Thomas Darimont
2a7495b4f5
Allow specifying max allowed expiration of federated client assertion in the Identity Provider settings (#46629)
* Add support to specify max expiration time for client assertions in Identity Provider settings (#46304, #46626, #46627)
We now support the configuration of max client assertion expiration time for the following providers:
- OIDC Identity Provider
- SPIFFE Identity Provider
- Kubernetes Identity Provider
Added testFederatedClientAssertionMaxExpiration test.
Added UI test for saving and retrieving fedClientAssertionMaxExp for Kubernetes Identity Provider.
Fixes #46304 (SPIFFE)
Fixes #46626 (Kubernetes)
Fixes #46627 (OIDC)
Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
* Move client auth tests to AbstractBaseClientAuthTest
This allows testing base, Kubernetes and Spiffe implementations.
Fixes #46630
Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
---------
Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
2026-02-27 07:05:10 +00:00
Thomas Diesler
8cfef9443d
[OID4VCI] Add support for CredentialScopeRepresentation
Signed-off-by: Thomas Diesler <tdiesler@ibm.com>
2026-02-26 09:06:15 +01:00
Ricardo Martin
e7ac4ef3f7
Move test class for persistent CIMD to the new test-suite
Closes #46438
Signed-off-by: rmartinc <rmartinc@redhat.com>
2026-02-24 11:40:26 +01:00
Marie Daly
3bdf058578
Added delay to flaky test AttackDetectionResourceTest (#46490)
closes #45986
Signed-off-by: Marie Daly <marie.daly1@ibm.com>
2026-02-23 08:14:30 +01:00
Pedro Ruivo
4253a79eb2
Client or role parsing caching should be realm specific
Closes #46403
Signed-off-by: Pedro Ruivo <1492066+pruivo@users.noreply.github.com>
Co-authored-by: Pedro Ruivo <1492066+pruivo@users.noreply.github.com>
2026-02-17 16:57:38 +01:00
Pedro Ruivo
7e00961ee1
Cache evaluation of client roles with dots for role mapper
Closes #43726
Signed-off-by: Pedro Ruivo <1492066+pruivo@users.noreply.github.com>
Co-authored-by: Pedro Ruivo <1492066+pruivo@users.noreply.github.com>
2026-02-17 12:45:37 +01:00
Geremia Taglialatela
418700b4f8
Fix duplicate header in VERIFY_EMAIL flow
Fix #46105
Signed-off-by: Geremia Taglialatela <tagliala.dev@gmail.com>
Co-authored-by: tagliala <556268+tagliala@users.noreply.github.com>
2026-02-16 16:26:22 +01:00
Steven Hawkins
c28cac9db3
fix: ensuring proper error handling for duplicate protocol mappers
closes: #26946
Signed-off-by: Steve Hawkins <shawkins@redhat.com>
2026-02-13 16:33:01 +00:00
Giuseppe Graziano
a8418b251d
Unique issuer for identity providers
Closes #45747
Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
2026-02-13 08:44:07 +01:00
Thomas Diesler
de0ae92ebe
[OID4VCI] Wrong typ value for SD-JWT VC
Signed-off-by: Thomas Diesler <tdiesler@ibm.com>
2026-02-11 08:28:07 +01:00
Giuseppe Graziano
d6f07f27ec
User validation in JWT Authorization Grant (#46149)
Closes #46144
Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
2026-02-10 13:09:05 +00:00
Valeria
05ff44b8a0
Patch CVE-2026-0707. Add validation on Authorization Header with Bearer, add tests (#45787)
Closes #45649
Signed-off-by: Valeria Epifanova <lerkamandarinka24@gmail.com>
2026-02-10 13:10:29 +01:00
Giuseppe Graziano
176dc8902c
Check if idp is enabled for JWT Auth Grant and Federated Client Auth (#46148)
Closes #46146
Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
2026-02-10 13:01:42 +01:00
Alexander Schwartz
fc7b1b1e83
Check if two IDPs with the same issuer URL exist before caching them
Closes #45453
Signed-off-by: Alexander Schwartz <alexander.schwartz@ibm.com>
2026-02-09 11:30:09 +01:00
Stefan Guilhen
9a32b5e2c4
Add ProviderEvents to workflows
- custom listeners can now react to workflow operations
Closes #45170
Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2026-02-06 16:48:03 -03:00
Pedro Ruivo
02c6499d96
Deprecate unused methods in UserSessionProvider
Closes #45823
Signed-off-by: Pedro Ruivo <1492066+pruivo@users.noreply.github.com>
Co-authored-by: Pedro Ruivo <1492066+pruivo@users.noreply.github.com>
2026-02-06 19:04:19 +01:00
Lukas Hanusovsky
a21a53667e
Creating user with roles/clientRoles via UserSupplier is not supported. (#46070)
Signed-off-by: Lukas Hanusovsky <lhanusov@redhat.com>
2026-02-06 08:55:19 +00:00
Aggelos Sachtouris
6c003a41aa
Format: apply code formatting using spotless
Signed-off-by: Aggelos Sachtouris <aggelos_sachtouris@hotmail.com>
2026-02-05 12:22:37 -03:00
Aggelos Sachtouris
fb58f1c40f
fix: Test Old ResourceOperationType to UserCreatedWorkflowEventFactory
Signed-off-by: Aggelos Sachtouris <aggelos_sachtouris@hotmail.com>
2026-02-05 12:22:37 -03:00
Aggelos Sachtouris
e6e4017d3d
doc: Changed comment on Unlink User Test
Signed-off-by: Aggelos Sachtouris <aggelos_sachtouris@hotmail.com>
2026-02-05 12:22:37 -03:00
Aggelos Sachtouris
dc6c1683bd
Create test for unlink user workflow step
Signed-off-by: Aggelos Sachtouris <aggelos_sachtouris@hotmail.com>
2026-02-05 12:22:37 -03:00
Stian Thorgersen
ea4c8f65b6
Review realm cleanup in test framework
Closes #45973
Signed-off-by: stianst <stianst@gmail.com>
2026-02-04 18:03:15 +01:00
Pedro Ruivo
297d8ac95d
Refactor ClientResource for better performance
Closes #45838
Signed-off-by: Pedro Ruivo <1492066+pruivo@users.noreply.github.com>
Co-authored-by: Pedro Ruivo <1492066+pruivo@users.noreply.github.com>
2026-02-04 11:29:18 +01:00
Stefan Guilhen
2111dcf913
Check only for the existence of the attribute if only the key is specified
Closes #45983
Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2026-02-03 14:52:34 -03:00
Stefan Guilhen
021d544000
Ensure required action is enabled at the realm level before adding it to the user via workflow step
Closes #45976
Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2026-02-03 14:51:28 -03:00
Martin Bartoš
3e568fc81b
OTEL: Use suggested 'code.function.name' for span attributes
Closes #45944
Signed-off-by: Martin Bartoš <mabartos@redhat.com>
Co-authored-by: Alexander Schwartz <alexander.schwartz@gmx.net>
2026-02-03 15:56:48 +01:00
rmartinc
c63f54ba3a
Client policy executor to allow extra audiences for JWT authorization grant
Closes #45180
Signed-off-by: rmartinc <rmartinc@redhat.com>
2026-02-03 13:39:31 +01:00
Stefan Guilhen
6e408dd7bc
Introduce WorkflowEventSpi
- supports custom event handling beyond the built-in workflow capabilities.
Closes #43916
Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2026-02-02 11:18:27 -03:00
rmartinc
d4e9b16ea9
Include version in system-info for manage-realm and restrict view-system mapping
Closes #45776
Signed-off-by: rmartinc <rmartinc@redhat.com>
2026-02-02 12:40:57 +01:00
Pedro Igor
13cf35ded3
Only realm admins can manage workflows
Closes #45875
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2026-01-30 21:18:06 +01:00
Pedro Ruivo
02066f4985
Bugfix Refactor SessionsResource
Closes #45727
Signed-off-by: Pedro Ruivo <1492066+pruivo@users.noreply.github.com>
Co-authored-by: Pedro Ruivo <1492066+pruivo@users.noreply.github.com>
2026-01-29 14:51:50 +01:00
Pedro Ruivo
bae3963d25
Refactor SessionsResource for better memory usage and performance
Closes #45727
Signed-off-by: Pedro Ruivo <1492066+pruivo@users.noreply.github.com>
Signed-off-by: Alexander Schwartz <alexander.schwartz@ibm.com>
Co-authored-by: Pedro Ruivo <1492066+pruivo@users.noreply.github.com>
Co-authored-by: Alexander Schwartz <alexander.schwartz@ibm.com>
2026-01-29 11:38:54 +01:00
Tero Saarni
cb4c533464
Add support for looking up client secrets via Vault SPI (#39650)
Fixes #13102
Signed-off-by: Tero Saarni <tero.saarni@est.tech>
2026-01-28 16:45:30 +01:00
Pedro Igor
b9243a7270
Only enable JS policies if the scripts feature is enabled
Closes #44132
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2026-01-28 12:28:32 +01:00
Alexander Schwartz
0ddb355d3d
Optimize deletion of composite roles
Closes #45065
Signed-off-by: Alexander Schwartz <alexander.schwartz@ibm.com>
2026-01-28 08:05:16 -03:00
Stefan Guilhen
c13a1772f8
Adds ability to migrate scheduled workflow resources from one step to another step in the same or different workflow
Closes #45174
Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2026-01-27 13:46:18 -03:00
Steven Hawkins
38b5466093
fix: aligns our dev http-host default behavior with that of quarkus (#45691)
closes: #42876
Signed-off-by: Steve Hawkins <shawkins@redhat.com>
Signed-off-by: Steven Hawkins <shawkins@redhat.com>
2026-01-27 16:51:47 +01:00
Šimon Vacek
8f0cbcb244
Run new framework db testsuite on Aurora
Closes #41940
Signed-off-by: Simon Vacek <simonvacky@email.cz>
2026-01-22 20:14:54 +01:00
vramik
111ba36504
Organization Groups Core Backend & API
Closes #45562
Signed-off-by: vramik <vramik@redhat.com>
2026-01-22 09:39:24 -03:00
Alexander Schwartz
fd9c513c9c
When creating or updating a Kubernetes IDP, check if issuer URL is unique
Closes #45449
Signed-off-by: Alexander Schwartz <alexander.schwartz@ibm.com>
2026-01-21 17:52:11 +01:00
Giuseppe Graziano
b74be6ed41
JWT Authorization Grant for Google idp (#45543)
Closes #45179
Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
2026-01-21 16:17:52 +01:00
rmartinc
b7a23e88d2
Test for authorization chaining across domains
Closes #45468
Signed-off-by: rmartinc <rmartinc@redhat.com>
2026-01-21 15:52:59 +01:00
rmartinc
7e20b87136
Add abstract property for themes and do not display base for selection
Closes #41924
Signed-off-by: rmartinc <rmartinc@redhat.com>
2026-01-21 15:42:52 +01:00
Hathoute
ea2083ed2c
Support for clients in workflows
Signed-off-by: Hathoute <whitesmith.thedj@gmail.com>
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2026-01-21 11:20:30 -03:00
Giuseppe Graziano
3c3915556c
OIDC identity provider issuer config
Closes #45590
Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
2026-01-20 13:19:16 +01:00
forkimenjeckayang
fa28ddddb2
[OID4VCI] Disable OID4VCI functionality when Verified Credentials switch is off (#44995)
closes #44622
Signed-off-by: forkimenjeckayang <forkimenjeckayang@gmail.com>
Signed-off-by: mposolda <mposolda@gmail.com>
Co-authored-by: mposolda <mposolda@gmail.com>
2026-01-19 14:09:42 +01:00
rmartinc
07b9b9656b
Allow client_id as an audience in the JWT Authorization Grant and Client Assertions
Closes #45178
Signed-off-by: rmartinc <rmartinc@redhat.com>
2026-01-16 15:48:28 +01:00
stianst
8aaf3e4606
Allow re-using server when running tests with the new framework
Closes #44101
Signed-off-by: stianst <stianst@gmail.com>
2026-01-16 09:11:43 -03:00
Martin Kanis
4f91b5246e
User REST Admin API - count and search returns different amount of users
Closes #45219
Signed-off-by: Martin Kanis <mkanis@redhat.com>
2026-01-16 07:29:42 -03:00
Stefan Guilhen
5ed7894502
Add step implementation to remove user attributes
Closes #44650
Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2026-01-15 14:28:35 -03:00