libre.sh/keycloak-scim
3
0
Fork 0
Code Issues 15 Pull requests Releases Packages Activity Actions
24739 commits 4 branches 5 tags 483 MiB
Commit graph

4508 commits

Author SHA1 Message Date
Ricardo Martin
fc6b6f0d94
Perform exact string match if redirect URI contains userinfo, encoded slashes or parent access (#131) (#28872) 
Closes keycloak/keycloak-private#113
Closes keycloak/keycloak-private#134

Signed-off-by: rmartinc <rmartinc@redhat.com>
Co-authored-by: Stian Thorgersen <stianst@gmail.com>
 2024-04-18 16:02:24 +02:00
Hynek Mlnarik
9d1433d266 Update URL builder 
Fixes: keycloak/keycloak-quickstarts#548

Signed-off-by: Hynek Mlnarik <hmlnarik@redhat.com>
 2024-04-18 14:50:10 +02:00
vramik
860f3b7320 Prevent updating IdP via organization API not linked with the organization 
Closes #28833

Signed-off-by: vramik <vramik@redhat.com>
 2024-04-18 09:14:54 -03:00
Stian Thorgersen
0d60e58029
Restrict the token types that can be verified when not using the user info endpoint (#146) (#28866) 
Closes #47

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>

Conflicts:
	core/src/main/java/org/keycloak/util/TokenUtil.java
	testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/ClientTokenExchangeTest.java

Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com>
 2024-04-18 14:11:05 +02:00
Stian Thorgersen
cbc4a8c305
Limit requests sent through session status iframe (#132) (#28864) 
Closes #116

Signed-off-by: Jon Koops <jonkoops@gmail.com>
Co-authored-by: Jon Koops <jonkoops@gmail.com>
 2024-04-18 14:02:37 +02:00
rmartinc
ddacfbdefd Remove deprecated LinkedIn social provider 
Closes #23127

Signed-off-by: rmartinc <rmartinc@redhat.com>
 2024-04-18 10:10:58 +02:00
Pedro Igor
f0f8a88489 Automatically fill username when authenticating to through a broker 
Closes #28848

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
 2024-04-18 08:24:34 +02:00
Pedro Igor
1e3837421e Organization member onboarding using the organization identity provider 
Closes #28273

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
 2024-04-17 07:24:01 -03:00
Jon Koops
3216e7c781
Only allow a known refferer URI for the Account Console (#28743) 
Closes #27628

Signed-off-by: Jon Koops <jonkoops@gmail.com>
 2024-04-16 17:24:22 +02:00
Pedro Ruivo
63cb137b37 Remove usages of EnvironmentDependentProviderFactory.isSupported 
Closes #28751

Signed-off-by: Pedro Ruivo <pruivo@redhat.com>
 2024-04-16 09:43:23 +02:00
Stefan Guilhen
2ab8bf852d Add validation for the organization's internet domains. 
Closes #28634

Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
 2024-04-15 09:03:52 -03:00
Patrick Jennings
5e0d323304 Log exception when failure to augment client and re-throw instead of returning the raw client. 
Signed-off-by: Patrick Jennings <pajennin@redhat.com>
 2024-04-15 09:39:34 +02:00
Patrick Jennings
551a3db987 Updating validation logic to match our expectations on what applicable should mean. 
Signed-off-by: Patrick Jennings <pajennin@redhat.com>
 2024-04-15 09:39:34 +02:00
Patrick Jennings
03db2e8b56 Integration tests around client type parameter validation. Throw common ClientTypeException with invalid params requested during client creation/update requests. This gets translated into ErrorResponseException in the Resource handlers. 
Signed-off-by: Patrick Jennings <pajennin@redhat.com>
 2024-04-15 09:39:34 +02:00
Patrick Jennings
9814733dd3 DefaultClientType service will now validate all client type default values and respond with bad request message with the affending parameters that attempt to override readonly in the client type config. 
Signed-off-by: Patrick Jennings <pajennin@redhat.com>
 2024-04-15 09:39:34 +02:00
Patrick Jennings
c0f5dab209 If client cannot be augmented due to error, we shall return the un-augmented client entity. 
Signed-off-by: Patrick Jennings <pajennin@redhat.com>
 2024-04-15 09:39:34 +02:00
Patrick Jennings
42202ae45e Translate client type exception during client create into bad request response. 
Signed-off-by: Patrick Jennings <pajennin@redhat.com>
 2024-04-15 09:39:34 +02:00
Giuseppe Graziano
4672366eb9
Simplified checks in IntrospectionEndpoint (#28642) 
Closes #24466

Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>


Co-authored-by: mposolda <mposolda@gmail.com>
 2024-04-12 21:19:04 +02:00
Marek Posolda
e6747bfd23
Adjust priority of SubMapper (#28663) 
closes #28661


Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com>
 2024-04-12 14:13:03 +02:00
Pedro Igor
61b1eec504 Prevent members with an email other than the domain set to an organization 
Closes #28644

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
 2024-04-12 08:33:18 -03:00
rmartinc
6d74e6b289 Escape slashes in full group path representation but disabled by default 
Closes #23900

Signed-off-by: rmartinc <rmartinc@redhat.com>
 2024-04-12 10:53:39 +02:00
Douglas Palmer
69ba92808d DefaultBruteForceProtector leverages a single thread to write success/failed events 
Closes #14084

Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
 2024-04-12 09:53:40 +02:00
Pedro Igor
8f8094408e Encapsulate the logic to set attributes into the domain model 
Closes #28646

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
 2024-04-11 15:32:21 -03:00
Marek Posolda
74faddec8e
Release notes for lightweight access tokens and group together relate… (#28622) 
closes #28460

Signed-off-by: mposolda <mposolda@gmail.com>


Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com>
 2024-04-11 20:02:33 +02:00
Giuseppe Graziano
33b747286e Changed userId value for refresh token events 
Closes #28567

Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
 2024-04-11 07:46:44 +02:00
Stefan Guilhen
9a466f90ab Add ability to set one or more internet domain to an organization. 
Closed #28274

Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
 2024-04-10 13:18:12 -03:00
devjos
cccddc0810 Fix brute force detection for LDAP read-only users 
Closes #28579

Signed-off-by: devjos <github_11837948@feido.de>
 2024-04-10 16:36:11 +02:00
vramik
00ce3e34bd Manage a single identity provider for an organization 
Closes #28272

Signed-off-by: vramik <vramik@redhat.com>
 2024-04-10 09:47:51 -03:00
Martin Kanis
51fa054ba7 Manage organization attributes 
Closes #28253

Signed-off-by: Martin Kanis <mkanis@redhat.com>
 2024-04-10 09:10:49 -03:00
rmartinc
41b706bb6a Initial security profile SPI to integrate default client policies 
Closes #27189

Signed-off-by: rmartinc <rmartinc@redhat.com>
 2024-04-10 11:19:56 +02:00
Giuseppe Graziano
c76cbc94d8 Add sub via protocol mapper to access token 
Closes #21185

Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
 2024-04-10 10:40:42 +02:00
mposolda
aa619f0170 Redirect error to client right-away when browser tab detects that another browser tab authenticated 
closes #27880

Signed-off-by: mposolda <mposolda@gmail.com>
 2024-04-09 17:59:34 +02:00
Václav Muzikář
e4987f10f5
Hostname SPI v2 (#26345) 
* Hostname SPI v2

Closes: #26084

Signed-off-by: Václav Muzikář <vmuzikar@redhat.com>

* Fix HostnameV2DistTest#testServerFailsToStartWithoutHostnameSpecified

Signed-off-by: Václav Muzikář <vmuzikar@redhat.com>

* Address review comment

Signed-off-by: Václav Muzikář <vmuzikar@redhat.com>

* Partially revert the previous fix

Signed-off-by: Václav Muzikář <vmuzikar@redhat.com>

* Do not polish values

Signed-off-by: Václav Muzikář <vmuzikar@redhat.com>

* Remove filtering of denied categories

Signed-off-by: Václav Muzikář <vmuzikar@redhat.com>

---------

Signed-off-by: Václav Muzikář <vmuzikar@redhat.com>
 2024-04-09 11:25:19 +02:00
vibrown
3fffc5182e Added ClientType implementation from Marek's prototype 
Signed-off-by: vibrown <vibrown@redhat.com>

More updates

Signed-off-by: vibrown <vibrown@redhat.com>

Added client type logic from Marek's prototype

Signed-off-by: vibrown <vibrown@redhat.com>

updates

Signed-off-by: vibrown <vibrown@redhat.com>

updates

Signed-off-by: vibrown <vibrown@redhat.com>

updates

Signed-off-by: vibrown <vibrown@redhat.com>

Testing to see if skipRestart was cause of test failures in MR
 2024-04-08 20:20:37 +02:00
Pedro Igor
52ba9b4b7f Make sure attribute metadata from user storage providers are added only for the provider associated with a federated user 
Closes #28248

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
 2024-04-08 09:05:16 -03:00
rmartinc
2b769e5129 Better management of the CSP header 
Closes https://github.com/keycloak/keycloak/issues/24568

Signed-off-by: rmartinc <rmartinc@redhat.com>
 2024-04-08 08:19:57 +02:00
Giuseppe Graziano
b4f791b632 Remove session_state from tokens 
Closes #27624

Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
 2024-04-08 08:12:51 +02:00
Alexander Schwartz
647bce49c8 Add error details to events to be able to track down root causes 
Closes #28429

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
 2024-04-04 20:28:45 +02:00
Justin Tay
30cd40e097 Use realm default signature algorithm for id_token_signed_response_alg 
Closes #9695

Signed-off-by: Justin Tay <49700559+justin-tay@users.noreply.github.com>
 2024-04-04 11:37:28 +02:00
Justin Tay
89a5da1afd Allow empty key use in JWKS for client authentication 
Closes #28004

Signed-off-by: Justin Tay <49700559+justin-tay@users.noreply.github.com>
 2024-04-04 10:42:37 +02:00
Marek Posolda
335a10fead
Handle 'You are already logged in' for expired authentication sessions (#27793) 
closes #24112

Signed-off-by: mposolda <mposolda@gmail.com>
 2024-04-04 10:41:03 +02:00
Anar Sultanov
6708f1f12d Update method for sending identity broker link confirmation 
Signed-off-by: Anar Sultanov <anar.sultanov@assessio.se>
 2024-04-03 19:08:51 -03:00
Hynek Mlnarik
8ef3423f4a Present effective sync mode value 
When sync mode value is missing in the config of newly created identity
provider, the provider does not store any. When no value is
found, the identity provider behaves as if `LEGACY` was used (#6705).

This PR ensures the correct sync mode is returned from the REST endpoint,
regardless of whether it has been stored in the database or not.

Fixes: #26019

Signed-off-by: Hynek Mlnarik <hmlnarik@redhat.com>
 2024-04-03 15:49:18 +02:00
Pedro Igor
fefeb83588 Changes the contract to make it simpler and rely on the realm available from the current session 
Closes #28403

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
 2024-04-03 14:45:31 +02:00
Nicola Beghin
a7e5c861cc fixes SAMLIdentityProvider not honoring SamlAuthenticationPreprocessor (keycloak/keycloak#27875) 
Signed-off-by: Nicola Beghin <nicolabeghin@gmail.com>
 2024-04-02 10:58:15 +02:00
Giuseppe Graziano
fe06df67c2 New default client scope for 'basic' claims with 'auth_time' protocol mapper 
Closes #27623

Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
 2024-04-02 08:44:28 +02:00
Pedro Igor
b9a7152a29 Avoid commiting the transaction prematurely when creating users through the User API 
Closes #28217

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
 2024-03-27 19:16:09 -03:00
Lex Cao
a53cacc0a7 Fire logout event when logout other sessions (#26658) 
Closes #26658

Signed-off-by: Lex Cao <lexcao@foxmail.com>
 2024-03-27 11:13:48 +01:00
Jon Koops
3382e16954
Remove Account Console version 2 (#27510) 
Closes #19664

Signed-off-by: Jon Koops <jonkoops@gmail.com>
 2024-03-27 10:53:28 +01:00
Steven Hawkins
be32f8b1bf
fix: limit the use of Resteasy to the KeycloakSession (#28150) 
* fix: limit the use of Resteasy to the KeycloakSession

contextualizes other state to the KeycloakSession

close: #28152
 2024-03-26 13:43:41 -04:00