Commit Graph

4160 Commits

Author SHA1 Message Date
Ricardo Martin ab940a0807 Fix issue with access token claims not being imported using OIDC IDP Attribute Mappers (#21627)
Closes #9004

Co-authored-by: Armel Soro <armel@rm3l.org>
Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-01-23 15:58:36 +01:00
rmartinc 110f64a814 Sanitize logs in JBossLoggingEventListenerProvider
Closes #25078

Signed-off-by: rmartinc <rmartinc@redhat.com>
(cherry picked from commit 179ca3fa3a)
2024-01-12 20:09:44 +01:00
Ricardo Martin 4525849e72 Escape action in the form_post.jwt and only decode path in RedirectUtils (#94)
Closes #90

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-01-04 13:46:34 +01:00
Alexander Schwartz efd53f1d5d Adding a test case to check that the expiration time is set on logout tokens
Closes #25753

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
(cherry picked from commit 9e890264df)
2023-12-26 14:41:41 +01:00
Niko Köbler 0c660af047 add the exp claim to the backchannel logout token
This is now, as of Dec 15th 2023, part of the OIDC Backchannel Logout spec, chapter 2.4.

As of chapter 4, the logout token should have a short expiration time, preferably at most two minutes in the future. So we set the expiration to this time.

resolves #25753

Signed-off-by: Niko Köbler <niko@n-k.de>
(cherry picked from commit 5e623f42d4)
2023-12-26 14:41:41 +01:00
rmartinc 98ceed7242 Do not allow removing a credential in account endpoint if provider marks it as not removable
Closes #25220

Signed-off-by: rmartinc <rmartinc@redhat.com>
(cherry picked from commit d004e9295f)
2023-12-15 13:34:01 +01:00
Ricardo Martin 67f905ecc5 Escape action in the form_post response mode (#30)
Closes https://issues.redhat.com/browse/RHBK-652

Signed-off-by: rmartinc <rmartinc@redhat.com>
2023-12-06 16:14:44 +01:00
Ricardo Martin 15a21bf8e4 CVE-2023-6291 keycloak: redirect_uri validation logic that allows for a bypass of otherwise explicitly allowed hosts (#57)
* Remove lowercase for the hostname as recommended/advised by OAuth spec
Closes https://github.com/keycloak/keycloak/issues/25001

Signed-off-by: rmartinc <rmartinc@redhat.com>

* Strip off user-info from redirect URI when validating using wildcard
Closes https://issues.redhat.com/browse/RHBK-679

Signed-off-by: rmartinc <rmartinc@redhat.com>

---------

Signed-off-by: rmartinc <rmartinc@redhat.com>
2023-12-06 13:51:02 +01:00
Ricardo Martin ae4c7ebea9 Add active RSA key to decryption if deprecated mode (#25205) (#25229)
Closes https://github.com/keycloak/keycloak/issues/24652

Signed-off-by: rmartinc <rmartinc@redhat.com>
2023-12-04 10:57:52 +00:00
Jon Koops 948bc65370 Attempt to request storage access for cookies (#25055) (#25157)
Closes #23872

Signed-off-by: Jon Koops <jonkoops@gmail.com>
2023-12-01 11:04:00 +00:00
Michal Hajas 1d50fcd162 Publish information about Infinispan availability in lb-check if MULTI_SITE is enabled
Closes #25077

Signed-off-by: Michal Hajas <mhajas@redhat.com>
Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Co-authored-by: Pedro Ruivo <pruivo@redhat.com>
Co-authored-by: Alexander Schwartz <aschwart@redhat.com>
(cherry picked from commit 2b2207af93)

 Conflicts:
	common/src/main/java/org/keycloak/common/Profile.java
	common/src/test/java/org/keycloak/common/ProfileTest.java
	quarkus/tests/integration/src/test/java/org/keycloak/it/cli/dist/FeaturesDistTest.java
	quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testBuildHelp.unix.approved.txt
	quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testExportHelp.unix.approved.txt
	quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testExportHelpAll.unix.approved.txt
	quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testImportHelp.unix.approved.txt
	quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testImportHelpAll.unix.approved.txt
	quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartDevHelp.unix.approved.txt
	quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartDevHelpAll.unix.approved.txt
	quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartHelp.unix.approved.txt
	quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartHelpAll.unix.approved.txt

Signed-off-by: Michal Hajas <mhajas@redhat.com>
2023-11-30 19:31:19 +01:00
rmartinc d17e3bf1d7 Use LinkedIn instead of LinkedIn OpenID Connect for better UI experience
Closes https://github.com/keycloak/keycloak/issues/24659

Signed-off-by: rmartinc <rmartinc@redhat.com>
(cherry picked from commit 5fad76070a)
2023-11-30 14:15:43 +01:00
Ricardo Martin 789a6a1e5f Escape ldap id when using normal attribute syntax (#25)
Closes https://github.com/keycloak/security/issues/46
2023-11-21 09:37:04 +01:00
Pedro Igor 1603e291ba Make sure optional default attributes are removed when decorating the user-defined user profile configuration
Closes #24420
2023-11-02 09:03:24 +01:00
Pedro Igor 1afcccfbc7 Removing the default cache metadata
Closes #23910
2023-10-16 09:51:30 -03:00
Pedro Igor 90818fc53a Avoid creating the component when there is no component and configuration is not provided
Closes #20970

Co-authored-by: Pedro Igor <psilva@redhat.com>
2023-10-16 09:51:30 -03:00
Jon Koops 2786929cfb Don't use top-level await for storage access checks (#23991)
Backports #23743

Co-authored-by: ici-dev-gb <104197269+ici-dev-gb@users.noreply.github.com>
2023-10-14 18:59:22 +02:00
Jon Koops 1ff31e4b52 Resolve several usability issues around User Profile
Backports #23507, #23584, #23740, #23774, #22982

Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com>
2023-10-13 08:40:59 -03:00
Jon Koops 1fd2bbec25 Always check storage access before placing test cookie (#23558)
Backports #22839
2023-09-27 14:18:22 +00:00
Pedro Igor 1e4f284e31 Allow updating email when email as username is set and edit username disabled
#23438
2023-09-27 10:52:26 +02:00
Ricardo Martin ddf11ced16 Ensure that the EncryptedKey is passed to the DecryptionKeyLocator for SAML (#23468)
Closes https://github.com/keycloak/keycloak/issues/22974
2023-09-26 08:04:41 -04:00
rmartinc ea63fd7f1d verifyRedirectUri should return null when the passed redirectUri is invalid
Closes https://github.com/keycloak/keycloak/issues/22778
2023-09-21 17:17:19 +02:00
Jon Koops 012e8c197f better features overview (#23429)
Backports #17733

Co-authored-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
2023-09-21 12:57:41 +00:00
Erik Jan de Wit 9a7d79a6e7 fixed permissions for locale fetch
Backports #23065
2023-09-21 14:50:07 +02:00
Thomas Darimont a3ec7686f5 Prevent NPE in AuthenticationManager.backchannelLogout (#23313)
Previously, if the user was already removed from the userSession
and the log level was set to DEBUG, then an NPE was triggered by
the debug log statement during backchannelLogout.

Fixes #23306

(cherry picked from commit 04d16ed170)
2023-09-18 09:59:34 +00:00
Pedro Igor ed805067e0 Registration page not showing username when edit username is not enabled
Closes #23185
2023-09-14 14:05:41 +02:00
kaustubh-rh e347d788ce Unable to create user with long email address (#23132)
closes #22825

Co-authored-by: mposolda <mposolda@gmail.com>
2023-09-13 11:31:51 +02:00
Marek Posolda 0fd4161c45 Remove bearer-only occurrences in the documentation when possible. Mak… (#23148)
closes #23066

Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com>
(cherry picked from commit 56b94148a0)
2023-09-13 08:19:16 +02:00
Pedro Igor 55b2eddb0c Ignore attributes when they are not prefixed with user.attributes prefix (#26)
* Ignore attributes when they are not prefixed with user.attributes prefix

Co-authored-by: mposolda <mposolda@gmail.com>
Co-authored-by: stianst <stianst@gmail.com>

* Update docs/documentation/release_notes/topics/22_0_3.adoc

* Update docs/documentation/release_notes/topics/22_0_3.adoc

---------

Co-authored-by: mposolda <mposolda@gmail.com>
Co-authored-by: stianst <stianst@gmail.com>
Co-authored-by: Stian Thorgersen <stian@redhat.com>
2023-09-12 19:09:55 +02:00
Pedro Igor ed339de092 Broker claim mapper not recognizing claims from user info endpoint
Closes #12137
2023-09-11 08:20:32 +02:00
rmartinc f52af8d63b Add old LinkedIn provider to the deprecated profile
Closes https://github.com/keycloak/keycloak/issues/23067
2023-09-08 14:36:24 +02:00
Marek Posolda 47b97b9404 Registration flow fixed (#23064)
Closes #21514

Co-authored-by: Vilmos Nagy <vilmos.nagy@outlook.com>
Co-authored-by: Alexander Schwartz <aschwart@redhat.com>
Co-authored-by: Marek Posolda <mposolda@gmail.com>
(cherry picked from commit 506e2537ac)
2023-09-08 10:06:53 +02:00
rmartinc 4f2115c642 Add a new identity provider for LinkedIn based on OIDC
Closes https://github.com/keycloak/keycloak/issues/22383
2023-09-07 15:49:24 +02:00
Pedro Igor e88c0aa61d Decoupling legacy and dynamic user profiles and exposing metadata from admin api
Closes #22532

Co-authored-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
2023-09-07 11:27:53 +02:00
Pedro Igor 83e854785b Parsing response from user info rather than the access token
Closes #22581
2023-08-29 14:52:32 +02:00
Jon Koops ef0f8ea532 lazy populate the treeview for groups (#21520) (#22656)
Fixes: #19954
2023-08-23 17:42:06 +02:00
rmartinc 4570718ec6 RedirectUtils needs to use KeycloakUriBuilder with no parameter parsing
Closes https://github.com/keycloak/keycloak/issues/22424
2023-08-17 16:09:52 +02:00
Pedro Igor adec6c5f01 Fixing how e-mail attribute permissions are set for both USER_API and ACCOUNT contexts
Closes #21751
2023-08-11 17:02:49 +02:00
mposolda 29d5fc6c49 Fix authenticatorConfig for javascript providers
Closes #20005

(cherry picked from commit 6f6b5e8e84)
2023-08-01 08:59:28 +02:00
Ricardo Martin 75305269d1 Add logout other sessions checkbox to TOTP, webauthn and recovery authn codes setup pages (#21897)
* Add logout other sessions checkbox to TOTP, webauthn, recovery authn codes setup pages and to update-email page
Closes #10232
2023-07-28 08:34:47 +02:00
mposolda 6b83b3880f Keycloak forgets ui_locales parameter when using reset password
closes #10981

(cherry picked from commit 03716ed452)
2023-07-26 15:33:17 +02:00
rmartinc 87a50d3ba7 Revert emailVerified to false if email modified on force-sync non-trusted broker
Closes https://github.com/keycloak/security/issues/48
2023-07-17 13:14:45 +02:00
vramik 47eeece827 Update javadoc for user search in UserResource
Closes #21053
2023-07-11 11:14:29 +02:00
Pedro Igor 376d20c285 Remove user credentials from admin event representation (#21561)
Closes #17470
2023-07-11 08:26:29 +02:00
rmartinc 13870f3a69 Improve error management in the github provider
Closes https://github.com/keycloak/keycloak/issues/9429
2023-07-10 16:09:08 -03:00
Václav Muzikář 97a37f565e Align guava dependency with the Quarkus Platform BOM (#21544)
Closes #21364
2023-07-10 16:13:13 +02:00
Daniele Martinoli 1644432df3 Reviewed solution as per reviewer's comments
2023-07-10 08:31:47 -03:00
Daniele Martinoli d148a789f7 added clientNote to show the sign out option
2023-07-10 08:31:47 -03:00
Patrick Jennings 399a23bd56 Find an appropriate key based on the given KID and JWA (#21160)
* keycloak-20847 Find an appropriate key based on the given KID and JWA. Prefers matching on both inputs but will match on partials if found. Or return the first key if a match is not found.

Mark Key as fallback if it is the singular client certificate to be used for signed JWT authentication.

* Update js/apps/admin-ui/public/locales/en/clients.json

Co-authored-by: Marek Posolda <mposolda@gmail.com>

* Updating boolean variable name based on suggestions by Marek.

* Adding integration test specifically for the JWT parameters for regression #20847.

---------

Co-authored-by: Marek Posolda <mposolda@gmail.com>
2023-07-10 13:28:55 +02:00
Daniele Martinoli 817f129484 fix: closes #21095 (#21289)
* fix: closes #21095

* Added overloaded version of GroupUtils.toGroupHierarchy with additional full parameter.
2023-07-10 12:13:26 +02:00