal server error after T&C rejection 2018-07-18 15:05:22 +02:00
ssilvert@win.redhat.com
3e158c0321 KEYCLOAK-7846: Turn off disallowed features 2018-07-17 12:44:06 -04:00
Pedro Igor
90bfa2bff5 [KEYCLOAK-7781] - More validations to authorization requests 2018-07-13 09:18:05 -03:00
stianst
f022bc1269 [KEYCLOAK-5629] Add credential endpoints to account service 2018-07-12 13:00:25 -04:00
mhajas
5aebc74f8c KEYCLOAK-7269 Setting more uris for Authorization Resource 2018-07-11 17:48:34 -03:00
mposolda
d0a824dde4 Updating version to 4.2.0.Final-SNAPSHOT 2018-07-05 07:42:48 -04:00
mposolda
8c66f520af KEYCLOAK-7745 JTA error if offline sessions can't be preloaded at startup within 5 minutes 2018-07-04 10:22:13 +02:00
Pedro Igor
dafd567e68 [KEYCLOAK-7763] - NPE when enabling authorization to security-admin-console 2018-07-03 13:18:53 -03:00
ssilvert@win.redhat.com
d55ccf5312 KEYCLOAK-7015: Not allowing two users to have empty string emails addrs. 2018-07-03 11:04:36 -04:00
Pedro Igor
871be4ad87 [KEYCLOAK-7764] - Error when processing resource-less permissions 2018-07-03 10:35:11 -03:00
vramik
742a280f5d KEYCLOAK-5556 support for POST for AuthorizationEndpoint 2018-07-03 10:38:10 +02:00
wyvie
1450a7fad4 [KEYCLOAK-7569] support for authentication flow update
Added support for the PUT method of the authentication flow endpoint in
the admin API.

Now it's possible to run the 'update' method for authentication/flows in
kcadm.sh.
2018-07-03 10:31:23 +02:00
stianst
3c5027de3c KEYCLOAK-7701 Refactor key providers to support additional algorithms 2018-06-29 14:14:25 +02:00
Johannes Knutsen
fc3ca33033 Set hardcoded user session attribute after IDP first login flow 2018-06-26 10:31:55 +02:00
Takashi Norimatsu
2fb022e501 KEYCLOAK-7688 Offline Session Max for Offline Token 2018-06-26 08:25:06 +02:00
vramik
b478472b35 KEYCLOAK-7478 Add key query param to change locale url 2018-06-26 08:19:25 +02:00
Hynek Mlnarik
6b968796ce KEYCLOAK-7667 Fix namespace handling when decrypting assertion 2018-06-21 13:09:18 +02:00
Hiroyuki Wada
c2012a595b KEYCLOAK-7650 Don't display disabled identity providers 2018-06-19 08:55:24 -04:00
stianst
e1a0e581b9 Update to 4.1.0.Final-SNAPSHOT 2018-06-14 14:22:28 +02:00
Marek Posolda
49407c2e4f
KEYCLOAK-6630 Client scopes initial support (#5076)
* KEYCLOAK-6630 KEYCLOAK-349 Client Scopes

Co-authored-by: vramik <vramik@redhat.com>

* KEYCLOAK-6630 Change some clientTemplate occurences to clientScope
2018-06-08 15:38:38 +02:00
Pedro Igor
aa128d6c07
Merge pull request #5240 from pedroigor/KEYCLOAK-7353
[KEYCLOAK-7353] Support Policy Management in Protection API
2018-06-07 11:05:49 -03:00
Ola Bergefall
c8c76cc03f KEYCLOAK-7316: Default back to false if isPassive is missing in request. 2018-06-07 08:50:32 +02:00
Federico M. Facca
5a9bfea419 [KEYCLOAK-7353] Support Policy Management in Protection API
See https://issues.jboss.org/browse/KEYCLOAK-7353
2018-06-06 19:36:42 -03:00
Hynek Mlnarik
7ff18ca14b KEYCLOAK-7331 Fix NPE when SAML Issuer not set in AuthnRequest 2018-06-06 16:21:18 +02:00
Takashi Norimatsu
c586c63533 KEYCLOAK-6771 Holder of Key mechanism
OAuth 2.0 Mutual TLS Client Authentication and Certificate Bound Access
Tokens
2018-06-05 08:18:29 +02:00
Pedro Igor
f8919f8baa
Merge pull request #5211 from pedroigor/KEYCLOAK-7367
[KEYCLOAK-7367] - User-Managed Policy Provider
2018-06-04 09:35:13 -03:00
Jared Blashka
65c39763eb KEYCLOAK-7356 Code to Token flow fails if initial redirect_uri contains a session_state parameter 2018-05-31 08:53:11 +02:00
Martin Kanis
f429469fc8 KEYCLOAK-5270 Realm cookie path for IE<=11 users (#5106) 2018-05-31 08:44:34 +02:00
Takashi Norimatsu
eb97151476 KEYCLOAK-7451 OAuth Authorization Server Metadata for Proof Key for Code Exchange 2018-05-28 22:15:43 +02:00
Pedro Igor
2b6597e9f1 [KEYCLOAK-7367] - User-Managed Policy Provider 2018-05-25 16:18:15 -03:00
Stian Thorgersen
dbf5c395b0
Bump version to 4.0.0.Final (#5224) 2018-05-24 19:02:30 +02:00
Pedro Igor
e5d997a6c0
Merge pull request #5203 from martel-innovate/separate-ticket-permission-and-uma-permission-API
[KEYCLOAK-7354] - Split ticket management and permission endpoint
2018-05-17 15:22:55 -03:00
Federico M. Facca
76076cdb3c [KEYCLOAK-7354] split ticket management and permission endpoint
see (https://issues.jboss.org/browse/KEYCLOAK-7354)

* created new endpoint for ticket management /permission/ticket
* removed unused class
* support for direct creation of ticket by resource owner
* fix DELETE ticket
2018-05-16 15:10:39 +02:00
Timo Knapp
487539542a KEYCLOAK-7325: Fix Issue regarding HTTP 500 Server Error for resource_set Endpoint in ProtectionService (#5196)
* KEYCLOAK-7325: Fix Issue regarding HTTP 500 Server Error for resource_set Endpoint in ProctectionService
2018-05-15 14:57:33 -03:00
Federico M. Facca
5cbe595fe3 This commit implement feature KEYCLOAK-7337
* return requester

when returnNames=true

* return requesterName
* return owernName
2018-05-11 21:08:16 +02:00
Pedro Igor
e84acd9898
Merge pull request #5177 from pedroigor/KEYCLOAK-7206
[KEYCLOAK-7206] - Search by user id on admin console
2018-05-04 09:11:49 -03:00
Stian Thorgersen
90e5c7f3eb
Bump version to 4.0.0.Beta3-SNAPSHOT (#5185) 2018-05-02 14:32:20 +02:00
Martin Kanis
9505925363 Revert "KEYCLOAK-5270 Realm cookie path for IE<=11 users (#5106)" (#5183)
This reverts commit a67da7bc59.
2018-05-02 09:31:42 +02:00
pedroigor
ddceaaf3d5 [KEYCLOAK-7206] - Search by user id on admin console 2018-04-30 11:44:33 -03:00
Pedro Igor
e960642399
Merge pull request #5144 from pedroigor/KEYCLOAK-4903
[KEYCLOAK-4903] - Pushed Claims
2018-04-26 15:59:13 -03:00
Stan Silvert
35154db50f
KEYCLOAK-7123: l10n dropdowns (#5170)
* KEYCLOAK-7196: Add kc_locale to keycloak.js

* KEYCLOAK-7123: Localization dropdowns

* Update keycloak-service to latest keycloak.js
2018-04-25 15:04:12 -04:00
pedroigor
035ebc881a [KEYCLOAK-4903] - Claim Information point Provider SPI and configuration 2018-04-25 10:16:41 -03:00
pedroigor
e813fcd9c8 [KEYCLOAK-4903] - Pushing claims when obtaining a permission ticket 2018-04-24 19:47:28 -03:00
mposolda
634e7170e3 KEYCLOAK-7158 RestartLoginCookie throws error when KC_RESTART cookie created by Keycloak 1.9 2018-04-23 21:56:13 +02:00
Martin Kanis
7efa45126c KEYCLOAK-6991 NPE when importing realm from file 2018-04-19 14:26:50 +02:00
Oskars
3bef6d5066 KEYCLOAK-4538 Configurable clock skew when validating tokens (#5014)
* [master]: fix type for checkLoginIframeInterval

* [master]: KEYCLOAK-4538 Feature to tolerate a configurable amount of seconds of clock skew when validating tokens

* [master]: KEYCLOAK-4538 Fix unit test scenarios for token clock skew

* [master]: KEYCLOAK-4538 Reverted wildcard imports

* [master]: fix unit test to use longer intervals to make test less fragile.
2018-04-16 11:09:25 +02:00
Vlastimil Eliáš
c1311e4619 KEYCLOAK-6849 - LinkedIn social login provider updated to new LinkedIn OAuth2 endpoint (#5125)
* KEYCLOAK-6849 - LinkedIn social login provider updated to new LinkedIn
OAuth2 endpoint

* KEYCLOAK-6849 - LinkedIn social login provider test updated

* KEYCLOAK-6849 - LinkedIn social login provider test updated to
conditionally handle consent page when shown only

* Simplify the LinkedIn app authorization

This reverts commit c12359e7a13d9ff231fe2e25cddba66ad679a9cd.
2018-04-13 08:09:27 +02:00
Stan Silvert
095fec95e5
KEYCLOAK-7022 Fix l10n on Welcome page (#5143) 2018-04-11 12:05:07 -04:00
Hugo Guerrero
fac3118b0a KEYCLOAK-6448 - implement instagram social broker (#4963)
* KEYCLOAK-6448 - implement instagram social broker

* Instagram SocialLogin Tests
2018-04-09 17:30:27 +02:00
Martin Kanis
a67da7bc59 KEYCLOAK-5270 Realm cookie path for IE<=11 users (#5106) 2018-04-06 09:26:29 +02:00
Bill Burke
ffd9d957f4
Merge pull request #5123 from patriot1burke/kcadm-token
KEYCLOAK-7044 KEYCLOAK-7046
2018-04-04 17:22:17 -04:00
Stefan Guilhen
87abe5e648 [KEYCLOAK-6853] Make TimePolicyProvider use the kc.date.time_date contextual attribute when evaluating policies 2018-04-04 14:37:03 -03:00
Stan Silvert
701c318b60
KEYCLOAK-7047: Fix RegistrationEmailAsUsername and EditUserNameAllowed (#5122)
on personal info page.
2018-04-04 09:31:38 -04:00
Bill Burke
8a5428808e KEYCLOAK-7044 KEYCLOAK-7046 2018-04-03 21:29:31 -04:00
Bill Burke
4078e84fb6 server driven success page 2018-03-31 10:16:44 -04:00
Bill Burke
f4a5e49b63 initial 2018-03-29 17:14:36 -04:00
Pedro Igor
5cae1bb134
Merge pull request #5093 from pedroigor/KEYCLOAK-4102
[KEYCLOAK-4102] - Support lazy load paths
2018-03-29 09:16:34 -03:00
Bill Burke
8d3dc790df
Merge pull request #5087 from patriot1burke/kcinit
KEYCLOAK-6813
2018-03-28 17:35:33 -04:00
Bill Burke
f5bacb79c1 review changes 2018-03-28 16:45:52 -04:00
pedroigor
4a425c2674 [KEYCLOAK-4102] - Support lazy loading of paths via policy enforcer config 2018-03-28 09:23:59 -03:00
Bill Burke
c38b6d585e KEYCLOAK-528 (#5103) 2018-03-28 11:15:37 +02:00
Bill Burke
ad5f3fefc5 Merge remote-tracking branch 'upstream/master' into kcinit 2018-03-27 16:38:35 -04:00
Stan Silvert
80feb67fc2
KEYCLOAK-6494: Address load time of new acct mgt console (#5100)
* Optimize loading. min bundles, stop double-loading, rxjs-system instead of
plain rxjs, clean up 404's

* Create module loading hierarchy.  Allows for lazy loading.

* Upgrade NG, remove jquery, load keycloak.js only from auth/js

* Delay systemjs loading.  Load home page instead of account.

* KEYCLOAK-6496: Cleanup and polish code after optimizations.

* Fix message bundle to be back the way it was.

* Remove unused png's. Remove comments in index.ftl. Remove javaMessages.
2018-03-27 12:42:13 -04:00
pedroigor
e9e376419d [KEYCLOAK-4102] - Removing create-resources configuration option 2018-03-27 09:51:13 -03:00
Pedro Igor
ffeb0420bf
Merge pull request #5079 from pedroigor/KEYCLOAK-6529
[KEYCLOAK-6529] - Resource Attributes
2018-03-27 09:30:38 -03:00
stianst
07fea02146 Bump versions to 4.0.0.Beta2-SNAPSHOT 2018-03-26 18:17:38 +02:00
wyvie
d40e9bd3c1 [KEYCLOAK-6814] check if HMAC exists during session restart 2018-03-26 10:05:39 +02:00
Bill Burke
f000cedcbb Merge remote-tracking branch 'upstream/master' into kcinit 2018-03-20 16:49:43 -04:00
Jérôme Blanchard
f11c24e359 [KEYCLOAK-6147] Include Nonce in OIDC authentication 2018-03-20 10:51:44 +01:00
Bill Burke
8926837a3e tests 2018-03-19 16:47:13 -04:00
Áron Bustya
82ba2b1b0d remove changes from standard OIDC client registration, move constants 2018-03-19 19:31:22 +01:00
Áron Bustya
57f57f5c75 set request object mandatory for client, restrict delivery mode
handle new attribute in client representation


add to UI
2018-03-19 19:31:22 +01:00
pedroigor
08896ee9c9 [KEYCLOAK-6529] - Resource Attributes 2018-03-19 13:21:39 -03:00
Bill Burke
4bba11cd94 kcinit 2018-03-16 12:11:57 -04:00
Alex Szczuczko
e4781b8aa3 KEYCLOAK-6828 Drop jcenter repository from services/pom.xml
swagger2markup-maven-plugin depends transitively on markdown_to_asciidoc, which
is inexplicably not in Central. This causes issues during productisation, as
it's reasonably assumed that all third party artifacts will be in Central.

Stian has already asked the community project to get their artifacts in Central
( bodiam/markdown-to-asciidoc#26 ), and they haven't done anything in almost a
year. So, I've added the artifacts under my own namespace, and changed the pom
to use those instead. The artifacts are unchanged from the ones on jcenter,
except the pom was expanded slightly to meet the minimum requirements of
Central.

I'm making this change now, as I hit the problem when trying to set up
continuous productization builds from master.
2018-03-16 08:36:04 +01:00
Douglas Palmer
fed1b62c5d [KEYCLOAK-6301] Remove service account when it is disabled from the client 2018-03-14 15:09:42 +01:00
Takashi Norimatsu
5b1e65c23e KEYCLOAK-6700 Financial API Read and Write API Security Profile : state
hash value (s_hash) to protect state parameter
2018-03-13 16:40:34 +01:00
Takashi Norimatsu
e72756d01a KEYCLOAK-6700 Financial API Read and Write API Security Profile : state hash value (s_hash) to protect state parameter 2018-03-13 16:40:34 +01:00
Pedro Igor
2aa71d1737
Merge pull request #5051 from pedroigor/KEYCLOAK-6787
[KEYCLOAK-6787] - Wrong validation of resources with same name and different owners
2018-03-12 11:41:49 -03:00
pedroigor
0a4fd79b22 [KEYCLOAK-6116] - Get email attribute from 'subject alternative name' using X509 certificate 2018-03-09 10:56:35 -03:00
Martin Hardselius
8549bd70b7 Add pairwise sub support to authorization services
Identity token verification will now fetch the user from the session
state instead of relying on the sub provided in the token. Also done in
KeycloakIdentity.

Resolves: KEYCLOAK-6659
2018-03-02 13:08:27 +01:00
pedroigor
1e1de85685 [KEYCLOAK-6787] - Wrong validation of resources with same name and different owners 2018-03-01 16:50:05 -03:00
pedroigor
cb531056a6 [KEYCLOAK-6621] - Fixing cache and queries of policies with type scope 2018-02-28 16:33:45 -03:00
Pedro Igor
91bdc4bde2 [KEYCLOAK-3169] - UMA 2.0 (#4368)
* [KEYCLOAK-3169] - UMA 2.0 Support

* [KEYCLOAK-3169] - Changes to account service and more tests

* [KEYCLOAK-3169] - Code cleanup and tests

* [KEYCLOAK-3169] - Changes to account service and tests

* [KEYCLOAK-3169] - Changes to account service and tests

* [KEYCLOAK-3169] - More tests

* [KEYCLOAK-3169] - Changes to adapter configuration

* [KEYCLOAK-3169] - Reviewing UMA specs and more tests

* [KEYCLOAK-3169] - Reviewing UMA specs and more tests

* [KEYCLOAK-3169] - Changes to UMA Grant Type and refactoring

* [KEYCLOAK-3169] - Refresh tokens for RPT responses and tests

* [KEYCLOAK-3169] - Changes to account my resources and policy enforcers

* [KEYCLOAK-3169] - Realm settings flag to enable/disable user-managed access in account mgmt console

* [KEYCLOAK-3169] - More changes to my resource pages in account mgmt console

* [KEYCLOAK-3169] - Need to enable user-managed on realm to run tests

* [KEYCLOAK-3169] - Removing more UMA 1.0 related code

* [KEYCLOAK-3169] - Only submit requests if ticket exists

* [KEYCLOAK-3169] - Returning UMA 401 response when not authenticated

* [KEYCLOAK-3169] - Removing unused code

* [KEYCLOAK-3169] - Removing unused code

* [KEYCLOAK-3169] - 403 response in case ticket is not created

* [KEYCLOAK-3169] - Fixing AbstractPhotozExampleAdapterTest#testClientRoleRepresentingUserConsent

* [KEYCLOAK-3169] - 403 status code only returned for non-bearer clients
2018-02-28 08:53:10 +01:00
wyvie
f8022a5c2f [KEYCLOAK-6585] hybrid flow: removed token_type and expires_in paramters from oidc auth response 2018-02-27 15:31:12 +01:00
vmuzikar
a2cc7bd4b9 KEYCLOAK-6709 Fix OpenShift IdP doesn't fetch user's full name 2018-02-27 12:28:42 +01:00
wyvie
52acd959e0 [KEYCLOAK-6584] removed not-before-policy parameter from authorization response 2018-02-26 17:41:18 +01:00
Josh Cain
24132c8f5b Return location for execution and flow creation in admin interface. Also allow for retrieval of execution by ID 2018-02-26 17:00:17 +01:00
Hynek Mlnarik
e7cdb8ad54 KEYCLOAK-6473 KEYCLOAK-6472 SAML parser refactor + protocol parsers 2018-02-23 08:16:14 +01:00
Stian Thorgersen
9ef1f1b73c KEYCLOAK-3482 2018-02-22 09:42:45 -03:00
Erlend Hamnaberg
208ecbc3f7 KEYCLOAK-6676: Fix NPE if the redirect_uri parameter is missing 2018-02-21 19:44:22 +01:00
mposolda
fc463ae50b KEYCLOAK-6617 Offline token logout did not invalidate user session 2018-02-19 08:49:05 +01:00
cgol
86a8addf49 KEYCLOAK-6615 Remove offline session from database on offline token logout
remove offline token from database on offline session logout
2018-02-19 08:49:05 +01:00
stianst
9b63cd35f0 KEYCLOAK-6431 2018-02-13 19:38:46 +01:00
Hynek Mlnarik
84ea3f8cb1 KEYCLOAK-4315 Remove some dead/duplicate classes 2018-02-13 15:41:36 +01:00
Bill Burke
5d5373454c
Merge pull request #4991 from patriot1burke/challenge-support
KEYCLOAK-6355
2018-02-13 09:38:45 -05:00
Bill Burke
87ee15a081 fix 2018-02-12 16:52:55 -05:00
Bill Burke
d6788a0839 finish 2018-02-10 13:38:39 -05:00
stianst
505cf5b251 KEYCLOAK-6519 Theme resource provider 2018-02-09 08:28:59 +01:00
Bill Burke
5ea4ef9e55 change code query params to session_code 2018-02-08 17:37:27 -05:00
Douglas Palmer
e8de4655ac KEYCLOAK-6344 Use POST instead of GET for LDAP connection tests 2018-02-08 21:18:03 +01:00
Jochen Preusche
8325151e16
Extract findLocale to LocaleNegotiator, add tests
* Improve Testability of Locale Negotiation
 * Add test for Locale Negotiation
 * Fix Locale Negotiation for omitted Country Code
2018-02-06 09:50:04 +01:00
Serhii Shymkiv
c2fe500eb8 [KEYCLOAK-4721] Consider Session Language of Realm Also In ReCaptcha 2018-02-02 13:57:03 +01:00
vramik
019c3c9ef9 KEYCLOAK-6146 realm import fails when password policy is specified 2018-02-02 08:30:06 +01:00
Thomas Darimont
77334af34e KEYCLOAK-6222 Check syntax for errors on ScriptBasedOIDCProtocolMapper validation
We now explicitly check for syntax errors
during validation of ScriptBasedOIDCProtocolMappers.
2018-02-02 08:28:27 +01:00
Bill Burke
8f09efab9d
Merge pull request #4949 from patriot1burke/client-storage-spi
KEYCLOAK-6228
2018-02-01 08:59:02 -05:00
Bill Burke
126dd70efc client stat improvement 2018-01-31 13:05:13 -05:00
Bill Burke
a571781240 hynek db changes 2018-01-30 17:00:55 -05:00
Vlastimil Elias
a5f675d693 KEYCLOAK-4937 - convert time units in emails into human-friendly format 2018-01-30 06:38:57 +01:00
Bill Burke
1d8e38f0c6 admin console 2018-01-27 13:05:02 -05:00
Bill Burke
dd4c0d448c Merge remote-tracking branch 'upstream/master' into client-storage-spi 2018-01-27 09:47:41 -05:00
Bill Burke
6b84b9b4b6 done 1st iteration 2018-01-27 09:47:16 -05:00
Takashi Norimatsu
502627f590 KEYCLOAK-5811 Client Authentication by JWS Client Assertion in client secret 2018-01-26 10:59:40 +01:00
gregoirew
13261b52db Use the github /user/emails api endpoint if the github user did not set any public email.
Github can send a null email on the user info endpoint if there is no public email on the user profile.
This commit look for email on the /user/emails endpoint, selecting the primary email.
2018-01-25 20:56:24 +01:00
Bill Burke
ddad1cb8af Merge remote-tracking branch 'upstream/master' into client-storage-spi 2018-01-25 10:08:37 -05:00
Bill Burke
8a17b61f4e initial work 2018-01-25 10:08:26 -05:00
Bill Burke
7c66f76858
Merge pull request #4932 from patriot1burke/per-client-flow
KEYCLOAK-6335
2018-01-25 09:55:11 -05:00
Thomas Darimont
3d12bf7d14 KEYCLOAK-4743 Revise proxy support for HttpClient SPI
Polishing & more tests.
2018-01-25 09:31:32 +01:00
Thomas Darimont
851d0192ad KEYCLOAK-4743 Add proxy support to HttpClient SPI
We now provide a configurable way for dynamic proxy route selection
for the default HttpClient based on regex based targetHostname patterns.

Introduced `ProxyMapping` to describe a regex based mapping
between target hosts and the proxy URL to use.

A `ProxyMapping` can be build from an ordered list of string based
mapping representations, e.g:
```
   ^.*.(google.com|googleapis.com)$;http://localhost:8080
```
If the targetHost does not match a configured proxy mapping,
no proxy is used.

This can be configured via standalone.xml / jboss-cli, e.g.:
```
   echo SETUP: Configure proxy routes for HttpClient SPI
   /subsystem=keycloak-server/spi=connectionsHttpClient/provider=default:add(enabled=true)
   /subsystem=keycloak-server/spi=connectionsHttpClient/provider=default:write-attribute(name=properties.proxy-mappings,value=["^.*.(google.com|googleapis.com)$;http://www-proxy1:8080","^.*.facebook.com$;http://www-proxy2:8080"])
```
The new `ProxyMappingWareRoutePlanner` uses a configured `ProxyMapping`
to decide which proxy to use for a given request based on the target host
denoted by the HTTP request to execute.

I verified this manually with the BurpProxy Suite.
2018-01-25 09:31:32 +01:00
mposolda
6369c26671 KEYCLOAK-6286 Adding 'Exclude Session State From Authentication Response' switch to fix backwards compatibility with Keycloak 2.X adapters 2018-01-24 11:35:13 +01:00
Bill Burke
7b2e72d395 Merge remote-tracking branch 'upstream/master' into per-client-flow 2018-01-23 12:10:11 -05:00
Bill Burke
a9297df89c KEYCLOAK-6335 2018-01-23 12:09:49 -05:00
Hynek Mlnarik
4ba72e2d2d KEYCLOAK-5976 Fix client setting in brokered IdP-initiated scenario 2018-01-23 09:34:11 +01:00
stianst
f762173eb0 KEYCLOAK-3370 Add option to override theme in client template and client 2018-01-18 09:14:13 +01:00
stianst
35ada9d636 KEYCLOAK-6289 Add ThemeSelectorSPI 2018-01-18 09:14:13 +01:00
Thomas Darimont
bae4d4c673 KEYCLOAK-5791 Allow multi-valued ScriptBasedOIDCProtocolMapper
We now support multi-valued attribute values for the
`ScriptBasedOIDCProtocolMapper`.
Previously the `ScriptBasedOIDCProtocolMapper` only supported
single valued output. If a script returned a list of
output values then only the first value was emitted to the token.

By default multi-valued is set to `false` / `off`.
2018-01-11 08:52:24 +01:00
stianst
d8c0cc447f KEYCLOAK-6090 Add missing cors headers with invalid username/password and resource owner grant 2018-01-02 15:15:15 +01:00
stianst
0bedbb4dd3 Bump version to 4.0.0.CR1-SNAPSHOT 2017-12-21 15:06:00 +01:00
Marko Strukelj
23d0afbfd8 KEYCLOAK-6058 Partial import should ignore built-in clients 2017-12-21 13:52:58 +01:00
stianst
f0c5752ef9 KEYCLOAK-5443 Fix update user account when both email as username and edit username are enabled 2017-12-20 14:40:03 +01:00
Bruno Oliveira
811cd3a04a KEYCLOAK-6011 2017-12-20 13:37:11 +01:00
stianst
e96c6a4bcb KEYCLOAK-6068 Fix preflight request on admin endpoints 2017-12-20 10:19:34 +01:00
stianst
465675ac28 KEYCLOAK-5019 Fixes for password managers 2017-12-19 16:13:16 +01:00
mposolda
5a66f577eb KEYCLOAK-5982 Fix NPEs when client 'account' was renamed/removed 2017-12-18 21:47:17 +01:00
stianst
27b5e1aae2 KEYCLOAK-6050 Fix export doesn't export internal realm rep 2017-12-18 13:15:42 +01:00
stianst
b303acaaba KEYCLOAK-2120 Added manual setup page for OTP 2017-12-18 11:20:20 +01:00
Bill Burke
118e998570
Merge pull request #4834 from pedroigor/KEYCLOAK-5806
[KEYCLOAK-5806] - Create policy button to associated policies
2017-12-16 23:44:35 -05:00
Bill Burke
80be4c9dbc fix more 2017-12-16 07:12:32 -05:00
pedroigor
5d7ba39e0c [KEYCLOAK-5806] - Create policy component to permission pages 2017-12-15 23:41:52 -02:00
Bill Burke
7cb39c2dfc KEYCLOAK-5420 2017-12-15 12:16:24 -05:00
Hynek Mlnarik
e4a91c0706 KEYCLOAK-6042 Encode user ID before storing in auth session 2017-12-15 15:16:26 +01:00
stianst
a8943fb323 KEYCLOAK-6043 Use same urls for get and posts in account 2017-12-15 08:31:04 +01:00
Bruno Oliveira
1a541889f4 [KEYCLOAK-6015] replyTo can be empty string in DB 2017-12-15 07:01:15 +01:00
stianst
b672229efc KEYCLOAK-6032 Fix error page when internationalization is enabled 2017-12-15 06:32:00 +01:00
Vlastimil Elias
7e20a65989 KEYCLOAK-6040 AuthenticationSessionModel pushing into
EmailTemplateProvider
2017-12-14 15:51:04 +01:00
Hynek Mlnarik
2a2e6c839b KEYCLOAK-5635 2017-12-13 21:07:46 +01:00
Hynek Mlnarik
7174c0b4ec KEYCLOAK-6025 Simplify easy access to current session in action token handlers 2017-12-12 17:53:44 +01:00
stianst
f939818252 KEYCLOAK-5907 Use client manager to delete clients in client registration services 2017-12-12 14:25:05 +01:00
mposolda
63efee6e15 KEYCLOAK-5938 Authentication sessions: Support for logins of multiple tabs of same client 2017-12-12 08:01:02 +01:00
stianst
867de9de50 KEYCLOAK-6010 Add CORS headers to keycloak.js 2017-12-11 14:24:12 +01:00
k-tamura
d7a90817f2 KEYCLOAK-6009 Fix incorrect String.format usage 2017-12-10 20:56:36 +01:00
Bill Burke
c9b218db71
Merge pull request #4823 from patriot1burke/master
KEYCLOAK-5724
2017-12-08 20:03:05 -05:00
Bill Burke
ce9f4bf97a KEYCLOAK-5724 2017-12-08 10:25:30 -05:00
Bill Burke
5d5a200413
Merge pull request #4818 from patriot1burke/master
KEYCLOAK-5926
2017-12-08 09:59:32 -05:00
Hynek Mlnarik
00fb36437d KEYCLOAK-5861 Remove AUTH_SESSION_ID when END_AFTER_REQUIRED_ACTIONS set 2017-12-08 09:52:14 +01:00
Hynek Mlnarik
4a012b73ea KEYCLOAK-4998 Fix NPE in AttributeToRoleMapper 2017-12-08 09:21:21 +01:00
Bill Burke
49ba71fd8f add logic for sync 2017-12-07 20:03:10 -05:00
Bill Burke
0dee393071 KEYCLOAK-5926 2017-12-07 19:49:10 -05:00
stianst
c055ffb083 KEYCLOAK-4215 Consider session expiration when setting token timeouts 2017-12-07 10:45:02 +01:00
stianst
cccddebfd0 KEYCLOAK-5984 Fix error message in client initiated 2017-12-06 19:46:11 +01:00
mposolda
8a0fa521c4 KEYCLOAK-5915 Support for sticky sessions managed by loadbalancer. Support for KeyAffinityService 2017-12-06 13:06:54 +01:00
Bill Burke
f669fdf0df
Merge pull request #4797 from stianst/KEYCLOAK-5734
KEYCLOAK-5734
2017-12-05 17:31:36 -05:00
stianst
94ce97b972 KEYCLOAK-5734 2017-12-05 21:22:47 +01:00
stianst
c3d9f4704e KEYCLOAK-5946 Make sure wildcard origin is never returned 2017-12-04 19:55:34 +01:00
stianst
4541acc628 KEYCLOAK-5176 Strip headers from PEM when uploading to client 2017-12-04 19:54:15 +01:00
mposolda
ff6fcd30d9 KEYCLOAK-4478 OIDC auth response lacks session_state in some cases 2017-12-04 16:13:22 +01:00
stianst
37de8e9f69 Bump version to 3.4.2.Final-SNAPSHOT 2017-12-01 09:34:48 +01:00
mposolda
7b03eed9c8 KEYCLOAK-5797 Refactoring authenticationSessions to support login in multiple browser tabs with different clients 2017-11-30 12:56:45 +01:00
Peter Nalyvayko
b8e5fd2b99 KC-4335: working on adding a reverse proxy support to allow X.509 client certificate authentication when running keycloak behind a reverse proxy
KC-4335: reverse proxy => a swtich to change a type of reverse proxy when running the X509 integration tests; changes to the names of the reverse proxy providers

KC-4335: updated the migration scripts to add x509 spi to standalone and domain configurations; removed the HAproxy and apache x509 spi configuration
2017-11-30 11:00:32 +01:00
pedroigor
17748d5ba8 [KEYCLOAK-5660] - Adding UserQueryProvider.getUsersCount(realm, includeServiceAccount) method 2017-11-30 10:45:54 +01:00
Marko Strukelj
c5d9301951 KEYCLOAK-4920 NPE when exporting configuration without alias 2017-11-30 10:40:25 +01:00
Bruno Oliveira
6a528a3ee6 [KEYCLOAK-2645] Reset password page says 'You need to change your password to activate your account.' 2017-11-30 10:37:21 +01:00
stianst
2be78a0239 KEYCLOAK-5924 Add error handler for uncaught errors 2017-11-30 10:33:13 +01:00
Bruno Oliveira
af66c5dbd2 [KEYCLOAK-5483] X.509 Auth - log in attempt is not sometimes logged in the Login Events 2017-11-29 20:08:22 +01:00
Pedro Igor
d22c58ee30
Merge pull request #4760 from pedroigor/KEYCLOAK-5900
[KEYCLOAK-5900] - Returning error response when resource does not exist
2017-11-29 10:38:44 -02:00
pedroigor
c5b06f23e9 [KEYCLOAK-5900] - Returning error response when resource does not exist 2017-11-28 19:46:18 -02:00
pedroigor
bf73375a5c [KEYCLOAK-5901] - Changing response to return a 400 in case scope is invalid 2017-11-28 19:32:41 -02:00
stianst
36314c51d6 KEYCLOAK-5856 Fix infinite loop 2017-11-28 07:54:49 +01:00
pedroigor
e3c9fa25a3 [KEYCLOAK-5770] - Global Saml Logout doesn't create logout event 2017-11-23 21:08:07 +01:00
Bill Burke
2117db5e6d
Merge pull request #4730 from patriot1burke/master
KEYCLOAK-4715
2017-11-22 12:45:23 -05:00
mposolda
bd1072d2eb KEYCLOAK-5747 Ensure refreshToken doesn't need to send request to the other DC. Other fixes and polishing 2017-11-22 11:55:12 +01:00
Bill Burke
8993ca08ad KEYCLOAK-4715 2017-11-21 17:46:48 -05:00
Bill Burke
06762ba13d KEYCLOAK-5878 2017-11-20 17:03:28 -05:00
Marek Posolda
8e53ccf5ab
Merge pull request #4706 from stianst/KEYCLOAK-5383
KEYCLOAK-5383 Fix creating password in LDAP through admin create user…
2017-11-20 09:17:45 +01:00
Bill Burke
7c0c48da01
Merge pull request #4717 from patriot1burke/master
KEYCLOAK-5715
2017-11-17 12:59:36 -05:00
Bill Burke
ff5010cdd0
Merge pull request #4663 from mstruk/KEYCLOAK-5702
KEYCLOAK-5702 kcadm delete realm fails with nullpointer
2017-11-17 11:57:58 -05:00
Bill Burke
c66ff60c58 KEYCLOAK-5715 2017-11-17 11:34:32 -05:00
Stian Thorgersen
86fb18395e KEYCLOAK-5383 Fix creating password in LDAP through admin create user endpoint 2017-11-15 21:20:00 +01:00
Pedro Igor
1bd2f0e98f
Merge pull request #4674 from thomasdarimont/issue/fix-npe-in-userpermissions
KEYCLOAK-5841 Fix NPE in deletePermissionSetup in UserPermissions
2017-11-15 10:22:44 -02:00
Pedro Igor
eebf0b0499
Merge pull request #4690 from pedroigor/KEYCLOAK-5824
[KEYCLOAK-5824] - Keycloak throws "Error while evaluating permissions" exception often
2017-11-14 18:35:56 -02:00
Pedro Igor
b0ccce397a [KEYCLOAK-5824] - Fixing logging of error mesages 2017-11-14 11:28:21 -02:00
Stian Thorgersen
89f4b87038 KEYCLOAK-5567 Set correct status code on login error pages 2017-11-14 12:33:29 +01:00
Bruno Oliveira
03d0488335 [KEYCLOAK-2052] Allows independently set timeouts for e-mail verification link and rest e.g. forgot password link
Co-authored-by: Hynek Mlnarik <hmlnarik@redhat.com>
2017-11-13 19:57:04 -02:00
Stian Thorgersen
925d5e1dea KEYCLOAK-3173 enable logout offline refresh token using OIDC logout endpoint 2017-11-13 18:23:39 +01:00
Stian Thorgersen
51c7917853 KEYCLOAK-5772 Missing produces type on welcome resource post 2017-11-13 16:38:42 +01:00
Stian Thorgersen
d02ffd33b3 KEYCLOAK-5721 Moved state checker from separate cookie to claim on identity cookie 2017-11-13 14:11:28 +01:00
Thomas Darimont
a5b73a365d KEYCLOAK-5841 Fix NPE in deletePermissionSetup in UserPermissions
Previously a call to `UserPermissions#deletePermissionSetup`
always resulted in a NPE if the usersResource was null.

We now only try to delete the resourceStore information if
the given usersResource is not null.
2017-11-13 13:35:40 +01:00
Stian Thorgersen
90900b1a1f KEYCLOAK-5825 Clear state checker for welcome on form submit 2017-11-10 13:40:29 +01:00
Stian Thorgersen
4295f4ec31 KEYCLOAK-1886 Added cors headers to errors in token endpoint 2017-11-10 12:01:21 +01:00
Marko Strukelj
7035a4647d KEYCLOAK-5702 kcadm delete realm fails with nullpointer 2017-11-09 20:57:49 +01:00
Stian Thorgersen
128ff12f8f Bump versions 2017-11-09 15:37:21 +01:00
Xiaojian Liu
19eed51582 KEYCLOAK-5352 Basic Auth fails if password contains a ':' 2017-11-09 13:56:02 +01:00
Xiaojian Liu
9ff22f596d KEYCLOAK-5352 Basic Auth fails if password contains a ':' 2017-11-09 13:56:02 +01:00
Xiaojian Liu
e1af9f133f KEYCLOAK-5352 Basic Auth fails if password contains a ':' 2017-11-09 13:56:02 +01:00
Bruno Oliveira
26e253f4a5 [KEYCLOAK-5284] 2017-11-09 13:45:06 +01:00
mposolda
701b7acd80 KEYCLOAK-5371 More stable cross-dc tests 2017-11-08 10:03:04 +01:00
Stian Thorgersen
b1a05dfce2
KEYCLOAK-5664 (#4604) 2017-11-07 10:09:34 +01:00
Hynek Mlnarik
fe2f65daac KEYCLOAK-5581 Fix SAML identity broker context serialization 2017-11-03 21:09:18 +01:00
Pedro Igor
3716fa44ac [KEYCLOAK-5728] - Permission Claims support 2017-10-27 12:40:30 -02:00
Pedro Igor
57d3c44bb7 [KEYCLOAK-4901] - New policy mgmt rest api should return specific representations for a policy type 2017-10-26 15:26:40 -02:00
Pedro Igor
a70cab502c [KEYCLOAK-4901] - Reviewing methods on provider spis 2017-10-26 13:39:57 -02:00
Hynek Mlnařík
248da4687a Merge pull request #4610 from hmlnarik/KEYCLOAK-5745-Extract-client-sessions-from-user-sessions
KEYCLOAK-5745 Separate user and client sessions in infinispan
2017-10-26 13:09:06 +02:00
Hynek Mlnarik
75c354fd94 KEYCLOAK-5745 Separate user and client sessions in infinispan 2017-10-26 10:39:41 +02:00
Bruno Oliveira da Silva
375e01a074 KEYCLOAK-5278 (#4606) 2017-10-25 15:27:24 +02:00
Stian Thorgersen
f0bbcbf0fd KEYCLOAK-5487 (#4603) 2017-10-24 10:49:08 +02:00
Stan Silvert
9083e5fe5c KEYCLOAK-5298: Enable autoescaping in Freemarker (#4561)
* KEYCLOAK-5298: Enable autoescaping in Freemarker

* Fix several of the failing tests.

* Fix broken tests in integration-deprecated

* Fix last failing test.
2017-10-23 12:03:00 -04:00
Stian Thorgersen
9b75b603e3 KEYCLOAK-5234 (#4585) 2017-10-23 16:13:22 +02:00
Stian Thorgersen
d9ffc4fa21 KEYCLOAK-5225 (#4577)
KEYCLOAK-5225 fix test

Fix
2017-10-19 08:23:16 +02:00
Stian Thorgersen
fea4c54adc KEYCLOAK-5280 (#4576) 2017-10-19 08:02:23 +02:00
Bill Burke
649bca7618 KEYCLOAK-4328 2017-10-18 09:37:17 -04:00
Hynek Mlnarik
056ba75a72 KEYCLOAK-5656 Use standard infinispan remote-store 2017-10-16 21:49:42 +02:00
Bruno Oliveira da Silva
b6ab2852c2 Remove unused imports (#4558) 2017-10-16 14:23:42 +02:00
Bill Burke
31dccc9a5e Merge pull request #4509 from TeliaSoneraNorge/KEYCLOAK-5032
KEYCLOAK-5032 Forward request parameters to another IdP
2017-10-13 18:47:05 -04:00
Bill Burke
46d3ed7832 Merge remote-tracking branch 'upstream/master' 2017-10-13 17:00:57 -04:00
Bill Burke
d9af93850c KEYCLOAK-5683, KEYCLOAK-5684, KEYCLOAK-5682, KEYCLOAK-5612, KEYCLOAK-5611 2017-10-13 16:51:56 -04:00
mposolda
26f11078dc KEYCLOAK-5371 Use managed executors on Wildfly 2017-10-11 11:09:53 +02:00
mposolda
f5ff24ccdb KEYCLOAK-5371 Fix SessionExpirationCrossDCTest, Added ExecutorsProvider. Debug support for cache-servers in tests 2017-10-10 22:30:44 +02:00
Bill Burke
b0464f1751 Merge remote-tracking branch 'upstream/master' 2017-10-10 09:10:04 -04:00
Bill Burke
5bd4ea30ad rev 2017-10-10 09:09:51 -04:00
Marek Posolda
d336667972 Merge pull request #4527 from Hitachi/master
OIDC Financial API Read Only Profile : scope MUST be returned in the response from Token Endpoint
2017-10-10 11:37:45 +02:00
Carl Kristian Eriksen
50dd07217d KEYCLOAK-5032 Forward request parameters to another IdP
Forwarding of prompt and acr_values, if provided in the authorization request.
If prompt is set in the configuration for the identity provider, the configuration overrules the request parameter.
2017-10-09 16:15:27 +02:00
Marek Posolda
c6483f8b1e Merge pull request #4523 from abustya/master
KEYCLOAK-5616 Processing of claims parameter
2017-10-09 11:14:23 +02:00
Bill Burke
c8516c2349 support social external exchange 2017-10-06 16:44:26 -04:00
Vlastimil Eliáš
c9da02912e KEYCLOAK-2671 - FreeMarker form providers refactored for better (#4533)
extensibility
2017-10-05 13:37:32 +02:00
Takashi Norimatsu
6f6a467c7b OIDC Financial API Read Only Profile : scope MUST be returned in the
response from Token Endpoint
2017-10-04 12:59:49 +09:00
Václav Muzikář
da146f13c1 KEYCLOAK-5566 Google IdP doesn't reliably fetch user's full name (#4503) 2017-10-03 20:56:25 +02:00
Áron Bustya
c2ffaa0777 Merge remote-tracking branch 'keycloak/master' 2017-10-03 14:53:40 +02:00
Áron Bustya
632414cc92 process claims parameter
also support parsing from request object
2017-10-03 14:51:46 +02:00
Bruno Oliveira da Silva
da72968085 KEYCLOAK-4401: Wrong message when a temporarily disabled user requests password reset (#4506) 2017-10-03 06:28:34 +02:00
mposolda
4a7013d550 KEYCLOAK-5440 RestartLoginCookie field 'cs' not marked ignorable 2017-10-02 14:19:27 +02:00
Bruno Oliveira da Silva
bb0bccc3c0 [KEYCLOAK-5486] Test email connection feature does not work the second time (#4517) 2017-10-02 13:14:50 +02:00
Marek Posolda
13fe9e7cf8 Merge pull request #4510 from glavoie/KEYCLOAK-3303
KEYCLOAK-3303: Allow reuse of refresh tokens.
2017-09-29 17:07:45 +02:00
mposolda
3b6e1f4e93 KEYCLOAK-5007 Used single-use cache for tracke OAuth code. OAuth code changed to be encrypted and signed JWT 2017-09-29 13:20:22 +02:00
Gabriel Lavoie
134daeac7f KEYCLOAK-3303: Allow reuse of refresh tokens.
- Configurable max reuse count.
2017-09-28 15:30:40 -04:00
Bill Burke
fd025ae76b Merge pull request #4209 from guitaro/feature/group-search-and-pagination
[KEYCLOAK-2538] - groups pagination and group search
2017-09-23 20:52:19 -04:00
Bill Burke
9db6a5e0df Merge pull request #4497 from thomasdarimont/issue/KEYCLOAK-3599-add-script-based-protocol-mapper
KEYCLOAK-3599 Revise Script based OIDC ProtocolMapper
2017-09-23 20:38:51 -04:00
Thomas Darimont
57c633967a KEYCLOAK-3599 Revise Script based OIDC ProtocolMapper
We now use the `ScriptingProvider` API instead of
using the `ScriptEngineManager` because dynamic
`ScriptEngineManager` lookups might fail in some
environments like JBoss EAP.

Refactored `AbstractOIDCProtocolMapper` to provide
a new version of the `setClaim(..)` method which takes a
`KeycloakSession` as additional argument.
The old `setClaim(..)` method is marked as deprecated and
should be scheduled for removal in a later release.
To ensure backwards compatibility we call the old `setClaim(..)`
from the new `setClaim(..,keycloakSession)` method in order
to not break user implementations of OIDC ProtocolMappers.

The existing OIDC ProtocolMappers which override the old
`setClaim(..)` method should be updated to use the new version
`setClaim(..,keycloakSession)`.

This was necessary to be able to lookup a `ScriptingProvider`.
2017-09-22 22:57:07 +02:00
Bill Burke
1599e6db6e KEYCLOAK-5518 2017-09-22 16:38:50 -04:00
Bill Burke
537081ec9d Merge pull request #4494 from patriot1burke/master
KEYCLOAK-5516
2017-09-22 16:38:13 -04:00
Bill Burke
3020a04a8b Merge pull request #4490 from Fiercely/master
Keycloak 2035
2017-09-22 16:13:22 -04:00
Bill Burke
790e2dc69f fix compiler bug 2017-09-22 15:43:13 -04:00
Thomas Darimont
236b2b9273 KEYCLOAK-3599 Add Script based OIDC ProtocolMapper 2017-09-22 21:24:20 +02:00
Bill Burke
eb4f7f3b21 KEYCLOAK-5516 2017-09-22 11:48:30 -04:00
howcroft
e78bf5f876 Keycloak 2035
This PR adds:
* an endpoint to Role that lists users with the Role
* a tab "Users in Role" in Admin console Role page
* it is applicable to Realm and Client Roles
* Extends UserQueryProvider with default methods (throwing Runtime Exception if not overriden)
* Testing in base testsuite and Console
2017-09-22 15:05:49 +01:00
Bill Burke
8ace0e68c3 KEYCLOAK-910 KEYCLOAK-5455 2017-09-21 17:15:18 -04:00
Bill Burke
ab58052a4c Merge pull request #4482 from patriot1burke/master
KEYCLOAK-5491 KEYCLOAK-5492 KEYCLOAK-5490
2017-09-19 14:01:40 -04:00
Marek Posolda
fa35249afd Merge pull request #4480 from TeliaSoneraNorge/KEYCLOAK-5494
Fix introspection error for pairwise access tokens
2017-09-18 16:44:24 +02:00
Pedro Igor
e8ef050093 Merge pull request #4471 from pedroigor/KEYCLOAK-5095
[KEYCLOAK-5095] - RPT should contain the RS as audience
2017-09-18 09:32:47 -03:00
Martin Hardselius
6b687c4318 Fix offline validation errors
Refactored token validation method to run user checks only if the user
session is valid.
2017-09-18 11:26:57 +02:00
Bill Burke
f927ee7b4e KEYCLOAK-5491 KEYCLOAK-5492 2017-09-15 16:30:45 -04:00
Bill Burke
3e6adbc904 KEYCLOAK-5490 (#4477) 2017-09-15 11:36:48 +02:00
Martin Hardselius
a4315f4076 Fix introspection error for pairwise access tokens
When access tokens containing a pairwise sub are introspected, user
related checks are using that sub to fetch the UserModel instead of
fetching the user from the UserSession. No corresponding user is found
(or possibly even another user) and the token is reported inactive.

Resolves: KEYCLOAK-5494
2017-09-15 10:31:47 +02:00
Bill Burke
c999a0d8f9 Merge remote-tracking branch 'upstream/master' 2017-09-14 21:17:12 -04:00
Bill Burke
affeadf4f3 KEYCLOAK-5490 2017-09-14 21:16:50 -04:00
Stian Thorgersen
ee35673615 KEYCLOAK-1250 Profile and console loader for new account management console 2017-09-14 19:53:02 +02:00
Levente NAGY
d18aa44fb4 Merge branch 'feature/group-search-and-pagination' of https://github.com/guitaro/keycloak into feature/group-search-and-pagination 2017-09-13 16:48:24 +02:00
Levente NAGY
e907da77d7 KEYCLOAK 2538 - UI group pagination - Remove junit mocked TUs, add arquillian Tests, delete mockito from poms, fix groups sorting when get result from cache 2017-09-13 16:45:45 +02:00
Léventé NAGY
503ce3a47f Merge branch 'master' into feature/group-search-and-pagination 2017-09-13 10:27:38 +02:00
Hisanobu Okuda
b7af96aa4d KEYCLOAK-5315 Conditional OTP enforcement does not work (#4399) 2017-09-13 06:58:59 +02:00
Martin Kanis
550e5f752a KEYCLOAK-5146 TokenEndpoint returns wrong methods for preflight requests (#4455) 2017-09-13 06:23:11 +02:00
Pedro Igor
cdb3c159c5 [KEYCLOAK-5095] - RPT should contain the RS as audience 2017-09-12 16:59:20 -03:00
Pedro Igor
90db6654d3 Merge pull request #4451 from glavoie/KEYCLOAK-4858-ResourceServer
KEYCLOAK-4858: Slow query performance for client with large data volume
2017-09-12 15:54:16 -03:00
Levente NAGY
c8c88dd58c KEYCLOAK 2538 - UI group pagination - TU + some code improvement + add mockito dependency 2017-09-12 15:09:08 +02:00
Petter Lysne
7f8b5e032a feat: added PayPal IDP (#4449) 2017-09-12 11:57:59 +02:00
Hynek Mlnarik
24e9cbb292 KEYCLOAK-4899 Replace updates to user session with temporary auth session 2017-09-11 21:43:49 +02:00
Levente NAGY
2c24b39268 KEYCLOAK 2538 - UI group pagination 2017-09-07 19:39:06 +02:00
Gabriel Lavoie
c1664478d9 KEYCLOAK-4858: Slow query performance for client with large data volume
- Changing RESOURCE_SERVER PK to the client ID.
- Changing FK on children of RESOURCE_SERVER.
- Use direct fetch of ResourceServer through ID/PK to avoid a lot of implicit Hibernate flush.
2017-09-06 09:55:53 -03:00
mposolda
fe43c26829 KEYCLOAK-5248 auth_time is not updated when reauthentication is requested with 'login=prompt' 2017-09-05 12:22:30 +02:00
Pedro Igor
fa6d5f0ee2 [KEYCLOAK-4653] - Identity.hasClientRole(String) and Identity.hasRole(String) break role namespaces and should be removed 2017-09-01 16:08:34 -03:00
filipelautert
e055589448 [KEYCLOAK-4778] Fix for Oracle null value when having an empty String as attribute value (#4406)
* Add client.name as a second parameter to the title expressions in login template

* Fixing tooltip.

* pt_BR localization for admin screens.

* Reverting login.ftl

* Added all tooltip messages - even the ones not translated.
Translated around 150 messages todas.

* More translations.

* Fixing wrong edit.

* [KEYCLOAK-4778] Null check on Attribute value. This value can be null when retrieved from an Oracle database.

* [KEYCLOAK-4778] Create unit tests for empty and null values.

* [KEYCLOAK-4778] Move empty and null attributes tests to a separated test method; change tests to empty or null Strings.

* [KEYCLOAK-4778] Check if value is null and set it as empty array. In the former code if null was received it would generate an array with 1 string element ["null"]. Also if we set value as null instead of ArrayList, later when the rest call is executed it will generate the same incorrect array again.

* [KEYCLOAK-4778] Tests clean up.
2017-08-31 06:09:41 +02:00
Wim Vandenhaute
924b4f651a KEYCLOAK-5186 createUser: set federationLink (#4316) 2017-08-31 06:07:43 +02:00
Hynek Mlnařík
e36b94d905 KEYCLOAK-5318 Verify signature on raw query parameters (#4445) 2017-08-31 05:46:26 +02:00
Stian Thorgersen
d3dc26181e KEYCLOAK-3481 (#4441) 2017-08-30 08:00:22 +02:00
Stian Thorgersen
dcfa4aca8c KEYCLOAK-943 Started account rest service. Profile and sessions completed. (#4439) 2017-08-29 20:12:09 +02:00
Stian Thorgersen
463661b051 Set version to 3.4.0.CR1-SNAPSHOT 2017-08-28 15:46:22 +02:00
Stian Thorgersen
8cc1d02d46 KEYCLOAK-5342 (#4431) 2017-08-28 14:35:58 +02:00
Hynek Mlnařík
9ee8f72be9 \KEYCLOAK-5335 Destination attr in SAML requests is optional (#4424) 2017-08-28 08:06:48 +02:00
Stian Thorgersen
d58c6ad4e0 [KEYCLOAK-4900] Pass login_hint parameter to idp & review (#4421) 2017-08-25 10:14:38 +02:00
w9n
e173bf33ba auth is already part of the serverBaseUri (#4418) 2017-08-25 08:16:01 +02:00
John Ament
30ea556a7a KEYCLOAK-5285: Adding protected access. (#4405)
Allows FreemarkerEmailTemplateProvider to be more extensible.
2017-08-25 07:30:26 +02:00
Bill Burke
6696c44dc0 Merge remote-tracking branch 'upstream/master' 2017-08-24 15:19:48 -04:00
Bill Burke
7a57723c01 more token exchange 2017-08-24 15:19:38 -04:00
mposolda
fe5891fbdb KEYCLOAK-5293 Add notBefore to user 2017-08-23 08:58:26 +02:00
Stian Thorgersen
20ac70d3fd KEYCLOAK-5119 (#4400) 2017-08-22 08:07:36 +02:00
John Ament
5b179420fd KEYCLOAK-5274: Check that authenticator config id is null before attempting to fetch it. (#4404) 2017-08-22 06:57:49 +02:00
mposolda
a6a6a62dc0 KEYCLOAK-5260 kc_idp_hint was only working first time 2017-08-18 11:09:17 +02:00
mposolda
089514d8a6 KEYCLOAK-4634 Cross-dc support for UserLoginFailures 2017-08-17 10:22:12 +02:00
Bill Burke
16954fc370 fix 2017-08-10 14:58:09 -04:00
Levente NAGY
c8aa708cff Merge remote-tracking branch 'upstream/master' 2017-08-10 18:14:49 +02:00
Bill Burke
41cdd9db70 KEYCLOAK-5268 2017-08-10 09:36:45 -04:00
Bill Burke
fbeef3e75f manageMembership not deleted 2017-08-10 09:25:44 -04:00
Bill Burke
45eac1093d show permissions 2017-08-09 10:39:59 -04:00
Bill Burke
3470b1839d Merge remote-tracking branch 'upstream/master' 2017-08-09 10:25:25 -04:00
Bill Burke
2fa55550f3 token exchange permissions 2017-08-09 10:04:14 -04:00
mposolda
a72c297d5d KEYCLOAK-4187 Fix LoginCrossDCTest 2017-08-08 14:02:48 +02:00
Hynek Mlnarik
9ca72dc5c6 KEYCLOAK-4189 Improve logging and concurrency/cross-DC testing 2017-08-08 10:11:51 +02:00
Bill Burke
430fe60533 Merge pull request #4374 from patriot1burke/master
KEYCLOAK-5190
2017-08-07 14:19:23 -04:00
Bill Burke
ed5e880931 Merge remote-tracking branch 'upstream/master' 2017-08-07 12:02:50 -04:00
Bill Burke
c9b7504e3f KEYCLOAK-5190 2017-08-07 12:02:18 -04:00
Bill Burke
3fce14d9ce Merge pull request #4369 from patriot1burke/master
KEYCLOAK-5249
2017-08-03 09:57:55 -04:00
Bill Burke
3b5ca2bac0 Merge pull request #4366 from hmlnarik/KEYCLOAK-4694-null
KEYCLOAK-4694
2017-08-02 19:47:34 -04:00
Bill Burke
cf0ee31bc5 KEYCLOAK-5249 2017-08-02 19:42:35 -04:00
Hynek Mlnarik
4583a45e78 KEYCLOAK-4694 2017-08-01 09:57:12 +02:00
Bill Burke
8f542618f7 KEYCLOAK-4748 2017-07-31 10:36:04 -04:00
Bill Burke
486a0c9528 remove restriction 2017-07-28 16:25:32 -04:00
Bill Burke
6b991b850e change role name 2017-07-28 16:20:23 -04:00
Bill Burke
852e9274d4 Merge remote-tracking branch 'upstream/master' 2017-07-28 16:15:53 -04:00
Bill Burke
db9b1bcb21 token exchange 2017-07-28 16:15:39 -04:00
mposolda
07e2136b3b KEYCLOAK-4187 Added UserSession support for cross-dc 2017-07-27 22:32:58 +02:00
Hynek Mlnarik
ab05216730 KEYCLOAK-4775 Added encryption certificate to SAML metadata 2017-07-27 08:18:10 +02:00
Hynek Mlnarik
3c537f5f28 KEYCLOAK-4446 Do not encrypt SAML status messages
SAML status messages are not encryptable per Chapter 6 of
saml-core-2.0-os.pdf. Only assertions, attributes, base ID and name ID
can be encrypted.
2017-07-26 11:22:56 +02:00
Hynek Mlnarik
c7046b6325 KEYCLOAK-4189 Preparation for cross-DC SAML testing 2017-07-25 09:44:36 +02:00
Marek Posolda
79a64657f7 Merge pull request #4331 from hmlnarik/KEYCLOAK-5209-IdpEmailVerificationAuthenticator-should-use-user-action-timeout
KEYCLOAK-5209 Make IdpEmailVerificationAuthenticator use user action …
2017-07-21 15:32:40 +02:00
Hynek Mlnarik
a192b6f50a KEYCLOAK-5209 Make IdpEmailVerificationAuthenticator use user action timeout 2017-07-19 15:25:20 +02:00
Hynek Mlnarik
d52d685161 KEYCLOAK-4818 Fix undeclared namespace error in context serialization 2017-07-19 15:18:53 +02:00
Hynek Mlnarik
c36074c7f3 KEYCLOAK-4187 Minor updates (abstraction) 2017-07-18 15:08:06 +02:00
Bill Burke
27b4f0e25d Merge pull request #4324 from patriot1burke/master
KEYCLOAK-5194
2017-07-15 09:26:51 -04:00
Bill Burke
a7940c6ffa KEYCLOAK-5194 2017-07-14 18:29:48 -04:00
Bill Burke
1e059e3fa3 Merge pull request #4282 from cargosoft/KEYCLOAK-5131
KEYCLOAK-5131 ProviderFactory::postInit not called with hot deployment
2017-07-14 15:53:34 -04:00
Bill Burke
01152144bb Merge pull request #4321 from hmlnarik/KEYCLOAK-4187-Minor-updates
KEYCLOAK-4187 Minor updates in API
2017-07-14 15:48:53 -04:00
Bill Burke
f68754290f KEYCLOAK-5152 2017-07-14 14:14:38 -04:00
Hynek Mlnarik
ddcbee2bff KEYCLOAK-4187 Minor updates in API 2017-07-14 15:40:43 +02:00
Bill Burke
b0a33c9765 KEYCLOAK-5155 2017-07-13 14:51:27 -04:00
mposolda
3fca731395 KEYCLOAK-5136 Improve browser refresh button after switch to different flow 2017-07-11 13:03:18 +02:00
mposolda
936efe872a KEYCLOAK-5061 Process correct initial flow when action expired 2017-07-10 22:52:54 +02:00
mposolda
7be2c55f61 KEYCLOAK-5061 Better error messages when action expired 2017-07-10 19:50:28 +02:00
Marek Posolda
48eaebf1c3 Merge pull request #4293 from TeliaSoneraNorge/KEYCLOAK-5139
KEYCLOAK-5139 refresh token does not work with pairwise subject ident…
2017-07-10 11:21:34 +02:00
Pedro Igor
65251748c7 [KEYCLOAK-5148] - Create authorization settings when creating a new client using a config file 2017-07-05 18:19:00 -03:00
Pedro Igor
4b7c61111c Merge pull request #4288 from pedroigor/KEYCLOAK-5135
[KEYCLOAK-5135] - Wrong comparison when checking for duplicate resources during creation
2017-07-05 08:22:23 -03:00
Martin Hardselius
8cb8678525 KEYCLOAK-5139 refresh token does not work with pairwise subject identifiers 2017-07-05 12:32:43 +02:00
Stian Thorgersen
c95aace6e0 KEYCLOAK-5141 Return '*' in Cors requests when '*' is in list of permitted origins. Stop caching well-known information as it can change. (#4290) 2017-07-05 09:25:21 +02:00
Stian Thorgersen
9a9f4137e5 KEYCLOAK-4556 KEYCLOAK-5022 Only cache keycloak.js and iframe if specific version is requested (#4289) 2017-07-04 21:18:34 +02:00
Pedro Igor
adffe16cb8 [KEYCLOAK-5135] - Wrong comparison when checking for duplicate resources during creation 2017-07-04 10:16:55 -03:00
Stan Silvert
32b16717a7 KEYCLOAK-4234: Link to app in acct mgt doesn't use root url (#4285)
* KEYCLOAK-4234: Link to app in acct mgt not use root url

* Add tests.
2017-07-04 07:01:58 +02:00
Dmitry Telegin
fba264433a KEYCLOAK-5131 ProviderFactory::postInit not called with hot deployment 2017-07-03 12:20:29 +03:00
Stian Thorgersen
454c5f4d83 Set version to 3.3.0.CR1-SNAPSHOT 2017-06-30 09:47:11 +02:00
Bill Burke
999dff353c Merge remote-tracking branch 'upstream/master' 2017-06-29 17:37:45 -04:00
Bill Burke
f5389b0e17 don't clean up properly 2017-06-29 17:36:45 -04:00
Sebastien Blanc
500a21685f KEYCLOAK-5082 : Add new redirect-rewrite-rule parameters for the adapters (#4255)
* add rewrite rule config property

* add subsystem support for redirect rewrite

* update deployment unit test

* add license headers

* Optimize rewrite method
2017-06-29 12:50:42 +02:00
Stian Thorgersen
5e225c2bd5 Merge pull request #4266 from CoreFiling/FullNameMapper
Fallback to using username in FullNameMapper
2017-06-29 07:28:42 +02:00
Stian Thorgersen
c9bc321d2a Merge pull request #4269 from stianst/dockerdockerdocker
KEYCLOAK-3592 Docker auth implementation
2017-06-29 07:23:47 +02:00
Stian Thorgersen
74fe9249d5 Merge pull request #4216 from machielg/master
KEYCLOAK-5026 Store credentials
2017-06-29 06:52:16 +02:00
Josh Cain
89fcddd605 KEYCLOAK-3592 Docker auth implementation 2017-06-29 06:37:34 +02:00
Stian Thorgersen
e964b156cc Merge pull request #4264 from stianst/KEYCLOAK-5074
KEYCLOAK-5074 Allow updating client secret through client registratio…
2017-06-28 11:40:04 +02:00
Jay Anslow
bdc9e8d2c3 Omit empty name claim in FullNameMapper
If a user has no first or last name, don't add the `name` claim.
2017-06-28 09:40:57 +01:00
Stian Thorgersen
ce4506f367 Merge pull request #4261 from hmlnarik/KEYCLOAK-4377-null
KEYCLOAK-4377
2017-06-28 08:21:20 +02:00
Stian Thorgersen
1220d7f898 KEYCLOAK-5074 Allow updating client secret through client registration service 2017-06-28 08:11:51 +02:00
Hynek Mlnarik
a3ccac2012 KEYCLOAK-4377 2017-06-27 14:34:47 +02:00
Stian Thorgersen
4be0e36306 Merge pull request #4208 from ASzc/KEYCLOAK-4758
KEYCLOAK-4758
2017-06-27 11:35:43 +02:00
Stian Thorgersen
56c5996aff Merge pull request #4259 from stianst/abstractj-KEYCLOAK-4444
KEYCLOAK-4444
2017-06-27 10:44:30 +02:00
Machiel Groeneveld
7849191ec7 Merge branch 'master' into master 2017-06-27 10:27:07 +02:00
Stian Thorgersen
06a318d7d5 KEYCLOAK-4444 Update for fine grained permissions 2017-06-27 08:38:51 +02:00
Bruno Oliveira
361ab1c988 [KEYCLOAK-4444] Allow sending test email 2017-06-27 08:38:36 +02:00
Stian Thorgersen
b4d39ca061 KEYCLOAK-4984 Don't update client registration access token on read 2017-06-27 08:29:03 +02:00
Léventé NAGY
1a50e77a4d Merge branch 'master' into feature/group-search-and-pagination 2017-06-26 20:36:36 +02:00
Bill Burke
bc05560d4d Merge remote-tracking branch 'upstream/master' 2017-06-26 11:41:12 -04:00
Bill Burke
28b3ef9aa9 admin console work 2017-06-26 11:40:32 -04:00
Bill Burke
22987bb90b Merge pull request #4250 from mposolda/RHSSO-1027
KEYCLOAK-5085 Easy fix to just handle the exception
2017-06-26 10:04:02 -04:00
Bill Burke
f1807aead4 impersonate 2017-06-25 11:28:37 -04:00
mposolda
756d996a4a KEYCLOAK-5085 RHSSO-1027 Fix to handle the exception thrown from alternative flow 2017-06-23 19:13:43 +02:00
Bill Burke
3ee86fedc7 Merge remote-tracking branch 'upstream/master' 2017-06-23 09:57:35 -04:00
Bill Burke
e7f781df5a fix 2017-06-23 09:57:25 -04:00
Hynek Mlnarik
8f9ed32a66 KEYCLOAK-5078 ConcurrencyTest fails intermittently
This commit fixes 401 Unauthorized issues
2017-06-23 15:16:23 +02:00
Bill Burke
39dea4b078 restricting admin role mapping 2017-06-22 16:51:46 -04:00
Léventé NAGY
41d8d17062 Merge branch 'master' into feature/group-search-and-pagination 2017-06-22 17:41:30 +02:00
Levente NAGY
124bf43a27 [KEYCLOAK-2538] - groups count for pagination 2017-06-22 17:32:38 +02:00
Stian Thorgersen
6f731dfee9 Merge pull request #4118 from skjolber/feature/KEYCLOAK-3056-verify-signature-2
Some adjustments for KEYCLOAK-3056 / PR #3893
2017-06-22 08:44:32 +02:00
Marek Posolda
ab7a0c2252 Merge pull request #4248 from mposolda/client-initial-access-db
KEYCLOAK-4631 Move ClientInitialAccessModel from userSession model to…
2017-06-22 06:27:25 +02:00
Bill Burke
d08ddade2e merge 2017-06-21 17:43:54 -04:00
Bill Burke
52e40922bc removal 2017-06-21 17:42:57 -04:00
Bill Burke
2b1613d36b Merge pull request #4064 from frelibert/KEYCLOAK-4781
KEYCLOAK-4781 Support for an AttributeStatement Mapper
2017-06-21 17:06:16 -04:00
Bill Burke
f1132ffabe Merge pull request #4175 from mrezai/fix-pkce-s256-code-challenge
KEYCLOAK-4956: Fix incorrect PKCE S256 code challenge generation
2017-06-21 17:04:31 -04:00
mposolda
fc61a4e89f KEYCLOAK-4631 Move ClientInitialAccessModel from userSession model to realm model 2017-06-21 22:14:20 +02:00
Marek Posolda
eae0360eb1 Merge pull request #4243 from mposolda/KEYCLOAK-3316
KEYCLOAK-3316 Fixes for OAuth2 requests without 'scope=openid'
2017-06-20 22:05:23 +02:00
Pedro Igor
93d57c7d00 Merge pull request #4236 from CoreFiling/js-policy-performance
[KEYCLOAK-5072] - Improve performance of JSPolicyProvider
2017-06-20 15:11:40 -03:00
mposolda
32cf8b7cad KEYCLOAK-3316 Fixes for OAuth2 requests without 'scope=openid' 2017-06-20 17:17:43 +02:00
mposolda
f363dbcad0 KEYCLOAK-4327 Switching language on User consent gives error 2017-06-20 09:21:41 +02:00
Bill Burke
57cb46148f tests 2017-06-19 11:21:59 -04:00
Jay Anslow
7614ff8c6f Extract EvaluatebleScriptAdapter
Precursor for InvocableScriptAdapter, which compiles/evaluates a script without affecting the engine's bindings. This allows the same script to be compiled once and then evaluated multiple times (with the same ScriptEngine).
2017-06-19 15:32:14 +01:00
Bill Burke
a994af9010 remove scope 2017-06-16 11:26:43 -04:00
Pedro Igor
93105a2182 [KEYCLOAK-5056] - @NoCache to scope admin api 2017-06-15 09:49:20 -03:00
Martin Hardselius
60942346f3 KEYCLOAK-4924: pairwise clients get duplicate subs in tokens 2017-06-14 10:47:40 +02:00
Hynek Mlnarik
a0f3a6469f KEYCLOAK-4189 - Cross DC testing 2017-06-12 11:14:28 +02:00
Pedro Igor
f12cef2c86 [KEYCLOAK-4904] - Authorization Audit - Part 1 2017-06-09 13:31:06 -03:00
Machiel Keizer-Groeneveld
80f8815b9a KEYCLOAK-5026 Store credentials
Credentials are stored with user creation if they are present in the UserRepresentation.
2017-06-09 09:32:33 +02:00
Bill Burke
94528976d4 console work 2017-06-07 16:29:43 -04:00
Levente NAGY
f377a45c4e [KEYCLOAK-2538] - groups count for pagination limits 2017-06-07 20:52:22 +02:00
Levente NAGY
c4da7637d6 [KEYCLOAK-2538] - groups pagination and group search 2017-06-06 18:32:48 +02:00
Bill Burke
536a57a514 ui for permission reference 2017-06-05 19:52:51 -04:00
Alex Szczuczko
5d88c2b8be KEYCLOAK-4758 Update Encode class using latest resteasy. Use encodeQueryParamAsIs instead of encodeQueryParam when encoding key=value pairs for URI query sections. Also fix a few callers who were relying on the bad behaviour of queryParam. 2017-06-05 16:24:38 -06:00
Pedro Igor
9be9e30ad6 Merge pull request #4206 from pedroigor/KEYCLOAK-4983
[KEYCLOAK-4983] - Authz settings export of role base policy generates json where are just role-names
2017-06-05 16:19:58 -03:00
Pedro Igor
23887f4031 Fixing tests and more client policy tests 2017-06-05 11:26:33 -03:00
Pedro Igor
3760f2753b [KEYCLOAK-4983] - Authz settings export of role base policy generates json where are just role-names 2017-06-02 20:09:33 -03:00
Pedro Igor
d0f505455d [KEYCLOAK-4991] - Allow clients to limit the number of permission in a RPT when using entitlements 2017-06-02 19:06:40 -03:00
Bill Burke
a41d282e92 client permission tests 2017-06-02 15:49:20 -04:00
Pedro Igor
813af5d757 [KEYCLOAK-4992] - Using query parameter metadata for GET requests 2017-06-02 16:13:04 -03:00
Thomas Skjølberg
241c58dd61 Add unit tests related to signatures, check that a signature is present when want assertion signing. 2017-06-02 15:36:52 +02:00
Bill Burke
b9f7a43a72 group permissions 2017-06-01 20:16:35 -04:00
Pedro Igor
dcd1a68d95 [KEYCLOAK-4992] - Allow clients to exclude resource_set_name from RPT 2017-05-31 19:33:34 -03:00
Pedro Igor
c4a0470a37 [KEYCLOAK-4987] - Remove async support from AuthZ Token Endpoints 2017-05-30 12:48:18 -03:00
Stian Thorgersen
a6e4245185 Merge pull request #4194 from stianst/KEYCLOAK-4888
KEYCLOAK-4888
2017-05-30 14:49:22 +02:00
Stian Thorgersen
8c53c5a90e KEYCLOAK-4888
Change default hashing provider for realm
2017-05-30 09:54:05 +02:00
Thomas Darimont
7d0b461683 KEYCLOAK-4975 Use authenticationSession binding name in ScriptBasedAuthenticator
We now use authenticationSession instead of clientSession to reflect
the renaming of ClientSessionModel to AuthenticationSessionModel.

Note that this is a breaking change which needs to be mentioned in
the upgrade notes!
2017-05-29 18:14:02 +02:00
Bill Burke
c3ea847b3e auth changes 2017-05-29 09:53:17 -04:00
mposolda
5560175888 KEYCLOAK-4626 Changed javadoc. Remove unused ClientSessionModel class 2017-05-25 18:51:05 +02:00
Pedro Igor
81f1a5b145 Merge pull request #4183 from pedroigor/stan-ui-fixes
[KEYCLOAK-4915] - Fixes to evaluation tool UI
2017-05-24 09:32:42 -03:00
mposolda
2b59db71a8 KEYCLOAK-3316 Remove the IDToken if scope=openid is not used 2017-05-24 09:23:14 +02:00
Pedro Igor
829bcf5eaf Fix to evaluation tool 2017-05-23 17:50:06 -03:00
Pedro Igor
554e692d8f Merge pull request #4171 from pedroigor/KEYCLOAK-4913
[KEYCLOAK-4913] - Caching more query methods
2017-05-23 17:40:51 -03:00
Stian Thorgersen
c442bcd8d3 Merge pull request #4174 from stianst/KEYCLOAK-4889
KEYCLOAK-4889
2017-05-23 14:26:15 +02:00
Stian Thorgersen
1b6405a28f Merge pull request #4173 from hmlnarik/KEYCLOAK-4941
KEYCLOAK-4941
2017-05-23 14:00:43 +02:00
Stian Thorgersen
ef29097679 Merge pull request #4172 from hmlnarik/KEYCLOAK-4813-Destination-Validation-should-ignore-whether-default-port-is-explicitly-specified
KEYCLOAK-4813 Destination validation counts on port being not specified
2017-05-23 13:59:36 +02:00
Mohammad Rezai
acd78ee407 KEYCLOAK-4956: Fix incorrect PKCE S256 code challenge generation 2017-05-23 16:15:44 +04:30
Stian Thorgersen
130452f6c3 Merge pull request #4085 from mstruk/RHSSO-402
RHSSO-402 need a way to dump configuration (including ldap provider config) to a file
2017-05-23 13:29:32 +02:00
Stian Thorgersen
097a2267f5 KEYCLOAK-4889
Improve error messages for password policies
2017-05-23 13:18:06 +02:00
Hynek Mlnarik
f47283f61a KEYCLOAK-4813 Destination validation counts on port being not specified 2017-05-23 12:52:48 +02:00
Hynek Mlnarik
03b1dff1bd KEYCLOAK-4941 2017-05-23 11:15:51 +02:00
mposolda
8adde64e2c KEYCLOAK-4016 Provide a Link to go Back to The Application on a Timeout 2017-05-23 09:08:58 +02:00
Pedro Igor
37a98fba20 [KEYCLOAK-4913] - Caching more query methods 2017-05-22 19:08:24 -03:00
Pedro Igor
62ffab7239 Exporting a client is updating policy config 2017-05-19 19:45:47 -03:00
Bill Burke
ab763e7c5b fixes after merge 2017-05-19 15:54:36 -04:00
Bill Burke
f114895cd2 for merge 2017-05-19 11:29:26 -04:00
Bill Burke
2cac8b1bb7 KEYCLOAK-4929 2017-05-18 16:53:31 -04:00
Bill Burke
c291748f43 KEYCLOAK-4929 2017-05-18 16:48:04 -04:00
Marko Strukelj
7d0ca42c6c RHSSO-402 need a way to dump configuration (including ldap provider config) to a file 2017-05-15 12:13:58 +02:00
Bill Burke
954ef99f22 Merge remote-tracking branch 'upstream/master' 2017-05-12 10:10:29 -04:00
mposolda
7d8796e614 KEYCLOAK-4626 Support for sticky sessions with AUTH_SESSION_ID cookie. Clustering tests with embedded undertow. Last fixes. 2017-05-11 22:24:07 +02:00
Hynek Mlnarik
b8262a9f02 KEYCLOAK-4628 Single-use cache + its functionality incorporated into reset password token. Utilize single-use cache for relevant actions in execute-actions token 2017-05-11 22:16:26 +02:00
mposolda
db8b733610 KEYCLOAK-4626 Fix TrustStoreEmailTest and PolicyEvaluationCompositeRoleTest. Distribution update 2017-05-11 22:16:26 +02:00
Hynek Mlnarik
c431cc1b01 KEYCLOAK-4627 IdP email account verification + code cleanup. Fix for concurrent access to auth session notes 2017-05-11 22:16:26 +02:00
mposolda
168153c6e7 KEYCLOAK-4626 Authentication sessions - SAML, offline tokens, broker logout and other fixes 2017-05-11 22:16:26 +02:00
Hynek Mlnarik
47aaa5a636 KEYCLOAK-4627 reset credentials and admin e-mails use action tokens. E-mail verification via action tokens. 2017-05-11 22:16:26 +02:00
mposolda
e7272dc05a KEYCLOAK-4626 AuthenticationSessions - brokering works. Few other fixes and tests added 2017-05-11 22:16:26 +02:00
Hynek Mlnarik
b55b089355 KEYCLOAK-4627 Changes in TokenVerifier to include token in exceptions. Reset credentials uses checks to validate individual token aspects 2017-05-11 22:16:26 +02:00
mposolda
a9ec69e424 KEYCLOAK-4626: AuthenticationSessions - working login, registration, resetPassword flows 2017-05-11 22:16:26 +02:00
Hynek Mlnarik
19a41c8704 KEYCLOAK-4627 Refactor TokenVerifier to support more than just access token checks. Action tokens implementation with reset e-mail action converted to AT 2017-05-11 22:16:26 +02:00
mposolda
83b29c5080 KEYCLOAK-4626 AuthenticationSessions: start 2017-05-11 22:16:26 +02:00
mposolda
e4aba9e471 KEYCLOAK-4829 Access token from offline token falsely reported as inactive by token introspection 2017-05-11 21:17:04 +02:00
Stian Thorgersen
c3a2b3a6b6 KEYCLOAK-4523 PBKDF2WithHmacSHA256 and PBKDF2WithHmacSHA512 providers 2017-05-11 11:58:22 +02:00
Bill Burke
46ec12c41c fixes 2017-05-10 14:19:10 -04:00
Bill Burke
a8a8ea4bcd Merge remote-tracking branch 'upstream/master' 2017-05-08 13:49:03 -04:00
Bill Burke
f760427c5c fine grain tests 2017-05-08 13:48:51 -04:00
Johannes Knutsen
47a8077426 KEYCLOAK-4862: Expose client description in ClientBean 2017-05-05 15:06:21 +02:00
Bill Burke
e1b6ba13cc Merge pull request #3893 from anderius/feature/KEYCLOAK-3056-verify-signature
[WIP] Saml broker: Added wantAssertionsSigned and wantAssertionsEncrypted
2017-05-05 09:04:41 -04:00
Stian Thorgersen
8da766e02e Merge pull request #4104 from sjvs/master
Fix three lgtm.com alerts: two possible NPEs, one possible int overflow
2017-05-05 13:13:02 +02:00
Marc Heide
d5c643eaf9 KEYCLOAK-4521: consider offline sessions if no active user session was found for user info endpoint 2017-05-04 15:25:09 +02:00
Bill Burke
c3b44e61d4 Merge remote-tracking branch 'upstream/master' 2017-05-01 14:51:07 -04:00
Bas van Schaik
2df1175315 Fix lgtm.com alert: potential NPE due to non-short circuit logic
The logical-AND operator '&&' evaluates its operands in order, which is
what is required here. The bitwise-AND operator '&' always evaluates all
operands, which will in some cases result in a NPE in the second
operand.

Details:
https://lgtm.com/projects/g/keycloak/keycloak/snapshot/dist-7900299-1490802114895/files/services/src/main/java/org/keycloak/services/resources/admin/RealmAdminResource.java#V543
2017-04-28 14:51:51 +01:00
Eriksson Fabian
ca1152c3e5 KEYCLOAK-4204 Extend brute force protection with permanent lockout on failed attempts
- Can still use temporary brute force protection.
- After X-1 failed login attempt, if the user successfully logs in his/her fail login count is reset.
2017-04-28 09:02:10 +02:00
Stian Thorgersen
87dedb56e5 Set version to 3.2.0.CR1-SNAPSHOT 2017-04-27 14:23:03 +02:00
Bill Burke
c7bdb489ee Merge remote-tracking branch 'upstream/master' 2017-04-26 18:57:56 -04:00
Pedro Igor
0cad34abbe Merge pull request #4087 from pedroigor/master
Checking realm role directly
2017-04-26 16:51:14 -03:00
Bill Burke
2276f99d54 Merge remote-tracking branch 'upstream/master' 2017-04-26 14:39:45 -04:00
Bill Burke
f67013bcb6 fix 2017-04-26 14:39:41 -04:00
Pedro Igor
4e43518b2a Checking realm role directly 2017-04-26 15:39:37 -03:00
Johannes Knutsen
0809033924 KEYCLOAK-4780 Ensure Base64 encoded HMAC secret key is decoded before use 2017-04-26 16:04:44 +02:00
Stian Thorgersen
2913ee8e23 Merge pull request #4081 from stianst/KEYCLOAK-4785
KEYCLOAK-4785 Use realm name when creating admin console base url
2017-04-26 13:12:31 +02:00
Stian Thorgersen
f68b28db20 KEYCLOAK-4785 Use realm name when creating admin console base url 2017-04-26 12:39:56 +02:00
Pedro Igor
79c9078caa [KEYCLOAK-4792] - Client credentials provider support and making easier to obtain authz client 2017-04-25 14:51:45 -03:00
Stian Thorgersen
84f5df4814 Merge pull request #4070 from stianst/KEYCLOAK-4671
KEYCLOAK-4671 Add server-private-spi to dependency deployer
2017-04-25 10:36:22 +02:00
Stian Thorgersen
54ee055bd8 KEYCLOAK-4671 Add server-private-spi to dependency deployer 2017-04-25 10:16:24 +02:00
Hynek Mlnarik
e8a65017fa KEYCLOAK-4779 Fix NPE 2017-04-24 23:09:27 +02:00
Bill Burke
12cb295a35 Merge remote-tracking branch 'upstream/master' 2017-04-24 10:05:46 -04:00
Bill Burke
58868ca99f prototype 2017-04-24 10:05:39 -04:00
Frederik Libert
b84f6d306d KEYCLOAK-4781 Support for an AttributeStatement Mapper 2017-04-24 11:29:55 +02:00
Stian Thorgersen
f92ad70ff0 KEYCLOAK-4774 redirect_fragment doesn't work in Admin Console 2017-04-21 14:03:05 +02:00
Pedro Igor
df163d86e8 Merge pull request #4052 from pedroigor/KEYCLOAK-4754
[KEYCLOAK-4754] - Unable to delete realm when using aggregated policies
2017-04-20 13:23:09 -03:00
Pedro Igor
bf69bc94bb [KEYCLOAK-4754] - Unable to delete realm when using aggregated policies 2017-04-20 12:10:52 -03:00
Stian Thorgersen
2a8b2aabb9 Merge pull request #4049 from stianst/KEYCLOAK-4738
KEYCLOAK-4738 Make sure script engine always uses correct classloader
2017-04-20 10:02:23 +02:00
Stian Thorgersen
1d03eb5f2b Merge pull request #4045 from stianst/KEYCLOAK-4737
KEYCLOAK-4737 Admin Console redirect loop when hostname contains console
2017-04-20 09:29:41 +02:00
Stian Thorgersen
4da07474fa KEYCLOAK-4738 Make sure script engine always uses correct classloader 2017-04-20 09:28:46 +02:00
Stian Thorgersen
8919015f74 KEYCLOAK-4287 Remove deprecated session iframe endpoint 2017-04-19 15:01:15 +02:00
Stian Thorgersen
0a0d2174e4 KEYCLOAK-4737 Admin Console redirect loop when hostname contains console 2017-04-19 14:43:56 +02:00
Pedro Igor
8e877a7f6c [KEYCLOAK-3135] - More tests 2017-04-12 14:34:27 -03:00
Pedro Igor
eec712a259 [KEYCLOAK-3135] - Role and user policies apis 2017-04-12 00:52:14 -03:00
Pedro Igor
54ebc1918c [KEYCLOAK-3135] - Using abstract policy representation when creating policies and updating tests 2017-04-12 00:52:13 -03:00
Pedro Igor
d60dcb4c62 [KEYCLOAK-3135] - Some more tests and making policy type rest api more generic 2017-04-12 00:52:13 -03:00
Pedro Igor
8e64bc3e4d Tests for new permission management rest api 2017-04-12 00:52:13 -03:00
Pedro Igor
0b8fc3d6e1 [KEYCLOAK-3135] - Fixing permission test 2017-04-12 00:52:13 -03:00
Pedro Igor
55f747ecd0 [KEYCLOAK-3135] - Part 1: Permission Management API 2017-04-12 00:52:13 -03:00
Bill Burke
9452d37926 Merge remote-tracking branch 'upstream/master' 2017-04-06 18:33:50 -04:00
Bill Burke
2e284bdd9b fix protocol mappers 2017-04-06 18:33:06 -04:00
Bill Burke
54cd41c955 Revert "KEYCLOAK-4727 KEYCLOAK-4652 - Fixing protocol mappers when evaluating policies using the tool" 2017-04-06 18:24:31 -04:00
Pedro Igor
6a959b32fc KEYCLOAK-4727 KEYCLOAK-4652 - Fixing protocol mappers when evaluating policies using the tool 2017-04-06 18:43:54 -03:00
Bill Burke
3ce0c57e17 Merge pull request #3831 from Hitachi/master
KEYCLOAK-2604 Proof Key for Code Exchange by OAuth Public Clients
2017-04-06 15:36:08 -04:00
Bill Burke
0fd11d16ee Merge pull request #3983 from bartoszmajsak/oso_typo_fix
Fixes misspelled config class in Openshift provider
2017-04-06 15:29:44 -04:00
Bill Burke
6ca5b7de03 Merge pull request #3998 from cainj13/fixNullProtocols
Fix null protocols for default clients
2017-04-06 15:29:21 -04:00
Bill Burke
13afc0147e close user/client session later 2017-04-06 15:07:40 -04:00
Bill Burke
201d2c6aac Merge remote-tracking branch 'upstream/master' 2017-04-06 10:44:43 -04:00
Bill Burke
31074c3c8d KEYCLOAK-4727 KEYCLOAK-4652 2017-04-06 10:44:33 -04:00
Stian Thorgersen
af4c74f1d9 Merge pull request #3718 from thomasdarimont/issue/KEYCLOAK-4163-improve-support-for-email-addresses
KEYCLOAK-4163 Improve support for e-mail addresses
2017-04-06 15:34:30 +02:00
Stian Thorgersen
6201257f76 KEYCLOAK-4549 [RH-SSO] EAP 7.1.0 Alpha16 2017-04-05 11:55:21 +02:00
Josh Cain
0482ec40fd Fix null protocols in default realm applications 2017-03-31 16:13:38 -05:00
Pedro Igor
838a045239 [KEYCLOAK-4650] - Adding scope filter and fixing cancel buttons 2017-03-29 12:59:41 -03:00
Takashi Norimatsu
ef3aef9381 Merge branch 'master' into master 2017-03-28 16:21:40 +09:00
Stian Thorgersen
6b21b4d87b KEYCLOAK-4657 Sort out REST API for prod profile 2017-03-27 20:50:13 +02:00
Bartosz Majsak
0197600565 Fixes misspelled config class 2017-03-27 09:38:47 +02:00
Bill Burke
71f0c01d4f Merge pull request #3980 from patriot1burke/master
KEYCLOAK-4664 KEYCLOAK-4665
2017-03-25 20:12:22 -04:00
Bill Burke
8c2e756732 fix 2017-03-25 19:21:50 -04:00
Bill Burke
d8e98d1de6 KEYCLOAK-4665 2017-03-25 12:47:32 -04:00
Bill Burke
dd8a64f30c KEYCLOAK-4664 2017-03-25 11:21:11 -04:00
Bartosz Majsak
63e8e7f842 Alings SimpleHttp API with new version 2017-03-23 13:51:14 +01:00
Bartosz Majsak
210143738e Merge branch 'master' into oso_provider 2017-03-23 13:45:07 +01:00
Peter Nalyvayko
b2f10359c8 KEYCLOAK-4335: x509 client certificate authentication
Started on implementing cert thumbprint validation as a part of x509 auth flow. Added a prompt screen to give users a choice to either log in based on the identity extracted from X509 cert or to continue with normal browser login flow authentication; clean up some of the comments

x509 authentication for browser and direct grant flows. Implemented certificate to user mapping based on user attribute

Implemented CRL and OCSP certificate revocation checking and added corresponding configuration settings to set up responderURI (OCSP), a location of a file containing X509CRL entries and switiches to enable/disable revocation checking; reworked the certificate validation; removed superflous logging; changed the certificate authentication prompt page to automatically log in the user after 10 seconds if no response from user is received

Support for loading CRL from LDAP directory; finished the CRL checking using the distribution points in the certificate; updated the instructions how to add X509 authentication to keycloak authentication flows; minor styling changes

Stashing x509 unit test related changes; added the steps to configure mutual SSL in WildFly to the summary document

A minor fix to throw a security exception when unable to check cert revocation status using OCSP; continue working on README

Changes to the formating of the readme

Added a list of features to readme

Fixed a potential bug in X509 cert user authenticator that may cause NPE if the client certificate does not define keyusage or extended key usage extensions

Fixed compile time errors in X509 validators caused by the changes to the user credentials model in upstream master

Removed a superfluous file created when merging x509 and main branches

X509 authentication: removed the PKIX path validation as superflous

Reverted changes to the AbstractAttributeMapper introduced during merging of x509 branch into main

Merge the unit tests from x509 branch

added mockito dependency to services project; changes to the x509 authenticators to expose methods in order to support unit tests; added a default ctor to CertificateValidator class to support unit testing; updated the direct grant and browser x509 authenticators to report consistent status messages; unit tests to validate X509 direct grant and browser authenticators; fixed OCSP validation to throw an exception if the certificate chain contains a single certificate; fixed the CRL revocation validation to only use CRL distribution point validation only if configured

CRL and OSCP mock tests using mock netty server. Changed the certificate validator to better support unit testing.

changes to the mockserver dependency to explicitly exclude xercesImpl that was causing SAMLParsingTest to fail

Added a utility class to build v3 certificates with optional extensions to facilitate X509 unit testing; removed supoerfluous certificate date validity check (undertow should be checking the certificate dates during PKIX path validation anyway)

X509: changes to make configuring the user identity extraction simplier for users - new identity sources to map certificate CN and email (E) attributes from X500 subject and issuer names directly rather than using regular expressions to parse them

X509 fixed a compile error caused by the changes to the user model in master

Integration tests to validate X509 client certificate authentication

Minor tweaks to X509 client auth related integration tests

CRLs to support x509 client cert auth integration tests

X509: reverted the changes to testrealm.json and updated the test to configure the realm at runtime

X509 - changes to the testsuite project configuration to specify a path to a trust store used to test x509 direct grant flow; integration tests to validate x509 authentication in browser and direct grant flows; updated the client certificate to extend its validatity dates; x509 integration tests and authenticators have been refactored to use a common configuration class

X509 separated the browser and direct grant x509 authenction integration tests

x509 updated the authenticator provider test to remove no longer supported cert thumbprint authenticator

x509 removed the dependency on mockito

x509 re-implemented OCSP certificate revocation client used to check revocation status when logging in with x509 certificate to work around the dependency on Sun OCSP implementation; integration tests to verify OCSP revocation requests

index.txt.attr is needed by openssl to run a simple OCSP server

x509: minor grammar fixes

Add OCSP stub responder to integration tests

This commit adds OCSP stub responder needed for the integration tests,
and eliminates the need to run external OCSP responder in order to run
the OCSP in X509OCSPResponderTest.

Replace printStackTrece with logging

This commit replaces call to printStackTrace that will end up going to
the stderr with logging statement of WARN severity.

Remove unused imports

Removed unused imports in
org.keycloak.authentication.authenticators.x509 package.

Parameterized Hashtable variable

Removed unused CertificateFactory variable

Declared serialVersionUID for Serializable class

Removed unused CertificateBuilder class

The CertificateBuilder was not used anywhere in the code, removing it to
prevent technical debt.

Removing unused variable declaration

`response` variable is not used in the test, removed it.

Made sure InputStreams are closed

Even though the InputStreams are memory based, added try-with-resources
to make sure that they are closed.

Removed deprecated usage of URLEncoder

Replaced invocation of deprecated method from URLEncoder with Encode
from Keycloak util package.

Made it more clear how to control OCSP stub responder in the tests

X509 Certificate user authentication: moved the integration unit tests into their own directory to fix a failing travis test job

KEYCLOAK-4335: reduced the logging level; added the instructions how to run X.509 related tests to HOW-TO-RUN.md doc; removed README.md from x509 folder; removed no longer used ocsp profile and fixed the exclusion filter; refactored the x509 base test class that was broken by the recent changes to the integration tests

KEYCLOAK-4335: fixed a few issues after rebasing
2017-03-17 05:24:57 -04:00
Stian Thorgersen
a87ee04024 Bump to 3.1.0.CR1-SNAPSHOT 2017-03-16 14:21:40 +01:00
Bartosz Majsak
a250f08b6c Removes trailing slash from the base url 2017-03-15 22:27:24 +01:00
Stian Thorgersen
feeac69197 Merge pull request #3888 from daklassen/KEYCLOAK-4421
KEYCLOAK-4421 Change any http maven urls to https to reduce build-time MITM vulnerability
2017-03-15 09:54:21 +01:00
Stian Thorgersen
2aa93d7d55 Merge pull request #3924 from daklassen/KEYCLOAK-2486
KEYCLOAK-2486: Update SimpleHTTP to use Apache HTTP Client
2017-03-15 09:50:06 +01:00
Thomas Darimont
b782892769 KEYCLOAK-4163 Improve support for e-mail addresses
Added support for user friendly email addresses as well as dedicated
reply-to addresses for emails being sent by Keycloak.
Both can be customized via the email settings per realm in
the admin-console.
User friendly email addresses use the format:
"Friendly Name"<email@example.org> and provide way to add a meaning
full name to an e-mail address.

We also allow to specify an optional envelope from bounce address.
If a mail sent to a user could not be delivered the email-provider
will sent a notification to that address.

See: https://en.wikipedia.org/wiki/Bounce_address

Add test for proper email headers in sent messages
2017-03-14 18:22:54 +01:00
Bill Burke
6d51862057 Merge pull request #3897 from anderius/feature/KEYCLOAK-4504-redirect-logout
[WIP] Saml broker: Option to specify logout request binding
2017-03-14 11:32:26 -04:00
David Klassen
32d3f760ec KEYCLOAK-4421: Change http url to https
Change any http maven urls to https to reduce build-time MITM vulnerability
2017-03-14 10:18:40 +01:00
Pedro Igor
9d1d22565c Merge pull request #3938 from pedroigor/authz-fixes
AuthZ Services Fixes
2017-03-13 15:20:41 -03:00
Pedro Igor
e7e6314146 [KEYCLOAK-4555] - Fixes and improvements to evaluation code 2017-03-13 14:08:54 -03:00
Alexey Kazakov
063f5303dd KEYCLOAK-4568 Identity broker service may fail to validate client session if there is more then one active session 2017-03-11 12:59:25 -08:00
Mark Pardijs
c78c0b73d3 KEYCLOAK-4360: Add OneTimeUse condition to SAMLResponse
Add OneTimeUse Condition to SAMLResponse when configured in client settings
2017-03-09 13:01:05 +01:00
David Klassen
7029ef80f8 KEYCLOAK-2486: Update SimpleHTTP to use Apache HTTP Client
Update SimpleHTTP to use Apache HTTP client under the covers.
2017-03-09 09:23:09 +01:00
Thomas Darimont
1dea38bdbb KEYCLOAK-4205 Allow to return json arrays in Client and Realm Role Mappers
Previously the ClientRoleMapper and RealmRoleMapper returned
roles as a comma delimited String in OIDC tokens which
needed to be parsed by client applications.
We now support to generate the role information as JSON
arrays by setting "multi valued" to "true" in the
client role mapper or realm role mappers respectively
which makes it easier for clients to consume.

The default setting for "multi valued" is "false" to
remain backwards compatible.

An example AccessToken that shows the two modes can be found here:
https://gist.github.com/thomasdarimont/dff0cd691cd6e0b5e33c2eb4c76ae5e8
2017-03-08 20:56:56 +01:00
Bill Burke
efffcc5f41 Merge pull request #3915 from TeliaSoneraNorge/KEYCLOAK-4524
KEYCLOAK-4524
2017-03-08 10:08:04 -05:00
Bill Burke
c6dc59f63e Merge remote-tracking branch 'upstream/master' 2017-03-03 11:00:32 -05:00
Martin Hardselius
a0a85f62c6 KEYCLOAK-4524 possible to add identity prover mappers with same name into single identity provider
- unique name enforcement working
- test added
2017-03-03 16:40:49 +01:00
Bill Burke
3bb29e033b KEYCLOAK-4501, KEYCLOAK-4511, KEYCLOAK-4513 2017-03-03 09:48:52 -05:00
Bartosz Majsak
1a6bb2fedb Adds Openshift Identity Provider as part of social brokers 2017-03-02 15:14:57 +01:00
Marek Posolda
cfb8d25ff2 Merge pull request #3900 from KillerDiller/wellknownprovider-four-oh-four
KEYCLOAK-4519: Avoid NPE for unknown paths under .../.well-known/.
2017-03-02 12:22:35 +01:00
Marek Posolda
4f4ae44a16 Merge pull request #3896 from thomasdarimont/issue/KEYCLOAK-4505-expose-clientSession-binding-to-ScriptBasedAuthenticator
KEYCLOAK-4505 Expose current clientSession binding to ScriptBasedAuthenticator
2017-03-01 12:17:29 +01:00
mposolda
091b376624 KEYCLOAK-1590 Realm import per test class 2017-03-01 09:38:44 +01:00
Anders Båtstrand
8d82390843 KEYCLOAK-4504 New configuration option for SAML Broker:
* postBindingLogout: Indicates if POST or redirect should be used for the logout requests.

This applies to both IdP-initiated logout, and Keycloak-initiated logout. If unset (for example when upgrading Keycloak), the setting is initially set to the same as postBindingResponse.

The flag is also set when importing IdP metadata.
2017-02-28 12:08:22 +01:00
Bill Burke
0765b01189 Merge remote-tracking branch 'upstream/master' 2017-02-27 18:46:09 -05:00
Bill Burke
b4f625e1ce KEYCLOAK-4501 2017-02-27 18:46:00 -05:00
Stefan Paletta
bcbde3fdf0 Avoid NPE for unknown paths under .../.well-known/. 2017-02-27 02:42:02 +01:00
Anders Båtstrand
89c6cda2ac Two new configuration options for the Saml broker:
* wantAssertionsSigned: This will toggle the flag in the SP Metadata Descriptor, and validate the signature if and only if "Validate signature" is selected.
 * wantAssertionsEncrypted: This will simply require that the assertion is encrypted.

 Default behavior is unchanged. The signature validation uses the original XML, and supports therefore an IdP that adds whitespace and line breaks between tags (for example OpenAM).
2017-02-24 15:08:57 +01:00
Thomas Darimont
18a8ed3e95 KEYCLOAK-4505 Expose current clientSession binding to ScriptBasedAuthenticator.
Previously the ScriptBasedAuthenticator did not expose the current
clientSession from the AuthenticationFlowContext.
In order to implement client specific authentications with javascript
one needs information about the current client.
2017-02-24 14:01:10 +01:00
Stian Thorgersen
e2b1c97e26 KEYCLOAK-943 Added initial implementation for update profile 2017-02-24 13:19:29 +01:00
Stian Thorgersen
faf0e98665 Merge pull request #3736 from guusdk/api-documentation
Improving the generated REST API documentation
2017-02-20 15:30:32 +01:00
Stian Thorgersen
3653d7ed9a Merge pull request #3762 from sldab/hide-providers
KEYCLOAK-4224 Allow hiding identity providers on login page
2017-02-17 12:04:35 +01:00
Bill Burke
c3e72b11db KEYCLOAK-4382 2017-02-13 10:51:10 -05:00
Bill Burke
d9633dc20c Merge remote-tracking branch 'upstream/master' 2017-02-09 09:13:00 -05:00
Stian Thorgersen
44180a68e6 Merge pull request #3845 from frelibert/KEYCLOAK-4378
KEYCLOAK-4378 New user attribute is not added after first login from …
2017-02-09 10:02:09 +01:00
Bill Burke
cf5e2a1d20 unlink/remoteimported 2017-02-08 19:48:22 -05:00
Frederik Libert
f3a552ac9d KEYCLOAK-4378 New user attribute is not added after first login from broker 2017-02-07 15:37:16 +01:00
mposolda
8a16ab52a9 KEYCLOAK-4371 Offline Tokens still useless When SSO Session Max is Reached and normal userSession expired 2017-02-03 11:55:58 +01:00
Takashi Norimatsu
88bfa563df KEYCLOAK-2604 Proof Key for Code Exchange by OAuth Public Clients - RFC
7636 - Server Side Implementation
2017-02-03 10:38:54 +09:00
Bill Burke
1d04d56bdb Merge pull request #3816 from patriot1burke/master
KEYCLOAK-4218
2017-02-01 08:55:10 -05:00
Bill Burke
0d308e2b69 KEYCLOAK-4218 2017-01-31 15:15:49 -05:00
Pedro Igor
57c74e3f39 [KEYCLOAK-4341] - Resources are not properly exported when exporting authorization settings 2017-01-31 13:10:25 -02:00
Stian Thorgersen
6f22f88d85 Bump version to 3.0.0.CR1 2017-01-26 06:18:11 +01:00
Stian Thorgersen
d1e491d57d KEYCLOAK-4286 Add deprecated support for old keycloak.js 2017-01-25 15:59:43 +01:00
mposolda
2de2df3a41 KEYCLOAK-4282 Fix authorization import in DirImportProvider 2017-01-24 21:57:35 +01:00
mposolda
194a63cc71 KEYCLOAK-4282 Import authorization after users are imported 2017-01-24 17:32:34 +01:00
Stian Thorgersen
94ffeda62a Merge pull request #3773 from hmlnarik/KEYCLOAK-4181-SAML-Response-without-any-assertion-leads-to-an-exception
KEYCLOAK-4181 Fix handling of SAML error code in broker
2017-01-24 10:33:05 +01:00
Marek Posolda
29c0fe564c Merge pull request #3752 from mposolda/master
KEYCLOAK-4024 Migration of old offline tokens
2017-01-23 16:25:35 +01:00
Stian Thorgersen
15d0a116ac Merge pull request #3769 from hmlnarik/KEYCLOAK-4167-Unable-to-validate-access-token-for-OIDC-External-IDP-using-configured-public-key
KEYCLOAK-4167 Always use preset key for verification if key ID not set
2017-01-23 13:59:35 +01:00
Hynek Mlnarik
5da491c270 KEYCLOAK-4181 Fix handling of SAML error code in broker 2017-01-19 16:30:06 +01:00
Hynek Mlnarik
f289b281a0 KEYCLOAK-4262 2017-01-19 16:00:03 +01:00
Stian Thorgersen
536b88790e Merge pull request #3757 from mstruk/KEYCLOAK-4150
KEYCLOAK-4150 Unresolved variable ${cliane_security-admin-console} in admin web client
2017-01-19 13:55:36 +01:00
Bill Burke
73d3e8afd9 Merge pull request #3770 from patriot1burke/master
KEYCLOAK-4077
2017-01-19 07:35:10 -05:00
Hynek Mlnarik
df4f1e7129 KEYCLOAK-4167 Always use preset key for verification if key ID not set 2017-01-18 10:29:06 +01:00
Stian Thorgersen
5a0504b5d9 Merge pull request #3753 from hmlnarik/KEYCLOAK-4216-mod-auth-mellon-logout-failed-when-using-SSO
KEYCLOAK-4216 Fix NPE and logout binding choice
2017-01-18 08:40:02 +01:00
Stian Thorgersen
e364680792 Merge pull request #3721 from hmlnarik/KEYCLOAK-3399-End-session-endpoint-returns-error-when-keycloak-session-is-expired
KEYCLOAK-3399 Ignore user session expiration on OIDC logout
2017-01-18 08:38:53 +01:00
mposolda
843b4b470b KEYCLOAK-2333 LDAP/MSAD password policies are not used when user changes password 2017-01-17 21:06:09 +01:00
Bill Burke
dcf6da2a51 KEYCLOAK-4077 2017-01-17 09:20:44 -05:00
Slawomir Dabek
9bb65ba9b7 KEYCLOAK-4224 Allow hiding identity providers on login page 2017-01-17 14:32:59 +01:00
Stian Thorgersen
1913f801b9 Merge pull request #3739 from hmlnarik/KEYCLOAK-2847-Unexpected-error-when-trying-to-update-clientTemplate-to-already-existing-name
KEYCLOAK-2847 Fix for client template duplicate name
2017-01-16 09:45:39 +01:00
Stian Thorgersen
5842f7c837 Merge pull request #3751 from stianst/KEYCLOAK-4192
KEYCLOAK-4192 Added missing produces annotations for update methods
2017-01-16 09:41:29 +01:00
Stian Thorgersen
178625d3f2 Merge pull request #3745 from velias/master
KEYCLOAK-4202 - Attribute importer of Social Identity providers doesn't handle JSON 'null' values correctly
2017-01-16 08:22:04 +01:00
Marko Strukelj
d68f6bbc42 KEYCLOAK-4150 Unresolved variable ${cliane_security-admin-console} in admin web client 2017-01-13 17:48:21 +01:00
Bill Burke
ffb688b393 Merge remote-tracking branch 'upstream/master' 2017-01-13 11:45:55 -05:00
Bill Burke
6aee6b0c46 KEYCLOAK-4220 2017-01-13 11:45:48 -05:00
Hynek Mlnarik
02eda8943c KEYCLOAK-4216 Fix NPE and logout binding choice 2017-01-13 14:30:32 +01:00
mposolda
9ad14d991c KEYCLOAK-4140 Migration of old offline tokens 2017-01-13 11:35:19 +01:00
Stian Thorgersen
ac9268bd48 KEYCLOAK-4192 Added missing produces annotations for update methods 2017-01-13 09:56:20 +01:00
Hynek Mlnarik
0b58bebc90 KEYCLOAK-2847 Fix for client template duplicate name 2017-01-13 09:32:28 +01:00
mposolda
93157e49d5 KEYCLOAK-4201 Offline tokens become useless when accessing admin REST API 2017-01-13 09:06:53 +01:00
Vlastimil Elias
f13deab812 KEYCLOAK-4202 - Attribute importer of Social Identity providers doesn't
handle JSON 'null' values correctly
2017-01-12 14:14:09 +01:00
Hynek Mlnarik
e11957ecf3 KEYCLOAK-4167 Make OIDC identity provider key ID configurable 2017-01-11 18:24:22 +01:00
Guus der Kinderen
ba73ab1c2a API documentation: Overview to left-hand side 2017-01-10 17:08:32 +01:00
Guus der Kinderen
45f5fa6a74 API documentation: Introduce and group by tags.
This commit introduces grouping of the documented REST resources. The grouping is based
on a free-form name of a resource (a 'tag' in Swagger terminology), which is introduced
by adding a @resource javadoc tag to every Resource class.
2017-01-10 17:08:27 +01:00
Guus der Kinderen
50b7dbe7b2 API documentation: Update dependencies. 2017-01-10 17:08:14 +01:00
Marek Posolda
227900f288 Merge pull request #3731 from mposolda/master
KEYCLOAK-4175 Provide a way to set the connect and read timeout for l…
2017-01-10 09:49:18 +01:00
Stian Thorgersen
7eeebff874 Merge pull request #3720 from hmlnarik/KEYCLOAK-4091-Possible-NullPointerExceptions-with-disabled-cache
KEYCLOAK-4091 Prevent NPE with disabled cache
2017-01-10 06:23:10 +01:00
Bill Burke
452611242c Merge remote-tracking branch 'upstream/master' 2017-01-09 17:14:34 -05:00
Bill Burke
d075172fd2 KEYCLOAK-3617 KEYCLOAK-4117 KEYCLOAK-4118 2017-01-09 17:14:20 -05:00
mposolda
c32620b718 KEYCLOAK-4175 Provide a way to set the connect and read timeout for ldap connections 2017-01-09 21:35:58 +01:00
Pedro Igor
0b5b27ea3a [KEYCLOAK-4166] - Export/Import clients functionality not working as expected 2017-01-06 16:07:10 -02:00
Hynek Mlnarik
9fb3201c8b KEYCLOAK-3399 Ignore user session expiration on OIDC logout 2017-01-06 15:15:46 +01:00
Hynek Mlnarik
377fbced4a KEYCLOAK-4091 Prevent NPE with disabled cache 2017-01-06 10:00:11 +01:00
Bill Burke
f9eeecf836 test KEYCLOAK-4013 2017-01-05 11:27:17 -05:00
Pedro Igor
4044b39ab7 [KEYCLOAK-3517] - Filtering SAML ECP flow 2017-01-04 11:17:39 -02:00
Stian Thorgersen
f2ee9df600 KEYCLOAK-4116 Trim username on recover password page 2017-01-03 11:50:08 +01:00
Stian Thorgersen
45411b1199 KEYCLOAK-4090 2017-01-03 07:53:08 +01:00
Stian Thorgersen
902332c5ae Merge pull request #3696 from stianst/KEYCLOAK-4038
KEYCLOAK-4038 Get bind credential from component if stored
2017-01-02 15:44:59 +01:00
Stian Thorgersen
08d7211a93 KEYCLOAK-4038 Get bind credential from component if stored 2017-01-02 14:40:12 +01:00
Stian Thorgersen
1c0e204f50 Merge pull request #3690 from stianst/master
Bump version to 2.5.1.Final-SNAPSHOT
2017-01-02 08:52:04 +01:00
Stian Thorgersen
d6e620a266 Merge pull request #3689 from stianst/KEYCLOAK-4133
KEYCLOAK-4133
2017-01-02 08:51:37 +01:00
Pedro Igor
31ed69a970 [KEYCLOAK-4136] - Missing update on resource_set endpoint 2016-12-29 11:59:42 -02:00
Stian Thorgersen
e805ffd945 Bump version to 2.5.1.Final-SNAPSHOT 2016-12-22 08:22:18 +01:00
Stian Thorgersen
40b5731198 KEYCLOAK-4133
Login status iframe endpoint doesn't set encoding
2016-12-22 08:20:55 +01:00
Stian Thorgersen
04179c5681 Merge branch 'KEYCLOAK-4004' of https://github.com/l-robinson/keycloak into l-robinson-KEYCLOAK-4004 2016-12-22 06:13:41 +01:00
Stian Thorgersen
d365d9d784 Merge pull request #3649 from sldab/bearer-client-credentials
KEYCLOAK-4086 Client credentials missing in bearer-only JSON config
2016-12-20 12:32:03 +01:00
Stian Thorgersen
f6323d94ec Merge pull request #3676 from stianst/KEYCLOAK-4109
KEYCLOAK-4109 Ability to disable impersonation
2016-12-20 09:35:03 +01:00
Stian Thorgersen
eb7ad07e31 KEYCLOAK-4109 Ability to disable impersonation 2016-12-20 08:46:21 +01:00
Pedro Igor
0b3e867362 [KEYCLOAK-4034] - Minor changes to policy enforcer 2016-12-19 23:44:51 -02:00
Pedro Igor
c9c8acd029 [KEYCLOAK-4034] - Invalidating policy cache when creating resources and scopes 2016-12-19 20:28:49 -02:00
Pedro Igor
40591cff25 Merge pull request #3662 from pedroigor/KEYCLOAK-4034
[KEYCLOAK-4034] - Improvements to UI, performance and some code cleanup
2016-12-19 16:49:10 -02:00
Pedro Igor
5cf5168770 [KEYCLOAK-4034] - Improvements to UI, performance and some code cleanup 2016-12-19 16:48:16 -02:00
Slawomir Dabek
16fb1e2078 KEYCLOAK-4086 Client credentials missing in bearer-only Keycloak OIDC JSON 2016-12-19 16:55:19 +01:00
mposolda
ac00f7fee2 KEYCLOAK-4087 LDAP group mapping should be possible via uidNumber in memberUid mode 2016-12-19 16:27:57 +01:00
Marek Posolda
c6363aa146 Merge pull request #3630 from sldab/duplicate-email-support
KEYCLOAK-4059 Support for duplicate emails
2016-12-19 15:37:18 +01:00
Pedro Igor
c9c9f05e29 [KEYCLOAK-4034] - Improvements to UI, performance and some code cleanup 2016-12-19 11:22:37 -02:00
Stian Thorgersen
3bd3d0285d Merge branch 'duplicate-groups' of https://github.com/ssilvert/keycloak into ssilvert-duplicate-groups 2016-12-19 13:07:39 +01:00
Stian Thorgersen
b8adfcad87 Merge pull request #3658 from hmlnarik/KEYCLOAK-4095--Not-Recently-Used-Password-Policy-with-value-set-to-1-doesn-t-work
KEYCLOAK-4095 Fix for expiring passwords
2016-12-19 12:15:26 +01:00
Slawomir Dabek
93cec9b3ee KEYCLOAK-4059 Support for duplicate emails 2016-12-19 10:55:12 +01:00
Stian Thorgersen
f29bb7d501 KEYCLOAK-4092 key provider for HMAC signatures 2016-12-19 10:50:43 +01:00
Hynek Mlnarik
787a3f8fcc KEYCLOAK-4095 Fix for expiring passwords 2016-12-16 14:45:05 +01:00
Bill Burke
a4cbf130b4 Merge pull request #3592 from sldab/default-hooks
KEYCLOAK-4074 Decoupling of default provider implementations
2016-12-16 08:42:55 -05:00
Hynek Mlnarik
5453bec1bf KEYCLOAK-4079, KEYCLOAK-4080 Fix for single-valued claims 2016-12-16 10:00:36 +01:00
Stian Thorgersen
9be9d3f580 Merge pull request #3651 from stianst/KEYCLOAK-4081
KEYCLOAK-4081
2016-12-15 15:53:39 +01:00
Bill Burke
3c2a12d019 Merge pull request #3648 from patriot1burke/master
KEYCLOAK-3451
2016-12-14 15:46:24 -05:00
Bill Burke
56f9aa41d0 KEYCLOAK-3451 2016-12-14 15:04:53 -05:00
Stian Thorgersen
394676222f Merge pull request #3616 from sldab/fix-cors
KEYCLOAK-4047 WebOrigins not expanded in CORS handling of token endpoints
2016-12-14 15:13:49 +01:00
Stian Thorgersen
e316037910 KEYCLOAK-4081 2016-12-14 11:22:10 +01:00
Stian Thorgersen
97a08a1d99 Merge pull request #3644 from stianst/KEYCLOAK-4071
KEYCLOAK-4071
2016-12-14 09:55:55 +01:00
Stian Thorgersen
480d4e6f4f KEYCLOAK-4071 2016-12-14 07:01:54 +01:00
mposolda
40216b5e7d KEYCLOAK-3921 LDAP binary attributes 2016-12-13 18:31:26 +01:00
Slawomir Dabek
7ad028fcb1 KEYCLOAK-4074 Added hooks to default implementations of direct grant authenticators
and email sender.
2016-12-13 15:32:39 +01:00
Bill Burke
62029e8a33 KEYCLOAK-3506 2016-12-10 11:59:29 -05:00
Bill Burke
10fc7302eb Merge pull request #3632 from hmlnarik/KEYCLOAK-4057-MS-AD-FS-does-not-recognize-certificate-for-POST-signed-AuthnRequest-for-brokering
KEYCLOAK-4057 Do not include KeyName for brokered IdPs
2016-12-09 09:09:13 -05:00
Hynek Mlnarik
24a36e6848 KEYCLOAK-4057 Do not include KeyName for brokered IdPs
Active Directory Federation Services require that the subject name
matches KeyName element when present. While KeyName is beneficial for
Keycloak adapters, it breaks functionality for AD FS as the name
included there is a key ID, not certificate subject expected by AD FS.

This patch contains functionality that excludes KeyName from SAML
messages to identity providers. This behaviour should be made
configurable per client/identity provider and is prepared to do so,
however actual GUI changes are left for a separate patch.
2016-12-09 14:33:40 +01:00
Bill Burke
1f0600044a KEYCLOAK-3967 2016-12-08 19:29:02 -05:00
Bill Burke
d3e3990d77 Merge pull request #3629 from patriot1burke/master
KEYCLOAK-2806
2016-12-08 17:36:28 -05:00
Bill Burke
4a80f1e913 Merge remote-tracking branch 'upstream/master' 2016-12-08 17:05:46 -05:00
Bill Burke
0550bdb467 KEYCLOAK-3214 2016-12-08 16:47:17 -05:00
Bill Burke
5f07fa8057 KEYCLOAK-2806 2016-12-08 16:28:22 -05:00
mposolda
e7f6c780e2 KEYCLOAK-4058 Improve LDAPStorageMapper and remove LDAPStorageMapperBridge 2016-12-08 18:35:56 +01:00
Bill Burke
75e2b404c8 Merge pull request #3618 from abstractj/KEYCLOAK-3685
[KEYCLOAK-3685]: Username not updated when "Email as username" is enabled
2016-12-06 22:06:55 -05:00
Bill Burke
7271fdaaaa KEYCLOAK-3509 2016-12-06 18:52:37 -05:00
Bill Burke
68c8bfa0e1 KEYCLOAK-2705 2016-12-06 17:32:41 -05:00
Bruno Oliveira
ddb201db6c [KEYCLOAK-3685]: Username not updated when "Email as username" is enabled 2016-12-06 19:46:31 -02:00
Slawomir Dabek
4069be3ff6 KEYCLOAK-4047 Expand + to valid WebOrigins in Cors class 2016-12-06 20:22:35 +01:00
Bill Burke
77d17de14d Merge pull request #3611 from patriot1burke/master
KEYCLOAK-3620
2016-12-06 08:18:36 -05:00
Bill Burke
bab08bf8f0 Merge remote-tracking branch 'upstream/master' 2016-12-06 08:18:05 -05:00
Bill Burke
6587cd2478 KEYCLOAK-3620 2016-12-05 17:51:06 -05:00
Bill Burke
693d6c0e5d Merge pull request #3608 from hmlnarik/KEYCLOAK-4035
KEYCLOAK-4035 Composite roles need to be expanded in SAML attribute mapper
2016-12-05 14:44:21 -05:00
Bill Burke
952c1decf0 Merge pull request #3607 from patriot1burke/master
KEYCLOAK-4033
2016-12-05 14:44:07 -05:00
Bill Burke
f03d79c7d3 Merge pull request #3603 from thomasdarimont/issue/KEYCLOAK-3969-Allow-authentication-via-ScriptAuthenticator-without-user
KEYCLOAK-3969 Allow use of ScriptAuthenticator without user
2016-12-05 10:19:02 -05:00
Hynek Mlnarik
3c4114091f KEYCLOAK-4035 Composite roles need to be expanded in SAML attribute mapper 2016-12-05 16:16:08 +01:00
Bill Burke
d354aa1f62 KEYCLOAK-4033 2016-12-05 10:15:55 -05:00
Hynek Mlnarik
197f51e50f KEYCLOAK-3950 Fix NPE on request for NameIDPolicy without format
... and two more one-line issues
2016-12-05 07:24:38 +01:00
l-robinson
1c66ce7dd7 Additional test case added to check the text in the 'Back to application' link 2016-12-05 12:13:30 +10:30
Thomas Darimont
8610a02d72 KEYCLOAK-3969 Allow use of ScriptAuthenticator without user
Previously ScriptAuthenticator required a user to be authenticated
before it could be used as an additional authentication step which
limited the scenarios the authenticator could be used.

We now allow ScriptAuthenticators to be used without requiring an
user to be authenticated before.
Adapted the authenticator-template.js with a null safe username check.

Note that existing custom ScriptAuthenticators might need some additional
null checks since the user can now be undefined.
2016-12-04 23:15:53 +01:00
Bill Burke
0ab352706b Merge pull request #3554 from hassaneinaltememyictu/2.3.0-ictu-change-role-attributeToRoleMapper
grant the new role from the saml token if it exist
2016-12-03 13:43:40 -05:00
Bill Burke
88d08c4f38 component query and remove provider alis fix 2016-12-03 11:34:48 -05:00
Bill Burke
8fd7091068 KEYCLOAK-3986 2016-12-03 09:33:52 -05:00
Bill Burke
ce50b0ed29 Merge remote-tracking branch 'upstream/master' 2016-12-02 19:26:34 -05:00
Bill Burke
e88af874ca finish 2016-12-02 19:25:17 -05:00
mposolda
17d8394ab6 KEYCLOAK-3340 Service Account user not renamed when renaming client-id 2016-12-02 18:13:29 +01:00
mposolda
cccb532a21 KEYCLOAK-3701 NullPointerException when trying to get access token from offline token 2016-12-02 16:35:21 +01:00
Stian Thorgersen
8842d88058 Merge pull request #3562 from ssilvert/overwrite-client-role-fails
KEYCLOAK-3042: NPE when trying to overwrite client role
2016-12-02 14:06:27 +01:00
Stian Thorgersen
209f8155d1 KEYCLOAK-3835 Remove redirect on flow and return not modified if page is refreshed 2016-12-02 06:29:59 +01:00
Manuel Palacio
bfec073457 KEYCLOAK-3648 2016-12-01 19:34:33 +01:00
l-robinson
c72ceadfce KEYCLOAK-4004 Pass the client name in the ReferrerBean instead of the referrer parameter 2016-12-01 17:17:57 +10:30
Stian Thorgersen
1e7f1b1e54 Merge pull request #3570 from stianst/master
Bump to 2.5.0.Final-SNAPSHOT
2016-12-01 06:36:37 +01:00
Stian Thorgersen
433f373f60 KEYCLOAK-3889 Add produces to server info endpoint 2016-11-30 15:46:01 +01:00
Stian Thorgersen
b771b84f56 Bump to 2.5.0.Final-SNAPSHOT 2016-11-30 15:44:51 +01:00
mposolda
d0a96d463d KEYCLOAK-3831 Improve AddressMapper configurability. Support for 'formatted' subclaim 2016-11-30 13:04:45 +01:00
Bill Burke
9e50a45b4c UserBulkUpdateProvider interface 2016-11-29 18:43:22 -05:00
Stan Silvert
83063a5740 KEYCLOAK-3042: NPE when trying to overwrite client role 2016-11-29 15:43:48 -05:00
Bill Burke
7efa3a3ddf Merge remote-tracking branch 'upstream/master' 2016-11-29 11:34:04 -05:00
Marek Posolda
80c4b2aa31 Merge pull request #3556 from mposolda/master
KEYCLOAK-3822 Changing signature validation settings of an external I…
2016-11-28 22:37:44 +01:00
Bill Burke
63458a7de7 Merge pull request #3559 from patriot1burke/master
KEYCLOAK-3980
2016-11-28 13:36:52 -05:00
Bill Burke
f6a080729a javadoc 2016-11-28 12:25:54 -05:00
Bill Burke
1dacddb7e3 KEYCLOAK-3980 2016-11-28 12:20:40 -05:00
mposolda
69ce1e05f0 KEYCLOAK-3822 Changing signature validation settings of an external IdP is not sometimes reflected 2016-11-28 15:27:25 +01:00
Hynek Mlnarik
65b269cd54 KEYCLOAK-3731 Provide functionality for IdP-initiated SSO for broker
A SAML brokered IdP can send unsolicited login response to the broker.
This commit adds a new GET/POST endpoint under [broker SAML
endpoint]/clients/{client_id}. Broken will respond to  submission to
this new endpoint by looking up a SAML client with URL name equal to
client_id, and if found, it performs IdP-initiated SSO to that client.
2016-11-28 13:54:04 +01:00
mposolda
7c6032cc84 KEYCLOAK-3825 Ability to expire publicKeys cache. Migrated OIDCBrokerWithSignatureTest to new testsuite 2016-11-25 17:45:37 +01:00
Bill Burke
ccbd8e8c70 remove User Fed SPI 2016-11-23 16:06:44 -05:00
Bill Burke
d5925b8ccf remove realm UserFed SPI methods 2016-11-23 08:31:20 -05:00
Stian Thorgersen
6ec82865d3 Bump version to 2.4.1.Final-SNAPSHOT 2016-11-22 14:56:21 +01:00
mposolda
d8c8afe070 KEYCLOAK-3943 Admin console issues when updating LDAP Storage provider 2016-11-21 14:22:45 +01:00
mposolda
da52a5c9cf KEYCLOAK-3930 KEYCLOAK-3931 LDAP and Mongo fixes 2016-11-18 20:02:02 +01:00
Stian Thorgersen
7043ecc21b KEYCLOAK-3881 Fix login status iframe with * origin 2016-11-18 12:50:52 +01:00
Marek Posolda
3e71aeddf3 Merge pull request #3479 from hmlnarik/KEYCLOAK-3469-UserRealmRoleMapper
KEYCLOAK-3469 Make role mappers account for user groups
2016-11-18 09:21:56 +01:00
Marek Posolda
b434c2b9cf Merge pull request #3510 from ssilvert/delete-subflows
KEYCLOAK-3681: Delete top flow doesn't remove all subflows
2016-11-18 08:50:13 +01:00
mposolda
a27be0cee7 KEYCLOAK-3857 Clustered invalidation cache fixes and refactoring. Support for cross-DC for invalidation caches. 2016-11-16 22:29:23 +01:00
Stan Silvert
55556fc63c KEYCLOAK-3681: Delete top flow doesn't remove all subflows 2016-11-16 12:43:11 -05:00
Stian Thorgersen
26b1541f4a Merge pull request #3476 from abstractj/KEYCLOAK-3875
[KEYCLOAK-3875] - Conditional OTP Forms not working as expected
2016-11-16 12:44:50 +01:00
Stian Thorgersen
1c3a475d1e Merge pull request #3485 from hmlnarik/KEYCLOAK-3071
KEYCLOAK-3071 Add SOAP and PAOS endpoints to valid redirect URIs on SP import
2016-11-16 12:38:45 +01:00
Bill Burke
cc0eb47814 merge 2016-11-14 15:09:41 -05:00
Bill Burke
c280634bfa fix tests 2016-11-14 15:06:17 -05:00
Hynek Mlnarik
750e942267 KEYCLOAK-3469 Make role mappers account for user groups 2016-11-14 11:38:00 +01:00
Bruno Oliveira
39f40bc005 [KEYCLOAK-3875] - Conditional OTP Forms not working as expected 2016-11-11 15:16:08 -02:00
Stian Thorgersen
a86b5988b5 Merge pull request #3484 from hmlnarik/KEYCLOAK-3658
KEYCLOAK-3658 Fixed typo in condition
2016-11-11 09:41:48 +01:00
Stian Thorgersen
088f0ea630 Merge pull request #3490 from stianst/KEYCLOAK-3086
[KEYCLOAK-3086] -  NPE when accessing Account with invalid clientId s…
2016-11-11 09:35:45 +01:00
Bruno Oliveira
675faee593 [KEYCLOAK-3086] - NPE when accessing Account with invalid clientId set as ?referrer, and additional referrer_uri set 2016-11-10 13:49:40 +01:00
Stian Thorgersen
7e33f4a7d1 KEYCLOAK-3882 Split server-spi into server-spi and server-spi-private 2016-11-10 13:28:42 +01:00
Bill Burke
94076a3b24 admin console ui 2016-11-09 17:34:07 -05:00
Hynek Mlnarik
8816b55843 KEYCLOAK-3071 Add SOAP and PAOS endpoints to valid redirect URIs on SP import 2016-11-09 14:13:53 +01:00
Hynek Mlnarik
9c724b616d KEYCLOAK-3658 Fixed typo in condition 2016-11-09 11:27:33 +01:00
Vlasta Ramik
6f1b8e1fee remove KEYCLOAK_REMEMBERME when user logs in without rememberme checked + tests 2016-11-09 10:33:46 +01:00
Bill Burke
4880c0443c ldap port admin console 2016-11-08 12:30:20 -05:00
Stian Thorgersen
292777259e Merge pull request #3472 from hmlnarik/KEYCLOAK-1881-saml-key-rotation
Keycloak 1881 - SAML key/cert rotation for IdP
2016-11-08 07:56:25 +01:00
Stian Thorgersen
db4f3561a5 Merge pull request #3454 from ssilvert/keystore-error-messages
KEYCLOAK-3817: More detailed errors when loading keys from JKS
2016-11-08 07:33:43 +01:00
Bill Burke
5a86623c88 merge 2016-11-06 08:52:10 -05:00
Bill Burke
14dc0ff92f Merge remote-tracking branch 'upstream/master' 2016-11-05 20:05:01 -04:00
Bill Burke
4302b440ee ldap port 2016-11-05 20:04:53 -04:00
Bill Burke
c75dcb90c2 ldap port 2016-11-04 21:25:47 -04:00
Hynek Mlnarik
8ae1b1740d KEYCLOAK-1881 Client installers 2016-11-04 21:53:43 +01:00
Hynek Mlnarik
4f9e35c0a1 KEYCLOAK-1881 Support for multiple certificates in broker (hardcoded at the moment) 2016-11-04 21:53:43 +01:00
Hynek Mlnarik
67bb9aef3d KEYCLOAK-1881 Add switch to enable/disable generation of <Extensions>
Some SP clients might be confused by using a standard SAML protocol tag
<Extensions> which is used for signed REDIRECT binding messages to
specify signing key ID. To enable the interoperability, generation of
the tag is disabled by default and can be enabled for individual
clients.
2016-11-04 21:53:43 +01:00
Hynek Mlnarik
1ae268ec6f KEYCLOAK-1881 Include key ID for REDIRECT and use it for validation
Contrary to POST binding, signature of SAML protocol message sent using
REDIRECT binding is contained in query parameters and not in the
message. This renders <dsig:KeyName> key ID hint unusable. This commit
adds <Extensions> element in SAML protocol message containing key ID so
that key ID is present in the SAML protocol message.
2016-11-04 21:53:43 +01:00
Hynek Mlnarik
d5c3bde0af KEYCLOAK-1881 Make SAML descriptor endpoint return all certificates 2016-11-04 21:53:43 +01:00
Hynek Mlnarik
5d840500af KEYCLOAK-1881 Include key ID in <ds:KeyInfo> in SAML assertions and protocol message
Changes of SAML assertion creation/parsing that are required to allow
for validation of rotating realm key: signed SAML assertions and signed
SAML protocol message now contain signing key ID in XML <dsig:KeyName>
element.
2016-11-04 21:53:43 +01:00
Pedro Igor
706c1e2660 [KEYCLOAK-3704] - Registering UserSinchronizer to remove resources when the owner is removed 2016-11-02 21:40:58 -02:00
Pedro Igor
95d2130405 [KEYCLOAK-3704] - Checkign if owner is a valid user 2016-11-02 21:01:24 -02:00
Stan Silvert
facdd586a3 KEYCLOAK-2720: Should not allow two groups with the same path. 2016-11-01 16:08:30 -04:00
Stan Silvert
a5e5f4cf9c KEYCLOAK-3817: More detailed errors when loading keys from JKS 2016-11-01 13:54:34 -04:00
Bill Burke
ccaac40863 Merge pull request #3437 from patriot1burke/master
disable credential type REST and admin ui
2016-10-28 11:33:16 -04:00
Stian Thorgersen
f4a77c3d06 Merge pull request #3444 from stianst/KEYCLOAK-3225
KEYCLOAK-3225
2016-10-28 11:51:35 +02:00
Stian Thorgersen
b6b567f948 Merge pull request #3441 from stianst/KEYCLOAK-3733
KEYCLOAK-3733 Set default max results for paginated endpoints
2016-10-28 10:36:24 +02:00
Stian Thorgersen
479295cfd2 KEYCLOAK-3225
Modifying user's Identity Provider Links requires manage-realm client role
2016-10-28 10:25:41 +02:00
Stian Thorgersen
a78cfa4b2c Merge pull request #3440 from stianst/KEYCLOAK-3667
KEYCLOAK-3667
2016-10-28 10:13:06 +02:00
Stian Thorgersen
c6caeb3bec Merge pull request #3439 from stianst/KEYCLOAK-3828
KEYCLOAK-3828
2016-10-28 10:12:51 +02:00
Stian Thorgersen
a9d47287ee KEYCLOAK-3733 Set default max results for paginated endpoints 2016-10-28 09:15:05 +02:00
Stian Thorgersen
3d46b4c425 KEYCLOAK-3667 2016-10-28 08:43:24 +02:00
Stian Thorgersen
db428dad1d KEYCLOAK-3828
Component uses wrong role
2016-10-28 07:56:44 +02:00
Stian Thorgersen
e958bd254a Merge pull request #3435 from stianst/KEYCLOAK-3331
KEYCLOAK-3331 Reset password leads to 400 bad request when link is op…
2016-10-28 06:40:48 +02:00
Stian Thorgersen
0c6b47b9f2 Merge pull request #3433 from stianst/KEYCLOAK-3641
KEYCLOAK-3641 Clicking an invalid verification link due to re-send re…
2016-10-28 06:40:27 +02:00
Bill Burke
91da6a47d7 disable cred types ui 2016-10-27 16:17:02 -04:00
Stian Thorgersen
c6ac3266f0 KEYCLOAK-3641 Clicking an invalid verification link due to re-send removes the email verification key from the session 2016-10-27 16:16:52 +02:00
Stian Thorgersen
ab72b2b141 KEYCLOAK-3331 Reset password leads to 400 bad request when link is opened in a different browser session 2016-10-27 16:04:45 +02:00
Bill Burke
73e3f2a89b REST API for disable cred type 2016-10-26 15:48:45 -04:00
Bill Burke
68e853b4bd Merge remote-tracking branch 'upstream/master' 2016-10-25 13:40:32 -04:00
Bill Burke
b67cb0e97a Merge remote-tracking branch 'upstream/master' 2016-10-25 11:44:22 -04:00
Stian Thorgersen
4b27e66714 KEYCLOAK-3782 Keysize for rsa-generated should be a dropdown 2016-10-25 08:52:02 +02:00
Bill Burke
3e28ac1e46 user spi cache policy 2016-10-24 15:36:37 -04:00
hassaneinaltememyictu
a119a46495 grant the new role from the saml token if it exist
grant the user with the new role from the saml token if it is a realm role in keycloak
2016-10-24 17:17:22 +02:00
Stian Thorgersen
4d47f758fc Merge pull request #3405 from stianst/master
Bump version
2016-10-21 10:11:59 +02:00
Stian Thorgersen
c615674cbb Bump version 2016-10-21 07:03:15 +02:00
Stian Thorgersen
1a4f9e656d Merge pull request #3398 from stianst/KEYCLOAK-3774
KEYCLOAK-3774 Fix keycloak.js with prompt=none and new stricter redir…
2016-10-21 06:34:43 +02:00
Stian Thorgersen
9801f09a93 KEYCLOAK-3774 Fix keycloak.js with prompt=none and new stricter redirect_uri 2016-10-20 21:31:25 +02:00
Stian Thorgersen
5a00aaefa8 KEYCLOAK-2594
bind credential being leaked in admin tool JSON response

KEYCLOAK-2972
Keycloak leaks configuration passwords in Admin Event logs
2016-10-20 19:30:59 +02:00
Stian Thorgersen
1bf24d26a4 Merge pull request #3395 from stianst/master
KEYCLOAK-3772
2016-10-20 19:27:03 +02:00
Stian Thorgersen
839c4e8ede KEYCLOAK-3772
Login with Twitter is not working
2016-10-20 15:05:07 +02:00
mposolda
072ccb5c61 KEYCLOAK-3770 OIDC registration with id_token grant type should set publicClient flag to true 2016-10-20 14:10:53 +02:00
Stian Thorgersen
dfc09b69a8 Merge pull request #3380 from stianst/KEYCLOAK-3364
KEYCLOAK-3364 Fix for dns that ends with digit
2016-10-20 06:24:50 +02:00
Stian Thorgersen
d2e0432afb Merge pull request #3389 from patriot1burke/master
KEYCLOAK-3651
2016-10-20 06:24:15 +02:00
Bill Burke
34d80c9083 KEYCLOAK-3651 2016-10-19 20:28:33 -04:00
Bill Burke
9f00f693c6 Merge pull request #3387 from ssilvert/spelling-represenation
KEYCLOAK-3496: Spelling Error in Admin GUI Documentation
2016-10-19 19:59:41 -04:00
Stan Silvert
ad59cd618e Merge pull request #3383 from ssilvert/duplicate-fed-provider
KEYCLOAK-2892: Bad error when create fed provider w/ same name.
2016-10-19 16:40:58 -04:00
Stan Silvert
ac80f99e8c KEYCLOAK-3496: Spelling Error in Admin GUI Documentation 2016-10-19 16:33:59 -04:00
Bill Burke
cdf7dd3a6c Merge pull request #3372 from patriot1burke/master
onCreate for Components
2016-10-19 16:21:20 -04:00
Bill Burke
934ea1c33c KEYCLOAK-3562 2016-10-19 14:01:21 -04:00
Stan Silvert
9d098e9068 KEYCLOAK-2892: Bad error when create fed provider w/ same name. 2016-10-19 13:32:28 -04:00
Stian Thorgersen
ffce2023c0 KEYCLOAK-3364 Fix for dns that ends with digit 2016-10-19 18:41:43 +02:00
mposolda
3779bfb6b4 KEYCLOAK-3666 client registration policies - polishing 2016-10-19 17:45:23 +02:00
mposolda
964cd50f1d KEYCLOAK-3666 Added client reg policies for maxClients and clientDisabled 2016-10-19 17:45:23 +02:00
Stian Thorgersen
36c367a3bc Merge pull request #3369 from stianst/KEYCLOAK-3625
KEYCLOAK-3625
2016-10-19 15:56:57 +02:00
Stian Thorgersen
1b24d2edd8 KEYCLOAK-3625 More work on the issue 2016-10-19 14:21:50 +02:00
Stian Thorgersen
bbc1d26b72 Merge pull request #3367 from stianst/KEYCLOAK-3745
KEYCLOAK-3745 Change attributes in user rep
2016-10-19 14:01:39 +02:00
Stian Thorgersen
4efe12cb93 KEYCLOAK-3745 Change attributes in user rep 2016-10-19 12:15:13 +02:00
Stian Thorgersen
f2f508ac2e Merge pull request #3357 from stianst/KEYCLOAK-3107
KEYCLOAK-3017 Expose Location header in cors request to admin endpoint
2016-10-19 08:45:18 +02:00
Stian Thorgersen
13220e1d38 Merge pull request #3355 from stianst/KEYCLOAK-2699
KEYCLOAK-2699 Potential for NPE in DirImportProvider.getRealmsToImport
2016-10-19 07:35:54 +02:00
Stian Thorgersen
116027bd7b Merge pull request #3354 from stianst/KEYCLOAK-2488
KEYCLOAK-2488 Token introspection returns wrong response for invalid …
2016-10-19 07:33:25 +02:00
Stian Thorgersen
a33997976f KEYCLOAK-3017 Expose Location header in cors request to admin endpoint 2016-10-18 21:27:46 +02:00
Stian Thorgersen
0a8d1e28f1 KEYCLOAK-2699 Potential for NPE in DirImportProvider.getRealmsToImport 2016-10-18 20:31:51 +02:00
Stian Thorgersen
29538332d9 KEYCLOAK-2488 Token introspection returns wrong response for invalid token 2016-10-18 20:28:14 +02:00
Bill Burke
d941e07169 Merge pull request #3350 from patriot1burke/master
federated import/export to json
2016-10-18 14:15:25 -04:00
Stian Thorgersen
e41d11877f Merge pull request #3349 from stianst/KEYCLOAK-2741
KEYCLOAK-2741
2016-10-18 19:39:54 +02:00
mposolda
b62e6e2751 KEYCLOAK-3653 CORS headers not sent in certs endpoint 2016-10-18 16:57:06 +02:00
Stian Thorgersen
74dad004e3 KEYCLOAK-2741
Don't remove KEYCLOAK_REMEMBERME cookie when sso session expires.
2016-10-18 16:14:36 +02:00
Bill Burke
2199df71bf Merge remote-tracking branch 'upstream/master' 2016-10-18 10:14:00 -04:00
Bill Burke
4182e4d92a federated import/export 2016-10-18 10:13:51 -04:00
Marek Posolda
3986ce2ce0 Merge pull request #3345 from mposolda/master
KEYCLOAK-3499 Fixes in OIDCProtocolMapper support for includeInUserInfo
2016-10-18 14:28:29 +02:00
Stian Thorgersen
4b56743788 Merge pull request #3343 from stianst/KEYCLOAK-2884
KEYCLOAK-2884 Remove ClientTemplateResource.getKeycloakApplication()
2016-10-18 14:08:50 +02:00
mposolda
a7287aad36 KEYCLOAK-3499 More fixes for IncludeInUserInfo. Fixing tests and migration 2016-10-18 13:09:30 +02:00
Thomas Darimont
c3b577de11 KEYCLOAK-3499 Revise OIDCProtocolMapper support
Moved methods `transformUserInfoToken`, `transformAccessToken`,
`transformIDToken` to the `AbstractOIDCProtocolMapper` base class
in order to reduce code duplication.
Previously every mapper implemented at least one or two of those
methods with exactly the same code.
Having those methods in the base class ensures that the code is the
same for all mappers. Since the mentioned methods are declared
on the `OIDCIDTokenMapper`, `OIDCAccessTokenMapper` and `UserInfoTokenMapper`
interfaces `AbstractOIDCProtocolMapper` implementations can now choose
how they should be handled by the `TokenManager`
by implementing the desired set of interfaces `*TokenMapper`-interfaces.

I think this provides a good balance between ease of use, reduced code duplication
and ensured backwards compatiblity.
Existing protocol mapper implementations will still work since they just implement
their own logic for `transformUserInfoToken`, `transformAccessToken`,
`transformIDToken`.

The "claim" information provided by a `ProtocolMapper` to a `*Token` can now
be provided by overriding the `AbstractOIDCProtocolMapper.setClaim` method.

Adapted all eligible ProtocolMapper implementations within the
`org.keycloak.protocol.oidc.mappers` package accordingly.
2016-10-18 13:09:30 +02:00
Stian Thorgersen
e157a60a23 KEYCLOAK-2884 Remove ClientTemplateResource.getKeycloakApplication() 2016-10-18 09:01:24 +02:00
Marek Posolda
2fd680092a Merge pull request #3336 from mposolda/master
KEYCLOAK-3719 Add 'options' to ProviderConfigProperty and use it for …
2016-10-18 08:33:26 +02:00
mposolda
00879b39b7 KEYCLOAK-3719 Add 'options' to ProviderConfigProperty and use it for 'List' type instead of defaultValue 2016-10-17 21:34:21 +02:00
Stian Thorgersen
77499be8d2 KEYCLOAK-3728
Disable script based authenticator in product profile
2016-10-17 21:16:51 +02:00
Stian Thorgersen
64339aaca7 Merge pull request #3317 from stianst/KEY-ROTATION
Updated labels for java keystore provider config
2016-10-17 19:39:47 +02:00
Stian Thorgersen
2ed6067de0 Merge pull request #3290 from hmlnarik/KEYCLOAK-3655
KEYCLOAK-3655: Fix for unexpected server error when adding duplicate auth flow
2016-10-17 19:31:43 +02:00
Stian Thorgersen
d22f45f0d2 Merge pull request #3335 from stianst/KEYCLOAK-3635
KEYCLOAK-3635 Not possible to filter debug/trace logging
2016-10-17 18:50:10 +02:00
Stian Thorgersen
b320eb8fc7 KEYCLOAK-3635 Not possible to filter debug/trace logging 2016-10-17 16:12:14 +02:00
Geir Ole Hiåsen Stevning
95f62c6aeb KEYCLOAK-3626 - CreatedDate and lastUpdatedDate on user consent 2016-10-17 13:53:12 +02:00
mposolda
5732b2c58f KEYCLOAK-3716 Unable to start Keycloak on wildfly 2016-10-17 12:22:33 +02:00
mposolda
18e0c0277f KEYCLOAK-3666 Dynamic client registration policies 2016-10-14 20:20:40 +02:00
Bill Burke
1c0abbd722 Merge pull request #3315 from patriot1burke/master
import and sync spi
2016-10-14 10:12:42 -04:00
Stian Thorgersen
422805b511 Updated labels for java keystore provider config 2016-10-14 10:36:17 +02:00