Commit Graph

28196 Commits

Author SHA1 Message Date
Stefan Guilhen eb10072d53 Skip checksum validation for 2.5.0-unicode-oracle, that is preventing migrations when schema name changes
Closes #43564

Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
(cherry picked from commit ef3de183df)
2025-11-10 15:10:59 -03:00
Tobi 84c5701b89 Add new indices on offline_client_session
Closes #43566
Closes #43516

Signed-off-by: twobiers <22715034+twobiers@users.noreply.github.com>
Signed-off-by: Alexander Schwartz <alexander.schwartz@ibm.com>
Co-authored-by: Alexander Schwartz <alexander.schwartz@ibm.com>
2025-11-03 16:07:22 -03:00
Ricardo Martin 1f0b5d4cb2 Ensure the logout endpoint removes the authentication session
Closes #43853


(cherry picked from commit 3b3adcf1e4)

Signed-off-by: rmartinc <rmartinc@redhat.com>
2025-11-01 20:14:32 +01:00
Alexander Schwartz c64b722400 Don't keep an old session to avoid a stable objects and a memory leak
Closes #43761

Signed-off-by: Alexander Schwartz <alexander.schwartz@ibm.com>
2025-10-29 17:36:28 -03:00
Alexander Schwartz 0a5c97d3a9 Resolve session leak in DeclarativeUserProfileProvider
Closes #43785

Signed-off-by: Alexander Schwartz <alexander.schwartz@ibm.com>
2025-10-29 17:35:59 -03:00
Ricardo Martin 50102e50de Check offline scope is still assigned when performing a refresh
Closes #43734


(cherry picked from commit e0c1f2ee0f)

Signed-off-by: rmartinc <rmartinc@redhat.com>
2025-10-29 13:53:14 +01:00
Alexander Schwartz 4cd381edbf Avoid holding on to the realm in cached configurations
Closes #43744

Signed-off-by: Alexander Schwartz <alexander.schwartz@ibm.com>
2025-10-29 08:01:02 -03:00
Alexander Schwartz 8f8dabab55 Role mapper should check if an update is needed for the role
Closes #43698

Signed-off-by: Alexander Schwartz <alexander.schwartz@ibm.com>
2025-10-28 14:53:06 -03:00
Ricardo Martin 5ad8f1a026 Only add the none verifier when attestation conveyance preference is none
Closes #43723


(cherry picked from commit 1bd9a3f473)

Signed-off-by: rmartinc <rmartinc@redhat.com>
2025-10-28 15:51:56 +00:00
Alexander Schwartz e7938a7c22 Make intra-document links work in downstream
Closes #43544

Signed-off-by: Alexander Schwartz <alexander.schwartz@ibm.com>
2025-10-21 08:16:22 -03:00
mposolda a794fca977 Possible overflow in brute force computation
closes #30939

Signed-off-by: mposolda <mposolda@gmail.com>
(cherry picked from commit a2cc51aed7)
2025-10-16 16:09:00 +02:00
Giuseppe Graziano a752492843 Invalidate sessions created with remember me when remember me is disabled for realm
Closes #43328

Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
2025-10-16 15:06:38 +02:00
Martin Bartoš 494b230c97 [26.2] Upgrade to Quarkus 3.20.3 LTS (#42897)
* Upgrade to Quarkus 3.20.3 LTS

Closes #41371

Closes #42491

Closes #42492

Signed-off-by: Martin Bartoš <mabartos@redhat.com>

* Revert "MariaDB connector dependency is not properly overriden (#41372)"

This reverts commit 089975417b.

Closes #41373

Signed-off-by: Martin Bartoš <mabartos@redhat.com>

---------

Signed-off-by: Martin Bartoš <mabartos@redhat.com>
2025-10-15 10:01:23 +02:00
Alexander Schwartz e5f2e2f45a Use quoted values for boolean and number values in Operator examples
Closes #43459

Signed-off-by: Alexander Schwartz <alexander.schwartz@ibm.com>
2025-10-14 13:28:47 -04:00
Steven Hawkins f20dd66196 fix: refining https-protocols documentation
closes: #43164


(cherry picked from commit 700b86fad8)

Signed-off-by: Steve Hawkins <shawkins@redhat.com>
2025-10-14 17:02:31 +00:00
Alexander Schwartz a97613bf7b Prevent using JTA transaction when initializing JDBC_PING
Closes #43335

Signed-off-by: Alexander Schwartz <alexander.schwartz@ibm.com>
2025-10-14 09:15:37 +00:00
Alexander Schwartz cce230818e Register new protocols to avoid exceptions on startup
Closes #43337

Signed-off-by: Alexander Schwartz <alexander.schwartz@ibm.com>
2025-10-10 07:43:13 -03:00
Marek Posolda 0c3a042029 openid-connect flow is missing response type on language change
closes #41292


(cherry picked from commit 76d271bf00)

Signed-off-by: mposolda <mposolda@gmail.com>
2025-10-10 10:45:51 +02:00
Marek Posolda 2720ed988f Security Defenses realm settings lost when switching between Headers and Brute Force Detection tabs (#43318)
closes #42676


(cherry picked from commit 0100ac6d6e)

Signed-off-by: mposolda <mposolda@gmail.com>
2025-10-09 14:21:59 +02:00
Alexander Schwartz c0fe9b197b Close spans in the exceptional path
Closes #41469

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
2025-10-08 11:36:58 -03:00
Pedro Igor 0404f78f39 Lowercase username and email when fetching values from LDAP object
Closes #43254

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2025-10-07 23:58:40 +02:00
Pedro Igor e3ad01f777 Invalidate user cache entries when email or username are different from storage
Closes #40085

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Signed-off-by: Alexander Schwartz <alexander.schwartz@gmx.net>
Co-authored-by: Alexander Schwartz <aschwart@redhat.com>
Co-authored-by: Alexander Schwartz <alexander.schwartz@gmx.net>
2025-10-07 23:58:40 +02:00
Pedro Ruivo 02fb1299d2 Restarting a user session broken for persistent sessions
Fixes #43161

Signed-off-by: Pedro Ruivo <1492066+pruivo@users.noreply.github.com>
Co-authored-by: Pedro Ruivo <1492066+pruivo@users.noreply.github.com>
2025-10-03 19:27:34 +02:00
Steven Hawkins 2b1b2c2d7d fix: removing test os restriction (#41952) (#43172)
closes: #13501


(cherry picked from commit c2a7914c73)

Signed-off-by: Steve Hawkins <shawkins@redhat.com>
2025-10-03 10:25:36 +02:00
Alexander Schwartz 30a278eda0 Disable Secure Client-Initiated Renegotiation by default
The parameter -Djdk.tls.rejectClientInitiatedRenegotiation=true disables Secure Client-Initiated Renegotiation in Keycloak to resolve a potential DoS vulnerability. Note this is applicable only to TLS 1.2.

Closes #43020

Signed-off-by: Erasure5959 <154384607+Erasure5959@users.noreply.github.com>
Signed-off-by: Alexander Schwartz <alexander.schwartz@ibm.com>
Co-authored-by: Erasure5959 <154384607+erasure5959@users.noreply.github.com>
2025-10-02 18:07:39 +02:00
Ricardo Martin 02db622a50 Do not remove sid claim when the session is transient only for the client
Closes #42565


(cherry picked from commit e256513ceb)

Signed-off-by: rmartinc <rmartinc@redhat.com>
2025-10-01 22:57:40 +02:00
Martin Kanis e2726e7342 Username containing a '#' is truncated in Admin Console when hiding inherited roles (#42950)
Closes #42949

Signed-off-by: Martin Kanis <mkanis@redhat.com>
(cherry picked from commit 0baeff171a)
2025-09-30 08:39:32 -03:00
Ricardo Martin 69685b54f2 Expose system-info information in the serverinfo endpoint only for users in the admin realm
Closes #42828


(cherry picked from commit 1d28c0cd35)

Signed-off-by: rmartinc <rmartinc@redhat.com>
2025-09-29 18:21:50 +02:00
Alexander Schwartz 27121d010c Avoid invalidating the realm when managing client initial access
Closes #42922

Signed-off-by: Alexander Schwartz <alexander.schwartz@gmx.net>
2025-09-25 06:14:13 +02:00
rmartinc afec535e61 Do not regenerate the secret key when the size is not explicitly passed
Closes #42405

Signed-off-by: rmartinc <rmartinc@redhat.com>
(cherry picked from commit 605b51905c)
2025-09-23 17:30:01 +02:00
Pedro Igor 19da322d88 URL encode forwarded parameters
Closes #41755

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2025-09-22 14:58:33 +02:00
mposolda 86516bb3dc Missing switch 'ID Token as detached signature' in the admin console client settings
closes #42769

Signed-off-by: mposolda <mposolda@gmail.com>
(cherry picked from commit 201ea6d19c)
2025-09-22 12:09:10 +02:00
Alexander Schwartz f21138745c Add missing fields for client offline session timeout and lifespan
Closes #42369

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
2025-09-12 14:23:29 +02:00
Alexander Schwartz 2743174f2c Handle already existing user session in the store
Closes #40374

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
2025-09-11 17:09:50 +02:00
Pedro Ruivo 60a93d7d80 [26.2] ClientSession timestamp not updated in the database
Closes #42012

Signed-off-by: Pedro Ruivo <1492066+pruivo@users.noreply.github.com>
Co-authored-by: Pedro Ruivo <1492066+pruivo@users.noreply.github.com>
2025-09-10 20:33:22 +02:00
Ricardo Martin 85a66c071f Add User_agent header for documentation links checker
Closes #42164

(cherry picked from commit 93791f67fb)

Signed-off-by: rmartinc <rmartinc@redhat.com>
Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Co-authored-by: Alexander Schwartz <aschwart@redhat.com>
2025-09-10 09:20:26 +00:00
mposolda 4d1330593d Unbounded login_hint parameter Can Corrupt KC_RESTART Cookie
closes #40857

Signed-off-by: mposolda <mposolda@gmail.com>
(cherry picked from commit 5a05d2123e)
(cherry picked from commit 8c04f6d655)
2025-09-09 17:09:12 +02:00
Ricardo Martin a61f1d90be Use back keycloak-js instead of initiate login in the backend for account (#42035)
Closes #40463

Signed-off-by: rmartinc <rmartinc@redhat.com>
(cherry picked from commit 360ff7050c)
2025-09-09 08:51:04 +02:00
Alexander Schwartz 077aa8b19c Avoid removing client sessions before the user session times out
As the client session timeout can be overwritten on a per client level, the realm level timeout can not be used to remove client sessions early.

Closes #35825

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
2025-09-08 16:38:05 -03:00
Alexander Schwartz 399aa6cfd4 Translate the validation error returned from the backend
Closes #42182

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
2025-09-08 14:47:56 -04:00
andymunro 6b6156a9bb Clarify OpenShift instructions
Closes #40487


(cherry picked from commit cef7b1cb06)

Signed-off-by: AndyMunro <amunro@redhat.com>
2025-09-05 17:57:41 +02:00
Alexander Schwartz 53625e5d81 Lock the database before doing migrations
Closes #41801

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
2025-09-04 12:29:17 -03:00
Alexander Schwartz 0ccb91d97e Show length validations in the admin UI
Closes #42178

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Signed-off-by: Alexander Schwartz <alexander.schwartz@gmx.net>
Co-authored-by: Jon Koops <jonkoops@gmail.com>
2025-09-04 12:28:44 -03:00
Pedro Igor e08d5ef34e memberOf attribute empty or values with a DN that does not match the role base DN fetches all roles
Closes #41842

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2025-09-04 13:33:16 +02:00
Sylvere Richard 14965400f4 Fix #40995 avoid ModelException: At least one condition should be provided to OR query
Closes #40995
Signed-off-by: Sylvere Richard <sylvere.richard@gmail.com>
2025-09-04 13:33:16 +02:00
Pedro Igor 3a7dc9a493 Make sure inner transactions are using their own session
Closes #41942

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2025-09-04 13:32:19 +02:00
Václav Muzikář 8eb640797b Upgrade to Quarkus 3.20.2.2
Closes #42245

Signed-off-by: Václav Muzikář <vmuzikar@redhat.com>
2025-08-29 19:38:22 +00:00
Steven Hawkins 65f4650f34 fix: expands our warnings/notes around placeholder usage (#42151) (#42233)
addresses CVE-2025-9162

closes: #42046


(cherry picked from commit e891336167)

Signed-off-by: Steve Hawkins <shawkins@redhat.com>
2025-08-29 13:49:10 +02:00
Alexander Schwartz 0a948fe22f Avoid deleting old client sessions
Closes #41427

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
2025-08-28 09:59:32 -03:00
Giuseppe Graziano f5ff8099c9 Fix client scope validation test and add null check (c1)
Closes #40187

Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
(cherry picked from commit ad511cbc53)

# Conflicts:
#	testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/policies/AbstractClientPoliciesTest.java
2025-08-27 12:34:08 +02:00