* Updated translation for German
Language: de
Updated translation for German
Language: de
Updated translation for German
Language: de
Updated translation for German
Language: de
Updated translation for German
Language: de
Updated translation for German
Language: de
Updated translation for German
Language: de
Updated translation for German
Language: de
Co-authored-by: Alexander Schwartz <alexander.schwartz@gmx.net>
Co-authored-by: Christoph Kisfeld <spam@b-web.org>
Co-authored-by: Hosted Weblate <hosted@weblate.org>
Co-authored-by: Robin <39960884+robson90@users.noreply.github.com>
Signed-off-by: Alexander Schwartz <alexander.schwartz@gmx.net>
Signed-off-by: Christoph Kisfeld <spam@b-web.org>
Signed-off-by: Hosted Weblate <hosted@weblate.org>
Signed-off-by: Robin <39960884+robson90@users.noreply.github.com>
* Updated translation for Ukrainian
Language: uk
Translated using Weblate (Ukrainian)
Currently translated at 100.0% (1 of 1 strings)
Updated translation for Ukrainian
Language: uk
Translated using Weblate (Ukrainian)
Currently translated at 100.0% (1 of 1 strings)
Updated translation for Ukrainian
Language: uk
Updated translation for Ukrainian
Language: uk
Co-authored-by: Hosted Weblate <hosted@weblate.org>
Co-authored-by: Oleksandr Bilko <git@bil.co.ua>
Signed-off-by: Hosted Weblate <hosted@weblate.org>
Signed-off-by: Oleksandr Bilko <git@bil.co.ua>
Translate-URL: https://hosted.weblate.org/projects/keycloak/keycloak-e-mail-theme/uk/
Translate-URL: https://hosted.weblate.org/projects/keycloak/keycloak-v2-login-theme/uk/
Translation: Keycloak/Keycloak E-mail theme
Translation: Keycloak/Keycloak v2 Login theme
* Translated using Weblate (Czech)
Currently translated at 100.0% (1 of 1 strings)
Added translation using Weblate (Czech)
Translated using Weblate (Czech)
Currently translated at 100.0% (1 of 1 strings)
Added translation using Weblate (Czech)
Translated using Weblate (Czech)
Currently translated at 100.0% (1 of 1 strings)
Added translation using Weblate (Czech)
Translated using Weblate (Czech)
Currently translated at 100.0% (1 of 1 strings)
Added translation using Weblate (Czech)
Updated translation for Czech
Language: cs
Updated translation for Czech
Language: cs
Co-authored-by: Hosted Weblate <hosted@weblate.org>
Co-authored-by: Peter Schiffer <peter@pschiffer.eu>
Signed-off-by: Hosted Weblate <hosted@weblate.org>
Signed-off-by: Peter Schiffer <peter@pschiffer.eu>
Translate-URL: https://hosted.weblate.org/projects/keycloak/keycloak-e-mail-theme/cs/
Translate-URL: https://hosted.weblate.org/projects/keycloak/keycloak-login-theme/cs/
Translate-URL: https://hosted.weblate.org/projects/keycloak/keycloak-v2-login-theme/cs/
Translate-URL: https://hosted.weblate.org/projects/keycloak/keycloak-welcome-theme/cs/
Translation: Keycloak/Keycloak E-mail theme
Translation: Keycloak/Keycloak Login theme
Translation: Keycloak/Keycloak Welcome theme
Translation: Keycloak/Keycloak v2 Login theme
* Updated translation for Indonesian
Language: id
Updated translation for Indonesian
Language: id
Updated translation for Indonesian
Language: id
Updated translation for Indonesian
Language: id
Translated using Weblate (Indonesian)
Translation: Keycloak/Admin backend
Translate-URL: https://hosted.weblate.org/projects/keycloak/theme-baseadmin/id/
Updated translation for Indonesian
Language: id
Co-authored-by: Arif Budiman <arifpedia@gmail.com>
Co-authored-by: Hosted Weblate <hosted@weblate.org>
Signed-off-by: Arif Budiman <arifpedia@gmail.com>
Signed-off-by: Hosted Weblate <hosted@weblate.org>
* Updated translation for French
Language: fr
Updated translation for French
Language: fr
Updated translation for French
Language: fr
Updated translation for French
Language: fr
Co-authored-by: Alexander Schwartz <alexander.schwartz@gmx.net>
Co-authored-by: Hosted Weblate <hosted@weblate.org>
Co-authored-by: Sylvain Pichon <service@spichon.fr>
Signed-off-by: Alexander Schwartz <alexander.schwartz@gmx.net>
Signed-off-by: Hosted Weblate <hosted@weblate.org>
Signed-off-by: Sylvain Pichon <service@spichon.fr>
* Updated translation for Slovenian
Language: sl
Updated translation for Slovenian
Language: sl
Co-authored-by: Hosted Weblate <hosted@weblate.org>
Co-authored-by: Lenart Bučar <lenart.bucar@gmail.com>
Signed-off-by: Hosted Weblate <hosted@weblate.org>
Signed-off-by: Lenart Bučar <lenart.bucar@gmail.com>
---------
Signed-off-by: Alexander Schwartz <alexander.schwartz@gmx.net>
Signed-off-by: Christoph Kisfeld <spam@b-web.org>
Signed-off-by: Hosted Weblate <hosted@weblate.org>
Signed-off-by: Robin <39960884+robson90@users.noreply.github.com>
Signed-off-by: Oleksandr Bilko <git@bil.co.ua>
Signed-off-by: Peter Schiffer <peter@pschiffer.eu>
Signed-off-by: Arif Budiman <arifpedia@gmail.com>
Signed-off-by: Sylvain Pichon <service@spichon.fr>
Signed-off-by: Lenart Bučar <lenart.bucar@gmail.com>
Co-authored-by: Alexander Schwartz <alexander.schwartz@gmx.net>
Co-authored-by: Christoph Kisfeld <spam@b-web.org>
Co-authored-by: Robin <39960884+robson90@users.noreply.github.com>
Co-authored-by: Oleksandr Bilko <git@bil.co.ua>
Co-authored-by: Peter Schiffer <peter@pschiffer.eu>
Co-authored-by: Arif Budiman <arifpedia@gmail.com>
Co-authored-by: Sylvain Pichon <service@spichon.fr>
Co-authored-by: Lenart Bučar <lenart.bucar@gmail.com>
* demonstrates client side streaming
Signed-off-by: Steve Hawkins <shawkins@redhat.com>
* fix: adding client streaming support
closes: #47542
Signed-off-by: Steve Hawkins <shawkins@redhat.com>
* Apply suggestion from @Copilot
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Signed-off-by: Steven Hawkins <shawkins@redhat.com>
* using onClose instead of the proxy close
Signed-off-by: Steve Hawkins <shawkins@redhat.com>
* Update integration/admin-client/src/main/java/org/keycloak/admin/client/spi/StreamMessageBodyReader.java
Co-authored-by: Peter Zaoral <pepo48@gmail.com>
Signed-off-by: Steven Hawkins <shawkins@redhat.com>
---------
Signed-off-by: Steve Hawkins <shawkins@redhat.com>
Signed-off-by: Steven Hawkins <shawkins@redhat.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Peter Zaoral <pepo48@gmail.com>
* Warn when running in a container without being PID 1
When KC_RUN_IN_CONTAINER=true but the process is not PID 1, graceful
shutdown may fail silently because signals are not forwarded correctly.
This adds a warning at startup to alert users to use exec in their
entrypoint scripts.
Closes#48059
Signed-off-by: Espen Roth <eroth1622@gmail.com>
* moving to java logic to avoid any command detection in the script
Signed-off-by: Steve Hawkins <shawkins@redhat.com>
* Update quarkus/dist/src/main/content/bin/kc.sh
Co-authored-by: Peter Zaoral <pepo48@gmail.com>
Signed-off-by: Steven Hawkins <shawkins@redhat.com>
---------
Signed-off-by: Espen Roth <eroth1622@gmail.com>
Signed-off-by: Steve Hawkins <shawkins@redhat.com>
Signed-off-by: Steven Hawkins <shawkins@redhat.com>
Co-authored-by: Steve Hawkins <shawkins@redhat.com>
Co-authored-by: Peter Zaoral <pepo48@gmail.com>
* Fix clients-initial-access returning 200 instead of 201
The POST /clients-initial-access endpoint was returning 200 OK instead of
201 Created. The server-side create() method has been updated to return a
proper JAX-RS Response with status 201 and a Location header pointing to
the created resource.
A doCreate() method is added to the ClientInitialAccessResource Java client
interface returning the raw JAX-RS Response, allowing callers to access
HTTP-level details such as the status code and Location header that the
existing create() method hides.
A test is added using doCreate() to verify the 201 status and Location
header without modifying the existing typed create() interface.
Closes#49185
Signed-off-by: Vinit Kumar <30852363+ThreeMangoTrees@users.noreply.github.com>
* Removed doCreate method and corresponding test references
Signed-off-by: Vinit Kumar <30852363+ThreeMangoTrees@users.noreply.github.com>
* Address reviewer feedback: drop noise, fix test cleanup, add HttpResponse javadocs
- Revert whitespace-only change in admin-client ClientInitialAccessResource
- Fix testCreateReturns201WithLocationHeader to null-initialize id and
delete in a finally block so cleanup always runs even if an assertion fails
- Add javadocs to HttpResponse.getStatus/setStatus warning that the value
is overwritten by JAX-RS when a plain object (not Response) is returned
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Signed-off-by: Vinit Kumar <30852363+ThreeMangoTrees@users.noreply.github.com>
* Update server-spi/src/main/java/org/keycloak/http/HttpResponse.java
Co-authored-by: Steven Hawkins <shawkins@redhat.com>
Signed-off-by: Vinit Kumar <30852363+ThreeMangoTrees@users.noreply.github.com>
* Update server-spi/src/main/java/org/keycloak/http/HttpResponse.java
Co-authored-by: Steven Hawkins <shawkins@redhat.com>
Signed-off-by: Vinit Kumar <30852363+ThreeMangoTrees@users.noreply.github.com>
---------
Signed-off-by: Vinit Kumar <30852363+ThreeMangoTrees@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: Steven Hawkins <shawkins@redhat.com>
* Move the rest of TestingResource methods to a utils-shared helper class (2/2)
Closes: #48942
Signed-off-by: Simon Vacek <simonvacky@email.cz>
* review fix
Signed-off-by: Simon Vacek <simonvacky@email.cz>
---------
Signed-off-by: Simon Vacek <simonvacky@email.cz>
Closes#49180
Signed-off-by: Ryan Emerson <remerson@ibm.com>
Signed-off-by: Alexander Schwartz <alexander.schwartz@gmx.net>
Co-authored-by: Alexander Schwartz <alexander.schwartz@gmx.net>
Auto-notify-on-login (and the subject-management endpoints) wrote the
ssf.notify.<clientId> attribute unconditionally, which threw a
ReadOnlyException for users backed by a read-only LDAP federation with
import disabled — surfacing as a per-login ERROR and failing to subscribe
the user.
- Guard the ssf.notify / tombstone writes (user + org) so they only run
when the stored value would actually change; redundant calls are now
no-ops instead of failing on read-only stores.
- autoNotifyOnLogin catches ReadOnlyException (WARN + skip) so a read-only
user no longer disrupts login; non-ReadOnlyException still propagates.
- Subject-management API returns SUBJECT_READ_ONLY (409) instead of a 500
when the subject is backed by a read-only store.
- Add unit tests for the write guards and the listener's read-only handling.
Fixes#49250
Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
Push Connect/Socket Timeout were only rendered on the Stream tab inside
the "stream exists" branch, so admins could not configure them before a
stream was created. Move both controls to the Receiver tab's Delivery
section, shown only when push delivery is allowed for the receiver.
The timeouts are already stored as receiver client attributes
(ssf.pushEndpointConnectTimeoutMillis / ssf.pushEndpointSocketTimeoutMillis),
so this is a UI-only relocation — no backend, representation, or save-path
change.
Fixes#49235
Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
* moved AdminEnvironment to seperate file
fixes: #48038
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* code review
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
---------
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* task: upgrading pnpm to 11.1.3
Signed-off-by: Steve Hawkins <shawkins@redhat.com>
* switching to 11.1.1
Signed-off-by: Steve Hawkins <shawkins@redhat.com>
---------
Signed-off-by: Steve Hawkins <shawkins@redhat.com>
* task: using a beanparam for client listing options
closes: #48650
Signed-off-by: Steve Hawkins <shawkins@redhat.com>
* just adding fluent methods
Signed-off-by: Steve Hawkins <shawkins@redhat.com>
---------
Signed-off-by: Steve Hawkins <shawkins@redhat.com>
* Tighten UNSAFE_PATH_PATTERN against encoded path-traversal terminators
Fixes#48978
Extends the regex to cover encoded forms that previously bypassed
detection:
- %3B / %3b (encoded semicolon)
- %09, %0A, %0D, %00 (control characters)
- %252E (double-encoded dot)
These encodings do not produce actual path traversal on conformant
servers per RFC 3986 (percent-encoded characters are literals, not
delimiters), but are semantically close enough to the patterns the
regex was designed to block to warrant defense-in-depth coverage.
The end-of-input anchor ($) is moved into the terminator class to
collapse the two pattern alternatives into one, keeping the diff
minimal.
Test changes:
- 8 new assertions covering encoded semicolons, control character
terminators, and double-encoded dots.
- 3 prior assertEquals flipped to assertNull (lines that previously
asserted %252E%252E/, %252E%252E/#fragment, and ..%3Bsomething/
were allowed are now expected to be blocked).
- 1 new negative test confirming %3B as legitimate path content (not
following a parent-folder sequence) still resolves.
Triple-encoded variants (e.g., %25252E) remain allowed; out of scope
for this issue.
Signed-off-by: Michał Kosiorek <michal.kosiorek@arklink.co>
* Update OAuthRedirectUriTest expectations for double-encoded dots
Follow-up to 36b0b10dd2 — Base IT (6) CI run for #49000 caught a
cross-module integration test that needed updating alongside the
regex change. Local verification of the previous commit covered the
services module (RedirectUtilsTest); testsuite/integration-arquillian
was outside that scope, so the existing OAuthRedirectUriTest.testWildcard
expectations for %252E%252E variants didn't flip with the regex.
Four assertions in testWildcard flipped from true → false to match the
Option A semantic introduced in 36b0b10dd2 (double-encoded dots are
now blocked by UNSAFE_PATH_PATTERN):
http://example.com/foo/%252E%252E/http://example.com/foo/%252E%252E/?some_query_param=some_valuehttp://example.com/foo/%252E%252E/?encodeTest=a%3Cbhttp://example.com/foo/%252E%252E/#encodeTest=a%3Cb
Triple-encoded (%25252E) and septuple-encoded variants remain
expected:true — recursive decoding is explicitly out of scope for
#48978.
Verified locally:
- mvn -pl services -Dtest=RedirectUtilsTest test → 11/11 green.
- Direct regex match against the four flipped URIs confirms
UNSAFE_PATH_PATTERN matches each rawPath, mechanically equivalent
to the verifyRedirectUri code path exercised by the arquillian test.
Refs #48978
Signed-off-by: Michał Kosiorek <michal.kosiorek@arklink.co>
---------
Signed-off-by: Michał Kosiorek <michal.kosiorek@arklink.co>
Closes#48684
Signed-off-by: Pedro Ruivo <1492066+pruivo@users.noreply.github.com>
Co-authored-by: Pedro Ruivo <1492066+pruivo@users.noreply.github.com>
