Commit graph

6441 commits

Author SHA1 Message Date
Michal Hajas
e55ba5dcdc Make sure pagination is used even when first is null for getGroups endpoint
Closes #25731

Signed-off-by: Michal Hajas <mhajas@redhat.com>
2024-02-15 19:46:04 +09:00
mposolda
b4d289c562 Fixing UriValidator
closes #26792

Signed-off-by: mposolda <mposolda@gmail.com>
2024-02-15 10:30:39 +01:00
rmartinc
4ff4c3f897 Increase internal algorithm security using HS512 and 128 byte hmac keys
Closes #13080

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-02-15 08:16:45 +01:00
rmartinc
bc82929e3a Cors modifications for UserInfo endpoint
Closes #26782

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-02-14 18:24:06 +01:00
Ryan Emerson
67f6f2f657
Add Multi-AZ Aurora DB to CI store-integration-tests
Closes #26730

Signed-off-by: Ryan Emerson <remerson@redhat.com>
2024-02-14 16:51:08 +01:00
rmartinc
bb12f3fb82 Do not require non-builtin attributes for service accounts
Closes #26716

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-02-13 17:42:59 +01:00
Steven Hawkins
6bbf8358b4
task: addressing build warnings (#26877)
Signed-off-by: Steve Hawkins <shawkins@redhat.com>
2024-02-13 17:04:43 +01:00
Steven Hawkins
3a04acab51
fix: adds pfx as a recognized extension (#26876)
closes #24661

Signed-off-by: Steve Hawkins <shawkins@redhat.com>
2024-02-13 15:38:12 +01:00
Stian Thorgersen
23d5f2188d
Run adapters in a separate job on GitHub Actions (#26962)
Closes #25892

Signed-off-by: stianst <stianst@gmail.com>
2024-02-13 12:38:58 +01:00
Stefan Guilhen
2161e72872 Add migration for the useTruststoreSpi config property in LDAP user storage provider
- legacy `ldapsOnly` value now migrated to `always`.

Closes #25912

Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2024-02-12 11:53:19 +01:00
Pedro Igor
e50642ac32 Allow setting a default user profile configuration
Closes #26489

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-02-12 11:16:48 +01:00
Thomas Darimont
93fc6a6c54 Shorter lifespan for offline session cache entries in memory
Closes #26810

Co-authored-by: Thomas Darimont <thomas.darimont@googlemail.com>
Co-authored-by: Martin Kanis <mkanis@redhat.com>

Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
Signed-off-by: Martin Kanis <mkanis@redhat.com>
2024-02-09 19:44:04 +01:00
Stefan Guilhen
d3ae075a33 Fix MembershipType so that NPE is not thrown when an empty member is found within a group
Closes #25883

Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2024-02-09 19:04:37 +01:00
Réda Housni Alaoui
67718c653a UPDATE_EMAIL action token handling should allow the user to resume its navigation to the redirect uri
Signed-off-by: Réda Housni Alaoui <reda-alaoui@hey.com>
2024-02-08 18:32:38 -03:00
Douglas Palmer
66f0d2ff1d blah
Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
2024-02-07 15:55:06 -03:00
Douglas Palmer
d9d41b1a09 Brute Force Detection is disabled when updating frontenUrl via admin client
Closes #21409

Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
2024-02-07 15:55:06 -03:00
Steven Hawkins
402c7d9b18
Removing version overrides and further aligning with quarkus versions (#26788)
* elevating wildfly-elytron-http-oidc version management

Signed-off-by: Steve Hawkins <shawkins@redhat.com>

* removing testing dependency overrides

Signed-off-by: Steve Hawkins <shawkins@redhat.com>

* further version aligment with quarkus

Signed-off-by: Steve Hawkins <shawkins@redhat.com>

* adding a resteay-core-spi that can be overriden

Signed-off-by: Steve Hawkins <shawkins@redhat.com>

* removing hamcrest override

Signed-off-by: Steve Hawkins <shawkins@redhat.com>

* aligning with 3.7.1

Signed-off-by: Steve Hawkins <shawkins@redhat.com>

---------

Signed-off-by: Steve Hawkins <shawkins@redhat.com>
2024-02-07 17:57:23 +01:00
Tero Saarni
ac1780a54f
Added event for temporary lockout for brute force protector (#26630)
This change adds event for brute force protector when user account is
temporarily disabled.

It also lowers the priority of free-text log for failed login attempts.

Signed-off-by: Tero Saarni <tero.saarni@est.tech>
Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Co-authored-by: Alexander Schwartz <aschwart@redhat.com>
2024-02-07 14:13:33 +00:00
Dmitry Telegin
b0403e2268 CORS SPI
Closes #25446

Signed-off-by: Dmitry Telegin <demetrio@carretti.pro>
2024-02-06 15:27:53 -03:00
rmartinc
509f618992 Improvements for test connection and authentication in the LDAP provider
Closes #26464

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-02-06 13:04:06 -03:00
mposolda
f468885fdd Empty error message when validation issue due the PersonNameProhibitedValidator validation
closes #26750

Signed-off-by: mposolda <mposolda@gmail.com>
2024-02-06 12:56:50 -03:00
Stian Thorgersen
3e08a1713b
Ignore empty attribute values when retriveing boolean/int/long (#26729) (#26737)
Resolves #26597, resolves #26665

Signed-off-by: stianst <stianst@gmail.com>
2024-02-06 15:29:34 +01:00
Stian Thorgersen
c4b1fd092a
Use code from RestEasy to create and set cookies (#26558)
Closes #26557

Signed-off-by: stianst <stianst@gmail.com>
2024-02-06 15:14:04 +01:00
rmartinc
720c5c6576 PKCE should return error if code_verifier sent but no code_challenge in the authorization request
Closes #26430

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-02-06 08:31:56 -03:00
Pedro Igor
ec2fcb4333 Upgrade arquilliam bom to match org.apache.maven dependency versions from Quarkus
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-02-05 18:08:33 -03:00
Václav Muzikář
8833b9d2ac
Upgrade to Quarkus 3.7.1 (#26736)
Closes #26701
Closes #23854

Signed-off-by: Václav Muzikář <vmuzikar@redhat.com>
2024-02-02 15:57:23 +00:00
Michal Hajas
00742a62dd
Remove RealmModel from authorization services interfaces (#26708)
Closes #26530
Signed-off-by: Michal Hajas <mhajas@redhat.com>
2024-02-02 16:51:32 +01:00
Thomas Darimont
277af021d7 Improve ScheduledTask task-name handling
This PR introduces a String getTaskName() default method to
the ScheduledTask interface and adjusts call sites to use the
implementation derived task name where possible.

Previously, ScheduledTask names were passed around separately, which
lead to unhelpful debug messages.
We now give ScheduledTask implementations control over their task-name
which allows for more flexible naming.

Enlist call StoreSyncEvent.fire(...) to after transaction to ensure realm is present in database.
Ensure that Realm is already committed before updating sync via UserStorageSyncManager
Align Sync task name generation for cancellation to support SyncFederationTest
Only log a message if sync task was actually canceled.

Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
2024-02-02 09:57:03 -03:00
mposolda
cdc5d8fff8 Migrating Realm JSON with declarative user profile fails when scope selectors present on any attributes
closes #26266

Signed-off-by: mposolda <mposolda@gmail.com>
2024-02-01 09:54:09 +01:00
Stian Thorgersen
64b5f42c4a
Revert new behaviour around setting secure flag for cookies (#26650)
Closes #26649

Signed-off-by: stianst <stianst@gmail.com>
2024-01-31 19:33:56 +01:00
Steven Hawkins
37acb2fd09
task: upgrading to quarkus 3.7.0.CR1 (#26203)
there are several downgrades from the quarkus versions, and some
additional logic needed to handle changes with re-creating the
configuration

Signed-off-by: Steve Hawkins <shawkins@redhat.com>
2024-01-31 18:23:07 +00:00
Lex Cao
a43ba73b93 Skip link only when client is not system when logout (#24595)
Signed-off-by: Lex Cao <lexcao@foxmail.com>
2024-01-31 17:50:26 +01:00
rmartinc
01be4032d8 Enable verify-profile required action by default
Closes #25985

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-01-31 13:32:53 +01:00
Lex Cao
f83756b177 Error handle for the Json request in createErrorPage
Closes #13368

These changes introduce a new error handler for building error based on the media type.
- It should create error form response when it is valid HTML request
- It could create error response with JSON if content type matches

Signed-off-by: Lex Cao <lexcao@foxmail.com>
2024-01-31 09:31:30 -03:00
Václav Muzikář
4096a2657e
Supported option to specify site name for multi-site deployments
Closes #26460

Signed-off-by: Václav Muzikář <vmuzikar@redhat.com>
Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Co-authored-by: Alexander Schwartz <aschwart@redhat.com>
2024-01-31 11:52:19 +00:00
mposolda
10ba70c972 Possibility to email being not required
closes #26552

Signed-off-by: mposolda <mposolda@gmail.com>

Co-authored-by: Jon Koops <jonkoops@gmail.com>
2024-01-31 10:57:10 +01:00
Thomas Darimont
346c2926f6
Fix error type in SAML response on missing destination
We now use INVALID_SAML_RESPONSE insteadof INVALID_LOGOUT_RESPONSE.
Added proposed test case.

Closes #11178

Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
Co-authored-by: Michal Hajas <mhajas@redhat.com>
Co-authored-by: Chris Dolphy <cdolphy@redhat.com>
2024-01-31 09:32:14 +01:00
Stefan Wiedemann
fa948f37e0
Issue Verifiable Credentials in jwt_vc format #25941 (#26484)
closes #25941 

Signed-off-by: Stefan Wiedemann <wistefan@googlemail.com>
2024-01-30 18:35:20 +01:00
mposolda
1213556eff Fixes for UsernameIDNHomographValidator
closes #26564

Signed-off-by: mposolda <mposolda@gmail.com>
2024-01-30 14:30:28 +01:00
Chris Tanaskoski
5373f3c97a
Don't fail reset credentials action upon first broker login without EXISTING_USER_INFO (#26324)
The ResetCredentialsActionTokenHandler depends upon the `EXISTING_USER_INFO` through `AbstractIdpAuthenticator.getExistingUser` solely to log the username. However, if the first broker login flow does not include a `IdpCreateUserIfUniqueAuthenticator` or `IdpDetectExistingBrokerUserAuthenticator`, the `EXISTING_USER_INFO` is never set.

This commit does not attempt to fetch the existing user if we don't have this info set.

Closes #26323

Signed-off-by: Chris Tanaskoski <chris@devristo.com>
2024-01-30 11:16:52 +00:00
TheKeeroll
13b8db0026
typo fix (#26526)
Signed-off-by: TheKeeroll <57570053+TheKeeroll@users.noreply.github.com>
2024-01-29 11:40:21 +00:00
Stian Thorgersen
0fb6bdfcac
Cookie Provider - move remaining cookies (#26531)
Closes #26500

Signed-off-by: stianst <stianst@gmail.com>
2024-01-29 11:06:37 +01:00
Lex Cao
cf3f05a259
Skip grant role if exists for federated storage (#26508)
Closes #26507

Signed-off-by: Lex Cao <lexcao@foxmail.com>
2024-01-26 17:08:47 +00:00
Stian Thorgersen
bc3c27909e
Cookie Provider (#26499)
Closes #26500

Signed-off-by: stianst <stianst@gmail.com>
2024-01-26 10:45:00 +01:00
Martin Kanis
7797f778d1 Map Store Removal: Rename legacy modules
Closes #24107

Signed-off-by: Martin Kanis <mkanis@redhat.com>
2024-01-25 16:29:16 +01:00
Ricardo Martin
b58f35fb47
Revert "Enable verify profile required action by default for new realms" (#26495)
This reverts commit 7f195acc14.

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-01-25 12:28:16 +01:00
Stian Thorgersen
cbfdae5e75
Remove support for multiple AUTH_SESSION_ID cookies (#26462)
Closes #26457

Signed-off-by: stianst <stianst@gmail.com>
2024-01-25 06:58:42 +01:00
rmartinc
7f195acc14 Enable verify profile required action by default for new realms
Closes #25985

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-01-24 20:28:06 +01:00
Thomas Darimont
e7363905fa Change password hashing defaults according to OWASP recommendations (#16629)
Changes according to the latest [OWASP cheat sheet for secure Password Storage](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#pbkdf2):

- Changed default password hashing algorithm from pbkdf2-sha256 to pbkdf2-sha512
- Increased number of hash iterations for pbkdf2-sha1 from 20.000 to 1.300.000
- Increased number of hash iterations for pbkdf2-sha256 from 27.500 to 600.000
- Increased number of hash iterations for pbkdf2-sha512 from 30.000 to 210.000
- Adapt PasswordHashingTest to new defaults
- The test testBenchmarkPasswordHashingConfigurations can be used to compare the different hashing configurations.
- Document changes in changes document with note on performance and how
  to keep the old behaviour.
- Log a warning at the first time when Pbkdf2PasswordHashProviderFactory is used directly

Fixes #16629

Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
2024-01-24 18:35:51 +01:00
Florian Garcia
af0b9164e3
fix: hardcoded conditional rendering of client secret input field (#25776)
Closes #22660

Signed-off-by: ImFlog <garcia.florian.perso@gmail.com>
Co-authored-by: useresd <yousifmagdi@gmail.com>
2024-01-24 16:30:22 +01:00