5174 Commits

Author SHA1 Message Date
Ricardo Martin
1f0b5d4cb2
Ensure the logout endpoint removes the authentication session
Closes #43853


(cherry picked from commit 3b3adcf1e4819bf63e08269142459f747c31cb37)

Signed-off-by: rmartinc <rmartinc@redhat.com>
2025-11-01 20:14:32 +01:00
Alexander Schwartz
c64b722400
Don't keep an old session to avoid stale objects and a memory leak
Closes #43761

Signed-off-by: Alexander Schwartz <alexander.schwartz@ibm.com>
2025-10-29 17:36:28 -03:00
Alexander Schwartz
0a5c97d3a9
Resolve session leak in DeclarativeUserProfileProvider
Closes #43785

Signed-off-by: Alexander Schwartz <alexander.schwartz@ibm.com>
2025-10-29 17:35:59 -03:00
Ricardo Martin
50102e50de
Check offline scope is still assigned when performing a refresh
Closes #43734


(cherry picked from commit e0c1f2ee0fd14ba76338d9c2c213d45d0e857450)

Signed-off-by: rmartinc <rmartinc@redhat.com>
2025-10-29 13:53:14 +01:00
Alexander Schwartz
8f8dabab55
Role mapper should check if an update is needed for the role
Closes #43698

Signed-off-by: Alexander Schwartz <alexander.schwartz@ibm.com>
2025-10-28 14:53:06 -03:00
Ricardo Martin
5ad8f1a026
Only add the none verifier when attestation conveyance preference is none
Closes #43723


(cherry picked from commit 1bd9a3f4733f80f30111a5e2bad973b85530dc16)

Signed-off-by: rmartinc <rmartinc@redhat.com>
2025-10-28 15:51:56 +00:00
mposolda
a794fca977
Possible overflow in brute force computation
closes #30939

Signed-off-by: mposolda <mposolda@gmail.com>
(cherry picked from commit a2cc51aed7692ec09c619f2a6f4ecc7055beb9e1)
2025-10-16 16:09:00 +02:00
Giuseppe Graziano
a752492843
Invalidate sessions created with remember me when remember me is disabled for realm
Closes #43328

Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
2025-10-16 15:06:38 +02:00
Marek Posolda
0c3a042029
openid-connect flow is missing response type on language change
closes #41292


(cherry picked from commit 76d271bf00847370a4ef39b2c46b74212a3ce7bd)

Signed-off-by: mposolda <mposolda@gmail.com>
2025-10-10 10:45:51 +02:00
Ricardo Martin
02db622a50
Do not remove sid claim when the session is transient only for the client
Closes #42565


(cherry picked from commit e256513ceb7d423f0532b9fd9c182171c3e23309)

Signed-off-by: rmartinc <rmartinc@redhat.com>
2025-10-01 22:57:40 +02:00
Ricardo Martin
69685b54f2
Expose system-info information in the serverinfo endpoint only for users in the admin realm
Closes #42828


(cherry picked from commit 1d28c0cd35a186551cf4114cbd6cdf75b9e3fe58)

Signed-off-by: rmartinc <rmartinc@redhat.com>
2025-09-29 18:21:50 +02:00
rmartinc
afec535e61
Do not regenerate the secret key when the size is not explicitly passed
Closes #42405

Signed-off-by: rmartinc <rmartinc@redhat.com>
(cherry picked from commit 605b51905ca9d991e1656ab875fec22840289761)
2025-09-23 17:30:01 +02:00
Pedro Igor
19da322d88
URL encode forwarded parameters
Closes #41755

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2025-09-22 14:58:33 +02:00
mposolda
4d1330593d
Unbounded login_hint parameter Can Corrupt KC_RESTART Cookie
closes #40857

Signed-off-by: mposolda <mposolda@gmail.com>
(cherry picked from commit 5a05d2123ee14f36b64b6aac08041ef7623734cf)
(cherry picked from commit 8c04f6d65585003eb63b256a2b3628a042507529)
2025-09-09 17:09:12 +02:00
Ricardo Martin
a61f1d90be
Use back keycloak-js instead of initiate login in the backend for account (#42035)
Closes #40463

Signed-off-by: rmartinc <rmartinc@redhat.com>
(cherry picked from commit 360ff7050c290939d529e68b461ba61c7c11404a)
2025-09-09 08:51:04 +02:00
Giuseppe Graziano
f5ff8099c9
Fix client scope validation test and add null check (c1)
Closes #40187

Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
(cherry picked from commit ad511cbc538f1d9727d17cc423420abc50367af4)

# Conflicts:
#	testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/policies/AbstractClientPoliciesTest.java
2025-08-27 12:34:08 +02:00
Giuseppe Graziano
1b3541ed15
Validate client policy condition configuration
Closes #40187

Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
(cherry picked from commit b9033ad9c38bacd16e205866c8891b6df6a210d7)
2025-08-27 12:34:08 +02:00
Giuseppe Graziano
0074fab5c6
Validate client scopes registration policy configuration
Closes #40187

Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
(cherry picked from commit aaf905aa842b4f56b6dcdb4885c009a64f4af283)
2025-08-27 12:34:08 +02:00
Steven Hawkins
41ca008476
fix: using volatile for double checked locking
closes: #40630

Signed-off-by: Steve Hawkins <shawkins@redhat.com>
2025-08-22 15:59:59 +00:00
Ricardo Martin
9f653d7e64
Allow and control sending UTF-8 emails in the default email sender impl
Closes #41023

Signed-off-by: rmartinc <rmartinc@redhat.com>
Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Co-authored-by: Alexander Schwartz <aschwart@redhat.com>
(cherry picked from commit 949ef35a3bda916b24763c435033258a84ba8596)
2025-08-19 09:46:39 +02:00
Ricardo Martin
3f669f8ea3
Use Optional instead of getOrDefault for settings in testSMTPConnection
Closes #41643


(cherry picked from commit a58556d761cdee0647bb7293665d99d1770152fb)

Signed-off-by: rmartinc <rmartinc@redhat.com>
2025-08-08 17:05:25 +02:00
mposolda
b4cc4b005a
Getting error 405 'Method Not Allowed' when calling the 'certs' endpoint with HEAD method
closes #41537

Signed-off-by: mposolda <mposolda@gmail.com>
(cherry picked from commit 2dab73063dd5cc1fdcd5080f8a9f01222ea32d81)
2025-08-01 10:45:00 +02:00
vramik
e5a2d3789d
Allow mapping Admin roles by server administrator only
Closes #39956


# Conflicts:
#	services/src/main/java/org/keycloak/services/resources/admin/fgap/RolePermissionsV2.java
#	tests/base/src/test/java/org/keycloak/tests/admin/authz/fgap/RoleResourceTypeEvaluationTest.java

Signed-off-by: vramik <vramik@redhat.com>
2025-07-14 21:32:43 +02:00
mposolda
e36fff1287
Add option 'Requires short state parameter' to OIDC IDP
closes #40237

Signed-off-by: mposolda <mposolda@gmail.com>
(cherry picked from commit 274afa88fae0967ab281be93d41ec0ad1e8586cc)
2025-07-14 08:43:29 +02:00
vramik
3121b9d334
Fix NPE when accessing group concurrently
Closes #40368

# Conflicts:
#	tests/base/src/test/java/org/keycloak/tests/admin/group/GroupTest.java

Signed-off-by: vramik <vramik@redhat.com>
2025-07-09 08:06:21 -03:00
rmartinc
31ef40dd80
Use POST binding for logout when REDIRECT url is not set and forced POST
Closes #40637

Signed-off-by: rmartinc <rmartinc@redhat.com>
(cherry picked from commit 2db98b6a98c78a871921a82224f260b6fa383892)
2025-07-01 14:54:57 +02:00
rmartinc
5bb39db986
Disable email verification when email manually changed by idp review
Closes #40446

Signed-off-by: rmartinc <rmartinc@redhat.com>
(cherry picked from commit 86f0a7864f2bdd991d5e24e6844ddabfce0aa6de)
2025-06-26 16:15:15 +02:00
Ricardo Martin
9f02d2c18c
Use offline time calculations when transient created from offline
Closes #40611


(cherry picked from commit 1350da4332718dcfbe0cadb5949ea7023b179a51)

Signed-off-by: rmartinc <rmartinc@redhat.com>
2025-06-20 08:12:03 +00:00
Steven Hawkins
950ce6ddff
fix: prevent multiple init when dependsOn is used
closes: #40408

(cherry picked from commit d4392779f6ebd15afda33e8e5555d292b8527fdb)

Signed-off-by: Steve Hawkins <shawkins@redhat.com>
2025-06-18 07:00:27 +00:00
Ryan Morris
99fa500c75
case insensitive match on organization identity provider domain
Closes #40253

Signed-off-by: ryan-morris <ryan.morris@angeltrax.com>
2025-06-06 15:06:27 +00:00
Alexander Schwartz
c16ffe8cf2
Sequential transactions instead of nested transactions
Closes #40171

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
2025-06-06 10:04:58 -03:00
Niko Köbler
87e2633c0c
make property name unique
fixes: #40128

(cherry picked from commit 3a1ac8c934f965fc636726bee4be84c89b99503e)

Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
Co-authored-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
2025-06-05 22:39:47 +02:00
Stefan Guilhen
09373c11de
Revert changes to exception handling in RealmsAdminResource#importRealm (#39974)
- ModelDuplicateException and ModelIllegalException were wrongfully handled as ModelException, returning a wrong status code

Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>

Closes #39753

(cherry picked from commit 75e6d7214ad064db6451589f035349f473303005)
2025-05-27 08:58:43 +02:00
rmartinc
825c868774
Only reuse SMTP authentication data for testing endpoint when the same auth, host, port and user are passed
Closes #39486

Signed-off-by: rmartinc <rmartinc@redhat.com>
(cherry picked from commit 598154bc5839934569a78d8ee1ec8c1af8fc4142)
2025-05-22 14:01:13 +02:00
Awambeng
60445d2a9f
Fix scope validation for realm-level credential definitions in Authorization Code flow (#39148)
Closes #39130

Signed-off-by: Awambeng Rodrick <awambengrodrick@gmail.com>
(cherry picked from commit ca3859b0f821587dfc4be31daef77c3a3e273e77)
2025-05-21 14:03:58 +02:00
Abhishek Kumar Gupta
1b9d993dff
Persist refresh token for IDP token exchange
Closes #39502

Signed-off-by: abhishek818 <abhishekguptaatweb17@gmail.com>
Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Co-authored-by: Alexander Schwartz <aschwart@redhat.com>
2025-05-16 08:53:30 +02:00
Alexander Schwartz
a7985c175b
Reorder operations to avoid the slow operation to get all client sessions
Closes #39665

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
2025-05-13 16:54:32 +02:00
Ricardo Martin
6d198a98f6
Add option to log details in the JBossLoggingEventListenerProvider (#39361)
Closes #38985

Signed-off-by: rmartinc <rmartinc@redhat.com>
(cherry picked from commit 688a80d5ef4895315abfe2edb70d7b505c2ff492)
2025-05-05 12:23:56 +02:00
Marek Posolda
c830a27928
UserInfo request fails by using an access token obtained in Hybrid flow with offline_access scope
closes #39037


(cherry picked from commit 54e1c8af1e089ad33d32e0f2792610e4b8df421b)

Signed-off-by: mposolda <mposolda@gmail.com>
2025-04-30 10:30:47 +02:00
Ricardo Martin
4eaff6cbed
Do the re-hash of password in a separate transaction to continue login in case of model exception
Closes #38970


(cherry picked from commit 6e66a7e2554252f686bc30b73f17ab75c4b05eaf)

Signed-off-by: rmartinc <rmartinc@redhat.com>
2025-04-30 10:28:23 +02:00
Ricardo Martin
6efa899adb
Make DateUtil convert the local dates into epoch in milliseconds
Closes #38911


(cherry picked from commit 08704df6516078cb31246861bb5858ef51838690)

Signed-off-by: rmartinc <rmartinc@redhat.com>
2025-04-30 10:27:56 +02:00
Pedro Igor
89b66cd3a7
Remove authentication session when deleting the account
Closes #38671

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2025-04-30 10:27:23 +02:00
Giuseppe Graziano
c9b5ac4d6c
Fix multiple loading of config properties for GrantTypeCondition
Closes #39219


(cherry picked from commit a4ea26f9cdbd954fb45672fc9a52c4b4ffd6091f)

Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
2025-04-30 10:27:05 +02:00
Giuseppe Graziano
a83794e817
Fix GrantTypeCondition config key mismatch
This ensures that the grant types are correctly read during evaluation,
allowing the condition to trigger as intended when client policies are enforced.

Closes #39296


(cherry picked from commit d7966c0e2afcd556c8a884374350d7c687ecd2d1)

Signed-off-by: Sven-Torben Janus <sven-torben.janus@conciso.de>
Co-authored-by: Sven-Torben Janus <sven-torben.janus@conciso.de>
2025-04-30 10:26:20 +02:00
Steven Hawkins
928a756a7a
fix: relaxes the admin root redirect check (#39095) (#39337)
closes: #39085

also changing the adminroot test to seem like it's coming from a proxy

---------

(cherry picked from commit 08b5183784b7bbedaeee7e965a5fac17c2407ffa)

Signed-off-by: Steven Hawkins <shawkins@redhat.com>
2025-04-30 09:13:14 +02:00
Steve Hawkins
99ca24c832
fix: remove ANY mode modification of truststores
also note that ANY should not be used in production

closes: CVE-2025-3501

Signed-off-by: Steve Hawkins <shawkins@redhat.com>

Add a test for the error (#1)

Signed-off-by: Ricardo Martin <rmartinc@redhat.com>

Update docs/guides/server/keycloak-truststore.adoc

Co-authored-by: Marek Posolda <mposolda@gmail.com>
Signed-off-by: Steven Hawkins <shawkins@redhat.com>
2025-04-24 12:09:03 +02:00
mposolda
a78c951a5a
Make sure Cancel AIA does not remove required action from user
Signed-off-by: mposolda <mposolda@gmail.com>
2025-04-24 11:45:04 +02:00
vramik
7437677863
Fix JpaUserProvider.getUsersCount(RealmModel, boolean)
Closes #38692

(cherry picked from commit bd58b7044749628eb570a07f90921da0e71a3b30)

Signed-off-by: vramik <vramik@redhat.com>
2025-04-16 16:26:09 -03:00
sophie [⛧-440729]
d1ff1b186e
add option to the nginx x509 client cert lookup provider to not url-decode the passed client cert
Closes #17171

Signed-off-by: ⛧-440729 [sophie] <sophie@999eagle.moe>
2025-04-11 10:38:38 +02:00
Thomas Darimont
478e0b3264
Make sure that there is a single audience allowed by default in JWT tokens sent to client authentication
closes #38819

Signed-off-by: mposolda <mposolda@gmail.com>

Co-authored-by: Thomas Darimont <thomas.darimont@googlemail.com>
Co-authored-by: mposolda <mposolda@gmail.com>
2025-04-10 18:08:10 +02:00