Commit Graph

4180 Commits

Author SHA1 Message Date
Ricardo Martin f671e4c38b Fix CRL verification failing due to client cert not being in chain (#29582)
closes #19853

Signed-off-by: Micah Algard <micahalgard@gmail.com>
Signed-off-by: rmartinc <rmartinc@redhat.com>

Co-authored-by: Micah Algard <micahalgard@gmail.com>
Co-authored-by: rmartinc <rmartinc@redhat.com>
(cherry picked from commit 74a80997c7)
2024-10-17 13:10:58 +02:00
Giuseppe Graziano ef75a4dc50 Remove root auth session after backchannel logout
Closes #32197

Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
(cherry picked from commit b46fab2308)
2024-10-03 08:50:08 +02:00
Stian Thorgersen 5d1e20efd3 Improve handling for loopback redirect-uri validation (#197)
Signed-off-by: stianst <stianst@gmail.com>
2024-09-16 13:34:01 +02:00
rmartinc 0f270dbf30 Adding upgrading notes for brute force changes
Closes #31960

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-08-09 16:38:38 +02:00
rmartinc b25c28458a Remove the attempt in brute force when the off-thread finishes
Closes #31881

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-08-09 16:38:38 +02:00
Pedro Igor d78b3072ff Support for blocking concurrent requests when brute force is enabled
Closes #31726

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
Signed-off-by: mposolda <mposolda@gmail.com>
2024-08-09 16:38:38 +02:00
Jon Koops d618a27283 Use the Keycloak server URL for common resources (#30823) (#30827)
Closes #30541

Signed-off-by: Jon Koops <jonkoops@gmail.com>
(cherry picked from commit cd0dbdf264)
2024-06-26 16:19:27 +00:00
graziang ec4b43bca2 Revoked token cache expiration fix
Added 1 second to the duration of the cache for revoked tokens to prevent them from still being valid for 1 second after the expiration date of the access token.

Closes #26113

Signed-off-by: graziang <g.graziano94@gmail.com>
(cherry picked from commit 54b40d31b6)
2024-06-26 12:27:20 +02:00
rmartinc 8d6f9ab153 Logout from all clients after IdP logout is performed
Closes #25234

Signed-off-by: rmartinc <rmartinc@redhat.com>
(cherry picked from commit 7d05a7a013)
2024-06-11 10:36:57 +02:00
rmartinc 54c91e38a8 Generate RESTART_AUTHENTICATION event on success
Closes #29385

Signed-off-by: rmartinc <rmartinc@redhat.com>
(cherry picked from commit b258b459d7)
2024-06-07 07:40:11 +02:00
Giuseppe Graziano 5756cc244c Encrypted KC_RESTART cookie and removed sensitive notes (#168)
Closes keycloak/keycloak-private#162

Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
2024-05-21 12:01:50 +02:00
Ricardo Martin e014504ab4 Missing auth checks in some admin endpoints (#169)
Closes keycloak/keycloak-private#156

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-05-21 08:26:22 +02:00
rmartinc b9db6c1e74 Better management of the CSP header
Closes https://github.com/keycloak/keycloak/issues/24568

Signed-off-by: rmartinc <rmartinc@redhat.com>
(cherry picked from commit 2b769e5129)
2024-04-18 14:39:21 +02:00
Marek Posolda aa634aee88 CVE-2023-3597 - Secondary factor bypass in step-up authentication (#144)
* Restrict the token types that can be verified when not using the user info endpoint

Closes #47

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>

Conflicts:
	core/src/main/java/org/keycloak/util/TokenUtil.java
	testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/ClientTokenExchangeTest.java

* Secondary factor bypass in step-up authentication
closes #34

Signed-off-by: mposolda <mposolda@gmail.com>

---------

Signed-off-by: mposolda <mposolda@gmail.com>
Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-03-23 15:16:28 +01:00
Ricardo Martin c6c0ee1d3b Better management of domains in TrustedHostClientRegistrationPolicy (#141)
Closes keycloak/keycloak-private#63

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-03-23 15:15:08 +01:00
Giuseppe Graziano ab3b30f624 Avoid the same userSessionId after re-authentication (#138)
Closes #69

Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
2024-03-23 15:14:10 +01:00
Ricardo Martin abd03e3e25 Validate Saml URLs inside DefaultClientValidationProvider (#142)
Closes keycloak/keycloak-private#62

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-03-23 15:12:01 +01:00
Ricardo Martin e310604cf6 Perform exact string match if redirect URI contains userinfo, encoded slashes or parent access (#114)
Closes keycloak/keycloak-private#113
Closes keycloak/keycloak-private#134

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-03-23 15:09:43 +01:00
Jon Koops e3598a5367 Limit requests sent through session status iframe (#118)
Closes #116

Signed-off-by: Jon Koops <jonkoops@gmail.com>
2024-03-23 08:23:02 +01:00
Pedro Igor df55b8f104 Do not grant scopes not granted for resources owned by the resource server itself
Closes #25057

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-03-21 09:37:09 +01:00
Ricardo Martin ab940a0807 Fix issue with access tokens claims not being imported using OIDC IDP Attribute Mappers (#21627)
Closes #9004

Co-authored-by: Armel Soro <armel@rm3l.org>
Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-01-23 15:58:36 +01:00
rmartinc 110f64a814 Sanitize logs in JBossLoggingEventListenerProvider
Closes #25078

Signed-off-by: rmartinc <rmartinc@redhat.com>
(cherry picked from commit 179ca3fa3a)
2024-01-12 20:09:44 +01:00
Ricardo Martin 4525849e72 Escape action in the form_post.jwt and only decode path in RedirectUtils (#94)
Closes #90

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-01-04 13:46:34 +01:00
Alexander Schwartz efd53f1d5d Adding a test case to check that the expiration time is set on logout tokens
Closes #25753

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
(cherry picked from commit 9e890264df)
2023-12-26 14:41:41 +01:00
Niko Köbler 0c660af047 add the exp claim to the backchannel logout token
This is now, as of Dec 15th 2023, part of the OIDC Backchannel Logout spec, chapter 2.4.

As of chapter 4, the logout token should have a short expiration time, preferably at most two minutes in the future. So we set the expiration to this time.

resolves #25753

Signed-off-by: Niko Köbler <niko@n-k.de>
(cherry picked from commit 5e623f42d4)
2023-12-26 14:41:41 +01:00
rmartinc 98ceed7242 Do not allow removing a credential in account endpoint if provider marks it as not removable
Closes #25220

Signed-off-by: rmartinc <rmartinc@redhat.com>
(cherry picked from commit d004e9295f)
2023-12-15 13:34:01 +01:00
Ricardo Martin 67f905ecc5 Escape action in the form_post response mode (#30)
Closes https://issues.redhat.com/browse/RHBK-652

Signed-off-by: rmartinc <rmartinc@redhat.com>
2023-12-06 16:14:44 +01:00
Ricardo Martin 15a21bf8e4 CVE-2023-6291 keycloak: redirect_uri validation logic that allows for a bypass of otherwise explicitly allowed hosts (#57)
* Remove lowercase for the hostname as recommended/advised by OAuth spec
Closes https://github.com/keycloak/keycloak/issues/25001

Signed-off-by: rmartinc <rmartinc@redhat.com>

* Strip off user-info from redirect URI when validating using wildcard
Closes https://issues.redhat.com/browse/RHBK-679

Signed-off-by: rmartinc <rmartinc@redhat.com>

---------

Signed-off-by: rmartinc <rmartinc@redhat.com>
2023-12-06 13:51:02 +01:00
Ricardo Martin ae4c7ebea9 Add active RSA key to decryption if deprecated mode (#25205) (#25229)
Closes https://github.com/keycloak/keycloak/issues/24652

Signed-off-by: rmartinc <rmartinc@redhat.com>
2023-12-04 10:57:52 +00:00
Jon Koops 948bc65370 Attempt to request storage access for cookies (#25055) (#25157)
Closes #23872

Signed-off-by: Jon Koops <jonkoops@gmail.com>
2023-12-01 11:04:00 +00:00
Michal Hajas 1d50fcd162 Publish information about Infinispan availability in lb-check if MULTI_SITE is enabled
Closes #25077

Signed-off-by: Michal Hajas <mhajas@redhat.com>
Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Co-authored-by: Pedro Ruivo <pruivo@redhat.com>
Co-authored-by: Alexander Schwartz <aschwart@redhat.com>
(cherry picked from commit 2b2207af93)

 Conflicts:
	common/src/main/java/org/keycloak/common/Profile.java
	common/src/test/java/org/keycloak/common/ProfileTest.java
	quarkus/tests/integration/src/test/java/org/keycloak/it/cli/dist/FeaturesDistTest.java
	quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testBuildHelp.unix.approved.txt
	quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testExportHelp.unix.approved.txt
	quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testExportHelpAll.unix.approved.txt
	quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testImportHelp.unix.approved.txt
	quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testImportHelpAll.unix.approved.txt
	quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartDevHelp.unix.approved.txt
	quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartDevHelpAll.unix.approved.txt
	quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartHelp.unix.approved.txt
	quarkus/tests/integration/src/test/resources/org/keycloak/it/cli/dist/approvals/cli/help/HelpCommandDistTest.testStartHelpAll.unix.approved.txt

Signed-off-by: Michal Hajas <mhajas@redhat.com>
2023-11-30 19:31:19 +01:00
rmartinc d17e3bf1d7 Use LinkedIn instead of LinkedIn OpenID Connect for better UI experience
Closes https://github.com/keycloak/keycloak/issues/24659

Signed-off-by: rmartinc <rmartinc@redhat.com>
(cherry picked from commit 5fad76070a)
2023-11-30 14:15:43 +01:00
Ricardo Martin 789a6a1e5f Escape ldap id when using normal attribute syntax (#25)
Closes https://github.com/keycloak/security/issues/46
2023-11-21 09:37:04 +01:00
Pedro Igor 1603e291ba Make sure optional default attributes are removed when decorating the user-defined user profile configuration
Closes #24420
2023-11-02 09:03:24 +01:00
Pedro Igor 1afcccfbc7 Removing the default cache metadata
Closes #23910
2023-10-16 09:51:30 -03:00
Pedro Igor 90818fc53a Avoid creating the component when there is no component and configuration is not provided
Closes #20970

Co-authored-by: Pedro Igor <psilva@redhat.com>
2023-10-16 09:51:30 -03:00
Jon Koops 2786929cfb Don't use top-level await for storage access checks (#23991)
Backports #23743

Co-authored-by: ici-dev-gb <104197269+ici-dev-gb@users.noreply.github.com>
2023-10-14 18:59:22 +02:00
Jon Koops 1ff31e4b52 Resolve several usability issues around User Profile
Backports #23507, #23584, #23740, #23774, #22982

Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com>
2023-10-13 08:40:59 -03:00
Jon Koops 1fd2bbec25 Always check storage access before placing test cookie (#23558)
Backports #22839
2023-09-27 14:18:22 +00:00
Pedro Igor 1e4f284e31 Allow updating email when email as username is set and edit username disabled
#23438
2023-09-27 10:52:26 +02:00
Ricardo Martin ddf11ced16 Ensure that the EncryptedKey is passed to the DecryptionKeyLocator for SAML (#23468)
Closes https://github.com/keycloak/keycloak/issues/22974
2023-09-26 08:04:41 -04:00
rmartinc ea63fd7f1d verifyRedirectUri should return null when the passed redirectUri is invalid
Closes https://github.com/keycloak/keycloak/issues/22778
2023-09-21 17:17:19 +02:00
Jon Koops 012e8c197f better features overview (#23429)
Backports #17733

Co-authored-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
2023-09-21 12:57:41 +00:00
Erik Jan de Wit 9a7d79a6e7 fixed permissions for locale fetch
Backports #23065
2023-09-21 14:50:07 +02:00
Thomas Darimont a3ec7686f5 Prevent NPE in AuthenticationManager.backchannelLogout (#23313)
Previously, if the user was already removed from the userSession
and the log level was set to DEBUG, then an NPE was triggered by
the debug log statement during backchannelLogout.

Fixes #23306

(cherry picked from commit 04d16ed170)
2023-09-18 09:59:34 +00:00
Pedro Igor ed805067e0 Registration page not showing username when edit username is not enabled
Closes #23185
2023-09-14 14:05:41 +02:00
kaustubh-rh e347d788ce Unable to create user with long email address (#23132)
closes #22825

Co-authored-by: mposolda <mposolda@gmail.com>
2023-09-13 11:31:51 +02:00
Marek Posolda 0fd4161c45 Remove bearer-only occurrences in the documentation when possible. Mak… (#23148)
closes #23066

Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com>
(cherry picked from commit 56b94148a0)
2023-09-13 08:19:16 +02:00
Pedro Igor 55b2eddb0c Ignore attributes when they are not prefixed with user.attributes prefix (#26)
* Ignore attributes when they are not prefixed with user.attributes prefix

Co-authored-by: mposolda <mposolda@gmail.com>
Co-authored-by: stianst <stianst@gmail.com>

* Update docs/documentation/release_notes/topics/22_0_3.adoc

* Update docs/documentation/release_notes/topics/22_0_3.adoc

---------

Co-authored-by: mposolda <mposolda@gmail.com>
Co-authored-by: stianst <stianst@gmail.com>
Co-authored-by: Stian Thorgersen <stian@redhat.com>
2023-09-12 19:09:55 +02:00
Pedro Igor ed339de092 Broker claim mapper not recognizing claims from user info endpoint
Closes #12137
2023-09-11 08:20:32 +02:00