…quest algorithms matching FAPI compliant algorithms

…lude auth_time claim

UserProfile Provider

…t as audience

…needs to be evaluated on CIBA backchannel authentication request and token request

…tion should allow Backchannel Authentication endpoint as audience

…ype=code when using JARM and response_mode=jwt

…tion

… to be evaluated on PAR endpoint

… user authentication is not successfully completed

- Fix `oauthGrantTitle` typo error

This reverts commit 3e07ca3

…pStorage

…ecutor needs to be executed on CIBA token request

…signed authentication request

…ror=invalid_client if client authentication is not successfully completed on Backchannel Authentication endpoint

…s sent by clients and JWK does not hold an algorithm

even though the "return null" at the top of the method is called if no truststore is set, the finally block is still executed. And since the keystore is not there an NPE is thrown when calling the remove method.

…ForChanges to CHM transaction

Signed-off-by: ruromero <[email protected]>

…roperty names

…r api

…tadata section

…t on Backchannel Authentication endpoint

… pipeline

…aluated on CIBA backchannel authentication request and token request

…the OIDC adapter schemas

* added group as attribute metadata
* validation for groups and references to groups
* adapted template to use show attribute groups
* test and integration tests for attribute groups

…r to CHM)

The LDAPOperationManager does not encode GUID correctly when looking up
federated users from Novell eDirectory.

The correct encoding can be found here:
https://support.novell.com/docs/Tids/Solutions/10096551.html

…RL should fail

…s grant. Client policies support for client credentials grant

…final server distribution

…tionSession when MSAD requires user to change password

…he discovery document

…ant clients

…ly attributes

… in URIs

- Makes adapters bahavior consistent with containers that allow unescaped characters in URIs

…icated wrong expiration

Czech translations for base login theme:
themes/src/main/resources-community/theme/base/login/messages/messages_cs.properties

Co-Authored-By: dklika <[email protected]>
Co-Authored-By: Hynek Mlnařík <[email protected]>

…ypes

…t to user

…older

while working on cordova+angular+ios the keycloak logout is not working. as the user clicks logout the user can again see the app instead of the inappbrowser page for login.
with clearcache=yes in the inappbrowser open the issue appears no more.

NPE when existing user from LDAP is found (same LDAP_ID, but with changed username) and session.userCache() is null.

If you register without an password or delete your last token your account can be hijacked. This is can be done by simply trying to login in that moment where the account is without a token. You get the "normal" registration dialog and can capture the complete account.

…null when remove or modify username mapper

… contains some required actions

Previously the group search did not apply a given search query as filter
for groups along the group path.

We now filter the found groups with the given group search query if present.

…anup test, skip tests on map storage provider feature

Signed-off-by: Thomas Darimont <[email protected]>

Signed-off-by: Thomas Darimont <[email protected]>

…sage

…key loading method

…y of the timestamps

…cheInitializer

texts in pattern and length validators

…oundsException when there is more then one href in a sanitized message

github => bitbucket

…ntModificationException

This avoids a ConcurrentModificationException to be thrown in UserResource.getConsents()
calls that got introduced in 4e8b18f by filtering
the resulting stream explicitly instead of removing items from the collection
that we iterate over, which triggered the CME in the first place.

Signed-off-by: Thomas Darimont <[email protected]>

…s consents

Signed-off-by: Thomas Darimont <[email protected]>