Commit graph

4288 commits

Author SHA1 Message Date
Martin Bartoš
5a9068e732 KEYCLOAK-16401 Deny/Allow access in a conditional context 2021-04-09 12:04:45 +02:00
Michito Okai
d9ebbe4958 KEYCLOAK-17202 Restrict Issuance of Refresh tokens to specific clients 2021-04-08 11:51:25 +02:00
Takashi Norimatsu
8b0b657a8f KEYCLOAK-17682 Client Policy - Executor : remove inner config class for executor without any config 2021-04-08 09:22:16 +02:00
Takashi Norimatsu
3221708499 KEYCLOAK-17667 Client Policy - Executor : Only Accept Confidential Client 2021-04-08 09:17:10 +02:00
Takashi Norimatsu
e9035bb7b3 KEYCLOAK-17681 Client Policy - Executor : Limiting available period of Request Object with its configuration 2021-04-08 09:12:20 +02:00
Daniel Fesenmeyer
a48d04bfe0 KEYCLOAK-16082 save attributes when role is created (with REST POST request)
- add missing mapping code to RoleContainerResource#createRole
- extend ClientRolesTest and RealmRolesTest to check that now the attributes are saved when a role is created
- remove no longer needed code which updated roles because attributes were not saved on creation
2021-04-07 14:08:49 -03:00
Takashi Norimatsu
7b227ae47c KEYCLOAK-17666 Client Policy - Executor : Limiting available period of Request Object 2021-04-07 08:36:26 +02:00
Takashi Norimatsu
42dec08f3c
KEYCLOAK-16805 Client Policy : Support New Admin REST API (Implementation) (#7780)
* KEYCLOAK-16805 Client Policy : Support New Admin REST API (Implementation)

* support tests using auth-server-quarkus

* Configuration changes for ClientPolicyExecutorProvider

* Change VALUE of table REALM_ATTRIBUTES to NCLOB

* add author tag

* incorporate all review comments

Co-authored-by: mposolda <mposolda@gmail.com>
2021-04-06 16:31:10 +02:00
Stan Silvert
ca49840266 KEYCLOAK-17610: WhoAMI doesn't support CORS 2021-03-31 18:51:39 +02:00
vramik
185075d373 KEYCLOAK-14552 Realm Map Store 2021-03-31 15:49:03 +02:00
Konstantinos Georgilakis
ec5c256562 KEYCLOAK-5657 Support for transient NameIDPolicy and AllowCreate in SAML IdP 2021-03-31 14:45:39 +02:00
rmartinc
0a0caa07d6 KEYCLOAK-17215 Slowness issue while hitting /auth/admin/realms/$REALM/clients?viewableOnly=true after DELETE a role 2021-03-31 12:57:17 +02:00
vramik
c3b9c66941 KEYCLOAK-17460 invalidate client when assigning scope 2021-03-30 10:58:16 +02:00
sma1212
e10f3b3672
[KEYCLOAK-17484] OIDC Conformance - Authorization response with Hybrid flow does not contain token_type (#7872)
* [KEYCLOAK-17484] fix oidc conformance for hybrid-flow

* [KEYCLOAK-17484] add TokenType & ExpiresIn to OAuth2Constants

* [KEYCLOAK-17484] add request validation for oidc-flows automated tests
2021-03-30 08:59:30 +02:00
devopsix
590ee1b1a2
KEYCLOAK-15459 Fix serialization of locale in admin console's “whoami” (#7397)
call.
2021-03-29 18:37:26 -04:00
Alexandros Trifyllis
a60cb65252 KEYCLOAK-17444 Enlist the EventListenerTransaction with the Keycloak Transaction Manager 2021-03-26 12:47:15 +01:00
Thomas Darimont
7ec6a54e22 KEYCLOAK-17581 Prevent empty group names
Create / Update operations in `GroupResource ` and `GroupsResource#addTopLevelGroup`
did not validate the given group name. This allowed the creation of groups with empty names.

We now prevent the creation of groups with empty names.
2021-03-25 19:10:38 -03:00
Hynek Mlnarik
a36fafe04e KEYCLOAK-17409 Support for amphibian (both component and standalone) provider 2021-03-25 13:28:20 +01:00
Xiangjiaox
ca81e6ae8c
KEYCLOAK-15015 Extend KeyWrapper to add whole certificate chain in x5c parameter (#7643)
* [KEYCLOAK-15015] - Publishing the x5c for JWK

Co-authored-by: Vetle Bergstad <vetle.bergstad@evry.com>
Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com>
2021-03-23 08:37:50 -03:00
cgeorgilakis
18afdea392
KEYCLOAK-16048 SAML Client import - add md:RequestedAttribute as "User Attribute" ProtocolMapper 2021-03-22 21:55:32 +01:00
mposolda
853a6d7327 KEYCLOAK-17000 Adding server tmp directory inside the auth-server home directory 2021-03-17 10:06:48 +01:00
Andrew Elwell
c76ca4ad13
Correct "doesn't exists" typos - fixes KEYCLOAK-14986 (#7316)
* Correct "doesn't exists" typos

* Revert changes to imported package

Co-authored-by: Stian Thorgersen <stianst@gmail.com>
2021-03-16 11:52:36 +01:00
Yang Xie
db30b470c4 KEYCLOAK-17342 Make the default value of default signature algorithm show up in the admin console 2021-03-16 09:15:22 +01:00
Michito Okai
298ab0bc3e KEYCLOAK-7675 Support for Device Authorization Grant 2021-03-15 10:09:20 -03:00
Łukasz Dywicki
f58bf0deeb Make sure additional params are passed between device request and user authnetication. 2021-03-15 10:09:20 -03:00
Hiroyuki Wada
5edf14944e KEYCLOAK-7675 SPI and default implementation for Device User Code.
Author:    Hiroyuki Wada <h2-wada@nri.co.jp>
Date:      Sun May 12 15:47:15 2019 +0900

Signed-off-by: Łukasz Dywicki <luke@code-house.org>
2021-03-15 10:09:20 -03:00
Hiroyuki Wada
9d57b88dba KEYCLOAK-7675 Prototype Implementation of Device Authorization Grant.
Author:    Hiroyuki Wada <h2-wada@nri.co.jp>
Date:      Thu May 2 00:22:24 2019 +0900

Signed-off-by: Łukasz Dywicki <luke@code-house.org>
2021-03-15 10:09:20 -03:00
Hynek Mlnarik
4946484cb6 KEYCLOAK-17377 Fix invalidation cluster tests (do not hide failures) 2021-03-11 16:14:59 +01:00
Yang Xie
2605eddbe7 KEYCLOAK-17300 Add a method to check if the token revocation request has duplicate parameters 2021-03-09 18:27:38 +01:00
vramik
6e501946b1 KEYCLOAK-17021 Client Scope map store 2021-03-08 21:59:28 +01:00
Michal Hajas
fc29a39e5a KEYCLOAK-16592 Do not require destination with SOAP binding 2021-03-05 19:52:00 +01:00
Douglas Palmer
852593310f [KEYCLOAK-14913] GitLab Identity Provider shouldn't request for 'api' scope 2021-03-05 14:23:34 +01:00
mposolda
99c1ee7f5a KEYCLOAK-16793 KEYCLOAK-16948 Cors on error responses for logoutEndpoint and tokenEndpoint 2021-03-05 14:14:53 +01:00
Pedro Igor
6c7f66d30c
[KEYCLOAK-17174] - Fxing not passing referrer param when reaching the account console (#7818) 2021-03-04 09:00:10 -05:00
Blake Smith
b122f31d2c
KEYCLOAK-17257 Fix NPEs when user storage doesn't implement the CredentialInputValidator interface 2021-03-04 09:49:12 +01:00
Denis
23bfaef4bb KEYCLOAK-15535 Account Log of user login with realm not available details when update profile 2021-03-04 08:06:36 +01:00
Yang Xie
78754d1127 KEYCLOAK-17259 Add a method to check if the introspection request has duplicate parameters 2021-03-03 16:23:27 +01:00
Pedro Igor
2796f62899
[KEYCLOAK-17174] - New admin console using wrong base URI for redirection (#7794) 2021-03-03 10:15:24 -05:00
Takashi Norimatsu
882f5ffea4 KEYCLOAK-15533 Client Policy : Extends Policy Interface to Migrate Client Registration Policies
Co-authored-by: Hryhorii Hevorkian <hhe@adorsys.com.ua>
Co-authored-by: Andrii Murashkin <amu@adorsys.com.ua>
2021-03-02 09:26:04 +01:00
i7a7467
b83064b142 KEYCLOAK-16679 Add algorithm settings for client assertion signature in OIDC identity broker 2021-03-01 18:11:25 +01:00
Takashi Norimatsu
c4bf8ecdf0 KEYCLOAK-16880 Client Policy - Condition : Negative Logic Support 2021-03-01 14:27:39 +01:00
mposolda
41dc94fead KEYCLOAK-14483 Broker state param fix 2021-02-24 19:07:58 -03:00
mposolda
6f409d088a KEYCLOAK-15239 Reset Password Success Message not shown when Kerberos is Enabled 2021-02-23 16:15:50 -03:00
Pedro Igor
dbc6514bfc [KEYCLOAK-17206] - Avoid removing attributes when updating user and profile 2021-02-23 08:41:41 +01:00
Juan Manuel Rodriguez Alvarado
6255ebe6b5 [KEYCLOAK-16536] Implement Audit Events for Authorization Services requests 2021-02-22 17:28:59 -03:00
mposolda
ed8d5a257f KEYCLOAK-16517 Make sure that just real clients with standardFlow or implicitFlow enabled are considered for redirectUri during logout 2021-02-22 14:30:32 +01:00
mposolda
0058011265 KEYCLOAK-16006 User should not be required to re-authenticate after revoking consent to an application 2021-02-22 14:29:42 +01:00
Pedro Igor
ffadbc3ba3 [KEYCLOAK-17173] - Support for script providers in keycloak.x 2021-02-22 10:12:36 -03:00
Pedro Igor
1dc0b005fe [KEYCLOAK-17087] - X509 OCSP Validation Not Checking Intermediate CAs 2021-02-22 13:50:19 +01:00
Pedro Igor
9356843c6c [KEYCLOAK-16521] - Fixing secret for non-confidential clients 2021-02-19 08:38:49 +01:00
Torsten Roemer
00ee6bb9fa KEYCLOAK-14577 OIDCIdentityProvider incorrectly sets firstName and lastName in BrokeredIdentityContext 2021-02-18 19:50:27 +01:00
rmartinc
056b52fbbe KEYCLOAK-16800 userinfo fails with 500 Internal Server Error for service account token 2021-02-18 19:37:52 +01:00
Pedro Igor
431f137c37 [KEYCLOAK-17123] - Avoid validation and updates for read-only attributes during updates 2021-02-17 17:57:46 +01:00
stefvdwel
8f719885fd Fixed tests. Removed styling changes. 2021-02-17 09:40:19 -03:00
stefvdwel
11b0c23937 Reduced code duplication 2021-02-17 09:40:19 -03:00
stefvdwel
ee28be982f Reduced code duplication 2021-02-17 09:40:19 -03:00
stefvdwel
c15361c129 Revert "Removed styling changes"
This reverts commit d64361c3
2021-02-17 09:40:19 -03:00
stefvdwel
1fa68c0a52 Removed styling changes 2021-02-17 09:40:19 -03:00
stefvdwel
b97f5eb128 Added PermissionTicket count test. 2021-02-17 09:40:19 -03:00
stefvdwel
5a500055f6 Added permission ticket /count endpoint. Todo: testing 2021-02-17 09:40:19 -03:00
mposolda
80bf0b6bad KEYCLOAK-16708 Unexpected exceptions during client authentication 2021-02-12 18:27:54 +01:00
Pedro Igor
ca2a761d4b [KEYCLOAK-16886] - Updating user account removes attributes 2021-02-12 12:01:50 -03:00
Michito Okai
33bb1fda38 KEYCLOAK-16931 Authorization Server Metadata of
introspection_endpoint_auth_methods_supported and
introspection_endpoint_auth_signing_alg_values_supported
2021-02-11 14:53:49 +01:00
Florian Apolloner
e7a3dc59ab [KEYCLOAK-15440] Fixed PasswordForm usage with LDAP users. 2021-02-11 14:32:28 +01:00
mposolda
456cdc51f2 KEYCLOAK-15719 CORS headers missing on userinfo error response 2021-02-11 13:37:42 +01:00
diodfr
cb12fed96e KEYCLOAK-4544 Detect existing user before granting user autolink 2021-02-11 11:06:49 +01:00
Pedro Igor
307e16391c [KEYCLOAK-14947] - Removing unnecessary code 2021-02-10 11:35:38 -03:00
Pedro Igor
f6c3ec5d9e [KEYCLOAK-14366] - Missing check for iss claim in JWT validation on Client Authentication (Token Endpoint) 2021-02-09 13:54:06 +01:00
mposolda
f4b5942c6c KEYCLOAK-16755 ClearExpiredUserSessions optimization. Rely on infinispan expiration rather than Keycloak own background task. 2021-02-04 08:49:42 +01:00
Yang Xie
cffe24f815 KECLOAK-16009 Add a method to check if the token request has duplicate parameters 2021-02-03 16:10:41 +01:00
Florian Apolloner
eeec82dea3 KEYCLOAK-16656 Only set execution authenticator for form flows. 2021-01-29 17:19:15 +01:00
Martin Kanis
8432513daa KEYCLOAK-16908 Refactor UserSessionPersisterProvider 2021-01-29 09:29:00 +01:00
Hynek Mlnarik
60e4bd622f KEYCLOAK-16828 Fix HttpClient failures and close HttpResponses 2021-01-28 08:38:34 +01:00
rmartinc
f3a4991b6a KEYCLOAK-15975 NPE in DefaultThemeManager.loadTheme() if theme directory is absent 2021-01-27 22:05:19 +01:00
mposolda
99a70267d9 KEYCLOAK-16801 Improve performance of ClearExpiredEvents background task 2021-01-27 09:57:46 +01:00
Cédric Couralet
8fcbf465d9 KEYCLOAK-16862 Avoid NPE on realm update with trace enabled 2021-01-26 13:32:15 +01:00
Davy Van Roy
eacc95b699 KEYCLOAK-15298 2021-01-21 22:51:05 +01:00
Martin Kanis
9f580e3ed8 KEYCLOAK-15695 Streamification cleanup 2021-01-20 14:39:53 +01:00
Takashi Norimatsu
bcf313f321 KEYCLOAK-16858 Client Policy - Improper retainAll operation in Client Scope Condition and other minor bugs 2021-01-20 09:10:21 +01:00
Michal Hajas
ba8e2fef6b KEYCLOAK-15524 Cleanup user related interfaces 2021-01-18 16:56:10 +01:00
mposolda
dae4a3eaf2 KEYCLOAK-16468 Support for deny list of metadata attributes not updateable by account REST and admin REST
(cherry picked from commit 79db549c9d561b8d5efe3596370190c4da47e4e1)
(cherry picked from commit bf4401cddd5d3b0033820b1cb4904bd1c8b56db9)
2021-01-18 13:17:51 +01:00
mposolda
eac3329d22 KEYCLOAK-14019 Improvements for request_uri parameter
(cherry picked from commit da38b36297a5bd9890f7df031696b516268d6cff)
2021-01-18 13:05:09 +01:00
Pedro Igor
c631013031 [KEYCLOAK-16515] - Scope permissions not added to result if previous permission is granted 2021-01-14 17:08:05 +01:00
Albert-Jan Verhees
32319c727b Removed representations as suggested 2021-01-13 16:23:31 +01:00
Albert-Jan Verhees
b0ac44cf7d Applied PR suggestion: added resourceType and changed operation types 2021-01-13 16:23:31 +01:00
Albert-Jan Verhees
483e28bb02 [KEYCLOAK-14653] Changed operation type to UPDATE when updating client scopes in a client and added representation. 2021-01-13 16:23:31 +01:00
Thomas Darimont
42c47c1732 KEYCLOAK-16330 Expose ActionTokenLifespans in RealmBean to freemarker login themes 2021-01-12 21:11:10 +01:00
moritz.hilberg
70a20ef50d KEYCLOAK-16566 Display Idp displayName if available 2021-01-12 20:56:18 +01:00
Luca Leonardo Scorcia
553514707e
KEYCLOAK-16428 Move certificate timestamp validation configuration to CertificateValidatorBuilder (#7634) 2021-01-12 20:52:34 +01:00
Takashi Norimatsu
5f445ec18e KEYCLOAK-14200 Client Policy - Executor : Enforce Holder-of-Key Token
Co-authored-by: Hryhorii Hevorkian <hhe@adorsys.com.ua>
2021-01-12 11:21:41 +01:00
Takashi Norimatsu
f423c0dc51 KEYCLOAK-16249 Client Policy - Condition : Client - Any Client 2021-01-08 17:29:50 +01:00
vramik
1402d021de KEYCLOAK-14846 Default roles processing 2021-01-08 13:55:48 +01:00
Takashi Norimatsu
05dfac75ca KEYCLOAK-14202 Client Policy - Executor : Enforce secure signature algorithm for Signed JWT client authentication
Co-authored-by: Andrii Murashkin <amu@adorsys.com.ua>
2021-01-06 08:58:20 +01:00
Thomas Darimont
1a7600e356
KEYCLOAK-13923 Support PKCE for OIDC based Identity Providers (#7381)
* KEYCLOAK-13923 - Support PKCE for Identity Provider

We now support usage of PKCE for OIDC based Identity Providers.

* KEYCLOAK-13923 Warn if PKCE information cannot be found code-to-token request in OIDCIdentityProvider

* KEYCLOAK-13923 Pull up PKCE handling from OIDC to OAuth IdentityProvider infrastructure

* KEYCLOAK-13923 Adding test for PKCE support for OAuth Identity providers

* KEYCLOAK-13923 Use URI from KeycloakContext instead of HttpRequest

Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com>

Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com>
2021-01-05 10:59:59 -03:00
mposolda
d4a36d0d9c KEYCLOAK-16350 invalid_scope error response should be displayed for openid-connect/auth 2021-01-05 12:55:53 +01:00
Sven-Torben Janus
4652fd4fcd KEYCLOAK-16540 X.509 Authentication logs Exception when no client cert
When no client cert is present the variable clientCert is null. In this
case the log statement leads to a NPE which then gets logged as an
error.
2021-01-04 10:55:21 +01:00
Jiri Lunacek
d70de48ba9 KEYCLOAK-16605 add localpart username template transformer 2021-01-04 06:30:41 +01:00
keycloak-bot
75be33ccad Set version to 13.0.0-SNAPSHOT 2020-12-16 17:31:55 +01:00
Stefan Guilhen
d6422e415c [KEYCLOAK-16508] Complement methods for accessing user sessions with Stream variants 2020-12-15 19:52:31 +01:00
Takashi Norimatsu
edabbc9449 KEYCLOAK-14203 Client Policy - Executor : Enforce HTTPS URIs 2020-12-15 09:31:20 +01:00
Martin Bartoš
cfc035ee42 KEYCLOAK-15066 Internal Server error when calling random idp endpoint 2020-12-14 16:37:53 +01:00
Takashi Norimatsu
200b53ed1e KEYCLOAK-14192 Client Policy - Condition : Author of a client - User Role 2020-12-14 15:37:05 +01:00
Luca Leonardo Scorcia
8b7806dbb1 KEYCLOAK-16519 Fix typo in regex
The regex has a typo that prevents correct splitting of parameter values containing multiple OIDs.
2020-12-12 21:28:08 +01:00
Michal Hajas
8e376aef51
KEYCLOAK-15847 Add MapUserProvider 2020-12-10 08:57:53 +01:00
Martin Kanis
3ddedc49f5 KEYCLOAK-11417 Internal server error on front channel logout with expired session 2020-12-09 14:45:04 +01:00
Thomas Riccardi
f45e187c35 Finish renaming 'application role' to 'client role' in help texts 2020-12-08 12:18:13 +01:00
Martin Bartoš
873a69305f KEYCLOAK-15264 Import realm using directory provider twice with IGNORE_EXISTING will cause NPE for clientId 2020-12-08 11:28:07 +01:00
Hynek Mlnarik
8c0c542f09 KEYCLOAK-16489 Add ability to run model tests with LDAP 2020-12-07 20:54:06 +01:00
Martin Kanis
f6be378eca KEYCLOAK-14556 Authentication session map store 2020-12-07 20:48:59 +01:00
Lukas Hanusovsky
7f916ad20c KEYCLOAK-14231 - validate supported locales 2020-12-07 19:56:32 +01:00
Stefan Guilhen
edef93cd49 [KEYCLOAK-16232] Streamify the UserCredentialStore and UserCredentialManager interfaces 2020-12-07 19:48:35 +01:00
Stefan Guilhen
73d0bb34c4 [KEYCLOAK-16232] Replace usages of deprecated collection-based methods with the respective stream variants 2020-12-07 19:48:35 +01:00
vramik
bcfe985c24 KEYCLOAK-16543 fix compilation failure on keycloak-services 2020-12-04 13:01:22 +01:00
Ryoji
ea67033097 KEYCLOAK-16474 typo in javadoc sproxy_set_header -> proxy_set_header 2020-12-03 18:07:59 +01:00
Takashi Norimatsu
7da5a71314 KEYCLOAK-14191 Client Policy - Condition : Author of a client - User Group 2020-12-03 17:52:06 +01:00
Ian
be4c99dfe5 KEYCLOAK-15287 Ability to add custom claims to the AccessTokenResponse 2020-12-03 17:28:03 +01:00
Takashi Norimatsu
a51e0cc484 KEYCLOAK-14197 Client Policy - Condition : Client - Client Host 2020-12-02 09:05:42 +01:00
vramik
cd9e01af90 KEYCLOAK-16502 Migration of DELETE_ACCOUNT role 2020-12-01 13:10:20 +01:00
Luca Leonardo Scorcia
cb1060799e KEYCLOAK-16429 Pass default boolean values as strings, as expected by the UI 2020-11-25 12:45:29 +01:00
zak905
4f330f4a57 KEYCLOAK-953: add allowing user to delete his own account feature 2020-11-24 15:50:07 +01:00
Václav Muzikář
e56bd9d8b8 KEYCLOAK-14547: Make New Account Console the default. 2020-11-23 20:56:05 +01:00
Stan Silvert
0afd55f32c KEYCLOAK-14547: Make New Account Console the default. 2020-11-23 20:56:05 +01:00
Takashi Norimatsu
5dd5b5bedf KEYCLOAK-16392 Client Policy - Condition : NPE without any initial configuration 2020-11-23 12:07:28 +01:00
Luca Leonardo Scorcia
bd4315ef37 KEYCLOAK-16065 Replace last UrlConnection uses with HttpClientProvider 2020-11-20 15:07:59 +01:00
Thomas Darimont
00ea64d1d4 KEYCLOAK-16143 Honor AuthenticationProcessor.forwardedErrorMessage when rendering registration form 2020-11-20 15:05:55 +01:00
st
a7666d4ccf KEYCLOAK-11699 add support for 127.0.0.1 for native app 2020-11-20 11:03:29 +01:00
Stefan Guilhen
84df008bc2 [KEYCLOAK-16341] Make the new stream-based methods in server-spi user interfaces default instead of the collection-based versions.
- this ensures that providing implementation for the collection-based methods is enough, which preserves
   backwards compatibility with older custom implementations.
 - alternative interfaces now allow new implementations to focus on the stream variants of the query methods.
2020-11-18 21:07:51 +01:00
nkkumawat
43baf1bea7 KEYCLOAK-16381: error text moved to constants file 2020-11-18 21:05:58 +01:00
Douglas Palmer
43e075afa5 [KEYCLOAK-14352] JavaScript injection vulnerability of Realm registration REST API 2020-11-18 10:48:11 -03:00
Takashi Norimatsu
9ce2e9b1f7 KEYCLOAK-14193 Client Policy - Condition : Client - Client Access Type 2020-11-18 09:49:22 +01:00
Martin Bartoš
59aa31084e KEYCLOAK-16143 Login form expected, but registraion form is displayed 2020-11-13 21:36:51 +01:00
Pedro Igor
42b9141326 [KEYCLOAK-13639] - Improvements to metrics and health status 2020-11-13 07:14:43 -03:00
Takashi Norimatsu
21c7af1c53 KEYCLOAK-14207 Client Policy - Executor : Enforce more secure client signature algorithm when client registration 2020-11-13 09:24:59 +01:00
Pedro Igor
7ad1c350a3 [KEYCLOAK-16245] - Update Quarkus 1.10.0.CR1 2020-11-12 13:21:08 -03:00
Takashi Norimatsu
244a1b2382 KEYCLOAK-14196 Client Policy - Condition : Client - Client Scope 2020-11-12 08:40:28 +01:00
vmuzikar
01be601dbd KEYCLOAK-14306 OIDC redirect_uri allows dangerous schemes resulting in potential XSS
(cherry picked from commit e86bec81744707f270230b5da40e02a7aba17830)

Conflicts:
    testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/ClientRegistrationTest.java
    testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/ClientTest.java
    services/src/main/java/org/keycloak/validation/DefaultClientValidationProvider.java
2020-11-12 08:21:54 +01:00
Miquel Simon
e8e5808aa9 KEYCLOAK-13639. Added metrics and custom healthcheck endpoints, both enabled via 'metrics.enabled' config parameter. 2020-11-11 21:16:14 +01:00
Takashi Norimatsu
e35a4bcefc KEYCLOAK-14206 Client Policy - Executor : Enforce more secure state and nonce treatment for preventing CSRF 2020-11-11 21:11:34 +01:00
Martin Kanis
d9029b06b9 KEYCLOAK-15889 Streamification of ProtocolMappers 2020-11-10 16:40:34 +01:00
Takashi Norimatsu
a0b1710735 KEYCLOAK-14198 Client Policy - Condition : Client - Client IP 2020-11-10 15:37:26 +01:00
Stefan Guilhen
aa46735173 [KEYCLOAK-15200] Complement methods for accessing users with Stream variants 2020-11-10 15:13:11 +01:00
Martin Kanis
8d6577d66c KEYCLOAK-15898 Streamification of Keymanager 2020-11-10 14:43:23 +01:00
Takashi Norimatsu
a63814da67 KEYCLOAK-14201 Client Policy - Executor : Enforce Proof Key for Code Exchange (PKCE) 2020-11-09 08:18:05 +01:00
Thomas Darimont
de20830412 KEYCLOAK-9551 KEYCLOAK-16159 Make refresh_token generation for client_credentials optional. Support for revocation of access tokens.
Co-authored-by: mposolda <mposolda@gmail.com>
2020-11-06 09:15:34 +01:00
stianst
1281f28bb8 KEYCLOAK-15012 Fix issue with folder theme provider 2020-11-06 09:14:36 +01:00
vmuzikar
2df62369c3 KEYCLOAK-15295 User can manage resources with just "view-profile" role using new Account Console
(cherry picked from commit 1b063825755d9f5aa13e612757e8ef7299430761)
2020-11-06 08:55:57 +01:00
Takashi Norimatsu
6dc136dfc0 KEYCLOAK-14199 Client Policy - Executor : Enforce more secure client authentication method when client registration 2020-11-05 20:42:49 +01:00
Martin Bartos
7522d5ac74 KEYCLOAK-15841 Upgrade rest of the minor forms to PF4 2020-11-05 17:58:41 +01:00
Otto Leppänen
bc6bb22173 [KEYCLOAK-16055] Update DefaultKeyManager kid is null logging
Got this "kid is null, can't find public key" without a hint to which realm it's belonging. Not sure if the realm name is dropped because it's null(?), but at least the log message is now explicit. Dropping kid because the text says it's null. Haven't tested whether this breaks tests etc.
2020-11-03 20:40:00 +01:00
Christoph Leistert
e131de9574 KEYCLOAK-14855 Added realm-specific localization texts which affect texts in every part of the UI (admin console / login page / personal info page / email templates). Also new API endpoints and a new UI screen to manage the realm-specific localization texts were introduced.
Co-authored-by: Daniel Fesenmeyer <daniel.fesenmeyer@bosch.io>
2020-10-30 08:02:43 -03:00
Hynek Mlnarik
925f089d62 KEYCLOAK-16077 Remove need for MapStorage.replace 2020-10-29 15:40:47 +01:00
Martin Bartos
2e59d5c232 KEYCLOAK-14679 Unable to log in with WebAuthn on unsupported browsers 2020-10-29 14:03:17 +01:00
Johannes Knutsen
23c575c236 KEYCLOAK-15399: Wrong token type in token response. bearer vs Bearer 2020-10-28 10:38:22 -03:00
Martin Bartos
a8df7d88a1 [KEYCLOAK-14139] Upgrade login screen to PF4 2020-10-27 20:24:07 +01:00
nxadm
580f2b4977
KEYCLOAK-16040 Typo in comment: Authoirzation => Authorization 2020-10-22 16:26:24 +02:00
stianst
74b5143c5e KEYCLOAK-15498 Disable gzip encoding when themes are not cached 2020-10-22 09:07:37 +02:00
Daniel Fesenmeyer
de8d2eafa3 KEYCLOAK-14781 Extend Admin REST API with search by federated identity
- Add parameters idpAlias and idpUserId to the resource /{realm}/users and allow it to be combined with the other search parameters like username, email and so on
- Add attribute "federatedIdentities" to UserEntity to allow joining on this field
- extend integration test "UserTest"
2020-10-22 08:51:26 +02:00
Sven-Torben Janus
850d3e7fef KEYCLOAK-15511 OTP registration during login with LDAP read-only
When LDAP user federation is configured in read-only mode, it is not
possible to set required actions for users from LDAP.
Keycloak credential model allows for registering OTP devices when LDAP
ist configured with "Import Users" flag enabled. Registering OTP devices
needs to be done via the account management console and works as
expecetd. However, it fails, if a user has to register aN OTP device
during login (i.e. within the authentication flow), because the OTP Form
Authenticator tries to enforce OTP registration via setting the
corresponding required action for the user. That fails, because the user
is read-only.
To work around this, the required action is set on the authentication
session instead.
2020-10-21 17:00:11 +02:00
mposolda
7891daef73 KEYCLOAK-15998 Keycloak OIDC adapter broken when Keycloak server is on http 2020-10-21 08:36:08 +02:00
mhajas
4556e858ad KEYCLOAK-15522 Use AbstractStorageManager in UserStorageManager 2020-10-15 20:41:13 +02:00
Martin Kanis
086f7b4696 KEYCLOAK-15450 Complement methods for accessing realms with Stream variants 2020-10-14 08:16:49 +02:00
testn
269a72d672 KEYCLOAK-15184: Use static inner class where possible 2020-10-09 23:37:08 +02:00
Trey Dockendorf
6e713b5044 KEYCLOAK-15545 Fix null pointer exception when updating flow via API 2020-10-09 23:33:51 +02:00
Luca Leonardo Scorcia
f274ec447b KEYCLOAK-15697 Make the Service Provider Entity ID user configurable 2020-10-09 22:04:02 +02:00
Dustin Frank
59ef7d258f Fix typo in FileTruststoreProviderFactory.java 2020-10-09 22:01:52 +02:00
mposolda
ff05072c16 KEYCLOAK-15770 Skip creating session for docker protocol authentication 2020-10-09 07:53:26 +02:00
mposolda
d269af1b70 KEYCLOAK-15830 Remove authentication session after failed directGrant authentication 2020-10-07 18:13:21 +02:00
vmuzikar
bb7ce62cd5 KEYCLOAK-15332 Missing CORS headers in some endpoints in Account REST API 2020-10-07 09:07:55 -03:00
dashaylan
0d6da99844 Add UserInfo check fix and associated tests. 2020-10-06 08:44:02 +02:00
Markus Till
f0ea7a04bd remove unused getApplications method from user account 2020-10-05 17:02:22 -03:00
Markus Till
43206d3158 minor restructering of the userprofile impl -> add AbstractUserProfile introduced to make getId override explicit 2020-10-05 09:59:44 -03:00
Markus Till
c71ce8cd2e refactoring add UserProfileAttributes 2020-10-05 09:59:44 -03:00
Markus Till
695db3e8ef remove unused isCreated Flag in user profile context 2020-10-05 09:59:44 -03:00
Markus Till
7da619385c refactore userupdate helper api 2020-10-05 09:59:44 -03:00
Markus Till
802a670cc5 have a factory like approach for profile contexts 2020-10-05 09:59:44 -03:00
Markus Till
21cfa54d4d remove StoredUserProfile interface 2020-10-05 09:59:44 -03:00
Markus Till
72f73f153a UserProfile M1 2020-10-05 09:59:44 -03:00
Pedro Igor
0d99e01b98 [KEYCLOAK-15807] - Wrong parsing of Cookie header 2020-10-02 08:19:24 -03:00
Michito Okai
eac3341241 KEYCLOAK-15779 Authorization Server Metadata for the URL of the
authorization server's JWK Set [JWK] document
2020-10-02 11:18:31 +02:00
Thomas Darimont
12576e339d KEYCLOAK-15146 Add support for searching users by emailVerified status
We now allow to search for users by their emailVerified status.
This enables users to easily find users and deal with incomplete user accounts.
2020-09-29 08:28:59 -03:00
Takashi Norimatsu
6596811d5d KEYCLOAK-14204 FAPI-RW Client Policy - Executor : Enforce Request Object satisfying high security level 2020-09-25 08:31:14 +02:00
Pedro Igor
76dede0f1e [KEYCLOAK-14221] - Allow to map subject to userinfo response 2020-09-23 14:33:14 +02:00
Frode Ingebrigtsen
0a0b7da53e KEYCLOAK-15429 Add CORS origin on permission request with invalid access token 2020-09-22 08:56:21 -03:00
Denis
50210c4d9b KEYCLOAK-14161 Regression on custom registration process 2020-09-21 20:23:39 +02:00
mhajas
12bc84322a KEYCLOAK-14974 Map group storage provider 2020-09-21 15:56:32 +02:00
testn
2cd03569d6 KEYCLOAK-15238: Fix potential resource leak from not closing Stream/Reader 2020-09-21 13:05:03 +02:00
Takashi Norimatsu
bd3840c606 KEYCLOAK-15559 Client Policy - Executor : Missing Help Text of SecureResponseTypeExecutor 2020-09-21 12:40:25 +02:00
vmuzikar
790b549cf9 KEYCLOAK-15262 Logout all sessions after password change 2020-09-18 20:09:40 -03:00
mhajas
b75ad2fbd8 KEYCLOAK-15259 Avoid using "null" Origin header as a valid value 2020-09-17 23:21:49 -07:00
mhajas
f7e0af438d KEYCLOAK-14232 Add Referrer-Policy: no-referrer to each response from Keycloak
(cherry picked from commit 0b49640231abc6e465542bd2608e1c908c079ced)
2020-09-17 23:21:49 -07:00
Luca Leonardo Scorcia
10077b1efe KEYCLOAK-15485 Add option to enable SAML SP metadata signature 2020-09-16 16:40:45 +02:00
Mark Wolfe
3723d78e3c KEYCLOAK-15460 Fix missing event types in SAML endpoint
A change was done in 32f13016fa which isn't setting the type for events and causing an internal error.
2020-09-16 16:36:19 +02:00
Martin Kanis
5d5e56dde3 KEYCLOAK-15199 Complement methods for accessing roles with Stream variants 2020-09-16 16:29:51 +02:00
Benjamin Weimer
f874e9a43c KEYCLOAK-9874 include realm and client roles in user info response 2020-09-16 10:01:02 +02:00
Takashi Norimatsu
b670734eec KEYCLOAK-14205 FAPI-RW Client Policy - Executor : Enforce Response Type of OIDC Hybrid Flow 2020-09-14 20:58:25 +02:00
Hynek Mlnarik
a05066d567 KEYCLOAK-15477 Fix permission evaluation logic 2020-09-14 20:53:46 +02:00
mposolda
4123b7a91e KEYCLOAK-11678 Remove dummy resource. Adding keycloak-services and liquibase to jandex indexing 2020-09-14 09:27:34 -03:00
vmuzikar
a9a719b88c KEYCLOAK-15270 Account REST API doesn't verify audience 2020-09-14 08:43:09 -03:00
mhajas
3186f1b5a9 KEYCLOAK-15514 Update AbstractStorageManager to check capability interface types 2020-09-11 14:42:48 +02:00
Miquel Simon
2572b1464b KEYCLOAK-15395. Removed totp/remove (DELETE) and credentials/password (GET, POST) endpoints. 2020-09-10 18:03:03 -03:00
Takashi Norimatsu
af2f18449b KEYCLOAK-14195 FAPI-RW Client Policy - Condition : Client - Client Role 2020-09-10 18:34:19 +02:00
Clement Cureau
b19fe5c01b Finegrain admin as fallback and added some tests 2020-09-10 12:26:55 -03:00
Clement Cureau
73378df52e [KEYCLOAK-11621] Allow user creation via group permissions (Admin API)
Problem:
Using fine-grained admin permissions on groups, it is not permitted to create new users
within a group.

Cause:
The POST /{realm}/users API does not check permission for each group part of the new
user representation

Solution:
- Change access logic for POST /{realm}/users to require MANAGE_MEMBERS and
MANAGE_MEMBERSHIP permissions on each of the incoming groups

Tests:
Manual API testing performed:
  1. admin user from master realm:
    - POST /{realm}/users without groups                  => HTTP 201 user created
    - POST /{realm}/users with groups                     => HTTP 201 user created
  2. user with MANAGE_MEMBERS & MANAGE_MEMBERSHIP permissions on group1
    - POST /{realm}/users without groups                  => HTTP 403 user NOT created
    - POST /{realm}/users with group1                     => HTTP 201 user created
    - POST /{realm}/users with group1 & group2            => HTTP 403 user NOT created
    - POST /{realm}/users with group1 & wrong group path  => HTTP 400 user NOT created
  3. user with MANAGE_MEMBERS permission on group1
    - POST /{realm}/users without groups                  => HTTP 403 user NOT created
    - POST /{realm}/users with group1                     => HTTP 403 user NOT created
    - POST /{realm}/users with group1 & group2            => HTTP 403 user NOT created
    - POST /{realm}/users with group1 & wrong group path  => HTTP 400 user NOT created
2020-09-10 12:26:55 -03:00
Sebastian Laskawiec
e01159a943 KEYCLOAK-14767 OpenShift Review Endpoint audience fix 2020-09-09 11:57:24 -03:00
Takashi Norimatsu
cbb79f0430 KEYCLOAK-15448 FAPI-RW : Error Response on OIDC private_key_jwt Client Authentication Error (400 error=invalid_client) 2020-09-09 11:14:21 +02:00
Benjamin Weimer
b2934e8dd0 KEYCLOAK-15327 backchannel logout invalidate offline session even if there is no corresponding active session found 2020-09-08 11:17:20 -03:00
Martin Kanis
4e9bdd44f3 KEYCLOAK-14901 Replace deprecated ClientProvider related methods across Keycloak 2020-09-07 13:11:55 +02:00
stianst
76f7fbb984 KEYCLOAK-14548 Add support for cached gzip encoding of resources 2020-09-07 00:58:47 -07:00
Martin Bartos
e34ff6cd9c [KEYCLOAK-14326] Identity Provider force sync is not working 2020-09-07 09:42:40 +02:00
Takashi Norimatsu
1d8230d438 KEYCLOAK-14190 Client Policy - Condition : The way of creating/updating a client 2020-09-04 09:54:55 +02:00
Luca Leonardo Scorcia
67b2d5ffdd KEYCLOAK-14961 SAML Client: Add ability to request specific AuthnContexts to remote IdPs 2020-09-03 21:25:36 +02:00
Konstantinos Georgilakis
1fa93db1b4 KEYCLOAK-14304 Enhance SAML Identity Provider Metadata processing 2020-09-02 20:43:09 +02:00
Takashi Norimatsu
b93a6ed19f KEYCLOAK-14919 Dynamic registration - Scope ignored 2020-09-02 13:59:22 +02:00
Takashi Norimatsu
107a429238 KEYCLOAK-15236 FAPI-RW : Error Response on OAuth 2.0 Mutual TLS Client Authentication Error (400 error=invalid_client) 2020-09-02 09:31:20 +02:00
mhajas
3928a49c77 KEYCLOAK-14816 Reset brute-force-detection data for the user after a successful password grant type flow 2020-09-01 21:45:17 +02:00
Hynek Mlnarik
583fa07bc4 KEYCLOAK-11029 Support modification of broker username / ID for identity provider linking 2020-09-01 20:40:38 +02:00
mhajas
bdccfef513 KEYCLOAK-14973 Create GroupStorageManager 2020-09-01 10:21:39 +02:00
Martin Bartos
9c847ab176 [KEYCLOAK-14432] Unhandled NPE in identity broker auth response 2020-08-31 14:14:42 +02:00
Martin Kanis
d59a74c364 KEYCLOAK-15102 Complement methods for accessing groups with Stream variants 2020-08-28 20:56:10 +02:00
Stan Silvert
35931d60eb KEYCLOAK-15137: Move PF4 css files to keycloak/common 2020-08-20 08:46:28 -04:00
Pratik Somanagoudar
f486e97c18 KEYCLOAK-15087 : Reduce get client and get roles calls in realm create 2020-08-20 08:49:51 -03:00
mhajas
ae39760a62 KEYCLOAK-14972 Add independent GroupProvider interface 2020-08-13 21:13:12 +02:00
Benjamin Weimer
fdcfa6e13e KEYCLOAK-15156 backchannel logout offline session handling 2020-08-13 08:09:59 -03:00
David Hellwig
ddc2c25951
KEYCLOAK-2940 - draft - Backchannel Logout (#7272)
* KEYCLOAK-2940 Backchannel Logout

Co-authored-by: Benjamin Weimer <external.Benjamin.Weimer@bosch-si.com>
Co-authored-by: David Hellwig <hed4be@bosch.com>
2020-08-12 09:07:58 -03:00
Sebastian Paetzold
4ff34c1be9 KEYCLOAK-14890 Improve null handling in case of missing NameId 2020-08-06 10:45:22 -03:00
Dmitry Telegin
70ee36224c KEYCLOAK-14944 - Unit test failure in keycloak-services on Java 11 2020-08-05 10:41:43 -03:00
vmuzikar
b68d06f91c KEYCLOAK-13127 Update Account Console to Account REST API v1 2020-08-04 18:43:23 -03:00
zak905
8597edba8e KEYCLOAK-14851: make AIA max auth age configurable per AIA 2020-08-04 13:30:37 -04:00
vramik
6b00633c47 KEYCLOAK-14812 Create RoleStorageManager 2020-07-31 15:11:25 -03:00
vramik
bfa21c912c KEYCLOAK-14811 Create RoleProvider and make it independent of ClientProvider and RealmProvider 2020-07-31 15:11:25 -03:00
Dillon Sellars
25bb2e3ba2 KEYCLOAK-14529 Signed and Encrypted ID Token Support : RSA-OAEP-256 Key Management Algorithm 2020-07-30 15:20:51 +02:00
Yoshiyuki Tabata
cd76ed0d74 KEYCLOAK-14289 OAuth Authorization Server Metadata for Token Revocation 2020-07-29 11:41:56 +02:00
Martin Idel
97400827d2 KEYCLOAK-14870: Fix bug where user is incorrectly imported
Bug: SerializedBrokeredIdentityContext was changed to mirror
UserModel changes. However, when creating the user in LDAP,
the username must be provided first (everything else can
be handled via attributes).
2020-07-29 11:33:41 +02:00
Takashi Norimatsu
0191f91850 KEYCLOAK-14380 Support Requesting Claims using the claims Request Parameter 2020-07-29 09:53:28 +02:00
Martin Idel
330a3d8ff5 KEYCLOAK-14904 Fix AccountRestService
- custom attributes in UserModel are removed during update
- this can break caching (doesn't break if user is written
  to database)
- also ensure that we don't accidentally change username
  and/or firstName/lastName through attributes
2020-07-28 10:03:14 +02:00
Martin Kanis
feef5b4db2 KEYCLOAK-14220 Complement methods for accessing clients with Stream variants 2020-07-27 10:38:39 +02:00
Luca Leonardo Scorcia
da6530471b KEYCLOAK-14742 SAML2NameIDPolicyBuilder: add AllowCreate and SPNameQualifier properties 2020-07-25 10:16:57 +02:00
Lorent Lempereur
0d5b5abb4d
KEYCLOAK-13962 SAML2 Identity Provider - During login phase, SamlAuthenticationPreprocessors are not taken into account to produce an appropriate destination url 2020-07-25 00:10:43 +02:00
Lorent Lempereur
e82fe7d9e3
KEYCLOAK-13950 SAML2 Identity Provider - Send Subject in SAML requests 2020-07-24 21:41:57 +02:00
keycloak-bot
afff0a5109 Set version to 12.0.0-SNAPSHOT 2020-07-22 14:36:15 +02:00
Hynek Mlnarik
c566b46e8f KEYCLOAK-14549 Make ClientProvider independent of RealmProvider
Co-Authored-By: vramik <vramik@redhat.com>
2020-07-22 00:08:15 +02:00
Pedro Igor
7501e42969 [KEYCLOAK-14646] - Improving permission resolution and evaluation 2020-07-21 14:22:09 +02:00
Luca Leonardo Scorcia
9204402514 KEYCLOAK-14820 Import the NameIDPolicyFormat attribute from SAML IDP metadata descriptors 2020-07-21 12:23:25 +02:00
Takashi Norimatsu
e0fbfa722e KEYCLOAK-14189 Client Policy : Basics 2020-07-21 07:50:08 +02:00
Douglas Palmer
6d5495141d [KEYCLOAK-14611] Incorrect error message shown on duplicated email registration 2020-07-20 18:17:54 -03:00
Thomas Vitale
4cd5ace800 KEYCLOAK-9321 Remove invalid token_introspection_endpoint
The discovery document is advertizing both token_introspection_endpoint
and introspection_endpoint. The former has been removed as it is not
defined by OAuth2/OIDC.
2020-07-17 11:41:28 +02:00
Pedro Igor
582046bbfe [KEYCLOAK-13141] - Fixing filter 2020-07-15 11:00:55 -03:00
Luca Leonardo Scorcia
f8a4f66d6c
KEYCLOAK-13698 - SAML Client - Add certificate info to signature
Adds the X509Data tag to the XML Document signature in AuthnRequests
2020-07-10 23:06:37 +02:00
vmuzikar
7087c081f0 KEYCLOAK-14023 Instagram User Endpoint change
Co-authored-by: Jean-Baptiste PIN <jibet.pin@gmail.com>
2020-07-10 17:36:51 -03:00
Pedro Igor
1db1deb066 [KEYCLOAK-13141] - Supporting re-augmentation 2020-07-10 11:04:46 -03:00
Luca Leonardo Scorcia
d6934c64fd Refactor SAML metadata generation to use the SAMLMetadataWriter class 2020-07-09 09:39:35 +02:00
slayne
e22fdabc02 KEYCLOAK-14146 : null check on subject nameId 2020-07-09 09:34:50 +02:00
Pete Cracknell
2ec572e9b5 KEYCLOAK-14655 Check issuer config exists 2020-07-07 22:47:56 +02:00
Pedro Igor
9c4da9b3ce [KEYCLOAK-14147] - Request filter refactoring
Co-authored-by: Stian Thorgersen <stian@redhat.com>
Co-authored-by: Martin Kanis <mkanis@redhat.com>
2020-07-07 11:26:12 -03:00
kurisumakise2011
738f24aa38 [KEYCLOAK-14570] Resolve nullpointer issue in controller
Some ProviderFactory returns null as properties instead of
Collections.emptyList() and it leads to NPE.

Fix it with using Optional.ofNullable(...).orElse(Collections.emptyList())
2020-07-07 07:46:26 +02:00
Douglas Palmer
9369c7cf4d Add filter by name to applications endpoint 2020-07-03 15:35:38 -03:00
Martin Idel
8fe25948f7 KEYCLOAK-13959 Add AdvancedAttribute mapper for SAML to allow regexes 2020-07-03 18:19:35 +02:00
Plamen Kostov
f639cc82b7 [KEYCLOAK-14282] Fix missing flag for enabled and exact flag 2020-07-03 09:07:42 -03:00
Plamen Kostov
914b226d11 [KEYCLOAK-14282] Create additional filtering for GET /users endpoint for enabled/disabled users 2020-07-03 09:07:42 -03:00
Axel Messinese
f30395d535 KEYCLOAK-12687 Add briefRepresentation queryParams to get roles 'composite' endpoints 2020-07-03 09:41:53 +02:00
Oleksandr Shevchuk
10cdc581f9
KEYCLOAK-11683 Reduce unnecessary load on work cache 2020-07-03 09:38:42 +02:00
Bartosz Siemieńczuk
e2040f5d13 KEYCLOAK-14006 Allow administrator to add additional fields to be fetched with Facebook profile request 2020-07-01 18:27:04 -03:00
Eric Rodrigues Pires
de9a0a0a4a [KEYCLOAK-13044] Fix owner name representations of UMA tickets for client-owned resources 2020-07-01 18:15:22 -03:00
vmuzikar
001fe9eb11 KEYCLOAK-13206 Session Status iframe cannot access cookies when 3rd party cookies are blocked
Co-authored-by: mhajas <mhajas@redhat.com>
2020-06-30 17:11:20 -03:00
Stan Silvert
25e8210066 KEYCLOAK-14584: Clients that have empty string as Base URL are displayed
in Account Console
2020-06-29 09:41:55 -03:00
Douglas Palmer
5e44bb781b [KEYCLOAK-14344] Cannot revoke offline access for an app if the app doesn't require consent 2020-06-26 14:56:08 -04:00
Martin Idel
05b6ef8327 KEYCLOAK-14536 Migrate UserModel fields to attributes
- In order to make lastName/firstName/email/username field
  configurable in profile
  we need to store it as an attribute
- Keep database as is for now (no impact on performance, schema)
- Keep field names and getters and setters (no impact on FTL files)

Fix tests with logic changes

- PolicyEvaluationTest: We need to take new user attributes into account
- UserTest: We need to take into account new user attributes

Potential impact on users:

- When subclassing UserModel, consistency issues may occur since one can
  now set e.g. username via setSingleAttribute also
- When using PolicyEvaluations, the number of attributes has changed
2020-06-25 14:50:57 +02:00
Douglas Palmer
1434f14663 [KEYCLOAK-14346] Base URL for applications is broken 2020-06-23 15:26:07 -03:00
ynojima
420968cc53 Update WebAuthn4J to 0.12.0.RELEASE 2020-06-23 10:53:08 +02:00
Erik Jan de Wit
55291bad76 KEYCLOAK-14531 Welcome cards should be driven by content.json
`content.js` is now `content.json` it's used in freemarker to create the cards
2020-06-22 11:29:20 -04:00
Hiroyuki Wada
f73b51818b KEYCLOAK-14113 Support for exchanging to SAML 2.0 token 2020-06-19 22:08:42 +02:00
Dirk Weinhardt
08dca9e89f KEYCLOAK-13205 Apply locale resolution strategy to admin console. 2020-06-19 10:27:13 -04:00
Dmitry Telegin
219d2b9a7c KEYCLOAK-14156 - Passive authentication emits incomplete LOGIN event 2020-06-19 11:14:32 +02:00
Martin Bartos
ec9bf6206e [KEYCLOAK-13202] Reset password redirects to account client 2020-06-18 13:08:36 +02:00
Erik Jan de Wit
c20766f2d7 KEYCLOAK-14140 added more test cases
Co-authored-by: vmuzikar <vmuzikar@redhat.com>
2020-06-17 13:56:11 -04:00
Thomas Darimont
92ab9c08ae KEYCLOAK-8100 Expose sub claim in OIDC IdentityBroker Mappers
We now expose the claims "sub" for use in Identity Broker mappers.
Previously claims directly mapped to `JsonWebToken` fields were not
accessible for mappings.
2020-06-17 12:56:08 -03:00
Pedro Igor
d331091c5e [KEYCLOAK-11330] - Quarkus tests 2020-06-17 17:20:55 +02:00
Martin Kanis
8f18cf1646 KEYCLOAK-14132 DefaultSecurityHeadersProvider should support 307 as redirect code 2020-06-17 11:55:40 +02:00
Tero Saarni
3c82f523ff [KEYCLOAK-14343] Truststore SPI support for LDAP with StartTLS
Signed-off-by:  Tero Saarni <tero.saarni@est.tech>
Co-authored-by: Jan Lieskovsky <jlieskov@redhat.com>
2020-06-11 18:07:53 +02:00
Pedro Igor
e16f30d31f [KEYCLOAK-2343] - Allow exact user search by user attributes
Co-authored-by: Hynek Mlnařík <hmlnarik@users.noreply.github.com>
2020-06-10 12:02:50 -03:00
Erik Jan de Wit
8b0760a6d1 KEYCLOAK-14158 Polished the My Resource page
empty state

change case

added dropdown menu instead of buttons

now on edit you can add and remove permissions

changed how the actions work

updated success messages

use live region alerts toast alerts

username or email search

labels for the buttons

margin between accecpt and deny button

fixed test and types

changed to bigger distance with split component

changed to use seperate empty state component
2020-06-08 09:05:30 -04:00
Yoshiyuki Tabata
f03ee2ec98 KEYCLOAK-14145 OIDC support for Client "offline" session lifespan 2020-06-04 14:24:52 +02:00
Denis
8d6f8d0465 EYCLOAK-12741 Add name and description edit functionality to Authentication and Execution Flows 2020-06-04 08:08:52 +02:00
Pedro Igor
e8dc10b4a1 [KEYCLOAK-11330] - Properly handling POST formdata and UriInfo 2020-06-02 09:36:40 +02:00
stianst
90b29b0e31 KEYCLOAK-14107 Admin page content blocked on v10.0.0 due to content security policy 2020-05-29 13:57:38 +02:00
Benjamin Weimer
4265fdcab2 KEYCLOAK-14318 Client Empty Root URL and relative Base URL is valid 2020-05-29 11:21:28 +02:00
vmuzikar
f8dce7fc3e KEYCLOAK-13819 SAML brokering with POST binding is broken by new SameSite policies 2020-05-28 13:37:56 +02:00
Youssef El Houti
086bdd1700 add optional field at_hash to idToken when using Authorization Code flow since it improves performance and allows to follow the recommandation in RFC for clients to use hash for access_token validation 2020-05-27 07:34:05 +02:00
Pedro Igor
bc901d0025 [KEYCLOAK-14299] - Do not create keys during startup but on-demand 2020-05-26 15:13:26 -03:00
Pedro Igor
f15821fe69 [KEYCLOAK-11679] - Server startup on Quarkus 2020-05-26 08:34:07 -03:00
Hynek Mlnarik
7deb89caab KEYCLOAK-10729 Do not serialize SAML signature 2020-05-25 15:38:17 +02:00
cachescrubber
3382682115
KEYCLOAK-10927 - Implement LDAPv3 Password Modify Extended Operation … (#6962)
* KEYCLOAK-10927 - Implement LDAPv3 Password Modify Extended Operation (RFC-3062).

* KEYCLOAK-10927 - Introduce getLDAPSupportedExtensions(). Use result instead of configuration.

Co-authored-by: Lars Uffmann <lars.uffmann@vitroconnect.de>
Co-authored-by: Kevin Kappen <kevin.kappen@vitroconnect.de>
Co-authored-by: mposolda <mposolda@gmail.com>
2020-05-20 21:04:45 +02:00
Stan Silvert
13d0491ff3 KEYCLOAK-14038: Re-allow special characters for Roles only 2020-05-20 07:53:23 -04:00
Takashi Norimatsu
c057b994e7 KEYCLOAK-13104 Signed and Encrypted ID Token Support : AES 192bit and 256bit key support 2020-05-20 09:01:59 +02:00
Takashi Norimatsu
be0ba79daa KEYCLOAK-7997 Implement Client Registration Metadata based on Mutual TLS 2020-05-19 17:00:41 +02:00
mposolda
12d965abf3 KEYCLOAK-13047 LDAP no-import fixes. Avoid lost updates - dont allow update attributes, which are not mapped to LDAP 2020-05-19 16:58:25 +02:00
Martin Kanis
6f43b58ccf KEYCLOAK-14074 filterIdentityProviders compares providerId instead of alias 2020-05-19 09:46:21 +02:00
Thomas Darimont
6211fa90e0 KEYCLOAK-10932 Honor given_name and family_name in OIDC brokering
Previously firstname and lastname were derived from the name claim.
We now use direct mappings to extract firstname and lastname from
given_name and family_name claims.

Added test to KcOidcFirstBrokerLoginTest

Marked org.keycloak.broker.provider.BrokeredIdentityContext#setName
as deprecated to avoid breaking existing integrations.
2020-05-19 09:10:43 +02:00
stianst
d99d65eb92 KEYCLOAK-14163 Common resources are not loaded from common path 2020-05-18 15:08:34 +02:00
Pedro Igor
bae802bcfa [KEYCLOAK-11784] - Using Hibernate Extension 2020-05-14 11:10:46 +02:00
stianst
b04932ede5 KEYCLOAK-12414 Remove the need to specify defaults in config file 2020-05-13 09:02:29 -03:00
Pedro Igor
35f622f48e [KEYCLOAK-11719] - Remove need for servlets/undertow from Quarkus dist
Co-authored-by: MatthewC <matthewc@backbase.com>
2020-05-13 09:28:58 +02:00
Sven-Torben Janus
fcb0e450a0 KEYCLOAK-13817 Return local user from LDAPStorageProvider 2020-05-12 20:50:18 +02:00
Yoshiyuki Tabata
f7d00fc2e9 KEYCLOAK-13844 "exp" claim should not be "0" when using offline token 2020-05-12 16:14:37 +02:00
stianst
49db2c13a5 KEYCLOAK-8141 Fix issue where attribute values are duplicated if updates to user are done in parallell 2020-05-12 09:06:44 +02:00
Pedro Igor
44c49d69a7 [KEYCLOAK-13071] - AuthorizationTokenService swallows Exceptions thrown by KeycloakIdentity 2020-05-08 09:21:37 +02:00
Takashi Norimatsu
3716bd96ad KEYCLOAK-14093 Specify Signature Algorithm in Signed JWT with Client Secret 2020-05-07 11:28:39 +02:00
Agniswar Mandal
8646d0668a KEYCLOAK-14072 docker-compose.yaml file generated creates an invalid urls
* Updated Invalid URLs

The docker-compose.yaml file generated creates an invalid url for REGISTRY_AUTH_TOKEN_REALM and REGISTRY_AUTH_TOKEN_ISSUER. Fixed

* KEYCLOAK-14072 JIRA#14072

Test coverage fix for the the JIRA#14072
2020-05-07 08:40:52 +02:00
stianst
2be61246f4 KEYCLOAK-14057 Fix resource not found error when creating policy 2020-05-06 11:08:29 +02:00
Takashi Norimatsu
0d0617d44a KEYCLOAK-13720 Specify Signature Algorithm in Signed JWT Client Authentication 2020-05-05 17:43:00 +02:00
rmartinc
f0852fd362 KEYCLOAK-13823: "Dir" Full export/import: On import, service account roles and authorization info are not imported 2020-05-05 17:05:56 +02:00
Vanrar68
85feda3beb KEYCLOAK-13998 ConditionalRoleAuthenticator doesn't work with composite roles 2020-05-05 08:39:04 +02:00
Michael Riedmann
b3a88d6509 [KEYCLOAK-13995] fixed ClientMappers update capabilities of Admin REST API endpoint. 2020-05-04 17:13:57 +02:00
stianst
48b1b2b7de KEYCLOAK-14043 Fixes for authz due to security header spi changes 2020-05-04 14:11:01 +02:00
Erik Jan de Wit
435815249b KEYCLOAK-12783 changed to base account url for new console 2020-05-04 07:16:15 -04:00
Hynek Mlnarik
32f13016fa KEYCLOAK-12874 Align Destination field existence check with spec 2020-05-04 09:19:44 +02:00
cc
8876294a72 [KEYCLOAK-13964] exported realm should include keycloak version, not Project/product version
The exported realm json file includes a field named "KeycloakVersion", which is assigned
Version.Version. In community edition, Version.Version is identical to Version.KeycloakVersion.
If we rebrand product based on keycloak project, Version.Version will be Product version, while
keycloak codes expect exported realm file including KeycloakVersion for normal migrating.

For RHSSO product, there are somes codes in class MigrationModelManager for converting the right
KeycloakVersion.

From semantic point, a field named "KeycloakVersion" should be assigned variable named "KeycloakVersion".
2020-04-30 12:41:40 +02:00
Martin Kanis
aa309b96a8 KEYCLOAK-13682 NPE when refreshing token after enabling consent 2020-04-30 08:46:21 +02:00
stianst
a77c35ea8f KEYCLOAK-14009 Add fix for token revocation endpoint 2020-04-29 17:22:25 +02:00
keycloak-bot
ae20b7d3cd Set version to 11.0.0-SNAPSHOT 2020-04-29 12:57:55 +02:00
Pedro Igor
601bf8d63e [KEYCLOAK-12735] - Improving queries and cache for authz 2020-04-29 03:58:03 +02:00
Yoshiyuki Tabata
874642fe9e KEYCLOAK-12406 Add "Client Session Max" and "Client Session Idle" for OIDC 2020-04-28 15:34:25 +02:00
stianst
5b017e930d KEYCLOAK-13128 Security Headers SPI and response filter 2020-04-28 15:28:24 +02:00
Yoshiyuki Tabata
b40c12c712 KEYCLOAK-5325 Provide OAuth token revocation capability 2020-04-28 15:25:22 +02:00
Erik Jan de Wit
e093fa218d Fixed console for test 2020-04-27 09:09:31 -04:00
Erik Jan de Wit
7580be8708 KEYCLOAK-13121 added the basic functionality 2020-04-27 09:09:31 -04:00
Stefan Guilhen
da1138a8d2 [KEYCLOAK-13005] Make sure the master URL is used if the consumer POST or REDIRECT URL is an empty string
- Fixes issue where admin console sets an empty string when the consumer POST or REDIRECT URL is deleted
2020-04-27 14:25:03 +02:00
Pedro Igor
44b489b571 [KEYCLOAK-13656] - Deny request if requested scope is not associated to resource or any typed resources 2020-04-27 08:39:38 +02:00
Martin Idel
7e8018c7ca KEYCLOAK-11862 Add Sync mode option
- Store in config map in database and model
- Expose the field in the OIDC-IDP
- Write logic for import, force and legacy mode
- Show how mappers can be updated keeping correct legacy mode
- Show how mappers that work correctly don't have to be modified
- Log an error if sync mode is not supported

Fix updateBrokeredUser method for all mappers

- Allow updating of username (UsernameTemplateMapper)
- Delete UserAttributeStatementMapper: mapper isn't even registered
  Was actually rejected but never cleaned up: https://github.com/keycloak/keycloak/pull/4513
  The mapper won't work as specified and it's not easy to tests here
- Fixup json mapper
- Fix ExternalKeycloakRoleToRoleMapper:
  Bug: delete cannot work - just delete it. Don't fix it in legacy mode

Rework mapper tests

- Fix old tests for Identity Broker:
  Old tests did not work at all:
  They tested that if you take a realm and assign the role,
  this role is then assigned to the user in that realm,
  which has nothing to do with identity brokering
  Simplify logic in OidcClaimToRoleMapperTests
- Add SyncMode tests to most mappers
  Added tests for UsernameTemplateMapper
  Added tests to all RoleMappers
  Add test for json attribute mapper (Github as example)
- Extract common test setup(s)
- Extend admin console tests for sync mode

Signed-off-by: Martin Idel <external.Martin.Idel@bosch.io>
2020-04-24 15:54:32 +02:00
Pedro Igor
8f5e58234e [KEYCLOAK-11317] - IDP review profile allows empty username 2020-04-24 10:52:59 -03:00
Martin Kanis
a04c70531a KEYCLOAK-9623 Disabling logged in user will not allow other user to login after he is thrown out of his session 2020-04-23 14:40:25 +02:00
Takashi Norimatsu
8513760e25 KEYCLOAK-12176 WebAuthn: show the attestation statement format in the admin console 2020-04-23 10:01:19 +02:00
Thomas Darimont
12e53e6f11 KEYCLOAK-11003 Remove UPDATE_PASSWORD RequiredAction on non-temporary password reset
We now remove a potentially existing UPDATE_PASSWORD action when
explicitly assigning a non-temporary password.

Adapted tests to use a temporary password when UpdatePassword required actions
were used.
2020-04-22 10:59:49 +02:00
Thomas Darimont
f9f71039ae KEYCLOAK-13566 ValidateUsername should raise USER_NOT_FOUND event if the user lookup fails 2020-04-21 21:11:11 +02:00
Pedro Igor
cbab159aa8 [KEYCLOAK-8071] - Properly validating requested scopes 2020-04-21 12:23:59 +02:00
keycloak-bot
33314ae3ca Set version to 10.0.0-SNAPSHOT 2020-04-21 09:19:32 +02:00
mposolda
821405e175 KEYCLOAK-10852 Inconsistency when using 'forgot password' after changing email directly in LDAP 2020-04-16 12:28:41 +02:00
Pedro Igor
21597b1ff2 [KEYCLOAK-13581] - Fixing client pagination when permission is enabled 2020-04-14 16:57:27 -03:00
stianst
97b5654690 KEYCLOAK-13285 Enable check identity for email 2020-04-14 19:22:57 +02:00
Pedro Igor
b60b85ab65 [KEYCLOAK-7450] - Match subject when validating id_token returned from external OP 2020-04-06 13:43:19 +02:00
mduchrow
75acc27706 KEYCLOAK-13339 NPE when removing credentials and user cache is disabled 2020-03-31 17:14:34 +02:00
mposolda
6f62c0ed98 KEYCLOAK-13442 Backwards compatibility in users searching. searchForUser(String, RealmModel, int, int) is no longer called when searching users from the admin console 2020-03-27 13:29:55 +01:00
Pedro Igor
b812159193 [KEYCLOAK-10675] - Deleting an Identity Provider doesn't remove the associated IdP Mapper for that user 2020-03-26 11:41:17 +01:00
Pedro Igor
1b8369c7d5 [KEYCLOAK-13385] - Better message when saving a provider with invalid URLs 2020-03-26 08:46:44 +01:00
keycloak-bot
f6a592b15a Set version to 9.0.4-SNAPSHOT 2020-03-24 08:31:18 +01:00
mposolda
5ddd605ee9 KEYCLOAK-13259 2020-03-24 05:32:41 +01:00
mposolda
9474dd6208 KEYCLOAK-12986 BruteForceProtector does not log failures when login failure in PostBroker flow 2020-03-24 05:32:10 +01:00
Martin Kanis
e6e0e6945d KEYCLOAK-12156 LogoutEndpoint does not verify token type of id_token_hint
Co-authored-by: Martin Kanis <mkanis@redhat.com>
Co-authored-by: Marek Posolda <mposolda@redhat.com>
2020-03-24 05:31:36 +01:00
Martin Kanis
9336d598ba KEYCLOAK-13380 Validate alignment 2020-03-24 05:12:57 +01:00
mposolda
3e82473a90 KEYCLOAK-13369 Not possible to move groups in admin console 2020-03-23 10:17:23 +01:00
Dmitry Telegin
3b24465141
KEYCLOAK-12870 - Allow to pick arbitrary user for IdP linking (#6828)
* KEYCLOAK-12870 - Allow to pick arbitrary user for IdP linking

* KEYCLOAK-12870: always allow to choose user if password reset is called from first broker login flow

* KEYCLOAK-12870: remove "already authenticated as different user" check and message

* KEYCLOAK-12870: translations

* KEYCLOAK-12870: fix tests
2020-03-20 07:41:35 +01:00
rmartinc
a8e74196d1 KEYCLOAK-4923: Client Service Account Roles are not exported 2020-03-19 11:38:33 -03:00
Takashi Norimatsu
fc58af1365 KEYCLOAK-12696 Upgrade to webauthn4j 0.10.2.RELEASE 2020-03-18 10:56:51 +01:00
Stan Silvert
fff8571cfd KEYCLOAK-12768: Prevent reserved characters in URLs 2020-03-18 07:40:24 +01:00
stianst
aece5d1b4c KEYCLOAK-5162 Add index to even table 2020-03-17 17:05:21 +01:00
mposolda
56d1ab19a8 KEYCLOAK-11412 Display more nice error message when creating top level group with same name 2020-03-16 21:03:46 +01:00
mposolda
d7688f6b12 KEYCLOAK-12869 REST sends credential type when no credential exists and credential disabled 2020-03-16 21:02:40 +01:00
Stan Silvert
1f1ed36b71 KEYCLOAK-9782: Do not allow duplicate group name when updating 2020-03-13 10:13:45 -04:00
Sebastian Laskawiec
8774a0f4ba KEYCLOAK-12881 KEYCLOAK-13099 Update FederatedIdentities and Groups on POST 2020-03-12 14:57:02 +01:00
mposolda
72e4690248 KEYCLOAK-13174 Not possible to delegate creating or deleting OTP credential to userStorage 2020-03-11 12:51:56 +01:00
rmartinc
ad3b9fc389 KEYCLOAK-12579: LDAP groups duplicated during UI listing of user groups 2020-03-11 06:14:29 +01:00
mposolda
bc1146ac2f KEYCLOAK-10029 Offline token migration fix. Always test offline-token migration when run MigrationTest 2020-03-10 20:38:16 +01:00
Pedro Igor
b7a395a3ef [KEYCLOAK-11345] - Test basic features of Keycloak.X with current tetsuite 2020-03-10 15:59:35 +01:00
Phy
2b35321b7c KEYCLOAK-13253 read rpId from policy in WebAuthnAuthenticator
A new method, getRpID, is created.
2020-03-09 17:04:26 +01:00
Sebastian Schuster
99aba33980 KEYCLOAK-13163 Fixed searching for user with fine-grained permissions 2020-03-09 09:56:13 -03:00
mabartos
a1bbab9eb2 KEYCLOAK-12799 Missing Cancel button on The WebAuthn setup screen when using AIA 2020-03-05 15:04:38 +01:00
stianst
b84160786b KEYCLOAK-12885 Make sure empty protocol in client scope doesn't result in NPE in well-known endpoint 2020-03-05 13:43:46 +01:00
Pedro Igor
23b4aee445 [KEYCLOAK-13056] - Searching clients with reduced permissions results in 403 2020-03-05 13:39:25 +01:00
stianst
75a772f52b KEYCLOAK-10967 Add JSON body methods for test ldap and smtp connections. Deprecate old form based methods. 2020-03-05 10:07:58 +01:00
stianst
b39b84c5dc KEYCLOAK-13102 Remove error log message on invalid response_type 2020-03-05 08:47:12 +01:00
Pedro Igor
2f489a41eb [KEYCLOAK-12192] - Missing Input Validation in IDP Authorization URLs 2020-03-05 06:32:35 +01:00
stianst
bcb542d9cc KEYCLOAK-13116 Fix backwards compatilbity changes in LocaleSelectorSPI 2020-03-04 06:39:24 +01:00
Douglas Palmer
dfb67c3aa4 [KEYCLOAK-12980] Username not updated when "Email as username" is enabled 2020-03-03 10:26:35 +01:00
Pedro Igor
49b1dbba68 [KEYCLOAK-11804] - Block service accounts to authenticate or manage credentials 2020-03-03 06:48:02 +01:00
Stefan Guilhen
3fa8a5aa88 [KEYCLOAK-12612][KEYCLOAK-12944] Fix validation of SAML destination URLs
- no longer compare them to the server absolutePath; instead use the base URI to build the validation URL
2020-03-03 06:48:02 +01:00
Hynek Mlnarik
f45f882f0c KEYCLOAK-11903 Test for XSW attacks 2020-03-02 21:26:13 +01:00
vramik
7c91e36e43 KEYCLOAK-10898 WildFly Adapter CLI based installation scripts 2020-03-02 10:08:45 +01:00
Hynek Mlnarik
aecfe251e4 KEYCLOAK-12816 Fix representation to model conversion 2020-02-27 21:11:24 +01:00
Douglas Palmer
85d7216228 [KEYCLOAK-12640] Client authorizationSettings.decisionStrategy value lost on realm import 2020-02-27 09:45:48 -03:00
Stian Thorgersen
26c166d965 Update OIDCIdentityProvider.java 2020-02-27 09:13:29 +01:00
Pedro Igor
a830818a84 [KEYCLOAK-12794] - Missing id token checks in oidc broker 2020-02-27 09:13:29 +01:00
Thomas Darimont
469bca624b KEYCLOAK-10953 Avoid NPE when Updating Clients via Admin REST API 2020-02-27 09:09:32 +01:00
Thomas Darimont
f426ed6de6 KEYCLOAK-7961 Avoid sending back-channel logout requests to disabled clients 2020-02-27 09:08:09 +01:00
Pedro Igor
1c71eb93db [KEYCLOAK-11576] - Properly handling redirect_uri parser errors 2020-02-27 08:29:06 +01:00
stianst
950eae090f KEYCLOAK-13054 Unblock temporarily disabled user on password reset, and remove invalid error message 2020-02-27 08:05:46 +01:00
Martin Bartoš
eaaff6e555
KEYCLOAK-12958 Preview feature profile for WebAuthn (#6780)
* KEYCLOAK-12958 Preview feature profile for WebAuthn

* KEYCLOAK-12958 Ability to enable features having EnvironmentDependent providers without restart server

* KEYCLOAK-12958 WebAuthn profile product/project

Co-authored-by: Marek Posolda <mposolda@gmail.com>
2020-02-26 08:45:26 +01:00
Peter Skopek
5db98a58d3 KEYCLOAK-12826 WebAuthn fails to login user when their security key supports "user handle" 2020-02-20 09:19:09 +01:00
stianst
9e47022116 KEYCLOAK-8044 Clear theme caches on hot-deploy 2020-02-20 08:50:10 +01:00
stianst
d8d81ee162 KEYCLOAK-12268 Show page not found for /account/log if events are disabled for the realm 2020-02-20 08:49:30 +01:00
stianst
06576a44c9 KEYCLOAK-13032 Add no cache headers to account form service 2020-02-19 15:47:18 +01:00
stianst
536824beb6 KEYCLOAK-12960 Use Long for time based values in JsonWebToken 2020-02-19 15:46:05 +01:00
Stefan Guilhen
7a3998870c [KEYCLOAK-12612][KEYCLOAK-12944] Fix validation of SAML destination URLs
- no longer compare them to the server absolutePath; instead use the base URI to build the validation URL
2020-02-18 16:38:19 -03:00
mposolda
eeeaafb5e7 KEYCLOAK-12858 Authenticator is sometimes required even when configured as alternative 2020-02-18 09:05:59 +01:00
Thomas Darimont
67ddd3b0eb KEYCLOAK-12926 Improve Locale based message lookup
We now consider intermediate Locales when performing a Locale based
ResourceBundle lookup, before using an Locale.ENGLISH fallback.

Co-authored-by: stianst <stianst@gmail.com>
2020-02-18 08:43:46 +01:00
keycloak-bot
d352d3fa8e Set version to 9.0.1-SNAPSHOT 2020-02-17 20:38:54 +01:00
mposolda
a76c496c23 KEYCLOAK-12860 KEYCLOAK-12875 Fix for Account REST Credentials to work with LDAP and social users 2020-02-14 20:24:42 +01:00
stianst
f0e3122792 KEYCLOAK-12953 Ignore empty realm frontendUrl 2020-02-14 11:33:07 +01:00
stianst
42773592ca KEYCLOAK-9632 Improve handling of user locale 2020-02-14 08:32:20 +01:00
stianst
4b09a4a2af KEYCLOAK-12993 AuthorizationBean invokes ResolveRelative.resolveRelativeUri with null as the value for KeycloakSession 2020-02-13 16:45:06 +01:00
Pedro Igor
7efaf9869a [KEYCLOAK-12864] - OIDCIdentityProvider with Reverse Proxy 2020-02-13 15:01:10 +01:00
Peter Zaoral
b0ffea699e KEYCLOAK-12186 Improve the OTP login form
-created and implemented login form design, where OTP device can be selected
-implemented selectable-card-view logic in jQuery
-edited related css and ftl theme resources
-fixed affected BrowserFlow tests

Signed-off-by: Peter Zaoral <pzaoral@redhat.com>
2020-02-12 11:25:02 +01:00
Peter Skopek
622a97bd1c KEYCLOAK-12228 Sensitive Data Exposure
from patch of hiba haddad haddadhiba0@gmail.com
2020-02-12 09:57:31 +01:00
stianst
3c0cf8463a KEYCLOAK-12821 Check if action is disabled in realm before executing 2020-02-12 09:04:43 +01:00
stianst
0b8adc7874 KEYCLOAK-12921 Fix NPE in client validation on startup 2020-02-12 08:23:25 +01:00
stianst
dda829710e KEYCLOAK-12829 Require PKCE for admin and account console 2020-02-12 08:22:20 +01:00
Thomas Darimont
7969aed8e0 KEYCLOAK-10931 Trigger UPDATE_PASSWORD event on password update via AccountCredentialResource 2020-02-11 19:51:58 +01:00
Martin Kanis
1d54f2ade3 KEYCLOAK-9563 Improve access token checks for userinfo endpoint 2020-02-11 15:09:21 +01:00
stianst
ecec20ad59 KEYCLOAK-12193 Internal error message returned in error response 2020-02-07 18:10:41 +01:00
mabartos
a5d02d62c1 KEYCLOAK-12908 TOTP not accepted in request for Access token 2020-02-07 13:17:05 +01:00
stianst
7545749632 KEYCLOAK-12190 Add validation for client root and base URLs 2020-02-07 09:09:40 +01:00
Pedro Igor
fc514aa256 [KEYCLOAK-12792] - Invalid nonce handling in OIDC identity brokering 2020-02-06 13:16:01 +01:00
Dmitry Telegin
b6c5acef25 KEYCLOAK-7969 - SAML users should not be identified by SAML:NameID 2020-02-06 08:53:31 +01:00
Martin Bartoš
7dec314ed0
KEYCLOAK-12900 NullPointerException during WebAuthn Registration (#6732) 2020-02-05 17:01:36 +01:00
Axel Messinese
b73553e305 Keycloak-11526 search and pagination for roles 2020-02-05 15:28:25 +01:00
rmartinc
d39dfd8688 KEYCLOAK-12654: Data to sign is incorrect in redirect binding when URI has parameters 2020-02-05 11:30:28 +01:00
Martin Bartoš
b0c4913587
KEYCLOAK-12177 KEYCLOAK-12178 WebAuthn: Improve usability (#6710) 2020-02-05 08:35:47 +01:00
Thomas Darimont
42fdc12bdc
KEYCLOAK-8573 Invalid client credentials should return Unauthorized status (#6725) 2020-02-05 08:27:15 +01:00
Thomas Darimont
d417639cb8
KEYCLOAK-11033 Avoid NPE in password endpoint of AccountCredentialResource (#6721)
Added additional null guard since some credentials provide might not
maintain a "CreatedDate" for a password credentials.
2020-02-04 16:01:27 +01:00
rmartinc
5b9eb0fe19 KEYCLOAK-10884: Need clock skew for SAML identity provider 2020-02-03 22:00:44 +01:00
Jan Lieskovsky
b532570747
[KEYCLOAK-12168] Various setup TOTP screen usability improvements (#6709)
On both the TOTP account and TOTP login screens perform the following:
* Make the "Device name" label optional if user registers the first
  TOTP credential. Make it mandatory otherwise,
* Denote the "Authenticator code" with asterisk, so it's clear it's
  required field (always),
* Add sentence to Step 3 of configuring TOTP credential explaining
  the user to provide device name label,

Also perform other CSS & locale / messages file changes, so the UX is
identical when creating OTP credentials on both of these pages

Add a corresponding testcase

Also address issues pointed out by mposolda's review. Thanks, Marek!

Signed-off-by: Jan Lieskovsky <jlieskov@redhat.com>
2020-02-03 19:34:28 +01:00
Marek Posolda
154bce5693
KEYCLOAK-12340 KEYCLOAK-12386 Regression in credential handling when … (#6668) 2020-02-03 19:23:30 +01:00
Leon Graser
01a42f417f Search and Filter for the count endpoint 2020-02-03 09:36:30 +01:00
Pedro Igor
ed2d392a3d [KEYCLOAK-9666] - Entitlement request with service account results in server error 2020-02-03 08:57:56 +01:00
Pedro Igor
658a083a0c [KEYCLOAK-9600] - Find by name in authz client returning wrong resource 2020-02-03 08:57:20 +01:00
rmartinc
1989483401 KEYCLOAK-12001: Audience support for SAML clients 2020-01-31 15:56:40 +01:00
Marek Posolda
d8e450719b
KEYCLOAK-12469 KEYCLOAK-12185 Implement nice design to the screen wit… (#6690)
* KEYCLOAK-12469 KEYCLOAK-12185 Add CredentialTypeMetadata. Implement the screen with authentication mechanisms and implement Account REST Credentials API by use the credential type metadata
2020-01-31 14:28:23 +01:00
Stan Silvert
6ac5a2a17e
[KEYCLOAK-12744] rh-sso-preview theme for product build
* change logo for RH-SSO
* Small fixes to rh-sso-preview theme
* rh-sso-preview theme

Co-authored-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
2020-01-31 08:16:52 -03:00
Pedro Igor
c37ca235ab [KEYCLOAK-11352] - Can't request permissions by name by a non-owner resource service, although the audience is set 2020-01-30 11:36:21 +01:00
stianst
2916af351a KEYCLOAK-12712 Add thread-safety for provider hot-deployment 2020-01-29 14:06:11 +01:00
stianst
a3e5f9d547 KEYCLOAK-12736 Set time for admin events in milliseconds, instead of converted seconds 2020-01-29 14:05:22 +01:00
Marek Posolda
d46620569a
KEYCLOAK-12174 WebAuthn: create authenticator, requiredAction and policy for passwordless (#6649) 2020-01-29 09:33:45 +01:00
Takashi Norimatsu
993ba3179c KEYCLOAK-12615 HS384 and HS512 support for Client Authentication by Client Secret Signed JWT (#6633) 2020-01-28 14:55:48 +01:00
Stian Thorgersen
87cab778eb KEYCLOAK-11996 Authorization Endpoint does not return an error when a request includes a parameter more than once (#6696)
Co-authored-by: stianst <stianst@gmail.com>

Co-authored-by: Takashi Norimatsu <takashi.norimatsu.ws@hitachi.com>
2020-01-24 12:10:56 +01:00
Thomas Darimont
303861f7e8 KEYCLOAK-10003 Fix handling of request parameters for SMTP Connection Test
We now transfer the SMTP connection configuration via HTTP POST
request body parameters instead of URL parameters.
The improves handling of SMTP connection configuration values with
special characters. As a side effect sensitive information like SMTP
credentials are now longer exposed via URL parameters.

Previously the SMTP connection test send the connection parameters
as encoded URL parameters in combination with parameters in the request body.
However the server side endpoint did only look at the URL parameters.

Certain values, e.g. passwords with + or ; could lead to broken URL parameters.
2020-01-23 13:19:31 -06:00
Leon Graser
f1ddd5016f KEYCLOAK-11821 Add account api roles to the client on creation
Co-authored-by: stianst <stianst@gmail.com>
2020-01-23 13:10:04 -06:00
Benjamin Weimer
dd9ad305ca KEYCLOAK-12757 New Identity Provider Mapper "Advanced Claim to Role Mapper" with
following features

    * Regex support for claim values.
    * Support for multiple claims.
2020-01-23 07:17:22 -06:00
Stan Silvert
210fd92d23 KEYCLOAK-11550: Signing In page 2020-01-23 07:35:09 -05:00
Domenico Briganti
812b69af13 KEYCLOAK-9837 Not hide exception in email templating - clean code 2020-01-23 05:45:25 -06:00
Domenico Briganti
f07e08ef28 KEYCLOAK-9837 Not hide exception in email templating - Throws always an Exception 2020-01-23 05:45:25 -06:00
Domenico Briganti
476da4f276 KEYCLOAK-9837 Not hide exception in email templating 2020-01-23 05:45:25 -06:00
Captain-P-Goldfish
b90a0307ea Add certificate timestamp validation (#6330)
KEYCLOAK-11818 Add certificate timestamp validation
2020-01-22 20:53:06 +01:00
vmuzikar
03306b87e8 KEYCLOAK-12125 Introduce SameSite attribute in cookies
Co-authored-by: mhajas <mhajas@redhat.com>
Co-authored-by: Peter Skopek <pskopek@redhat.com>
2020-01-17 08:36:53 -03:00
Martin Bartos RH
d3f6937a23 [KEYCLOAK-12426] Add username to the login form + ability to reset login 2020-01-17 09:40:13 +01:00
mposolda
85dc1b3653 KEYCLOAK-12426 Add username to the login form + ability to reset login - NOT DESIGN YET 2020-01-17 09:40:13 +01:00
Tomas Kyjovsky
05c428f6e7 KEYCLOAK-12295 After password reset, the new password has low priority (#6653) 2020-01-16 09:11:25 +01:00
k-tamura
562dc3ff8c KEYCLOAK-10659 Proxy authentication support for proxy-mappings 2020-01-15 13:29:54 +01:00
Martin Bartoš
5aab03d915 [KEYCLOAK-12184] Remove BACK button from login forms (#6657) 2020-01-15 12:25:37 +01:00
Axel Messinese
789e8c70ce KEYCLOAK-12630 full representation param for get groups by user endpoint 2020-01-15 10:14:52 +01:00
Axel Messinese
72aff51fca KEYCLOAK-12670 inconsistent param name full to briefRepresentation 2020-01-15 08:32:57 +01:00
Marek Posolda
8d49409de1
KEYCLOAK-12183 Refactor login screens. Introduce try-another-way link. Not show many credentials of same type in credential selector (#6591) 2020-01-14 21:54:45 +01:00
k-tamura
221aad9877 KEYCLOAK-11511 Improve exception handling of REST user creation 2020-01-14 13:34:34 +01:00
mhajas
a79d6289de KEYCLOAK-11416 Fix nil AttributeValue handling 2020-01-10 12:47:09 +01:00
Viswa Teja Nariboina
5082ed2fcb [ KEYCLOAK-12606 ] Passing email in login_hint query parameter during Identity brokering fails when an account already exists 2020-01-09 10:40:42 +01:00
Pedro Igor
03bbf77b35 [KEYCLOAK-12511] - Mapper not visible in client's mapper list 2020-01-09 10:25:06 +01:00
Thomas Darimont
062cbf4e0a KEYCLOAK-9925 Use Client WebOrigins in UserInfoEndpoint
We now use the allowed WebOrigins configured for the client
for which the user info is requested.

Previously, Web Origins defined on the Client were not being recognized
by the /userinfo endpoint unless you apply the "Allowed Web Origins"
protocol mapper.
This was an inconsistency with how the Web Origins work compared
with the /token endpoint.
2020-01-09 10:10:59 +01:00
Pedro Igor
709cbfd4b7 [KEYCLOAK-10705] - Return full resource representation when querying policies by id 2020-01-09 10:00:24 +01:00
Pedro Igor
9fd7ab81f0 [KEYCLOAK-10407] - Avoiding redundant calls on identity.getid 2020-01-09 09:56:48 +01:00
Manfred Duchrow
f926529767 KEYCLOAK-12616 Vault unit test always failes on Windows 2020-01-07 20:55:50 +01:00
Hynek Mlnarik
f7379086e0 KEYCLOAK-12619 Improve mapped byte buffer cleanup 2020-01-07 16:07:43 +01:00
Thomas Darimont
54b69bd1dc KEYCLOAK-10190 Fix NPE on missing clientSession in TokenEndpoint.codeToToken
In certain scenarios, e.g. when an auth code from another realm login is
used to perform the code to token exchange, it can happen that the
ClientSession is null which triggered an NPE when the userSession field is accessed.

Added null check for clientSession in TokenEndpoint.codeToToken to prevent an NPE.
2020-01-06 14:45:20 +01:00
Thomas Darimont
1a7aeb9b20 KEYCLOAK-8249 Improve extraction of Bearer tokens from Authorization headers (#6624)
We now provide a simple way to extract the Bearer token string from
Authorization header with a null fallback.

This allows us to have more fine grained error handling for the
various endpoints.
2020-01-06 13:58:52 +01:00
rmartinc
401d36b446 KEYCLOAK-8779: Partial export and import to an existing realm is breaking clients with service accounts 2019-12-27 15:59:38 -03:00
Thomas Darimont
0219d62f09 KEYCLOAK-6867 UserInfoEndpoint should return WWW-Authenticate header for Invalid tokens
As required by the OIDC spec (1) we now return a proper WWW-Authenticate
response header if the given token is invalid.

1) https://openid.net/specs/openid-connect-core-1_0.html#UserInfoError
2019-12-23 07:42:06 -03:00
Andrei Arlou
eed4847469 KEYCLOAK-12311 Fix minor warnings with collections in packages: forms, keys, partialimport, protocol from module "services" 2019-12-20 13:31:38 +01:00
Peter Skopek
7a14661fce KEYCLOAK-6115 Login fails if federated user is read-only and has selected a locale on the login screen 2019-12-19 14:36:50 +01:00
Andrei Arlou
aceb123242 KEYCLOAK-12417 Fix minor warnings in tests from module "services" 2019-12-19 10:51:37 +01:00
Andrei Arlou
697eaa4f36 KEYCLOAK-12309 Fix warnings with collections in packages:
authentification, authorization, broker, email, events, exportimport from module "services"
2019-12-18 14:02:27 +01:00
Andrei Arlou
bb156fb2fd KEYCLOAK-12317 Fix minor warnings with modificators in packages: authentication, authorization, keys, partialimport, protocol from module "services" 2019-12-18 13:26:27 +01:00
Andrei Arlou
c61cc1a493 KEYCLOAK-12316 Simplify conditions in packages: authentication, broker, credential, protocol from module "services" 2019-12-18 13:22:36 +01:00
Stefan Guilhen
9f69386a53 [KEYCLOAK-11707] Add support for Elytron credential store vault
- Adds the elytron-cs-keystore provider that reads secrets from a keystore-backed elytron credential store
 - Introduces an abstract provider and factory that unifies code that is common to the existing implementations
 - Introduces a VaultKeyResolver interface to allow the creation of different algorithms to combine the realm
   and key names when constructing the vault entry id
 - Introduces a keyResolvers property to the existing implementation via superclass that allows for the
   configuration of one or more VaultKeyResolvers, creating a fallback mechanism in which different key formats
   are tried in the order they were declared when retrieving a secret from the vault
 - Adds more tests for the files-plaintext provider using the new key resolvers
 - Adds a VaultTestExecutionDecider to skip the elytron-cs-keystore tests when running in Undertow. This is
   needed because the new provider is available only as a Wildfly extension
2019-12-18 11:54:06 +01:00
harture
26458125cb [KEYCLOAK-12254] Fix re-evaluation of conditional flow (#6558) 2019-12-18 08:45:11 +01:00
Douglas Palmer
106e6e15a9 [KEYCLOAK-11859] Added option to always display a client in the accounts console 2019-12-17 17:12:49 -03:00
jacac
3ae508e1b9 KEYCLOAK-12425 Encode userid with Base64Url. (#6585) 2019-12-16 20:40:27 +01:00
Douglas Palmer
af0594b58d [KEYCLOAK-12463] Fixed missing consents 2019-12-12 17:27:54 -03:00
Douglas Palmer
f9fa5b551d [KEYCLOAK-5628] Added application endpoint 2019-12-11 13:06:04 -03:00
Martin Bartoš
2cf6483cdf [KEYCLOAK-12044] Fix messages in the UsernameForm (#6548) 2019-12-11 10:59:46 +01:00
Dmitry Telegin
56aa14ffab KEYCLOAK-11347 - MicroProfile-Config 2019-12-10 12:08:22 +01:00
Denis Richtárik
48bddc37ae KEYCLOAK-12011 Remove cancel button from OTP form (#6511)
* KEYCLOAK-12011 Remove cancel button from OTP form

* Remove back button
2019-12-09 19:23:26 +01:00
Dmitry Telegin
e2144d6aec KEYCLOAK-12175 - Platform SPI 2019-12-09 09:55:04 +01:00
Yoshiyuki Tabata
b2664c7ef9 KEYCLOAK-12094 "client-session-stats" not search null client information (#6554) 2019-12-06 10:37:25 +01:00
Martin Bartoš
e405ce6e97 [KEYCLOAK-11824] Fix bug with only one value of the authentication model execution requirement (#6570) 2019-12-05 18:28:00 +01:00
Andrei Arlou
fb421d3086 KEYCLOAK-12262 Remove unused imports from packages "authorization" and "authentification" in module "services" (#6547) 2019-12-05 14:39:03 +01:00
Andrei Arlou
da7e0ba403 KEYCLOAK-12310 Remove unused imports from packages: exportimport, forms, jose, partialimport, protocol in module "services" (#6560) 2019-12-05 14:28:47 +01:00
Cristian Schuszter
5c7ce775cf KEYCLOAK-11472 Pagination support for clients
Co-authored-by: stianst <stianst@gmail.com>
2019-12-05 08:17:17 +01:00
vmuzikar
072cd9f93f KEYCLOAK-12329 Fix linking accounts in the new Account Console 2019-12-03 18:49:40 -03:00
Martin Kanis
73d1a26040 KEYCLOAK-11773 Front-channel logout with identity brokering does not work after browser restart 2019-12-03 08:17:54 +01:00
harture
129c689855 [KEYCLOAK-12253] Fix conditional authenticators are evaluated even if they are disabled (#6553) 2019-11-28 09:30:31 +01:00
Stan Silvert
de6f90b43b KEYCLOAK-11550: Single page for credentials (initial commit) 2019-11-27 07:32:13 -03:00
rmartinc
82ef5b7927 KEYCLOAK-12000: Allow overriding time lifespans on a SAML client 2019-11-26 10:02:34 +01:00
Dmitry Telegin
79074aa380 KEYCLOAK-12162 Modularize config backends (#6499)
* KEYCLOAK-12162 - Modularize configuration backends

* - Use JsonSerialization
- simplify backend selection (no fallbacks)

* Remove unused org.wildfly.core:wildfly-controller dependency
2019-11-22 15:23:04 +01:00
Yoshiyuki Tabata
0a9d058b81 KEYCLOAK-12150 change error response from invalid_request to unsupported_grant_type 2019-11-22 11:11:07 +01:00
Yoshiyuki Tabata
a36cfee84b KEYCLOAK-12149 change error response from invalid_grant to unauthorized_client 2019-11-22 11:10:16 +01:00
Yoshiyuki Tabata
4117710379 KEYCLOAK-12019 change error response from unsupported_response_type to unauthorized_client 2019-11-22 11:03:02 +01:00
Vidhyadharan Deivamani
9e366f0453 KEYCLOAK-8162 review comment adopted 2019-11-22 10:37:50 +01:00
Vidhyadharan Deivamani
318b290f55 KEYCLOAK-8162 Added resourcesPath 2019-11-22 10:37:50 +01:00
Fuxin Hao
ff4c94506f use reCAPTCHA globally 2019-11-22 10:22:15 +01:00
Stan Silvert
ea268af511 KEYCLOAK-12159: AIA and Logout broken in new acct console 2019-11-21 09:35:46 -03:00
stianst
3731e36ece KEYCLOAK-12069 Add account-console client for new account console 2019-11-20 08:48:40 -05:00
keycloak-bot
76aa199fee Set version to 9.0.0-SNAPSHOT 2019-11-15 20:43:21 +01:00
Stefan Guilhen
9a7c1a91a5 KEYCLOAK-10780 Stop creating placeholder e-mails for service accounts (#228) 2019-11-15 15:08:29 +01:00
k-tamura
43e2370f21 KEYCLOAK-11772 Fix temporary credential property to work correctly 2019-11-15 08:48:12 +01:00
AlistairDoswald
4553234f64 KEYCLOAK-11745 Multi-factor authentication (#6459)
Co-authored-by: Christophe Frattino <christophe.frattino@elca.ch>
Co-authored-by: Francis PEROT <francis.perot@elca.ch>
Co-authored-by: rpo <harture414@gmail.com>
Co-authored-by: mposolda <mposolda@gmail.com>
Co-authored-by: Jan Lieskovsky <jlieskov@redhat.com>
Co-authored-by: Denis <drichtar@redhat.com>
Co-authored-by: Tomas Kyjovsky <tkyjovsk@redhat.com>
2019-11-14 14:45:05 +01:00
Stan Silvert
d439f4181a KEYCLOAK-6503: Linked Accounts Page 2019-11-14 07:39:43 -03:00
Martin Kanis
25511d4dbf KEYCLOAK-9651 Wrong ECDSA signature R and S encoding 2019-11-13 15:32:51 +01:00
stianst
b8881b8ea0 KEYCLOAK-11728 New default hostname provider
Co-authored-by: Hynek Mlnarik <hmlnarik@redhat.com>
2019-11-11 12:25:44 +01:00
stianst
062841a059 KEYCLOAK-11898 Refactor AIA implementation 2019-11-08 16:03:07 -03:00
stianst
63abebd993 KEYCLOAK-11627 Require users to re-authenticate before invoking AIA 2019-11-08 16:03:07 -03:00
stianst
bc5113053d KEYCLOAK-11897 Change kc_action parameter to proper built-in parameter 2019-11-08 16:03:07 -03:00
stianst
1e66660fd0 KEYCLOAK-11896 Remove initiate-action role 2019-11-08 16:03:07 -03:00
Takashi Norimatsu
4574d37d8d KEYCLOAK-11372 Support for attestation statement verification (#6449) 2019-11-08 09:15:28 +01:00
Stian Thorgersen
f14f92ab0b KEYCLOAK-6073 Make adapters use discovery endpoint for URLs instead of hardcoding (#6412) 2019-11-06 10:34:35 +01:00
Stan Silvert
041229f9ca KEYCLOAK-7429: Linked Accounts REST API 2019-11-05 16:03:21 -05:00
Takashi Norimatsu
ecae2c5772 KEYCLOAK-11743 Update to webauthn4j 0.9.14.RELEASE and add apache-kerby-asn1:2.0.0 dependency (#6401) 2019-11-05 09:23:09 +01:00
Miguel Paulos Nunes
aa44579a02 KEYCLOAK-9553 Performance optimization on role mappings retrieval. 2019-11-05 08:59:53 +01:00
Dmitry Telegin
203646627f Use global bootstrap flag 2019-11-01 10:56:06 +01:00
Dmitry Telegin
b68e8323ed KEYCLOAK-11785 - Support for deferred initialization 2019-11-01 10:56:06 +01:00
Gideon Caranzo
e07fd9ffa3 KEYCLOAK-9936 Added optional hooks for preprocessing SAML authentication
Co-Authored-By: Hynek Mlnarik <hmlnarik@redhat.com>
2019-10-29 13:06:59 +01:00
Helge Olav Aarstein
d7a0597b1d KEYCLOAK-9091 Fix for claims with dots from userInfo (#6312)
* KEYCLOAK-9091 Unable to map claim attributes with dots (.) in them when claims are retrieved from userInfo endpoint
2019-10-24 21:41:38 +02:00
pkokush
ff551c5545 KEYCLOAK-10307: check password history length in password verification (#6058) 2019-10-24 21:33:21 +02:00
Takashi Norimatsu
1905260eac KEYCLOAK-11251 ES256 or PS256 support for Client Authentication by Signed JWT (#6414) 2019-10-24 17:58:54 +02:00
Pedro Igor
bb4ff55229 [KEYCLOAK-10868] - Deploy JavaScript code directly to Keycloak server
Conflicts:
	testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/example/authorization/AbstractPhotozExampleAdapterTest.java

(cherry picked from commit 338fe2ae47a1494e786030eb39f908c964ea76c4)
2019-10-22 10:34:24 +02:00
Pedro Igor
bad9e29c15 [KEYCLOAK-10870] - Deprecate support for JavaScript policy support from UMA policy endpoint
Conflicts:
	testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/authz/UserManagedPermissionServiceTest.java

(cherry picked from commit 13923a7683cb666d2842bc61429c23409c1493b6)
2019-10-22 10:34:24 +02:00
Martin Kanis
0e0177136c KEYCLOAK-9984 Remove org.apache.commons.* usages from the code 2019-10-22 09:48:15 +02:00
Martin Kanis
37304fdd7d KEYCLOAK-10728 Upgrade to WildFly 18 Final 2019-10-21 14:06:44 +02:00
Martin Reinhardt
28748ebf3f [KEYCLOAK-6376] Fix NPE and test setup 2019-10-21 10:41:04 +02:00
Martin Reinhardt
f18c8b9da5 [KEYCLOAK-6376] Switching to arquillian end2end tests 2019-10-21 10:41:04 +02:00
Martin Reinhardt
eed4449f8d [KEYCLOAK-6376] Fixing Conditional OTP by reusing existing API for role checks 2019-10-21 10:41:04 +02:00
Kohei Tamura
59ba874e1d KEYCLOAK-10945 Avoid lockout when clicking login twice 2019-10-21 10:36:16 +02:00
Pedro Igor
17785dac08 [KEYCLOAK-10714] - Add filtering support in My Resources endpoint by name 2019-10-16 16:26:55 +02:00
Sebastian Laskawiec
b6b7c11517 KEYCLOAK-11725 Removed VaultRealmModel from tests 2019-10-15 10:59:05 +02:00
stianst
c16cfe9696 Fixes for Quarkus 2019-10-15 10:57:54 +02:00
Sebastian Laskawiec
ea1b22daa7 KEYCLOAK-11227 Removed enabled/disabled flag from FileTruststoreProvider 2019-10-15 05:24:28 +02:00
stianst
52085da520 KEYCLOAK-11702 Remove RestEasy 4 dependencies from core codebase 2019-10-11 15:03:34 +02:00
mhajas
2f44c58a0d KEYCLOAK-11495 Change name of PlaintextVaultProvider to FilesPlaintextVaultProvider 2019-10-09 14:48:00 +02:00
Pedro Igor
f0fb48fb76 [KEYCLOAK-11326] - Refactoring to support different versions of resteasy 2019-10-09 12:01:34 +02:00
Pedro Igor
a2e98b57f4 [KEYCLOAK-11326] - Refactoring to use types from JAX-RS API 2019-10-09 12:01:34 +02:00
Hisanobu Okuda
75a44696a2 KEYCLOAK-10636 Large Login timeout causes login failure
KEYCLOAK-10637 Large Login Action timeout causes login failure
2019-10-07 13:27:20 +02:00
vmuzikar
434ea0965c KEYCLOAK-11632 Don't cache server info endpoint 2019-10-07 10:29:52 +02:00
Axel Messinese
f3607fd74d KEYCLOAK-10712 get groups full representation endpoint 2019-10-03 11:26:30 +02:00
Takashi Norimatsu
66de87a211 KEYCLOAK-11253 Advertise acr claim in claims_supported Server Metadata 2019-10-03 11:25:45 +02:00
Niko Köbler
d0324d8098 KEYCLOAK-11566 add attribute resourceType to log output of admin events 2019-10-02 13:18:30 +02:00
Vincent Letarouilly
6b36e57593 KEYCLOAK-6698 - Add substitution of system properties and environment variables in theme.properties file 2019-10-01 16:34:54 +02:00
Takashi Norimatsu
6c9cf346c6 KEYCLOAK-11252 Implement Server Metadata of OAuth 2.0 Mutual TLS Client Authentication 2019-10-01 15:27:59 +02:00
Takashi Norimatsu
7c75546eac KEYCLOAK-9360 Two factor authentication with W3C Web Authentication - 1st impl phase
* KEYCLOAK-9360 Two factor authentication with W3C Web Authentication - 1st impl phase
2019-10-01 15:17:38 +02:00
Jess Thrysoee
3b58692d7c KEYCLOAK-11596 Enable template cache when cacheTemplates attribute is true 2019-10-01 14:37:48 +02:00
David Festal
d73a2b821c Fix a NPE when using token-exchange
When using the preview token-exchange feature with the `openshit-v3` identity provider, a NPE is triggered, because it tries to extract the `metadata` field twice from the user profile:

```
13:17:13,667 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-7) Uncaught server error: java.lang.NullPointerException
	at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider.getJsonProperty(AbstractOAuth2IdentityProvider.java:357)
	at org.keycloak.social.openshift.OpenshiftV3IdentityProvider.extractUserContext(OpenshiftV3IdentityProvider.java:61)
	at org.keycloak.social.openshift.OpenshiftV3IdentityProvider.extractIdentityFromProfile(OpenshiftV3IdentityProvider.java:87)
	at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider.validateExternalTokenThroughUserInfo(AbstractOAuth2IdentityProvider.java:489)
	at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider.exchangeExternalUserInfoValidationOnly(AbstractOAuth2IdentityProvider.java:548)
	at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider.exchangeExternalImpl(AbstractOAuth2IdentityProvider.java:528)
	at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider.exchangeExternal(AbstractOAuth2IdentityProvider.java:519)
	at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.exchangeExternalToken(TokenEndpoint.java:917)
	at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.tokenExchange(TokenEndpoint.java:696)
	at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.processGrantRequest(TokenEndpoint.java:194)
.....
13:17:28,916 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-7) Uncaught server error: java.lang.NullPointerException
	at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider.getJsonProperty(AbstractOAuth2IdentityProvider.java:357)
	at org.keycloak.social.openshift.OpenshiftV3IdentityProvider.extractUserContext(OpenshiftV3IdentityProvider.java:61)
	at org.keycloak.social.openshift.OpenshiftV3IdentityProvider.extractIdentityFromProfile(OpenshiftV3IdentityProvider.java:87)
	at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider.validateExternalTokenThroughUserInfo(AbstractOAuth2IdentityProvider.java:489)
	at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider.exchangeExternalUserInfoValidationOnly(AbstractOAuth2IdentityProvider.java:548)
	at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider.exchangeExternalImpl(AbstractOAuth2IdentityProvider.java:528)
	at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider.exchangeExternal(AbstractOAuth2IdentityProvider.java:519)
	at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.exchangeExternalToken(TokenEndpoint.java:917)
	at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.tokenExchange(TokenEndpoint.java:696)
	at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.processGrantRequest(TokenEndpoint.java:194)
......
13:17:53,492 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-7) Uncaught server error: java.lang.NullPointerException
	at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider.getJsonProperty(AbstractOAuth2IdentityProvider.java:357)
	at org.keycloak.social.openshift.OpenshiftV3IdentityProvider.extractUserContext(OpenshiftV3IdentityProvider.java:61)
	at org.keycloak.social.openshift.OpenshiftV3IdentityProvider.extractIdentityFromProfile(OpenshiftV3IdentityProvider.java:87)
	at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider.validateExternalTokenThroughUserInfo(AbstractOAuth2IdentityProvider.java:489)
	at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider.exchangeExternalUserInfoValidationOnly(AbstractOAuth2IdentityProvider.java:548)
	at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider.exchangeExternalImpl(AbstractOAuth2IdentityProvider.java:528)
	at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider.exchangeExternal(AbstractOAuth2IdentityProvider.java:519)
	at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.exchangeExternalToken(TokenEndpoint.java:917)
	at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.tokenExchange(TokenEndpoint.java:696)
	at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.processGrantRequest(TokenEndpoint.java:194)
```
2019-10-01 14:23:46 +02:00
Mathieu CLAUDEL
2fb507e170 KEYCLOAK-10802 add support of SAMLv2 ForceAuthn 2019-09-27 09:55:54 +02:00
Yaroslav Kvasetskiy
622d049207 KEYCLOAK-10837 Add possibility to disable certificate verification for outgoing https connections 2019-09-26 08:12:09 -03:00
madgaet
0d12b8dd5a [KEYCLOAK-11497] OIDC Idp authentication with private_key_jwt may not always work (#6337) 2019-09-25 23:10:07 +02:00
Hisanobu Okuda
da49dbce2b KEYCLOAK-10770 user-storage/{id}/sync should return 400 instead of 404 2019-09-20 11:17:09 +02:00
mhajas
37b7b595a5 KEYCLOAK-11410 Do not throw exception in PlaintextVaultProvider if unconfigured 2019-09-19 14:56:19 +02:00
rradillen
b71198af9f [KEYCLOAK-8575] oidc idp basic auth (#6268)
* [KEYCLOAK-8575] Allow to choose between basic auth and form auth for oidc idp

* uncomment ui and add tests

* move basic auth to abstract identity provider (except for getting refresh tokens)

* removed duplications
2019-09-19 14:36:16 +02:00
rmartinc
7f54a57271 KEYCLOAK-10757: Replaying assertion with signature in SAML adapters 2019-09-18 16:49:00 +02:00
farmersmurf
515727c944 fix: as discussed changed to NOT_ACCEPTABLE rather than OK to prevent INTERNAL SERVER ERROR on validation 2019-09-17 16:35:42 +02:00
farmersmurf
ae74335760 KEYCLOAK-10944 Fix 500 Error Code on Update Password 2019-09-17 16:35:42 +02:00
farmersmurf
b443c8186d KEYCLOAK-10944 Fix 500 Error Code on Update Password 2019-09-17 16:35:42 +02:00
madgaet
c35718cb87 [KEYCLOAK-9809] Support private_key_jwt authentication for external IdP 2019-09-17 16:04:23 +02:00
Kohei Tamura
09671aa480 KEYCLOAK-11178 Suppress incorrect warnings 2019-09-13 10:21:20 +02:00
Shiva Prasad Thagadur Prakash
ff8b790549 KEYCLOAK-10022 Fixing few admin events not raised bug 2019-09-11 18:01:10 -03:00
Cédric Couralet
9c37da0ee9 KEYCLOAK-8818 Support message bundle in theme resources 2019-09-11 08:03:16 +02:00
mhajas
2703388946 KEYCLOAK-11245 Adapt LDAPConnectionTestManager to use newly introduced LDAPContextManager 2019-09-10 22:51:19 +02:00
mhajas
9c2525ec1a KEYCLOAK-11245 Use transcription object for LDAP bindCredential 2019-09-09 19:39:53 +02:00
Martin Kanis
4235422798 KEYCLOAK-11246 Use the transcription object for SMTP password 2019-09-09 13:27:11 +02:00
Hynek Mlnarik
9eb2e1d845 KEYCLOAK-11028 Use pessimistic locks to prevent DB deadlock when deleting objects 2019-09-09 10:57:49 +02:00
rmartinc
a726e625e9 KEYCLOAK-10782: Credentials tab on clients can only be displayed with view-realm 2019-09-06 16:45:08 -03:00
Martin Kanis
b1be6c2bdd KEYCLOAK-11247 Use the transcription object for Identity providers password 2019-09-06 15:29:11 +02:00
Cédric Couralet
aadd5331bc [KEYCLOAK-11219] log an explicit error message when state is null 2019-09-06 10:59:28 +02:00
Pedro Igor
a1d8850373 [KEYCLOAK-7416] - Device Activity 2019-09-05 11:43:27 -03:00
Sebastian Laskawiec
69d6613ab6 KEYCLOAK-10169 OpenShift 4 Identity Provider 2019-09-05 16:33:59 +02:00
Stefan Guilhen
bb9c811a65 [KEYCLOAK-10935] Add a vault transcriber implementation that can be obtained from the session.
- automatically parses ${vault.<KEY>} expressions to obtain the key that contains the secret in the vault.
 - enchances the capabilities of the VaultProvider by offering methods to convert the raw secrets into other types.
2019-09-04 22:34:08 +02:00
Kohei Tamura
6ae0773e09 KEYCLOAK-11006 Add method to log catched exception 2019-09-02 10:11:20 +02:00
Sebastian Laskawiec
3afbdd3ea3 KEYCLOAK-10934 PlainTextVaultProvider 2019-08-20 21:46:47 +02:00
Pedro Igor
e12c245355 [KEYCLOAK-10779] - CSRF check to My Resources
(cherry picked from commit dbaba6f1b8c043da4a37c906dc0d1700956a0869)
2019-08-20 06:35:00 -03:00
Hynek Mlnarik
97811fdd51 KEYCLOAK-10786 Check signature presence in SAML broker
(cherry picked from commit ba9f73aaff22eb34c7dec16f4b76d36d855d569b)
2019-08-20 06:35:00 -03:00
Leon Graser
0ce10a3249 [KEYCLOAK-10653] Manage Consent via the Account API 2019-08-20 06:24:44 -03:00
Nemanja Hiršl
411ea331f6 KEYCLOAK-10785 X.509 Authenticator - Update user identity source mappers
Update user identity sources and the way how X.509 certificates are mapped to the user to:
1. Include "Serial number + Issuer DN" as described in RFC 5280
2. Include "Certificate's SHA256-Thumbprint"
3. Exclude "Issuer DN"
4. Exclude "Issuer Email"

Add an option to represent serial number in hexadecimal format.

Documentation PR created: https://github.com/keycloak/keycloak-documentation/pull/714
KEYCLOAK-10785 - Documentation for new user identity source mappers
2019-08-16 11:35:50 -03:00
Takashi Norimatsu
8225157a1c KEYCLOAK-6768 Signed and Encrypted ID Token Support 2019-08-15 15:57:35 +02:00
Hynek Mlnarik
d2da206d6b KEYCLOAK-10933 Interfaces for vault SPI 2019-08-13 08:50:29 +02:00
Kohei Tamura
c0f73c0df4 KEYCLOAK-10817 Set referrer on error 2019-08-02 10:02:23 -03:00
Vlastimil Elias
4571f65d1e KEYCLOAK-10209 - AuthenticationSessionModel made available through
KeycloakContext in KeycloakSession
2019-07-30 12:36:57 +02:00
Pedro Igor
8b203d48ce [KEYCLOAK-10949] - Proper error messages when failing to authenticate the request 2019-07-29 17:01:42 -03:00
Pedro Igor
967d21dbb5 [KEYCLOAK-10713] - Pagination to resources rest api 2019-07-29 16:19:22 -03:00
k-tamura
fe0d6f4583 KEYCLOAK-10665 Fix incorrect client link on my resources page 2019-07-26 15:36:06 -03:00
k-tamura
2dceda3f50 KEYCLOAK-10807 Fix incorrect RS link on my resources page 2019-07-26 15:29:25 -03:00
Stan Silvert
bc818367a1 KEYCLOAK-10854: App-initiated actions Phase I 2019-07-26 14:56:29 -03:00
Stan Silvert
6c79bdee41 KEYCLOAK-10854: App initiated actions phase I 2019-07-26 14:56:29 -03:00
mhajas
57a8fcb669 KEYCLOAK-10776 Add session expiration to Keycloak saml login response 2019-07-24 13:35:07 +02:00
keycloak-bot
17e9832dc6 Set version to 8.0.0-SNAPSHOT 2019-07-19 19:05:03 +02:00
Pedro Igor
5f5cb6cb7b [KEYCLOAK-10808] - Do not show authorization tab when client is not confidential 2019-07-15 10:07:31 -03:00
rmartinc
1d2d6591b2 KEYCLOAK-10826: Provide the locale name in the LocaleBean to be used in themes 2019-07-13 07:18:40 +02:00
rmartinc
6d6db1f3e5 KEYCLOAK-10345: OCSP validation fails if there is no intermediate CA in the client certificate 2019-07-12 15:16:00 +02:00
Takashi Norimatsu
2e850b6d4a KEYCLOAK-10747 Explicit Proof Key for Code Exchange Activation Settings 2019-07-12 08:33:20 +02:00
Martin Kanis
efdf0f1bd8 KEYCLOAK-6839 You took too long to login after SSO idle 2019-07-10 10:15:26 +02:00
Kohei Tamura
55a6141bff KEYCLOAK-10783 Fix internal server error when logging out after sharing my resource 2019-07-09 09:06:58 -03:00
mposolda
5f9feee3f8 KEYCLOAK-9846 Verifying signatures on CRL during X509 authentication 2019-07-08 20:20:38 +02:00
Tomasz Prętki
0376e7241a KEYCLOAK-10251 New Claim JSON Type - JSON 2019-07-08 11:59:57 +02:00
Sven-Torben Janus
c883c11e7e KEYCLOAK-10158 Use PEM cert as X.509 user identity
Allows to use the full PEM encoded X.509 certificate from client cert
authentication as a user identity. Also allows to validate that user's
identity against LDAP in PEM (String and binary format). In addition,
a new custom attribute mapper allows to validate against LDAP when
certificate is stored in DER format (binay, Octet-String).

KEYCLOAK-10158 Allow lookup of certs in binary adn DER format from LDAP
2019-07-08 11:58:26 +02:00
Hynek Mlnarik
ca4e14fbfa KEYCLOAK-7852 Use original NameId value in logout requests 2019-07-04 19:30:21 +02:00
Sebastian Laskawiec
b5d8f70cc7 KEYCLOAK-8224 Client not found error message 2019-07-03 18:34:56 +02:00
Asier Aguado
bed22b9b8d [KEYCLOAK-10710] Make social providers compatible with OIDC UsernameTemplateMappers 2019-07-03 15:01:46 +02:00
rmartinc
bd5dec1830 KEYCLOAK-10112: Issues in loading offline session in a cluster environment during startup 2019-07-03 13:17:45 +02:00
Axel Messinese
b32d52e62b KEYCLOAK-10750 Check if role exist on get user/group in role endpoint 2019-07-03 08:46:36 +02:00
Pedro Igor
0cdd23763c [KEYCLOAK-10443] - Define a global decision strategy for resource servers 2019-07-02 09:14:37 -03:00
Jeroen ter Voorde
7518692c0d [KEYCLOAK-10419] Added briefRepresentation parameter support to the admin client interface
And added a aquillian test for it.
2019-06-21 11:31:01 +02:00
Jeroen ter Voorde
a2099cff39 [KEYCLOAK-10419] Added support for briefRepresentation param on the GroupResource members endpoint. 2019-06-21 11:31:01 +02:00
k-tamura
542333a0dd KEYCLOAK-10660 Fix internal server error when re-logging in from my resources page 2019-06-18 06:18:36 -03:00
Hisanobu Okuda
1ac51611d3 KEYCLOAK-10664 correct the error message when no SAML request provided 2019-06-18 08:47:35 +02:00
Pedro Igor
fdc0943a92 [KEYCLOAK-8060] - My Resources REST API 2019-06-11 14:23:26 -03:00
Pedro Igor
61eb94c674 [KEYCLOAK-8915] - Support resource type in authorization requests 2019-06-04 21:02:54 -03:00
Stefan Guilhen
40ec46b79b [KEYCLOAK-8043] Allow prompt=none query parameter to be propagated to default IdP 2019-05-29 09:22:46 +02:00
Pedro Igor
e9ea1f0e36 [KEYCLOAK-10279] - Do not limit results when fetching resources 2019-05-28 15:35:29 -03:00
Ian Duffy
de0ee474dd Review feedback 2019-05-27 21:30:01 +02:00
Ian Duffy
54909d3ef4 [KEYCLOAK-10230] Support for LDAP with Start TLS
This commit sends the STARTTLS on LDAP 389 connections is specified.
STARTTLS doesn't work with connection pooling so connection pooling will
be disabled should TLS be enabled.
2019-05-27 21:30:01 +02:00
vramik
d64f716a20 KEYCLOAK-2709 SAML Identity Provider POST Binding request page shown to user is comletely blank with nonsense title 2019-05-20 09:51:04 +02:00
Sebastian Loesch
76a6e82173 Fix log message
Single quotes need to be represented by double single quotes throughout a String.
See: https://docs.oracle.com/javase/7/docs/api/java/text/MessageFormat.html
2019-05-15 15:33:43 +02:00
Kohei Tamura
8bee7ec542 KEYCLOAK-9983 - Fix the P3P header corruption in Japanese and Turkish (#6006) 2019-05-15 15:23:45 +02:00
Tomohiro Nagai
d593ac3e6f KEYCLOAK-9711 REQUIRED authentictor in ALTERNATIVE subflow throws AuthenticationFlowException when the authentictor returns ATTEMPTED. 2019-05-15 12:45:50 +02:00
Hynek Mlnarik
b8aa1916d8 KEYCLOAK-10195 Fix role lookup to address roles with dots 2019-05-14 13:00:04 +02:00
Kohei Tamura
43bda455bc KEYCLOAK-10106 - Fix typos in default scripts (#6010) 2019-05-07 10:20:04 +02:00
Stefan Guilhen
f1acdc000e [KEYCLOAK-10168] Handle microprofile-jwt client scope migration 2019-05-06 15:14:27 -03:00
Jan Lieskovsky
9eb400262f KEYCLOAK-6055 Include X.509 certificate data in audit logs
Signed-off-by: Jan Lieskovsky <jlieskov@redhat.com>
Co-authored-by: mposolda <mposolda@gmail.com>
2019-04-30 11:31:04 +02:00
Sebastian Loesch
96250c9685 [KEYCLOAK-9573] Allow AdminEvents for custom resource types 2019-04-26 09:57:28 +01:00
Hynek Mlnarik
65326ce16a KEYCLOAK-9629 Update cookie type 2019-04-24 07:18:41 +01:00
Sebastian Loesch
43393220bf Add X.509 authenticator option for canonical DN
Because the current distinguished name determination is security provider
dependent, a new authenticator option is added to use the canonical format
of the distinguished name, as descriped in
javax.security.auth.x500.X500Principal.getName(String format).
2019-04-23 21:04:18 +02:00
keycloak-bot
49d4e935cb Set version to 7.0.0-SNAPSHOT 2019-04-17 09:48:07 +01:00
Bekh-Ivanov George
ebcfeb20a3 [KEYCLOAK-10020] - Add ability to request user-managed (ticket) permissions by name 2019-04-12 08:44:57 -03:00
Takashi Norimatsu
9b3e297cd0 KEYCLOAK-9756 PS256 algorithm support for token signing and validation 2019-04-09 20:52:02 +02:00
Francesco Degrassi
1bf19ada7e KEYCLOAK-9825: keep existing refresh token on token exchange requiring refresh if new one not provided in response 2019-04-09 15:21:56 -03:00
Francesco Degrassi
5b78063dce KEYCLOAK-6614: Support requesting refresh tokens from Google using access_type=offline 2019-04-08 15:06:03 -03:00
Stefan Guilhen
2fa2437555 KEYCLOAK-5613 Add built-in optional client scope for MicroProfile-JWT 2019-04-02 08:40:19 -03:00
Hisanobu Okuda
b44c86bd26 KEYCLOAK-9833 Large SSO Session Idle/SSO Session Max causes login failure 2019-03-27 11:42:40 +01:00
vramik
b7c5ca8b38 KEYCLOAK-8535 Inconsistent SAML Logout endpoint handling 2019-03-22 14:09:31 +01:00
Pedro Igor
d2275ca563 [KEYCLOAK-7939] - Startup logs warning instead of error when admin user already exists 2019-03-21 11:44:17 -03:00
mposolda
db271f7150 KEYCLOAK-9572 Support for multiple CRLs with X509 authentication 2019-03-20 15:00:44 +01:00
Hynek Mlnarik
25c07f78bc KEYCLOAK-9578 Fix typo in SAML attribute name format 2019-03-19 11:45:38 +01:00
Hynek Mlnarik
1c906c834b KEYCLOAK-3373 Remove SAML IdP descriptor from client installation and publicize it in realm endpoint instead 2019-03-19 11:37:15 +01:00
fisache
a868b8b22a [KEYCLOAK-9772] Permissions are duplicated
- when resource server is current user
2019-03-18 16:37:54 -03:00
stianst
8d42c9193b KEYCLOAK-9838 Trim username in admin welcome page 2019-03-18 09:20:38 +01:00
vramik
3cc405b1c5 KEYCLOAK-8542 Remove resteasy workaround - KeycloakStringEntityFilter 2019-03-16 13:53:54 +01:00
mposolda
a48698caa3 KEYCLOAK-6056 Map user by Subject Alternative Name (otherName) when authenticating user with X509 2019-03-15 23:11:47 +01:00
Yaser Abouelenein
404ac1d050 KEYCLOAK-8701 changes needed to include x5c property in jwks 2019-03-15 06:01:15 +01:00
Axel Messinese
e18fb56389 KEYCLOAK-4978 Add endpoint to get groups by role 2019-03-15 06:00:17 +01:00
Corey McGregor
be77fd9459 KEYCLOAK-2339 Adding impersonator details to user session notes and supporting built-in protocol mappers. 2019-03-08 09:14:42 +01:00
rmartinc
231db059b2 KEYCLOAK-8996: Provide a way to set a responder certificate in OCSP/X509 Authenticator 2019-03-07 07:57:20 +01:00
keycloak-bot
e843d84f6e Set version to 6.0.0-SNAPSHOT 2019-03-06 15:54:08 +01:00
Gilles
f295a2e303 [KEYCLOAK-3723] Fixed updated of protocol mappers within client updates in clients-registrations resource 2019-03-04 11:57:59 +01:00
vramik
5d205d16e8 KEYCLOAK-9167 Using kcadm to update an identity-provider instance via a json file does not work without an "internalId" present in the json 2019-02-27 14:56:36 +01:00
Stan Silvert
fe5966d224 KEYCLOAK-8602: PatternFly 4 integration 2019-02-25 08:26:54 -03:00
Simon Neaves
b5fbc04e5e KEYCLOAK-9376 Add "aud" to DEFAULT_CLAIMS_SUPPORTED
See https://issues.jboss.org/browse/KEYCLOAK-9376?_sscc=t
2019-02-25 10:21:49 +01:00
Pedro Igor
99f8e5f808 [KEYCLOAK-9489] - Fixing fine-grained permission functionality 2019-02-22 09:22:14 -03:00
Steven Aerts
d36cb27bd9 KEYCLOAK-9526 admin console auth-url with hostname SPI 2019-02-21 11:55:11 +01:00
Guilhem Lucas
b666756b8f KEYCLOAK-9320 Make theme properties available in email templates 2019-02-21 11:19:17 +01:00
stianst
e06c705ca8 Set version 5.0.0 2019-02-21 09:35:14 +01:00
Pedro Igor
34d8974e7f [KEYCLOAK-9489] - User not able to log in to admin console when using query-* roles 2019-02-20 18:09:36 +01:00
Hynek Mlnarik
52840533c9 KEYCLOAK-9111 Fix for unhandled exception 2019-02-13 15:49:49 +01:00
Hynek Mlnarik
37e6b6ffc6 KEYCLOAK-9113 Add support for inspecting log messages for uncaught errors 2019-02-13 15:49:49 +01:00
stianst
7c9f15778a Set version to 4.8.3.Final 2019-01-09 20:39:30 +01:00
Pedro Igor
382f6b0c2c [KEYCLOAK-9185] - Update LinkedIn broker to LinkedIn API v2 2019-01-09 15:29:40 +01:00
stianst
7c4890152c Set version to 4.8.2 2019-01-03 14:43:22 +01:00
Hynek Mlnarik
ca76f943c1 KEYCLOAK-9190 Update GoogleIdentityProvider endpoints
per https://accounts.google.com/.well-known/openid-configuration
2019-01-03 14:32:57 +01:00
stianst
07ccbdc3db KEYCLOAK-9182 2019-01-03 14:28:35 +01:00
Hynek Mlnarik
2e52093ac5 KEYCLOAK-9123 Fix content-type check 2018-12-19 10:43:33 +01:00
mposolda
061693a8c9 KEYCLOAK-9089 IllegalArgumentException when trying to use ES256 as OIDC access token signature 2018-12-14 21:01:03 +01:00
mposolda
1237986fd0 KEYCLOAK-8838 Incorrect resource_access in accessToken when clientId contains dots 2018-12-13 10:31:27 +01:00
rmartinc
3c44e6c377 KEYCLOAK-9068: IDP-initiated-flow is not working with REDIRECT binding 2018-12-13 06:28:38 -02:00
mposolda
c51c492996 KEYCLOAK-9050 Change LoginProtocol.authenticated to read most of the values from authenticationSession 2018-12-12 13:30:03 +01:00
Stan Silvert
3ed77825a2 KEYCLOAK-8495: Account REST Svc doesn't require acct roles 2018-12-12 12:07:29 +01:00
mposolda
a7f57c7e23 KEYCLOAK-9021 2018-12-12 07:09:14 +01:00
mposolda
10eb13854e KEYCLOAK-9028 Fix another NPE in Cors debug logging 2018-12-11 21:24:32 +01:00
Hynek Mlnarik
cea9e877ad KEYCLOAK-9036 Fix NPE 2018-12-11 15:35:19 +01:00
MICHEL Arnault (UA 2118)
3f13df81ab [KEYCLOAK-8580] Fixes and log improvements :
- fix  buildChain method (return value)
- method setJVMDebuggingForCertPathBuilder removed as it doesn't output anything in server.log
- Performance : don't reload truststore on each authentication request
- Don't generate stacktrace while detecting intermediate CA's
- review log levels and messages : no log if
- log if truststore is not properly configured in standalone[-ha].xml
2018-12-10 13:58:58 +01:00
Hynek Mlnarik
dad12635f6 KEYCLOAK-9014 Fix displayed applications 2018-12-10 09:59:46 +01:00
Pedro Igor
0c39eda8d2 [KECLOAK-8237] - Openshift Client Storage 2018-12-06 10:57:53 -02:00
Hynek Mlnarik
27f145969f KEYCLOAK-7936 Prevent registration of the same node
The root cause is that NodesRegistrationManagement.tryRegister can be
called from multiple threads on the same node, so it can require
registration of the same node multiple times. Hence once it turns to
tasks that invoke sendRegistrationEvent (called sequentially), the same
check has been added to that method to prevent multiple invocations on
server side, or invocation upon undeployment/termination.
2018-12-05 12:34:17 +01:00
Pedro Igor
e798c3bca2 [KEYCLOAK-8901] - Identity Provider : UserInfo response as JWT Token not supported 2018-12-05 09:28:12 -02:00
stianst
b674c0d4d9 Prepare for 4.8.0.Final 2018-12-04 13:54:25 +01:00
Pedro Igor
4355c89b9d [KEYCLOAK-7365] - No need to check roles when refreshing tokens 2018-11-29 08:51:25 -02:00
rmartinc
1b37394276 KEYCLOAK-7242: LDAPS not working with truststore SPI and connection timeout 2018-11-29 11:21:46 +01:00
mposolda
6db1f60e27 KEYCLOAK-7774 KEYCLOAK-8438 Errors when SSO authenticating to same client multiple times concurrently in more browser tabs 2018-11-21 21:51:32 +01:00
Cédric Couralet
dc06a8cee3 Fix KEYCLOAK-8832 (#5735)
Avoid NullPointerException when browser sends "Origin" header and
allowedOrigin is null. This happens on chrome with admin console
2018-11-19 17:53:05 +01:00
Stian Thorgersen
f3bf1456ab
KEYCLOAK-8781 Mark OpenShift integration as preview. Fix issue in Profile where preview features was not enabled in preview mode. (#5738) 2018-11-19 17:32:21 +01:00
Hynek Mlnarik
548950ed8e KEYCLOAK-8756 Consider also required actions of AuthenticationSession 2018-11-19 16:04:43 +01:00
Marek Posolda
f67d6f9660 KEYCLOAK-8482 Access token should never contain azp as an audience (#5719) 2018-11-19 14:38:41 +01:00
Stian Thorgersen
3756cf629b
KEYCLOAK-7081 Fixes for manual/qr mode switches on login config otp page (#5717) 2018-11-19 14:32:28 +01:00
Takashi Norimatsu
0793234c19 KEYCLOAK-8460 Request Object Signature Verification Other Than RS256 (#5603)
* KEYCLOAK-8460 Request Object Signature Verification Other Than RS256

also support client signed signature verification by refactored token
verification mechanism

* KEYCLOAK-8460 Request Object Signature Verification Other Than RS256

incorporate feedbacks and refactor client public key loading mechanism

* KEYCLOAK-8460 Request Object Signature Verification Other Than RS256

unsigned request object not allowed

* KEYCLOAK-8460 Request Object Signature Verification Other Than RS256

revert to re-support "none"
2018-11-19 14:28:32 +01:00
Hynek Mlnarik
461dae20de KEYCLOAK-8731 Ensure password history is kept in line with password policy 2018-11-19 12:48:51 +01:00
mposolda
0533782d90 KEYCLOAK-7275 KEYCLOAK-5479 Faster offline sessions preloading at startup. Track lastSessionRefresh timestamps more properly by support bulk update to DB 2018-11-16 14:23:28 +01:00
Stan Silvert
0b36020bf5 KEYCLOAK-8759: Wrong RH-SSO name on Welcome Page 2018-11-15 13:00:55 -05:00
Leon Graser
85f11873c3 KEYCLOAK-8613 Group Membership Pagination 2018-11-15 17:54:07 +01:00
Gideon Caranzo
39bf08e1b9 KEYCLOAK-8783 also checked admin roles when realm admin client is specified 2018-11-15 14:23:18 +01:00
Gideon Caranzo
9f88abb022 KEYCLOAK-8783 only checked master and realm admin roles when roles are specified in imported realm 2018-11-15 14:23:18 +01:00
Thomas Darimont
cf57a1bc4b KEYCLOAK-1267 Add dedicated SSO timeouts for Remember-Me
Previously remember-me sessions where tied to the SSO max session
timeout which could lead to unexpected early session timeouts.
We now allow SSO timeouts to be configured separately for sessions
with enabled remember-me. This enables users to opt-in for longer
session timeouts.

SSO session timeouts for remember-me can now be configured in the
tokens tab in the realm admin console. This new configuration is
optional and will tipically host values larger than the regular
max SSO timeouts. If no value is specified for remember-me timeouts
then the regular max SSO timeouts will be used.

Work based on PR https://github.com/keycloak/keycloak/pull/3161 by
Thomas Darimont <thomas.darimont@gmail.com>
2018-11-15 06:11:22 +01:00
Pedro Igor
f5ae76d8e3 [KEYCLOAK-8768] - Policy evaluation tool failing when client is used and identity.getId is called 2018-11-14 19:16:41 -02:00
stianst
ecd476fb10 Prepare for 4.7.0.Final 2018-11-14 20:10:59 +01:00
Hynek Mlnarik
c3778e66db KEYCLOAK-8260 Improve SAML conditions handling 2018-11-14 20:09:22 +01:00
Martin Kanis
6a23eb19f5 KEYCLOAK-8166 2018-11-14 20:09:22 +01:00
Martin Kanis
72b23c1357 KEYCLOAK-8160 2018-11-14 20:09:22 +01:00
Martin Kanis
0cb6053699 KEYCLOAK-8125 2018-11-14 20:09:22 +01:00
vramik
6564cebc0f KEYCLOAK-7707 2018-11-14 20:09:22 +01:00
Bruno Oliveira da Silva
a957e118e6 Redirect URLs are not normalized 2018-11-14 20:09:22 +01:00
mposolda
0897d969b1 KEYCLOAK-7340 2018-11-14 20:09:22 +01:00
mposolda
1b5a83c4f1 KEYCLOAK-6980 Check if client_assertion was already used during signed JWT client authentication 2018-11-14 20:09:22 +01:00
Pedro Igor
cd96d6cc35 [KEYCLOAK-8694] - Mark Drools policy as tech preview 2018-11-09 11:08:49 -02:00
Pedro Igor
bce2aee144 [KEYCLOAK-8646] - Error deleting policies when admin events are enabled 2018-11-06 11:27:32 -02:00
rmartinc
cbe59f03b7 KEYCLOAK-8708: Provide aggregation of group attributes for mappers 2018-11-06 13:42:38 +01:00
Torbjørn Skyberg Knutsen
36b0d8b80e KEYCLOAK-7166 Added the possibility of not logging out of remote idp on browser logout, by passing a query param containing the id of the identity provider 2018-11-06 13:39:19 +01:00
Pedro Igor
327991bd73 [KEYCLOAK-8716] - Issue with caching resolved roles in KeycloakSession 2018-11-06 10:27:04 -02:00
mposolda
ffcd8e09e7 KEYCLOAK-8175 Possibility of clientScope not being used if user doesn't have a role 2018-10-31 18:04:41 +01:00
mposolda
cfeb56e18a KEYCLOAK-8641 Remove aud from the authorization tickets 2018-10-31 13:31:26 +01:00
mposolda
9652748ba9 KEYCLOAK-8484 Remove audience client scope template 2018-10-31 11:11:02 +01:00
Pedro Igor
f6943296c7 [KEYCLOAK-8489] - RPT request: Authorized Party's protocol mappers are being applied instead of the Audience's ones 2018-10-26 09:40:32 -03:00
Graser Leon
9ef4c7fffd KEYCLOAK-8377 Role Attributes 2018-10-24 22:04:28 +02:00
Pedro Igor
2af9d002b6 [KEYCLOAK-8172] - Evaluation not considering scopes inherited from parent resources 2018-10-24 12:50:27 -03:00
Pedro Igor
a2b13715ed [KEYCLOAK-8625] - Saving client settings will cause always adding default authorization settings 2018-10-24 10:18:04 -03:00
mposolda
c36b577566 KEYCLOAK-8483 Remove application from the aud claim of accessToken and refreshToken 2018-10-23 13:52:09 +02:00
Gideon Caranzo
7d85ce93bb KEYCLOAK-8555 queried only realms with user storage provider to speed up user storage sync bootstrap 2018-10-19 09:53:58 +02:00
vramik
7a96911a83 KEYCLOAK-8300 KEYCLOAK-8301 Wildfly 14 upgrade
Co-authored-by: Marek Posolda <mposolda@redhat.com>
2018-10-17 20:01:07 +02:00
MICHEL Arnault (UA 2118)
ab8789739f [KEYCLOAK-8580] Add Nginx certificate lookup provider 2018-10-16 07:53:18 +02:00
stianst
5f0424fb11 KEYCLOAK-8310 Change scheme option to alwaysHttps option 2018-10-15 14:00:00 +02:00
Stefan Guilhen
68a54abb09 KEYCLOAK-6757 Update MicrosoftIdentityProvider to use the Microsoft Graph endpoints 2018-10-15 12:46:15 +02:00
stianst
11374a2707 KEYCLOAK-8556 Improvements to profile 2018-10-12 12:26:37 +02:00
Gideon Caranzo
0e8d79bbfb KEYCLOAK-8554 checked if master realm exist instead of number of realms for new installation check 2018-10-12 09:43:41 +02:00
stianst
aaa33ad883 KEYCLOAK-8509 Improvements to session iframe 2018-10-10 21:01:05 +02:00
rmartinc
0a6f43c1a1 KEYCLOAK-8490: Direct grants returns invalid credentials when user has pending actions 2018-10-10 20:18:20 +02:00
Toni Ristola
22d64368a6 KEYCLOAK-8191 Fixed DI that was not working 2018-10-09 08:22:43 -03:00
Pedro Igor
79ca722b49 [KEYCLOAK-7605] - Make sure Evaluation API is read-only 2018-10-09 08:09:29 -03:00
Moritz Becker
f17b5f0f49 fix KEYCLOAK-7572 consistently perform duplicate user checks during account update only if email changes
Fix test
2018-10-05 09:35:05 +02:00
stianst
86a2f28561 KEYCLOAK-8310 Add support to set fixed scheme on fixed hostname provider 2018-10-05 09:34:17 +02:00
gbtec-igormartens
c41bcddd8d Update UserResource.java
In my opinion, the old documentation does not match the actual behaviour of the resetPassword method.
2018-10-04 12:54:49 +02:00
mposolda
2a4cee6044 KEYCLOAK-6884 KEYCLOAK-3454 KEYCLOAK-8298 Default 'roles' and 'web-origins' client scopes. Add roles and allowed-origins to the token through protocol mappers 2018-10-04 12:00:38 +02:00
Stan Silvert
dba513c921 KEYCLOAK-8419: Make most act mgt APIs only active in preview mode 2018-10-02 16:32:56 -04:00
Pedro Igor
b4b3527df7 [KEYCLOAK-7950] - Fixes user pagination when using filtering users members of groups 2018-10-02 15:44:23 -03:00
mposolda
4b9b189016 KEYCLOAK-8008 Ensure InputStream are closed 2018-10-01 16:06:32 +02:00
Martin Kanis
efe6a38648 KEYCLOAK-6718 Auth Flow does not Check Client Protocol 2018-09-26 21:00:02 +02:00
stianst
c3fc9e9815 Set version to 4.6.0.Final-SNAPSHOT 2018-09-26 20:58:41 +02:00
Pedro Igor
43f5983613 [KEYCLOAK-8289] - Remove authorization services from product preview profile 2018-09-26 18:27:27 +02:00
mposolda
3777dc45d0 KEYCLOAK-3058 Support for validation of "aud" in adapters through verify-token-audience configuration switch 2018-09-21 11:17:05 +02:00
Douglas Palmer
b748e269ec [KEYCLOAK-7435] Added code to delete a specific session and tests for session deletion 2018-09-20 15:57:58 +02:00
Pedro Igor
6b0bc0b3be [KEYCLOAK-8308] - Deprecate token_introspection_endpoint claim from OIDC discovery document 2018-09-19 09:46:50 -03:00
Rafael Weingärtner
3dd6f9cb85 Enable "DockerComposeYamlInstallationProviderTest" to run on Windows 2018-09-19 11:22:57 +02:00
Pedro Igor
aaf78297c9 [KEYCLOAK-7987] - Can't set authorization enabled when using kcreg 2018-09-18 10:00:16 -03:00
mposolda
99a16dcc1f KEYCLOAK-6638 Support for adding audiences to tokens 2018-09-13 21:40:16 +02:00
slominskir
c4a651bcac KEYCLOAK-7270 - Support for automatically linking brokered identities 2018-09-12 18:50:35 +02:00
Johannes Knutsen
d4a5c81034 KEYCLOAK-8146: Extract LocaleSelectorSPI to allow custom overrides of locale selection 2018-09-11 20:35:48 +02:00
stianst
26f257a6ac KEYCLOAK-8264 Update OpenShift Token Review endpoint to support additional algorithms and to update session last refresh on token introspection 2018-09-11 19:57:38 +02:00
stianst
12f3d2115d KEYCLOAK-8263 Add option to client to override access token timeout 2018-09-11 12:40:51 +02:00
stianst
24e60747b6 KEYCLOAK-7560 Refactor token signature SPI PR
Also incorporates:
KEYCLOAK-6770 ES256/384/512 providers
KEYCLOAK-4622 Use HS256 for refresh tokens
KEYCLOAK-4623 Use HS256 for client reg tokens
2018-09-11 08:14:10 +02:00
Takashi Norimatsu
5b6036525c KEYCLOAK-7560 Refactor Token Sign and Verify by Token Signature SPI 2018-09-11 08:14:10 +02:00
Pedro Igor
0561d73ae2 [KEYCLOAK-6285] - HTTP Challenge Authentication Flow 2018-09-10 19:02:49 +02:00
stianst
bf758809ba KEYCLOAK-6229 OpenShift Token Review interface 2018-09-07 08:21:28 +02:00
stianst
1fb4ca4525 Set version to 4.5.0.Final 2018-09-06 20:08:02 +02:00
stianst
c56e171f3a KEYCLOAK-7608 Check if themes dir is null in FolderThemeProvider 2018-09-06 08:52:17 +02:00
Hynek Mlnarik
812e76c39b KEYCLOAK-8163 Improve SAML validations 2018-09-05 15:47:03 +02:00
Pedro Igor
47066e1b89 [KEYCLOAK-8012] - Fix offline session support in authorization services 2018-09-04 15:07:49 -03:00
Pedro Igor
6a0a1031a1 [KEYCLOAK-7754] - Fixing compat issues with UMA spec in RPT Introspection Provider 2018-09-04 11:41:09 -03:00
June Zhang
237318dfd3 KEYCLOAK-7751 Auth welcome page 2018-09-04 07:55:08 +02:00
Hynek Mlnarik
54b5ec206e KEYCLOAK-8183 Improve authz caching for negative cases 2018-08-31 18:31:55 +02:00
Hynek Mlnarik
bee3894cdf KEYCLOAK-8150 Improve loading user list 2018-08-30 13:03:49 +02:00
mposolda
b70468341e KEYCLOAK-7470 Ability to order client scopes 2018-08-29 14:37:27 +02:00
Jani
42553cdc44 [KEYCLOAK-7695] Restore token_type and expires_in for implicit flow
As KEYCLOAK-6585 concerns only hybrid flow, this commit restores the behavior for implicit flow.

This commit partially reverts #5041 (061049e41a6b0e6fb45c75f05748023ad7ab7d92).
2018-08-29 13:00:57 +02:00
AlistairDoswald
36837ae4b6 Added a ScriptMapper for SAML for KEYCLOAK-5520
Added mapper, tests and entry in the ProtocolMapper file.
This code is adapted from the following module: https://github.com/cloudtrust/keycloak-client-mappers
2018-08-29 09:39:30 +02:00
mposolda
31270e2f52 KEYCLOAK-7437 Support for prompt=consent 2018-08-29 08:35:29 +02:00
Johannes Knutsen
56c97407d4 KEYCLOAK-8152: Allow passing the current locale to OAuth2 identity providers 2018-08-28 15:52:23 +02:00
mposolda
6fc99cd749 KEYCLOAK-7594 Upgrade to Wildfly 13. Cross-DC: Upgrade to infinispan server 9.2.4 and JDG 7.2
Co-authored-by: Douglas Palmer <dpalmer@redhat.com>
Co-authored-by: stianst <stianst@gmail.com>
Co-authored-by: Hynek Mlnarik <hmlnarik@redhat.com>
2018-08-27 12:52:53 +02:00
Martin Kanis
59082e0b5f KEYCLOAK-7943 NPE when SAML User Property mapper is empty 2018-08-24 14:39:24 +02:00
Pedro Igor
9882341ecf [KEYCLOAK-7725] - CORS should be set based on client making the request 2018-08-24 09:35:38 -03:00
Martin Kanis
248654a75e KEYCLOAK-6706 E-mail verification won't let user back into the app 2018-08-21 16:30:15 +02:00
rmartinc
1b88eaf817 KEYCLOAK-8080 Audit the realm event configuration change 2018-08-20 21:01:38 +02:00
Corentin Dupont
b80701589c [KEYCLOAK-7804] - Option to return resource body 2018-08-20 13:07:29 -03:00
Martin Kanis
d04791243c KEYCLOAK-7970-KEYCLOAK-7222 Add clientId to action tokens 2018-08-20 15:25:24 +02:00
Pedro Igor
625f613128 [KEYCLOAK-4902] - Using streams to process requested permissions and limit support for scope responses 2018-08-17 11:00:53 -03:00
stianst
e406e8f1f0 KEYCLOAK-8069 Simplify config for fixed hostname provider 2018-08-17 14:47:14 +02:00
Hiroyuki Wada
730377a843 KEYCLOAK-7528 Set Cache-Control and Pragma header in token endpoint 2018-08-14 11:41:12 +02:00
Stefan Guilhen
f36e45cb10 [KEYCLOAK-4902] - Using streams to process scopes and cache improvements 2018-08-14 06:29:10 -03:00
Steffen Kreutz
ed72097862 KEYCLOAK-5289 Add support for Google's hd parameter 2018-08-14 11:08:57 +02:00
Stefan Guilhen
1912a8acf4 [KEYCLOAK-7885] Fix javadoc/log message typos 2018-08-13 22:09:17 -03:00
Sebastian Laskawiec
3449401ae2 KEYCLOAK-7635: Subject DN validation for x509ClientAuthenticator 2018-08-13 09:36:02 +02:00
sebastienblanc
02b2a8aab0 KEYCLOAK-7635 : Authenticate clients with x509 certificate 2018-08-13 09:36:02 +02:00
Stefan Guilhen
060b3b8d0f [KEYCLOAK-4902] - Using streams when fetching resources 2018-08-09 16:28:31 -03:00
Hynek Mlnarik
a8a9631d4f KEYCLOAK-6832 Unify Destination attribute handling 2018-08-09 10:30:30 +02:00
Pedro Igor
80e5227bcd [KEYCLOAK-4902] - Refactoring and improvements to processing of authz requests 2018-08-07 10:53:40 -03:00
Richard Kolkovich
72750b9882 KEYCLOAK-7954 treat empty string as null for skipping token verification 2018-08-07 11:13:15 +02:00
mposolda
959cd035ba Set version to 4.3.0.Final-SNAPSHOT 2018-08-01 22:40:05 +02:00
ssilvert@win.redhat.com
e7e15652cf KEYCLOAK-7479: Sanitize 2018-08-01 14:22:39 -04:00
Hynek Mlnarik
f57cc3a9c0 KEYCLOAK-5257 Clarify usage of TokenVerifier 2018-08-01 13:38:31 +02:00
mposolda
29da7d3d90 KEYCLOAK-7562 Fix ClientInitiatedAccountLinkTest#testErrorConditions 2018-08-01 13:33:23 +02:00
stianst
f99299ee39 KEYCLOAK-7967 Introduce Hostname SPI 2018-08-01 11:57:45 +02:00
stianst
ae47b7fa80 KEYCLOAK-7967 Remove injection of UriInfo 2018-08-01 11:57:45 +02:00
Takashi Norimatsu
665bcaebbb KEYCLOAK-7959 OAuth 2.0 Certificate Bound Access Tokens in Rev Proxy 2018-07-31 21:53:46 +02:00
Hiroyuki Wada
398f7d950f KEYCLOAK-7910 Store credentials when updating user via Admin REST API 2018-07-31 15:36:21 +02:00
Takashi Mogi
959e7b1b01 KEYCLOAK-7201 OIDC Identity Brokering with Client parameter forward
Forward "custom" (non-standard) query parameters to external IDP
2018-07-31 10:18:29 +02:00
ssilvert@win.redhat.com
6c593bab5a Check credential confirmation on server side. 2018-07-30 13:15:02 -04:00
Hynek Mlnarik
f43519a16e KEYCLOAK-6708 Fix NPE when email not set for email NameIDFormat 2018-07-27 11:10:35 +02:00
fisache
771d7f1724 [KEYCLOAK-7872] Fix. Remove Identity Provider Mapper when remove identity provider 2018-07-26 08:45:26 +02:00
ssilvert@win.redhat.com
0844aa8d68 KEYCLOAK-7857: Fix notifications 2018-07-25 08:59:25 -04:00
ssilvert@win.redhat.com
d73c4288ae KEYCLOAK-7294: Password page - Angular 2018-07-25 08:59:25 -04:00
vramik
524ab44160 KEYCLOAK-6866 Error 404 after changing locale while authenticating using X.509 2018-07-24 17:24:32 +02:00
Daniil Filippov
af72c1374a KEYCLOAK-7823 Fix HTTP status returned during SPNEGO auth 2018-07-24 10:38:42 +02:00
Hiroyuki Wada
7c0ca9aad2 KEYCLOAK-6313 Add required action's priority for customizing the execution order 2018-07-23 22:21:04 +02:00
Hynek Mlnarik
b43392bac8 KEYCLOAK-6577 KEYCLOAK-5609 Support dot in claim names by escaping with backslash 2018-07-23 14:46:25 +02:00
Pedro Igor
acc5f5c6d1 [KEYCLOAK-7864] - Authorization claim not set in refresh token when issuing a new refresh token 2018-07-19 09:56:59 -03:00
Pedro Igor
8b6979ac18 [KEYCLOAK-7849] - Improvements to RPT upgrade 2018-07-18 16:40:55 -03:00
Martin Kanis
34407957b9 KEYCLOAK-6314 Internal server error after T&C rejection 2018-07-18 15:05:22 +02:00
ssilvert@win.redhat.com
3e158c0321 KEYCLOAK-7846: Turn off disallowed features 2018-07-17 12:44:06 -04:00
Pedro Igor
90bfa2bff5 [KEYCLOAK-7781] - More validations to authorization requests 2018-07-13 09:18:05 -03:00
stianst
f022bc1269 [KEYCLOAK-5629] Add credential endpoints to account service 2018-07-12 13:00:25 -04:00
mhajas
5aebc74f8c KEYCLOAK-7269 Setting more uris for Authorization Resource 2018-07-11 17:48:34 -03:00
mposolda
d0a824dde4 Updating version to 4.2.0.Final-SNAPSHOT 2018-07-05 07:42:48 -04:00
mposolda
8c66f520af KEYCLOAK-7745 JTA error if offline sessions can't be preloaded at startup within 5 minutes 2018-07-04 10:22:13 +02:00
Pedro Igor
dafd567e68 [KEYCLOAK-7763] - NPE when enabling authorization to security-admin-console 2018-07-03 13:18:53 -03:00
ssilvert@win.redhat.com
d55ccf5312 KEYCLOAK-7015: Not allowing two users to have empty string emails addrs. 2018-07-03 11:04:36 -04:00
Pedro Igor
871be4ad87 [KEYCLOAK-7764] - Error when processing resource-less permissions 2018-07-03 10:35:11 -03:00
vramik
742a280f5d KEYCLOAK-5556 support for POST for AuthorizationEndpoint 2018-07-03 10:38:10 +02:00
wyvie
1450a7fad4 [KEYCLOAK-7569] support for authentication flow update
Added support for the PUT method of the authentication flow endpoint in
the admin API.

Now it's possible to run the 'update' method for authentication/flows in
kcadm.sh.
2018-07-03 10:31:23 +02:00
stianst
3c5027de3c KEYCLOAK-7701 Refactor key providers to support additional algorithms 2018-06-29 14:14:25 +02:00
Johannes Knutsen
fc3ca33033 Set hardcoded user session attribute after IDP first login flow 2018-06-26 10:31:55 +02:00
Takashi Norimatsu
2fb022e501 KEYCLOAK-7688 Offline Session Max for Offline Token 2018-06-26 08:25:06 +02:00
vramik
b478472b35 KEYCLOAK-7478 Add key query param to change locale url 2018-06-26 08:19:25 +02:00
Hynek Mlnarik
6b968796ce KEYCLOAK-7667 Fix namespace handling when decrypting assertion 2018-06-21 13:09:18 +02:00
Hiroyuki Wada
c2012a595b KEYCLOAK-7650 Don't display disabled identity providers 2018-06-19 08:55:24 -04:00
stianst
e1a0e581b9 Update to 4.1.0.Final-SNAPSHOT 2018-06-14 14:22:28 +02:00
Marek Posolda
49407c2e4f
KEYCLOAK-6630 Client scopes initial support (#5076)
* KEYCLOAK-6630 KEYCLOAK-349 Client Scopes

Co-authored-by: vramik <vramik@redhat.com>

* KEYCLOAK-6630 Change some clientTemplate occurences to clientScope
2018-06-08 15:38:38 +02:00
Pedro Igor
aa128d6c07
Merge pull request #5240 from pedroigor/KEYCLOAK-7353
[KEYCLOAK-7353] Support Policy Management in Protection API
2018-06-07 11:05:49 -03:00
Ola Bergefall
c8c76cc03f KEYCLOAK-7316: Default back to false if isPassive is missing in request. 2018-06-07 08:50:32 +02:00
Federico M. Facca
5a9bfea419 [KEYCLOAK-7353] Support Policy Management in Protection API
See https://issues.jboss.org/browse/KEYCLOAK-7353
2018-06-06 19:36:42 -03:00
Hynek Mlnarik
7ff18ca14b KEYCLOAK-7331 Fix NPE when SAML Issuer not set in AuthnRequest 2018-06-06 16:21:18 +02:00
Takashi Norimatsu
c586c63533 KEYCLOAK-6771 Holder of Key mechanism
OAuth 2.0 Mutual TLS Client Authentication and Certificate Bound Access
Tokens
2018-06-05 08:18:29 +02:00
Pedro Igor
f8919f8baa
Merge pull request #5211 from pedroigor/KEYCLOAK-7367
[KEYCLOAK-7367] - User-Managed Policy Provider
2018-06-04 09:35:13 -03:00
Jared Blashka
65c39763eb KEYCLOAK-7356 Code to Token flow fails if initial redirect_uri contains a session_state parameter 2018-05-31 08:53:11 +02:00
Martin Kanis
f429469fc8 KEYCLOAK-5270 Realm cookie path for IE<=11 users (#5106) 2018-05-31 08:44:34 +02:00
Takashi Norimatsu
eb97151476 KEYCLOAK-7451 OAuth Authorization Server Metadata for Proof Key for Code Exchange 2018-05-28 22:15:43 +02:00
Pedro Igor
2b6597e9f1 [KEYCLOAK-7367] - User-Managed Policy Provider 2018-05-25 16:18:15 -03:00
Stian Thorgersen
dbf5c395b0
Bump version to 4.0.0.Final (#5224) 2018-05-24 19:02:30 +02:00
Pedro Igor
e5d997a6c0
Merge pull request #5203 from martel-innovate/separate-ticket-permission-and-uma-permission-API
[KEYCLOAK-7354] - Split ticket management and permission endpoint
2018-05-17 15:22:55 -03:00
Federico M. Facca
76076cdb3c [KEYCLOAK-7354] split ticket management and permission endpoint
see (https://issues.jboss.org/browse/KEYCLOAK-7354)

* created new endpoint for ticket management /permission/ticket
* removed unused class
* support for direct creation of ticket by resource owner
* fix DELETE ticket
2018-05-16 15:10:39 +02:00
Timo Knapp
487539542a KEYCLOAK-7325: Fix Issue regarding HTTP 500 Server Error for resource_set Endpoint in ProtectionService (#5196)
* KEYCLOAK-7325: Fix Issue regarding HTTP 500 Server Error for resource_set Endpoint in ProctectionService
2018-05-15 14:57:33 -03:00
Federico M. Facca
5cbe595fe3 This commit implement feature KEYCLOAK-7337
* return requester

when returnNames=true

* return requesterName
* return owernName
2018-05-11 21:08:16 +02:00
Pedro Igor
e84acd9898
Merge pull request #5177 from pedroigor/KEYCLOAK-7206
[KEYCLOAK-7206] - Search by user id on admin console
2018-05-04 09:11:49 -03:00
Stian Thorgersen
90e5c7f3eb
Bump version to 4.0.0.Beta3-SNAPSHOT (#5185) 2018-05-02 14:32:20 +02:00
Martin Kanis
9505925363 Revert "KEYCLOAK-5270 Realm cookie path for IE<=11 users (#5106)" (#5183)
This reverts commit a67da7bc59.
2018-05-02 09:31:42 +02:00
pedroigor
ddceaaf3d5 [KEYCLOAK-7206] - Search by user id on admin console 2018-04-30 11:44:33 -03:00
Pedro Igor
e960642399
Merge pull request #5144 from pedroigor/KEYCLOAK-4903
[KEYCLOAK-4903] - Pushed Claims
2018-04-26 15:59:13 -03:00
Stan Silvert
35154db50f
KEYCLOAK-7123: l10n dropdowns (#5170)
* KEYCLOAK-7196: Add kc_locale to keycloak.js

* KEYCLOAK-7123: Localization dropdowns

* Update keycloak-service to latest keycloak.js
2018-04-25 15:04:12 -04:00
pedroigor
035ebc881a [KEYCLOAK-4903] - Claim Information point Provider SPI and configuration 2018-04-25 10:16:41 -03:00
pedroigor
e813fcd9c8 [KEYCLOAK-4903] - Pushing claims when obtaining a permission ticket 2018-04-24 19:47:28 -03:00
mposolda
634e7170e3 KEYCLOAK-7158 RestartLoginCookie throws error when KC_RESTART cookie created by Keycloak 1.9 2018-04-23 21:56:13 +02:00
Martin Kanis
7efa45126c KEYCLOAK-6991 NPE when importing realm from file 2018-04-19 14:26:50 +02:00
Oskars
3bef6d5066 KEYCLOAK-4538 Configurable clock skew when validating tokens (#5014)
* [master]: fix type for checkLoginIframeInterval

* [master]: KEYCLOAK-4538 Feature to tolerate a configurable amount of seconds of clock skew when validating tokens

* [master]: KEYCLOAK-4538 Fix unit test scenarios for token clock skew

* [master]: KEYCLOAK-4538 Reverted wildcard imports

* [master]: fix unit test to use longer intervals to make test less fragile.
2018-04-16 11:09:25 +02:00
Vlastimil Eliáš
c1311e4619 KEYCLOAK-6849 - LinkedIn social login provider updated to new LinkedIn OAuth2 endpoint (#5125)
* KEYCLOAK-6849 - LinkedIn social login provider updated to new LinkedIn
OAuth2 endpoint

* KEYCLOAK-6849 - LinkedIn social login provider test updated

* KEYCLOAK-6849 - LinkedIn social login provider test updated to
conditionally handle consent page when shown only

* Simplify the LinkedIn app authorization

This reverts commit c12359e7a13d9ff231fe2e25cddba66ad679a9cd.
2018-04-13 08:09:27 +02:00
Stan Silvert
095fec95e5
KEYCLOAK-7022 Fix l10n on Welcome page (#5143) 2018-04-11 12:05:07 -04:00
Hugo Guerrero
fac3118b0a KEYCLOAK-6448 - implement instagram social broker (#4963)
* KEYCLOAK-6448 - implement instagram social broker

* Instagram SocialLogin Tests
2018-04-09 17:30:27 +02:00
Martin Kanis
a67da7bc59 KEYCLOAK-5270 Realm cookie path for IE<=11 users (#5106) 2018-04-06 09:26:29 +02:00
Bill Burke
ffd9d957f4
Merge pull request #5123 from patriot1burke/kcadm-token
KEYCLOAK-7044 KEYCLOAK-7046
2018-04-04 17:22:17 -04:00
Stefan Guilhen
87abe5e648 [KEYCLOAK-6853] Make TimePolicyProvider use the kc.date.time_date contextual attribute when evaluating policies 2018-04-04 14:37:03 -03:00
Stan Silvert
701c318b60
KEYCLOAK-7047: Fix RegistrationEmailAsUsername and EditUserNameAllowed (#5122)
on personal info page.
2018-04-04 09:31:38 -04:00
Bill Burke
8a5428808e KEYCLOAK-7044 KEYCLOAK-7046 2018-04-03 21:29:31 -04:00
Bill Burke
4078e84fb6 server driven success page 2018-03-31 10:16:44 -04:00
Bill Burke
f4a5e49b63 initial 2018-03-29 17:14:36 -04:00
Pedro Igor
5cae1bb134
Merge pull request #5093 from pedroigor/KEYCLOAK-4102
[KEYCLOAK-4102] - Support lazy load paths
2018-03-29 09:16:34 -03:00
Bill Burke
8d3dc790df
Merge pull request #5087 from patriot1burke/kcinit
KEYCLOAK-6813
2018-03-28 17:35:33 -04:00
Bill Burke
f5bacb79c1 review changes 2018-03-28 16:45:52 -04:00
pedroigor
4a425c2674 [KEYCLOAK-4102] - Support lazy loading of paths via policy enforcer config 2018-03-28 09:23:59 -03:00
Bill Burke
c38b6d585e KEYCLOAK-528 (#5103) 2018-03-28 11:15:37 +02:00
Bill Burke
ad5f3fefc5 Merge remote-tracking branch 'upstream/master' into kcinit 2018-03-27 16:38:35 -04:00
Stan Silvert
80feb67fc2
KEYCLOAK-6494: Address load time of new acct mgt console (#5100)
* Optimize loading. min bundles, stop double-loading, rxjs-system instead of
plain rxjs, clean up 404's

* Create module loading hierarchy.  Allows for lazy loading.

* Upgrade NG, remove jquery, load keycloak.js only from auth/js

* Delay systemjs loading.  Load home page instead of account.

* KEYCLOAK-6496: Cleanup and polish code after optimizations.

* Fix message bundle to be back the way it was.

* Remove unused png's. Remove comments in index.ftl. Remove javaMessages.
2018-03-27 12:42:13 -04:00
pedroigor
e9e376419d [KEYCLOAK-4102] - Removing create-resources configuration option 2018-03-27 09:51:13 -03:00
Pedro Igor
ffeb0420bf
Merge pull request #5079 from pedroigor/KEYCLOAK-6529
[KEYCLOAK-6529] - Resource Attributes
2018-03-27 09:30:38 -03:00
stianst
07fea02146 Bump versions to 4.0.0.Beta2-SNAPSHOT 2018-03-26 18:17:38 +02:00
wyvie
d40e9bd3c1 [KEYCLOAK-6814] check if HMAC exists during session restart 2018-03-26 10:05:39 +02:00
Bill Burke
f000cedcbb Merge remote-tracking branch 'upstream/master' into kcinit 2018-03-20 16:49:43 -04:00
Jérôme Blanchard
f11c24e359 [KEYCLOAK-6147] Include Nonce in OIDC authentication 2018-03-20 10:51:44 +01:00
Bill Burke
8926837a3e tests 2018-03-19 16:47:13 -04:00
Áron Bustya
82ba2b1b0d remove changes from standard OIDC client registration, move constants 2018-03-19 19:31:22 +01:00
Áron Bustya
57f57f5c75 set request object mandatory for client, restrict delivery mode
handle new attribute in client representation


add to UI
2018-03-19 19:31:22 +01:00
pedroigor
08896ee9c9 [KEYCLOAK-6529] - Resource Attributes 2018-03-19 13:21:39 -03:00
Bill Burke
4bba11cd94 kcinit 2018-03-16 12:11:57 -04:00
Alex Szczuczko
e4781b8aa3 KEYCLOAK-6828 Drop jcenter repository from services/pom.xml
swagger2markup-maven-plugin depends transitively on markdown_to_asciidoc, which
is inexplicably not in Central. This causes issues during productisation, as
it's reasonably assumed that all third party artifacts will be in Central.

Stian has already asked the community project to get their artifacts in Central
( bodiam/markdown-to-asciidoc#26 ), and they haven't done anything in almost a
year. So, I've added the artifacts under my own namespace, and changed the pom
to use those instead. The artifacts are unchanged from the ones on jcenter,
except the pom was expanded slightly to meet the minimum requirements of
Central.

I'm making this change now, as I hit the problem when trying to set up
continuous productization builds from master.
2018-03-16 08:36:04 +01:00
Douglas Palmer
fed1b62c5d [KEYCLOAK-6301] Remove service account when it is disabled from the client 2018-03-14 15:09:42 +01:00
Takashi Norimatsu
5b1e65c23e KEYCLOAK-6700 Financial API Read and Write API Security Profile : state
hash value (s_hash) to protect state parameter
2018-03-13 16:40:34 +01:00
Takashi Norimatsu
e72756d01a KEYCLOAK-6700 Financial API Read and Write API Security Profile : state hash value (s_hash) to protect state parameter 2018-03-13 16:40:34 +01:00
Pedro Igor
2aa71d1737
Merge pull request #5051 from pedroigor/KEYCLOAK-6787
[KEYCLOAK-6787] - Wrong validation of resources with same name and different owners
2018-03-12 11:41:49 -03:00
pedroigor
0a4fd79b22 [KEYCLOAK-6116] - Get email attribute from 'subject alternative name' using X509 certificate 2018-03-09 10:56:35 -03:00
Martin Hardselius
8549bd70b7 Add pairwise sub support to authorization services
Identity token verification will now fetch the user from the session
state instead of relying on the sub provided in the token. Also done in
KeycloakIdentity.

Resolves: KEYCLOAK-6659
2018-03-02 13:08:27 +01:00
pedroigor
1e1de85685 [KEYCLOAK-6787] - Wrong validation of resources with same name and different owners 2018-03-01 16:50:05 -03:00
pedroigor
cb531056a6 [KEYCLOAK-6621] - Fixing cache and queries of policies with type scope 2018-02-28 16:33:45 -03:00
Pedro Igor
91bdc4bde2 [KEYCLOAK-3169] - UMA 2.0 (#4368)
* [KEYCLOAK-3169] - UMA 2.0 Support

* [KEYCLOAK-3169] - Changes to account service and more tests

* [KEYCLOAK-3169] - Code cleanup and tests

* [KEYCLOAK-3169] - Changes to account service and tests

* [KEYCLOAK-3169] - Changes to account service and tests

* [KEYCLOAK-3169] - More tests

* [KEYCLOAK-3169] - Changes to adapter configuration

* [KEYCLOAK-3169] - Reviewing UMA specs and more tests

* [KEYCLOAK-3169] - Reviewing UMA specs and more tests

* [KEYCLOAK-3169] - Changes to UMA Grant Type and refactoring

* [KEYCLOAK-3169] - Refresh tokens for RPT responses and tests

* [KEYCLOAK-3169] - Changes to account my resources and policy enforcers

* [KEYCLOAK-3169] - Realm settings flag to enable/disable user-managed access in account mgmt console

* [KEYCLOAK-3169] - More changes to my resource pages in account mgmt console

* [KEYCLOAK-3169] - Need to enable user-managed on realm to run tests

* [KEYCLOAK-3169] - Removing more UMA 1.0 related code

* [KEYCLOAK-3169] - Only submit requests if ticket exists

* [KEYCLOAK-3169] - Returning UMA 401 response when not authenticated

* [KEYCLOAK-3169] - Removing unused code

* [KEYCLOAK-3169] - Removing unused code

* [KEYCLOAK-3169] - 403 response in case ticket is not created

* [KEYCLOAK-3169] - Fixing AbstractPhotozExampleAdapterTest#testClientRoleRepresentingUserConsent

* [KEYCLOAK-3169] - 403 status code only returned for non-bearer clients
2018-02-28 08:53:10 +01:00
wyvie
f8022a5c2f [KEYCLOAK-6585] hybrid flow: removed token_type and expires_in paramters from oidc auth response 2018-02-27 15:31:12 +01:00
vmuzikar
a2cc7bd4b9 KEYCLOAK-6709 Fix OpenShift IdP doesn't fetch user's full name 2018-02-27 12:28:42 +01:00
wyvie
52acd959e0 [KEYCLOAK-6584] removed not-before-policy parameter from authorization response 2018-02-26 17:41:18 +01:00
Josh Cain
24132c8f5b Return location for execution and flow creation in admin interface. Also allow for retrieval of execution by ID 2018-02-26 17:00:17 +01:00
Hynek Mlnarik
e7cdb8ad54 KEYCLOAK-6473 KEYCLOAK-6472 SAML parser refactor + protocol parsers 2018-02-23 08:16:14 +01:00
Stian Thorgersen
9ef1f1b73c KEYCLOAK-3482 2018-02-22 09:42:45 -03:00
Erlend Hamnaberg
208ecbc3f7 KEYCLOAK-6676: Fix NPE if the redirect_uri parameter is missing 2018-02-21 19:44:22 +01:00
mposolda
fc463ae50b KEYCLOAK-6617 Offline token logout did not invalidate user session 2018-02-19 08:49:05 +01:00
cgol
86a8addf49 KEYCLOAK-6615 Remove offline session from database on offline token logout
remove offline token from database on offline session logout
2018-02-19 08:49:05 +01:00
stianst
9b63cd35f0 KEYCLOAK-6431 2018-02-13 19:38:46 +01:00
Hynek Mlnarik
84ea3f8cb1 KEYCLOAK-4315 Remove some dead/duplicate classes 2018-02-13 15:41:36 +01:00
Bill Burke
5d5373454c
Merge pull request #4991 from patriot1burke/challenge-support
KEYCLOAK-6355
2018-02-13 09:38:45 -05:00
Bill Burke
87ee15a081 fix 2018-02-12 16:52:55 -05:00
Bill Burke
d6788a0839 finish 2018-02-10 13:38:39 -05:00
stianst
505cf5b251 KEYCLOAK-6519 Theme resource provider 2018-02-09 08:28:59 +01:00
Bill Burke
5ea4ef9e55 change code query params to session_code 2018-02-08 17:37:27 -05:00
Douglas Palmer
e8de4655ac KEYCLOAK-6344 Use POST instead of GET for LDAP connection tests 2018-02-08 21:18:03 +01:00
Jochen Preusche
8325151e16
Extract findLocale to LocaleNegotiator, add tests
* Improve Testability of Locale Negotiation
 * Add test for Locale Negotiation
 * Fix Locale Negotiation for omitted Country Code
2018-02-06 09:50:04 +01:00
Serhii Shymkiv
c2fe500eb8 [KEYCLOAK-4721] Consider Session Language of Realm Also In ReCaptcha 2018-02-02 13:57:03 +01:00
vramik
019c3c9ef9 KEYCLOAK-6146 realm import fails when password policy is specified 2018-02-02 08:30:06 +01:00
Thomas Darimont
77334af34e KEYCLOAK-6222 Check syntax for errors on ScriptBasedOIDCProtocolMapper validation
We now explicitly check for syntax errors
during validation of ScriptBasedOIDCProtocolMappers.
2018-02-02 08:28:27 +01:00
Bill Burke
8f09efab9d
Merge pull request #4949 from patriot1burke/client-storage-spi
KEYCLOAK-6228
2018-02-01 08:59:02 -05:00
Bill Burke
126dd70efc client stat improvement 2018-01-31 13:05:13 -05:00
Bill Burke
a571781240 hynek db changes 2018-01-30 17:00:55 -05:00
Vlastimil Elias
a5f675d693 KEYCLOAK-4937 - convert time units in emails into human-friendly format 2018-01-30 06:38:57 +01:00
Bill Burke
1d8e38f0c6 admin console 2018-01-27 13:05:02 -05:00
Bill Burke
dd4c0d448c Merge remote-tracking branch 'upstream/master' into client-storage-spi 2018-01-27 09:47:41 -05:00
Bill Burke
6b84b9b4b6 done 1st iteration 2018-01-27 09:47:16 -05:00
Takashi Norimatsu
502627f590 KEYCLOAK-5811 Client Authentication by JWS Client Assertion in client secret 2018-01-26 10:59:40 +01:00
gregoirew
13261b52db Use the github /user/emails api endpoint if the github user did not set any public email.
Github can send a null email on the user info endpoint if there is no public email on the user profile.
This commit look for email on the /user/emails endpoint, selecting the primary email.
2018-01-25 20:56:24 +01:00
Bill Burke
ddad1cb8af Merge remote-tracking branch 'upstream/master' into client-storage-spi 2018-01-25 10:08:37 -05:00
Bill Burke
8a17b61f4e initial work 2018-01-25 10:08:26 -05:00
Bill Burke
7c66f76858
Merge pull request #4932 from patriot1burke/per-client-flow
KEYCLOAK-6335
2018-01-25 09:55:11 -05:00
Thomas Darimont
3d12bf7d14 KEYCLOAK-4743 Revise proxy support for HttpClient SPI
Polishing & more tests.
2018-01-25 09:31:32 +01:00
Thomas Darimont
851d0192ad KEYCLOAK-4743 Add proxy support to HttpClient SPI
We now provide a configurable way for dynamic proxy route selection
for the default HttpClient based on regex based targetHostname patterns.

Introduced `ProxyMapping` to describe a regex based mapping
between target hosts and the proxy URL to use.

A `ProxyMapping` can be build from an ordered list of string based
mapping representations, e.g:
```
   ^.*.(google.com|googleapis.com)$;http://localhost:8080
```
If the targetHost does not match a configured proxy mapping,
no proxy is used.

This can be configured via standalone.xml / jboss-cli, e.g.:
```
   echo SETUP: Configure proxy routes for HttpClient SPI
   /subsystem=keycloak-server/spi=connectionsHttpClient/provider=default:add(enabled=true)
   /subsystem=keycloak-server/spi=connectionsHttpClient/provider=default:write-attribute(name=properties.proxy-mappings,value=["^.*.(google.com|googleapis.com)$;http://www-proxy1:8080","^.*.facebook.com$;http://www-proxy2:8080"])
```
The new `ProxyMappingWareRoutePlanner` uses a configured `ProxyMapping`
to decide which proxy to use for a given request based on the target host
denoted by the HTTP request to execute.

I verified this manually with the BurpProxy Suite.
2018-01-25 09:31:32 +01:00
mposolda
6369c26671 KEYCLOAK-6286 Adding 'Exclude Session State From Authentication Response' switch to fix backwards compatibility with Keycloak 2.X adapters 2018-01-24 11:35:13 +01:00
Bill Burke
7b2e72d395 Merge remote-tracking branch 'upstream/master' into per-client-flow 2018-01-23 12:10:11 -05:00
Bill Burke
a9297df89c KEYCLOAK-6335 2018-01-23 12:09:49 -05:00
Hynek Mlnarik
4ba72e2d2d KEYCLOAK-5976 Fix client setting in brokered IdP-initiated scenario 2018-01-23 09:34:11 +01:00
stianst
f762173eb0 KEYCLOAK-3370 Add option to override theme in client template and client 2018-01-18 09:14:13 +01:00
stianst
35ada9d636 KEYCLOAK-6289 Add ThemeSelectorSPI 2018-01-18 09:14:13 +01:00
Thomas Darimont
bae4d4c673 KEYCLOAK-5791 Allow multi-valued ScriptBasedOIDCProtocolMapper
We now support multi-valued attribute values for the
`ScriptBasedOIDCProtocolMapper`.
Previously the `ScriptBasedOIDCProtocolMapper` only supported
single valued output. If a script returned a list of
output values then only the first value was emitted to the token.

By default multi-valued is set to `false` / `off`.
2018-01-11 08:52:24 +01:00
stianst
d8c0cc447f KEYCLOAK-6090 Add missing cors headers with invalid username/password and resource owner grant 2018-01-02 15:15:15 +01:00
stianst
0bedbb4dd3 Bump version to 4.0.0.CR1-SNAPSHOT 2017-12-21 15:06:00 +01:00
Marko Strukelj
23d0afbfd8 KEYCLOAK-6058 Partial import should ignore built-in clients 2017-12-21 13:52:58 +01:00
stianst
f0c5752ef9 KEYCLOAK-5443 Fix update user account when both email as username and edit username are enabled 2017-12-20 14:40:03 +01:00
Bruno Oliveira
811cd3a04a KEYCLOAK-6011 2017-12-20 13:37:11 +01:00
stianst
e96c6a4bcb KEYCLOAK-6068 Fix preflight request on admin endpoints 2017-12-20 10:19:34 +01:00
stianst
465675ac28 KEYCLOAK-5019 Fixes for password managers 2017-12-19 16:13:16 +01:00
mposolda
5a66f577eb KEYCLOAK-5982 Fix NPEs when client 'account' was renamed/removed 2017-12-18 21:47:17 +01:00
stianst
27b5e1aae2 KEYCLOAK-6050 Fix export doesn't export internal realm rep 2017-12-18 13:15:42 +01:00
stianst
b303acaaba KEYCLOAK-2120 Added manual setup page for OTP 2017-12-18 11:20:20 +01:00
Bill Burke
118e998570
Merge pull request #4834 from pedroigor/KEYCLOAK-5806
[KEYCLOAK-5806] - Create policy button to associated policies
2017-12-16 23:44:35 -05:00
Bill Burke
80be4c9dbc fix more 2017-12-16 07:12:32 -05:00
pedroigor
5d7ba39e0c [KEYCLOAK-5806] - Create policy component to permission pages 2017-12-15 23:41:52 -02:00
Bill Burke
7cb39c2dfc KEYCLOAK-5420 2017-12-15 12:16:24 -05:00
Hynek Mlnarik
e4a91c0706 KEYCLOAK-6042 Encode user ID before storing in auth session 2017-12-15 15:16:26 +01:00
stianst
a8943fb323 KEYCLOAK-6043 Use same urls for get and posts in account 2017-12-15 08:31:04 +01:00
Bruno Oliveira
1a541889f4 [KEYCLOAK-6015] replyTo can be empty string in DB 2017-12-15 07:01:15 +01:00
stianst
b672229efc KEYCLOAK-6032 Fix error page when internationalization is enabled 2017-12-15 06:32:00 +01:00
Vlastimil Elias
7e20a65989 KEYCLOAK-6040 AuthenticationSessionModel pushing into
EmailTemplateProvider
2017-12-14 15:51:04 +01:00
Hynek Mlnarik
2a2e6c839b KEYCLOAK-5635 2017-12-13 21:07:46 +01:00
Hynek Mlnarik
7174c0b4ec KEYCLOAK-6025 Simplify easy access to current session in action token handlers 2017-12-12 17:53:44 +01:00
stianst
f939818252 KEYCLOAK-5907 Use client manager to delete clients in client registration services 2017-12-12 14:25:05 +01:00