5875 Commits

Author SHA1 Message Date
Awambeng
c0be5c42b9 [OID4VCI]: Add backward compatibility for Draft 15 wallets (single proof support) (#43951)
Closes #43926

Signed-off-by: Awambeng Rodrick <awambengrodrick@gmail.com>
2025-11-12 14:30:33 +01:00
forkimenjeckayang
a05ed3154c [OID4VCI] Relax CORS policy on credential offer endpoint (#43182)
Closes #43183


Signed-off-by: forkimenjeckayang <forkimenjeckayang@gmail.com>
Signed-off-by: Awambeng Rodrick <awambengrodrick@gmail.com>
Co-authored-by: Awambeng Rodrick <awambengrodrick@gmail.com>
2025-11-12 14:25:20 +01:00
Ricardo Martin
de49500393 Client policy to enforce only downscoping in Token Exchange (#44030)
Closes #43931

Signed-off-by: rmartinc <rmartinc@redhat.com>
2025-11-12 08:48:42 +01:00
rmartinc
fb13aa5039 Use http for the DockerClientTest to avoid certificate issues
Closes #44117

Signed-off-by: rmartinc <rmartinc@redhat.com>
2025-11-11 17:48:44 +01:00
Martin Kanis
c28cde359c Local user can't log in when LDAP error occurs
Closes #43639

Signed-off-by: Martin Kanis <mkanis@redhat.com>
2025-11-11 08:48:26 -03:00
Ingrid Kamga
ce05241c7f [OID4VCI] Tolerate clock skew in SD-JWT time checks (#43506)
Closes #43456

Signed-off-by: Ingrid Kamga <Ingrid.Kamga@adorsys.com>
2025-11-11 09:02:44 +01:00
vramik
302fa3db08 Make LDAPProvidersIntegrationTest import a test realm after each test
Closes #43754

Signed-off-by: vramik <vramik@redhat.com>
2025-11-10 10:19:25 -03:00
Stian Thorgersen
d8275fe5df Remove wildcard imports (#44060)
Closes #44059

Signed-off-by: stianst <stianst@gmail.com>
2025-11-10 11:46:05 +01:00
Pedro Ruivo
18eeef7b26 Create user session expired event
Closes #43942

Signed-off-by: Pedro Ruivo <1492066+pruivo@users.noreply.github.com>
Signed-off-by: Alexander Schwartz <alexander.schwartz@ibm.com>
Co-authored-by: Pedro Ruivo <1492066+pruivo@users.noreply.github.com>
Co-authored-by: Alexander Schwartz <alexander.schwartz@ibm.com>
2025-11-07 22:36:47 +00:00
Pedro Ruivo
80895d7fb4 AUTH_SESSION_ID cookie has the incorrect route
Fixes #43933

Signed-off-by: Pedro Ruivo <1492066+pruivo@users.noreply.github.com>
Co-authored-by: Pedro Ruivo <1492066+pruivo@users.noreply.github.com>
2025-11-07 21:32:45 +00:00
Lukas Hanusovsky
768cea1b82 Add FIPS suite to the new tests (#43431)
* Add FIPS test suite to the new tests

Signed-off-by: Lukas Hanusovsky <lhanusov@redhat.com>

* Tweaks to FIPS suite in new test

Signed-off-by: stianst <stianst@gmail.com>

---------

Signed-off-by: Lukas Hanusovsky <lhanusov@redhat.com>
Signed-off-by: stianst <stianst@gmail.com>
Co-authored-by: stianst <stianst@gmail.com>
2025-11-06 14:08:19 +01:00
Stian Thorgersen
b278dbbb3d Allow identity provider configuration without defaults for user authentication (#43963)
Closes #43552

Signed-off-by: stianst <stianst@gmail.com>
2025-11-05 10:13:40 -03:00
Alexander Schwartz
3ef8c565f3 Avoid touching the database layer if no changes are necessary for a user
Closes #43682

Signed-off-by: Alexander Schwartz <alexander.schwartz@ibm.com>
2025-11-05 06:44:48 -03:00
fengyuchuanshen
e321f5ab23 chore: remove repetitive words in comments (#43944)
Signed-off-by: fengyuchuanshen <fengyuchuanshen@outlook.com>
2025-11-04 17:55:22 +00:00
Martin Kanis
8e71657576 Add rate limiter for sending verification emails in context of update email
Closes #43076

Signed-off-by: Martin Kanis <mkanis@redhat.com>
2025-11-04 12:16:12 -03:00
Martin Bartoš
d5763b9c0b Migrate the OTelProvider test to the new framework
Closes #43858

Signed-off-by: Martin Bartoš <mabartos@redhat.com>
2025-11-04 12:53:47 +01:00
Thomas Diesler
131e2357a9 Cannot issue vc of type oid4vc_natural_person
Signed-off-by: Thomas Diesler <tdiesler@ibm.com>
2025-11-04 10:46:44 +01:00
KONSTANTINOS GEORGILAKIS
1c0d4616a5 hide scopes from scopes_supported in discovery endpoint
Closes #10388

Signed-off-by: cgeorgilakis-grnet <cgeorgilakis@admin.grnet.gr>
Signed-off-by: Alexander Schwartz <alexander.schwartz@ibm.com>
Co-authored-by: Alexander Schwartz <alexander.schwartz@ibm.com>
2025-11-03 16:26:12 +00:00
Lukas Hanusovsky
2ddde05afb Moving UserFederationLdapConnectionTest to federation/ldap package (#43852)
Signed-off-by: Lukas Hanusovsky <lhanusov@redhat.com>
2025-11-03 15:39:40 +01:00
Stian Thorgersen
1048c8d9c9 Filter out non-user authentication IdPs from account and login (#43798)
Closes #43553

Signed-off-by: stianst <stianst@gmail.com>
2025-10-31 12:40:04 +01:00
forkimenjeckayang
f27982aeb7 [OID4VCI] Ensure authorization_details from PAR requests are properly returned in token responses (#43215)
Closes #43214


Signed-off-by: forkimenjeckayang <forkimenjeckayang@gmail.com>
Signed-off-by: Awambeng Rodrick <awambengrodrick@gmail.com>
Co-authored-by: Awambeng Rodrick <awambengrodrick@gmail.com>
2025-10-31 11:39:38 +01:00
Ingrid Kamga
ea06651da5 [OID4VCI] Ensure openid_credential is one of authorization_details_types_supported on the Authorization Server metadata (#43599)
Closes #43398

Signed-off-by: Ingrid Kamga <Ingrid.Kamga@adorsys.com>
2025-10-31 11:32:24 +01:00
rmartinc
3b3adcf1e4 Ensure the logout endpoint removes the authentication session
Closes #43853

Signed-off-by: rmartinc <rmartinc@redhat.com>
2025-10-31 10:59:25 +01:00
Martin Bartoš
12d9ec048b [quarkus-next] Removed exception escaped OTel attribute (#43848)
Closes #43845

Signed-off-by: Martin Bartoš <mabartos@redhat.com>
2025-10-31 08:52:07 +01:00
Pedro Ruivo
24f67d0c04 Always validate cookie signature
Closes #43851

Signed-off-by: Pedro Ruivo <1492066+pruivo@users.noreply.github.com>
Co-authored-by: Pedro Ruivo <1492066+pruivo@users.noreply.github.com>
2025-10-30 22:18:13 +00:00
Pedro Ruivo
e40c5de050 Session cache affinity
Closes #42776

Signed-off-by: Pedro Ruivo <1492066+pruivo@users.noreply.github.com>
Signed-off-by: Alexander Schwartz <alexander.schwartz@gmx.net>
Signed-off-by: Alexander Schwartz <alexander.schwartz@ibm.com>
Co-authored-by: Pedro Ruivo <1492066+pruivo@users.noreply.github.com>
Co-authored-by: Alexander Schwartz <alexander.schwartz@gmx.net>
Co-authored-by: Steven Hawkins <shawkins@redhat.com>
Co-authored-by: Alexander Schwartz <alexander.schwartz@ibm.com>
2025-10-30 21:01:09 +00:00
Pedro Ruivo
6317c02a27 Refactor AuthenticationSessionManager
Closes #43825

Signed-off-by: Pedro Ruivo <1492066+pruivo@users.noreply.github.com>
Signed-off-by: Alexander Schwartz <alexander.schwartz@ibm.com>
Co-authored-by: Pedro Ruivo <1492066+pruivo@users.noreply.github.com>
Co-authored-by: Alexander Schwartz <alexander.schwartz@ibm.com>
2025-10-30 12:26:07 +01:00
Tomáš Kyjovský
4c64b7189c Deprecate org.keycloak.common.util.Base64
Closes #43370

Signed-off-by: Alexander Schwartz <alexander.schwartz@ibm.com>
Signed-off-by: 1867605+tkyjovsk@users.noreply.github.com
Co-authored-by: Pedro Ruivo <1492066+pruivo@users.noreply.github.com>
Co-authored-by: Alexander Schwartz <alexander.schwartz@ibm.com>
2025-10-30 09:12:14 +01:00
Marek Posolda
2fc5419676 Avoid using UserCredentialManager from user storage extensions (#43695)
closes #43694

Signed-off-by: mposolda <mposolda@gmail.com>
2025-10-29 16:26:59 +01:00
Ricardo Martin
e0c1f2ee0f Check offline scope is still assigned when performing a refresh
Closes #43734

Signed-off-by: rmartinc <rmartinc@redhat.com>
2025-10-28 16:42:34 +01:00
Pedro Igor
42edee22d9 Email should be set when email as username is enabled and email is read-only
Closes #43718

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2025-10-28 14:44:57 +01:00
rmartinc
1bd9a3f473 Only add the none verifier when attestation conveyance preference is none
Closes #43723

Signed-off-by: rmartinc <rmartinc@redhat.com>
2025-10-28 05:30:24 -03:00
Pedro Igor
53142d8f92 Fixing flaky test KcOidcBrokerTest#testPostBrokerLoginFlowWithOTP
Closes #42601

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2025-10-27 17:28:28 +01:00
Pedro Igor
e4d4570404 Prevent the username field from being rendered when running the identity-first login flow
Closes #43091

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2025-10-23 13:02:57 +02:00
Pedro Igor
6527b139dc Do not lower-case username and email if users are not imported from LDAP
Closes #43621

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2025-10-23 13:02:33 +02:00
rmartinc
62f68b2f19 DPoP replay check should take clockSkew into account
Closes #43505

Signed-off-by: rmartinc <rmartinc@redhat.com>
2025-10-22 15:35:13 +02:00
Ronaldo Paulino Jiconda
987ce19b45 Fix OIDC IDP broker basic auth encoding
Ensures that the client_id and client_secret are URL-encoded before being Base64-encoded for the Basic Auth header, following RFC 6749. This fixes authentication failures when the client_id contains special characters.

Closes #26374
Closes #43022

Signed-off-by: rpjicond <ronaldopaulino32@hotmail.com>
Signed-off-by: Alexander Schwartz <alexander.schwartz@ibm.com>
Co-authored-by: rpjicond <ronaldopaulino32@hotmail.com>
Co-authored-by: Alexander Schwartz <alexander.schwartz@ibm.com>
Co-authored-by: cgeorgilakis-grnet <cgeorgilakis@admin.grnet.gr>
2025-10-20 23:48:24 +02:00
Martin Kanis
986fdd7341 Make pending email verification attribute removable by admin
Closes #43351

Signed-off-by: Martin Kanis <mkanis@redhat.com>
2025-10-20 09:06:01 -03:00
mposolda
a2cc51aed7 Possible overflow in brute force computation
closes #30939

Signed-off-by: mposolda <mposolda@gmail.com>
2025-10-16 12:36:14 +02:00
Giuseppe Graziano
bda0e2a67c Invalidate sessions created with remember me when remember me is disabled for realm
Closes #43328

Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
2025-10-14 15:00:41 +00:00
Pedro Ruivo
468c063e27 Client session may be lost during session restart
Fixes #43349

Signed-off-by: Pedro Ruivo <1492066+pruivo@users.noreply.github.com>
Signed-off-by: Alexander Schwartz <alexander.schwartz@ibm.com>
Co-authored-by: Pedro Ruivo <1492066+pruivo@users.noreply.github.com>
Co-authored-by: Alexander Schwartz <alexander.schwartz@ibm.com>
2025-10-14 11:01:16 +00:00
rmartinc
248d6d1feb Upgrade xmlsec to 3.0.4 and remove KeycloakFipsSecurityProvider workaround
Closes #43263

Signed-off-by: rmartinc <rmartinc@redhat.com>
2025-10-13 15:38:58 +02:00
stianst
aedd7fe5db Remove unused imports as part of #43233
Signed-off-by: stianst <stianst@gmail.com>
2025-10-13 13:32:01 +02:00
mposolda
76d271bf00 openid-connect flow is missing response type on language change
closes #41292

Signed-off-by: mposolda <mposolda@gmail.com>
2025-10-10 08:38:32 +02:00
Pedro Igor
faa0ccbb7d Automatically redirect based on login hint
Closes #42715

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2025-10-08 14:43:32 -03:00
Steve Hawkins
6f36a02ffe fix: retaining user creation timestamp when importing
closes: #43195

Signed-off-by: Steve Hawkins <shawkins@redhat.com>
2025-10-08 11:36:29 -03:00
Thomas Darimont
85afd62452 Use correct error response for missing assertions in Signed JWT Validation
* Ensure conformance for Signed JWT Validation (#43269)

This re-adds the explicit client assertion parameter validation to produce the correct error responses required by RFC7523.
See: https://www.rfc-editor.org/rfc/rfc7523.html#section-3.2

The refactoring for the support for Federated JWT Client authentication broke the OIDF conformance tests for https://www.rfc-editor.org/rfc/rfc7523.html.

Fixes #43269
Fixes #43270

Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>

* Ensure conformance for Signed JWT Validation (#43269)

Add additional tests for ClientAuthSignedJWTTest.

Fixes #43269

Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>

---------

Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
2025-10-08 11:01:13 +02:00
rmartinc
5732946388 Add ECDSA as a valid key type that should return EC public key
Closes #42588

Signed-off-by: rmartinc <rmartinc@redhat.com>
2025-10-07 19:41:27 +02:00
rmartinc
9f9f5ae97a Ensure events are fully filled before success is called
Closes #42914

Signed-off-by: rmartinc <rmartinc@redhat.com>
2025-10-07 17:06:26 +02:00
rmartinc
94a4e062f7 Add a debug statement when the KeycloakFipsSecurityProvider is created
Closes #43015

Signed-off-by: rmartinc <rmartinc@redhat.com>
2025-10-07 16:59:22 +02:00