Šimon Vacek
440f9a90f2
Move the rest of TestingResource methods to a utils-shared helper class (1/2) ( #48722 )
...
* Move the rest of TestingResource methods to a utils-shared helper class (1/2)
Closes : #48708
Signed-off-by: Simon Vacek <simonvacky@email.cz >
* rename runOnServer field
Signed-off-by: Simon Vacek <simonvacky@email.cz >
* remove realm name from method input
Signed-off-by: Simon Vacek <simonvacky@email.cz >
---------
Signed-off-by: Simon Vacek <simonvacky@email.cz >
2026-05-21 05:55:20 +00:00
Thomas DELORGE
a988875ac4
docs(workflows): fix offboarding example revoke-role role list format
...
Closes #49140
The revoke-role step expects multivalued role names, not a comma-separated string.
Signed-off-by: Thomas DELORGE <thomas.delorge@orbeet.io >
2026-05-20 23:31:45 +02:00
Giuseppe Graziano
a1405663f7
Token introspection now validates audience claim. UserInfo endpoint rejects lightweight access tokens.
...
Closes #49113
Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com >
2026-05-20 18:23:06 +02:00
Pedro Ruivo
23bac7b976
Add SPI option to disable FD_SOCK2 failure detection
...
Closes #49148
Signed-off-by: Pedro Ruivo <1492066+pruivo@users.noreply.github.com >
Co-authored-by: Pedro Ruivo <1492066+pruivo@users.noreply.github.com >
2026-05-20 15:10:59 +00:00
vramik
87160a4e84
Missing and incorrect permission checks on organization invitation endpoints
...
Closes #49069
Signed-off-by: vramik <vramik@redhat.com >
2026-05-20 11:22:13 -03:00
mposolda
6ef5a79876
[OID4VCI] Integration of user verifiable-credentials with credentials-endpoint and credential-offers
...
closes #48547
Signed-off-by: mposolda <mposolda@gmail.com >
2026-05-20 16:06:19 +02:00
Pedro Ruivo
228286f570
Enable JGroups message stats
...
Closes #49163
Signed-off-by: Pedro Ruivo <1492066+pruivo@users.noreply.github.com >
Co-authored-by: Pedro Ruivo <1492066+pruivo@users.noreply.github.com >
2026-05-20 15:57:06 +02:00
Pedro Ruivo
75bc048774
Disable single thread sender in JGroups
...
Closes #49149
Signed-off-by: Pedro Ruivo <1492066+pruivo@users.noreply.github.com >
Co-authored-by: Pedro Ruivo <1492066+pruivo@users.noreply.github.com >
2026-05-20 15:55:36 +02:00
Thomas Diesler
6aeccb28cd
[OID4VCI-HAIP] Treat attestation-based clients as confidential ( #49155 )
...
closes #49153
closes #48267
Signed-off-by: Thomas Diesler <tdiesler@proton.me >
2026-05-20 14:50:43 +02:00
rmartinc
59330ad543
Downgrade java version to 21 for the FIPS jobs
...
Closes #49151
Signed-off-by: rmartinc <rmartinc@redhat.com >
2026-05-20 13:44:14 +02:00
rmartinc
d0e0b0f1f7
Use EventAssertion in some remaining tests.
...
Closes #49142
Signed-off-by: rmartinc <rmartinc@redhat.com >
2026-05-20 13:44:14 +02:00
Steven Hawkins
03624df8db
fix: simplifying quarkus integration test annotations ( #48977 )
...
* fix: simplifying quarkus integration test annotations
closes : #48796
Signed-off-by: Steve Hawkins <shawkins@redhat.com >
* refining quarkus integration tests to use KeycloakDistributionDecorator
Signed-off-by: Steve Hawkins <shawkins@redhat.com >
* implementing review feedback.
KeycloakRunner replaces KeycloakDistributionDecorator
Signed-off-by: Steve Hawkins <shawkins@redhat.com >
---------
Signed-off-by: Steve Hawkins <shawkins@redhat.com >
2026-05-20 07:05:36 -04:00
Muhammed Oğuz
710539ca14
Add bottom padding on Authorization Evaluate results page
...
Closes #49063
Signed-off-by: Muhammed Oguz <muhammed@keymate.io >
2026-05-20 10:29:27 +02:00
Thomas Darimont
3119efdb13
Improve handling for backchannel logout requests ( #34104 ) ( #34105 )
...
- Guard against a null backchannel logout URL in ResourceAdminManager#logoutClientSessionWithBackchannelLogoutUrl.
- When the host placeholder cannot be resolved, throw an IllegalStateException with diagnostic context (clientId, clientSessionId, both note values) instead of silently returning null. The exception is handled by AuthenticationManager#backchannelLogoutClientSession, which logs it and returns a 5xx response so the failure is visible to operators.
- Expand debug logging around the backchannel logout flow to make it easier to correlate token requests with logout attempts.
Fixes #34104
Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com >
2026-05-20 08:13:21 +02:00
Pedro Igor
33f6f873fd
Prevent access to user info if not the owner or requested of a resource ( #49122 )
...
Closes #49116
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com >
2026-05-20 07:54:53 +02:00
Ricardo Martin
4796207690
Wildcards should not be allowed if authority cannot be parsed ( #607 ) ( #49130 )
...
Closes CVE-2026-7504
Closes #49109
Signed-off-by: rmartinc <rmartinc@redhat.com >
2026-05-20 07:50:38 +02:00
Lukas Hanusovsky
69182286ef
Refactor AssertEvents expect() and related methods to use EventAssertion equivalents. ( #48752 )
...
Signed-off-by: Lukas Hanusovsky <lhanusov@redhat.com >
2026-05-20 07:18:03 +02:00
Pedro Igor
4e9b17cbed
Enforce owner checks when calling the resource set service ( #49121 )
...
Closes #392
Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com >
2026-05-20 05:24:16 +02:00
Ricardo Martin
d791b270b9
Better check for authSessionCookie in SessionCodeChecks ( #603 ) ( #49134 )
...
Closes CVE-2026-7507
Closes #49111
Signed-off-by: rmartinc <rmartinc@redhat.com >
2026-05-20 05:16:17 +02:00
Pedro Ruivo
7635dfbccc
Filtering out headers from external IP addresses
...
Closes #48683
Signed-off-by: Pedro Ruivo <1492066+pruivo@users.noreply.github.com >
Signed-off-by: Alexander Schwartz <alexander.schwartz@ibm.com >
Co-authored-by: Pedro Ruivo <1492066+pruivo@users.noreply.github.com >
Co-authored-by: Alexander Schwartz <alexander.schwartz@ibm.com >
2026-05-19 21:55:50 +00:00
Ricardo Martin
2d1a24f501
Make all required actions one time action by default
...
Closes CVE-2026-37982
Closes #49112
Signed-off-by: rmartinc <rmartinc@redhat.com >
2026-05-19 23:40:06 +02:00
Steven Hawkins
918a74f930
fix: updating the auto logic if the pod cannot be found ( #49030 )
...
closes : #48812
Signed-off-by: Steve Hawkins <shawkins@redhat.com >
2026-05-19 14:26:12 -04:00
Giuseppe Graziano
c5bda802e9
fix not before validation
...
Closes #49118
Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com >
2026-05-19 19:39:54 +02:00
Giuseppe Graziano
56bbfa3d8a
set only redirect_uri from client_data during restart
...
Closes #49110
Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com >
2026-05-19 19:17:44 +02:00
Peter Skopek
be84d28ce4
Fix parsing SAML11 incorrect requests. ( #609 ) ( #49119 )
...
Closes CVE-2026-7307
Signed-off-by: Peter Skopek <peter.skopek@ibm.com >
2026-05-19 16:44:10 +00:00
Ryan Emerson
4e026e717e
Document AuthZEN experimental support
...
Closes #48999
Signed-off-by: Ryan Emerson <remerson@ibm.com >
2026-05-19 14:16:31 +01:00
Václav Muzikář
5e8a7137fa
Revert "chore(quarkus): only show OTel Metrics in community build ( #49002 )" ( #49072 )
...
This reverts commit fc667a827a.
2026-05-19 14:33:13 +02:00
Yike Gao
4aff9a43ce
migrated RequiredActionUpdateProfileTest. Closes #48149 ( #48648 )
...
Signed-off-by: Yike Gao <yikegao8@gmail.com >
2026-05-19 11:12:12 +02:00
Michal Vavřík
2a79636bbe
chore(mvn): drop unknown parameter 'createChecksum' ( #49079 )
...
* Closes: https://github.com/keycloak/keycloak/issues/49078
Signed-off-by: Michal Vavřík <michal.vavrik@aol.com >
2026-05-19 08:10:11 +02:00
Steven Hawkins
2f6befa9bd
task: removing the approval test workaround ( #49071 )
...
closes : #48976
Signed-off-by: Steve Hawkins <shawkins@redhat.com >
2026-05-19 08:09:10 +02:00
Steve Hawkins
ce38c5b135
fix: making the embedded resteasy server work again
...
closes : #49058
Signed-off-by: Steve Hawkins <shawkins@redhat.com >
2026-05-18 19:21:03 +02:00
Faseela K
f9e275318c
Read sid claim from ID token to support IdP backchannel logout ( #48674 )
...
closes #12142
Signed-off-by: Faseela K <faseela.k@est.tech >
2026-05-18 14:01:29 +02:00
Martin Bartoš
a4d6c211ad
Add suggestions when features are incorrectly specified ( #48963 )
...
* Add suggestions when features are incorrectly specified
Closes #48962
Signed-off-by: Martin Bartoš <mabartos@redhat.com >
* Address review comments
Co-authored-by: Peter Zaoral <pepo48@gmail.com >
Signed-off-by: Martin Bartoš <mabartos@redhat.com >
---------
Signed-off-by: Martin Bartoš <mabartos@redhat.com >
Co-authored-by: Peter Zaoral <pepo48@gmail.com >
2026-05-18 12:20:36 +02:00
Steven Hawkins
74cbbe75eb
fix: further rationalizing how we are creating temporary files ( #48608 )
...
closes : #48566
Signed-off-by: Steve Hawkins <shawkins@redhat.com >
2026-05-18 12:18:47 +02:00
Weblate (bot)
e4e92460f9
Translations update from Hosted Weblate ( #48714 )
...
* Updated translation for German
Language: de
Updated translation for German
Language: de
Updated translation for German
Language: de
Updated translation for German
Language: de
Co-authored-by: Alexander Schwartz <alexander.schwartz@gmx.net >
Co-authored-by: Hosted Weblate <hosted@weblate.org >
Signed-off-by: Alexander Schwartz <alexander.schwartz@gmx.net >
Signed-off-by: Hosted Weblate <hosted@weblate.org >
* Updated translation for Ukrainian
Language: uk
Updated translation for Ukrainian
Language: uk
Translated using Weblate (Ukrainian)
Translation: Keycloak/Admin backend
Translate-URL: https://hosted.weblate.org/projects/keycloak/theme-baseadmin/uk/
Updated translation for Ukrainian
Language: uk
Updated translation for Ukrainian
Language: uk
Updated translation for Ukrainian
Language: uk
Added translation using Weblate (Ukrainian)
Update translation files
Updated by "Cleanup translation files" hook in Weblate.
Update translation files
Updated by "Cleanup translation files" hook in Weblate.
Added translation using Weblate (Ukrainian)
Co-authored-by: Alexander Schwartz <alexander.schwartz@gmx.net >
Co-authored-by: Hosted Weblate <hosted@weblate.org >
Signed-off-by: Alexander Schwartz <alexander.schwartz@gmx.net >
Signed-off-by: Hosted Weblate <hosted@weblate.org >
* Updated translation for Japanese
Language: ja
Co-authored-by: Hosted Weblate <hosted@weblate.org >
Co-authored-by: Kohei Tamura <ktamura.biz.80@gmail.com >
Signed-off-by: Hosted Weblate <hosted@weblate.org >
Signed-off-by: Kohei Tamura <ktamura.biz.80@gmail.com >
* Updated translation for Catalan
Language: ca
Updated translation for Catalan
Language: ca
Updated translation for Catalan
Language: ca
Translated using Weblate (Catalan)
Currently translated at 100.0% (1 of 1 strings)
Added translation using Weblate (Catalan)
Translated using Weblate (Catalan)
Currently translated at 100.0% (1 of 1 strings)
Translated using Weblate (Catalan)
Currently translated at 100.0% (1 of 1 strings)
Added translation using Weblate (Catalan)
Translated using Weblate (Catalan)
Currently translated at 100.0% (1 of 1 strings)
Translated using Weblate (Catalan)
Currently translated at 100.0% (1 of 1 strings)
Added translation using Weblate (Catalan)
Added translation using Weblate (Catalan)
Updated translation for Catalan
Language: ca
Updated translation for Catalan
Language: ca
Co-authored-by: Alexander Schwartz <alexander.schwartz@gmx.net >
Co-authored-by: Ecron <ecron_89@hotmail.com >
Co-authored-by: Hosted Weblate <hosted@weblate.org >
Co-authored-by: Jordi Mallach <jordi@mallach.net >
Signed-off-by: Alexander Schwartz <alexander.schwartz@gmx.net >
Signed-off-by: Ecron <ecron_89@hotmail.com >
Signed-off-by: Hosted Weblate <hosted@weblate.org >
Signed-off-by: Jordi Mallach <jordi@mallach.net >
Translate-URL: https://hosted.weblate.org/projects/keycloak/keycloak-e-mail-theme/ca/
Translate-URL: https://hosted.weblate.org/projects/keycloak/keycloak-login-theme/ca/
Translate-URL: https://hosted.weblate.org/projects/keycloak/keycloak-v2-login-theme/ca/
Translate-URL: https://hosted.weblate.org/projects/keycloak/keycloak-welcome-theme/ca/
Translation: Keycloak/Keycloak E-mail theme
Translation: Keycloak/Keycloak Login theme
Translation: Keycloak/Keycloak Welcome theme
Translation: Keycloak/Keycloak v2 Login theme
* Updated translation for Czech
Language: cs
Co-authored-by: Hosted Weblate <hosted@weblate.org >
Co-authored-by: Peter Schiffer <peter@pschiffer.eu >
Signed-off-by: Hosted Weblate <hosted@weblate.org >
Signed-off-by: Peter Schiffer <peter@pschiffer.eu >
* Updated translation for French
Language: fr
Updated translation for French
Language: fr
Updated translation for French
Language: fr
Updated translation for French
Language: fr
Updated translation for French
Language: fr
Updated translation for French
Language: fr
Updated translation for French
Language: fr
Co-authored-by: Alexander Schwartz <alexander.schwartz@gmx.net >
Co-authored-by: Hosted Weblate <hosted@weblate.org >
Co-authored-by: Sylvain Pichon <service@spichon.fr >
Signed-off-by: Alexander Schwartz <alexander.schwartz@gmx.net >
Signed-off-by: Hosted Weblate <hosted@weblate.org >
Signed-off-by: Sylvain Pichon <service@spichon.fr >
* Updated translation for Georgian
Language: ka
Updated translation for Georgian
Language: ka
Updated translation for Georgian
Language: ka
Co-authored-by: Hosted Weblate <hosted@weblate.org >
Co-authored-by: Temuri Doghonadze <temuri.doghonadze@gmail.com >
Signed-off-by: Hosted Weblate <hosted@weblate.org >
Signed-off-by: Temuri Doghonadze <temuri.doghonadze@gmail.com >
---------
Signed-off-by: Alexander Schwartz <alexander.schwartz@gmx.net >
Signed-off-by: Hosted Weblate <hosted@weblate.org >
Signed-off-by: Kohei Tamura <ktamura.biz.80@gmail.com >
Signed-off-by: Ecron <ecron_89@hotmail.com >
Signed-off-by: Jordi Mallach <jordi@mallach.net >
Signed-off-by: Peter Schiffer <peter@pschiffer.eu >
Signed-off-by: Sylvain Pichon <service@spichon.fr >
Signed-off-by: Temuri Doghonadze <temuri.doghonadze@gmail.com >
Co-authored-by: Alexander Schwartz <alexander.schwartz@gmx.net >
Co-authored-by: Kohei Tamura <ktamura.biz.80@gmail.com >
Co-authored-by: Ecron <ecron_89@hotmail.com >
Co-authored-by: Jordi Mallach <jordi@mallach.net >
Co-authored-by: Peter Schiffer <peter@pschiffer.eu >
Co-authored-by: Sylvain Pichon <service@spichon.fr >
Co-authored-by: Temuri Doghonadze <temuri.doghonadze@gmail.com >
2026-05-18 11:30:55 +02:00
Tomáš Kyjovský
17429c28ba
HAProxy re-encrypt documentation
...
Closes https://github.com/keycloak/keycloak/issues/48124.
Signed-off-by: Tomas Kyjovsky <tkyjovsk@ibm.com >
Signed-off-by: Tomáš Kyjovský <1867605+tkyjovsk@users.noreply.github.com >
Co-authored-by: Pedro Ruivo <pruivo@users.noreply.github.com >
2026-05-18 10:24:16 +02:00
Tomohiko Ozawa
42f3389fd6
Enable Enter key to trigger search in SearchInputComponent ( #49029 )
...
Signed-off-by: Tomohiko Ozawa <kota65535@gmail.com >
2026-05-18 10:19:45 +02:00
vsaranchuk
61cf8dd6b1
Fix Keycloak Connection Timeout Issue to Prevent Hanging Connections
...
Closes #47174
Signed-off-by: Vadym Saranchuk <vsaranchuk3@gmail.com >
Signed-off-by: vsaranchuk <vsaranchuk3@gmail.com >
Signed-off-by: Alexander Schwartz <alexander.schwartz@ibm.com >
Co-authored-by: Vadym Saranchuk <vsaranchuk3@gmail.com >
Co-authored-by: Alexander Schwartz <alexander.schwartz@ibm.com >
2026-05-18 09:55:21 +02:00
Martin Bartoš
5621e7f25e
UI should prevent admins from defining a dynamic client scope with type Default ( #48973 )
...
* UI should prevent admins from defining a dynamic client scope with type Default
Closes #22229
Signed-off-by: Martin Bartoš <mabartos@redhat.com >
* Add Alert, and change to non-dynamic scope
Signed-off-by: Martin Bartoš <mabartos@redhat.com >
* Unify the dynamic label usage
Signed-off-by: Martin Bartoš <mabartos@redhat.com >
---------
Signed-off-by: Martin Bartoš <mabartos@redhat.com >
2026-05-18 09:35:20 +02:00
Martin Bartoš
0981d2411c
RAR scope parsing should explicitly accept client reference ( #48981 )
...
Closes #48980
Closes #45716
Signed-off-by: Martin Bartoš <mabartos@redhat.com >
2026-05-18 08:48:37 +02:00
Šimon Vacek
f4a9bb3a65
Test migration util - Migrate timeoffset ( #48972 )
...
Closes : #48971
Signed-off-by: Simon Vacek <simonvacky@email.cz >
2026-05-18 07:43:02 +02:00
Lukas Hanusovsky
b5ca3a77cb
Test Migration tool - fixing MailServerRewrite ( #48959 )
...
Signed-off-by: Lukas Hanusovsky <lhanusov@redhat.com >
2026-05-18 07:20:30 +02:00
Lukas Hanusovsky
8f30fc76a2
Test Migration tool - adding AssertEvents Rewrite ( #48957 )
...
Signed-off-by: Lukas Hanusovsky <lhanusov@redhat.com >
2026-05-18 07:19:53 +02:00
Michal Vavřík
213ff9267b
chore(quarkus): remove reactive routes extension ( #49024 )
...
* Closes: https://github.com/keycloak/keycloak/issues/49023
Signed-off-by: Michal Vavřík <michal.vavrik@aol.com >
2026-05-15 13:28:11 -04:00
Palash Thakur
6d3dd321e7
Return invalid_client for introspection client auth failures
...
Closes #48721
Signed-off-by: Palash Thakur <117917450+palasht75@users.noreply.github.com >
2026-05-15 15:42:13 +02:00
Michal Vavřík
fc667a827a
chore(quarkus): only show OTel Metrics in community build ( #49002 )
...
* Closes: https://github.com/keycloak/keycloak/issues/48997
Signed-off-by: Michal Vavřík <michal.vavrik@aol.com >
2026-05-15 08:01:29 -04:00
Thomas Diesler
ce12c7184c
[OID4VCI] Add a client policy to require a credential offer ( #47286 )
...
closes #44317
Signed-off-by: Thomas Diesler <tdiesler@proton.me >
2026-05-14 17:04:36 +02:00
rmartinc
4cca6f7088
Allow using the parameter in the consent text for dynamic scopes
...
Closes #9915
Signed-off-by: rmartinc <rmartinc@redhat.com >
2026-05-14 10:30:23 -03:00
Umberto Toniolo
bc5444d082
Fix NPE in OrganizationGroupMembershipMapper when no organization scope is requested
...
OrganizationGroupMembershipMapper.resolveFromRequestedScopes() calls OrganizationScope.valueOfScope() which returns null when the request does not include an organization scope. The method then calls resolveOrganizations() on the null reference, causing a NullPointerException.
This mirrors the null guard already present in OrganizationMembershipMapper.
Closes #48834
Signed-off-by: Umberto Toniolo <amountainram@gmail.com >
2026-05-14 10:29:56 -03:00
Václav Muzikář
b817355646
Override org.postgresql:postgresql version ( #48991 )
...
Closes #48802
Signed-off-by: Václav Muzikář <vmuzikar@ibm.com >
2026-05-14 14:50:16 +02:00