4881 Commits

Author SHA1 Message Date
stianst
7dca54e8dc Set version to 26.0.11
2025-04-24 14:12:15 +02:00
mposolda
b329e6e79a Make sure Cancel AIA does not remove required action from user
Signed-off-by: mposolda <mposolda@gmail.com>
(cherry picked from commit 5e0915854348c9cb95519d5d2d04b41ee97605db)
2025-04-24 11:44:46 +02:00
Steve Hawkins
f835f49065 fix: remove ANY mode modification of truststores
also note that ANY should not be used in production

closes: CVE-2025-3501

Add a test for the error (#1)

Signed-off-by: Ricardo Martin <rmartinc@redhat.com>

Update docs/guides/server/keycloak-truststore.adoc

Co-authored-by: Marek Posolda <mposolda@gmail.com>
Signed-off-by: Steven Hawkins <shawkins@redhat.com>
2025-04-24 11:44:33 +02:00
Venelin Cvetkov
4ae7d60784 Add config param disableTypeClaimCheck in order to validate external tokens without typ claim
Closes #33332

Signed-off-by: Venelin Cvetkov <venelin.tsvetkov@gmail.com>
(cherry picked from commit d388dc79361cd8ba2ace049bd888334faf253552)
2025-04-17 15:11:25 +02:00
rmartinc
2a845aa2b5 Migrate old recaptcha secret name when used
Closes #38607

Signed-off-by: rmartinc <rmartinc@redhat.com>
(cherry picked from commit ba91a092ab6a8266a89be254405d3a6d64dcce85)
2025-04-09 13:56:19 +02:00
Alexander Schwartz
b62e2f3e8e
Set the mail.from to avoid looking up the local hostname
Closes #38353

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
2025-04-03 11:53:38 -03:00
rmartinc
154206c5f3 Define a max expiration window for Signed JWT client authentication
Closes #38576

Signed-off-by: rmartinc <rmartinc@redhat.com>
(cherry picked from commit a10c8119d4452b866b90a9019b2cc159919276ca)
2025-04-03 13:24:12 +02:00
Pedro Igor
44f18467d5
Only set organization to client session when re-authenticating if user is member of the mapped organization
Closes #37169

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2025-02-14 15:38:22 +00:00
Ricardo Martin
707a556828
Force login in reset-credentials to federated users
Closes #37207

Signed-off-by: rmartinc <rmartinc@redhat.com>
(cherry picked from commit 6850f410605d79ea1fa98ea20774056e3a210217)
2025-02-13 08:31:06 +00:00
Ricardo Martin
66a6248d51 Provide an option to force login after reset credentials (#36856)
Closes #36844

Signed-off-by: rmartinc <rmartinc@redhat.com>
Co-authored-by: Ricardo Martin <rmartinc@redhat.com>
Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com>
Co-authored-by: Marek Posolda <mposolda@gmail.com>
Signed-off-by: Marek Posolda <mposolda@gmail.com>
2025-01-29 10:05:00 +01:00
Pedro Igor
3122e4d18d Remember the organization once selected when reloading pages
Closes #36629

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2025-01-24 17:36:57 +01:00
Pedro Igor
4df89c5f47 Support for the login_hint parameter in the identity-first login page
Closes #36649

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2025-01-24 13:58:44 +01:00
Alexander Schwartz
2a3dc2c643
Avoid both logging an error and throwing an exception (#36753)
Closes #36728

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
2025-01-24 09:51:32 +01:00
Pedro Igor
cc6ed54bc3 Allow using a custom scope name when mapping organization to tokens
Closes #36514

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2025-01-23 13:50:36 +01:00
rmartinc
f3b86833fd Check next update time for CRL in certificate validation
Closes #35983

Signed-off-by: rmartinc <rmartinc@redhat.com>
2025-01-23 10:30:44 +01:00
Pedro Igor
3e604cf27d Allow enforce that users are members of organizations when authenticating
Closes #34275

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2025-01-22 21:49:30 +01:00
Pedro Igor
676f2a0469
Error when re-authenticating when organization is enabled
Closes #36249

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2025-01-17 15:36:36 +00:00
Pedro Igor
30b3afbf69
Re-calculate the organization scope when re-authenticating in the browser flow
Closes #35935
Closes #35830

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2025-01-14 09:43:40 +01:00
Stefan Guilhen
a0318812d9 Update UP via provider instead of going through the UserProfileResource
- prevents error when updating realm

Closes #34540

Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
(cherry picked from commit abf0eb7f92e83f6c081c4378f2b715c3b480320a)
2025-01-13 14:41:53 -03:00
Martin Kanis
1cd854fe73 Incomplete registration form when edit email is disabled and email is set as username
Closes #34876

Signed-off-by: Martin Kanis <mkanis@redhat.com>
(cherry picked from commit dbd94292560d91eb57d29dd2f9fab0de4bd605df)
2025-01-13 14:24:10 -03:00
Pedro Igor
99775848f6
Fix NPE when exchanging external using the issuer value
Closes #36053

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2025-01-13 17:52:25 +01:00
Martin Kanis
d1c7a9b347
Translations specified in the admin console do not override the translations specified in a theme (#36275)
Closes #36037

Signed-off-by: Martin Kanis <mkanis@redhat.com>
(cherry picked from commit 03b6f4b306102184127c2acbd319077e5036c13d)
2025-01-13 17:50:35 +01:00
Steven Hawkins
0ba546d384
Remove the use of regex for determining local addresses (#36228) (#36282)
Closes #36227

Signed-off-by: Steve Hawkins <shawkins@redhat.com>
(cherry picked from commit 696bc0710336da15ecaa9c66df2d9f2f8404c7f8)
2025-01-13 17:49:06 +01:00
Martin Bartoš
ed16c89b7d
Upgrade to Quarkus 3.15.2 (#36246)
Closes #35077
Closes #33469
Closes #36009

Signed-off-by: Martin Bartoš <mabartos@redhat.com>
2025-01-13 17:47:58 +01:00
Marek Posolda
3e4cbfac14
Failed to authenticate client with method client_secret_jwt when client has keys generated (#35992)
closes #34547

Signed-off-by: mposolda <mposolda@gmail.com>
(cherry picked from commit 9b01e958dc73ab7634c4e49b5730cd9cd579129a)
2025-01-13 17:47:03 +01:00
Pedro Igor
caec411d9b
Better path parameter names for organization and member APIs
Closes #35745

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2025-01-13 17:45:49 +01:00
mposolda
f9dcfbd59c Token revocation may not correctly revoke related access tokens
closes #35813

Signed-off-by: mposolda <mposolda@gmail.com>
(cherry picked from commit efdc42c2a4132b9c8c953c2ed0bea9d71dcb848e)
2025-01-13 17:43:18 +01:00
mposolda
0bd989fd0e When using the token revocation endpoint with refresh-token, only particular clientSession related to given refresh token should be terminated
closes #35486

Signed-off-by: mposolda <mposolda@gmail.com>
(cherry picked from commit 3fca2f3b7f132bb775a2158e978a3a546b887d7c)
2025-01-13 17:43:18 +01:00
Giuseppe Graziano
4e13c0bbd3
Avoid a NullPointerException when client roles are associated with a client that no longer exists (#35489)
Closes #34444

Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
(cherry picked from commit 8f417d63183369f84cc6cdab1b0843d470c07c43)

Co-authored-by: Marek Posolda <mposolda@gmail.com>
2025-01-13 17:29:37 +01:00
Pedro Igor
7a76858fe4 Restrict access to environment variables when at the server runtime
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-12-16 10:12:52 -03:00
mposolda
edbf75e6ee Keycloak arquillian testsuite not working with the default embedded undertow
closes #35802

Signed-off-by: mposolda <mposolda@gmail.com>
2024-12-16 10:12:52 -03:00
Douglas Palmer
93b2a7327b
EMBARGOED CVE-2024-11734 org.keycloak/keycloak-quarkus-server: Denial of Service in Keycloak Server via Security Headers (#228)
Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
2024-12-13 10:43:31 +01:00
rmartinc
e96ffa1c42 Set clientId in the VerifyEmailActionToken when no one is passed
Closes #35317

Signed-off-by: rmartinc <rmartinc@redhat.com>
(cherry picked from commit d19ba82779a1d80a0ef2b1f464744eb73ce7ad62)
2024-12-10 12:59:25 +01:00
Steven Hawkins
0bd8a1fec9
fix: using regex to expand local ipv6 matching (#35736) (#35737)
closes: #35675

Signed-off-by: Steve Hawkins <shawkins@redhat.com>
(cherry picked from commit 80890737d48a40d790d7594989c3f6eae567c442)
2024-12-09 19:39:53 +01:00
Steven Hawkins
c6d06e0226
fix: changing the bootstrapping suggestion to the command (#35616) (#35666)
closes: #35526

Signed-off-by: Steve Hawkins <shawkins@redhat.com>
(cherry picked from commit 4c7dea5d708bab3f5df5afe671c94ca7cf9166d8)
2024-12-06 11:25:21 +01:00
Martin Kanis
4fd52adc8c Intermittent missing organization claim in Keycloak JWT token
Closes #35324

Signed-off-by: Martin Kanis <mkanis@redhat.com>
(cherry picked from commit 2482302d4dbc805aa84b0be70fd0db48563fad3f)
2024-12-04 16:37:46 -03:00
rmartinc
68d979882e Create a new logout session when initiating it for another client
Closes #34207

Signed-off-by: rmartinc <rmartinc@redhat.com>
(cherry picked from commit e41553bcfb943f6658f1928e52dd96b4fa1420bf)
2024-12-03 12:24:35 +01:00
Venkatesh Kannan
1fae6be539 Persist admin event only when roles is non-empty
Currently, an adminEvent is created regardless of if the roles passed to the
role-mapping API is empty. The event should only be created when the list
`roles` is non-empty.

Closes #33195

Signed-off-by: Venkatesh Kannan <venkatesprasad512@gmail.com>
2024-11-29 15:59:58 +01:00
Rishabh Singh
babd6563a0 setting the user in ExecuteActionsActionTokenHandler.handleToken to manage user null case in FreeMarkerLoginFormsProvider.createResponse
Closes #17233

Signed-off-by: Rishabh Singh <rishabhsvats@gmail.com>
(cherry picked from commit 8cad78b1dfff5b9154d0068702544e6ef62cbc29)
2024-11-29 13:11:17 +01:00
rmartinc
73ed0613ee Do not count current sessions in UserSessionLimitsAuthenticator
Closes #35276

Signed-off-by: rmartinc <rmartinc@redhat.com>
(cherry picked from commit 8a4651c6643aae60abc9e6773e04ae084c4a2b09)
2024-11-28 13:02:39 +01:00
Agnieszka Gancarczyk
f0243a8c0b Backport to expose membership type
Signed-off-by: Agnieszka Gancarczyk <agagancarczyk@gmail.com>
2024-11-27 11:15:25 -03:00
Pedro Igor
3a9cc8e3bd
Make sure unmanaged attributes are populated before updating username when in update email context
Closes #34930

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-11-22 12:18:17 +01:00
Ricardo Martin
154e14122f
Check the authentication config exists before returning its reference
Closes #34888
(cherry picked from commit 8d559d542c1b4f3f030caa1b11c7d8bc9717618b)

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-11-22 12:11:42 +01:00
Jon Koops
cd8a801a85
Ignore Accept-Language header for email themes
Closes #10233

(cherry picked from commit 84f60bc121bc815711b615723833e19fd29838ac)

Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
Co-authored-by: Giuseppe Graziano <g.graziano94@gmail.com>
2024-11-22 12:08:45 +01:00
Giuseppe Graziano
63180be938
Check "Always use lightweight access token" is enabled on the client for Admin REST APIs
Closes #34944

Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
(cherry picked from commit 5d600be6f2b34c5bcb4093af37005903db26cef0)
2024-11-22 12:07:31 +01:00
Pedro Igor
cc64375c88
Allow returning attributes when querying organizations
Closes #34590

Signed-off-by: Himanshi Gupta <higupta@redhat.com>
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
Co-authored-by: Himanshi Gupta <higupta@redhat.com>
2024-11-22 11:50:28 +01:00
Peter Zaoral
7bdc16f029
fix: prevent inclusion of characters that could lead to FileVault path traversal (#212)
Closes: #211

Signed-off-by: Peter Zaoral <pzaoral@redhat.com>
Co-authored-by: Václav Muzikář <vmuzikar@redhat.com>
2024-11-18 09:27:50 +01:00
Steven Hawkins
6a10c0e345
fix: returning addresses instead of hosts on the ClientConnection (#208)
also consolidates checks of whether a host or address is local

closes: #CVE-2024-9666

Signed-off-by: Steve Hawkins <shawkins@redhat.com>
2024-11-18 09:25:44 +01:00
Douglas Palmer
b956819187
EMBARGOED CVE-2024-10270 org.keycloak/keycloak-services: Keycloak Denial of Service (#214)
Closes #CVE-2024-10270

Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
2024-11-14 09:47:04 +01:00
Erik Jan de Wit
12890936cb
add brute force enabled so we can render switch (#34282) (#34476)
fixes: #34065

Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
(cherry picked from commit 4d25128018305f9b7fadc692d6e370b663402a68)
2024-11-12 10:51:19 +01:00