Commit Graph

5273 Commits

Author SHA1 Message Date
rmartinc
e0bba39da0 Allow configuring encryption details for SAML clients
Closes #40933

Signed-off-by: rmartinc <rmartinc@redhat.com>
2025-07-18 20:13:40 +02:00
Takashi Norimatsu
631aebd848 FAPI 2.0 Final - only accept its issuer identifier value as a string in the aud claim received in client authentication assertions
closes #41119

Signed-off-by: Takashi Norimatsu <takashi.norimatsu.ws@hitachi.com>
2025-07-18 08:26:21 +02:00
Ryan Emerson
4bb02305c3 Implement CompatibilityMetadataProvider for Cache CLI args
Closes #41138

Signed-off-by: Ryan Emerson <remerson@redhat.com>
2025-07-16 19:52:51 +02:00
Björn Eickvonder
d62d5030fe Adds log context information for MDC for realm, users, etc.
Closes #39812

Signed-off-by: Björn Eickvonder <b.eicki@gmx.net>
Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Signed-off-by: Bjoern Eickvonder <bjoern.eickvonder@inform-software.com>
Co-authored-by: Pedro Ruivo <pruivo@users.noreply.github.com>
Co-authored-by: Alexander Schwartz <aschwart@redhat.com>
2025-07-16 17:46:46 +02:00
Pedro Igor
87f30a6285 Adding a config to the UPDATE_EMAIL action to force users to verify email
Closes #32569

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2025-07-16 16:21:08 +02:00
Ryan Emerson
0a745d6aeb Allow Features to declare that they support Rolling upgrades
Closes #41022

Signed-off-by: Ryan Emerson <remerson@redhat.com>
Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Co-authored-by: Alexander Schwartz <aschwart@redhat.com>
2025-07-16 12:10:29 +02:00
Takashi Norimatsu
f00cd980c4 Add FAPI 2.0 + DPoP security profile as default profile of client policies
closes #35441

Signed-off-by: Takashi Norimatsu <takashi.norimatsu.ws@hitachi.com>
2025-07-16 09:30:11 +02:00
Pedro Igor
d5206b61f6 Update email feature only enabled if the required action is enabled at the realm
Closes #41045

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2025-07-14 16:31:15 -03:00
forkimenjeckayang
a3441689e9 [OID4VCI] OpenID for Verifiable Credentials support in client settings (#39385)
Closes #32967

Signed-off-by: forkimenjeckayang <forkimenjeckayang@gmail.com>
Co-authored-by: Francis Pouatcha <francis.pouatcha@adorsys.com>
2025-07-14 11:47:10 +02:00
Giuseppe Graziano
2f36276ff0 Remove FGAP:v1 from external-internal token exchange (#40938)
Closes #40855

Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
2025-07-11 17:42:47 +02:00
mposolda
274afa88fa Add option 'Requires short state parameter' to OIDC IDP
closes #40237

Signed-off-by: mposolda <mposolda@gmail.com>
2025-07-11 16:17:03 +02:00
Pedro Igor
919554e6fc Resolve organization when scope is requested and the user is a member or the email domain matches the organization
Closes #39864

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2025-07-10 20:38:47 +02:00
Pedro Igor
88069cd5fb Mark user session for removal when the user it is bound to cannot be resolved
Closes #40398

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2025-07-10 20:37:18 +02:00
Pascal Knüppel
f39a37d8d1 [OID4VCI] Move realm attributes to clientScope and protocol-mappers (#39768)
fixes #39527
Signed-off-by: Pascal Knüppel <pascal.knueppel@governikus.de>
Signed-off-by: Captain-P-Goldfish <captain.p.goldfish@gmx.de>
2025-07-10 14:46:36 +02:00
Martin Kanis
5a42390341 Make UPDATE_EMAIL a supported feature
Closes #40227

Signed-off-by: Martin Kanis <mkanis@redhat.com>
2025-07-09 10:15:48 -03:00
michael.cordingley
20a4dc283b Generate a UUID to be the JTI instead of reusing the nonce.
Signed-off-by: michael.cordingley <michael.cordingley@upstart.com>
2025-07-09 13:15:17 +02:00
forkimenjeckayang
beb4be6b32 [OID4VCI] : Update Credential Issuer Metadata Model for OID4VCI Draft-15 (#40749)
Closes #39290

Signed-off-by: forkimenjeckayang <forkimenjeckayang@gmail.com>
2025-07-09 11:41:17 +02:00
Håvar Nøvik
9d41092944 BUGFIX: session limit exceeded for both client & realm
This commit fixes a bug where the wrong user session is removed if the user session limit
for realm and client is exceeded at the same time.

Closes #38016

Signed-off-by: Håvar Nøvik <havar@novik.email>
2025-07-09 11:37:55 +02:00
rmartinc
900d8c7400 Changing default passwordless webauthn policy to follow recommended values in the documentation
Closes #40792

Signed-off-by: rmartinc <rmartinc@redhat.com>
2025-07-09 11:34:28 +02:00
rmartinc
6b050776bc Set client in the session context for logout token encode
Closes #40984

Signed-off-by: rmartinc <rmartinc@redhat.com>
2025-07-09 10:50:05 +02:00
rmartinc
d62114e50e Do not add steps if feature disabled in default flows
Allow login if a step is disabled even if the authenticator is not enabled by profile
Closes #40954

Signed-off-by: rmartinc <rmartinc@redhat.com>
2025-07-09 10:44:36 +02:00
vramik
332c9b6e4a Fix NPE when accessing group concurrently
Closes #40368

Signed-off-by: vramik <vramik@redhat.com>
2025-07-08 16:13:54 -03:00
Ogen Bertrand
e92b825a14 [OID4VCI]: Add a unique notification_id generation to OID4VCIssuerEndpoint used in CredentialResponse. (#40229)
closes #39284

Signed-off-by: Ogenbertrand <ogenbertrand@gmail.com>
2025-07-08 19:57:31 +02:00
Steven Hawkins
193ab471c1 fix: correcting to use the X-Forwarded-Proto header (#40905)
close: #40903

Signed-off-by: Steve Hawkins <shawkins@redhat.com>
2025-07-07 17:07:47 +02:00
vramik
114afee7f1 Use MgmtPermissionsV2 by default
Closes #40192

Signed-off-by: vramik <vramik@redhat.com>
2025-07-07 11:07:21 -03:00
Steven Hawkins
eba4934950 fix: correcting spi-theme options
closes: #40930

Signed-off-by: Steve Hawkins <shawkins@redhat.com>
2025-07-07 13:18:24 +00:00
forkimenjeckayang
2aca97bd19 Remove interval property from Credential Offer (#40412)
Closes #39294

Signed-off-by: forkimenjeckayang <forkimenjeckayang@gmail.com>
2025-07-07 13:55:39 +02:00
forkimenjeckayang
178b893492 Always Return Array of Credentials for Credential Responses (#40409)
Closes #39283

Signed-off-by: forkimenjeckayang <forkimenjeckayang@gmail.com>
Co-authored-by: Francis Pouatcha <francis.pouatcha@adorsys.com>
2025-07-07 13:53:28 +02:00
mkrueger92
b70342dda7 Fix NPE when client is not set in context during token encoding
This commit fixes an issue throwing an NPE when trying to encode a token without having a client set in the session context. In other places in this class (like getSignatureAlgorithm(String)) this is checked, but in type(TokenCategory) the check was forgotten.
2025-07-07 13:01:25 +02:00
mposolda
47ca339656 More secure call of Facebook debug token
closes #40926

Signed-off-by: mposolda <mposolda@gmail.com>
2025-07-04 14:44:56 +02:00
Barathwaja S
81a7f38a76 Added emailVerified filtering for users endpoint; updated user count endpoint with logic to support enabled, emailVerified, idpAlias, idpUserId, and exact field query parameters
Closes #38556
Closes #29295

Signed-off-by: Barathwaja S <sbarathwaj4@gmail.com>
2025-07-03 17:05:36 -03:00
mposolda
c52edc853d Verification of external OIDC token by introspection-endpoint. Adding ExternalInternalTokenExchangeV2Test
closes #40167
closes #40198

Signed-off-by: mposolda <mposolda@gmail.com>
2025-07-03 16:23:13 +02:00
Giuseppe Graziano
886c592422 Verification of external GitHub token via "check token" endpoint
Closes #40164

Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
2025-07-01 15:03:49 +02:00
rmartinc
2db98b6a98 Use POST binding for logout when REDIRECT url is not set and forced POST
Closes #40637

Signed-off-by: rmartinc <rmartinc@redhat.com>
2025-06-30 10:30:12 +02:00
Niko Köbler
e7e4ce8339 make abstract class AbstractUserRoleMappingMapper public (was package-private)
closes #40765

Signed-off-by: Niko Köbler <niko@n-k.de>
2025-06-28 11:38:34 +02:00
Pedro Igor
304bcdce88 Do not show update email link if the email attribute is not writable
Closes #39669

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2025-06-28 10:19:41 +02:00
Douglas Palmer
a981f6b6d5 Access Token IDs have less than 128 bits of entropy
Closes #38663

Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
2025-06-26 16:48:03 +02:00
Giuseppe Graziano
150ac639bf Verification of external facebook token via "debug token" endpoint
Closes #40163

Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
2025-06-26 15:21:20 +02:00
Pedro Igor
dcb136ff4e Resolve resources with same URI if the permission request is based on URI matching
Closes #40695

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2025-06-26 08:24:44 +02:00
rmartinc
a9202d48e2 Integrate passkeys with the organization authenticator
Closes #40022

Signed-off-by: rmartinc <rmartinc@redhat.com>
2025-06-26 08:15:36 +02:00
rmartinc
5af775db0f Allow passkeys login when user has no password credential
Closes #40717

Signed-off-by: rmartinc <rmartinc@redhat.com>
2025-06-26 08:09:09 +02:00
Oliver
af40a4db19 Forward LOGIN_HINT of authentication session with identity-provider-redirector
Fixes keycloak#36396

Signed-off-by: Oliver Cremerius <antikalk@users.noreply.github.com>
2025-06-26 06:08:36 +02:00
rmartinc
cc7b63cfc6 Integrate passkeys with separate username and password forms
Closes #40021

Signed-off-by: rmartinc <rmartinc@redhat.com>
2025-06-25 09:43:48 +02:00
rmartinc
86f0a7864f Disable email verification when email manually changed by idp review
Closes #40446

Signed-off-by: rmartinc <rmartinc@redhat.com>
2025-06-25 08:56:03 +02:00
Douglas Palmer
1183157d86 Key generation for client authentication is always RSA 2048 with a 10-year validity, regardless of the selected algorithm
Closes #38620

Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
2025-06-25 08:15:43 +02:00
Ricardo Martin
dd4c21700f Deprecate the original Passkeys Conditional UI Authenticator (#40674)
Closes #40033

Signed-off-by: rmartinc <rmartinc@redhat.com>
Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com>
Signed-off-by: Ricardo Martin <rmartinc@redhat.com>
2025-06-24 20:32:39 +02:00
Ricardo Martin
1350da4332 Use offline time calculations when transient created from offline
Closes #40611

Signed-off-by: rmartinc <rmartinc@redhat.com>
2025-06-19 16:38:51 +02:00
Alexander Schwartz
efb1e0953e Preserve query parameters when redirecting requests
Also hardening the redirect against uncommon URLs

Closes #40489

Signed-off-by: Alexander Schwartz <alexander.schwartz@gmx.net>
Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
2025-06-18 10:47:20 +02:00
Pedro Igor
828f9f7916 Mark user as disabled if reaching max login failures and permanent lockout is enabled
Closes #40159

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2025-06-18 08:34:56 +02:00
Alexander Schwartz
01dcb7a87a Fix message format parsing when linking accounts (#40492)
Closes #40479

Signed-off-by: Alexander Schwartz <alexander.schwartz@gmx.net>
2025-06-17 09:32:55 -04:00