Commit Graph

4844 Commits

Author SHA1 Message Date
Johannes Knutsen
0cc62b520e Remove duplicate code block introduced with commit c3a15cb3 (#36465)
Closes #36464

Signed-off-by: Johannes Knutsen <johannes@knutsen.me>
2025-01-15 11:50:38 +01:00
rmartinc
25953f2fbb Add option to sign the IdP metadata for SAML
Closes #34132

Signed-off-by: rmartinc <rmartinc@redhat.com>
2025-01-15 11:50:26 +01:00
Giuseppe Graziano
32d5db532f ClientProtocolCondition.getProviderId() fix
Closes #36447

Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
2025-01-15 11:48:46 +01:00
Stian Thorgersen
c1c147cb17 Restrict access to environment variables when at the server runtime (#36472)
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com>
2025-01-15 09:36:19 +01:00
mposolda
0332319538 Make @EnableFeature to handle the case with added provider of currently non-used SPI
closes #36425

Signed-off-by: mposolda <mposolda@gmail.com>
2025-01-15 09:20:01 +01:00
Stian Thorgersen
fd9db3a00e EMBARGOED CVE-2024-11734 org.keycloak/keycloak-quarkus-server: Denial of Service in Keycloak Server via Security Headers (#228) (#36470)
Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
Co-authored-by: Douglas Palmer <dpalmer@redhat.com>
2025-01-15 08:51:55 +01:00
vramik
0a632fdefa [FGAP] Add adminPermissionClientCheck to authorization services REST endpoints
Closes #35945

Signed-off-by: vramik <vramik@redhat.com>
2025-01-10 08:56:48 -03:00
rmartinc
153ba20ea3 Incorrect manage permission for getting a specific execution
Closes #36121

Signed-off-by: rmartinc <rmartinc@redhat.com>
2025-01-09 10:13:51 +01:00
Kevin Tang
4136a677e7 WebAuthn registration now respects the configured extra origins policy (#35404)
closes #35110


Signed-off-by: Kevin Tang <kevin.tang@inventage.com>
2025-01-09 09:41:03 +01:00
Tobi
02691a8d76 Add nullcheck to passwordAgePredicate
Signed-off-by: twobiers <22715034+twobiers@users.noreply.github.com>
2025-01-08 15:55:10 +01:00
Steven Hawkins
696bc07103 fix: remove the use of regex for determining local addresses (#36228)
closes: #36227

Signed-off-by: Steve Hawkins <shawkins@redhat.com>
2025-01-07 17:42:30 +00:00
Martin Kanis
1c4dd66f52 Translations specified in the admin console do not override the translations specified in a theme
Closes #36037

Signed-off-by: Martin Kanis <mkanis@redhat.com>
2025-01-07 14:59:11 +01:00
Pedro Igor
58c344dfeb Error when re-authenticating when organization is enabled
Closes #36249

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2025-01-07 11:51:09 +01:00
Martin Bartoš
0cfeabe6cf Upgrade to Quarkus 3.15.2 (#35078)
* Upgrade to Quarkus 3.15.2

Closes #35077

Signed-off-by: Martin Bartoš <mabartos@redhat.com>

* Remove workaround for overridden micrometer dependencies

Closes #33469

Signed-off-by: Martin Bartoš <mabartos@redhat.com>

* Unable to use custom handlers for HTTP OPTIONS method in subresources

Fixes #36009

Signed-off-by: Martin Bartoš <mabartos@redhat.com>

---------

Signed-off-by: Martin Bartoš <mabartos@redhat.com>
2025-01-07 11:37:39 +01:00
Michal Hajas
3839f8e3b5 Add metric for password validations (#36049)
Closes #36048
Signed-off-by: Michal Hajas <mhajas@redhat.com>
Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Co-authored-by: Alexander Schwartz <aschwart@redhat.com>
2025-01-07 10:05:47 +01:00
Pedro Igor
abaf8489e7 Fix NPE when exchanging external using the issuer value
Closes #36053

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2025-01-06 17:20:10 +01:00
Pedro Igor
f13688edd6 Re-calculate the organization scope when re-authenticating in the browser flow
Closes #35935
Closes #35830

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2025-01-02 20:52:24 +01:00
Patrick Weiner
2eae680108 Add functions and set existing functions to protected in BackchannelAuthenticationCallbackEndpoint to allow developers easier customization when overriding. (#24993)
Two new methods added when approving device code, one before and one after approving, to allow additional checks.

Closes #24992

Signed-off-by: Patrick Weiner <patrick.weiner@prime-sign.com>
2024-12-20 16:54:21 +01:00
Marek Posolda
a3fd076960 Adding ConditionalClientScopeAuthenticator (#36020)
closes #36081 

Signed-off-by: mposolda <mposolda@gmail.com>


Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com>
Signed-off-by: Marek Posolda <mposolda@gmail.com>
2024-12-20 09:53:51 +01:00
Martin Kanis
dbd9429256 Incomplete registration form when edit email is disabled and email is set as username
Closes #34876

Signed-off-by: Martin Kanis <mkanis@redhat.com>
2024-12-19 15:38:11 -03:00
rmartinc
1fc6d595d9 Check minValidityToken to refresh the token if it is equals
Closes #36038

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-12-19 13:54:55 +01:00
Ingrid Kamga
206436fde9 Offload format-specific credential building to dedicated credential builder providers (#32951) (#35046)
Closes #32951

Signed-off-by: Ingrid Kamga <Ingrid.Kamga@adorsys.com>
2024-12-19 12:42:41 +01:00
Rungsikorn Rungsikavanich
41696b964b Add client ID length validation (#35725)
Closes #35723

Signed-off-by: Rungsikorn Rungsikavarnich <rungsikorn@me.com>
2024-12-19 11:19:59 +01:00
Richie B2B
c81246e2d0 Correct documention of GET GroupResources
Closes #27694

Signed-off-by: Richard van den Berg <richard@vdberg.org>
2024-12-19 11:10:42 +01:00
Richard van den Berg
481acac41f Document behaviour of GET GroupResources
Closes #27694

Signed-off-by: Richard van den Berg <richard@vdberg.org>
2024-12-18 19:24:22 +01:00
Pedro Igor
93c1740538 Support for initial CRUD operations when managing admin permissions
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>

Closes #35987
2024-12-18 07:43:13 -03:00
rmartinc
e7e6185175 Fix expires_in in internal to external token exchange
Closes #35704

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-12-18 09:08:19 +01:00
mposolda
9b01e958dc Failed to authenticate client with method client_secret_jwt when client has keys generated
closes #34547

Signed-off-by: mposolda <mposolda@gmail.com>
2024-12-17 20:43:25 +01:00
Benedikt Rohlf
1f278b75fc Display IDP Display Name instead of IDP Alias
This commit close the Issue where the IDP alias is displayed instead of the IDP display name in the existing account link. The alias will continue to be used when no display name is set.

Close #33408

Signed-off-by: Benedikt Rohlf <benedikt.rohlf@gmx.de>
2024-12-17 11:25:34 +01:00
Thomas Darimont
3cdbbc5b15 Add support for Initiating User Registration via prompt=create (#10701) (#35903)
Fixes #10701

Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
2024-12-16 19:54:52 +01:00
Manuel Schallar
7e08b095a3 Use optional realm attribute for request param max size/number (#25007)
closes #25006 

Enable fail-fast toggle for additional request parameter parsing
Enable configuration of an overall size of additional request parameters

Everything is backwardscompatible. No configuration necessary when upgrading.

Signed-off-by: Manuel Schallar <manuel.schallar@prime-sign.com>
Co-authored-by: Manuel Schallar <manuel.schallar@prime-sign.com>
2024-12-16 14:03:12 +01:00
Pedro Igor
a33d5c646e Better path parameter names for organization and member APIs
Closes #35745

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-12-12 13:02:33 +01:00
Alaa
6f469b9dd1 Fix missing userId in LOGIN_ERROR event for permanent lockout with separate username/password forms
Signed-off-by: Alaa <alaainamor@gmail.com>
2024-12-12 11:17:34 +01:00
Ricardo Martin
bbca6116b0 Implement a conditional authenticator to check if a sub-flow was executed or not previously in the process (#35668)
Closes #35231

Signed-off-by: rmartinc <rmartinc@redhat.com>


Co-authored-by: Marek Posolda <mposolda@gmail.com>
Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com>
2024-12-12 11:16:30 +01:00
rmartinc
8e13e761b9 Use UPDATE_CREDENTIAL as the enet type in RecoveryAuthnCodesAction
Closes #35760

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-12-12 09:35:45 +01:00
mposolda
efdc42c2a4 Token revocation may not correctly revoke related access tokens
closes #35813

Signed-off-by: mposolda <mposolda@gmail.com>
2024-12-11 18:25:35 +01:00
Nicola Baiocco
4c263f4897 fix: refactor LightweightUserAdapter instantiation for DefaultTokenEx… (#35363)
Closes #28241

Signed-off-by: Nicola Baiocco <nicola.baiocco@intesys.it>
2024-12-11 14:46:14 +01:00
mposolda
349fc63de1 Keycloak arquillian testsuite not working with the default embedded undertow
closes #35802

Signed-off-by: mposolda <mposolda@gmail.com>
2024-12-11 13:42:27 +01:00
ch-lepp
3255e50580 Other clients but Account-Management can link account (#35728)
closes #12309 

Signed-off-by: ch-lepp <ch.lepp@deg.local>
2024-12-11 13:21:37 +01:00
mposolda
3fca2f3b7f When using the token revocation endpoint with refresh-token, only particular clientSession related to given refresh token should be terminated
closes #35486

Signed-off-by: mposolda <mposolda@gmail.com>
2024-12-10 15:55:59 +01:00
Steven Hawkins
80890737d4 fix: using regex to expand local ipv6 matching (#35736)
closes: #35675

Signed-off-by: Steve Hawkins <shawkins@redhat.com>
2024-12-09 14:33:28 +00:00
Martin Bartoš
d7aa0042fd Apache HTTP client OpenTelemetry instrumentation
Closes #32094

Signed-off-by: Martin Bartoš <mabartos@redhat.com>
Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Co-authored-by: Alexander Schwartz <aschwart@redhat.com>
2024-12-06 11:43:36 +01:00
Stian Thorgersen
5bc4ab1429 Delete OpenShift 3.x identity provider (#34331)
Closes #34330

Signed-off-by: stianst <stianst@gmail.com>
2024-12-06 11:24:47 +01:00
vramik
044807f162 [FGAP] Create new internal client which would hold the authorization objects for feature V2
Closes #34565

Signed-off-by: vramik <vramik@redhat.com>
2024-12-05 11:56:13 -03:00
Steven Hawkins
4c7dea5d70 fix: changing the bootstrapping suggestion to the command (#35616)
closes: #35526

Signed-off-by: Steve Hawkins <shawkins@redhat.com>
2024-12-05 14:31:53 +01:00
Andreas Blättlinger
a1f5234571 Always set lang attribute in login templates (#35361)
Closes #35103

Signed-off-by: Andreas Blaettlinger <bln1imb@bosch.com>
2024-12-04 15:24:42 -03:00
Steven Hawkins
806e140f45 fix: ensuring quarkus-embedded does does not use system.exit (#35574)
closes: #35550

Signed-off-by: Steve Hawkins <shawkins@redhat.com>
2024-12-04 12:08:16 +01:00
rmartinc
d19ba82779 Set clientId in the VerifyEmailActionToken when no one is passed
Closes #35317

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-12-03 15:55:17 +01:00
mposolda
4ad4a8d37b Support for multiple values of some parameters in the grant SPI
closes #35506

Signed-off-by: mposolda <mposolda@gmail.com>
2024-12-03 13:25:11 +01:00
Douglas Palmer
d553f3967b Step-up authentication with existing cookie not working when using Authentication Flow Overrides per client (#35376)
closes #12919

Signed-off-by: Douglas Palmer <dpalmer@redhat.com>


Signed-off-by: Jonathan Putney <jputney@noverant.com>
Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
Co-authored-by: Jonathan Putney <jputney@noverant.com>
Co-authored-by: Douglas Palmer <dpalmer@redhat.com>
2024-12-03 12:39:18 +01:00