keycloak-scim

Author	SHA1	Message	Date
rmartinc	d31f128ca2	Fix test IdentityProviderTest#testSamlImportWithAnyEncryptionMethod Closes #28577 Closes #28576 Closes #28575 Signed-off-by: rmartinc <rmartinc@redhat.com>	2024-04-11 18:56:37 +02:00
Steven Hawkins	d059a2af36	task: remove MultiVersionClusterTest (#28520 ) closes: #17483 Signed-off-by: Steve Hawkins <shawkins@redhat.com>	2024-04-11 14:13:52 +02:00
Martin Bartoš	ad4cbf2a14	OrganizationTest.testAttributes fails in GHA CI Fixes #28606 Signed-off-by: Martin Bartoš <mabartos@redhat.com>	2024-04-11 11:56:43 +02:00
tqe1999	6e0fc8a774	fix integer overflow with explicit cast Closes #28564 Signed-off-by: tqe1999 <tqe1999@gmail.com>	2024-04-11 10:58:44 +02:00
Giuseppe Graziano	33b747286e	Changed userId value for refresh token events Closes #28567 Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>	2024-04-11 07:46:44 +02:00
Stefan Guilhen	9a466f90ab	Add ability to set one or more internet domain to an organization. Closed #28274 Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>	2024-04-10 13:18:12 -03:00
devjos	cccddc0810	Fix brute force detection for LDAP read-only users Closes #28579 Signed-off-by: devjos <github_11837948@feido.de>	2024-04-10 16:36:11 +02:00
vramik	00ce3e34bd	Manage a single identity provider for an organization Closes #28272 Signed-off-by: vramik <vramik@redhat.com>	2024-04-10 09:47:51 -03:00
Jon Koops	0327787645	Remove legacy Account Console tests Signed-off-by: Jon Koops <jonkoops@gmail.com>	2024-04-10 14:34:56 +02:00
vramik	0826a12ca4	Exclude `groovy` artefact from testsuite to avoid version collision Closes #28555 Signed-off-by: vramik <vramik@redhat.com>	2024-04-10 09:16:36 -03:00
Martin Kanis	51fa054ba7	Manage organization attributes Closes #28253 Signed-off-by: Martin Kanis <mkanis@redhat.com>	2024-04-10 09:10:49 -03:00
rmartinc	41b706bb6a	Initial security profile SPI to integrate default client policies Closes #27189 Signed-off-by: rmartinc <rmartinc@redhat.com>	2024-04-10 11:19:56 +02:00
Giuseppe Graziano	c76cbc94d8	Add sub via protocol mapper to access token Closes #21185 Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>	2024-04-10 10:40:42 +02:00
mposolda	aa619f0170	Redirect error to client right-away when browser tab detects that another browser tab authenticated closes #27880 Signed-off-by: mposolda <mposolda@gmail.com>	2024-04-09 17:59:34 +02:00
Konstantinos Georgilakis	a40a953644	SAML element EncryptionMethod can consist any element closes #12585 Signed-off-by: cgeorgilakis-grnet <cgeorgilakis@admin.grnet.gr>	2024-04-09 14:15:56 +02:00
Stian Thorgersen	a499512f35	Set SameSite for all cookies (#28467 ) Closes #28465 Signed-off-by: stianst <stianst@gmail.com>	2024-04-09 12:29:19 +02:00
Václav Muzikář	e4987f10f5	Hostname SPI v2 (#26345 ) * Hostname SPI v2 Closes: #26084 Signed-off-by: Václav Muzikář <vmuzikar@redhat.com> * Fix HostnameV2DistTest#testServerFailsToStartWithoutHostnameSpecified Signed-off-by: Václav Muzikář <vmuzikar@redhat.com> * Address review comment Signed-off-by: Václav Muzikář <vmuzikar@redhat.com> * Partially revert the previous fix Signed-off-by: Václav Muzikář <vmuzikar@redhat.com> * Do not polish values Signed-off-by: Václav Muzikář <vmuzikar@redhat.com> * Remove filtering of denied categories Signed-off-by: Václav Muzikář <vmuzikar@redhat.com> --------- Signed-off-by: Václav Muzikář <vmuzikar@redhat.com>	2024-04-09 11:25:19 +02:00
vibrown	3fffc5182e	Added ClientType implementation from Marek's prototype Signed-off-by: vibrown <vibrown@redhat.com> More updates Signed-off-by: vibrown <vibrown@redhat.com> Added client type logic from Marek's prototype Signed-off-by: vibrown <vibrown@redhat.com> updates Signed-off-by: vibrown <vibrown@redhat.com> updates Signed-off-by: vibrown <vibrown@redhat.com> updates Signed-off-by: vibrown <vibrown@redhat.com> Testing to see if skipRestart was cause of test failures in MR	2024-04-08 20:20:37 +02:00
Pedro Igor	52ba9b4b7f	Make sure attribute metadata from user storage providers are added only for the provider associated with a federated user Closes #28248 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>	2024-04-08 09:05:16 -03:00
Justin Tay	e765932df3	Skip unsupported keys in JWKS Closes #16064 Signed-off-by: Justin Tay <49700559+justin-tay@users.noreply.github.com>	2024-04-08 08:42:31 +02:00
rmartinc	2b769e5129	Better management of the CSP header Closes https://github.com/keycloak/keycloak/issues/24568 Signed-off-by: rmartinc <rmartinc@redhat.com>	2024-04-08 08:19:57 +02:00
Giuseppe Graziano	b4f791b632	Remove session_state from tokens Closes #27624 Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>	2024-04-08 08:12:51 +02:00
MNaaz	811c70d136	Support for searching users based on search filter, enabled attribute, first, max Closes #27241 Signed-off-by: MNaaz <feminity2001@yahoo.com>	2024-04-05 12:10:15 -03:00
Jon Koops	d3c2475041	Upgrade admin and account console to PatternFly 5 (#28196 ) Closes #21345 Closes #21344 Signed-off-by: Jon Koops <jonkoops@gmail.com> Co-authored-by: Erik Jan de Wit <erikjan.dewit@gmail.com> Co-authored-by: Mark Franceschelli <mfrances@redhat.com> Co-authored-by: Hynek Mlnařík <hmlnarik@redhat.com> Co-authored-by: Agnieszka Gancarczyk <agancarc@redhat.com>	2024-04-05 16:37:05 +02:00
Gilvan Filho	96db7e3154	fix NotContainsUsernamePasswordPolicyProvider: reversed check closes #28389 Signed-off-by: Gilvan Filho <gfilho@redhat.com>	2024-04-05 10:39:07 -03:00
Pedro Igor	8fb6d43e07	Do not export ids when exporting authorization settings Closes #25975 Co-authored-by: 박시준 <sjpark@logblack.com> Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>	2024-04-04 19:26:03 +02:00
Justin Tay	30cd40e097	Use realm default signature algorithm for id_token_signed_response_alg Closes #9695 Signed-off-by: Justin Tay <49700559+justin-tay@users.noreply.github.com>	2024-04-04 11:37:28 +02:00
Justin Tay	89a5da1afd	Allow empty key use in JWKS for client authentication Closes #28004 Signed-off-by: Justin Tay <49700559+justin-tay@users.noreply.github.com>	2024-04-04 10:42:37 +02:00
Marek Posolda	335a10fead	Handle 'You are already logged in' for expired authentication sessions (#27793 ) closes #24112 Signed-off-by: mposolda <mposolda@gmail.com>	2024-04-04 10:41:03 +02:00
Martin Bartoš	7f048300fe	Support management port for health and metrics (#27629 ) * Support management port for health and metrics Closes #19334 Signed-off-by: Martin Bartoš <mabartos@redhat.com> * Deprecate option Signed-off-by: Martin Bartoš <mabartos@redhat.com> * Remove relativePath first-class citizen, rename ManagementSpec Signed-off-by: Martin Bartoš <mabartos@redhat.com> * Fix KeycloakDistConfiguratorTest Signed-off-by: Martin Bartoš <mabartos@redhat.com> --------- Signed-off-by: Martin Bartoš <mabartos@redhat.com>	2024-04-03 16:18:44 +02:00
Hynek Mlnarik	8ef3423f4a	Present effective sync mode value When sync mode value is missing in the config of newly created identity provider, the provider does not store any. When no value is found, the identity provider behaves as if `LEGACY` was used (#6705). This PR ensures the correct sync mode is returned from the REST endpoint, regardless of whether it has been stored in the database or not. Fixes: #26019 Signed-off-by: Hynek Mlnarik <hmlnarik@redhat.com>	2024-04-03 15:49:18 +02:00
Pedro Igor	4ec9fea8f7	Adding tests Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>	2024-04-03 08:04:17 -03:00
Clemens Zagler	b44252fde9	authz/client: Fix getPermissions returning wrong type Due to an issue with runtime type erasure, getPermissions returned a List<LinkedHashSet> instead of List<Permission>. Fixed and added test to catch this Closes #16520 Signed-off-by: Clemens Zagler <c.zagler@noi.bz.it>	2024-04-02 11:09:43 -03:00
Giuseppe Graziano	fe06df67c2	New default client scope for 'basic' claims with 'auth_time' protocol mapper Closes #27623 Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>	2024-04-02 08:44:28 +02:00
Stefan Guilhen	2ca59d4141	Align isEnabled in MSAD mappers to how other properties are processed in UserAttributeLDAPStorageMapper - user model is updated by onImport with the enabled/disabled status of the LDAP user - a config option always.read.enabled.value.from.ldap was introduced, in synch to what we have in UserAttributeLDAPStorageMapper - isEnabled checks the flag to decide if it should always retrieve the value from LDAP, or return the local value. - setEnabled first updates the LDAP tx, and then calls the delegate to avoid issue #24201 Closes #26695 Closed #24201 Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>	2024-04-01 08:20:35 -03:00
Steven Hawkins	e9ad9d0564	fix: replace aesh with picocli (#27458 ) * fix: replace aesh with picocli closes: #27388 Signed-off-by: Steve Hawkins <shawkins@redhat.com> * Update integration/client-cli/admin-cli/src/main/java/org/keycloak/client/admin/cli/commands/AbstractRequestCmd.java Co-authored-by: Martin Bartoš <mabartos@redhat.com> * splitting the error handling for password input Signed-off-by: Steve Hawkins <shawkins@redhat.com> * adding a change note about kcadm Signed-off-by: Steve Hawkins <shawkins@redhat.com> * Update docs/documentation/upgrading/topics/changes/changes-25_0_0.adoc Co-authored-by: Martin Bartoš <mabartos@redhat.com> --------- Signed-off-by: Steve Hawkins <shawkins@redhat.com> Co-authored-by: Martin Bartoš <mabartos@redhat.com>	2024-03-28 14:34:06 +01:00
Alexander Schwartz	c580c88c93	Persist online sessions to the database (#27977 ) Adding two feature toggles for new code paths to store online sessions in the existing offline sessions table. Separate the code which is due to be changed in the next iteration in new classes/providers which used instead of the old one. Closes #27976 Signed-off-by: Alexander Schwartz <aschwart@redhat.com> Signed-off-by: Michal Hajas <mhajas@redhat.com> Co-authored-by: Michal Hajas <mhajas@redhat.com>	2024-03-28 09:17:07 +01:00
Gilvan Filho	757c524cc5	Password policy for not having username in the password closes #27643 Signed-off-by: Gilvan Filho <gfilho@redhat.com>	2024-03-28 08:29:03 +01:00
Pedro Igor	b9a7152a29	Avoid commiting the transaction prematurely when creating users through the User API Closes #28217 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>	2024-03-27 19:16:09 -03:00
Lex Cao	a53cacc0a7	Fire logout event when logout other sessions (#26658 ) Closes #26658 Signed-off-by: Lex Cao <lexcao@foxmail.com>	2024-03-27 11:13:48 +01:00
Jon Koops	3382e16954	Remove Account Console version 2 (#27510 ) Closes #19664 Signed-off-by: Jon Koops <jonkoops@gmail.com>	2024-03-27 10:53:28 +01:00
Tomas Ondrusko	3160116a56	Remove Twitter workaround (#28232 ) Relates to #23252 Signed-off-by: Tomas Ondrusko <tondrusk@redhat.com>	2024-03-27 10:34:26 +01:00
Steven Hawkins	be32f8b1bf	fix: limit the use of Resteasy to the KeycloakSession (#28150 ) * fix: limit the use of Resteasy to the KeycloakSession contextualizes other state to the KeycloakSession close: #28152	2024-03-26 13:43:41 -04:00
vramik	fa1571f231	Map organization metadata when issuing tokens for OIDC clients acting on behalf of an organization member Closes #27993 Signed-off-by: vramik <vramik@redhat.com>	2024-03-26 14:02:09 -03:00
Pedro Igor	a470711dfb	Resolve the user federation link as null when decorating the user profile metadata in the LDAP provider Closes #28100 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>	2024-03-26 10:14:49 -03:00
Stian Thorgersen	c3a98ae387	Use Argon2 as default password hashing algorithm (#28162 ) Closes #28161 Signed-off-by: stianst <stianst@gmail.com>	2024-03-22 13:04:14 +00:00
Stian Thorgersen	8cbd39083e	Default password hashing algorithm should be set to default password hash provider (#28128 ) Closes #28120 Signed-off-by: stianst <stianst@gmail.com>	2024-03-22 12:44:11 +01:00
Stian Thorgersen	3f9cebca39	Ability to set the default provider for an SPI (#28135 ) Closes #28134 Signed-off-by: stianst <stianst@gmail.com>	2024-03-22 07:45:08 +01:00
Stian Thorgersen	cae92cbe8c	Argon2 password hashing provider (#28031 ) Closes #28030 Signed-off-by: stianst <stianst@gmail.com>	2024-03-22 07:08:09 +01:00
Reda Bourial	a41d865600	fix for SMTP email sending fails because of tls certificate verification even with tls-hostname-verifier=ANY (#27756 ) Signed-off-by: Reda Bourial <reda.bourial@gmail.com>	2024-03-21 17:06:42 +01:00
Steven Hawkins	7eab019748	task: deprecate WILDCARD and STRICT options (#26833 ) closes: #24893 Signed-off-by: Steve Hawkins <shawkins@redhat.com>	2024-03-21 16:22:41 +01:00
Steven Hawkins	35b9d8aa49	task: remove usage of resteasy-core-spi (#27387 ) closes: #27242 Signed-off-by: Steve Hawkins <shawkins@redhat.com>	2024-03-21 15:28:34 +01:00
Giuseppe Graziano	b24d446911	Avoid using wait() to wait for the redirect Closes #22644 Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>	2024-03-21 14:36:43 +01:00
Giuseppe Graziano	939420cea1	Always include offline_access scope when refreshing with offline token Closes #27878 Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>	2024-03-21 14:32:31 +01:00
Pedro Igor	32541f19a3	Allow managing members for an organization Closes #27934 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>	2024-03-21 10:26:30 -03:00
Martin Kanis	4154d27941	Invalidating offline token is not working from client sessions tab Closes #27275 Signed-off-by: Martin Kanis <mkanis@redhat.com>	2024-03-21 09:04:58 -03:00
Sebastian Schuster	0542554984	12671 querying by user attribute no longer forces case insensitivity for keys Signed-off-by: Sebastian Schuster <sebastian.schuster@bosch.io>	2024-03-21 08:35:29 -03:00
Pedro Igor	f970deac37	Do not grant scopes not granted for resources owned the resource server itself Closes #25057 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>	2024-03-20 18:36:41 +01:00
Alexander Schwartz	149e50e1b1	Upgrading to Quarkus 3.8.3 (#28085 ) Closes #28084 Signed-off-by: Alexander Schwartz <aschwart@redhat.com>	2024-03-20 17:16:42 +01:00
Takashi Norimatsu	d5bf79b932	Refactoring JavaScript code of WebAuthn's authenticators to follow the current Keycloak's JavaScript coding convention closes #26713 Signed-off-by: Takashi Norimatsu <takashi.norimatsu.ws@hitachi.com>	2024-03-20 13:22:48 +01:00
René Zeidler	83a3500ccf	Attributes without a group should appear first In the login theme, user profile attributes that are not assigned to an attribute group should appear before all other attributes. This aligns the login theme (registration, verify profile, etc.) with the account and admin console. Fixes #27981 Signed-off-by: René Zeidler <rene.zeidler@gmx.de>	2024-03-19 18:40:01 +01:00
Hynek Mlnařík	9caac3814c	Enable WebAuthn tests for Account v3 (#28029 ) * Re-enable WebAuthn testsuite * Remove reference to Account 2 in UI testsuites Fixes: #26080 Signed-off-by: Hynek Mlnarik <hmlnarik@redhat.com> --------- Signed-off-by: Hynek Mlnarik <hmlnarik@redhat.com>	2024-03-19 14:26:44 +01:00
Stefan Wiedemann	67d3e1e467	Issue Verifiable Credentials in the VCDM format #25943 (#27071 ) closes #25943 Signed-off-by: Stefan Wiedemann <wistefan@googlemail.com>	2024-03-18 17:05:53 +01:00
cgeorgilakis-grnet	24f105e8fc	successful SAML IdP Logout Request with BaseID or EncryptedID and SessionIndex Closes #23528 Signed-off-by: cgeorgilakis-grnet <cgeorgilakis@admin.grnet.gr>	2024-03-18 08:19:13 -03:00
Alexander Schwartz	62d24216e3	Remove offline session preloading Closes #27602 Signed-off-by: Alexander Schwartz <aschwart@redhat.com>	2024-03-15 15:19:27 +01:00
Pedro Igor	7fc2269ba5	The bare minimum implementation for organization Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com> Co-authored-by: vramik <vramik@redhat.com>	2024-03-15 11:06:43 -03:00
Alexander Schwartz	6de5325d1c	Limit the received content when handling the content as a String Closes #27293 Co-authored-by: rmartinc <rmartinc@redhat.com> Signed-off-by: rmartinc <rmartinc@redhat.com> Signed-off-by: Alexander Schwartz <aschwart@redhat.com>	2024-03-13 16:43:03 +01:00
Pedro Igor	9ad447390a	Only remove attributes with empty values when updating user profile Closes #27797 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>	2024-03-13 15:03:08 +01:00
Réda Housni Alaoui	1bf90321ad	"Allowed Protocol Mapper Types" prevents clients from self-updating via client registration api (#27578 ) closes #27558 Signed-off-by: Réda Housni Alaoui <reda-alaoui@hey.com>	2024-03-13 14:00:34 +01:00
rmartinc	d679c13040	Continue LDAP search if a duplicated user (ModelDuplicateException) is found Closes #25778 Signed-off-by: rmartinc <rmartinc@redhat.com>	2024-03-13 08:52:58 -03:00
rmartinc	43a5779f6e	Do not challenge inside spnego authenticator is FORKED_FLOW Closes #20637 Signed-off-by: rmartinc <rmartinc@redhat.com>	2024-03-12 14:23:03 +01:00
Pedro Igor	1e48cce3ae	Make sure empty configuration resolves to the system default configuration Closes #27611 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>	2024-03-11 09:01:38 -03:00
Stefan Wiedemann	6fc69b6a01	Issue Verifiable Credentials in the SD-JWT-VC format (#27207 ) closes #25942 Signed-off-by: Stefan Wiedemann <wistefan@googlemail.com> Co-authored-by: Francis Pouatcha <francis.pouatcha@adorsys.com>	2024-03-11 08:55:28 +01:00
Steve Hawkins	4091baf4c2	fix: accounting for the possibility of null flows from existing realms closes: #23980 Signed-off-by: Steve Hawkins <shawkins@redhat.com>	2024-03-08 14:25:23 +01:00
Pedro Igor	40385061f7	Make sure refresh token expiration is based on the current time when the token is issued Closes #27180 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>	2024-03-07 15:23:19 +01:00
rmartinc	ea4155bbcd	Remove recursively when deleting an authentication executor Closes #24795 Signed-off-by: rmartinc <rmartinc@redhat.com>	2024-03-07 14:43:23 +01:00
graziang	54b40d31b6	Revoked token cache expiration fix Added 1 second to the duration of the cache for revoked tokens to prevent them from still being valid for 1 second after the expiration date of the access token. Closes #26113 Signed-off-by: graziang <g.graziano94@gmail.com>	2024-03-07 13:33:37 +01:00
rmartinc	dea15e25da	Only add the nonce claim to the ID Token (mapper for backwards compatibility) Closes #26893 Signed-off-by: rmartinc <rmartinc@redhat.com>	2024-03-07 09:56:57 +01:00
Pedro Igor	d5a613cd6b	Support for script providers when running in embedded mode Closes #27574 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>	2024-03-06 18:06:09 -03:00
Theresa Henze	653d09f39a	trigger REMOVE_TOTP event on removal of an OTP credential Closes #15403 Signed-off-by: Theresa Henze <theresa.henze@bare.id>	2024-03-06 17:12:50 +01:00
graziang	39299eeb38	Encode role name parameter in the location header uri The role is encoded to avoid template resolution by the URIBuilder. This fix avoids the exception when creating roles with names containing {patterns}. Closes #27514 Signed-off-by: graziang <g.graziano94@gmail.com>	2024-03-06 15:59:26 +01:00
rmartinc	82af0b6af6	Initial client policies integration for SAML Closes #26654 Signed-off-by: rmartinc <rmartinc@redhat.com>	2024-03-06 15:18:35 +01:00
Pedro Igor	d12711e858	Allow fetching roles when evaluating role licies Closes #20736 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>	2024-03-05 15:54:02 +01:00
graziang	4fa940a31e	Device verification flow always requires consent Force consent for device verification flow when there are no client scopes to approve by adding a default client scope to approve Closes #26100 Signed-off-by: graziang <g.graziano94@gmail.com>	2024-03-05 14:14:19 +01:00
Tero Saarni	e06fcbe6ae	Change supported criteria for Google Authenticator List Google Authenticator as supported when - hash algorithm is SHA256 or SHA512 - number of digits is 8 - OTP type is hotp Signed-off-by: Tero Saarni <tero.saarni@est.tech>	2024-03-05 11:19:06 +01:00
Tomas Ondrusko	9404b888d1	Update disabled feature status code in social login tests Closes #27366 Signed-off-by: Tomas Ondrusko <tondrusk@redhat.com>	2024-03-05 10:22:51 +01:00
Pavel Drozd	be7775a9be	LDAPSyncTest - additional removal of users at the end of the test Necessary when running with external AD Closes #27499 Signed-off-by: Pavel Drozd <pdrozd@redhat.com>	2024-03-05 09:54:58 +01:00
Pedro Igor	2c750c8ffb	Reverting unrelated changes to templates Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>	2024-03-04 20:28:06 +09:00
Jon Koops	0894642838	Fix up selector for submit button Signed-off-by: Jon Koops <jonkoops@gmail.com>	2024-03-04 20:28:06 +09:00
Lucy Linder	aa6771205a	Update ReCAPTCHA and add support for ReCAPTCHA Enterprise Closes #16138 Signed-off-by: Lucy Linder <lucy.derlin@gmail.com>	2024-03-04 20:28:06 +09:00
vramik	032bb8e9cc	Map Store Removal: Remove obsolete `KeycloakModelUtils.isUsernameCaseSensitive` method Closes #27438 Signed-off-by: vramik <vramik@redhat.com>	2024-03-02 04:40:46 +09:00
rmartinc	f970803738	Check email and username for duplicated if isLoginWithEmailAllowed Closes #27297 Signed-off-by: rmartinc <rmartinc@redhat.com>	2024-03-02 00:14:27 +09:00
Andy	137907f5ef	Roles admin REST API: Don't expand composite roles Additionally: - Import clean-up - Added requireMapComposite as in RoleResource.addComposites Closes #26951 Signed-off-by: synth3 <19573241+synth3@users.noreply.github.com>	2024-03-02 00:03:03 +09:00
Takashi Norimatsu	1792af6850	OAuth 2.1 default profile lacks oauth-2-1-compliant setting for SecureRedirectUrisEnforcerExecutor closes #27412 Signed-off-by: Takashi Norimatsu <takashi.norimatsu.ws@hitachi.com>	2024-03-01 14:49:23 +01:00
Hynek Mlnarik	49bbed13b9	Localize admin error messages Fixes: #25977 (part of) Signed-off-by: Hynek Mlnarik <hmlnarik@redhat.com>	2024-03-01 14:03:08 +01:00
graziang	082f9ec15b	Update client scopes in Client Update Request in DCR Fix ClientScopesClientRegistrationPolicy.beforeUpdate because it was modifying the original clientRepresentation. Add updateClientScopes method to set client scopes in Client Update Request in DCR. Closes #24361 Signed-off-by: graziang <g.graziano94@gmail.com>	2024-03-01 12:32:45 +01:00
Marek Posolda	ae0a0ea30b	SecureRedirectUrisEnforcerExecutor fixes (#27369 ) closes #27344 Signed-off-by: mposolda <mposolda@gmail.com>	2024-02-29 17:24:20 +01:00
Steven Hawkins	51590668f5	fix: provide a better error message when option parsing fails (#27354 ) closes: #16260 Signed-off-by: Steve Hawkins <shawkins@redhat.com>	2024-02-29 08:22:21 -05:00
Takashi Norimatsu	3db04d8d8d	Replace Security Key with Passkey in WebAuthn UIs and their documents closes #27147 Signed-off-by: Takashi Norimatsu <takashi.norimatsu.ws@hitachi.com>	2024-02-29 10:31:05 +01:00
Pedro Igor	326d63ce74	Make sure group searches are cached and entries invalidate accordingly Closes #26983 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>	2024-02-29 05:06:36 +09:00
Vlasta Ramik	ade3b31a91	Introduce new CLI config options for Infinispan remote store Closes #25676 Signed-off-by: vramik <vramik@redhat.com> Signed-off-by: Pedro Ruivo <pruivo@redhat.com> Signed-off-by: Alexander Schwartz <aschwart@redhat.com> Co-authored-by: Pedro Ruivo <pruivo@redhat.com> Co-authored-by: Alexander Schwartz <aschwart@redhat.com>	2024-02-28 15:49:19 +00:00
Réda Housni Alaoui	a3b3ee4b87	Ability to declare a default "First broker login flow" per Realm Closes #25823 Signed-off-by: Réda Housni Alaoui <reda-alaoui@hey.com> Co-authored-by: Jon Koops <jonkoops@gmail.com>	2024-02-28 16:17:51 +01:00
Pedro Igor	788d146bf2	Use the target client when processing scopes for internal exchanges Closes #19183 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>	2024-02-28 15:18:43 +01:00
rmartinc	2bd9f09e29	Re-index CLIENT_ATTRIBUTES using name and value Closes #26618 Signed-off-by: rmartinc <rmartinc@redhat.com>	2024-02-28 11:07:03 +01:00
graziang	16a854c91b	Add option to clients to use lightweight access token Add an "Always use lightweight access token" option on the client's Advanced tab in the "Advanced Settings" section that uses the already existing Constants.USE_LIGHTWEIGHT_ACCESS_TOKEN_ENABLED to store a boolean client attribute. The attribute value is used to enable or disable the lightweight access token. Closes #27238 Signed-off-by: graziang <g.graziano94@gmail.com>	2024-02-28 10:18:26 +01:00
Pedro Igor	0c91fceaad	Allow setting if both 'client_id' and 'id_token_hint' params should be sent in logout requests Closes #27281 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>	2024-02-27 20:37:27 +09:00
Dmitry Telegin	6a57614554	Fix disabled feature tests	2024-02-27 19:11:32 +09:00
rmartinc	562decde35	Perform internal introspect for the access token in the account app Closes #27243 Signed-off-by: rmartinc <rmartinc@redhat.com>	2024-02-27 09:19:20 +01:00
kaustubh-rh	03f6cda85a	Prevent user from removing built-in client scopes (#27134 ) Closes #26937 Signed-off-by: Kaustubh B <kbawanka@redhat.com>	2024-02-26 11:16:23 +01:00
Gilvan Filho	83af01c4c0	Add failedLoginNotBefore to AttackDetectionResource Closes #17574 Signed-off-by: Gilvan Filho <gfilho@redhat.com>	2024-02-26 09:35:51 +01:00
graziang	cecce40aa5	Avoid regenerating the totpSecret on every reload of the OTP configuration page Using an auth note to store the totpSecret and passing its value in the TotpBean constructor to keep the totpSecret on page reload Closes #26052 Signed-off-by: graziang <g.graziano94@gmail.com>	2024-02-22 19:09:09 +01:00
Pedro Igor	604274fb76	Allow setting an attribute as multivalued Closes #23539 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com> Co-authored-by: Jon Koops <jonkoops@gmail.com> Co-authored-by: Erik Jan de Wit <erikjan.dewit@gmail.com>	2024-02-22 12:56:44 +01:00
Takashi Norimatsu	1e12b15890	Supporting OAuth 2.1 for public clients closes #25316 Co-authored-by: shigeyuki kabano <shigeyuki.kabano.sj@hitachi.com> Signed-off-by: Takashi Norimatsu <takashi.norimatsu.ws@hitachi.com>	2024-02-22 10:57:29 +01:00
Douglas Palmer	b0ef746f39	Permanently lock users out after X temporary lockouts during a brute force attack Closes #26172 Signed-off-by: Douglas Palmer <dpalmer@redhat.com>	2024-02-22 09:34:51 +01:00
Takashi Norimatsu	9ea679ff35	Supporting OAuth 2.1 for confidential clients closes #25314 Co-authored-by: shigeyuki kabano <shigeyuki.kabano.sj@hitachi.com> Signed-off-by: Takashi Norimatsu <takashi.norimatsu.ws@hitachi.com>	2024-02-22 08:34:21 +01:00
Peter Keuter	01d66a662b	Expose display name and locales when user has ANY admin role (#27160 ) * chore: expose display name and locales when user has view-realm Signed-off-by: Peter Keuter <github@peterkeuter.nl> * fix: supportedlocales are available as stream Signed-off-by: Peter Keuter <github@peterkeuter.nl> * fix: tests Signed-off-by: Peter Keuter <github@peterkeuter.nl> * fix: remove unnecessarily added ignore Signed-off-by: Peter Keuter <github@peterkeuter.nl> --------- Signed-off-by: Peter Keuter <github@peterkeuter.nl>	2024-02-21 13:30:31 -05:00
Ricardo Martin	3bc074913e	Allow LDAP provider to search using any attribute configured via mappers (#26235 ) Closes #22436 Signed-off-by: rmartinc <rmartinc@redhat.com>	2024-02-21 08:48:39 +00:00
Takashi Norimatsu	1bdbaa2ca5	Client policies: executor for validate and match a redirect URI closes #25637 Signed-off-by: Takashi Norimatsu <takashi.norimatsu.ws@hitachi.com>	2024-02-20 08:37:33 +01:00
Ryan Emerson	a2f027ee00	Use AWS JDBC Wrapper in CI tests. Resolves #27123 Signed-off-by: Ryan Emerson <remerson@redhat.com>	2024-02-19 19:07:24 +01:00
Stefan Wiedemann	aa6b102e3d	Support EC Key-Imports for the JavaKeystoreKeyProvider #26936 (#27030 ) closes #26936 Signed-off-by: Stefan Wiedemann <wistefan@googlemail.com>	2024-02-19 17:41:40 +01:00
Tomas Ondrusko	055a0e2231	Fix Microsoft social login test case Resolves #27120 Signed-off-by: Tomas Ondrusko <tondrusk@redhat.com>	2024-02-19 15:56:58 +01:00
Pedro Hos	6b3fa8b7a7	Invalid redirect uri when identity provider alias has spaces (#22840 ) closes #22836 Co-authored-by: Marek Posolda <mposolda@gmail.com>	2024-02-19 14:40:42 +01:00
graziang	1f57fc141c	UPDATED_PASSWORD required-action triggered only when login using password `UpdatePassword.evaluateTriggers` adds the required-action to the user by evaluating the expiration password policy. Added a check that skips the evaluation if no password used during auth flow. This check uses the value of an auth note set in the `validatePassword` method of the `AbstractUsernameFormAuthenticator`. Manually adding UPDATED_PASSWORD required-action to the user continues to trigger the action regardless of the authentication method. Closes #17155 Signed-off-by: graziang <g.graziano94@gmail.com>	2024-02-16 18:16:36 +01:00
Marek Posolda	c94f9f5716	Remove random redirect after password reset (#27076 ) closes #20867 Signed-off-by: mposolda <mposolda@gmail.com> Co-authored-by: Ricardo Martin <rmartinc@redhat.com>	2024-02-16 18:13:27 +01:00
Vlasta Ramik	76453550a5	User attribute value length extension Closes #9758 Signed-off-by: vramik <vramik@redhat.com> Signed-off-by: Alexander Schwartz <aschwart@redhat.com> Signed-off-by: Michal Hajas <mhajas@redhat.com> Co-authored-by: Alexander Schwartz <aschwart@redhat.com> Co-authored-by: Michal Hajas <mhajas@redhat.com>	2024-02-16 08:09:34 +01:00
mposolda	eff6c3af78	During password reset, the baseURL is not shown on the info page after browser restart closes #21127 Signed-off-by: mposolda <mposolda@gmail.com>	2024-02-15 18:48:53 +01:00
Michal Hajas	e55ba5dcdc	Make sure pagination is used even when first is null for getGroups endpoint Closes #25731 Signed-off-by: Michal Hajas <mhajas@redhat.com>	2024-02-15 19:46:04 +09:00
mposolda	b4d289c562	Fixing UriValidator closes #26792 Signed-off-by: mposolda <mposolda@gmail.com>	2024-02-15 10:30:39 +01:00
rmartinc	4ff4c3f897	Increase internal algorithm security using HS512 and 128 byte hmac keys Closes #13080 Signed-off-by: rmartinc <rmartinc@redhat.com>	2024-02-15 08:16:45 +01:00
rmartinc	bc82929e3a	Cors modifications for UserInfo endpoint Closes #26782 Signed-off-by: rmartinc <rmartinc@redhat.com>	2024-02-14 18:24:06 +01:00
Ryan Emerson	67f6f2f657	Add Multi-AZ Aurora DB to CI store-integration-tests Closes #26730 Signed-off-by: Ryan Emerson <remerson@redhat.com>	2024-02-14 16:51:08 +01:00
rmartinc	bb12f3fb82	Do not require non-builtin attributes for service accounts Closes #26716 Signed-off-by: rmartinc <rmartinc@redhat.com>	2024-02-13 17:42:59 +01:00
Steven Hawkins	6bbf8358b4	task: addressing build warnings (#26877 ) Signed-off-by: Steve Hawkins <shawkins@redhat.com>	2024-02-13 17:04:43 +01:00
Steven Hawkins	3a04acab51	fix: adds pfx as a recognized extension (#26876 ) closes #24661 Signed-off-by: Steve Hawkins <shawkins@redhat.com>	2024-02-13 15:38:12 +01:00
Stian Thorgersen	23d5f2188d	Run adapters in a separate job on GitHub Actions (#26962 ) Closes #25892 Signed-off-by: stianst <stianst@gmail.com>	2024-02-13 12:38:58 +01:00
Stefan Guilhen	2161e72872	Add migration for the useTruststoreSpi config property in LDAP user storage provider - legacy `ldapsOnly` value now migrated to `always`. Closes #25912 Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>	2024-02-12 11:53:19 +01:00
Pedro Igor	e50642ac32	Allow setting a default user profile configuration Closes #26489 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>	2024-02-12 11:16:48 +01:00
Thomas Darimont	93fc6a6c54	Shorter lifespan for offline session cache entries in memory Closes #26810 Co-authored-by: Thomas Darimont <thomas.darimont@googlemail.com> Co-authored-by: Martin Kanis <mkanis@redhat.com> Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com> Signed-off-by: Martin Kanis <mkanis@redhat.com>	2024-02-09 19:44:04 +01:00
Stefan Guilhen	d3ae075a33	Fix MembershipType so that NPE is not thrown when an empty member is found within a group Closes #25883 Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>	2024-02-09 19:04:37 +01:00
Réda Housni Alaoui	67718c653a	UPDATE_EMAIL action token handling should allow the user to resume its navigation to the redirect uri Signed-off-by: Réda Housni Alaoui <reda-alaoui@hey.com>	2024-02-08 18:32:38 -03:00
Douglas Palmer	66f0d2ff1d	blah Signed-off-by: Douglas Palmer <dpalmer@redhat.com>	2024-02-07 15:55:06 -03:00
Douglas Palmer	d9d41b1a09	Brute Force Detection is disabled when updating frontenUrl via admin client Closes #21409 Signed-off-by: Douglas Palmer <dpalmer@redhat.com>	2024-02-07 15:55:06 -03:00
Steven Hawkins	402c7d9b18	Removing version overrides and further aligning with quarkus versions (#26788 ) * elevating wildfly-elytron-http-oidc version management Signed-off-by: Steve Hawkins <shawkins@redhat.com> * removing testing dependency overrides Signed-off-by: Steve Hawkins <shawkins@redhat.com> * further version aligment with quarkus Signed-off-by: Steve Hawkins <shawkins@redhat.com> * adding a resteay-core-spi that can be overriden Signed-off-by: Steve Hawkins <shawkins@redhat.com> * removing hamcrest override Signed-off-by: Steve Hawkins <shawkins@redhat.com> * aligning with 3.7.1 Signed-off-by: Steve Hawkins <shawkins@redhat.com> --------- Signed-off-by: Steve Hawkins <shawkins@redhat.com>	2024-02-07 17:57:23 +01:00
Tero Saarni	ac1780a54f	Added event for temporary lockout for brute force protector (#26630 ) This change adds event for brute force protector when user account is temporarily disabled. It also lowers the priority of free-text log for failed login attempts. Signed-off-by: Tero Saarni <tero.saarni@est.tech> Signed-off-by: Alexander Schwartz <aschwart@redhat.com> Co-authored-by: Alexander Schwartz <aschwart@redhat.com>	2024-02-07 14:13:33 +00:00
Dmitry Telegin	b0403e2268	CORS SPI Closes #25446 Signed-off-by: Dmitry Telegin <demetrio@carretti.pro>	2024-02-06 15:27:53 -03:00
rmartinc	509f618992	Improvements for test connection and authentication in the LDAP provider Closes #26464 Signed-off-by: rmartinc <rmartinc@redhat.com>	2024-02-06 13:04:06 -03:00
mposolda	f468885fdd	Empty error message when validation issue due the PersonNameProhibitedValidator validation closes #26750 Signed-off-by: mposolda <mposolda@gmail.com>	2024-02-06 12:56:50 -03:00
Stian Thorgersen	3e08a1713b	Ignore empty attribute values when retriveing boolean/int/long (#26729 ) (#26737 ) Resolves #26597, resolves #26665 Signed-off-by: stianst <stianst@gmail.com>	2024-02-06 15:29:34 +01:00
Stian Thorgersen	c4b1fd092a	Use code from RestEasy to create and set cookies (#26558 ) Closes #26557 Signed-off-by: stianst <stianst@gmail.com>	2024-02-06 15:14:04 +01:00
rmartinc	720c5c6576	PKCE should return error if code_verifier sent but no code_challenge in the authorization request Closes #26430 Signed-off-by: rmartinc <rmartinc@redhat.com>	2024-02-06 08:31:56 -03:00
Pedro Igor	ec2fcb4333	Upgrade arquilliam bom to match org.apache.maven dependency versions from Quarkus Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>	2024-02-05 18:08:33 -03:00
Václav Muzikář	8833b9d2ac	Upgrade to Quarkus 3.7.1 (#26736 ) Closes #26701 Closes #23854 Signed-off-by: Václav Muzikář <vmuzikar@redhat.com>	2024-02-02 15:57:23 +00:00
Michal Hajas	00742a62dd	Remove RealmModel from authorization services interfaces (#26708 ) Closes #26530 Signed-off-by: Michal Hajas <mhajas@redhat.com>	2024-02-02 16:51:32 +01:00
Thomas Darimont	277af021d7	Improve ScheduledTask task-name handling This PR introduces a String getTaskName() default method to the ScheduledTask interface and adjusts call sites to use the implementation derived task name where possible. Previously, ScheduledTask names were passed around separately, which lead to unhelpful debug messages. We now give ScheduledTask implementations control over their task-name which allows for more flexible naming. Enlist call StoreSyncEvent.fire(...) to after transaction to ensure realm is present in database. Ensure that Realm is already committed before updating sync via UserStorageSyncManager Align Sync task name generation for cancellation to support SyncFederationTest Only log a message if sync task was actually canceled. Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>	2024-02-02 09:57:03 -03:00
mposolda	cdc5d8fff8	Migrating Realm JSON with declarative user profile fails when scope selectors present on any attributes closes #26266 Signed-off-by: mposolda <mposolda@gmail.com>	2024-02-01 09:54:09 +01:00
Stian Thorgersen	64b5f42c4a	Revert new behaviour around setting secure flag for cookies (#26650 ) Closes #26649 Signed-off-by: stianst <stianst@gmail.com>	2024-01-31 19:33:56 +01:00
Steven Hawkins	37acb2fd09	task: upgrading to quarkus 3.7.0.CR1 (#26203 ) there are several downgrades from the quarkus versions, and some additional logic needed to handle changes with re-creating the configuration Signed-off-by: Steve Hawkins <shawkins@redhat.com>	2024-01-31 18:23:07 +00:00
Lex Cao	a43ba73b93	Skip link only when client is not system when logout (#24595 ) Signed-off-by: Lex Cao <lexcao@foxmail.com>	2024-01-31 17:50:26 +01:00
rmartinc	01be4032d8	Enable verify-profile required action by default Closes #25985 Signed-off-by: rmartinc <rmartinc@redhat.com>	2024-01-31 13:32:53 +01:00
Lex Cao	f83756b177	Error handle for the Json request in createErrorPage Closes #13368 These changes introduce a new error handler for building error based on the media type. - It should create error form response when it is valid HTML request - It could create error response with JSON if content type matches Signed-off-by: Lex Cao <lexcao@foxmail.com>	2024-01-31 09:31:30 -03:00
Václav Muzikář	4096a2657e	Supported option to specify site name for multi-site deployments Closes #26460 Signed-off-by: Václav Muzikář <vmuzikar@redhat.com> Signed-off-by: Alexander Schwartz <aschwart@redhat.com> Co-authored-by: Alexander Schwartz <aschwart@redhat.com>	2024-01-31 11:52:19 +00:00
mposolda	10ba70c972	Possibility to email being not required closes #26552 Signed-off-by: mposolda <mposolda@gmail.com> Co-authored-by: Jon Koops <jonkoops@gmail.com>	2024-01-31 10:57:10 +01:00
Thomas Darimont	346c2926f6	Fix error type in SAML response on missing destination We now use INVALID_SAML_RESPONSE insteadof INVALID_LOGOUT_RESPONSE. Added proposed test case. Closes #11178 Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com> Co-authored-by: Michal Hajas <mhajas@redhat.com> Co-authored-by: Chris Dolphy <cdolphy@redhat.com>	2024-01-31 09:32:14 +01:00
Stefan Wiedemann	fa948f37e0	Issue Verifiable Credentials in jwt_vc format #25941 (#26484 ) closes #25941 Signed-off-by: Stefan Wiedemann <wistefan@googlemail.com>	2024-01-30 18:35:20 +01:00
mposolda	1213556eff	Fixes for UsernameIDNHomographValidator closes #26564 Signed-off-by: mposolda <mposolda@gmail.com>	2024-01-30 14:30:28 +01:00
Chris Tanaskoski	5373f3c97a	Don't fail reset credentials action upon first broker login without `EXISTING_USER_INFO` (#26324 ) The ResetCredentialsActionTokenHandler depends upon the `EXISTING_USER_INFO` through `AbstractIdpAuthenticator.getExistingUser` solely to log the username. However, if the first broker login flow does not include a `IdpCreateUserIfUniqueAuthenticator` or `IdpDetectExistingBrokerUserAuthenticator`, the `EXISTING_USER_INFO` is never set. This commit does not attempt to fetch the existing user if we don't have this info set. Closes #26323 Signed-off-by: Chris Tanaskoski <chris@devristo.com>	2024-01-30 11:16:52 +00:00
TheKeeroll	13b8db0026	typo fix (#26526 ) Signed-off-by: TheKeeroll <57570053+TheKeeroll@users.noreply.github.com>	2024-01-29 11:40:21 +00:00
Stian Thorgersen	0fb6bdfcac	Cookie Provider - move remaining cookies (#26531 ) Closes #26500 Signed-off-by: stianst <stianst@gmail.com>	2024-01-29 11:06:37 +01:00
Lex Cao	cf3f05a259	Skip grant role if exists for federated storage (#26508 ) Closes #26507 Signed-off-by: Lex Cao <lexcao@foxmail.com>	2024-01-26 17:08:47 +00:00
Stian Thorgersen	bc3c27909e	Cookie Provider (#26499 ) Closes #26500 Signed-off-by: stianst <stianst@gmail.com>	2024-01-26 10:45:00 +01:00
Martin Kanis	7797f778d1	Map Store Removal: Rename legacy modules Closes #24107 Signed-off-by: Martin Kanis <mkanis@redhat.com>	2024-01-25 16:29:16 +01:00
Ricardo Martin	b58f35fb47	Revert "Enable verify profile required action by default for new realms" (#26495 ) This reverts commit `7f195acc14`. Signed-off-by: rmartinc <rmartinc@redhat.com>	2024-01-25 12:28:16 +01:00
Stian Thorgersen	cbfdae5e75	Remove support for multiple AUTH_SESSION_ID cookies (#26462 ) Closes #26457 Signed-off-by: stianst <stianst@gmail.com>	2024-01-25 06:58:42 +01:00
rmartinc	7f195acc14	Enable verify profile required action by default for new realms Closes #25985 Signed-off-by: rmartinc <rmartinc@redhat.com>	2024-01-24 20:28:06 +01:00
Thomas Darimont	e7363905fa	Change password hashing defaults according to OWASP recommendations (#16629 ) Changes according to the latest [OWASP cheat sheet for secure Password Storage](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#pbkdf2): - Changed default password hashing algorithm from pbkdf2-sha256 to pbkdf2-sha512 - Increased number of hash iterations for pbkdf2-sha1 from 20.000 to 1.300.000 - Increased number of hash iterations for pbkdf2-sha256 from 27.500 to 600.000 - Increased number of hash iterations for pbkdf2-sha512 from 30.000 to 210.000 - Adapt PasswordHashingTest to new defaults - The test testBenchmarkPasswordHashingConfigurations can be used to compare the different hashing configurations. - Document changes in changes document with note on performance and how to keep the old behaviour. - Log a warning at the first time when Pbkdf2PasswordHashProviderFactory is used directly Fixes #16629 Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>	2024-01-24 18:35:51 +01:00
Florian Garcia	af0b9164e3	fix: hardcoded conditional rendering of client secret input field (#25776 ) Closes #22660 Signed-off-by: ImFlog <garcia.florian.perso@gmail.com> Co-authored-by: useresd <yousifmagdi@gmail.com>	2024-01-24 16:30:22 +01:00
Stian Thorgersen	85ddac26ed	Remove code that expires old cookie paths (#26444 ) Closes #26416 Signed-off-by: stianst <stianst@gmail.com>	2024-01-24 13:43:03 +01:00
Lex Cao	142c14138f	Add verify email required action for IdP email verification Closes #26418 Signed-off-by: Lex Cao <lexcao@foxmail.com>	2024-01-24 12:15:09 +01:00
Takashi Norimatsu	b99f45ed3d	Supporting EdDSA closes #15714 Signed-off-by: Takashi Norimatsu <takashi.norimatsu.ws@hitachi.com> Co-authored-by: Muhammad Zakwan Bin Mohd Zahid <muhammadzakwan.mohdzahid.fg@hitachi.com> Co-authored-by: rmartinc <rmartinc@redhat.com>	2024-01-24 12:10:41 +01:00
Martin Kanis	84603a9363	Map Store Removal: Rename Legacy* classes (#26273 ) Closes #24105 Signed-off-by: Martin Kanis <mkanis@redhat.com>	2024-01-23 13:50:31 +00:00
Peter Zaoral	d9f8a1bf4e	Testing Keycloak with nightly Quarkus releases (#23407 ) Closes #23322 Signed-off-by: Peter Zaoral <pzaoral@redhat.com>	2024-01-23 09:43:31 +01:00
Douglas Palmer	e7d842ea32	Invalidate session secretly Signed-off-by: Douglas Palmer <dpalmer@redhat.com>	2024-01-19 15:44:35 -03:00
Douglas Palmer	18d0105de0	Invalidate authentication session on repeated OTP failures Closes #26177 Signed-off-by: Douglas Palmer <dpalmer@redhat.com>	2024-01-19 15:44:35 -03:00
rmartinc	2f0a0b6ad8	Remove deprecated mode for saml encryption Closes #26291 Signed-off-by: rmartinc <rmartinc@redhat.com>	2024-01-18 16:52:10 +01:00
cgeorgilakis-grnet	ccade62289	Enhance error logs and error events during UserInfo endpoint and Token Introspection failure Closes #24344 Signed-off-by: cgeorgilakis-grnet <cgeorgilakis@admin.grnet.gr>	2024-01-16 11:26:29 +01:00
Alexander Schwartz	b9498b91cb	Deprecating the offline session preloading (#26160 ) Closes #25300 Signed-off-by: Alexander Schwartz <aschwart@redhat.com>	2024-01-16 09:29:01 +01:00
cgeorgilakis-grnet	a3257ce08f	OIDC Protocol Mappers with same claim Closes #25774 Signed-off-by: cgeorgilakis-grnet <cgeorgilakis@admin.grnet.gr>	2024-01-15 09:16:12 -03:00
rmartinc	e162974a8d	Integrate registration with terms and conditions required action Closes #25891 Signed-off-by: rmartinc <rmartinc@redhat.com>	2024-01-15 10:19:30 +01:00
Alexander Schwartz	a8eca6add0	Changing to the Infinispan BOM to avoid mis-aligned Infinispan dependencies (#26137 ) Closes #22922 Signed-off-by: Alexander Schwartz <aschwart@redhat.com> Signed-off-by: Pedro Ruivo <pruivo@redhat.com> Co-authored-by: Pedro Ruivo <pruivo@redhat.com>	2024-01-15 09:20:47 +01:00
MikeTangoEcho	c2b132171d	Add X509 thumbprint to JWT when using private_key_jwt Closes keycloak#12946 Signed-off-by: MikeTangoEcho <mathieu.thine@gmail.com>	2024-01-12 16:01:01 +01:00
Lex Cao	47f7e3e8f1	Use email verification instead of executing action for `send-verify-email` endpoint Closes #15190 Add support for `send-verify-email` endpoint to use the `email-verification.ftl` instead of `executeActions.ftl` Also introduce a new parameter `lifespan` to be able to override the default lifespan value (12 hours) Signed-off-by: Lex Cao <lexcao@foxmail.com>	2024-01-11 16:28:02 -03:00
Jon Koops	5eb7363ddd	Promote Account Console v3 to default and deprecate v2 (#25852 ) Closes #19663 Signed-off-by: Jon Koops <jonkoops@gmail.com> Co-authored-by: Martin Bartoš <mabartos@redhat.com>	2024-01-11 19:42:10 +01:00
mposolda	692aeee17d	Enable user profile by default closes #25151 Signed-off-by: mposolda <mposolda@gmail.com>	2024-01-11 12:48:44 -03:00
Patrick Hamann	d36913a240	Ensure protocol forced reauthentication is correctly mapped during SAML identity brokering Closes #25980 Signed-off-by: Patrick Hamann <patrick@fastly.com>	2024-01-10 20:46:35 +01:00
remi	b22efeec78	Add a toggle to use context attributes on the regex policy provider Signed-off-by: remi <remi.tuveri@gmail.com>	2024-01-10 16:15:25 -03:00
Réda Housni Alaoui	98230aa372	Add federated identity ProviderEvent(s) Signed-off-by: Réda Housni Alaoui <reda-alaoui@hey.com>	2024-01-10 11:56:38 -03:00
rmartinc	42f0488d76	Avoid returning duplicated users in LDAP and unsynced Closes #24141 Signed-off-by: rmartinc <rmartinc@redhat.com>	2024-01-10 12:47:15 +01:00
Réda Housni Alaoui	3c05c123ea	On invalid submission, IdpUsernamePasswordForm sends back the user to the standard UsernamePasswordForm template Signed-off-by: Réda Housni Alaoui <reda-alaoui@hey.com>	2024-01-09 16:04:52 -03:00
Alexander Schwartz	01939bcf34	Remove concurrent loading of remote sessions as at startup time only one node is up anyway. (#25709 ) Closes #22082 Signed-off-by: Alexander Schwartz <aschwart@redhat.com> Co-authored-by: Martin Kanis <martin-kanis@users.noreply.github.com>	2024-01-09 16:55:22 +01:00
Alexander Schwartz	03372d2f41	Fix OfflineServletAdapterTest failures, and improve logging (#25724 ) Closes #25714 Closes #14448 Signed-off-by: Alexander Schwartz <aschwart@redhat.com>	2024-01-09 14:59:20 +01:00
shigeyuki kabano	67e73d3d4e	Enhancing Lightweight access token M2(keycloak#25716) Closes keycloak#23724 Signed-off-by: shigeyuki kabano <shigeyuki.kabano.sj@hitachi.com>	2024-01-09 09:42:30 +01:00
Ricardo Martin	097d68c86b	Escape action in the form_post.jwt and only decode path in RedirectUtils (#93 ) (#25995 ) Closes #90 Signed-off-by: rmartinc <rmartinc@redhat.com>	2024-01-09 08:20:14 +01:00
Alexander Schwartz	0a16b64805	Stabilizing test cases by adding cleanups Closes #24651 Signed-off-by: Alexander Schwartz <aschwart@redhat.com>	2024-01-08 19:32:01 -03:00
Douglas Palmer	58d167fe59	Deleting a User or User Group might cause that all users suddenly get the permissions of the deleted user. Closes #24651 Signed-off-by: Douglas Palmer <dpalmer@redhat.com>	2024-01-08 19:32:01 -03:00
Steven Hawkins	d1d1d69840	fix: adds a general error message and descriptions for some exceptions (#25806 ) closes: #25746 Signed-off-by: Steve Hawkins <shawkins@redhat.com>	2024-01-08 18:19:40 +00:00
Felix Gustavsson	0f47071a29	Check if UMA is enabled on resource, if not reject the request. Closes #24422 Signed-off-by: Felix Gustavsson <felix.gustavsson@topgolf.com>	2024-01-08 11:28:57 -03:00
Tomas Ondrusko	e4fa5c034a	Update web element of the LinkedIn login page (#25905 ) Signed-off-by: Tomas Ondrusko <tondrusk@redhat.com>	2024-01-08 11:32:45 +01:00
Pedro Igor	d540584449	Using a valid URI when deleting cookies before/after running tests Closes #22691 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>	2024-01-05 15:13:12 -03:00
atharva kshirsagar	d7542c9344	Fix for empty realm name issue Throw ModelException if name is empty when creating/updating a realm Closes #17449 Signed-off-by: atharva kshirsagar <atharva4894@gmail.com> Signed-off-by: Alexander Schwartz <aschwart@redhat.com> Co-authored-by: Alexander Schwartz <aschwart@redhat.com>	2024-01-05 14:23:42 +01:00
Pedro Igor	8ff9e71eae	Do not allow verifying email from a different account Closes #14776 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>	2024-01-05 12:45:07 +01:00
Pedro Igor	f476a42d66	Fixing the registration_client_uri to point to a valid URI after updating a client Closes #23229 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>	2024-01-05 12:41:36 +01:00
Ben Cresitello-Dittmar	057d8a00ac	Implement Authentication Method Reference (AMR) claim from OIDC specification This implements a method for configuring authenticator reference values for Keycloak authenticator executions and a protocol mapper for populating the AMR claim in the resulting OIDC tokens. This implementation adds a default configuration item to each authenticator execution, allowing administrators to configure an authenticator reference value. Upon successful completion of an authenticator during an authentication flow, Keycloak tracks the execution ID in a user session note. The protocol mapper pulls the list of completed authenticators from the user session notes and loads the associated configurations for each authenticator execution. It then captures the list of authenticator references from these configs and sets it in the AMR claim of the resulting tokens. Closes #19190 Signed-off-by: Ben Cresitello-Dittmar <bcresitellodittmar@mitre.org>	2024-01-03 14:59:05 -03:00
Jon Koops	07f9ead128	Upgrade Welcome theme to PatternFly 5 Closes #21343 Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com> Signed-off-by: Jon Koops <jonkoops@gmail.com>	2024-01-03 14:46:01 -03:00
Steven Hawkins	667ce4be9e	enhance: supporting versioned features (#24811 ) also adding a common PropertyMapper validation method closes #24668 Co-authored-by: Václav Muzikář <vaclav@muzikari.cz> Co-authored-by: Martin Bartoš <mabartos@redhat.com>	2024-01-03 17:56:31 +01:00
Réda Housni Alaoui	5287500703	@NoCache is not considered anymore Signed-off-by: Réda Housni Alaoui <reda-alaoui@hey.com>	2024-01-02 09:06:55 -03:00
Alexander Schwartz	9e890264df	Adding a test case to check that the expiration time is set on logout tokens Closes #25753 Signed-off-by: Alexander Schwartz <aschwart@redhat.com>	2023-12-22 20:13:40 +01:00
Niko Köbler	5e623f42d4	add the exp claim to the backchannel logout token This is now, as of Dec 15th 2023, part of the OIDC Backchannel Logout spec, chapter 2.4. As of chapter 4, the logout token should have a short expiration time, preferably at most two minutes in the future. So we set the expiration to this time. resolves #25753 Signed-off-by: Niko Köbler <niko@n-k.de>	2023-12-22 20:13:40 +01:00
Pedro Igor	ceb085e7b8	Update the UPDATE_EMAIL feature to rely on the user profile configuration when rendering templates and validating the email Closes #25704 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>	2023-12-20 15:15:06 -03:00
rmartinc	c2e41b0eeb	Make Locale updater generate an event and use the user profile Closes #24369 Signed-off-by: rmartinc <rmartinc@redhat.com>	2023-12-20 15:26:45 +01:00
Daniel Fesenmeyer	baafb670f7	Bugfix for: Removing all group attributes no longer works with keycloak-admin-client (java) Closes #25677 Signed-off-by: Daniel Fesenmeyer <daniel.fesenmeyer@bosch.com>	2023-12-20 14:03:35 +01:00
Konstantinos Georgilakis	cf57af1d10	scope parameter in refresh flow Closes #12009 Signed-off-by: cgeorgilakis-grnet <cgeorgilakis@admin.grnet.gr>	2023-12-20 14:00:10 +01:00
mposolda	eb184a8554	More info on UserProfileContext closes #25691 Signed-off-by: mposolda <mposolda@gmail.com>	2023-12-19 13:00:31 -03:00
Pedro Igor	810ebf4efd	Migration steps for enabling user profile by default Closes #25528 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>	2023-12-19 10:19:45 -03:00
Joshua Sorah	d411eafc42	Ensure 'iss' is returned when 'prompt=none' and user is not authenticated, per RFC9207 Closes keycloak/keycloak#25584 Signed-off-by: Joshua Sorah <jsorah@redhat.com>	2023-12-19 10:38:05 +01:00
Ricardo Martin	2ba7a51da6	Escape action in the form_post response mode (#60 ) Closes keycloak/keycloak-private#31 Closes https://issues.redhat.com/browse/RHBK-652 Signed-off-by: rmartinc <rmartinc@redhat.com>	2023-12-18 18:10:41 -03:00
Konstantinos Georgilakis	ba8c22eaf0	Scope parameter in Oauth 2.0 token exchange Closes #21578 Signed-off-by: cgeorgilakis-grnet <cgeorgilakis@admin.grnet.gr>	2023-12-18 15:44:26 -03:00
Pedro Igor	778847a3ce	Updating theme templates to render user attributes based on the user profile configuration Closes #25149 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>	2023-12-18 15:35:52 -03:00
rmartinc	d841971ff4	Updating the UP configuration needs to trigger an admin event Close #23896 Signed-off-by: rmartinc <rmartinc@redhat.com>	2023-12-18 19:24:30 +01:00
Steven Hawkins	ec28b68554	fix: improve group matching (#25627 ) closes #25451 Signed-off-by: Steve Hawkins <shawkins@redhat.com>	2023-12-18 11:46:02 +01:00
mposolda	cd154cf318	User Profile: If required roles ('user') and reqired scopes are set, the required scopes have no effect closes #25475 Signed-off-by: mposolda <mposolda@gmail.com>	2023-12-18 11:32:27 +01:00
Takashi Norimatsu	59536becec	Client policies : executor for enforcing DPoP closes #25315 Signed-off-by: Takashi Norimatsu <takashi.norimatsu.ws@hitachi.com>	2023-12-18 10:45:18 +01:00
Joshua Sorah	a10149bbe9	For post logout redirect URI - Make '+' represent existing redirect URIs and merge with existing post logout redirect URIs Closes keycloak#25544 Signed-off-by: Joshua Sorah <jsorah@redhat.com>	2023-12-18 09:05:51 +01:00
Ricardo Martin	ae04b954a6	Fix for test SSSDUserProfileTest.test05MixedInternalDBUserProfile (#25570 ) Closes #25566 Signed-off-by: rmartinc <rmartinc@redhat.com>	2023-12-15 18:57:31 +00:00
Martin Bartoš	14fd61bacc	PubKeySignRegisterTest failures in WebAuthn tests Fixes #9693 Signed-off-by: Martin Bartoš <mabartos@redhat.com>	2023-12-15 14:52:05 +01:00
Erwin Rooijakkers	860978b15a	Change arg of getSubGroups to briefRepresentation Parameter name briefRepresentation should mean briefRepresentation, not full. This way callers will by default get the full representation, unless true is passed as value for briefRepresentation. Fixes #25096 Signed-off-by: Erwin Rooijakkers <erwin@rooijakkers.software>	2023-12-14 17:23:27 +01:00
Steven Hawkins	08751001db	enhance: adds truststores to the keycloak cr (#25215 ) also generally correcting the misspelling trustore closes: #24798 Signed-off-by: Steve Hawkins <shawkins@redhat.com>	2023-12-14 11:15:06 -03:00
mposolda	c81b533cf6	Update UserProfileProvider.setConfiguration. Tuning of UserProfileProvider.getConfiguration closes #25416 Signed-off-by: mposolda <mposolda@gmail.com>	2023-12-14 14:43:28 +01:00
Tomas Ondrusko	26342d829c	Update web elements of the Instagram login page Signed-off-by: Tomas Ondrusko <tondrusk@redhat.com>	2023-12-14 14:03:53 +01:00
rmartinc	c14bc6f2b0	Create terms and conditions execution when registration form is added Closes #21730 Signed-off-by: rmartinc <rmartinc@redhat.com>	2023-12-13 15:32:58 +01:00
Pedro Igor	fa79b686b6	Refactoring user profile interfaces and consolidating user representation for both admin and account context Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>	2023-12-13 08:27:55 +01:00
VR	1545b32a64	Revert changes related to map store in test classes in base testsuite Closes #24567 Signed-off-by: VR <vramik@redhat.com>	2023-12-12 16:16:38 +01:00
Thomas Darimont	0f5bbae75c	Add support for POST logout in Keycloak JS (#25348 ) Closes #25167 Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com> Co-authored-by: Jon Koops <jonkoops@gmail.com>	2023-12-11 14:55:48 +01:00
Pedro Igor	78ba7d4a38	Do not allow removing username and email from user profile configuration Closes #25147 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>	2023-12-11 08:30:28 +01:00
Ricardo Martin	f78c54fa42	Fixes for LDAP group membership and search in chunks Closes #23966	2023-12-08 17:55:17 +01:00
mposolda	90bf88c540	Introduce ProtocolMapper.getEffectiveModel to make sure values displayed in the admin console UI are 'effective' values used when processing mappers closes #24718 Signed-off-by: mposolda <mposolda@gmail.com> Co-authored-by: Jon Koops <jonkoops@gmail.com>	2023-12-08 12:26:35 +01:00
Lukas Hanusovsky	baf6186863	25208 MSSQL startup message - fix (#25378 ) Signed-off-by: Lukas Hanusovsky <lhanusov@redhat.com>	2023-12-07 16:27:16 +01:00
Vlasta Ramik	df465456b8	Map Store Removal: Remove `LockObjectsForModification` (#25323 ) Signed-off-by: vramik <vramik@redhat.com> Closes #24793	2023-12-07 12:43:43 +00:00
Pedro Igor	b1626172aa	Removing unnecessary property from auth-server-migration maven profile Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>	2023-12-06 15:35:29 -03:00
rmartinc	522e8d2887	Workaround to allow percent chars in getGroupByPath via PathSegment Closes #25111 Signed-off-by: rmartinc <rmartinc@redhat.com>	2023-12-06 14:22:34 -03:00
Peter Zaoral	340eb99412	Unable to use < as part of a password (admin-cli) (#24939 ) * escaped angle bracket characters in password Closes #21951 Signed-off-by: Peter Zaoral <pzaoral@redhat.com>	2023-12-06 17:27:44 +01:00
Pedro Igor	ab1173182c	Make sure realm is available from session when migrating to 23 Closes #25183 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>	2023-12-06 07:42:54 -03:00
rmartinc	d004e9295f	Do not allow remove a credential in account endpoint if provider marks it as not removable Closes #25220 Signed-off-by: rmartinc <rmartinc@redhat.com>	2023-12-05 17:11:57 +01:00
Vlasta Ramik	6f37fefd8d	Delete container providers from the base testsuite (#25168 ) Closes #24097 Signed-off-by: vramik <vramik@redhat.com>	2023-12-04 14:44:35 +01:00
Alfredo Moises Boullosa	0b48bef0b1	Update springboot version Signed-off-by: Alfredo Moises Boullosa <aboullos@redhat.com>	2023-12-04 11:15:51 +01:00
Michal Hajas	ec061e77ed	Remove GlobalLockProviderSpi (#25206 ) Closes #24103 Signed-off-by: Michal Hajas <mhajas@redhat.com>	2023-12-01 16:40:56 +00:00
rmartinc	31b7c9d2c3	Add UP decorator to SSSD provider Closes https://github.com/keycloak/keycloak/issues/25075 Signed-off-by: rmartinc <rmartinc@redhat.com>	2023-12-01 15:41:05 +01:00
mposolda	3fa2d155ca	Decouple factory methods from the provider methods on UserProfileProvider implementation closes #25146 Signed-off-by: mposolda <mposolda@gmail.com>	2023-12-01 10:30:57 -03:00
Pedro Igor	c5bcdbdc3f	Make sure username is lowercase when normalizing attributes Closes #25173 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>	2023-12-01 12:16:13 +01:00
Martin Kanis	4279bbc6b5	Map Store Removal: Delete map profiles from testsuite Closes #24094 Signed-off-by: Martin Kanis <mkanis@redhat.com>	2023-11-30 14:59:02 +01:00
vramik	587cef7de4	Delete `Profile.Feature.MAP_STORAGE` Signed-off-by: vramik <vramik@redhat.com> Closes #24102	2023-11-30 13:04:39 +01:00
Pedro Igor	c7f63d5843	Add options to change behavior on how unmanaged attributes are managed Closes #24934 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>	2023-11-30 06:58:21 -03:00
Steven Hawkins	8c3df19722	feature: add option for creating a global truststore (#24473 ) closes #24148 Co-authored-by: Václav Muzikář <vaclav@muzikari.cz> Co-authored-by: Martin Bartoš <mabartos@redhat.com>	2023-11-30 08:57:17 +01:00
Douglas Palmer	d0b86d2f64	Register event not triggered on external to internal token exchange Closes #9684 Signed-off-by: Douglas Palmer <dpalmer@redhat.com>	2023-11-29 15:30:47 -03:00
mposolda	479e6bc86b	Update Kerberos provider for user-profile closes #25074 Signed-off-by: mposolda <mposolda@gmail.com>	2023-11-29 15:21:26 -03:00
rmartinc	16afecd6b4	Allow automatic download of SAML certificates in the identity provider Closes https://github.com/keycloak/keycloak/issues/24424 Signed-off-by: rmartinc <rmartinc@redhat.com>	2023-11-29 18:03:31 +01:00
rmartinc	3bc028fe2d	Remove lowercase for the hostname as recommended/advised by OAuth spec Closes https://github.com/keycloak/keycloak/issues/25001 Signed-off-by: rmartinc <rmartinc@redhat.com>	2023-11-29 10:26:00 -03:00
Martin Bartoš	e71d850a03	Run SAML adapter tests with EAP 8 Closes #24168 Signed-off-by: Martin Bartoš <mabartos@redhat.com>	2023-11-28 14:07:44 +01:00
Pedro Igor	2c611cb8fc	User profile configuration scoped to user-federation provider closes #23878 Co-Authored-By: mposolda <mposolda@gmail.com> Signed-off-by: mposolda <mposolda@gmail.com>	2023-11-27 14:45:44 +01:00
Stian Thorgersen	a32b58d337	Escape ldap id when using normal attribute syntax (#25 ) (#25036 ) Closes https://github.com/keycloak/security/issues/46 Co-authored-by: Ricardo Martin <rmartinc@redhat.com>	2023-11-27 11:38:14 +01:00
Takashi Norimatsu	1f5ee9bf80	NPE in checkAndBindMtlsHoKToken on Token Refresh when using SuppressRefreshTokenRotationExecutor and Certificate Bound Token closes #25022 Signed-off-by: Takashi Norimatsu <takashi.norimatsu.ws@hitachi.com>	2023-11-27 08:49:48 +01:00
Thomas Darimont	8888e3d41c	Avoid deprecated API usage in testsuite/integration-arquillian/tests/base (#24904 ) - Removed unused imports - Avoided deprecated junit/hamcrest API - Avoid usage of JDK API scheduled for removal This should reduce the number of compiler warnings in the logs quite a bit closes #24995 Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>	2023-11-24 09:37:34 +01:00
Sebastian Schuster	030f42ec83	More efficient listing of assigned and available client role mappings Closes #23404 Signed-off-by: Sebastian Schuster <sebastian.schuster@bosch.io> Co-authored-by: Vlasta Ramik <vramik@users.noreply.github.com>	2023-11-22 14:10:11 +01:00
Thomas Darimont	cd1e0e06c6	Avoid deprecated API usage in testsuite/integration-arquillian/util (#24870 ) Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>	2023-11-21 12:45:58 +01:00
Martin Bartoš	87ed656685	Start of MS-SQL fails in CI Closes #24846 Signed-off-by: Martin Bartoš <mabartos@redhat.com>	2023-11-20 15:09:11 +01:00
Thomas Darimont	d30d692335	Introduce MaxAuthAge Password policy (#12943 ) This policy allows to specify the maximum age of an authentication with which a password may be changed without re-authentication. Defaults to 300 seconds (default taken from Constants.KC_ACTION_MAX_AGE) to remain backwards compatible. A value of 0 will always require reauthentication to update the password. Add documentation for MaxAuthAgePasswordPolicy to server_admin Fixes #12943 Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>	2023-11-20 14:48:17 +01:00
rmartinc	5fad76070a	Use LinkedIn instead of LinkedIn OpenID Connect for better UI experience Closes https://github.com/keycloak/keycloak/issues/24659 Signed-off-by: rmartinc <rmartinc@redhat.com>	2023-11-16 18:22:16 +01:00
Vlasta Ramik	d86e062a0e	Removal of retry blocks introduced for CRDB Closes #24095 Signed-off-by: vramik <vramik@redhat.com> Signed-off-by: Alexander Schwartz <aschwart@redhat.com> Co-authored-by: Alexander Schwartz <aschwart@redhat.com>	2023-11-16 13:50:56 +01:00
rmartinc	cca33baac3	Avoid NPE if RelayState is null and return a proper error Closes https://github.com/keycloak/keycloak/issues/24079 Signed-off-by: rmartinc <rmartinc@redhat.com>	2023-11-16 12:56:49 +01:00
rmartinc	e3b2eec1ba	Make user profile validation success if the attribute was already wrong and read-only in the context Closes https://github.com/keycloak/keycloak/issues/24697 Signed-off-by: rmartinc <rmartinc@redhat.com>	2023-11-14 03:07:00 -08:00
Erik Jan de Wit	89abc094d1	userprofile shared (#23600 ) * move account ui user profile to shared * use ui-shared on admin same error handling also introduce optional renderer for added component * move scroll form to ui-shared * merged with main * fix lock file * fixed merge error * fixed merge errors * fixed tests * moved user profile types to admin client * fixed more types * pr comments * fixed some types	2023-11-14 08:04:55 -03:00
Réda Housni Alaoui	3f014c7299	Cannot display 'Authentication Flows' screen when a realm contains more than ~4000 clients (#21058 ) closes #21010 Signed-off-by: Réda Housni Alaoui <reda-alaoui@hey.com>	2023-11-13 19:13:01 +01:00
vramik	71b6757c2f	Remove quarkus options related to map store Signed-off-by: vramik <vramik@redhat.com> Closes #24098	2023-11-13 12:34:52 +01:00
vramik	926be135e8	Remove map related modules Signed-off-by: vramik <vramik@redhat.com> Closes #24100	2023-11-13 12:34:52 +01:00
vramik	76affa45c6	Delete removed `spi-events-store-jpa-max-detail-length` property from keycloak.conf in testsuite Signed-off-by: vramik <vramik@redhat.com> Fixes #17258	2023-11-13 08:34:09 +01:00
Hynek Mlnařík	0ceaed0e2e	Transient users: Consents (#24496 ) closes #24494	2023-11-10 11:18:27 +01:00
rmartinc	6963364514	Keep same name on update for LDAP attributes Closes https://github.com/keycloak/keycloak/issues/23888	2023-11-09 23:54:45 +01:00
mposolda	64836680d7	Failing test X509OCSPResponderTest due expired certificate closes #24650 Signed-off-by: mposolda <mposolda@gmail.com>	2023-11-09 13:34:51 +01:00
Alexander Schwartz	26e2fde115	Avoid reseting cachemanger to null to avoid a re-initialization (#24086 ) Also follow best practices of using volatile variables for double-locking, and not using shutdown caches. Closes #24085	2023-11-08 11:33:44 -05:00
vramik	6fa26d7ff4	Delete map dependencies from dependency management Closes #24101	2023-11-08 13:53:17 +01:00
mposolda	7863c3e563	Moving UPConfig and related classes from keycloak-services closes #24535 Signed-off-by: mposolda <mposolda@gmail.com>	2023-11-07 12:41:29 +01:00
Peter Skopek	e5eded0eab	Add possibility to override fileName and base directory of Keycloak Quarkus distribution ZIP archive (#24284 ) Closes #24283 Signed-off-by: Peter Skopek <pskopek@redhat.com>	2023-11-07 10:31:58 +01:00
Joshua Sorah	7ca00975d4	Feature flag DPoP metadata in OIDC Well Known endpoint Closes keycloak/keycloak#24547 Signed-off-by: Joshua Sorah <jsorah@gmail.com>	2023-11-06 03:13:57 -08:00
vramik	593c14cd26	Data too long for column 'DETAILS_JSON' Closes #17258	2023-11-02 20:29:35 +01:00
Oliver	563ae104fd	[issue-14134] test partial import user with id Fix #14134	2023-11-02 05:56:12 -07:00
Martin Kanis	e05effe62d	Map Store Removal: Delete map profiles and scopes from model tests Closes #24093	2023-11-02 11:33:00 +01:00
Jon Koops	fe0a9459dd	Remove UTF-8 encoding header from property files (#24471 )	2023-11-01 16:03:26 -04:00
rmartinc	d7bb59461d	Escape $ sign when replacing clientId in the role mappers Closes https://github.com/keycloak/keycloak/issues/23692	2023-11-01 20:47:15 +01:00
Pedro Igor	be65ba8689	Make sure optional default attributes are removed when decorating the user-define user profile configuration Closes #24420	2023-11-01 14:54:09 +01:00
mposolda	0bd2b342d7	Update per review	2023-10-31 12:56:46 -07:00
mposolda	6f992915d7	Move some UserProfile and Validation classes into keycloak-server-spi closes #24387	2023-10-31 12:56:46 -07:00
Aboullos	75440abb5f	Fix compilation error on springboot (#24437 )	2023-10-31 19:29:05 +00:00
Justin Tay	3ff0476cc3	Allow customization of aud claim with JWT Authentication Closes #21445	2023-10-31 11:33:47 -07:00
rmartinc	1b630326b2	Fixes in LDAP tests when using AD Closing https://github.com/keycloak/keycloak/issues/24357	2023-10-31 13:34:37 +01:00
rmartinc	7deb4ca545	Group count and PartialExport permission fixes Closes https://github.com/keycloak/keycloak/issues/12171	2023-10-31 01:40:21 -07:00
Aboullos	c23e1e0e2b	Fix springboot tests (#24254 ) Co-authored-by: Michal Hajas <mhajas@redhat.com>	2023-10-31 09:06:09 +01:00
rmartinc	6484a3e705	Add userProfileEnabled attribute to realm response if admin can view users closes https://github.com/keycloak/keycloak/issues/19093	2023-10-30 07:39:03 -07:00
rmartinc	ea398c21da	Add a property to the User Profile Email Validator for max length of the local part Closes https://github.com/keycloak/keycloak/issues/24273	2023-10-27 15:09:42 +02:00
Alice	69497382d8	Group scalability upgrades (#22700 ) closes #22372 Co-authored-by: Erik Jan de Wit <erikjan.dewit@gmail.com> Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com> Co-authored-by: Michal Hajas <mhajas@redhat.com>	2023-10-26 16:50:45 +02:00
Thomas Darimont	d56baa80b3	Add support for passing acr_values in auth requests in keycloak.js (#9383 ) (#24259 ) Fixes #9383	2023-10-25 15:33:39 +02:00
Hynek Mlnarik	c036980c37	Add TRANSIENT_USERS feature flag	2023-10-25 12:02:35 +02:00
Hynek Mlnarik	d59ceb17e9	Add tests for offline access, introspection and userinfo endpoint	2023-10-25 12:02:35 +02:00
Hynek Mlnarik	d70735f64d	Tests Part-of: Add support for not importing brokered user into Keycloak database Closes: #11334	2023-10-25 12:02:35 +02:00
ggraziano	84112f57b5	Verification of iss at refresh token request Added iss checking using the existing TokenVerifier.RealmUrlCheck in the verifyRefreshToken method. Closes #22191	2023-10-24 23:42:11 +02:00
Marek Posolda	1bd6aca629	Remove RegistrationProfile class and handle migration (#24215 ) closes #24182 Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com>	2023-10-24 20:19:33 +02:00
Martin Kanis	10a2c96c72	Users in role Rest API returns empty when User federation used (#23318 ) * Users in role Rest API returns empty when User federation used Co-authored-by: Shankar Yadav <ET1024@neeyamoworks.com> Co-authored-by: Martin Kanis <mkanis@redhat.com> Co-authored-by: Michal Hajas <mhajas@redhat.com>	2023-10-24 11:10:20 -04:00
Martin Bartoš	9627187447	Adapter tests failing with Jakarta error (#24177 ) Fixes #24176	2023-10-24 10:11:48 -04:00
rmartinc	ad01ed1497	Do not reset the user profile configuration on disable Closes https://github.com/keycloak/keycloak/issues/23527	2023-10-24 03:05:34 -07:00
Thomas Darimont	e567210ed1	Add dedicated feature flag for oauth device grant flow (#23892 ) Closes #23891	2023-10-24 10:09:26 +02:00
Håvar Nøvik	bc55846809	Fixes a NullPointerException after import validation (#20151 ) * Fixes a NullPointerException after import validation If the import validation (when getting a user by email) returns null, indicating that the user entity should be removed from local storage, an email equality check results in a NullPointerException. This commit fixes this issue by explicitly checking for null. Closes #20150 --------- Co-authored-by: Michal Hajas <mhajas@redhat.com>	2023-10-23 17:19:25 -04:00
vramik	a0f04fa2be	Declarative User Profile export Closes #12062 Resolves #20885	2023-10-21 19:21:20 +02:00
Pedro Igor	e47389f199	Username now shown when creating a user and edit username is not allowed Closes #24183	2023-10-20 10:22:31 -07:00
Steven Hawkins	f4d1dd9b7f	improvement: validates the expected values of non-cli properties (#23797 ) also adds better messages for unknown options closes #13608	2023-10-20 17:21:03 +00:00
Pedro Igor	d4a5391013	Making sure public clients can RPT tokens Closes #14165	2023-10-20 17:53:10 +02:00
Pedro Igor	55a5a8c0eb	Ignore custom attributes when processing attributes in verify profile action Closes #24077	2023-10-20 17:51:40 +02:00
mposolda	c18e8ff535	User profile tweaks in registration forms closes #24024	2023-10-20 06:31:21 -07:00
kaustubh-rh	1ac2c0997d	Inconsistent handling of parenthesis in auth flow name (#24113 ) closes #16379	2023-10-20 10:00:46 +02:00
mposolda	04777299b0	After tab1 finish authentication, make sure that rootAuthenticationSession is expired shortly closes #23880	2023-10-19 19:23:50 +02:00
Vlasta Ramik	f6d582c761	Import migration step for kc22 Closes #24031 Co-authored-by: Alexander Schwartz <aschwart@redhat.com>	2023-10-19 09:00:49 +02:00
rmartinc	d10ccc7245	Use jdk LdapName and Rdn to parse inside LDAPDn and RDN and avoid string conversions Closes: https://github.com/keycloak/keycloak/issues/21797 Closes: https://github.com/keycloak/keycloak/issues/21818	2023-10-19 08:31:49 +02:00
Pedro Igor	e91a0afca2	The username in account is required and don't change when email as username is enabled Closes #23976	2023-10-17 16:43:44 -03:00
wojnarfilip	b5ec155b64	Fix issue with overlapping WebElements in SocialLoginTest#PaypalLogin Closes #23960	2023-10-17 16:59:09 +02:00
shigeyuki kabano	6112b25648	Enhancing Light Weight Token(#22148 ) Closes #21183	2023-10-17 13:12:36 +02:00
Alexander Schwartz	50916d58b1	Clean up created test user to avoid conflict with other tests Closes #23804	2023-10-16 19:10:52 +02:00
wojnarfilip	f9386bd62b	Update login flow in OCP social login	2023-10-16 10:45:38 -03:00
Pedro Igor	9c19a8972b	Removing the default cache metadata Closes #23910	2023-10-13 16:32:55 +02:00
Lex Cao	eedc4ceb18	Fix unexpected expiration when import offline client session Closes #23397	2023-10-13 15:45:07 +02:00
Moritz Becker	e9f08b6500	Do not return empty scope field in token introspection response Closes #16526	2023-10-13 08:36:12 +02:00
Steven Hawkins	478ceb0b34	modification of kc.sh to remove param eval (#22585 ) * test * modification of kc.sh to remove eval of env/args Closes #22337 --------- Co-authored-by: rmartinc <rmartinc@redhat.com>	2023-10-12 17:10:53 +02:00
Vojtěch Boček	8871983b33	Add support for single-tenant mode to Microsoft Identity Provider (#20699 ) * Add support for single-tenant mode to Microsoft Identity Provider Fixes #20695 Closes #11207 * Add SocialLoginTest for Microsoft single-tenant variant	2023-10-10 16:35:36 -04:00
Marek Posolda	a6609bd969	Remove "You are already logged in" during authentication. Make other browser tabs to authenticate automatically when some browser tab successfully authenticate (#23517 ) Closes #12406 Co-authored-by: Jon Koops <jonkoops@gmail.com>	2023-10-10 21:54:37 +02:00
Pedro Igor	7385ed56c7	Avoid creating the component when there is no component and configuration is not provided Closes #20970 Co-authored-by: Pedro Igor <psilva@redhat.com>	2023-10-10 13:28:48 +02:00
Tero Saarni	22d093f5c0	Fix multi-valued LDAP attribute support FullName LDAP storage mapper was delegating to single-valued setter even when multi-valued setter was called. Closes #22091 Signed-off-by: Tero Saarni <tero.saarni@est.tech>	2023-10-06 14:36:02 +00:00
mposolda	cdb61215c9	UserProfileContext.ACCOUNT_OLD seems to be obsolete and not needed closes #23749	2023-10-06 11:27:48 -03:00
Pedro Igor	290bee0787	Resolve several usability issues around User Profile (#23537 ) Closes #23507, #23584, #23740, #23774 Co-authored-by: Jon Koops <jonkoops@gmail.com>	2023-10-06 10:15:39 -03:00
rmartinc	890600c33c	Remove backward compatibility for ECDSA tokens Closes https://github.com/keycloak/keycloak/issues/23734	2023-10-06 14:24:48 +02:00
Martin Kanis	0853d484ec	Remove transaction in InfinispanSingleUseObjectProvider#remove (#23708 ) Co-authored-by: mposolda <mposolda@gmail.com>	2023-10-06 10:00:04 +02:00
Garth	2dfbbff343	added AccountResource SPI, Provider and ProviderFactory. (#22317 ) Added AccountResource SPI, Provider and ProviderFactory. updated AccountLoader to load provider(s) and check if it is compatible with the chosen theme.	2023-10-05 15:08:01 +02:00
vramik	7f2f4aae67	Upgrade liquibase version to avoid a bug where a changeset is executed twice Closes #23220	2023-10-05 13:35:05 +02:00
Tomas Ondrusko	58131f1dcc	Update the Instagram login process Signed-off-by: Tomas Ondrusko <tondrusk@redhat.com>	2023-10-05 09:33:05 +02:00
Steven Hawkins	9a93b9a273	allows csv output to handle missing requested fields (#23459 ) * allows csv output to handle missing requested fields Closes #12330 * fixes the handling of the content type also makes it more explicit the expectation of applying csv and return fields * fix: consolidating the logic dealing with the content-type Closes #23580	2023-10-04 15:49:19 +02:00
Dmitry Telegin	085d0d73c9	Fix nonce/scope typo	2023-10-02 22:36:51 +02:00
Tomas Ondrusko	fcb91a83ba	Ignore query parameters while testing the LinkedIn profile picture URL (#23557 ) Signed-off-by: Tomas Ondrusko <tondrusk@redhat.com>	2023-10-02 14:36:17 +02:00
Tomas Ondrusko	3d42573813	Update PayPal social login flow to use 127.0.0.1 instead of localhost (#23532 ) Signed-off-by: Tomas Ondrusko <tondrusk@redhat.com>	2023-09-28 09:34:45 +00:00
fwojnar	56082cdd2d	Fixes issue in login flow of SocialLoginTest#twitterLogin (#23122 ) Co-authored-by: wojnarfilip <fwojnar@redhat.com>	2023-09-28 10:21:59 +02:00
Lucas Hedding	de5aa2e74d	Add createTimestamp to REST service (#23293 ) Closes #14009	2023-09-27 13:38:16 +02:00
rmartinc	10c1e3ba6d	Client roles should be mapped to any claim name Closes https://github.com/keycloak/keycloak/issues/22349	2023-09-27 08:11:22 -03:00
rmartinc	d90640b5a3	Change email checkserveridentity prop as angus mail sets it to true by default Closes https://github.com/keycloak/keycloak/issues/22395	2023-09-26 09:11:16 +02:00
Maria Arias de Reyna	c15753266f	fix(Closes #21236 ): Adding client-id to logout event	2023-09-25 13:20:26 +02:00
Pedro Igor	741f76887c	Allow updating email when email as username is set and edit username disabed #23438	2023-09-25 08:19:01 -03:00
Michal Hajas	496c5ad989	Use new findGroupByPath implementation and remove the old one Closes #23344 Signed-off-by: Michal Hajas <mhajas@redhat.com>	2023-09-25 10:44:24 +02:00
Jon Koops	47d9ae71c4	Revert the new welcome screen experience (#23446 ) This reverts commit `bcab75a7ef`.	2023-09-21 16:03:00 +00:00
Justin Tay	7d3104ee76	Allow public clients to use PAR endpoint Closes #8939	2023-09-21 13:57:42 +02:00
rmartinc	7afd90982d	Align wildfly-core and wildfly version for tests Closes https://github.com/keycloak/keycloak/issues/23342	2023-09-21 10:53:57 +02:00
Michal Hajas	533f9e7093	Disable CockroachDB model tests since they are flaky (#23391 ) Closes #22645 Signed-off-by: Michal Hajas <mhajas@redhat.com>	2023-09-20 16:04:11 +00:00
Bernd Bohmann	bb2f59df87	Calling getTopLevelGroups is slow inside GroupLDAPStorageMapper#getLDAPGroupMappingsConverted (#8430 ) Closes #14820 --------- Co-authored-by: Michal Hajas <mhajas@redhat.com>	2023-09-20 17:20:43 +02:00
Jon Koops	e86bf1f0b2	Remove `P3P` header from authentication flow Closes #23348	2023-09-19 08:50:33 -03:00
rmartinc	743bb696d9	Allow duplicated keys in advanced claim mappers Closes https://github.com/keycloak/keycloak/issues/22638	2023-09-19 07:49:34 -03:00
wojnarfilip	5603ee7b46	Fixes login flow in Microsoft social login test Closes #22657	2023-09-18 14:21:41 +02:00
Pedro Igor	217a09ce46	Switch to Resteasy Reactive Closes #10713	2023-09-18 09:19:03 -03:00
Alexander Schwartz	798846df6f	Remove legacy code which isn't used anymore and was deprecated for some time (#23264 ) Closes #23263	2023-09-18 11:04:02 +02:00
paul	f684a70048	KEYCLOAK-15985 Add Brute Force Detection Lockout Event	2023-09-15 10:32:07 -03:00
Jon Koops	bcab75a7ef	Add new version of Welcome theme based on PatternFly 5 (#23008 )	2023-09-14 08:24:17 -04:00
Andreas Blaettlinger	86c0e338d9	Toggle visibility of password input fields in login-ftl-based pages Closes #22067	2023-09-14 08:04:35 -03:00
Pedro Igor	1442f14c45	Registration page not showing username when edit username is not enabled Closes #23185	2023-09-14 07:32:39 -03:00
Justin Tay	658c0ef19f	Send Client ID in token request with JWT Authentication Closes #21444	2023-09-14 10:57:32 +02:00
Pedro Igor	5958c7948d	Ignore attributes when they are not prefixed with user.attributes prefix (#23184 ) Co-authored-by: mposolda <mposolda@gmail.com> Co-authored-by: stianst <stianst@gmail.com>	2023-09-14 10:35:47 +02:00
Daniel Fesenmeyer	a68ad55a37	Support to define compatible mappers for (new) Identity Providers - Also allows to use existing mappers for custom Identity Providers without having to change those mappers Closes #21154	2023-09-13 17:19:06 -03:00
Jacek Kowalski	f5182deb30	Fix valid redirect URIs for built-in account-console client on realm rename (#20894 ) Closes #9541 Co-authored-by: Alexander Schwartz <aschwart@redhat.com>	2023-09-13 15:28:07 +02:00
Konstantinos Georgilakis	0044472f87	Add regex support in 'Condition - User attribute' execution Closes #265	2023-09-13 08:36:45 +02:00
rmartinc	48ab2b1688	FullNameLDAPStoreMapper removes values for other attributes Closes https://github.com/keycloak/keycloak/issues/22526	2023-09-13 08:11:32 +02:00
vramik	d34a371971	Enable ZeroDowntimeTest Closes #21825	2023-09-11 19:09:30 +02:00
Pedro Igor	04dd9afc5e	Do not store empty attributes when updating user profile Closes #22960	2023-09-11 07:47:31 -03:00
kaustubh-rh	62927433dc	Fix for Keycloak 22.0.1 unable to create user with long email address (#23109 ) Closes #22825	2023-09-11 08:56:13 +02:00
rmartinc	7da52a43bd	Add old LinkedIn provider to the deprecated profile Closes https://github.com/keycloak/keycloak/issues/23067	2023-09-08 10:05:17 +02:00
Marek Posolda	506e2537ac	Registration flow fixed (#23064 ) Closes #21514 Co-authored-by: Vilmos Nagy <vilmos.nagy@outlook.com> Co-authored-by: Alexander Schwartz <aschwart@redhat.com> Co-authored-by: Marek Posolda <mposolda@gmail.com>	2023-09-08 08:05:05 +02:00
Pedro Igor	bc31fde4c0	Broker claim mapper not recognizing claims from user info endpoint Closes #12137	2023-09-07 16:34:45 +02:00
Alexander Schwartz	2eb37dbe4f	Remove MS SQL JDBC driver from the Keycloak product Closes #22983	2023-09-07 15:30:34 +02:00
Peter Skopek	ef272f7668	SAML Adapter fix for EAP8 and WF29 Signed-off-by: Peter Skopek <pskopek@redhat.com>	2023-09-07 13:32:25 +02:00
Kaustubh B	5ee2ba9372	Added tests	2023-09-07 08:43:35 +02:00
Martin Bartoš	6ca78b7554	Return Oracle JDBC driver to the upstream Closes #22999	2023-09-06 19:11:29 +02:00
rmartinc	8887be7887	Add a new identity provider for LinkedIn based on OIDC Closes https://github.com/keycloak/keycloak/issues/22383	2023-09-06 16:13:31 +02:00
Pedro Igor	13e5a02b9f	Role mappers must return a single value when they are not multivalued Closes #20218	2023-08-31 19:16:12 +02:00
mposolda	57e51e9dd4	Use an original domain name of Kerberos Principal in UserModel attribute instead of configured value of Kerberos realm in User federation closes #20045	2023-08-30 13:24:48 +02:00
vramik	4cd34f8423	Update logging properties for showing SQL statements and JDBC parameters Closes #22815	2023-08-30 12:52:08 +02:00
Marek Posolda	6f989fc132	Fallback to next LDAP/Kerberos provider when not able to find authenticated Kerberos principal (#22531 ) closes #22352 #9422	2023-08-29 11:21:01 +00:00
Pedro Igor	ea3225a6e1	Decoupling legacy and dynamic user profiles and exposing metadata from admin api Closes #22532 Co-authored-by: Erik Jan de Wit <erikjan.dewit@gmail.com>	2023-08-29 08:14:47 -03:00
Pedro Igor	b779df6a55	Parsing response from user info rather than the access token Closes #22581	2023-08-29 12:23:56 +02:00
Tomas Ondrusko	e70ffd0105	Handle GitHub logout properly (#22463 ) Add profile info update to GitHub login test cases Closes #22461 Signed-off-by: Tomas Ondrusko <tondrusk@redhat.com>	2023-08-28 10:06:12 +02:00
Michal Hajas	94089bd492	Clean LDAP between test method executions Closes #22602 Signed-off-by: Michal Hajas <mhajas@redhat.com>	2023-08-23 04:15:32 -03:00
Martin Bartoš	fcf65389ea	Remove Oracle Database JDBC driver from the Keycloak distribution (#22577 ) * Remove Oracle Database JDBC driver from the Keycloak distribution Closes #22452 * Remove profile for proprietary Oracle JDBC driver --------- Co-authored-by: Alexander Schwartz <aschwart@redhat.com>	2023-08-21 15:13:49 +00:00
t0xicCode	822c13ff6f	Switch Trusted Host policy redirect verification to URI Switch parsing of the redirect URIs for the Trusted Host Client Registration Policy from URL to URI. The java URL class tries to instantiate a handler for the scheme, which fails when a "custom" scheme, such as those used in phone apps is used. In contrast, the URI class simply parses the string, ensuring the format is valid. The other URLs (baseUrl, rootUrl, adminUrl) are still parsed as URLs. See https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata for the Client Registration parameter documentation. Closes #22309	2023-08-14 10:20:23 +02:00
Pedro Igor	baac060eb1	Fixing how e-mail attribute permissions are set for both USER_API and ACCOUNT contexts Closes #21751	2023-08-11 13:32:16 +02:00
Erik Jan de Wit	874d2063b8	only add realm access to the current realm (#21554 ) fixes: #21553	2023-08-10 12:43:15 +02:00
wojnarfilip	6c070d587f	Closes #22282	2023-08-10 12:05:20 +02:00
Todor Staykovski	dffa7a31cb	Add subgroups sorting (#22295 ) * Review comments to add a test, update the API description and adjust the map storage. Closes #19348 Co-authored-by: Alexander Schwartz <aschwart@redhat.com>	2023-08-07 21:18:09 +02:00
Takashi Norimatsu	258711ef4f	DPoP verification in UserInfo endpoint closes #22215	2023-08-07 10:49:33 +02:00
Takashi Norimatsu	9d0960d405	Using DPoP token type in the access-token and as token_type in introspection response closes #21919	2023-08-07 10:40:18 +02:00
Alex Szczuczko	92bec0214f	Add -DdeployTestsuite profile to testsuite Closes #22258	2023-08-04 20:54:59 +02:00
Marek Posolda	4dc929abb3	Missing client_id validation match when authenticating client with JW… (#22178 ) Closes #22177	2023-08-03 11:47:55 +02:00
Takashi Norimatsu	ee998fee66	Add FAPI 2.0 security profile as default profile of client policies closes #21181	2023-08-03 09:26:16 +02:00
Ricardo Martin	a8bca522c1	Fix issue with access tokens claims not being imported using OIDC IDP Attribute Mappers (#21627 ) Closes #9004 Co-authored-by: Armel Soro <armel@rm3l.org>	2023-08-02 09:36:50 +02:00
Thomas Darimont	82269f789a	Avoid using deprecated junit APIs in tests - Replaced usage of Assert.assertThat with static import - Replaced static import org.junit.Assert.assertThat with org.hamcrest.MatcherAssert.assertThat Fixes: #22111	2023-08-01 11:44:25 +02:00
mposolda	6f6b5e8e84	Fix authenticatorConfig for javascript providers Closes #20005	2023-07-31 19:28:25 +02:00
Vlasta Ramik	29b67fc8df	Inconsistent Wildcard handling for JPA (#21671 ) * Inconsistent Wildcard handling for JPA Closes #20610 Co-authored-by: Alexander Schwartz <aschwart@redhat.com>	2023-07-27 17:03:22 +02:00
rmartinc	0a7fcf43fd	Initial pagination in the admin REST API for identity providers Closes https://github.com/keycloak/keycloak/issues/21073	2023-07-27 14:48:02 +02:00
Martin Bartoš	4b36da03db	Profile activation for WF app server doesn't properly work for Windows Fixes #21284	2023-07-27 12:09:00 +02:00
Takashi Norimatsu	9a921441cc	Adjustements to the behaviour of dpop_bound_access_tokens switch closes #21920	2023-07-27 11:30:01 +02:00
Takashi Norimatsu	6498b5baf3	DPoP: OIDC client registration support closes #21918	2023-07-26 13:00:35 +02:00
Ricardo Martin	ee35cfe478	Add logout other sessions checkbox to TOTP, webauthn and recovery authn codes setup pages (#21897 ) * Add logout other sessions checkbox to TOTP, webauthn, recovery authn codes setup pages and to update-email page Closes #10232	2023-07-26 11:34:19 +02:00
Marek Posolda	bb8ba1af5a	Fix script tests on windows (#21942 ) Closes #21778 #21779 #21780	2023-07-25 12:37:21 +00:00
Takashi Norimatsu	0ddef5dda8	DPoP support 1st phase (#21202 ) closes #21200 Co-authored-by: Dmitry Telegin <dmitryt@backbase.com> Co-authored-by: mposolda <mposolda@gmail.com>	2023-07-24 16:44:24 +02:00
Takashi Norimatsu	05b8b9ee51	Enhancing Pluggable Features of Token Manager closes #21182	2023-07-24 09:16:29 +02:00
Takashi Norimatsu	2efd79f982	FAPI 2.0 security profile - supporting RFC 9207 OAuth 2.0 Authorization Server Issuer Identification Closes #20584	2023-07-24 09:11:30 +02:00
Martin Kanis	6907134f17	Removing workaround for state transfer never completes Closes #21256	2023-07-21 18:21:00 +02:00
rmartinc	7336ff07ac	Check RDN attribute for DN membership Closes https://github.com/keycloak/keycloak/issues/20718	2023-07-21 11:13:45 +02:00
todor	897965f604	KEYCLOAK-20343 Add message bundle to export/import Closes #20343	2023-07-20 23:00:28 +02:00
Alexander Schwartz	7c9593f88a	Upgrade Infinispan to 14.0.13.Final (#21565 ) Closes #21564	2023-07-20 16:59:19 +00:00
Václav Muzikář	776bcbcbd4	Update bcpkix and bcprov dependencies (#21543 ) Closes #21360	2023-07-20 11:57:18 +02:00
vramik	13d412989c	Disable ZeroDowntimeTest Closes #21823	2023-07-19 20:35:08 +02:00
Lukas Hanusovsky	086b85fad4	[20455] Arquillian reflection bug -> using different setter to avoid overloading. (#21806 )	2023-07-19 14:43:36 +02:00
rmartinc	ed1934d73a	Ensure that the flow tested to be deleted is a built in flow Closes https://github.com/keycloak/keycloak/issues/20763	2023-07-19 08:56:32 +02:00
Pedro Igor	d2cdd78655	Add Java Distribution IT for Windows (#21675 ) Co-authored-by: Miquel Simon <msimonma@redhat.com>	2023-07-18 12:15:56 +02:00
mposolda	03716ed452	Keycloak forgets ui_locales parameter when using reset password closes #10981	2023-07-18 09:24:12 +02:00
Martin Kanis	67b20dfd9b	Introduce delay in SessionTimeoutsTest to allow xsite replication to finish Fixes #20983	2023-07-17 15:46:33 +02:00
rmartinc	630e3b2312	Revert emailVerified to false if email modified on force-sync non-trusted broker Closes https://github.com/keycloak/security/issues/48	2023-07-17 13:13:47 +02:00
Michal Hajas	07c27336aa	Check whether realm has store enabled for immediately sent events Closes #21698 Signed-off-by: Michal Hajas <mhajas@redhat.com>	2023-07-14 20:50:33 +02:00
Stian Thorgersen	5a411d8931	Allow setting context-path for KeycloakServer (#21590 ) Closes #21589	2023-07-11 14:24:07 +00:00
Martin Kanis	2bd7de6e8a	UserSessionConcurrencyTest#testConcurrentNotesChange fails intermittently Closes #21290	2023-07-11 13:12:38 +02:00
Pedro Igor	57423bca2b	Additional test for logout when using multiple tabs (#21518 ) Closes #21451	2023-07-11 11:22:20 +02:00
Pedro Igor	376d20c285	Remove user credentials from admin event representation (#21561 ) Closes #17470	2023-07-11 08:26:29 +02:00
rmartinc	13870f3a69	Improve error management in the github provider Closes https://github.com/keycloak/keycloak/issues/9429	2023-07-10 16:09:08 -03:00
Pedro Igor	94074f4a98	Remove unnecessary tests (#21551 ) Closes #21099	2023-07-10 13:36:21 +00:00
Daniele Martinoli	75741d17ab	Updated test case in RequiredActionResetPasswordTest	2023-07-10 08:31:47 -03:00
Patrick Jennings	399a23bd56	Find an appropriate key based on the given KID and JWA (#21160 ) * keycloak-20847 Find an appropriate key based on the given KID and JWA. Prefers matching on both inputs but will match on partials if found. Or return the first key if a match is not found. Mark Key as fallback if it is the singular client certificate to be used for signed JWT authentication. * Update js/apps/admin-ui/public/locales/en/clients.json Co-authored-by: Marek Posolda <mposolda@gmail.com> * Updating boolean variable name based on suggestions by Marek. * Adding integration test specifically for the JWT parameters for regression #20847. --------- Co-authored-by: Marek Posolda <mposolda@gmail.com>	2023-07-10 13:28:55 +02:00
Daniele Martinoli	7b8dcb42ea	Using "Account is disabled" message (and also added new test case)	2023-07-07 12:16:38 -03:00
Daniele Martinoli	2a95e2c245	updated failed login test case with new error message	2023-07-07 09:00:51 -03:00
Daniele Martinoli	44570d12ee	fixed error in IdentityProviderTest	2023-07-07 08:59:36 -03:00
Daniele Martinoli	83d88f6bb5	added Hardcoded Group mapper to IDP configuration	2023-07-07 08:59:36 -03:00
A. Tammy	497d08af1c	make cli usable on OpenBSD (#16462 ) Signed-off-by: Aisha Tammy <aisha@bsd.ac> Co-authored-by: Aisha Tammy <aisha@bsd.ac>	2023-07-07 08:58:41 +02:00
Peter Zaoral	2b1c29a6f2	Use Quarkus Platform BOM Closes #20570 Closes #15870 Co-authored-by: Peter Zaoral <pzaoral@redhat.com>	2023-07-06 12:45:48 -03:00

... 7 8 9 10 11 ...

6967 commits