Commit graph

4288 commits

Author SHA1 Message Date
Sebastian Schuster
030f42ec83
More efficient listing of assigned and available client role mappings
Closes #23404

Signed-off-by: Sebastian Schuster <sebastian.schuster@bosch.io>
Co-authored-by: Vlasta Ramik <vramik@users.noreply.github.com>
2023-11-22 14:10:11 +01:00
Thomas Darimont
d30d692335 Introduce MaxAuthAge Password policy (#12943)
This policy allows to specify the maximum age of an authentication
with which a password may be changed without re-authentication.

Defaults to 300 seconds (default taken from Constants.KC_ACTION_MAX_AGE) to remain backwards compatible.
A value of 0 will always require reauthentication to update the password.
Add documentation for MaxAuthAgePasswordPolicy to server_admin

Fixes #12943

Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
2023-11-20 14:48:17 +01:00
rmartinc
1241bd2919 Fix lowerCaseHostname to lower-case scheme and host properly
Closes https://github.com/keycloak/keycloak/issues/24792

Signed-off-by: rmartinc <rmartinc@redhat.com>
2023-11-20 10:00:50 +01:00
Erik Jan de Wit
941457b805 added theme name as parameter
moved messages to theme bundle

Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
2023-11-17 08:35:54 +01:00
rmartinc
5fad76070a Use LinkedIn instead of LinkedIn OpenID Connect for better UI experience
Closes https://github.com/keycloak/keycloak/issues/24659

Signed-off-by: rmartinc <rmartinc@redhat.com>
2023-11-16 18:22:16 +01:00
Hynek Mlnarik
70d0f731f5 Use session ID rather than broker session ID
Closes: #24455

Signed-off-by: Hynek Mlnarik <hmlnarik@redhat.com>
2023-11-16 17:01:40 +01:00
Vlasta Ramik
d86e062a0e
Removal of retry blocks introduced for CRDB
Closes #24095

Signed-off-by: vramik <vramik@redhat.com>
Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Co-authored-by: Alexander Schwartz <aschwart@redhat.com>
2023-11-16 13:50:56 +01:00
rmartinc
cca33baac3 Avoid NPE if RelayState is null and return a proper error
Closes https://github.com/keycloak/keycloak/issues/24079

Signed-off-by: rmartinc <rmartinc@redhat.com>
2023-11-16 12:56:49 +01:00
Erik Jan de Wit
89abc094d1
userprofile shared (#23600)
* move account ui user profile to shared

* use ui-shared on admin same error handling

also introduce optional renderer for added component

* move scroll form to ui-shared

* merged with main

* fix lock file

* fixed merge error

* fixed merge errors

* fixed tests

* moved user profile types to admin client

* fixed more types

* pr comments

* fixed some types
2023-11-14 08:04:55 -03:00
Erik Jan de Wit
fe7833c957
Load Admin Console localizations from resource bundles (#24316)
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
2023-11-13 12:39:46 -05:00
Hynek Mlnařík
0ceaed0e2e
Transient users: Consents (#24496)
closes #24494
2023-11-10 11:18:27 +01:00
mposolda
7863c3e563 Moving UPConfig and related classes from keycloak-services
closes #24535

Signed-off-by: mposolda <mposolda@gmail.com>
2023-11-07 12:41:29 +01:00
Joshua Sorah
7ca00975d4 Feature flag DPoP metadata in OIDC Well Known endpoint
Closes keycloak/keycloak#24547

Signed-off-by: Joshua Sorah <jsorah@gmail.com>
2023-11-06 03:13:57 -08:00
Oliver
563ae104fd [issue-14134] test partial import user with id
Fix #14134
2023-11-02 05:56:12 -07:00
rmartinc
d7bb59461d Escape $ sign when replacing clientId in the role mappers
Closes https://github.com/keycloak/keycloak/issues/23692
2023-11-01 20:47:15 +01:00
rokkiter
e1735138cb
clean util * (#24174)
Signed-off-by: rokkiter <yongen.pan@daocloud.io>
2023-11-01 17:14:11 +01:00
Pedro Igor
be65ba8689 Make sure optional default attributes are removed when decorating the user-define user profile configuration
Closes #24420
2023-11-01 14:54:09 +01:00
mposolda
0bd2b342d7 Update per review 2023-10-31 12:56:46 -07:00
mposolda
6f992915d7 Move some UserProfile and Validation classes into keycloak-server-spi
closes #24387
2023-10-31 12:56:46 -07:00
Justin Tay
3ff0476cc3 Allow customization of aud claim with JWT Authentication
Closes #21445
2023-10-31 11:33:47 -07:00
rmartinc
7deb4ca545 Group count and PartialExport permission fixes
Closes https://github.com/keycloak/keycloak/issues/12171
2023-10-31 01:40:21 -07:00
rmartinc
6484a3e705 Add userProfileEnabled attribute to realm response if admin can view users
closes https://github.com/keycloak/keycloak/issues/19093
2023-10-30 07:39:03 -07:00
Alice
69497382d8
Group scalability upgrades (#22700)
closes #22372 


Co-authored-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com>
Co-authored-by: Michal Hajas <mhajas@redhat.com>
2023-10-26 16:50:45 +02:00
Hynek Mlnarik
2c4d58f5af Fix KcOidcBrokerTransientSessionsTest
Closes: #24313
2023-10-26 14:36:01 +02:00
rmartinc
faf398e3c3 Add openapi annotations to the UserProfileResource
Closes https://github.com/keycloak/keycloak/issues/9318
2023-10-25 07:44:24 -07:00
Hynek Mlnarik
a668c2cb2b Support for transient brokering in admin console
Part-of: Add support for not importing brokered user into Keycloak database

Closes: #11334
2023-10-25 12:02:35 +02:00
Hynek Mlnarik
26328a7c1e Support for transient sessions via lightweight users
Part-of: Add support for not importing brokered user into Keycloak database

Closes: #11334
2023-10-25 12:02:35 +02:00
ggraziano
84112f57b5 Verification of iss at refresh token request
Added iss checking using the existing TokenVerifier.RealmUrlCheck in the verifyRefreshToken method.

Closes #22191
2023-10-24 23:42:11 +02:00
Marek Posolda
1bd6aca629
Remove RegistrationProfile class and handle migration (#24215)
closes #24182


Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com>
2023-10-24 20:19:33 +02:00
Thomas Darimont
e567210ed1
Add dedicated feature flag for oauth device grant flow (#23892)
Closes #23891
2023-10-24 10:09:26 +02:00
Erik Jan de Wit
e4632c9e78 move to theme resource 2023-10-23 15:17:18 -07:00
Erik Jan de Wit
f3d387172e changed to realm, because that is the source 2023-10-23 15:17:18 -07:00
Erik Jan de Wit
0f878566ab add new locale endpoint that returns the messages 2023-10-23 15:17:18 -07:00
vramik
a0f04fa2be Declarative User Profile export
Closes #12062
Resolves #20885
2023-10-21 19:21:20 +02:00
Pedro Igor
e47389f199 Username now shown when creating a user and edit username is not allowed
Closes #24183
2023-10-20 10:22:31 -07:00
Pedro Igor
55a5a8c0eb Ignore custom attributes when processing attributes in verify profile action
Closes #24077
2023-10-20 17:51:40 +02:00
mposolda
c18e8ff535 User profile tweaks in registration forms
closes #24024
2023-10-20 06:31:21 -07:00
kaustubh-rh
1ac2c0997d
Inconsistent handling of parenthesis in auth flow name (#24113)
closes #16379
2023-10-20 10:00:46 +02:00
mposolda
04777299b0 After tab1 finish authentication, make sure that rootAuthenticationSession is expired shortly
closes #23880
2023-10-19 19:23:50 +02:00
Andrew
77c3e7190c
updates to method contracts and code impl to be more specific about providerAlias (#24070)
closes #24072
2023-10-18 08:33:06 +02:00
Pedro Igor
e91a0afca2 The username in account is required and don't change when email as username is enabled
Closes #23976
2023-10-17 16:43:44 -03:00
shigeyuki kabano
6112b25648 Enhancing Light Weight Token(#22148)
Closes #21183
2023-10-17 13:12:36 +02:00
Pedro Igor
9c19a8972b Removing the default cache metadata
Closes #23910
2023-10-13 16:32:55 +02:00
Charley Wu
31759f9c37
WebAuthn support for native applications. Support custom FIDO2 origin validation (#23156)
Closes #23155
2023-10-13 15:25:10 +02:00
Moritz Becker
e9f08b6500 Do not return empty scope field in token introspection response
Closes #16526
2023-10-13 08:36:12 +02:00
duckboy81
197b39492e Update TokenManager.java
Fixed minor spelling typos
2023-10-12 14:56:24 +02:00
ici-dev-gb
32b373f05f
Don't use top-level await for storage access checks (#23793)
Closes #23743
2023-10-12 09:28:01 +00:00
Vojtěch Boček
8871983b33
Add support for single-tenant mode to Microsoft Identity Provider (#20699)
* Add support for single-tenant mode to Microsoft Identity Provider

Fixes #20695
Closes #11207

* Add SocialLoginTest for Microsoft single-tenant variant
2023-10-10 16:35:36 -04:00
Marek Posolda
a6609bd969
Remove "You are already logged in" during authentication. Make other browser tabs to authenticate automatically when some browser tab successfully authenticate (#23517)
Closes #12406


Co-authored-by: Jon Koops <jonkoops@gmail.com>
2023-10-10 21:54:37 +02:00
Pedro Igor
7385ed56c7 Avoid creating the component when there is no component and configuration is not provided
Closes #20970

Co-authored-by: Pedro Igor <psilva@redhat.com>
2023-10-10 13:28:48 +02:00
Daniel Fesenmeyer
dd37e02140 Improve logging in case of OIDC Identity provider errors:
- log the full Redirection URL, when it contains an error parameter, or does not contain the state or code parameter
- log the token endpoint URL (without - possibly confidential - params) and the response body, when the token endpoint does not return a success response

Closes #23690
2023-10-06 19:03:41 +02:00
mposolda
cdb61215c9 UserProfileContext.ACCOUNT_OLD seems to be obsolete and not needed
closes #23749
2023-10-06 11:27:48 -03:00
Pedro Igor
290bee0787
Resolve several usability issues around User Profile (#23537)
Closes #23507, #23584, #23740, #23774

Co-authored-by: Jon Koops <jonkoops@gmail.com>
2023-10-06 10:15:39 -03:00
rmartinc
890600c33c Remove backward compatibility for ECDSA tokens
Closes https://github.com/keycloak/keycloak/issues/23734
2023-10-06 14:24:48 +02:00
Garth
2dfbbff343
added AccountResource SPI, Provider and ProviderFactory. (#22317)
Added AccountResource SPI, Provider and ProviderFactory. updated AccountLoader to load provider(s) and check if it is compatible with the chosen theme.
2023-10-05 15:08:01 +02:00
Justin Tay
55751a0830 Fix client assertion with invalid ES256, ES384, ES512 signatures
Closes #23721
2023-10-05 13:07:52 +02:00
Steve Hawkins
fb69936f14 Aligns the logic in the welcome resources
as a result the quarkus one can be removed

closes keycloak#23243
2023-09-28 19:33:12 -03:00
Jon Koops
1b6cb7b2a9
Always check storage access before placing test cookie (#23393) 2023-09-27 13:38:53 +02:00
Lucas Hedding
de5aa2e74d
Add createTimestamp to REST service (#23293)
Closes #14009
2023-09-27 13:38:16 +02:00
rmartinc
10c1e3ba6d Client roles should be mapped to any claim name
Closes https://github.com/keycloak/keycloak/issues/22349
2023-09-27 08:11:22 -03:00
rmartinc
d90640b5a3 Change email checkserveridentity prop as angus mail sets it to true by default
Closes https://github.com/keycloak/keycloak/issues/22395
2023-09-26 09:11:16 +02:00
Maria Arias de Reyna
c15753266f fix(Closes #21236): Adding client-id to logout event 2023-09-25 13:20:26 +02:00
Pedro Igor
741f76887c Allow updating email when email as username is set and edit username disabed
#23438
2023-09-25 08:19:01 -03:00
Michal Hajas
496c5ad989 Use new findGroupByPath implementation and remove the old one
Closes #23344

Signed-off-by: Michal Hajas <mhajas@redhat.com>
2023-09-25 10:44:24 +02:00
Justin Tay
7d3104ee76 Allow public clients to use PAR endpoint
Closes #8939
2023-09-21 13:57:42 +02:00
rmartinc
082b0ed308 verifyRedirectUri should return null when the passed redirectUri is invalid
Closes https://github.com/keycloak/keycloak/issues/22778
2023-09-21 08:19:00 +02:00
rmartinc
f8a9e0134a Ensure that the EncryptedKey is passed to the DecryptionKeyLocator for SAML
Closes https://github.com/keycloak/keycloak/issues/22974
2023-09-20 15:09:18 +02:00
Jon Koops
e86bf1f0b2 Remove P3P header from authentication flow
Closes #23348
2023-09-19 08:50:33 -03:00
rmartinc
743bb696d9 Allow duplicated keys in advanced claim mappers
Closes https://github.com/keycloak/keycloak/issues/22638
2023-09-19 07:49:34 -03:00
Pedro Igor
217a09ce46 Switch to Resteasy Reactive
Closes #10713
2023-09-18 09:19:03 -03:00
Thomas Darimont
04d16ed170 Prevent NPE in AuthenticationManager.backchannelLogout (#23306)
Previously, if the user was already removed from the userSession
and the log level was set to DEBUG, then an NPE was triggered by
the debug log statement during backchannelLogout.

Fixes #23306
2023-09-18 08:16:51 +02:00
paul
f684a70048 KEYCLOAK-15985 Add Brute Force Detection Lockout Event 2023-09-15 10:32:07 -03:00
Pedro Igor
1442f14c45 Registration page not showing username when edit username is not enabled
Closes #23185
2023-09-14 07:32:39 -03:00
Justin Tay
658c0ef19f Send Client ID in token request with JWT Authentication
Closes #21444
2023-09-14 10:57:32 +02:00
Pedro Igor
5958c7948d
Ignore attributes when they are not prefixed with user.attributes prefix (#23184)
Co-authored-by: mposolda <mposolda@gmail.com>
Co-authored-by: stianst <stianst@gmail.com>
2023-09-14 10:35:47 +02:00
Daniel Fesenmeyer
a68ad55a37 Support to define compatible mappers for (new) Identity Providers
- Also allows to use existing mappers for custom Identity Providers without having to change those mappers

Closes #21154
2023-09-13 17:19:06 -03:00
Konstantinos Georgilakis
0044472f87 Add regex support in 'Condition - User attribute' execution
Closes #265
2023-09-13 08:36:45 +02:00
Erik Jan de Wit
0789d3c1cc
better features overview (#22641)
Closes #17733
2023-09-12 16:03:13 +02:00
Thomas Darimont
3908537254
Show expiration date for certificates in Admin Console (#23025)
Closes #17743
2023-09-12 07:56:09 -04:00
Marek Posolda
56b94148a0
Remove bearer-only occurences in the documentation when possible. Mak… (#23148)
closes #23066


Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com>
2023-09-12 09:38:19 +02:00
Erik Jan de Wit
c7dcef7af8
fixed permissions for locale fetch (#23078)
fixes: #23065
2023-09-11 15:00:40 -04:00
Adeel Ahmad
4f90124612 Print 'key' in ReadOnlyAttributeUnchangedValidator failure log message
This change is quite useful for debugging and helps identify which specific attribute makes the update fail. Currently, the full pattern is printed which consists of multiple attributes.
2023-09-11 10:45:08 -03:00
kaustubh-rh
62927433dc
Fix for Keycloak 22.0.1 unable to create user with long email address (#23109)
Closes #22825
2023-09-11 08:56:13 +02:00
rmartinc
7da52a43bd Add old LinkedIn provider to the deprecated profile
Closes https://github.com/keycloak/keycloak/issues/23067
2023-09-08 10:05:17 +02:00
Marek Posolda
506e2537ac
Registration flow fixed (#23064)
Closes #21514


Co-authored-by: Vilmos Nagy <vilmos.nagy@outlook.com>
Co-authored-by: Alexander Schwartz <aschwart@redhat.com>
Co-authored-by: Marek Posolda <mposolda@gmail.com>
2023-09-08 08:05:05 +02:00
Pedro Igor
bc31fde4c0 Broker claim mapper not recognizing claims from user info endpoint
Closes #12137
2023-09-07 16:34:45 +02:00
stianst
211c027adb Remove use of Guava in services
Closes #23009
2023-09-07 08:59:02 +02:00
Kaustubh B
5ee2ba9372 Added tests 2023-09-07 08:43:35 +02:00
Kaustubh B
c57e775102 Fixed Regex 2023-09-07 08:43:35 +02:00
rmartinc
8887be7887 Add a new identity provider for LinkedIn based on OIDC
Closes https://github.com/keycloak/keycloak/issues/22383
2023-09-06 16:13:31 +02:00
Pedro Igor
13e5a02b9f Role mappers must return a single value when they are not multivalued
Closes #20218
2023-08-31 19:16:12 +02:00
Pedro Igor
ea3225a6e1 Decoupling legacy and dynamic user profiles and exposing metadata from admin api
Closes #22532

Co-authored-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
2023-08-29 08:14:47 -03:00
Pedro Igor
b779df6a55 Parsing response from user info rather than the access token
Closes #22581
2023-08-29 12:23:56 +02:00
rmartinc
b67ede2a30 RedirectUtils needs to use KeycloakUriBuilder with no parameter parsing
Closes https://github.com/keycloak/keycloak/issues/22424
2023-08-17 09:11:08 +02:00
Erik Jan de Wit
b4650b7742
use logged in realm as default (#22460) 2023-08-16 14:29:07 -04:00
t0xicCode
822c13ff6f Switch Trusted Host policy redirect verification to URI
Switch parsing of the redirect URIs for the Trusted Host Client Registration Policy from URL to URI.
The java URL class tries to instantiate a handler for the scheme, which fails when a "custom" scheme, such as those used in phone apps is used.
In contrast, the URI class simply parses the string, ensuring the format is valid.
The other URLs (baseUrl, rootUrl, adminUrl) are still parsed as URLs.
See https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata for the Client Registration parameter documentation.

Closes #22309
2023-08-14 10:20:23 +02:00
Pedro Igor
baac060eb1 Fixing how e-mail attribute permissions are set for both USER_API and ACCOUNT contexts
Closes #21751
2023-08-11 13:32:16 +02:00
Erik Jan de Wit
874d2063b8
only add realm access to the current realm (#21554)
fixes: #21553
2023-08-10 12:43:15 +02:00
Takashi Norimatsu
258711ef4f DPoP verification in UserInfo endpoint
closes #22215
2023-08-07 10:49:33 +02:00
Takashi Norimatsu
9d0960d405 Using DPoP token type in the access-token and as token_type in introspection response
closes #21919
2023-08-07 10:40:18 +02:00