mirrors/keycloak
1
0
Fork 0
mirror of https://github.com/keycloak/keycloak.git synced 2026-01-25 16:42:34 +00:00
Code Issues Packages Projects Releases Wiki Activity
NaN Commits 24 Branches 291 Tags
1cc1911ec35ffbf32d191f22dfd8eb75abcf7b09
Commit Graph

98 Commits

Author SHA1 Message Date
Alexander Schwartz
fa12b14a32 Update docs about when emails for changed credentials are sent 
Closes #27620

Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com>
Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Signed-off-by: andymunro <48995441+andymunro@users.noreply.github.com>
 2024-03-07 07:16:16 +01:00
Alexander Schwartz
4b697009d3 Clean up feature IDs in the docs (#27418) 
Closes #27416

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
 2024-03-06 12:32:06 +01:00
Lucy Linder
84d48a9877 Update documentation for reCAPTCHA support 
Signed-off-by: Lucy Linder <lucy.derlin@gmail.com>
 2024-03-04 20:28:06 +09:00
Takashi Norimatsu
3db04d8d8d Replace Security Key with Passkey in WebAuthn UIs and their documents 
closes #27147

Signed-off-by: Takashi Norimatsu <takashi.norimatsu.ws@hitachi.com>
 2024-02-29 10:31:05 +01:00
Marek Posolda
8dd0eb451d Additional release notes for Keycloak 24 (#27339) 
closes #27142

Signed-off-by: mposolda <mposolda@gmail.com>


Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com>
 2024-02-29 08:43:22 +01:00
Alexander Schwartz
6de61f61f0 Adding missing explicit IDs for cross-references 
Closes #27316

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
 2024-02-28 08:37:52 +01:00
Pedro Igor
b98e115183 Updating docs and account message 
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
 2024-02-22 22:58:22 +09:00
Pedro Igor
604274fb76 Allow setting an attribute as multivalued 
Closes #23539

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>

Co-authored-by: Jon Koops <jonkoops@gmail.com>
Co-authored-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
 2024-02-22 12:56:44 +01:00
Takashi Norimatsu
1e12b15890 Supporting OAuth 2.1 for public clients 
closes #25316

Co-authored-by: shigeyuki kabano <shigeyuki.kabano.sj@hitachi.com>
Signed-off-by: Takashi Norimatsu <takashi.norimatsu.ws@hitachi.com>
 2024-02-22 10:57:29 +01:00
Douglas Palmer
b0ef746f39 Permanently lock users out after X temporary lockouts during a brute force attack 
Closes #26172

Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
 2024-02-22 09:34:51 +01:00
Takashi Norimatsu
9ea679ff35 Supporting OAuth 2.1 for confidential clients 
closes #25314

Co-authored-by: shigeyuki kabano <shigeyuki.kabano.sj@hitachi.com>
Signed-off-by: Takashi Norimatsu <takashi.norimatsu.ws@hitachi.com>
 2024-02-22 08:34:21 +01:00
Jon Koops
89af9e3ffd Write announcement and documentation for Account Console v3 (#26318) 
Closes #26122

Signed-off-by: Jon Koops <jonkoops@gmail.com>
 2024-02-21 13:42:33 -05:00
Alexander Schwartz
3b6886d970 Add warning about too long attribute values as it can exhaust caches (#27126) 
Closes #27125

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
 2024-02-21 13:47:58 +01:00
Takashi Norimatsu
1bdbaa2ca5 Client policies: executor for validate and match a redirect URI 
closes #25637

Signed-off-by: Takashi Norimatsu <takashi.norimatsu.ws@hitachi.com>
 2024-02-20 08:37:33 +01:00
Joshua Sorah
018914d7fd Change Open ID Connect to OpenID Connect in UI and docs 
Closes #27093

Signed-off-by: Joshua Sorah <jsorah@redhat.com>
 2024-02-19 17:01:57 +01:00
Takashi Norimatsu
849a920955 Rename Resident key to Discoverable Credential 
closes #9508

Signed-off-by: Takashi Norimatsu <takashi.norimatsu.ws@hitachi.com>
 2024-02-19 14:12:15 +01:00
Vlasta Ramik
76453550a5 User attribute value length extension 
Closes #9758

Signed-off-by: vramik <vramik@redhat.com>
Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Signed-off-by: Michal Hajas <mhajas@redhat.com>
Co-authored-by: Alexander Schwartz <aschwart@redhat.com>
Co-authored-by: Michal Hajas <mhajas@redhat.com>
 2024-02-16 08:09:34 +01:00
Marek Posolda
e2fb8406a3 Fixing the docs about default hashing iterations (#27020) 
closes #26816

Signed-off-by: mposolda <mposolda@gmail.com>


Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com>
 2024-02-15 08:11:44 +01:00
Joshua Sorah
b81233a4af [docs] Align OAuth 2.0 Security Best Current Practice links (#24706) 
Closes keycloak/keycloak#24705

Signed-off-by: Joshua Sorah <jsorah@gmail.com>
 2024-02-13 13:53:56 +01:00
Pedro Igor
750bc2c09c Reviewing references to user attribute management and UIs 
Closes #26155

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
 2024-02-12 16:01:34 +01:00
mposolda
7af753e166 Documentation for AIA 
closes #25569

Signed-off-by: mposolda <mposolda@gmail.com>

Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com>
 2024-02-12 09:42:34 +01:00
Thomas Darimont
93fc6a6c54 Shorter lifespan for offline session cache entries in memory 
Closes #26810

Co-authored-by: Thomas Darimont <thomas.darimont@googlemail.com>
Co-authored-by: Martin Kanis <mkanis@redhat.com>

Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
Signed-off-by: Martin Kanis <mkanis@redhat.com>
 2024-02-09 19:44:04 +01:00
Michael Schnitzler
fdfe41bdda fix documentation for resetting OTP in "reset credentials" flow (#26834) 
The former version stated that the "Reset OTP" step had to be disabled in the "reset credentials" authentication flow in order to keep the OTP unchanged. This leads to an error. More precisely, the "Reset - Conditional OTP" sub-flow has to be disabled.

Fixex #26834

Signed-off-by: Michael Schnitzler <schnitzler.michael+github@gmail.com>
 2024-02-07 11:57:58 -03:00
Tero Saarni
ac1780a54f Added event for temporary lockout for brute force protector (#26630) 
This change adds event for brute force protector when user account is
temporarily disabled.

It also lowers the priority of free-text log for failed login attempts.

Signed-off-by: Tero Saarni <tero.saarni@est.tech>
Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Co-authored-by: Alexander Schwartz <aschwart@redhat.com>
 2024-02-07 14:13:33 +00:00
Pedro Igor
4338f44955 Reviewing the user profile documentation 
Closes #26154

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
 2024-02-02 17:14:51 +01:00
christian-2
e14b523a8d Fixes typo in Server Administration guide (#26543) 
Signed-off-by: Christian Hörtnagl <christian2@univie.ac.at>
 2024-02-01 19:36:32 +01:00
mposolda
56a605fae7 Documentation for SuppressRefreshTokenRotationExecutor 
closes #26587

Signed-off-by: mposolda <mposolda@gmail.com>

Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com>
 2024-02-01 17:18:50 +01:00
Pedro Igor
3a7ce54266 Allow formating numbers when rendering attributes 
Closes keycloak#26320

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
 2024-02-01 08:14:58 -03:00
Thomas Darimont
e7363905fa Change password hashing defaults according to OWASP recommendations (#16629) 
Changes according to the latest [OWASP cheat sheet for secure Password Storage](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#pbkdf2):

- Changed default password hashing algorithm from pbkdf2-sha256 to pbkdf2-sha512
- Increased number of hash iterations for pbkdf2-sha1 from 20.000 to 1.300.000
- Increased number of hash iterations for pbkdf2-sha256 from 27.500 to 600.000
- Increased number of hash iterations for pbkdf2-sha512 from 30.000 to 210.000
- Adapt PasswordHashingTest to new defaults
- The test testBenchmarkPasswordHashingConfigurations can be used to compare the different hashing configurations.
- Document changes in changes document with note on performance and how
  to keep the old behaviour.
- Log a warning at the first time when Pbkdf2PasswordHashProviderFactory is used directly

Fixes #16629

Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
 2024-01-24 18:35:51 +01:00
Stian Thorgersen
fea49765f0 Remove Jetty 9.4 adapters (#26261) 
Only removing the distribution of the Jetty adapter for now, and leaving the rest for now. This is due to the complexity of removing all Jetty adapter code due to Spring, OSGI, Fuse, testsuite, etc. and it will be better to leave the rest of the clean-up to after 24 when we are removing most adapters

Closes #26255

Signed-off-by: stianst <stianst@gmail.com>
 2024-01-24 11:17:29 +01:00
Alexander Schwartz
b9498b91cb Deprecating the offline session preloading (#26160) 
Closes #25300

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
 2024-01-16 09:29:01 +01:00
AndyMunro
b875acbc20 Change RHDG to Infinispan 
Closes #26083

Signed-off-by: AndyMunro <amunro@redhat.com>
 2024-01-10 17:18:50 +01:00
Alexander Schwartz
4be4212dca Remove conditionals about Linux vs. Windows (#26031) 
Closes #26028

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
 2024-01-10 16:03:38 +01:00
shigeyuki kabano
8b65e6727b Creating documentation for Lightweight access token(#25743) 
Closes keycloak#23725

Signed-off-by: shigeyuki kabano <shigeyuki.kabano.sj@hitachi.com>
 2024-01-09 09:48:20 +01:00
Pedro Igor
7fad0e805e Improve brute force documentation around how the effective wait time is calculated 
Closes #25915

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
Co-authored-by: Alexander Schwartz <alexander.schwartz@gmx.net>
Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com>
 2024-01-09 07:50:17 +00:00
Ben Cresitello-Dittmar
057d8a00ac Implement Authentication Method Reference (AMR) claim from OIDC specification 
This implements a method for configuring authenticator reference values for Keycloak authenticator executions and a protocol mapper for populating the AMR claim in the resulting OIDC tokens.

This implementation adds a default configuration item to each authenticator execution, allowing administrators to configure an authenticator reference value. Upon successful completion of an authenticator during an authentication flow, Keycloak tracks the execution ID in a user session note.

The protocol mapper pulls the list of completed authenticators from the user session notes and loads the associated configurations for each authenticator execution. It then captures the list of authenticator references from these configs and sets it in the AMR claim of the resulting tokens.

Closes #19190

Signed-off-by: Ben Cresitello-Dittmar <bcresitellodittmar@mitre.org>
 2024-01-03 14:59:05 -03:00
Takashi Norimatsu
59536becec Client policies : executor for enforcing DPoP 
closes #25315

Signed-off-by: Takashi Norimatsu <takashi.norimatsu.ws@hitachi.com>
 2023-12-18 10:45:18 +01:00
Steven Hawkins
8c3df19722 feature: add option for creating a global truststore (#24473) 
closes #24148

Co-authored-by: Václav Muzikář <vaclav@muzikari.cz>
Co-authored-by: Martin Bartoš <mabartos@redhat.com>
 2023-11-30 08:57:17 +01:00
rmartinc
16afecd6b4 Allow automatic download of SAML certificates in the identity provider 
Closes https://github.com/keycloak/keycloak/issues/24424

Signed-off-by: rmartinc <rmartinc@redhat.com>
 2023-11-29 18:03:31 +01:00
Tomas Ondrusko
8ac6120274 Social Identity Providers documentation adjustments (#24840) 
Closes #24601

Signed-off-by: Tomas Ondrusko <tondrusk@redhat.com>
 2023-11-20 22:26:11 +01:00
Thomas Darimont
d30d692335 Introduce MaxAuthAge Password policy (#12943) 
This policy allows to specify the maximum age of an authentication
with which a password may be changed without re-authentication.

Defaults to 300 seconds (default taken from Constants.KC_ACTION_MAX_AGE) to remain backwards compatible.
A value of 0 will always require reauthentication to update the password.
Add documentation for MaxAuthAgePasswordPolicy to server_admin

Fixes #12943

Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
 2023-11-20 14:48:17 +01:00
rmartinc
5fad76070a Use LinkedIn instead of LinkedIn OpenID Connect for better UI experience 
Closes https://github.com/keycloak/keycloak/issues/24659

Signed-off-by: rmartinc <rmartinc@redhat.com>
 2023-11-16 18:22:16 +01:00
Tomas Ondrusko
fe48afc1dc Update Social Identity Providers documentation (#24601) 
Signed-off-by: Tomas Ondrusko <tondrusk@redhat.com>
 2023-11-16 17:58:53 +01:00
andymunro
d4cee15c3a Correct Securing Apps Guide (#24730) 
* Correcting Securing Apps guide

Closes #24729

Signed-off-by: AndyMunro <amunro@redhat.com>

* Update docs/documentation/securing_apps/topics/saml/java/general-config/sp_role_mappings_provider_element.adoc

Co-authored-by: Stian Thorgersen <stian@redhat.com>

---------

Signed-off-by: AndyMunro <amunro@redhat.com>
Co-authored-by: Stian Thorgersen <stian@redhat.com>
 2023-11-14 11:04:55 +01:00
AndyMunro
20f5edc708 Addressing Server Admin review comments 
Closes #24643

Signed-off-by: AndyMunro <amunro@redhat.com>
 2023-11-13 15:48:02 +01:00
Alexander Schwartz
8acb6c1845 Fix broken link to node.js and internal anchor 
Closes #24699

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
 2023-11-13 12:20:54 +01:00
andymunro
bf17fcc0be Fix broken links (#24476) 2023-11-13 09:17:34 +01:00
vramik
593c14cd26 Data too long for column 'DETAILS_JSON' 
Closes #17258
 2023-11-02 20:29:35 +01:00
AndyMunro
9ef9c944d0 Minor changes to documentation 
Closes #24456
 2023-11-01 22:14:11 +01:00
Justin Tay
3ff0476cc3 Allow customization of aud claim with JWT Authentication 
Closes #21445
 2023-10-31 11:33:47 -07:00