* resolve org from scope instead of client session note (#42836)
Signed-off-by: Chris Leigh <3805338+Tungsten78@users.noreply.github.com>
* Keep track of current organization when refreshing tokens
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
* Handling select organization when querying userinfo and introspection endpoints
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
* More tests
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
* Test to check prevent single to all
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
* Error when changing scopes to ANY
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
---------
Signed-off-by: Chris Leigh <3805338+Tungsten78@users.noreply.github.com>
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com>
Add server-side filtering of users by creation timestamp on the admin
REST API. This avoids the need to retrieve all users and filter
client-side, which is inefficient for large realms.
Two optional query parameters are added to both the user list and count
endpoints. They accept either ISO-8601 date strings (yyyy-MM-dd) or
epoch milliseconds, consistent with the existing events API date
filtering via DateUtil.
Closes #43829
Signed-off-by: RafaelWO <weingartner.rafael@hotmail.com>
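The two accepted value forms for the creation-timestamp filter described above, as an added example that is not Keycloak's own code: a small parser that turns either a yyyy-MM-dd date or an epoch-milliseconds string into a bound, and a predicate that applies both bounds to a user's creation timestamp. The class and method names, and the rule that a date used as an upper bound covers the whole day in UTC, are assumptions made for the example; the real DateUtil may choose differently.

```java
import java.time.LocalDate;
import java.time.ZoneOffset;
import java.time.format.DateTimeParseException;
import java.util.Optional;

// Added example, not Keycloak code. Accepts the two forms named in the
// commit message: an ISO-8601 calendar date (yyyy-MM-dd) or epoch millis.
// Treating a date as UTC, and extending an upper-bound date to the end of
// that day, are assumptions of this example.
public final class CreatedAtFilter {

    private CreatedAtFilter() {}

    /** Lower bound: a date maps to 00:00:00.000 UTC of that day. */
    public static Optional<Long> parseFrom(String raw) {
        return parse(raw, false);
    }

    /** Upper bound: a date maps to 23:59:59.999 UTC so the whole day is included. */
    public static Optional<Long> parseTo(String raw) {
        return parse(raw, true);
    }

    private static Optional<Long> parse(String raw, boolean endOfDay) {
        if (raw == null || raw.isBlank()) {
            return Optional.empty(); // parameter absent: no bound
        }
        String value = raw.trim();
        // Epoch milliseconds: all digits, optional leading minus.
        if (value.matches("-?\\d+")) {
            try {
                return Optional.of(Long.parseLong(value));
            } catch (NumberFormatException e) {
                throw new IllegalArgumentException("timestamp out of range: " + value, e);
            }
        }
        try {
            LocalDate day = LocalDate.parse(value); // strict yyyy-MM-dd, rejects 2024-13-01 etc.
            long millis = endOfDay
                    ? day.plusDays(1).atStartOfDay(ZoneOffset.UTC).toInstant().toEpochMilli() - 1
                    : day.atStartOfDay(ZoneOffset.UTC).toInstant().toEpochMilli();
            return Optional.of(millis);
        } catch (DateTimeParseException e) {
            throw new IllegalArgumentException("expected yyyy-MM-dd or epoch millis: " + value, e);
        }
    }

    /** Applies both bounds to a user's creation timestamp; a user without one never matches. */
    public static boolean matches(Long createdTimestamp, Optional<Long> from, Optional<Long> to) {
        if (createdTimestamp == null) return false;
        if (from.isPresent() && createdTimestamp < from.get()) return false;
        if (to.isPresent() && createdTimestamp > to.get()) return false;
        return true;
    }

    public static void main(String[] args) {
        Optional<Long> from = parseFrom("2024-01-01");
        Optional<Long> to = parseTo("2024-01-31");
        // Constructed sample timestamps: 2024-01-23 UTC, 2024-01-01T00:00Z as millis, 2024-02-01T00:00Z.
        System.out.println(matches(1706000000000L, from, to));
        System.out.println(matches(parseFrom("1704067200000").get(), from, to));
        System.out.println(matches(1706745600000L, from, to));
    }
}
```

Rejecting malformed values with an exception rather than silently ignoring the parameter matters here: a filter that is dropped on a parse error returns the unfiltered user list, which is the opposite of what the caller asked for.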
Closes #47038
Signed-off-by: Benjamin DeWeese <bdeweesevans@gmail.com>
Signed-off-by: Alexander Schwartz <alexander.schwartz@ibm.com>
Co-authored-by: Alexander Schwartz <alexander.schwartz@ibm.com>
- also change name of add/remove required action providers to better align with other step providers.
Closes #47655
Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
The client can select which Identity Provider to use for user authentication by including an Identity Provider alias in a "kc_idp_hint" parameter in a Pushed Authorization Request.
Closes#47229
Signed-off-by: Laurids Møller Jepsen <laurids.jepsen@cryptomathic.com>
Only include @context in credential_definition when the credential
format is ldp_vc, as required by the OID4VCI specification. For
jwt_vc_json format, @context is now excluded by setting it to null
in JwtCredentialBuilder. The LDCredentialBuilder now explicitly
contributes credential definition metadata including @context.
Closes #47045
Signed-off-by: Asish Kumar <officialasishkumar@gmail.com>
- replace non-cryptographic PRNG usage (java.util.Random, Math.random)
- use SecureRandom in JwtCNonceHandler for nonce length generation
- use SecureRandom in TimeClaimNormalizer for time claim randomization
- introduce centralized secure random utility (SecretGenerator)
- ensure uniform and unpredictable randomness in security-sensitive flows
Closes #47271
Signed-off-by: Awambeng Rodrick <awambengrodrick@gmail.com>
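The pattern the commit above removes, shown beside its hardened form, as an added example rather than Keycloak's own code. The class names are invented for the example; the jitter helper only illustrates what "time claim randomization" with a CSPRNG can look like and is an assumption about, not a copy of, TimeClaimNormalizer.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Random;

// Added example, not Keycloak code: weak and hardened nonce generation.
public final class NonceExamples {

    // BEFORE (weak): java.util.Random is a 48-bit linear congruential
    // generator. Its internal state can be recovered from a few observed
    // outputs, after which every later nonce is predictable. Math.random()
    // is the same generator under the hood.
    static final class WeakNonces {
        private final Random random = new Random();

        String nextNonce() {
            byte[] bytes = new byte[16];
            random.nextBytes(bytes);
            return Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
        }
    }

    // AFTER (hardened): one shared SecureRandom, seeded from the platform
    // CSPRNG, used for the nonce bytes and for every security-relevant
    // length or jitter value so no flow falls back to a weak source.
    static final class SecureNonces {
        private static final SecureRandom RANDOM = new SecureRandom();

        /** Nonce with a fixed 32-byte entropy budget, URL-safe for use in JWT claims. */
        String nextNonce() {
            byte[] bytes = new byte[32];
            RANDOM.nextBytes(bytes);
            return Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
        }

        /** Uniform integer in [min, max]. nextInt(bound) uses rejection sampling, unlike nextInt() % n, which is biased. */
        int uniformInt(int min, int max) {
            if (max < min) throw new IllegalArgumentException("max < min");
            return min + RANDOM.nextInt(max - min + 1);
        }

        /** Assumed shape of time-claim randomization: shift a timestamp back by a random number of seconds within a window. */
        long jitterSeconds(long epochSeconds, int windowSeconds) {
            return epochSeconds - uniformInt(0, windowSeconds);
        }
    }

    public static void main(String[] args) {
        SecureNonces secure = new SecureNonces();
        System.out.println("nonce:    " + secure.nextNonce());
        System.out.println("length:   " + secure.uniformInt(16, 32));
        System.out.println("jittered: " + secure.jitterSeconds(1704067200L, 60)); // constructed sample timestamp
    }
}
```

A single static SecureRandom is the usual choice: construction can be expensive and the instance is thread-safe, so creating one per request gains nothing and can stall on entropy-starved hosts.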
Address review comments from @IngridPuppet
Signed-off-by: Awambeng Rodrick <awambengrodrick@gmail.com>
Pre-compute the full effective role set once in
ClientRoleMappingsResource.getCompositeClientRoleMappings() using
RoleUtils.getDeepRoleMappings(), then filter by client. This replaces
the previous O(C*M*D) approach of calling user.hasRole() for every
client role, which recursively expanded composites without memoization.
RoleUtils.getDeepRoleMappings(RoleMapperModel) is introduced to handle
both RoleMapperModel implementations correctly: UserModel includes
group-inherited roles (matching UserModel.hasRole() semantics), while
GroupModel expands only its direct composite mappings.
The CompositeClientRoleMappingsTest is migrated from the deprecated
Arquillian framework to the new Keycloak test framework (JUnit 5).
Signed-off-by: Alexey Skosyrskiy <askosyrskiy@metropolis.io>
Pre-compute user's effective roles via RoleUtils.expandCompositeRoles()
(BFS) instead of calling user.hasRole() per client role which
recursively expands composites without memoization.
Closes #47157
Signed-off-by: Alexey Skosyrskiy <askosyrskiy@metropolis.io>
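The two strategies the preceding two commit messages contrast, as an added example that is not Keycloak's own code: a minimal in-memory role graph with a naive per-role recursive hasRole() check beside a single breadth-first expansion that visits each role once, followed by the per-client filter. The class and method names are invented for the example; the naive version deliberately has no cycle guard to show why a visited set matters, and nothing here is a claim about how Keycloak's real UserModel.hasRole() behaves.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

// Added example, not Keycloak code: recursive hasRole() per client role
// versus one BFS expansion of the effective role set, then a filter.
public final class RoleExpansion {

    /** A role, optionally scoped to a client, with its direct composite children. */
    static final class Role {
        final String name;
        final String clientId;          // null for a realm role
        final Set<Role> composites = new LinkedHashSet<>();

        Role(String name, String clientId) { this.name = name; this.clientId = clientId; }

        @Override public String toString() { return clientId == null ? name : clientId + ":" + name; }
    }

    /** Naive check: full recursive descent on every call, no memoization, no cycle guard. */
    static boolean hasRoleNaive(Set<Role> directMappings, Role target) {
        for (Role r : directMappings) {
            if (r == target) return true;
            if (hasRoleNaive(r.composites, target)) return true;
        }
        return false;
    }

    /** BFS expansion: each role is enqueued from its parents but visited at most once, so diamonds and cycles are safe and the cost is O(roles + edges). */
    static Set<Role> expandCompositeRoles(Set<Role> directMappings) {
        Set<Role> visited = new LinkedHashSet<>();
        Deque<Role> queue = new ArrayDeque<>(directMappings);
        while (!queue.isEmpty()) {
            Role r = queue.poll();
            if (visited.add(r)) {
                queue.addAll(r.composites);
            }
        }
        return visited;
    }

    /** Effective mappings for a user: direct roles plus group-inherited roles, expanded once. */
    static Set<Role> deepUserRoleMappings(Set<Role> userRoles, List<Set<Role>> groupRoles) {
        Set<Role> seed = new LinkedHashSet<>(userRoles);
        groupRoles.forEach(seed::addAll);
        return expandCompositeRoles(seed);
    }

    /** Filter the precomputed set by client instead of calling hasRole() once per client role. */
    static Set<Role> compositeClientRoles(Set<Role> effective, String clientId) {
        Set<Role> out = new LinkedHashSet<>();
        for (Role r : effective) if (clientId.equals(r.clientId)) out.add(r);
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample graph: admin -> manage-users -> view-users -> query-groups,
        // plus a cycle admin <-> group-admin that a naive walk would loop on.
        Role admin = new Role("admin", null);
        Role groupAdmin = new Role("group-admin", null);
        Role manageUsers = new Role("manage-users", "realm-management");
        Role viewUsers = new Role("view-users", "realm-management");
        Role queryGroups = new Role("query-groups", "realm-management");
        Role other = new Role("view-profile", "account");
        admin.composites.add(manageUsers);
        admin.composites.add(groupAdmin);
        groupAdmin.composites.add(admin);
        manageUsers.composites.add(viewUsers);
        viewUsers.composites.add(queryGroups);

        Set<Role> direct = Set.of(admin);
        Set<Role> effective = deepUserRoleMappings(direct, List.of(Set.of(other)));
        System.out.println("effective:        " + effective);
        System.out.println("realm-management: " + compositeClientRoles(effective, "realm-management"));
        System.out.println("naive hit:        " + hasRoleNaive(direct, queryGroups));
        // hasRoleNaive(direct, new Role("missing", null)) would recurse forever on the cycle.
    }
}
```

The visited set is what turns the exponential recursion into a linear pass: once a composite has been expanded it is never expanded again, no matter how many parents reach it or whether a cycle leads back to it.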
I added getResourcesCommonUrl() following the same URL/Path pattern already used by getResourcesUrl() and getResourcesPath(). Email clients can't resolve relative paths, so the existing getResourcesCommonPath() wasn't enough for email templates.
I also pulled out the common-path lookup into a private getCommonPath() helper to avoid duplicating it between getResourcesCommonPath() and the new method. Updated the theme docs with a usage example and a note about absolute URLs in emails.
Closes #33198
Signed-off-by: Hager Khamis <hagerm98@hotmail.com>
closes: #47139
Signed-off-by: Steve Hawkins <shawkins@redhat.com>
Signed-off-by: Alexander Schwartz <alexander.schwartz@ibm.com>
Co-authored-by: Alexander Schwartz <alexander.schwartz@ibm.com>