Add server-side filtering of users by creation timestamp on the admin
REST API. This avoids the need to retrieve all users and filter
client-side, which is inefficient for large realms.
Two optional query parameters are added to both the user list and count
endpoints. They accept either ISO-8601 date strings (yyyy-MM-dd) or
epoch milliseconds, consistent with the existing events API date
filtering via DateUtil.
Closes#43829
Signed-off-by: RafaelWO <weingartner.rafael@hotmail.com>
The client can select which Identity Provider to use for user authentication by including an Identity Provider alias in a "kc_idp_hint" parameter in a Pushed Authorization Request.
Closes#47229
Signed-off-by: Laurids Møller Jepsen <laurids.jepsen@cryptomathic.com>
Only include @context in credential_definition when the credential
format is ldp_vc, as required by the OID4VCI specification. For
jwt_vc_json format, @context is now excluded by setting it to null
in JwtCredentialBuilder. The LDCredentialBuilder now explicitly
contributes credential definition metadata including @context.
Closes#47045
Signed-off-by: Asish Kumar <officialasishkumar@gmail.com>
- Migrate time normalization tests from Arquillian to JUnit 5
- Add shared test base with common helpers
- Replace server-side execution with admin REST API (ManagedRealm)
- Remove old Arquillian tests
Closes#47437
Signed-off-by: Awambeng Rodrick <awambengrodrick@gmail.com>
Address review comments from @forkimenjeckayang
Signed-off-by: Awambeng Rodrick <awambengrodrick@gmail.com>
Pre-compute the full effective role set once in
ClientRoleMappingsResource.getCompositeClientRoleMappings() using
RoleUtils.getDeepRoleMappings(), then filter by client. This replaces
the previous O(C*M*D) approach of calling user.hasRole() for every
client role, which recursively expanded composites without memoization.
RoleUtils.getDeepRoleMappings(RoleMapperModel) is introduced to handle
both RoleMapperModel implementations correctly: UserModel includes
group-inherited roles (matching UserModel.hasRole() semantics), while
GroupModel expands only its direct composite mappings.
The CompositeClientRoleMappingsTest is migrated from the deprecated
Arquillian framework to the new Keycloak test framework (JUnit 5).
Signed-off-by: Alexey Skosyrskiy <askosyrskiy@metropolis.io>
I added getResourcesCommonUrl() following the same URL/Path pattern already used by getResourcesUrl() and getResourcesPath(). Email clients can't resolve relative paths so the existing getResourcesCommonPath() wasn't enough for email templates.
I also pulled out the common-path lookup into a private getCommonPath() helper to avoid duplicating it between getResourcesCommonPath() and the new method. Updated the theme docs with a usage example and a note about absolute URLs in emails.
Closes#33198
Signed-off-by: Hager Khamis <hagerm98@hotmail.com>
Includes some NPE fixes (no client attribute) and refactors handling of verifying authz request resource param matching token request resource param.
Closes#47180
Signed-off-by: stianst <stianst@gmail.com>
Closes#46164
Signed-off-by: Peter Skopek <peter.skopek@ibm.com>
Update model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/changes/remote/updater/loginfailures/LoginFailuresUpdater.java
Co-authored-by: Pedro Ruivo <pruivo@users.noreply.github.com>
Signed-off-by: Peter Skopek <peter.skopek@ibm.com>
Add recovery codes to the list of brute force checked authenticators.
Closes#46164
Signed-off-by: Peter Skopek <peter.skopek@ibm.com>
