* resolve org from scope instead of client session note (#42836)
Signed-off-by: Chris Leigh <3805338+Tungsten78@users.noreply.github.com>
* Keep track of current organization when refreshing tokens
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
* Handling select organization when querying userinfo and introspection endpoints
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
* More tests
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
* Test to check prevent single to all
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
* Error when changing scopes to ANY
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
---------
Signed-off-by: Chris Leigh <3805338+Tungsten78@users.noreply.github.com>
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
Co-authored-by: Pedro Igor <pigor.craveiro@gmail.com>
Closes #46883
Signed-off-by: Pedro Ruivo <1492066+pruivo@users.noreply.github.com>
Co-authored-by: Pedro Ruivo <1492066+pruivo@users.noreply.github.com>
The client can select which Identity Provider to use for user authentication by including an Identity Provider alias in a "kc_idp_hint" parameter in a Pushed Authorization Request.
Closes #47229
Signed-off-by: Laurids Møller Jepsen <laurids.jepsen@cryptomathic.com>
- Migrate time normalization tests from Arquillian to JUnit 5
- Add shared test base with common helpers
- Replace server-side execution with admin REST API (ManagedRealm)
- Remove old Arquillian tests
Closes #47437
Signed-off-by: Awambeng Rodrick <awambengrodrick@gmail.com>
Address review comments from @forkimenjeckayang
Signed-off-by: Awambeng Rodrick <awambengrodrick@gmail.com>
Pre-compute the full effective role set once in
ClientRoleMappingsResource.getCompositeClientRoleMappings() using
RoleUtils.getDeepRoleMappings(), then filter by client. This replaces
the previous O(C*M*D) approach of calling user.hasRole() for every
client role, which recursively expanded composites without memoization.
RoleUtils.getDeepRoleMappings(RoleMapperModel) is introduced to handle
both RoleMapperModel implementations correctly: UserModel includes
group-inherited roles (matching UserModel.hasRole() semantics), while
GroupModel expands only its direct composite mappings.
The CompositeClientRoleMappingsTest is migrated from the deprecated
Arquillian framework to the new Keycloak test framework (JUnit 5).
Signed-off-by: Alexey Skosyrskiy <askosyrskiy@metropolis.io>
These tests simply check if the server-info returns if the feature is enabled or not, which really serves no value as it doesn't check if providers/endpoints are disabled/enabled as expected
Signed-off-by: stianst <stianst@gmail.com>
Closes #46164
Signed-off-by: Peter Skopek <peter.skopek@ibm.com>
Update model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/changes/remote/updater/loginfailures/LoginFailuresUpdater.java
Co-authored-by: Pedro Ruivo <pruivo@users.noreply.github.com>
Signed-off-by: Peter Skopek <peter.skopek@ibm.com>
Add recovery codes to the list of brute force checked authenticators.
Closes #46164
Signed-off-by: Peter Skopek <peter.skopek@ibm.com>
This commit addresses a NullPointerException that occurs when logging in with a mixed-case email domain in a Keycloak Organization. The root cause was a mismatch between how the JPA layer (case-insensitive) and the Infinispan cache layer (case-sensitive) handled domain name casing.
Key changes:
- Normalized the domain name to lowercase when generating Infinispan cache keys in InfinispanOrganizationProvider.
- Added defensive null checks when resolving organizations from the cache to prevent NullPointerException from stale cache entries.
- Added a new integration test testStaleCacheEntryDoesNotThrowNPE in OrganizationCacheTest to verify the fix.
- Fixed a flaky test (incorporated @martin-kanis commit)
Signed-off-by: asafm <asafm1989@gmail.com>
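
The casing mismatch described in the last commit message above, as an added example (not Keycloak code and not taken from the commit): a case-insensitive store sits behind a case-sensitive cache, and the run compares raw cache keys with lower-cased keys plus a null guard. All class, method and key names are hypothetical, and the assumption that invalidation only knows the stored lower-case domain is made for this illustration.

```java
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;

// Simplified model of the bug class; all names are hypothetical, not Keycloak's.
public class DomainCacheKeyDemo {
    record Org(String id, String name) {}

    // Stand-in for the persistent layer: domains are matched case-insensitively.
    static final Map<String, Org> store = new HashMap<>();     // lower-cased domain -> org
    // Stand-in for the cache layer: keys are compared case-sensitively.
    static final Map<String, String> cache = new HashMap<>();  // cache key -> org id

    static Org storeLookup(String domain) { return store.get(domain.toLowerCase(Locale.ROOT)); }
    static Org storeById(String id) {
        return store.values().stream().filter(o -> o.id().equals(id)).findFirst().orElse(null);
    }

    static String rawKey(String domain)        { return "org.domain." + domain; }
    static String normalizedKey(String domain) { return "org.domain." + domain.toLowerCase(Locale.ROOT); }

    // Resolve via the cache; a cached id whose organization is gone is treated as a miss.
    static Org resolve(String domain, boolean normalize) {
        String key = normalize ? normalizedKey(domain) : rawKey(domain);
        String id = cache.get(key);
        if (id != null) {
            Org cached = storeById(id);
            if (cached != null) return cached;
            cache.remove(key);  // defensive: drop the stale entry instead of dereferencing null
        }
        Org org = storeLookup(domain);
        if (org != null) cache.put(key, org.id());
        return org;
    }

    // Assumption: invalidation is driven by the stored (lower-case) domain.
    static void deleteOrg(String storedDomain, boolean normalize) {
        store.remove(storedDomain);
        cache.remove(normalize ? normalizedKey(storedDomain) : rawKey(storedDomain));
    }

    public static void main(String[] args) {
        for (boolean normalize : new boolean[] {false, true}) {
            store.clear(); cache.clear();
            store.put("example.com", new Org("org-1", "Example"));  // constructed sample data
            resolve("Example.COM", normalize);                       // login with a mixed-case domain
            deleteOrg("example.com", normalize);
            System.out.printf("normalize=%b staleEntries=%d resolved=%s%n",
                    normalize, cache.size(), resolve("Example.COM", normalize));
        }
    }
}
```

With raw keys the entry written under the mixed-case domain survives invalidation, so only the null guard keeps the later lookup from dereferencing a missing organization; with lower-cased keys no stale entry is left behind.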