Bagautdino
d225bce21f
feat(FGAPv2): introduce RESET_PASSWORD scope and evaluation
...
- Add RESET_PASSWORD to AdminPermissionsSchema.USERS
- Require RESET_PASSWORD in UserResource.resetPassword()
- Expose canResetPassword()/requireResetPassword()
- Implement FGAP v2 deny-overrides + secure-by-default + optional fallback
- Include access.resetPassword for Admin Console
Closes #41901
Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com>
Signed-off-by: Bagautdino <336373@edu.itmo.ru>
2025-09-03 15:10:56 -03:00
forkimenjeckayang
a74076e8ab
Enforce batch_size ≥ 2 validation for batch_credential_issuance (#42003)
...
Closes #41590
Signed-off-by: forkimenjeckayang <forkimenjeckayang@gmail.com>
2025-09-03 17:15:55 +02:00
Pedro Igor
76e02388ff
Moving resetOnevent to base class
...
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2025-09-02 17:45:59 -03:00
Pedro Igor
a4f115b4cc
Moving deactivation events to base class
...
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2025-09-02 17:45:59 -03:00
Pedro Igor
cee9b6803b
Refactoring built-in policies to use conditions
...
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2025-09-02 17:45:59 -03:00
Pedro Igor
03cbc11e7e
Initial refactoring to make federated identities a condition
...
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2025-09-02 17:45:59 -03:00
Pedro Igor
17a053b2af
Add support for generic event-based policies and conditions
...
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2025-09-02 17:45:59 -03:00
stianst
57242d2497
Experimental federated client authentication
...
Closes #42228
Signed-off-by: stianst <stianst@gmail.com>
2025-09-02 10:02:51 -03:00
Stefan Guilhen
d855e0f06c
Add support for recurring policies
...
Closes #42120
Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2025-09-01 12:28:46 -03:00
Stefan Guilhen
af96183788
Allow resource policies to be deactivated for a resource based on events
...
- Listen for federated identity add/remove events to activate and deactivate policies based on IDP association
Closes #42107
Closes #42108
Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2025-09-01 11:02:00 -03:00
Stefan Guilhen
05fa5cb552
Add enabled config option to resource policies
...
Closes #42104
Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2025-09-01 10:28:01 -03:00
Pedro Igor
a64c5c0d70
Adding RLM Admin API and basic endpoints
...
Closes #40346
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2025-08-28 14:49:21 -03:00
Stefan Guilhen
8eb6ee619f
Rework getEligibleResourcesForInitialAction so it returns all resources that are eligible to be associated with a policy
...
Closes #42106
Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2025-08-26 11:52:46 -03:00
Thomas Darimont
8f326750e8
More flexible handling of params, headers and entities for SimpleHTTP (#42016)
...
Fixes #42016
Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
2025-08-22 09:44:45 -03:00
Ricardo Martin
46e990b7a7
Check for non-ascii local part on emails depending on SMTP configuration
...
Closes #41994
Signed-off-by: rmartinc <rmartinc@redhat.com>
2025-08-21 08:16:47 +00:00
Stefan Guilhen
70659ac183
Rework RLM core to schedule action based on events @sguilhen (#42010)
...
* Rework RLM core to schedule action based on events
Closes #41803
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com>
2025-08-20 17:59:52 +00:00
Marek Posolda
dd7ad5b866
Ability to display 'authenticator provider' of the WebAuthn credential (#41615)
...
closes #41613
Signed-off-by: mposolda <mposolda@gmail.com>
Co-authored-by: Jon Koops <jonkoops@gmail.com>
Signed-off-by: Marek Posolda <mposolda@gmail.com>
2025-08-20 11:42:24 +02:00
rmartinc
0ff7d551dd
Check null for new keySize and validity parameters when generating certificates
...
Closes #41906
Signed-off-by: rmartinc <rmartinc@redhat.com>
2025-08-19 21:53:24 +02:00
Steven Hawkins
2ce3474ed5
fix: addressing possible npes (#41944)
...
close: #40659
Signed-off-by: Steve Hawkins <shawkins@redhat.com>
2025-08-18 23:51:17 +02:00
Ricardo Martin
949ef35a3b
Allow and control sending UTF-8 emails in the default email sender impl
...
Closes #41023
Signed-off-by: rmartinc <rmartinc@redhat.com>
Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Co-authored-by: Alexander Schwartz <aschwart@redhat.com>
2025-08-15 10:43:38 +00:00
Akbar Husain
06f80416fb
Replace keySet with entrySet
...
Closes #40064
Signed-off-by: akbarhusainpatel <apatel@intermiles.com>
Co-authored-by: akbarhusainpatel <apatel@intermiles.com>
2025-08-14 17:31:15 +02:00
Peter Skopek
651d651c30
Add missing artifact descriptions to allow Maven Central Portal Publisher to pass the validation process. (#40822)
...
Signed-off-by: Peter Skopek <pskopek@redhat.com>
2025-08-12 16:50:17 +02:00
rmartinc
acf39b34c3
Make passkeys feature supported
...
Closes #41556
Signed-off-by: rmartinc <rmartinc@redhat.com>
2025-08-12 11:18:57 +02:00
vramik
a8225655cf
Initial commit for the RLM feature
...
Closes #40340
Closes #40341
Co-authored-by: Stefan Guilhen <sguilhen@redhat.com>
Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com>
Signed-off-by: vramik <vramik@redhat.com>
2025-08-11 17:34:41 -03:00
Pedro Igor
a8997c364f
Fixing updating attribute value
...
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2025-08-06 13:59:54 -03:00
huyenvu2101
5436f9781c
Allow setting default value for userprofile attribute
...
Closes #36160
Signed-off-by: huyenvu2101 <vhuyen2101@gmail.com>
2025-08-06 13:59:54 -03:00
Steven Hawkins
11924e6473
enhance: adding the ability to get the root config from a Scope
...
closes: #36268
Signed-off-by: Steve Hawkins <shawkins@redhat.com>
2025-08-05 18:51:33 +02:00
forkimenjeckayang
43610cfa67
[OID4VCI] Update SD-JWT VCs Format Identifier to dc+sd-jwt (#41233)
...
Closes #39293
Signed-off-by: forkimenjeckayang <forkimenjeckayang@gmail.com>
2025-08-01 09:13:35 +02:00
Keshav Deshpande
bee7e4b335
Change error to 400 for unknown user (#40939)
...
Closes #39079
Signed-off-by: Keshav Deshpande <keshavprashantdeshpande@gmail.com>
2025-07-31 10:23:14 +02:00
rmartinc
1f608fae6e
Create a new condition for credential type and add it to default flows
...
Closes #41354
Signed-off-by: rmartinc <rmartinc@redhat.com>
2025-07-31 10:14:15 +02:00
Thomas Darimont
97dfbd2c84
Add details about client assertion to event
...
Fixes #41405
Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
2025-07-30 18:50:27 +00:00
Björn Eickvonder
d62d5030fe
Adds log context information for MDC for realm, users, etc.
...
Closes #39812
Signed-off-by: Björn Eickvonder <b.eicki@gmx.net>
Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Signed-off-by: Bjoern Eickvonder <bjoern.eickvonder@inform-software.com>
Co-authored-by: Pedro Ruivo <pruivo@users.noreply.github.com>
Co-authored-by: Alexander Schwartz <aschwart@redhat.com>
2025-07-16 17:46:46 +02:00
Pedro Igor
d5206b61f6
Update email feature only enabled if the required action is enabled at the realm
...
Closes #41045
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2025-07-14 16:31:15 -03:00
Pascal Knüppel
f39a37d8d1
[OID4VCI] Move realm attributes to clientScope and protocol-mappers (#39768)
...
fixes #39527
Signed-off-by: Pascal Knüppel <pascal.knueppel@governikus.de>
Signed-off-by: Captain-P-Goldfish <captain.p.goldfish@gmx.de>
2025-07-10 14:46:36 +02:00
Martin Kanis
5a42390341
Make UPDATE_EMAIL a supported feature
...
Closes #40227
Signed-off-by: Martin Kanis <mkanis@redhat.com>
2025-07-09 10:15:48 -03:00
rmartinc
900d8c7400
Changing default passwordless webauthn policy to follow recommended values in the documentation
...
Closes #40792
Signed-off-by: rmartinc <rmartinc@redhat.com>
2025-07-09 11:34:28 +02:00
rmartinc
d62114e50e
Do not add steps if feature disabled in default flows
...
Allow login if a step is disabled even if the authenticator is not enabled by profile
Closes #40954
Signed-off-by: rmartinc <rmartinc@redhat.com>
2025-07-09 10:44:36 +02:00
Steven Hawkins
d74e71e5ed
fix: streamlining the client scope update (#40808)
...
closes: #40805
Signed-off-by: Steve Hawkins <shawkins@redhat.com>
2025-07-07 17:57:39 +02:00
Steven Hawkins
2b44c5676f
fix: adding logic to isolate realm migration processing (#39377)
...
* fix: adding logic to isolate realm migration processing
also adding an info log for each realm migrated
closes: #33978 #38649
Signed-off-by: Steve Hawkins <shawkins@redhat.com>
* switching to an export strategy tolerant to read committed
also preventing creating cached users during export
Signed-off-by: Steve Hawkins <shawkins@redhat.com>
* updating the docs to still recommend shutting the server down for export
Signed-off-by: Steve Hawkins <shawkins@redhat.com>
* accounting for null managed users
Signed-off-by: Steve Hawkins <shawkins@redhat.com>
* refinements based upon review comments
Signed-off-by: Steve Hawkins <shawkins@redhat.com>
* Scaling back the docs
Signed-off-by: Alexander Schwartz <alexander.schwartz@gmx.net>
* Remove rogue release note
Signed-off-by: Václav Muzikář <vmuzikar@redhat.com>
---------
Signed-off-by: Steve Hawkins <shawkins@redhat.com>
Signed-off-by: Alexander Schwartz <alexander.schwartz@gmx.net>
Signed-off-by: Václav Muzikář <vmuzikar@redhat.com>
Co-authored-by: Alexander Schwartz <alexander.schwartz@gmx.net>
Co-authored-by: Václav Muzikář <vmuzikar@redhat.com>
2025-06-30 08:31:57 -04:00
Pedro Igor
304bcdce88
Do not show update email link if the email attribute is not writable
...
Closes #39669
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2025-06-28 10:19:41 +02:00
rmartinc
cc7b63cfc6
Integrate passkeys with separate username and password forms
...
Closes #40021
Signed-off-by: rmartinc <rmartinc@redhat.com>
2025-06-25 09:43:48 +02:00
rmartinc
86f0a7864f
Disable email verification when email manually changed by idp review
...
Closes #40446
Signed-off-by: rmartinc <rmartinc@redhat.com>
2025-06-25 08:56:03 +02:00
Douglas Palmer
1183157d86
Key generation for client authentication is always RSA 2048 with a 10-year validity, regardless of the selected algorithm
...
Closes #38620
Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
2025-06-25 08:15:43 +02:00
Steven Hawkins
c01736a9cd
fix: correcting additional legacy scope usage (#40644)
...
closes: #39063
Signed-off-by: Steve Hawkins <shawkins@redhat.com>
2025-06-24 14:58:27 +02:00
Pedro Igor
828f9f7916
Mark user as disabled if reaching max login failures and permanent lockout is enabled
...
Closes #40159
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2025-06-18 08:34:56 +02:00
Giuseppe Graziano
b9033ad9c3
Validate client policy condition configuration
...
Closes #40187
Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
2025-06-11 11:01:08 -03:00
Giuseppe Graziano
1d9ecb2d7a
Added WebAuthn and recovery codes as disabled in the First Broker Login Flow (#40319)
...
Closes #40000
Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
2025-06-09 12:40:53 +02:00
rmartinc
2ec1496c5b
Rename "Browser - Conditional OTP" to "Browser - Conditional 2FA" in default browser flow
...
Closes #40281
Signed-off-by: rmartinc <rmartinc@redhat.com>
2025-06-09 08:41:23 +02:00
rmartinc
c3bbf45a7b
Add webauthn and recovery codes to the default browser flow as disabled
...
Closes #39999
Signed-off-by: rmartinc <rmartinc@redhat.com>
2025-06-05 16:09:32 +02:00
Ricardo Martin
41110823c7
Integrate current auth-username-password-form authenticator with passkeys isConditionalMediationAvailable (#38781)
...
Closes #29596
Signed-off-by: rmartinc <rmartinc@redhat.com>
2025-06-05 08:53:00 +02:00