Commit graph

4615 commits

Author SHA1 Message Date
Erik Jan de Wit
f088b0009c
initial ui for organizations (#29643)
* initial screen

Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>

* more screens

Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>

* added members tab

Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>

* added the backend

Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>

* added member add / invite models

Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>

* initial version of the identity provider section

Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>

* add link and unlink providers

Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>

* small fix

Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>

* PR comments

Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>

* Do not validate broker domain when the domain is an empty string

Closes #29759

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>

* added filter and value

Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>

* added test

Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>

* added first name last name

Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>

* refresh menu when realm organization is changed

Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>

* changed to record

Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>

* changed to form data

Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>

* fixed lint error

Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>

* Changing name of invitation parameters

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>

* Chancing name of parameters on the client

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>

* Enable organization at the realm before running tests

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>

* Domain help message

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>

* Handling model validation errors when creating organizations

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>

* Message key for organizationDetails

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>

* Do not change kc.org attribute on group

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>

* add realm into the context

Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>

* tests

Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>

* Changing button in invitation model to use Send instead of Save

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>

* Better message when validating the organization domain

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>

* Fixing compilation error after rebase

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>

* fixed test

Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>

* removed wait as it no longer required and skip flacky test

Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>

* skip tests that are flaky

Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>

* stabilize user create test

Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>

---------

Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-05-29 14:34:02 +02:00
Thomas Darimont
4edb204777 Add reason details in event before error event is submitted for broken SAML requests (#29948)
Previously the reason was omitted in the details because it was set after the event was already submitted.

Fixes #29948

Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
2024-05-29 08:34:28 +02:00
Pedro Igor
bbb83236f5 Do not lower-case the username from the IdP when creating the federated identity
Closes #28495

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-05-29 01:58:20 -03:00
mposolda
49a2aaf7bc Adding realmName to be logged by jboss-logging event listener
closes #27506

Signed-off-by: mposolda <mposolda@gmail.com>
2024-05-28 18:41:43 +02:00
Francis Pouatcha
583054b929
Enhancement: Add support for RSA encryption key imports in JavaKeystoreKeyProvider (#29853)
closes #29852 

Signed-off-by: Francis Pouatcha <francis.pouatcha@adorsys.com>
2024-05-28 13:56:20 +02:00
Stefan Guilhen
694ffaf289 Allow organizations in different realms to have the same domain
Closes #29886

Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2024-05-28 08:02:30 -03:00
Francis Pouatcha
4317a474d1
JWT VC Issuer Metadata /.well-known/jwt-vc-issuer to comply with SD-JWT VC Specification (#29635)
closes #29634 

Signed-off-by: Francis Pouatcha <francis.pouatcha@adorsys.com>


Co-authored-by: DYLANE BENGONO <85441363+bengo237@users.noreply.github.com>
2024-05-28 12:51:56 +02:00
Sebastian Prehn
b5d0154bb1 Improve documentation on ClientRolemappingsRessource
Closes #29266

Signed-off-by: Sebastian Prehn <sebastian.prehn@ero.eu>
2024-05-28 09:06:31 +02:00
BaptisteMcd
8d76ce3f54
Fix: Added LDSigningServiceProvider entry for LD-Credentials/VCDM
Closes #29885

Signed-off-by: Baptiste Marchand <baptiste.marchand01@gmail.com>
2024-05-27 14:42:09 +00:00
Stefan Wiedemann
5a68056f2a
Fix oid4vc mappers
Closes #29805

Signed-off-by: Stefan Wiedemann <wistefan@googlemail.com>
2024-05-27 11:28:46 +02:00
Francis Pouatcha
29dee7ec63
Fix: Corrected media type/format string for SD-JWT-VC
Closes #29620

Signed-off-by: Francis Pouatcha <francis.pouatcha@adorsys.com>
2024-05-27 10:13:36 +02:00
Pedro Igor
2d4d32764c Show a message when confirming an invitation link
Closes #29794

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-05-27 08:33:22 +02:00
rmartinc
b258b459d7 Generate RESTART_AUTHENTICATION event on success
Closes #29385

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-05-23 19:08:22 +02:00
vramik
0508d279f7 Filter empty domains from OrganizationsRepresentation before running validation
Closes #29809

Signed-off-by: vramik <vramik@redhat.com>
2024-05-23 09:53:51 -03:00
Daniel Fesenmeyer
c08621fa63 Always order required actions by priority (regardless of context)
- AuthenticationManager#actionRequired: make sure that the highest prioritized required action is performed first, possibly before the currently requested required action
- AuthenticationManager#nextRequiredAction: make sure that the next action is requested via URL, also based on highest priority (-> requested URL will match actually performed action, unless required actions for the user are changed by a parallel operation)
- add tests to RequiredActionPriorityTest, add helper method for priority setup to ApiUtil (for easier and more robust setup than up-to-now)
- fix test WebAuthnRegisterAndLoginTest - which failed because WebAuthnRegisterFactory (prio 70) is now executed before WebAuthnPasswordlessRegisterFactory (prio 80)

Closes #16873

Signed-off-by: Daniel Fesenmeyer <daniel.fesenmeyer@bosch.com>
2024-05-23 09:07:56 +02:00
Thomas Darimont
ab376d9101 Make required actions configurable (#28400)
- Add tests for crud operations on configurable required actions
- Add support exposing the required action configuration via RequiredActionContext
- Make configSaveError message reusable in other contexts
- Introduced admin-ui specific endpoint for retrieving required actions with config metadata

Fixes #28400

Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
Co-authored-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
2024-05-23 08:38:36 +02:00
Stefan Guilhen
37f85937a7 Move organization authenticator into conditional subflows in the default browser and first broker login flows
Closes #29446

Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2024-05-22 20:48:29 -03:00
vramik
1e597cca3e Split OrganizationResource into OrganizationResource and OrganizationsResource
Closes #29574

Signed-off-by: vramik <vramik@redhat.com>
2024-05-22 07:58:26 -03:00
vramik
278341aff9 Add organizations enabled/disabled capability
Closes #28804

Signed-off-by: vramik <vramik@redhat.com>
2024-05-22 07:58:26 -03:00
Francis Pouatcha
542fc65923
Issue 29627: Expose Authorization Server Metadata Endpoint under /.well-known/oauth-authorization-server to comply with rfc8414 (#29628)
closes #29627 

Signed-off-by: Francis Pouatcha <francis.pouatcha@adorsys.com>
Signed-off-by: Takashi Norimatsu <takashi.norimatsu.ws@hitachi.com>


Co-authored-by: Takashi Norimatsu <takashi.norimatsu.ws@hitachi.com>
2024-05-22 10:30:34 +02:00
rmartinc
f7044ba5c2 Use SessionExpirationUtils for validate user and client sessions
Check client session is valid in TokenManager
Closes #24936

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-05-22 10:12:20 +02:00
Case Walker
f32cd91792 Upgrade owasp-java-html-sanitizer, address all fallout
Signed-off-by: Case Walker <case.b.walker@gmail.com>
2024-05-22 09:15:25 +02:00
Raffaele Lucca
a5a55dc66e
Protocol now is mandatory during client scope creation. (#29544)
closes #29027

Signed-off-by: raff897 <85362193+raff897@users.noreply.github.com>
2024-05-22 09:10:46 +02:00
Patrick Jennings
84acc953dd
Client type OIDC base read only defaults (#29706)
closes #29742
closes #29422

Signed-off-by: Patrick Jennings <pajennin@redhat.com>
2024-05-22 09:07:19 +02:00
rmartinc
9dfaab6d82 Invalid default/options in JavaKeystoreKeyProviderFactory algorithm property
Closes #29426

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-05-22 08:49:45 +02:00
Pedro Igor
b019cf6129 Support unmanaged attributes for service accounts and make sure they are only managed through the admin api
Closes #29362

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-05-21 16:56:18 -03:00
Marek Posolda
6dc28bc7b5
Clarify the documentation about step-up authentication (#29735)
closes #28341

Signed-off-by: mposolda <mposolda@gmail.com>


Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com>
2024-05-21 19:46:27 +02:00
Martin Kanis
97cd5f3b8d Provide an additional endpoint to allow sending both invitation and registration links depending on the email being associated with an user or not
Closes #29482

Signed-off-by: Martin Kanis <mkanis@redhat.com>
2024-05-21 12:29:10 -03:00
Hynek Mlnarik
65fcd44fe1 Use admin console correctly in KeycloakIdentity
Fixes: #29688

Signed-off-by: Hynek Mlnarik <hmlnarik@redhat.com>
2024-05-21 13:35:44 +02:00
rmartinc
3304540855 Allow admin console whoami endpoint to applications that have a special attribute
Closes #29640

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-05-20 09:51:07 +02:00
Richard van den Berg
cb3f248d73 Document getGroupById() will not set subGroups in JavaDoc
Closes #27787

Signed-off-by: Richard van den Berg <richard@vdberg.org>
2024-05-17 17:05:25 +02:00
Filipe Roque
e83f3af080 Call super constructor in subclasses of WebApplicationException
Frameworks like Datadog dd-trace-java java agent inspect the known WebApplicationException
and mark the exception as an HTTP 500, because that is the default for the
non argument constructor.

https://github.com/keycloak/keycloak/issues/29451

Signed-off-by: Filipe Roque <froque@premium-minds.com>
2024-05-17 16:25:59 +02:00
Ricardo Martin
74a80997c7
Fix CRL verification failing due to client cert not being in chain (#29582)
closes #19853

Signed-off-by: Micah Algard <micahalgard@gmail.com>
Signed-off-by: rmartinc <rmartinc@redhat.com>


Co-authored-by: Micah Algard <micahalgard@gmail.com>
Co-authored-by: rmartinc <rmartinc@redhat.com>
2024-05-17 11:28:07 +02:00
Stefan Guilhen
bfa4660ecd Add OpenAPI documentation for the Organization API
Closes #29479

Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2024-05-16 14:59:30 -03:00
Takashi Norimatsu
b4e7d9b1aa
Passkeys: Supporting WebAuthn Conditional UI (#24305)
closes #24264

Signed-off-by: Takashi Norimatsu <takashi.norimatsu.ws@hitachi.com>
Signed-off-by: mposolda <mposolda@gmail.com>


Co-authored-by: mposolda <mposolda@gmail.com>
2024-05-16 07:58:43 +02:00
rmartinc
89d7108558 Restrict access to whoami endpoint for the admin console and users with realm access
Closes #25219

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-05-15 19:06:57 +02:00
Pedro Igor
b4d231fd40 Fixing realm removal when removing groups and brokers associated with an organization
Closes #29495

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-05-14 14:29:27 +02:00
Pedro Igor
b5a854b68e
Minor improvements to invitation email templates (#29498)
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-05-14 13:19:02 +02:00
Pedro Igor
1b583a1bab Email validation for managed members should only fail if it does not match the domain set to a broker
Closes #29460

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-05-14 10:46:22 +02:00
mposolda
d8a7773947 Adding dummyHash to DirectGrant request in case user does not exists. Fix dummyHash for normal login requests
closes #12298

Signed-off-by: mposolda <mposolda@gmail.com>
2024-05-13 16:33:29 +02:00
kaustubh-rh
8a82b6b587
Added a check in ClientInitialAccessResource (#29353)
closes #29311

Signed-off-by: Kaustubh Bawankar <kbawanka@redhat.com>
2024-05-13 13:00:36 +02:00
vramik
fbdaf03972 Ensure master realm can't be removed
Fixes #28896

Signed-off-by: vramik <vramik@redhat.com>
2024-05-13 07:47:48 -03:00
rmartinc
2cc051346d Allow empty CSP header in headers provider
Closes #29458

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-05-13 10:51:31 +02:00
Pedro Igor
b50d481b10 Make sure organization groups can not be managed but when managing an organization
Closes #29431

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-05-10 21:28:11 -03:00
Stefan Guilhen
f0620353a4 Ensure master realm can't be removed
Closes #28896

Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2024-05-10 16:56:18 -03:00
Stefan Guilhen
ceed7bc120 Add ability to search organizations by attribute
Closes #29411

Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2024-05-10 16:45:41 -03:00
Pedro Igor
77b58275ca Improvements to the organization authentication flow
Closes #29416
Closes #29417
Closes #29418

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-05-09 16:07:52 -03:00
Pedro Igor
a65508ca13 Simplifying the CORS SPI and the default implementation
Closes #27646

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-05-08 12:27:55 -03:00
Thomas Darimont
6ba8b3faa2 Revise ObjectMapper construction (#16295)
Previously an ObjectMapper was created multiple times during startup:
two times during bootstrap and one additional time for the first request sent to Keycloak.
Additionally jackson modules, e.g. support for JSR310 java.time types
were not registered event-though they are present on the classpath.

This PR revises the initialization of the ObjectMapper.

- Ensure ObjectMapper is only initialized once
- Ensure that jackson modules on the classpath are properly

Fixes #16295

Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
2024-05-07 19:04:43 +02:00
Martin Kanis
d4b7e1a7d9 Prevent to manage groups associated with organizations from different APIs
Closes #28734

Signed-off-by: Martin Kanis <mkanis@redhat.com>
2024-05-07 11:16:40 -03:00