Add server-side filtering of users by creation timestamp on the admin
REST API. This avoids the need to retrieve all users and filter
client-side, which is inefficient for large realms.
Two optional query parameters are added to both the user list and count
endpoints. They accept either ISO-8601 date strings (yyyy-MM-dd) or
epoch milliseconds, consistent with the existing events API date
filtering via DateUtil.
Closes#43829
Signed-off-by: RafaelWO <weingartner.rafael@hotmail.com>
Pre-compute the full effective role set once in
ClientRoleMappingsResource.getCompositeClientRoleMappings() using
RoleUtils.getDeepRoleMappings(), then filter by client. This replaces
the previous O(C*M*D) approach of calling user.hasRole() for every
client role, which recursively expanded composites without memoization.
RoleUtils.getDeepRoleMappings(RoleMapperModel) is introduced to handle
both RoleMapperModel implementations correctly: UserModel includes
group-inherited roles (matching UserModel.hasRole() semantics), while
GroupModel expands only its direct composite mappings.
The CompositeClientRoleMappingsTest is migrated from the deprecated
Arquillian framework to the new Keycloak test framework (JUnit 5).
Signed-off-by: Alexey Skosyrskiy <askosyrskiy@metropolis.io>
Closes#46164
Signed-off-by: Peter Skopek <peter.skopek@ibm.com>
Update model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/changes/remote/updater/loginfailures/LoginFailuresUpdater.java
Co-authored-by: Pedro Ruivo <pruivo@users.noreply.github.com>
Signed-off-by: Peter Skopek <peter.skopek@ibm.com>
Add recovery codes to the list of brute force checked authenticators.
Closes#46164
Signed-off-by: Peter Skopek <peter.skopek@ibm.com>
* Add support to specify max expiration time for client assertions in Identity Provider settings (#46304, #46626, #46627)
We now support the configuration of max client assertion expiration time for the following providers:
- OIDC Identity Provider
- SPIFFE Identity Provider
- Kubernetes Identity Provider
Added testFederatedClientAssertionMaxExpiration test.
Added UI test for saving and retrieving fedClientAssertionMaxExp for Kubernetes Identity Provider.
Fixes#46304 (SPIFFE)
Fixes#46626 (Kubernetes)
Fixes#46627 (OIDC)
Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
* Move client auth tests to AbstractBaseClientAuthTest
This allows testing base, Kubernetes and Spiffe implementations.
Fixes#46630
Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
---------
Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
Closes#46100
Signed-off-by: Pedro Ruivo <1492066+pruivo@users.noreply.github.com>
Co-authored-by: Pedro Ruivo <1492066+pruivo@users.noreply.github.com>
Closes#45823
Signed-off-by: Pedro Ruivo <1492066+pruivo@users.noreply.github.com>
Co-authored-by: Pedro Ruivo <1492066+pruivo@users.noreply.github.com>
Closes#45838
Signed-off-by: Pedro Ruivo <1492066+pruivo@users.noreply.github.com>
Co-authored-by: Pedro Ruivo <1492066+pruivo@users.noreply.github.com>
Closes#45727
Signed-off-by: Pedro Ruivo <1492066+pruivo@users.noreply.github.com>
Signed-off-by: Alexander Schwartz <alexander.schwartz@ibm.com>
Co-authored-by: Pedro Ruivo <1492066+pruivo@users.noreply.github.com>
Co-authored-by: Alexander Schwartz <alexander.schwartz@ibm.com>
Closes#45574
Signed-off-by: Alexander Schwartz <alexander.schwartz@ibm.com>
Signed-off-by: Alexander Schwartz <alexander.schwartz@gmx.net>
Co-authored-by: Pedro Ruivo <pruivo@users.noreply.github.com>
Closes#44801
Signed-off-by: Alexander Schwartz <alexander.schwartz@ibm.com>
Signed-off-by: Alexander Schwartz <alexander.schwartz@gmx.net>
Signed-off-by: Pedro Ruivo <pruivo@redhat.com>
Co-authored-by: Christian Glasmachers <Christian.Glasmachers-extern@deutschebahn.com>
Co-authored-by: Alexander Schwartz <alexander.schwartz@ibm.com>
Co-authored-by: Alexander Schwartz <alexander.schwartz@gmx.net>
Co-authored-by: Pedro Ruivo <pruivo@users.noreply.github.com>
Closes#44068
Signed-off-by: Pedro Ruivo <1492066+pruivo@users.noreply.github.com>
Signed-off-by: Alexander Schwartz <alexander.schwartz@ibm.com>
Signed-off-by: Ryan Emerson <remerson@ibm.com>
Co-authored-by: Pedro Ruivo <1492066+pruivo@users.noreply.github.com>
Co-authored-by: Alexander Schwartz <alexander.schwartz@ibm.com>
Co-authored-by: Ryan Emerson <remerson@ibm.com>
Closes#38809
Signed-off-by: Alexis Rico <sferadev@gmail.com>
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com>
* fix: adding a single method to get the base uri
closes: #43330
Signed-off-by: Steve Hawkins <shawkins@redhat.com>
* Update server-spi/src/main/java/org/keycloak/urls/HostnameProvider.java
Co-authored-by: Václav Muzikář <vaclav@muzikari.cz>
Signed-off-by: Steven Hawkins <shawkins@redhat.com>
---------
Signed-off-by: Steve Hawkins <shawkins@redhat.com>
Signed-off-by: Steven Hawkins <shawkins@redhat.com>
Co-authored-by: Václav Muzikář <vaclav@muzikari.cz>
Closes#43370
Signed-off-by: Alexander Schwartz <alexander.schwartz@ibm.com>
Signed-off-by: 1867605+tkyjovsk@users.noreply.github.com
Co-authored-by: Pedro Ruivo <1492066+pruivo@users.noreply.github.com>
Co-authored-by: Alexander Schwartz <alexander.schwartz@ibm.com>
Fixes#43349
Signed-off-by: Pedro Ruivo <1492066+pruivo@users.noreply.github.com>
Signed-off-by: Alexander Schwartz <alexander.schwartz@ibm.com>
Co-authored-by: Pedro Ruivo <1492066+pruivo@users.noreply.github.com>
Co-authored-by: Alexander Schwartz <alexander.schwartz@ibm.com>
