Commit graph

4840 commits

Author SHA1 Message Date
Gilvan Filho
c4005d29f0 add linear strategy to brute force
closes #25917

Signed-off-by: Gilvan Filho <gilvan.sfilho@gmail.com>
2024-10-22 10:33:22 -03:00
rmartinc
6d52520730 Load client keys using SubjectPublicKeyInfo and upload jwks type into the jwks attributes for OIDC ones
Closes #33820

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-10-22 14:24:15 +02:00
Ricardo Martin
a84a2c2ac2
Change order of absolute path and normalize in the theme folder (#34153)
Closes #34028

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-10-22 09:53:30 +02:00
Stefan Guilhen
b03ce0047c Add explicit getter method for organizations in RealmAdminResource
- makes OrganizationsResource reachable to OpenAPI generator

Closes #30832

Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2024-10-21 15:55:06 -03:00
rmartinc
2004467749 Check alias is unique for authenticator config when it is created
Closes #31727

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-10-21 15:25:32 +02:00
Simon Levermann
dcf1d83199
Enable enforcement of a minimum ACR at the client level (#16884) (#33205)
closes #16884 

Signed-off-by: Simon Levermann <github@simon.slevermann.de>
2024-10-21 13:54:02 +02:00
Pedro Igor
3a9bab35b6 Fixing action token lifespan information in the invitation email
Closes #34049

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-10-18 09:10:14 +02:00
Pedro Igor
d1dba15964 Do not show domain match message in the identity-first login when no login hint is provided
Closes #34069

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-10-18 09:05:27 +02:00
Pedro Igor
ee38d551ce Respect the locale set to a user when redering verify email pages
Closes #34063

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-10-18 09:04:38 +02:00
Stefan Guilhen
7d8ff710c2 Invalidate user session when associated IdP is missing (previously removed)
Closes #31724

Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2024-10-17 16:30:51 -03:00
Krzysztof Szafrański
731274f39e Fix errors when code, clientId, or tabId are null
Calling parseSessionCode inside the try-catch would result in
ErrorPageException thrown by redirectToErrorPage being caught and
re-reported, resulting in one log entry with `invalidRequestMessage`
and another one with `unexpectedErrorHandlingRequestMessage`.

Additionally, one of ErrorPageException constructors didn't pass the
status to super(), resulting in the logger error message being
"HTTP 500 Internal Server Error" even though the status was actually
something else, like 400. I noticed that ErrorPageException can be
simplified by just passing the response to super(), which is one way of
fixing the problem.

Closes #33232

Signed-off-by: Krzysztof Szafrański <k.p.szafranski@gmail.com>
2024-10-17 14:37:40 -03:00
Pascal Knüppel
41ee68611f
Allow to create EC certificates if new EC-key-provider is created (#31843)
Closes #31842

Signed-off-by: Pascal Knüppel <pascal.knueppel@governikus.de>
2024-10-17 16:05:59 +02:00
Thomas Darimont
f99c5f6df3 Ensure referrer and referrer_uri params are carried over to account-console
Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
2024-10-17 07:53:20 -03:00
Thomas Darimont
40bdc902f0 Use account-console client for server-side auth check
Also generate PKCE verifier and use challenge parameters

Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
2024-10-17 07:53:20 -03:00
Thomas Darimont
729417b20a Use account-console client for server-side auth check
- Also generate PKCE verifier and use challenge parameters

Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
2024-10-17 07:53:20 -03:00
Thomas Darimont
c400eff9b0 Account console backend should redirect to login on missing auth (#31469)
Adapted the login redirect logic from the old account console.

Fixes #31469

Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
2024-10-17 07:53:20 -03:00
rmartinc
13655007a6 Remove online session for offline access in direct access grants and client credentials
Closes #32650

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-10-17 10:49:05 +02:00
Martin Kanis
8fb5ecaa6c Auth not possible for auth session where user was enabled in the meantime
Closes #33883

Signed-off-by: Martin Kanis <mkanis@redhat.com>
2024-10-15 14:28:36 -03:00
Oliver
936cf68050
Fix NPE on whoami with unknown Realm (#33912)
Closes #33907

Signed-off-by: Oliver Cremerius <antikalk@users.noreply.github.com>
2024-10-15 08:22:59 +02:00
mposolda
43c55e0211 Improving documentation for AuthenticationManagementResource.addExecutionFlow
closes #32610

Signed-off-by: mposolda <mposolda@gmail.com>
2024-10-14 15:46:44 +02:00
Jon Koops
008faf44cf Check if deviceRepresentation is set
Closes #33814

Signed-off-by: Jon Koops <jonkoops@gmail.com>
2024-10-11 16:02:20 +02:00
rmartinc
7e5734fd48 Fix incorrect filter in docker protocol
Closes #33776

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-10-11 08:58:18 +02:00
Pedro Igor
9a3d81c23e Only process organization selection when the user is identified
Closes #33699

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-10-10 16:24:25 +02:00
rmartinc
a74e60f4d7 Check email with ignorecase when setting basic attributes in IdP
Closes #31848

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-10-10 09:55:58 +02:00
Jon Koops
3930356c21
Treat unencrypted local origins as an insecure context in Safari (#33700)
Closes #33557

Signed-off-by: Jon Koops <jonkoops@gmail.com>
2024-10-09 23:38:03 +02:00
Thomas Darimont
1ef845b31d Only show organization section in account UI of enabled
We now only show organization section in account ui if org support is enabled for realm.

Fixes #33735

Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
2024-10-09 18:15:32 +02:00
Matt Eaton
9f0a348e4c Allow certificate with duplicate principals in truststore.
The previous implementation uses principal as a key for a hashmap storing one certificate per entry. To preserve lookups, the value is now a List of certificates.

Additional logic was added to build certification validation chains using signature verification rather than just principal.

Closes #33125

Signed-off-by: Matt Eaton <git@divinehawk.com>
2024-10-08 12:03:03 +02:00
mposolda
07cf71e818 Better logging when error happens during transaction commit
closes #33275

Signed-off-by: mposolda <mposolda@gmail.com>
2024-10-08 11:14:10 +02:00
Dominik Schlosser
2c9e279213
Make createWebAuthnRegistrationManager protected to allow cutomizations in subclasses (#33639)
closes #33678

Signed-off-by: Dominik Schlosser <dominik.schlosser@gmail.com>
2024-10-08 10:35:27 +02:00
Ricardo Martin
611e6d102e
Create session for the requester client in Token Exchange (#31290)
Closes #31180


Signed-off-by: rmartinc <rmartinc@redhat.com>
Co-authored-by: Marek Posolda <mposolda@gmail.com>
2024-10-08 10:24:10 +02:00
Gilles Etchepareborde
593afbb4e0 This PR intends to always set the event type in order to prevent error when firing an error event.
Closes #30453

Signed-off-by: Gilles Etchepareborde <etchepar@yahoo.fr>
2024-10-08 10:15:53 +02:00
rmartinc
44b1290917 Return next action if the current action is not supported in AIA
Closes #33513

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-10-08 09:54:53 +02:00
Pedro Aguiar
14f14152de
update/fix-typo-to-a-to-a
- Corrected "Map a custom user attribute to a to a SAML attribute." by removing the repeated "to a".

Closes: #33603

Signed-off-by: Pedro Aguiar <contact@codespearhead.com>
2024-10-04 19:44:43 +00:00
Steven Hawkins
cb3954fc7b
fix: ensuring placeholders can be used with --import-realm (#33589)
closes: #33578

Signed-off-by: Steve Hawkins <shawkins@redhat.com>
2024-10-04 16:59:55 +00:00
mposolda
c8ca0462a4 Prevent multiple logout confirmation actions
closes #32435

Signed-off-by: mposolda <mposolda@gmail.com>
2024-10-03 15:31:55 +02:00
Maksim Zvankovich
35eba8be8c Add option to include the organization id in the organization claims
Closes #32746

Signed-off-by: Maksim Zvankovich <m.zvankovich@nexovagroup.eu>
Co-authored-by: Stefan Guilhen <sguilhen@redhat.com>
2024-10-03 08:11:36 -03:00
Jon Koops
aacdf80664
Add shim for Web Crypto API to admin and account console (#33480)
Closes #33330

Signed-off-by: Jon Koops <jonkoops@gmail.com>
2024-10-03 10:51:23 +00:00
Erik Jan de Wit
e8d8de8936
Use feature versions for admin3, account3, and login2 (#33458)
Closes #33405

Signed-off-by: stianst <stianst@gmail.com>
2024-10-03 12:09:36 +02:00
Stian Thorgersen
6092524d79
Fix theme resource loading on Windows, and enable additional test in jdk-integration-tests (#33512)
Closes #33508

Signed-off-by: stianst <stianst@gmail.com>
2024-10-03 11:37:49 +02:00
vramik
c1653448f3 [Organizations] Allow orgs to define the redirect URL after user registers or accepts invitation link
Closes #33201

Signed-off-by: vramik <vramik@redhat.com>
2024-10-02 07:37:48 -03:00
Ricardo Martin
6e471a8477
Add the nonce attribute when the client session context is recreated (#33422)
Closes #33355


Signed-off-by: rmartinc <rmartinc@redhat.com>
Co-authored-by: Tomas Kralik <tomas.kralik@pbktechnology.cz>
2024-10-02 09:44:25 +02:00
Pedro Igor
ef48a3a360 Avoid running org related code if there are no orgs in a realm
Closes #33424

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-10-02 09:39:25 +02:00
Giuseppe Graziano
b46fab2308 Remove root auth session after backchannel logout
Closes #32197

Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
2024-10-01 11:56:57 +02:00
mposolda
e582a17a7c Fix client-attributes condition configuration
closes #33390

Signed-off-by: mposolda <mposolda@gmail.com>
2024-10-01 10:12:28 +02:00
Stian Thorgersen
4a2fbf5339
Refactor loading of theme resources (#33326)
Closes #33325

Signed-off-by: stianst <stianst@gmail.com>
2024-10-01 08:02:05 +02:00
Alexander Schwartz
5c503a55e9 Optimize caching and use of DB connections when Organisations are enabled
Closes #33353

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
2024-09-30 18:35:45 -03:00
rmartinc
8bbae59b60 Add LOGIN_WEBAUTHN as possible initial login page for locale bean
Closes #33336

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-09-30 18:59:39 +02:00
Steven Hawkins
5d99d91818
fix: allows for the detection of a master realm with --import-realms (#32914)
also moving initial bootstrapping after import

closes: #32689

Signed-off-by: Steven Hawkins <shawkins@redhat.com>
Co-authored-by: Martin Bartoš <mabartos@redhat.com>
2024-09-30 14:40:16 +02:00
Steven Hawkins
f1a7a4804e
fix: adds additional info / warnings to hostname v2 (#33261)
* fix: adds additional info / warnings to hostname v2

closes: #24815

Signed-off-by: Steve Hawkins <shawkins@redhat.com>

* refining the proxy-headers language from #33209

Signed-off-by: Steve Hawkins <shawkins@redhat.com>

* adding hostname-strict-https

Signed-off-by: Steve Hawkins <shawkins@redhat.com>

* moving removed property check to the quarkus side

Signed-off-by: Steve Hawkins <shawkins@redhat.com>

* Update quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/configuration/mappers/HostnameV2PropertyMappers.java

Co-authored-by: Martin Bartoš <mabartos@redhat.com>
Signed-off-by: Steven Hawkins <shawkins@redhat.com>

* Update docs/guides/server/hostname.adoc

Signed-off-by: Steven Hawkins <shawkins@redhat.com>

---------

Signed-off-by: Steve Hawkins <shawkins@redhat.com>
Signed-off-by: Steven Hawkins <shawkins@redhat.com>
Co-authored-by: Martin Bartoš <mabartos@redhat.com>
2024-09-28 08:48:09 +00:00
Steven Hawkins
9064d5159a
fix: validate that a full hostname url is expected (#33348)
closes: #33347

Signed-off-by: Steve Hawkins <shawkins@redhat.com>
2024-09-27 13:57:14 +00:00