Sebastian Schuster
030f42ec83
More efficient listing of assigned and available client role mappings
...
Closes #23404
Signed-off-by: Sebastian Schuster <sebastian.schuster@bosch.io>
Co-authored-by: Vlasta Ramik <vramik@users.noreply.github.com>
2023-11-22 14:10:11 +01:00
Thomas Darimont
d30d692335
Introduce MaxAuthAge Password policy ( #12943 )
...
This policy allows to specify the maximum age of an authentication
with which a password may be changed without re-authentication.
Defaults to 300 seconds (default taken from Constants.KC_ACTION_MAX_AGE) to remain backwards compatible.
A value of 0 will always require reauthentication to update the password.
Add documentation for MaxAuthAgePasswordPolicy to server_admin
Fixes #12943
Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
2023-11-20 14:48:17 +01:00
rmartinc
1241bd2919
Fix lowerCaseHostname to lower-case scheme and host properly
...
Closes https://github.com/keycloak/keycloak/issues/24792
Signed-off-by: rmartinc <rmartinc@redhat.com>
2023-11-20 10:00:50 +01:00
Erik Jan de Wit
941457b805
added theme name as parameter
...
moved messages to theme bundle
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
2023-11-17 08:35:54 +01:00
rmartinc
5fad76070a
Use LinkedIn instead of LinkedIn OpenID Connect for better UI experience
...
Closes https://github.com/keycloak/keycloak/issues/24659
Signed-off-by: rmartinc <rmartinc@redhat.com>
2023-11-16 18:22:16 +01:00
Hynek Mlnarik
70d0f731f5
Use session ID rather than broker session ID
...
Closes : #24455
Signed-off-by: Hynek Mlnarik <hmlnarik@redhat.com>
2023-11-16 17:01:40 +01:00
Vlasta Ramik
d86e062a0e
Removal of retry blocks introduced for CRDB
...
Closes #24095
Signed-off-by: vramik <vramik@redhat.com>
Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Co-authored-by: Alexander Schwartz <aschwart@redhat.com>
2023-11-16 13:50:56 +01:00
rmartinc
cca33baac3
Avoid NPE if RelayState is null and return a proper error
...
Closes https://github.com/keycloak/keycloak/issues/24079
Signed-off-by: rmartinc <rmartinc@redhat.com>
2023-11-16 12:56:49 +01:00
Erik Jan de Wit
89abc094d1
userprofile shared ( #23600 )
...
* move account ui user profile to shared
* use ui-shared on admin same error handling
also introduce optional renderer for added component
* move scroll form to ui-shared
* merged with main
* fix lock file
* fixed merge error
* fixed merge errors
* fixed tests
* moved user profile types to admin client
* fixed more types
* pr comments
* fixed some types
2023-11-14 08:04:55 -03:00
Erik Jan de Wit
fe7833c957
Load Admin Console localizations from resource bundles ( #24316 )
...
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
2023-11-13 12:39:46 -05:00
Hynek Mlnařík
0ceaed0e2e
Transient users: Consents ( #24496 )
...
closes #24494
2023-11-10 11:18:27 +01:00
mposolda
7863c3e563
Moving UPConfig and related classes from keycloak-services
...
closes #24535
Signed-off-by: mposolda <mposolda@gmail.com>
2023-11-07 12:41:29 +01:00
Joshua Sorah
7ca00975d4
Feature flag DPoP metadata in OIDC Well Known endpoint
...
Closes keycloak/keycloak#24547
Signed-off-by: Joshua Sorah <jsorah@gmail.com>
2023-11-06 03:13:57 -08:00
Oliver
563ae104fd
[issue-14134] test partial import user with id
...
Fix #14134
2023-11-02 05:56:12 -07:00
rmartinc
d7bb59461d
Escape $ sign when replacing clientId in the role mappers
...
Closes https://github.com/keycloak/keycloak/issues/23692
2023-11-01 20:47:15 +01:00
rokkiter
e1735138cb
clean util * ( #24174 )
...
Signed-off-by: rokkiter <yongen.pan@daocloud.io>
2023-11-01 17:14:11 +01:00
Pedro Igor
be65ba8689
Make sure optional default attributes are removed when decorating the user-define user profile configuration
...
Closes #24420
2023-11-01 14:54:09 +01:00
mposolda
0bd2b342d7
Update per review
2023-10-31 12:56:46 -07:00
mposolda
6f992915d7
Move some UserProfile and Validation classes into keycloak-server-spi
...
closes #24387
2023-10-31 12:56:46 -07:00
Justin Tay
3ff0476cc3
Allow customization of aud claim with JWT Authentication
...
Closes #21445
2023-10-31 11:33:47 -07:00
rmartinc
7deb4ca545
Group count and PartialExport permission fixes
...
Closes https://github.com/keycloak/keycloak/issues/12171
2023-10-31 01:40:21 -07:00
rmartinc
6484a3e705
Add userProfileEnabled attribute to realm response if admin can view users
...
closes https://github.com/keycloak/keycloak/issues/19093
2023-10-30 07:39:03 -07:00
Alice
69497382d8
Group scalability upgrades ( #22700 )
...
closes #22372
Co-authored-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com>
Co-authored-by: Michal Hajas <mhajas@redhat.com>
2023-10-26 16:50:45 +02:00
Hynek Mlnarik
2c4d58f5af
Fix KcOidcBrokerTransientSessionsTest
...
Closes : #24313
2023-10-26 14:36:01 +02:00
rmartinc
faf398e3c3
Add openapi annotations to the UserProfileResource
...
Closes https://github.com/keycloak/keycloak/issues/9318
2023-10-25 07:44:24 -07:00
Hynek Mlnarik
a668c2cb2b
Support for transient brokering in admin console
...
Part-of: Add support for not importing brokered user into Keycloak database
Closes : #11334
2023-10-25 12:02:35 +02:00
Hynek Mlnarik
26328a7c1e
Support for transient sessions via lightweight users
...
Part-of: Add support for not importing brokered user into Keycloak database
Closes : #11334
2023-10-25 12:02:35 +02:00
ggraziano
84112f57b5
Verification of iss at refresh token request
...
Added iss checking using the existing TokenVerifier.RealmUrlCheck in the verifyRefreshToken method.
Closes #22191
2023-10-24 23:42:11 +02:00
Marek Posolda
1bd6aca629
Remove RegistrationProfile class and handle migration ( #24215 )
...
closes #24182
Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com>
2023-10-24 20:19:33 +02:00
Thomas Darimont
e567210ed1
Add dedicated feature flag for oauth device grant flow ( #23892 )
...
Closes #23891
2023-10-24 10:09:26 +02:00
Erik Jan de Wit
e4632c9e78
move to theme resource
2023-10-23 15:17:18 -07:00
Erik Jan de Wit
f3d387172e
changed to realm, because that is the source
2023-10-23 15:17:18 -07:00
Erik Jan de Wit
0f878566ab
add new locale endpoint that returns the messages
2023-10-23 15:17:18 -07:00
vramik
a0f04fa2be
Declarative User Profile export
...
Closes #12062
Resolves #20885
2023-10-21 19:21:20 +02:00
Pedro Igor
e47389f199
Username now shown when creating a user and edit username is not allowed
...
Closes #24183
2023-10-20 10:22:31 -07:00
Pedro Igor
55a5a8c0eb
Ignore custom attributes when processing attributes in verify profile action
...
Closes #24077
2023-10-20 17:51:40 +02:00
mposolda
c18e8ff535
User profile tweaks in registration forms
...
closes #24024
2023-10-20 06:31:21 -07:00
kaustubh-rh
1ac2c0997d
Inconsistent handling of parenthesis in auth flow name ( #24113 )
...
closes #16379
2023-10-20 10:00:46 +02:00
mposolda
04777299b0
After tab1 finish authentication, make sure that rootAuthenticationSession is expired shortly
...
closes #23880
2023-10-19 19:23:50 +02:00
Andrew
77c3e7190c
updates to method contracts and code impl to be more specific about providerAlias ( #24070 )
...
closes #24072
2023-10-18 08:33:06 +02:00
Pedro Igor
e91a0afca2
The username in account is required and don't change when email as username is enabled
...
Closes #23976
2023-10-17 16:43:44 -03:00
shigeyuki kabano
6112b25648
Enhancing Light Weight Token( #22148 )
...
Closes #21183
2023-10-17 13:12:36 +02:00
Pedro Igor
9c19a8972b
Removing the default cache metadata
...
Closes #23910
2023-10-13 16:32:55 +02:00
Charley Wu
31759f9c37
WebAuthn support for native applications. Support custom FIDO2 origin validation ( #23156 )
...
Closes #23155
2023-10-13 15:25:10 +02:00
Moritz Becker
e9f08b6500
Do not return empty scope field in token introspection response
...
Closes #16526
2023-10-13 08:36:12 +02:00
duckboy81
197b39492e
Update TokenManager.java
...
Fixed minor spelling typos
2023-10-12 14:56:24 +02:00
ici-dev-gb
32b373f05f
Don't use top-level await
for storage access checks ( #23793 )
...
Closes #23743
2023-10-12 09:28:01 +00:00
Vojtěch Boček
8871983b33
Add support for single-tenant mode to Microsoft Identity Provider ( #20699 )
...
* Add support for single-tenant mode to Microsoft Identity Provider
Fixes #20695
Closes #11207
* Add SocialLoginTest for Microsoft single-tenant variant
2023-10-10 16:35:36 -04:00
Marek Posolda
a6609bd969
Remove "You are already logged in" during authentication. Make other browser tabs to authenticate automatically when some browser tab successfully authenticate ( #23517 )
...
Closes #12406
Co-authored-by: Jon Koops <jonkoops@gmail.com>
2023-10-10 21:54:37 +02:00
Pedro Igor
7385ed56c7
Avoid creating the component when there is no component and configuration is not provided
...
Closes #20970
Co-authored-by: Pedro Igor <psilva@redhat.com>
2023-10-10 13:28:48 +02:00
Daniel Fesenmeyer
dd37e02140
Improve logging in case of OIDC Identity provider errors:
...
- log the full Redirection URL, when it contains an error parameter, or does not contain the state or code parameter
- log the token endpoint URL (without - possibly confidential - params) and the response body, when the token endpoint does not return a success response
Closes #23690
2023-10-06 19:03:41 +02:00
mposolda
cdb61215c9
UserProfileContext.ACCOUNT_OLD seems to be obsolete and not needed
...
closes #23749
2023-10-06 11:27:48 -03:00
Pedro Igor
290bee0787
Resolve several usability issues around User Profile ( #23537 )
...
Closes #23507 , #23584 , #23740 , #23774
Co-authored-by: Jon Koops <jonkoops@gmail.com>
2023-10-06 10:15:39 -03:00
rmartinc
890600c33c
Remove backward compatibility for ECDSA tokens
...
Closes https://github.com/keycloak/keycloak/issues/23734
2023-10-06 14:24:48 +02:00
Garth
2dfbbff343
added AccountResource SPI, Provider and ProviderFactory. ( #22317 )
...
Added AccountResource SPI, Provider and ProviderFactory. updated AccountLoader to load provider(s) and check if it is compatible with the chosen theme.
2023-10-05 15:08:01 +02:00
Justin Tay
55751a0830
Fix client assertion with invalid ES256, ES384, ES512 signatures
...
Closes #23721
2023-10-05 13:07:52 +02:00
Steve Hawkins
fb69936f14
Aligns the logic in the welcome resources
...
as a result the quarkus one can be removed
closes keycloak#23243
2023-09-28 19:33:12 -03:00
Jon Koops
1b6cb7b2a9
Always check storage access before placing test cookie ( #23393 )
2023-09-27 13:38:53 +02:00
Lucas Hedding
de5aa2e74d
Add createTimestamp to REST service ( #23293 )
...
Closes #14009
2023-09-27 13:38:16 +02:00
rmartinc
10c1e3ba6d
Client roles should be mapped to any claim name
...
Closes https://github.com/keycloak/keycloak/issues/22349
2023-09-27 08:11:22 -03:00
rmartinc
d90640b5a3
Change email checkserveridentity prop as angus mail sets it to true by default
...
Closes https://github.com/keycloak/keycloak/issues/22395
2023-09-26 09:11:16 +02:00
Maria Arias de Reyna
c15753266f
fix( Closes #21236 ): Adding client-id to logout event
2023-09-25 13:20:26 +02:00
Pedro Igor
741f76887c
Allow updating email when email as username is set and edit username disabed
...
#23438
2023-09-25 08:19:01 -03:00
Michal Hajas
496c5ad989
Use new findGroupByPath implementation and remove the old one
...
Closes #23344
Signed-off-by: Michal Hajas <mhajas@redhat.com>
2023-09-25 10:44:24 +02:00
Justin Tay
7d3104ee76
Allow public clients to use PAR endpoint
...
Closes #8939
2023-09-21 13:57:42 +02:00
rmartinc
082b0ed308
verifyRedirectUri should return null when the passed redirectUri is invalid
...
Closes https://github.com/keycloak/keycloak/issues/22778
2023-09-21 08:19:00 +02:00
rmartinc
f8a9e0134a
Ensure that the EncryptedKey is passed to the DecryptionKeyLocator for SAML
...
Closes https://github.com/keycloak/keycloak/issues/22974
2023-09-20 15:09:18 +02:00
Jon Koops
e86bf1f0b2
Remove P3P
header from authentication flow
...
Closes #23348
2023-09-19 08:50:33 -03:00
rmartinc
743bb696d9
Allow duplicated keys in advanced claim mappers
...
Closes https://github.com/keycloak/keycloak/issues/22638
2023-09-19 07:49:34 -03:00
Pedro Igor
217a09ce46
Switch to Resteasy Reactive
...
Closes #10713
2023-09-18 09:19:03 -03:00
Thomas Darimont
04d16ed170
Prevent NPE in AuthenticationManager.backchannelLogout ( #23306 )
...
Previously, if the user was already removed from the userSession
and the log level was set to DEBUG, then an NPE was triggered by
the debug log statement during backchannelLogout.
Fixes #23306
2023-09-18 08:16:51 +02:00
paul
f684a70048
KEYCLOAK-15985 Add Brute Force Detection Lockout Event
2023-09-15 10:32:07 -03:00
Pedro Igor
1442f14c45
Registration page not showing username when edit username is not enabled
...
Closes #23185
2023-09-14 07:32:39 -03:00
Justin Tay
658c0ef19f
Send Client ID in token request with JWT Authentication
...
Closes #21444
2023-09-14 10:57:32 +02:00
Pedro Igor
5958c7948d
Ignore attributes when they are not prefixed with user.attributes prefix ( #23184 )
...
Co-authored-by: mposolda <mposolda@gmail.com>
Co-authored-by: stianst <stianst@gmail.com>
2023-09-14 10:35:47 +02:00
Daniel Fesenmeyer
a68ad55a37
Support to define compatible mappers for (new) Identity Providers
...
- Also allows to use existing mappers for custom Identity Providers without having to change those mappers
Closes #21154
2023-09-13 17:19:06 -03:00
Konstantinos Georgilakis
0044472f87
Add regex support in 'Condition - User attribute' execution
...
Closes #265
2023-09-13 08:36:45 +02:00
Erik Jan de Wit
0789d3c1cc
better features overview ( #22641 )
...
Closes #17733
2023-09-12 16:03:13 +02:00
Thomas Darimont
3908537254
Show expiration date for certificates in Admin Console ( #23025 )
...
Closes #17743
2023-09-12 07:56:09 -04:00
Marek Posolda
56b94148a0
Remove bearer-only occurences in the documentation when possible. Mak… ( #23148 )
...
closes #23066
Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com>
2023-09-12 09:38:19 +02:00
Erik Jan de Wit
c7dcef7af8
fixed permissions for locale fetch ( #23078 )
...
fixes : #23065
2023-09-11 15:00:40 -04:00
Adeel Ahmad
4f90124612
Print 'key' in ReadOnlyAttributeUnchangedValidator failure log message
...
This change is quite useful for debugging and helps identify which specific attribute makes the update fail. Currently, the full pattern is printed which consists of multiple attributes.
2023-09-11 10:45:08 -03:00
kaustubh-rh
62927433dc
Fix for Keycloak 22.0.1 unable to create user with long email address ( #23109 )
...
Closes #22825
2023-09-11 08:56:13 +02:00
rmartinc
7da52a43bd
Add old LinkedIn provider to the deprecated profile
...
Closes https://github.com/keycloak/keycloak/issues/23067
2023-09-08 10:05:17 +02:00
Marek Posolda
506e2537ac
Registration flow fixed ( #23064 )
...
Closes #21514
Co-authored-by: Vilmos Nagy <vilmos.nagy@outlook.com>
Co-authored-by: Alexander Schwartz <aschwart@redhat.com>
Co-authored-by: Marek Posolda <mposolda@gmail.com>
2023-09-08 08:05:05 +02:00
Pedro Igor
bc31fde4c0
Broker claim mapper not recognizing claims from user info endpoint
...
Closes #12137
2023-09-07 16:34:45 +02:00
stianst
211c027adb
Remove use of Guava in services
...
Closes #23009
2023-09-07 08:59:02 +02:00
Kaustubh B
5ee2ba9372
Added tests
2023-09-07 08:43:35 +02:00
Kaustubh B
c57e775102
Fixed Regex
2023-09-07 08:43:35 +02:00
rmartinc
8887be7887
Add a new identity provider for LinkedIn based on OIDC
...
Closes https://github.com/keycloak/keycloak/issues/22383
2023-09-06 16:13:31 +02:00
Pedro Igor
13e5a02b9f
Role mappers must return a single value when they are not multivalued
...
Closes #20218
2023-08-31 19:16:12 +02:00
Pedro Igor
ea3225a6e1
Decoupling legacy and dynamic user profiles and exposing metadata from admin api
...
Closes #22532
Co-authored-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
2023-08-29 08:14:47 -03:00
Pedro Igor
b779df6a55
Parsing response from user info rather than the access token
...
Closes #22581
2023-08-29 12:23:56 +02:00
rmartinc
b67ede2a30
RedirectUtils needs to use KeycloakUriBuilder with no parameter parsing
...
Closes https://github.com/keycloak/keycloak/issues/22424
2023-08-17 09:11:08 +02:00
Erik Jan de Wit
b4650b7742
use logged in realm as default ( #22460 )
2023-08-16 14:29:07 -04:00
t0xicCode
822c13ff6f
Switch Trusted Host policy redirect verification to URI
...
Switch parsing of the redirect URIs for the Trusted Host Client Registration Policy from URL to URI.
The java URL class tries to instantiate a handler for the scheme, which fails when a "custom" scheme, such as those used in phone apps is used.
In contrast, the URI class simply parses the string, ensuring the format is valid.
The other URLs (baseUrl, rootUrl, adminUrl) are still parsed as URLs.
See https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata for the Client Registration parameter documentation.
Closes #22309
2023-08-14 10:20:23 +02:00
Pedro Igor
baac060eb1
Fixing how e-mail attribute permissions are set for both USER_API and ACCOUNT contexts
...
Closes #21751
2023-08-11 13:32:16 +02:00
Erik Jan de Wit
874d2063b8
only add realm access to the current realm ( #21554 )
...
fixes : #21553
2023-08-10 12:43:15 +02:00
Takashi Norimatsu
258711ef4f
DPoP verification in UserInfo endpoint
...
closes #22215
2023-08-07 10:49:33 +02:00
Takashi Norimatsu
9d0960d405
Using DPoP token type in the access-token and as token_type in introspection response
...
closes #21919
2023-08-07 10:40:18 +02:00