libre.sh/keycloak-scim
4
0
Fork 0
Code Issues 15 Pull requests Releases 1 Activity Actions
24067 commits 4 branches 9 tags 483 MiB
Commit graph

276 commits

Author SHA1 Message Date
Alexander Schwartz
a109e28be7 moving some functionality around imports 2022-06-21 08:53:06 +02:00
Alexander Schwartz
14a369a8cc Added LegacySessionSupport SPI 
While some methods around onCache() are still called from the legacy code, all other methods log a warning with a stacktrace.
 2022-06-21 08:53:06 +02:00
Alexander Schwartz
bc8fd21dc6 SingleUserCredentialManager moving in 
- UserStorageManager now handles authentication for old Kerberos+LDAP style
- new getUserByCredential method in MapUserProvider would eventually do the same.
 2022-06-21 08:53:06 +02:00
Hynek Mlnarik
703e868a51 Preparation for moving User Storage SPI 
- Introduction of new AdminRealmResource SPI
- Moving handler of /realm/{realm}/user-storage into model/legacy-service
- session.users() and userStorageManager() moved refers legacy module
  IMPORTANT: Broken as UserStorageSyncManager is not yet moved
 2022-06-21 08:53:06 +02:00
Réda Housni Alaoui
5d87cdf1c6
KEYCLOAK-6455 Ability to require email to be verified before changing (#7943) 
Closes #11875
 2022-05-09 18:52:22 +02:00
Stian Thorgersen
ac79fd0c23
Disallow special characters in usernames to prevent confusion with similarly looking usernames (#11531) 
Closes #11532

Co-authored-by: Douglas Palmer <dpalmer@redhat.com>
 2022-04-20 15:53:15 +02:00
Pedro Igor
2cb5d8d972
Removing upload scripts feature (#11117) 
Closes #9865

Co-authored-by: Michal Hajas <mhajas@redhat.com>

Co-authored-by: Michal Hajas <mhajas@redhat.com>
 2022-04-20 14:25:16 +02:00
Takashi Norimatsu
9c01d819cb Client Policies : An executor rejecting all requests 
Closes #9097
 2022-03-23 12:45:38 +01:00
mposolda
9e12587181 Protocol mapper and client scope for 'acr' claim 
Closes #10161
 2022-03-11 09:23:25 +01:00
Ivan Atanasov
5c6b123aff
Support for the Recovery codes (#8730) 
Closes #9540


Co-authored-by: Zachary Witter <torquekma@gmail.com>
Co-authored-by: stelewis-redhat <91681638+stelewis-redhat@users.noreply.github.com>
 2022-03-10 15:49:25 +01:00
Marcelo Daniel Silva Sales
7335abaf08
Keycloak 10489 support for client secret rotation (#10603) 
Closes #10602
 2022-03-09 00:05:14 +01:00
Martin Bartoš
02d0fe82bc Auth execution 'Condition - User Attribute' missing 
Closes #9895
 2022-03-08 08:24:48 +01:00
Filipe Bojikian Rissi
323c08c8cc
KEYCLOAK-19519 Encryption algorithm RSA-OAEP with A256GCM (#8553) 
Closes #10300
 2022-02-17 17:41:54 +01:00
Mauro de Wit
2c238b9f04
session-limiting-feature (#8260) 
Closes #10077
 2022-02-08 19:16:06 +01:00
Daniel Gozalo
dad51773ea [fixes #9223] - Create an internal representation of RAR that also handles Static and Dynamic Client Scopes 
Parse scopes to RAR representation and validate them against the requested scopes in the AuthorizationEndpointChecker

Parse scopes as RAR representation and add the created context on the different cache models in order to store the state and make it available for mappers in the ClientSessionContext

Create a new AuthorizationRequestSpi to provide different implementations for either dynamic scopes or RAR requests parsing

Move the AuthorizationRequest objects to server-spi

Add the AuthorizationRequestContext property to the MapAuthenticationSessionEntity and configure MapAuthenticationSessionAdapter to access it

Remove the AuthorizationRequestContext object from the cache adapters and entities and instead recalculate the RAR representations from scopes every time

Refactor the way we parse dynamic scopes and put everything behind the DYNAMIC_SCOPES feature flag

Added a login test and added a function to get the requested client scopes, including the dynamic one, behind a feature flag

Add a new filter to the Access Token dynamic scopes to avoid adding scopes that are not permitted for a user

Add tests around Dynamic Scopes: replaying existing tests while enabling the DYNAMIC_SCOPES feature and adding a few more

Test how the server genereates the AuthorizationDetails object

Fix formatting, move classes to better packages and fix parent test class by making it Abstract

Match Dynamic scopes to Optional scopes only and fix tests

Avoid running these tests on remote auth servers
 2022-01-26 13:19:23 +01:00
CorneliaLahnsteiner
dff79cee3c
KEYCLOAK-847 Add support for step up authentication (#7897) 
KEYCLOAK-847 Fix behavior of unknown not essential acr claim

Co-authored-by: Georg Romstorfer <georg.romstorfer@gmail.com>
Co-authored-by: Marek Posolda <mposolda@gmail.com>
 2021-12-22 12:43:12 +01:00
bal1imb
661aca4452 KEYCLOAK-19283 Implemented new identity provider mapper "Advanced claim to group mapper" alongside tests. 2021-11-19 16:54:39 +01:00
Takashi Norimatsu
10c3e149d3 KEYCLOAK-19699 RSA key provider with key use = enc cannot select corresponding algorithm on Admin Console 2021-11-18 13:24:50 +01:00
Takashi Norimatsu
263161ff66 KEYCLOAK-19540 FAPI 2.0 Baseline : Reject Resource Owner Password Credentials Grant 2021-10-21 09:13:12 +02:00
mposolda
7010017e0e KEYCLOAK-19555 Improvements in ConsentRequiredExecutor of client policies 2021-10-16 14:11:18 +02:00
R Yamada
891c8e1a12 [KEYCLOAK-17653] - OIDC Frontchannel logout support 2021-10-07 15:27:19 -03:00
Václav Muzikář
69a146db7e KEYCLOAK-18128 Keycloak cannot fetch group claims from openshift 2021-09-27 08:05:43 -03:00
Vlastimil Elias
32f2f095fe KEYCLOAK-7724 User Profile default validations 2021-07-29 08:42:37 +02:00
Takashi Norimatsu
9018fe9fad KEYCLOAK-18863 Global client profile for FAPI CIBA 2021-07-23 14:30:26 +02:00
Takashi Norimatsu
63f04c1118 KEYCLOAK-18683 Client policy executor for check Backchannel signed request algorithms matching FAPI compliant algorithms 2021-07-19 14:48:31 +02:00
Takashi Norimatsu
43eb2b7c90 KEYCLOAK-18123 Client Policy - Executor : Enforce Backchannel Authentication Request satisfying high security level 2021-07-09 09:11:13 +02:00
Dmitry Telegin
3b3a61dfba KEYCLOAK-18639 Token Exchange SPI Milestone 1 2021-07-06 15:48:45 -03:00
Hryhorii Hevorkian
2803685cd7 KEYCLOAK-18353 Implement Pushed Authorization Request inside the Keycloak 
Co-authored-by: Takashi Norimatsu <takashi.norimatsu.ws@hitachi.com>
Co-authored-by: mposolda <mposolda@gmail.com>
 2021-07-03 08:47:42 +02:00
Pedro Igor
948f453e2d [KEYCLOAK-18427] - Allowing switching to declarative provider 2021-06-28 15:50:04 -03:00
Pedro Igor
faadb896ea [KEYCLOAK-18426] - Support required by role and scopes in Admin UI 2021-06-24 10:43:49 -03:00
Pedro Igor
ef3a0ee06c [KEYCLOAK-17399] - Declarative User Profile and UI 
Co-authored-by: Vlastimil Elias <velias@redhat.com>
 2021-06-14 11:28:32 +02:00
mposolda
3d16a1e8d3 KEYCLOAK-16811 Add executor for disable 'Full Scope Allowed' and add it to FAPI profiles 2021-06-04 15:46:33 +02:00
mposolda
73a38997d8 KEYCLOAK-14208 Default client profiles for FAPI 2021-05-31 12:31:52 +02:00
Vlastimil Elias
4ad1687f2b [KEYCLOAK-17399] UserProfile SPI - Validation SPI integration 2021-05-20 15:26:17 -03:00
Pedro Igor
a0f8d2bc0e [KEYCLOAK-17399] - Review User Profile SPI 
Co-Authored-By: Vlastimil Elias <vlastimil.elias@worldonline.cz>
 2021-05-20 08:44:24 -03:00
mposolda
b8a7750000 KEYCLOAK-18113 Refactor some executor/condition provider IDs 2021-05-18 09:17:41 +02:00
Marek Posolda
a6d4316084
KEYCLOAK-14209 Client policies admin console support. Changing of format of JSON for client policies and profiles. Remove support for default policies (#7969) 
* KEYCLOAK-14209 KEYCLOAK-17988 Client policies admin console support. Changing of format of JSON for client policies and profiles. Refactoring based on feedback and remove builtin policies
 2021-05-12 16:19:55 +02:00
Takashi Norimatsu
5dced05591 KEYCLOAK-18050 Client Policies : Rename "secure-redirecturi-enforce-executor" to indicate what this executor does 2021-05-11 07:42:18 +02:00
Takashi Norimatsu
b78d151a23 KEYCLOAK-16808 Client Policy : Implement existing ConsentRequiredClientRegistrationPolicy as Client Policies' executor 
Co-authored-by: Andrii Murashkin <amu@adorsys.com.ua>
 2021-05-06 08:36:34 +02:00
Takashi Norimatsu
65c48a4183
KEYCLOAK-12137 OpenID Connect Client Initiated Backchannel Authentication (CIBA) (#7679) 
* KEYCLOAK-12137 OpenID Connect Client Initiated Backchannel Authentication (CIBA)

Co-authored-by: Andrii Murashkin <amu@adorsys.com.ua>
Co-authored-by: Christophe Lannoy <c4r1570p4e@gmail.com>
Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com>
Co-authored-by: mposolda <mposolda@gmail.com>
 2021-04-29 15:56:39 +02:00
i7a7467
ada7f37430 KEYCLOAK-16918 Set custom user attribute to Name ID Format for a SAML client 
https://issues.redhat.com/browse/KEYCLOAK-16918

Co-authored-by: Michal Hajas <mhajas@redhat.com>
 2021-04-20 10:29:17 +02:00
AlistairDoswald
8b3e77bf81 KEYCLOAK-9992 Support for ARTIFACT binding in server to client communication 
Co-authored-by: AlistairDoswald <alistair.doswald@elca.ch>
Co-authored-by: harture <harture414@gmail.com>
Co-authored-by: Michal Hajas <mhajas@redhat.com>
 2021-04-16 12:15:59 +02:00
Martin Bartoš
5a9068e732 KEYCLOAK-16401 Deny/Allow access in a conditional context 2021-04-09 12:04:45 +02:00
Takashi Norimatsu
3221708499 KEYCLOAK-17667 Client Policy - Executor : Only Accept Confidential Client 2021-04-08 09:17:10 +02:00
Takashi Norimatsu
42dec08f3c
KEYCLOAK-16805 Client Policy : Support New Admin REST API (Implementation) (#7780) 
* KEYCLOAK-16805 Client Policy : Support New Admin REST API (Implementation)

* support tests using auth-server-quarkus

* Configuration changes for ClientPolicyExecutorProvider

* Change VALUE of table REALM_ATTRIBUTES to NCLOB

* add author tag

* incorporate all review comments

Co-authored-by: mposolda <mposolda@gmail.com>
 2021-04-06 16:31:10 +02:00
Hynek Mlnarik
a36fafe04e KEYCLOAK-17409 Support for amphibian (both component and standalone) provider 2021-03-25 13:28:20 +01:00
Michito Okai
298ab0bc3e KEYCLOAK-7675 Support for Device Authorization Grant 2021-03-15 10:09:20 -03:00
diodfr
cb12fed96e KEYCLOAK-4544 Detect existing user before granting user autolink 2021-02-11 11:06:49 +01:00
Takashi Norimatsu
5f445ec18e KEYCLOAK-14200 Client Policy - Executor : Enforce Holder-of-Key Token 
Co-authored-by: Hryhorii Hevorkian <hhe@adorsys.com.ua>
 2021-01-12 11:21:41 +01:00
Takashi Norimatsu
f423c0dc51 KEYCLOAK-16249 Client Policy - Condition : Client - Any Client 2021-01-08 17:29:50 +01:00
Takashi Norimatsu
05dfac75ca KEYCLOAK-14202 Client Policy - Executor : Enforce secure signature algorithm for Signed JWT client authentication 
Co-authored-by: Andrii Murashkin <amu@adorsys.com.ua>
 2021-01-06 08:58:20 +01:00
Takashi Norimatsu
edabbc9449 KEYCLOAK-14203 Client Policy - Executor : Enforce HTTPS URIs 2020-12-15 09:31:20 +01:00
Takashi Norimatsu
200b53ed1e KEYCLOAK-14192 Client Policy - Condition : Author of a client - User Role 2020-12-14 15:37:05 +01:00
Takashi Norimatsu
7da5a71314 KEYCLOAK-14191 Client Policy - Condition : Author of a client - User Group 2020-12-03 17:52:06 +01:00
Takashi Norimatsu
a51e0cc484 KEYCLOAK-14197 Client Policy - Condition : Client - Client Host 2020-12-02 09:05:42 +01:00
zak905
4f330f4a57 KEYCLOAK-953: add allowing user to delete his own account feature 2020-11-24 15:50:07 +01:00
Takashi Norimatsu
9ce2e9b1f7 KEYCLOAK-14193 Client Policy - Condition : Client - Client Access Type 2020-11-18 09:49:22 +01:00
Takashi Norimatsu
21c7af1c53 KEYCLOAK-14207 Client Policy - Executor : Enforce more secure client signature algorithm when client registration 2020-11-13 09:24:59 +01:00
Takashi Norimatsu
244a1b2382 KEYCLOAK-14196 Client Policy - Condition : Client - Client Scope 2020-11-12 08:40:28 +01:00
Takashi Norimatsu
e35a4bcefc KEYCLOAK-14206 Client Policy - Executor : Enforce more secure state and nonce treatment for preventing CSRF 2020-11-11 21:11:34 +01:00
Takashi Norimatsu
a0b1710735 KEYCLOAK-14198 Client Policy - Condition : Client - Client IP 2020-11-10 15:37:26 +01:00
Takashi Norimatsu
a63814da67 KEYCLOAK-14201 Client Policy - Executor : Enforce Proof Key for Code Exchange (PKCE) 2020-11-09 08:18:05 +01:00
Takashi Norimatsu
6dc136dfc0 KEYCLOAK-14199 Client Policy - Executor : Enforce more secure client authentication method when client registration 2020-11-05 20:42:49 +01:00
Markus Till
72f73f153a UserProfile M1 2020-10-05 09:59:44 -03:00
Takashi Norimatsu
6596811d5d KEYCLOAK-14204 FAPI-RW Client Policy - Executor : Enforce Request Object satisfying high security level 2020-09-25 08:31:14 +02:00
Takashi Norimatsu
b670734eec KEYCLOAK-14205 FAPI-RW Client Policy - Executor : Enforce Response Type of OIDC Hybrid Flow 2020-09-14 20:58:25 +02:00
Takashi Norimatsu
af2f18449b KEYCLOAK-14195 FAPI-RW Client Policy - Condition : Client - Client Role 2020-09-10 18:34:19 +02:00
stianst
76f7fbb984 KEYCLOAK-14548 Add support for cached gzip encoding of resources 2020-09-07 00:58:47 -07:00
Takashi Norimatsu
1d8230d438 KEYCLOAK-14190 Client Policy - Condition : The way of creating/updating a client 2020-09-04 09:54:55 +02:00
Dillon Sellars
25bb2e3ba2 KEYCLOAK-14529 Signed and Encrypted ID Token Support : RSA-OAEP-256 Key Management Algorithm 2020-07-30 15:20:51 +02:00
Takashi Norimatsu
0191f91850 KEYCLOAK-14380 Support Requesting Claims using the claims Request Parameter 2020-07-29 09:53:28 +02:00
Takashi Norimatsu
e0fbfa722e KEYCLOAK-14189 Client Policy : Basics 2020-07-21 07:50:08 +02:00
Luca Leonardo Scorcia
d6934c64fd Refactor SAML metadata generation to use the SAMLMetadataWriter class 2020-07-09 09:39:35 +02:00
Martin Idel
8fe25948f7 KEYCLOAK-13959 Add AdvancedAttribute mapper for SAML to allow regexes 2020-07-03 18:19:35 +02:00
Takashi Norimatsu
c057b994e7 KEYCLOAK-13104 Signed and Encrypted ID Token Support : AES 192bit and 256bit key support 2020-05-20 09:01:59 +02:00
stianst
5b017e930d KEYCLOAK-13128 Security Headers SPI and response filter 2020-04-28 15:28:24 +02:00
stianst
bcb542d9cc KEYCLOAK-13116 Fix backwards compatilbity changes in LocaleSelectorSPI 2020-03-04 06:39:24 +01:00
vramik
7c91e36e43 KEYCLOAK-10898 WildFly Adapter CLI based installation scripts 2020-03-02 10:08:45 +01:00
stianst
9e47022116 KEYCLOAK-8044 Clear theme caches on hot-deploy 2020-02-20 08:50:10 +01:00
stianst
42773592ca KEYCLOAK-9632 Improve handling of user locale 2020-02-14 08:32:20 +01:00
stianst
7545749632 KEYCLOAK-12190 Add validation for client root and base URLs 2020-02-07 09:09:40 +01:00
rmartinc
1989483401 KEYCLOAK-12001: Audience support for SAML clients 2020-01-31 15:56:40 +01:00
Marek Posolda
d46620569a
KEYCLOAK-12174 WebAuthn: create authenticator, requiredAction and policy for passwordless (#6649) 2020-01-29 09:33:45 +01:00
Takashi Norimatsu
993ba3179c KEYCLOAK-12615 HS384 and HS512 support for Client Authentication by Client Secret Signed JWT (#6633) 2020-01-28 14:55:48 +01:00
Benjamin Weimer
dd9ad305ca KEYCLOAK-12757 New Identity Provider Mapper "Advanced Claim to Role Mapper" with 
following features

    * Regex support for claim values.
    * Support for multiple claims.
 2020-01-23 07:17:22 -06:00
AlistairDoswald
4553234f64 KEYCLOAK-11745 Multi-factor authentication (#6459) 
Co-authored-by: Christophe Frattino <christophe.frattino@elca.ch>
Co-authored-by: Francis PEROT <francis.perot@elca.ch>
Co-authored-by: rpo <harture414@gmail.com>
Co-authored-by: mposolda <mposolda@gmail.com>
Co-authored-by: Jan Lieskovsky <jlieskov@redhat.com>
Co-authored-by: Denis <drichtar@redhat.com>
Co-authored-by: Tomas Kyjovsky <tkyjovsk@redhat.com>
 2019-11-14 14:45:05 +01:00
stianst
b8881b8ea0 KEYCLOAK-11728 New default hostname provider 
Co-authored-by: Hynek Mlnarik <hmlnarik@redhat.com>
 2019-11-11 12:25:44 +01:00
Gideon Caranzo
e07fd9ffa3 KEYCLOAK-9936 Added optional hooks for preprocessing SAML authentication 
Co-Authored-By: Hynek Mlnarik <hmlnarik@redhat.com>
 2019-10-29 13:06:59 +01:00
mhajas
2f44c58a0d KEYCLOAK-11495 Change name of PlaintextVaultProvider to FilesPlaintextVaultProvider 2019-10-09 14:48:00 +02:00
Takashi Norimatsu
7c75546eac KEYCLOAK-9360 Two factor authentication with W3C Web Authentication - 1st impl phase 
* KEYCLOAK-9360 Two factor authentication with W3C Web Authentication - 1st impl phase
 2019-10-01 15:17:38 +02:00
Sebastian Laskawiec
69d6613ab6 KEYCLOAK-10169 OpenShift 4 Identity Provider 2019-09-05 16:33:59 +02:00
Sebastian Laskawiec
3afbdd3ea3 KEYCLOAK-10934 PlainTextVaultProvider 2019-08-20 21:46:47 +02:00
Takashi Norimatsu
8225157a1c KEYCLOAK-6768 Signed and Encrypted ID Token Support 2019-08-15 15:57:35 +02:00
Takashi Norimatsu
9b3e297cd0 KEYCLOAK-9756 PS256 algorithm support for token signing and validation 2019-04-09 20:52:02 +02:00
Hynek Mlnarik
1c906c834b KEYCLOAK-3373 Remove SAML IdP descriptor from client installation and publicize it in realm endpoint instead 2019-03-19 11:37:15 +01:00
mposolda
061693a8c9 KEYCLOAK-9089 IllegalArgumentException when trying to use ES256 as OIDC access token signature 2018-12-14 21:01:03 +01:00
Pedro Igor
0c39eda8d2 [KECLOAK-8237] - Openshift Client Storage 2018-12-06 10:57:53 -02:00
Takashi Norimatsu
0793234c19 KEYCLOAK-8460 Request Object Signature Verification Other Than RS256 (#5603) 
* KEYCLOAK-8460 Request Object Signature Verification Other Than RS256

also support client signed signature verification by refactored token
verification mechanism

* KEYCLOAK-8460 Request Object Signature Verification Other Than RS256

incorporate feedbacks and refactor client public key loading mechanism

* KEYCLOAK-8460 Request Object Signature Verification Other Than RS256

unsigned request object not allowed

* KEYCLOAK-8460 Request Object Signature Verification Other Than RS256

revert to re-support "none"
 2018-11-19 14:28:32 +01:00
MICHEL Arnault (UA 2118)
ab8789739f [KEYCLOAK-8580] Add Nginx certificate lookup provider 2018-10-16 07:53:18 +02:00
mposolda
2a4cee6044 KEYCLOAK-6884 KEYCLOAK-3454 KEYCLOAK-8298 Default 'roles' and 'web-origins' client scopes. Add roles and allowed-origins to the token through protocol mappers 2018-10-04 12:00:38 +02:00