1492 Commits

Author SHA1 Message Date
Martin Bartoš 629e86afd2 Disable the Account UI when the ACCOUNT feature is disabled (#48807)
Closes #48806

Signed-off-by: Martin Bartoš <mabartos@redhat.com>
2026-05-25 15:37:15 +02:00
jimmychakkalakal 16b518b52d Issued credentials: Update db schema and admin rest api (#49201)
closes #46204

Signed-off-by: Jimmy Chakkalakal <jimmy.chakkalakal@ibm.com>
Co-authored-by: Marek Posolda <mposolda@gmail.com>
2026-05-25 09:41:15 +02:00
Dominik Schlosser a1bd1ab855 Introduce mechanism for different trust material sources (#48869)
closes #48269

Signed-off-by: Dominik Schlosser <dominik.schlosser@gmail.com>
Signed-off-by: mposolda <mposolda@gmail.com>
Co-authored-by: mposolda <mposolda@gmail.com>
2026-05-25 08:12:28 +02:00
jimmychakkalakal 5778a322fc Support for user attributes and updating them (#49066)
Closes #48578

Signed-off-by: Jimmy Chakkalakal <jimmy.chakkalakal@ibm.com>
2026-05-21 08:42:11 +02:00
Giuseppe Graziano a1405663f7 Token introspection now validates audience claim. UserInfo endpoint rejects lightweight access tokens.
Closes #49113

Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
2026-05-20 18:23:06 +02:00
mposolda 6ef5a79876 [OID4VCI] Integration of user verifiable-credentials with credentials-endpoint and credential-offers
closes #48547

Signed-off-by: mposolda <mposolda@gmail.com>
2026-05-20 16:06:19 +02:00
Ricardo Martin 2d1a24f501 Make all required actions one-time actions by default
Closes CVE-2026-37982
Closes #49112

Signed-off-by: rmartinc <rmartinc@redhat.com>
2026-05-19 23:40:06 +02:00
vsaranchuk 61cf8dd6b1 Fix Keycloak Connection Timeout Issue to Prevent Hanging Connections
Closes #47174

Signed-off-by: Vadym Saranchuk <vsaranchuk3@gmail.com>
Signed-off-by: vsaranchuk <vsaranchuk3@gmail.com>
Signed-off-by: Alexander Schwartz <alexander.schwartz@ibm.com>
Co-authored-by: Vadym Saranchuk <vsaranchuk3@gmail.com>
Co-authored-by: Alexander Schwartz <alexander.schwartz@ibm.com>
2026-05-18 09:55:21 +02:00
Thomas Diesler ce12c7184c [OID4VCI] Add a client policy to require a credential offer (#47286)
closes #44317

Signed-off-by: Thomas Diesler <tdiesler@proton.me>
2026-05-14 17:04:36 +02:00
Giuseppe Graziano 3f26004e32 Verifiable credential in account console (#48940)
Closes #48576

Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
2026-05-13 14:52:11 +02:00
Giuseppe Graziano 868db724f5 Remove oid4vc protocol from create client form
Closes #46853

Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
2026-05-12 15:22:49 +02:00
Martin Bartoš 9d1e562f03 Update WebAuthn Metadata service and show icons (#48551)
* Update WebAuthn Metadata service and show icons

Closes #48539
Closes #48540

Signed-off-by: Martin Bartoš <mabartos@redhat.com>
Co-authored-by: rmartinc <rmartinc@redhat.com>

* Revert back the transport type for providerId-less authenticators

Signed-off-by: Martin Bartoš <mabartos@redhat.com>

---------

Signed-off-by: Martin Bartoš <mabartos@redhat.com>
Co-authored-by: rmartinc <rmartinc@redhat.com>
2026-05-11 17:15:38 +02:00
vramik bdd4860502 Prevent setting a decisionStrategy different from the default for FGAP
Closes #48749

Signed-off-by: vramik <vramik@redhat.com>
2026-05-11 08:20:29 -03:00
Faseela K 15b785a17b Rename blacklist to denylist in password policy
Replaces "blacklist" terminology with "denylist" across the password policy implementation as part of adopting more inclusive naming conventions. Changes include class names, method names, variable names, comments, and test fixtures.

Breaking changes have been intentionally avoided; this PR only includes internal renames that do not impact operators or public APIs.

Closes #48865

Signed-off-by: Faseela K <faseela.k@est.tech>
2026-05-11 03:28:40 +02:00
Faseela K 26c2a9e3ed pre-compute password denylist Bloom filter to speed up server startup
Fixes #47356

Signed-off-by: Faseela K <faseela.k@est.tech>
2026-05-07 16:01:12 +02:00
Yike Gao 4692aeee5d Reject CORS requests with invalid Origin before endpoint logic runs
Closes #45957

Signed-off-by: Yike Gao <yikegao8@gmail.com>
2026-05-07 09:16:15 +02:00
Pedro Igor 1ccce63aa4 Resolve SA before resolving users from username or email
Closes #48592

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2026-05-07 07:32:43 +02:00
mposolda f66ae8ab0b [OID4VCI] Support for credentials CRUD (DB and admin REST endpoints)
closes #48546

Signed-off-by: mposolda <mposolda@gmail.com>
2026-05-05 16:49:31 +02:00
Sar 263d44be88 Changes to address Org subdomain matching (#45190)
Signed-off-by: sar <sar.haidar@gmail.com>
2026-05-05 08:53:15 +02:00
Iestyn e45bd9d6af Add @DefaultValue to max param used in Admin REST APIs (#47561)
This is used to generate Keycloak Admin REST API.
Without this, a 'null' value is used, which suggests that returning a paginated list is optional.

Closes #47560

Signed-off-by: Iestyn <33298011+IestynGage@users.noreply.github.com>
2026-05-01 08:49:33 -04:00
vramik e1329516d5 Introduce ORGANIZATIONS resource type in Fine-Grained Admin Permissions
Closes #47284

Signed-off-by: vramik <vramik@redhat.com>
2026-04-29 11:10:05 -03:00
Vranan 217d62c37c fix: validate resource type consistency when adding resources to FGAP permissions
Previously, getOrCreateResource() would return any resource found by its
authz DB ID without verifying it belonged to the requested resource type.
This allowed resources of one type (e.g. Users) to be silently added to a
permission of a different type (e.g. Groups) by passing the internal authz
resource ID.

- For per-entity resources found by ID, validate the name resolves as the
  expected entity type via getResourceName(); throw ModelValidationException
  on mismatch

Closes #37243

Signed-off-by: Vinit Kumar <30852363+ThreeMangoTrees@users.noreply.github.com>
2026-04-27 14:41:13 -03:00
Stefan Guilhen 33651e42c4 Synchronize workflow scheduled settings using cluster events (#48422)
* Synchronize workflow scheduled settings using cluster events

Closes #48185
2026-04-27 09:23:47 -03:00
Niko Köbler e5ca2a6709 Enable to set mediation property for WebAuthn passwordless authentication (#46960)
Possible values: conditional, optional, required, silent.
conditional remains the default to not break the current behavior.

When set to optional or required and the user dismissed the modal, it will stay hidden for this auth-session; it can still be opened by button.

Adjusted all related resources, like JS files (also consolidated duplicated logic), Java classes and the FreeMarker template.

Tests extended.

Passkey documentation extended/updated.

closes #46959

Signed-off-by: Niko Köbler <niko@n-k.de>
2026-04-27 10:07:09 +02:00
Pedro Igor 2e61d7daa1 Missing migration to update the group resource type with the manage-membership-of-members scope
Closes #47987

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2026-04-23 10:16:52 +02:00
vramik 13560136cf Introduce manage-organizations, view-organizations admin roles for Organization management
Closes #45497
Closes #31641

Signed-off-by: vramik <vramik@redhat.com>
2026-04-21 11:45:35 -03:00
Thomas Diesler e9a30f1134 Initial support for OAuth 2.0 Attestation-based client authentication (#47962)
closes #48265

Signed-off-by: Thomas Diesler <tdiesler@proton.me>
2026-04-20 12:46:22 +02:00
Marek Posolda 72e0c26a35 Update password after email verification during registration of users (#47538)
closes #45568

Signed-off-by: mposolda <mposolda@gmail.com>
2026-04-17 15:15:48 +02:00
Davide Piva 055dc0eb84 Handle resource IDs matching the resource type for "Enforce access to" -> "All"
Closes #47901

Signed-off-by: Davide Piva <davide.piva@intesys.it>
2026-04-15 09:56:49 -03:00
Pedro Igor ef730c6318 Allow deleting subflows and executions if the parent is not a built-in flow
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2026-04-14 14:58:38 -03:00
Muhammed Oguz 698eb35a15 Add account-console to defaultClients to prevent deletion of built-in client
Closes #47923

Signed-off-by: Muhammed Oguz <muhammed@keymate.io>
2026-04-13 14:01:13 +02:00
Thomas Diesler 22e018cfdf [OID4VCI-HAIP] Pass oid4vci-1_0-issuer-metadata_test
Signed-off-by: Thomas Diesler <tdiesler@proton.me>
2026-04-10 13:54:43 +02:00
Mikkel Bernhof Jakobsen e771d15b6c Declarative UI: Avoid silent failure when adding additional path params (#47884)
Issue occurs when implementer uses a read-only map, e.g. Map.of() to provide path parameters.

Closes #47914

Signed-off-by: Mikkel Bernhof Jakobsen <bernhof@gmail.com>
2026-04-09 20:20:29 +02:00
Thomas Diesler 6fe5876f39 [OID4VCI] TokenResponse requires credential_identifiers in authorization_details (#47404)
closes #47386

Signed-off-by: Thomas Diesler <tdiesler@proton.me>
2026-04-09 11:50:53 +02:00
forkimenjeckayang f9e1879d4b [OID4VCI] Fix OID4VCI token typ defaults by credential format (#47779)
closes #45420

Signed-off-by: forkimenjeckayang <forkimenjeckayang@gmail.com>
2026-04-08 16:49:44 +02:00
Stefan Guilhen b92e062a39 Use pwdUpdateTime attribute for password modification time on 389 DS/RHDS
Closes #47675

Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2026-04-03 15:42:11 -03:00
Ryan Emerson 00c0dee3c4 Display Javascript policy description and code in admin UI
Closes #47452

Signed-off-by: Ryan Emerson <remerson@ibm.com>
2026-04-02 12:37:56 -03:00
forkimenjeckayang 8f90f98ab6 [OID4VCI] Make cryptographic binding & proofs explicitly configurable and spec-compliant (#47257)
closes #45724

Signed-off-by: forkimenjeckayang <forkimenjeckayang@gmail.com>
2026-04-01 12:14:30 +02:00
Stefan Guilhen d24d2697aa Add SPI option to setup the start time of the workflows step runner task
Closes #47540

Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2026-03-27 16:30:15 -03:00
vramik 43864c1375 Disabled organization should not execute invitations
Closes #45760

Signed-off-by: vramik <vramik@redhat.com>
2026-03-25 17:04:23 -03:00
vramik 8afd4be55a Reject invalid resource IDs in permission creation
Closes #40921

Signed-off-by: vramik <vramik@redhat.com>
2026-03-24 14:40:24 -03:00
Jakub Pietrzak 0369951480 Resolve nested keys in oauth2 identity provider claims
Signed-off-by: Jakub Pietrzak <jakub@pietrzak.dev>
2026-03-24 09:47:33 -03:00
mposolda 68f5779230 CVE-2026-3429 Improper Access Control for LoA During Credential Deletion for the case of client overridden flow
closes #47069

Signed-off-by: mposolda <mposolda@gmail.com>
2026-03-24 13:44:05 +01:00
vramik a4796fe801 Add view-realm admin role check to SCIM discovery endpoints
Closes #46859

Signed-off-by: vramik <vramik@redhat.com>
2026-03-24 08:56:43 -03:00
Stefan Guilhen 71385f2df3 Don't auto-disable workflows in case of errors thrown by condition and step providers
- also prevent exceptions in these cases from rolling back the entire transaction

Closes #47232

Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2026-03-24 08:55:28 -03:00
Tero Saarni 50517cf933 Reload password blacklist file on change without restart
Fixes #47163

Signed-off-by: Tero Saarni <tero.saarni@est.tech>
2026-03-21 20:07:00 +01:00
Ricardo Martin b93695eb90 Add versioning to identity brokering api feature (#47281)
Closes #47254

Signed-off-by: rmartinc <rmartinc@redhat.com>
2026-03-20 16:55:56 +01:00
mposolda 302ff9f7c2 [OID4VCI] Small inconsistencies in some events
closes #47203

Signed-off-by: mposolda <mposolda@gmail.com>
2026-03-18 18:46:48 +01:00
Pedro Igor aba0b71ea2 Enforce realm admin roles and permission when managing resources
Closes #47072

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
2026-03-17 20:30:25 +01:00
Peter Skopek d11136f671 Separate password and OTP brute force protection to prevent OTP bypass attacks by default
Closes #46164

Signed-off-by: Peter Skopek <peter.skopek@ibm.com>

Update model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/changes/remote/updater/loginfailures/LoginFailuresUpdater.java

Co-authored-by: Pedro Ruivo <pruivo@users.noreply.github.com>
Signed-off-by: Peter Skopek <peter.skopek@ibm.com>

Add recovery codes to the list of brute force checked authenticators.

Closes #46164
Signed-off-by: Peter Skopek <peter.skopek@ibm.com>
2026-03-17 18:57:37 +01:00