Closes #49140
The revoke-role step expects multivalued role names, not a
comma-separated string.
Signed-off-by: Thomas DELORGE <thomas.delorge@orbeet.io>
* Make OrganizationGroupMembershipMapper claim name configurable
The OrganizationGroupMembershipMapper introduced in 26.6.0 hardcoded
the token claim name to "organization", unlike OrganizationMembershipMapper
which already exposes the claim name as a configurable property.
- Add TOKEN_CLAIM_NAME config property to OrganizationGroupMembershipMapper
via OIDCAttributeMapperHelper.addTokenClaimNameConfig()
- Override getEffectiveModel() to default the claim name to
OAuth2Constants.ORGANIZATION when not set, preserving backward
compatibility for existing mapper configurations
- Set TOKEN_CLAIM_NAME default in the static create() factory method
- Refactor OIDCAttributeMapperHelper.getOrInitializeOrganizationClaimAsMap()
to accept a ProtocolMapperModel instead of a raw String, delegating
to mapClaim() for correct claim placement (including nested path support)
Closes #47851
Signed-off-by: Sven-Torben Janus <sven-torben.janus@conciso.de>
* Fix nested claim path read and add custom claim name tests
The read side of getOrInitializeOrganizationClaimAsMap was doing a flat
Map.get() on the dotted claim name, while the write side (mapClaim) already
creates a nested structure by splitting on dots. This caused the group mapper
to find nothing when the claim name contained a dot, overwriting the
membership data written by OrganizationMembershipMapper.
Fix by splitting the claim path via splitClaimPath() and traversing the
nested map with a new private getNestedClaimValue() helper in
OIDCAttributeMapperHelper. The helper belongs there rather than in JsonUtils
because it operates on Map<String,Object>, not JsonNode.
Also add integration tests covering:
- Custom flat claim name ("my_orgs") for both OrganizationMembershipMapper
and OrganizationGroupMembershipMapper, verifying the claim appears at the
configured name and not at "organization"
- Dotted claim name ("custom.org") for OrganizationGroupMembershipMapper,
verifying the token contains nested otherClaims["custom"]["org"] and that
group composition is preserved
Signed-off-by: Sven-Torben Janus <sven-torben.janus@conciso.de>
---------
Signed-off-by: Sven-Torben Janus <sven-torben.janus@conciso.de>
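As an added illustration of the read/write mismatch described in the second commit above (example code, not Keycloak's own): a write side that nests on dots as the commit says mapClaim does, the flat read that misses the nested value, and a split-and-traverse read of the kind the commit introduces. The names putNested, getFlat, getNested and getOrInitialize, the sample membership data and the placeholder id are assumptions; Keycloak's real splitClaimPath may handle more cases than a plain split on ".".

```java
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

public class NestedClaimLookup {
    // Write side (as the commit describes mapClaim): split the claim name on dots and nest maps.
    @SuppressWarnings("unchecked")
    static void putNested(Map<String, Object> claims, String claimName, Object value) {
        String[] path = claimName.split("\\.");
        Map<String, Object> current = claims;
        for (int i = 0; i < path.length - 1; i++) {
            current = (Map<String, Object>) current.computeIfAbsent(path[i], k -> new LinkedHashMap<String, Object>());
        }
        current.put(path[path.length - 1], value);
    }
    // Read side before the fix: a flat lookup of the dotted name never sees what the writer nested.
    static Object getFlat(Map<String, Object> claims, String claimName) {
        return claims.get(claimName);
    }
    // Read side after the fix: walk the nested maps segment by segment; null if a segment is missing.
    static Object getNested(Map<String, Object> claims, String claimName) {
        Object current = claims;
        for (String segment : claimName.split("\\.")) {
            if (!(current instanceof Map)) {
                return null;
            }
            current = ((Map<?, ?>) current).get(segment);
        }
        return current;
    }
    // What the group mapper needs: reuse the map the membership mapper wrote, or start a fresh one.
    @SuppressWarnings("unchecked")
    static Map<String, Object> getOrInitialize(Map<String, Object> claims, String claimName) {
        Object existing = getNested(claims, claimName);
        if (existing instanceof Map) {
            return (Map<String, Object>) existing;
        }
        Map<String, Object> fresh = new LinkedHashMap<>();
        putNested(claims, claimName, fresh);
        return fresh;
    }
    public static void main(String[] args) {
        Map<String, Object> otherClaims = new LinkedHashMap<>();
        // Constructed sample: what the membership mapper would have written under "custom.org".
        Map<String, Object> membership = new LinkedHashMap<>(Map.of("acme", new LinkedHashMap<>(Map.of("id", "ORG-ID-PLACEHOLDER"))));
        putNested(otherClaims, "custom.org", membership);
        System.out.println("flat read: " + getFlat(otherClaims, "custom.org"));
        getOrInitialize(otherClaims, "custom.org").put("groups", List.of("group-a"));
        System.out.println("nested read: " + getNested(otherClaims, "custom.org"));
    }
}
```

With getFlat in place of getNested inside getOrInitialize, the group mapper would start a fresh map and replace the membership data written first, which is the overwrite the commit describes.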
- Introduce UserSearchPrefix enum in SearchQueryUtils pairing each prefix
(id:, username:, email:) with its UserProvider lookup,
plus a splitTerms helper backed by a precompiled "\\s+" pattern
- Collapse duplicate prefix branches in UsersResource#getUsers,
UsersResource#getUsersCount and BruteForceUsersResource#searchUser
- BruteForceUsersResource: support multi-term lookups (e.g. "username:foo bar"),
aligning with UsersResource
- Tests: add searchByUsernameSearch / searchByEmailSearch covering
single-term, multi-term and whitespace-tolerant variants
- Docs: add "Search by fields" section to proc-searching-user.adoc
Fixes #26602
Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
Possible values: conditional, optional, required, silent
conditional remains the default so as not to break the current behavior
When optional or required and the user dismissed the modal, it will stay hidden for this auth session but can still be opened by the button
Adjusted all related resources, such as JS files (also consolidated duplicated logic), Java classes and the FreeMarker template
Tests extended
Passkey documentation extended/updated
Closes #46959
Signed-off-by: Niko Köbler <niko@n-k.de>