Commit graph

4329 commits

Author SHA1 Message Date
Douglas Palmer
e7d842ea32 Invalidate session secretly
Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
2024-01-19 15:44:35 -03:00
Douglas Palmer
18d0105de0 Invalidate authentication session on repeated OTP failures
Closes #26177
Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
2024-01-19 15:44:35 -03:00
Pedro Igor
62020ffc68 Make sure the component resolves to a UPConfig before cloning it
Closes #26308
2024-01-18 19:11:48 +01:00
rmartinc
2f0a0b6ad8 Remove deprecated mode for saml encryption
Closes #26291

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-01-18 16:52:10 +01:00
cgeorgilakis-grnet
ccade62289 Enhance error logs and error events during UserInfo endpoint and Token Introspection failure
Closes #24344

Signed-off-by: cgeorgilakis-grnet <cgeorgilakis@admin.grnet.gr>
2024-01-16 11:26:29 +01:00
Alexander Schwartz
b9498b91cb
Deprecating the offline session preloading (#26160)
Closes #25300

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
2024-01-16 09:29:01 +01:00
cgeorgilakis-grnet
a3257ce08f OIDC Protocol Mappers with same claim
Closes #25774

Signed-off-by: cgeorgilakis-grnet <cgeorgilakis@admin.grnet.gr>
2024-01-15 09:16:12 -03:00
rmartinc
e162974a8d Integrate registration with terms and conditions required action
Closes #25891

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-01-15 10:19:30 +01:00
MikeTangoEcho
c2b132171d Add X509 thumbprint to JWT when using private_key_jwt
Closes keycloak#12946

Signed-off-by: MikeTangoEcho <mathieu.thine@gmail.com>
2024-01-12 16:01:01 +01:00
Lex Cao
47f7e3e8f1 Use email verification instead of executing action for send-verify-email endpoint
Closes #15190

Add support for `send-verify-email` endpoint to use the `email-verification.ftl` instead of `executeActions.ftl`

Also introduce a new parameter `lifespan` to be able to override the default lifespan value (12 hours)

Signed-off-by: Lex Cao <lexcao@foxmail.com>
2024-01-11 16:28:02 -03:00
mposolda
692aeee17d Enable user profile by default
closes #25151

Signed-off-by: mposolda <mposolda@gmail.com>
2024-01-11 12:48:44 -03:00
Patrick Hamann
d36913a240 Ensure protocol forced reauthentication is correctly mapped during SAML identity brokering
Closes #25980

Signed-off-by: Patrick Hamann <patrick@fastly.com>
2024-01-10 20:46:35 +01:00
rmartinc
179ca3fa3a Sanitize logs in JBossLoggingEventListenerProvider
Closes #25078

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-01-10 16:50:27 +01:00
Réda Housni Alaoui
3c05c123ea On invalid submission, IdpUsernamePasswordForm sends back the user to the standard UsernamePasswordForm template
Signed-off-by: Réda Housni Alaoui <reda-alaoui@hey.com>
2024-01-09 16:04:52 -03:00
shigeyuki kabano
67e73d3d4e Enhancing Lightweight access token M2(keycloak#25716)
Closes keycloak#23724

Signed-off-by: shigeyuki kabano <shigeyuki.kabano.sj@hitachi.com>
2024-01-09 09:42:30 +01:00
Ricardo Martin
097d68c86b
Escape action in the form_post.jwt and only decode path in RedirectUtils (#93) (#25995)
Closes #90

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-01-09 08:20:14 +01:00
Steven Hawkins
d1d1d69840
fix: adds a general error message and descriptions for some exceptions (#25806)
closes: #25746

Signed-off-by: Steve Hawkins <shawkins@redhat.com>
2024-01-08 18:19:40 +00:00
Felix Gustavsson
0f47071a29 Check if UMA is enabled on resource, if not reject the request.
Closes #24422

Signed-off-by: Felix Gustavsson <felix.gustavsson@topgolf.com>
2024-01-08 11:28:57 -03:00
agagancarczyk
768231d950
Localization tabs (#25532)
* Add new localization tabs to Administration Console

Closes #23057

Signed-off-by: Agnieszka <agancarc@redhat.com>
Signed-off-by: Jon Koops <jonkoops@gmail.com>

* css cleanup

Signed-off-by: Agnieszka Gancarczyk <agancarc@redhat.com>

* css cleanup

Signed-off-by: Agnieszka Gancarczyk <agancarc@redhat.com>

---------

Signed-off-by: Agnieszka <agancarc@redhat.com>
Signed-off-by: Jon Koops <jonkoops@gmail.com>
Signed-off-by: Agnieszka Gancarczyk <agancarc@redhat.com>
Co-authored-by: Jon Koops <jonkoops@gmail.com>
Co-authored-by: Agnieszka Gancarczyk <agancarc@redhat.com>
2024-01-08 14:03:26 +00:00
atharva kshirsagar
d7542c9344 Fix for empty realm name issue
Throw ModelException if name is empty when creating/updating a realm

Closes #17449

Signed-off-by: atharva kshirsagar <atharva4894@gmail.com>
Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Co-authored-by: Alexander Schwartz <aschwart@redhat.com>
2024-01-05 14:23:42 +01:00
Pedro Igor
8ff9e71eae Do not allow verifying email from a different account
Closes #14776

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-01-05 12:45:07 +01:00
Pedro Igor
f476a42d66 Fixing the registration_client_uri to point to a valid URI after updating a client
Closes #23229

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-01-05 12:41:36 +01:00
Pedro Igor
986b6af4f5 Make sure the context path from the base URI is respected when building TOTP URIs
Closes #21542

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-01-05 07:10:49 -03:00
Réda Housni Alaoui
a21e95c5ae In UserProfileContext.IDP_REVIEW, NPE on UserModel#getEmail because UserModelDelegate#delegate is null
Signed-off-by: Réda Housni Alaoui <reda-alaoui@hey.com>
2024-01-03 15:00:30 -03:00
Ben Cresitello-Dittmar
057d8a00ac Implement Authentication Method Reference (AMR) claim from OIDC specification
This implements a method for configuring authenticator reference values for Keycloak authenticator executions and a protocol mapper for populating the AMR claim in the resulting OIDC tokens.

This implementation adds a default configuration item to each authenticator execution, allowing administrators to configure an authenticator reference value. Upon successful completion of an authenticator during an authentication flow, Keycloak tracks the execution ID in a user session note.

The protocol mapper pulls the list of completed authenticators from the user session notes and loads the associated configurations for each authenticator execution. It then captures the list of authenticator references from these configs and sets it in the AMR claim of the resulting tokens.

Closes #19190

Signed-off-by: Ben Cresitello-Dittmar <bcresitellodittmar@mitre.org>
2024-01-03 14:59:05 -03:00
Jon Koops
07f9ead128 Upgrade Welcome theme to PatternFly 5
Closes #21343

Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com>
Signed-off-by: Jon Koops <jonkoops@gmail.com>
2024-01-03 14:46:01 -03:00
Pedro Igor
15b10f58fc Make the user attribute available to the idp-review-user-profile.ftl template
Closes #25872

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-01-03 13:26:33 -03:00
Réda Housni Alaoui
5287500703 @NoCache is not considered anymore
Signed-off-by: Réda Housni Alaoui <reda-alaoui@hey.com>
2024-01-02 09:06:55 -03:00
Alexander Schwartz
9e890264df Adding a test case to check that the expiration time is set on logout tokens
Closes #25753

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
2023-12-22 20:13:40 +01:00
Niko Köbler
5e623f42d4 add the exp claim to the backchannel logout token
This is now, as of Dec 15th 2023, part of the OIDC Backchannel Logout spec, chapter 2.4.

As of chapter 4, the logout token should have a short expiration time, preferably at most two minutes in the future. So we set the expiration to this time.

resolves #25753

Signed-off-by: Niko Köbler <niko@n-k.de>
2023-12-22 20:13:40 +01:00
DAHAG-ArisNourbakhsh
b52d97475a
Add raw OpenApi documentation files to rest-api documentation (#22940)
Add raw OpenApi documentation files to rest-api documentation

Closes #21559

Signed-off-by: Aris Nourbakhsh <aris.nourbakhsh@dahag.de>
Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Co-authored-by: Alexander Schwartz <aschwart@redhat.com>
2023-12-21 12:07:33 +01:00
Pedro Igor
ceb085e7b8 Update the UPDATE_EMAIL feature to rely on the user profile configuration when rendering templates and validating the email
Closes #25704

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2023-12-20 15:15:06 -03:00
rmartinc
c2e41b0eeb Make Locale updater generate an event and use the user profile
Closes #24369

Signed-off-by: rmartinc <rmartinc@redhat.com>
2023-12-20 15:26:45 +01:00
Konstantinos Georgilakis
cf57af1d10 scope parameter in refresh flow
Closes #12009

Signed-off-by: cgeorgilakis-grnet <cgeorgilakis@admin.grnet.gr>
2023-12-20 14:00:10 +01:00
mposolda
eb184a8554 More info on UserProfileContext
closes #25691

Signed-off-by: mposolda <mposolda@gmail.com>
2023-12-19 13:00:31 -03:00
Ricardo Martin
32a70cbedd Strip off user-info from redirect URI when validating using wildcard (#61)
Closes keycloak/keycloak-private#58
Closes https://issues.redhat.com/browse/RHBK-679

Signed-off-by: rmartinc <rmartinc@redhat.com>
2023-12-19 10:13:36 -03:00
Joshua Sorah
d411eafc42 Ensure 'iss' is returned when 'prompt=none' and user is not authenticated, per RFC9207
Closes keycloak/keycloak#25584

Signed-off-by: Joshua Sorah <jsorah@redhat.com>
2023-12-19 10:38:05 +01:00
Ricardo Martin
2ba7a51da6 Escape action in the form_post response mode (#60)
Closes keycloak/keycloak-private#31
Closes https://issues.redhat.com/browse/RHBK-652

Signed-off-by: rmartinc <rmartinc@redhat.com>
2023-12-18 18:10:41 -03:00
Konstantinos Georgilakis
ba8c22eaf0 Scope parameter in Oauth 2.0 token exchange
Closes #21578

Signed-off-by: cgeorgilakis-grnet <cgeorgilakis@admin.grnet.gr>
2023-12-18 15:44:26 -03:00
Pedro Igor
778847a3ce Updating theme templates to render user attributes based on the user profile configuration
Closes #25149

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2023-12-18 15:35:52 -03:00
rmartinc
d841971ff4 Updating the UP configuration needs to trigger an admin event
Close #23896

Signed-off-by: rmartinc <rmartinc@redhat.com>
2023-12-18 19:24:30 +01:00
mposolda
cd154cf318 User Profile: If required roles ('user') and reqired scopes are set, the required scopes have no effect
closes #25475

Signed-off-by: mposolda <mposolda@gmail.com>
2023-12-18 11:32:27 +01:00
Takashi Norimatsu
59536becec Client policies : executor for enforcing DPoP
closes #25315

Signed-off-by: Takashi Norimatsu <takashi.norimatsu.ws@hitachi.com>
2023-12-18 10:45:18 +01:00
Yoshiyuki Tabata
0ca73829d0
Fix OpenAPI spec POST /admin/realms/{realm}/clients
Closes #21536 

Signed-off-by: Yoshiyuki Tabata <yoshiyuki.tabata.jy@hitachi.com>
2023-12-18 10:08:54 +01:00
Yoshiyuki Tabata
66ee27f413 Fix OpenAPI spec POST /admin/realms/{realm}/clients-initial-access
Closes #25656

Signed-off-by: Yoshiyuki Tabata <yoshiyuki.tabata.jy@hitachi.com>
2023-12-18 09:12:02 +01:00
Joshua Sorah
a10149bbe9 For post logout redirect URI - Make '+' represent existing redirect URIs and merge with existing post logout redirect URIs
Closes keycloak#25544

Signed-off-by: Joshua Sorah <jsorah@redhat.com>
2023-12-18 09:05:51 +01:00
Yoshiyuki Tabata
5bdadaacbc
Modify OpenAPI spec POST /admin/realms
Closes #25565

Signed-off-by: Yoshiyuki Tabata <yoshiyuki.tabata.jy@hitachi.com>
2023-12-18 08:41:23 +01:00
Sophie Tauchert
3ab24afe93 Add response annotations to resourceserver
Closes: #25604

Signed-off-by: Sophie Tauchert <sophie@999eagle.moe>
2023-12-15 19:45:39 +01:00
Erwin Rooijakkers
860978b15a Change arg of getSubGroups to briefRepresentation
Parameter name briefRepresentation should mean briefRepresentation,
   not full. This way callers will by default get the full
   representation, unless true is passed as value for
   briefRepresentation.

   Fixes #25096

Signed-off-by: Erwin Rooijakkers <erwin@rooijakkers.software>
2023-12-14 17:23:27 +01:00
Steven Hawkins
08751001db
enhance: adds truststores to the keycloak cr (#25215)
also generally correcting the misspelling trustore

closes: #24798

Signed-off-by: Steve Hawkins <shawkins@redhat.com>
2023-12-14 11:15:06 -03:00