4464 Commits

Author SHA1 Message Date
stianst
fb2bd05840 Set version to 24.0.9 2024-11-27 10:32:04 +01:00
Peter Zaoral
22f0f81507 fix: prevent inclusion of characters that could lead to FileVault path traversal (#219)
Closes: #211

Signed-off-by: Peter Zaoral <pzaoral@redhat.com>
Co-authored-by: Václav Muzikář <vmuzikar@redhat.com>
2024-11-18 09:28:05 +01:00
Steven Hawkins
d0eaed4d82 fix: returning addresses instead of hosts on the ClientConnection (#217)
also consolidates checks of whether a host or address is local

closes: #CVE-2024-9666

Signed-off-by: Steve Hawkins <shawkins@redhat.com>
2024-11-18 09:25:36 +01:00
Douglas Palmer
c4160df1e8 EMBARGOED CVE-2024-10270 org.keycloak/keycloak-services: Keycloak Denial of Service (#216)
Closes #CVE-2024-10270

Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
2024-11-14 09:47:34 +01:00
Ricardo Martin
99eafb1a5e Fix CRL verification failing due to client cert not being in chain (#29582)
closes #19853

Signed-off-by: Micah Algard <micahalgard@gmail.com>
Signed-off-by: rmartinc <rmartinc@redhat.com>

Co-authored-by: Micah Algard <micahalgard@gmail.com>
Co-authored-by: rmartinc <rmartinc@redhat.com>
(cherry picked from commit 74a80997c79928bc928bc7ff9402b47f06aa3a97)
2024-10-17 10:38:59 +02:00
mposolda
d38f0ec19f Better logging when error happens during transaction commit
closes #33275

Signed-off-by: mposolda <mposolda@gmail.com>
(cherry picked from commit 07cf71e818e7feca1a36164c216a225f198d50f0)
2024-10-08 13:15:49 +02:00
Giuseppe Graziano
5344aada5e Remove root auth session after backchannel logout
Closes #32197

Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
(cherry picked from commit b46fab230824a2304daafe74be019e8bd4ee590a)
2024-10-03 08:49:56 +02:00
Stian Thorgersen
babfcba148 Improve handling for loopback redirect-uri validation (#196)
Signed-off-by: stianst <stianst@gmail.com>
2024-09-16 13:33:04 +02:00
cgeorgilakis-grnet
b9bd644dc5 Check refresh token flow response for offline based on refresh token request parameter
Closes #30857

Signed-off-by: cgeorgilakis-grnet <cgeorgilakis@admin.grnet.gr>
(cherry picked from commit 20cedb84eb2084c22cab4f263ce00ba9fb79ffc1)
2024-09-10 08:52:08 +02:00
rmartinc
4875c117a3 Adding upgrading notes for brute force changes
Closes #31960

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-08-08 17:21:27 +02:00
rmartinc
c8053dd812 Remove the attempt in brute force when the off-thread finishes
Closes #31881

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-08-08 17:21:27 +02:00
Pedro Igor
461fa631dc Support for blocking concurrent requests when brute force is enabled
Closes #31726

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
Signed-off-by: mposolda <mposolda@gmail.com>
2024-08-08 17:21:27 +02:00
Jon Koops
bd38e1d323 Only allow a known referrer URI for the Account Console (#28743) (#31814)
Closes #27628

Signed-off-by: Jon Koops <jonkoops@gmail.com>
(cherry picked from commit 3216e7c781a9bb6399d33255e6b10275b3cc81f9)
2024-08-01 13:08:52 +02:00
Alexander Schwartz
a1cfc4d816 Trigger clearing the user cache when the duplicate email allowed flag changes (#31723)
Closes #31045

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
2024-07-30 14:58:17 +02:00
Douglas Palmer
3500618ee2 Failure reset time is applied to Permanent Lockout
Closes #28821

Signed-off-by: Douglas Palmer <dpalmer@redhat.com>
2024-07-18 18:49:28 +02:00
Jon Koops
98ab4341f0 Use the Keycloak server URL for common resources (#30823) (#30826)
Closes #30541

Signed-off-by: Jon Koops <jonkoops@gmail.com>
(cherry picked from commit cd0dbdf2647c7328cafb6f9dc194c8196244d432)
2024-06-27 09:22:55 +00:00
graziang
20ebff7e07 Revoked token cache expiration fix
Added 1 second to the duration of the cache for revoked tokens to prevent them from still being valid for 1 second after the expiration date of the access token.

Closes #26113

Signed-off-by: graziang <g.graziano94@gmail.com>
(cherry picked from commit 54b40d31b66435c016174be1728278189b1dc7d9)
2024-06-21 10:56:25 +02:00
Pedro Igor
63734c4955 Support unmanaged attributes for service accounts and make sure they are only managed through the admin api (#30578)
Closes #29362

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-06-20 14:35:13 +02:00
rmartinc
16b8ce0aee Logout from all clients after IdP logout is performed
Closes #25234

Signed-off-by: rmartinc <rmartinc@redhat.com>
(cherry picked from commit 7d05a7a013495a8c59c3bdc71a04f743d3391b34)
2024-06-11 10:37:18 +02:00
rmartinc
8a922e9146 Generate RESTART_AUTHENTICATION event on success
Closes #29385

Signed-off-by: rmartinc <rmartinc@redhat.com>
(cherry picked from commit b258b459d72b11411fffb833355b36963b0a47ff)
2024-06-07 07:40:02 +02:00
rmartinc
e2972d05a4 Invalid default/options in JavaKeystoreKeyProviderFactory algorithm property
Closes #29426

Signed-off-by: rmartinc <rmartinc@redhat.com>
(cherry picked from commit 9dfaab6d821e33500600c937e1465b5123ade17a)
2024-06-06 09:15:36 +02:00
Giuseppe Graziano
2191cc26ae Encrypted KC_RESTART cookie and removed sensitive notes (#167)
Closes #keycloak/keycloak-private#162

Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
2024-05-21 08:29:17 +02:00
Ricardo Martin
d9f0c84b79 Missing auth checks in some admin endpoints (#166)
Closes keycloak/keycloak-private#156

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-05-21 08:26:19 +02:00
rmartinc
19a232c7a4 Allow empty CSP header in headers provider
Closes #29458

Signed-off-by: rmartinc <rmartinc@redhat.com>
(cherry picked from commit 2cc051346df2cca7ed438db852a52a7123740600)
2024-05-13 19:38:17 +02:00
Alexander Schwartz
bda30ddb5a Run validation of email addresses only for new and changed email addresses
Closes #29133

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
2024-05-03 09:16:47 -03:00
rmartinc
047e80445f Better management of the CSP header
Closes https://github.com/keycloak/keycloak/issues/24568

Signed-off-by: rmartinc <rmartinc@redhat.com>
(cherry picked from commit 2b769e5129a0db453bb8cc00452c33afdcd2c322)
2024-04-18 14:38:10 +02:00
Giuseppe Graziano
60ea525d1d Added new SessionStateMapper
Closes #28591

Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
2024-04-18 10:12:12 +02:00
graziang
eda33155aa Encode role name parameter in the location header uri
The role is encoded to avoid template resolution by the URIBuilder. This fix avoids the exception when creating roles with names containing {patterns}.

Closes #27514

Signed-off-by: graziang <g.graziano94@gmail.com>
(cherry picked from commit 39299eeb38df999816b49dab82ac8afe083458c8)
2024-04-18 08:01:34 +02:00
Alexander Schwartz
261b68927b Add error details to events to be able to track down root causes
Closes #28429

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
2024-04-16 20:36:28 +02:00
Pedro Igor
eb0f792431 Make sure attribute metadata from user storage providers are added only for the provider associated with a federated user (#150)
Closes #28248

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>

Conflicts:
	docs/documentation/upgrading/topics/changes/changes-24_0_3.adoc
2024-04-09 08:12:02 +02:00
Pedro Igor
d7947bb336 Resolve the user federation link as null when decorating the user profile metadata in the LDAP provider (#147)
Closes #28100

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-04-02 09:14:43 +02:00
Pedro Igor
e3edf76867 Restrict the token types that can be verified when not using the user info endpoint (#146)
Closes #47

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>

Conflicts:
	core/src/main/java/org/keycloak/util/TokenUtil.java
	testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/ClientTokenExchangeTest.java
2024-03-23 15:17:52 +01:00
Marek Posolda
77254a28e9 Secondary factor bypass in step-up authentication (#143)
closes #34

Signed-off-by: mposolda <mposolda@gmail.com>
2024-03-23 15:16:21 +01:00
Ricardo Martin
9d9b57879c Better management of domains in TrustedHostClientRegistrationPolicy (#139)
Closes keycloak/keycloak-private#63

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-03-23 15:15:14 +01:00
Giuseppe Graziano
aebd051cf0 Avoid the same userSessionId after re-authentication (#136)
Closes #69

Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
2024-03-23 15:14:16 +01:00
Ricardo Martin
df1cc0a4d9 Validate Saml URLs inside DefaultClientValidationProvider (#135)
Closes keycloak/keycloak-private#62

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-03-23 15:12:07 +01:00
Ricardo Martin
4ffb69ecef Perform exact string match if redirect URI contains userinfo, encoded slashes or parent access (#131)
Closes keycloak/keycloak-private#113
Closes keycloak/keycloak-private#134

Signed-off-by: rmartinc <rmartinc@redhat.com>
Co-authored-by: Stian Thorgersen <stianst@gmail.com>
2024-03-23 15:09:31 +01:00
Jon Koops
9d9817e15a Limit requests sent through session status iframe (#132)
Closes #116

Signed-off-by: Jon Koops <jonkoops@gmail.com>
2024-03-23 08:23:14 +01:00
Giuseppe Graziano
ca1c1eb3cf Always include offline_access scope when refreshing with offline token
Closes #27878

Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
(cherry picked from commit 939420cea1dd98e779b991c5420a8158e4db6a13)
2024-03-21 17:09:02 +01:00
Martin Kanis
f7bcaaa687 Invalidating offline token is not working from client sessions tab
Closes #27275

Signed-off-by: Martin Kanis <mkanis@redhat.com>
(cherry picked from commit 4154d27941e4cc7ccb0452e6f43978897b5dc3d3)
2024-03-21 17:01:30 +01:00
Pedro Igor
c453cdd535 Do not grant scopes not granted for resources owned by the resource server itself
Closes #25057

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-03-21 09:20:12 +01:00
Jon Koops
3fdb396ac9 Attributes without a group should appear first (#28091)
Fixes #27981

Signed-off-by: René Zeidler <rene.zeidler@gmx.de>
(cherry picked from commit 83a3500ccf26f5920c976fab13e0f00a3bf56ea6)

Co-authored-by: René Zeidler <rene.zeidler@gmx.de>
2024-03-20 13:01:45 +00:00
Jon Koops
f3165fcc2f no result to parse on success (#27336) (#27985)
* no result to parse on success

fixes: #27245
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>

* translate error message

Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>

---------

Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
(cherry picked from commit 7d104dbe9d077d44b2f9b4054b667a0146f1b1dc)

Co-authored-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
2024-03-18 19:50:00 +00:00
rmartinc
77306f8087 Do not challenge inside spnego authenticator if FORKED_FLOW
Closes #20637

Signed-off-by: rmartinc <rmartinc@redhat.com>
(cherry picked from commit 43a5779f6e0b75a6d2ac1cc94f702d256d58c259)
2024-03-12 18:13:16 +01:00
Pedro Igor
c76ff3e6b6 Make sure refresh token expiration is based on the current time when the token is issued
Closes #27180

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-03-12 13:11:07 +01:00
Pedro Igor
b7a95bea12 Make sure empty configuration resolves to the system default configuration
Closes #27611

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2024-03-11 16:40:49 +01:00
Theresa Henze
3fbb117271 trigger REMOVE_TOTP event on removal of an OTP credential
Closes #15403

Signed-off-by: Theresa Henze <theresa.henze@bare.id>
2024-03-06 21:09:04 +01:00
vramik
032bb8e9cc Map Store Removal: Remove obsolete KeycloakModelUtils.isUsernameCaseSensitive method
Closes #27438

Signed-off-by: vramik <vramik@redhat.com>
2024-03-02 04:40:46 +09:00
rmartinc
f970803738 Check email and username for duplicates if isLoginWithEmailAllowed
Closes #27297

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-03-02 00:14:27 +09:00
Andy
137907f5ef Roles admin REST API: Don't expand composite roles
Additionally:
- Import clean-up
- Added requireMapComposite as in RoleResource.addComposites

Closes #26951

Signed-off-by: synth3 <19573241+synth3@users.noreply.github.com>
2024-03-02 00:03:03 +09:00