Commit graph

2398 commits

Author SHA1 Message Date
Erik Jan de Wit
93a1374558 KEYCLOAK-11129 coalesce possible null values 2020-02-27 09:11:29 +01:00
Pedro Igor
1c71eb93db [KEYCLOAK-11576] - Properly handling redirect_uri parser errors 2020-02-27 08:29:06 +01:00
stianst
950eae090f KEYCLOAK-13054 Unblock temporarily disabled user on password reset, and remove invalid error message 2020-02-27 08:05:46 +01:00
vmuzikar
de8ba75399 KEYCLOAK-12635 KEYCLOAK-12935 KEYCLOAK-13023 UI test fixes 2020-02-26 15:54:44 -03:00
Martin Bartoš
eaaff6e555
KEYCLOAK-12958 Preview feature profile for WebAuthn (#6780)
* KEYCLOAK-12958 Preview feature profile for WebAuthn

* KEYCLOAK-12958 Ability to enable features having EnvironmentDependent providers without restart server

* KEYCLOAK-12958 WebAuthn profile product/project

Co-authored-by: Marek Posolda <mposolda@gmail.com>
2020-02-26 08:45:26 +01:00
stianst
9e47022116 KEYCLOAK-8044 Clear theme caches on hot-deploy 2020-02-20 08:50:10 +01:00
stianst
d8d81ee162 KEYCLOAK-12268 Show page not found for /account/log if events are disabled for the realm 2020-02-20 08:49:30 +01:00
stianst
9a3a358b96 KEYCLOAK-11700 Lower-case passwords before checking with password blacklist 2020-02-20 08:33:46 +01:00
stianst
536824beb6 KEYCLOAK-12960 Use Long for time based values in JsonWebToken 2020-02-19 15:46:05 +01:00
Stefan Guilhen
7a3998870c [KEYCLOAK-12612][KEYCLOAK-12944] Fix validation of SAML destination URLs
- no longer compare them to the server absolutePath; instead use the base URI to build the validation URL
2020-02-18 16:38:19 -03:00
mposolda
eeeaafb5e7 KEYCLOAK-12858 Authenticator is sometimes required even when configured as alternative 2020-02-18 09:05:59 +01:00
Thomas Darimont
67ddd3b0eb KEYCLOAK-12926 Improve Locale based message lookup
We now consider intermediate Locales when performing a Locale based
ResourceBundle lookup, before using an Locale.ENGLISH fallback.

Co-authored-by: stianst <stianst@gmail.com>
2020-02-18 08:43:46 +01:00
keycloak-bot
d352d3fa8e Set version to 9.0.1-SNAPSHOT 2020-02-17 20:38:54 +01:00
Adamczyk Błażej
497787d2cd [KEYCLOAK-10696] - fixed missing client role attributes after import 2020-02-17 10:01:19 +01:00
mposolda
a76c496c23 KEYCLOAK-12860 KEYCLOAK-12875 Fix for Account REST Credentials to work with LDAP and social users 2020-02-14 20:24:42 +01:00
Douglas Palmer
876086c846 [KEYCLOAK-12161] "Back to Application" link is shown with link to current page 2020-02-14 10:37:32 -03:00
stianst
f0e3122792 KEYCLOAK-12953 Ignore empty realm frontendUrl 2020-02-14 11:33:07 +01:00
stianst
42773592ca KEYCLOAK-9632 Improve handling of user locale 2020-02-14 08:32:20 +01:00
Pedro Igor
7efaf9869a [KEYCLOAK-12864] - OIDCIdentityProvider with Reverse Proxy 2020-02-13 15:01:10 +01:00
mabartos
90b35cc13d KEYCLOAK-10420 Broker tests don't work with RH-SSO 2020-02-12 18:33:55 +01:00
mabartos
1bdf77f409 KEYCLOAK-12065 UserSessionInitializerTest is failing 2020-02-12 17:39:28 +01:00
mhajas
c3f0b342bf KEYCLOAK-12964 Fix adapter remote tests execution deciding 2020-02-12 16:04:44 +01:00
mhajas
1bb238d20f KEYCLOAK-12950 Use maven-plugin to configure shrinkwrap resolver 2020-02-12 16:04:44 +01:00
mhajas
f28ca30e6d KEYCLOAK-12963 Exclude testNoPortInDestination test for remote container 2020-02-12 13:18:51 +01:00
Peter Zaoral
b0ffea699e KEYCLOAK-12186 Improve the OTP login form
-created and implemented login form design, where OTP device can be selected
-implemented selectable-card-view logic in jQuery
-edited related css and ftl theme resources
-fixed affected BrowserFlow tests

Signed-off-by: Peter Zaoral <pzaoral@redhat.com>
2020-02-12 11:25:02 +01:00
vramik
3d22644bbe KEYCLOAK-12237 Fix WelcomePageTest on Postgresql 2020-02-12 10:43:29 +01:00
Peter Skopek
622a97bd1c KEYCLOAK-12228 Sensitive Data Exposure
from patch of hiba haddad haddadhiba0@gmail.com
2020-02-12 09:57:31 +01:00
stianst
3c0cf8463a KEYCLOAK-12821 Check if action is disabled in realm before executing 2020-02-12 09:04:43 +01:00
stianst
6676b9bba0 Fix 2020-02-12 08:23:25 +01:00
stianst
0b8adc7874 KEYCLOAK-12921 Fix NPE in client validation on startup 2020-02-12 08:23:25 +01:00
stianst
dda829710e KEYCLOAK-12829 Require PKCE for admin and account console 2020-02-12 08:22:20 +01:00
Thomas Darimont
7969aed8e0 KEYCLOAK-10931 Trigger UPDATE_PASSWORD event on password update via AccountCredentialResource 2020-02-11 19:51:58 +01:00
Martin Kanis
1d54f2ade3 KEYCLOAK-9563 Improve access token checks for userinfo endpoint 2020-02-11 15:09:21 +01:00
mhajas
e5935d8069 KEYCLOAK-12764 Fix shrinkwrap issue by updating arquillian bom version 2020-02-08 10:51:48 +01:00
stianst
ecec20ad59 KEYCLOAK-12193 Internal error message returned in error response 2020-02-07 18:10:41 +01:00
Pedro Igor
da0e2aaa12 [KEYCLOAK-12897] - Policy enforcer should just deny when beare is invalid 2020-02-07 15:04:45 +01:00
mabartos
a5d02d62c1 KEYCLOAK-12908 TOTP not accepted in request for Access token 2020-02-07 13:17:05 +01:00
stianst
5d1fa8719e KEYCLOAK-12190 Fix PartialImportTest for client validation 2020-02-07 11:44:09 +01:00
stianst
7545749632 KEYCLOAK-12190 Add validation for client root and base URLs 2020-02-07 09:09:40 +01:00
Pedro Igor
fc514aa256 [KEYCLOAK-12792] - Invalid nonce handling in OIDC identity brokering 2020-02-06 13:16:01 +01:00
Pedro Igor
199e5dfa3e [KEYCLOAK-12909] - Keycloak uses embedded cache manager instead of container-managed one 2020-02-06 13:14:36 +01:00
Dmitry Telegin
b6c5acef25 KEYCLOAK-7969 - SAML users should not be identified by SAML:NameID 2020-02-06 08:53:31 +01:00
Axel Messinese
b73553e305 Keycloak-11526 search and pagination for roles 2020-02-05 15:28:25 +01:00
mhajas
66350f415c KEYCLOAK-12849 Exclude SameSite tests in non-SSL test runs 2020-02-05 11:44:07 +01:00
rmartinc
d39dfd8688 KEYCLOAK-12654: Data to sign is incorrect in redirect binding when URI has parameters 2020-02-05 11:30:28 +01:00
Martin Bartoš
b0c4913587
KEYCLOAK-12177 KEYCLOAK-12178 WebAuthn: Improve usability (#6710) 2020-02-05 08:35:47 +01:00
Thomas Darimont
42fdc12bdc
KEYCLOAK-8573 Invalid client credentials should return Unauthorized status (#6725) 2020-02-05 08:27:15 +01:00
vmuzikar
0801cfb01f KEYCLOAK-12105 Add UI tests for Single page to manage credentials 2020-02-04 15:18:52 -03:00
rmartinc
5b9eb0fe19 KEYCLOAK-10884: Need clock skew for SAML identity provider 2020-02-03 22:00:44 +01:00
Jan Lieskovsky
b532570747
[KEYCLOAK-12168] Various setup TOTP screen usability improvements (#6709)
On both the TOTP account and TOTP login screens perform the following:
* Make the "Device name" label optional if user registers the first
  TOTP credential. Make it mandatory otherwise,
* Denote the "Authenticator code" with asterisk, so it's clear it's
  required field (always),
* Add sentence to Step 3 of configuring TOTP credential explaining
  the user to provide device name label,

Also perform other CSS & locale / messages file changes, so the UX is
identical when creating OTP credentials on both of these pages

Add a corresponding testcase

Also address issues pointed out by mposolda's review. Thanks, Marek!

Signed-off-by: Jan Lieskovsky <jlieskov@redhat.com>
2020-02-03 19:34:28 +01:00
Marek Posolda
154bce5693
KEYCLOAK-12340 KEYCLOAK-12386 Regression in credential handling when … (#6668) 2020-02-03 19:23:30 +01:00
vramik
337e8f8fad KEYCLOAK-12240 MigrationModelTest fails in pipeline 2020-02-03 13:14:53 +01:00
Leon Graser
01a42f417f Search and Filter for the count endpoint 2020-02-03 09:36:30 +01:00
Pedro Igor
ed2d392a3d [KEYCLOAK-9666] - Entitlement request with service account results in server error 2020-02-03 08:57:56 +01:00
Pedro Igor
658a083a0c [KEYCLOAK-9600] - Find by name in authz client returning wrong resource 2020-02-03 08:57:20 +01:00
Jan Lieskovsky
00a36e5f7b
[KEYCLOAK-12865] Stabilize distribution profile (#6712)
Signed-off-by: Jan Lieskovsky <jlieskov@redhat.com>
2020-02-01 13:31:54 +01:00
rmartinc
1989483401 KEYCLOAK-12001: Audience support for SAML clients 2020-01-31 15:56:40 +01:00
Marek Posolda
d8e450719b
KEYCLOAK-12469 KEYCLOAK-12185 Implement nice design to the screen wit… (#6690)
* KEYCLOAK-12469 KEYCLOAK-12185 Add CredentialTypeMetadata. Implement the screen with authentication mechanisms and implement Account REST Credentials API by use the credential type metadata
2020-01-31 14:28:23 +01:00
Bart Monhemius
52fd2b4aa4 KEYCLOAK-12698: Allow setting lifespan on executeActionsEmail 2020-01-31 09:27:07 +01:00
Pedro Igor
c37ca235ab [KEYCLOAK-11352] - Can't request permissions by name by a non-owner resource service, although the audience is set 2020-01-30 11:36:21 +01:00
Pedro Igor
2a82ed6eea [KEYCLOAK-9402] - 401 response when enforcement mode is DISABLED 2020-01-30 11:09:32 +01:00
Pedro Igor
873c62bbef [KEYCLOAK-12569] - User cannot be deleted if he has owned resources / permission tickets
Co-authored-by: mhajas <mhajas@redhat.com>
2020-01-30 11:08:28 +01:00
Pedro Igor
c821dcf820 [KEYCLOAK-12438] - Scope-based policies falsely give a permit with an empty scope list 2020-01-29 14:02:44 +01:00
Marek Posolda
d46620569a
KEYCLOAK-12174 WebAuthn: create authenticator, requiredAction and policy for passwordless (#6649) 2020-01-29 09:33:45 +01:00
Takashi Norimatsu
993ba3179c KEYCLOAK-12615 HS384 and HS512 support for Client Authentication by Client Secret Signed JWT (#6633) 2020-01-28 14:55:48 +01:00
Stian Thorgersen
87cab778eb KEYCLOAK-11996 Authorization Endpoint does not return an error when a request includes a parameter more than once (#6696)
Co-authored-by: stianst <stianst@gmail.com>

Co-authored-by: Takashi Norimatsu <takashi.norimatsu.ws@hitachi.com>
2020-01-24 12:10:56 +01:00
Denis Richtárik
24c6e2ba08 KEYCLOAK-12742 Authentication -> WebAuthn Policy: Unable to delete the Acceptable AAGUIDS via the provided minus (-) button, once set (#6695) 2020-01-24 11:55:20 +01:00
Leon Graser
f1ddd5016f KEYCLOAK-11821 Add account api roles to the client on creation
Co-authored-by: stianst <stianst@gmail.com>
2020-01-23 13:10:04 -06:00
Martin Kanis
1fbee8134b KEYCLOAK-12697 Remove mvel2 from parent pom and licenses 2020-01-23 13:04:31 -06:00
Benjamin Weimer
dd9ad305ca KEYCLOAK-12757 New Identity Provider Mapper "Advanced Claim to Role Mapper" with
following features

    * Regex support for claim values.
    * Support for multiple claims.
2020-01-23 07:17:22 -06:00
mposolda
f0d95da52d KEYCLOAK-12281 Fix export/import for users that have custom credential algorithms with no salt 2020-01-23 05:43:29 -06:00
Denis Richtárik
8d312d748b KEYCLOAK-12163 Old account console: UI not updated after removing of TOTP (#6688) 2020-01-22 12:26:28 +01:00
vmuzikar
03306b87e8 KEYCLOAK-12125 Introduce SameSite attribute in cookies
Co-authored-by: mhajas <mhajas@redhat.com>
Co-authored-by: Peter Skopek <pskopek@redhat.com>
2020-01-17 08:36:53 -03:00
vmuzikar
475ec6f3e4 Add tests for 'Always Display in Console' 2020-01-17 08:35:01 -03:00
Stan Silvert
568b1586a6 KEYCLOAK-12526: Add 'Always Display in Console' to admin console 2020-01-17 08:35:01 -03:00
Martin Bartos RH
d3f6937a23 [KEYCLOAK-12426] Add username to the login form + ability to reset login 2020-01-17 09:40:13 +01:00
mposolda
85dc1b3653 KEYCLOAK-12426 Add username to the login form + ability to reset login - NOT DESIGN YET 2020-01-17 09:40:13 +01:00
Tomas Kyjovsky
05c428f6e7 KEYCLOAK-12295 After password reset, the new password has low priority (#6653) 2020-01-16 09:11:25 +01:00
Martin Bartoš
5aab03d915 [KEYCLOAK-12184] Remove BACK button from login forms (#6657) 2020-01-15 12:25:37 +01:00
Axel Messinese
789e8c70ce KEYCLOAK-12630 full representation param for get groups by user endpoint 2020-01-15 10:14:52 +01:00
Axel Messinese
72aff51fca KEYCLOAK-12670 inconsistent param name full to briefRepresentation 2020-01-15 08:32:57 +01:00
Marek Posolda
8d49409de1
KEYCLOAK-12183 Refactor login screens. Introduce try-another-way link. Not show many credentials of same type in credential selector (#6591) 2020-01-14 21:54:45 +01:00
k-tamura
221aad9877 KEYCLOAK-11511 Improve exception handling of REST user creation 2020-01-14 13:34:34 +01:00
vramik
3b1bdb216a KEYCLOAK-11486 Add support for system property or env variable in AllowedClockSkew in keycloak-saml subsystem 2020-01-14 13:17:13 +01:00
mhajas
a79d6289de KEYCLOAK-11416 Fix nil AttributeValue handling 2020-01-10 12:47:09 +01:00
vramik
a2b3747d0e KEYCLOAK-7014 - Correctly handle null-values in UserAttributes 2020-01-10 12:44:52 +01:00
Pedro Igor
03bbf77b35 [KEYCLOAK-12511] - Mapper not visible in client's mapper list 2020-01-09 10:25:06 +01:00
mposolda
fea7b4e031 KEYCLOAK-12424 SPNEGO / Kerberos sends multiple 401 responses with WWW-Authenticate: Negotiate header when kerberos token is invalid 2020-01-09 10:21:24 +01:00
Thomas Darimont
062cbf4e0a KEYCLOAK-9925 Use Client WebOrigins in UserInfoEndpoint
We now use the allowed WebOrigins configured for the client
for which the user info is requested.

Previously, Web Origins defined on the Client were not being recognized
by the /userinfo endpoint unless you apply the "Allowed Web Origins"
protocol mapper.
This was an inconsistency with how the Web Origins work compared
with the /token endpoint.
2020-01-09 10:10:59 +01:00
Pedro Igor
dae212c035 [KEYCLOAK-12312] - Partial import of realm breaking access to client's service account roles 2020-01-09 10:06:32 +01:00
Pedro Igor
c596647241 [KEYCLOAK-11712] - Request body not buffered when using body CIP in Undertow 2020-01-09 10:02:18 +01:00
Pedro Igor
709cbfd4b7 [KEYCLOAK-10705] - Return full resource representation when querying policies by id 2020-01-09 10:00:24 +01:00
vramik
419d9c6351 KEYCLOAK-11597 Remote testing changes + possibility to exclude tests for specific auth server
Co-Authored-By: <mhajas@redhat.com>
2020-01-06 14:29:36 +01:00
Thomas Darimont
1a7aeb9b20 KEYCLOAK-8249 Improve extraction of Bearer tokens from Authorization headers (#6624)
We now provide a simple way to extract the Bearer token string from
Authorization header with a null fallback.

This allows us to have more fine grained error handling for the
various endpoints.
2020-01-06 13:58:52 +01:00
mhajas
28b01bc34d KEYCLOAK-12609 Fix integer overflow for SAML XMLTimeUtil add method parameters 2020-01-06 13:53:16 +01:00
Yoshiyuki Tabata
e96725127f KEYCLOAK-12165 Fix UserSessionProviderTest to work correctly (#6513) 2020-01-02 17:57:14 +01:00
Marek Posolda
fa453e9c0c
KEYCLOAK-12278 Default first broker login flow is broken after migration (#6556) 2020-01-02 17:53:56 +01:00
Pedro Igor
56d53b191a [KEYCLOAK-8779] - Fixing PartialImportTest 2019-12-28 06:24:19 -03:00
rmartinc
401d36b446 KEYCLOAK-8779: Partial export and import to an existing realm is breaking clients with service accounts 2019-12-27 15:59:38 -03:00
Thomas Darimont
0219d62f09 KEYCLOAK-6867 UserInfoEndpoint should return WWW-Authenticate header for Invalid tokens
As required by the OIDC spec (1) we now return a proper WWW-Authenticate
response header if the given token is invalid.

1) https://openid.net/specs/openid-connect-core-1_0.html#UserInfoError
2019-12-23 07:42:06 -03:00