Commit graph

722 commits

Author SHA1 Message Date
rmartinc
6d74e6b289 Escape slashes in full group path representation but disabled by default
Closes #23900

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-04-12 10:53:39 +02:00
Douglas Palmer
69ba92808d DefaultBruteForceProtector leverages a single thread to write success/failed events
Closes #14084

Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
2024-04-12 09:53:40 +02:00
Michal Hajas
1bb5e14134 Use ReentrantLock instead of synchronized to avoid thread pinning
+ since the runSerialized mechanism is currently on the best effort basis it is possible there are concurrent executions if T1 obtained a lock T2 removed the lock and T3 created a new lock before T1 called putIfAbsent therefore I added a debug log detecting this situation

Signed-off-by: Michal Hajas <mhajas@redhat.com>
2024-04-09 14:55:21 +02:00
Alexander Schwartz
355901dfd8 Add a back-off period when replacing cache entries fails
Closes #28388

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
2024-04-09 14:55:21 +02:00
Alexander Schwartz
63e7523a6d Avoid unnecessary updates to the sessions during refreshes of tokens
Closes #28388

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
2024-04-09 14:55:21 +02:00
Alexander Schwartz
dc18bd4efb Avoid conflicts when writing to session stores by checking for concurrent requests within the JVM
Closes #28388

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
2024-04-09 14:55:21 +02:00
vibrown
3fffc5182e Added ClientType implementation from Marek's prototype
Signed-off-by: vibrown <vibrown@redhat.com>

More updates

Signed-off-by: vibrown <vibrown@redhat.com>

Added client type logic from Marek's prototype

Signed-off-by: vibrown <vibrown@redhat.com>

updates

Signed-off-by: vibrown <vibrown@redhat.com>

updates

Signed-off-by: vibrown <vibrown@redhat.com>

updates

Signed-off-by: vibrown <vibrown@redhat.com>

Testing to see if skipRestart was cause of test failures in MR
2024-04-08 20:20:37 +02:00
Pedro Igor
52ba9b4b7f Make sure attribute metadata from user storage providers are added only for the provider associated with a federated user
Closes #28248

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-04-08 09:05:16 -03:00
Alexander Schwartz
c580c88c93
Persist online sessions to the database (#27977)
Adding two feature toggles for new code paths to store online sessions in the existing offline sessions table. Separate the code which is due to be changed in the next iteration in new classes/providers which used instead of the old one.

Closes #27976

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Signed-off-by: Michal Hajas <mhajas@redhat.com>
Co-authored-by: Michal Hajas <mhajas@redhat.com>
2024-03-28 09:17:07 +01:00
Alexander Schwartz
62d24216e3 Remove offline session preloading
Closes #27602

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
2024-03-15 15:19:27 +01:00
Alexander Schwartz
f168b8cce9 Avoid invalidating the cache if removing an entry doesn't exist
Closes #27852

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
2024-03-13 13:36:07 +01:00
Pedro Igor
326d63ce74 Make sure group searches are cached and entries invalidate accordingly
Closes #26983

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-02-29 05:06:36 +09:00
Vlasta Ramik
ade3b31a91
Introduce new CLI config options for Infinispan remote store
Closes #25676

Signed-off-by: vramik <vramik@redhat.com>
Signed-off-by: Pedro Ruivo <pruivo@redhat.com>
Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Co-authored-by: Pedro Ruivo <pruivo@redhat.com>
Co-authored-by: Alexander Schwartz <aschwart@redhat.com>
2024-02-28 15:49:19 +00:00
Réda Housni Alaoui
a3b3ee4b87
Ability to declare a default "First broker login flow" per Realm
Closes #25823

Signed-off-by: Réda Housni Alaoui <reda-alaoui@hey.com>
Co-authored-by: Jon Koops <jonkoops@gmail.com>
2024-02-28 16:17:51 +01:00
Alexander Schwartz
ee3a4a6e4f
Set expiry and maxidle when loading entries from the remote store (#26942)
Closes #26941

Signed-off-by: Michal Hajas <mhajas@redhat.com>
Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Co-authored-by: Michal Hajas <mhajas@redhat.com>
2024-02-27 17:56:17 +01:00
Douglas Palmer
b0ef746f39 Permanently lock users out after X temporary lockouts during a brute force attack
Closes #26172

Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
2024-02-22 09:34:51 +01:00
Michal Hajas
f7f7f1bd10 Add caching for subGroupsCount
Closes #25731

Signed-off-by: Michal Hajas <mhajas@redhat.com>
2024-02-15 19:46:04 +09:00
Thomas Darimont
93fc6a6c54 Shorter lifespan for offline session cache entries in memory
Closes #26810

Co-authored-by: Thomas Darimont <thomas.darimont@googlemail.com>
Co-authored-by: Martin Kanis <mkanis@redhat.com>

Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
Signed-off-by: Martin Kanis <mkanis@redhat.com>
2024-02-09 19:44:04 +01:00
Stian Thorgersen
3e08a1713b
Ignore empty attribute values when retriveing boolean/int/long (#26729) (#26737)
Resolves #26597, resolves #26665

Signed-off-by: stianst <stianst@gmail.com>
2024-02-06 15:29:34 +01:00
Michal Hajas
00742a62dd
Remove RealmModel from authorization services interfaces (#26708)
Closes #26530
Signed-off-by: Michal Hajas <mhajas@redhat.com>
2024-02-02 16:51:32 +01:00
Thomas Darimont
277af021d7 Improve ScheduledTask task-name handling
This PR introduces a String getTaskName() default method to
the ScheduledTask interface and adjusts call sites to use the
implementation derived task name where possible.

Previously, ScheduledTask names were passed around separately, which
lead to unhelpful debug messages.
We now give ScheduledTask implementations control over their task-name
which allows for more flexible naming.

Enlist call StoreSyncEvent.fire(...) to after transaction to ensure realm is present in database.
Ensure that Realm is already committed before updating sync via UserStorageSyncManager
Align Sync task name generation for cancellation to support SyncFederationTest
Only log a message if sync task was actually canceled.

Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
2024-02-02 09:57:03 -03:00
Václav Muzikář
4096a2657e
Supported option to specify site name for multi-site deployments
Closes #26460

Signed-off-by: Václav Muzikář <vmuzikar@redhat.com>
Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Co-authored-by: Alexander Schwartz <aschwart@redhat.com>
2024-01-31 11:52:19 +00:00
Martin Kanis
7797f778d1 Map Store Removal: Rename legacy modules
Closes #24107

Signed-off-by: Martin Kanis <mkanis@redhat.com>
2024-01-25 16:29:16 +01:00
Martin Kanis
84603a9363
Map Store Removal: Rename Legacy* classes (#26273)
Closes #24105

Signed-off-by: Martin Kanis <mkanis@redhat.com>
2024-01-23 13:50:31 +00:00
Alexander Schwartz
b9498b91cb
Deprecating the offline session preloading (#26160)
Closes #25300

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
2024-01-16 09:29:01 +01:00
Alexander Schwartz
a8eca6add0
Changing to the Infinispan BOM to avoid mis-aligned Infinispan dependencies (#26137)
Closes #22922

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Signed-off-by: Pedro Ruivo <pruivo@redhat.com>
Co-authored-by: Pedro Ruivo <pruivo@redhat.com>
2024-01-15 09:20:47 +01:00
Alexander Schwartz
01939bcf34
Remove concurrent loading of remote sessions as at startup time only one node is up anyway. (#25709)
Closes #22082

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Co-authored-by: Martin Kanis <martin-kanis@users.noreply.github.com>
2024-01-09 16:55:22 +01:00
Alexander Schwartz
9e4fc3f491 Keep workaround permanently for concurrent shutdowns of embedded Infinispan
Closes #9871

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
2023-12-15 10:58:22 +01:00
Alexander Schwartz
e01827693a Avoid shutdown of Infinispan when using cache
Closes #24508

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
2023-12-13 15:46:37 +01:00
Alexander Schwartz
a8cff72ed0
Avoid logged warning about objects not present in the cache for tasks (#25324)
Closes #25322

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
2023-12-08 13:10:14 +01:00
Alexander Schwartz
5b1b3ca11b
Allow concurrent remote cache operations (#25390)
Closes #25388

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
2023-12-08 10:07:25 +01:00
Alexander Schwartz
e4be3ed244
Prevent client cache stampede after invalidation of a client or on startup (#25217)
Closes #24202

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
2023-12-05 16:01:37 +01:00
vramik
587cef7de4 Delete Profile.Feature.MAP_STORAGE
Signed-off-by: vramik <vramik@redhat.com>

Closes #24102
2023-11-30 13:04:39 +01:00
rmartinc
16afecd6b4 Allow automatic download of SAML certificates in the identity provider
Closes https://github.com/keycloak/keycloak/issues/24424

Signed-off-by: rmartinc <rmartinc@redhat.com>
2023-11-29 18:03:31 +01:00
Michal Hajas
2b2207af93
Publish information about Infinispan availability in lb-check if MULTI_SITE is enabled
Closes #25077

Signed-off-by: Michal Hajas <mhajas@redhat.com>
Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Co-authored-by: Pedro Ruivo <pruivo@redhat.com>
Co-authored-by: Alexander Schwartz <aschwart@redhat.com>
2023-11-29 11:06:41 +00:00
Pedro Igor
2c611cb8fc User profile configuration scoped to user-federation provider
closes #23878

Co-Authored-By: mposolda <mposolda@gmail.com>

Signed-off-by: mposolda <mposolda@gmail.com>
2023-11-27 14:45:44 +01:00
Sebastian Schuster
030f42ec83
More efficient listing of assigned and available client role mappings
Closes #23404

Signed-off-by: Sebastian Schuster <sebastian.schuster@bosch.io>
Co-authored-by: Vlasta Ramik <vramik@users.noreply.github.com>
2023-11-22 14:10:11 +01:00
Alexander Schwartz
a45934a762 Disable cache store and load only if a remote store is used
Closes #10803
Closes #24766

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Co-authored-by: daviddelannoy <16318239+daviddelannoy@users.noreply.github.com>
2023-11-20 18:50:02 +01:00
Réda Housni Alaoui
3f014c7299
Cannot display 'Authentication Flows' screen when a realm contains more than ~4000 clients (#21058)
closes #21010 

Signed-off-by: Réda Housni Alaoui <reda-alaoui@hey.com>
2023-11-13 19:13:01 +01:00
Alexander Schwartz
26e2fde115
Avoid reseting cachemanger to null to avoid a re-initialization (#24086)
Also follow best practices of using volatile variables for double-locking, and not using shutdown caches.

Closes #24085
2023-11-08 11:33:44 -05:00
Alice
69497382d8
Group scalability upgrades (#22700)
closes #22372 


Co-authored-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com>
Co-authored-by: Michal Hajas <mhajas@redhat.com>
2023-10-26 16:50:45 +02:00
Hynek Mlnarik
c036980c37 Add TRANSIENT_USERS feature flag 2023-10-25 12:02:35 +02:00
Hynek Mlnarik
26328a7c1e Support for transient sessions via lightweight users
Part-of: Add support for not importing brokered user into Keycloak database

Closes: #11334
2023-10-25 12:02:35 +02:00
JesseEstum
71777df3d9
Prevent stampede after realm cache invalidation
Closes #22988 

Co-authored-by: Alexander Schwartz <aschwart@redhat.com>
2023-10-21 18:47:13 +02:00
Marek Posolda
829b7090fa
Avoid breaking change in UserSessionModel (#24134)
closes #24096


Co-authored-by: Michal Hajas <mhajas@redhat.com>
2023-10-20 18:06:07 +02:00
mposolda
04777299b0 After tab1 finish authentication, make sure that rootAuthenticationSession is expired shortly
closes #23880
2023-10-19 19:23:50 +02:00
shigeyuki kabano
6112b25648 Enhancing Light Weight Token(#22148)
Closes #21183
2023-10-17 13:12:36 +02:00
Lex Cao
eedc4ceb18 Fix unexpected expiration when import offline client session
Closes #23397
2023-10-13 15:45:07 +02:00
Martin Kanis
0853d484ec
Remove transaction in InfinispanSingleUseObjectProvider#remove (#23708)
Co-authored-by: mposolda <mposolda@gmail.com>
2023-10-06 10:00:04 +02:00
mkrueger92
498be3d928
Reuse already fixed code to fetch offline user (#22429)
The problem is again the wrap(...) function.
In case the user is not found, then null is
returned. This can happen when a federated user
is deleted on the federation side but Keycloak
is not informed about it. In that case, the
session is still present but no UserModel can
be created.

Without this patch the stream contains null
values. Some downstream users can not cope well
with that.

The adjustment of the function getUserSessionsCount(...)
is slightly more expensive in execution, but
returns the correct number.

Closes #22428

Co-authored-by: Martin Krüger <mkrueger@mkru.de>
2023-09-21 20:19:09 +00:00
Bernd Bohmann
bb2f59df87
Calling getTopLevelGroups is slow inside GroupLDAPStorageMapper#getLDAPGroupMappingsConverted (#8430)
Closes #14820 
---------
Co-authored-by: Michal Hajas <mhajas@redhat.com>
2023-09-20 17:20:43 +02:00
Alexander Schwartz
798846df6f
Remove legacy code which isn't used anymore and was deprecated for some time (#23264)
Closes #23263
2023-09-18 11:04:02 +02:00
Peter Skopek
ef272f7668 SAML Adapter fix for EAP8 and WF29
Signed-off-by: Peter Skopek <pskopek@redhat.com>
2023-09-07 13:32:25 +02:00
Alexander Schwartz
dfc8c80264
Upgrade to Infinispan 14.0.14 (#22386)
Closes #21092
2023-08-16 14:43:03 +02:00
Todor Staykovski
dffa7a31cb
Add subgroups sorting (#22295)
* Review comments to add a test, update the API description and adjust the map storage.

Closes #19348

Co-authored-by: Alexander Schwartz <aschwart@redhat.com>
2023-08-07 21:18:09 +02:00
Alexander Schwartz
cf911075af
Re-adding Infinispan workarounds to prevent deadlocks (#22058)
Relates to #9871
Closes #22057
2023-07-31 10:37:28 +02:00
Alexander Schwartz
bd0f87fc4d
Remove Infinispan workarounds introduced to prevent deadlocks (#21862)
This should no longer be necessary after the upgrade to Infinispan 14.0.13.Final and ISPN-13666 being resolved.

Closes #9871
2023-07-24 09:50:32 +02:00
William Burns
de04684dd0
Do not cache a session that is already expired in listener (#21684)
Fixes part of #20983
2023-07-18 12:04:04 +02:00
Alexander Schwartz
9b3effb4b8 Prevent cache stampede on realms
Closes #21521
2023-07-15 09:03:53 +02:00
Patrick Jennings
399a23bd56
Find an appropriate key based on the given KID and JWA (#21160)
* keycloak-20847 Find an appropriate key based on the given KID and JWA. Prefers matching on both inputs but will match on partials if found. Or return the first key if a match is not found.

Mark Key as fallback if it is the singular client certificate to be used for signed JWT authentication.

* Update js/apps/admin-ui/public/locales/en/clients.json

Co-authored-by: Marek Posolda <mposolda@gmail.com>

* Updating boolean variable name based on suggestions by Marek.

* Adding integration test specifically for the JWT parameters for regression #20847.

---------

Co-authored-by: Marek Posolda <mposolda@gmail.com>
2023-07-10 13:28:55 +02:00
Martin Kanis
db9b6c2152 Make awaitInitialTransfer for ISPN configurable
Closes #16671
2023-06-27 14:04:03 +02:00
Alexander Schwartz
e410a76c42 Avoid caching the list of clientscopes in two places
Closes #20426

Co-authored-by: Martin Kanis <mkanis@redhat.com>
2023-06-13 21:33:21 +02:00
Vlasta Ramik
ed473da22b
Clean-up of deprecated methods and interfaces
Fixes #20877

Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com>
2023-06-09 17:11:20 +00:00
Hynek Mlnarik
12dd3edb10 Fix pagination issue with H6
With Hibernate ORM 6, pagination started to be unreliable: When
setting the max results only if the first row was 0 has randomly
affected other threads where first row was greater than 0. The
latter thread sometimes produced query which did *not* account
for the offset (cf. threads `-t1` and `-t2` below, while `-t2`
missed the `offset ? rows` part whic `-t3` has).

This has been fixed by setting the first row offset unconditionally.

Closes: #20202
Closes: #16570

```
2023-06-02 10:19:03.855000 TRACE [org.keycloak.models.sessions.infinispan.initializer.SessionInitializerWorker] (blocking-thread-node-2-p8-t1) Running computation for segment 0 with worker 0
2023-06-02 10:19:03.856000 TRACE [org.keycloak.models.sessions.infinispan.initializer.OfflinePersistentUserSessionLoader] (blocking-thread-node-2-p8-t1) Loading sessions for segment=0 lastSessionId=00000000-0000-0000-0000-000000000000 first=0
2023-06-02 10:19:03.856000 DEBUG [org.keycloak.models.jpa.PaginationUtils] (blocking-thread-node-2-p8-t1) Set max to 64 in org.hibernate.query.sqm.internal.QuerySqmImpl@2fb60f8b
2023-06-02 10:19:03.856000 DEBUG [org.keycloak.models.jpa.PaginationUtils] (blocking-thread-node-2-p8-t1) After pagination: 0, 64
2023-06-02 10:19:03.857000 TRACE [org.keycloak.models.sessions.infinispan.initializer.SessionInitializerWorker] (blocking-thread-node-2-p8-t2) Running computation for segment 1 with worker 1
2023-06-02 10:19:03.857000 TRACE [org.keycloak.models.sessions.infinispan.initializer.OfflinePersistentUserSessionLoader] (blocking-thread-node-2-p8-t2) Loading sessions for segment=1 lastSessionId=00000000-0000-0000-0000-000000000000 first=64
2023-06-02 10:19:03.857000 TRACE [org.keycloak.models.sessions.infinispan.initializer.SessionInitializerWorker] (blocking-thread-node-2-p8-t3) Running computation for segment 2 with worker 2
2023-06-02 10:19:03.857000 DEBUG [org.keycloak.models.jpa.PaginationUtils] (blocking-thread-node-2-p8-t2) Set first to 64 in org.hibernate.query.sqm.internal.QuerySqmImpl@71464e9f
2023-06-02 10:19:03.857000 DEBUG [org.keycloak.models.jpa.PaginationUtils] (blocking-thread-node-2-p8-t2) Set max to 64 in org.hibernate.query.sqm.internal.QuerySqmImpl@71464e9f
2023-06-02 10:19:03.857000 DEBUG [org.keycloak.models.jpa.PaginationUtils] (blocking-thread-node-2-p8-t2) After pagination: 64, 64
2023-06-02 10:19:03.857000 TRACE [org.keycloak.models.sessions.infinispan.initializer.OfflinePersistentUserSessionLoader] (blocking-thread-node-2-p8-t3) Loading sessions for segment=2 lastSessionId=00000000-0000-0000-0000-000000000000 first=128
10:19:03,859 DEBUG [org.hibernate.SQL] (blocking-thread-node-2-p8-t1)
    select
        p1_0.OFFLINE_FLAG,
        p1_0.USER_SESSION_ID,
        p1_0.CREATED_ON,
        p1_0.DATA,
        p1_0.LAST_SESSION_REFRESH,
        p1_0.REALM_ID,
        p1_0.USER_ID
    from
        OFFLINE_USER_SESSION p1_0,
        REALM r1_0
    where
        r1_0.ID=p1_0.REALM_ID
        and p1_0.OFFLINE_FLAG=?
        and p1_0.USER_SESSION_ID>?
    order by
        p1_0.USER_SESSION_ID fetch first ? rows only
10:19:03,859 DEBUG [org.hibernate.SQL] (blocking-thread-node-2-p8-t2)
    select
        p1_0.OFFLINE_FLAG,
        p1_0.USER_SESSION_ID,
        p1_0.CREATED_ON,
        p1_0.DATA,
        p1_0.LAST_SESSION_REFRESH,
        p1_0.REALM_ID,
        p1_0.USER_ID
    from
        OFFLINE_USER_SESSION p1_0,
        REALM r1_0
    where
        r1_0.ID=p1_0.REALM_ID
        and p1_0.OFFLINE_FLAG=?
        and p1_0.USER_SESSION_ID>?
    order by
        p1_0.USER_SESSION_ID fetch first ? rows only
2023-06-02 10:19:03.860000 TRACE [org.hibernate.orm.jdbc.bind] (blocking-thread-node-2-p8-t1) binding parameter [1] as [VARCHAR] - [1]
2023-06-02 10:19:03.860000 TRACE [org.hibernate.orm.jdbc.bind] (blocking-thread-node-2-p8-t1) binding parameter [2] as [VARCHAR] - [00000000-0000-0000-0000-000000000000]
2023-06-02 10:19:03.860000 TRACE [org.hibernate.orm.jdbc.bind] (blocking-thread-node-2-p8-t1) binding parameter [3] as [INTEGER] - [64]
10:19:03,860 DEBUG [org.hibernate.SQL] (blocking-thread-node-2-p8-t3)
    select
        p1_0.OFFLINE_FLAG,
        p1_0.USER_SESSION_ID,
        p1_0.CREATED_ON,
        p1_0.DATA,
        p1_0.LAST_SESSION_REFRESH,
        p1_0.REALM_ID,
        p1_0.USER_ID
    from
        OFFLINE_USER_SESSION p1_0,
        REALM r1_0
    where
        r1_0.ID=p1_0.REALM_ID
        and p1_0.OFFLINE_FLAG=?
        and p1_0.USER_SESSION_ID>?
    order by
        p1_0.USER_SESSION_ID offset ? rows fetch first ? rows only
2023-06-02 10:19:03.861000 TRACE [org.hibernate.orm.jdbc.bind] (blocking-thread-node-2-p8-t3) binding parameter [3] as [INTEGER] - [128]
2023-06-02 10:19:03.861000 TRACE [org.hibernate.orm.jdbc.bind] (blocking-thread-node-2-p8-t3) binding parameter [4] as [INTEGER] - [64]
```

Co-authored-by: mkanis <mkanis@redhat.com>
2023-06-07 20:45:34 +02:00
rmartinc
81aa588ddc Fix and correlate session timeout calculations in legacy and new map implementations
Closes https://github.com/keycloak/keycloak/issues/14854
Closes https://github.com/keycloak/keycloak/issues/11990
2023-06-05 18:46:23 +02:00
Tomas Slusny
1b06c4cf6c
Use cached policy store in Infinispan PolicyAdapter (#20566) 2023-05-29 10:39:24 -03:00
Alexander Schwartz
5cd0d51fa6 Don't remove an element from the cache that was queued to be created during the current request
This avoids a remove Infinispan call in multi-node and cross-DC setups.

Closes #20404
2023-05-25 10:33:23 +02:00
Pedro Ruivo
abd75a786f Enable simple-cache for local-cache
Closes #20486
2023-05-24 09:47:20 +02:00
Stefan Guilhen
2252b09949 Remove deprecated default roles methods
Closes #15046
2023-05-23 22:32:52 +02:00
mkrueger92
256bb84cc4
Avoid NPE while fetching offline sessions (#17577) 2023-05-18 13:32:02 +02:00
Alexander Schwartz
c2c5012cfb Upgrade to latest Infinispan version 14.0.8
Closes #20067
2023-05-02 13:45:05 +02:00
Hynek Mlnarik
4189edc9f1 Fix dependency
Fixes: #16538
2023-04-27 13:36:54 +02:00
Stefan Guilhen
e505021681 Model upgrade Hibernate/JPA
---
Quarkus3 branch sync no. 14 (24.4.2023)
Resolved conflicts:
keycloak/pom.xml - Modified
---
Quarkus3 branch sync no. 13 (11.4.2023)
Resolved conflicts:
keycloak/model/map-jpa/src/main/java/org/keycloak/models/map/storage/jpa/JpaMapStorageProviderFactory.java - Modified
---
Quarkus3 branch sync no. 11 (24.3.2023)
Resolved conflicts:
keycloak/model/map-jpa/src/main/java/org/keycloak/models/map/storage/jpa/JpaMapStorageProviderFactory.java - Modified
---
Quarkus3 branch sync no. 7 (27.2.2023)
Resolved conflicts:
keycloak/model/map-jpa/src/main/java/org/keycloak/models/map/storage/jpa/client/entity/JpaClientEntity.java - Modified
keycloak/model/map-jpa/src/main/java/org/keycloak/models/map/storage/jpa/clientScope/entity/JpaClientScopeEntity.java - Modified
keycloak/pom.xml - Modified
---
Quarkus3 branch sync no. 6 (17.2.2023)
Resolved conflicts:
keycloak/model/map-jpa/src/main/java/org/keycloak/models/map/storage/jpa/JpaMapStorageProviderFactory.java - Modified
---
Quarkus3 branch sync no. 1 (18.1.2023)
Resolved conflicts:
keycloak/model/map-jpa/src/main/java/org/keycloak/models/map/storage/jpa/hibernate/dialect/JsonbPostgreSQL95Dialect.java - Modified
2023-04-27 13:36:54 +02:00
Martin Bartoš
7cff857238 Migrate packages from javax.* to jakarta.*
---
Quarkus3 branch sync no. 14 (24.4.2023)
Resolved conflicts:
keycloak/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/federation/storage/ComponentExportImportTest.java - Modified
keycloak/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/DeclarativeUserTest.java - Modified
keycloak/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/federation/storage/FederatedStorageExportImportTest.java - Modified
keycloak/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/authentication/FlowTest.java - Modified
keycloak/services/src/main/java/org/keycloak/services/resources/admin/UserResource.java	- Modified
---
Quarkus3 branch sync no. 13 (11.4.2023)
Resolved conflicts:
keycloak/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/pages/AccountTotpPage.java - Deleted
keycloak/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/federation/storage/BackwardsCompatibilityUserStorageTest.java - Modified
---
Quarkus3 branch sync no. 12 (31.3.2023)
Resolved conflicts:
keycloak/quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/services/resources/QuarkusWelcomeResource.java - Modified
keycloak/services/src/main/java/org/keycloak/protocol/saml/profile/util/Soap.java - Modified
keycloak/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/util/UserInfoClientUtil.java - Modified
keycloak/services/src/main/java/org/keycloak/protocol/oidc/endpoints/UserInfoEndpoint.java - Modified
keycloak/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/sessionlimits/UserSessionLimitsTest.java - Modified
---
Quarkus3 branch sync no. 10 (17.3.2023)
Resolved conflicts:
keycloak/services/src/main/java/org/keycloak/protocol/saml/SamlProtocolUtils.java -	Modified
---
Quarkus3 branch sync no. 9 (10.3.2023)
Resolved conflicts:
keycloak/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/federation/kerberos/AbstractKerberosSingleRealmTest.java - Modified
keycloak/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/LoginTest.java - Modified
---
Quarkus3 branch sync no. 8 (3.3.2023)
Resolved conflicts:
keycloak/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/util/SamlClient.java	Modified - Modified
keycloak/services/src/main/java/org/keycloak/protocol/saml/SamlProtocol.java - Modified
keycloak/examples/providers/authenticator/src/main/java/org/keycloak/examples/authenticator/SecretQuestionAuthenticator.java - Modified
---
Quarkus3 branch sync no. 6 (17.2.2023)
Resolved conflicts:
keycloak/integration/admin-client/src/main/java/org/keycloak/admin/client/resource/ComponentsResource.java - Modified
keycloak/testsuite/utils/src/main/java/org/keycloak/testsuite/KeycloakServer.java - Modified
keycloak/services/src/main/java/org/keycloak/protocol/saml/installation/SamlSPDescriptorClientInstallation.java - Modified
---
Quarkus3 branch sync no. 5 (10.2.2023)
Resolved conflicts:
/keycloak/services/src/main/java/org/keycloak/social/google/GoogleIdentityProvider.java	Modified - Modified
keycloak/services/src/main/java/org/keycloak/social/twitter/TwitterIdentityProvider.java - Modified
---
Quarkus3 branch sync no. 4 (3.2.2023)
Resolved conflicts:
keycloak/quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/integration/jaxrs/QuarkusKeycloakApplication.java - Modified
---
Quarkus3 branch sync no. 1 (18.1.2023)
Resolved conflicts:
keycloak/testsuite/client/ClientPoliciesTest.java - Deleted
keycloak/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/ClientRegistrationTest.java - Modified
keycloak/model/map-jpa/src/main/java/org/keycloak/models/map/storage/jpa/JpaModelCriteriaBuilder.java - Modified
2023-04-27 13:36:54 +02:00
Martin Kanis
5e7793b64d Unexpected invalid_grant error on offline session refresh when client session is not in the cache
Closes #9959

Co-authored-by: Martin Kanis <mkanis@redhat.com>
Co-authored-by: Lex Cao <lexcao@foxmail.com>
2023-03-15 12:39:43 +01:00
Michal Hajas
465019bec4 Extract attachDevice outside of storage layer
Closes #17336
2023-03-03 17:58:34 +01:00
Jon Koops
972ebb9650
Use a valid SemVer format for the SNAPSHOT version (#17334)
* Use a valid SemVer format for the SNAPSHOT version

* Update pom.xml

* Update pom.xml

---------

Co-authored-by: Stian Thorgersen <stianst@gmail.com>
Co-authored-by: Stian Thorgersen <stian@redhat.com>
2023-03-03 11:11:44 +01:00
Hynek Mlnarik
3119566407 Prevent endless loop in case of split-brain
Fixes: #16427
2023-01-13 16:23:18 +01:00
Hynek Mlnarik
7708e2cc5c Fix putAll issues
Closes: #16287
2023-01-06 12:01:19 +01:00
Pedro Igor
fb554c09db Incrementally cache consents on a per client basis
Closes #16224
2023-01-03 14:28:41 -08:00
Martin Kanis
5aae3842c4 Upgrade to Infinispan 14.0.4.Final 2022-12-22 10:09:05 +01:00
Martin Kanis
08061afbd4
Replace operation set wrong lifespan in remote infinispan database and leads to session eviction (#15619)
Closes #10755
2022-11-23 12:03:50 +01:00
Martin Kanis
5e891951f5 Update Infinispan version to 14.0.2.Final 2022-11-16 14:56:45 +01:00
Michal Hajas
d9dcb6c60a Fix Infinispan adapter not checking updated value in getAttribute methods
Closes #12819
2022-11-07 20:44:43 +01:00
Marek Posolda
2ba5ca3c5f
Support for multiple keys with same kid, which differ just by algorithm in the JWKS (#15114)
Closes #14794
2022-11-03 09:32:45 +01:00
Alexander Schwartz
dd5a60c321 Allow a partial import to overwrite the default role
Closes #9891
2022-11-01 15:35:02 -03:00
Michal Hajas
883e83e625 Remove deprecated methods from data providers and models
Closes #14720
2022-10-25 09:01:33 +02:00
Martin Kanis
761929d174
Merge ActionTokenStoreProvider and SingleUseObjectProvider (#13677)
Closes #13334
2022-10-13 09:26:44 +02:00
Alice Wood
1eb7e95b97 enhance existing group search functionality allow exact name search keycloak/keycloak#13973
Co-authored-by: Abhijeet Gandhewar <agandhew@redhat.com>
2022-09-30 10:37:52 +02:00
Alice Wood
55a660f50b enhance group search to allow searching for groups via attribute keycloak/keycloak#12964
Co-authored-by: Abhijeet Gandhewar <agandhew@redhat.com>
Co-authored-by: Michal Hajas <mhajas@redhat.com>
2022-09-19 15:19:36 +02:00
Pedro Igor
aea6d7da27 Avoid updating offline session refresh time during creation
Closes #14384
2022-09-14 07:36:23 -03:00
Alexander Schwartz
621da7b803 Credential validation shouldn't invalidate the user in the cache
Instead create a new instance of LegacyUserCredentialManager to ensure all calls are routed via the CacheAdapter and its SubjectCredentialManagerCacheAdapter.

Closes #14309
2022-09-13 09:36:19 -03:00
Michal Hajas
f69497eb28 KEYCLOAK-12988 Deprecate getUsers* methods in favor of searchUsers* variants
Closes #14018
2022-09-06 10:38:28 +02:00
Alexander Schwartz
bb6b5abfa1 Remove Infinispan workarounds after upgrading to 13.x
Closes #13962
2022-08-30 07:32:19 -03:00
Tero Saarni
4f199c7245 Fix compilation errors with Eclipse Java compiler 2022-08-29 19:33:12 +02:00
Pedro Igor
2cc4b54404
Do not cache policies if they no longer exist (#12797)
Closes #12657

Co-authored-by: Michal Hajas <mhajas@redhat.com>

Co-authored-by: Michal Hajas <mhajas@redhat.com>
2022-08-25 13:52:30 +02:00
mposolda
254483bc5d Use separate transactions for each bulk update of offline sessions in PersisterLastSessionRefreshStore to avoid deadlocks
closes #13684
2022-08-23 13:52:11 +02:00
Sebastian Schuster
1445646e77 Fixed n+1 query retrieving user with brief user representation by allowing explicit eager caching of user attributese 2022-08-11 10:51:07 +02:00
Martin Kanis
57f2f4654a Add limit for authSessions per rootAuthSession in map storage 2022-08-10 12:56:37 +02:00
Alexander Schwartz
cb81a17611 Disable Infinispan for map storage and avoid the component factory when creating a realm independent provider factory
Provide startup time in UserSessionProvider independent of Infinispan,
cleanup code that is not necessary for the map storage as it isn't using Clustering.
Move classes to the legacy module.

Closes #12972
2022-07-22 08:20:00 +02:00
Alexander Schwartz
098d4dda0e
Split PublicKeyStorageProvider (#12897)
Split PublicKeyStorageProvider

- Extract clearCache() method to separate interface and move it to the legacy module
- Make PublicKeyProvider factories environment dependent
- Simple map storage for public keys that just delegates

Resolves #12763

Co-authored-by: Martin Kanis <mkanis@redhat.com>
2022-07-05 09:57:51 -03:00
Tero Saarni
3170efd3ad Removed unused imports with double semicolons 2022-06-30 09:34:30 -03:00
Alexander Schwartz
7855b93390 Moving the UserCache interface to the legacy module
Co-Authored-By: hmlnarik@redhat.com
2022-06-21 08:53:06 +02:00
Alexander Schwartz
cb0c881821 rename SingleEntityCredentialManager to SubjectCredentialManager 2022-06-21 08:53:06 +02:00
Alexander Schwartz
84d21f0230 for all added files in the PR, update the copyright header or add it if it was missing 2022-06-21 08:53:06 +02:00
Alexander Schwartz
d41764b19b Inline deprecated methods in legacy code 2022-06-21 08:53:06 +02:00
Hynek Mlnarik
e396d0daa1 Renaming SingleUserCredentialManager and UserModel.getUserCredentialManager():
- class SingleUserCredentialManager to SingleEntityCredentialManager
- method UserModel.getUserCredentialManager() to credentialManager()

Renaming of API without "get" prefix to make it consistent with other APIs like for example with KeycloakSession
2022-06-21 08:53:06 +02:00
Alexander Schwartz
14a369a8cc Added LegacySessionSupport SPI
While some methods around onCache() are still called from the legacy code, all other methods log a warning with a stacktrace.
2022-06-21 08:53:06 +02:00
Alexander Schwartz
6f287e7ded Avoid using methods on UserCredentialStoreManager 2022-06-21 08:53:06 +02:00
Alexander Schwartz
bc8fd21dc6 SingleUserCredentialManager moving in
- UserStorageManager now handles authentication for old Kerberos+LDAP style
- new getUserByCredential method in MapUserProvider would eventually do the same.
2022-06-21 08:53:06 +02:00
Hynek Mlnarik
703e868a51 Preparation for moving User Storage SPI
- Introduction of new AdminRealmResource SPI
- Moving handler of /realm/{realm}/user-storage into model/legacy-service
- session.users() and userStorageManager() moved refers legacy module
  IMPORTANT: Broken as UserStorageSyncManager is not yet moved
2022-06-21 08:53:06 +02:00
Hynek Mlnarik
36f76a37ad Move realms, clients, groups, roles, clientscopes into legacy module
- Introduces Datastore SPI for isolating data store methods
- Introduces implementation of the datastore for legacy storage
- Updates DefaultKeycloakSession to leverage Datastore SPI instead
  of direct creating of area providers by the session
2022-06-21 08:53:06 +02:00
Hynek Mlnarik
247ff52187 Introduce legacy datastore module and update dependencies 2022-06-21 08:53:06 +02:00
rmartinc
5332a7d435 Issue #9194: Client authentication fails when using signed JWT, if the JWA signing algorithm is not RS256 2022-06-06 12:07:09 +02:00
Pedro Igor
26c87af9f4 Avoiding unnecessary roundtrips to the database when evaluating permissions
Closes #12148

Co-authored-by: Vlasta Ramik <vramik@users.noreply.github.com>
2022-05-25 12:23:15 +02:00
Alexander Schwartz
1a95a58893 Graceful handling if composite roles have been removed concurrently.
Closes #12003
2022-05-17 13:29:15 +02:00
Martin Kanis
0d6bbd437f
Merge single-use token providers into one
Fixes first part of: #11173

* Merge single-use token providers into one

* Remove PushedAuthzRequestStoreProvider

* Remove OAuth2DeviceTokenStoreProvider

* Delete SamlArtifactSessionMappingStoreProvider

* SingleUseTokenStoreProvider cleanup

* Addressing Michal's comments

* Add contains method

* Add revoked suffix

* Rename to SingleUseObjectProvider
2022-05-11 13:58:58 +02:00
Michal Hajas
d3b43a9f59 Make sure there is always Realm or ResourceServer when searching for authz entities
Closes #11817
2022-05-11 07:20:01 -03:00
vramik
0d83b51b20 Enhance Map authz entities with REALM_ID (ResourceServer with CLIENT_ID) searchable field
Co-authored-by Michal Hajas <mhajas@redhat.com>

Closes #10883
2022-05-03 12:56:27 +02:00
Sven-Torben Janus
0efa4afd49 Evaluate composite roles for hardcoded LDAP roles/groups
Closes: 11771

see also KEYCLOAK-18308
2022-05-02 14:13:37 +02:00
vramik
2ecf250e37 Deletion of all objects when realm is being removed
Closes #11076
2022-04-28 11:09:17 +02:00
Stefan Guilhen
b29b27d731 Ensure code does not rely on a particular format for the realm id or component id 2022-04-20 14:40:38 +02:00
Pedro Igor
52d205ca91
Allow exposing some initial provider config options via web site (#10572)
* Allow exposing some initial provider config options via web site

Co-authored-by: Stian Thorgersen <stian@redhat.com>

Closes #10571

* Include type to provider options, and hide build-icon column as it's not relevant

Co-authored-by: stianst <stianst@gmail.com>
2022-04-19 08:01:42 +02:00
Pedro Igor
834a276767 NPE when caching policies based on scopes without a resource
Closes #11180
2022-04-08 08:43:08 -03:00
Martin Kanis
e493b08fa7 Add expiration field to root authentication session 2022-03-23 07:47:47 +01:00
Michal Hajas
99c06d1102
Authorization services refactoring
Closes: #10447 

* Prepare logical layer to distinguish between ResourceServer id and client.id
* Reorder Authz methods: For entities outside of Authz we use RealmModel as first parameter for each method, to be consistent with this we move ResourceServer to the first place for each method in authz
* Prepare Logical (Models/Adapters) layer for returning other models instead of ids
* Replace resourceServerId with resourceServer model in PermissionTicketStore
* Replace resourceServerId with resourceServer model in PolicyStore
* Replace resourceServerId with resourceServer model in ScopeStore
* Replace resourceServerId with resourceServer model in ResourceStore
* Fix PermissionTicketStore bug
* Fix NPEs in caching layer
* Replace primitive int with Integer for pagination parameters
2022-03-22 20:49:40 +01:00
keycloak-bot
c71aa8b711
Set version to 999-SNAPSHOT (#10784) 2022-03-22 09:22:48 +01:00
Alexander Schwartz
ebfc24d6c1 Ensure that Infinispan shutdowns correctly at the end of the tests. Report any exceptions within another thread as a test failure.
Adding additional information like a thread dump when it doesn't shutdown as expected.

Closes #10016
2022-03-04 10:47:01 +01:00
giacomo.altiero
91d37b5686 Single offlineSession imported in Infinispan with correctly calculated lifespan and maxIdle parameters
Close #8776
2022-03-01 14:51:29 +01:00
Martin Kanis
6249e34177 Hot Rod map storage: Client scope no-downtime store 2022-02-24 13:30:27 +01:00
Vlasta Ramik
aa6a131b73
Change String client.id to ClientModel client in ResourceServerStore
Closes #10442
2022-02-24 12:46:26 +01:00
keycloak-bot
d9f1a9b207
Set version to 18.0.0-SNAPSHOT (#10165) 2022-02-11 21:28:06 +01:00
Martin Kanis
0471ec4941 Cross-site validation for lazy loading of offline sessions & Switch default offline sessions to lazy loaded 2022-02-03 21:43:47 +01:00
Alexander Schwartz
2b81e62b6b Adding workaround for deadlock in tests for Infinispan 12.1.7
Closes #9648
2022-01-28 15:29:50 +01:00
Martin Kanis
9d5355b7ad Upgrade Infinispan to 12.1.7.Final 2022-01-08 17:29:09 +01:00
keycloak-bot
9f3d4a7d42 Set version to 17.0.0-SNAPSHOT 2021-12-20 10:50:39 +01:00
vramik
e61da278ba When ternary conditional operator uses primitive type it could throw NPE in some cases
Closes #9137
2021-12-15 10:25:54 +01:00
Alec Henninger
cec6a8a884 KEYCLOAK-19700: Attempt to reuse denied device authorization code results in server error 2021-11-08 11:37:51 +01:00
Martin Kanis
af97849feb KEYCLOAK-19030 Implement HotRodConnectionProvider 2021-10-27 14:07:19 +02:00
Martin Kanis
d069ec7949 KEYCLOAK-18737 Show sessions functionality does not work consistently
Co-authored-by: Pavel Bezdienezhnykh
Co-authored-by: Martin Kanis <mkanis@redhat.com>
2021-10-13 14:04:14 +02:00
Martin Kanis
30b3caee9f KEYCLOAK-18445 Add support for cross-site model tests 2021-10-06 14:37:06 +02:00
Michal Hajas
da0c945475 KEYCLOAK-18940 Add support for searching composite roles 2021-10-01 12:41:19 +02:00
Daniel Fesenmeyer
0a2f8f5b63 KEYCLOAK-17887 fix endpoint for creating or updating realm localization texts for a given locale (UnsupportedOperation was thrown because RealmAdapter tried to change unmodifiable map):
- fix RealmAdapter to create a new map instead of trying to change unmodifiable map
- only provide POST endpoints for creating or updating the texts (to have the endpoints consistent with other Admin API endpoints)
- add tests
2021-09-30 15:07:56 +02:00
stianst
f471a110cd KEYCLOAK-19408 Better client secrets 2021-09-29 18:19:43 +02:00
Martin Kanis
d606da9065 KEYCLOAK-18981 Infinispan: prevent fetching all sessions from remotes 2021-09-29 14:53:07 +02:00
Sven-Torben Janus
7c0d10130e KEYCLOAK-18981 Infinispan: prevent fetching all sessions from remotes 2021-09-24 17:34:01 +02:00
Daniel Fesenmeyer
339224578e KEYCLOAK-10603 adjust assignments to roles (user-role and group-role assignments, client-scope and client "scope mappings"): allow assignments of roles which are already indirectly assigned (e.g. by composite role)
- extend RoleMapperModel with method hasDirectRole(RoleModel), which only checks for direct assignment in contrast to the existing method hasRole(RoleModel)
- extend ScopeContainerModel with method hasDirectScope(RoleModel), which only checks for direct scope mapping in contrast to the existing method hasScope(RoleModel)
- use the new hasDirectRole and hasDirectScope methods to check whether a role is in the "available" list and whether it can be assigned (previously, the hasRole method was used for this purpose)
- add hint to UI that available roles contain effectively assigned roles which are not directly assigned
- adjust and extend tests
2021-09-22 13:56:29 +02:00
keycloak-bot
262ec3d031 Set version to 16.0.0-SNAPSHOT 2021-07-30 14:56:10 +02:00
Pedro Igor
d29d945cc4 [KEYCLOAK-18857] - Do not force default to RS256 when verifying tokens sent by clients and JWK does not hold an algorithm 2021-07-21 11:09:02 +02:00
Hryhorii Hevorkian
2803685cd7 KEYCLOAK-18353 Implement Pushed Authorization Request inside the Keycloak
Co-authored-by: Takashi Norimatsu <takashi.norimatsu.ws@hitachi.com>
Co-authored-by: mposolda <mposolda@gmail.com>
2021-07-03 08:47:42 +02:00