Commit Graph

5336 Commits

Author SHA1 Message Date
Steven Hawkins
aa04ff8781 fix: adding checks around the hostname path (#43193)
closes: #43166

Signed-off-by: Steve Hawkins <shawkins@redhat.com>
2025-10-14 17:41:25 +02:00
Giuseppe Graziano
bda0e2a67c Invalidate sessions created with remember me when remember me is disabled for realm
Closes #43328

Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
2025-10-14 15:00:41 +00:00
Stian Thorgersen
567a8ab93f Cleanup changes made to JWTClientValidator after refactoring
Closes #43429

Signed-off-by: stianst <stianst@gmail.com>
2025-10-14 16:12:40 +02:00
Stian Thorgersen
5c5905fed3 Fix SPIFFE client authentication when iss claim is included (#43428)
Closes #43394

Signed-off-by: stianst <stianst@gmail.com>
2025-10-14 13:20:51 +02:00
Václav Muzikář
28749042c7 Fix Spotless checks (#43418)
Closes #43417

Signed-off-by: Václav Muzikář <vmuzikar@redhat.com>
2025-10-13 20:16:27 +02:00
Peter Zaoral
f87b90339d Stabilize PlainTextVaultProviderTest by enhancing validation logging (#42014)
Closes: #39660

Signed-off-by: Peter Zaoral <pzaoral@redhat.com>
2025-10-13 17:03:50 +00:00
rmartinc
248d6d1feb Upgrade xmlsec to 3.0.4 and remove KeycloakFipsSecurityProvider workaround
Closes #43263

Signed-off-by: rmartinc <rmartinc@redhat.com>
2025-10-13 15:38:58 +02:00
Pedro Igor
fa581c8148 Allow passing a context to steps
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2025-10-13 09:53:30 -03:00
Pedro Igor
5b5a83b800 Moving WorkflowsManager and WorkflowStateSpi to server-spi-private module
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2025-10-13 09:53:30 -03:00
Stefan Guilhen
652270302d Workflows code cleanup
Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2025-10-13 09:53:30 -03:00
stianst
aedd7fe5db Remove unused imports as part of #43233
Signed-off-by: stianst <stianst@gmail.com>
2025-10-13 13:32:01 +02:00
vramik
815d2d14d4 Check FGAP enabled before proceeding with evaluation
Closes #43331

Signed-off-by: vramik <vramik@redhat.com>
2025-10-10 15:44:01 -03:00
rmartinc
a19f4d00fc Throw and catch UnsupportedOperationException to fix XPathAttributeMapperTest
Closes #43262

Signed-off-by: rmartinc <rmartinc@redhat.com>
2025-10-10 09:39:47 +02:00
Giuseppe Graziano
0bfb9079f2 Reject search for not allowed client attributes
Closes #42541

Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
2025-10-10 09:37:40 +02:00
mposolda
76d271bf00 openid-connect flow is missing response type on language change
closes #41292

Signed-off-by: mposolda <mposolda@gmail.com>
2025-10-10 08:38:32 +02:00
Pedro Igor
faa0ccbb7d Automatically redirect based on login hint
Closes #42715

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2025-10-08 14:43:32 -03:00
vramik
e4dc88de13 [FGAP] Make additional rest endpoints respect permissions
Closes #40058

Signed-off-by: vramik <vramik@redhat.com>
2025-10-08 08:47:22 -03:00
Thomas Darimont
85afd62452 Use correct error response for missing assertions in Signed JWT Validation
* Ensure conformance for Signed JWT Validation (#43269)

This re-adds the explicit client assertion parameter validation to produce the correct error responses required by RFC7523.
See: https://www.rfc-editor.org/rfc/rfc7523.html#section-3.2

The refactoring for the support for Federated JWT Client authentication broke the OIDF conformance tests for https://www.rfc-editor.org/rfc/rfc7523.html.

Fixes #43269
Fixes #43270

Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>

* Ensure conformance for Signed JWT Validation (#43269)

Add additional tests for ClientAuthSignedJWTTest.

Fixes #43269

Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>

---------

Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
2025-10-08 11:01:13 +02:00
rmartinc
9f9f5ae97a Ensure events are fully filled before success is called
Closes #42914

Signed-off-by: rmartinc <rmartinc@redhat.com>
2025-10-07 17:06:26 +02:00
rmartinc
4476b44482 Use UserSessionUtil.findValidSessionForAccessToken in revocation endpoint
Closes #43218

Signed-off-by: rmartinc <rmartinc@redhat.com>
2025-10-07 16:49:08 +02:00
Stian Thorgersen
ab7939f33a Add support for spiffe_refresh_hint to Spiffe Identity Provider (#43242)
Closes #42806

Signed-off-by: stianst <stianst@gmail.com>
2025-10-07 14:00:46 +02:00
Martin Kanis
a493213ad4 Hide read-only email attribute in update profile context with update … …email enabled (#43024)
* Hide read-only email attribute in update profile context with update email enabled

Closes #42990

Signed-off-by: Martin Kanis <mkanis@redhat.com>

* Simplifying conditions when checking read/write on email attribute and more tests

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>

---------

Signed-off-by: Martin Kanis <mkanis@redhat.com>
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com>
2025-10-07 12:52:55 +02:00
sashyo
8dd7437e90 feat(timer-provider): expose scheduled tasks and start time (#43107)
update to return task name and taskcontext and using keycloak time over instant



fix naming

Signed-off-by: Sasha Le <iamsasha.le@gmail.com>
2025-10-07 07:56:38 +00:00
vramik
03052e79b9 Fix scope interference
Closes #40965

Signed-off-by: vramik <vramik@redhat.com>
2025-09-30 09:20:22 -03:00
Martin Kanis
6e89bd72a9 Update email page with pending verification email messages prefilled with old email
Closes #43070

Signed-off-by: Martin Kanis <mkanis@redhat.com>
2025-09-30 09:19:33 -03:00
rmartinc
e256513ceb Do not remove sid claim when the session is transient only for the client
Closes #42565

Signed-off-by: rmartinc <rmartinc@redhat.com>
2025-09-30 12:08:43 +02:00
Thomas Darimont
8780bc22b4 Fix NPE in FederatedJWTClientAuthenticator (#43042) (#43043)
Add additional null guard before the check for supported assertation types.

Fixes #43042

Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
2025-09-30 10:31:33 +02:00
Pedro Igor
a3db07a8f5 Re-adding max age setting to the update email action (#43036)
Closes #43035

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2025-09-30 05:31:23 +02:00
Stefan Guilhen
7f29c9bb88 Improve workflow logging messages
- every execution gets its own id that can be used to track all activities related to that particular workflow execution

Closes #42952

Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2025-09-29 23:10:21 -03:00
Pedro Igor
d6da849206 Introducing a EMAL_PENDING user attribute to set the email pending verification
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2025-09-29 12:41:41 -03:00
Martin Kanis
88eea73cdc Introduce pending email verification message for UPDATE_EMAIL
Closes #42770

Signed-off-by: Martin Kanis <mkanis@redhat.com>
2025-09-29 12:41:41 -03:00
Stian Thorgersen
dbd516f8e6 Refactor SimpleHttp to make it injectable and usable outside server (#42936)
Closes #42902

Signed-off-by: stianst <stianst@gmail.com>
2025-09-29 08:37:05 +02:00
Pedro Igor
6e851ce80e Only filter default organization related scopes based on dynamic scope format
Closes #42877

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2025-09-26 16:28:12 -03:00
Stefan Guilhen
ab7daf7fac Add validation to workflow update so that only changes to the name and enabled flag are allowed for now
Closes #42916

Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2025-09-26 14:51:05 -03:00
Stefan Guilhen
7e28d13e76 Add workflow condition that uses boolean expressions to combine and negate conditions
Closes #42583

Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2025-09-26 07:52:12 -03:00
vramik
80453bdbfb Allow defining steps in a workflow that can run immediate or scheduled
Closes #42888

Signed-off-by: vramik <vramik@redhat.com>
2025-09-25 14:37:22 -03:00
forkimenjeckayang
29bee21683 [OID4VCI] Fix authorization_details generation and credential identifier mapping for conformance tests (#42819)
Closes: #42818

Signed-off-by: forkimenjeckayang <forkimenjeckayang@gmail.com>
2025-09-25 13:56:30 +02:00
Pedro Ruivo
56c1823082 Document Caffeine cache metrics
Closes #42705

Signed-off-by: Pedro Ruivo <1492066+pruivo@users.noreply.github.com>
Co-authored-by: Pedro Ruivo <1492066+pruivo@users.noreply.github.com>
2025-09-25 12:55:31 +02:00
Sebastian Łaskawiec
a1c66829db Kubernetes Signed JWT Authenticator UI (#42853)
* Kubernetes Signed JWT Authenticator UI

Signed-off-by: Sebastian Łaskawiec <sebastian.laskawiec@defenseunicorns.com>

* Test and lint fix

Signed-off-by: Sebastian Łaskawiec <sebastian.laskawiec@defenseunicorns.com>

* Optimized imports

Signed-off-by: Sebastian Łaskawiec <sebastian.laskawiec@defenseunicorns.com>

---------

Signed-off-by: Sebastian Łaskawiec <sebastian.laskawiec@defenseunicorns.com>
2025-09-25 12:15:00 +02:00
rmartinc
83994c4a5c Enable validate signature for SAML IdP to true when there are signing keys in the IdP metadata
Closes #42213

Signed-off-by: rmartinc <rmartinc@redhat.com>
2025-09-25 10:17:13 +02:00
Pedro Igor
05a8dc006b Do not skip dedicated client mapper when validating dynamic scopes in authorization or token requests
Closes #42142
Closes #42208

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2025-09-25 08:43:56 +02:00
rmartinc
1d28c0cd35 Expose system-info information in the serverinfo endpoint only for users in the admin realm
Closes #42828

Signed-off-by: rmartinc <rmartinc@redhat.com>
2025-09-24 17:21:57 +02:00
vramik
cfec364b17 Add validation of workflow steps also when adding single step to workflow
Closes #42833

Signed-off-by: vramik <vramik@redhat.com>
2025-09-24 12:03:05 -03:00
Ruslan Sheremet
5cefc497fd User session in LOGIN event (#42866)
closes #42867 

Signed-off-by: Ruslan Sheremet <toor.ua@gmail.com>
2025-09-24 16:30:51 +02:00
Alexander Schwartz
4389bc2990 Fix duplicate label when using password history
Closes #42736

Signed-off-by: Alexander Schwartz <alexander.schwartz@gmx.net>
2025-09-24 11:21:59 +02:00
Marek Posolda
e09ce9e18d Documentation update for DPoP (#42865)
closes #42728


Signed-off-by: mposolda <mposolda@gmail.com>
Signed-off-by: Marek Posolda <mposolda@gmail.com>
Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com>
2025-09-24 10:00:23 +02:00
Pedro Igor
1948e5baf3 Prevent empty usernames and allow restarting the login
Closes #42837
Closes #42409

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2025-09-24 04:07:03 -03:00
Pedro Igor
fe8fce859d Improve the Workflow JSON schema
Closes #42697

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2025-09-24 04:04:44 -03:00
Giuseppe Graziano
e4114e6c74 Promote DPoP feature to supported by default
Closes #42032

Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
2025-09-24 08:26:09 +02:00
Stefan Wiedemann
83cfd4a3e2 [OID4VCI] filter for asymmetric keys (#42758)
Closes #42755

Signed-off-by: Stefan Wiedemann <wistefan@googlemail.com>
2025-09-23 09:37:25 +02:00