Commit graph

5728 commits

Author SHA1 Message Date
Zorian Motso
8258fceb33
Fix duplicate client-uuid path parameter in OpenAPI spec
Rename {client-uuid} to {targetClientUuid} in RoleContainerResource to
avoid duplicate parameter names when the resource is mounted under
ClientResource. {clientUuid} is not sufficient because code generators
normalise {client-uuid} from the parent path to clientUuid as well.

Closes #46015

Signed-off-by: Zorian Motso <zorianmotso@gmail.com>
2026-02-16 16:28:15 +00:00
Geremia Taglialatela
418700b4f8
Fix duplicate header in VERIFY_EMAIL flow
Fix #46105

Signed-off-by: Geremia Taglialatela <tagliala.dev@gmail.com>
Co-authored-by: tagliala <556268+tagliala@users.noreply.github.com>
2026-02-16 16:26:22 +01:00
Ruchika Jha
f92c27e26d
Make rolling updates for patch releases fully supported and updated docs, release notes and upgrading guide for zero-downtime patch releases
Closes #45381
Closes #45756

Signed-off-by: Ruchika <ruchika.jha1@ibm.com>
Signed-off-by: Alexander Schwartz <alexander.schwartz@ibm.com>
Co-authored-by: Alexander Schwartz <alexander.schwartz@ibm.com>
2026-02-16 15:11:16 +00:00
Steven Hawkins
c28cac9db3
fix: ensuring proper error handling for duplicate protocol mappers
closes: #26946

Signed-off-by: Steve Hawkins <shawkins@redhat.com>
2026-02-13 16:33:01 +00:00
Steven Hawkins
19118a097c
fix: adding admin role invalidation when a new realm is found (#46019)
* fix: adding admin role invalidation when a new realm is found

closes: #45966

Signed-off-by: Steve Hawkins <shawkins@redhat.com>

* Update model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/RealmCacheSession.java

Co-authored-by: Alexander Schwartz <alexander.schwartz@gmx.net>
Signed-off-by: Steven Hawkins <shawkins@redhat.com>

* adding a comment and a permission tweak for imported realms

Signed-off-by: Steve Hawkins <shawkins@redhat.com>

* checking getShouldUseLightweightToken

Signed-off-by: Steve Hawkins <shawkins@redhat.com>

---------

Signed-off-by: Steve Hawkins <shawkins@redhat.com>
Signed-off-by: Steven Hawkins <shawkins@redhat.com>
Co-authored-by: Alexander Schwartz <alexander.schwartz@gmx.net>
2026-02-13 15:52:52 +01:00
Thomas Diesler
d2150a19d5
[OID4VCI] Make natural_person configuration available in all formats
Signed-off-by: Thomas Diesler <tdiesler@ibm.com>
2026-02-13 15:30:55 +01:00
Giuseppe Graziano
a8418b251d
Unique issuer for identity providers
Closes #45747

Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
2026-02-13 08:44:07 +01:00
Thomas Diesler
44e7cf2da9
[OID4VCI] Simplify OID4VCAuthorizationDetail handling
Signed-off-by: Thomas Diesler <tdiesler@ibm.com>
2026-02-12 17:09:07 +01:00
vramik
5a4685909e
Ability to add attributes to organization groups
Closes #46263

Signed-off-by: vramik <vramik@redhat.com>
2026-02-12 10:43:18 -03:00
Steven Hawkins
115b260a47
fix: normalizing the baseUri to end with / (#46253)
closes: #46235

Signed-off-by: Steve Hawkins <shawkins@redhat.com>
2026-02-12 13:55:07 +01:00
Steven Hawkins
27fb8fae5c
fix: refining how the junit Keycloak is launched (#46182)
closes: #46160

Signed-off-by: Steve Hawkins <shawkins@redhat.com>
2026-02-11 16:44:43 +01:00
Thomas Diesler
de0ae92ebe
[OID4VCI] Wrong typ value for SD-JWT VC
Signed-off-by: Thomas Diesler <tdiesler@ibm.com>
2026-02-11 08:28:07 +01:00
Benjamin DeWeese
67bbdf3dd2
Added theme descriptions in the Admin UI
Closes #45909

Signed-off-by: Benjamin DeWeese <bdeweesevans@gmail.com>
Signed-off-by: Alexander Schwartz <alexander.schwartz@ibm.com>
Co-authored-by: Alexander Schwartz <alexander.schwartz@ibm.com>
2026-02-10 21:42:09 +00:00
Pedro Igor
295945773e
Make sure updates do not allow updating the resource associated with the uma policy (#46154)
Closes #46147

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2026-02-10 16:42:27 +00:00
Giuseppe Graziano
d6f07f27ec
User validation in JWT Authorization Grant (#46149)
Closes #46144

Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
2026-02-10 13:09:05 +00:00
Pedro Igor
8fc9a98026
Make sure registration tokens are verified before processing registration (#46155)
Closes #46145

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2026-02-10 14:02:03 +01:00
Valeria
05ff44b8a0
Patch CVE-2026-0707. Add validation on Authorization Header with Bearer, add tests (#45787)
Closes #45649

Signed-off-by: Valeria Epifanova <lerkamandarinka24@gmail.com>
2026-02-10 13:10:29 +01:00
Giuseppe Graziano
176dc8902c
Check if idp is enabled for JWT Auth Grant and Federated Client Auth (#46148)
Closes #46146

Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
2026-02-10 13:01:42 +01:00
Marie Daly
7d6108d4b9
Redirect Wildcard changes and more https checks to secure-client-executor (#46082)
Closes #45587
Signed-off-by: Marie Daly <marie.daly1@ibm.com>
2026-02-10 13:00:06 +01:00
vramik
0669a7eb14
Organization group path handling
Closes #46025

Signed-off-by: vramik <vramik@redhat.com>
2026-02-10 08:11:07 -03:00
Thomas Diesler
b4c1a2a890
[OID4VCI] Revisit and fix OAuthClient.credentialOfferUriRequest()
Signed-off-by: Thomas Diesler <tdiesler@ibm.com>
2026-02-10 11:50:55 +01:00
Ricardo Martin
f0381f8482
Check SubjectConfirmationData element for bearer type
Closes #45646

Signed-off-by: rmartinc <rmartinc@redhat.com>
2026-02-10 08:20:17 +01:00
Martin Kanis
586463b772
Protocol Mappers for Organization Groups (OIDC/SAML)
Closes #45511

Signed-off-by: Martin Kanis <mkanis@redhat.com>
2026-02-09 08:34:18 -03:00
Alexander Schwartz
fc7b1b1e83
Check if two IDPs with the same issuer URL exist before caching them
Closes #45453

Signed-off-by: Alexander Schwartz <alexander.schwartz@ibm.com>
2026-02-09 11:30:09 +01:00
Nicola Beghin
464883079f
SAMLEndpoint - move some fields/methods from private to protected for easier extension of SAML-related protocols
Closes #45880

Signed-off-by: Nicola Beghin <nicolabeghin@gmail.com>
2026-02-06 19:46:40 +01:00
vramik
ca89a0cdc4
Organization Groups Caching
Closes #45509

Signed-off-by: vramik <vramik@redhat.com>
2026-02-06 08:12:55 -03:00
Giuseppe Graziano
955131b91f
Remove warn for credential provider not found
Closes #45829

Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
2026-02-06 12:00:33 +01:00
Hugo Hakim Damer
292a177b10
[OID4VCI] Add support for nested claims in OID4VCI user attribute mapper (#45751)
Closes #45748
Signed-off-by: Hugo Hakim Damer <HugoHakim.Damer@governikus.de>
2026-02-06 10:57:12 +01:00
Aggelos Sachtouris
6c003a41aa
Format: apply code formatting using spotless
Signed-off-by: Aggelos Sachtouris <aggelos_sachtouris@hotmail.com>
2026-02-05 12:22:37 -03:00
Aggelos Sachtouris
9d8d59f206
Remove unnecessary implemented functions
Signed-off-by: Aggelos Sachtouris <aggelos_sachtouris@hotmail.com>
2026-02-05 12:22:37 -03:00
Aggelos Sachtouris
7b360adb19
Fix: implemented function name for supported resource types
Signed-off-by: Aggelos Sachtouris <aggelos_sachtouris@hotmail.com>
2026-02-05 12:22:37 -03:00
Dimitris Papachristou
90404e9f4e
Added unlink user workflow step to META-INF/services
Signed-off-by: Aggelos Sachtouris <aggelos_sachtouris@hotmail.com>
2026-02-05 12:22:37 -03:00
Aggelos Sachtouris
664980bf0f
Unlink User Workflow Step
Signed-off-by: Aggelos Sachtouris <aggelos_sachtouris@hotmail.com>
2026-02-05 12:22:37 -03:00
Awambeng
85d9360e45
[OID4VCI] Add replay protection for credential offers by reference (#45558)
closes #44660
Signed-off-by: Awambeng Rodrick <awambengrodrick@gmail.com>
2026-02-05 10:06:58 +01:00
rmartinc
e30bb37443
Mark Token Exchange v1 as deprecated but in preview
Closes #45791

Signed-off-by: rmartinc <rmartinc@redhat.com>
2026-02-05 09:16:44 +01:00
Awambeng
c40590762e
[OID4VCI] Add comprehensive tests for OID4VC authorization code flow (#45391)
closes #44795
Signed-off-by: Awambeng Rodrick <awambengrodrick@gmail.com>
2026-02-04 11:50:49 +01:00
Pedro Ruivo
297d8ac95d
Refactor ClientResource for better performance
Closes #45838

Signed-off-by: Pedro Ruivo <1492066+pruivo@users.noreply.github.com>
Co-authored-by: Pedro Ruivo <1492066+pruivo@users.noreply.github.com>
2026-02-04 11:29:18 +01:00
Peter Zaoral
78299ae82d
Enhancement: normalize FilesPlaintextVaultProvider secret paths to prevent false positives in CSAs (#44345)
Signed-off-by: Peter Zaoral <pzaoral@redhat.com>
2026-02-03 21:21:04 +00:00
Stefan Guilhen
021d544000
Ensure required action is enabled at the realm level before adding it to the user via workflow step
Closes #45976

Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2026-02-03 14:51:28 -03:00
rmartinc
c63f54ba3a
Client policy executor to allow extra audiences for JWT authorization grant
Closes #45180

Signed-off-by: rmartinc <rmartinc@redhat.com>
2026-02-03 13:39:31 +01:00
Pedro Igor
072f547b71
Make sure disabled organization is ignored when re-authenticating
Closes #45924

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2026-02-03 12:41:39 +01:00
forkimenjeckayang
3adcca44a7
[OID4VCI] CredentialEndpoint can be invoked with incorrect access token (#45816)
closes #44670
closes #44580
Signed-off-by: forkimenjeckayang <forkimenjeckayang@gmail.com>
2026-02-02 19:29:40 +01:00
Steven Hawkins
9462f0f00b
updating to quarkus 3.31.1 (#45612)
* fix: updating to quarkus 3.31.0.CR1

closes: #45576

Signed-off-by: Steve Hawkins <shawkins@redhat.com>

* updating test containers for 3.31.0.CR1

also adding a managed version for microprofile-metrics-api

Signed-off-by: Steve Hawkins <shawkins@redhat.com>

* excluding quarkus-bootstrap-runner to prevent trace logging

Signed-off-by: Steve Hawkins <shawkins@redhat.com>

* changing to new logging context for hibernate jpa

Signed-off-by: Steve Hawkins <shawkins@redhat.com>

* switching to 3.31.0 release

Signed-off-by: Steve Hawkins <shawkins@redhat.com>

* switching to 3.31.1 release

Signed-off-by: Steve Hawkins <shawkins@redhat.com>

* Follow upgrading guide for Quarkus 3.31.0

Signed-off-by: Martin Bartoš <mabartos@redhat.com>

* turning off specific hibernate logging

Signed-off-by: Steve Hawkins <shawkins@redhat.com>

* removing quarkus-bootstrap-runner from the model test classpath

Signed-off-by: Steve Hawkins <shawkins@redhat.com>

---------

Signed-off-by: Steve Hawkins <shawkins@redhat.com>
Signed-off-by: Martin Bartoš <mabartos@redhat.com>
Co-authored-by: Martin Bartoš <mabartos@redhat.com>
2026-02-02 17:50:56 +01:00
Stefan Guilhen
6e408dd7bc
Introduce WorkflowEventSpi
- supports custom event handling beyond the built-in workflow capabilities.

Closes #43916

Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2026-02-02 11:18:27 -03:00
rmartinc
d4e9b16ea9
Include version in system-info for manage-realm and restrict view-system mapping
Closes #45776

Signed-off-by: rmartinc <rmartinc@redhat.com>
2026-02-02 12:40:57 +01:00
Pedro Igor
13cf35ded3
Only realm admins can manage workflows
Closes #45875

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2026-01-30 21:18:06 +01:00
Pedro Igor
2dab08d5ed
Make sure disabled organizations are not available from selection
Closes #45874

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2026-01-30 21:17:35 +01:00
NAMAN JAIN
c652adff78
Add format-specific credential metadata contribution for OID4VC
Introduce a CredentialBuilder hook that allows credential formats to
contribute format-specific metadata to the OID4VC issuer well-known
configuration. The issuer delegates metadata shaping to the
corresponding CredentialBuilder implementation.

Refactor metadata contribution to work directly with
SupportedCredentialConfiguration and CredentialScopeModel, improving
type-safety and avoiding unnecessary serialization.

Add integration tests to verify that SD-JWT credentials expose `vct`
without `credential_definition`, and JWT_VC credentials expose
`credential_definition` without `vct`.

Closes #45485

Signed-off-by: NAMAN JAIN <naman.049259@tmu.ac.in>
2026-01-30 19:39:07 +01:00
Thomas Diesler
c08ed20f78
[OID4VCI] Add support for user did as subject id (#45008)
closes #45006
Signed-off-by: Thomas Diesler <tdiesler@ibm.com>
2026-01-30 17:29:47 +01:00
mposolda
7b36fa174b
Duplicate processing of authorization_details from AuthorizationDetailsProcessorManager
closes #45859

Signed-off-by: mposolda <mposolda@gmail.com>
2026-01-29 17:24:03 +01:00