mposolda
c18e8ff535
User profile tweaks in registration forms
closes #24024
2023-10-20 06:31:21 -07:00
kaustubh-rh
1ac2c0997d
Inconsistent handling of parenthesis in auth flow name (#24113)
closes #16379
2023-10-20 10:00:46 +02:00
mposolda
04777299b0
After tab1 finishes authentication, make sure that rootAuthenticationSession is expired shortly
closes #23880
2023-10-19 19:23:50 +02:00
Andrew
77c3e7190c
updates to method contracts and code impl to be more specific about providerAlias (#24070)
closes #24072
2023-10-18 08:33:06 +02:00
Pedro Igor
e91a0afca2
The username in account is required and doesn't change when email as username is enabled
Closes #23976
2023-10-17 16:43:44 -03:00
shigeyuki kabano
6112b25648
Enhancing Light Weight Token (#22148)
Closes #21183
2023-10-17 13:12:36 +02:00
Pedro Igor
9c19a8972b
Removing the default cache metadata
Closes #23910
2023-10-13 16:32:55 +02:00
Charley Wu
31759f9c37
WebAuthn support for native applications. Support custom FIDO2 origin validation (#23156)
Closes #23155
2023-10-13 15:25:10 +02:00
Moritz Becker
e9f08b6500
Do not return empty scope field in token introspection response
Closes #16526
2023-10-13 08:36:12 +02:00
duckboy81
197b39492e
Update TokenManager.java
Fixed minor spelling typos
2023-10-12 14:56:24 +02:00
ici-dev-gb
32b373f05f
Don't use top-level await for storage access checks (#23793)
Closes #23743
2023-10-12 09:28:01 +00:00
Vojtěch Boček
8871983b33
Add support for single-tenant mode to Microsoft Identity Provider (#20699)
* Add support for single-tenant mode to Microsoft Identity Provider
Fixes #20695
Closes #11207
* Add SocialLoginTest for Microsoft single-tenant variant
2023-10-10 16:35:36 -04:00
Marek Posolda
a6609bd969
Remove "You are already logged in" during authentication. Make other browser tabs authenticate automatically when some browser tab successfully authenticates (#23517)
Closes #12406
Co-authored-by: Jon Koops <jonkoops@gmail.com>
2023-10-10 21:54:37 +02:00
Pedro Igor
7385ed56c7
Avoid creating the component when there is no component and configuration is not provided
Closes #20970
Co-authored-by: Pedro Igor <psilva@redhat.com>
2023-10-10 13:28:48 +02:00
Daniel Fesenmeyer
dd37e02140
Improve logging in case of OIDC Identity provider errors:
- log the full Redirection URL, when it contains an error parameter, or does not contain the state or code parameter
- log the token endpoint URL (without - possibly confidential - params) and the response body, when the token endpoint does not return a success response
Closes #23690
2023-10-06 19:03:41 +02:00
mposolda
cdb61215c9
UserProfileContext.ACCOUNT_OLD seems to be obsolete and not needed
closes #23749
2023-10-06 11:27:48 -03:00
Pedro Igor
290bee0787
Resolve several usability issues around User Profile (#23537)
Closes #23507, #23584, #23740, #23774
Co-authored-by: Jon Koops <jonkoops@gmail.com>
2023-10-06 10:15:39 -03:00
rmartinc
890600c33c
Remove backward compatibility for ECDSA tokens
Closes https://github.com/keycloak/keycloak/issues/23734
2023-10-06 14:24:48 +02:00
Garth
2dfbbff343
added AccountResource SPI, Provider and ProviderFactory. (#22317)
Added AccountResource SPI, Provider and ProviderFactory. updated AccountLoader to load provider(s) and check if it is compatible with the chosen theme.
2023-10-05 15:08:01 +02:00
Justin Tay
55751a0830
Fix client assertion with invalid ES256, ES384, ES512 signatures
Closes #23721
2023-10-05 13:07:52 +02:00
Steve Hawkins
fb69936f14
Aligns the logic in the welcome resources
as a result the quarkus one can be removed
closes keycloak#23243
2023-09-28 19:33:12 -03:00
Jon Koops
1b6cb7b2a9
Always check storage access before placing test cookie (#23393)
2023-09-27 13:38:53 +02:00
Lucas Hedding
de5aa2e74d
Add createTimestamp to REST service (#23293)
Closes #14009
2023-09-27 13:38:16 +02:00
rmartinc
10c1e3ba6d
Client roles should be mapped to any claim name
Closes https://github.com/keycloak/keycloak/issues/22349
2023-09-27 08:11:22 -03:00
rmartinc
d90640b5a3
Change email checkserveridentity prop as angus mail sets it to true by default
Closes https://github.com/keycloak/keycloak/issues/22395
2023-09-26 09:11:16 +02:00
Maria Arias de Reyna
c15753266f
fix (Closes #21236): Adding client-id to logout event
2023-09-25 13:20:26 +02:00
Pedro Igor
741f76887c
Allow updating email when email as username is set and edit username disabled
#23438
2023-09-25 08:19:01 -03:00
Michal Hajas
496c5ad989
Use new findGroupByPath implementation and remove the old one
Closes #23344
Signed-off-by: Michal Hajas <mhajas@redhat.com>
2023-09-25 10:44:24 +02:00
Justin Tay
7d3104ee76
Allow public clients to use PAR endpoint
Closes #8939
2023-09-21 13:57:42 +02:00
rmartinc
082b0ed308
verifyRedirectUri should return null when the passed redirectUri is invalid
Closes https://github.com/keycloak/keycloak/issues/22778
2023-09-21 08:19:00 +02:00
rmartinc
f8a9e0134a
Ensure that the EncryptedKey is passed to the DecryptionKeyLocator for SAML
Closes https://github.com/keycloak/keycloak/issues/22974
2023-09-20 15:09:18 +02:00
Jon Koops
e86bf1f0b2
Remove P3P header from authentication flow
Closes #23348
2023-09-19 08:50:33 -03:00
rmartinc
743bb696d9
Allow duplicated keys in advanced claim mappers
Closes https://github.com/keycloak/keycloak/issues/22638
2023-09-19 07:49:34 -03:00
Pedro Igor
217a09ce46
Switch to Resteasy Reactive
Closes #10713
2023-09-18 09:19:03 -03:00
Thomas Darimont
04d16ed170
Prevent NPE in AuthenticationManager.backchannelLogout (#23306)
Previously, if the user was already removed from the userSession
and the log level was set to DEBUG, then an NPE was triggered by
the debug log statement during backchannelLogout.
Fixes #23306
2023-09-18 08:16:51 +02:00
paul
f684a70048
KEYCLOAK-15985 Add Brute Force Detection Lockout Event
2023-09-15 10:32:07 -03:00
Pedro Igor
1442f14c45
Registration page not showing username when edit username is not enabled
Closes #23185
2023-09-14 07:32:39 -03:00
Justin Tay
658c0ef19f
Send Client ID in token request with JWT Authentication
Closes #21444
2023-09-14 10:57:32 +02:00
Pedro Igor
5958c7948d
Ignore attributes when they are not prefixed with user.attributes prefix (#23184)
Co-authored-by: mposolda <mposolda@gmail.com>
Co-authored-by: stianst <stianst@gmail.com>
2023-09-14 10:35:47 +02:00
Daniel Fesenmeyer
a68ad55a37
Support to define compatible mappers for (new) Identity Providers
- Also allows to use existing mappers for custom Identity Providers without having to change those mappers
Closes #21154
2023-09-13 17:19:06 -03:00
Konstantinos Georgilakis
0044472f87
Add regex support in 'Condition - User attribute' execution
Closes #265
2023-09-13 08:36:45 +02:00
Erik Jan de Wit
0789d3c1cc
better features overview (#22641)
Closes #17733
2023-09-12 16:03:13 +02:00
Thomas Darimont
3908537254
Show expiration date for certificates in Admin Console (#23025)
Closes #17743
2023-09-12 07:56:09 -04:00
Marek Posolda
56b94148a0
Remove bearer-only occurrences in the documentation when possible. Mak… (#23148)
closes #23066
Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com>
2023-09-12 09:38:19 +02:00
Erik Jan de Wit
c7dcef7af8
fixed permissions for locale fetch (#23078)
fixes: #23065
2023-09-11 15:00:40 -04:00
Adeel Ahmad
4f90124612
Print 'key' in ReadOnlyAttributeUnchangedValidator failure log message
This change is quite useful for debugging and helps identify which specific attribute makes the update fail. Currently, the full pattern is printed which consists of multiple attributes.
2023-09-11 10:45:08 -03:00
kaustubh-rh
62927433dc
Fix for Keycloak 22.0.1 unable to create user with long email address (#23109)
Closes #22825
2023-09-11 08:56:13 +02:00
rmartinc
7da52a43bd
Add old LinkedIn provider to the deprecated profile
Closes https://github.com/keycloak/keycloak/issues/23067
2023-09-08 10:05:17 +02:00
Marek Posolda
506e2537ac
Registration flow fixed (#23064)
Closes #21514
Co-authored-by: Vilmos Nagy <vilmos.nagy@outlook.com>
Co-authored-by: Alexander Schwartz <aschwart@redhat.com>
Co-authored-by: Marek Posolda <mposolda@gmail.com>
2023-09-08 08:05:05 +02:00
Pedro Igor
bc31fde4c0
Broker claim mapper not recognizing claims from user info endpoint
Closes #12137
2023-09-07 16:34:45 +02:00
stianst
211c027adb
Remove use of Guava in services
Closes #23009
2023-09-07 08:59:02 +02:00
Kaustubh B
5ee2ba9372
Added tests
2023-09-07 08:43:35 +02:00
Kaustubh B
c57e775102
Fixed Regex
2023-09-07 08:43:35 +02:00
rmartinc
8887be7887
Add a new identity provider for LinkedIn based on OIDC
Closes https://github.com/keycloak/keycloak/issues/22383
2023-09-06 16:13:31 +02:00
Pedro Igor
13e5a02b9f
Role mappers must return a single value when they are not multivalued
Closes #20218
2023-08-31 19:16:12 +02:00
Pedro Igor
ea3225a6e1
Decoupling legacy and dynamic user profiles and exposing metadata from admin api
Closes #22532
Co-authored-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
2023-08-29 08:14:47 -03:00
Pedro Igor
b779df6a55
Parsing response from user info rather than the access token
Closes #22581
2023-08-29 12:23:56 +02:00
rmartinc
b67ede2a30
RedirectUtils needs to use KeycloakUriBuilder with no parameter parsing
Closes https://github.com/keycloak/keycloak/issues/22424
2023-08-17 09:11:08 +02:00
Erik Jan de Wit
b4650b7742
use logged in realm as default (#22460)
2023-08-16 14:29:07 -04:00
t0xicCode
822c13ff6f
Switch Trusted Host policy redirect verification to URI
Switch parsing of the redirect URIs for the Trusted Host Client Registration Policy from URL to URI.
The java URL class tries to instantiate a handler for the scheme, which fails when a "custom" scheme, such as those used in phone apps is used.
In contrast, the URI class simply parses the string, ensuring the format is valid.
The other URLs (baseUrl, rootUrl, adminUrl) are still parsed as URLs.
See https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata for the Client Registration parameter documentation.
Closes #22309
2023-08-14 10:20:23 +02:00
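Added example (not Keycloak's own code) illustrating the difference the commit above relies on: java.net.URL needs a protocol handler for the scheme, so a mobile-app scheme such as myapp:// fails to parse, whereas java.net.URI only checks syntax. It also shows a host check in the style of a trusted-host policy; the TRUSTED_HOSTS list, class and method names are assumptions for this illustration.

```java
import java.net.MalformedURLException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URL;
import java.util.List;

public class RedirectUriHostCheck {

    // Hypothetical trusted hosts; a real policy reads these from its configuration.
    static final List<String> TRUSTED_HOSTS = List.of("app.example.com", "localhost");

    /** java.net.URL: instantiates a handler for the scheme, so custom schemes fail ("unknown protocol"). */
    static boolean parsesAsUrl(String s) {
        try {
            new URL(s);
            return true;
        } catch (MalformedURLException e) {
            return false;
        }
    }

    /** java.net.URI: pure RFC 3986 syntax check, any scheme accepted, illegal characters rejected. */
    static boolean parsesAsUri(String s) {
        try {
            new URI(s);
            return true;
        } catch (URISyntaxException e) {
            return false;
        }
    }

    /**
     * Trusted-host style check on a redirect URI parsed as a URI. A URI with no parseable host
     * (for example "myapp:/callback" or a registry-based authority) yields null and is rejected,
     * which is the safe direction for a redirect target.
     */
    static boolean hostIsTrusted(String redirectUri) {
        URI uri;
        try {
            uri = new URI(redirectUri);
        } catch (URISyntaxException e) {
            return false;
        }
        String host = uri.getHost();
        return host != null && TRUSTED_HOSTS.contains(host.toLowerCase());
    }

    public static void main(String[] args) {
        // Constructed sample redirect URIs: https, a custom mobile scheme, an untrusted host, and bad syntax.
        String[] samples = {
            "https://app.example.com/callback",
            "myapp://app.example.com/callback",
            "myapp://evil.example.net/callback",
            "https://app.example.com/call back"
        };
        for (String s : samples) {
            System.out.printf("%-38s URL=%-5s URI=%-5s trusted=%s%n",
                    s, parsesAsUrl(s), parsesAsUri(s), hostIsTrusted(s));
        }
    }
}
```

Running it shows the two parsers disagreeing in both directions: the myapp:// URIs fail with URL but parse with URI, while the URI containing a space is accepted by URL (which does not validate the path) and rejected by URI. The host check then admits only the custom-scheme URI whose host is on the list.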
Pedro Igor
baac060eb1
Fixing how e-mail attribute permissions are set for both USER_API and ACCOUNT contexts
Closes #21751
2023-08-11 13:32:16 +02:00
Erik Jan de Wit
874d2063b8
only add realm access to the current realm (#21554)
fixes: #21553
2023-08-10 12:43:15 +02:00
Takashi Norimatsu
258711ef4f
DPoP verification in UserInfo endpoint
closes #22215
2023-08-07 10:49:33 +02:00
Takashi Norimatsu
9d0960d405
Using DPoP token type in the access-token and as token_type in introspection response
closes #21919
2023-08-07 10:40:18 +02:00
Erik Jan de Wit
339619816a
lazy populate the treeview for groups (#21520)
* added lazy parameter
fixes: #19954
* changed to only have the parameter
* fixed merge errors
* removed the `lazy` and now add subgroups on select
* lint
* fixed prettier
* fixed nullpointer
* fixed member tab
2023-08-04 20:19:34 +00:00
Rishabh Dixit
d73298aab6
Add getStatus() to response obj
Closes #22241
2023-08-04 18:43:50 +02:00
Marek Posolda
4dc929abb3
Missing client_id validation match when authenticating client with JW… (#22178)
Closes #22177
2023-08-03 11:47:55 +02:00
Takashi Norimatsu
ee998fee66
Add FAPI 2.0 security profile as default profile of client policies
closes #21181
2023-08-03 09:26:16 +02:00
Ricardo Martin
a8bca522c1
Fix issue with access tokens claims not being imported using OIDC IDP Attribute Mappers (#21627)
Closes #9004
Co-authored-by: Armel Soro <armel@rm3l.org>
2023-08-02 09:36:50 +02:00
Thomas Darimont
82269f789a
Avoid using deprecated junit APIs in tests
- Replaced usage of Assert.assertThat with static import
- Replaced static import org.junit.Assert.assertThat with org.hamcrest.MatcherAssert.assertThat
Fixes: #22111
2023-08-01 11:44:25 +02:00
Alexander Schwartz
748c53df7f
Use Java mechanisms to read language files and default to UTF-8 (#21755)
Closes #21753
2023-08-01 11:27:10 +02:00
mposolda
6f6b5e8e84
Fix authenticatorConfig for javascript providers
Closes #20005
2023-07-31 19:28:25 +02:00
rmartinc
0a7fcf43fd
Initial pagination in the admin REST API for identity providers
Closes https://github.com/keycloak/keycloak/issues/21073
2023-07-27 14:48:02 +02:00
Takashi Norimatsu
9a921441cc
Adjustments to the behaviour of dpop_bound_access_tokens switch
closes #21920
2023-07-27 11:30:01 +02:00
Alexander Schwartz
1ec8d3a9a4
Convert LinkExpirationFormatterMethod to Java's ChoiceFormat pattern
Closes #21887
2023-07-27 10:30:37 +02:00
Takashi Norimatsu
6498b5baf3
DPoP: OIDC client registration support
closes #21918
2023-07-26 13:00:35 +02:00
Ricardo Martin
ee35cfe478
Add logout other sessions checkbox to TOTP, webauthn and recovery authn codes setup pages (#21897)
* Add logout other sessions checkbox to TOTP, webauthn, recovery authn codes setup pages and to update-email page
Closes #10232
2023-07-26 11:34:19 +02:00
Hunor Kovács
5eb505aba5
Handle error when Microsoft Graph API /me returns not successful (#21696)
* Response from Microsoft Graph API /me can be an error too. So if that happens, throw an exception instead of trying to extract the user id.
* Update services/src/main/java/org/keycloak/social/microsoft/MicrosoftIdentityProvider.java
Co-authored-by: Ondra Pelech <ondra.pelech@gmail.com>
---------
Co-authored-by: Ondra Pelech <ondra.pelech@gmail.com>
2023-07-26 07:22:52 +00:00
Takashi Norimatsu
0ddef5dda8
DPoP support 1st phase (#21202)
closes #21200
Co-authored-by: Dmitry Telegin <dmitryt@backbase.com>
Co-authored-by: mposolda <mposolda@gmail.com>
2023-07-24 16:44:24 +02:00
Takashi Norimatsu
05b8b9ee51
Enhancing Pluggable Features of Token Manager
closes #21182
2023-07-24 09:16:29 +02:00
Takashi Norimatsu
2efd79f982
FAPI 2.0 security profile - supporting RFC 9207 OAuth 2.0 Authorization Server Issuer Identification
Closes #20584
2023-07-24 09:11:30 +02:00
ali_dandach
ef19e08814
Fix String comparison (#21752)
Closes #21773
2023-07-21 10:37:24 +02:00
mposolda
03716ed452
Keycloak forgets ui_locales parameter when using reset password
closes #10981
2023-07-18 09:24:12 +02:00
rmartinc
630e3b2312
Revert emailVerified to false if email modified on force-sync non-trusted broker
Closes https://github.com/keycloak/security/issues/48
2023-07-17 13:13:47 +02:00
vramik
47eeece827
Update javadoc for user search in UserResource
Closes #21053
2023-07-11 11:14:29 +02:00
Pedro Igor
376d20c285
Remove user credentials from admin event representation (#21561)
Closes #17470
2023-07-11 08:26:29 +02:00
rmartinc
13870f3a69
Improve error management in the github provider
Closes https://github.com/keycloak/keycloak/issues/9429
2023-07-10 16:09:08 -03:00
Václav Muzikář
97a37f565e
Align guava dependency with the Quarkus Platform BOM (#21544)
Closes #21364
2023-07-10 16:13:13 +02:00
Daniele Martinoli
1644432df3
Reviewed solution as per reviewer's comments
2023-07-10 08:31:47 -03:00
Daniele Martinoli
d148a789f7
added clientNote to show the sign out option
2023-07-10 08:31:47 -03:00
Patrick Jennings
399a23bd56
Find an appropriate key based on the given KID and JWA (#21160)
* keycloak-20847 Find an appropriate key based on the given KID and JWA. Prefers matching on both inputs but will match on partials if found. Or return the first key if a match is not found.
Mark Key as fallback if it is the singular client certificate to be used for signed JWT authentication.
* Update js/apps/admin-ui/public/locales/en/clients.json
Co-authored-by: Marek Posolda <mposolda@gmail.com>
* Updating boolean variable name based on suggestions by Marek.
* Adding integration test specifically for the JWT parameters for regression #20847 .
---------
Co-authored-by: Marek Posolda <mposolda@gmail.com>
2023-07-10 13:28:55 +02:00
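Added example (not Keycloak's own code) of the selection order the commit above describes for signed-JWT client authentication: prefer a key matching both the JWT header's kid and alg, fall back to a partial match, and otherwise use the singular key flagged as the client's fallback certificate. The ClientKey record and the key set are constructed for this illustration.

```java
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.function.Predicate;

public class ClientKeySelector {

    /** Hypothetical stand-in for a client's registered verification key (not Keycloak's KeyWrapper). */
    record ClientKey(String kid, String alg, boolean fallback) {}

    /**
     * Choose the key to verify a client assertion whose header carries kid and alg.
     * Order: exact kid+alg match, then kid only, then alg only, then the single key marked as
     * fallback. Empty means no usable key: the assertion must be rejected, not tried against guesses.
     */
    static Optional<ClientKey> select(List<ClientKey> keys, String kid, String alg) {
        Optional<ClientKey> hit = find(keys, k -> Objects.equals(k.kid(), kid) && Objects.equals(k.alg(), alg));
        if (hit.isEmpty() && kid != null) hit = find(keys, k -> kid.equals(k.kid()));
        if (hit.isEmpty() && alg != null) hit = find(keys, k -> alg.equals(k.alg()));
        if (hit.isEmpty()) {
            List<ClientKey> fallbacks = keys.stream().filter(ClientKey::fallback).toList();
            if (fallbacks.size() == 1) hit = Optional.of(fallbacks.get(0)); // only a singular fallback counts
        }
        return hit;
    }

    private static Optional<ClientKey> find(List<ClientKey> keys, Predicate<ClientKey> p) {
        return keys.stream().filter(p).findFirst();
    }

    static void print(List<ClientKey> keys, String kid, String alg) {
        System.out.printf("kid=%-9s alg=%-6s -> %s%n", kid, alg,
                select(keys, kid, alg).map(ClientKey::kid).orElse("REJECT (no usable key)"));
    }

    public static void main(String[] args) {
        // Constructed key set: two rotated RS256 keys (the older one flagged as fallback) and one ES256 key.
        List<ClientKey> keys = List.of(
                new ClientKey("rsa-2023", "RS256", true),
                new ClientKey("rsa-2024", "RS256", false),
                new ClientKey("ec-1", "ES256", false));
        print(keys, "rsa-2024", "RS256"); // exact match on both
        print(keys, "rsa-2024", "PS256"); // kid matches, alg does not: kid wins
        print(keys, "unknown", "ES256");  // unknown kid: partial match on alg
        print(keys, null, null);          // header carries neither: singular fallback key

        // With several keys and none flagged as fallback there is nothing safe to pick.
        List<ClientKey> noFallback = List.of(
                new ClientKey("a", "RS256", false),
                new ClientKey("b", "RS256", false));
        print(noFallback, "zzz", "HS256");
    }
}
```

The partial matches make key rotation tolerant of stale headers, but they also mean the chosen key may not agree with the header's alg. The signature verifier must still enforce that the key's type matches the algorithm family it is asked to verify (an RSA key cannot verify ES256, and a public key must never be fed to an HMAC algorithm), otherwise the lenient lookup turns into an algorithm-confusion hole.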
Daniele Martinoli
817f129484
fix: closes #21095 (#21289)
* fix: closes #21095
* Added overloaded version of GroupUtils.toGroupHierarchy with additional full parameter.
2023-07-10 12:13:26 +02:00
Daniele Martinoli
7b8dcb42ea
Using "Account is disabled" message (and also added new test case)
2023-07-07 12:16:38 -03:00
Daniele Martinoli
13e2075ceb
Applying reviewer comments
2023-07-07 09:00:51 -03:00
Daniele Martinoli
e6d7749cbf
fix for 21476
2023-07-07 09:00:51 -03:00
Daniele Martinoli
b458356aa9
integrated reviewer comments
2023-07-07 08:59:36 -03:00
Daniele Martinoli
c9a226e220
Update services/src/main/java/org/keycloak/broker/provider/HardcodedGroupMapper.java
Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com>
2023-07-07 08:59:36 -03:00
Daniele Martinoli
96f09fcd90
Update services/src/main/java/org/keycloak/broker/provider/HardcodedGroupMapper.java
Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com>
2023-07-07 08:59:36 -03:00
Daniele Martinoli
83d88f6bb5
added Hardcoded Group mapper to IDP configuration
2023-07-07 08:59:36 -03:00
Erik Jan de Wit
2f5040f565
added locale selector for account console
fixes: #20941
2023-07-06 11:14:39 -03:00
Douglas Palmer
8cc04a6724
NullPointerException on reading auth.attemptedUsername in terms template
closes #21294
2023-07-04 16:07:44 -03:00
rmartinc
09e30b3c99
Support for JWE IDToken and UserInfo tokens in OIDC brokers
Closes https://github.com/keycloak/keycloak/issues/21254
2023-07-03 21:25:46 -03:00
mposolda
ccbddb2258
Fix updating locale on info/error page after authenticationSession was already removed
Closes #13922
2023-07-03 18:57:36 -03:00
Jon Koops
c0b0a25f71
Handle exceptions thrown when requesting storage-access permission (#21325)
2023-06-30 00:35:10 +00:00
Daniele Martinoli
e2ac9487f7
Conditional login through identity provider (#20188)
Closes #20191
Co-authored-by: Jon Koops <jonkoops@gmail.com>
Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com>
Co-authored-by: Marek Posolda <mposolda@gmail.com>
2023-06-29 18:44:15 +02:00
Joshua Sorah
f695eeaa44
Refactor Admin REST API Documentation to use OpenAPI annotations.
Removes dependencies on swagger-doclet
Adds dependencies on microprofile-openapi-api
Plugins for smallrye-open-api-maven-plugin, openapi-generator-maven-plugin
Customized ascii doc template for openapi-generator-maven-plugin, to give similar feel to previous documentation.
OpenAPI annotations added to Admin REST API resources.
Closes keycloak/keycloak#20433
2023-06-29 17:03:38 +02:00
Fouad Almalki
b336732251
Add iat to JWT passed to CIBA HttpAuthenticationChannel (#21280)
Closes #21283
2023-06-29 07:55:57 +02:00
Marek Posolda
51a9712e59
Improper Client Certificate Validation for OAuth/OpenID clients (#20)
Co-authored-by: Stian Thorgersen <stianst@gmail.com>
2023-06-28 17:52:48 -03:00
Ricardo Martin
1973d0f0d4
Check the redirect URI is http(s) when used for a form Post (#22)
Closes https://github.com/keycloak/security/issues/22
Co-authored-by: Stian Thorgersen <stianst@gmail.com>
Signed-off-by: Peter Skopek <pskopek@redhat.com>
2023-06-28 17:52:48 -03:00
Pedro Igor
28aa1d730d
Verify holder of the device code (#21)
Closes https://github.com/keycloak/security/issues/32
Co-authored-by: Stian Thorgersen <stianst@gmail.com>
Conflicts:
services/src/main/java/org/keycloak/protocol/oidc/grants/device/DeviceGrantType.java
2023-06-28 15:45:26 +02:00
rmartinc
4bc11bdf7f
Do not return an error when moving a group to the current parent
Closes https://github.com/keycloak/keycloak/issues/21242
2023-06-28 10:34:15 +02:00
rmartinc
a5a2753d11
Don't allow impersonate disabled users or service accounts
Closes https://github.com/keycloak/keycloak/issues/21106
2023-06-28 10:18:21 +02:00
Douglas Palmer
59e1a5d992
Custom theme - url.resourcesCommonPath references wrong theme
closes #20085
2023-06-28 08:25:44 +02:00
Douglas Palmer
c75bf31398
Empty shortVerificationUri not the same with default (null) value
closes #20851
2023-06-27 14:57:24 +02:00
Pedro Igor
d0691b0884
Support for the locale user attribute
Closes #21163
2023-06-27 09:21:08 -03:00
Erik Jan de Wit
3a3907ab15
changed to use ConfiguredProvider instead (#21097)
fixes: #15344
2023-06-27 08:00:32 -04:00
eatik
0cc464695e
Allowing users with view-users permission to call configured-user-storage-credential-types endpoint as per issue #20783
Closes #20783
2023-06-26 11:05:35 -03:00
Takashi Norimatsu
f6ecc3f3f8
FAPI 2.0 security profile - not allow an authorization request whose parameters were not included in Request Object pushed to PAR request
closes #20710
2023-06-26 12:09:25 +02:00
vramik
7fe7dfc529
ResourceType lost during cloning
Co-authored-by: Alexander Schwartz <alexander.schwartz@gmx.net>
Closes #20947
2023-06-23 09:31:44 +02:00
Douglas Palmer
a0d1ac6baa
processGrantRequest in TokenEndPoint uses new TokenManager instead of this.tokenMananager
closes #20978
2023-06-23 08:12:44 +02:00
Pedro Igor
aff6cc1cbd
Running mappers during account linking
Closes #11195
Co-authored-by: mposolda <mposolda@gmail.com>
Co-authored-by: toddkazakov
2023-06-22 17:41:31 +02:00
Sazzad Hossain
41e253c054
Check whether CREATE_REALM role exists in realm role mappings before hasRole check for user.
Closes #20332
2023-06-22 15:35:50 +02:00
Douglas Palmer
f526f7a091
Emails with non-ascii characters are not allowed since v21.0.0
closes #20878
2023-06-22 10:27:48 -03:00
Pedro Igor
eb5edb3a9b
Support reading base32 encoded OTP secret
Closes #9434
Closes #11561
2023-06-22 08:08:13 -03:00
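Added example (not Keycloak's own code) of what "reading a base32 encoded OTP secret" involves end to end: detect whether a stored secret is base32 or raw, decode it, and run RFC 6238 TOTP over the resulting key bytes, with a constant-time comparison for verification. The looksBase32 heuristic, class and method names are assumptions; the reference secret is the one from RFC 6238 Appendix B, given once raw and once base32-encoded.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.time.Instant;

public class Base32Totp {

    private static final String ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";

    /** RFC 4648 base32 decoding; tolerates lower case, '=' padding and whitespace. */
    static byte[] base32Decode(String s) {
        String clean = s.replaceAll("[\\s=]", "").toUpperCase();
        byte[] out = new byte[clean.length() * 5 / 8];
        int buffer = 0, bits = 0, idx = 0;
        for (char c : clean.toCharArray()) {
            int v = ALPHABET.indexOf(c);
            if (v < 0) throw new IllegalArgumentException("not a base32 character: " + c);
            buffer = (buffer << 5) | v;
            bits += 5;
            if (bits >= 8) {
                out[idx++] = (byte) (buffer >> (bits - 8)); // emit the top 8 of the accumulated bits
                bits -= 8;
                buffer &= (1 << bits) - 1;                   // keep only the leftover low bits
            }
        }
        return out;
    }

    /** Hypothetical heuristic: only A-Z and 2-7 (plus padding) is treated as base32, anything else as raw bytes. */
    static boolean looksBase32(String stored) {
        return stored.matches("[A-Z2-7]+=*");
    }

    static byte[] secretBytes(String stored) {
        return looksBase32(stored) ? base32Decode(stored) : stored.getBytes(StandardCharsets.UTF_8);
    }

    /** RFC 6238 TOTP with HMAC-SHA1 and a 30 second step. */
    static String totp(byte[] key, long unixSeconds, int digits) throws Exception {
        long counter = unixSeconds / 30;
        byte[] msg = new byte[8];
        for (int i = 7; i >= 0; i--) {
            msg[i] = (byte) (counter & 0xff);
            counter >>= 8;
        }
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(key, "HmacSHA1"));
        byte[] h = mac.doFinal(msg);
        int off = h[h.length - 1] & 0x0f;                   // dynamic truncation offset
        int bin = ((h[off] & 0x7f) << 24) | ((h[off + 1] & 0xff) << 16)
                | ((h[off + 2] & 0xff) << 8) | (h[off + 3] & 0xff);
        int otp = bin % (int) Math.pow(10, digits);
        return String.format("%0" + digits + "d", otp);
    }

    /** Accept the current or the previous step; compare in constant time so timing does not leak digits. */
    static boolean verify(byte[] key, long unixSeconds, String submitted, int digits) throws Exception {
        byte[] given = submitted.getBytes(StandardCharsets.US_ASCII);
        for (long t = unixSeconds; t >= unixSeconds - 30; t -= 30) {
            byte[] expected = totp(key, t, digits).getBytes(StandardCharsets.US_ASCII);
            if (MessageDigest.isEqual(expected, given)) return true;
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: the RFC 6238 reference secret as raw ASCII and as its base32 encoding.
        String raw = "12345678901234567890";
        String b32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ";
        System.out.println("raw    T=59: " + totp(secretBytes(raw), 59, 8));
        System.out.println("base32 T=59: " + totp(secretBytes(b32), 59, 8));
        long now = Instant.now().getEpochSecond();
        String code = totp(secretBytes(b32), now, 6);
        System.out.println("now: " + code + " verifies=" + verify(secretBytes(b32), now, code, 6));
    }
}
```

Both T=59 lines print the same 8-digit value, which is the RFC 6238 SHA-1 reference result for that time, showing that the base32 form decodes to exactly the same 20 key bytes as the raw form. The base32-versus-raw heuristic is the weak spot: a raw secret that happens to contain only A-Z and 2-7 would be misread as base32, so a store that holds both kinds needs an explicit encoding marker rather than guessing.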
mposolda
137f8d807a
Account Console II doesn't remove TOTP from UserStorage
closes #19575
2023-06-22 07:56:44 +02:00
Gilvan Filho
2493f11331
count users by custom user attribute
closes #14747
2023-06-21 11:56:22 -03:00
mposolda
dc3b037e3a
Incorrect Signature algorithms presented by Client Authenticator
closes #15853
Co-authored-by: Jon Koops <jonkoops@gmail.com>
2023-06-21 08:55:58 +02:00
Stan Silvert
513c00bcd9
Remove unused feature flags. (#21039)
* Remove unused feature flags.
Fixes #20944
Fixes #20943
* Update release notes.
* Update docs/documentation/release_notes/topics/22_0_0.adoc
Co-authored-by: Jon Koops <jonkoops@gmail.com>
---------
Co-authored-by: Jon Koops <jonkoops@gmail.com>
2023-06-20 15:02:22 -04:00
Stian Thorgersen
f82577a7f3
Removed old account console (#21098)
Co-authored-by: Jon Koops <jonkoops@gmail.com>
Closes #9864
2023-06-20 20:46:57 +02:00
Daniele Martinoli
d9b271c22a
Extends the conditional user attribute authenticator to check the attributes of the joined groups (#20189)
Closes #20007
2023-06-19 15:22:35 +02:00
Jon Koops
c998193797
Pass client id for Account and Admin consoles through environment (#20961)
2023-06-13 16:29:37 +00:00
rmartinc
ecf52285bc
Simplify TokenManager expiration calculations using SessionExpirationUtils
Closes https://github.com/keycloak/keycloak/issues/20794
2023-06-13 10:09:47 +02:00
Pedro Igor
af975d20f1
Avoid iterating indefinitely when checking CRLs
Closes #20725
2023-06-12 17:50:16 +02:00
Alexander Schwartz
9425432f2c
Handle HTTP response codes when retrieving data from remote endpoints
Closes #20895
2023-06-12 13:37:59 +02:00
rmartinc
f3fcf1f8c5
Session cross-reference / transaction mismatch
Closes https://github.com/keycloak/keycloak/issues/20855
2023-06-12 13:18:39 +02:00
Vlasta Ramik
ed473da22b
Clean-up of deprecated methods and interfaces
Fixes #20877
Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com>
2023-06-09 17:11:20 +00:00
rmartinc
61968bf747
Use OIDCAttributeMapperHelper.mapClaim in the GroupMembershipMapper
Closes https://github.com/keycloak/keycloak/issues/19767
2023-06-08 11:12:24 -03:00
Réda Housni Alaoui
eb9bb281ec
Require user to agree to 'terms and conditions' during registration
2023-06-08 10:39:00 -03:00
Marek Posolda
8080085cc1
Removing 'http challenge' authentication flow and related authenticators (#20731)
closes #20497
Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com>
2023-06-08 14:52:34 +02:00
Saman-jafari
31db84e924
fix: issuedFor added to token to get client id into the token; also redirect uri added to token and then passed to info template for "back to application" functionality
test also added to check the availability of issuedFor (azp) and redirect uri in Action
Fixes #14860
Fixes #15136
2023-06-07 12:19:46 -03:00
Zvi Grinberg
b29ce53f6e
Fix bug in regex policy evaluation that ignored flattened user claims that are mapped by protocol mappers to a complex JSON structure in the access token (in the access token JWT, its key and value is a JSON by itself)
fixes: #20436
Signed-off-by: Zvi Grinberg <zgrinber@redhat.com>
2023-06-07 10:18:10 -03:00
Alice Wood
7e56938b74
Extend group search attribute functionality to account for use case where only the leaf group is required
2023-06-07 08:52:23 -03:00
ComplexSpaces
1af4a7a532
Pass webauthn signature algorithm IDs as integers instead of strings (#20832)
closes #20831
2023-06-07 11:46:16 +02:00
Pedro Hos
9ebd94a3a8
Userinfo endpoint doesn't accept charset #20671
Closes 20671
2023-06-07 08:08:05 +02:00
Bruno Sanches
ecf4dbfb18
Check if formData is empty before putting login hint (#20733)
closes keycloak#20732
2023-06-06 17:14:08 -04:00
Artur Baltabayev
041441f48f
Improved Reset OTP authenticator (#20572)
* ResetOTP authenticator can now be configured, so that one or all existing OTP configurations are deleted upon reset.
Closes #8753
---------
Co-authored-by: bal1imb <Artur.Baltabayev@bosch.com>
2023-06-06 08:30:44 -03:00
rmartinc
81aa588ddc
Fix and correlate session timeout calculations in legacy and new map implementations
Closes https://github.com/keycloak/keycloak/issues/14854
Closes https://github.com/keycloak/keycloak/issues/11990
2023-06-05 18:46:23 +02:00
Alexander Schwartz
cd9e0be9f0
Filter first, then sort, and avoid atomics
Closes #20394
2023-06-05 11:23:54 +02:00
Pedro Igor
f69ff5d270
Execution config not duplicated when duplicating flows
Closes #12012
2023-06-01 16:12:06 +02:00
Erik Jan de Wit
f3c393f53e
use the "remember me" max time if set for expires (#20413)
fixes: #9264
2023-05-31 15:25:20 -04:00
Pedro Igor
53dfb44a8f
Migration guide for JAX-RS changes (#20659)
Closes #keycloak/keycloak#15454
2023-05-31 13:50:34 +00:00
mposolda
bf9c5821cb
Fix for certificate revalidation
closes https://security.snyk.io/vuln/SNYK-JAVA-ORGKEYCLOAK-5291542
2023-05-31 15:42:37 +02:00
Takashi Norimatsu
a29c30ccd5
FAPI 2.0 security profile - not allow an authorization request whose parameters were not included in PAR request
closes #20623
2023-05-31 14:02:44 +02:00
Takashi Norimatsu
6b42c2b4d0
FAPI 2.0 security profile - Reject Implicit Grant executor does not return an appropriate error
Closes #20622
2023-05-30 18:24:50 +02:00
stianst
0832992e59
Removing OpenShift integration and moving to separate extension
closes #20496
Co-authored-by: mposolda <mposolda@gmail.com>
2023-05-30 17:39:32 +02:00
Pedro Igor
c22972af9c
Avoid using user property mapper when resolving root user attributes
Closes #20613
2023-05-29 14:30:05 +02:00
Yoshiyuki Tabata
bd37875a66
allow specifying format of "permission" parameter in the UMA grant token endpoint (#15947)
2023-05-29 08:56:39 -03:00
Jon Koops
98e5e9799b
Improve third-party storage access detection and cookie fallback
2023-05-25 22:16:59 -03:00
Douglas Palmer
1b8901f5a2
Changing the email address has no impact on the username regardless of the "Email as username" toggle
closes #20459
2023-05-25 07:54:03 -03:00
Peter Zaoral
72b238fb48
Keystore vault (#19644)
* KeystoreVault SPI
* added KeystoreVault - a Vault SPI implementation (#19281)
Closes #17252
Signed-off-by: Peter Zaoral <pzaoral@redhat.com>
2023-05-24 16:20:30 +00:00
Stefan Guilhen
2252b09949
Remove deprecated default roles methods
Closes #15046
2023-05-23 22:32:52 +02:00
i7a7467
e41e1a971a
SLO and ACS Binding are linked with AuthnRequest Binding in SAML Identity Broker Metadata
Closes #11079
2023-05-22 10:05:17 +02:00
Artur Baltabayev
33215ab6f4
Added User-Session Note Idp mapper. (#19062)
Closes #17659
Co-authored-by: bal1imb <Artur.Baltabayev@bosch.com>
Co-authored-by: Daniel Fesenmeyer <daniel.fesenmeyer@bosch.io>
Co-authored-by: Sebastian Schuster <sebastian.schuster@bosch.io>
2023-05-18 13:47:10 +02:00
mkrueger92
256bb84cc4
Avoid NPE while fetching offline sessions (#17577)
2023-05-18 13:32:02 +02:00
Pedro Hos
c939b5b5ac
NPE when updating a subflow in an authentication flow
closes #19844
2023-05-17 18:35:40 +02:00
danielFesenmeyer
d543ba5b56
Consistent message resolving regarding language fallbacks for all themes
- the prio of messages is now as follows for all themes (RL = realm localization, T = Theme i18n files): RL <variant> > T <variant> > RL <region> > T <region> > RL <language> > T <language> > RL en > T en
- centralize the message resolving logic in helper methods in LocaleUtil and use it for all themes, add unit tests in LocaleUtilTest
- add basic integration tests to check whether realm localization can be used in all supported contexts:
- Account UI V2: org.keycloak.testsuite.ui.account2.InternationalizationTest
- Login theme: LoginPageTest
- Email theme: EmailTest
- deprecate the param useRealmDefaultLocaleFallback=true of endpoint /admin/realms/{realm}/localization/{locale}, because it does not resolve fallbacks as expected and is no longer used in admin-ui v2
- fix locale selection in DefaultLocaleSelectorProvider so that a supported region (like "de-CH") will no longer be selected instead of a supported language (like "de") when just the language is requested, add corresponding unit tests
- improvements regarding message resolving in Admin UI V2:
- add cypress test i18n_test.spec.ts, which checks the fallback implementation
- log a warning instead of an error, when messages for some languages/namespaces cannot be loaded (the page will probably work with fallbacks in that case)
Closes #15845
2023-05-17 15:00:32 +02:00
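Added example (not Keycloak's own code) implementing the resolution order stated in the commit above, RL variant > T variant > RL region > T region > RL language > T language > RL en > T en, where RL is realm localization and T the theme's message bundle. The REALM and THEME maps are constructed sample data, and the class and method names are assumptions.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Optional;

public class MessageFallbackResolver {

    /** Constructed realm localization (RL) and theme bundles (T), keyed by BCP 47 tag. */
    static final Map<String, Map<String, String>> REALM = Map.of(
            "de-CH", Map.of("loginTitle", "Anmelden (Realm, de-CH)"),
            "de", Map.of("logoutTitle", "Abmelden (Realm, de)"));

    static final Map<String, Map<String, String>> THEME = Map.of(
            "de-CH", Map.of("loginTitle", "Anmelden (Theme, de-CH)",
                            "logoutTitle", "Abmelden (Theme, de-CH)"),
            "de", Map.of("loginTitle", "Anmelden (Theme, de)",
                         "logoutTitle", "Abmelden (Theme, de)",
                         "error", "Fehler (Theme, de)"),
            "en", Map.of("loginTitle", "Sign in (Theme, en)",
                         "logoutTitle", "Sign out (Theme, en)",
                         "error", "Error (Theme, en)",
                         "onlyEnglish", "English only (Theme, en)"));

    /** Candidate tags from most to least specific, always ending in "en": variant, region, language, en. */
    static List<String> candidates(Locale locale) {
        List<String> out = new ArrayList<>();
        if (!locale.getVariant().isEmpty()) {
            out.add(locale.getLanguage() + "-" + locale.getCountry() + "-" + locale.getVariant());
        }
        if (!locale.getCountry().isEmpty()) out.add(locale.getLanguage() + "-" + locale.getCountry());
        if (!locale.getLanguage().isEmpty()) out.add(locale.getLanguage());
        if (!out.contains("en")) out.add("en");
        return out;
    }

    /**
     * At each level of specificity the realm override wins over the theme bundle, but a more specific
     * theme entry still beats a less specific realm entry, which is exactly the chain above.
     */
    static Optional<String> resolve(String key, Locale locale) {
        for (String tag : candidates(locale)) {
            String value = REALM.getOrDefault(tag, Map.of()).get(key);
            if (value == null) value = THEME.getOrDefault(tag, Map.of()).get(key);
            if (value != null) return Optional.of(value);
        }
        return Optional.empty();
    }

    public static void main(String[] args) {
        Locale swissGerman = Locale.forLanguageTag("de-CH");
        Locale german = Locale.forLanguageTag("de");
        for (String key : List.of("loginTitle", "logoutTitle", "error", "onlyEnglish", "missing")) {
            System.out.printf("%-12s de-CH -> %s%n", key, resolve(key, swissGerman).orElse("<no message>"));
        }
        // A request for plain "de" must never be served from "de-CH": its candidate list is just de, en.
        System.out.printf("%-12s de    -> %s%n", "loginTitle", resolve("loginTitle", german).orElse("<no message>"));
    }
}
```

With this data, de-CH takes loginTitle from the realm override at the region level, logoutTitle from the theme's de-CH bundle (the realm's de entry loses because it is less specific), error from the theme's de bundle and onlyEnglish from the English bundle, while the plain de request gets the theme's de loginTitle and never sees the de-CH entries.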
Dominik Schlosser
8c58f39a49
Updates Datastore provider to contain full data model
Closes #15490
2023-05-16 15:05:10 +02:00
Takashi Norimatsu
7f5e94db87
KEYCLOAK-19539 FAPI 2.0 Baseline : Reject Implicit Grant
2023-05-16 14:17:29 +02:00
Alexander Schwartz
bd7f62acc3
Use retry-logic only for the map storage
This is a performance optimization so that the retry doesn't affect the legacy store.
Closes #20176
2023-05-15 10:20:35 +02:00
Alexander Schwartz
754aac2f4e
Avoid creating an NPE when closing
This is a performance optimization and improved logging so it doesn't hide problems in the future.
Closes #20176
2023-05-15 10:20:35 +02:00
Alexander Schwartz
0f481da77f
Avoid creating instances of HashMap to generate a single MapEntry
This is a performance optimization.
Closes #20176
2023-05-15 10:20:35 +02:00
Alexander Schwartz
93373b9398
Cache theme root URI
This is a performance optimization.
Closes #20176
2023-05-15 10:20:35 +02:00
Martin Bartoš
5a96efad11
Do not display error log for initial admin creation
Closes #15789
Co-authored-by: Steve Weixel <steve.weixel@quantum.com>
2023-04-28 14:36:05 +02:00
Martin Bartoš
dcb7c498a4
Cannot find Generated annotation for ServicesLogger (#20021)
Fixes #20020
2023-04-28 11:37:44 +00:00
Peter Zaoral
a020d3f6df
Quarkus3 branch sync no. 12
31.3.2023:
* renamed imports from javax to jakarta as a part of the migration from JavaEE to JakartaEE
Signed-off-by: Peter Zaoral <pzaoral@redhat.com>
2023-04-27 13:36:54 +02:00
Martin Bartoš
bc43e4f435
Integrate Jakarta Mail API 2.1.0
2023-04-27 13:36:54 +02:00
Peter Zaoral
0b4f40f89b
Quarkus3 branch sync no. 8
3.3.2023:
* renamed imports from javax to jakarta as a part of the migration from JavaEE to JakartaEE
Signed-off-by: Peter Zaoral <pzaoral@redhat.com>
2023-04-27 13:36:54 +02:00
Peter Zaoral
c2d1cade8d
Quarkus3 branch sync no. 7
27.2.2023:
* renamed imports from javax to jakarta as a part of the migration from JavaEE to JakartaEE
Signed-off-by: Peter Zaoral <pzaoral@redhat.com>
2023-04-27 13:36:54 +02:00
Martin Bartoš
64738ea708
Fix issues with JakartaEE Mail dependencies
...
This reverts commit da4644844ed88818c05d777460624403326ab01c
---
Quarkus3 branch sync no. 12 (31.3.2023)
Resolved conflicts:
keycloak/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/sessionlimits/UserSessionLimitsTest.java - Modified
2023-04-27 13:36:54 +02:00
Peter Zaoral
946eacd5b6
Quarkus3 branch sync no. 5
...
10.2.2023:
* renamed imports from javax to jakarta as a part of the migration from JavaEE to JakartaEE
* fixed Undertow server not starting due to ClassNotFoundException: javax.transaction.TransactionManager
Signed-off-by: Peter Zaoral <pzaoral@redhat.com>
2023-04-27 13:36:54 +02:00
vramik
f18f356a0b
Update attribute name in HttpRequestImpl to jakarta.
...
Closes #16721
2023-04-27 13:36:54 +02:00
Martin Bartoš
b1da7bd613
Revert Mail API
...
---
Quarkus3 branch sync no. 13 (11.4.2023)
Resolved conflicts:
keycloak/quarkus/pom.xml - Modified
---
Quarkus3 branch sync no. 12 (31.3.2023)
Resolved conflicts:
keycloak/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/sessionlimits/UserSessionLimitsTest.java - Modified
2023-04-27 13:36:54 +02:00
Martin Bartoš
1f126647fe
Update dependencies
2023-04-27 13:36:54 +02:00
Martin Bartoš
124591ce1a
Adapters can still use Java EE
...
- Provided all JavaEE dependencies for adapters
- Automatically build Undertow Jakarta EE for testsuite (missing SAML)
---
Quarkus3 branch sync no. 11 (24.3.2023)
Resolved conflicts:
keycloak/adapters/oidc/spring-security/pom.xml - Modified
---
Quarkus3 branch sync no. 7 (27.2.2023)
Resolved conflicts:
keycloak/pom.xml - Modified
---
Quarkus3 branch sync no. 5 (10.2.2023)
Resolved conflicts:
keycloak/testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/pom.xml - Modified
---
Quarkus3 branch sync no. 1 (18.1.2023)
Resolved conflicts:
keycloak/testsuite/integration-arquillian/tests/base/pom.xml - Modified
2023-04-27 13:36:54 +02:00
Martin Bartoš
6118e5cfb7
Use JakartaEE dependencies
...
---
Quarkus3 branch sync no. 14 (24.4.2023)
Resolved conflicts:
keycloak/pom.xml - Modified
---
Quarkus3 branch sync no. 5 (10.2.2023)
Resolved conflicts:
keycloak/pom.xml - Modified
2023-04-27 13:36:54 +02:00
Martin Bartoš
7cff857238
Migrate packages from javax.* to jakarta.*
...
---
Quarkus3 branch sync no. 14 (24.4.2023)
Resolved conflicts:
keycloak/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/federation/storage/ComponentExportImportTest.java - Modified
keycloak/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/DeclarativeUserTest.java - Modified
keycloak/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/federation/storage/FederatedStorageExportImportTest.java - Modified
keycloak/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/authentication/FlowTest.java - Modified
keycloak/services/src/main/java/org/keycloak/services/resources/admin/UserResource.java - Modified
---
Quarkus3 branch sync no. 13 (11.4.2023)
Resolved conflicts:
keycloak/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/pages/AccountTotpPage.java - Deleted
keycloak/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/federation/storage/BackwardsCompatibilityUserStorageTest.java - Modified
---
Quarkus3 branch sync no. 12 (31.3.2023)
Resolved conflicts:
keycloak/quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/services/resources/QuarkusWelcomeResource.java - Modified
keycloak/services/src/main/java/org/keycloak/protocol/saml/profile/util/Soap.java - Modified
keycloak/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/util/UserInfoClientUtil.java - Modified
keycloak/services/src/main/java/org/keycloak/protocol/oidc/endpoints/UserInfoEndpoint.java - Modified
keycloak/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/sessionlimits/UserSessionLimitsTest.java - Modified
---
Quarkus3 branch sync no. 10 (17.3.2023)
Resolved conflicts:
keycloak/services/src/main/java/org/keycloak/protocol/saml/SamlProtocolUtils.java - Modified
---
Quarkus3 branch sync no. 9 (10.3.2023)
Resolved conflicts:
keycloak/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/federation/kerberos/AbstractKerberosSingleRealmTest.java - Modified
keycloak/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/LoginTest.java - Modified
---
Quarkus3 branch sync no. 8 (3.3.2023)
Resolved conflicts:
keycloak/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/util/SamlClient.java - Modified
keycloak/services/src/main/java/org/keycloak/protocol/saml/SamlProtocol.java - Modified
keycloak/examples/providers/authenticator/src/main/java/org/keycloak/examples/authenticator/SecretQuestionAuthenticator.java - Modified
---
Quarkus3 branch sync no. 6 (17.2.2023)
Resolved conflicts:
keycloak/integration/admin-client/src/main/java/org/keycloak/admin/client/resource/ComponentsResource.java - Modified
keycloak/testsuite/utils/src/main/java/org/keycloak/testsuite/KeycloakServer.java - Modified
keycloak/services/src/main/java/org/keycloak/protocol/saml/installation/SamlSPDescriptorClientInstallation.java - Modified
---
Quarkus3 branch sync no. 5 (10.2.2023)
Resolved conflicts:
keycloak/services/src/main/java/org/keycloak/social/google/GoogleIdentityProvider.java - Modified
keycloak/services/src/main/java/org/keycloak/social/twitter/TwitterIdentityProvider.java - Modified
---
Quarkus3 branch sync no. 4 (3.2.2023)
Resolved conflicts:
keycloak/quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/integration/jaxrs/QuarkusKeycloakApplication.java - Modified
---
Quarkus3 branch sync no. 1 (18.1.2023)
Resolved conflicts:
keycloak/testsuite/client/ClientPoliciesTest.java - Deleted
keycloak/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/ClientRegistrationTest.java - Modified
keycloak/model/map-jpa/src/main/java/org/keycloak/models/map/storage/jpa/JpaModelCriteriaBuilder.java - Modified
2023-04-27 13:36:54 +02:00
rmartinc
04ac3a64ee
Adding support for rsa-oaep for SAML encryption
...
Closes https://github.com/keycloak/keycloak/issues/19689
2023-04-26 10:46:10 +02:00
mposolda
a3f2ebb193
Ability to override default/built-in providers with same providerId. Using ProviderFactory.order() for choosing priority providers
...
Closes #19867
2023-04-25 18:04:58 +02:00
Hynek Mlnarik
3161c4424c
Fix export / import tests relict
...
Closes: #19812
2023-04-19 22:17:49 +02:00
rmartinc
8e55a63f31
Do not allow adding a sub-flow to a built-in workflow
...
Closes https://github.com/keycloak/keycloak/issues/15536
2023-04-19 11:12:49 +02:00
rmartinc
f051a0cdb3
Improve SessionCodeChecks to better detect the ALREADY_LOGGED_IN situation
...
Closes https://github.com/keycloak/keycloak/issues/19677
2023-04-18 10:35:47 -03:00
Marek Posolda
8d01109158
Invalid parameter redirect_uri when using an invalid client_id ( #19731 )
...
closes #19662
2023-04-17 15:12:59 +02:00
danielFesenmeyer
5554c62bea
Change locale of user profile validation message to be resolved from authenticated user instead of validated user
...
Closes #19707
2023-04-14 11:51:15 -03:00
Stian Thorgersen
f4cabea08c
Make sure the code is bound to the user session ( #18 ) ( #17380 ) ( #17389 )
...
Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com>
2023-04-14 14:42:12 +02:00
Jon Koops
a2eb619e0e
Include Account Console version 3 as a theme ( #19641 )
2023-04-13 09:41:40 -04:00
eatikrh
396e2ba931
Allow users with 'view-users' permission to see the 'credentials' tab ( #19587 )
...
Closes #17174
2023-04-07 14:13:43 +02:00
alwibrm
9f15cf432b
Respecting key use of EC keys in JWKS
2023-04-03 19:06:25 -03:00
rmartinc
99330dbb6d
Manage JsonProcessingException to not return error 500 when json data is wrong
...
Closes https://github.com/keycloak/keycloak/issues/11517
2023-04-03 18:07:34 +02:00
Hynek Mlnarik
0d5363d0d5
Throw an exception rather than returning response
...
Closes: #17644
2023-04-03 14:43:50 +02:00
Stan Silvert
c595e3430e
Add access to full group tree. Fix access for members tab. Add missing ( #19423 )
...
props to Access object.
Fixes #17589
2023-03-31 15:11:13 -04:00
mposolda
17c1b853e0
Custom implementation of OIDC Login Protocol doesn't get executed
...
closes #19335
2023-03-31 11:54:32 -03:00
rmartinc
c6a1820a47
Use SimpleHttp for SOAP calls
...
Closes https://github.com/keycloak/keycloak/issues/17139
2023-03-31 10:57:47 -03:00
Pedro Igor
6086201fe0
Do not verify identity cookie when processing required actions
...
Closes #17539
2023-03-31 09:56:27 +02:00
Robert Dey
044aca0863
Use replacePath() instead of path()
2023-03-30 12:03:43 -03:00
Robert Dey
4df73714e0
Fix totp manual link for proxy mode
...
Closes #11774
2023-03-30 12:03:43 -03:00
mposolda
709c6b5a47
Regressions in redirect URL verification when redirect_uri has encoded path or default port
...
closes #16851
closes #16587
2023-03-30 14:20:10 +02:00
Pedro Igor
48082d08ec
Email visible on registration page when edit username is not allowed
...
Closes #17439
2023-03-30 08:11:30 +02:00
Michal Hajas
e49dfe534e
Fix missing migration when reading TERMS_AND_CONDITIONS required action in legacy store
...
Closes #17277
2023-03-29 16:43:01 +02:00
Daniel Kobras
a45b5dcd90
Prefer cert over pubkey in SAML metadata
...
If SAML key material was given as a certificate, consistently
expose the certificate rather than just the public key when
presenting SAML metadata info. This change ensures that the
client obtains sufficient information (e.g. issuer) to close
the trust chain.
Closes: #17549
Signed-off-by: Daniel Kobras <kobras@puzzle-itc.de>
2023-03-29 11:17:24 +02:00
Marek Posolda
032ece9f7b
Clarify user session limits documentation and test SSO scenario ( #19372 )
...
Closes #17374
Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com>
2023-03-29 10:08:45 +02:00
rmartinc
2bb9de1a8c
Allow application/jwt media type for userinfo endpoint
...
Closes: https://github.com/keycloak/keycloak/issues/19346
2023-03-28 08:47:35 -03:00
Pedro Igor
a9c605750d
Returning email as username setting for admins
...
Fixes #17591
2023-03-27 16:33:44 -03:00
Alexander Schwartz
ccec3639ff
Update provider to create documentation entries for its properties
...
Closes #17565
2023-03-27 09:03:41 -03:00
Alexander Schwartz
251f6151e8
Rework the Import SPI to be configurable via the Config API
...
Also rework the export/import CLI for Quarkus, so that runtime options are available.
Closes #17663
2023-03-24 15:28:55 -03:00
Klajdi Paja
cf61a65198
Return a user friendly message when a group name already exists on the same level.
...
Closes #16888
2023-03-24 08:13:49 +01:00
Douglas Palmer
a48db930fe
Theme resource common path is always /keycloak/common
...
Closes #17569
2023-03-24 08:11:21 +01:00
Ayrat Hudaygulov
f578f91a0b
Fix ID token not being sent after expiration for OIDC logout
...
Closes #10164
2023-03-23 13:01:02 +01:00
Konstantinos Georgilakis
fd28cd2d4b
Service Accounts Client must create the Client ID mapper with Token Claim Name as client_id
...
closes #16329
2023-03-23 11:45:34 +01:00
tomjo
705d20d4a2
AllowAllDockerProtocolMapper now allows multiple resourceScopes delimited by spaces as specified by the docker auth token spec.
...
Closes #17187
2023-03-23 09:43:43 +01:00
rmartinc
bef0a4a6f1
Check frontendUrl in the hostname providers
...
Closes https://github.com/keycloak/keycloak/issues/17686
2023-03-20 18:54:58 -03:00
rmartinc
cab7e50410
Better handling for SAML signatures in POST and REDIRECT bindings
...
Closes https://github.com/keycloak/keycloak/issues/17456
2023-03-15 09:06:59 -03:00
vramik
25d6161ebd
Remove ClearExpiredUserSessions, ClearExpiredClientInitialAccessTokens and ClearExpiredEvents from services module
...
Closes #13835
2023-03-10 09:09:51 +01:00
Douglas Palmer
4a382752aa
Reverted back to Parser from CachingParser due to thread safety concerns
...
closes #16729
2023-03-09 17:50:39 +01:00
Douglas Palmer
181e1b914f
Update to UA Parser 1.5.4 and use CachingParser
...
closes #16729
2023-03-08 11:46:39 +01:00
Tero Saarni
9052ec2b02
Add admin events for realm create/delete. ( #10831 )
...
Closes #10733
2023-03-07 15:57:06 +01:00
Simon Levermann
96c1cf3c49
Allow mapping of UserSessionNotes into UserInfo
...
Fixes #15369
2023-03-07 15:25:14 +01:00
rmartinc
a56b38c5a6
Don't remove session and don't reset restart cookie if passive check error
...
Closes https://github.com/keycloak/keycloak/issues/11340
2023-03-07 15:10:09 +01:00
rmartinc
06ff8b016c
Don't set REMEMBER_ME if it's disabled at realm level
...
Closes https://github.com/keycloak/keycloak/issues/11330
2023-03-07 15:01:58 +01:00
Alexander Schwartz
f6f179eaca
Rework the export to use CLI options and property mappers
...
Also, adding the wiring to support Model tests for the export.
Closes #13613
2023-03-07 08:22:12 +01:00
mposolda
a0192d61cc
Redirect loop with authentication success but access denied at default identity provider
...
closes #17441
2023-03-06 10:45:01 +01:00
Michal Hajas
465019bec4
Extract attachDevice outside of storage layer
...
Closes #17336
2023-03-03 17:58:34 +01:00
Zakaria Amine
fb5a7f654b
trigger IDENTITY_PROVIDER_FIRST_LOGIN (and UPDATE_PROFILE) event when identity provider flow succeeds ( #15100 )
...
closes #15098
2023-03-03 17:49:27 +01:00
Jon Koops
972ebb9650
Use a valid SemVer format for the SNAPSHOT version ( #17334 )
...
* Use a valid SemVer format for the SNAPSHOT version
* Update pom.xml
* Update pom.xml
---------
Co-authored-by: Stian Thorgersen <stianst@gmail.com>
Co-authored-by: Stian Thorgersen <stian@redhat.com>
2023-03-03 11:11:44 +01:00
mposolda
b28bde542f
referrer_url is not correctly computed in account console
...
closes #16484
2023-03-01 20:49:15 +01:00
Marek Posolda
59f4fe1c60
NPE on Theme after upgrade to 21 when parent or import theme does not exist ( #17350 )
...
* NPE on Theme after upgrade to 21 when parent or import theme does not exist
closes #17313
* Update per review
2023-03-01 15:46:37 +00:00
mghalbi
e19e7bef2d
fix error in check mediaType
2023-02-27 14:34:32 -03:00
mghalbi
116b2fed0c
Added check for the presence of Content-Type header in the request
2023-02-27 14:34:32 -03:00
Pedro Igor
fbf5541802
Remove duplicated set-cookie header from response when expiring cookies
...
Closes #17192
2023-02-27 14:17:27 -03:00
lpa
3cd413dee1
SOAP backchannel logout for SAML protocol
...
Closes #16293
2023-02-27 14:24:12 +01:00
rmartinc
38a46726e4
Implement UserInfoTokenMapper in HardcodedRole and RoleNameMapper mappers
...
Closes https://github.com/keycloak/keycloak/issues/15624
2023-02-27 10:14:48 -03:00
mposolda
f180115d27
Log some details if error happens in CIBA authentication request
...
Closes #14650
2023-02-23 14:36:28 +01:00
Yohan Siguret
82423f38a1
Add user id to TOKEN_EXCHANGE events
...
Co-authored-by: thaDude <ogdude@googlemail.com>
2023-02-22 17:13:48 -03:00
Hynek Mlnarik
878debd2ab
Forbid changing ID
...
Closes: #16881
2023-02-22 17:19:22 +01:00
Marek Posolda
b9ab942ef8
FIPS related docs ( #17196 )
...
* FIPS related docs
Closes #16444 #12432 #12429
Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com>
2023-02-22 12:47:15 +01:00
Alexander Schwartz
54048f1e6c
Callers need to indicate if cookies need to be set at the end of the transaction
...
Closes #17141
2023-02-21 11:54:32 +01:00
Douglas Palmer
1d75000a0e
Create an SPI for DeviceActivityManager
...
closes #17134
2023-02-20 09:29:11 +01:00
Zakaria Amine
0972edd6a5
Fix label for IdpReviewProfileAuthenticatorFactory (take 2) ( #17062 )
...
Use static english text for IdpReviewProfileAuthenticatorFactory label config
Closes #16658
2023-02-16 19:16:00 +01:00
drohwer89
4ff180da64
Terminating all sessions above the session limit ( #16068 )
...
Adjusts implementation of UserSessionLimitsAuthenticator to terminate all sessions above the session limit.
Closes #14689
Co-authored-by: Marek Posolda <mposolda@gmail.com>
2023-02-16 17:56:59 +01:00
summersab
a64f6dcfc2
Update TotpBean.java
...
Add a `getUsername()` method to the `TotpBean` class so usernames can be used in the TOTP templates.
2023-02-16 08:13:39 -03:00
sui.jieqiang
1f6fa0501c
Fix search user groups without limit
...
Closes #12649
2023-02-15 15:50:46 +01:00
Pedro Igor
9e46b9e43f
Handling events after transaction completion using a separate session
...
Closes #15656
2023-02-14 13:10:57 +01:00
Alexander Schwartz
d4604984d0
Compatibility with Maven4 and parallel builds ( #16312 )
...
Closes #16308
2023-02-14 11:44:53 +01:00
laskasn
dc8b759c3d
Use encryption keys rather than sig for crypto in SAML
...
Closes #13606
Co-authored-by: mhajas <mhajas@redhat.com>
Co-authored-by: hmlnarik <hmlnarik@redhat.com>
2023-02-10 12:06:49 +01:00
Stefan Guilhen
1da6244ec0
Add retry logic to LoginActionsService#authenticate
...
In addition to that, avoid adding cookies on each retry.
Closes #15849
Co-authored-by: Alexander Schwartz <aschwart@redhat.com>
2023-02-09 11:56:15 +01:00
Dmitry Telegin
5f39aeb590
Pre-authorization hook for client policies
...
Closes #9017
2023-02-08 15:06:32 +01:00
Đặng Minh Dũng
d91eeac612
feat: support multi hd in GoogleIdentityProvider
...
Signed-off-by: Đặng Minh Dũng <dungdm93@live.com>
2023-02-07 11:32:35 -03:00
Stian Thorgersen
4782a85166
Remove old admin console feature ( #16861 )
...
* Remove old admin console feature
Closes #16860
* Update help txt files for Quarkus tests
2023-02-07 12:59:35 +01:00
Pedro Igor
7b58783255
Allow mapping claims to user attributes when exchanging tokens
...
Closes #8833
2023-02-07 10:57:35 +01:00
Denis Bernard
5db64133b8
Add Attribute to Group Mapper for SAML IDP
...
Cleansing code as PR Comment
Add test for Advanced Attribute to Group Mapper
Closes #12950
2023-02-06 10:58:48 -03:00
rmartinc
f8f112d8d2
Upgrade twitter4j ( #16828 )
...
Closes https://github.com/keycloak/keycloak/issues/16731
2023-02-03 15:28:37 +01:00
Marek Posolda
51bed81814
Fixes for OOB endpoint and KeycloakSanitizer ( #16773 )
...
(cherry picked from commit 91ac2fb9dd50808ff5c76d639594ba14a8d0d016)
2023-02-02 08:34:50 +01:00
Stian Thorgersen
d9025231f9
HTML Injection in Keycloak Admin REST API ( #16765 )
...
Resolves #GHSA-m4fv-gm5m-4725
Co-authored-by: Martin Bartoš <mabartos@redhat.com>
2023-02-01 14:34:15 +01:00
Alexander Schwartz
c6aba2e3de
Make LockAcquiringTimeoutException a RuntimeException
...
Closes #16690
2023-01-31 08:21:32 +01:00
Alexander Schwartz
7933f0489d
Align startup of Quarkus with the regular startup to ensure bootstrap locks are created.
...
Also fixing an issue where DBLockGlobalLockProviderFactory held on to an old session, which led to a closed DB connection on Quarkus.
Closes #16642
2023-01-30 12:59:40 +01:00
Zakaria Amine
f067c9aa26
Fix label for IdpReviewProfileAuthenticatorFactory ( #15293 )
...
Closes #16658
2023-01-27 10:58:59 +01:00
Ikko Eltociear Ashimine
025d47c57a
Fix typo in UPConfigUtils.java ( #16655 )
...
erorr -> error
2023-01-27 07:41:03 +01:00
Pedro Igor
f6602e611b
Allow managing the username idn homograph validator
...
Closes #13346
2023-01-26 04:55:43 -08:00
mposolda
a804400c84
Added KERBEROS feature. Disable it when running tests on FIPS
...
closes #14966
2023-01-25 18:38:46 +01:00
Benjamin Weimer
9176308d79
15812 Make DeclarativeUserProfileProvider MetaData Map thread safe
2023-01-25 06:28:04 -08:00
mposolda
16888eaeab
Only available RSA key sizes should be shown in admin console
...
Closes #16437
2023-01-25 13:15:07 +01:00
Benjamin Weimer
69c114288d
Return 404 when trying to retrieve non-existing external IDP token
2023-01-24 13:56:02 -08:00
Bastian
5ddb79cbe6
fix(account): do not leak into messages ( #16212 )
...
Closes #16211
2023-01-18 13:06:36 +01:00
Konstantinos Georgilakis
c73859794e
Short verification_uri for Device Authorization Request
...
Closes #16107
2023-01-18 08:34:52 +01:00
stianst
dceb2f96b2
Fix REST API header showing product.name.full
...
Closes #16067
2023-01-16 13:14:26 +01:00
mposolda
79fa6bb3c9
Initial support for running testsuite in BCFIPS approved mode
...
Closes #16429
2023-01-13 02:59:06 -08:00
Pedro Igor
9945135861
Verify if token is revoked when validating bearer tokens ( #16394 )
...
Closes #16388
2023-01-11 14:42:29 +01:00
mposolda
ac490a666c
Fix KcSamlSignedBrokerTest in FIPS. Support for choosing realm encryption key for decrypt SAML assertions instead of realm signature key
...
Closes #16324
2023-01-10 20:39:59 +01:00
Pedro Igor
d797d07d8f
Ignore user profile attributes for service accounts
...
Closes #13236
2023-01-10 16:26:53 +01:00
Karim Boukari
bcc23b6330
Fix (keycloak#15493): make nginx certificate-lookup thread safe ( #15480 )
...
Closes #15493
2023-01-10 11:56:40 +01:00
Mark Andreev
d900540034
Fix NPE if user does not exist
...
Check "userSession.getId().equals(clientUser.getId())" fails if getUserFromToken returns a non-existent user. It happens when AccessToken.subject relates to a non-existent user.
Closes #16297
2023-01-09 06:43:39 -08:00
Pedro Igor
522bf1c0b0
Keep consistency when importing realms at startup when they are exported via the export command
...
Closes #16281
Co-authored-by: Martin Bartoš <mabartos@redhat.com>
2023-01-06 18:53:01 +01:00
Pedro Igor
53ee95764e
Do not show username field when updating profile if UPDATE_EMAIL feature is enabled and email as username is enabled
...
Closes #16263
2023-01-06 14:12:47 +01:00
Réda Housni Alaoui
141c9dd803
update-email: email change does not affect the username when "Email as username" option is checked ( #15583 )
...
Closes #13988
2023-01-06 14:04:48 +01:00
Réda Housni Alaoui
dbe0c27bcf
Allowing client registration access token rotation deactivation
2023-01-05 20:53:57 +01:00
Michal Hajas
6566b58be1
Introduce Infinispan GlobalLock implementation
...
Closes #14721
2023-01-05 16:58:44 +01:00
Hynek Mlnarik
071fc03f41
Move transaction processing into session close
...
Fixes: #15223
2023-01-05 16:12:32 +01:00
Pedro Igor
dbe225715d
Wrong auth session id being used when validating auth session id cookies ( #16253 )
...
Closes #16252
Closes #16132
2023-01-05 10:13:25 +01:00
cknoblauch
ae74cadcfc
Add missing < to Javadoc
2023-01-04 14:06:53 +01:00
ムハマドザクワンビンムハマドザヒド / MOHDZAHID,BIN MUHAMMADZAKWAN
ce6b737e33
NPE in userinfo endpoint
...
Closes #15429
2023-01-02 13:53:29 +01:00
Pedro Igor
857b02be63
Allow managing the required settings for the email attribute
...
Closes #15026
2022-12-15 13:11:06 -08:00
Pedro Igor
782d145cef
Allow updating authz settings via default client registration provider
...
Closes #9008
2022-12-15 20:43:43 +01:00
Stian Thorgersen
a5670af745
Keycloak CI workflow refactoring ( #15968 )
...
* Keycloak CI workflow refactoring
Closes #15861
* Update testsuite/integration-arquillian/tests/base/testsuites/base-suite.sh
Co-authored-by: Hynek Mlnařík <hmlnarik@users.noreply.github.com>
* Update testsuite/integration-arquillian/tests/base/testsuites/suite.sh
Co-authored-by: Hynek Mlnařík <hmlnarik@users.noreply.github.com>
* Update testsuite/integration-arquillian/tests/base/testsuites/suite.sh
Co-authored-by: Hynek Mlnařík <hmlnarik@users.noreply.github.com>
* Update CodeQL actions
Co-authored-by: Hynek Mlnařík <hmlnarik@users.noreply.github.com>
2022-12-14 16:12:23 +01:00
Stian Thorgersen
0f2ca3bfdd
fixes from release/20 ( #15982 )
...
* Avoid path traversal via double-url encoding of redirect URI (#8 )
(cherry picked from commit a2128fb9e940d96c2f9a64edcd4fbcc768eedb4f)
* Do not resolve user session if corresponding auth session does not exist (#7 )
* Stabilizing the ConcurrentLoginTest when running with JPA map storage by locking user sessions (#9 )
Co-authored-by: Marek Posolda <mposolda@gmail.com>
Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com>
Co-authored-by: Alexander Schwartz <alexander.schwartz@gmx.net>
2022-12-14 07:46:17 +01:00
Stan Silvert
5ced20e1ee
Allow any admin role on GET profile call ( #15967 )
2022-12-13 15:56:22 -05:00
zak905
993d910520
avoid NPE in LegacyAttributes when using federated storage
...
Closes https://github.com/keycloak/keycloak/issues/15482
2022-12-07 14:25:08 -03:00
Michal Hajas
de7dd77aeb
Change id of TermsAndConditions required actions to uppercase
...
Closes #9991
2022-12-07 10:51:37 -03:00
mposolda
f4e91a5312
The redirect URI cannot be verified during logout in the case when client was removed
...
closes #15866
2022-12-07 08:20:30 +01:00
Pedro Igor
022d2864a6
Make sure JAX-RS resource methods are advertising the media type they support
...
Closes #15811
Closes #15810
2022-12-06 08:13:43 -03:00
Václav Muzikář
7a0ad6ff21
Handle null in HttpRequestImpl
2022-12-02 12:17:10 +01:00
Pedro Igor
168734b817
Removing references to request and response from Resteasy
...
Closes #15374
2022-12-01 08:38:24 -03:00
mposolda
3e9c729f9e
X.509 authentication fixes for FIPS
...
Closes #14967
2022-11-25 11:50:30 +01:00
Stefan Guilhen
5c2a5fac31
Enable all test methods in ConcurrentLoginTest for JPA Map Storage
...
- Tests still disabled for Hotrod and CHM
- Fixes concurrent login issues with CRDB. Verified with both PostgreSQL and CockroachDB.
Closes #12707
Closes #13210
2022-11-24 13:36:22 +01:00
Alexander Schwartz
fd152e8a3e
Modify RealmAdminResource.partialImport to work with InputStream
...
Rework existing PartialImportManager to not interfere with transaction handling, and bundle everything related to AdminEventBuild and JAX-RS Responses inside the Resource.
Closes #13611
2022-11-24 11:45:11 +01:00
Lex Cao
dd03137ea7
Strip secret of user when creating from admin API
...
Closes #14843
2022-11-24 11:38:42 +01:00
Pedro Igor
9e042b06b4
Avoid creating proxies at runtime for Rest-based SPIs
...
Closes #15605
2022-11-23 12:42:13 +01:00
Nagy Vilmos
4b6b607fe9
Should not hide IDP from login page ( #14174 )
...
Closes #14173
2022-11-23 10:49:21 +01:00
cgeorgilakis-grnet
085dd24875
Client registration service does not check client protocol for Bearer token
...
Closes #15612
2022-11-23 08:49:13 +01:00
Pedro Igor
28fc5b4574
Removing injection points for Resteasy objects and resolving instances from keycloak context instead
...
Relates #15374
2022-11-21 19:47:25 +01:00
Pedro Igor
6f7c62fc73
Remove unnecessary endpoints from our JAX-RS extensions
...
Closes #15525
2022-11-16 16:25:33 +01:00
Michal Hajas
6d683824a4
Deprecate DBLockProvider and replace it with new GlobalLockProvider
...
Closes #9388
2022-11-16 16:13:25 +01:00
Pedro Igor
10b7475b04
Removing unnecessary injection points from JAX-RS (sub)resources
...
Closes #15450
2022-11-16 08:55:55 -03:00
Alexander Schwartz
b6b6d01a8a
Importing a representation by first creating the defaults, importing a representation and then copying it over to the real store.
...
This is the foundation for a setup that's needed when importing the new file store for which importing the representation serves as a placeholder.
Closes #14583
2022-11-16 09:56:13 +01:00
Douglas Palmer
9f532eecaf
Weird export/re-import behaviour regarding post.logout.redirect.uris
...
Closes #14884
2022-11-15 09:24:32 +01:00
Stefan Guilhen
667f1f989f
Fix ConcurrentLoginTest.concurrentCodeReuseShouldFail on CockroachDB
...
- processGrantRequest in TokenManager is now executed in a separate retriable transaction.
Closes #13210
2022-11-11 13:34:29 +01:00
stianst
eb17157e44
Stop adding .v2 to default theme if set in server config
...
Closes #15392
2022-11-11 08:49:41 -03:00
Pedro Igor
13b39cf48a
Marking nested classes in brokering endpoints as static
...
Closes #15443
2022-11-10 16:10:09 -03:00
stianst
1de9c201c6
Refactor Profile
...
Closes #15206
2022-11-07 07:28:11 -03:00
Marek Posolda
f616495b05
Fixing UserFederationLdapConnectionTest, LDAPUserLoginTest to work with FIPS ( #15299 )
...
closes #14965
2022-11-03 16:35:57 +01:00
Marek Posolda
2ba5ca3c5f
Support for multiple keys with same kid, which differ just by algorithm in the JWKS ( #15114 )
...
Closes #14794
2022-11-03 09:32:45 +01:00
Stian Thorgersen
cf913af823
Add support for Microsoft Authenticator ( #15272 )
...
Closes #15271
2022-11-02 12:56:07 +01:00
Alexander Schwartz
dd5a60c321
Allow a partial import to overwrite the default role
...
Closes #9891
2022-11-01 15:35:02 -03:00
Pedro Igor
f6985949b6
Close the session within resteasy boundaries ( #15193 )
...
Closes #15192
2022-11-01 11:06:34 +01:00
Michal Hajas
883e83e625
Remove deprecated methods from data providers and models
...
Closes #14720
2022-10-25 09:01:33 +02:00
mposolda
55c514ad56
More flexibility in keystore related tests, Make keycloak to notify which keystore types it supports, Support for BCFKS
...
Closes #14964
2022-10-24 08:36:37 +02:00
Alexander Schwartz
440077de42
Reduce number of calls to the storage for clients and realms
...
Closes #15038
2022-10-21 15:08:39 +02:00
Stefan Guilhen
acaf1724dd
Fix ComponentsTest failures with CockroachDB
...
- Component addition/editing/removal is now executed in a retriable transaction.
Closes #13209
2022-10-21 10:48:08 +02:00
Klaus Betz
76d9125c3f
feat: add DisplayIconClasses to IdentityProviderModel for third-party IDPs https://github.com/klausbetz/apple-identity-provider-keycloak/issues/10 ( #14826 )
...
Closes #14974
2022-10-18 15:54:06 +02:00
Stian Thorgersen
97ae90de88
Remove Red Hat Single Sign-On product profile from upstream ( #14697 )
...
* Remove Red Hat Single Sign-On product profile from upstream
Closes #14916
* review suggestions: Remove Red Hat Single Sign-On product profile from upstream
Closes #14916
Co-authored-by: Peter Skopek <pskopek@redhat.com>
2022-10-18 14:43:04 +02:00
Stian Thorgersen
31aefd1489
OTP Application SPI ( #14800 )
...
Closes #14800
2022-10-18 14:42:35 +02:00
Marek Posolda
0756ef9a75
Initial integration tests with BCFIPS distribution ( #14895 )
...
Closes #14886
2022-10-17 23:33:22 +02:00
Stian Thorgersen
f7490b7f7c
Fix issue where admin2 was not enabled by default if account2 was disabled ( #14914 )
...
Refactoring ThemeSelector and DefaultThemeManager to re-use the same logic for selecting default theme as there used to be two places where one had a broken implementation
Closes #14889
2022-10-17 15:17:54 +02:00
vramik
f49582cf63
MapUserProvider in KC20 needs to store username compatible with KC19 to be no-downtime-upgradable
...
Closes #14678
2022-10-14 09:32:38 +02:00
danielFesenmeyer
f80a8fbed0
Avoid login failures in case of non-existing group or role references and update references in case of renaming or moving
...
- no longer throw an exception, when a role or group cannot be found, log a warning instead
- update mapper references in case of the following events:
- moving a group
- renaming a group
- renaming a role
- renaming a client's Client ID (may affect role qualifiers)
- in case a role or group is removed, the reference still will not be changed
- extend and refactor integration tests in order to check the new behavior
Closes #11236
2022-10-13 13:23:29 +02:00
Martin Kanis
761929d174
Merge ActionTokenStoreProvider and SingleUseObjectProvider ( #13677 )
...
Closes #13334
2022-10-13 09:26:44 +02:00
Stian Thorgersen
ded52c6228
Move session iframe pages ( #14769 )
...
Closes #14767
2022-10-13 08:16:20 +02:00
Lex Cao
8ea3f30d82
Support profile projection parameter for LinkedIn IDP
...
Closes #13384
2022-10-11 15:22:00 -03:00
Alexander Schwartz
b67ce73227
Cleanup MapUserSessionAdapter.getAuthenticatedClientSessions()
...
Closes #14743
2022-10-10 13:01:14 +02:00
Stian Thorgersen
fda26385ec
Add profile feature for hosting keycloak.js on the server ( #14771 )
...
* Add profile feature for hosting keycloak.js on the server
Closes #14770
* Updated txt files for HelpCommandTest
2022-10-10 08:00:50 +02:00
Takashi Norimatsu
148c7695ff
Pluggable Features of Token Manager
...
Closes #12065
2022-10-07 08:43:34 +02:00
Hynek Mlnarik
36a1ce6a1a
Ensure map storage providers are closed upon session close
...
Fixes: #14730
2022-10-05 14:16:19 +02:00
Marek Posolda
425b6b8df2
Parameters 'client_id' and 'response_type' not strictly required in O… ( #14679 )
...
* Parameters 'client_id' and 'response_type' not strictly required in OIDC request object
Closes #14255
2022-10-05 11:20:15 +02:00
Douglas Palmer
44aae52fb4
Fixed locale switcher on error page ( #14728 )
...
Closes #14205
2022-10-05 10:30:07 +02:00
Marek Posolda
c59660ca86
KEYCLOAK_SESSION not working for some user federation setups when user ID has special chars ( #14560 )
...
closes #14354
2022-10-05 08:59:30 +02:00
Alice Wood
1eb7e95b97
enhance existing group search functionality to allow exact name search keycloak/keycloak#13973
...
Co-authored-by: Abhijeet Gandhewar <agandhew@redhat.com>
2022-09-30 10:37:52 +02:00
Marcelo Daniel Silva Sales
22713bc144
Incorrect error message OIDC client authentication ( #14656 )
...
closes #12162
Co-authored-by: Pedro Hos <pedro-hos@outlook.com>
2022-09-30 09:40:05 +02:00
David Anderson
a8db79a68c
Introduce crypto module using Wildfly Elytron ( #14415 )
...
Closes #12702
2022-09-27 08:53:46 +02:00
Alexander Schwartz
be2deb0517
Modify RealmsAdminResource.importRealm to work with InputStream
...
Closes #13609
2022-09-26 20:58:08 +02:00
Ivan Atanasov
4016dd95d2
Use temporary file to reduce the chance of serving partial gzipped resource ( #14511 )
...
Closes #14510
2022-09-23 07:51:41 +02:00
Alice Wood
55a660f50b
enhance group search to allow searching for groups via attribute keycloak/keycloak#12964
...
Co-authored-by: Abhijeet Gandhewar <agandhew@redhat.com>
Co-authored-by: Michal Hajas <mhajas@redhat.com>
2022-09-19 15:19:36 +02:00
Takashi Norimatsu
0a832fc744
Intent support before issuing tokens (UK OpenBanking)
...
Closes #12883
2022-09-19 12:15:00 +02:00
Dmitry Telegin
cc2117bf7c
UserInfo endpoint not fully standards compliant
...
Closes #14184
2022-09-16 10:15:08 +02:00
danielFesenmeyer
3af1134975
Update IDP link username when sync mode is "force"
...
Closes #13049
2022-09-14 08:02:17 -03:00
Václav Muzikář
e999aeeab8
Fix DefaultHostnameTest on Undertow
2022-09-13 14:41:23 -03:00
Christoph Leistert
7e5b45f999
Issue #8749 : Add an option to control the order of the event query and admin event query
2022-09-11 21:30:12 +02:00
Alexander Schwartz
1d2d3e5ca5
Move UserFederatedStorageProvider into legacy module
...
Closes #13627
2022-09-11 18:37:45 +02:00
Thomas Darimont
962a685b7b
KEYCLOAK-15773 Control availability of admin api and admin-console via feature flags
...
Inline profile checks for enabled admin-console to avoid issues during
static initialization with quarkus.
Potentially Re-enable admin-api feature if admin-console is enabled
via the admin/admin2 feature flag.
Add legacy admin console as deprecated feature flag
Throw exception if admin-api feature is disabled but admin-console is enabled
Adapt ProfileTest
Consider adminConsoleEnabled flag in QuarkusWelcomeResource
Fix check for Admin-Console / Admin-API feature dependency.
Add new features to approved help output files
Co-authored-by: Stian Thorgersen <stian@redhat.com>
Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
2022-09-09 18:18:51 -03:00
Pedro Igor
3518362002
Validate auth time when max_age is sent to brokered OPs
...
Closes #14146
2022-09-09 10:30:51 -03:00
Martin Bartoš
0fcf5d3936
Reuse of token in TOTP is possible
...
Fixes #13607
2022-09-09 08:56:02 -03:00
Marek Posolda
040e52cfd7
SAML javascript protocol mapper: disable uploading scripts through admin console by default ( #14293 )
...
Closes #14292
2022-09-09 13:47:51 +02:00
Dominik Guhr
f2b02f19e6
Closes #13786
2022-09-07 18:29:26 +02:00
cgeorgilakis
07b0df8f62
View groups from account console ( #7933 )
...
Closes #8748
2022-09-07 11:25:31 +02:00
Lex Cao
1f197aa96b
Add basic auth compliant to RFC 6749 ( #14179 )
...
Closes #14179
2022-09-07 10:09:30 +02:00
evtr
4469bdc0a9
RelayState max length not respected
...
Fixes : #10227
2022-09-06 22:01:14 +02:00
Stu Tomlinson
f57560afd3
Improve error messages for invalid SAML responses
...
Closes #13534
2022-09-06 21:49:14 +02:00
Christoph Leistert
cc2bb96abc
Fixes #9482 : A user could be assigned to a parent group if he is already assigned to a subgroup.
2022-09-06 21:31:31 +02:00
Pedro Igor
a6137b9b86
Do not empty attributes if they are not provided when user profile is enabled
...
Closes #11096
2022-09-06 12:59:05 +02:00
Michal Hajas
f69497eb28
KEYCLOAK-12988 Deprecate getUsers* methods in favor of searchUsers* variants
...
Closes #14018
2022-09-06 10:38:28 +02:00
Youssef El Houti
7f58c1c570
KEYCLOAK-19138 nginx x509 client trusted certificate lookup
2022-09-01 15:02:56 -03:00
Thomas Darimont
43623ea9d0
KEYCLOAK-18499 Add max_age support to oauth2 brokered logins
...
Revise KcOidcBrokerPassMaxAgeTest to use setTimeOffset(...)
2022-09-01 09:24:44 -03:00
Joerg Matysiak
a8019d78e7
Fixed handling of required setting for email in user profile.
...
Resolves #13923
2022-08-31 17:19:19 -03:00
Nagy Vilmos
f6db484172
Keep the locale related authNotes through the IdentityBroker flow. ( #10444 )
...
Closes #8827
2022-08-31 09:37:26 +02:00
Martin Bartoš
e6a5f9c124
Default required action providers are still available after feature disabling
...
Closes #13189
2022-08-31 08:42:47 +02:00
Moritz H
c4971d179c
KEYCLOAK-18273 Display Idp displayName if available ( #8087 )
...
Co-authored-by: moritz.hilberg <moritz.hilberg@pwc.com>
2022-08-30 15:32:27 -03:00
Manato Takai
1cdc21f0ff
Add duplicate parameter check for UserInfo endpoint. ( #14024 )
...
Closes #14016
2022-08-30 14:39:15 +02:00
Réda Housni Alaoui
3f088bfd21
KEYCLOAK-17013 Brute force protection: Successfully logged in user should not have to wait up to 5 seconds for event processing ( #7748 )
2022-08-29 19:41:35 +02:00
Tero Saarni
4f199c7245
Fix compilation errors with Eclipse Java compiler
2022-08-29 19:33:12 +02:00
Nemanja Hiršl
b7309e86d9
Closes #8992 - Extending DefaultBruteForceProtector ( #8993 )
...
* Closes #8992 - Extending DefaultBruteForceProtector
* Update services/src/main/java/org/keycloak/services/managers/DefaultBruteForceProtectorFactory.java
* Update services/src/main/java/org/keycloak/services/managers/DefaultBruteForceProtectorFactory.java
Co-authored-by: Stian Thorgersen <stian@redhat.com>
Co-authored-by: Stian Thorgersen <stianst@gmail.com>
2022-08-29 16:43:13 +02:00
Stian Thorgersen
aeba5e9f4b
Add FreeMarkerProvider to prevent multiple instances of FreeMarker templates ( #14062 )
...
* Add FreeMarkerProvider to prevent multiple instances of FreeMarker templates
Closes #19185
2022-08-29 08:42:53 -03:00
jsarem
f0397f33b4
Expose same common informational variables to all email body templates ( #13998 )
...
Closes #14017
2022-08-29 08:09:18 +02:00
Jason
c6c65ad10b
Check IdP display name length before capitalizing ( #13151 )
...
https://github.com/keycloak/keycloak/issues/13150
Co-authored-by: Stian Thorgersen <stianst@gmail.com>
2022-08-26 13:16:10 +02:00
Hawk Newton
b1487b9d72
Increase max size of additional request params ( #8382 )
...
Closes #14015
2022-08-26 09:34:43 +02:00
GQ
518d318f0c
Update CorsPreflightService.java ( #8387 )
...
Adding DELETE & PUT
Co-authored-by: Stian Thorgersen <stianst@gmail.com>
2022-08-26 08:00:55 +02:00
Joerg Matysiak
62790b8ce0
Allow permission configuration for username and email in user profile.
...
Enhanced Account API to respect access to these attributes.
Resolves #12599
2022-08-25 21:54:51 -03:00
supersoaker
e47bbba7ef
added possibility to use user in terms.ftl ( #7831 )
2022-08-25 15:08:38 +02:00
Clay Risser
f145667144
Fixed spelling error ( #13595 )
...
Fixes issue #13594
Co-authored-by: Stian Thorgersen <stianst@gmail.com>
2022-08-25 12:46:43 +02:00
Christoph Leistert
5408d25e09
Fixes #10656 : Sub realm localization GET endpoints can be called using tokens issued by the master realm. ( #10660 )
...
* Fixes #10656 : Sub realm localization GET endpoints can be called using tokens issued by the master realm.
* Fixes #10656 : Added some tests
2022-08-25 09:02:07 +02:00
Erich Bremer
c98a760beb
remove javax.json and replace with FasterXML ( #11554 )
...
remove javax.json and replace with FasterXML to be consistent with the rest of the project.
Closes #11544
2022-08-25 08:49:22 +02:00
Pedro Igor
ddcf0f45f9
Run import within the context of the realm being imported
...
Closes #12289
2022-08-25 08:18:43 +02:00
Pedro Igor
25be07be17
Allow introspecting tokens issued during token exchange with delegation semantics
...
Closes #9337
2022-08-24 09:47:04 -03:00
Takashi Norimatsu
8c1ea4b47c
mTLS binding support for password grant
...
Closes #13662
2022-08-24 11:44:48 +02:00
Konstantinos Georgilakis
c5b9dc1e7b
set context session client equal to clientsession client (fromClientSessionAndScopeParameter method of DefaultClientSessionContext)
...
Closes #13162
2022-08-23 17:33:07 +02:00
Konstantinos Georgilakis
baa89debd9
Correct isValidScope method of TokenManager for Dynamic scopes
...
Closes #13158
2022-08-23 16:30:04 +02:00
Konstantinos Georgilakis
2002fd983b
Showing consent screen text instead of scope name in consent part of Application page in Account console
...
Closes #13109
2022-08-23 11:22:31 +02:00
rishabhsvats
c223291a1e
Adds REGISTER event when a new user logs in through first broker flow
...
Updates KcOidcBrokerEventTest, AbstractFirstBrokerLoginTest to factor in REGISTER event in first broker flow
Closes #11646
Correcting Indentation of AbstractFirstBrokerLoginTest
2022-08-23 10:43:56 +02:00
Stefan Guilhen
6d99686220
Fix user session deadlock by enlisting broker logout request after main logout transaction commits. ( #13889 )
...
- This also fixes broker test failures with CockroachDB
Closes #13348
Closes #13212
Closes #13214
2022-08-23 09:57:40 +02:00
David Anderson
ce1331f550
Remove bouncycastle dependency from keycloak-services ( #13489 )
...
Closes #12857
Co-authored-by: mposolda <mposolda@gmail.com>
2022-08-22 15:43:59 +02:00
Sebastian Schuster
fb978de0d8
12653 check if fine-grained permissions are enabled before retrieving group memberships of users
2022-08-22 09:34:46 -03:00
Sebastian Schuster
916cfbbaf1
13647 Added null checks and some comments/questions for discussions. Will be squashed later if accepted.
2022-08-22 09:34:12 -03:00
Sebastian Schuster
53472e097c
13647 fixed wrong feature flag for checking admin fine-grained authz
2022-08-22 09:34:12 -03:00
Pedro Igor
5f2191813a
Remove unnecessary code paths during startup ( #13848 )
...
Closes #13847
2022-08-19 14:54:11 +02:00
Pedro Igor
841c65d24f
Return 404 when invoking authorization endpoints in case authz settings are disabled
...
Closes #10151
2022-08-16 16:37:44 -03:00
Markus Till
fa383bf76c
Suppress confirmation screen for logout in oidc ( #13471 )
...
Closes #13469
2022-08-10 18:25:50 +02:00
Marcelo Daniel Silva Sales
e44cea587f
NullPointer during OIDC logout client disabled ( #13424 )
...
closes #12624
2022-08-08 12:34:09 +02:00
Sebastian Knauer
21f700679f
KEYCLOAK-19866 Fix user-defined- and xml-fragment-parsing/Add XPathAttributeMapper
2022-08-03 13:07:12 +02:00
Marek Posolda
7e925bfbff
Unit tests in "crypto/fips1402" passing on RHEL 8.6 with BC FIPS approved mode. Cleanup ( #13406 )
...
Closes #13128
2022-07-29 18:03:56 +02:00
Pedro Hos
ee2c5391bd
Possible client enumeration in the authorization endpoint
...
Closes #12164
2022-07-26 09:10:06 +02:00
Stian Thorgersen
7158e781be
Update base URL for admin rest docs ( #13305 )
...
Closes #10464
2022-07-25 16:25:55 +02:00
Douglas Palmer
c00514d659
Support for post_logout_redirect_uris in OIDC client registration ( #12282 )
...
Closes #10135
2022-07-25 10:57:52 +02:00
Stian Thorgersen
a251d785db
Remove text based login flows ( #13249 )
...
* Remove text based login flows
Closes #8752
* Add display param back in case it's used by some custom authenticators
2022-07-22 15:15:25 +02:00
Pedro Igor
e14bd51656
Properly enable/disable metrics and health endpoints
...
Closes #11506
Co-authored-by: Dominik Guhr <dguhr@redhat.com>
2022-07-22 09:41:29 -03:00
Alexander Schwartz
cb81a17611
Disable Infinispan for map storage and avoid the component factory when creating a realm independent provider factory
...
Provide startup time in UserSessionProvider independent of Infinispan,
cleanup code that is not necessary for the map storage as it isn't using Clustering.
Move classes to the legacy module.
Closes #12972
2022-07-22 08:20:00 +02:00
Douglas Palmer
adeef6c2a0
Partial import feature does not import Identity Provider mappers in Keycloak #12861
2022-07-21 18:04:15 +02:00
Pedro Igor
3631a413d2
Allow token exchange when subject_token is not associated with a session
...
Closes #12596
2022-07-20 15:42:26 -03:00
Alexander Schwartz
d30646b1f6
Refactor object locking for UserSessions
...
Closes #12717
2022-07-19 17:47:33 -03:00
Lex Cao
f0988a62b8
Use base64 url decoded for client secret when authenticating with Basic Auth ( #12486 )
...
Closes #11908
2022-07-16 09:38:41 +02:00
Vlasta Ramik
ec853a6b83
JPA map storage: User / client session no-downtime store ( #12241 )
...
Co-authored-by: Alexander Schwartz <alexander.schwartz@gmx.net>
Closes #9666
2022-07-14 12:07:02 -03:00
Pedro Igor
5b48d72730
Upgrade Resteasy v4
...
Closes #10916
Co-authored-by: Alexander Schwartz <aschwart@redhat.com>
2022-07-11 12:17:51 -03:00
Takashi Norimatsu
29aad9dc45
PAR logic affecting /auth endpoint
...
Closes #9289
2022-07-11 11:56:37 +02:00
Alexander Schwartz
29a501552e
Disable the JpaUserFederatedStorageProvider when map storage is enabled
...
Closes #12895
2022-07-07 10:47:42 -03:00
Alexander Schwartz
098d4dda0e
Split PublicKeyStorageProvider ( #12897 )
...
Split PublicKeyStorageProvider
- Extract clearCache() method to separate interface and move it to the legacy module
- Make PublicKeyProvider factories environment dependent
- Simple map storage for public keys that just delegates
Resolves #12763
Co-authored-by: Martin Kanis <mkanis@redhat.com>
2022-07-05 09:57:51 -03:00
Alexander Schwartz
4b20e90292
Move session persistence package to legacy-private module
...
Also, disabling the jpa session persister when map storage is enabled.
Closes #12712
2022-07-04 10:05:26 -03:00
Alexander Schwartz
d407a37ba3
Instead of returning instances with different semantics, throw an exception.
...
This exception points the caller to the migration guide of Keycloak 19.
Closes #12556
2022-07-01 14:12:39 -03:00
Konstantinos Georgilakis
32f8f30f36
Include 'urn:ietf:params:oauth:grant-type:token-exchange' in grant_types_supported field of Keycloak OP metadata, if token-exchange is enabled
...
closes #10888
2022-06-30 17:13:47 -03:00
Jon Koops
06d1b4faab
Restore enum variant of ResourceType
...
This reverts commit 3b5a578934.
2022-06-30 12:20:51 -03:00
Pedro Igor
605b51890e
Enables the new store and the concurrenthashmap provider
...
Closes #12651
2022-06-30 10:55:22 -03:00
Alexander Schwartz
692ce0cd91
Moving ClientStorageProvider to the legacy modules
...
This prepares the move of CachedObject and CacheableStorageProviderModel
Closes #12531
fixup! Moving ClientStorageProvider to the legacy modules
2022-06-29 20:04:32 +02:00
vramik
3b5a578934
Change enum ResourceType to interface with String constants
...
Closes #12485
2022-06-29 13:35:11 +02:00
Lex Cao
c3c8b9f0c8
Add client_secret to response when token_endpoint_auth_method is not private_key_jwt ( #12609 )
...
Closes #12565
2022-06-29 10:19:18 +02:00
Konstantinos Georgilakis
ccc0449314
json device code flow error responses
...
closes #11438
2022-06-29 07:23:02 +02:00
Marek Posolda
be1e31dc68
Introduce crypto/default module. Refactoring BouncyIntegration ( #12692 )
...
Closes #12625
2022-06-29 07:17:09 +02:00
vramik
91335ebaad
Change returning type to Set in MapClientEntity when obtaining protocol mappers
...
Closes #11136
2022-06-28 21:47:56 +02:00
danielFesenmeyer
b6d8c27cac
OIDC logout: In "legacy mode", support post_logout_redirect_uri param without requiring id_token_hint param
...
Closes #12680
2022-06-28 14:36:03 +02:00
Alexander Schwartz
4b499c869c
Encapsulate MigrationModelManager in legacy module
...
Closes #12214
2022-06-28 10:53:04 +02:00
leandrobortoli
c5d5659100
Fixed bug on client credentials grant when encryption key not found
...
Closes #12348
2022-06-27 13:00:21 +02:00
Lex Cao
f8a7c8e160
Validate name of client scope ( #12571 )
...
Closes #12553
2022-06-27 12:26:18 +02:00
Pedro Igor
3d2c3fbc6a
Support JSON objects when evaluating claims in regex policy
...
Closes #11514
2022-06-23 14:04:09 -03:00
Pedro Igor
d3a40e8620
Use backend baseURL for UMA-related backend endpoints
...
Closes #12549
2022-06-23 10:35:26 -03:00
Takashi Norimatsu
a10eef882f
DeviceTokenRequestContext.getEvent returns a wrong ClientPolicyEvent
...
Closes #12455
2022-06-22 13:01:35 +02:00
Takashi Norimatsu
d396ee7d30
CIBA flow : no error on invalid scope
...
Closes #12589
2022-06-22 12:55:55 +02:00
rmartinc
711440e513
[ #11036 ] Identity Providers: Add support for elliptic curve signatures (ES256/ES384/ES512) using JWKS URL
2022-06-21 10:52:25 -03:00
Alexander Schwartz
ae7c01b719
Moving the CacheRealmProvider interface to the legacy module
2022-06-21 08:53:06 +02:00
Alexander Schwartz
7855b93390
Moving the UserCache interface to the legacy module
...
Co-Authored-By: hmlnarik@redhat.com
2022-06-21 08:53:06 +02:00
Alexander Schwartz
6376db0f9c
code cleanup
2022-06-21 08:53:06 +02:00
Alexander Schwartz
84d21f0230
for all added files in the PR, update the copyright header or add it if it was missing
2022-06-21 08:53:06 +02:00
Alexander Schwartz
3fe477885c
when userStorageManager() is called recursively, provide a meaningful exception to the caller.
2022-06-21 08:53:06 +02:00
Alexander Schwartz
d41764b19b
Inline deprecated methods in legacy code
2022-06-21 08:53:06 +02:00
Alexander Schwartz
30b5c646e1
Deprecated old KeycloakSession APIs
2022-06-21 08:53:06 +02:00
Alexander Schwartz
08bbb1fb92
Move LDAP REST Endpoints to LDAP package
...
- Thus remove implicit dependency on services on the legacy modules
- Disable tests for LDAP/Kerberos that won't work when map storage is enabled
2022-06-21 08:53:06 +02:00
Alexander Schwartz
a109e28be7
moving some functionality around imports
2022-06-21 08:53:06 +02:00
Alexander Schwartz
a43321c720
Moving logic to create service accounts in local storage only to legacy module
2022-06-21 08:53:06 +02:00
Hynek Mlnarik
e396d0daa1
Renaming SingleUserCredentialManager and UserModel.getUserCredentialManager():
...
- class SingleUserCredentialManager to SingleEntityCredentialManager
- method UserModel.getUserCredentialManager() to credentialManager()
Renaming of API without "get" prefix to make it consistent with other APIs like for example with KeycloakSession
2022-06-21 08:53:06 +02:00
Alexander Schwartz
14a369a8cc
Added LegacySessionSupport SPI
...
While some methods around onCache() are still called from the legacy code, all other methods log a warning with a stacktrace.
2022-06-21 08:53:06 +02:00
Alexander Schwartz
6f287e7ded
Avoid using methods on UserCredentialStoreManager
2022-06-21 08:53:06 +02:00
Alexander Schwartz
bc8fd21dc6
SingleUserCredentialManager moving in
...
- UserStorageManager now handles authentication for old Kerberos+LDAP style
- new getUserByCredential method in MapUserProvider would eventually do the same.
2022-06-21 08:53:06 +02:00
Alexander Schwartz
82094d113e
Move User Storage SPI, introduce ExportImportManager
2022-06-21 08:53:06 +02:00
Hynek Mlnarik
703e868a51
Preparation for moving User Storage SPI
...
- Introduction of new AdminRealmResource SPI
- Moving handler of /realm/{realm}/user-storage into model/legacy-service
- session.users() and userStorageManager() moved; they now refer to the legacy module
IMPORTANT: Broken as UserStorageSyncManager is not yet moved
2022-06-21 08:53:06 +02:00
Hynek Mlnarik
36f76a37ad
Move realms, clients, groups, roles, clientscopes into legacy module
...
- Introduces Datastore SPI for isolating data store methods
- Introduces implementation of the datastore for legacy storage
- Updates DefaultKeycloakSession to leverage Datastore SPI instead
of direct creating of area providers by the session
2022-06-21 08:53:06 +02:00
Lex Cao
06dfb45c39
Remove non-standard code_challenge_method from token request for IDP ( #12473 )
...
Closes #12141
2022-06-14 20:46:35 +02:00
mposolda
3aefb59d40
Fix test failure in X509BrowserCRLTest on IBM JDK. Don't display details of exception message to the end user
...
Closes #12458
2022-06-14 10:44:31 +02:00
Christoph Leistert
442eff0169
Closes #11851 : Apply localization text from realm default locale when it is not defined for the requested language. ( #11852 )
2022-06-10 14:36:11 -04:00
Joerg Matysiak
3c19ad627f
Respect permissions configured for firstName and lastName when configured in user profile
...
Resolves #12109
2022-06-09 10:10:15 -03:00
mposolda
5d2bf6ea33
Cannot find ScriptEngine for JDK8 and Wildfly
...
Closes #12247
2022-06-08 11:11:36 +02:00
Pedro Igor
243e63c9f3
Do not set empty permissions to username and email attributes
...
Closes #11647
2022-06-07 10:59:35 -03:00
Sebastian Schuster
a0c402b93a
11198 added event information to consent granting and revocation via REST API ( #11199 )
2022-06-07 11:29:20 +02:00
Stian Thorgersen
e49e8335e0
Refactor BouncyIntegration ( #12244 )
...
Closes #12243
2022-06-07 09:02:00 +02:00
rmartinc
5332a7d435
Issue #9194 : Client authentication fails when using signed JWT, if the JWA signing algorithm is not RS256
2022-06-06 12:07:09 +02:00
Takashi Norimatsu
3889eeda30
Client Policies: pkce-enforcer executor with client-access-type condition is not applied on client change via Admin API
...
Closes #12295
2022-06-06 11:30:48 +02:00
mposolda
f90fbb9c71
Changing locale on logout confirmation did not work
...
Closes #11951
2022-05-31 16:03:58 +02:00
Takashi Norimatsu
d083b6c484
ciba http auth channel sends client_id and client_secret via delegation request
...
Closes #10993
2022-05-31 08:22:50 +02:00
vramik
be28e866b9
JPA map storage: Authorization services no-downtime store
...
Closes #9669
2022-05-30 21:05:34 +02:00
mposolda
4222de8f41
OIDC RP-Initiated Logout POST method support
...
Closes #11958
2022-05-30 14:10:58 +02:00
Stefan Guilhen
808738220f
Change CodeGenerateUtil so that it doesn't add/remove the code in an inner transaction
...
Fixes #11617
2022-05-30 12:55:48 +02:00
Marek Posolda
cf386efa40
Support for client_id parameter in OIDC RP-Initiated logout endpoint ( #12202 )
...
Closes #12002
Co-authored-by: Martin Bartoš <mabartos@redhat.com>
2022-05-27 14:12:37 +02:00
Dmitry Telegin
86883fd68a
Remove org.keycloak.protocol.oidc.TokenManager.RefreshResult ( #12196 )
...
Closes #12194
2022-05-27 13:00:10 +02:00
Marek Posolda
eed944292b
Make script providers working on JDK 17 ( #11322 )
...
Closes #9945
2022-05-27 12:28:50 +02:00
Luca Leonardo Scorcia
27650ab816
Fix #10982 SAML Client - Introduce SAML Issuer validation
2022-05-27 10:58:10 +02:00
Yoshikazu Nojima
9fc6114ccd
Update webauthn4j dependency version to 0.19.3.RELEASE ( #11927 )
...
Resolves #9506
2022-05-18 06:54:34 -03:00
Michal Hajas
0bda7e6038
Introduce map event store with CHM implementation
...
Closes #11189
2022-05-17 12:57:35 +02:00
Takashi Norimatsu
9541852a9b
ID token encryption without specifying id_token_encrypted_response_enc does not follow OIDC Dynamic Client Registration specification
...
Closes #11392
2022-05-16 09:05:22 +02:00
Takashi Norimatsu
7fa24d247a
Deprecated org.keycloak.jose.jws.Algorithm is used in OIDCAdvancedConfigWrapper
...
Closes #11394
2022-05-16 08:56:57 +02:00
Martin Kanis
0d6bbd437f
Merge single-use token providers into one
...
Fixes first part of: #11173
* Merge single-use token providers into one
* Remove PushedAuthzRequestStoreProvider
* Remove OAuth2DeviceTokenStoreProvider
* Delete SamlArtifactSessionMappingStoreProvider
* SingleUseTokenStoreProvider cleanup
* Addressing Michal's comments
* Add contains method
* Add revoked suffix
* Rename to SingleUseObjectProvider
2022-05-11 13:58:58 +02:00
Michal Hajas
d3b43a9f59
Make sure there is always Realm or ResourceServer when searching for authz entities
...
Closes #11817
2022-05-11 07:20:01 -03:00
Réda Housni Alaoui
5d87cdf1c6
KEYCLOAK-6455 Ability to require email to be verified before changing ( #7943 )
...
Closes #11875
2022-05-09 18:52:22 +02:00
Pedro Igor
eab2dff979
Loading message bundles using the flat-classpath theme provider ( #11711 )
...
Closes #11186
2022-05-05 15:34:54 +02:00
vramik
0d83b51b20
Enhance Map authz entities with REALM_ID (ResourceServer with CLIENT_ID) searchable field
...
Co-authored-by: Michal Hajas <mhajas@redhat.com>
Closes #10883
2022-05-03 12:56:27 +02:00
vramik
2ecf250e37
Deletion of all objects when realm is being removed
...
Closes #11076
2022-04-28 11:09:17 +02:00
Guus der Kinderen
8d3a4803bb
Prevent service account lookup when feature is disabled on client ( #9579 )
...
Closes #9563
2022-04-26 09:12:46 +02:00
Hynek Mlnarik
0ce5dfc09c
Remove dependency of map on services
...
Fixes: #8903
2022-04-22 17:27:21 +02:00
Jeff Tian
b356618cc2
docs: Correct the base path for Admin REST APIs. #11007 ( #10933 )
2022-04-22 11:24:07 +02:00
Pedro Igor
76d83f46fa
Avoid clients exchanging tokens using tokens issued to other clients ( #11542 )
2022-04-20 19:14:55 +02:00
Stian Thorgersen
ac79fd0c23
Disallow special characters in usernames to prevent confusion with similarly looking usernames ( #11531 )
...
Closes #11532
Co-authored-by: Douglas Palmer <dpalmer@redhat.com>
2022-04-20 15:53:15 +02:00
Stefan Guilhen
b29b27d731
Ensure code does not rely on a particular format for the realm id or component id
2022-04-20 14:40:38 +02:00
Stefan Guilhen
ae90b232ff
Realms Map JPA implementation
...
Closes #9661
2022-04-20 14:40:38 +02:00
Pedro Igor
2cb5d8d972
Removing upload scripts feature ( #11117 )
...
Closes #9865
Co-authored-by: Michal Hajas <mhajas@redhat.com>
Co-authored-by: Michal Hajas <mhajas@redhat.com>
2022-04-20 14:25:16 +02:00
Martin Bartoš
3aa3db16ea
Fix error response for invalid characters ( #11533 )
...
Fixes #11530
2022-04-20 11:26:08 +02:00
m-takai
5f0e27a792
Add duplicate parameters check process in Device Authz Endpoint.
...
The AuthorizationEndpointRequest class already checks for duplicated parameters, but the DeviceEndpoint class did not check for this error. Thus a check is added in handleDeviceRequest()
Closes #11294
2022-04-19 14:20:39 +02:00
Pedro Igor
c5e4dc8cec
Associated permissions should only add resource type permissions if the resource is an instance ( #11220 )
...
Closes #11148
2022-04-19 09:10:14 +02:00
Pedro Igor
52d205ca91
Allow exposing some initial provider config options via web site ( #10572 )
...
* Allow exposing some initial provider config options via web site
Co-authored-by: Stian Thorgersen <stian@redhat.com>
Closes #10571
* Include type to provider options, and hide build-icon column as it's not relevant
Co-authored-by: stianst <stianst@gmail.com>
2022-04-19 08:01:42 +02:00
msvechla
820ab52dce
Add support for filtering by enabled attribute on users count endpoint ( #9842 )
...
Resolves #10896
2022-04-13 13:57:22 -03:00
Pedro Igor
7058a123b1
Avoid initializing the OWASP HTML Sanitizer at startup
...
Closes #11261
2022-04-13 08:21:53 -03:00
bamanuel
7652bbfcd1
Fix unmatched braces in error log formatter
...
Closes #11252
2022-04-13 08:03:29 -03:00
Giacomo Altiero
3b7243cd47
Support for UserInfo response encrypted ( #10519 )
...
Close #10517
2022-04-12 14:01:14 +02:00
mposolda
fb81242658
Script Mapper Performance Issues
...
Closes #11005
2022-04-08 09:47:43 -03:00
Neon Ngo
f11573eeb2
KEYCLOAK-13828 Allow override of baseUrl and apiUrl in GitHub identity provider ( #7021 )
...
Allow override of baseUrl & apiUrl in GitHub identity provider
Closes #11144
2022-04-06 13:45:11 +02:00
Tyler Andor
caebe50d7e
Updates patternfly libs and fixes breaking changes ( #10748 )
...
adding nvmrc
CIAM-1048 Device Activity screen PF updates
CIAM-1046: Personal Info sub-header update
Updates SigningInPage to use EmptyState component when there are no credentials.
rearranged some components used in signing in page
Displays ApplicationPage content in description list.
Updates refresh link on ContentPage, updates Resources screen.
CIAM-1049 Linked Accounts screen PF updates
CIAM-1043-General upstream updates
Updates AccountPage to display form errors.
fix: display Set up Authenticator Application link on large viewport
fix(page structure): rearranges page sections
CIAM-1254/Personal info PF4 updates & Sidebar text updates
updating layouts
updating layout on Signing in and Linked accounts
adding patternfly-additions
adding patternfly-addons styles
Updates Application page based on designs feedback.
moving page description
Updates status label on Applications page to be capitalized.
Updates the copy-fonts script for keycloak.v2 to copy all font directories instead of one.
update Personal info screen - set max width of 600px for form input fields
update Personal info - remove required indicator from input fields
General updates (#2 )
* removed the extra lines being shown
* tweaked general spacing
* general alignment and spacer application
* refactor to get proper alignments without css globals
* forgot to add the conditional on displaying the set up buttons
* try and adjust the alignments
Co-authored-by: zwitter <zwitter@redhat.com>
resolve merge conflicts
Device activity updates (#4 )
* update text to sentence case
* update device info columns to be dynamic across various viewport sizes
* update signed in device layout
* update based on feedback
Co-authored-by: Jon Szeto <jszeto@redhat.com>
Linked accounts update (#3 )
* linked accounts screen - updated icons & Linked/Unlinked Login Providers layout & update text to sentence case
Co-authored-by: Jon Szeto <jszeto@redhat.com>
fixing ts errors
cleaning up fonts and messages
final review updates
message update for Back to admin console link
fixing capitalization on 2fa
updating landing page welcome message
fix: reposition Back to... link
adjusting size for confirm modal
updating spacing and alignment issues
updating resources page
removing unused header class
fixes ts issues and updates node version to match the themes install
npm updates
fixing pf addons
adding chokidar to get babel:watch working
fixing issues from pull request feedback
fixing tests
fixes signingin page test
fixing tests
Co-authored-by: Tyler Andor <tandor@highereducation.com>
2022-04-06 13:00:38 +02:00
Stian Thorgersen
7c64f28934
Change admin console to load keycloak.js using a relative URL ( #11109 )
...
* Change admin console to load keycloak.js using a relative URL
Closes #11108
* fix tests
Co-authored-by: Dominik Guhr <dguhr@redhat.com>
2022-04-06 09:35:26 +02:00
Pedro Igor
2b5d68d645
Allow resolving theme resources from flat classpath ( #10989 )
...
Closes #10951
2022-04-05 09:16:20 +02:00
Douglas Palmer
f57d0dd100
Automated tests for session limits authenticator (browser, direct grant, reset password) ( #11046 )
...
Closes #11003
2022-04-01 18:44:38 +02:00
Michal Hajas
44000caaf5
KEYCLOAK-19177 Disable ECP flow by default for all Saml clients; ecp flow creates only transient users sessions
2022-03-31 16:06:44 +02:00
iingawal
6016b461db
Fix for "updatedAt" user attribute in "profile" client scope should use number instead of String ( #11020 )
...
Closes #10081
Co-authored-by: Indrajit Ingawale <iingawal@iingawal.pnq.csb>
2022-03-31 14:33:03 +02:00
Marek Posolda
aacae9b9ac
Support for frontchannel_logout_session_required OIDC client parameter ( #11009 )
...
* Support for frontchannel_logout_session_required OIDC client parameter
Closes #10137
2022-03-31 14:25:24 +02:00
Marek Posolda
22a16ee899
OIDC RP-Initiated logout endpoint ( #10887 )
...
* OIDC RP-Initiated logout endpoint
Closes #10885
Co-Authored-By: Marek Posolda <mposolda@gmail.com>
* Review feedback
Co-authored-by: Douglas Palmer <dpalmer@redhat.com>
2022-03-30 11:55:26 +02:00
Marcelo Daniel Silva Sales
2b996b12a1
update javadoc for client secret rotation REST service ( #10990 )
...
Closes #10610
2022-03-29 21:46:54 +02:00
Marcelo Daniel Silva Sales
091b1472ce
Introduce client secret rotation dynamic registration ( #10952 )
...
Closes #10609
2022-03-28 20:39:11 +02:00
Konstantinos Georgilakis
99fa6275c1
KEYCLOAK-19313 configure the name format in Attribute Importer IdP Mapper
2022-03-25 09:42:22 +01:00
Robin Windey
eaf7c515f2
Fix typo in exception message
2022-03-24 12:43:33 +01:00
Alexander Schwartz
3ebfc91b75
Reduce logging of errors due to the bounded queue
...
Closes #10588
2022-03-23 15:42:06 +01:00
Takashi Norimatsu
9c01d819cb
Client Policies : An executor rejecting all requests
...
Closes #9097
2022-03-23 12:45:38 +01:00
iingawal
b773857a80
Display email address in login-verify-email.ftl ( #10870 )
...
Closes #8873
2022-03-23 12:44:21 +01:00
Marcelo Daniel Silva Sales
6efa45f93e
Update secret rotation when the policy is enabled using jwt ( #10853 )
...
Closes #10666
2022-03-23 08:25:58 +01:00
Michal Hajas
99c06d1102
Authorization services refactoring
...
Closes #10447
* Prepare logical layer to distinguish between ResourceServer id and client.id
* Reorder Authz methods: For entities outside of Authz we use RealmModel as first parameter for each method, to be consistent with this we move ResourceServer to the first place for each method in authz
* Prepare Logical (Models/Adapters) layer for returning other models instead of ids
* Replace resourceServerId with resourceServer model in PermissionTicketStore
* Replace resourceServerId with resourceServer model in PolicyStore
* Replace resourceServerId with resourceServer model in ScopeStore
* Replace resourceServerId with resourceServer model in ResourceStore
* Fix PermissionTicketStore bug
* Fix NPEs in caching layer
* Replace primitive int with Integer for pagination parameters
2022-03-22 20:49:40 +01:00
keycloak-bot
c71aa8b711
Set version to 999-SNAPSHOT ( #10784 )
2022-03-22 09:22:48 +01:00
Joaquim Fellmann
92c4e6d585
KEYCLOAK-16134 Allow webauthn idless login flow ( #7860 )
...
Closes #10832
2022-03-21 11:37:33 +01:00
mposolda
9e12587181
Protocol mapper and client scope for 'acr' claim
...
Closes #10161
2022-03-11 09:23:25 +01:00
Ivan Atanasov
5c6b123aff
Support for the Recovery codes ( #8730 )
...
Closes #9540
Co-authored-by: Zachary Witter <torquekma@gmail.com>
Co-authored-by: stelewis-redhat <91681638+stelewis-redhat@users.noreply.github.com>
2022-03-10 15:49:25 +01:00
rmartinc
a7c8aa1dd3
[ #10616 ] Incorrect username logged for federated accounts ( #10662 )
...
Closes #10616
2022-03-10 13:21:39 +01:00
Marcelo Daniel Silva Sales
0c25da542c
Update secret rotation when the policy is disabled ( #10674 )
...
Closes #10667
2022-03-10 13:03:09 +01:00
Marcelo Daniel Silva Sales
7335abaf08
Keycloak 10489 support for client secret rotation ( #10603 )
...
Closes #10602
2022-03-09 00:05:14 +01:00
mposolda
d394e51674
Introduce profile 'feature' for step-up authentication enabled by default
...
Closes #10315
2022-03-08 14:42:46 +01:00
mposolda
93bba8e338
Replace 'Store LoA in User Session' with 'Max Age'. Refactoring of step-up authentications related to that.
...
Closes #10205
2022-03-08 10:41:05 +01:00
Martin Bartoš
02d0fe82bc
Auth execution 'Condition - User Attribute' missing
...
Closes #9895
2022-03-08 08:24:48 +01:00
Michal Hajas
f77ce315bb
Disable Authz caching for new storage tests
...
Closes #10500
2022-03-07 10:22:55 -03:00
Takashi Norimatsu
201277b897
Handle OIDC authz request with "response_type" missing and "response_mode=form_post"
...
Closes #10144
2022-03-04 13:31:40 +01:00
Takashi Norimatsu
92f6c75328
Nonce parameter should be required in authorizationEndpoint only when "id_token" is included in response_type
...
Closes #10143
2022-03-03 13:26:39 +01:00
Daniel Gozalo
76101e3591
[ fixes #9225 ] - Get scopeIds from the AuthorizationRequestContext instead of session if DYNAMIC_SCOPES are enabled
...
Add a test to make sure ProtocolMappers run with Dynamic Scopes
Change the way we create the DefaultClientSessionContext with respect to OAuth2 scopes, and standardize the way we obtain them from the parameter
2022-03-01 13:47:58 +01:00
Vlasta Ramik
aa6a131b73
Change String client.id to ClientModel client in ResourceServerStore
...
Closes #10442
2022-02-24 12:46:26 +01:00
Alexander Volkov
91a51d276f
Realm translations are being added to the account console. ( #10329 )
...
For the account console translations are being fetched from the realm translations as well as from the theme properties.
Closes #10328
2022-02-23 08:35:10 -05:00
treydock
b26a1a4803
KEYCLOAK-18334 Fix null pointer exception when viewing flow executions ( #8121 )
...
* KEYCLOAK-18334 Fix null pointer exception when viewing flow executions
Closes #10371
2022-02-22 09:31:25 +01:00
Dominik Guhr
9358535161
Fix admin user creation message when calling quarkus welcomepage from remote ( #10362 )
...
For wildfly, everything is as before. For Quarkus, we check if http is enabled and provide the right port and scheme if so, and also we are relative-path aware.
Closes #10335
2022-02-22 08:19:45 +01:00
Marek Posolda
8c3fc5a60e
Option for client to specify default acr level ( #10364 )
...
Closes #10160
2022-02-22 07:54:30 +01:00
Marek Posolda
caf37b1f70
Support for acr_values_supported in OIDC well-known endpoint ( #10265 )
...
* Support for acr_values_supported in OIDC well-known endpoint
closes #10159
2022-02-18 11:33:31 +01:00
Filipe Bojikian Rissi
323c08c8cc
KEYCLOAK-19519 Encryption algorithm RSA-OAEP with A256GCM ( #8553 )
...
Closes #10300
2022-02-17 17:41:54 +01:00
Stian Thorgersen
2fd5a1f4fc
Revert "KEYCLOAK-19602 moved create/update admin console event after commit, to prevent false alarm to event listeners" ( #10278 )
...
This reverts commit 31d8a927ff.
2022-02-17 10:16:32 +01:00
Satria Hu
31d8a927ff
KEYCLOAK-19602 moved create/update admin console event after commit, to prevent false alarm to event listeners
2022-02-16 19:53:29 -03:00
Pedro Igor
7da3953435
Path parameter is missing in the get account endpoint
...
Closes #10055
2022-02-15 15:44:05 -03:00
Pedro Igor
f3c3bb5001
Removing unnecessary code paths during startup ( #10131 )
...
Closes #10130
2022-02-15 12:09:14 +01:00
Marek Posolda
90d4e586b6
Show error in case of an unknown essential acr claim. Make sure correc… ( #10088 )
...
* Show error in case of an unknown essential acr claim. Make sure correct acr is set after authentication flow during step-up authentication
Closes #8724
Co-authored-by: Cornelia Lahnsteiner <cornelia.lahnsteiner@prime-sign.com>
Co-authored-by: Martin Bartoš <mabartos@redhat.com>
2022-02-15 09:02:05 +01:00
Dominik Guhr
5d781304e7
Fix IDELauncher resource loading
...
Caused by doubled slashes when getting the path for resources while running IDELauncher, so now we sanitize them. Tested by building and running the WF and Quarkus distributions, running from IDELauncher and running using quarkus:dev; assets always got loaded.
closes #9942
2022-02-14 15:51:58 -03:00
keycloak-bot
d9f1a9b207
Set version to 18.0.0-SNAPSHOT ( #10165 )
2022-02-11 21:28:06 +01:00
Francis PEROT
623aaf1e8b
Fixes collection comparison ignoring order
...
Use of containsAll() does not make it possible to compare whether 2 lists are equal (ignoring order).
Previous implementation of CollectionUtil.collectionEquals(...) was not taking care of specific cases where you can have [ A, A, B ] and [ A, B, B ], and complexity was O(n²).
Using a Map, complexity is now O(n).
Closes #9920
2022-02-11 10:01:41 +01:00
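Worked example, added by the editor and not code from the Keycloak repository: an order-insensitive, multiplicity-aware collection comparison of the kind the commit above describes. It counts occurrences in a Map in a single pass, so [A, A, B] and [A, B, B] compare unequal while [B, A, A] and [A, A, B] compare equal, and it is O(n) rather than O(n²). The class and method names are hypothetical and are not Keycloak's CollectionUtil; the containsAll() variant is included only to show the false positive it produces.

```java
import java.util.Collection;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

// Hypothetical illustration; not Keycloak's CollectionUtil.
public final class MultisetEquals {

    private MultisetEquals() {}

    // Order-insensitive equality that also respects multiplicity.
    // Builds a histogram of the first collection, then consumes it with the second.
    public static <T> boolean collectionEquals(Collection<T> a, Collection<T> b) {
        if (a == b) return true;
        if (a == null || b == null || a.size() != b.size()) return false;
        Map<T, Integer> counts = new HashMap<>();
        for (T x : a) {
            counts.merge(x, 1, Integer::sum);
        }
        for (T y : b) {
            Integer c = counts.get(y);
            if (c == null) return false;          // y appears more often in b than in a
            if (c == 1) counts.remove(y); else counts.put(y, c - 1);
        }
        return counts.isEmpty();                  // every element of a was matched exactly
    }

    // The containsAll()-based check ignores multiplicity: it cannot tell
    // [A, A, B] from [A, B, B] because each element of one list occurs in the other.
    public static <T> boolean containsAllBothWays(Collection<T> a, Collection<T> b) {
        return a.size() == b.size() && a.containsAll(b) && b.containsAll(a);
    }

    public static void main(String[] args) {
        List<String> aab = List.of("A", "A", "B");
        List<String> abb = List.of("A", "B", "B");
        List<String> baa = List.of("B", "A", "A");
        System.out.println("containsAll: [A,A,B] vs [A,B,B] -> " + containsAllBothWays(aab, abb));
        System.out.println("multiset:    [A,A,B] vs [A,B,B] -> " + collectionEquals(aab, abb));
        System.out.println("multiset:    [A,A,B] vs [B,A,A] -> " + collectionEquals(aab, baa));
    }
}
```

Elements are compared through hashCode()/equals(), exactly as a HashMap key would be, so the method behaves consistently with the collections' own equality semantics.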
Martin Bartoš
6c09ec6de6
Hide 'unknown' transport media type label for WebAuthn authenticators
...
Closes #10036
2022-02-11 08:28:50 +01:00
Martin Bartoš
75c7491b85
Remove external Collection utility class for WebAuthn
...
Closes #10034
2022-02-09 11:53:03 +01:00
Mauro de Wit
2c238b9f04
session-limiting-feature ( #8260 )
...
Closes #10077
2022-02-08 19:16:06 +01:00
Alexander Schwartz
100dbb8781
Rework escaping of special characters in message properties for account console ( #9995 )
...
Closes #9503
2022-02-07 14:47:03 -05:00
Martin Bartoš
5494848f3f
Not possible to register webauthn key on Firefox
...
Closes #10020
2022-02-07 12:21:22 +01:00
Marek Posolda
d9c8cb30a5
Closes #9498 - Fix cases when user is forced to re-authenticate ( #9580 )
2022-02-07 09:02:08 +01:00
Martin Bartoš
d82122b982
Store information about transport media of WebAuthn authenticator
...
Closes #9800
2022-02-04 19:36:30 +01:00
Takashi Norimatsu
07d43f31f3
Expected Scopes of ClientScopesCondition created on Admin UI are not saved onto ClientScopesCondition.Configuration
...
Closes #9371
2022-02-04 18:02:15 +01:00
Martin Kanis
0471ec4941
Cross-site validation for lazy loading of offline sessions & Switch default offline sessions to lazy loaded
2022-02-03 21:43:47 +01:00
Konstantinos Georgilakis
a1f2f77b82
Device Authorization Grant with PKCE
...
Closes #9710
2022-02-03 08:37:07 +01:00
Daniel Gozalo
db4642d250
[ fixes #9919 ] - Enable Dynamic Scopes for the resource-owner-password-credentials grant
...
Change some calls to the new AuthorizationContextUtil class and add tests for the client-credentials grant
2022-02-03 08:19:44 +01:00
Marek Posolda
d27635fb1b
Fixing for token revocation checks only ( #9707 )
...
Closes #9705
2022-02-02 15:21:44 +01:00
Daniel Gozalo
3528e7ba54
[ fixes #9224 ] - Get consented scopes from AuthorizationContext
...
Always show the consent screen when a dynamic scope is requested and show the requested parameter
Improve the code that handles dynamic scopes consent and add some log traces
Add a test to check how we show dynamic scope in the consent screen and added missing template file change
Fix merge problem in comment and improve other comments
Fix the Dynamic Scope test by assigning it to the client as optional instead of default
Change how dynamic scopes are represented in the consent screen and adapt test
2022-02-02 09:10:20 +01:00
Martin Bartoš
c40e842b45
Verify the WebAuthn functionality and settings for authentication ( #9851 )
...
* Verify the WebAuthn functionality and settings for authentication
Closes #9504
2022-01-31 15:42:08 +01:00
Alexander Schwartz
df7ddbf9b3
Added ModelIllegalStateException to handle lazy loading exception.
...
Closes #9645
2022-01-31 10:10:41 +01:00
Stian Thorgersen
d1d656162d
Enable keycloak.v2 admin theme by default when admin2 feature is enabled ( #9859 )
...
Closes #9858
2022-01-28 13:24:50 +01:00
Takashi Norimatsu
ef134390c2
Client Policies : Condition's negative logic configuration is not shown in Admin Console's form view
...
Closes #9447
2022-01-27 09:55:22 +01:00
Daniel Gozalo
4136bf7700
[ fixes #9750 ] Make sure a Dynamic scope isn't assignable to a client as a default scope, and only show non-dynamic scopes in the available client scopes client menu
2022-01-26 13:32:04 +01:00
Daniel Gozalo
dad51773ea
[ fixes #9223 ] - Create an internal representation of RAR that also handles Static and Dynamic Client Scopes
...
Parse scopes to RAR representation and validate them against the requested scopes in the AuthorizationEndpointChecker
Parse scopes as RAR representation and add the created context on the different cache models in order to store the state and make it available for mappers in the ClientSessionContext
Create a new AuthorizationRequestSpi to provide different implementations for either dynamic scopes or RAR requests parsing
Move the AuthorizationRequest objects to server-spi
Add the AuthorizationRequestContext property to the MapAuthenticationSessionEntity and configure MapAuthenticationSessionAdapter to access it
Remove the AuthorizationRequestContext object from the cache adapters and entities and instead recalculate the RAR representations from scopes every time
Refactor the way we parse dynamic scopes and put everything behind the DYNAMIC_SCOPES feature flag
Added a login test and added a function to get the requested client scopes, including the dynamic one, behind a feature flag
Add a new filter to the Access Token dynamic scopes to avoid adding scopes that are not permitted for a user
Add tests around Dynamic Scopes: replaying existing tests while enabling the DYNAMIC_SCOPES feature and adding a few more
Test how the server generates the AuthorizationDetails object
Fix formatting, move classes to better packages and fix parent test class by making it Abstract
Match Dynamic scopes to Optional scopes only and fix tests
Avoid running these tests on remote auth servers
2022-01-26 13:19:23 +01:00
Thomas Darimont
438fc2865f
Fix embedded theme-resources lookup in Keycloak.X
...
Previously lookups for embedded theme-resources did not work for Keycloak.X because of a missing
`ClasspathThemeResourceProvider` registration.
This PR ensures that a `ClasspathThemeResourceProvider` is registered in Keycloak.X based deployments.
Added empty constructors to ClasspathThemeResourceProvider to enable dynamic instantiation by Quarkus.
Fixes #9653
2022-01-21 09:52:26 -03:00
mposolda
3dd97f3f2f
Fix migration test
...
Closes #9550
2022-01-20 13:42:47 +01:00
Konstantinos Georgilakis
0c9ab32cf4
Fix scope bug in device authorization request
...
Closes #9617
2022-01-19 18:13:42 +01:00
Pedro Igor
4c747047ce
Backward compatibility for lower-case bearer type in token responses ( #9538 )
...
Closes #9537
2022-01-13 08:34:45 +01:00
Daniel Gozalo
8ea09d3816
[ fixes #9222 ] - Let users configure Dynamic Client Scopes ( #9327 )
2022-01-12 14:27:24 +01:00
Marek Posolda
8f221bb21e
Validation for CIBA binding_message parameter ( #9470 )
...
closes #9469
2022-01-11 11:19:15 +01:00
Martin Bartoš
d75d28468e
KEYCLOAK-19490 Add more details about 2FA to authenticate page ( #9252 )
...
Closes #9494
2022-01-11 09:16:22 +01:00
CorneliaLahnsteiner
dff79cee3c
KEYCLOAK-847 Add support for step up authentication ( #7897 )
...
KEYCLOAK-847 Fix behavior of unknown not essential acr claim
Co-authored-by: Georg Romstorfer <georg.romstorfer@gmail.com>
Co-authored-by: Marek Posolda <mposolda@gmail.com>
2021-12-22 12:43:12 +01:00
keycloak-bot
9f3d4a7d42
Set version to 17.0.0-SNAPSHOT
2021-12-20 10:50:39 +01:00
Stian Thorgersen
45e9243054
Verify fine-grained admin permissions feature is enabled before checking fine-grained permissions when creating users ( #9211 )
...
* Verify fine-grained admin permissions feature is enabled before checking fine-grained permissions when creating users
Co-authored-by: stianst <stianst@gmail.com>
* fixing test
Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com>
2021-12-17 14:45:56 +01:00
vramik
e61da278ba
When the ternary conditional operator uses a primitive type it could throw an NPE in some cases
...
Closes #9137
2021-12-15 10:25:54 +01:00
Pedro Igor
7dc5556b40
[ fixes #9092 ] - Avoid failing when request is not a form-urlencoded
2021-12-14 03:32:43 -08:00
stianst
85240c9606
Remove deprecated kcinit from keycloak
...
Closes #9106
2021-12-13 15:51:51 +01:00
thomasmicro
c474e770fe
Clarify Admin UI Name of NoCookieFlowRedirectAuthenticator
...
In the Admin UI, the Authenticator was simply called Browser Redirect/Refresh which gives the impression that it is a generic redirector (which would be a cool validator).
This Quick Fix changes the Name to "Browser Redirect for Cookie free authentication" which should bring more clarity.
2021-12-13 13:14:49 +01:00
Martin Bartoš
3a2bf0c04b
WebAuthnAuthenticator add timeout property
2021-12-12 11:36:51 +01:00
Hynek Mlnarik
95614e8b40
Fix NPE for component creation when realm unset but config known
...
Fixes #9019
2021-12-07 20:15:05 +01:00
Yoshiyuki Tabata
b1eeb0626e
KEYCLOAK-13847 fix offline token refresh date
2021-12-01 08:30:08 +01:00
Andre Fucs de Miranda
b03b390dd2
KEYCLOAK-19228: Prevent user enumeration in FIPS mode
2021-11-24 18:11:27 +01:00
Nemanja Hiršl
c9e1e00b95
KEYCLOAK-19773 BFD and Direct Grant - inconsistent number of failures
...
Do not "failure" on temporarily or permanently locked users, but "forceChallenge"
Failure increments number of failures, and forceChallenge doesn't
Test cases cover:
1. Already disabled users
2. Temporarily disabled users by BFD
3. Permanently disabled users by BFD
2021-11-24 15:28:18 +01:00
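Worked example, added here and not Keycloak's own BruteForceProtector code: a minimal login-attempt counter that applies the rule the commit above describes. A wrong password against an enabled, unlocked account is a failure, increments the counter and may lock the account; an attempt against an account that is already disabled, temporarily locked or permanently locked is answered with a challenge and leaves the counter untouched, so the recorded number of failures stays consistent no matter how often an attacker retries during the lock. The class, method names, thresholds and lockout duration are hypothetical assumptions for illustration.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.HashMap;
import java.util.Map;

// Hypothetical illustration of "failure vs. forceChallenge"; not Keycloak's BruteForceProtector.
public final class LockoutCounter {

    public enum Outcome { SUCCESS, FAILURE, FORCE_CHALLENGE }

    static final class Account {
        final String password;      // plaintext only for the demo; a real store verifies a hash
        boolean enabled = true;
        int failures = 0;
        Instant lockedUntil = null; // null = not locked, Instant.MAX = permanently locked
        Account(String password) { this.password = password; }
    }

    private final Map<String, Account> accounts = new HashMap<>();
    private final int temporaryLockAfter;   // failures before a temporary lock (assumed policy)
    private final int permanentLockAfter;   // failures before a permanent lock (assumed policy)
    private final Duration lockoutDuration;

    public LockoutCounter(int temporaryLockAfter, int permanentLockAfter, Duration lockoutDuration) {
        this.temporaryLockAfter = temporaryLockAfter;
        this.permanentLockAfter = permanentLockAfter;
        this.lockoutDuration = lockoutDuration;
    }

    public void addAccount(String name, String password, boolean enabled) {
        Account a = new Account(password);
        a.enabled = enabled;
        accounts.put(name, a);
    }

    public int failures(String name) { return accounts.get(name).failures; }

    private static boolean isLocked(Account a, Instant now) {
        return a.lockedUntil != null && now.isBefore(a.lockedUntil);
    }

    public Outcome attempt(String name, String password, Instant now) {
        Account a = accounts.get(name);
        if (a == null) {
            return Outcome.FAILURE; // unknown user; per-IP counting is outside this example
        }
        // Already disabled or locked: re-issue the challenge, do NOT count a failure.
        if (!a.enabled || isLocked(a, now)) {
            return Outcome.FORCE_CHALLENGE;
        }
        if (a.password.equals(password)) {
            a.failures = 0;         // a successful login resets the counter
            return Outcome.SUCCESS;
        }
        a.failures++;               // only a real wrong-password attempt is counted
        if (a.failures >= permanentLockAfter) {
            a.lockedUntil = Instant.MAX;
        } else if (a.failures >= temporaryLockAfter) {
            a.lockedUntil = now.plus(lockoutDuration);
        }
        return Outcome.FAILURE;
    }

    public static void main(String[] args) {
        LockoutCounter c = new LockoutCounter(3, 10, Duration.ofMinutes(1));
        c.addAccount("alice", "correct-horse", true);
        c.addAccount("bob", "battery-staple", false); // already disabled
        Instant t0 = Instant.parse("2021-11-24T15:00:00Z");

        // Three wrong passwords lock alice temporarily; the next two attempts during the
        // lock are answered with FORCE_CHALLENGE and the counter does not move past 3.
        for (int i = 0; i < 5; i++) {
            System.out.println("alice: " + c.attempt("alice", "wrong", t0.plusSeconds(i))
                    + " failures=" + c.failures("alice"));
        }
        // Once the lock has expired, a wrong password is counted (and locks) again.
        System.out.println("alice: " + c.attempt("alice", "wrong", t0.plus(Duration.ofMinutes(2)))
                + " failures=" + c.failures("alice"));
        // A disabled account is challenged but never accumulates failures.
        System.out.println("bob: " + c.attempt("bob", "wrong", t0) + " failures=" + c.failures("bob"));
    }
}
```

The point of keeping the counter still while an account is locked or disabled is that the failure count then reflects real guessing attempts, which is what the three cases in the commit's test list (already disabled, temporarily disabled, permanently disabled) check.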
Martin Bartoš
1e1a6779be
Issue 8814: Replace deprecated hamcrest-all dependencies
2021-11-23 13:56:28 +01:00
bal1imb
661aca4452
KEYCLOAK-19283 Implemented new identity provider mapper "Advanced claim to group mapper" alongside tests.
2021-11-19 16:54:39 +01:00
Hiroyuki Wada
884471c729
KEYCLOAK-19237 Avoid using stream that has been operated
2021-11-18 17:46:35 +01:00
Takashi Norimatsu
10c3e149d3
KEYCLOAK-19699 RSA key provider with key use = enc cannot select corresponding algorithm on Admin Console
2021-11-18 13:24:50 +01:00
Olivier Boudet
ed6eea26ea
KEYCLOAK-19413 Allows to set login_hint on registration and reset-credentials pages
2021-11-18 13:17:10 +01:00
Konstantinos Georgilakis
63c9845cb9
KEYCLOAK-18276 client content screen enhancement
2021-11-18 13:15:02 +01:00
Martin Bartoš
b17f0695ee
8793 User Profile multiple implementations
2021-11-15 08:46:34 +01:00
David Perrenoud
36da2d20e9
KEYCLOAK-17039 Local file in a webview fails when requesting with "Origin: null" since 11.0.2
2021-11-11 10:55:33 +01:00
Yoshiyuki Tabata
9be4c289d8
KEYCLOAK-18440 Improve logging for token introspection
2021-11-08 15:26:52 +01:00
rmartinc
a4c4c00d00
[KEYCLOAK-14309] Duplicate sub claim at JSON level
2021-11-08 11:54:39 +01:00
Alec Henninger
cec6a8a884
KEYCLOAK-19700: Attempt to reuse denied device authorization code results in server error
2021-11-08 11:37:51 +01:00
Takashi Norimatsu
d0493b4306
KEYCLOAK-19723 Existing ECDSA key provider's key pair is not regenerated when its curve is changed on Admin Console
2021-11-05 10:05:40 +01:00
mposolda
5740e158e3
KEYCLOAK-18744 OpenBanking Brasil fix for X509 client authentication. More flexibility in Subject DN comparison.
2021-11-05 09:10:50 +01:00
Luca Leonardo Scorcia
e99b363ba0
KEYCLOAK-18879 Generate RequestedAttribute SP metadata for SAML Attribute Role Mappers
2021-11-04 11:15:32 +01:00
Bruno Oliveira da Silva
16db810b03
[KEYCLOAK-19754] - Update documentation files to remove problematic language in the main repository
2021-11-04 10:08:56 +01:00
Pedro Igor
eaa96f6147
[KEYCLOAK-18255] - Vault Support in Dist.X
2021-11-03 09:23:33 -03:00
Martin Bartoš
bfce612641
KEYCLOAK-18338 Fix update user account with configured SSSD
2021-11-02 08:42:07 +01:00
Joerg Matysiak
afc5cb4d14
KEYCLOAK-19617 Simplify creation of custom user profiles
...
* DeclarativeUserProfileProvider passes its ID to DeclarativeUserProfileModel, so this also works for derived classes.
* Moved creation of declarative user profile model to a protected factory method to allow subclasses to provide their own implementation.
* Added integration tests for custom user profile
* configured declarative-user-profile as default user profile provider in test servers
* Restore previously configured default provider after test with special provider settings
* Some refactoring in SpiProviderSwitchingUtils
2021-10-28 08:26:11 -03:00
Takashi Norimatsu
0d62c6d498
KEYCLOAK-19565 Client Policies : Wrong SecureLogoutExecutor's provider ID
2021-10-25 13:49:48 +02:00
Konstantinos Georgilakis
a5c8c45551
KEYCLOAK-19388 correct AttributeConsumingService bug in SAML SP metadata
2021-10-21 20:24:46 +02:00
Takashi Norimatsu
263161ff66
KEYCLOAK-19540 FAPI 2.0 Baseline : Reject Resource Owner Password Credentials Grant
2021-10-21 09:13:12 +02:00
Pham Hoang Nam
e87952d1ad
Fix logout-all endpoint return json format
2021-10-20 11:37:49 -03:00
Thomas Darimont
9857a04895
KEYCLOAK-16107 Enable ScriptBasedOIDCProtocolMapper to return JSON objects directly
...
We now allow returning JSON objects directly from a ScriptBasedOIDCProtocolMapper, by
adding support for turning objects that implement java.util.Map into JsonNodes.
Previously, returning JSON objects directly caused an exception at runtime.
2021-10-19 11:21:26 -03:00
Alec Henninger
c392538f69
KEYCLOAK-19575: Different user authenticated results in server error instead of bad request
2021-10-19 13:52:11 +02:00
Douglas Palmer
73f0474008
[KEYCLOAK-19422] ClassLoaderTheme and ClasspathThemeResourceProviderFactory allows reading any file available as a resource to the classloader
2021-10-18 10:23:06 +02:00
Václav Muzikář
7d0af8519b
KEYCLOAK-19080 Simplify the RHSSO setup in an OpenShift Disconnected cluster
...
KEYCLOAK-19080 Simplify the RHSSO setup in an OpenShift Disconnected cluster
2021-10-18 09:35:32 +02:00
mposolda
7010017e0e
KEYCLOAK-19555 Improvements in ConsentRequiredExecutor of client policies
2021-10-16 14:11:18 +02:00
Dominik Guhr
a3b23700ea
KEYCLOAK-19553 Fix Resteasy Bug in Authenticators for Keycloak.X
2021-10-15 14:24:46 -03:00
Thomas Darimont
b1bcd5d66e
KEYCLOAK-12754 Honor nested composite roles when creating roles via REST API ( #7097 )
...
* KEYCLOAK-12754 Honor nested composite roles when creating roles via REST API
- Validate composite roles when creating roles via REST API
2021-10-15 10:33:19 -03:00
mposolda
acd00a492b
KEYCLOAK-19556 Avoid auto-creating invalid redirect URL for FAPI clients
2021-10-15 11:17:59 +02:00
Bart Monhemius
5b0986e490
[KEYCLOAK-18891] Add support for searching users by custom user attributes
...
Users can now be searched by custom attributes using 'q' in the query parameters. The implementation is roughly the same as search clients by custom attributes.
2021-10-12 13:08:47 +02:00
R Yamada
891c8e1a12
[KEYCLOAK-17653] - OIDC Frontchannel logout support
2021-10-07 15:27:19 -03:00
Dominik
97ee8832a3
KEYCLOAK-19079 Add special case for kubeadmin without uid and OCP4
2021-10-07 14:29:00 -03:00
Martin Kanis
30b3caee9f
KEYCLOAK-18445 Add support for cross-site model tests
2021-10-06 14:37:06 +02:00
Seth
90947404a5
KEYCLOAK-16380 Make IdP display name available to idp link email subject ( #7626 )
...
KEYCLOAK-16380 Make IdP display name available to idp link email subject
2021-10-04 11:10:18 +02:00
Michal Hajas
da0c945475
KEYCLOAK-18940 Add support for searching composite roles
2021-10-01 12:41:19 +02:00
Nathan Strobbe
64717f650b
KEYCLOAK-15167 Retrieve email from Twitter IdP
2021-10-01 09:45:20 +02:00
Luca Leonardo Scorcia
43a3c676f7
KEYCLOAK-16456 X509 Auth: add option for OCSP fail-open behavior
2021-10-01 08:37:01 +02:00
Luca Leonardo Scorcia
9838a47662
KEYCLOAK-16520 X509 Auth: Add option to verify certificate policy
2021-09-30 16:36:05 +02:00
Daniel Fesenmeyer
0a2f8f5b63
KEYCLOAK-17887 fix endpoint for creating or updating realm localization texts for a given locale (UnsupportedOperation was thrown because RealmAdapter tried to change unmodifiable map):
...
- fix RealmAdapter to create a new map instead of trying to change unmodifiable map
- only provide POST endpoints for creating or updating the texts (to have the endpoints consistent with other Admin API endpoints)
- add tests
2021-09-30 15:07:56 +02:00
stianst
f471a110cd
KEYCLOAK-19408 Better client secrets
2021-09-29 18:19:43 +02:00
stianst
12c7bc7350
KEYCLOAK-19410 Compile issues in IntelliJ due to imports of sun packages
2021-09-28 14:59:33 +02:00
Václav Muzikář
69a146db7e
KEYCLOAK-18128 Keycloak cannot fetch group claims from openshift
2021-09-27 08:05:43 -03:00
Daniel Fesenmeyer
339224578e
KEYCLOAK-10603 adjust assignments to roles (user-role and group-role assignments, client-scope and client "scope mappings"): allow assignments of roles which are already indirectly assigned (e.g. by composite role)
...
- extend RoleMapperModel with method hasDirectRole(RoleModel), which only checks for direct assignment in contrast to the existing method hasRole(RoleModel)
- extend ScopeContainerModel with method hasDirectScope(RoleModel), which only checks for direct scope mapping in contrast to the existing method hasScope(RoleModel)
- use the new hasDirectRole and hasDirectScope methods to check whether a role is in the "available" list and whether it can be assigned (previously, the hasRole method was used for this purpose)
- add hint to UI that available roles contain effectively assigned roles which are not directly assigned
- adjust and extend tests
2021-09-22 13:56:29 +02:00
Nikolas Laskaris
8f09d34272
KEYCLOAK-18288 ( #8096 )
...
RealmsAdminResource now returns also a brief representation (not by default, to be backwards compatible) for realms[] if the appropriate flag is sent.
2021-09-20 15:32:15 -04:00
Vlastimil Elias
28e220fa6d
KEYCLOAK-18497 - Support different input types in built-in dynamic forms
2021-09-20 09:14:49 -03:00
Takashi Norimatsu
375e47877e
KEYCLOAK-18558 Client Policy - Endpoint : support Device Authorization Endpoint
2021-09-20 11:22:58 +02:00
Jess Thrysoee
b4fe7bbda2
KEYCLOAK-19344 Add CORS to Device Authorization Request
...
Add CORS headers to the Device Authorization Request (OAuth 2.0 Device Authorization Grant)
to make it available for non-confidential public web-browser-based clients, e.g. SPAs like
signage or kiosk webapps.
2021-09-20 10:32:10 +02:00
chen kqing
c9809f0151
KEYCLOAK-18873 href attribute of a "Unable to scan?" tag is wrong in "Configure TOTP" page
2021-09-20 10:09:58 +02:00
Sophie Tauchert
b5d477c421
[KEYCLOAK-18556] Check for federated credentials when resolving authenticators
2021-09-15 16:54:56 +02:00
Stan Silvert
93e229e45d
KEYCLOAK-18512: Integrate New Admin Console into Keycloak build ( #8366 )
...
* KEYCLOAK-18512: Integrate New Admin Console into Keycloak build
* KEYCLOAK-18512: Integrate New Admin Console into Keycloak build
* Change version to project version. Make experimental.
* Add PAT for reading packages (#12 )
* Add PAT for reading packages
* Encode token
* Use generic GH account for installation of packages
* Enable Github packages repo only for snapshots
* KEYCLOAK-18512: Make ADMIN2 experimental instead of preview
* KEYCLOAK-18512: Remove early return
* KEYCLOAK-18512: Fix formatting issue
Co-authored-by: Jon Koops <jonkoops@gmail.com>
2021-09-15 10:09:06 -04:00
Vlastimil Elias
2be5f528e4
KEYCLOAK-18700 - consistently record User profile attribute changes in
...
UPDATE_PROFILE event
2021-09-15 08:26:01 -03:00
bohmber
4fe7d6d318
KEYCLOAK-17110
...
LDAP Connection Pool not used with org.keycloak.truststore.SSLSocketFactory
2021-09-15 10:55:59 +02:00
Luca Leonardo Scorcia
6d0708d263
KEYCLOAK-17368 Show forwarded errors when a default remote IdP is configured ( #7838 )
2021-09-14 09:44:59 +02:00
bal1imb
67e3df654f
KEYCLOAK-18740 Admin events trigger transaction rollback if exception is thrown.
2021-09-13 14:07:28 +02:00
Luca Leonardo Scorcia
af8354267b
KEYCLOAK-16462 X509 Auth: add option to revalidate certificate trust
2021-09-13 12:12:38 +02:00
David Hellwig
a6cd80c933
KEYCLOAK-16076 added new warning when cookies are disabled -with new branch- ( #7632 )
...
* KEYCLOAK-16076 added new warning when cookies are disabled
Co-authored-by: David Hellwig <david.hellwig@bosch.com>
Co-authored-by: Christoph Leistert <christoph.leistert@bosch-si.com>
2021-09-13 11:30:11 +02:00
Hynek Mlnarik
4518b3d3d1
KEYCLOAK-19143 Split note for broker and SP SAML request ID
2021-09-07 17:04:30 +02:00
Olivier Boudet
c7f8544b0c
KEYCLOAK-18454 Reset password : wrong email instructions when duplicate emails are allowed
2021-09-02 14:44:18 +02:00
Thomas Darimont
e217e9a175
KEYCLOAK-18818 Add CORS preflight handler to token revocation endpoint
2021-08-31 10:07:32 +02:00
vramik
5fe675b612
KEYCLOAK-18841 prevent deletion of default role using RoleContainerResource
2021-08-20 12:02:07 +02:00
Thomas Darimont
f16eb4d8b9
KEYCLOAK-18954 Refactor user consent list retrieval to avoid ConcurrentModificationException
...
This avoids a ConcurrentModificationException being thrown in UserResource.getConsents()
calls, which got introduced in 4e8b18f560, by filtering
the resulting stream explicitly instead of removing items from the collection
that we iterate over, which triggered the CME in the first place.
Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
2021-08-18 10:39:44 +02:00
wuweixin
6431afe360
KEYCLOAK-18974 BitbucketIdentityProvider IdentityBrokerException message
...
github => bitbucket
2021-08-18 10:32:07 +02:00
rmartinc
5ff6ff57a8
[KEYCLOAK-18535] KeycloakSanitizerMethod causes java.lang.IndexOutOfBoundsException when there is more than one href in a sanitized message
2021-08-18 10:19:22 +02:00
bal1imb
269b661b8a
KEYCLOAK-16633 Prevent deletion of internal clients.
2021-08-09 11:45:03 -03:00
Martin Kanis
b42f765c2a
KEYCLOAK-18982 Token OIDC introspection endpoint should not update any of the timestamps
2021-08-05 18:21:16 +02:00
Yoshiyuki Tabata
b31b60fffe
KEYCLOAK-18341 Support JWKS OAuth2 Client Metadata in the "by value" key loading method
2021-08-05 16:52:55 +02:00
mposolda
b1d39aa136
KEYCLOAK-18949 DirectGrant login should fail if authenticationSession contains some required actions
2021-08-04 08:50:27 +02:00
carlChen
a0b01b6ef4
KEYCLOAK-16703 The username returned by token introspect endpoint is null when remove or modify username mapper
2021-08-03 17:38:37 +02:00
Florian Ritterhoff
65480cb5a1
Prevent security flaw using passwordless authentication
...
If you register without a password or delete your last token, your account can be hijacked. This can be done by simply trying to log in at the moment when the account is without a token. You get the "normal" registration dialog and can capture the complete account.
2021-08-03 10:49:45 -03:00
Sebastian Kanzow
4e8e4592ca
[KEYCLOAK-18419] Support SAML 2.0 Encrypted IDs in Assertion
2021-08-03 11:55:36 +02:00
laskasn
f265d1d662
KEYCLOAK-18933
2021-08-02 15:27:08 +02:00
keycloak-bot
262ec3d031
Set version to 16.0.0-SNAPSHOT
2021-07-30 14:56:10 +02:00
Pedro Igor
afb0b16e43
[KEYCLOAK-18922] - Ignore empty values for internal attributes not set to user
2021-07-30 12:30:43 +02:00
Pedro Igor
ff70e2e04b
[KEYCLOAK-18916] - Do not consider empty values when checking read-only attributes
2021-07-29 08:46:16 +02:00
Vlastimil Elias
32f2f095fe
KEYCLOAK-7724 User Profile default validations
2021-07-29 08:42:37 +02:00
mposolda
4dacbb9e0b
KEYCLOAK-16996 User not able to revoke his offline token for directGrant clients
2021-07-29 08:04:16 +02:00
mposolda
9b0e1fff8d
KEYCLOAK-18903 More customizable OIDC WellKnown provider
2021-07-28 18:03:23 +02:00
mposolda
05dfed721a
KEYCLOAK-18636 The mtls_endpoint_aliases claim is not advertised in the discovery document
2021-07-28 13:32:31 +02:00
Pedro Igor
ef72343a6a
[KEYCLOAK-18882] - User Profile still tech preview
2021-07-28 08:45:35 +02:00
mposolda
4520cbd38c
KEYCLOAK-18904 Support cert-bound tokens when doing client credentials grant. Client policies support for client credentials grant
2021-07-28 07:24:30 +02:00
mposolda
643b3c4c5a
KEYCLOAK-18594 CIBA Ping Mode
2021-07-27 08:33:17 +02:00
Hynek Mlnarik
8889122dc1
KEYCLOAK-18845 Remove key type in map storage (simplify generics)
2021-07-23 17:04:20 +02:00
Takashi Norimatsu
9018fe9fad
KEYCLOAK-18863 Global client profile for FAPI CIBA
2021-07-23 14:30:26 +02:00
Joerg Matysiak
9dff21d0a7
KEYCLOAK-18552
...
* added group as attribute metadata
* validation for groups and references to groups
* adapted template to use show attribute groups
* test and integration tests for attribute groups
2021-07-23 09:26:21 -03:00
Takashi Norimatsu
6436716514
KEYCLOAK-18834 Client Policies : ClientScopesCondition needs to be evaluated on CIBA backchannel authentication request and token request
2021-07-23 10:06:02 +02:00
Martin Bartoš
036239a901
KEYCLOAK-18643 Generic Javascript failure in server and adapters test pipeline
2021-07-23 08:47:27 +02:00
Takashi Norimatsu
84e19f1c57
KEYCLOAK-18833 FAPI-CIBA-ID1 : need to only accept confidential client on Backchannel Authentication endpoint
2021-07-23 08:26:36 +02:00
Luca Leonardo Scorcia
6bd7420907
KEYCLOAK-17290 SAML Client - Generate AttributeConsumingService SP metadata section
2021-07-22 21:53:16 +02:00
Pedro Igor
8260c3c623
[KEYCLOAK-18860] - Fixing attributes returned from user api
2021-07-22 15:09:30 -03:00
Vlastimil Elias
f307c56fe1
KEYCLOAK-18812 UserProfile metadata in Account REST API
2021-07-22 08:46:30 -03:00
Pedro Igor
b4c940fe3f
[KEYCLOAK-18860] - Return attributes defined in user profile from user api
2021-07-22 08:32:47 -03:00
Robert Schuh
843bbf1bb3
KEYCLOAK-18852 Prevent NPE in case of missing truststore
...
Even though the "return null" at the top of the method is called if no truststore is set, the finally block is still executed, and since the keystore is not there, an NPE is thrown when calling the remove method.
2021-07-21 14:13:22 +02:00
Pedro Igor
d29d945cc4
[KEYCLOAK-18857] - Do not force default to RS256 when verifying tokens sent by clients and JWK does not hold an algorithm
2021-07-21 11:09:02 +02:00
Takashi Norimatsu
2c019c9ce5
KEYCLOAK-18832 FAPI-CIBA-ID1 conformance test : need to return 401 error=invalid_client if client authentication is not successfully completed on Backchannel Authentication endpoint
2021-07-21 10:13:55 +02:00
Takashi Norimatsu
8df36fbf28
KEYCLOAK-18828 FAPI-CIBA-ID1 conformance test : Additional checks of signed authentication request
2021-07-21 08:19:19 +02:00
Takashi Norimatsu
61fcbb307b
KEYCLOAK-18830 FAPI-CIBA-ID1 conformance test : HolderOfKeyEnforcerExecutor needs to be executed on CIBA token request
2021-07-21 08:07:50 +02:00
Pedro Igor
54a0e84070
[KEYCLOAK-18741] - Review error messages when validating PAR requests
2021-07-20 14:08:49 -03:00
Pedro Igor
7f34af4016
Revert "[KEYCLOAK-18425] - Allow mapping user profile attributes"
...
This reverts commit 3e07ca3c
2021-07-20 14:08:09 -03:00
mposolda
db7e247f7b
KEYCLOAK-18848 KEYCLOAK-18850 Enable CIBA and PAR by default
2021-07-20 15:59:06 +02:00
Takashi Norimatsu
f154b0b209
KEYCLOAK-18831 FAPI-CIBA-ID1 conformance test : need to return 400 if user authentication is not successfully completed
2021-07-20 10:46:16 +02:00
Takashi Norimatsu
e2c5fa20a2
KEYCLOAK-18849 Client Policy - Condition : ClientRolesCondition needs to be evaluated on PAR endpoint
2021-07-20 09:41:48 +02:00
Pedro Igor
396a78bcc4
[KEYCLOAK-18723] - Configurable constraints for request object encryption
2021-07-20 09:28:09 +02:00
Pedro Igor
730d4e8ac9
[KEYCLOAK-18807] - Fixing claims in JARM responses
2021-07-20 08:23:33 +02:00
Pedro Igor
13a08362d4
[KEYCLOAK-18819] - SecureResponseType executor shall allow response_type=code when using JARM and response_mode=jwt
2021-07-20 08:16:19 +02:00
Takashi Norimatsu
f76c07476c
KEYCLOAK-18827 FAPI-CIBA-ID1 conformance test : Client JWT authentication should allow Backchannel Authentication endpoint as audience
2021-07-20 06:39:28 +02:00
Takashi Norimatsu
02a9eb442d
KEYCLOAK-18829 FAPI-CIBA-ID1 conformance test : ClientRolesCondition needs to be evaluated on CIBA backchannel authentication request and token request
2021-07-20 06:31:10 +02:00
Pedro Igor
fe4e089e81
[KEYCLOAK-18745] - Client JWT authentication should allow PAR endpoint as audience
2021-07-19 14:23:53 -03:00
Vlastimil Elias
61aa4e6a70
KEYCLOAK-18750 - Set "Email Verified" to false when email changed in
...
UserProfile Provider
2021-07-19 11:19:29 -03:00
Takashi Norimatsu
f188f02d03
KEYCLOAK-18826 FAPI-CIBA-ID1 conformance test : ID Token needs to include auth_time claim
2021-07-19 15:11:23 +02:00
Takashi Norimatsu
63f04c1118
KEYCLOAK-18683 Client policy executor for checking that Backchannel signed request algorithms match FAPI compliant algorithms
2021-07-19 14:48:31 +02:00
Pedro Igor
a79d28f115
[KEYCLOAK-18729] - Support JAR when using PAR
2021-07-19 11:42:20 +02:00