libre.sh/keycloak-scim
4
0
Fork 0
Code Issues 15 Pull requests Releases 1 Activity Actions
12471 commits 4 branches 9 tags 483 MiB
Commit graph

626 commits

Author SHA1 Message Date
vmuzikar
001fe9eb11 KEYCLOAK-13206 Session Status iframe cannot access cookies when 3rd party cookies are blocked 
Co-authored-by: mhajas <mhajas@redhat.com>
 2020-06-30 17:11:20 -03:00
Hiroyuki Wada
f73b51818b KEYCLOAK-14113 Support for exchanging to SAML 2.0 token 2020-06-19 22:08:42 +02:00
Martin Bartos
ec9bf6206e [KEYCLOAK-13202] Reset password redirects to account client 2020-06-18 13:08:36 +02:00
Yoshiyuki Tabata
f03ee2ec98 KEYCLOAK-14145 OIDC support for Client "offline" session lifespan 2020-06-04 14:24:52 +02:00
Pedro Igor
e8dc10b4a1 [KEYCLOAK-11330] - Properly handling POST formdata and UriInfo 2020-06-02 09:36:40 +02:00
Youssef El Houti
086bdd1700 add optional field at_hash to idToken when using Authorization Code flow since it improves performance and allows to follow the recommandation in RFC for clients to use hash for access_token validation 2020-05-27 07:34:05 +02:00
Takashi Norimatsu
be0ba79daa KEYCLOAK-7997 Implement Client Registration Metadata based on Mutual TLS 2020-05-19 17:00:41 +02:00
Yoshiyuki Tabata
f7d00fc2e9 KEYCLOAK-13844 "exp" claim should not be "0" when using offline token 2020-05-12 16:14:37 +02:00
Agniswar Mandal
8646d0668a KEYCLOAK-14072 docker-compose.yaml file generated creates an invalid urls 
* Updated Invalid URLs

The docker-compose.yaml file generated creates an invalid url for REGISTRY_AUTH_TOKEN_REALM and REGISTRY_AUTH_TOKEN_ISSUER. Fixed

* KEYCLOAK-14072 JIRA#14072

Test coverage fix for the the JIRA#14072
 2020-05-07 08:40:52 +02:00
Takashi Norimatsu
0d0617d44a KEYCLOAK-13720 Specify Signature Algorithm in Signed JWT Client Authentication 2020-05-05 17:43:00 +02:00
Hynek Mlnarik
32f13016fa KEYCLOAK-12874 Align Destination field existence check with spec 2020-05-04 09:19:44 +02:00
Martin Kanis
aa309b96a8 KEYCLOAK-13682 NPE when refreshing token after enabling consent 2020-04-30 08:46:21 +02:00
stianst
a77c35ea8f KEYCLOAK-14009 Add fix for token revocation endpoint 2020-04-29 17:22:25 +02:00
Yoshiyuki Tabata
874642fe9e KEYCLOAK-12406 Add "Client Session Max" and "Client Session Idle" for OIDC 2020-04-28 15:34:25 +02:00
stianst
5b017e930d KEYCLOAK-13128 Security Headers SPI and response filter 2020-04-28 15:28:24 +02:00
Yoshiyuki Tabata
b40c12c712 KEYCLOAK-5325 Provide OAuth token revocation capability 2020-04-28 15:25:22 +02:00
Stefan Guilhen
da1138a8d2 [KEYCLOAK-13005] Make sure the master URL is used if the consumer POST or REDIRECT URL is an empty string 
- Fixes issue where admin console sets an empty string when the consumer POST or REDIRECT URL is deleted
 2020-04-27 14:25:03 +02:00
Martin Idel
7e8018c7ca KEYCLOAK-11862 Add Sync mode option 
- Store in config map in database and model
- Expose the field in the OIDC-IDP
- Write logic for import, force and legacy mode
- Show how mappers can be updated keeping correct legacy mode
- Show how mappers that work correctly don't have to be modified
- Log an error if sync mode is not supported

Fix updateBrokeredUser method for all mappers

- Allow updating of username (UsernameTemplateMapper)
- Delete UserAttributeStatementMapper: mapper isn't even registered
  Was actually rejected but never cleaned up: https://github.com/keycloak/keycloak/pull/4513
  The mapper won't work as specified and it's not easy to tests here
- Fixup json mapper
- Fix ExternalKeycloakRoleToRoleMapper:
  Bug: delete cannot work - just delete it. Don't fix it in legacy mode

Rework mapper tests

- Fix old tests for Identity Broker:
  Old tests did not work at all:
  They tested that if you take a realm and assign the role,
  this role is then assigned to the user in that realm,
  which has nothing to do with identity brokering
  Simplify logic in OidcClaimToRoleMapperTests
- Add SyncMode tests to most mappers
  Added tests for UsernameTemplateMapper
  Added tests to all RoleMappers
  Add test for json attribute mapper (Github as example)
- Extract common test setup(s)
- Extend admin console tests for sync mode

Signed-off-by: Martin Idel <external.Martin.Idel@bosch.io>
 2020-04-24 15:54:32 +02:00
Martin Kanis
a04c70531a KEYCLOAK-9623 Disabling logged in user will not allow other user to login after he is thrown out of his session 2020-04-23 14:40:25 +02:00
Pedro Igor
cbab159aa8 [KEYCLOAK-8071] - Properly validating requested scopes 2020-04-21 12:23:59 +02:00
Pedro Igor
b60b85ab65 [KEYCLOAK-7450] - Match subject when validating id_token returned from external OP 2020-04-06 13:43:19 +02:00
Martin Kanis
e6e0e6945d KEYCLOAK-12156 LogoutEndpoint does not verify token type of id_token_hint 
Co-authored-by: Martin Kanis <mkanis@redhat.com>
Co-authored-by: Marek Posolda <mposolda@redhat.com>
 2020-03-24 05:31:36 +01:00
mposolda
bc1146ac2f KEYCLOAK-10029 Offline token migration fix. Always test offline-token migration when run MigrationTest 2020-03-10 20:38:16 +01:00
stianst
b84160786b KEYCLOAK-12885 Make sure empty protocol in client scope doesn't result in NPE in well-known endpoint 2020-03-05 13:43:46 +01:00
stianst
b39b84c5dc KEYCLOAK-13102 Remove error log message on invalid response_type 2020-03-05 08:47:12 +01:00
vramik
7c91e36e43 KEYCLOAK-10898 WildFly Adapter CLI based installation scripts 2020-03-02 10:08:45 +01:00
Pedro Igor
1c71eb93db [KEYCLOAK-11576] - Properly handling redirect_uri parser errors 2020-02-27 08:29:06 +01:00
Stefan Guilhen
7a3998870c [KEYCLOAK-12612][KEYCLOAK-12944] Fix validation of SAML destination URLs 
- no longer compare them to the server absolutePath; instead use the base URI to build the validation URL
 2020-02-18 16:38:19 -03:00
stianst
42773592ca KEYCLOAK-9632 Improve handling of user locale 2020-02-14 08:32:20 +01:00
Peter Skopek
622a97bd1c KEYCLOAK-12228 Sensitive Data Exposure 
from patch of hiba haddad haddadhiba0@gmail.com
 2020-02-12 09:57:31 +01:00
Martin Kanis
1d54f2ade3 KEYCLOAK-9563 Improve access token checks for userinfo endpoint 2020-02-11 15:09:21 +01:00
Dmitry Telegin
b6c5acef25 KEYCLOAK-7969 - SAML users should not be identified by SAML:NameID 2020-02-06 08:53:31 +01:00
rmartinc
d39dfd8688 KEYCLOAK-12654: Data to sign is incorrect in redirect binding when URI has parameters 2020-02-05 11:30:28 +01:00
rmartinc
1989483401 KEYCLOAK-12001: Audience support for SAML clients 2020-01-31 15:56:40 +01:00
Stian Thorgersen
87cab778eb KEYCLOAK-11996 Authorization Endpoint does not return an error when a request includes a parameter more than once (#6696) 
Co-authored-by: stianst <stianst@gmail.com>

Co-authored-by: Takashi Norimatsu <takashi.norimatsu.ws@hitachi.com>
 2020-01-24 12:10:56 +01:00
Pedro Igor
03bbf77b35 [KEYCLOAK-12511] - Mapper not visible in client's mapper list 2020-01-09 10:25:06 +01:00
Thomas Darimont
062cbf4e0a KEYCLOAK-9925 Use Client WebOrigins in UserInfoEndpoint 
We now use the allowed WebOrigins configured for the client
for which the user info is requested.

Previously, Web Origins defined on the Client were not being recognized
by the /userinfo endpoint unless you apply the "Allowed Web Origins"
protocol mapper.
This was an inconsistency with how the Web Origins work compared
with the /token endpoint.
 2020-01-09 10:10:59 +01:00
Thomas Darimont
54b69bd1dc KEYCLOAK-10190 Fix NPE on missing clientSession in TokenEndpoint.codeToToken 
In certain scenarios, e.g. when an auth code from another realm login is
used to perform the code to token exchange, it can happen that the
ClientSession is null which triggered an NPE when the userSession field is accessed.

Added null check for clientSession in TokenEndpoint.codeToToken to prevent an NPE.
 2020-01-06 14:45:20 +01:00
Thomas Darimont
1a7aeb9b20 KEYCLOAK-8249 Improve extraction of Bearer tokens from Authorization headers (#6624) 
We now provide a simple way to extract the Bearer token string from
Authorization header with a null fallback.

This allows us to have more fine grained error handling for the
various endpoints.
 2020-01-06 13:58:52 +01:00
Thomas Darimont
0219d62f09 KEYCLOAK-6867 UserInfoEndpoint should return WWW-Authenticate header for Invalid tokens 
As required by the OIDC spec (1) we now return a proper WWW-Authenticate
response header if the given token is invalid.

1) https://openid.net/specs/openid-connect-core-1_0.html#UserInfoError
 2019-12-23 07:42:06 -03:00
Andrei Arlou
eed4847469 KEYCLOAK-12311 Fix minor warnings with collections in packages: forms, keys, partialimport, protocol from module "services" 2019-12-20 13:31:38 +01:00
Andrei Arlou
bb156fb2fd KEYCLOAK-12317 Fix minor warnings with modificators in packages: authentication, authorization, keys, partialimport, protocol from module "services" 2019-12-18 13:26:27 +01:00
Andrei Arlou
c61cc1a493 KEYCLOAK-12316 Simplify conditions in packages: authentication, broker, credential, protocol from module "services" 2019-12-18 13:22:36 +01:00
Andrei Arlou
da7e0ba403 KEYCLOAK-12310 Remove unused imports from packages: exportimport, forms, jose, partialimport, protocol in module "services" (#6560) 2019-12-05 14:28:47 +01:00
Martin Kanis
73d1a26040 KEYCLOAK-11773 Front-channel logout with identity brokering does not work after browser restart 2019-12-03 08:17:54 +01:00
rmartinc
82ef5b7927 KEYCLOAK-12000: Allow overriding time lifespans on a SAML client 2019-11-26 10:02:34 +01:00
Yoshiyuki Tabata
0a9d058b81 KEYCLOAK-12150 change error response from invalid_request to unsupported_grant_type 2019-11-22 11:11:07 +01:00
Yoshiyuki Tabata
a36cfee84b KEYCLOAK-12149 change error response from invalid_grant to unauthorized_client 2019-11-22 11:10:16 +01:00
Yoshiyuki Tabata
4117710379 KEYCLOAK-12019 change error response from unsupported_response_type to unauthorized_client 2019-11-22 11:03:02 +01:00
AlistairDoswald
4553234f64 KEYCLOAK-11745 Multi-factor authentication (#6459) 
Co-authored-by: Christophe Frattino <christophe.frattino@elca.ch>
Co-authored-by: Francis PEROT <francis.perot@elca.ch>
Co-authored-by: rpo <harture414@gmail.com>
Co-authored-by: mposolda <mposolda@gmail.com>
Co-authored-by: Jan Lieskovsky <jlieskov@redhat.com>
Co-authored-by: Denis <drichtar@redhat.com>
Co-authored-by: Tomas Kyjovsky <tkyjovsk@redhat.com>
 2019-11-14 14:45:05 +01:00