Closes#49140
The revoke-role step expects multivalued role names, not a
comma-separated string.
Signed-off-by: Thomas DELORGE <thomas.delorge@orbeet.io>
* Make OrganizationGroupMembershipMapper claim name configurable
The OrganizationGroupMembershipMapper introduced in 26.6.0 hardcoded
the token claim name to "organization", unlike OrganizationMembershipMapper
which already exposes the claim name as a configurable property.
- Add TOKEN_CLAIM_NAME config property to OrganizationGroupMembershipMapper
via OIDCAttributeMapperHelper.addTokenClaimNameConfig()
- Override getEffectiveModel() to default the claim name to
OAuth2Constants.ORGANIZATION when not set, preserving backward
compatibility for existing mapper configurations
- Set TOKEN_CLAIM_NAME default in the static create() factory method
- Refactor OIDCAttributeMapperHelper.getOrInitializeOrganizationClaimAsMap()
to accept a ProtocolMapperModel instead of a raw String, delegating
to mapClaim() for correct claim placement (including nested path support)
Closes#47851
Signed-off-by: Sven-Torben Janus <sven-torben.janus@conciso.de>
* Fix nested claim path read and add custom claim name tests
The read side of getOrInitializeOrganizationClaimAsMap was doing a flat
Map.get() on the dotted claim name, while the write side (mapClaim) already
creates a nested structure by splitting on dots. This caused the group mapper
to find nothing when the claim name contained a dot, overwriting the
membership data written by OrganizationMembershipMapper.
Fix by splitting the claim path via splitClaimPath() and traversing the
nested map with a new private getNestedClaimValue() helper in
OIDCAttributeMapperHelper. The helper belongs there rather than in JsonUtils
because it operates on Map<String,Object>, not JsonNode.
Also add integration tests covering:
- Custom flat claim name ("my_orgs") for both OrganizationMembershipMapper
and OrganizationGroupMembershipMapper, verifying the claim appears at the
configured name and not at "organization"
- Dotted claim name ("custom.org") for OrganizationGroupMembershipMapper,
verifying the token contains nested otherClaims["custom"]["org"] and that
group composition is preserved
Signed-off-by: Sven-Torben Janus <sven-torben.janus@conciso.de>
---------
Signed-off-by: Sven-Torben Janus <sven-torben.janus@conciso.de>
- Introduce UserSearchPrefix enum in SearchQueryUtils pairing each prefix
(id:, username:, email:) with its UserProvider lookup,
plus a splitTerms helper backed by a precompiled "\\s+" pattern
- Collapse duplicate prefix branches in UsersResource#getUsers,
UsersResource#getUsersCount and BruteForceUsersResource#searchUser
- BruteForceUsersResource: support multi-term lookups (e.g. "username:foo bar"),
aligning with UsersResource
- Tests: add searchByUsernameSearch / searchByEmailSearch covering
single-term, multi-term and whitespace-tolerant variants
- Docs: add "Search by fields" section to proc-searching-user.adoc
Fixes#26602
Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
possible values: conditional, optional, required, silent
conditional remains the default to not break the current behavior
when optional or required and the user dismissed the modal, it will stay hidden for this auth-session, can still be opened by button
adjusted all related resources, like JS files (also consolidated duplicated logic), Java classes and freemarker template
tests extended
passkey documentation extended/updated
closes#46959
Signed-off-by: Niko Köbler <niko@n-k.de>
Closes#47274
Signed-off-by: Asish Kumar <officialasishkumar@gmail.com>
Signed-off-by: Marek Posolda <mposolda@gmail.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: Marek Posolda <mposolda@gmail.com>
- also change name of add/remove required action providers to better align with other step providers.
Closes#47655
Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
Closes#46164
Signed-off-by: Peter Skopek <peter.skopek@ibm.com>
Update model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/changes/remote/updater/loginfailures/LoginFailuresUpdater.java
Co-authored-by: Pedro Ruivo <pruivo@users.noreply.github.com>
Signed-off-by: Peter Skopek <peter.skopek@ibm.com>
Add recovery codes to the list of brute force checked authenticators.
Closes#46164
Signed-off-by: Peter Skopek <peter.skopek@ibm.com>
Add the missing Users FGAP scope alias from manage-group-membership to Groups manage-membership so deny permissions on group members apply during user membership updates.
Add a regression test covering a protected group member, an unrelated user, and the no-mutation postcondition after a forbidden request.
Closes keycloak#46693
This PR is mostly based on 303446b465.
Additionally, I made few tweaks to documentation and introduce a doc variable for the recommended Java version so limit required changing when migrating the recommended JDK version.
* Closes: https://github.com/keycloak/keycloak/issues/45830
Signed-off-by: Michal Vavřík <michal.vavrik@aol.com>
