libre.sh/keycloak-scim
2
0
Fork 0
Code Issues 14 Pull requests Releases Packages Activity Actions 6
25978 commits 4 branches 5 tags 480 MiB
Commit graph

6905 commits

Author SHA1 Message Date
Pedro Igor
bbb83236f5 Do not lower-case the username from the IdP when creating the federated identity 
Closes #28495

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
 2024-05-29 01:58:20 -03:00
Alexander Schwartz
46f0da43da Instead of the test blocking for an unknown reason, specify a timeout 
Closes #29528

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
 2024-05-28 21:06:49 +02:00
Stefan Guilhen
694ffaf289 Allow organizations in different realms to have the same domain 
Closes #29886

Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
 2024-05-28 08:02:30 -03:00
Francis Pouatcha
4317a474d1
JWT VC Issuer Metadata /.well-known/jwt-vc-issuer to comply with SD-JWT VC Specification (#29635) 
closes #29634 

Signed-off-by: Francis Pouatcha <francis.pouatcha@adorsys.com>


Co-authored-by: DYLANE BENGONO <85441363+bengo237@users.noreply.github.com>
 2024-05-28 12:51:56 +02:00
Yutaka Obuchi
68d9dcecb5
Supporting OID4VCI AuthZCode flow: (#29685) 
closes #29724

Signed-off-by: Yutaka Obuchi <yutaka.obuchi.sd@hitachi.com>


Co-authored-by: Yutaka Obuchi <yutaka.obuchi.sd@hitachi.com>
Co-authored-by: Francis Pouatcha <francis.pouatcha@adorsys.com>
 2024-05-28 12:29:31 +02:00
Martin Bartoš
d396dfed6a
Upgrade old Keycloak version for DB migration tests (#29884) 
Closes #29883

Signed-off-by: Martin Bartoš <mabartos@redhat.com>
 2024-05-28 11:32:31 +02:00
Jon Koops
66ef3bf2d7
Remove Opera from supported web drivers (#29903) 
Signed-off-by: Jon Koops <jonkoops@gmail.com>
 2024-05-28 09:01:40 +00:00
Douglas Palmer
b9c04bb8bc Refactor PolicyEnforcer tests to remove dependency on keycloak-adapter-core and remove keycloak-adapter-core 
Closes #29189
Closes #28791

Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
 2024-05-27 15:00:13 -03:00
Stefan Wiedemann
5a68056f2a
Fix oid4vc mappers 
Closes #29805

Signed-off-by: Stefan Wiedemann <wistefan@googlemail.com>
 2024-05-27 11:28:46 +02:00
mposolda
ea1cdc10bd MigrateTo25_0_0 does not complete within default transaction timeout 
closes #29756

Signed-off-by: mposolda <mposolda@gmail.com>
 2024-05-27 10:31:39 +02:00
Pedro Igor
2d4d32764c Show a message when confirming an invitation link 
Closes #29794

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
 2024-05-27 08:33:22 +02:00
rmartinc
b258b459d7 Generate RESTART_AUTHENTICATION event on success 
Closes #29385

Signed-off-by: rmartinc <rmartinc@redhat.com>
 2024-05-23 19:08:22 +02:00
vramik
0508d279f7 Filter empty domains from OrganizationsRepresentation before running validation 
Closes #29809

Signed-off-by: vramik <vramik@redhat.com>
 2024-05-23 09:53:51 -03:00
Marek Posolda
2efc163b89
Entry 999.0.0 in MIGRATION_MODEL prevents future migrations of the database 
Closes #27941

Signed-off-by: mposolda <mposolda@gmail.com>
 2024-05-23 12:00:18 +00:00
Daniel Fesenmeyer
c08621fa63 Always order required actions by priority (regardless of context) 
- AuthenticationManager#actionRequired: make sure that the highest prioritized required action is performed first, possibly before the currently requested required action
- AuthenticationManager#nextRequiredAction: make sure that the next action is requested via URL, also based on highest priority (-> requested URL will match actually performed action, unless required actions for the user are changed by a parallel operation)
- add tests to RequiredActionPriorityTest, add helper method for priority setup to ApiUtil (for easier and more robust setup than up-to-now)
- fix test WebAuthnRegisterAndLoginTest - which failed because WebAuthnRegisterFactory (prio 70) is now executed before WebAuthnPasswordlessRegisterFactory (prio 80)

Closes #16873

Signed-off-by: Daniel Fesenmeyer <daniel.fesenmeyer@bosch.com>
 2024-05-23 09:07:56 +02:00
Thomas Darimont
ab376d9101 Make required actions configurable (#28400) 
- Add tests for crud operations on configurable required actions
- Add support exposing the required action configuration via RequiredActionContext
- Make configSaveError message reusable in other contexts
- Introduced admin-ui specific endpoint for retrieving required actions with config metadata

Fixes #28400

Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
Co-authored-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
 2024-05-23 08:38:36 +02:00
vramik
278341aff9 Add organizations enabled/disabled capability 
Closes #28804

Signed-off-by: vramik <vramik@redhat.com>
 2024-05-22 07:58:26 -03:00
Alexander Schwartz
80de3a0a71
Allow migration of non-persistent sessions to persistent sessions 
Closes #29375

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
 2024-05-22 10:30:46 +02:00
Francis Pouatcha
542fc65923
Issue 29627: Expose Authorization Server Metadata Endpoint under /.well-known/oauth-authorization-server to comply with rfc8414 (#29628) 
closes #29627 

Signed-off-by: Francis Pouatcha <francis.pouatcha@adorsys.com>
Signed-off-by: Takashi Norimatsu <takashi.norimatsu.ws@hitachi.com>


Co-authored-by: Takashi Norimatsu <takashi.norimatsu.ws@hitachi.com>
 2024-05-22 10:30:34 +02:00
rmartinc
f7044ba5c2 Use SessionExpirationUtils for validate user and client sessions 
Check client session is valid in TokenManager
Closes #24936

Signed-off-by: rmartinc <rmartinc@redhat.com>
 2024-05-22 10:12:20 +02:00
Case Walker
f32cd91792 Upgrade owasp-java-html-sanitizer, address all fallout 
Signed-off-by: Case Walker <case.b.walker@gmail.com>
 2024-05-22 09:15:25 +02:00
Raffaele Lucca
a5a55dc66e
Protocol now is mandatory during client scope creation. (#29544) 
closes #29027

Signed-off-by: raff897 <85362193+raff897@users.noreply.github.com>
 2024-05-22 09:10:46 +02:00
Patrick Jennings
84acc953dd
Client type OIDC base read only defaults (#29706) 
closes #29742
closes #29422

Signed-off-by: Patrick Jennings <pajennin@redhat.com>
 2024-05-22 09:07:19 +02:00
Pedro Igor
b019cf6129 Support unmanaged attributes for service accounts and make sure they are only managed through the admin api 
Closes #29362

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
 2024-05-21 16:56:18 -03:00
Martin Kanis
97cd5f3b8d Provide an additional endpoint to allow sending both invitation and registration links depending on the email being associated with an user or not 
Closes #29482

Signed-off-by: Martin Kanis <mkanis@redhat.com>
 2024-05-21 12:29:10 -03:00
rmartinc
3304540855 Allow admin console whoami endpoint to applications that have a special attribute 
Closes #29640

Signed-off-by: rmartinc <rmartinc@redhat.com>
 2024-05-20 09:51:07 +02:00
Stefan Guilhen
1aab371912 Fix errors when importing realms with the organization feature enabled 
Closes #29630

Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
 2024-05-17 07:25:31 -03:00
Ricardo Martin
74a80997c7
Fix CRL verification failing due to client cert not being in chain (#29582) 
closes #19853

Signed-off-by: Micah Algard <micahalgard@gmail.com>
Signed-off-by: rmartinc <rmartinc@redhat.com>


Co-authored-by: Micah Algard <micahalgard@gmail.com>
Co-authored-by: rmartinc <rmartinc@redhat.com>
 2024-05-17 11:28:07 +02:00
Dimitri Papadopoulos Orfanos
64a145e960
Fix user-facing typos in error messages (#29326) 
Update resource file and tests accordingly

Signed-off-by: Dimitri Papadopoulos <3234522+DimitriPapadopoulos@users.noreply.github.com>
 2024-05-16 09:55:41 +02:00
Takashi Norimatsu
b4e7d9b1aa
Passkeys: Supporting WebAuthn Conditional UI (#24305) 
closes #24264

Signed-off-by: Takashi Norimatsu <takashi.norimatsu.ws@hitachi.com>
Signed-off-by: mposolda <mposolda@gmail.com>


Co-authored-by: mposolda <mposolda@gmail.com>
 2024-05-16 07:58:43 +02:00
rmartinc
89d7108558 Restrict access to whoami endpoint for the admin console and users with realm access 
Closes #25219

Signed-off-by: rmartinc <rmartinc@redhat.com>
 2024-05-15 19:06:57 +02:00
Stefan Guilhen
c4760b8188 Ensure that IDP's linked domains are remove when org is deleted or when the domain is removed from the org. 
Closes #29481

Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
 2024-05-14 15:39:18 -03:00
Martin Kanis
3985157f9f Make sure operations on a organization are based on realm they belong to 
Closes #28841

Signed-off-by: Martin Kanis <mkanis@redhat.com>
 2024-05-14 10:47:39 -03:00
Pedro Igor
b4d231fd40 Fixing realm removal when removing groups and brokers associated with an organization 
Closes #29495

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
 2024-05-14 14:29:27 +02:00
Pedro Igor
b5a854b68e
Minor improvements to invitation email templates (#29498) 
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
 2024-05-14 13:19:02 +02:00
Pedro Igor
1b583a1bab Email validation for managed members should only fail if it does not match the domain set to a broker 
Closes #29460

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
 2024-05-14 10:46:22 +02:00
mposolda
d8a7773947 Adding dummyHash to DirectGrant request in case user does not exists. Fix dummyHash for normal login requests 
closes #12298

Signed-off-by: mposolda <mposolda@gmail.com>
 2024-05-13 16:33:29 +02:00
kaustubh-rh
8a82b6b587
Added a check in ClientInitialAccessResource (#29353) 
closes #29311

Signed-off-by: Kaustubh Bawankar <kbawanka@redhat.com>
 2024-05-13 13:00:36 +02:00
rmartinc
2cc051346d Allow empty CSP header in headers provider 
Closes #29458

Signed-off-by: rmartinc <rmartinc@redhat.com>
 2024-05-13 10:51:31 +02:00
Alexander Schwartz
6cc8d653f3 Make SessionWrapper related fields immutable that are part of the equals method 
The cache replace logic depends on it, as values returned by reference from a local cache must never be modified on those critical fields directly.

Closes #28906

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
 2024-05-13 09:59:50 +02:00
Giuseppe Graziano
d735668fcd Fix test failures after @DisableFeature 
Closes #29253

Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
 2024-05-13 08:20:54 +02:00
Pedro Igor
b50d481b10 Make sure organization groups can not be managed but when managing an organization 
Closes #29431

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
 2024-05-10 21:28:11 -03:00
Stefan Guilhen
f0620353a4 Ensure master realm can't be removed 
Closes #28896

Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
 2024-05-10 16:56:18 -03:00
Stefan Guilhen
ceed7bc120 Add ability to search organizations by attribute 
Closes #29411

Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
 2024-05-10 16:45:41 -03:00
Pedro Igor
77b58275ca Improvements to the organization authentication flow 
Closes #29416
Closes #29417
Closes #29418

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
 2024-05-09 16:07:52 -03:00
Pedro Igor
a65508ca13 Simplifying the CORS SPI and the default implementation 
Closes #27646

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
 2024-05-08 12:27:55 -03:00
Pedro Ruivo
cbce548e71 Infinispan 15.0.3.Final 
Closes #29068

Signed-off-by: Pedro Ruivo <pruivo@redhat.com>
 2024-05-08 17:18:39 +02:00
Stefan Guilhen
dde2746595 Improve tests to ensure managed users disabled upon disabling the org can't be updated 
Closes #28891

Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
 2024-05-07 18:11:52 -03:00
Pedro Igor
927ba48f7a Adding tests to cover using SAML brokers in an organization 
Closes #28732

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
 2024-05-07 20:44:38 +02:00
Douglas Palmer
8d628d740e Can we remove undertow OIDC adapter? 
Closes #28788

Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
 2024-05-07 19:47:46 +02:00
Thore
4b194d00be iso-date validator for the user-profile 
Adds a new validator in order to be able to validate user-model fields which should be modified/supplied by a datepicker.

Closes #11757

Signed-off-by: Thore <thore@kruess.xyz>
 2024-05-07 11:42:39 -03:00
Martin Kanis
d4b7e1a7d9 Prevent to manage groups associated with organizations from different APIs 
Closes #28734

Signed-off-by: Martin Kanis <mkanis@redhat.com>
 2024-05-07 11:16:40 -03:00
Pedro Igor
f8bc74d64f Adding SAML protocol mapper to map organization membership 
Closes #28732

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
 2024-05-07 15:52:35 +02:00
Stefan Guilhen
aa945d5636 Add description field to OrganizationEntity 
Closes #29356

Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
 2024-05-07 10:35:51 -03:00
Pedro Igor
c0325c9fdb Do not manage brokers through the Organization API 
Closes #29268

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
 2024-05-07 09:15:25 -03:00
Dinesh Solanki
2172741eb6
Refactor element identifiers from ID to class (#28690) 
Closes #24462

Signed-off-by: Dinesh Solanki <15937452+DineshSolanki@users.noreply.github.com>
 2024-05-07 13:56:21 +02:00
Alice W
d1549a021e Update invitation changes based on review and revert deleted test from OrganizationMembertest 
Signed-off-by: Alice W <105500542+alice-wondered@users.noreply.github.com>
 2024-05-06 17:57:13 -03:00
Pedro Igor
40a283b9e8 Token expiration tests and updates to registration required action 
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
 2024-05-06 17:57:13 -03:00
Pedro Igor
158162fb4f Review tests and having invitation related operations in a separate class 
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
 2024-05-06 17:57:13 -03:00
Pedro Igor
287f3a44ce registration link tests 
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
 2024-05-06 17:57:13 -03:00
Alice W
ce2e83c7f9 Update test and link formation on invite of new user 
Signed-off-by: Alice W <105500542+alice-wondered@users.noreply.github.com>
 2024-05-06 17:57:13 -03:00
Alice W
18356761db Add test for user invite registration and fix minor bug with registration link generation and email templating 
Signed-off-by: Alice W <105500542+alice-wondered@users.noreply.github.com>
 2024-05-06 17:57:13 -03:00
Pedro Igor
e0bdb42d41 adding test and minor updates to cover inviting existing users 
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
 2024-05-06 17:57:13 -03:00
Stefan Guilhen
dae1eada3d Add enabled field to OrganizationEntity 
Closes #28891

Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
 2024-05-06 14:46:56 -03:00
Alexander Schwartz
a9532274e3
Generate translations for locales via built-in Java functionality (#29125) 
Closes #29124

Signed-off-by: Jon Koops <jonkoops@gmail.com>
Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Co-authored-by: Jon Koops <jonkoops@gmail.com>
 2024-05-06 09:30:14 +02:00
Giuseppe Graziano
c6d3e56cda Handle reset password flow with logged in user 
Closes #8887

Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
 2024-05-06 09:10:47 +02:00
Douglas Palmer
00bd6224fa Remove remaining Fuse adapter bits 
Closes #28787

Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
 2024-05-06 09:02:26 +02:00
Michal Hajas
128bba34d3 Remove PERSISTENT_USER_SESSIONS_No_CACHE feature 
Closes #29264

Signed-off-by: Michal Hajas <mhajas@redhat.com>
 2024-05-06 08:53:39 +02:00
Michal Hajas
8b715d3a31 Do not use LastSessionRefreshPersister with persistent user sessions enabled 
Closes #29144

Signed-off-by: Michal Hajas <mhajas@redhat.com>
 2024-05-06 08:49:48 +02:00
Thomas Darimont
ba43a10a6d
Improve details for user error events in OIDC protocol endpoints 
Closes #29166

Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
 2024-05-06 08:32:31 +02:00
Pedro Igor
32d25f43d0 Support for mutiple identity providers 
Closes #28840

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
 2024-05-04 16:19:27 +02:00
Douglas Palmer
051c0197db Remove old-WildFly, EAP 7.4 and 6.4 SAML adapters 
Closes #28785

Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
 2024-05-03 15:39:05 +02:00
Justin Tay
7bd48e9f9f Set logout token type to logout+jwt 
Closes #28939

Signed-off-by: Justin Tay <49700559+justin-tay@users.noreply.github.com>
 2024-05-03 14:51:10 +02:00
Giuseppe Graziano
8c3f7cc6e9 Ignore include in token scope for refresh token 
Closes #12326

Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
 2024-05-03 09:05:03 +02:00
Douglas Palmer
e0176a7e31 Remove Wildfly and EAP OIDC adapters 
Closes #23381

Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
 2024-05-02 20:16:55 +02:00
Steven Hawkins
3b1ca46be2
fix: updating docs around -q parameter (#29151) 
closes: #27877

Signed-off-by: Steve Hawkins <shawkins@redhat.com>
 2024-05-02 16:48:43 +02:00
Stefan Guilhen
45e5e6cbbf Introduce filtered (and paginated) search for organization members 
Closes #28844

Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
 2024-05-02 11:25:43 -03:00
Stefan Wiedemann
3e16af8c0f
Fix oid4vc tests (#29209) 
closes #28982
closes #28983
closes #28984
closes #28985
closes #28986
closes #28987
closes #28988
closes #28989
closes #28990
closes #28991
closes #28992
closes #28993
closes #28994
closes #28995
closes #28996

* only enable/disable features that should

Signed-off-by: Stefan Wiedemann <wistefan@googlemail.com>

* use default profile if nothing is set

Signed-off-by: Stefan Wiedemann <wistefan@googlemail.com>

---------

Signed-off-by: Stefan Wiedemann <wistefan@googlemail.com>
 2024-05-02 10:57:25 +00:00
Patrick Jennings
64824bb77f
Client type service account default type (#29037) 
* Adding additional non-applicable client fields to the default service-account client type configuration.

Signed-off-by: Patrick Jennings <pajennin@redhat.com>

* Creating TypedClientAttribute which maps clientmodel fields to standard client type configurations.

Adding overrides for fields in TypeAwareClientModelDelegate required for
service-account client type.

Signed-off-by: Patrick Jennings <pajennin@redhat.com>

* Splitting client type attribute enum into 3 separate enums, representing
the top level ClientModel fields, the extended attributes through the
client_attributes table, and the composable fields on
ClientRepresentation.

Signed-off-by: Patrick Jennings <pajennin@redhat.com>

* Removing reflection use for client types.

Validation will be done in the RepresentationToModel methods that are responsible for the ClientRepresentation -> ClientModel create and update static methods.

Signed-off-by: Patrick Jennings <pajennin@redhat.com>

More updates

Signed-off-by: Patrick Jennings <pajennin@redhat.com>

* Update client utilzes type aware client property update method.

Signed-off-by: Patrick Jennings <pajennin@redhat.com>

* If user inputted representation object does not contain non-null value, try to get property value from the client. Type aware client model will return non-applicable or default value to keep fields consistent.

Signed-off-by: Patrick Jennings <pajennin@redhat.com>

* Cleaning up RepresentationToModel

Signed-off-by: Patrick Jennings <pajennin@redhat.com>

* Fixing issue when updating client secret.

Signed-off-by: Patrick Jennings <pajennin@redhat.com>

* Fixing issue where created clients would not have fullscope allowed, because getter is a boolean and so cannot be null.

Signed-off-by: Patrick Jennings <pajennin@redhat.com>

* Need to be able to clear out client attributes on update as was allowed before and causing failures in integration tests.

Signed-off-by: Patrick Jennings <pajennin@redhat.com>

* Fixing issues with redirectUri and weborigins defaults in type aware clients.

Signed-off-by: Patrick Jennings <pajennin@redhat.com>

* Need to allow client attributes the ability to clear out values during update.

Signed-off-by: Patrick Jennings <pajennin@redhat.com>

* Renaming interface based on PR feedback.

Signed-off-by: Patrick Jennings <pajennin@redhat.com>

* Shall be able to override URI sets with an empty set.

Signed-off-by: Patrick Jennings <pajennin@redhat.com>

* Comments around fields that are primitive and may cause problems determining whether to set sane default on create.

Signed-off-by: Patrick Jennings <pajennin@redhat.com>

---------

Signed-off-by: Patrick Jennings <pajennin@redhat.com>
 2024-05-02 12:22:02 +02:00
Ricardo Martin
65bdf1a604
Encode realm name in console URIs (#29102) 
Before this fix console uris (including the client redirect uris) did not contain the url encoded realm name and therefore were invalid.

closes #25807

Signed-off-by: Philip Sanetra <code@psanetra.de>
Signed-off-by: rmartinc <rmartinc@redhat.com>


Co-authored-by: Philip Sanetra <code@psanetra.de>
Co-authored-by: rmartinc <rmartinc@redhat.com>
 2024-05-02 10:30:06 +02:00
Michal Hajas
7c427e8d38 Remove offline sessions timeouts adjusters as with persistent session we have bounded caches and it is no longer necessary to adjust time in caches 
Closes #29140
Signed-off-by: Michal Hajas <mhajas@redhat.com>
 2024-04-30 18:03:17 +02:00
Douglas Palmer
8d4d5c1c54 Remove redundant servers from the testsuite 
Closes #29089

Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
 2024-04-30 17:39:32 +02:00
Stefan Guilhen
02e2ebf258 Add check to prevent deserialization issues when the context token is not an AccessTokenResponse. 
- also adds a test for the refresh token on first login scenario.

Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
 2024-04-30 12:02:10 -03:00
Alexander Schwartz
d69872fa11
Batch writes originating from logins/logouts for persistent sessions 
All writes for the sessions are handled by a background thread which batches them.

Closes #28862

Wait for persistent-store to contain update
instead of cache which has the change immediately since it is in memory + introduce new model-test profile

Closes #29141

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Signed-off-by: Michal Hajas <mhajas@redhat.com>
Co-authored-by: Michal Hajas <mhajas@redhat.com>
 2024-04-30 14:07:35 +02:00
rmartinc
8042cd5d4f Set client in the context for docker protocol 
Fix to execute again the docker test
Closes #28649

Signed-off-by: rmartinc <rmartinc@redhat.com>
 2024-04-30 10:17:17 +02:00
Pedro Igor
51352622aa Allow adding realm users as an organization member 
Closes #29023

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
 2024-04-29 08:37:47 -03:00
Jon Koops
a6e2ab5523 Remove jaxrs-oauth-client and OIDC servlet-filter adapters 
Closes #28784

Signed-off-by: Jon Koops <jonkoops@gmail.com>
 2024-04-26 15:56:57 +02:00
Douglas Palmer
cca660067a Remove JAAS login modules 
Closes #28789

Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
 2024-04-26 09:30:35 +02:00
Douglas Palmer
b2f09feebf Remove servlet filter saml adapters 
Closes #28786

Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
 2024-04-26 09:30:35 +02:00
Douglas Palmer
a4a7d023a7 Remove Jetty OIDC adapter 
Closes #28779

Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
 2024-04-26 09:30:35 +02:00
Douglas Palmer
c5dbab2740 Remove Jetty SAML adapter 
Closes #28782

Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
 2024-04-26 09:30:35 +02:00
Douglas Palmer
bf2c97065f Remove SpringBoot adapters 
Closes #28781

Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
 2024-04-26 09:30:35 +02:00
Douglas Palmer
43aa10e091 Remove Tomcat OIDC adapter 
Closes #28778

Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
 2024-04-26 09:30:35 +02:00
Douglas Palmer
98faf6e6a0 Remove Tomcat SAML adapter 
Signed-off-by: Douglas Palmer <dpalmer@redhat.com>

Closes #28783
 2024-04-26 09:30:35 +02:00
Stefan Guilhen
bfabc291cc 28843 - Introduce filtered (and paginated) searches for organizations 
Closes #28843

Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
 2024-04-25 12:38:20 -03:00
Stefan Guilhen
8fa2890f68 28818 - Reintroduce search by name for subgroups 
Closes #28818

Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
 2024-04-25 12:06:07 -03:00
vramik
d65649d5c0 Make sure organization are only manageable by the admin users with the manage-realm role 
Closes #28733

Signed-off-by: vramik <vramik@redhat.com>
 2024-04-23 12:16:57 -03:00
Mark Banierink
ad32896725
replaced and removed deprecated token methods (#27715) 
closes #19671 

Signed-off-by: Mark Banierink <mark.banierink@nedap.com>


Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com>
 2024-04-23 09:23:37 +02:00
mposolda
337a337bf9 Grant urn:ietf:params:oauth:grant-type:pre-authorized_code was enabled even if oid4vc_vci feature is disabled 
closes #28968

Signed-off-by: mposolda <mposolda@gmail.com>
 2024-04-22 18:31:46 +02:00
Ott
975bb6762f Fixed type in invalidPasswordNotContainsUsernameMessage 
Signed-off-by: Ott <ottalexanderdev@gmail.com>
 2024-04-22 08:06:02 -03:00
Douglas Palmer
ed22530d16 Failure reset time is applied to Permanent Lockout 
Closes #28821

Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
 2024-04-22 11:47:22 +02:00
Stefan Wiedemann
b08c644601
Support credentials issuance through oid4vci (#27931) 
closes #25940 

Signed-off-by: Stefan Wiedemann <wistefan@googlemail.com>
 2024-04-22 11:37:55 +02:00
Lex Cao
7e034dbbe0
Add IdpConfirmOverrideLinkAuthenticator to handle duplicate federated identity (#26393) 
Closes #26201.

Signed-off-by: Lex Cao <lexcao@foxmail.com>


Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com>
 2024-04-22 11:30:14 +02:00
etiksouma
1afd20e4c3 return proper error message for admin users endpoint 
closes #28416

Signed-off-by: etiksouma <al@mouskite.com>
 2024-04-20 12:17:53 +02:00
Pedro Ruivo
3e0a185070 Remove deprecated EnvironmentDependentProviderFactory.isSupported method 
Closes #26280

Signed-off-by: Pedro Ruivo <pruivo@redhat.com>
 2024-04-19 16:36:49 +02:00
Giuseppe Graziano
f6071f680a Avoid the same userSessionId after re-authentication 
Closes keycloak/keycloak-private#69

Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
 2024-04-19 14:44:39 +02:00
mposolda
c427e65354 Secondary factor bypass in step-up authentication 
closes #34

Signed-off-by: mposolda <mposolda@gmail.com>
(cherry picked from commit e632c03ec4dbfbb7c74c65b0627027390b2e605d)
 2024-04-19 14:43:53 +02:00
Giuseppe Graziano
897c44bd1f Validation of providerId during required action registration 
Closes #26109

Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
 2024-04-19 13:06:51 +02:00
Joerg Matysiak
76a5a27082 Refactored StripSecretsUtils in order to make it unit-testable, added unit tests for it 
Don't mask secrets at realm export

Closes #21562

Signed-off-by: Joerg Matysiak <joerg.matysiak@bosch.com>
 2024-04-18 18:26:47 -03:00
Pedro Igor
7483bae130 Make sure admin events are not referencing sensitive data from their representation 
Closes #21562

Signed-off-by: Joerg Matysiak <joerg.matysiak@bosch.com>
 2024-04-18 18:26:47 -03:00
Steve Hawkins
0be34d64e7 task: refactor overlap between cli clients 
also repackaging to more clearly delineate code roles

closes: #28329

Signed-off-by: Steve Hawkins <shawkins@redhat.com>
 2024-04-18 17:39:16 -03:00
cgeorgilakis-grnet
89263f5255 Fix refresh token scope in refresh token flow with scope request parameter 
Closes #28463

Signed-off-by: cgeorgilakis-grnet <cgeorgilakis@admin.grnet.gr>
 2024-04-18 16:17:46 -03:00
Ricardo Martin
8daace3f69
Validate Saml URLs inside DefaultClientValidationProvider (#135) (#28873) 
Closes keycloak/keycloak-private#62

Signed-off-by: rmartinc <rmartinc@redhat.com>
 2024-04-18 16:04:13 +02:00
Ricardo Martin
fc6b6f0d94
Perform exact string match if redirect URI contains userinfo, encoded slashes or parent access (#131) (#28872) 
Closes keycloak/keycloak-private#113
Closes keycloak/keycloak-private#134

Signed-off-by: rmartinc <rmartinc@redhat.com>
Co-authored-by: Stian Thorgersen <stianst@gmail.com>
 2024-04-18 16:02:24 +02:00
Douglas Palmer
00d4cab55e Flaky test: org.keycloak.testsuite.forms.ResetPasswordTest#resetPasswordLink 
Closes #21422

Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
 2024-04-18 15:54:30 +02:00
vramik
860f3b7320 Prevent updating IdP via organization API not linked with the organization 
Closes #28833

Signed-off-by: vramik <vramik@redhat.com>
 2024-04-18 09:14:54 -03:00
Stian Thorgersen
0d60e58029
Restrict the token types that can be verified when not using the user info endpoint (#146) (#28866) 
Closes #47

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>

Conflicts:
	core/src/main/java/org/keycloak/util/TokenUtil.java
	testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/ClientTokenExchangeTest.java

Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com>
 2024-04-18 14:11:05 +02:00
Justin Tay
d807093f63 Fix OCSP nonce handling 
Closes #26439

Co-authored-by: Ricardo Martin <rmartinc@redhat.com>
Signed-off-by: Justin Tay <49700559+justin-tay@users.noreply.github.com>
 2024-04-18 09:04:46 +02:00
Pedro Igor
f0f8a88489 Automatically fill username when authenticating to through a broker 
Closes #28848

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
 2024-04-18 08:24:34 +02:00
Pedro Igor
1e3837421e Organization member onboarding using the organization identity provider 
Closes #28273

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
 2024-04-17 07:24:01 -03:00
Alexander Schwartz
13af4f44f5
Defer updates of last session updates and batch them (#28502) 
Defer updates of last session refreshes and batch them

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Signed-off-by: Michal Hajas <mhajas@redhat.com>
Co-authored-by: Michal Hajas <mhajas@redhat.com>
 2024-04-17 09:25:05 +02:00
Pedro Ruivo
2494ad6950 Refactor and remove deprecated Infinispan methods from DefaultInfinispanConnectionProviderFactory 
Closes #28752

Signed-off-by: Pedro Ruivo <pruivo@redhat.com>
 2024-04-16 10:51:57 +02:00
Pedro Ruivo
63cb137b37 Remove usages of EnvironmentDependentProviderFactory.isSupported 
Closes #28751

Signed-off-by: Pedro Ruivo <pruivo@redhat.com>
 2024-04-16 09:43:23 +02:00
Šimon Vacek
0205262c91
Workflow failure: Fuse adapter tests 
Closes: #27021

Signed-off-by: Simon Vacek <simonvacky@email.cz>
 2024-04-15 17:28:16 +02:00
Steven Hawkins
58398d1f69
fix: replaces aesh with picocli (#28276) 
* fix: replaces aesh with picocli

closes: #28275

Signed-off-by: Steve Hawkins <shawkins@redhat.com>

* fix: replaces aesh with picocli

closes: #28275

Signed-off-by: Steve Hawkins <shawkins@redhat.com>

---------

Signed-off-by: Steve Hawkins <shawkins@redhat.com>
 2024-04-15 13:04:58 +00:00
Stefan Guilhen
2ab8bf852d Add validation for the organization's internet domains. 
Closes #28634

Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
 2024-04-15 09:03:52 -03:00
Patrick Jennings
551a3db987 Updating validation logic to match our expectations on what applicable should mean. 
Signed-off-by: Patrick Jennings <pajennin@redhat.com>
 2024-04-15 09:39:34 +02:00
Patrick Jennings
03db2e8b56 Integration tests around client type parameter validation. Throw common ClientTypeException with invalid params requested during client creation/update requests. This gets translated into ErrorResponseException in the Resource handlers. 
Signed-off-by: Patrick Jennings <pajennin@redhat.com>
 2024-04-15 09:39:34 +02:00
Patrick Jennings
9814733dd3 DefaultClientType service will now validate all client type default values and respond with bad request message with the affending parameters that attempt to override readonly in the client type config. 
Signed-off-by: Patrick Jennings <pajennin@redhat.com>
 2024-04-15 09:39:34 +02:00
Patrick Jennings
42202ae45e Translate client type exception during client create into bad request response. 
Signed-off-by: Patrick Jennings <pajennin@redhat.com>
 2024-04-15 09:39:34 +02:00
Giuseppe Graziano
4672366eb9
Simplified checks in IntrospectionEndpoint (#28642) 
Closes #24466

Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>


Co-authored-by: mposolda <mposolda@gmail.com>
 2024-04-12 21:19:04 +02:00
rmartinc
92bcd2645c Retry the login in the SAML adapter if response is authentication_expired 
Closes #28412

Signed-off-by: rmartinc <rmartinc@redhat.com>
 2024-04-12 14:55:31 +02:00
Marek Posolda
e6747bfd23
Adjust priority of SubMapper (#28663) 
closes #28661


Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com>
 2024-04-12 14:13:03 +02:00
Pedro Igor
61b1eec504 Prevent members with an email other than the domain set to an organization 
Closes #28644

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
 2024-04-12 08:33:18 -03:00
Alexander Schwartz
b4cfebd8d5
Persistent sessions code also for offline sessions (#28319) 
Persistent sessions code also for offline sessions

Closes #28318

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
 2024-04-12 13:15:02 +02:00
Martin Bartoš
a3669a6562
Make general cache options runtime (#28542) 
Closes #27549

Signed-off-by: Martin Bartoš <mabartos@redhat.com>
 2024-04-12 11:56:11 +02:00
rmartinc
6d74e6b289 Escape slashes in full group path representation but disabled by default 
Closes #23900

Signed-off-by: rmartinc <rmartinc@redhat.com>
 2024-04-12 10:53:39 +02:00
Stefan Guilhen
e6b9d287af Add null checks after retrieving user from LDAP for validation to prevent NPE when user is removed in LDAP. 
Closes #28523

Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
 2024-04-11 14:29:30 -03:00
rmartinc
d31f128ca2 Fix test IdentityProviderTest#testSamlImportWithAnyEncryptionMethod 
Closes #28577
Closes #28576
Closes #28575

Signed-off-by: rmartinc <rmartinc@redhat.com>
 2024-04-11 18:56:37 +02:00
Steven Hawkins
d059a2af36
task: remove MultiVersionClusterTest (#28520) 
closes: #17483

Signed-off-by: Steve Hawkins <shawkins@redhat.com>
 2024-04-11 14:13:52 +02:00
Martin Bartoš
ad4cbf2a14 OrganizationTest.testAttributes fails in GHA CI 
Fixes #28606

Signed-off-by: Martin Bartoš <mabartos@redhat.com>
 2024-04-11 11:56:43 +02:00
tqe1999
6e0fc8a774
fix integer overflow with explicit cast 
Closes #28564

Signed-off-by: tqe1999 <tqe1999@gmail.com>
 2024-04-11 10:58:44 +02:00
Giuseppe Graziano
33b747286e Changed userId value for refresh token events 
Closes #28567

Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
 2024-04-11 07:46:44 +02:00
Stefan Guilhen
9a466f90ab Add ability to set one or more internet domain to an organization. 
Closed #28274

Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
 2024-04-10 13:18:12 -03:00
devjos
cccddc0810 Fix brute force detection for LDAP read-only users 
Closes #28579

Signed-off-by: devjos <github_11837948@feido.de>
 2024-04-10 16:36:11 +02:00
vramik
00ce3e34bd Manage a single identity provider for an organization 
Closes #28272

Signed-off-by: vramik <vramik@redhat.com>
 2024-04-10 09:47:51 -03:00
Jon Koops
0327787645 Remove legacy Account Console tests 
Signed-off-by: Jon Koops <jonkoops@gmail.com>
 2024-04-10 14:34:56 +02:00
vramik
0826a12ca4 Exclude groovy artefact from testsuite to avoid version collision 
Closes #28555

Signed-off-by: vramik <vramik@redhat.com>
 2024-04-10 09:16:36 -03:00
Martin Kanis
51fa054ba7 Manage organization attributes 
Closes #28253

Signed-off-by: Martin Kanis <mkanis@redhat.com>
 2024-04-10 09:10:49 -03:00
rmartinc
41b706bb6a Initial security profile SPI to integrate default client policies 
Closes #27189

Signed-off-by: rmartinc <rmartinc@redhat.com>
 2024-04-10 11:19:56 +02:00
Giuseppe Graziano
c76cbc94d8 Add sub via protocol mapper to access token 
Closes #21185

Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
 2024-04-10 10:40:42 +02:00
mposolda
aa619f0170 Redirect error to client right-away when browser tab detects that another browser tab authenticated 
closes #27880

Signed-off-by: mposolda <mposolda@gmail.com>
 2024-04-09 17:59:34 +02:00
Konstantinos Georgilakis
a40a953644 SAML element EncryptionMethod can consist any element 
closes #12585

Signed-off-by: cgeorgilakis-grnet <cgeorgilakis@admin.grnet.gr>
 2024-04-09 14:15:56 +02:00
Stian Thorgersen
a499512f35
Set SameSite for all cookies (#28467) 
Closes #28465

Signed-off-by: stianst <stianst@gmail.com>
 2024-04-09 12:29:19 +02:00
Václav Muzikář
e4987f10f5
Hostname SPI v2 (#26345) 
* Hostname SPI v2

Closes: #26084

Signed-off-by: Václav Muzikář <vmuzikar@redhat.com>

* Fix HostnameV2DistTest#testServerFailsToStartWithoutHostnameSpecified

Signed-off-by: Václav Muzikář <vmuzikar@redhat.com>

* Address review comment

Signed-off-by: Václav Muzikář <vmuzikar@redhat.com>

* Partially revert the previous fix

Signed-off-by: Václav Muzikář <vmuzikar@redhat.com>

* Do not polish values

Signed-off-by: Václav Muzikář <vmuzikar@redhat.com>

* Remove filtering of denied categories

Signed-off-by: Václav Muzikář <vmuzikar@redhat.com>

---------

Signed-off-by: Václav Muzikář <vmuzikar@redhat.com>
 2024-04-09 11:25:19 +02:00
vibrown
3fffc5182e Added ClientType implementation from Marek's prototype 
Signed-off-by: vibrown <vibrown@redhat.com>

More updates

Signed-off-by: vibrown <vibrown@redhat.com>

Added client type logic from Marek's prototype

Signed-off-by: vibrown <vibrown@redhat.com>

updates

Signed-off-by: vibrown <vibrown@redhat.com>

updates

Signed-off-by: vibrown <vibrown@redhat.com>

updates

Signed-off-by: vibrown <vibrown@redhat.com>

Testing to see if skipRestart was cause of test failures in MR
 2024-04-08 20:20:37 +02:00
Pedro Igor
52ba9b4b7f Make sure attribute metadata from user storage providers are added only for the provider associated with a federated user 
Closes #28248

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
 2024-04-08 09:05:16 -03:00
Justin Tay
e765932df3 Skip unsupported keys in JWKS 
Closes #16064

Signed-off-by: Justin Tay <49700559+justin-tay@users.noreply.github.com>
 2024-04-08 08:42:31 +02:00
rmartinc
2b769e5129 Better management of the CSP header 
Closes https://github.com/keycloak/keycloak/issues/24568

Signed-off-by: rmartinc <rmartinc@redhat.com>
 2024-04-08 08:19:57 +02:00
Giuseppe Graziano
b4f791b632 Remove session_state from tokens 
Closes #27624

Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
 2024-04-08 08:12:51 +02:00
MNaaz
811c70d136 Support for searching users based on search filter, enabled attribute, first, max Closes #27241 
Signed-off-by: MNaaz <feminity2001@yahoo.com>
 2024-04-05 12:10:15 -03:00
Jon Koops
d3c2475041
Upgrade admin and account console to PatternFly 5 (#28196) 
Closes #21345
Closes #21344

Signed-off-by: Jon Koops <jonkoops@gmail.com>
Co-authored-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
Co-authored-by: Mark Franceschelli <mfrances@redhat.com>
Co-authored-by: Hynek Mlnařík <hmlnarik@redhat.com>
Co-authored-by: Agnieszka Gancarczyk <agancarc@redhat.com>
 2024-04-05 16:37:05 +02:00
Gilvan Filho
96db7e3154 fix NotContainsUsernamePasswordPolicyProvider: reversed check 
closes #28389

Signed-off-by: Gilvan Filho <gfilho@redhat.com>
 2024-04-05 10:39:07 -03:00
Pedro Igor
8fb6d43e07 Do not export ids when exporting authorization settings 
Closes #25975

Co-authored-by: 박시준 <sjpark@logblack.com>
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
 2024-04-04 19:26:03 +02:00
Justin Tay
30cd40e097 Use realm default signature algorithm for id_token_signed_response_alg 
Closes #9695

Signed-off-by: Justin Tay <49700559+justin-tay@users.noreply.github.com>
 2024-04-04 11:37:28 +02:00
Justin Tay
89a5da1afd Allow empty key use in JWKS for client authentication 
Closes #28004

Signed-off-by: Justin Tay <49700559+justin-tay@users.noreply.github.com>
 2024-04-04 10:42:37 +02:00
Marek Posolda
335a10fead
Handle 'You are already logged in' for expired authentication sessions (#27793) 
closes #24112

Signed-off-by: mposolda <mposolda@gmail.com>
 2024-04-04 10:41:03 +02:00
Martin Bartoš
7f048300fe
Support management port for health and metrics (#27629) 
* Support management port for health and metrics

Closes #19334

Signed-off-by: Martin Bartoš <mabartos@redhat.com>

* Deprecate option

Signed-off-by: Martin Bartoš <mabartos@redhat.com>

* Remove relativePath first-class citizen, rename ManagementSpec

Signed-off-by: Martin Bartoš <mabartos@redhat.com>

* Fix KeycloakDistConfiguratorTest

Signed-off-by: Martin Bartoš <mabartos@redhat.com>

---------

Signed-off-by: Martin Bartoš <mabartos@redhat.com>
 2024-04-03 16:18:44 +02:00
Hynek Mlnarik
8ef3423f4a Present effective sync mode value 
When sync mode value is missing in the config of newly created identity
provider, the provider does not store any. When no value is
found, the identity provider behaves as if `LEGACY` was used (#6705).

This PR ensures the correct sync mode is returned from the REST endpoint,
regardless of whether it has been stored in the database or not.

Fixes: #26019

Signed-off-by: Hynek Mlnarik <hmlnarik@redhat.com>
 2024-04-03 15:49:18 +02:00
Pedro Igor
4ec9fea8f7 Adding tests 
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
 2024-04-03 08:04:17 -03:00
Clemens Zagler
b44252fde9 authz/client: Fix getPermissions returning wrong type 
Due to an issue with runtime type erasure, getPermissions returned a
List<LinkedHashSet> instead of List<Permission>.
Fixed and added test to catch this

Closes #16520

Signed-off-by: Clemens Zagler <c.zagler@noi.bz.it>
 2024-04-02 11:09:43 -03:00
Giuseppe Graziano
fe06df67c2 New default client scope for 'basic' claims with 'auth_time' protocol mapper 
Closes #27623

Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
 2024-04-02 08:44:28 +02:00
Stefan Guilhen
2ca59d4141 Align isEnabled in MSAD mappers to how other properties are processed in UserAttributeLDAPStorageMapper 
- user model is updated by onImport with the enabled/disabled status of the LDAP user
- a config option always.read.enabled.value.from.ldap was introduced, in synch to what we have in UserAttributeLDAPStorageMapper
- isEnabled checks the flag to decide if it should always retrieve the value from LDAP, or return the local value.
- setEnabled first updates the LDAP tx, and then calls the delegate to avoid issue #24201

Closes #26695
Closed #24201

Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
 2024-04-01 08:20:35 -03:00
Steven Hawkins
e9ad9d0564
fix: replace aesh with picocli (#27458) 
* fix: replace aesh with picocli

closes: #27388

Signed-off-by: Steve Hawkins <shawkins@redhat.com>

* Update integration/client-cli/admin-cli/src/main/java/org/keycloak/client/admin/cli/commands/AbstractRequestCmd.java

Co-authored-by: Martin Bartoš <mabartos@redhat.com>

* splitting the error handling for password input

Signed-off-by: Steve Hawkins <shawkins@redhat.com>

* adding a change note about kcadm

Signed-off-by: Steve Hawkins <shawkins@redhat.com>

* Update docs/documentation/upgrading/topics/changes/changes-25_0_0.adoc

Co-authored-by: Martin Bartoš <mabartos@redhat.com>

---------

Signed-off-by: Steve Hawkins <shawkins@redhat.com>
Co-authored-by: Martin Bartoš <mabartos@redhat.com>
 2024-03-28 14:34:06 +01:00
Alexander Schwartz
c580c88c93
Persist online sessions to the database (#27977) 
Adding two feature toggles for new code paths to store online sessions in the existing offline sessions table. Separate the code which is due to be changed in the next iteration in new classes/providers which used instead of the old one.

Closes #27976

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Signed-off-by: Michal Hajas <mhajas@redhat.com>
Co-authored-by: Michal Hajas <mhajas@redhat.com>
 2024-03-28 09:17:07 +01:00
Gilvan Filho
757c524cc5 Password policy for not having username in the password 
closes #27643

Signed-off-by: Gilvan Filho <gfilho@redhat.com>
 2024-03-28 08:29:03 +01:00
Pedro Igor
b9a7152a29 Avoid commiting the transaction prematurely when creating users through the User API 
Closes #28217

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
 2024-03-27 19:16:09 -03:00
Lex Cao
a53cacc0a7 Fire logout event when logout other sessions (#26658) 
Closes #26658

Signed-off-by: Lex Cao <lexcao@foxmail.com>
 2024-03-27 11:13:48 +01:00
Jon Koops
3382e16954
Remove Account Console version 2 (#27510) 
Closes #19664

Signed-off-by: Jon Koops <jonkoops@gmail.com>
 2024-03-27 10:53:28 +01:00
Tomas Ondrusko
3160116a56
Remove Twitter workaround (#28232) 
Relates to #23252

Signed-off-by: Tomas Ondrusko <tondrusk@redhat.com>
 2024-03-27 10:34:26 +01:00
Steven Hawkins
be32f8b1bf
fix: limit the use of Resteasy to the KeycloakSession (#28150) 
* fix: limit the use of Resteasy to the KeycloakSession

contextualizes other state to the KeycloakSession

close: #28152
 2024-03-26 13:43:41 -04:00
vramik
fa1571f231 Map organization metadata when issuing tokens for OIDC clients acting on behalf of an organization member 
Closes #27993

Signed-off-by: vramik <vramik@redhat.com>
 2024-03-26 14:02:09 -03:00
Pedro Igor
a470711dfb Resolve the user federation link as null when decorating the user profile metadata in the LDAP provider 
Closes #28100

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
 2024-03-26 10:14:49 -03:00
Stian Thorgersen
c3a98ae387
Use Argon2 as default password hashing algorithm (#28162) 
Closes #28161

Signed-off-by: stianst <stianst@gmail.com>
 2024-03-22 13:04:14 +00:00
Stian Thorgersen
8cbd39083e
Default password hashing algorithm should be set to default password hash provider (#28128) 
Closes #28120

Signed-off-by: stianst <stianst@gmail.com>
 2024-03-22 12:44:11 +01:00
Stian Thorgersen
3f9cebca39
Ability to set the default provider for an SPI (#28135) 
Closes #28134

Signed-off-by: stianst <stianst@gmail.com>
 2024-03-22 07:45:08 +01:00
Stian Thorgersen
cae92cbe8c
Argon2 password hashing provider (#28031) 
Closes #28030

Signed-off-by: stianst <stianst@gmail.com>
 2024-03-22 07:08:09 +01:00
Reda Bourial
a41d865600 fix for SMTP email sending fails because of tls certificate verification even with tls-hostname-verifier=ANY (#27756) 
Signed-off-by: Reda Bourial <reda.bourial@gmail.com>
 2024-03-21 17:06:42 +01:00
Steven Hawkins
7eab019748
task: deprecate WILDCARD and STRICT options (#26833) 
closes: #24893

Signed-off-by: Steve Hawkins <shawkins@redhat.com>
 2024-03-21 16:22:41 +01:00
Steven Hawkins
35b9d8aa49
task: remove usage of resteasy-core-spi (#27387) 
closes: #27242

Signed-off-by: Steve Hawkins <shawkins@redhat.com>
 2024-03-21 15:28:34 +01:00
Giuseppe Graziano
b24d446911 Avoid using wait() to wait for the redirect 
Closes #22644

Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
 2024-03-21 14:36:43 +01:00
Giuseppe Graziano
939420cea1 Always include offline_access scope when refreshing with offline token 
Closes #27878

Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
 2024-03-21 14:32:31 +01:00
Pedro Igor
32541f19a3 Allow managing members for an organization 
Closes #27934

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
 2024-03-21 10:26:30 -03:00
Martin Kanis
4154d27941 Invalidating offline token is not working from client sessions tab 
Closes #27275

Signed-off-by: Martin Kanis <mkanis@redhat.com>
 2024-03-21 09:04:58 -03:00
Sebastian Schuster
0542554984 12671 querying by user attribute no longer forces case insensitivity for keys 
Signed-off-by: Sebastian Schuster <sebastian.schuster@bosch.io>
 2024-03-21 08:35:29 -03:00
Pedro Igor
f970deac37 Do not grant scopes not granted for resources owned the resource server itself 
Closes #25057

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
 2024-03-20 18:36:41 +01:00
Alexander Schwartz
149e50e1b1
Upgrading to Quarkus 3.8.3 (#28085) 
Closes #28084

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
 2024-03-20 17:16:42 +01:00
Takashi Norimatsu
d5bf79b932 Refactoring JavaScript code of WebAuthn's authenticators to follow the current Keycloak's JavaScript coding convention 
closes #26713

Signed-off-by: Takashi Norimatsu <takashi.norimatsu.ws@hitachi.com>
 2024-03-20 13:22:48 +01:00
René Zeidler
83a3500ccf Attributes without a group should appear first 
In the login theme, user profile attributes that
are not assigned to an attribute group should
appear before all other attributes. This aligns
the login theme (registration, verify profile,
etc.) with the account and admin console.

Fixes #27981

Signed-off-by: René Zeidler <rene.zeidler@gmx.de>
 2024-03-19 18:40:01 +01:00
Hynek Mlnařík
9caac3814c
Enable WebAuthn tests for Account v3 (#28029) 
* Re-enable WebAuthn testsuite
* Remove reference to Account 2 in UI testsuites

Fixes: #26080

Signed-off-by: Hynek Mlnarik <hmlnarik@redhat.com>

---------

Signed-off-by: Hynek Mlnarik <hmlnarik@redhat.com>
 2024-03-19 14:26:44 +01:00
Stefan Wiedemann
67d3e1e467
Issue Verifiable Credentials in the VCDM format #25943 (#27071) 
closes #25943


Signed-off-by: Stefan Wiedemann <wistefan@googlemail.com>
 2024-03-18 17:05:53 +01:00
cgeorgilakis-grnet
24f105e8fc successful SAML IdP Logout Request with BaseID or EncryptedID and SessionIndex 
Closes #23528

Signed-off-by: cgeorgilakis-grnet <cgeorgilakis@admin.grnet.gr>
 2024-03-18 08:19:13 -03:00
Alexander Schwartz
62d24216e3 Remove offline session preloading 
Closes #27602

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
 2024-03-15 15:19:27 +01:00
Pedro Igor
7fc2269ba5 The bare minimum implementation for organization 
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>

Co-authored-by: vramik <vramik@redhat.com>
 2024-03-15 11:06:43 -03:00
Alexander Schwartz
6de5325d1c Limit the received content when handling the content as a String 
Closes #27293

Co-authored-by: rmartinc <rmartinc@redhat.com>
Signed-off-by: rmartinc <rmartinc@redhat.com>
Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
 2024-03-13 16:43:03 +01:00
Pedro Igor
9ad447390a Only remove attributes with empty values when updating user profile 
Closes #27797

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
 2024-03-13 15:03:08 +01:00
Réda Housni Alaoui
1bf90321ad
"Allowed Protocol Mapper Types" prevents clients from self-updating via client registration api (#27578) 
closes #27558 

Signed-off-by: Réda Housni Alaoui <reda-alaoui@hey.com>
 2024-03-13 14:00:34 +01:00
rmartinc
d679c13040 Continue LDAP search if a duplicated user (ModelDuplicateException) is found 
Closes #25778

Signed-off-by: rmartinc <rmartinc@redhat.com>
 2024-03-13 08:52:58 -03:00
rmartinc
43a5779f6e Do not challenge inside spnego authenticator is FORKED_FLOW 
Closes #20637

Signed-off-by: rmartinc <rmartinc@redhat.com>
 2024-03-12 14:23:03 +01:00
Pedro Igor
1e48cce3ae Make sure empty configuration resolves to the system default configuration 
Closes #27611

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
 2024-03-11 09:01:38 -03:00
Stefan Wiedemann
6fc69b6a01
Issue Verifiable Credentials in the SD-JWT-VC format (#27207) 
closes #25942

Signed-off-by: Stefan Wiedemann <wistefan@googlemail.com>


Co-authored-by: Francis Pouatcha <francis.pouatcha@adorsys.com>
 2024-03-11 08:55:28 +01:00
Steve Hawkins
4091baf4c2 fix: accounting for the possibility of null flows from existing realms 
closes: #23980

Signed-off-by: Steve Hawkins <shawkins@redhat.com>
 2024-03-08 14:25:23 +01:00
Pedro Igor
40385061f7 Make sure refresh token expiration is based on the current time when the token is issued 
Closes #27180

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
 2024-03-07 15:23:19 +01:00
rmartinc
ea4155bbcd Remove recursively when deleting an authentication executor 
Closes #24795

Signed-off-by: rmartinc <rmartinc@redhat.com>
 2024-03-07 14:43:23 +01:00
graziang
54b40d31b6 Revoked token cache expiration fix 
Added 1 second to the duration of the cache for revoked tokens to prevent them from still being valid for 1 second after the expiration date of the access token.

Closes #26113

Signed-off-by: graziang <g.graziano94@gmail.com>
 2024-03-07 13:33:37 +01:00
rmartinc
dea15e25da Only add the nonce claim to the ID Token (mapper for backwards compatibility) 
Closes #26893

Signed-off-by: rmartinc <rmartinc@redhat.com>
 2024-03-07 09:56:57 +01:00
Pedro Igor
d5a613cd6b Support for script providers when running in embedded mode 
Closes #27574

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
 2024-03-06 18:06:09 -03:00
Theresa Henze
653d09f39a trigger REMOVE_TOTP event on removal of an OTP credential 
Closes #15403

Signed-off-by: Theresa Henze <theresa.henze@bare.id>
 2024-03-06 17:12:50 +01:00
graziang
39299eeb38 Encode role name parameter in the location header uri 
The role is encoded to avoid template resolution by the URIBuilder. This fix avoids the exception when creating roles with names containing {patterns}.

Closes #27514

Signed-off-by: graziang <g.graziano94@gmail.com>
 2024-03-06 15:59:26 +01:00
rmartinc
82af0b6af6 Initial client policies integration for SAML 
Closes #26654

Signed-off-by: rmartinc <rmartinc@redhat.com>
 2024-03-06 15:18:35 +01:00
Pedro Igor
d12711e858 Allow fetching roles when evaluating role licies 
Closes #20736

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
 2024-03-05 15:54:02 +01:00
graziang
4fa940a31e Device verification flow always requires consent 
Force consent for device verification flow when there are no client scopes to approve by adding a default client scope to approve

Closes #26100

Signed-off-by: graziang <g.graziano94@gmail.com>
 2024-03-05 14:14:19 +01:00
Tero Saarni
e06fcbe6ae Change supported criteria for Google Authenticator 
List Google Authenticator as supported when
- hash algorithm is SHA256 or SHA512
- number of digits is 8
- OTP type is hotp

Signed-off-by: Tero Saarni <tero.saarni@est.tech>
 2024-03-05 11:19:06 +01:00
Tomas Ondrusko
9404b888d1
Update disabled feature status code in social login tests 
Closes #27366

Signed-off-by: Tomas Ondrusko <tondrusk@redhat.com>
 2024-03-05 10:22:51 +01:00
Pavel Drozd
be7775a9be LDAPSyncTest - additional removal of users at the end of the test 
Necessary when running with external AD

Closes #27499

Signed-off-by: Pavel Drozd <pdrozd@redhat.com>
 2024-03-05 09:54:58 +01:00
Pedro Igor
2c750c8ffb Reverting unrelated changes to templates 
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
 2024-03-04 20:28:06 +09:00
Jon Koops
0894642838 Fix up selector for submit button 
Signed-off-by: Jon Koops <jonkoops@gmail.com>
 2024-03-04 20:28:06 +09:00
Lucy Linder
aa6771205a Update ReCAPTCHA and add support for ReCAPTCHA Enterprise 
Closes #16138

Signed-off-by: Lucy Linder <lucy.derlin@gmail.com>
 2024-03-04 20:28:06 +09:00
vramik
032bb8e9cc Map Store Removal: Remove obsolete KeycloakModelUtils.isUsernameCaseSensitive method 
Closes #27438

Signed-off-by: vramik <vramik@redhat.com>
 2024-03-02 04:40:46 +09:00
rmartinc
f970803738 Check email and username for duplicated if isLoginWithEmailAllowed 
Closes #27297

Signed-off-by: rmartinc <rmartinc@redhat.com>
 2024-03-02 00:14:27 +09:00
Andy
137907f5ef Roles admin REST API: Don't expand composite roles 
Additionally:
- Import clean-up
- Added requireMapComposite as in RoleResource.addComposites

Closes #26951

Signed-off-by: synth3 <19573241+synth3@users.noreply.github.com>
 2024-03-02 00:03:03 +09:00
Takashi Norimatsu
1792af6850 OAuth 2.1 default profile lacks oauth-2-1-compliant setting for SecureRedirectUrisEnforcerExecutor 
closes #27412

Signed-off-by: Takashi Norimatsu <takashi.norimatsu.ws@hitachi.com>
 2024-03-01 14:49:23 +01:00
Hynek Mlnarik
49bbed13b9 Localize admin error messages 
Fixes: #25977 (part of)

Signed-off-by: Hynek Mlnarik <hmlnarik@redhat.com>
 2024-03-01 14:03:08 +01:00
graziang
082f9ec15b Update client scopes in Client Update Request in DCR 
Fix ClientScopesClientRegistrationPolicy.beforeUpdate because it was modifying the original clientRepresentation.
Add updateClientScopes method to set client scopes in Client Update Request in DCR.

Closes #24361

Signed-off-by: graziang <g.graziano94@gmail.com>
 2024-03-01 12:32:45 +01:00
Marek Posolda
ae0a0ea30b
SecureRedirectUrisEnforcerExecutor fixes (#27369) 
closes #27344

Signed-off-by: mposolda <mposolda@gmail.com>
 2024-02-29 17:24:20 +01:00
Steven Hawkins
51590668f5
fix: provide a better error message when option parsing fails (#27354) 
closes: #16260

Signed-off-by: Steve Hawkins <shawkins@redhat.com>
 2024-02-29 08:22:21 -05:00
Takashi Norimatsu
3db04d8d8d Replace Security Key with Passkey in WebAuthn UIs and their documents 
closes #27147

Signed-off-by: Takashi Norimatsu <takashi.norimatsu.ws@hitachi.com>
 2024-02-29 10:31:05 +01:00
Pedro Igor
326d63ce74 Make sure group searches are cached and entries invalidate accordingly 
Closes #26983

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
 2024-02-29 05:06:36 +09:00
Vlasta Ramik
ade3b31a91
Introduce new CLI config options for Infinispan remote store 
Closes #25676

Signed-off-by: vramik <vramik@redhat.com>
Signed-off-by: Pedro Ruivo <pruivo@redhat.com>
Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Co-authored-by: Pedro Ruivo <pruivo@redhat.com>
Co-authored-by: Alexander Schwartz <aschwart@redhat.com>
 2024-02-28 15:49:19 +00:00
Réda Housni Alaoui
a3b3ee4b87
Ability to declare a default "First broker login flow" per Realm 
Closes #25823

Signed-off-by: Réda Housni Alaoui <reda-alaoui@hey.com>
Co-authored-by: Jon Koops <jonkoops@gmail.com>
 2024-02-28 16:17:51 +01:00
Pedro Igor
788d146bf2 Use the target client when processing scopes for internal exchanges 
Closes #19183

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
 2024-02-28 15:18:43 +01:00
rmartinc
2bd9f09e29 Re-index CLIENT_ATTRIBUTES using name and value 
Closes #26618

Signed-off-by: rmartinc <rmartinc@redhat.com>
 2024-02-28 11:07:03 +01:00
graziang
16a854c91b Add option to clients to use lightweight access token 
Add an "Always use lightweight access token" option on the client's Advanced tab in the "Advanced Settings" section that uses the already existing Constants.USE_LIGHTWEIGHT_ACCESS_TOKEN_ENABLED to store a boolean client attribute.
The attribute value is used to enable or disable the lightweight access token.
Closes #27238

Signed-off-by: graziang <g.graziano94@gmail.com>
 2024-02-28 10:18:26 +01:00
Pedro Igor
0c91fceaad Allow setting if both 'client_id' and 'id_token_hint' params should be sent in logout requests 
Closes #27281

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
 2024-02-27 20:37:27 +09:00
Dmitry Telegin
6a57614554 Fix disabled feature tests 2024-02-27 19:11:32 +09:00
rmartinc
562decde35 Perform internal introspect for the access token in the account app 
Closes #27243

Signed-off-by: rmartinc <rmartinc@redhat.com>
 2024-02-27 09:19:20 +01:00
kaustubh-rh
03f6cda85a
Prevent user from removing built-in client scopes (#27134) 
Closes #26937

Signed-off-by: Kaustubh B <kbawanka@redhat.com>
 2024-02-26 11:16:23 +01:00
Gilvan Filho
83af01c4c0 Add failedLoginNotBefore to AttackDetectionResource 
Closes #17574

Signed-off-by: Gilvan Filho <gfilho@redhat.com>
 2024-02-26 09:35:51 +01:00
graziang
cecce40aa5 Avoid regenerating the totpSecret on every reload of the OTP configuration page 
Using an auth note to store the totpSecret and passing its value in the TotpBean constructor to keep the totpSecret on page reload

Closes #26052

Signed-off-by: graziang <g.graziano94@gmail.com>
 2024-02-22 19:09:09 +01:00
Pedro Igor
604274fb76 Allow setting an attribute as multivalued 
Closes #23539

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>

Co-authored-by: Jon Koops <jonkoops@gmail.com>
Co-authored-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
 2024-02-22 12:56:44 +01:00