Ensures that the client_id and client_secret are URL-encoded before being Base64-encoded for the Basic Auth header, following RFC 6749. This fixes authentication failures when the client_id contains special characters.
Closes#26374Closes#43022
Signed-off-by: rpjicond <ronaldopaulino32@hotmail.com>
Signed-off-by: Alexander Schwartz <alexander.schwartz@ibm.com>
Co-authored-by: rpjicond <ronaldopaulino32@hotmail.com>
Co-authored-by: Alexander Schwartz <alexander.schwartz@ibm.com>
Co-authored-by: cgeorgilakis-grnet <cgeorgilakis@admin.grnet.gr>
Fixes#43349
Signed-off-by: Pedro Ruivo <1492066+pruivo@users.noreply.github.com>
Signed-off-by: Alexander Schwartz <alexander.schwartz@ibm.com>
Co-authored-by: Pedro Ruivo <1492066+pruivo@users.noreply.github.com>
Co-authored-by: Alexander Schwartz <alexander.schwartz@ibm.com>
* Ensure conformance for Signed JWT Validation (#43269)
This re-adds the explicit client assertion parameter validation to produce the correct error responses required by RFC7523.
See: https://www.rfc-editor.org/rfc/rfc7523.html#section-3.2
The refactoring for the support for Federated JWT Client authentication broke the OIDF conformance tests for https://www.rfc-editor.org/rfc/rfc7523.html.
Fixes#43269Fixes#43270
Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
(cherry picked from commit e0ef5ea0c79914b16e6d9f8498da99382432d84a)
* Ensure conformance for Signed JWT Validation + tests (#43269)
Add additional tests for ClientAuthSignedJWTTest.
Fixes#43269
Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
(cherry picked from commit 8dd28533583e7c638bd1b9bbb34042b76b9e91e1)
---------
Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
* Hide read-only email attribute in update profile context with update email enabled
Closes#42990
Signed-off-by: Martin Kanis <mkanis@redhat.com>
* Simplifying conditions when checking read/write on email attribute and more tests
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
---------
Signed-off-by: Martin Kanis <mkanis@redhat.com>
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com>
(cherry picked from commit a493213ad4f9824eca6f204776962b6c6417e6f5)
Add additional null guard before the check for supported assertation types.
Fixes#43042
Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
(cherry picked from commit 8780bc22b47671c9d5a24ea6419ca937bc5f8ff9)
The parameter -Djdk.tls.rejectClientInitiatedRenegotiation=true disables Secure Client-Initiated Renegotiation in Keycloak to resolve a potential DoS vulnerability. Note this is applicable only to TLS 1.2.
Closes#43020
Signed-off-by: Erasure5959 <154384607+Erasure5959@users.noreply.github.com>
Signed-off-by: Alexander Schwartz <alexander.schwartz@ibm.com>
Co-authored-by: Erasure5959 <154384607+Erasure5959@users.noreply.github.com>
Closes#43148
Signed-off-by: Pedro Ruivo <1492066+pruivo@users.noreply.github.com>
Co-authored-by: Pedro Ruivo <1492066+pruivo@users.noreply.github.com>
- every execution gets its own id that can be used to track all activities related to that particular workflow execution
Closes#42952
Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
* docs: Use BASH TCP redirect for HEALTHCHECK
Add a BASH script to perform an in-container healtcheck.
For the curious, here's how this works:
1. For the code within braces, a TCP connection is made to the keycloak's management port and a successful connection is redirected in the read-write fashion to the descriptor 0 (stdin).
- When bash fails to connect (TCP RST), it ends up with an error right away.
- When the connection is hanging (no reply till TCP retry timeout, usually about 1 minute), it just hangs, virtually being a subject to the HEALTHCHECK's timeout (which should be definitely smaller than the usual TCP retry timeout).
2. Then a simple hand-crafted HTTP HEAD request is sent to the socket using printf. This is supposed to always succeed, unless the send buffer of the socket is set ridiculously small on the target OS. In the other case it will just hang again, not being able to push all the bytes through, until that eventually happens or times out.
3. Next, the eventual response is being checked with grep to be the successful one. Only at this time it's return code (and the final) is 0.
- When no response comes, it's hanging forever and is subject to timeout.
- When a 503 response comes, grep doesn't match anything and returns 1.
Closes: #38126
Signed-off-by: Vit Zikmund <vit.zikmund@themama.ai>
* expanding bash healthcheck for scenarios that enable http health checks
Signed-off-by: Steve Hawkins <shawkins@redhat.com>
* Update docs/guides/observability/health.adoc
Co-authored-by: Alexander Schwartz <alexander.schwartz@gmx.net>
Signed-off-by: Steven Hawkins <shawkins@redhat.com>
* Update docs/guides/observability/health.adoc
Co-authored-by: Alexander Schwartz <alexander.schwartz@gmx.net>
Signed-off-by: Steven Hawkins <shawkins@redhat.com>
* Update docs/guides/observability/health.adoc
Signed-off-by: Steven Hawkins <shawkins@redhat.com>
---------
Signed-off-by: Vit Zikmund <vit.zikmund@themama.ai>
Signed-off-by: Steve Hawkins <shawkins@redhat.com>
Signed-off-by: Steven Hawkins <shawkins@redhat.com>
Co-authored-by: Steve Hawkins <shawkins@redhat.com>
Co-authored-by: Alexander Schwartz <alexander.schwartz@gmx.net>
