5143 Commits

Author SHA1 Message Date
github-actions[bot]
73e5f4bead Set version to 26.2.5 2025-05-28 06:36:32 +00:00
Stefan Guilhen
09373c11de
Revert changes to exception handling in RealmsAdminResource#importRealm (#39974)
- ModelDuplicateException and ModelIllegalException were wrongfully handled as ModelException, returning wrong status code

Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>

Closes #39753

(cherry picked from commit 75e6d7214ad064db6451589f035349f473303005)
2025-05-27 08:58:43 +02:00
rmartinc
825c868774 Only reuse SMTP authentication data for testing endpoint when the same auth, host, port and user are passed
Closes #39486

Signed-off-by: rmartinc <rmartinc@redhat.com>
(cherry picked from commit 598154bc5839934569a78d8ee1ec8c1af8fc4142)
2025-05-22 14:01:13 +02:00
Awambeng
60445d2a9f Fix scope validation for realm-level credential definitions in Authorization Code flow (#39148)
Closes #39130

Signed-off-by: Awambeng Rodrick <awambengrodrick@gmail.com>
(cherry picked from commit ca3859b0f821587dfc4be31daef77c3a3e273e77)
2025-05-21 14:03:58 +02:00
Abhishek Kumar Gupta
1b9d993dff Persist refresh token for IDP token exchange
Closes #39502

Signed-off-by: abhishek818 <abhishekguptaatweb17@gmail.com>
Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Co-authored-by: Alexander Schwartz <aschwart@redhat.com>
2025-05-16 08:53:30 +02:00
Alexander Schwartz
a7985c175b
Reorder operations to avoid the slow operation to get all client sessions
Closes #39665

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
2025-05-13 16:54:32 +02:00
Ricardo Martin
6d198a98f6 Add option to log details in the JBossLoggingEventListenerProvider (#39361)
Closes #38985

Signed-off-by: rmartinc <rmartinc@redhat.com>
(cherry picked from commit 688a80d5ef4895315abfe2edb70d7b505c2ff492)
2025-05-05 12:23:56 +02:00
Marek Posolda
c830a27928
UserInfo request fails by using an access token obtained in Hybrid flow with offline_access scope
closes #39037

(cherry picked from commit 54e1c8af1e089ad33d32e0f2792610e4b8df421b)

Signed-off-by: mposolda <mposolda@gmail.com>
2025-04-30 10:30:47 +02:00
Ricardo Martin
4eaff6cbed
Do the re-hash of password in a separate transaction to continue login in case of model exception
Closes #38970

(cherry picked from commit 6e66a7e2554252f686bc30b73f17ab75c4b05eaf)

Signed-off-by: rmartinc <rmartinc@redhat.com>
2025-04-30 10:28:23 +02:00
Ricardo Martin
6efa899adb
Make DateUtil convert the local dates into epoch in milliseconds
Closes #38911

(cherry picked from commit 08704df6516078cb31246861bb5858ef51838690)

Signed-off-by: rmartinc <rmartinc@redhat.com>
2025-04-30 10:27:56 +02:00
Pedro Igor
89b66cd3a7
Remove authentication session when deleting the account
Closes #38671

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2025-04-30 10:27:23 +02:00
Giuseppe Graziano
c9b5ac4d6c
Fix multiple loading of config properties for GrantTypeCondition
Closes #39219

(cherry picked from commit a4ea26f9cdbd954fb45672fc9a52c4b4ffd6091f)

Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
2025-04-30 10:27:05 +02:00
Giuseppe Graziano
a83794e817
Fix GrantTypeCondition config key mismatch
This ensures that the grant types are correctly read during evaluation,
allowing the condition to trigger as intended when client policies are enforced.

Closes #39296

(cherry picked from commit d7966c0e2afcd556c8a884374350d7c687ecd2d1)

Signed-off-by: Sven-Torben Janus <sven-torben.janus@conciso.de>
Co-authored-by: Sven-Torben Janus <sven-torben.janus@conciso.de>
2025-04-30 10:26:20 +02:00
Steven Hawkins
928a756a7a
fix: relaxes the admin root redirect check (#39095) (#39337)
closes: #39085

also changing the adminroot test to seem like it's coming from a proxy

---------

(cherry picked from commit 08b5183784b7bbedaeee7e965a5fac17c2407ffa)

Signed-off-by: Steven Hawkins <shawkins@redhat.com>
2025-04-30 09:13:14 +02:00
Steve Hawkins
99ca24c832 fix: remove ANY mode modification of truststores
also note that ANY should not be used in production

closes: CVE-2025-3501

Signed-off-by: Steve Hawkins <shawkins@redhat.com>

Add a test for the error (#1)

Signed-off-by: Ricardo Martin <rmartinc@redhat.com>

Update docs/guides/server/keycloak-truststore.adoc

Co-authored-by: Marek Posolda <mposolda@gmail.com>
Signed-off-by: Steven Hawkins <shawkins@redhat.com>
2025-04-24 12:09:03 +02:00
mposolda
a78c951a5a Make sure Cancel AIA does not remove required action from user
Signed-off-by: mposolda <mposolda@gmail.com>
2025-04-24 11:45:04 +02:00
vramik
7437677863 Fix JpaUserProvider.getUsersCount(RealmModel, boolean)
Closes #38692

(cherry picked from commit bd58b7044749628eb570a07f90921da0e71a3b30)

Signed-off-by: vramik <vramik@redhat.com>
2025-04-16 16:26:09 -03:00
sophie [⛧-440729]
d1ff1b186e
add option to the nginx x509 client cert lookup provider to not url-decode the passed client cert
Closes #17171

Signed-off-by: ⛧-440729 [sophie] <sophie@999eagle.moe>
2025-04-11 10:38:38 +02:00
Thomas Darimont
478e0b3264 Make sure that there is single audience allowed by default in JWT tokens sent to client authentication
closes #38819

Signed-off-by: mposolda <mposolda@gmail.com>

Co-authored-by: Thomas Darimont <thomas.darimont@googlemail.com>
Co-authored-by: mposolda <mposolda@gmail.com>
2025-04-10 18:08:10 +02:00
Pedro Igor
ae88d7921f
Improvements to partial evaluation
Closes #38732

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2025-04-09 18:15:28 +02:00
WMartel
182758f046
Improve Organization endpoints with String body
- Added trim() call to get rid of surrounding white space characters
  for organization POST endpoints that expect a String body instead of
  an actual object

Closes #38760

Signed-off-by: WMartel <10606973+WMartel@users.noreply.github.com>
2025-04-09 11:59:24 +00:00
vramik
9c02bb29d3 Fix AvailableRoleMappingResource
Closes #35580

Signed-off-by: vramik <vramik@redhat.com>
2025-04-09 08:41:15 -03:00
Martin Bartoš
83001e4024
OTelHttpClientFactory not configured properly when tracing enabled
Closes #38740

Signed-off-by: Martin Bartoš <mabartos@redhat.com>
2025-04-08 17:04:23 +00:00
rmartinc
ba91a092ab Migrate old recaptcha secret name when used
Closes #38607

Signed-off-by: rmartinc <rmartinc@redhat.com>
2025-04-08 14:22:25 +02:00
Pedro Igor
79b533ee02
Allow managing client authorization settings if manage scope is granted for clients
Closes #38726

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2025-04-08 13:07:48 +02:00
Pedro Igor
be880ae204
Do not cache partial results when FGAP is enabled
Closes #38705

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2025-04-08 08:22:22 +02:00
Pedro Igor
8521b9952a
Export failing if the realm has FGAP enabled
Closes #38695

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2025-04-07 18:47:44 +02:00
rmartinc
540ee9eda2 Add webauthn tests for the passkeys conditional UI authenticator
Closes #23659

Signed-off-by: rmartinc <rmartinc@redhat.com>
2025-04-07 15:04:59 +02:00
Pedro Igor
d98ca0a2a2
Make sure searches by identifiers are filtered
Closes #38679

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2025-04-07 14:59:43 +02:00
Stefan Guilhen
a4ca92ab4d
Validate realm name for uniqueness before creating a new realm in the DB
Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>

Closes #38426
2025-04-07 08:49:42 -04:00
vramik
6488890585 [FGAP:V2] remove configure scope from Client resource type
Closes #38567

Signed-off-by: vramik <vramik@redhat.com>
2025-04-07 07:05:02 -03:00
Stefan Guilhen
c4c3e2eee6 Allow redirection to idp when user email matches any of the org domains
Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
Co-authored-by: Martin Panzer <martin.panzer@active-logistics.com>

Closes #33804
2025-04-04 11:28:04 -03:00
Alexander Schwartz
b211391e02
Enhance logging for a missing provider factory dependency
Closes #38594

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
2025-04-04 15:38:02 +02:00
Pedro Igor
9f079f7874
Permission checks that do not check a specific client should check the permissions granted to the client resource type
Closes #38653

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2025-04-03 17:00:47 +00:00
vramik
8127a9da60 [FGAP] Allow user creation when the admin has permission to manage-members and manage-membership for all existing groups defined in UserRepresentation
Closes #38269

Signed-off-by: vramik <vramik@redhat.com>
2025-04-03 12:08:46 -03:00
Pedro Igor
29d3dcb49a
Do not allow deleting the FGAP client
Closes #38644

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2025-04-03 14:57:06 +02:00
vramik
999d9aa75b [FGAP] Override canList() for V2.
Closes #38641

Signed-off-by: vramik <vramik@redhat.com>
2025-04-03 08:35:08 -03:00
rtufisi
134437a5a7
Create recovery keys in user storage or local (#38446)
closes #38445

Signed-off-by: rtufisi <rtufisi@phasetwo.io>
2025-04-03 10:09:48 +02:00
vramik
f12fa0b5bb [FGAP] remove transitiveness from auth scopes
Closes #38557

Signed-off-by: vramik <vramik@redhat.com>
2025-04-02 16:56:25 -03:00
tranthanhhien06072001
13405b184a
Add totp policy to TotpLoginBean (#38606)
Closes #38523

Signed-off-by: hientt85 <hientt85@viettel.com.vn>
2025-04-02 18:34:07 +02:00
rmartinc
a10c8119d4 Define a max expiration window for Signed JWT client authentication
Closes #38576

Signed-off-by: rmartinc <rmartinc@redhat.com>
2025-04-02 18:32:54 +02:00
rmartinc
43c79e8d1b Add locale attribute to the registration context
Closes #38029

Signed-off-by: rmartinc <rmartinc@redhat.com>
2025-04-02 09:03:06 +02:00
Pedro Igor
61cb0acbc4 Fixing inconsistencies when evaluating permission in the evaluation tab
Closes #38498

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2025-04-01 11:40:27 -03:00
Alexander Schwartz
85737f52b5
Make access token in user info endpoint bound to the DPoP proof
Closes #38333

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
2025-03-31 09:41:57 +02:00
Václav Muzikář
2a0ce46471
Prevent frontend endpoint redirect to admin endpoint (#38464)
Closes #38463

Signed-off-by: Václav Muzikář <vmuzikar@redhat.com>
2025-03-28 18:44:43 +01:00
Douglas Palmer
4ccb50106a
Add audience to the client-scopes evaluate tab (#38457)
* Add audience to the client-scopes evaluate tab #37548

Signed-off-by: Douglas Palmer <dpalmer@redhat.com>

* Simulate audience parameter in the evaluate tab - polishing

Signed-off-by: mposolda <mposolda@gmail.com>

---------

Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
Signed-off-by: mposolda <mposolda@gmail.com>
Co-authored-by: mposolda <mposolda@gmail.com>
2025-03-28 16:22:34 +01:00
Steven Hawkins
06e0885f46
fix: adds back reporting of non-ip client addresses (#37797)
closes: #36843

Signed-off-by: Steve Hawkins <shawkins@redhat.com>
# Conflicts:
#	services/src/main/java/org/keycloak/protocol/oidc/tokenexchange/AbstractTokenExchangeProvider.java
#	services/src/main/java/org/keycloak/protocol/oidc/tokenexchange/StandardTokenExchangeProvider.java
2025-03-27 19:33:20 +00:00
Stefan Guilhen
d62fa871b5 Allow users to unset their e-mail when the previous e-mail matches org domain but user is not an org member
Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>

Closes #38257
2025-03-27 08:50:08 -03:00
Stefan Guilhen
e694065aed Use UserModel.isFederated() instead of comparing federation link to null
Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>

Closes #38137
2025-03-27 08:11:14 -03:00
Pedro Igor
78aa8b486f User not visible when permission with different scope exists
Closes #38369

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2025-03-27 08:01:04 -03:00