Commit Graph

5121 Commits

Author SHA1 Message Date
Martin Bartoš
83001e4024 OTelHttpClientFactory not configured properly when tracing enabled
Closes #38740

Signed-off-by: Martin Bartoš <mabartos@redhat.com>
2025-04-08 17:04:23 +00:00
rmartinc
ba91a092ab Migrate old recaptcha secret name when used
Closes #38607

Signed-off-by: rmartinc <rmartinc@redhat.com>
2025-04-08 14:22:25 +02:00
Pedro Igor
79b533ee02 Allow managing client authorization settings if manage scope is granted for clients
Closes #38726

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2025-04-08 13:07:48 +02:00
Pedro Igor
be880ae204 Do not cache partial results when FGAP is enabled
Closes #38705

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2025-04-08 08:22:22 +02:00
Pedro Igor
8521b9952a Export failing if the realm has FGAP enabled
Closes #38695

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2025-04-07 18:47:44 +02:00
rmartinc
540ee9eda2 Add webauthn tests for the passkeys conditional UI authenticator
Closes #23659

Signed-off-by: rmartinc <rmartinc@redhat.com>
2025-04-07 15:04:59 +02:00
Pedro Igor
d98ca0a2a2 Make sure searches by identifiers are filtered
Closes #38679

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2025-04-07 14:59:43 +02:00
Stefan Guilhen
a4ca92ab4d Validate realm name for uniqueness before creating a new realm in the DB
Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>

Closes #38426
2025-04-07 08:49:42 -04:00
vramik
6488890585 [FGAP:V2] remove configure scope from Client resource type
Closes #38567

Signed-off-by: vramik <vramik@redhat.com>
2025-04-07 07:05:02 -03:00
Stefan Guilhen
c4c3e2eee6 Allow redirection to idp when user email matches any of the org domains
Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
Co-authored-by: Martin Panzer <martin.panzer@active-logistics.com>

Closes #33804
2025-04-04 11:28:04 -03:00
Alexander Schwartz
b211391e02 Enhance logging for a missing provider factory dependency
Closes #38594

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
2025-04-04 15:38:02 +02:00
Pedro Igor
9f079f7874 Permission checks that do not check a specific client should check the permissions granted to the client resource type
Closes #38653

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2025-04-03 17:00:47 +00:00
vramik
8127a9da60 [FGAP] Allow user creation when the admin has permission to manage-members and manage-membership for all existing groups defined in UserRepresentation
Closes #38269

Signed-off-by: vramik <vramik@redhat.com>
2025-04-03 12:08:46 -03:00
Pedro Igor
29d3dcb49a Do not allow deleting the FGAP client
Closes #38644

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2025-04-03 14:57:06 +02:00
vramik
999d9aa75b [FGAP] Override canList() for V2.
Closes #38641

Signed-off-by: vramik <vramik@redhat.com>
2025-04-03 08:35:08 -03:00
rtufisi
134437a5a7 Create recovery keys in user storage or local (#38446)
closes #38445

Signed-off-by: rtufisi <rtufisi@phasetwo.io>
2025-04-03 10:09:48 +02:00
vramik
f12fa0b5bb [FGAP] remove transitiveness from auth scopes
Closes #38557

Signed-off-by: vramik <vramik@redhat.com>
2025-04-02 16:56:25 -03:00
tranthanhhien06072001
13405b184a Add totp policy to TotpLoginBean (#38606)
Closes #38523

Signed-off-by: hientt85 <hientt85@viettel.com.vn>
2025-04-02 18:34:07 +02:00
rmartinc
a10c8119d4 Define a max expiration window for Signed JWT client authentication
Closes #38576

Signed-off-by: rmartinc <rmartinc@redhat.com>
2025-04-02 18:32:54 +02:00
rmartinc
43c79e8d1b Add locale attribute to the registration context
Closes #38029

Signed-off-by: rmartinc <rmartinc@redhat.com>
2025-04-02 09:03:06 +02:00
Pedro Igor
61cb0acbc4 Fixing inconsistencies when evaluating permission in the evaluation tab
Closes #38498

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2025-04-01 11:40:27 -03:00
Alexander Schwartz
85737f52b5 Make access token in user info endpoint bound to the DPoP proof
Closes #38333

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
2025-03-31 09:41:57 +02:00
Václav Muzikář
2a0ce46471 Prevent frontend endpoint redirect to admin endpoint (#38464)
Closes #38463

Signed-off-by: Václav Muzikář <vmuzikar@redhat.com>
2025-03-28 18:44:43 +01:00
Douglas Palmer
4ccb50106a Add audience to the client-scopes evaluate tab (#38457)
* Add audience to the client-scopes evaluate tab #37548

Signed-off-by: Douglas Palmer <dpalmer@redhat.com>

* Simulate audience parameter in the evaluate tab - polishing

Signed-off-by: mposolda <mposolda@gmail.com>

---------

Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
Signed-off-by: mposolda <mposolda@gmail.com>
Co-authored-by: mposolda <mposolda@gmail.com>
2025-03-28 16:22:34 +01:00
Steven Hawkins
06e0885f46 fix: adds back reporting of non-ip client addresses (#37797)
closes: #36843

Signed-off-by: Steve Hawkins <shawkins@redhat.com>
# Conflicts:
#	services/src/main/java/org/keycloak/protocol/oidc/tokenexchange/AbstractTokenExchangeProvider.java
#	services/src/main/java/org/keycloak/protocol/oidc/tokenexchange/StandardTokenExchangeProvider.java
2025-03-27 19:33:20 +00:00
Stefan Guilhen
d62fa871b5 Allow users to unset their e-mail when the previous e-mail matches org domain but user is not an org member
Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>

Closes #38257
2025-03-27 08:50:08 -03:00
Stefan Guilhen
e694065aed Use UserModel.isFederated() instead of comparing federation link to null
Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>

Closes #38137
2025-03-27 08:11:14 -03:00
Pedro Igor
78aa8b486f User not visible when permission with different scope exists
Closes #38369

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2025-03-27 08:01:04 -03:00
Yoshiyuki Tabata
08bac045be Raising an event when a ClientPolicyException is caught #38366
Signed-off-by: Yoshiyuki Tabata <yoshiyuki.tabata.jy@hitachi.com>
2025-03-27 10:41:21 +01:00
Giuseppe Graziano
0d5346e8ca Add broker session id in IDENTITY_PROVIDER_LOGIN event
Closes #34720

Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
2025-03-26 16:18:12 +00:00
Pedro Igor
26c90f369f Support for partial evaluation for clients
Closes #38393

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2025-03-25 09:04:12 -03:00
Thomas Darimont
6c1f0d25cd Avoid NPE in WebAuthnPasswordlessAuthenticator
- If the user provided a custom username, we check if the user actually exists.
If no user exists, we mark this authenticator as attempted.
- If the user provided no username and selected no webauthn credential,
but submitted the form, we mark this authenticator as attempted.

Fixes #29585

Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
2025-03-25 10:53:46 +01:00
Steven Hawkins
c0da146873 fix: limit the scope of when a single transaction is used for import (#37990)
closes: #34364

Signed-off-by: Steve Hawkins <shawkins@redhat.com>
2025-03-24 14:39:07 -04:00
Pedro Igor
1c57035d41 Support partial evaluation for the group resource type
Closes #38273

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2025-03-24 11:49:53 -03:00
vramik
a72d15b857 PartialEvaluator ignores view-* and manage-* roles
Closes #38284

Signed-off-by: vramik <vramik@redhat.com>
2025-03-24 08:30:59 -03:00
Laurids Møller Jepsen
8f7c1871a7 Add client OIDC configuration for setting the header type in access tokens.
If this setting is On, the access token header type will be "at+jwt" in compliance with RFC 9068, see https://datatracker.ietf.org/doc/html/rfc9068#section-2.1. If the setting is Off, the access token header type will be "JWT". The setting is Off per default.

Closes #36696

Signed-off-by: Laurids Møller Jepsen <laurids.jepsen@cryptomathic.com>
2025-03-24 10:35:41 +01:00
Ricardo Martin
734c4af876 Add version column to credential table to avoid simultaneous recovery codes updates
Closes #26106

Signed-off-by: rmartinc <rmartinc@redhat.com>
2025-03-24 10:30:06 +01:00
Alexander Schwartz
83e99f7617 Set the mail.from to avoid looking up the local hostname
Closes #38353

Signed-off-by: Alexander Schwartz <alexander.schwartz@gmx.net>
2025-03-24 09:38:03 +01:00
Martin Bartoš
299c42f4cc Locale RTL does not work properly
Fixes #38320

Signed-off-by: Martin Bartoš <mabartos@redhat.com>
2025-03-21 12:21:36 +00:00
Sebastian Rose
4fb1c41155 Sending Mails via SMTP and XOAUTH2 authentication mechanism
Closes #17432

Signed-off-by: Sebastian Rose <sebastian.rose@gmail.com>
2025-03-21 10:12:18 +01:00
Venelin Cvetkov
d388dc7936 Add config param disableTypeClaimCheck in order to validate external tokens without typ claim
Closes #33332

Signed-off-by: Venelin Cvetkov <venelin.tsvetkov@gmail.com>
2025-03-20 12:42:12 +01:00
mposolda
45344ef65f User session lookup optimization and fixes
closes #37662

Signed-off-by: mposolda <mposolda@gmail.com>
2025-03-20 12:39:50 +01:00
sang
a2d600cc98 fix invalid scope http error code
Closes #37544

Signed-off-by: dcs <6716371+uwevil@users.noreply.github.com>
2025-03-20 12:14:26 +01:00
rmartinc
be4db3ada0 Recovery codes modifications to not tamper sent values
Closes #26104
Closes #26105

Signed-off-by: rmartinc <rmartinc@redhat.com>
2025-03-19 21:22:48 +01:00
Pedro Igor
76bf463de3 Improve message when evaluating permission results
Closes #38212

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2025-03-19 19:58:47 +01:00
Pedro Igor
a4000575a4 Initial support for partial evaluation
Closes #38085

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2025-03-19 13:30:52 -03:00
Takashi Norimatsu
be818502ad DPoP: User Info Endpoint authorization type mismatch
closes #36476

Signed-off-by: Takashi Norimatsu <takashi.norimatsu.ws@hitachi.com>
2025-03-19 12:22:23 +01:00
Awambeng
1d9c0f373a Refactor credential issuance to use scope-based approach (#37687)
Closes #32957

Signed-off-by: Awambeng Rodrick <awambengrodrick@gmail.com>
2025-03-19 10:47:50 +01:00
Pedro Igor
5073266039 Improve message when evaluating permission results
Closes #38212

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2025-03-18 16:01:20 -03:00
Borja Domínguez
7d7e153fb2 Add APIResponse annotations to Realm resources
Closes #36907

Signed-off-by: Borja Domínguez Vázquez <borja.dominguez@hotmail.com>
Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Co-authored-by: Alexander Schwartz <aschwart@redhat.com>
2025-03-17 21:17:35 +01:00