Steven Hawkins
c28cac9db3
fix: ensuring proper error handling for duplicate protocol mappers
...
closes : #26946
Signed-off-by: Steve Hawkins <shawkins@redhat.com>
2026-02-13 16:33:01 +00:00
Steven Hawkins
19118a097c
fix: adding admin role invalidation when a new realm is found ( #46019 )
...
* fix: adding admin role invalidation when a new realm is found
closes : #45966
Signed-off-by: Steve Hawkins <shawkins@redhat.com>
* Update model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/RealmCacheSession.java
Co-authored-by: Alexander Schwartz <alexander.schwartz@gmx.net>
Signed-off-by: Steven Hawkins <shawkins@redhat.com>
* adding a comment and a permission tweak for imported realms
Signed-off-by: Steve Hawkins <shawkins@redhat.com>
* checking getShouldUseLightweightToken
Signed-off-by: Steve Hawkins <shawkins@redhat.com>
---------
Signed-off-by: Steve Hawkins <shawkins@redhat.com>
Signed-off-by: Steven Hawkins <shawkins@redhat.com>
Co-authored-by: Alexander Schwartz <alexander.schwartz@gmx.net>
2026-02-13 15:52:52 +01:00
Thomas Diesler
d2150a19d5
[OID4VCI] Make natural_person configuration available in all formats
...
Signed-off-by: Thomas Diesler <tdiesler@ibm.com>
2026-02-13 15:30:55 +01:00
Giuseppe Graziano
a8418b251d
Unique issuer for identity providers
...
Closes #45747
Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
2026-02-13 08:44:07 +01:00
Thomas Diesler
44e7cf2da9
[OID4VCI] Simplify OID4VCAuthorizationDetail handling
...
Signed-off-by: Thomas Diesler <tdiesler@ibm.com>
2026-02-12 17:09:07 +01:00
vramik
5a4685909e
Ability to add attributes to organization groups
...
Closes #46263
Signed-off-by: vramik <vramik@redhat.com>
2026-02-12 10:43:18 -03:00
Steven Hawkins
115b260a47
fix: normalizing the baseUri to end with / ( #46253 )
...
closes : #46235
Signed-off-by: Steve Hawkins <shawkins@redhat.com>
2026-02-12 13:55:07 +01:00
Steven Hawkins
27fb8fae5c
fix: refining how the junit Keycloak is launched ( #46182 )
...
closes : #46160
Signed-off-by: Steve Hawkins <shawkins@redhat.com>
2026-02-11 16:44:43 +01:00
Thomas Diesler
de0ae92ebe
[OID4VCI] Wrong typ value for SD-JWT VC
...
Signed-off-by: Thomas Diesler <tdiesler@ibm.com>
2026-02-11 08:28:07 +01:00
Benjamin DeWeese
67bbdf3dd2
Added theme descriptions in the Admin UI
...
Closes #45909
Signed-off-by: Benjamin DeWeese <bdeweesevans@gmail.com>
Signed-off-by: Alexander Schwartz <alexander.schwartz@ibm.com>
Co-authored-by: Alexander Schwartz <alexander.schwartz@ibm.com>
2026-02-10 21:42:09 +00:00
Pedro Igor
295945773e
Make sure updates do not allow updating the resource associated with the uma policy ( #46154 )
...
Closes #46147
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2026-02-10 16:42:27 +00:00
Giuseppe Graziano
d6f07f27ec
User validation in JWT Authorization Grant ( #46149 )
...
Closes #46144
Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
2026-02-10 13:09:05 +00:00
Pedro Igor
8fc9a98026
Make sure registration tokens are verified before processing registration ( #46155 )
...
Closes #46145
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2026-02-10 14:02:03 +01:00
Valeria
05ff44b8a0
Patch CVE-2026-0707. Add validation on Authorization Header with Bearer, add tests ( #45787 )
...
Closes #45649
Signed-off-by: Valeria Epifanova <lerkamandarinka24@gmail.com>
2026-02-10 13:10:29 +01:00
Giuseppe Graziano
176dc8902c
Check if idp is enabled for JWT Auth Grant and Federated Client Auth ( #46148 )
...
Closes #46146
Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
2026-02-10 13:01:42 +01:00
Marie Daly
7d6108d4b9
Redirect Wildcard changes and more https checks to secure-client-executor ( #46082 )
...
Closes #45587
Signed-off-by: Marie Daly <marie.daly1@ibm.com>
2026-02-10 13:00:06 +01:00
vramik
0669a7eb14
Organization group path handling
...
Closes #46025
Signed-off-by: vramik <vramik@redhat.com>
2026-02-10 08:11:07 -03:00
Thomas Diesler
b4c1a2a890
[OID4VCI] Revisit and fix OAuthClient.credentialOfferUriRequest()
...
Signed-off-by: Thomas Diesler <tdiesler@ibm.com>
2026-02-10 11:50:55 +01:00
Ricardo Martin
f0381f8482
Check SubjectConfirmationData element for bearer type
...
Closes #45646
Signed-off-by: rmartinc <rmartinc@redhat.com>
2026-02-10 08:20:17 +01:00
Martin Kanis
586463b772
Protocol Mappers for Organization Groups (OIDC/SAML)
...
Closes #45511
Signed-off-by: Martin Kanis <mkanis@redhat.com>
2026-02-09 08:34:18 -03:00
Alexander Schwartz
fc7b1b1e83
Check if two IDPs with the same issuer URL exist before caching them
...
Closes #45453
Signed-off-by: Alexander Schwartz <alexander.schwartz@ibm.com>
2026-02-09 11:30:09 +01:00
Nicola Beghin
464883079f
SAMLEndpoint - move some fields/methods from private to protected for easier extension of SAML-related protocols
...
Closes #45880
Signed-off-by: Nicola Beghin <nicolabeghin@gmail.com>
2026-02-06 19:46:40 +01:00
vramik
ca89a0cdc4
Organization Groups Caching
...
Closes #45509
Signed-off-by: vramik <vramik@redhat.com>
2026-02-06 08:12:55 -03:00
Giuseppe Graziano
955131b91f
Remove warn for credential provider not found
...
Closes #45829
Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
2026-02-06 12:00:33 +01:00
Hugo Hakim Damer
292a177b10
[OID4VCI] Add support for nested claims in OID4VCI user attribute mapper ( #45751 )
...
Closes #45748
Signed-off-by: Hugo Hakim Damer <HugoHakim.Damer@governikus.de>
2026-02-06 10:57:12 +01:00
Aggelos Sachtouris
6c003a41aa
Format: apply code formatting using spotless
...
Signed-off-by: Aggelos Sachtouris <aggelos_sachtouris@hotmail.com>
2026-02-05 12:22:37 -03:00
Aggelos Sachtouris
9d8d59f206
Remove unnecessary implemented functions
...
Signed-off-by: Aggelos Sachtouris <aggelos_sachtouris@hotmail.com>
2026-02-05 12:22:37 -03:00
Aggelos Sachtouris
7b360adb19
Fix: implemented function name for supported resource types
...
Signed-off-by: Aggelos Sachtouris <aggelos_sachtouris@hotmail.com>
2026-02-05 12:22:37 -03:00
Dimitris Papachristou
90404e9f4e
Added unlink user workflow step to META-INF/services
...
Signed-off-by: Aggelos Sachtouris <aggelos_sachtouris@hotmail.com>
2026-02-05 12:22:37 -03:00
Aggelos Sachtouris
664980bf0f
Unlink User Workflow Step
...
Signed-off-by: Aggelos Sachtouris <aggelos_sachtouris@hotmail.com>
2026-02-05 12:22:37 -03:00
Awambeng
85d9360e45
[OID4VCI] Add replay protection for credential offers by reference ( #45558 )
...
closes #44660
Signed-off-by: Awambeng Rodrick <awambengrodrick@gmail.com>
2026-02-05 10:06:58 +01:00
rmartinc
e30bb37443
Mark Token Exchange v1 as deprecated but in preview
...
Closes #45791
Signed-off-by: rmartinc <rmartinc@redhat.com>
2026-02-05 09:16:44 +01:00
Awambeng
c40590762e
[OID4VCI] Add comprehensive tests for OID4VC authorization code flow ( #45391 )
...
closes #44795
Signed-off-by: Awambeng Rodrick <awambengrodrick@gmail.com>
2026-02-04 11:50:49 +01:00
Pedro Ruivo
297d8ac95d
Refactor ClientResource for better performance
...
Closes #45838
Signed-off-by: Pedro Ruivo <1492066+pruivo@users.noreply.github.com>
Co-authored-by: Pedro Ruivo <1492066+pruivo@users.noreply.github.com>
2026-02-04 11:29:18 +01:00
Peter Zaoral
78299ae82d
Enhancement: normalize FilesPlaintextVaultProvider secret paths to prevent false positives in CSAs ( #44345 )
...
Signed-off-by: Peter Zaoral <pzaoral@redhat.com>
2026-02-03 21:21:04 +00:00
Stefan Guilhen
021d544000
Ensure required action is enabled at the realm level before adding it to the user via workflow step
...
Closes #45976
Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2026-02-03 14:51:28 -03:00
rmartinc
c63f54ba3a
Client policy executor to allow extra audiences for JWT authorization grant
...
Closes #45180
Signed-off-by: rmartinc <rmartinc@redhat.com>
2026-02-03 13:39:31 +01:00
Pedro Igor
072f547b71
Make sure disabled organization is ignored when re-authenticating
...
Closes #45924
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2026-02-03 12:41:39 +01:00
forkimenjeckayang
3adcca44a7
[OID4VCI] CredentialEndpoint can be invoked with incorrect access token ( #45816 )
...
closes #44670
closes #44580
Signed-off-by: forkimenjeckayang <forkimenjeckayang@gmail.com>
2026-02-02 19:29:40 +01:00
Steven Hawkins
9462f0f00b
updating to quarkus 3.31.1 ( #45612 )
...
* fix: updating to quarkus 3.31.0.CR1
closes : #45576
Signed-off-by: Steve Hawkins <shawkins@redhat.com>
* updating test containers for 3.31.0.CR1
also adding a managed version for microprofile-metrics-api
Signed-off-by: Steve Hawkins <shawkins@redhat.com>
* excluding quarkus-bootstrap-runner to prevent trace logging
Signed-off-by: Steve Hawkins <shawkins@redhat.com>
* changing to new logging context for hibernate jpa
Signed-off-by: Steve Hawkins <shawkins@redhat.com>
* switching to 3.31.0 release
Signed-off-by: Steve Hawkins <shawkins@redhat.com>
* switching to 3.31.1 release
Signed-off-by: Steve Hawkins <shawkins@redhat.com>
* Follow upgrading guide for Quarkus 3.31.0
Signed-off-by: Martin Bartoš <mabartos@redhat.com>
* turning off specific hibernate logging
Signed-off-by: Steve Hawkins <shawkins@redhat.com>
* removing quarkus-bootstrap-runner from the model test classpath
Signed-off-by: Steve Hawkins <shawkins@redhat.com>
---------
Signed-off-by: Steve Hawkins <shawkins@redhat.com>
Signed-off-by: Martin Bartoš <mabartos@redhat.com>
Co-authored-by: Martin Bartoš <mabartos@redhat.com>
2026-02-02 17:50:56 +01:00
Stefan Guilhen
6e408dd7bc
Introduce WorkflowEventSpi
...
- supports custom event handling beyond the built-in workflow capabilities.
Closes #43916
Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2026-02-02 11:18:27 -03:00
rmartinc
d4e9b16ea9
Include version in system-info for manage-realm and restrict view-system mapping
...
Closes #45776
Signed-off-by: rmartinc <rmartinc@redhat.com>
2026-02-02 12:40:57 +01:00
Pedro Igor
13cf35ded3
Only realm admins can manage workflows
...
Closes #45875
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2026-01-30 21:18:06 +01:00
Pedro Igor
2dab08d5ed
Make sure disabled organizations are not available from selection
...
Closes #45874
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2026-01-30 21:17:35 +01:00
NAMAN JAIN
c652adff78
Add format-specific credential metadata contribution for OID4VC
...
Introduce a CredentialBuilder hook that allows credential formats to
contribute format-specific metadata to the OID4VC issuer well-known
configuration. The issuer delegates metadata shaping to the
corresponding CredentialBuilder implementation.
Refactor metadata contribution to work directly with
SupportedCredentialConfiguration and CredentialScopeModel, improving
type-safety and avoiding unnecessary serialization.
Add integration tests to verify that SD-JWT credentials expose `vct`
without `credential_definition`, and JWT_VC credentials expose
`credential_definition` without `vct`.
Closes #45485
Signed-off-by: NAMAN JAIN <naman.049259@tmu.ac.in>
2026-01-30 19:39:07 +01:00
Thomas Diesler
c08ed20f78
[OID4VCI] Add support for user did as subject id ( #45008 )
...
closes #45006
Signed-off-by: Thomas Diesler <tdiesler@ibm.com>
2026-01-30 17:29:47 +01:00
mposolda
7b36fa174b
Duplicate processing of authorization_details from AuthorizationDetailsProcessorManager
...
closes #45859
Signed-off-by: mposolda <mposolda@gmail.com>
2026-01-29 17:24:03 +01:00
Tero Saarni
cb4c533464
Add support for looking up client secrets via Vault SPI ( #39650 )
...
Fixes #13102
Signed-off-by: Tero Saarni <tero.saarni@est.tech>
2026-01-28 16:45:30 +01:00
Awambeng
d14e1d56a0
[OID4VCI] Fix OID4VCI credential requests to restrict Default client scopes ( #45011 )
...
Closes #44737
Signed-off-by: Awambeng Rodrick <awambengrodrick@gmail.com>
2026-01-28 15:50:02 +01:00
Martin Kanis
d73b1f926f
Update email AIA: Back to Application URL invokes OIDC callback with missing parameters
...
Closes #44488
Signed-off-by: Martin Kanis <mkanis@redhat.com>
2026-01-28 08:24:57 -03:00