1771 Commits

Author SHA1 Message Date
Ricardo Martin 00afdeeb0b Use datatracker.ietf.org instead of www.rfc-editor.org for specs
Closes #49288

Signed-off-by: rmartinc <rmartinc@redhat.com>
2026-05-26 12:38:49 +02:00
Angel-Tornero 577bddb8e5 Fix broken SAML 2.0 specification links in documentation
Closes #48611

Signed-off-by: Angel-Tornero <angeltornerohdez@gmail.com>
2026-05-25 14:42:22 +02:00
AndyMunro 6b3241ea1f Fix Themes cross-reference
Closes #49222

Signed-off-by: AndyMunro <amunro@redhat.com>
2026-05-22 15:00:06 +02:00
Ryan Emerson 4090a86495 Remove explicit --shutdown-timeouts configuration from proxy example configurations
Closes #49177

Signed-off-by: Ryan Emerson <remerson@ibm.com>
2026-05-21 16:08:34 +02:00
Pedro Ruivo 8d24c2f13e Prevent access to the Admin API from external IP addresses for HAProxy
Closes #48684

Signed-off-by: Pedro Ruivo <1492066+pruivo@users.noreply.github.com>
Co-authored-by: Pedro Ruivo <1492066+pruivo@users.noreply.github.com>
2026-05-21 16:01:01 +02:00
Ruchika Jha f94a4a9a67 Traefik reencrypt documentation based on the quickstart
Closes keycloak/keycloak#48748

Signed-off-by: Alexander Schwartz <alexander.schwartz@ibm.com>
Co-authored-by: Alexander Schwartz <alexander.schwartz@ibm.com>
2026-05-21 14:30:35 +02:00
Pedro Igor 492d1f04cd Enforce access check when resolving users during client scope evaluation (#49124)
Closes CVE-2026-37978

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2026-05-21 08:01:46 +02:00
Thomas DELORGE a988875ac4 docs(workflows): fix offboarding example revoke-role role list format
Closes #49140

The revoke-role step expects multivalued role names, not a
comma-separated string.

Signed-off-by: Thomas DELORGE <thomas.delorge@orbeet.io>
2026-05-20 23:31:45 +02:00
Giuseppe Graziano a1405663f7 Token introspection now validates audience claim. UserInfo endpoint rejects lightweight access tokens.
Closes #49113

Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
2026-05-20 18:23:06 +02:00
Pedro Ruivo 7635dfbccc Filtering out headers from external IP addresses
Closes #48683

Signed-off-by: Pedro Ruivo <1492066+pruivo@users.noreply.github.com>
Signed-off-by: Alexander Schwartz <alexander.schwartz@ibm.com>
Co-authored-by: Pedro Ruivo <1492066+pruivo@users.noreply.github.com>
Co-authored-by: Alexander Schwartz <alexander.schwartz@ibm.com>
2026-05-19 21:55:50 +00:00
Ricardo Martin 2d1a24f501 Make all required actions one time action by default
Closes CVE-2026-37982
Closes #49112

Signed-off-by: rmartinc <rmartinc@redhat.com>
2026-05-19 23:40:06 +02:00
Ryan Emerson 4e026e717e Document AuthZEN experimental support
Closes #48999

Signed-off-by: Ryan Emerson <remerson@ibm.com>
2026-05-19 14:16:31 +01:00
Václav Muzikář 5e8a7137fa Revert "chore(quarkus): only show OTel Metrics in community build (#49002)" (#49072)
This reverts commit fc667a827a.
2026-05-19 14:33:13 +02:00
Tomáš Kyjovský 17429c28ba HAProxy re-encrypt documentation
Closes https://github.com/keycloak/keycloak/issues/48124.

Signed-off-by: Tomas Kyjovsky <tkyjovsk@ibm.com>
Signed-off-by: Tomáš Kyjovský <1867605+tkyjovsk@users.noreply.github.com>
Co-authored-by: Pedro Ruivo <pruivo@users.noreply.github.com>
2026-05-18 10:24:16 +02:00
vsaranchuk 61cf8dd6b1 Fix Keycloak Connection Timeout Issue to Prevent Hanging Connections
Closes #47174

Signed-off-by: Vadym Saranchuk <vsaranchuk3@gmail.com>
Signed-off-by: vsaranchuk <vsaranchuk3@gmail.com>
Signed-off-by: Alexander Schwartz <alexander.schwartz@ibm.com>
Co-authored-by: Vadym Saranchuk <vsaranchuk3@gmail.com>
Co-authored-by: Alexander Schwartz <alexander.schwartz@ibm.com>
2026-05-18 09:55:21 +02:00
Michal Vavřík fc667a827a chore(quarkus): only show OTel Metrics in community build (#49002)
* Closes: https://github.com/keycloak/keycloak/issues/48997

Signed-off-by: Michal Vavřík <michal.vavrik@aol.com>
2026-05-15 08:01:29 -04:00
Peter Skopek 480c730efb Mention SHA1 is deprecated in the documentation
Closes #40706

Signed-off-by: Peter Skopek <peter.skopek@ibm.com>
2026-05-13 10:58:36 +02:00
Gilvan Filho 7e10133bbc Documents the operator's support for TLS re-encryption. (#47565)
* documents the operator's support for TLS re-encryption.

closes #20128

Signed-off-by: Gilvan Filho <gilvan.sfilho@gmail.com>

* Update docs/guides/operator/basic-deployment.adoc

Co-authored-by: Steven Hawkins <shawkins@redhat.com>
Signed-off-by: Gilvan Filho <gilvan.sfilho@gmail.com>

* Apply suggestions from code review

Co-authored-by: Alexander Schwartz <alexander.schwartz@gmx.net>
Signed-off-by: Gilvan Filho <gilvan.sfilho@gmail.com>

* Moving updated text to a callout

Signed-off-by: Alexander Schwartz <alexander.schwartz@ibm.com>

---------

Signed-off-by: Gilvan Filho <gilvan.sfilho@gmail.com>
Signed-off-by: Alexander Schwartz <alexander.schwartz@ibm.com>
Co-authored-by: Steven Hawkins <shawkins@redhat.com>
Co-authored-by: Alexander Schwartz <alexander.schwartz@gmx.net>
Co-authored-by: Alexander Schwartz <alexander.schwartz@ibm.com>
2026-05-12 09:30:16 -04:00
Ricardo Martin 1cec184455 Do not allow wildcards in the hostname for Valid Redirect Address (#48793)
Closes #48430

Signed-off-by: rmartinc <rmartinc@redhat.com>
2026-05-12 09:46:21 +02:00
Martin Bartoš 9d1e562f03 Update WebAuthn Metadata service and show icons (#48551)
* Update WebAuthn Metadata service and show icons

Closes #48539
Closes #48540

Signed-off-by: Martin Bartoš <mabartos@redhat.com>
Co-authored-by: rmartinc <rmartinc@redhat.com>

* Revert back the transport type for providerId-less authenticators

Signed-off-by: Martin Bartoš <mabartos@redhat.com>

---------

Signed-off-by: Martin Bartoš <mabartos@redhat.com>
Co-authored-by: rmartinc <rmartinc@redhat.com>
2026-05-11 17:15:38 +02:00
Ryan Emerson 81af44c0e9 Allow Token Exchange of sender constrained tokens issued for the
original client

Closes #47314

Signed-off-by: Ryan Emerson <remerson@ibm.com>
2026-05-11 13:47:22 +02:00
vramik 10d50847df Improve documentation for cases when migrating from FGAP:V1 to V2
Closes #48588

Signed-off-by: vramik <vramik@redhat.com>
2026-05-11 08:10:39 -03:00
Ryan Emerson e977267092 Document provided ProtocolMapper implementations (#47331)
Closes #47330

Signed-off-by: Ryan Emerson <remerson@ibm.com>
Co-authored-by: Stian Thorgersen <stianst@gmail.com>
2026-05-11 10:49:10 +00:00
Ryan Emerson b84db13104 Document how to check MSSQL transaction isolation level
Closes #48730

Signed-off-by: Ryan Emerson <remerson@ibm.com>
2026-05-08 08:24:40 +02:00
Faseela K 26c2a9e3ed pre-compute password denylist Bloom filter to speed up server startup
Fixes #47356

Signed-off-by: Faseela K <faseela.k@est.tech>
2026-05-07 16:01:12 +02:00
Alexander Schwartz 202b64d372 Simplifying session context handling, ensuring an always started transaction
Closes #48455

Signed-off-by: Alexander Schwartz <alexander.schwartz@ibm.com>
Signed-off-by: Alexander Schwartz <alexander.schwartz@gmx.net>
Co-authored-by: Steven Hawkins <shawkins@redhat.com>
2026-05-07 15:54:55 +02:00
Faseela K 33edd62a78 Ignore oasis-open.org in ExternalLinksTest (#48682)
Fixes #48681

Signed-off-by: Faseela K <faseela.k@est.tech>
2026-05-07 14:01:10 +02:00
Yike Gao 4692aeee5d Reject CORS requests with invalid Origin before endpoint logic runs
Closes #45957

Signed-off-by: Yike Gao <yikegao8@gmail.com>
2026-05-07 09:16:15 +02:00
Sar 263d44be88 Changes to address Org subdomain matching (#45190)
Signed-off-by: sar <sar.haidar@gmail.com>
2026-05-05 08:53:15 +02:00
Giuseppe Graziano 7691ba4840 DPoP for implicit flow
Closes #48428

Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
2026-05-05 08:44:04 +02:00
Sven-Torben Janus 67ef87bd21 Make OrganizationGroupMembershipMapper claim name configurable (#47852)
* Make OrganizationGroupMembershipMapper claim name configurable

The OrganizationGroupMembershipMapper introduced in 26.6.0 hardcoded
the token claim name to "organization", unlike OrganizationMembershipMapper
which already exposes the claim name as a configurable property.

- Add TOKEN_CLAIM_NAME config property to OrganizationGroupMembershipMapper
  via OIDCAttributeMapperHelper.addTokenClaimNameConfig()
- Override getEffectiveModel() to default the claim name to
  OAuth2Constants.ORGANIZATION when not set, preserving backward
  compatibility for existing mapper configurations
- Set TOKEN_CLAIM_NAME default in the static create() factory method
- Refactor OIDCAttributeMapperHelper.getOrInitializeOrganizationClaimAsMap()
  to accept a ProtocolMapperModel instead of a raw String, delegating
  to mapClaim() for correct claim placement (including nested path support)

Closes #47851

Signed-off-by: Sven-Torben Janus <sven-torben.janus@conciso.de>

* Fix nested claim path read and add custom claim name tests

The read side of getOrInitializeOrganizationClaimAsMap was doing a flat
Map.get() on the dotted claim name, while the write side (mapClaim) already
creates a nested structure by splitting on dots. This caused the group mapper
to find nothing when the claim name contained a dot, overwriting the
membership data written by OrganizationMembershipMapper.

Fix by splitting the claim path via splitClaimPath() and traversing the
nested map with a new private getNestedClaimValue() helper in
OIDCAttributeMapperHelper. The helper belongs there rather than in JsonUtils
because it operates on Map<String,Object>, not JsonNode.

Also add integration tests covering:
- Custom flat claim name ("my_orgs") for both OrganizationMembershipMapper
  and OrganizationGroupMembershipMapper, verifying the claim appears at the
  configured name and not at "organization"
- Dotted claim name ("custom.org") for OrganizationGroupMembershipMapper,
  verifying the token contains nested otherClaims["custom"]["org"] and that
  group composition is preserved

Signed-off-by: Sven-Torben Janus <sven-torben.janus@conciso.de>

---------

Signed-off-by: Sven-Torben Janus <sven-torben.janus@conciso.de>
2026-05-04 16:30:59 +02:00
Ruchika Jha 168da578a8 Traefik-passthrough doc file
Closes #48128

Signed-off-by: Alexander Schwartz <alexander.schwartz@ibm.com>
Co-authored-by: Alexander Schwartz <alexander.schwartz@ibm.com>
2026-04-30 19:36:14 +00:00
Alexander Schwartz afe94e5ae3 Adding blank lines at the beginning to render content correctly (#48531)
Closes #48529

Signed-off-by: Alexander Schwartz <alexander.schwartz@ibm.com>
2026-04-30 07:21:42 +02:00
Thomas Darimont 8b357d610a Generalize user search prefix lookups via UserSearchPrefix enum (#26602)
- Introduce UserSearchPrefix enum in SearchQueryUtils pairing each prefix
(id:, username:, email:) with its UserProvider lookup,
plus a splitTerms helper backed by a precompiled "\\s+" pattern
- Collapse duplicate prefix branches in UsersResource#getUsers,
UsersResource#getUsersCount and BruteForceUsersResource#searchUser
- BruteForceUsersResource: support multi-term lookups (e.g. "username:foo bar"),
aligning with UsersResource
- Tests: add searchByUsernameSearch / searchByEmailSearch covering
single-term, multi-term and whitespace-tolerant variants
- Docs: add "Search by fields" section to proc-searching-user.adoc

Fixes #26602

Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
2026-04-29 15:12:53 -03:00
vramik e1329516d5 Introduce ORGANIZATIONS resource type in Fine-Grained Admin Permissions
Closes #47284

Signed-off-by: vramik <vramik@redhat.com>
2026-04-29 11:10:05 -03:00
Martin Bartoš 46069e23ec Conditional modal for passkeys platform authenticator
Closes #29558

Signed-off-by: Martin Bartoš <mabartos@redhat.com>
2026-04-28 19:57:28 +02:00
Stian Thorgersen e1adb5f2ce Refactor builders in testsuite part 2 (#48454)
Closes #48452

Signed-off-by: stianst <stianst@gmail.com>
2026-04-28 10:19:41 +02:00
Pedro Ruivo 6229e678ab Block shutdown if the Infinispan cluster is not stable
If a rebalance is in progress, block the shutdown procedure until it finishes or a timeout is reached.

Closes #44620

Signed-off-by: Pedro Ruivo <1492066+pruivo@users.noreply.github.com>
Signed-off-by: Alexander Schwartz <alexander.schwartz@ibm.com>
Co-authored-by: Pedro Ruivo <1492066+pruivo@users.noreply.github.com>
Co-authored-by: Alexander Schwartz <alexander.schwartz@ibm.com>
2026-04-27 16:50:12 +02:00
rmartinc e03bc86579 Changes for rebase and review.
Closes #48388

Signed-off-by: rmartinc <rmartinc@redhat.com>
2026-04-27 08:52:24 -03:00
rmartinc 3ba245c39c Make acceptable AAGUID check in WebAuthn stricter
Closes #48388

Signed-off-by: rmartinc <rmartinc@redhat.com>
2026-04-27 08:52:24 -03:00
Niko Köbler e5ca2a6709 Enable to set mediation property for WebAuthn passwordless authentication (#46960)
possible values: conditional, optional, required, silent
conditional remains the default to not break the current behavior

when optional or required and the user dismissed the modal, it will stay hidden for this auth-session, can still be opened by button

adjusted all related resources, like JS files (also consolidated duplicated logic), Java classes and freemarker template

tests extended

passkey documentation extended/updated

closes #46959

Signed-off-by: Niko Köbler <niko@n-k.de>
2026-04-27 10:07:09 +02:00
foliengriller 7c1a226823 Update SAML documentation with default cache TTL (#48373)
Added default cache TTL for SAML metadata to documentation.

Signed-off-by: foliengriller <info@simpelwebservice.de>
2026-04-23 17:23:36 +02:00
Stian Thorgersen 17a3738592 Refactor builders in testsuite part 1 (#48315)
Refactor builders in testsuite part 1

Closes #48323

Signed-off-by: stianst <stianst@gmail.com>
2026-04-23 12:35:16 +02:00
Pedro Ruivo 71192ca988 HAProxy tls-passthrough blueprint
Closes #48000

Signed-off-by: Pedro Ruivo <1492066+pruivo@users.noreply.github.com>
Signed-off-by: Alexander Schwartz <alexander.schwartz@ibm.com>
Co-authored-by: Pedro Ruivo <1492066+pruivo@users.noreply.github.com>
Co-authored-by: Alexander Schwartz <alexander.schwartz@ibm.com>
2026-04-21 21:19:59 +02:00
Ruchika Jha f03cdca35b Add documentation changes for verifying the keycloak email for user
Closes #45856

Signed-off-by: Alexander Schwartz <alexander.schwartz@ibm.com>
Co-authored-by: Alexander Schwartz <alexander.schwartz@ibm.com>
2026-04-21 21:18:38 +02:00
vramik 13560136cf Introduce manage-organizations, view-organizations admin roles for Organization management
Closes #45497
Closes #31641

Signed-off-by: vramik <vramik@redhat.com>
2026-04-21 11:45:35 -03:00
Yike Gao fa58c07000 Disable FreeMarker ?new() built-in in themes. Closes #47915 (#48280)
Signed-off-by: Yike Gao <yikegao8@gmail.com>
2026-04-21 15:45:23 +02:00
tre2man 024a9026e6 Search realms by displayName
closes #45292

Signed-off-by: tre2man <kimtree3940@gmail.com>
2026-04-20 19:34:05 -03:00
Martin Kanis 493ed19799 Make IDP alias immutable in REST API
Closes #47733

Signed-off-by: Martin Kanis <mkanis@redhat.com>
2026-04-20 16:43:45 -03:00
Alexander Schwartz 57917d982c Remove preview feature sections from Kubernetes docs
Closes #48259

Signed-off-by: Alexander Schwartz <alexander.schwartz@ibm.com>
2026-04-20 13:01:49 +02:00