Commit graph

3102 commits

Author SHA1 Message Date
mposolda
821405e175 KEYCLOAK-10852 Inconsistency when using 'forgot password' after changing email directly in LDAP 2020-04-16 12:28:41 +02:00
Pedro Igor
21597b1ff2 [KEYCLOAK-13581] - Fixing client pagination when permission is enabled 2020-04-14 16:57:27 -03:00
stianst
97b5654690 KEYCLOAK-13285 Enable check identity for email 2020-04-14 19:22:57 +02:00
Pedro Igor
b60b85ab65 [KEYCLOAK-7450] - Match subject when validating id_token returned from external OP 2020-04-06 13:43:19 +02:00
mduchrow
75acc27706 KEYCLOAK-13339 NPE when removing credentials and user cache is disabled 2020-03-31 17:14:34 +02:00
mposolda
6f62c0ed98 KEYCLOAK-13442 Backwards compatibility in users searching. searchForUser(String, RealmModel, int, int) is no longer called when searching users from the admin console 2020-03-27 13:29:55 +01:00
Pedro Igor
b812159193 [KEYCLOAK-10675] - Deleting an Identity Provider doesn't remove the associated IdP Mapper for that user 2020-03-26 11:41:17 +01:00
Pedro Igor
1b8369c7d5 [KEYCLOAK-13385] - Better message when saving a provider with invalid URLs 2020-03-26 08:46:44 +01:00
keycloak-bot
f6a592b15a Set version to 9.0.4-SNAPSHOT 2020-03-24 08:31:18 +01:00
mposolda
5ddd605ee9 KEYCLOAK-13259 2020-03-24 05:32:41 +01:00
mposolda
9474dd6208 KEYCLOAK-12986 BruteForceProtector does not log failures when login failure in PostBroker flow 2020-03-24 05:32:10 +01:00
Martin Kanis
e6e0e6945d KEYCLOAK-12156 LogoutEndpoint does not verify token type of id_token_hint
Co-authored-by: Martin Kanis <mkanis@redhat.com>
Co-authored-by: Marek Posolda <mposolda@redhat.com>
2020-03-24 05:31:36 +01:00
Martin Kanis
9336d598ba KEYCLOAK-13380 Validate alignment 2020-03-24 05:12:57 +01:00
mposolda
3e82473a90 KEYCLOAK-13369 Not possible to move groups in admin console 2020-03-23 10:17:23 +01:00
Dmitry Telegin
3b24465141
KEYCLOAK-12870 - Allow to pick arbitrary user for IdP linking (#6828)
* KEYCLOAK-12870 - Allow to pick arbitrary user for IdP linking

* KEYCLOAK-12870: always allow to choose user if password reset is called from first broker login flow

* KEYCLOAK-12870: remove "already authenticated as different user" check and message

* KEYCLOAK-12870: translations

* KEYCLOAK-12870: fix tests
2020-03-20 07:41:35 +01:00
rmartinc
a8e74196d1 KEYCLOAK-4923: Client Service Account Roles are not exported 2020-03-19 11:38:33 -03:00
Takashi Norimatsu
fc58af1365 KEYCLOAK-12696 Upgrade to webauthn4j 0.10.2.RELEASE 2020-03-18 10:56:51 +01:00
Stan Silvert
fff8571cfd KEYCLOAK-12768: Prevent reserved characters in URLs 2020-03-18 07:40:24 +01:00
stianst
aece5d1b4c KEYCLOAK-5162 Add index to even table 2020-03-17 17:05:21 +01:00
mposolda
56d1ab19a8 KEYCLOAK-11412 Display more nice error message when creating top level group with same name 2020-03-16 21:03:46 +01:00
mposolda
d7688f6b12 KEYCLOAK-12869 REST sends credential type when no credential exists and credential disabled 2020-03-16 21:02:40 +01:00
Stan Silvert
1f1ed36b71 KEYCLOAK-9782: Do not allow duplicate group name when updating 2020-03-13 10:13:45 -04:00
Sebastian Laskawiec
8774a0f4ba KEYCLOAK-12881 KEYCLOAK-13099 Update FederatedIdentities and Groups on POST 2020-03-12 14:57:02 +01:00
mposolda
72e4690248 KEYCLOAK-13174 Not possible to delegate creating or deleting OTP credential to userStorage 2020-03-11 12:51:56 +01:00
rmartinc
ad3b9fc389 KEYCLOAK-12579: LDAP groups duplicated during UI listing of user groups 2020-03-11 06:14:29 +01:00
mposolda
bc1146ac2f KEYCLOAK-10029 Offline token migration fix. Always test offline-token migration when run MigrationTest 2020-03-10 20:38:16 +01:00
Pedro Igor
b7a395a3ef [KEYCLOAK-11345] - Test basic features of Keycloak.X with current tetsuite 2020-03-10 15:59:35 +01:00
Phy
2b35321b7c KEYCLOAK-13253 read rpId from policy in WebAuthnAuthenticator
A new method, getRpID, is created.
2020-03-09 17:04:26 +01:00
Sebastian Schuster
99aba33980 KEYCLOAK-13163 Fixed searching for user with fine-grained permissions 2020-03-09 09:56:13 -03:00
mabartos
a1bbab9eb2 KEYCLOAK-12799 Missing Cancel button on The WebAuthn setup screen when using AIA 2020-03-05 15:04:38 +01:00
stianst
b84160786b KEYCLOAK-12885 Make sure empty protocol in client scope doesn't result in NPE in well-known endpoint 2020-03-05 13:43:46 +01:00
Pedro Igor
23b4aee445 [KEYCLOAK-13056] - Searching clients with reduced permissions results in 403 2020-03-05 13:39:25 +01:00
stianst
75a772f52b KEYCLOAK-10967 Add JSON body methods for test ldap and smtp connections. Deprecate old form based methods. 2020-03-05 10:07:58 +01:00
stianst
b39b84c5dc KEYCLOAK-13102 Remove error log message on invalid response_type 2020-03-05 08:47:12 +01:00
Pedro Igor
2f489a41eb [KEYCLOAK-12192] - Missing Input Validation in IDP Authorization URLs 2020-03-05 06:32:35 +01:00
stianst
bcb542d9cc KEYCLOAK-13116 Fix backwards compatilbity changes in LocaleSelectorSPI 2020-03-04 06:39:24 +01:00
Douglas Palmer
dfb67c3aa4 [KEYCLOAK-12980] Username not updated when "Email as username" is enabled 2020-03-03 10:26:35 +01:00
Pedro Igor
49b1dbba68 [KEYCLOAK-11804] - Block service accounts to authenticate or manage credentials 2020-03-03 06:48:02 +01:00
Stefan Guilhen
3fa8a5aa88 [KEYCLOAK-12612][KEYCLOAK-12944] Fix validation of SAML destination URLs
- no longer compare them to the server absolutePath; instead use the base URI to build the validation URL
2020-03-03 06:48:02 +01:00
Hynek Mlnarik
f45f882f0c KEYCLOAK-11903 Test for XSW attacks 2020-03-02 21:26:13 +01:00
vramik
7c91e36e43 KEYCLOAK-10898 WildFly Adapter CLI based installation scripts 2020-03-02 10:08:45 +01:00
Hynek Mlnarik
aecfe251e4 KEYCLOAK-12816 Fix representation to model conversion 2020-02-27 21:11:24 +01:00
Douglas Palmer
85d7216228 [KEYCLOAK-12640] Client authorizationSettings.decisionStrategy value lost on realm import 2020-02-27 09:45:48 -03:00
Stian Thorgersen
26c166d965 Update OIDCIdentityProvider.java 2020-02-27 09:13:29 +01:00
Pedro Igor
a830818a84 [KEYCLOAK-12794] - Missing id token checks in oidc broker 2020-02-27 09:13:29 +01:00
Thomas Darimont
469bca624b KEYCLOAK-10953 Avoid NPE when Updating Clients via Admin REST API 2020-02-27 09:09:32 +01:00
Thomas Darimont
f426ed6de6 KEYCLOAK-7961 Avoid sending back-channel logout requests to disabled clients 2020-02-27 09:08:09 +01:00
Pedro Igor
1c71eb93db [KEYCLOAK-11576] - Properly handling redirect_uri parser errors 2020-02-27 08:29:06 +01:00
stianst
950eae090f KEYCLOAK-13054 Unblock temporarily disabled user on password reset, and remove invalid error message 2020-02-27 08:05:46 +01:00
Martin Bartoš
eaaff6e555
KEYCLOAK-12958 Preview feature profile for WebAuthn (#6780)
* KEYCLOAK-12958 Preview feature profile for WebAuthn

* KEYCLOAK-12958 Ability to enable features having EnvironmentDependent providers without restart server

* KEYCLOAK-12958 WebAuthn profile product/project

Co-authored-by: Marek Posolda <mposolda@gmail.com>
2020-02-26 08:45:26 +01:00
Peter Skopek
5db98a58d3 KEYCLOAK-12826 WebAuthn fails to login user when their security key supports "user handle" 2020-02-20 09:19:09 +01:00
stianst
9e47022116 KEYCLOAK-8044 Clear theme caches on hot-deploy 2020-02-20 08:50:10 +01:00
stianst
d8d81ee162 KEYCLOAK-12268 Show page not found for /account/log if events are disabled for the realm 2020-02-20 08:49:30 +01:00
stianst
06576a44c9 KEYCLOAK-13032 Add no cache headers to account form service 2020-02-19 15:47:18 +01:00
stianst
536824beb6 KEYCLOAK-12960 Use Long for time based values in JsonWebToken 2020-02-19 15:46:05 +01:00
Stefan Guilhen
7a3998870c [KEYCLOAK-12612][KEYCLOAK-12944] Fix validation of SAML destination URLs
- no longer compare them to the server absolutePath; instead use the base URI to build the validation URL
2020-02-18 16:38:19 -03:00
mposolda
eeeaafb5e7 KEYCLOAK-12858 Authenticator is sometimes required even when configured as alternative 2020-02-18 09:05:59 +01:00
Thomas Darimont
67ddd3b0eb KEYCLOAK-12926 Improve Locale based message lookup
We now consider intermediate Locales when performing a Locale based
ResourceBundle lookup, before using an Locale.ENGLISH fallback.

Co-authored-by: stianst <stianst@gmail.com>
2020-02-18 08:43:46 +01:00
keycloak-bot
d352d3fa8e Set version to 9.0.1-SNAPSHOT 2020-02-17 20:38:54 +01:00
mposolda
a76c496c23 KEYCLOAK-12860 KEYCLOAK-12875 Fix for Account REST Credentials to work with LDAP and social users 2020-02-14 20:24:42 +01:00
stianst
f0e3122792 KEYCLOAK-12953 Ignore empty realm frontendUrl 2020-02-14 11:33:07 +01:00
stianst
42773592ca KEYCLOAK-9632 Improve handling of user locale 2020-02-14 08:32:20 +01:00
stianst
4b09a4a2af KEYCLOAK-12993 AuthorizationBean invokes ResolveRelative.resolveRelativeUri with null as the value for KeycloakSession 2020-02-13 16:45:06 +01:00
Pedro Igor
7efaf9869a [KEYCLOAK-12864] - OIDCIdentityProvider with Reverse Proxy 2020-02-13 15:01:10 +01:00
Peter Zaoral
b0ffea699e KEYCLOAK-12186 Improve the OTP login form
-created and implemented login form design, where OTP device can be selected
-implemented selectable-card-view logic in jQuery
-edited related css and ftl theme resources
-fixed affected BrowserFlow tests

Signed-off-by: Peter Zaoral <pzaoral@redhat.com>
2020-02-12 11:25:02 +01:00
Peter Skopek
622a97bd1c KEYCLOAK-12228 Sensitive Data Exposure
from patch of hiba haddad haddadhiba0@gmail.com
2020-02-12 09:57:31 +01:00
stianst
3c0cf8463a KEYCLOAK-12821 Check if action is disabled in realm before executing 2020-02-12 09:04:43 +01:00
stianst
0b8adc7874 KEYCLOAK-12921 Fix NPE in client validation on startup 2020-02-12 08:23:25 +01:00
stianst
dda829710e KEYCLOAK-12829 Require PKCE for admin and account console 2020-02-12 08:22:20 +01:00
Thomas Darimont
7969aed8e0 KEYCLOAK-10931 Trigger UPDATE_PASSWORD event on password update via AccountCredentialResource 2020-02-11 19:51:58 +01:00
Martin Kanis
1d54f2ade3 KEYCLOAK-9563 Improve access token checks for userinfo endpoint 2020-02-11 15:09:21 +01:00
stianst
ecec20ad59 KEYCLOAK-12193 Internal error message returned in error response 2020-02-07 18:10:41 +01:00
mabartos
a5d02d62c1 KEYCLOAK-12908 TOTP not accepted in request for Access token 2020-02-07 13:17:05 +01:00
stianst
7545749632 KEYCLOAK-12190 Add validation for client root and base URLs 2020-02-07 09:09:40 +01:00
Pedro Igor
fc514aa256 [KEYCLOAK-12792] - Invalid nonce handling in OIDC identity brokering 2020-02-06 13:16:01 +01:00
Dmitry Telegin
b6c5acef25 KEYCLOAK-7969 - SAML users should not be identified by SAML:NameID 2020-02-06 08:53:31 +01:00
Martin Bartoš
7dec314ed0
KEYCLOAK-12900 NullPointerException during WebAuthn Registration (#6732) 2020-02-05 17:01:36 +01:00
Axel Messinese
b73553e305 Keycloak-11526 search and pagination for roles 2020-02-05 15:28:25 +01:00
rmartinc
d39dfd8688 KEYCLOAK-12654: Data to sign is incorrect in redirect binding when URI has parameters 2020-02-05 11:30:28 +01:00
Martin Bartoš
b0c4913587
KEYCLOAK-12177 KEYCLOAK-12178 WebAuthn: Improve usability (#6710) 2020-02-05 08:35:47 +01:00
Thomas Darimont
42fdc12bdc
KEYCLOAK-8573 Invalid client credentials should return Unauthorized status (#6725) 2020-02-05 08:27:15 +01:00
Thomas Darimont
d417639cb8
KEYCLOAK-11033 Avoid NPE in password endpoint of AccountCredentialResource (#6721)
Added additional null guard since some credentials provide might not
maintain a "CreatedDate" for a password credentials.
2020-02-04 16:01:27 +01:00
rmartinc
5b9eb0fe19 KEYCLOAK-10884: Need clock skew for SAML identity provider 2020-02-03 22:00:44 +01:00
Jan Lieskovsky
b532570747
[KEYCLOAK-12168] Various setup TOTP screen usability improvements (#6709)
On both the TOTP account and TOTP login screens perform the following:
* Make the "Device name" label optional if user registers the first
  TOTP credential. Make it mandatory otherwise,
* Denote the "Authenticator code" with asterisk, so it's clear it's
  required field (always),
* Add sentence to Step 3 of configuring TOTP credential explaining
  the user to provide device name label,

Also perform other CSS & locale / messages file changes, so the UX is
identical when creating OTP credentials on both of these pages

Add a corresponding testcase

Also address issues pointed out by mposolda's review. Thanks, Marek!

Signed-off-by: Jan Lieskovsky <jlieskov@redhat.com>
2020-02-03 19:34:28 +01:00
Marek Posolda
154bce5693
KEYCLOAK-12340 KEYCLOAK-12386 Regression in credential handling when … (#6668) 2020-02-03 19:23:30 +01:00
Leon Graser
01a42f417f Search and Filter for the count endpoint 2020-02-03 09:36:30 +01:00
Pedro Igor
ed2d392a3d [KEYCLOAK-9666] - Entitlement request with service account results in server error 2020-02-03 08:57:56 +01:00
Pedro Igor
658a083a0c [KEYCLOAK-9600] - Find by name in authz client returning wrong resource 2020-02-03 08:57:20 +01:00
rmartinc
1989483401 KEYCLOAK-12001: Audience support for SAML clients 2020-01-31 15:56:40 +01:00
Marek Posolda
d8e450719b
KEYCLOAK-12469 KEYCLOAK-12185 Implement nice design to the screen wit… (#6690)
* KEYCLOAK-12469 KEYCLOAK-12185 Add CredentialTypeMetadata. Implement the screen with authentication mechanisms and implement Account REST Credentials API by use the credential type metadata
2020-01-31 14:28:23 +01:00
Stan Silvert
6ac5a2a17e
[KEYCLOAK-12744] rh-sso-preview theme for product build
* change logo for RH-SSO
* Small fixes to rh-sso-preview theme
* rh-sso-preview theme

Co-authored-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
2020-01-31 08:16:52 -03:00
Pedro Igor
c37ca235ab [KEYCLOAK-11352] - Can't request permissions by name by a non-owner resource service, although the audience is set 2020-01-30 11:36:21 +01:00
stianst
2916af351a KEYCLOAK-12712 Add thread-safety for provider hot-deployment 2020-01-29 14:06:11 +01:00
stianst
a3e5f9d547 KEYCLOAK-12736 Set time for admin events in milliseconds, instead of converted seconds 2020-01-29 14:05:22 +01:00
Marek Posolda
d46620569a
KEYCLOAK-12174 WebAuthn: create authenticator, requiredAction and policy for passwordless (#6649) 2020-01-29 09:33:45 +01:00
Takashi Norimatsu
993ba3179c KEYCLOAK-12615 HS384 and HS512 support for Client Authentication by Client Secret Signed JWT (#6633) 2020-01-28 14:55:48 +01:00
Stian Thorgersen
87cab778eb KEYCLOAK-11996 Authorization Endpoint does not return an error when a request includes a parameter more than once (#6696)
Co-authored-by: stianst <stianst@gmail.com>

Co-authored-by: Takashi Norimatsu <takashi.norimatsu.ws@hitachi.com>
2020-01-24 12:10:56 +01:00
Thomas Darimont
303861f7e8 KEYCLOAK-10003 Fix handling of request parameters for SMTP Connection Test
We now transfer the SMTP connection configuration via HTTP POST
request body parameters instead of URL parameters.
The improves handling of SMTP connection configuration values with
special characters. As a side effect sensitive information like SMTP
credentials are now longer exposed via URL parameters.

Previously the SMTP connection test send the connection parameters
as encoded URL parameters in combination with parameters in the request body.
However the server side endpoint did only look at the URL parameters.

Certain values, e.g. passwords with + or ; could lead to broken URL parameters.
2020-01-23 13:19:31 -06:00
Leon Graser
f1ddd5016f KEYCLOAK-11821 Add account api roles to the client on creation
Co-authored-by: stianst <stianst@gmail.com>
2020-01-23 13:10:04 -06:00
Benjamin Weimer
dd9ad305ca KEYCLOAK-12757 New Identity Provider Mapper "Advanced Claim to Role Mapper" with
following features

    * Regex support for claim values.
    * Support for multiple claims.
2020-01-23 07:17:22 -06:00