libre.sh/keycloak-scim
2
0
Fork 0
Code Issues 14 Pull requests Releases Packages Activity Actions 6
23500 commits 4 branches 5 tags 480 MiB
Commit graph

4535 commits

Author SHA1 Message Date
drohwer89
4ff180da64
Terminating all sessions above the session limit (#16068) 
Adjusts implementation of UserSessionLimitsAuthenticator to terminate all sessions above the session limit.

Closes #14689

Co-authored-by: Marek Posolda <mposolda@gmail.com>
 2023-02-16 17:56:59 +01:00
rmartinc
9995a3cdd4 lastSync value into COMPONENT_CONFIG is always updated 
Closes https://github.com/keycloak/keycloak/issues/17022
 2023-02-16 17:48:49 +01:00
mposolda
4f068fcdcc Make https-trust-store-type set to bcfks by default in strict-mode 
Closes #17119
 2023-02-16 08:00:21 -03:00
sui.jieqiang
1f6fa0501c Fix search user groups without limit 
Closes #12649
 2023-02-15 15:50:46 +01:00
rmartinc
fbc9177f27 Doublecheck if we need to override properties in java.security 
Closes https://github.com/keycloak/keycloak/issues/16702
 2023-02-15 12:33:48 +01:00
vramik
7b604d6784 Sync properties in map-storage-jpa-cocroach with other profiles 
Closes #17107
 2023-02-15 10:49:22 +01:00
Hynek Mlnarik
bb0eb899a7 Add ability to run arq testsuite with file store 
Fixes: #17032
 2023-02-15 10:17:23 +01:00
Pedro Igor
9e46b9e43f Handling events after transaction completion using a separate session 
Closes #15656
 2023-02-14 13:10:57 +01:00
Václav Muzikář
a57821ed80 Fix JDK 17 InaccessibleObjectException with infinispan 2023-02-13 17:09:36 -03:00
Miquel Simon
48a22ff2f3
Added WebAuthn integration tests to CI workflow. (#16608) 2023-02-13 12:28:25 +00:00
laskasn
dc8b759c3d Use encryption keys rather than sig for crypto in SAML 
Closes #13606

Co-authored-by: mhajas <mhajas@redhat.com>
Co-authored-by: hmlnarik <hmlnarik@redhat.com>
 2023-02-10 12:06:49 +01:00
Marek Posolda
9cfc1fdfa9
Reduce the redundant tests in fips-suite (#16970) 
Closes #16969
 2023-02-09 12:21:33 +01:00
Pedro Igor
017ddc670b Removing references to old admin console test artifacts 2023-02-08 17:22:45 -03:00
Pedro Igor
423fc6daba
Flaky test KcOidcBrokerTokenExchangeTest (#16914) 
Closes #16896
 2023-02-08 14:49:49 +00:00
Dmitry Telegin
5f39aeb590 Pre-authorization hook for client policies 
Closes #9017
 2023-02-08 15:06:32 +01:00
Michal Hajas
6fa62e47db Leverage HotRod client provided transaction 
Closes #13280
 2023-02-08 10:26:30 +01:00
Stian Thorgersen
d3ba2ecbed
Remove old admin console theme (#16864) 
Closes #16862
 2023-02-08 09:22:39 +01:00
Stian Thorgersen
4782a85166
Remove old admin console feature (#16861) 
* Remove old admin console feature

Closes #16860

* Update help txt files for Quarkus tests
 2023-02-07 12:59:35 +01:00
Pedro Igor
7b58783255 Allow mapping claims to user attributes when exchanging tokens 
Closes #8833
 2023-02-07 10:57:35 +01:00
Thomas Darimont
e38b7adf92 Revise blacklist password policy provider #8982 
- Reduce false positive probability from 1% to 0.01% to avoid
rejecting to many actually good passwords.
- Make false positive rate configurable via spi config
- Revised log messages

Supported syntax variant:
`passwordBlacklist(wordlistFilename)`

Fixes #8982

Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
 2023-02-07 10:36:39 +01:00
Martin Kanis
5ba004b447 Leverage Infinispan lifespan for ExpirableEntities in HotRod storage 2023-02-07 10:01:32 +01:00
Stian Thorgersen
fc075a3d35
Remove old admin console tests (#16859) 
Closes #16858
 2023-02-07 08:51:36 +01:00
Denis Bernard
5db64133b8 Add Attribute to Group Mapper for SAML IDP 
Cleansing code as PR Comment

Add test for Advanced Attribute to Group Mapper

Closes #12950
 2023-02-06 10:58:48 -03:00
Pedro Igor
1a1ee78dbd Removing tests from base group broker mapper test classes 2023-02-06 10:58:48 -03:00
Pedro Igor
d97b9c48c4
Make sure PBKDF2 providers are using the expect size for derived keys (#16798) 
Closes #16797
 2023-02-03 15:31:25 +01:00
rmartinc
f8f112d8d2
Upgrade twitter4j (#16828) 
Closes https://github.com/keycloak/keycloak/issues/16731
 2023-02-03 15:28:37 +01:00
mposolda
0e374c7a45 Any tests using PhantomJS failing in some linux environments 
closes #16818
 2023-02-03 15:19:57 +01:00
Stian Thorgersen
0fa209c29a
WelcomeScreenTest#resourcesTest (#16761) 
* Fix WelcomeScreenTest#resourcesTest

Closes #16669

* Add one more retry
 2023-02-03 09:41:48 +01:00
Marek Posolda
51bed81814
Fixes for OOB endpoint and KeycloakSanitizer (#16773) 
(cherry picked from commit 91ac2fb9dd50808ff5c76d639594ba14a8d0d016)
 2023-02-02 08:34:50 +01:00
Pedro Igor
e3c41ec3a0 Ignoring test methods from parent classes 
Closes #15687
 2023-02-01 14:58:03 -08:00
Stian Thorgersen
d9025231f9
HTML Injection in Keycloak Admin REST API (#16765) 
Resolves #GHSA-m4fv-gm5m-4725

Co-authored-by: Martin Bartoš <mabartos@redhat.com>
 2023-02-01 14:34:15 +01:00
Marek Posolda
33ff9ef17e
Fix remaining failing tests with BCFIPS approved mode (#16699) 
* Fix remaining failing tests with BCFIPS approved mode
Closes #16698
 2023-01-30 16:01:57 +01:00
mposolda
7f017f540e BCFIPS approved mode: Some tests failing due the short secret for client-secret-jwt client authentication 
Closes #16678
 2023-01-30 08:40:46 +01:00
Martin Kanis
c4255e7301 Wrong property for events in map-storage-hot-rod on Undertow 2023-01-27 14:24:34 +01:00
mposolda
5591b5198b Still test failures with BCFIPS approved mode due the hardcoded keys 
Closes #16643
 2023-01-26 15:50:29 +01:00
Pedro Igor
f6602e611b Allow managing the username idn homograph validator 
Closes #13346
 2023-01-26 04:55:43 -08:00
mposolda
a804400c84 Added KERBEROS feature. Disable it when running tests on FIPS 
closes #14966
 2023-01-25 18:38:46 +01:00
mposolda
16888eaeab Only available RSA key sizes should be shown in admin console 
Closes #16437
 2023-01-25 13:15:07 +01:00
mposolda
29888dbf1a Update realm keys in the testsuite to be generated where possible. Update other keys to be FIPS compliant 
Closes #12420
 2023-01-25 08:26:15 +01:00
Miquel Simon
83147a67a0
Added New Account Console Tests to CI workflow. (#16547) 2023-01-24 16:01:03 +01:00
Hynek Mlnarik
977cc473bb Fix linebreaks in XML / SAML signatures 
See https://bugs.openjdk.org/browse/JDK-8264194
See https://issues.apache.org/jira/browse/SANTUARIO-482

Fixes: #14529
 2023-01-23 15:39:10 +01:00
Martin Bartoš
7d6e22bedd
DateTimeParse failures in New Account Console tests (#16531) 
Fixes #16514
 2023-01-19 09:39:03 -05:00
Stian Thorgersen
8d05895adb
Move Admin REST extension to main repository (#16530) 
Closes #16529
 2023-01-19 13:06:21 +01:00
Konstantinos Georgilakis
c73859794e Short verification_uri for Device Authorization Request 
Closes #16107
 2023-01-18 08:34:52 +01:00
Pedro Igor
33cb1ad7cd Support runnning tests using an embedded distribution 
Closes #16420
 2023-01-13 12:03:36 -08:00
mposolda
79fa6bb3c9 Initial support for running testsuite in BCFIPS approved mode 
Closes #16429
 2023-01-13 02:59:06 -08:00
ムハマドザクワンビンムハマドザヒド / MOHDZAHID,BIN MUHAMMADZAKWAN
cc6597967a Refactoring ClientPoliciesTest 
Closes #14795
 2023-01-12 09:38:12 +01:00
Pedro Igor
9945135861
Verify if token is revoked when validating bearer tokens (#16394) 
Closes #16388
 2023-01-11 14:42:29 +01:00
mposolda
ac490a666c Fix KcSamlSignedBrokerTest in FIPS. Support for choosing realm encryption key for decrypt SAML assertions instead of realm signature key 
Closes #16324
 2023-01-10 20:39:59 +01:00
Miquel Simon
7bd78f604a
Added MariaDB to Legacy Store IT. (#16157) 2023-01-10 17:37:27 +01:00
Pedro Igor
d797d07d8f Ignore user profile attributes for service accounts 
Closes #13236
 2023-01-10 16:26:53 +01:00
mposolda
4d55c6a647 Adding SAML tests for FIPS - with addition of XMLDSig security provider 
Closes #14969
 2023-01-10 08:37:03 +01:00
Pedro Igor
53ee95764e Do not show username field when updating profile if UPDATE_EMAIL feature is enabled and email as username is enabled 
Closes #16263
 2023-01-06 14:12:47 +01:00
Réda Housni Alaoui
141c9dd803
update-email: email change does not affect the username when "Email as username" option is checked (#15583) 
Closes #13988
 2023-01-06 14:04:48 +01:00
Miquel Simon
c2682157fb
Added MS SQL Server to Legacy Store IT. (#16121) 
* Added MS SQL Server to Legacy Store IT.

* Update testsuite/integration-arquillian/pom.xml

Co-authored-by: Stian Thorgersen <stianst@gmail.com>
Co-authored-by: Stian Thorgersen <stian@redhat.com>
 2023-01-06 08:55:09 +01:00
Réda Housni Alaoui
dbe0c27bcf Allowing client registration access token rotation deactivation 2023-01-05 20:53:57 +01:00
mposolda
e374e309c6 Deprecate SHA1 based algorithms for sign SAML documents and assertions 
Closes #16240
 2023-01-05 20:45:20 +01:00
Michal Hajas
6566b58be1 Introduce Infinispan GlobalLock implementation 
Closes #14721
 2023-01-05 16:58:44 +01:00
Hynek Mlnarik
071fc03f41 Move transaction processing into session close 
Fixes: #15223
 2023-01-05 16:12:32 +01:00
Stian Thorgersen
6c1f981eec
Fix UserTest.sendResetPasswordEmailWithCustomLifespan (#16233) 
Closes #16232
 2023-01-04 13:03:33 +01:00
Stian Thorgersen
7dc16c69cb
Force refreshing token for admin client if time offset is set (#16242) 
Closes #16143
 2023-01-04 13:03:10 +01:00
mposolda
496c6d598e Some authorization adapter test failing on Java 17 
Closes #16216
 2023-01-03 13:03:26 +01:00
ムハマドザクワンビンムハマドザヒド / MOHDZAHID,BIN MUHAMMADZAKWAN
ce6b737e33 NPE in userinfo endpoint 
Closes #15429
 2023-01-02 13:53:29 +01:00
Stian Thorgersen
669086acd6
Suspend scheduled tasks if time offset is set to a large value (#16144) 2022-12-21 15:12:57 +01:00
Miquel Simon
9bb5b08015
Added Oracle to Legacy Store IT. (#16097) 2022-12-21 08:15:38 +01:00
mposolda
36bd76957d Make Keycloak FIPS working with OpenJDK 17 on FIPS enabled RHEL 
Closes #15721
 2022-12-20 21:03:55 +01:00
Michal Hajas
c79d29e68c Move HotRod profile to the same pom as other map profiles and introduce map-storage-chm profile 
Closes #16046
 2022-12-20 17:51:40 +01:00
Alexander Schwartz
1d758fac2b
Adding CRDB into GHA for the new store (#16021) 
The CockroachDB database is slower than PostgreSQL, therefore it will only run branches and nightly builds.

Closes #16020
 2022-12-17 08:50:21 +01:00
Pedro Igor
857b02be63 Allow managing the required settigs for the email attribute 
Closes #15026
 2022-12-15 13:11:06 -08:00
Pedro Igor
782d145cef Allow updating authz settings via default client registration provider 
Closes #9008
 2022-12-15 20:43:43 +01:00
Stian Thorgersen
c1b0f2a6ab
Rebalanace BaseIT test groups (#16007) 2022-12-15 08:52:30 +01:00
Stian Thorgersen
a5670af745
Keycloak CI workflow refactoring (#15968) 
* Keycloak CI workflow refactoring

Closes #15861

* Update testsuite/integration-arquillian/tests/base/testsuites/base-suite.sh

Co-authored-by: Hynek Mlnařík <hmlnarik@users.noreply.github.com>

* Update testsuite/integration-arquillian/tests/base/testsuites/suite.sh

Co-authored-by: Hynek Mlnařík <hmlnarik@users.noreply.github.com>

* Update testsuite/integration-arquillian/tests/base/testsuites/suite.sh

Co-authored-by: Hynek Mlnařík <hmlnarik@users.noreply.github.com>

* Update CodeQL actions

Co-authored-by: Hynek Mlnařík <hmlnarik@users.noreply.github.com>
 2022-12-14 16:12:23 +01:00
Stian Thorgersen
0f2ca3bfdd
fixes from release/20 (#15982) 
* Avoid path traversal vis double-url encoding of redirect URI (#8)

(cherry picked from commit a2128fb9e940d96c2f9a64edcd4fbcc768eedb4f)

* Do not resolve user session if corresponding auth session does not exist (#7)

* Stabilizing the ConcurrentLoginTest when running with JPA map storage by locking user sessions (#9)

Co-authored-by: Marek Posolda <mposolda@gmail.com>
Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com>
Co-authored-by: Alexander Schwartz <alexander.schwartz@gmx.net>
 2022-12-14 07:46:17 +01:00
Stian Thorgersen
30cc16e648
Move authorization tests into authz package (#15957) 
Closes #15956
 2022-12-12 18:09:11 +01:00
Peter Zaoral
1073a342cf Cleanup dependencies and align with Quarkus 
* aligned parent POM dependency versions with the Quarkus BOM

Closes #15325

Signed-off-by: Peter Zaoral <pzaoral@redhat.com>
 2022-12-09 09:10:30 -03:00
Michal Hajas
de7dd77aeb Change id of TermsAndConditions required actions to uppercase 
Closes #9991
 2022-12-07 10:51:37 -03:00
mposolda
f4e91a5312 The redirect URI cannot be verified during logout in the case when client was removed 
closes #15866
 2022-12-07 08:20:30 +01:00
mposolda
264c5a6cdb Support for KcReg and KcAdm CLI to use BCFIPS instead of BC on FIPS platforms 
Closes #14968
 2022-12-06 13:02:46 +01:00
Pedro Igor
022d2864a6 Make sure JAX-RS resource methods are advertizing the media type they support 
Closes #15811
Closes #15810
 2022-12-06 08:13:43 -03:00
Stian Thorgersen
2f0d8cd895
Move hok, par, and rar tests to oauth package (#15834) 
Closes #15833
 2022-12-05 15:42:20 +01:00
Michal Hajas
59ccae76cb
Fix flaky JS test (#15804) 
Closes #15761

Co-authored-by: Stian Thorgersen <stianst@gmail.com>
 2022-12-05 13:16:04 +01:00
Pedro Igor
168734b817 Removing references to request and response from Resteasy 
Closes #15374
 2022-12-01 08:38:24 -03:00
Stian Thorgersen
8e6437e596
Fix Flaky test: RequiredActionTotpSetupTest.setupTotpExistingReusableCodeDisabled (#15779) 
Closes #15564
 2022-12-01 10:41:46 +01:00
Hynek Mlnařík
60ce949304 Ignore unknown clients in LDAP role mapper 
Fixes: #10958
 2022-12-01 09:51:05 +01:00
Stian Thorgersen
c24bc1bab0
Tweak time offset in RefreshTokenTest (#15760) 
Closes #15718
 2022-11-30 16:11:46 +01:00
Stian Thorgersen
c3c858c88a
Fix OpenshiftClientStorageTest.testCodeGrantFlowWithServiceAccountUsingOAuthRedirectReference (#15741) 
Closes #15565
 2022-11-29 14:20:21 +01:00
dependabot[bot]
82f08b709c Bump sshd-core in /testsuite/integration-arquillian/util 
Bumps [sshd-core](https://github.com/apache/mina-sshd) from 2.3.0 to 2.7.0.
- [Release notes](https://github.com/apache/mina-sshd/releases)
- [Changelog](https://github.com/apache/mina-sshd/blob/master/CHANGES.md)
- [Commits](https://github.com/apache/mina-sshd/compare/sshd-2.3.0...sshd-2.7.0)

---
updated-dependencies:
- dependency-name: org.apache.sshd:sshd-core
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
 2022-11-28 12:04:15 -03:00
dependabot[bot]
3a35b05253 Bump ant in /testsuite/integration-arquillian/tests 
Bumps ant from 1.9.15 to 1.10.11.

---
updated-dependencies:
- dependency-name: org.apache.ant:ant
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
 2022-11-28 12:03:47 -03:00
dependabot[bot]
17be19d4d3 Bump commons-io in /testsuite/integration-arquillian/util 
Bumps commons-io from 2.6 to 2.7.

---
updated-dependencies:
- dependency-name: commons-io:commons-io
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
 2022-11-28 12:03:20 -03:00
Miquel Simon
88bc5e2307 Use different Postgres image in Testcontainers. Upgraded Testcontainers dependency to 1.17.5. 2022-11-28 10:57:14 +01:00
mposolda
3e9c729f9e X.509 authentication fixes for FIPS 
Closes #14967
 2022-11-25 11:50:30 +01:00
Stefan Guilhen
5c2a5fac31 Enable all test methods in ConcurrentLoginTest for JPA Map Storage 
- Tests still disabled for Hotrod and CHM
- Fixes concurrent login issues with CRDB. Verified with both PostgreSQL and CockroachDB.

Closes #12707
Closes #13210
 2022-11-24 13:36:22 +01:00
Lex Cao
dd03137ea7 Strip secret of user when creating from admin API 
Closes #14843
 2022-11-24 11:38:42 +01:00
Alexander Schwartz
410b5ab57f Make tests run on Oracle DB on the internal pipeline 
Closes #15643
 2022-11-23 13:49:01 +01:00
Nagy Vilmos
4b6b607fe9
Should not hide IDP from login page (#14174) 
Closes #14173
 2022-11-23 10:49:21 +01:00
rmartinc
b7188c3891
Unknown bind DN using LDAP anonymous bind aka bind type none (#15546) 
Closes #15497
 2022-11-23 10:23:46 +01:00
danielFesenmeyer
18381ecd2e Fix update of group mappers on certain changes of the group path 
The group reference in the mapper was not updated in the following cases:
- group rename: when an ancestor group was renamed
- (only for JpaRealmProvider, NOT for MapRealmProvider/MapGroupProvider) group move: when a group was converted from subgroup to top-level or when a subgroup's parent was changed

Closes #15614
 2022-11-23 10:12:34 +01:00
Alexander Schwartz
fb315b57c3 Use the same Oracle driver for the tests and Undertow like for Quarkus 
Closes #15576
 2022-11-23 09:26:18 +01:00
cgeorgilakis-grnet
085dd24875 Client registration service do not check client protocol for Bearer token 
Closes #15612
 2022-11-23 08:49:13 +01:00
Pedro Igor
28fc5b4574 Removing injection points for Resteasy objects and resolving instances from keycloak context instead 
Relates #15374
 2022-11-21 19:47:25 +01:00
Stefan Guilhen
f8df04b3b8 Fix UserSessionProviderTest.testOnClientRemoved on CRDB 
Closes #15558
 2022-11-21 13:05:11 +01:00
Michal Hajas
6d683824a4 Deprecate DBLockProvider and replace it with new GlobalLockProvider 
Closes #9388
 2022-11-16 16:13:25 +01:00
Martin Kanis
5e891951f5 Update Infinispan version to 14.0.2.Final 2022-11-16 14:56:45 +01:00
Douglas Palmer
9f532eecaf Weird export/re-import behaviour regarding post.logout.redirect.uris 
Closes #14884
 2022-11-15 09:24:32 +01:00
vramik
021189f190 Make GHA Map-JPA base testsuite running with Quarkus 
Co-authored-by: Martin Batros <mabartos@redhat.com>

Closes #13725
 2022-11-10 10:08:14 +01:00
Jia Chen
c3d53ae6e0 Returns an empty groups stream without querying the database if a user doesn't belong to any groups 
Closes #12567
 2022-11-09 13:07:42 +01:00
danielFesenmeyer
ec30c52a00 Fix paging on the "Users in role" endpoint, when JPA persistence is used 
- add order-by-clause to the corresponding JPA query (ordering by username ASC)
- adjust admin-client RoleResource to return a List instead of a Set, by introducing new methods #getUserMembers (instead of #getRoleUserMembers - the "Role" prefix is not needed, because it is clear from the resource name that it's about roles)
- adjust tests to use the new method and check that the expected order is returned

Closes #14772
 2022-11-07 20:44:06 +01:00
stianst
1de9c201c6 Refactor Profile 
Closes #15206
 2022-11-07 07:28:11 -03:00
Marek Posolda
c0c0d3a6ba
Short passwords with PBKDF2 mode working (#14437) 
* Short passwords with PBKDF2 mode working
Closes #14314

* Add config option to Pbkdf2 provider to control max padding

* Update according to PR review - more testing for padding and for non-fips mode
 2022-11-06 14:49:50 +01:00
Marek Posolda
f616495b05
Fixing UserFederationLdapConnectionTest,LDAPUserLoginTest to work with FIPS (#15299) 
closes #14965
 2022-11-03 16:35:57 +01:00
Marek Posolda
2ba5ca3c5f
Support for multiple keys with same kid, which differ just by algorithm in the JWKS (#15114) 
Closes #14794
 2022-11-03 09:32:45 +01:00
Stian Thorgersen
cf913af823
Add support for Microsoft Authenticator (#15272) 
Closes #15271
 2022-11-02 12:56:07 +01:00
Stian Thorgersen
cac4c43052
Remove AccountPasswordPage from testsuite (#15204) 
Closes #15200
 2022-11-02 06:20:39 +01:00
Alexander Schwartz
dd5a60c321 Allow a partial import to overwrite the default role 
Closes #9891
 2022-11-01 15:35:02 -03:00
Pedro Igor
f6985949b6
Close the session within resteasy boundaries (#15193) 
Closes #15192
 2022-11-01 11:06:34 +01:00
Stian Thorgersen
17117820cc
Remove AccountFormServiceTest (#15197) 
Closes #15196
 2022-10-28 12:26:59 +02:00
Master_Sky
164465861b
fix(sec): upgrade org.apache.tomcat:tomcat-catalina to 8.5.76 (#14950) 
Co-authored-by: stianst <stianst@gmail.com>
 2022-10-25 09:30:28 -03:00
Michal Hajas
883e83e625 Remove deprecated methods from data providers and models 
Closes #14720
 2022-10-25 09:01:33 +02:00
Alexander Schwartz
9b80bad391 Stabilize test testAccountManagementLinkIdentity by waiting for username to appear 
Closes #15054
 2022-10-24 19:19:27 +02:00
Stian Thorgersen
29b8294dd6
Filter list of supported OTP applications by current policy (#15113) 
Closes #15112
 2022-10-24 16:47:16 +02:00
mposolda
55c514ad56 More flexibility in keystore related tests, Make keycloak to notify which keystore types it supports, Support for BCFKS 
Closes #14964
 2022-10-24 08:36:37 +02:00
Stian Thorgersen
97ae90de88
Remove Red Hat Single Sign-On product profile from upstream (#14697) 
* Remove Red Hat Single Sign-On product profile from upstream

Closes #14916

* review suggestions: Remove Red Hat Single Sign-On product profile from upstream

Closes #14916

Co-authored-by: Peter Skopek <pskopek@redhat.com>
 2022-10-18 14:43:04 +02:00
Marek Posolda
0756ef9a75
Initial integration tests with BCFIPS distribution (#14895) 
Closes #14886
 2022-10-17 23:33:22 +02:00
Stian Thorgersen
f7490b7f7c
Fix issue where admin2 was not enabled by default if account2 was disabled (#14914) 
Refactoring ThemeSelector and DefaultThemeManager to re-use the same logic for selecting default theme as there used to be two places where one had a broken implementation

Closes #14889
 2022-10-17 15:17:54 +02:00
Alexander Schwartz
97c4495c4f Updating H2 database to 2.x 
Closes #12607

Co-authored-by: Stian Thorgersen <stian@redhat.com>
 2022-10-14 11:52:34 +02:00
vramik
f49582cf63 MapUserProvider in KC20 needs to store username compatible with KC19 to be no-downtime-upgradable 
Closes #14678
 2022-10-14 09:32:38 +02:00
danielFesenmeyer
f80a8fbed0 Avoid login failures in case of non-existing group or role references and update references in case of renaming or moving 
- no longer throw an exception, when a role or group cannot be found, log a warning instead
- update mapper references in case of the following events:
   - moving a group
   - renaming a group
   - renaming a role
   - renaming a client's Client ID (may affect role qualifiers)
- in case a role or group is removed, the reference still will not be changed
- extend and refactor integration tests in order to check the new behavior

Closes #11236
 2022-10-13 13:23:29 +02:00
Martin Kanis
761929d174
Merge ActionTokenStoreProvider and SingleUseObjectProvider (#13677) 
Closes #13334
 2022-10-13 09:26:44 +02:00
Lex Cao
8ea3f30d82 Support profile projection parameter for LinkedIn IDP 
Closes #13384
 2022-10-11 15:22:00 -03:00
Takashi Norimatsu
148c7695ff Pluggable Features of Token Manager 
Closes #12065
 2022-10-07 08:43:34 +02:00
Marek Posolda
425b6b8df2
Parameters 'client_id' and 'response_type' not strictly required in O… (#14679) 
* Parameters 'client_id' and 'response_type' not strictly required in OIDC request object
Closes #14255
 2022-10-05 11:20:15 +02:00
Douglas Palmer
44aae52fb4
Fixed locale switcher on error page (#14728) 
Closes #14205
 2022-10-05 10:30:07 +02:00
Marek Posolda
c59660ca86
KEYCLOAK_SESSION not working for some user federation setups when user ID has special chars (#14560) 
closes #14354
 2022-10-05 08:59:30 +02:00
Marek Posolda
fb24c86a3b
offline token issuance can cause violation of PRIMARY KEY constraint CONSTRAINT_OFFL_CL_SES_PK3 (#14658) 
closes #13706
 2022-10-03 12:54:12 +02:00
Stian Thorgersen
390c7485c7
Remove WildFly dist modules (#14675) 
Closes #14307
 2022-09-30 14:26:55 +02:00
Alice Wood
1eb7e95b97 enhance existing group search functionality allow exact name search keycloak/keycloak#13973 
Co-authored-by: Abhijeet Gandhewar <agandhew@redhat.com>
 2022-09-30 10:37:52 +02:00
Martin Bartoš
a20d6e2f1f
Remove JBoss-based auth servers from the testsuite (#14317) 
Closes #14299
 2022-09-30 09:41:57 +02:00
Marcelo Daniel Silva Sales
22713bc144
Incorrect error message OIDC client authentication (#14656) 
closes #12162


Co-authored-by: Pedro Hos <pedro-hos@outlook.com>
 2022-09-30 09:40:05 +02:00
David Anderson
a8db79a68c
Introduce crypto module using Wildfly Elytron (#14415) 
Closes #12702
 2022-09-27 08:53:46 +02:00
Alexander Schwartz
be2deb0517 Modify RealmsAdminResource.importRealm to work with InputStream 
Closes #13609
 2022-09-26 20:58:08 +02:00
Alice Wood
55a660f50b enhance group search to allow searching for groups via attribute keycloak/keycloak#12964 
Co-authored-by: Abhijeet Gandhewar <agandhew@redhat.com>
Co-authored-by: Michal Hajas <mhajas@redhat.com>
 2022-09-19 15:19:36 +02:00
Takashi Norimatsu
0a832fc744 Intent support before issuing tokens (UK OpenBanking) 
Closes #12883
 2022-09-19 12:15:00 +02:00
Martin Bartoš
d4130b0c6b
Admin Console tests failing (#14404) 
Fixes #10997
 2022-09-17 08:23:19 +02:00
rmartinc
cc9326fcad
Delay LDAPObject creation until mandatory attributes are set (#14341) 
Closes #14286
 2022-09-16 20:35:50 +02:00
Dmitry Telegin
cc2117bf7c UserInfo endpoint not fully standards compliant 
Closes #14184
 2022-09-16 10:15:08 +02:00
danielFesenmeyer
3af1134975 Update IDP link username when sync mode is "force" 
Closes #13049
 2022-09-14 08:02:17 -03:00
Martin Bartoš
ed3d003d65
Remove Legacy migration tests from testsuite (#14310) 
Closes #14300
 2022-09-14 11:29:53 +02:00
Václav Muzikář
e999aeeab8 Fix DefaultHostnameTest on Undertow 2022-09-13 14:41:23 -03:00
Martin Bartoš
aa5a4e3d84
Remove remote WildFly server from the testsuite (#14321) 
Closes #14319
 2022-09-13 12:49:40 +02:00
fwojnar
cee69e1abc
Remove Server Config Migration tests from testsuite (#14334) 
Closes #14303

Co-authored-by: wojnarfilip <fwojnar@redhat.com>
 2022-09-13 12:47:35 +02:00
fwojnar
a58f0593a6
Remove Clean Start test from testsuite (#14345) 
Closes #14305

Co-authored-by: wojnarfilip <fwojnar@redhat.com>
 2022-09-13 12:46:55 +02:00
Václav Muzikář
490590625d Fix listApplicationsThirdParty 2022-09-13 08:33:31 +02:00
Jurjan-Paul Medema
eb0124e3e1
Mapper option 'Aggregate attribute values' is now applied to group hierarchy (#7871) 
Closes #11255
 2022-09-12 13:34:28 +02:00
Christoph Leistert
7e5b45f999 Issue #8749: Add an option to control the order of the event query and admin event query 2022-09-11 21:30:12 +02:00
Alexander Schwartz
1d2d3e5ca5 Move UserFederatedStorageProvider into legacy module 
Closes #13627
 2022-09-11 18:37:45 +02:00
Pedro Igor
3518362002 Validate auth time when max_age is sent to brokered OPs 
Closes #14146
 2022-09-09 10:30:51 -03:00
Pedro Igor
a0079b516b
Allow setting response mode (#14104) 
Closes #14083
 2022-09-09 14:28:47 +02:00
Martin Bartoš
0fcf5d3936 Reuse of token in TOTP is possible 
Fixes #13607
 2022-09-09 08:56:02 -03:00
Marek Posolda
040e52cfd7
SAML javascript protocol mapper: disable uploading scripts through admin console by default (#14293) 
Closes #14292
 2022-09-09 13:47:51 +02:00
vramik
869ccc82b2 Enable MapUserProvider storing username with the letter case significance 
Closes #10245
Closes #11602
 2022-09-09 11:46:11 +02:00
Dominik Guhr
f2b02f19e6 Closes #13786 2022-09-07 18:29:26 +02:00
cgeorgilakis
07b0df8f62
View groups from account console (#7933) 
Closes #8748
 2022-09-07 11:25:31 +02:00
Lex Cao
1f197aa96b
Add basic auth compliant to RFC 6749 (#14179) 
Closes #14179
 2022-09-07 10:09:30 +02:00
Christoph Leistert
cc2bb96abc Fixes #9482: A user could be assigned to a parent group if he is already assigned to a subgroup. 2022-09-06 21:31:31 +02:00
Thomas Peter
19d69169b1 introduce expiration option for admin events 2022-09-06 16:05:53 +02:00
Pedro Igor
a6137b9b86 Do not empty attributes if they are not provided when user profile is enabled 
Closes #11096
 2022-09-06 12:59:05 +02:00
Michal Hajas
f69497eb28 KEYCLOAK-12988 Deprecate getUsers* methods in favor of searchUsers* variants 
Closes #14018
 2022-09-06 10:38:28 +02:00
Sergey Ch
860c3fbbd3
KEYCLOAK-17263 Add exact searching for users (#8059) 
Co-authored-by: Stian Thorgersen <stianst@gmail.com>
 2022-09-01 19:27:24 +02:00
Thomas Darimont
43623ea9d0 KEYCLOAK-18499 Add max_age support to oauth2 brokered logins 
Revise KcOidcBrokerPassMaxAgeTest to use setTimeOffset(...)
 2022-09-01 09:24:44 -03:00
Joerg Matysiak
a8019d78e7 Fixed handling of required setting for email in user profile. 
Resolves #13923
 2022-08-31 17:19:19 -03:00
Martin Bartoš
677579fce6 Environment variables for admin creation in testsuite 
Closes #14102
 2022-08-31 07:29:55 -03:00
Nagy Vilmos
f6db484172
Keep the locale related authNotes through the IdentityBroker flow. (#10444) 
Closes #8827
 2022-08-31 09:37:26 +02:00
Martin Bartoš
e6a5f9c124 Default required action providers are still available after feature disabling 
Closes #13189
 2022-08-31 08:42:47 +02:00
Martin Bartoš
94de015440
Cannot build base testsuite due to missing dependency related to WF (#14079) 
Fixes #14072
 2022-08-30 18:52:05 +02:00
Stian Thorgersen
eece543ede
Remove AddUserTest as it was specific to the WildFly distribution (#14091) 
Closes #14072
 2022-08-30 16:57:44 +02:00
Manato Takai
1cdc21f0ff
Add duplicate parameter check for UserInfo endpoint. (#14024) 
Closes #14016
 2022-08-30 14:39:15 +02:00
Pedro Igor
917e8668cb Fixing error when activating webauthn profile 
Related #14005
 2022-08-30 13:55:02 +02:00
Martin Bartoš
090f7f89d5
Cannot execute Old Admin Console tests (#13887) 
Fixes #14005
 2022-08-29 13:41:22 +02:00
Erik Jan de Wit
93f3d7bf42
Revert "Allow dependencies from keycloak-admin-ui (#13924)" (#13963) 
This reverts commit 332a0dacee.
 2022-08-26 10:04:13 +02:00
Joerg Matysiak
62790b8ce0 Allow permission configuration for username and email in user profile. 
Enhanced Account API to respect access to these attributes.

Resolves #12599
 2022-08-25 21:54:51 -03:00
Michal Hajas
05b9e6d59e
Upgrade Infinispan to 13.0.10.Final (#13910) 
Closes #12306
 2022-08-25 13:09:34 +02:00
Christoph Leistert
5408d25e09
Fixes #10656: Sub realm localization GET endpoints can be called using tokens issued by the master realm. (#10660) 
* Fixes #10656: Sub realm localization GET endpoints can be called using tokens issued by the master realm.

* Fixes #10656: Added some tests
 2022-08-25 09:02:07 +02:00
Markus Till
7f999a4629
integration.admin-client: Add exact search for all dedicated user attributes (#13361) 
Closes #13360
 2022-08-25 08:57:31 +02:00
Arnaud Martin
af0d97e534 Delete broker links for federated users when an identity provider is deleted 
Closes #13731
 2022-08-25 08:24:09 +02:00
Pedro Igor
ddcf0f45f9 Run import within the context of the realm being imported 
Closes #12289
 2022-08-25 08:18:43 +02:00
Pedro Igor
25be07be17 Allow introspecting tokens issued during token exchange with delegation semantics 
Closes #9337
 2022-08-24 09:47:04 -03:00
Tero Saarni
ea4b4b97b4
Bumped maven-war-plugin for JDK17 compatibility (#13619) 
Closes #13960
 2022-08-24 14:44:18 +02:00
Takashi Norimatsu
8c1ea4b47c mTLS binding support for password grant 
Closes #13662
 2022-08-24 11:44:48 +02:00
Alexander Schwartz
332a0dacee
Allow dependencies from keycloak-admin-ui (#13924) 
This prevents exceptions due to missing classes like kotlin/jvm/internal/Intrinsics.

Closes #13918
 2022-08-24 11:31:29 +02:00
Konstantinos Georgilakis
c5b9dc1e7b set context session client equal to clientsession client (fromClientSessionAndScopeParameter method of DefaultClientSessionContext) 
Closes #13162
 2022-08-23 17:33:07 +02:00
Konstantinos Georgilakis
baa89debd9 Correct isValidScope method of TokenManager for Dynamic scopes 
Closes #13158
 2022-08-23 16:30:04 +02:00
Lex Cao
6b1c64a1a9
Add rememberMe to a user session representation(#13408) (#13765) 
Closes #13408
 2022-08-23 15:28:52 +02:00
Konstantinos Georgilakis
2002fd983b Showing consent screen text instead of scope name in consent part of Application page in Account console 
Closes #13109
 2022-08-23 11:22:31 +02:00
rishabhsvats
c223291a1e Adds REGISTER event when new user login through first broker flow 
Updates KcOidcBrokerEventTest, AbstractFirstBrokerLoginTest to factor in REGISTER event in first broker flow

Closes #11646

Correcting Indentation of AbstractFirstBrokerLoginTest
 2022-08-23 10:43:56 +02:00
Stefan Guilhen
f84fdfa8ef
Fix UserSessionProviderTest failures with CockroachDB (#13891) 
- move assertions to a separate tx due to CRDB's SERIALIZABLE isolation level

Closes #13211
 2022-08-23 09:57:13 +02:00
Sebastian Schuster
53472e097c 13647 fixed wrong feature flag for checking admin fine-grained authz 2022-08-22 09:34:12 -03:00
Stefan Guilhen
5775e7c4ba
Fix ConcurrentTransactionsTest failure with CockroachDB (#13890) 
- realm has to be removed in a separate tx due to CRDB's SERIALIZABLE isolation level

Closes #13211
 2022-08-22 08:39:14 +02:00
Pedro Igor
eda33a0b21 Concurrency issue when caching JS policies 
Closes #12204
 2022-08-17 16:30:32 -03:00
Pedro Igor
15bbb46657 Avoid removing static path config from cache 
Closes #9855
 2022-08-17 16:29:59 -03:00
Martin Bartoš
5a2852530f Fix DB tests for Quarkus 
Fixes #13642
 2022-08-17 10:23:05 -03:00
Pedro Igor
841c65d24f Return 404 when invoking authorization endpoints in case authz settings are disabled 
Closes #10151
 2022-08-16 16:37:44 -03:00
nehachopra27
26de05fa44
Updating RestEasy for Jetty App Server (#13710) 
Co-authored-by: nchopra <nchopra@redhat.com>
 2022-08-16 11:20:24 +02:00
Michal Hajas
ab431e3bd9 Fix KeycloakQuarkusServerDeployableContainer to correctly configure map store 
Closes #13721
 2022-08-11 16:55:06 +02:00
Pedro Igor
e3af0610e2 Support running base testsuite on Windows 
Closes #12648

Co-authored-by: Dominik Guhr <dguhr@redhat.com>
 2022-08-10 20:03:53 -03:00
Markus Till
fa383bf76c
Suppress confirmation screen for logout in oidc (#13471) 
Closes #13469
 2022-08-10 18:25:50 +02:00
Michal Hajas
d55d110ff9 Run Infinispan using Testcontainers in base testsuite 
Closes #13620
 2022-08-10 16:36:44 +02:00
Marcelo Daniel Silva Sales
e44cea587f
NullPointer during OIDC logout client disabled (#13424) 
closes #12624
 2022-08-08 12:34:09 +02:00
Michal Hajas
ec808d28bb Remove possibility to start embedded HotRod server in hotrod-map module 
Closes #13247
 2022-08-05 21:08:38 +02:00
Tero Saarni
2392af157b Forward quarkus server output to console in testsuite 2022-08-05 09:48:48 -03:00
Pedro Igor
333a4c900f Revert changes that block themes being loaded from custom providers 
Closes #13401
 2022-08-04 13:34:12 +02:00
Sebastian Knauer
21f700679f KEYCLOAK-19866 Fix user-defined- and xml-fragment-parsing/Add XPathAttributeMapper 2022-08-03 13:07:12 +02:00
nehachopra27
c7be78fade
Add admin-ui dependencies to integration-arquillian testsuite 
Co-authored-by: nchopra <nchopra@redhat.com>

Fixes: #13465
 2022-08-01 20:49:11 +02:00
Marek Posolda
7e925bfbff
Unit tests in "crypto/fips1402" passing on RHEL 8.6 with BC FIPS approved mode. Cleanup (#13406) 
Closes #13128
 2022-07-29 18:03:56 +02:00
Hynek Mlnarik
143e6bc932 Replace undertow-map with quarkus-map 
Fixes: #12652
 2022-07-27 14:08:38 +02:00
Stian Thorgersen
ae33af92d9
Promote new admin console to default (#13243) 
Closes #13242
 2022-07-27 10:13:49 +02:00
Pedro Hos
ee2c5391bd
Possible client enumeration in the authorization endpoint 
Closes #12164
 2022-07-26 09:10:06 +02:00
Douglas Palmer
c00514d659
Support for post_logout_redirect_uris in OIDC client registration (#12282) 
Closes #10135
 2022-07-25 10:57:52 +02:00
Dominik Guhr
9bb1299d89 change optimised to optimized 
also: fix kc.bat to not use autobuild in devmode anymore, fix containers.adoc to not use auto_build naming, fix build command cli help as it is not required anymore to run it beforehand.
 2022-07-22 10:29:07 -03:00
Stian Thorgersen
a251d785db
Remove text based login flows (#13249) 
* Remove text based login flows

Closes #8752

* Add display param back in case it's used by some custom authenticators
 2022-07-22 15:15:25 +02:00
Alexander Schwartz
cb81a17611 Disable Infinispan for map storage and avoid the component factory when creating a realm independent provider factory 
Provide startup time in UserSessionProvider independent of Infinispan,
cleanup code that is not necessary for the map storage as it isn't using Clustering.
Move classes to the legacy module.

Closes #12972
 2022-07-22 08:20:00 +02:00
Douglas Palmer
adeef6c2a0 Partial import feature does not import Identity Provider mappers in Keycloak #12861 2022-07-21 18:04:15 +02:00
Stefan Guilhen
e9c55f45e5 Enable action token JPA provider in map-storage-jpa profile 
Closes #13139
 2022-07-20 16:30:20 -03:00
Pedro Igor
3631a413d2 Allow token exchange when subjec_token is not associated with a session 
Closes #12596
 2022-07-20 15:42:26 -03:00
Martin Bartoš
1b9a3bf51a Cannot use WebAuthn with WildFly distribution 
Fixes #12762
 2022-07-20 09:59:44 -03:00
Lex Cao
f0988a62b8
Use base64 url decoded for client secret when authenticating with Basic Auth (#12486) 
Closes #11908
 2022-07-16 09:38:41 +02:00
Pedro Igor
89028613d8 Introducing --optimise option 
Closes #10737
 2022-07-15 15:12:17 -03:00
Marcelo Daniel Silva Sales
f7a80409a9
Add flow to generate secret length based on signature algorithm (#13107) 
Closes #9376
 2022-07-15 11:06:07 +02:00
Vlasta Ramik
ec853a6b83
JPA map storage: User / client session no-downtime store (#12241) 
Co-authored-by: Alexander Schwartz <alexander.schwartz@gmx.net>

Closes #9666
 2022-07-14 12:07:02 -03:00
Alexander Schwartz
b8d5e01cf3
Avoid using old legacy-store API in the test suite (#13077) 2022-07-13 09:58:01 -03:00
kz-masa
d26cff270f
Delete unnecessary import statements (#12935) (#12936) 2022-07-12 19:37:15 -03:00
Martin Bartoš
216922233a
Remote base tests don't work with WildFly (#12842) 
Fixes #12841
 2022-07-12 15:14:09 +02:00
Martin Kanis
4b43612806 Disable WARN logging for Hot Rod RemoteQuery class 2022-07-11 16:48:56 -03:00
Pedro Igor
5b48d72730 Upgrade Resteasy v4 
Closes #10916

Co-authored-by: Alexander Schwartz <aschwart@redhat.com>
 2022-07-11 12:17:51 -03:00
Martin Bartoš
07ab29378b Make WebAuthn required actions enabled by default 
Closes #12723
 2022-07-11 15:32:40 +02:00
Michal Hajas
0f86427dd0 Make user->client sessions relationship consistent 
Closes #12817
 2022-07-11 08:42:28 -03:00
Martin Bartoš
17f1d04960
Possibility to execute DB migration tests for Quarkus distribution (#12688) 
Closes #12685
 2022-07-11 12:23:41 +02:00
fwojnar
7fccdb10d8
Fixing ClientPoliciesTest failure (#12670) 
Closes #10633

Co-authored-by: wojnarfilip <fwojnar@redhat.com>
 2022-07-11 12:22:25 +02:00
Takashi Norimatsu
29aad9dc45 PAR logic affecting /auth endpoint 
Closes #9289
 2022-07-11 11:56:37 +02:00
Alexander Schwartz
29a501552e Disable the JpaUserFederatedStorageProvider when map storage is enabled 
Closes #12895
 2022-07-07 10:47:42 -03:00
Alexander Schwartz
d91a5eb99f Move methods from UserStorageUtil to LegacyRealmModel 
It is better suited to take methods removed from RealmModel earlier.

Closes #12805
 2022-07-07 09:57:17 -03:00
Stefan Guilhen
dc88dd5286
Users Map JPA implementation (#12871) 2022-07-05 11:19:31 -03:00
Alexander Schwartz
098d4dda0e
Split PublicKeyStorageProvider (#12897) 
Split PublicKeyStorageProvider

- Extract clearCache() method to separate interface and move it to the legacy module
- Make PublicKeyProvider factories environment dependent
- Simple map storage for public keys that just delegates

Resolves #12763

Co-authored-by: Martin Kanis <mkanis@redhat.com>
 2022-07-05 09:57:51 -03:00
Stefan Guilhen
007fa1f374 Single Use Objects Map JPA implementation 
Closes #9852
 2022-07-04 10:05:51 -03:00
Alexander Schwartz
4b20e90292 Move session persistence package to legacy-private module 
Also, disabling the jpa session persister when map storage is enabled.

Closes #12712
 2022-07-04 10:05:26 -03:00
Konstantinos Georgilakis
32f8f30f36 Include 'urn:ietf:params:oauth:grant-type:token-exchange' in grant_types_supported field of Keycloak OP metadata, if token-exchange is enabled 
closes #10888
 2022-06-30 17:13:47 -03:00
Jon Koops
06d1b4faab Restore enum variant of ResourceType 
This reverts commit 3b5a578934.
 2022-06-30 12:20:51 -03:00
Alexander Schwartz
ddeab744d0 Moving RoleStorageProviderModel to the legacy modules 
Closes #12656
 2022-06-29 20:04:32 +02:00
vramik
3b5a578934 Change enum ResourceType to interface with String constants 
Closes #12485
 2022-06-29 13:35:11 +02:00
Lex Cao
c3c8b9f0c8
Add client_secret to response when token_endpoint_auth_method is not private_key_jwt (#12609) 
Closes #12565
 2022-06-29 10:19:18 +02:00
Clara Fang
4643fd09e3 Replace occurrences of getParameterTypes().length and getParameters().length with getParameterCount() 
This should reduce GC pressure.

Closes #12644
 2022-06-29 08:53:09 +02:00
Konstantinos Georgilakis
ccc0449314 json device code flow error responses 
closes #11438
 2022-06-29 07:23:02 +02:00
Marek Posolda
be1e31dc68
Introduce crypto/default module. Refactoring BouncyIntegration (#12692) 
Closes #12625
 2022-06-29 07:17:09 +02:00
danielFesenmeyer
b6d8c27cac OIDC logout: In "legacy mode", support post_logout_redirect_uri param without requiring id_token_hint param 
Closes #12680
 2022-06-28 14:36:03 +02:00
leandrobortoli
c5d5659100 Fixed bug on client credentials grant when encryption key not found 
Closes #12348
 2022-06-27 13:00:21 +02:00
Lex Cao
f8a7c8e160
Validate name of client scope (#12571) 
Closes #12553
 2022-06-27 12:26:18 +02:00
Pedro Igor
3d2c3fbc6a Support JSON objects when evaluating claims in regex policy 
Closes #11514
 2022-06-23 14:04:09 -03:00
Pedro Igor
d3a40e8620 Use backend baseURL for UMA-related backend endpoints 
Closes #12549
 2022-06-23 10:35:26 -03:00
Takashi Norimatsu
a10eef882f DeviceTokenRequestContext.getEvent returns a wrong ClientPolicyEvent 
Closes #12455
 2022-06-22 13:01:35 +02:00
Takashi Norimatsu
d396ee7d30 CIBA flow : no error on invalid scope 
Closes #12589
 2022-06-22 12:55:55 +02:00
rmartinc
711440e513 [#11036] Identity Providers: Add support for elliptic curve signatures (ES256/ES384/ES512) using JWKS URL 2022-06-21 10:52:25 -03:00
Stefan Guilhen
7d96f3ad5a Events Map JPA implementation 
Closes #9667
 2022-06-21 13:53:48 +02:00
Alexander Schwartz
cb0c881821 rename SingleEntityCredentialManager to SubjectCredentialManager 2022-06-21 08:53:06 +02:00
Hynek Mlnarik
26198e4b0b Disable tests irrelevant for map storage 2022-06-21 08:53:06 +02:00
Alexander Schwartz
d41764b19b Inline deprecated methods in legacy code 2022-06-21 08:53:06 +02:00
Alexander Schwartz
1a227212de Simplify implementation of a federated storage by moving the default implementation to the abstract base class; this will also allow the quickstarts and implementations derived from that to run without changes. 2022-06-21 08:53:06 +02:00
Alexander Schwartz
08bbb1fb92 Move LDAP REST Endpoints to LDAP package 
- Thus remove implicit dependency on services on the legacy modules
- Disable tests for LDAP/Kerberos that won't work when map storage is enabled
 2022-06-21 08:53:06 +02:00
Alexander Schwartz
1bc6133e4e redirect calls to userLocalStorage from legacy modules (federation, ldap, sssd, kerberos) 2022-06-21 08:53:06 +02:00
Hynek Mlnarik
e396d0daa1 Renaming SingleUserCredentialManager and UserModel.getUserCredentialManager(): 
- class SingleUserCredentialManager to SingleEntityCredentialManager
- method UserModel.getUserCredentialManager() to credentialManager()

Renaming of API without "get" prefix to make it consistent with other APIs like for example with KeycloakSession
 2022-06-21 08:53:06 +02:00
Alexander Schwartz
6f287e7ded Avoid using methods on UserCredentialStoreManager 2022-06-21 08:53:06 +02:00
Alexander Schwartz
bc8fd21dc6 SingleUserCredentialManager moving in 
- UserStorageManager now handles authentication for old Kerberos+LDAP style
- new getUserByCredential method in MapUserProvider would eventually do the same.
 2022-06-21 08:53:06 +02:00
Alexander Schwartz
82094d113e Move User Storage SPI, introduce ExportImportManager 2022-06-21 08:53:06 +02:00
Hynek Mlnarik
703e868a51 Preparation for moving User Storage SPI 
- Introduction of new AdminRealmResource SPI
- Moving handler of /realm/{realm}/user-storage into model/legacy-service
- session.users() and userStorageManager() moved refers legacy module
  IMPORTANT: Broken as UserStorageSyncManager is not yet moved
 2022-06-21 08:53:06 +02:00
Hynek Mlnarik
247ff52187 Introduce legacy datastore module and update dependencies 2022-06-21 08:53:06 +02:00
Alexander Schwartz
850af55edc Ensure that only JDK 8 APIs are used where JDK 8 is still required. 
Closes #10842
 2022-06-20 14:44:33 -03:00
Martin Bartoš
d8112d7b7e
DB migration tests execution for Quarkus (#12525) 
Closes #12524
 2022-06-20 10:12:37 +02:00
Alexander Schwartz
71e7982a49 Adding central time offset reset in model tests as it was missing for AuthenticationSessionTest and UserSessionPersisterProviderTest 
Also adding try/finally in other places in the integration tests where it was missing.

Closes #12530
 2022-06-16 13:42:55 +02:00
nehachopra27
39cff0750c
[Fix keycloak#12385] Update option to run kc.bat on windows instead of kc.sh (#12386) 
Co-authored-by: nchopra <nchopra@redhat.com>

Resolves #12385
 2022-06-15 11:29:11 -03:00
Martin Bartoš
0fef4305b6 Logout confirm page is failing to log the user out on auth-server-wildfly 
Fixes #11753
 2022-06-14 10:46:02 +02:00
mposolda
3aefb59d40 Fix test failure in X509BrowserCRLTest on IBM JDK. Don't display details of exception message to the end user 
Closes #12458
 2022-06-14 10:44:31 +02:00
Alexander Schwartz
c2043da78e When asserting a URL, allow for some time for any redirect to complete. 
Closes #12446
 2022-06-14 07:30:31 +02:00
Christoph Leistert
442eff0169
Closes #11851: Apply localization text from realm default locale when it is not defined for the requested language. (#11852) 2022-06-10 14:36:11 -04:00
Martin Bartoš
2cf089424a
ClientClientScopesTest failures in the test pipeline (#12440) 
Resolves #12439
 2022-06-10 09:13:25 -03:00
Alexander Schwartz
361a813d81 Keep a list of model instances in the JPA map session. 
This allows removing them from the persistence context on bulk delete.

Closes #12384
 2022-06-09 12:39:04 -03:00
Joerg Matysiak
3c19ad627f Repsect permissions configured to firstName and lastName when configured in user profile 
Resolves #12109
 2022-06-09 10:10:15 -03:00
Pedro Igor
8aecba1795 Fixing how realm frontendurl is cached when resolving the hostname 
Closes #11894
 2022-06-08 16:41:25 -03:00
Alexander Schwartz
9272c7a5ec Allow for the backend to return granted scopes in any order. 
Closes #12395
 2022-06-08 08:39:14 -03:00
Pedro Igor
243e63c9f3 Do not set empty permissions to username and email attributes 
Closes #11647
 2022-06-07 10:59:35 -03:00
Sebastian Schuster
a0c402b93a
11198 added event information to consent granting and revocation via REST API (#11199) 2022-06-07 11:29:20 +02:00
Stian Thorgersen
e49e8335e0
Refactor BouncyIntegration (#12244) 
Closes #12243
 2022-06-07 09:02:00 +02:00
Martin Kanis
df72cf72f2 Hot Rod map storage: Single-use (action token) no-downtime store 2022-06-06 16:01:18 +02:00
rmartinc
5332a7d435 Issue #9194: Client authentication fails when using signed JWT, if the JWA signing algorithm is not RS256 2022-06-06 12:07:09 +02:00
Takashi Norimatsu
3889eeda30 Client Policies: pkce-enforcer executor with client-access-type condition is not applied on client change via Admin API 
Closes #12295
 2022-06-06 11:30:48 +02:00
Michal Hajas
09c0a69a8f Add HotRod no downtime store for events 
Closes #9676
 2022-06-02 13:30:19 +02:00
mposolda
f90fbb9c71 Changing locale on logout confirmation did not work 
Closes #11951
 2022-05-31 16:03:58 +02:00
Takashi Norimatsu
d083b6c484 ciba http auth channel sends client_id and client_secret via delegation request 
Closes #10993
 2022-05-31 08:22:50 +02:00
vramik
be28e866b9 JPA map storage: Authorization services no-downtime store 
Closes #9669
 2022-05-30 21:05:34 +02:00
Pedro Igor
ea22989d89 Fixing ClientTokenExchangeTest to also run when TLS is disabled 
Closes #11818
 2022-05-30 11:23:46 -03:00
Pedro Hos
e121371401 /clients-registrations API doesn't return secret anymore and is not coherent #11116 
/clients-registrations API doesn't return secret anymore and is not coherent

fixing merge

/clients-registrations API doesn't return secret anymore and is not coherent

fixing test that was failing

Replace tabs with regular spaces

fixing identation

/clients-registrations API doesn't return secret anymore and is not coherent. Closes #11116

fixing test that was failing
 2022-05-30 15:18:56 +02:00
mposolda
4222de8f41 OIDC RP-Initiated Logout POST method support 
Closes #11958
 2022-05-30 14:10:58 +02:00
Marek Posolda
cf386efa40
Support for client_id parameter in OIDC RP-Initiated logout endpoint (#12202) 
Closes #12002


Co-authored-by: Martin Bartoš <mabartos@redhat.com>
 2022-05-27 14:12:37 +02:00
Marek Posolda
eed944292b
Make script providers working on JDK 17 (#11322) 
Closes #9945
 2022-05-27 12:28:50 +02:00
Luca Leonardo Scorcia
27650ab816 Fix #10982 SAML Client - Introduce SAML Issuer validation 2022-05-27 10:58:10 +02:00
Martin Bartoš
d8cded994f
WebAuthn test failures in admin console (#12161) 
Resolves #12160
 2022-05-26 12:55:22 -03:00
Michal Hajas
bc59fad85b Unify way how expirable entities are handled in the new store 
Closes #11947
 2022-05-26 13:17:27 +02:00
Martin Kanis
0cb3c95ed5 Map storage: Single-use objects (action token) 2022-05-25 16:47:10 +02:00
Martin Bartoš
86f31e8df5 Fix BlacklistPasswordPolicyDefaultPath Failures on Windows 
Fixes #11967
 2022-05-24 17:26:19 -03:00
Martin Bartoš
bb3b88963b
New Account console tests failures (#12050) 
* New Account console tests failures, Fix additional tests, solve issue with headless browsers

Fixes #11323
 2022-05-24 09:36:08 +02:00
vramik
24171d2e47 Rename providers from jpa-map-storage to jpa 
Closes #12098
 2022-05-23 16:47:51 +02:00
vramik
0c3aa597f9 JPA map storage: test failures after cache was disabled 
Closes #12118
 2022-05-23 13:01:30 +02:00
vramik
f8ca25d4a4 Add a profiles testsuite for jpa-map storage 
Closes #12045
 2022-05-20 09:17:33 +02:00
Stian Thorgersen
075e284455
Remove legacy (non-Elytron) WildFly adapter (#11789) 
Closes #11683
 2022-05-18 10:34:47 +02:00
Michal Hajas
0bda7e6038 Introduce map event store with CHM implementation 
Closes #11189
 2022-05-17 12:57:35 +02:00
Michal Hajas
b86f205cda Make KeycloakServer runnable with external Infinispan server 
Closes #12011
Closes #12014
 2022-05-16 21:50:35 +02:00
Takashi Norimatsu
9541852a9b ID token encryption without specifying id_token_encrypted_response_enc does not follow OIDC Dynamic Client Registration specification 
Closes #11392
 2022-05-16 09:05:22 +02:00
Takashi Norimatsu
7fa24d247a Deprecated org.keycloak.jose.jws.Algorithm is used in OIDCAdvancedConfigWrapper 
Closes #11394
 2022-05-16 08:56:57 +02:00
Martin Kanis
0d6bbd437f
Merge single-use token providers into one 
Fixes first part of: #11173

* Merge single-use token providers into one

* Remove PushedAuthzRequestStoreProvider

* Remove OAuth2DeviceTokenStoreProvider

* Delete SamlArtifactSessionMappingStoreProvider

* SingleUseTokenStoreProvider cleanup

* Addressing Michal's comments

* Add contains method

* Add revoked suffix

* Rename to SingleUseObjectProvider
 2022-05-11 13:58:58 +02:00
Michal Hajas
d3b43a9f59 Make sure there is always Realm or ResourceServer when searching for authz entities 
Closes #11817
 2022-05-11 07:20:01 -03:00
Réda Housni Alaoui
5d87cdf1c6
KEYCLOAK-6455 Ability to require email to be verified before changing (#7943) 
Closes #11875
 2022-05-09 18:52:22 +02:00
Michal Hajas
6b5c417742 Add HotRod store for authorization services 
Closes #9679
 2022-05-06 15:31:38 +02:00
Stian Thorgersen
491b3262de
Remove Jetty 9.2 and 9.3 adapters (#11792) 
Closes #11791
 2022-05-04 15:24:46 +02:00
azilentech
f7f24c6ca3 Updated test scenarios 2022-05-03 10:59:31 -03:00
Sven-Torben Janus
0efa4afd49 Evaluate composite roles for hardcoded LDAP roles/groups 
Closes: 11771

see also KEYCLOAK-18308
 2022-05-02 14:13:37 +02:00
Stian Thorgersen
52ca546cfa
Remove Fuse adapters (#11740) 
Closes #11677
 2022-05-02 09:55:52 +02:00
Stian Thorgersen
b65d76edab
Remove EAP6 and AS7 adapters (#11605) 
Closes #11604
 2022-04-28 11:20:44 +02:00
vramik
2ecf250e37 Deletion of all objects when realm is being removed 
Closes #11076
 2022-04-28 11:09:17 +02:00
Alexander Schwartz
29233f33c8 Clear import/export properties at the end of the test 
This avoids the pollution of system properties that might lead to failures following tests.

Closes #11670
 2022-04-28 11:02:16 +02:00
Douglas Palmer
fdcbc9b27b
Automated test for session-limits authenticator with identity brokering (post-broker login flow) (#11723) 
Closes #11004
 2022-04-28 10:29:41 +02:00
Stian Thorgersen
e3f3e65ac5
Remove JDK7 support for adapters (#11607) 
Closes #11606
 2022-04-27 08:33:23 +02:00
vramik
5248815091 Disable infinispan realm and user cache for map storage tests 
Closes #11213
 2022-04-25 09:38:49 +02:00
Martin Bartoš
53ea60b8d5
Remove support for IE (#11271) 
Closes #11268
 2022-04-22 10:38:41 +02:00
Pedro Igor
76d83f46fa
Avoid clients exchanging tokens using tokens issued to other clients (#11542) 2022-04-20 19:14:55 +02:00
Stian Thorgersen
ac79fd0c23
Disallow special characters in usernames to prevent confusion with similarly looking usernames (#11531) 
Closes #11532

Co-authored-by: Douglas Palmer <dpalmer@redhat.com>
 2022-04-20 15:53:15 +02:00
Stefan Guilhen
b29b27d731 Ensure code does not rely on a particular format for the realm id or component id 2022-04-20 14:40:38 +02:00
Pedro Igor
2cb5d8d972
Removing upload scripts feature (#11117) 
Closes #9865

Co-authored-by: Michal Hajas <mhajas@redhat.com>

Co-authored-by: Michal Hajas <mhajas@redhat.com>
 2022-04-20 14:25:16 +02:00
Martin Bartoš
3aa3db16ea
Fix error response for invalid characters (#11533) 
Fixes #11530
 2022-04-20 11:26:08 +02:00
Pedro Igor
f1fd7af758
Remove policies when user is deleted (#11385) 
Closes #11284
 2022-04-20 09:23:46 +02:00
Stian Thorgersen
b79f01c72d
Upgrade to WildFly 26.1.0.Final (#11094) 
Closes #10999
 2022-04-20 08:38:10 +02:00
Martin Bartoš
e09f618cef
Ignore WebAuthnIdLessTest for Firefox (#11299) 
Closes #11297
 2022-04-19 14:45:24 +02:00
Martin Bartoš
2632fa7779
WebAuthnSigningInTest failures caused by different titles (#11305) 
Fixes #11298
 2022-04-19 14:44:51 +02:00
m-takai
5f0e27a792 Add duplicate parameters check process in Device Authz Endpoint. 
AuthorizationEndpointRequest class already checks duplicated parameters but DeviceEndpoint class has not checked its error. Thus a check process is added in handleDeviceRequest()

Closes #11294
 2022-04-19 14:20:39 +02:00
Pedro Igor
c5e4dc8cec
Associated permissions should only add resource type permissions if the resource is an instance (#11220) 
Closes #11148
 2022-04-19 09:10:14 +02:00
Martin Kanis
a2d7cd7a5c Hot Rod map storage: User / client session no-downtime store 2022-04-14 15:34:22 +02:00
msvechla
820ab52dce
Add support for filtering by enabled attribute on users count endpoint (#9842) 
Resolves #10896
 2022-04-13 13:57:22 -03:00
Giacomo Altiero
3b7243cd47
Support for UserInfo response encrypted (#10519) 
Close #10517
 2022-04-12 14:01:14 +02:00
Alexander Schwartz
a6dd9dc0f1 Avoiding AvlPartitionFactory and using JdbmPartitionFactory for the embedded LDAP to work around unstable tests. 
Fix for #11171 didn't turn out to cover the root cause. Also improved transaction handling in LDAP Map storage.

Closes #11211
 2022-04-12 09:12:21 +02:00
Alexander Schwartz
5c810ad0e5 Avoid short-lived connections for ApacheDS to avoid messages around "ignoring the message MessageType UNBIND_REQUEST" 
The comment in LdapRequestHandler.java in ApacheDS notes just before discarding an unbind request: "in some cases the session is becoming null though the client is sending the UnbindRequest before closing".

Also implementing a retry logic for all remaining errors regarding LDAP.

Closes #11171
 2022-04-11 10:03:15 +02:00
Pedro Igor
834a276767 NPE when caching policies based on scopes without a resource 
Closes #11180
 2022-04-08 08:43:08 -03:00
Michal Hajas
1f2ebf4cba Add HotRod no downtime store for Realms 
Closes #9670
 2022-04-08 09:36:01 +02:00
Pedro Igor
b4770c30fd Fixing NPE when querying resources by type 
Closes #11137
 2022-04-07 15:10:20 -03:00
Tyler Andor
caebe50d7e
Updates patternfly libs and fixes breaking changes (#10748) 
adding nvmrc

CIAM-1048 Device Activity screen PF updates

CIAM-1046: Personal Info sub-header update

Updates SigningInPage to use EmptyState component when there are no credentials.

rearanged some components used in signing in page

Displays ApplicationPage content in description list.

Updates refresh link on ContentPage, updates Resources screen.

CIAM-1049 Linked Accounts screen PF updates

CIAM-1043-General upstream updates

Updates AccountPage to display form errors.

fix: display Set up Authenticator Application link on large viewport

fix(page structure): rearranges page sections

CIAM-1254/Personal info PF4 updates & Sidebar text updates

updating layouts

updating layout on Signing in and Linked acounts

adding patternfly-additions

adding patternfly-addons styles

Updates Application page based on designs feedback.

moving page description

Updates status label on Applications page to be capitalized.

Updates the copy-fonts script for keycloak.v2 to copy all font directories instead of one.

update Personal info screen - set max width of 600px for form input fields

update Personal info - remove required indicator from input fields

General updates (#2)

* removed the extra lines being shown

* tweaked general spacing

* general alignment and spacer application

* refactor to get proper alignments without css globals

* forgot to add the conditional on displaying the set up buttons

* try and adjust the alignments

Co-authored-by: zwitter <zwitter@redhat.com>

resolve merge conflicts

Device activity updates (#4)

* update text to sentence case

* update device info columns to be dynamic across various viewport sizes

* update signed in device layout

* update based on feedback

Co-authored-by: Jon Szeto <jszeto@redhat.com>

Linked accounts update (#3)

* linked accounts screen - updated icons & Linked/Unlinked Login Providers layout & update text to sentence case

Co-authored-by: Jon Szeto <jszeto@redhat.com>

fixing ts errors

cleaning up fonts and messages

final review updates

message update for Back to admin console link

fixing capitalization on 2fa

updating landing page welcome message

fix: reposition Back to... link

adjusting size for confirm modal

updating spacing and alignment issues

updating resources page

removing unused header class

fixes ts issues and updates node version to match the themes install

npm updates

fixing pf addons

adding chokidar to get babel:watch working

fixing issues from pull request feedback

fixing tests

fixes signingin page test

fixing tests

Co-authored-by: Tyler Andor <tandor@highereducation.com>
 2022-04-06 13:00:38 +02:00
Stian Thorgersen
7c64f28934
Change admin console to load keycloak.js using a relative URL (#11109) 
* Change admin console to load keycloak.js using a relative URL

Closes #11108

* fix tests

Co-authored-by: Dominik Guhr <dguhr@redhat.com>
 2022-04-06 09:35:26 +02:00
Michal Hajas
4c20388eb7 Remove SOAPException from SOAPBindingTest as RunOnServer cannot load it 
Closes #11090
 2022-04-04 15:53:55 +02:00
Martin Kanis
395bd447f2 Hot Rod map storage: Login failure no-downtime store 2022-04-01 20:43:18 +02:00
Douglas Palmer
f57d0dd100
Automated tests for session limits authenticator (browser, direct grant, reset password) (#11046) 
Closes #11003
 2022-04-01 18:44:38 +02:00
Marek Posolda
c50f09da25
Webauthn tests logout fix (#11040) 
Closes #11030
 2022-04-01 08:06:39 +02:00
Michal Hajas
44000caaf5 KEYCLOAK-19177 Disable ECP flow by default for all Saml clients; ecp flow creates only transient users sessions 2022-03-31 16:06:44 +02:00
Teubner, Malte
b5f70d8a32 Add scope parameter to admin-client TokenManager. 
Closes #10759
 2022-03-31 10:56:08 -03:00
iingawal
6016b461db
Fix for "updatedAt" user attribute in "profile" client scope should use number instead of String (#11020) 
Closes #10081


Co-authored-by: Indrajit Ingawale <iingawal@iingawal.pnq.csb>
 2022-03-31 14:33:03 +02:00
Marek Posolda
aacae9b9ac
Support for frontchannel_logout_session_required OIDC client parameter (#11009) 
* Support for frontchannel_logout_session_required OIDC client parameter
Closes #10137
 2022-03-31 14:25:24 +02:00
Marek Posolda
22a16ee899
OIDC RP-Initiated logout endpoint (#10887) 
* OIDC RP-Initiated logout endpoint
Closes #10885

Co-Authored-By: Marek Posolda <mposolda@gmail.com>

* Review feedback

Co-authored-by: Douglas Palmer <dpalmer@redhat.com>
 2022-03-30 11:55:26 +02:00
Andrea Peruffo
da5db5a813
Fix NPEs during realm import (#10962) 
Closes #10961
 2022-03-29 21:48:37 +02:00
Marcelo Daniel Silva Sales
091b1472ce
Introduce client secret rotation dynamic registration (#10952) 
Closes #10609
 2022-03-28 20:39:11 +02:00
Konstantinos Georgilakis
99fa6275c1 KEYCLOAK-19313 configure the name format in Attribute Importer IdP Mapper 2022-03-25 09:42:22 +01:00
Takashi Norimatsu
9c01d819cb Client Policies : An executor rejecting all requests 
Closes #9097
 2022-03-23 12:45:38 +01:00
iingawal
b773857a80
Display email address in login-verify-email.ftl (#10870) 
Closes #8873
 2022-03-23 12:44:21 +01:00
Marcelo Daniel Silva Sales
6efa45f93e
Update secret rotation when the policy is enabled using jwt (#10853) 
Closes #10666
 2022-03-23 08:25:58 +01:00
Martin Kanis
e493b08fa7 Add expiration field to root authentication session 2022-03-23 07:47:47 +01:00
Michal Hajas
99c06d1102
Authorization services refactoring 
Closes: #10447 

* Prepare logical layer to distinguish between ResourceServer id and client.id
* Reorder Authz methods: For entities outside of Authz we use RealmModel as first parameter for each method, to be consistent with this we move ResourceServer to the first place for each method in authz
* Prepare Logical (Models/Adapters) layer for returning other models instead of ids
* Replace resourceServerId with resourceServer model in PermissionTicketStore
* Replace resourceServerId with resourceServer model in PolicyStore
* Replace resourceServerId with resourceServer model in ScopeStore
* Replace resourceServerId with resourceServer model in ResourceStore
* Fix PermissionTicketStore bug
* Fix NPEs in caching layer
* Replace primitive int with Integer for pagination parameters
 2022-03-22 20:49:40 +01:00
Alexander Schwartz
fb92b95c33 Revert from getParameterCount() to getParameterTypes().length to be Java 1.7 compatible. 
This reverts commit bc27c7c464.

Closes #10840
 2022-03-22 10:23:25 +01:00
keycloak-bot
c71aa8b711
Set version to 999-SNAPSHOT (#10784) 2022-03-22 09:22:48 +01:00
Martin Kanis
0faf3987f6 Hot Rod map storage: Authentication session no-downtime store 2022-03-22 09:05:52 +01:00
Pedro Igor
ffa6df5547
Fixes to hostname (#10820) 
Closes #10627
Closes #10331
 2022-03-22 08:11:50 +01:00
Joaquim Fellmann
92c4e6d585
KEYCLOAK-16134 Allow webauthn idless login flow (#7860) 
Closes #10832
 2022-03-21 11:37:33 +01:00
Clara Fang
bc27c7c464 Replace occurrences of getParameterTypes().length and getParameters().length with getParameterCount() 
Closes #10333
 2022-03-18 11:20:52 +01:00
Michal Hajas
c18a682f50 Do not store undefined values in store 
Closes #10744
 2022-03-17 16:44:33 +01:00
mposolda
9e12587181 Protocol mapper and client scope for 'acr' claim 
Closes #10161
 2022-03-11 09:23:25 +01:00
Martin Bartoš
8ee7ae24de Make WebAuthn feature default for the product version 
Closes #10695
 2022-03-10 19:00:54 +01:00
Ivan Atanasov
5c6b123aff
Support for the Recovery codes (#8730) 
Closes #9540


Co-authored-by: Zachary Witter <torquekma@gmail.com>
Co-authored-by: stelewis-redhat <91681638+stelewis-redhat@users.noreply.github.com>
 2022-03-10 15:49:25 +01:00
Martin Bartoš
8a0f1ccb34 Properly execute AuthenticationFlowCallbackProviderTest with Map storage 
Closes #10268, Closes #10225
 2022-03-10 15:00:23 +01:00
rmartinc
a7c8aa1dd3
[#10616] Incorrect username logged for federated accounts (#10662) 
Closes #10616
 2022-03-10 13:21:39 +01:00
Marcelo Daniel Silva Sales
0c25da542c
Update secret rotation when the policy is disabled (#10674) 
Closes #10667
 2022-03-10 13:03:09 +01:00
Alexander Schwartz
18f391d8c4 Fix spelling error in field and classname 
It's always a converter, unless electricity is involved.

Closes #10573
 2022-03-09 08:28:52 -03:00
Marcelo Daniel Silva Sales
7335abaf08
Keycloak 10489 support for client secret rotation (#10603) 
Closes #10602
 2022-03-09 00:05:14 +01:00
mposolda
d394e51674 Introduce profile 'feature' for step-up authentication enabled by default 
Closes #10315
 2022-03-08 14:42:46 +01:00
rmartinc
48565832d4 [#10608] Password blacklists folder 2022-03-08 08:22:34 -03:00
mposolda
93bba8e338 Replace 'Store LoA in User Session' with 'Max Age'. Refactoring of step-up authentications related to that. 
Closes #10205
 2022-03-08 10:41:05 +01:00
Martin Bartoš
2bae2d2167 DeleteAccountTest failure in the test pipeline 
Closes #10630
 2022-03-08 08:33:31 +01:00
Martin Bartoš
02d0fe82bc Auth execution 'Condition - User Attribute' missing 
Closes #9895
 2022-03-08 08:24:48 +01:00
Michal Hajas
f77ce315bb Disable Authz caching for new storage tests 
Closes #10500
 2022-03-07 10:22:55 -03:00
Michael Parlee
722ce950bf Improve user search performance 
Removes bulder.lower() from user search queries on email and username.

Closes #8893
 2022-03-04 14:15:14 +01:00
Takashi Norimatsu
201277b897 Handle OIDC authz request with "response_type" missing and "response_mode=form_post" 
Closes #10144
 2022-03-04 13:31:40 +01:00
Takashi Norimatsu
92f6c75328 Nonce parameter should be required in authorizationEndpoint only when "id_token" is included in response_type 
Closes #10143
 2022-03-03 13:26:39 +01:00
Alfredo Boullosa
6801688dd4 Allow Edge tests in Admin Console 
Closes #10539
 2022-03-03 07:14:01 +01:00
wojnarfilip
700ceb77ec Removal of invalid(depricated) SpringBootTest 
Closes #10218
 2022-03-02 09:04:47 +01:00
Daniel Gozalo
76101e3591 [fixes #9225] - Get scopeIds from the AuthorizationRequestContext instead of session if DYNAMIC_SCOPES are enabled 
Add a test to make sure ProtocolMappers run with Dynamic Scopes

Change the way we create the DefaultClientSessionContext with respect to OAuth2 scopes, and standardize the way we obtain them from the parameter
 2022-03-01 13:47:58 +01:00
Martin Bartoš
e2514ea2e6 Test WebAuthn with multiple browsers 
Closes #10062
 2022-02-28 09:10:39 +01:00
stianst
5ef8265b75 Remove Tomcat 7 adapter 
Closes #9428
 2022-02-28 07:50:36 +01:00
mposolda
52712d2c82 ACR support in the javascript adapter 
Closes #10154
 2022-02-24 20:07:50 +01:00
Martin Kanis
6249e34177 Hot Rod map storage: Client scope no-downtime store 2022-02-24 13:30:27 +01:00
Michal Hajas
b4281468d0 Convert Map Realm Entities into interfaces 
Closes #9736
 2022-02-24 13:23:19 +01:00
Vlasta Ramik
aa6a131b73
Change String client.id to ClientModel client in ResourceServerStore 
Closes #10442
 2022-02-24 12:46:26 +01:00
Pedro Igor
209df44641
Fixing responses when unexpected errors occurs (#10383) 
Closes #10338
 2022-02-23 07:44:25 +01:00
Marek Posolda
8c3fc5a60e
Option for client to specify default acr level (#10364) 
Closes #10160
 2022-02-22 07:54:30 +01:00
Marek Posolda
caf37b1f70
Support for acr_values_supported in OIDC well-known endpoint (#10265) 
* Support for acr_values_supported in OIDC well-known endpoint
closes #10159
 2022-02-18 11:33:31 +01:00
Filipe Bojikian Rissi
323c08c8cc
KEYCLOAK-19519 Encryption algorithm RSA-OAEP with A256GCM (#8553) 
Closes #10300
 2022-02-17 17:41:54 +01:00
Martin Bartoš
18581ca4f7 Test more recent versions of Spring Boot 
Closes #9934
 2022-02-17 16:08:57 +01:00
Martin Bartoš
314d303a99 Possibility to ignore tests for particular browsers 
Closes #10213
 2022-02-17 09:02:11 +01:00
Pedro Igor
a9668d14ce Proper error response when handing unexpected errors 
Closes #10176
 2022-02-16 15:35:38 -03:00
Martin Bartoš
bbe9ab38bc Unstable AuthenticationFlowCallbackProviderTest for undertow-map 
Closes #10225
 2022-02-16 15:49:08 +01:00
Pedro Igor
7da3953435 Path parameter is missing in the get account endpoint 
Closes #10055
 2022-02-15 15:44:05 -03:00
Marek Posolda
90d4e586b6
Show error in case of an unkown essential acr claim. Make sure correc… (#10088) 
* Show error in case of an unkown essential acr claim. Make sure correct acr is set after authentication flow during step-up authentication
Closes #8724

Co-authored-by: Cornelia Lahnsteiner <cornelia.lahnsteiner@prime-sign.com>
Co-authored-by: Martin Bartoš <mabartos@redhat.com>
 2022-02-15 09:02:05 +01:00
keycloak-bot
d9f1a9b207
Set version to 18.0.0-SNAPSHOT (#10165) 2022-02-11 21:28:06 +01:00
Martin Kanis
26ac142b99 Hot Rod map storage: Roles no-downtime store 2022-02-11 14:31:34 +01:00
wojnarfilip
f54cd969f8 OTPPolicyTest failures resolve 
Tests pass locally, Closes #9692
 2022-02-11 14:06:17 +01:00
Michal Hajas
b50b8f883b Implement HotRod storage for Users 
Closes #9671
 2022-02-11 10:20:36 +01:00
Douglas Palmer
340d8da197
LDAP Integration tests fail on JDK-17 #9899 (#9980) 2022-02-11 09:03:16 +01:00
Martin Bartoš
6c09ec6de6 Hide 'unknown' transport media type label for WebAuthn authenticators 
Closes #10036
 2022-02-11 08:28:50 +01:00
Dominik Guhr
1b77358160 Logging guide v1 
Closes #10001
 2022-02-08 18:13:05 -03:00
Mauro de Wit
2c238b9f04
session-limiting-feature (#8260) 
Closes #10077
 2022-02-08 19:16:06 +01:00
Martin Bartoš
571f2d5107 WebAuthnSigningInTest failures in pipeline 
Closes #9691
 2022-02-07 10:57:14 +01:00
Martin Bartoš
8573ea5fb2 KEYCLOAK-17690 Add missing test case for user email update 2022-02-07 10:56:11 +01:00
Marek Posolda
d9c8cb30a5
Closes #9498 - Fix cases when user is forced to re-authenticate (#9580) 2022-02-07 09:02:08 +01:00
Pedro Igor
f107f0596e Rename h2-file and h2-mem and removing defaults from production databases 
Closes #9973
 2022-02-04 15:43:51 -03:00
Martin Bartoš
d82122b982 Store information about transport media of WebAuthn authenticator 
Closes #9800
 2022-02-04 19:36:30 +01:00
Takashi Norimatsu
07d43f31f3 Expected Scopes of ClientScopesCondition created on Admin UI are not saved onto ClientScopesCondition.Configuration 
Closes #9371
 2022-02-04 18:02:15 +01:00
Martin Kanis
0471ec4941 Cross-site validation for lazy loading of offline sessions & Switch default offline sessions to lazy loaded 2022-02-03 21:43:47 +01:00
Konstantinos Georgilakis
a1f2f77b82 Device Authorization Grant with PKCE 
Closes #9710
 2022-02-03 08:37:07 +01:00
Daniel Gozalo
db4642d250 [fixes #9919] - Enable Dynamic Scopes for the resource-owner-password-credentials grant 
Change some calls to the new AuthorizationContextUtil class and add tests for the client-credentials grant
 2022-02-03 08:19:44 +01:00
Marek Posolda
d27635fb1b
Fixing for token revocation checks only (#9707) 
Closes #9705
 2022-02-02 15:21:44 +01:00
Martin Bartoš
191ef1874e Complete support for Passwordless tests 
Closes #9850
 2022-02-02 09:12:46 +01:00
Daniel Gozalo
3528e7ba54 [fixes #9224] - Get consented scopes from AuthorizationContext 
Always show the consent screen when a dynamic scope is requested and show the requested parameter

Improve the code that handles dynamic scopes consent and add some log traces

Add a test to check how we show dynamic scope in the consent screen and added missing template file change

Fix merge problem in comment and improve other comments

Fix the Dynamic Scope test by assigning it to the client as optional instead of default

Change how dynamic scopes are represented in the consent screen and adapt test
 2022-02-02 09:10:20 +01:00
Martin Bartoš
243b6ba552 Test scenarios for verifying of JS injection for WebAuthn Policy 
Closes #9544
 2022-02-01 11:16:12 +01:00
Martin Bartoš
47208b7a20 Extend and fix tests for Resident Keys for WebAuthn 
Closes #9796
 2022-02-01 11:11:04 +01:00
Stian Thorgersen
cc88fb2daa
Update default distribution to Quarkus (#9839) 
Closes #9837
 2022-02-01 09:42:09 +01:00
Martin Bartoš
c40e842b45
Verify the WebAuthn functionality and settings for authentication (#9851) 
* Verify the WebAuthn functionality and settings for authentication

Closes #9504
 2022-01-31 15:42:08 +01:00
Dominik Guhr
5a1f4b8889 Quarkus update to 2.7.0.Final 
Minor and micro dependency updates, some relocations (e.g. vault, ZipUtils), so some changes were needed to make this work.

Closes #9872
 2022-01-31 09:55:02 -03:00
Daniel Gozalo
dc814b85c7 Pass the UserId to the function that runs the inner function in the server as it was losing its value when defined globally for Wildfly and Quarkus 2022-01-31 13:02:22 +01:00
Martin Bartoš
2919342f3a Add test scenarios for Passwordless Webauthn AIA 
Closes #9795
 2022-01-27 11:02:43 +01:00
bal1imb
9621d513b5 KEYCLOAK-18727 Improve user search query 2022-01-26 17:03:05 +01:00
Daniel Gozalo
4136bf7700 [fixes #9750] Make sure a Dynamic scope isn't assignable to a client as a default scope, and only show non-dynamic scopes in the available client scopes client menu 2022-01-26 13:32:04 +01:00
Daniel Gozalo
dad51773ea [fixes #9223] - Create an internal representation of RAR that also handles Static and Dynamic Client Scopes 
Parse scopes to RAR representation and validate them against the requested scopes in the AuthorizationEndpointChecker

Parse scopes as RAR representation and add the created context on the different cache models in order to store the state and make it available for mappers in the ClientSessionContext

Create a new AuthorizationRequestSpi to provide different implementations for either dynamic scopes or RAR requests parsing

Move the AuthorizationRequest objects to server-spi

Add the AuthorizationRequestContext property to the MapAuthenticationSessionEntity and configure MapAuthenticationSessionAdapter to access it

Remove the AuthorizationRequestContext object from the cache adapters and entities and instead recalculate the RAR representations from scopes every time

Refactor the way we parse dynamic scopes and put everything behind the DYNAMIC_SCOPES feature flag

Added a login test and added a function to get the requested client scopes, including the dynamic one, behind a feature flag

Add a new filter to the Access Token dynamic scopes to avoid adding scopes that are not permitted for a user

Add tests around Dynamic Scopes: replaying existing tests while enabling the DYNAMIC_SCOPES feature and adding a few more

Test how the server genereates the AuthorizationDetails object

Fix formatting, move classes to better packages and fix parent test class by making it Abstract

Match Dynamic scopes to Optional scopes only and fix tests

Avoid running these tests on remote auth servers
 2022-01-26 13:19:23 +01:00
Pedro Igor
d28b54e5d5
Hide Hasicorp Vault from CLI (#9700) 
Closes #9688
 2022-01-25 14:24:35 +01:00
Pedro Igor
b53c5d5eee Build command should not allow runtime options 
Closes #9618
 2022-01-23 16:30:48 -03:00
Pedro Igor
7511725af4 GHA failing due to wrong scheme when downloading ISPN server 
Closes #9696
 2022-01-20 20:44:23 +01:00
Martin Kanis
ddcabe61b2 KEYCLOAK-19571 Add indices to HotRodClientEntity fields 2022-01-20 17:46:47 +01:00
Konstantinos Georgilakis
0c9ab32cf4 Fix scope bug in device authorization request 
Closes #9617
 2022-01-19 18:13:42 +01:00
vramik
22bcdcb630 MapRoleProvider could return also client roles when searching for realm roles 
Closes #9587
 2022-01-19 16:39:59 +01:00
Pedro Igor
0a9387ff4f Unified configuration option format and renaming keycloak.properties to keycloak.conf 
Closes #9606
 2022-01-19 08:47:15 -03:00
Konstantinos Georgilakis
db0b36460f KEYCLOAK-19148 correct getGroupsCountByNameContaining of MapGroupProvider 2022-01-15 20:15:27 +01:00
Pedro Igor
4c747047ce
Backward compatibility for lower-case bearer type in token responses (#9538) 
Closes #9537
 2022-01-13 08:34:45 +01:00