Closes #49180
Signed-off-by: Ryan Emerson <remerson@ibm.com>
Signed-off-by: Alexander Schwartz <alexander.schwartz@gmx.net>
Co-authored-by: Alexander Schwartz <alexander.schwartz@gmx.net>
Closes #48684
Signed-off-by: Pedro Ruivo <1492066+pruivo@users.noreply.github.com>
Co-authored-by: Pedro Ruivo <1492066+pruivo@users.noreply.github.com>
Closes keycloak/keycloak#48748
Signed-off-by: Alexander Schwartz <alexander.schwartz@ibm.com>
Co-authored-by: Alexander Schwartz <alexander.schwartz@ibm.com>
Closes #49140
The revoke-role step expects multivalued role names, not a
comma-separated string.
Signed-off-by: Thomas DELORGE <thomas.delorge@orbeet.io>
Closes #48683
Signed-off-by: Pedro Ruivo <1492066+pruivo@users.noreply.github.com>
Signed-off-by: Alexander Schwartz <alexander.schwartz@ibm.com>
Co-authored-by: Pedro Ruivo <1492066+pruivo@users.noreply.github.com>
Co-authored-by: Alexander Schwartz <alexander.schwartz@ibm.com>
Closes https://github.com/keycloak/keycloak/issues/48124.
Signed-off-by: Tomas Kyjovsky <tkyjovsk@ibm.com>
Signed-off-by: Tomáš Kyjovský <1867605+tkyjovsk@users.noreply.github.com>
Co-authored-by: Pedro Ruivo <pruivo@users.noreply.github.com>
* documents the operator's support for TLS re-encryption.
closes #20128
Signed-off-by: Gilvan Filho <gilvan.sfilho@gmail.com>
* Update docs/guides/operator/basic-deployment.adoc
Co-authored-by: Steven Hawkins <shawkins@redhat.com>
Signed-off-by: Gilvan Filho <gilvan.sfilho@gmail.com>
* Apply suggestions from code review
Co-authored-by: Alexander Schwartz <alexander.schwartz@gmx.net>
Signed-off-by: Gilvan Filho <gilvan.sfilho@gmail.com>
* Moving updated text to a callout
Signed-off-by: Alexander Schwartz <alexander.schwartz@ibm.com>
---------
Signed-off-by: Gilvan Filho <gilvan.sfilho@gmail.com>
Signed-off-by: Alexander Schwartz <alexander.schwartz@ibm.com>
Co-authored-by: Steven Hawkins <shawkins@redhat.com>
Co-authored-by: Alexander Schwartz <alexander.schwartz@gmx.net>
Co-authored-by: Alexander Schwartz <alexander.schwartz@ibm.com>
* Update WebAuthn Metadata service and show icons
Closes #48539
Closes #48540
Signed-off-by: Martin Bartoš <mabartos@redhat.com>
Co-authored-by: rmartinc <rmartinc@redhat.com>
* Revert back the transport type for providerId-less authenticators
Signed-off-by: Martin Bartoš <mabartos@redhat.com>
---------
Signed-off-by: Martin Bartoš <mabartos@redhat.com>
Co-authored-by: rmartinc <rmartinc@redhat.com>
Closes #48455
Signed-off-by: Alexander Schwartz <alexander.schwartz@ibm.com>
Signed-off-by: Alexander Schwartz <alexander.schwartz@gmx.net>
Co-authored-by: Steven Hawkins <shawkins@redhat.com>
* Make OrganizationGroupMembershipMapper claim name configurable
The OrganizationGroupMembershipMapper introduced in 26.6.0 hardcoded
the token claim name to "organization", unlike OrganizationMembershipMapper
which already exposes the claim name as a configurable property.
- Add TOKEN_CLAIM_NAME config property to OrganizationGroupMembershipMapper
  via OIDCAttributeMapperHelper.addTokenClaimNameConfig()
- Override getEffectiveModel() to default the claim name to
  OAuth2Constants.ORGANIZATION when not set, preserving backward
  compatibility for existing mapper configurations
- Set TOKEN_CLAIM_NAME default in the static create() factory method
- Refactor OIDCAttributeMapperHelper.getOrInitializeOrganizationClaimAsMap()
  to accept a ProtocolMapperModel instead of a raw String, delegating
  to mapClaim() for correct claim placement (including nested path support)
Closes #47851
Signed-off-by: Sven-Torben Janus <sven-torben.janus@conciso.de>
* Fix nested claim path read and add custom claim name tests
The read side of getOrInitializeOrganizationClaimAsMap was doing a flat
Map.get() on the dotted claim name, while the write side (mapClaim) already
creates a nested structure by splitting on dots. This caused the group mapper
to find nothing when the claim name contained a dot, overwriting the
membership data written by OrganizationMembershipMapper.
Fix by splitting the claim path via splitClaimPath() and traversing the
nested map with a new private getNestedClaimValue() helper in
OIDCAttributeMapperHelper. The helper belongs there rather than in JsonUtils
because it operates on Map<String,Object>, not JsonNode.
Also add integration tests covering:
- Custom flat claim name ("my_orgs") for both OrganizationMembershipMapper
  and OrganizationGroupMembershipMapper, verifying the claim appears at the
  configured name and not at "organization"
- Dotted claim name ("custom.org") for OrganizationGroupMembershipMapper,
  verifying the token contains nested otherClaims["custom"]["org"] and that
  group composition is preserved
Signed-off-by: Sven-Torben Janus <sven-torben.janus@conciso.de>
---------
Signed-off-by: Sven-Torben Janus <sven-torben.janus@conciso.de>
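
The flat-read versus nested-write mismatch described in the commit message above, as an added Java example that is not Keycloak's code: `writeClaim`, `flatRead`, `nestedRead` and `getOrInit` are hypothetical stand-ins for mapClaim(), the old Map.get() read, getNestedClaimValue() and getOrInitializeOrganizationClaimAsMap(), and the path is split on plain dots rather than by splitClaimPath(). The claim values are constructed sample data.

```java
import java.util.*;

@SuppressWarnings("unchecked")
public class NestedClaimDemo {
    // Write side (hypothetical stand-in for mapClaim): dots create nested maps.
    static void writeClaim(Map<String, Object> claims, String name, Object value) {
        String[] path = name.split("\\.");
        Map<String, Object> cur = claims;
        for (int i = 0; i < path.length - 1; i++) {
            Object next = cur.get(path[i]);
            if (!(next instanceof Map)) {
                next = new HashMap<String, Object>();
                cur.put(path[i], next);
            }
            cur = (Map<String, Object>) next;
        }
        cur.put(path[path.length - 1], value);
    }
    // Old read side: looks for a literal top-level key "custom.org".
    static Object flatRead(Map<String, Object> claims, String name) {
        return claims.get(name);
    }
    // Fixed read side: walks the same nested path the writer created.
    static Object nestedRead(Map<String, Object> claims, String name) {
        Object cur = claims;
        for (String part : name.split("\\.")) {
            if (!(cur instanceof Map)) return null;
            cur = ((Map<?, ?>) cur).get(part);
        }
        return cur;
    }
    // Reuse the existing claim map if the read finds it, else write a fresh one.
    static Map<String, Object> getOrInit(Map<String, Object> claims, String name, boolean nested) {
        Object existing = nested ? nestedRead(claims, name) : flatRead(claims, name);
        if (existing instanceof Map) return (Map<String, Object>) existing;
        Map<String, Object> fresh = new HashMap<>();
        writeClaim(claims, name, fresh); // replaces whatever was at the nested path
        return fresh;
    }
    public static void main(String[] args) {
        for (boolean nested : new boolean[] {false, true}) {
            Map<String, Object> claims = new HashMap<>();
            Map<String, Object> org = new HashMap<>();
            org.put("acme", new HashMap<>(Map.of("id", "constructed-org-id")));
            writeClaim(claims, "custom.org", org); // membership mapper runs first
            Map<String, Object> m = getOrInit(claims, "custom.org", nested); // group mapper
            ((Map<String, Object>) m.computeIfAbsent("acme", k -> new HashMap<String, Object>()))
                .put("groups", List.of("/staff"));
            System.out.println((nested ? "nested read: " : "flat read:   ") + claims);
        }
    }
}
```

With the flat read the `id` entry written by the first mapper is gone from the final claims; with the nested read both `id` and `groups` are present under `custom.org.acme`.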
- Introduce UserSearchPrefix enum in SearchQueryUtils pairing each prefix
  (id:, username:, email:) with its UserProvider lookup,
  plus a splitTerms helper backed by a precompiled "\\s+" pattern
- Collapse duplicate prefix branches in UsersResource#getUsers,
  UsersResource#getUsersCount and BruteForceUsersResource#searchUser
- BruteForceUsersResource: support multi-term lookups (e.g. "username:foo bar"),
  aligning with UsersResource
- Tests: add searchByUsernameSearch / searchByEmailSearch covering
  single-term, multi-term and whitespace-tolerant variants
- Docs: add "Search by fields" section to proc-searching-user.adoc
Fixes #26602
Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
If a rebalance is in progress, block the shutdown procedure until it finishes or a timeout is reached.
Closes #44620
Signed-off-by: Pedro Ruivo <1492066+pruivo@users.noreply.github.com>
Signed-off-by: Alexander Schwartz <alexander.schwartz@ibm.com>
Co-authored-by: Pedro Ruivo <1492066+pruivo@users.noreply.github.com>
Co-authored-by: Alexander Schwartz <alexander.schwartz@ibm.com>
possible values: conditional, optional, required, silent
conditional remains the default to not break the current behavior
when optional or required and the user dismissed the modal, it will stay hidden for this auth-session, can still be opened by button
adjusted all related resources, like JS files (also consolidated duplicated logic), Java classes and freemarker template
tests extended
passkey documentation extended/updated
closes #46959
Signed-off-by: Niko Köbler <niko@n-k.de>
Closes #48000
Signed-off-by: Pedro Ruivo <1492066+pruivo@users.noreply.github.com>
Signed-off-by: Alexander Schwartz <alexander.schwartz@ibm.com>
Co-authored-by: Pedro Ruivo <1492066+pruivo@users.noreply.github.com>
Co-authored-by: Alexander Schwartz <alexander.schwartz@ibm.com>