keycloak-scim

Author	SHA1	Message	Date
Stefan Wiedemann	efa6ddc41e	Create SPI and Provider for Verifiable Credentials Signing #25937 (#26263 ) * implement oid4vci service interfaces Signed-off-by: Stefan Wiedemann <wistefan@googlemail.com> * add oid4vc to the disabled features test Signed-off-by: Stefan Wiedemann <wistefan@googlemail.com> * fix test and add doc Signed-off-by: Stefan Wiedemann <wistefan@googlemail.com> * add the new preview feature Signed-off-by: Stefan Wiedemann <wistefan@googlemail.com> * add class-level doc remove wildcard imports Signed-off-by: Stefan Wiedemann <wistefan@googlemail.com> * add license headers Signed-off-by: Stefan Wiedemann <wistefan@googlemail.com> * fix year Signed-off-by: Stefan Wiedemann <wistefan@googlemail.com> * fix teste Signed-off-by: Stefan Wiedemann <wistefan@googlemail.com> * two additional test fixes Signed-off-by: Stefan Wiedemann <wistefan@googlemail.com> * make the feature experimental Signed-off-by: Stefan Wiedemann <wistefan@googlemail.com> * remove clock Signed-off-by: Stefan Wiedemann <wistefan@googlemail.com> * remove usage of var Signed-off-by: Stefan Wiedemann <wistefan@googlemail.com> * fix tests Signed-off-by: Stefan Wiedemann <wistefan@googlemail.com> --------- Signed-off-by: Stefan Wiedemann <wistefan@googlemail.com>	2024-01-25 07:36:28 +01:00
Stian Thorgersen	cbfdae5e75	Remove support for multiple AUTH_SESSION_ID cookies (#26462 ) Closes #26457 Signed-off-by: stianst <stianst@gmail.com>	2024-01-25 06:58:42 +01:00
rmartinc	7f195acc14	Enable verify profile required action by default for new realms Closes #25985 Signed-off-by: rmartinc <rmartinc@redhat.com>	2024-01-24 20:28:06 +01:00
Florian Garcia	af0b9164e3	fix: hardcoded conditional rendering of client secret input field (#25776 ) Closes #22660 Signed-off-by: ImFlog <garcia.florian.perso@gmail.com> Co-authored-by: useresd <yousifmagdi@gmail.com>	2024-01-24 16:30:22 +01:00
Stian Thorgersen	85ddac26ed	Remove code that expires old cookie paths (#26444 ) Closes #26416 Signed-off-by: stianst <stianst@gmail.com>	2024-01-24 13:43:03 +01:00
Lex Cao	142c14138f	Add verify email required action for IdP email verification Closes #26418 Signed-off-by: Lex Cao <lexcao@foxmail.com>	2024-01-24 12:15:09 +01:00
Takashi Norimatsu	b99f45ed3d	Supporting EdDSA closes #15714 Signed-off-by: Takashi Norimatsu <takashi.norimatsu.ws@hitachi.com> Co-authored-by: Muhammad Zakwan Bin Mohd Zahid <muhammadzakwan.mohdzahid.fg@hitachi.com> Co-authored-by: rmartinc <rmartinc@redhat.com>	2024-01-24 12:10:41 +01:00
Martin Kanis	84603a9363	Map Store Removal: Rename Legacy* classes (#26273 ) Closes #24105 Signed-off-by: Martin Kanis <mkanis@redhat.com>	2024-01-23 13:50:31 +00:00
Douglas Palmer	ffa069a33b	Invalidate authentication session on repeated Recovery Code failures Closes #26180 Signed-off-by: Douglas Palmer <dpalmer@redhat.com>	2024-01-22 11:57:47 +01:00
Stian Thorgersen	656e680019	Remove unused HttpResponse.setWriteCookiesOnTransactionComplete (#26326 ) Closes #26325 Signed-off-by: stianst <stianst@gmail.com>	2024-01-20 11:31:10 +01:00
Martin Bartoš	98be32d9ff	Parse default UserProfile configuration in the build time Closes #24890 Signed-off-by: Martin Bartoš <mabartos@redhat.com>	2024-01-19 17:05:59 -03:00
Douglas Palmer	e7d842ea32	Invalidate session secretly Signed-off-by: Douglas Palmer <dpalmer@redhat.com>	2024-01-19 15:44:35 -03:00
Douglas Palmer	18d0105de0	Invalidate authentication session on repeated OTP failures Closes #26177 Signed-off-by: Douglas Palmer <dpalmer@redhat.com>	2024-01-19 15:44:35 -03:00
Pedro Igor	62020ffc68	Make sure the component resolves to a UPConfig before cloning it Closes #26308	2024-01-18 19:11:48 +01:00
rmartinc	2f0a0b6ad8	Remove deprecated mode for saml encryption Closes #26291 Signed-off-by: rmartinc <rmartinc@redhat.com>	2024-01-18 16:52:10 +01:00
cgeorgilakis-grnet	ccade62289	Enhance error logs and error events during UserInfo endpoint and Token Introspection failure Closes #24344 Signed-off-by: cgeorgilakis-grnet <cgeorgilakis@admin.grnet.gr>	2024-01-16 11:26:29 +01:00
Alexander Schwartz	b9498b91cb	Deprecating the offline session preloading (#26160 ) Closes #25300 Signed-off-by: Alexander Schwartz <aschwart@redhat.com>	2024-01-16 09:29:01 +01:00
cgeorgilakis-grnet	a3257ce08f	OIDC Protocol Mappers with same claim Closes #25774 Signed-off-by: cgeorgilakis-grnet <cgeorgilakis@admin.grnet.gr>	2024-01-15 09:16:12 -03:00
rmartinc	e162974a8d	Integrate registration with terms and conditions required action Closes #25891 Signed-off-by: rmartinc <rmartinc@redhat.com>	2024-01-15 10:19:30 +01:00
MikeTangoEcho	c2b132171d	Add X509 thumbprint to JWT when using private_key_jwt Closes keycloak#12946 Signed-off-by: MikeTangoEcho <mathieu.thine@gmail.com>	2024-01-12 16:01:01 +01:00
Lex Cao	47f7e3e8f1	Use email verification instead of executing action for `send-verify-email` endpoint Closes #15190 Add support for `send-verify-email` endpoint to use the `email-verification.ftl` instead of `executeActions.ftl` Also introduce a new parameter `lifespan` to be able to override the default lifespan value (12 hours) Signed-off-by: Lex Cao <lexcao@foxmail.com>	2024-01-11 16:28:02 -03:00
mposolda	692aeee17d	Enable user profile by default closes #25151 Signed-off-by: mposolda <mposolda@gmail.com>	2024-01-11 12:48:44 -03:00
Patrick Hamann	d36913a240	Ensure protocol forced reauthentication is correctly mapped during SAML identity brokering Closes #25980 Signed-off-by: Patrick Hamann <patrick@fastly.com>	2024-01-10 20:46:35 +01:00
rmartinc	179ca3fa3a	Sanitize logs in JBossLoggingEventListenerProvider Closes #25078 Signed-off-by: rmartinc <rmartinc@redhat.com>	2024-01-10 16:50:27 +01:00
Réda Housni Alaoui	3c05c123ea	On invalid submission, IdpUsernamePasswordForm sends back the user to the standard UsernamePasswordForm template Signed-off-by: Réda Housni Alaoui <reda-alaoui@hey.com>	2024-01-09 16:04:52 -03:00
shigeyuki kabano	67e73d3d4e	Enhancing Lightweight access token M2(keycloak#25716) Closes keycloak#23724 Signed-off-by: shigeyuki kabano <shigeyuki.kabano.sj@hitachi.com>	2024-01-09 09:42:30 +01:00
Ricardo Martin	097d68c86b	Escape action in the form_post.jwt and only decode path in RedirectUtils (#93 ) (#25995 ) Closes #90 Signed-off-by: rmartinc <rmartinc@redhat.com>	2024-01-09 08:20:14 +01:00
Steven Hawkins	d1d1d69840	fix: adds a general error message and descriptions for some exceptions (#25806 ) closes: #25746 Signed-off-by: Steve Hawkins <shawkins@redhat.com>	2024-01-08 18:19:40 +00:00
Felix Gustavsson	0f47071a29	Check if UMA is enabled on resource, if not reject the request. Closes #24422 Signed-off-by: Felix Gustavsson <felix.gustavsson@topgolf.com>	2024-01-08 11:28:57 -03:00
agagancarczyk	768231d950	Localization tabs (#25532 ) * Add new localization tabs to Administration Console Closes #23057 Signed-off-by: Agnieszka <agancarc@redhat.com> Signed-off-by: Jon Koops <jonkoops@gmail.com> * css cleanup Signed-off-by: Agnieszka Gancarczyk <agancarc@redhat.com> * css cleanup Signed-off-by: Agnieszka Gancarczyk <agancarc@redhat.com> --------- Signed-off-by: Agnieszka <agancarc@redhat.com> Signed-off-by: Jon Koops <jonkoops@gmail.com> Signed-off-by: Agnieszka Gancarczyk <agancarc@redhat.com> Co-authored-by: Jon Koops <jonkoops@gmail.com> Co-authored-by: Agnieszka Gancarczyk <agancarc@redhat.com>	2024-01-08 14:03:26 +00:00
atharva kshirsagar	d7542c9344	Fix for empty realm name issue Throw ModelException if name is empty when creating/updating a realm Closes #17449 Signed-off-by: atharva kshirsagar <atharva4894@gmail.com> Signed-off-by: Alexander Schwartz <aschwart@redhat.com> Co-authored-by: Alexander Schwartz <aschwart@redhat.com>	2024-01-05 14:23:42 +01:00
Pedro Igor	8ff9e71eae	Do not allow verifying email from a different account Closes #14776 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>	2024-01-05 12:45:07 +01:00
Pedro Igor	f476a42d66	Fixing the registration_client_uri to point to a valid URI after updating a client Closes #23229 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>	2024-01-05 12:41:36 +01:00
Pedro Igor	986b6af4f5	Make sure the context path from the base URI is respected when building TOTP URIs Closes #21542 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>	2024-01-05 07:10:49 -03:00
Réda Housni Alaoui	a21e95c5ae	In UserProfileContext.IDP_REVIEW, NPE on UserModel#getEmail because UserModelDelegate#delegate is null Signed-off-by: Réda Housni Alaoui <reda-alaoui@hey.com>	2024-01-03 15:00:30 -03:00
Ben Cresitello-Dittmar	057d8a00ac	Implement Authentication Method Reference (AMR) claim from OIDC specification This implements a method for configuring authenticator reference values for Keycloak authenticator executions and a protocol mapper for populating the AMR claim in the resulting OIDC tokens. This implementation adds a default configuration item to each authenticator execution, allowing administrators to configure an authenticator reference value. Upon successful completion of an authenticator during an authentication flow, Keycloak tracks the execution ID in a user session note. The protocol mapper pulls the list of completed authenticators from the user session notes and loads the associated configurations for each authenticator execution. It then captures the list of authenticator references from these configs and sets it in the AMR claim of the resulting tokens. Closes #19190 Signed-off-by: Ben Cresitello-Dittmar <bcresitellodittmar@mitre.org>	2024-01-03 14:59:05 -03:00
Jon Koops	07f9ead128	Upgrade Welcome theme to PatternFly 5 Closes #21343 Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com> Signed-off-by: Jon Koops <jonkoops@gmail.com>	2024-01-03 14:46:01 -03:00
Pedro Igor	15b10f58fc	Make the user attribute available to the idp-review-user-profile.ftl template Closes #25872 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>	2024-01-03 13:26:33 -03:00
Réda Housni Alaoui	5287500703	@NoCache is not considered anymore Signed-off-by: Réda Housni Alaoui <reda-alaoui@hey.com>	2024-01-02 09:06:55 -03:00
Alexander Schwartz	9e890264df	Adding a test case to check that the expiration time is set on logout tokens Closes #25753 Signed-off-by: Alexander Schwartz <aschwart@redhat.com>	2023-12-22 20:13:40 +01:00
Niko Köbler	5e623f42d4	add the exp claim to the backchannel logout token This is now, as of Dec 15th 2023, part of the OIDC Backchannel Logout spec, chapter 2.4. As of chapter 4, the logout token should have a short expiration time, preferably at most two minutes in the future. So we set the expiration to this time. resolves #25753 Signed-off-by: Niko Köbler <niko@n-k.de>	2023-12-22 20:13:40 +01:00
DAHAG-ArisNourbakhsh	b52d97475a	Add raw OpenApi documentation files to rest-api documentation (#22940 ) Add raw OpenApi documentation files to rest-api documentation Closes #21559 Signed-off-by: Aris Nourbakhsh <aris.nourbakhsh@dahag.de> Signed-off-by: Alexander Schwartz <aschwart@redhat.com> Co-authored-by: Alexander Schwartz <aschwart@redhat.com>	2023-12-21 12:07:33 +01:00
Pedro Igor	ceb085e7b8	Update the UPDATE_EMAIL feature to rely on the user profile configuration when rendering templates and validating the email Closes #25704 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>	2023-12-20 15:15:06 -03:00
rmartinc	c2e41b0eeb	Make Locale updater generate an event and use the user profile Closes #24369 Signed-off-by: rmartinc <rmartinc@redhat.com>	2023-12-20 15:26:45 +01:00
Konstantinos Georgilakis	cf57af1d10	scope parameter in refresh flow Closes #12009 Signed-off-by: cgeorgilakis-grnet <cgeorgilakis@admin.grnet.gr>	2023-12-20 14:00:10 +01:00
mposolda	eb184a8554	More info on UserProfileContext closes #25691 Signed-off-by: mposolda <mposolda@gmail.com>	2023-12-19 13:00:31 -03:00
Ricardo Martin	32a70cbedd	Strip off user-info from redirect URI when validating using wildcard (#61 ) Closes keycloak/keycloak-private#58 Closes https://issues.redhat.com/browse/RHBK-679 Signed-off-by: rmartinc <rmartinc@redhat.com>	2023-12-19 10:13:36 -03:00
Joshua Sorah	d411eafc42	Ensure 'iss' is returned when 'prompt=none' and user is not authenticated, per RFC9207 Closes keycloak/keycloak#25584 Signed-off-by: Joshua Sorah <jsorah@redhat.com>	2023-12-19 10:38:05 +01:00
Ricardo Martin	2ba7a51da6	Escape action in the form_post response mode (#60 ) Closes keycloak/keycloak-private#31 Closes https://issues.redhat.com/browse/RHBK-652 Signed-off-by: rmartinc <rmartinc@redhat.com>	2023-12-18 18:10:41 -03:00
Konstantinos Georgilakis	ba8c22eaf0	Scope parameter in Oauth 2.0 token exchange Closes #21578 Signed-off-by: cgeorgilakis-grnet <cgeorgilakis@admin.grnet.gr>	2023-12-18 15:44:26 -03:00
Pedro Igor	778847a3ce	Updating theme templates to render user attributes based on the user profile configuration Closes #25149 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>	2023-12-18 15:35:52 -03:00
rmartinc	d841971ff4	Updating the UP configuration needs to trigger an admin event Close #23896 Signed-off-by: rmartinc <rmartinc@redhat.com>	2023-12-18 19:24:30 +01:00
mposolda	cd154cf318	User Profile: If required roles ('user') and reqired scopes are set, the required scopes have no effect closes #25475 Signed-off-by: mposolda <mposolda@gmail.com>	2023-12-18 11:32:27 +01:00
Takashi Norimatsu	59536becec	Client policies : executor for enforcing DPoP closes #25315 Signed-off-by: Takashi Norimatsu <takashi.norimatsu.ws@hitachi.com>	2023-12-18 10:45:18 +01:00
Yoshiyuki Tabata	0ca73829d0	Fix OpenAPI spec POST /admin/realms/{realm}/clients Closes #21536 Signed-off-by: Yoshiyuki Tabata <yoshiyuki.tabata.jy@hitachi.com>	2023-12-18 10:08:54 +01:00
Yoshiyuki Tabata	66ee27f413	Fix OpenAPI spec POST /admin/realms/{realm}/clients-initial-access Closes #25656 Signed-off-by: Yoshiyuki Tabata <yoshiyuki.tabata.jy@hitachi.com>	2023-12-18 09:12:02 +01:00
Joshua Sorah	a10149bbe9	For post logout redirect URI - Make '+' represent existing redirect URIs and merge with existing post logout redirect URIs Closes keycloak#25544 Signed-off-by: Joshua Sorah <jsorah@redhat.com>	2023-12-18 09:05:51 +01:00
Yoshiyuki Tabata	5bdadaacbc	Modify OpenAPI spec POST /admin/realms Closes #25565 Signed-off-by: Yoshiyuki Tabata <yoshiyuki.tabata.jy@hitachi.com>	2023-12-18 08:41:23 +01:00
Sophie Tauchert	3ab24afe93	Add response annotations to resourceserver Closes: #25604 Signed-off-by: Sophie Tauchert <sophie@999eagle.moe>	2023-12-15 19:45:39 +01:00
Erwin Rooijakkers	860978b15a	Change arg of getSubGroups to briefRepresentation Parameter name briefRepresentation should mean briefRepresentation, not full. This way callers will by default get the full representation, unless true is passed as value for briefRepresentation. Fixes #25096 Signed-off-by: Erwin Rooijakkers <erwin@rooijakkers.software>	2023-12-14 17:23:27 +01:00
Steven Hawkins	08751001db	enhance: adds truststores to the keycloak cr (#25215 ) also generally correcting the misspelling trustore closes: #24798 Signed-off-by: Steve Hawkins <shawkins@redhat.com>	2023-12-14 11:15:06 -03:00
mposolda	c81b533cf6	Update UserProfileProvider.setConfiguration. Tuning of UserProfileProvider.getConfiguration closes #25416 Signed-off-by: mposolda <mposolda@gmail.com>	2023-12-14 14:43:28 +01:00
Douglas Palmer	4b11afa87b	NullPointerException when key is not available in the database (#25395 ) * NullPointerException when key is not available in the database Closes #24485 Signed-off-by: Douglas Palmer <dpalmer@redhat.com> Co-authored-by: Alexander Schwartz <alexander.schwartz@gmx.net> Co-authored-by: Thomas Darimont <thomas.darimont@googlemail.com>	2023-12-14 09:57:53 +01:00
Václav Muzikář	e4c348e99e	Add new `--proxy-headers` option (#25178 ) * Add new `--proxy-headers` option Closes #23431 Signed-off-by: Václav Muzikář <vmuzikar@redhat.com> Co-authored-by: Martin Bartoš <mabartos@redhat.com> Co-authored-by: Alexander Schwartz <aschwart@redhat.com> * Address review comments vol. 03 Signed-off-by: Václav Muzikář <vmuzikar@redhat.com> * Address review comments vol. 04 Signed-off-by: Václav Muzikář <vmuzikar@redhat.com> --------- Signed-off-by: Václav Muzikář <vmuzikar@redhat.com> Co-authored-by: Martin Bartoš <mabartos@redhat.com> Co-authored-by: Alexander Schwartz <aschwart@redhat.com>	2023-12-13 10:48:12 -03:00
Pedro Igor	fa79b686b6	Refactoring user profile interfaces and consolidating user representation for both admin and account context Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>	2023-12-13 08:27:55 +01:00
Pedro Igor	78ba7d4a38	Do not allow removing username and email from user profile configuration Closes #25147 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>	2023-12-11 08:30:28 +01:00
Sophie Tauchert	1d56e0371e	Make sure authz endpoints are documented in openapi spec Closes: #25259 Signed-off-by: Sophie Tauchert <sophie@999eagle.moe>	2023-12-08 16:45:13 +01:00
mposolda	90bf88c540	Introduce ProtocolMapper.getEffectiveModel to make sure values displayed in the admin console UI are 'effective' values used when processing mappers closes #24718 Signed-off-by: mposolda <mposolda@gmail.com> Co-authored-by: Jon Koops <jonkoops@gmail.com>	2023-12-08 12:26:35 +01:00
saumeen prajapati	d829534237	Remove single quote from log string Closes #25060 Signed-off-by: saumeen prajapati <psaumeen@gmail.com>	2023-12-07 20:08:07 +00:00
wojnarfilip	925c5572ad	Re-enable Federated Access Token in user sessions Closes #25290 Signed-off-by: wojnarfilip <fwojnar@redhat.com>	2023-12-07 19:55:20 +01:00
Vlasta Ramik	df465456b8	Map Store Removal: Remove `LockObjectsForModification` (#25323 ) Signed-off-by: vramik <vramik@redhat.com> Closes #24793	2023-12-07 12:43:43 +00:00
Fouad Almalki	0e535d2bbe	Retrieve ClientConnection by invoking getConnection() instead of getContextObject() Signed-off-by: Fouad Almalki <me@fouad.io>	2023-12-07 13:11:54 +01:00
Stefan Guilhen	7b63d6d500	Remove ResponseSessionTask - this was tightly related to retriable transactions added to map store and is no longer needed. Closes #25309 Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>	2023-12-06 19:53:53 +01:00
Stefan Guilhen	8e918c2ebf	Revert changes to OIDCIdentityProvider that enlisted the client logout requests in a separate transaction. Closes #25308 Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>	2023-12-06 19:47:04 +01:00
rmartinc	522e8d2887	Workaround to allow percent chars in getGroupByPath via PathSegment Closes #25111 Signed-off-by: rmartinc <rmartinc@redhat.com>	2023-12-06 14:22:34 -03:00
rmartinc	d004e9295f	Do not allow remove a credential in account endpoint if provider marks it as not removable Closes #25220 Signed-off-by: rmartinc <rmartinc@redhat.com>	2023-12-05 17:11:57 +01:00
Michal Hajas	ec061e77ed	Remove GlobalLockProviderSpi (#25206 ) Closes #24103 Signed-off-by: Michal Hajas <mhajas@redhat.com>	2023-12-01 16:40:56 +00:00
Ricardo Martin	3b26e5d489	Add active RSA key to decryption if deprecated mode (#25205 ) Closes https://github.com/keycloak/keycloak/issues/24652 Signed-off-by: rmartinc <rmartinc@redhat.com>	2023-12-01 13:40:47 +00:00
mposolda	3fa2d155ca	Decouple factory methods from the provider methods on UserProfileProvider implementation closes #25146 Signed-off-by: mposolda <mposolda@gmail.com>	2023-12-01 10:30:57 -03:00
Pedro Igor	c7f63d5843	Add options to change behavior on how unmanaged attributes are managed Closes #24934 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>	2023-11-30 06:58:21 -03:00
Steven Hawkins	8c3df19722	feature: add option for creating a global truststore (#24473 ) closes #24148 Co-authored-by: Václav Muzikář <vaclav@muzikari.cz> Co-authored-by: Martin Bartoš <mabartos@redhat.com>	2023-11-30 08:57:17 +01:00
Douglas Palmer	d0b86d2f64	Register event not triggered on external to internal token exchange Closes #9684 Signed-off-by: Douglas Palmer <dpalmer@redhat.com>	2023-11-29 15:30:47 -03:00
mposolda	479e6bc86b	Update Kerberos provider for user-profile closes #25074 Signed-off-by: mposolda <mposolda@gmail.com>	2023-11-29 15:21:26 -03:00
rmartinc	16afecd6b4	Allow automatic download of SAML certificates in the identity provider Closes https://github.com/keycloak/keycloak/issues/24424 Signed-off-by: rmartinc <rmartinc@redhat.com>	2023-11-29 18:03:31 +01:00
rmartinc	3bc028fe2d	Remove lowercase for the hostname as recommended/advised by OAuth spec Closes https://github.com/keycloak/keycloak/issues/25001 Signed-off-by: rmartinc <rmartinc@redhat.com>	2023-11-29 10:26:00 -03:00
rmartinc	b6cdcb3c27	Revert "Fix lowerCaseHostname to lower-case scheme and host properly" This reverts commit `1241bd2919`. Signed-off-by: rmartinc <rmartinc@redhat.com>	2023-11-29 10:26:00 -03:00
Douglas Palmer	5ce41a462b	NPE in HardcodedUserSessionAttributeMapper on Token Exchange Closes #11996 Signed-off-by: Douglas Palmer <dpalmer@redhat.com>	2023-11-29 09:35:49 -03:00
Douglas Palmer	7e78d29f8d	NPE in User Session Note mapper on Token Exchange Closes #24200 Signed-off-by: Douglas Palmer <dpalmer@redhat.com>	2023-11-29 09:35:49 -03:00
hokuda	a83b9d11fa	Fix typo in the balloon help of SAML Username Template Importer closes #25033 Signed-off-by: hokuda <hisanobu.okuda@gmail.com>	2023-11-29 09:32:16 -03:00
Douglas Palmer	e99bd4aa3a	External to Internal Token exchange fails with Null pointer Exception if the user is not yet registered (first time token exchange) Closes #16059 Signed-off-by: Douglas Palmer <dpalmer@redhat.com>	2023-11-29 09:16:14 -03:00
Michal Hajas	2b2207af93	Publish information about Infinispan availability in lb-check if MULTI_SITE is enabled Closes #25077 Signed-off-by: Michal Hajas <mhajas@redhat.com> Signed-off-by: Alexander Schwartz <aschwart@redhat.com> Co-authored-by: Pedro Ruivo <pruivo@redhat.com> Co-authored-by: Alexander Schwartz <aschwart@redhat.com>	2023-11-29 11:06:41 +00:00
Jon Koops	0b9dd21b0a	Attempt to request storage access for cookies (#25055 ) Closes #23872 Signed-off-by: Jon Koops <jonkoops@gmail.com>	2023-11-27 18:23:40 +00:00
Pedro Igor	2c611cb8fc	User profile configuration scoped to user-federation provider closes #23878 Co-Authored-By: mposolda <mposolda@gmail.com> Signed-off-by: mposolda <mposolda@gmail.com>	2023-11-27 14:45:44 +01:00
Stian Thorgersen	a32b58d337	Escape ldap id when using normal attribute syntax (#25 ) (#25036 ) Closes https://github.com/keycloak/security/issues/46 Co-authored-by: Ricardo Martin <rmartinc@redhat.com>	2023-11-27 11:38:14 +01:00
Takashi Norimatsu	1f5ee9bf80	NPE in checkAndBindMtlsHoKToken on Token Refresh when using SuppressRefreshTokenRotationExecutor and Certificate Bound Token closes #25022 Signed-off-by: Takashi Norimatsu <takashi.norimatsu.ws@hitachi.com>	2023-11-27 08:49:48 +01:00
Sophie Tauchert	855aebabc2	Rename clientUuid path parameter to client-uuid for consistency Closes #24960 Signed-off-by: Sophie Tauchert <sophie@999eagle.moe>	2023-11-23 16:08:58 +01:00
Sophie Tauchert	496c0e7f03	Rename some path parameter placeholders to avoid duplicating {id} in the path Closes #24960 Signed-off-by: Sophie Tauchert <sophie@999eagle.moe>	2023-11-23 16:08:58 +01:00
Sophie Tauchert	3e17cb0452	Add correct annotation for 204 responses to POST methods returning void Closes #24960 Signed-off-by: Sophie Tauchert <sophie@999eagle.moe>	2023-11-23 16:08:58 +01:00
Douglas Palmer	efde3adf60	Wrong value for VALIDATED_ID_TOKEN stored in the brokered identity context for external token exchange Closes #23985 Signed-off-by: Douglas Palmer <dpalmer@redhat.com>	2023-11-23 11:52:37 -03:00
Douglas Palmer	2ec1d2f7ea	Fix logic error in AbstractOAuth2IdentityProvider Closes #24943 Signed-off-by: Douglas Palmer <dpalmer@redhat.com>	2023-11-23 11:43:42 -03:00
Tero Saarni	fd58cb1bec	Attempt to remove warning about not using inference Signed-off-by: Tero Saarni <tero.saarni@est.tech>	2023-11-23 10:49:58 -03:00
Tero Saarni	e35f3d7e87	Fix compilation error with ServerInfoAdminResource This change fixes following type inference error: * Type mismatch: cannot convert from Map<Boolean,Object> to Map<Boolean,List<String>> The error comes when opening and compiling on vscode or Eclipse, which uses Eclipse JDT compiler. Signed-off-by: Tero Saarni <tero.saarni@est.tech>	2023-11-23 10:49:58 -03:00
Sebastian Schuster	030f42ec83	More efficient listing of assigned and available client role mappings Closes #23404 Signed-off-by: Sebastian Schuster <sebastian.schuster@bosch.io> Co-authored-by: Vlasta Ramik <vramik@users.noreply.github.com>	2023-11-22 14:10:11 +01:00
Thomas Darimont	d30d692335	Introduce MaxAuthAge Password policy (#12943 ) This policy allows to specify the maximum age of an authentication with which a password may be changed without re-authentication. Defaults to 300 seconds (default taken from Constants.KC_ACTION_MAX_AGE) to remain backwards compatible. A value of 0 will always require reauthentication to update the password. Add documentation for MaxAuthAgePasswordPolicy to server_admin Fixes #12943 Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>	2023-11-20 14:48:17 +01:00
rmartinc	1241bd2919	Fix lowerCaseHostname to lower-case scheme and host properly Closes https://github.com/keycloak/keycloak/issues/24792 Signed-off-by: rmartinc <rmartinc@redhat.com>	2023-11-20 10:00:50 +01:00
Erik Jan de Wit	941457b805	added theme name as parameter moved messages to theme bundle Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>	2023-11-17 08:35:54 +01:00
rmartinc	5fad76070a	Use LinkedIn instead of LinkedIn OpenID Connect for better UI experience Closes https://github.com/keycloak/keycloak/issues/24659 Signed-off-by: rmartinc <rmartinc@redhat.com>	2023-11-16 18:22:16 +01:00
Hynek Mlnarik	70d0f731f5	Use session ID rather than broker session ID Closes: #24455 Signed-off-by: Hynek Mlnarik <hmlnarik@redhat.com>	2023-11-16 17:01:40 +01:00
Vlasta Ramik	d86e062a0e	Removal of retry blocks introduced for CRDB Closes #24095 Signed-off-by: vramik <vramik@redhat.com> Signed-off-by: Alexander Schwartz <aschwart@redhat.com> Co-authored-by: Alexander Schwartz <aschwart@redhat.com>	2023-11-16 13:50:56 +01:00
rmartinc	cca33baac3	Avoid NPE if RelayState is null and return a proper error Closes https://github.com/keycloak/keycloak/issues/24079 Signed-off-by: rmartinc <rmartinc@redhat.com>	2023-11-16 12:56:49 +01:00
Erik Jan de Wit	89abc094d1	userprofile shared (#23600 ) * move account ui user profile to shared * use ui-shared on admin same error handling also introduce optional renderer for added component * move scroll form to ui-shared * merged with main * fix lock file * fixed merge error * fixed merge errors * fixed tests * moved user profile types to admin client * fixed more types * pr comments * fixed some types	2023-11-14 08:04:55 -03:00
Erik Jan de Wit	fe7833c957	Load Admin Console localizations from resource bundles (#24316 ) Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>	2023-11-13 12:39:46 -05:00
Hynek Mlnařík	0ceaed0e2e	Transient users: Consents (#24496 ) closes #24494	2023-11-10 11:18:27 +01:00
mposolda	7863c3e563	Moving UPConfig and related classes from keycloak-services closes #24535 Signed-off-by: mposolda <mposolda@gmail.com>	2023-11-07 12:41:29 +01:00
Joshua Sorah	7ca00975d4	Feature flag DPoP metadata in OIDC Well Known endpoint Closes keycloak/keycloak#24547 Signed-off-by: Joshua Sorah <jsorah@gmail.com>	2023-11-06 03:13:57 -08:00
Oliver	563ae104fd	[issue-14134] test partial import user with id Fix #14134	2023-11-02 05:56:12 -07:00
rmartinc	d7bb59461d	Escape $ sign when replacing clientId in the role mappers Closes https://github.com/keycloak/keycloak/issues/23692	2023-11-01 20:47:15 +01:00
rokkiter	e1735138cb	clean util * (#24174 ) Signed-off-by: rokkiter <yongen.pan@daocloud.io>	2023-11-01 17:14:11 +01:00
Pedro Igor	be65ba8689	Make sure optional default attributes are removed when decorating the user-define user profile configuration Closes #24420	2023-11-01 14:54:09 +01:00
mposolda	0bd2b342d7	Update per review	2023-10-31 12:56:46 -07:00
mposolda	6f992915d7	Move some UserProfile and Validation classes into keycloak-server-spi closes #24387	2023-10-31 12:56:46 -07:00
Justin Tay	3ff0476cc3	Allow customization of aud claim with JWT Authentication Closes #21445	2023-10-31 11:33:47 -07:00
rmartinc	7deb4ca545	Group count and PartialExport permission fixes Closes https://github.com/keycloak/keycloak/issues/12171	2023-10-31 01:40:21 -07:00
rmartinc	6484a3e705	Add userProfileEnabled attribute to realm response if admin can view users closes https://github.com/keycloak/keycloak/issues/19093	2023-10-30 07:39:03 -07:00
Alice	69497382d8	Group scalability upgrades (#22700 ) closes #22372 Co-authored-by: Erik Jan de Wit <erikjan.dewit@gmail.com> Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com> Co-authored-by: Michal Hajas <mhajas@redhat.com>	2023-10-26 16:50:45 +02:00
Hynek Mlnarik	2c4d58f5af	Fix KcOidcBrokerTransientSessionsTest Closes: #24313	2023-10-26 14:36:01 +02:00
rmartinc	faf398e3c3	Add openapi annotations to the UserProfileResource Closes https://github.com/keycloak/keycloak/issues/9318	2023-10-25 07:44:24 -07:00
Hynek Mlnarik	a668c2cb2b	Support for transient brokering in admin console Part-of: Add support for not importing brokered user into Keycloak database Closes: #11334	2023-10-25 12:02:35 +02:00
Hynek Mlnarik	26328a7c1e	Support for transient sessions via lightweight users Part-of: Add support for not importing brokered user into Keycloak database Closes: #11334	2023-10-25 12:02:35 +02:00
ggraziano	84112f57b5	Verification of iss at refresh token request Added iss checking using the existing TokenVerifier.RealmUrlCheck in the verifyRefreshToken method. Closes #22191	2023-10-24 23:42:11 +02:00
Marek Posolda	1bd6aca629	Remove RegistrationProfile class and handle migration (#24215 ) closes #24182 Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com>	2023-10-24 20:19:33 +02:00
Thomas Darimont	e567210ed1	Add dedicated feature flag for oauth device grant flow (#23892 ) Closes #23891	2023-10-24 10:09:26 +02:00
Erik Jan de Wit	e4632c9e78	move to theme resource	2023-10-23 15:17:18 -07:00
Erik Jan de Wit	f3d387172e	changed to realm, because that is the source	2023-10-23 15:17:18 -07:00
Erik Jan de Wit	0f878566ab	add new locale endpoint that returns the messages	2023-10-23 15:17:18 -07:00
vramik	a0f04fa2be	Declarative User Profile export Closes #12062 Resolves #20885	2023-10-21 19:21:20 +02:00
Pedro Igor	e47389f199	Username now shown when creating a user and edit username is not allowed Closes #24183	2023-10-20 10:22:31 -07:00
Pedro Igor	55a5a8c0eb	Ignore custom attributes when processing attributes in verify profile action Closes #24077	2023-10-20 17:51:40 +02:00
mposolda	c18e8ff535	User profile tweaks in registration forms closes #24024	2023-10-20 06:31:21 -07:00
kaustubh-rh	1ac2c0997d	Inconsistent handling of parenthesis in auth flow name (#24113 ) closes #16379	2023-10-20 10:00:46 +02:00
mposolda	04777299b0	After tab1 finish authentication, make sure that rootAuthenticationSession is expired shortly closes #23880	2023-10-19 19:23:50 +02:00
Andrew	77c3e7190c	updates to method contracts and code impl to be more specific about providerAlias (#24070 ) closes #24072	2023-10-18 08:33:06 +02:00
Pedro Igor	e91a0afca2	The username in account is required and don't change when email as username is enabled Closes #23976	2023-10-17 16:43:44 -03:00
shigeyuki kabano	6112b25648	Enhancing Light Weight Token(#22148 ) Closes #21183	2023-10-17 13:12:36 +02:00
Pedro Igor	9c19a8972b	Removing the default cache metadata Closes #23910	2023-10-13 16:32:55 +02:00
Charley Wu	31759f9c37	WebAuthn support for native applications. Support custom FIDO2 origin validation (#23156 ) Closes #23155	2023-10-13 15:25:10 +02:00
Moritz Becker	e9f08b6500	Do not return empty scope field in token introspection response Closes #16526	2023-10-13 08:36:12 +02:00
duckboy81	197b39492e	Update TokenManager.java Fixed minor spelling typos	2023-10-12 14:56:24 +02:00
ici-dev-gb	32b373f05f	Don't use top-level `await` for storage access checks (#23793 ) Closes #23743	2023-10-12 09:28:01 +00:00
Vojtěch Boček	8871983b33	Add support for single-tenant mode to Microsoft Identity Provider (#20699 ) * Add support for single-tenant mode to Microsoft Identity Provider Fixes #20695 Closes #11207 * Add SocialLoginTest for Microsoft single-tenant variant	2023-10-10 16:35:36 -04:00
Marek Posolda	a6609bd969	Remove "You are already logged in" during authentication. Make other browser tabs to authenticate automatically when some browser tab successfully authenticate (#23517 ) Closes #12406 Co-authored-by: Jon Koops <jonkoops@gmail.com>	2023-10-10 21:54:37 +02:00
Pedro Igor	7385ed56c7	Avoid creating the component when there is no component and configuration is not provided Closes #20970 Co-authored-by: Pedro Igor <psilva@redhat.com>	2023-10-10 13:28:48 +02:00
Daniel Fesenmeyer	dd37e02140	Improve logging in case of OIDC Identity provider errors: - log the full Redirection URL, when it contains an error parameter, or does not contain the state or code parameter - log the token endpoint URL (without - possibly confidential - params) and the response body, when the token endpoint does not return a success response Closes #23690	2023-10-06 19:03:41 +02:00
mposolda	cdb61215c9	UserProfileContext.ACCOUNT_OLD seems to be obsolete and not needed closes #23749	2023-10-06 11:27:48 -03:00
Pedro Igor	290bee0787	Resolve several usability issues around User Profile (#23537 ) Closes #23507, #23584, #23740, #23774 Co-authored-by: Jon Koops <jonkoops@gmail.com>	2023-10-06 10:15:39 -03:00
rmartinc	890600c33c	Remove backward compatibility for ECDSA tokens Closes https://github.com/keycloak/keycloak/issues/23734	2023-10-06 14:24:48 +02:00
Garth	2dfbbff343	added AccountResource SPI, Provider and ProviderFactory. (#22317 ) Added AccountResource SPI, Provider and ProviderFactory. updated AccountLoader to load provider(s) and check if it is compatible with the chosen theme.	2023-10-05 15:08:01 +02:00
Justin Tay	55751a0830	Fix client assertion with invalid ES256, ES384, ES512 signatures Closes #23721	2023-10-05 13:07:52 +02:00
Steve Hawkins	fb69936f14	Aligns the logic in the welcome resources as a result the quarkus one can be removed closes keycloak#23243	2023-09-28 19:33:12 -03:00
Jon Koops	1b6cb7b2a9	Always check storage access before placing test cookie (#23393 )	2023-09-27 13:38:53 +02:00
Lucas Hedding	de5aa2e74d	Add createTimestamp to REST service (#23293 ) Closes #14009	2023-09-27 13:38:16 +02:00
rmartinc	10c1e3ba6d	Client roles should be mapped to any claim name Closes https://github.com/keycloak/keycloak/issues/22349	2023-09-27 08:11:22 -03:00
rmartinc	d90640b5a3	Change email checkserveridentity prop as angus mail sets it to true by default Closes https://github.com/keycloak/keycloak/issues/22395	2023-09-26 09:11:16 +02:00
Maria Arias de Reyna	c15753266f	fix(Closes #21236 ): Adding client-id to logout event	2023-09-25 13:20:26 +02:00
Pedro Igor	741f76887c	Allow updating email when email as username is set and edit username disabed #23438	2023-09-25 08:19:01 -03:00
Michal Hajas	496c5ad989	Use new findGroupByPath implementation and remove the old one Closes #23344 Signed-off-by: Michal Hajas <mhajas@redhat.com>	2023-09-25 10:44:24 +02:00
Justin Tay	7d3104ee76	Allow public clients to use PAR endpoint Closes #8939	2023-09-21 13:57:42 +02:00
rmartinc	082b0ed308	verifyRedirectUri should return null when the passed redirectUri is invalid Closes https://github.com/keycloak/keycloak/issues/22778	2023-09-21 08:19:00 +02:00
rmartinc	f8a9e0134a	Ensure that the EncryptedKey is passed to the DecryptionKeyLocator for SAML Closes https://github.com/keycloak/keycloak/issues/22974	2023-09-20 15:09:18 +02:00
Jon Koops	e86bf1f0b2	Remove `P3P` header from authentication flow Closes #23348	2023-09-19 08:50:33 -03:00
rmartinc	743bb696d9	Allow duplicated keys in advanced claim mappers Closes https://github.com/keycloak/keycloak/issues/22638	2023-09-19 07:49:34 -03:00
Pedro Igor	217a09ce46	Switch to Resteasy Reactive Closes #10713	2023-09-18 09:19:03 -03:00
Thomas Darimont	04d16ed170	Prevent NPE in AuthenticationManager.backchannelLogout (#23306 ) Previously, if the user was already removed from the userSession and the log level was set to DEBUG, then an NPE was triggered by the debug log statement during backchannelLogout. Fixes #23306	2023-09-18 08:16:51 +02:00
paul	f684a70048	KEYCLOAK-15985 Add Brute Force Detection Lockout Event	2023-09-15 10:32:07 -03:00
Pedro Igor	1442f14c45	Registration page not showing username when edit username is not enabled Closes #23185	2023-09-14 07:32:39 -03:00
Justin Tay	658c0ef19f	Send Client ID in token request with JWT Authentication Closes #21444	2023-09-14 10:57:32 +02:00
Pedro Igor	5958c7948d	Ignore attributes when they are not prefixed with user.attributes prefix (#23184 ) Co-authored-by: mposolda <mposolda@gmail.com> Co-authored-by: stianst <stianst@gmail.com>	2023-09-14 10:35:47 +02:00
Daniel Fesenmeyer	a68ad55a37	Support to define compatible mappers for (new) Identity Providers - Also allows to use existing mappers for custom Identity Providers without having to change those mappers Closes #21154	2023-09-13 17:19:06 -03:00
Konstantinos Georgilakis	0044472f87	Add regex support in 'Condition - User attribute' execution Closes #265	2023-09-13 08:36:45 +02:00
Erik Jan de Wit	0789d3c1cc	better features overview (#22641 ) Closes #17733	2023-09-12 16:03:13 +02:00
Thomas Darimont	3908537254	Show expiration date for certificates in Admin Console (#23025 ) Closes #17743	2023-09-12 07:56:09 -04:00
Marek Posolda	56b94148a0	Remove bearer-only occurences in the documentation when possible. Mak… (#23148 ) closes #23066 Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com>	2023-09-12 09:38:19 +02:00
Erik Jan de Wit	c7dcef7af8	fixed permissions for locale fetch (#23078 ) fixes: #23065	2023-09-11 15:00:40 -04:00
Adeel Ahmad	4f90124612	Print 'key' in ReadOnlyAttributeUnchangedValidator failure log message This change is quite useful for debugging and helps identify which specific attribute makes the update fail. Currently, the full pattern is printed which consists of multiple attributes.	2023-09-11 10:45:08 -03:00
kaustubh-rh	62927433dc	Fix for Keycloak 22.0.1 unable to create user with long email address (#23109 ) Closes #22825	2023-09-11 08:56:13 +02:00
rmartinc	7da52a43bd	Add old LinkedIn provider to the deprecated profile Closes https://github.com/keycloak/keycloak/issues/23067	2023-09-08 10:05:17 +02:00
Marek Posolda	506e2537ac	Registration flow fixed (#23064 ) Closes #21514 Co-authored-by: Vilmos Nagy <vilmos.nagy@outlook.com> Co-authored-by: Alexander Schwartz <aschwart@redhat.com> Co-authored-by: Marek Posolda <mposolda@gmail.com>	2023-09-08 08:05:05 +02:00
Pedro Igor	bc31fde4c0	Broker claim mapper not recognizing claims from user info endpoint Closes #12137	2023-09-07 16:34:45 +02:00
stianst	211c027adb	Remove use of Guava in services Closes #23009	2023-09-07 08:59:02 +02:00
Kaustubh B	5ee2ba9372	Added tests	2023-09-07 08:43:35 +02:00
Kaustubh B	c57e775102	Fixed Regex	2023-09-07 08:43:35 +02:00
rmartinc	8887be7887	Add a new identity provider for LinkedIn based on OIDC Closes https://github.com/keycloak/keycloak/issues/22383	2023-09-06 16:13:31 +02:00
Pedro Igor	13e5a02b9f	Role mappers must return a single value when they are not multivalued Closes #20218	2023-08-31 19:16:12 +02:00
Pedro Igor	ea3225a6e1	Decoupling legacy and dynamic user profiles and exposing metadata from admin api Closes #22532 Co-authored-by: Erik Jan de Wit <erikjan.dewit@gmail.com>	2023-08-29 08:14:47 -03:00
Pedro Igor	b779df6a55	Parsing response from user info rather than the access token Closes #22581	2023-08-29 12:23:56 +02:00
rmartinc	b67ede2a30	RedirectUtils needs to use KeycloakUriBuilder with no parameter parsing Closes https://github.com/keycloak/keycloak/issues/22424	2023-08-17 09:11:08 +02:00
Erik Jan de Wit	b4650b7742	use logged in realm as default (#22460 )	2023-08-16 14:29:07 -04:00
t0xicCode	822c13ff6f	Switch Trusted Host policy redirect verification to URI Switch parsing of the redirect URIs for the Trusted Host Client Registration Policy from URL to URI. The java URL class tries to instantiate a handler for the scheme, which fails when a "custom" scheme, such as those used in phone apps is used. In contrast, the URI class simply parses the string, ensuring the format is valid. The other URLs (baseUrl, rootUrl, adminUrl) are still parsed as URLs. See https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata for the Client Registration parameter documentation. Closes #22309	2023-08-14 10:20:23 +02:00
Pedro Igor	baac060eb1	Fixing how e-mail attribute permissions are set for both USER_API and ACCOUNT contexts Closes #21751	2023-08-11 13:32:16 +02:00
Erik Jan de Wit	874d2063b8	only add realm access to the current realm (#21554 ) fixes: #21553	2023-08-10 12:43:15 +02:00
Takashi Norimatsu	258711ef4f	DPoP verification in UserInfo endpoint closes #22215	2023-08-07 10:49:33 +02:00
Takashi Norimatsu	9d0960d405	Using DPoP token type in the access-token and as token_type in introspection response closes #21919	2023-08-07 10:40:18 +02:00
Erik Jan de Wit	339619816a	lazy populate the treeview for groups (#21520 ) * added lazy parameter fixes: #19954 * changed to only have the parameter * fixed merge errors * removed the `lazy` and now add subgroups on select * lint * fixed prettier * fixed nullpointer * fixed member tab	2023-08-04 20:19:34 +00:00
Rishabh Dixit	d73298aab6	Add getStatus() to response obj Closes #22241	2023-08-04 18:43:50 +02:00
Marek Posolda	4dc929abb3	Missing client_id validation match when authenticating client with JW… (#22178 ) Closes #22177	2023-08-03 11:47:55 +02:00
Takashi Norimatsu	ee998fee66	Add FAPI 2.0 security profile as default profile of client policies closes #21181	2023-08-03 09:26:16 +02:00
Ricardo Martin	a8bca522c1	Fix issue with access tokens claims not being imported using OIDC IDP Attribute Mappers (#21627 ) Closes #9004 Co-authored-by: Armel Soro <armel@rm3l.org>	2023-08-02 09:36:50 +02:00
Thomas Darimont	82269f789a	Avoid using deprecated junit APIs in tests - Replaced usage of Assert.assertThat with static import - Replaced static import org.junit.Assert.assertThat with org.hamcrest.MatcherAssert.assertThat Fixes: #22111	2023-08-01 11:44:25 +02:00
Alexander Schwartz	748c53df7f	Use Java mechanisms to read language files and default to UTF-8 (#21755 ) Closes #21753	2023-08-01 11:27:10 +02:00
mposolda	6f6b5e8e84	Fix authenticatorConfig for javascript providers Closes #20005	2023-07-31 19:28:25 +02:00
rmartinc	0a7fcf43fd	Initial pagination in the admin REST API for identity providers Closes https://github.com/keycloak/keycloak/issues/21073	2023-07-27 14:48:02 +02:00
Takashi Norimatsu	9a921441cc	Adjustements to the behaviour of dpop_bound_access_tokens switch closes #21920	2023-07-27 11:30:01 +02:00
Alexander Schwartz	1ec8d3a9a4	Convert LinkExpirationFormatterMethod to Java's ChoiceFormat pattern Closes #21887	2023-07-27 10:30:37 +02:00
Takashi Norimatsu	6498b5baf3	DPoP: OIDC client registration support closes #21918	2023-07-26 13:00:35 +02:00
Ricardo Martin	ee35cfe478	Add logout other sessions checkbox to TOTP, webauthn and recovery authn codes setup pages (#21897 ) * Add logout other sessions checkbox to TOTP, webauthn, recovery authn codes setup pages and to update-email page Closes #10232	2023-07-26 11:34:19 +02:00
Hunor Kovács	5eb505aba5	Handle error when Microsoft Graph API /me returns not successful (#21696 ) * Response from Microsoft Graph API /me can be error too. So if that happens, throw an exception instead of trying to extract the user id. * Update services/src/main/java/org/keycloak/social/microsoft/MicrosoftIdentityProvider.java Co-authored-by: Ondra Pelech <ondra.pelech@gmail.com> --------- Co-authored-by: Ondra Pelech <ondra.pelech@gmail.com>	2023-07-26 07:22:52 +00:00
Takashi Norimatsu	0ddef5dda8	DPoP support 1st phase (#21202 ) closes #21200 Co-authored-by: Dmitry Telegin <dmitryt@backbase.com> Co-authored-by: mposolda <mposolda@gmail.com>	2023-07-24 16:44:24 +02:00
Takashi Norimatsu	05b8b9ee51	Enhancing Pluggable Features of Token Manager closes #21182	2023-07-24 09:16:29 +02:00
Takashi Norimatsu	2efd79f982	FAPI 2.0 security profile - supporting RFC 9207 OAuth 2.0 Authorization Server Issuer Identification Closes #20584	2023-07-24 09:11:30 +02:00
ali_dandach	ef19e08814	Fix String comparisona (#21752 ) Closes #21773	2023-07-21 10:37:24 +02:00
mposolda	03716ed452	Keycloak forgets ui_locales parameter when using reset password closes #10981	2023-07-18 09:24:12 +02:00
rmartinc	630e3b2312	Revert emailVerified to false if email modified on force-sync non-trusted broker Closes https://github.com/keycloak/security/issues/48	2023-07-17 13:13:47 +02:00
vramik	47eeece827	Update javadoc for user search in UserResource Closes #21053	2023-07-11 11:14:29 +02:00
Pedro Igor	376d20c285	Remove user credentials from admin event representation (#21561 ) Closes #17470	2023-07-11 08:26:29 +02:00
rmartinc	13870f3a69	Improve error management in the github provider Closes https://github.com/keycloak/keycloak/issues/9429	2023-07-10 16:09:08 -03:00
Václav Muzikář	97a37f565e	Align guava dependency with the Quarkus Platform BOM (#21544 ) Closes #21364	2023-07-10 16:13:13 +02:00
Daniele Martinoli	1644432df3	Reviewed solution as per reviewer's comments	2023-07-10 08:31:47 -03:00
Daniele Martinoli	d148a789f7	added clientNote to show the sign out option	2023-07-10 08:31:47 -03:00
Patrick Jennings	399a23bd56	Find an appropriate key based on the given KID and JWA (#21160 ) * keycloak-20847 Find an appropriate key based on the given KID and JWA. Prefers matching on both inputs but will match on partials if found. Or return the first key if a match is not found. Mark Key as fallback if it is the singular client certificate to be used for signed JWT authentication. * Update js/apps/admin-ui/public/locales/en/clients.json Co-authored-by: Marek Posolda <mposolda@gmail.com> * Updating boolean variable name based on suggestions by Marek. * Adding integration test specifically for the JWT parameters for regression #20847. --------- Co-authored-by: Marek Posolda <mposolda@gmail.com>	2023-07-10 13:28:55 +02:00
Daniele Martinoli	817f129484	fix: closes #21095 (#21289 ) * fix: closes #21095 * Added overloaded version of GroupUtils.toGroupHierarchy with additional full parameter.	2023-07-10 12:13:26 +02:00
Daniele Martinoli	7b8dcb42ea	Using "Account is disabled" message (and also added new test case)	2023-07-07 12:16:38 -03:00
Daniele Martinoli	13e2075ceb	Applying reviewer comments	2023-07-07 09:00:51 -03:00
Daniele Martinoli	e6d7749cbf	fix for 21476	2023-07-07 09:00:51 -03:00
Daniele Martinoli	b458356aa9	integrated reviewer comments	2023-07-07 08:59:36 -03:00
Daniele Martinoli	c9a226e220	Update services/src/main/java/org/keycloak/broker/provider/HardcodedGroupMapper.java Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com>	2023-07-07 08:59:36 -03:00
Daniele Martinoli	96f09fcd90	Update services/src/main/java/org/keycloak/broker/provider/HardcodedGroupMapper.java Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com>	2023-07-07 08:59:36 -03:00
Daniele Martinoli	83d88f6bb5	added Hardcoded Group mapper to IDP configuration	2023-07-07 08:59:36 -03:00
Erik Jan de Wit	2f5040f565	added locale selector for account console fixes: #20941	2023-07-06 11:14:39 -03:00
Douglas Palmer	8cc04a6724	NullPointerException on reading auth.attemptedUsername in terms template closes #21294	2023-07-04 16:07:44 -03:00
rmartinc	09e30b3c99	Support for JWE IDToken and UserInfo tokens in OIDC brokers Closes https://github.com/keycloak/keycloak/issues/21254	2023-07-03 21:25:46 -03:00
mposolda	ccbddb2258	Fix updating locale on info/error page after authenticationSession was already removed Closes #13922	2023-07-03 18:57:36 -03:00
Jon Koops	c0b0a25f71	Handle exceptions thrown when requesting `storage-access` permission (#21325 )	2023-06-30 00:35:10 +00:00
Daniele Martinoli	e2ac9487f7	Conditional login through identity provider (#20188 ) Closes #20191 Co-authored-by: Jon Koops <jonkoops@gmail.com> Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com> Co-authored-by: Marek Posolda <mposolda@gmail.com>	2023-06-29 18:44:15 +02:00
Joshua Sorah	f695eeaa44	Refactor Admin REST API Documentation to use OpenAPI annotations. Removes dependencies on swagger-doclet Adds dependencies on microprofile-openapi-api Plugins for smallrye-open-api-maven-plugin, openapi-generator-maven-plugin Customized ascii doc template for openapi-generator-maven-plugin, to give similar feel to previous documentation. OpenAPI annotations added to Admin REST API resources. Closes keycloak/keycloak#20433	2023-06-29 17:03:38 +02:00
Fouad Almalki	b336732251	Add iat to JWT passed to CIBA HttpAuthenticationChannel (#21280 ) Closes #21283	2023-06-29 07:55:57 +02:00
Marek Posolda	51a9712e59	Improper Client Certificate Validation for OAuth/OpenID clients (#20 ) Co-authored-by: Stian Thorgersen <stianst@gmail.com>	2023-06-28 17:52:48 -03:00
Ricardo Martin	1973d0f0d4	Check the redirect URI is http(s) when used for a form Post (#22 ) Closes https://github.com/keycloak/security/issues/22 Co-authored-by: Stian Thorgersen <stianst@gmail.com> Signed-off-by: Peter Skopek <pskopek@redhat.com>	2023-06-28 17:52:48 -03:00
Pedro Igor	28aa1d730d	Verify holder of the device code (#21 ) Closes https://github.com/keycloak/security/issues/32 Co-authored-by: Stian Thorgersen <stianst@gmail.com> Conflicts: services/src/main/java/org/keycloak/protocol/oidc/grants/device/DeviceGrantType.java	2023-06-28 15:45:26 +02:00
rmartinc	4bc11bdf7f	Do not return an error when moving a group to the current parent Closes https://github.com/keycloak/keycloak/issues/21242	2023-06-28 10:34:15 +02:00
rmartinc	a5a2753d11	Don't allow impersonate disabled users or service accounts Closes https://github.com/keycloak/keycloak/issues/21106	2023-06-28 10:18:21 +02:00
Douglas Palmer	59e1a5d992	Custom theme - url.resourcesCommonPath references wrong theme closes #20085	2023-06-28 08:25:44 +02:00
Douglas Palmer	c75bf31398	Empty shortVerificationUri not the same with default (null) value closes #20851	2023-06-27 14:57:24 +02:00
Pedro Igor	d0691b0884	Support for the locale user attribute Closes #21163	2023-06-27 09:21:08 -03:00
Erik Jan de Wit	3a3907ab15	changed to use `ConfiguredProvider` instead (#21097 ) fixes: #15344	2023-06-27 08:00:32 -04:00
eatik	0cc464695e	Allowing users with view-users permission to call configured-user-storage-credential-types endpoint as per issue #20783 Closes #20783	2023-06-26 11:05:35 -03:00
Takashi Norimatsu	f6ecc3f3f8	FAPI 2.0 security profile - not allow an authorization request whose parameters were not included in Request Object pushed to PAR request closes #20710	2023-06-26 12:09:25 +02:00
vramik	7fe7dfc529	ResourceType lost during clonning Co-authored-by: Alexander Schwartz <alexander.schwartz@gmx.net> Closes #20947	2023-06-23 09:31:44 +02:00
Douglas Palmer	a0d1ac6baa	processGrantRequest in TokenEndPoint uses new TokenManager instead of this.tokenMananager closes #20978	2023-06-23 08:12:44 +02:00
Pedro Igor	aff6cc1cbd	Running mappers during account linking Closes #11195 Co-authored-by: mposolda <mposolda@gmail.com> Co-authored-by: toddkazakov	2023-06-22 17:41:31 +02:00
Sazzad Hossain	41e253c054	Check whether CREATE_REALM role exists in realm role mappings before hasRole check for user. Closes #20332	2023-06-22 15:35:50 +02:00
Douglas Palmer	f526f7a091	Emails with non-ascii characters are not allowed since v21.0.0 closes #20878	2023-06-22 10:27:48 -03:00
Pedro Igor	eb5edb3a9b	Support reading base32 encoded OTP secret Closes #9434 Closes #11561	2023-06-22 08:08:13 -03:00
mposolda	137f8d807a	Account Console II doesn't remove TOTP from UserStorage closes #19575	2023-06-22 07:56:44 +02:00
Gilvan Filho	2493f11331	count users by custom user attribute closes #14747	2023-06-21 11:56:22 -03:00
mposolda	dc3b037e3a	Incorrect Signature algorithms presented by Client Authenticator closes #15853 Co-authored-by: Jon Koops <jonkoops@gmail.com>	2023-06-21 08:55:58 +02:00
Stan Silvert	513c00bcd9	Remove unused feature flags. (#21039 ) * Remove unused feature flags. Fixes #20944 Fixes #20943 * Update release notes. * Update docs/documentation/release_notes/topics/22_0_0.adoc Co-authored-by: Jon Koops <jonkoops@gmail.com> --------- Co-authored-by: Jon Koops <jonkoops@gmail.com>	2023-06-20 15:02:22 -04:00
Stian Thorgersen	f82577a7f3	Removed old account console (#21098 ) Co-authored-by: Jon Koops <jonkoops@gmail.com> Closes #9864	2023-06-20 20:46:57 +02:00
Daniele Martinoli	d9b271c22a	Extends the conditional user attribute authenticator to check the attributes of the joined groups (#20189 ) Closes #20007	2023-06-19 15:22:35 +02:00
Jon Koops	c998193797	Pass client id for Account and Admin consoles through environment (#20961 )	2023-06-13 16:29:37 +00:00
rmartinc	ecf52285bc	Simplify TokenManager expiration calculations using SessionExpirationUtils Closes https://github.com/keycloak/keycloak/issues/20794	2023-06-13 10:09:47 +02:00
Pedro Igor	af975d20f1	Avoid iterating indefinetly when checking CRLs Closes #20725	2023-06-12 17:50:16 +02:00
Alexander Schwartz	9425432f2c	Handle HTTP response codes when retrieving data from remote endpoints Closes #20895	2023-06-12 13:37:59 +02:00
rmartinc	f3fcf1f8c5	Session cross-reference / transaction mismatch Closes https://github.com/keycloak/keycloak/issues/20855	2023-06-12 13:18:39 +02:00
Vlasta Ramik	ed473da22b	Clean-up of deprecated methods and interfaces Fixes #20877 Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com>	2023-06-09 17:11:20 +00:00
rmartinc	61968bf747	Use OIDCAttributeMapperHelper.mapClaim in the GroupMembershipMapper Closes https://github.com/keycloak/keycloak/issues/19767	2023-06-08 11:12:24 -03:00
Réda Housni Alaoui	eb9bb281ec	Require user to agree to 'terms and conditions' during registration	2023-06-08 10:39:00 -03:00
Marek Posolda	8080085cc1	Removing 'http challenge' authentication flow and related authenticators (#20731 ) closes #20497 Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com>	2023-06-08 14:52:34 +02:00
Saman-jafari	31db84e924	fix: issuedFor added to token to get client id into the token also redirect uri added to token and then passed to info template for "back to application" functionality test also added to check the availability of issueFor(azp) and redirect uri in Action Fixes #14860 Fixes #15136	2023-06-07 12:19:46 -03:00
Zvi Grinberg	b29ce53f6e	Fix bug in regex policy evaluation that it ignored flatted user claims that are mapped by protocol mappers to complex JSON structure in access token( in the access token JWT it's key and value is a JSON by itself) fixes: #20436 Signed-off-by: Zvi Grinberg <zgrinber@redhat.com>	2023-06-07 10:18:10 -03:00
Alice Wood	7e56938b74	Extend group search attribute functionality to account for use case where only the leaf group is required	2023-06-07 08:52:23 -03:00
ComplexSpaces	1af4a7a532	Pass webauthn signature algorithm IDs as integers instead of strings (#20832 ) closes #20831	2023-06-07 11:46:16 +02:00
Pedro Hos	9ebd94a3a8	Userinfo endpoint doesn't accept charset #20671 Closes 20671	2023-06-07 08:08:05 +02:00
Bruno Sanches	ecf4dbfb18	Check if formData is empty before putting login hint (#20733 ) closes keycloak#20732	2023-06-06 17:14:08 -04:00
Artur Baltabayev	041441f48f	Improved Reset OTP authenticator (#20572 ) * ResetOTP authenticator can now be configured, so that one or all existing OTP configurations are deleted upon reset. Closes #8753 --------- Co-authored-by: bal1imb <Artur.Baltabayev@bosch.com>	2023-06-06 08:30:44 -03:00
rmartinc	81aa588ddc	Fix and correlate session timeout calculations in legacy and new map implementations Closes https://github.com/keycloak/keycloak/issues/14854 Closes https://github.com/keycloak/keycloak/issues/11990	2023-06-05 18:46:23 +02:00
Alexander Schwartz	cd9e0be9f0	Filter first, then sort, and avoid atomics Closes #20394	2023-06-05 11:23:54 +02:00
Pedro Igor	f69ff5d270	Execution config not duplicated when duplicating flows Closes #12012	2023-06-01 16:12:06 +02:00
Erik Jan de Wit	f3c393f53e	use the "remember me" max time if set for expires (#20413 ) fixes: #9264	2023-05-31 15:25:20 -04:00
Pedro Igor	53dfb44a8f	Migration guide for JAX-RS changes (#20659 ) Closes #keycloak/keycloak#15454	2023-05-31 13:50:34 +00:00
mposolda	bf9c5821cb	Fix for certificate revalidation closes https://security.snyk.io/vuln/SNYK-JAVA-ORGKEYCLOAK-5291542	2023-05-31 15:42:37 +02:00
Takashi Norimatsu	a29c30ccd5	FAPI 2.0 security profile - not allow an authorization request whose parameters were not included in PAR request closes #20623	2023-05-31 14:02:44 +02:00
Takashi Norimatsu	6b42c2b4d0	FAPI 2.0 security profile - Reject Implicit Grant executor does not return an appropriate error Closes #20622	2023-05-30 18:24:50 +02:00
stianst	0832992e59	Removing OpenShift integration and moving to separate extension closes #20496 Co-authored-by: mposolda <mposolda@gmail.com>	2023-05-30 17:39:32 +02:00
Pedro Igor	c22972af9c	Avoid using user property mapper when resolving root user attributes Closes #20613	2023-05-29 14:30:05 +02:00
Yoshiyuki Tabata	bd37875a66	allow specifying format of "permission" parameter in the UMA grant token endpoint (#15947)	2023-05-29 08:56:39 -03:00
Jon Koops	98e5e9799b	Improve third-party storage access detection and cookie fallback	2023-05-25 22:16:59 -03:00
Douglas Palmer	1b8901f5a2	Changing the email address has no impact at username regardless "Email as username" toggle closes #20459	2023-05-25 07:54:03 -03:00
Peter Zaoral	72b238fb48	Keystore vault (#19644 ) * KeystoreVault SPI * added KeystoreVault - a Vault SPI implementation (#19281) Closes #17252 Signed-off-by: Peter Zaoral <pzaoral@redhat.com>	2023-05-24 16:20:30 +00:00
Stefan Guilhen	2252b09949	Remove deprecated default roles methods Closes #15046	2023-05-23 22:32:52 +02:00
i7a7467	e41e1a971a	SLO and ACS Binding are linked with AuthnRequest Binding in SAML Identity Broker Metadata Closes #11079	2023-05-22 10:05:17 +02:00

... 4 5 6 7 8 ...

4590 commits