* task: using a beanparam for client listing options
closes: #48650
Signed-off-by: Steve Hawkins <shawkins@redhat.com>
* just adding fluent methods
Signed-off-by: Steve Hawkins <shawkins@redhat.com>
---------
Signed-off-by: Steve Hawkins <shawkins@redhat.com>
* UI should prevent admins from defining a dynamic client scope with type Default
Closes #22229
Signed-off-by: Martin Bartoš <mabartos@redhat.com>
* Add Alert, and change to non-dynamic scope
Signed-off-by: Martin Bartoš <mabartos@redhat.com>
* Unify the dynamic label usage
Signed-off-by: Martin Bartoš <mabartos@redhat.com>
---------
Signed-off-by: Martin Bartoš <mabartos@redhat.com>
Adds Shared Signals Framework support to Keycloak in the **SSF Transmitter** role: Keycloak signs Security Event Tokens (SETs, RFC 8417) describing realm/user/session/credential events and delivers them to OAuth clients registered as **SSF Receivers**, either by HTTP PUSH (RFC 8935) or HTTP POLL (RFC 8936).
Targets the OpenID Shared Signals Framework 1.0 (Final) specification plus the CAEP Interoperability Profile 1.0. Ships the legacy SSE CAEP profile alongside for Apple Business Manager / Apple School Manager interop, since Apple device-fleet enrolment is a concrete driving use case.
Gated behind `Profile.Feature.SSF`: experimental, opt-in.
Issue #43614 originally proposed SSF *Receiver* support (Keycloak ingesting SETs from upstream IdPs / risk engines). After exploring both sides, we're shipping the **Transmitter** first (see #48254) because it covers the strongest community asks (federate Keycloak events to downstream SaaS, Apple device fleet revoke flow) and lets us validate the SSF data-plane against real receivers before designing the harder "action mapping" question on the Receiver side. Receiver support remains on the roadmap and is tracked separately via #43614.
**In:**
- Compliance with SSF 1.0, CAEP 1.0, RISC 1.0, RFC 8935, RFC 8936, RFC 9493, RFC 8417
- SSF Transmitter support (Keycloak Realm can act as a SSF Transmitter)
- SSF Stream management (CRUD, status, verification)
- SSF Subjects management (subjects)
- SET delivery via HTTP PUSH (RFC 8935) and HTTP POLL (RFC 8936) with POLL in a return-immediately form
- SSF events temporarily stored in durable outbox with cluster-aware drainer and exponential backoff
- SSF Receivers managed as OIDC Clients with client credentials grant or auth code grant (currently only one stream per client)
- Support for SSF Stream, CAEP 1.0 and RISC 1.0 events (custom events via SPI)
- CAEP credential-change / session-revoked / (device-compliance-change) event mapping from native Keycloak events
- Support for RFC 9493 Subject Identifiers for Security Event Tokens
- Support for SSF Receiver subject event subscription with subject selection (per-user / per-org `ssf.notify.<clientId>` attribute, support for `default_subjects` policy (ALL, NONE))
- Support for Synthetic event emittance via REST endpoint for non-Keycloak-native event sources (external IAM solution)
- Per-receiver "Emit-only events" gate to suppress auto-emit per event type per receiver
- Support for legacy SSE CAEP profile for Apple Business Manager / Apple School Manager interop (verified)
- Per-realm SSF admin REST + Admin UI for SSF-enabled clients (Receiver / Stream / Subjects / Events)
- Prometheus metrics (dispatcher, drainer, poll, verification, outbox depth, delivery metrics)
**Out (tracked as separate follow-up issues):**
- SSF Receiver role for Keycloak (ingestion of SETs)
- POLL long-polling (`returnImmediately=false` honoured)
- Dedicated SSF signing key (separate from realm OIDC signing key)
- Chunked HELD release for very large backlogs
- Performance characterization + security review
- Formal interop matrix (caep.dev, ABM)
- [X] All code gated behind `Profile.Feature.SSF` (experimental, off by default)
- [X] Per-realm `ssf.transmitterEnabled` toggle; per-client `ssf.enabled` toggle
- [X] SSF event listener registered as global (not user-toggleable per realm)
- [X] Receiver-facing endpoints conformant with SSF 1.0
- [X] CAEP credential-change / session-revoked / device-compliance mapping pass interop testing against `caep.dev`
- [X] SSE CAEP profile narrowed shape works with Apple Business Manager
- [X] Integration test coverage for the dispatch / outbox / push / poll pipeline (100+ tests)
- [X] Prometheus metrics exposed under `keycloak_ssf_*`
- [X] Design notes published
Fixes #48901
This PR was partially co-authored with Claude AI
Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
Enable the rule (previously "off") and fix all violations across the JS
workspace. The core change makes RealmContext.realmRepresentation
non-optional — guarded by the existing KeycloakSpinner in the provider —
allowing ~30 downstream consumers to drop redundant optional chains.
Where TypeScript types declare a value as non-nullable but runtime
behaviour can still produce undefined/null (API responses, react-hook-form
dynamic values, route params present on one route but not another, array
index access, DOM queries), the existing guards are preserved with
eslint-disable-next-line comments explaining the rationale.
Additional fixes surfaced during this work:
- PermissionConfigurationDetails: fix spinner blocking the "create
permission" form by distinguishing "loading" (null) from "new" ({})
- ResourceType: restore resourceIds?.some() guard — form.getValues
returns undefined when the field has no default value
- clients.ts createOrUpdatePolicy: narrow catch to 404 NetworkError
only instead of swallowing all errors
Closes #17770
Signed-off-by: Pierluigi Lenoci <pierluigilenoci@gmail.com>
When a user drags an authentication flow step and drops it back in its original position, the onDrop handler now returns early instead of calling executeChange(). This prevents an unnecessary refresh() call and the false "Flow successfully updated" success notification.
Closes #47710
Signed-off-by: chon3806 <93464148+chon3806@users.noreply.github.com>
* add validation to description based on the validation annotations
fixes: #47371
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* added test and better encapsulation
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* Remove applySchemaProperties() from ValidationAnnotationScanner
SmallRye handles this
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* change to use class instead of string
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* added error when encountering group annotation that isn't in the map
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* fixed test and added openapi.yaml from js folder
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* make it spotless
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* made the scanner more generic and use the validation message
kept special processing for constraints that have parameters
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* use interpolation for the other annotations
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* updated more PR reviews
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* more PR review comments
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* fixed merge
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* moved class level validator descriptions
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* added field name to annotation, that we can then use in the schema
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* don't put validations that have an affectedField on the class
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* jandex default
Jandex returns null for annotation values that use the default, it only
returns values that were explicitly specified.
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* fixed test
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* even more PR review comments
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* small fix to get more validations in the description
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* better handle on parameterised types
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
* Update generated spec
Signed-off-by: Václav Muzikář <vmuzikar@ibm.com>
---------
Signed-off-by: Erik Jan de Wit <erikjan.dewit@gmail.com>
Signed-off-by: Václav Muzikář <vmuzikar@ibm.com>
Co-authored-by: Václav Muzikář <vmuzikar@ibm.com>
Added message bundles to custom themes so descriptions are now automatically rendered to user
Sanitize theme names for dynamic paths to allow multiple themes rendering at once
Closes #47762
Signed-off-by: Benjamin DeWeese <benjamin@deweese.cc>
possible values: conditional, optional, required, silent
conditional remains the default to not break the current behavior
when optional or required and the user dismissed the modal, it will stay hidden for this auth-session, can still be opened by button
adjusted all related resources, like JS files (also consolidated duplicated logic), Java classes and freemarker template
tests extended
passkey documentation extended/updated
closes #46959
Signed-off-by: Niko Köbler <niko@n-k.de>
The Authorization Resources table was incorrectly duplicating the last
element of the current page as the first element of the next page.
This occurred because the fetching logic requests 'max + 1' items to
detect if a subsequent page exists. However, the UI was rendering the
entire array instead of limiting the display to the 'max' value.
Fixed by applying a .slice(0, max) before mapping the resources to
table rows. Added a Playwright E2E regression test to ensure unique
resource distribution across pages and prevent future regressions.
Closes #46088
---------
Signed-off-by: André Rocha <andre.queiroz.rocha@tecnico.ulisboa.pt>
Signed-off-by: Alexander Schwartz <alexander.schwartz@ibm.com>
Co-authored-by: Alexander Schwartz <alexander.schwartz@ibm.com>