Commit Graph

5142 Commits

Author SHA1 Message Date
Stefan Guilhen
09373c11de Revert changes to exception handling in RealmsAdminResource#importRealm (#39974)
- ModelDuplicateException and ModelIllegalException were wrongfully handled as ModelException, returning the wrong status code

Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>

Closes #39753

(cherry picked from commit 75e6d7214a)
2025-05-27 08:58:43 +02:00
rmartinc
825c868774 Only reuse SMTP authentication data for testing endpoint when the same auth, host, port and user are passed
Closes #39486

Signed-off-by: rmartinc <rmartinc@redhat.com>
(cherry picked from commit 598154bc58)
2025-05-22 14:01:13 +02:00
Awambeng
60445d2a9f Fix scope validation for realm-level credential definitions in Authorization Code flow (#39148)
Closes #39130

Signed-off-by: Awambeng Rodrick <awambengrodrick@gmail.com>
(cherry picked from commit ca3859b0f8)
2025-05-21 14:03:58 +02:00
Abhishek Kumar Gupta
1b9d993dff Persist refresh token for IDP token exchange
Closes #39502

Signed-off-by: abhishek818 <abhishekguptaatweb17@gmail.com>
Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Co-authored-by: Alexander Schwartz <aschwart@redhat.com>
2025-05-16 08:53:30 +02:00
Alexander Schwartz
a7985c175b Reorder operations to avoid the slow operation to get all client sessions
Closes #39665

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
2025-05-13 16:54:32 +02:00
Ricardo Martin
6d198a98f6 Add option to log details in the JBossLoggingEventListenerProvider (#39361)
Closes #38985

Signed-off-by: rmartinc <rmartinc@redhat.com>
(cherry picked from commit 688a80d5ef)
2025-05-05 12:23:56 +02:00
Marek Posolda
c830a27928 UserInfo request fails by using an access token obtained in Hybrid flow with offline_access scope
closes #39037


(cherry picked from commit 54e1c8af1e)

Signed-off-by: mposolda <mposolda@gmail.com>
2025-04-30 10:30:47 +02:00
Ricardo Martin
4eaff6cbed Do the re-hash of password in a separate transaction to continue login in case of model exception
Closes #38970


(cherry picked from commit 6e66a7e255)

Signed-off-by: rmartinc <rmartinc@redhat.com>
2025-04-30 10:28:23 +02:00
Ricardo Martin
6efa899adb Make DateUtil convert the local dates into epoch in milliseconds
Closes #38911


(cherry picked from commit 08704df651)

Signed-off-by: rmartinc <rmartinc@redhat.com>
2025-04-30 10:27:56 +02:00
Pedro Igor
89b66cd3a7 Remove authentication session when deleting the account
Closes #38671

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2025-04-30 10:27:23 +02:00
Giuseppe Graziano
c9b5ac4d6c Fix multiple loading of config properties for GrantTypeCondition
Closes #39219


(cherry picked from commit a4ea26f9cd)

Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
2025-04-30 10:27:05 +02:00
Giuseppe Graziano
a83794e817 Fix GrantTypeCondition config key mismatch
This ensures that the grant types are correctly read during evaluation,
allowing the condition to trigger as intended when client policies are enforced.

Closes #39296


(cherry picked from commit d7966c0e2a)

Signed-off-by: Sven-Torben Janus <sven-torben.janus@conciso.de>
Co-authored-by: Sven-Torben Janus <sven-torben.janus@conciso.de>
2025-04-30 10:26:20 +02:00
Steven Hawkins
928a756a7a fix: relaxes the admin root redirect check (#39095) (#39337)
closes: #39085

also changing the adminroot test to seem like it's coming from a proxy

---------

(cherry picked from commit 08b5183784)

Signed-off-by: Steven Hawkins <shawkins@redhat.com>
2025-04-30 09:13:14 +02:00
Steve Hawkins
99ca24c832 fix: remove ANY mode modification of truststores
also note that ANY should not be used in production

closes: CVE-2025-3501

Signed-off-by: Steve Hawkins <shawkins@redhat.com>

Add a test for the error (#1)

Signed-off-by: Ricardo Martin <rmartinc@redhat.com>

Update docs/guides/server/keycloak-truststore.adoc

Co-authored-by: Marek Posolda <mposolda@gmail.com>
Signed-off-by: Steven Hawkins <shawkins@redhat.com>
2025-04-24 12:09:03 +02:00
mposolda
a78c951a5a Make sure Cancel AIA does not remove required action from user
Signed-off-by: mposolda <mposolda@gmail.com>
2025-04-24 11:45:04 +02:00
vramik
7437677863 Fix JpaUserProvider.getUsersCount(RealmModel, boolean)
Closes #38692

(cherry picked from commit bd58b70447)

Signed-off-by: vramik <vramik@redhat.com>
2025-04-16 16:26:09 -03:00
sophie [⛧-440729]
d1ff1b186e add option to the nginx x509 client cert lookup provider to not url-decode the passed client cert
Closes #17171 

Signed-off-by: ⛧-440729 [sophie] <sophie@999eagle.moe>
2025-04-11 10:38:38 +02:00
Thomas Darimont
478e0b3264 Make sure that there is a single audience allowed by default in JWT tokens sent to client authentication
closes #38819

Signed-off-by: mposolda <mposolda@gmail.com>

Co-authored-by: Thomas Darimont <thomas.darimont@googlemail.com>
Co-authored-by: mposolda <mposolda@gmail.com>
2025-04-10 18:08:10 +02:00
Pedro Igor
ae88d7921f Improvements to partial evaluation
Closes #38732

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2025-04-09 18:15:28 +02:00
WMartel
182758f046 Improve Organization endpoints with String body
- Added trim() call to get rid of surrounding white space characters
  for organization POST endpoints that expect a String body instead of
  an actual object

Closes #38760

Signed-off-by: WMartel <10606973+WMartel@users.noreply.github.com>
2025-04-09 11:59:24 +00:00
vramik
9c02bb29d3 Fix AvailableRoleMappingResource
Closes #35580

Signed-off-by: vramik <vramik@redhat.com>
2025-04-09 08:41:15 -03:00
Martin Bartoš
83001e4024 OTelHttpClientFactory not configured properly when tracing enabled
Closes #38740

Signed-off-by: Martin Bartoš <mabartos@redhat.com>
2025-04-08 17:04:23 +00:00
rmartinc
ba91a092ab Migrate old recaptcha secret name when used
Closes #38607

Signed-off-by: rmartinc <rmartinc@redhat.com>
2025-04-08 14:22:25 +02:00
Pedro Igor
79b533ee02 Allow managing client authorization settings if manage scope is granted for clients
Closes #38726

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2025-04-08 13:07:48 +02:00
Pedro Igor
be880ae204 Do not cache partial results when FGAP is enabled
Closes #38705

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2025-04-08 08:22:22 +02:00
Pedro Igor
8521b9952a Export failing if the realm has FGAP enabled
Closes #38695

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2025-04-07 18:47:44 +02:00
rmartinc
540ee9eda2 Add webauthn tests for the passkeys conditional UI authenticator
Closes #23659

Signed-off-by: rmartinc <rmartinc@redhat.com>
2025-04-07 15:04:59 +02:00
Pedro Igor
d98ca0a2a2 Make sure searches by identifiers are filtered
Closes #38679

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2025-04-07 14:59:43 +02:00
Stefan Guilhen
a4ca92ab4d Validate realm name for uniqueness before creating a new realm in the DB
Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>

Closes #38426
2025-04-07 08:49:42 -04:00
vramik
6488890585 [FGAP:V2] remove configure scope from Client resource type
Closes #38567

Signed-off-by: vramik <vramik@redhat.com>
2025-04-07 07:05:02 -03:00
Stefan Guilhen
c4c3e2eee6 Allow redirection to idp when user email matches any of the org domains
Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
Co-authored-by: Martin Panzer <martin.panzer@active-logistics.com>

Closes #33804
2025-04-04 11:28:04 -03:00
Alexander Schwartz
b211391e02 Enhance logging for a missing provider factory dependency
Closes #38594

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
2025-04-04 15:38:02 +02:00
Pedro Igor
9f079f7874 Permission checks that do not check a specific client should check the permissions granted to the client resource type
Closes #38653

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2025-04-03 17:00:47 +00:00
vramik
8127a9da60 [FGAP] Allow user creation when the admin has permission to manage-members and manage-membership for all existing groups defined in UserRepresentation
Closes #38269

Signed-off-by: vramik <vramik@redhat.com>
2025-04-03 12:08:46 -03:00
Pedro Igor
29d3dcb49a Do not allow deleting the FGAP client
Closes #38644

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2025-04-03 14:57:06 +02:00
vramik
999d9aa75b [FGAP] Override canList() for V2.
Closes #38641

Signed-off-by: vramik <vramik@redhat.com>
2025-04-03 08:35:08 -03:00
rtufisi
134437a5a7 Create recovery keys in user storage or local (#38446)
closes #38445

Signed-off-by: rtufisi <rtufisi@phasetwo.io>
2025-04-03 10:09:48 +02:00
vramik
f12fa0b5bb [FGAP] remove transitiveness from auth scopes
Closes #38557

Signed-off-by: vramik <vramik@redhat.com>
2025-04-02 16:56:25 -03:00
tranthanhhien06072001
13405b184a Add totp policy to TotpLoginBean (#38606)
Closes #38523

Signed-off-by: hientt85 <hientt85@viettel.com.vn>
2025-04-02 18:34:07 +02:00
rmartinc
a10c8119d4 Define a max expiration window for Signed JWT client authentication
Closes #38576

Signed-off-by: rmartinc <rmartinc@redhat.com>
2025-04-02 18:32:54 +02:00
rmartinc
43c79e8d1b Add locale attribute to the registration context
Closes #38029

Signed-off-by: rmartinc <rmartinc@redhat.com>
2025-04-02 09:03:06 +02:00
Pedro Igor
61cb0acbc4 Fixing inconsistencies when evaluating permission in the evaluation tab
Closes #38498

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2025-04-01 11:40:27 -03:00
Alexander Schwartz
85737f52b5 Make access Token in user info endpoint bound to the dpop proof
Closes #38333

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
2025-03-31 09:41:57 +02:00
Václav Muzikář
2a0ce46471 Prevent frontend endpoint redirect to admin endpoint (#38464)
Closes #38463

Signed-off-by: Václav Muzikář <vmuzikar@redhat.com>
2025-03-28 18:44:43 +01:00
Douglas Palmer
4ccb50106a Add audience to the client-scopes evaluate tab (#38457)
* Add audience to the client-scopes evaluate tab #37548

Signed-off-by: Douglas Palmer <dpalmer@redhat.com>

* Simulate audience parameter in the evaluate tab - polishing

Signed-off-by: mposolda <mposolda@gmail.com>

---------

Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
Signed-off-by: mposolda <mposolda@gmail.com>
Co-authored-by: mposolda <mposolda@gmail.com>
2025-03-28 16:22:34 +01:00
Steven Hawkins
06e0885f46 fix: adds back reporting of non-ip client addresses (#37797)
closes: #36843

Signed-off-by: Steve Hawkins <shawkins@redhat.com>
# Conflicts:
#	services/src/main/java/org/keycloak/protocol/oidc/tokenexchange/AbstractTokenExchangeProvider.java
#	services/src/main/java/org/keycloak/protocol/oidc/tokenexchange/StandardTokenExchangeProvider.java
2025-03-27 19:33:20 +00:00
Stefan Guilhen
d62fa871b5 Allow users to unset their e-mail when the previous e-mail matches org domain but user is not an org member
Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>

Closes #38257
2025-03-27 08:50:08 -03:00
Stefan Guilhen
e694065aed Use UserModel.isFederated() instead of comparing federation link to null
Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>

Closes #38137
2025-03-27 08:11:14 -03:00
Pedro Igor
78aa8b486f User not visible when permission with different scope exists
Closes #38369

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2025-03-27 08:01:04 -03:00
Yoshiyuki Tabata
08bac045be Raising an event when a ClientPolicyException is caught #38366
Signed-off-by: Yoshiyuki Tabata <yoshiyuki.tabata.jy@hitachi.com>
2025-03-27 10:41:21 +01:00