dd17f7d811
Add a test for IdpUsernamePasswordForm in webauthn CI job
...
Closes #41259
Signed-off-by: rmartinc <rmartinc@redhat.com >
2025-07-24 10:39:29 -03:00
0b98cb7466
Passkeys support in IdpUsernamePasswordForm
...
closes #41259
Signed-off-by: mposolda <mposolda@gmail.com >
2025-07-24 10:39:29 -03:00
8fc5664115
Add id token claims to OpenID Provider Metadata claims_supported
...
Closes #41170
Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com >
2025-07-24 07:21:45 -03:00
57972d85d3
Update per feedback review
...
Signed-off-by: mposolda <mposolda@gmail.com >
2025-07-22 10:00:37 -03:00
bba869b3d5
Fixing Re-authentication with passkeys
...
closes #41242
closes #41008
Signed-off-by: mposolda <mposolda@gmail.com >
2025-07-22 10:00:37 -03:00
e0bba39da0
Allow configure encryption details for SAML clients
...
Closes #40933
Signed-off-by: rmartinc <rmartinc@redhat.com >
2025-07-18 20:13:40 +02:00
631aebd848
FAPI 2.0 Final - only accept its issuer identifier value as a string in the aud claim received in client authentication assertions
...
closes #41119
Signed-off-by: Takashi Norimatsu <takashi.norimatsu.ws@hitachi.com >
2025-07-18 08:26:21 +02:00
4bb02305c3
Implement CompatibilityMetadataProvider for Cache CLI args
...
Closes #41138
Signed-off-by: Ryan Emerson <remerson@redhat.com >
2025-07-16 19:52:51 +02:00
d62d5030fe
Adds log context information for MDC for realm, users, etc.
...
Closes #39812
Signed-off-by: Björn Eickvonder <b.eicki@gmx.net >
Signed-off-by: Alexander Schwartz <aschwart@redhat.com >
Signed-off-by: Bjoern Eickvonder <bjoern.eickvonder@inform-software.com >
Co-authored-by: Pedro Ruivo <pruivo@users.noreply.github.com >
Co-authored-by: Alexander Schwartz <aschwart@redhat.com >
2025-07-16 17:46:46 +02:00
87f30a6285
Adding a config to the UPDATE_EMAIL action to force users to verify email
...
Closes #32569
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com >
2025-07-16 16:21:08 +02:00
0a745d6aeb
Allow Features to declare that they support Rolling upgrades
...
Closes #41022
Signed-off-by: Ryan Emerson <remerson@redhat.com >
Signed-off-by: Alexander Schwartz <aschwart@redhat.com >
Co-authored-by: Alexander Schwartz <aschwart@redhat.com >
2025-07-16 12:10:29 +02:00
f00cd980c4
Add FAPI 2.0 + DPoP security profile as default profile of client policies
...
closes #35441
Signed-off-by: Takashi Norimatsu <takashi.norimatsu.ws@hitachi.com >
2025-07-16 09:30:11 +02:00
d5206b61f6
Update email feature only enabled if the required action is enabled at the realm
...
Closes #41045
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com >
2025-07-14 16:31:15 -03:00
a3441689e9
[OID4VCI] OpenID for Verifiable Credentials support in client settings ( #39385 )
...
Closes #32967
Signed-off-by: forkimenjeckayang <forkimenjeckayang@gmail.com >
Co-authored-by: Francis Pouatcha <francis.pouatcha@adorsys.com >
2025-07-14 11:47:10 +02:00
2f36276ff0
Remove FGAP:v1 from external-internal token exchange ( #40938 )
...
Closes #40855
Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com >
2025-07-11 17:42:47 +02:00
274afa88fa
Add option 'Requires short state parameter' to OIDC IDP
...
closes #40237
Signed-off-by: mposolda <mposolda@gmail.com >
2025-07-11 16:17:03 +02:00
919554e6fc
Resolve organization when scope is requested and the user is a member or the email domain matches the organization
...
Closes #39864
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com >
2025-07-10 20:38:47 +02:00
88069cd5fb
Mark user session for removal when the user bound to cannot be resolved
...
Closes #40398
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com >
2025-07-10 20:37:18 +02:00
f39a37d8d1
[OID4VCI] Move realm attributes to clientScope and protocol-mappers ( #39768 )
...
fixes #39527
Signed-off-by: Pascal Knüppel <pascal.knueppel@governikus.de >
Signed-off-by: Captain-P-Goldfish <captain.p.goldfish@gmx.de >
2025-07-10 14:46:36 +02:00
5a42390341
Make UPDATE_EMAIL a supported feature
...
Closes #40227
Signed-off-by: Martin Kanis <mkanis@redhat.com >
2025-07-09 10:15:48 -03:00
20a4dc283b
Generate a UUID to be the JTI instead of reusing the nonce.
...
Signed-off-by: michael.cordingley <michael.cordingley@upstart.com >
2025-07-09 13:15:17 +02:00
beb4be6b32
[OID4VCI] : Update Credential Issuer Metadata Model for OID4VCI Draft-15 ( #40749 )
...
Closes #39290
Signed-off-by: forkimenjeckayang <forkimenjeckayang@gmail.com >
2025-07-09 11:41:17 +02:00
9d41092944
BUGFIX: session limit exceeded for both client & realm
...
This commit fixes a bug the wrong user session is removed if the user session limit
for realm and client is exceeded at the same time.
Closes #38016
Signed-off-by: Håvar Nøvik <havar@novik.email >
2025-07-09 11:37:55 +02:00
900d8c7400
Changing default passwordless webauthn policy to follow recommended values in the documentation
...
Closes #40792
Signed-off-by: rmartinc <rmartinc@redhat.com >
2025-07-09 11:34:28 +02:00
6b050776bc
Set client in the session context for logout token encode
...
Closes #40984
Signed-off-by: rmartinc <rmartinc@redhat.com >
2025-07-09 10:50:05 +02:00
d62114e50e
Do not add steps if feature disabled in default flows
...
Allow login if a step is disabled even the authenticator is not enabled by profile
Closes #40954
Signed-off-by: rmartinc <rmartinc@redhat.com >
2025-07-09 10:44:36 +02:00
332c9b6e4a
Fix NPE when accessing group concurrently
...
Closes #40368
Signed-off-by: vramik <vramik@redhat.com >
2025-07-08 16:13:54 -03:00
e92b825a14
[OID4VCI]: Add a unique notification_id generation to OID4VCIssuerEndpoint used in CredentialResponse. ( #40229 )
...
closes #39284
Signed-off-by: Ogenbertrand <ogenbertrand@gmail.com >
2025-07-08 19:57:31 +02:00
193ab471c1
fix: correcting to use the X-Forwarded-Proto header ( #40905 )
...
close : #40903
Signed-off-by: Steve Hawkins <shawkins@redhat.com >
2025-07-07 17:07:47 +02:00
114afee7f1
Use MgmtPermissionsV2 by default
...
Closes #40192
Signed-off-by: vramik <vramik@redhat.com >
2025-07-07 11:07:21 -03:00
eba4934950
fix: correcting spi-theme options
...
closes : #40930
Signed-off-by: Steve Hawkins <shawkins@redhat.com >
2025-07-07 13:18:24 +00:00
2aca97bd19
Remove interval property from Credential Offer ( #40412 )
...
Closes #39294
Signed-off-by: forkimenjeckayang <forkimenjeckayang@gmail.com >
2025-07-07 13:55:39 +02:00
178b893492
Always Return Array of Credentilas for Credential Responses ( #40409 )
...
Closes #39283
Signed-off-by: forkimenjeckayang <forkimenjeckayang@gmail.com >
Co-authored-by: Francis Pouatcha <francis.pouatcha@adorsys.com >
2025-07-07 13:53:28 +02:00
b70342dda7
Fix NPE when client is not set in context during token encoding
...
This commit fixes an issue throwing an NPE when trying to encode a token without having a client set in the session context. In other places in this class (like getSignatureAlgorithm(String)) this is checked. But in the type(TokenCategory) it was forgotten to check.
2025-07-07 13:01:25 +02:00
47ca339656
More secure call of Facebook debug token
...
closes #40926
Signed-off-by: mposolda <mposolda@gmail.com >
2025-07-04 14:44:56 +02:00
81a7f38a76
Added emailVerified filtering for users endpoint; updated user count endpoint with logic to support enabled, emailVerified, idpAlias, idpUserId, and exact field query parameters
...
Closes #38556
Closes #29295
Signed-off-by: Barathwaja S <sbarathwaj4@gmail.com >
2025-07-03 17:05:36 -03:00
c52edc853d
Verification of external OIDC token by introspection-endpoint. Adding ExternalInternalTokenExchangeV2Test
...
closes #40167
closes #40198
Signed-off-by: mposolda <mposolda@gmail.com >
2025-07-03 16:23:13 +02:00
886c592422
Verification of external GitHub token via "check token" endpoint
...
Closes #40164
Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com >
2025-07-01 15:03:49 +02:00
2db98b6a98
Use POST binding for logout when REDIRECT url is not set and forced POST
...
Closes #40637
Signed-off-by: rmartinc <rmartinc@redhat.com >
2025-06-30 10:30:12 +02:00
e7e4ce8339
make abstract class AbstractUserRoleMappingMapper public (was package-private)
...
closes #40765
Signed-off-by: Niko Köbler <niko@n-k.de >
2025-06-28 11:38:34 +02:00
304bcdce88
Do not show update email link if the email attribute is not writable
...
Closes #39669
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com >
2025-06-28 10:19:41 +02:00
a981f6b6d5
Access Token IDs have less than 128 bits of entropy
...
Closes #38663
Signed-off-by: Douglas Palmer <dpalmer@redhat.com >
2025-06-26 16:48:03 +02:00
150ac639bf
Verification of external facebook token via "debug token" endpoint
...
Closes #40163
Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com >
2025-06-26 15:21:20 +02:00
dcb136ff4e
Resolve resources with same URI if the permission request is based on URI matching
...
Closes #40695
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com >
2025-06-26 08:24:44 +02:00
a9202d48e2
Integrate passkeys with the organization authenticator
...
Closes #40022
Signed-off-by: rmartinc <rmartinc@redhat.com >
2025-06-26 08:15:36 +02:00
5af775db0f
Allow passkeys login when user has no password credential
...
Closes #40717
Signed-off-by: rmartinc <rmartinc@redhat.com >
2025-06-26 08:09:09 +02:00
af40a4db19
Forward LOGIN_HINT of authentication session with identity-provider-redirector
...
Fixes keycloak#36396
Signed-off-by: Oliver Cremerius <antikalk@users.noreply.github.com >
2025-06-26 06:08:36 +02:00
cc7b63cfc6
Integrate passkeys with separate username and password forms
...
Closes #40021
Signed-off-by: rmartinc <rmartinc@redhat.com >
2025-06-25 09:43:48 +02:00
86f0a7864f
Disable email verification when email manually changed by idp review
...
Closes #40446
Signed-off-by: rmartinc <rmartinc@redhat.com >
2025-06-25 08:56:03 +02:00
1183157d86
Key generation for client authentication is always RSA 2048 with a 10-year validity, regardless of the selected algorithm
...
Closes #38620
Signed-off-by: Douglas Palmer <dpalmer@redhat.com >
2025-06-25 08:15:43 +02:00
rmartinc