
Merge branch 'main' into issue-24431
agagancarczyk authored Nov 6, 2023
2 parents c581b52 + 848e9fe commit 64136be
Showing 155 changed files with 1,649 additions and 4,008 deletions.
11 changes: 7 additions & 4 deletions .github/ISSUE_TEMPLATE/bug.yml
Expand Up @@ -5,11 +5,14 @@ body:
- type: checkboxes
attributes:
label: Before reporting an issue
description: Please search to see if the issue is already reported, and try to reproduce the issue on the latest release.
description: |
Please search to see if the issue is already reported, and try to reproduce the issue on the latest release.
Any reported issues must be reproducible in the [latest](https://github.com/keycloak/keycloak/releases/latest) or [nightly](https://github.com/keycloak/keycloak/releases/nightly) version of Keycloak.
**⚠️ Failing to follow these guidelines may result in your issue being closed without action. ⚠️**
options:
- label: I have searched existing issues
required: true
- label: I have reproduced the issue with the [latest nightly release](https://github.com/keycloak/keycloak/releases/tag/nightly)
- label: I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.
required: true
- type: dropdown
id: area
Original file line number Diff line number Diff line change
Expand Up @@ -20,7 +20,6 @@
import org.keycloak.adapters.spi.SessionIdMapper;
import org.keycloak.adapters.spi.SessionIdMapperUpdater;

import java.util.*;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.servlet.ServletContext;
Expand All @@ -32,6 +31,8 @@
import org.infinispan.persistence.remote.RemoteStore;
import org.jboss.logging.Logger;

import java.util.Set;

/**
*
* @author hmlnarik
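Review bot: The replacement `import java.util.Set;` at L47 is placed in a separate group after the `org.infinispan`/`org.jboss` imports rather than in the `java.*` group where the removed `java.util.*` line sat (L39, next to `javax.naming.InitialContext`), so the file now has `java.*` imports split across two groups. Moving the line up to `import java.util.Set;` directly before `import javax.naming.InitialContext;` keeps the import block grouped the way the rest of the file and the other files in this commit (for example TokenVerifier.java) are. The class body is outside the hunk.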
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,7 @@

import org.keycloak.adapters.spi.SessionIdMapper;

import java.util.*;
import java.util.Queue;
import java.util.concurrent.*;
import org.infinispan.Cache;
import org.infinispan.client.hotrod.annotation.ClientCacheEntryCreated;
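Review bot: `java.util.*` was narrowed to `java.util.Queue` at L59, but `import java.util.concurrent.*;` on the very next line is still a wildcard, so the hunk applies the no-wildcard-imports convention it is following only half-way. Replace it with the concrete `java.util.concurrent` types the class actually uses (not visible in this hunk), e.g. `import java.util.concurrent.ConcurrentHashMap;` and whichever others the body references, so the import block is consistent. The class body starts outside the hunk.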
2 changes: 1 addition & 1 deletion common/src/main/java/org/keycloak/common/Profile.java
Expand Up @@ -96,7 +96,7 @@ public enum Feature {

DEVICE_FLOW("OAuth 2.0 Device Authorization Grant", Type.DEFAULT),

TRANSIENT_USERS("Transient users for brokering", Type.PREVIEW),
TRANSIENT_USERS("Transient users for brokering", Type.EXPERIMENTAL),
;

private final Type type;
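Review bot: Demoting `TRANSIENT_USERS` from `Type.PREVIEW` to `Type.EXPERIMENTAL` at L71 changes how operators enable it, not just its label: as far as I can tell from Keycloak's feature handling (outside this hunk), preview features can be switched on as a group with `--features=preview` while experimental ones must be named individually, so a deployment that enabled transient-user brokering via the preview group would silently lose it after upgrading. None of the release-note or migration hunks visible in this commit mention the demotion; a short migration-notes entry stating that `transient-users` must now be enabled explicitly would save operators a surprise. A one-line comment on the constant stating the reason for the demotion, e.g. `// demoted to EXPERIMENTAL: not yet ready for preview-level stability guarantees` (with the real reason), would also help the next reader. The `Feature` enum continues outside the hunk.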
2 changes: 1 addition & 1 deletion common/src/test/java/org/keycloak/common/ProfileTest.java
Expand Up @@ -93,7 +93,7 @@ public void checkDefaults() {
disabledFeatures.add(Profile.Feature.KERBEROS);
}
assertEquals(profile.getDisabledFeatures(), disabledFeatures);
assertEquals(profile.getPreviewFeatures(), Profile.Feature.ACCOUNT3, Profile.Feature.ADMIN_FINE_GRAINED_AUTHZ, Profile.Feature.RECOVERY_CODES, Profile.Feature.SCRIPTS, Profile.Feature.TOKEN_EXCHANGE, Profile.Feature.DECLARATIVE_USER_PROFILE, Profile.Feature.CLIENT_SECRET_ROTATION, Profile.Feature.UPDATE_EMAIL, Profile.Feature.DPOP, Profile.Feature.TRANSIENT_USERS);
assertEquals(profile.getPreviewFeatures(), Profile.Feature.ACCOUNT3, Profile.Feature.ADMIN_FINE_GRAINED_AUTHZ, Profile.Feature.RECOVERY_CODES, Profile.Feature.SCRIPTS, Profile.Feature.TOKEN_EXCHANGE, Profile.Feature.DECLARATIVE_USER_PROFILE, Profile.Feature.CLIENT_SECRET_ROTATION, Profile.Feature.UPDATE_EMAIL, Profile.Feature.DPOP);
}

@Test
5 changes: 4 additions & 1 deletion core/src/main/java/org/keycloak/TokenVerifier.java
Expand Up @@ -33,7 +33,10 @@
import javax.crypto.SecretKey;

import java.security.PublicKey;
import java.util.*;
import java.util.Arrays;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.logging.Level;
import java.util.logging.Logger;

40 changes: 38 additions & 2 deletions docs/documentation/release_notes/topics/23_0_0.adoc
Expand Up @@ -19,7 +19,43 @@ https://github.com/tnorimat[Takashi Norimatsu] and https://github.com/dteleguin[
Keycloak has preview support for https://fidoalliance.org/passkeys/[Passkeys].

Passkey registration and authentication are realized by the features of WebAuthn.
Therefore, users of Keycloak can do passkey registration and authentication by existing WebAuthn registraton and authentication.
Therefore, users of Keycloak can do passkey registration and authentication by existing WebAuthn registration and authentication.

Both synced passkeys and device-bound passkeys can be used for both Same-Device and Cross-Device Authentication.
However, passkeys operations success depends on the user's environment. Make sure which operations can succeed in https://passkeys.dev/device-support/[the environment].
However, passkeys operations success depends on the user's environment. Make sure which operations can succeed in https://passkeys.dev/device-support/[the environment].
Thanks to https://github.com/tnorimat[Takashi Norimatsu] for the contribution and thanks to https://github.com/thomasdarimont[Thomas Darimont] for the help with the
ideas and testing of this feature.

= WebAuthn improvements

WebAuthn policy now includes a new field: `Extra Origins`. It provides better interoperability with non-Web platforms (for example, native mobile applications).
Thanks to https://github.com/akunzai[Charley Wu] for the contribution.

= RESTEasy Reactive

Keycloak has switched to RESTEasy Reactive. Applications using `quarkus-resteasy-reactive` should still benefit from a better startup time, runtime performance, and memory footprint, even though not using reactive style/semantics. SPI's that depend directly on JAX-RS API should be compatible with this change. SPI's that depend on RESTEasy Classic including `ResteasyClientBuilder` will not be compatible and will require update, this will also be true for other implementation of the JAX-RS API like Jersey.

= More flexibility for introspection endpoint

In previous versions, introspection endpoint automatically returned most claims, which were available in the access token. Now there is new
switch `Add to token introspection` on most of protocol mappers. This addition allows more flexibility as introspection endpoint can return different
claims than access token. This is first step towards "Lightweight access tokens" support as access tokens can omit lots of the claims, which would be still returned
by the introspection endpoint. When migrating from previous versions, the introspection endpoint should return same claims, which are returned from access token,
so the behavior should be effectively the same by default after the migration. Thanks to https://github.com/skabano[Shigeyuki Kabano] for the contribution.

= Feature flag for OAuth 2.0 device authorization grant flow

The OAuth 2.0 device authorization grant flow now includes a feature flag, so you can easily disable this feature. This feature is still enabled by default.
Thanks to https://github.com/thomasdarimont[Thomas Darimont] for the contribution.

= Group scalability improvements

Performance around searching of groups is improved for the use-cases with many groups and subgroups. There are improvements, which allow
paginated lookup of subgroups. Thanks to https://github.com/alice-wondered[Alice] for the contribution.

= User profile improvements

Declarative user profile is still a preview feature in this release, but we are working hard on promoting it to a supported feature. Feedback is welcome.
If you find any issues or have any improvements in mind, you are welcome to create https://github.com/keycloak/keycloak/issues/new/choose[Github issue],
ideally with label `area/user-profile`.

Binary file removed docs/documentation/server_admin/images/cache-tab.png
3 changes: 0 additions & 3 deletions docs/documentation/server_admin/topics/admin-console.adoc
Expand Up @@ -7,9 +7,6 @@ include::realms/proc-using-admin-console.adoc[leveloffset=1]
include::realms/master.adoc[leveloffset=2]
include::realms/proc-creating-a-realm.adoc[leveloffset=2]
include::realms/ssl.adoc[leveloffset=2][]
ifeval::[{project_product}==true]
include::realms/cache.adoc[leveloffset=2][]
endif::[]
include::realms/email.adoc[leveloffset=2]
include::realms/themes.adoc[leveloffset=2]
include::realms/proc-configuring-internationalization.adoc[leveloffset=2]
14 changes: 0 additions & 14 deletions docs/documentation/server_admin/topics/events/login.adoc
Expand Up @@ -171,17 +171,3 @@ You can exclude events by using the `--spi-events-listener-email-exclude-events`
kc.[sh|bat] --spi-events-listener-email-exclude-events=UPDATE_TOTP,REMOVE_TOTP
----

You can set a maximum length of each Event detail in the database by using the `--spi-events-store-jpa-max-detail-length` argument. This setting is useful if a detail (for example, redirect_uri) is long. For example:

[source,bash]
----
kc.[sh|bat] --spi-events-store-jpa-max-detail-length=1000
----

Also you can set a maximum length of all Event's details by using the `--spi-events-store-jpa-max-field-length` argument. This setting is useful if you want to adhere to the underlying storage limitation. For example:

[source,bash]
----
kc.[sh|bat] --spi-events-store-jpa-max-field-length=2500
----

16 changes: 0 additions & 16 deletions docs/documentation/server_admin/topics/realms/cache.adoc

This file was deleted.

Original file line number Diff line number Diff line change
Expand Up @@ -11,7 +11,13 @@
import java.io.FileOutputStream;
import java.io.IOException;
import java.net.URL;
import java.util.*;
import java.util.Map;
import java.util.List;
import java.util.Set;
import java.util.HashSet;
import java.util.LinkedList;
import java.util.HashMap;
import java.util.Properties;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

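Review bot: The explicit `java.util` imports introduced at L196-L202 are not in alphabetical order (`Map, List, Set, HashSet, LinkedList, HashMap, Properties`), unlike the other wildcard replacements in this commit (for example TokenVerifier.java), where the new imports are sorted. Sorting them as `HashMap, HashSet, LinkedList, List, Map, Properties, Set` keeps this file consistent with the rest of the change and with the default IDE/formatter ordering, so later edits do not produce spurious import diffs. The file name for this section is not visible on the page, and the class body is outside the hunk.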
Original file line number Diff line number Diff line change
Expand Up @@ -135,6 +135,13 @@ Stream<GroupModel> getTopLevelGroupsStream(RealmModel realm,

Endpoint `GET {keycloak server}/realms/{realm}/groups/{group_id}/children` added as a way to get subgroups of specific groups that support pagination

= RESTEeasy Reactive
Relying on RESTEasy Classic is not longer an option because it is not available anymore. Migration will be needed for SPI's and code that is relying on RESTEasy Classic and related packages part of `org.jboss.resteasy.spi.*`.

= Partial export requires manage-realm permission

The endpoint `POST {keycloak server}/realms/{realm}/partial-export` and the corresponding action in the admin console now require `manage-realm` permission for execution instead of `view-realm`. This endpoint exports the realm configuration into a JSON file and the new permission is more appropriate. The parameters `exportGroupsAndRoles` and `exportClients`, which include the realm groups/roles and clients in the export respectively, continue managing the same permissions (`query-groups` and `view-clients`).
The endpoint `POST {keycloak server}/realms/{realm}/partial-export` and the corresponding action in the admin console now require `manage-realm` permission for execution instead of `view-realm`. This endpoint exports the realm configuration into a JSON file and the new permission is more appropriate. The parameters `exportGroupsAndRoles` and `exportClients`, which include the realm groups/roles and clients in the export respectively, continue managing the same permissions (`query-groups` and `view-clients`).

= Removal of the options to trim the event's details length

Since this release, Keycloak supports long value for `EventEntity` details column. Therefore, it no longer supports options for trimming event detail length `--spi-events-store-jpa-max-detail-length` and `--spi-events-store-jpa-max-field-length`.
5 changes: 2 additions & 3 deletions docs/guides/getting-started/templates/first-app.adoc
Expand Up @@ -9,12 +9,11 @@ To secure the first application, you start by registering the application with y
. Fill in the form with the following values:
** *Client type*: `OpenID Connect`
** *Client ID*: `myclient`
+
image::add-client-1.png[Add Client]
. Click *Next*
. Confirm that *Standard flow* is enabled.
. Click *Next*.
+
image::add-client-1.png[Add Client]

. Make these changes under *Login settings*.
* Set *Valid redirect URIs* to `+https://www.keycloak.org/app/*+`
* Set *Web origins* to `+https://www.keycloak.org+`
2 changes: 1 addition & 1 deletion docs/guides/operator/customizing-keycloak.adoc
Expand Up @@ -45,7 +45,7 @@ spec:

[NOTE]
====
With custom images, every build time option passed either through a dedicated field or the `additionalOptions` is ignored.
With custom images, every build time option is passed either through a dedicated field or the `additionalOptions` is ignored.
====

</@tmpl.guide>
10 changes: 5 additions & 5 deletions docs/guides/server/caching.adoc
Expand Up @@ -14,7 +14,7 @@ The current distributed cache implementation is built on top of https://infinisp
== Enable distributed caching
When you start Keycloak in production mode, by using the `start` command, caching is enabled and all Keycloak nodes in your network are discovered.
By default, caches are using a `UDP` transport stack so that nodes are discovered using IP multicast transport based on UDP. For most production environments, there are better discovery alternatives to UDP available. Keycloak allows you to either choose from a set of pre-defined default transport stacks, or to define your own custom stack, as you will see later in this {section}.
By default, caches are using a UDP transport stack so that nodes are discovered using IP multicast transport based on UDP. For most production environments, there are better discovery alternatives to UDP available. Keycloak allows you to either choose from a set of pre-defined default transport stacks, or to define your own custom stack, as you will see later in this {section}.
To explicitly enable distributed infinispan caching, enter this command:
Expand Down Expand Up @@ -156,7 +156,7 @@ To apply a specific cache stack, enter this command:

<@kc.build parameters="--cache-stack=<stack>"/>

The default stack is set to `UDP` when distributed caches are enabled.
The default stack is set to `udp` when distributed caches are enabled.

=== Available transport stacks

Expand All @@ -181,9 +181,9 @@ The following table shows transport stacks that are available using the `--cache

=== Additional transport stacks
The following table shows transport stacks that are supported by Keycloak, but need some extra steps to work.
Note that _none_ of these stacks are Kubernetes / OpenShift stacks, so no need exists to enable the "google" stack if you want to run Keycloak on top of the Google Kubernetes engine.
Note that _none_ of these stacks are Kubernetes / OpenShift stacks, so no need exists to enable the `google` stack if you want to run Keycloak on top of the Google Kubernetes engine.
In that case, use the `kubernetes` stack.
Instead, when you have a distributed cache setup running on AWS EC2 instances, you would need to set the stack to `ec2`, because ec2 does not support a default discovery mechanism such as `UDP`.
Instead, when you have a distributed cache setup running on AWS EC2 instances, you would need to set the stack to `ec2`, because ec2 does not support a default discovery mechanism such as UDP.

[%autowidth]
|===
Expand All @@ -197,7 +197,7 @@ Instead, when you have a distributed cache setup running on AWS EC2 instances, y
Cloud vendor specific stacks have additional dependencies for Keycloak.
For more information and links to repositories with these dependencies, see the https://infinispan.org/docs/dev/titles/embedding/embedding.html#jgroups-cloud-discovery-protocols_cluster-transport[Infinispan documentation].

To provide the dependencies to Keycloak, put the respective JAR in the `providers` directory and `build` Keycloak by entering this command:
To provide the dependencies to Keycloak, put the respective JAR in the `providers` directory and build Keycloak by entering this command:

<@kc.build parameters="--cache-stack=<ec2|google|azure>"/>

2 changes: 1 addition & 1 deletion docs/guides/server/fips.adoc
Expand Up @@ -264,7 +264,7 @@ earlier. If you prefer to avoid this option, you can for instance ask all your u

== Keycloak FIPS mode on the non-fips system

Keycloak is tested on a FIPS enabled RHEL 8 system and `ubi8` image. It is supported with RHEL 9 (and `ubi9` image) as well. Running on
Keycloak is supported and tested on a FIPS enabled RHEL 8 system and `ubi8` image. It is supported with RHEL 9 (and `ubi9` image) as well. Running on
the non-RHEL compatible platform or on the non-FIPS enabled platform, the FIPS compliance cannot be strictly guaranteed and cannot be officially supported.

If you are still restricted to running Keycloak on such a system, you can at least update your security providers configured in `java.security` file. This update does not amount to FIPS compliance, but
4 changes: 2 additions & 2 deletions js/apps/account-ui/package.json
Expand Up @@ -22,14 +22,14 @@
"react-dom": "^18.2.0",
"react-hook-form": "^7.47.0",
"react-i18next": "^13.3.1",
"react-router-dom": "^6.15.0",
"react-router-dom": "^6.18.0",
"ui-shared": "workspace:*"
},
"devDependencies": {
"@keycloak/keycloak-admin-client": "workspace:*",
"@playwright/test": "^1.39.0",
"@types/lodash-es": "^4.17.10",
"@types/react": "^18.2.33",
"@types/react": "^18.2.34",
"@types/react-dom": "^18.2.14",
"@vitejs/plugin-react-swc": "^3.4.1",
"lightningcss": "^1.22.0",
2 changes: 1 addition & 1 deletion js/apps/account-ui/playwright.config.ts
Expand Up @@ -9,7 +9,7 @@ export default defineConfig({
forbidOnly: !!process.env.CI,
retries: process.env.CI ? 2 : 0,
workers: 1,
reporter: process.env.CI ? "github" : "list",
reporter: process.env.CI ? [["github"], ["html"]] : "list",
use: {
baseURL: process.env.CI
? "http://localhost:8080/realms/master/account/"
2 changes: 1 addition & 1 deletion js/apps/account-ui/src/root/ErrorPage.tsx
Expand Up @@ -50,7 +50,7 @@ function getErrorMessage(error: unknown): string | null {
}

if (isRouteErrorResponse(error)) {
return error.error ? getErrorMessage(error.error) : null;
return error.statusText;
}

if (error instanceof Error) {
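Review bot: `return error.statusText;` at L342 can hand back an empty string, which `getErrorMessage`'s `string | null` signature treats differently from the `null` the replaced line returned when there was nothing to show; `statusText` is empty for responses constructed without one and is typically empty on HTTP/2, so the page would display a blank message instead of taking whatever fallback the caller applies on `null`. Normalising with `return error.statusText || null;` keeps the "no message" contract. `statusText` also originates from the server response rather than from the app, so the caller should keep rendering it as text, never as markup. The body of `getErrorMessage` continues outside the hunk.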
1 change: 0 additions & 1 deletion js/apps/admin-ui/cypress/e2e/i18n_test.spec.ts
Expand Up @@ -134,7 +134,6 @@ describe("i18n tests", () => {

goToUserFederationPage();

// check key "user-federation:addProvider_other"
providersPage.assertCardContainsText("ldap", "Add Ldap providers");
});

Original file line number Diff line number Diff line change
Expand Up @@ -213,7 +213,6 @@ describe("User profile tabs", () => {
cy.get(".pf-c-form__label-text")
.contains("newAttribute2")
.should("not.exist");
cy.findByTestId("firstName").type("testuser9");
cy.findByTestId("email").clear();
cy.findByTestId("email").type("[email protected]");
cy.findByTestId("save-user").click();
4 changes: 2 additions & 2 deletions js/apps/admin-ui/package.json
Expand Up @@ -83,7 +83,7 @@
"react-error-boundary": "^3.1.4",
"react-hook-form": "^7.47.0",
"react-i18next": "^13.3.1",
"react-router-dom": "^6.15.0",
"react-router-dom": "^6.18.0",
"reactflow": "^11.9.4",
"ui-shared": "workspace:*",
"use-react-router-breadcrumbs": "^4.0.1"
Expand All @@ -96,7 +96,7 @@
"@types/dagre": "^0.7.51",
"@types/file-saver": "^2.0.6",
"@types/lodash-es": "^4.17.10",
"@types/react": "^18.2.33",
"@types/react": "^18.2.34",
"@types/react-dom": "^18.2.14",
"@types/uuid": "^9.0.6",
"@vitejs/plugin-react-swc": "^3.4.1",
Original file line number Diff line number Diff line change
@@ -1,3 +1,4 @@
import { fetchWithError } from "@keycloak/keycloak-admin-client";
import type AuthenticationFlowRepresentation from "@keycloak/keycloak-admin-client/lib/defs/authenticationFlowRepresentation";
import RealmRepresentation from "@keycloak/keycloak-admin-client/lib/defs/realmRepresentation";
import {
Expand Down Expand Up @@ -101,7 +102,7 @@ export default function AuthenticationSection() {
]);

const loader = async () => {
const flowsRequest = await fetch(
const flowsRequest = await fetchWithError(
`${addTrailingSlash(
adminClient.baseUrl,
)}admin/realms/${realmName}/ui-ext/authentication-management/flows`,
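Review bot: `realmName` is interpolated into the request path unencoded at L403 (`admin/realms/${realmName}/ui-ext/...`); if a realm name can contain reserved characters such as `/`, `?`, `#` or `%`, the request goes to a different path or fails outright. Using `encodeURIComponent(realmName)` in the template costs nothing and keeps the loader correct regardless of what the server accepts as a realm name. The switch to `fetchWithError` presumably turns non-2xx responses into a rejected promise rather than a response object; whether the loader handles that rejection cannot be seen here, since `loader` continues past L403 and `AuthenticationSection` starts before L395.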
Original file line number Diff line number Diff line change
Expand Up @@ -69,7 +69,7 @@ export const EmptyExecutionState = ({
<Title headingLevel="h2" size={TitleSizes.md}>
{t(`${section}Title`)}
</Title>
<p>{t(`authentication-help:${section}`)}</p>
<p>{t(section)}</p>
</FlexItem>
<Flex alignSelf={{ default: "alignSelfCenter" }}>
<FlexItem>
2 changes: 1 addition & 1 deletion js/apps/admin-ui/src/authentication/policies/PolicyRow.tsx
Expand Up @@ -45,7 +45,7 @@ export const PolicyRow = ({
labelIcon={
<HelpItem
helpText={t(`passwordPoliciesHelp.${id}`)}
fieldLabelId={`authentication:${id}`}
fieldLabelId={id!}
/>
}
>
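Review bot: `fieldLabelId={id!}` at L423 uses a non-null assertion to satisfy the prop type instead of handling the case where `id` is undefined; the replaced template literal would have yielded the string `authentication:undefined` in that case, so neither version deals with a missing id, but the new one also hides it from the type checker. If every rendered policy row has an id, tighten the type of `id` in `PolicyRow`'s props so the `!` is unnecessary; otherwise handle it explicitly, e.g. `fieldLabelId={id ?? ""}` or skip rendering the `HelpItem` when `id` is absent, whichever matches what `HelpItem` expects (its prop type is not visible here). The component continues outside the hunk.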