Pull Request Explorer

Summary

Hide client selection when realm roles mapping enabled

This change removes the client selection UI when realm roles mapping is active, simplifying the LDAP mapper configuration for administrators. It reduces confusion and streamlines the admin experience.

Health Assessment

• • The PR took over four days to review, indicating potential communication delays or complexity in the UI change.

Summary

Cache wireit to avoid recreating bindings each build

Adds caching to the Wireit build process to reduce CI build time by reusing bindings across builds, improving developer productivity.

Health Assessment

• • The PR required over 6 days to merge with multiple review comments and rework, indicating slow feedback loops. The change is small but involved several CI workflow updates, causing moderate review friction.

Summary

Add per-org FGAP filtering to organization endpoint

Ensures organization membership queries respect per-organization FGAP permissions, improving security and correct data exposure.

Health Assessment

• • Quick fix with minimal changes, resolved within same day, indicating efficient review and low complexity.

Summary

Fix permission check for organization group members endpoint

Ensures that the organization group members endpoint enforces user permissions, preventing unauthorized access and aligning with security requirements.

Health Assessment

• • Quick fix with minimal changes, resolved within a single review cycle.

Summary

Remove startup time check in rt reuse validation

Fixes a bug that incorrectly prevented token reuse during startup, improving authentication reliability.

Health Assessment

• • Quick fix with minimal changes, resolved within hours, indicating efficient review and low complexity.

Summary

Remove startup time check in rt reuse validation

Eliminates unnecessary startup time validation during refresh token reuse, reducing latency for token issuance.

Health Assessment

• • Quick fix with minimal changes, merged within 2 hours of opening, indicating low complexity and high confidence.

Summary

Add validation on Authorization Header with Bearer for client registration

Adds validation to ensure client registration requests include a Bearer token in the Authorization header, improving security for client registration flows.

Health Assessment

• • Fast cycle time and minimal review rounds indicate a straightforward change with low risk.

Summary

Add validation on Authorization Header with Bearer for client registration

Ensures client registration requests include a Bearer token in the Authorization header, strengthening security for client registration flows.

Health Assessment

• • Fast cycle time and minimal review rounds indicate a straightforward, low-risk change.

Summary

Extend Credential Offer Lifespan to 300 Seconds

Adjusts the default credential offer lifespan to reduce premature expiration, improving user experience for OID4VCI flows.

Health Assessment

• • Long review cycle indicates low priority or complexity; single commit suggests minimal rework after approval.

Summary

Fix Kubernetes JWT test on OpenShift

Ensures integration tests pass on OpenShift by adjusting token expectations, improving CI reliability.

Health Assessment

• • Long cycle time due to delayed review, but minimal code changes and low risk.

Summary

Fix Verify_email action for users with email

Ensures the Verify Email required action is only added when a user has an email address, preventing unnecessary prompts for users without email.

Health Assessment

• • Single commit, fast review, minimal changes, low risk.

Summary

Clean up ExportImport test JSON files

Improves test maintainability by removing duplicate JSON objects and reorganizing test resources.

Health Assessment

• • Quick turnaround with minimal rework; test cleanup improved maintainability.

Summary

Add HTTPS settings inheritance and overrides

Enables management endpoints to inherit HTTPS configuration, improving security consistency and allowing custom overrides.

Health Assessment

• • The PR introduced a substantial change to HTTPS configuration for management endpoints, requiring several rounds of review and rework, indicating moderate complexity and potential impact on security settings.

Summary

Add db_url_properties support for Oracle

Enables Oracle database configuration via db_url_properties, simplifying TLS test setup and improving consistency across data sources.

Health Assessment

• • The PR required multiple review rounds and a significant TLS test cleanup, indicating moderate complexity but ultimately resolved without blockers.

Summary

Fix AbstractPermissionTest inconsistency

Resolves flaky test issue in Keycloak's test framework

Health Assessment

• • Quick merge after a single review, indicating a straightforward fix

Summary

Use appropriate HTTP status codes in broker callback error responses

This change ensures broker callback error responses use correct HTTP status codes, improving error handling and client compatibility.

Health Assessment

• • Long review time indicates possible blocker or low priority; small scope suggests low risk.

Summary

Resolve CORS header reflection vulnerability

Removes a security flaw that allowed attackers to manipulate CORS headers via unverified JWT claims, strengthening token endpoint security.

Health Assessment

• • The PR had a long review cycle and slow response, indicating potential bottlenecks in security review process. The change was small but critical, and the review took over 3 days, suggesting a need for faster triage of security patches.

Summary

Validate sequence length against the remaining elements in the buffer

Ensures LDAP sequence decoding correctly validates buffer length, preventing potential buffer overrun vulnerabilities.

Health Assessment

• • Quick resolution with minimal changes, indicating a straightforward bug fix with low risk.

Summary

Add External ID to Email Verification Key

Ensures email verification tokens include external ID, improving account linking accuracy and preventing mismatches.

Health Assessment

• • PR took over 3 days to merge with a single review, indicating a slow review process but minimal rework.

Summary

Limit backoff retry to the specified timeout

This change caps retry backoff to a defined timeout, preventing indefinite retries and improving system stability for users.

Health Assessment

• • The PR required a single review cycle and modest code changes, but the overall cycle time of over a week suggests a delayed review process rather than technical complexity.

Summary

Stop logging full PostgreSQL SQL statements

Reduces log verbosity and protects sensitive data by omitting query values.

Health Assessment

• • Quick resolution with minimal changes, indicating a straightforward fix.

Summary

Migrate AccountRestServiceTest to new framework

Migrates account service tests to a new test framework, improving maintainability and reducing legacy code.

Health Assessment

• • PR required multiple review rounds and significant rework, indicating complexity and potential risk.

Summary

Clamp time policy inputs to minimum

Prevents negative or invalid time policy values in admin UI, ensuring accurate configuration and reducing user errors.

Health Assessment

• • Long cycle time indicates delayed review; small change but took 4+ days to merge.

Summary

Remove startup time check in token reuse validation

Eliminates startup time validation for refresh token reuse, simplifying session handling and improving reliability.

Health Assessment

• • Single commit with minimal changes, quick review and merge, indicating low complexity and risk.

Summary

Add Bearer token validation for client registration

Enhances security by enforcing Bearer token authentication on client registration endpoints, preventing unauthorized registrations.

Health Assessment

• • The PR required over 3 days for review and merge, indicating a slow process, but involved only a moderate amount of code and tests with no significant rework.

Summary

Store authentication session in the database

Adds persistent storage for authentication sessions using JPA and Infinispan, enabling sessions to survive restarts and improving reliability for production deployments.

Health Assessment

• • The PR introduced extensive changes to session persistence, requiring a single review cycle and a moderate review time, indicating moderate complexity but no significant back‑and‑forth.

Summary

Fix French translation for credentials related events

Corrects French email messages for credential events, improving user communication.

Health Assessment

• • The PR had a moderate review delay but minimal changes, indicating a straightforward fix with low risk.

Summary

Migrate OID4VCI export/import tests to new framework

Updates OID4VCI export/import tests to a dedicated test suite, enhancing test stability and simplifying future maintenance. This change ensures more reliable validation of credential offer creation and import/export flows.

Health Assessment

• • Fast cycle time and single review round indicate low complexity and high confidence in the test refactoring.

Summary

Update translations via Hosted Weblate

Adds updated language translations for Keycloak UI, improving internationalization and user experience.

Health Assessment

• • The PR took over five days to merge with no early review, indicating a slow process but low technical risk.

Summary

Slow start for HAProxy

Provides updated HAProxy configuration guides to improve deployment reliability and security for Keycloak users.

Health Assessment

• • Quick documentation update with minimal changes, merged within 13 hours.

Summary

Avoid iterating over cached sessions when user removed

This change improves performance and reliability by preventing unnecessary iteration over cached sessions when a user is removed, reducing memory usage and potential errors.

Health Assessment

• • The PR had a long cycle time but minimal review friction, indicating a straightforward change that was delayed by other factors.

Summary

Delegate JWK claim validation to signature provider factories

Dynamic SPI-driven approach replaces hardcoded claims, improving flexibility and security for OID4VCI JWT validation. Unit tests confirm correct claim detection across algorithms.

Health Assessment

• • The PR took over 11 days to merge, with a single review cycle and moderate scope, indicating a cautious but straightforward integration.

Summary

Migrate ClientRegistrationTest to new tests module

Reorganizes client registration tests into a new module, enhancing maintainability and reducing build times.

Health Assessment

• • PR completed quickly with a single review and no rework, indicating a straightforward test refactor.

Summary

Pass OID4VCI HAIP happy flow

Enhances OIDC4VC issuer security by adding certificate headers, DPoP support, and nonce usage, ensuring stronger authentication and compliance.

Health Assessment

• • The PR required a rebase and multiple review comments, causing a long cycle time but a single commit and moderate scope.

Summary

Enforce user profile permissions on group endpoints

Ensures sensitive user attributes are hidden from admin views, aligning with security policy and reducing data leakage risk.

Health Assessment

• • The PR required over four days for review and merge, with a large code change affecting multiple endpoints and tests, indicating significant review friction and potential risk.

Summary

Fix medium‑severity npm dependency vulnerabilities

Removes security vulnerabilities in transitive npm dependencies by updating or overriding packages, ensuring safer runtime for Keycloak.

Health Assessment

• • Quick resolution of security vulnerabilities with minimal changes and no review back‑and‑forth.

Summary

Move database writes to current transaction

Ensures that all database writes occur within the current transaction, improving data consistency and reducing race conditions during session persistence.

Health Assessment

• • The PR required multiple iterations and a significant number of commits to address flaky tests and review feedback, indicating moderate complexity and potential risk to stability.
• • Cycle time of nearly four days suggests a slower resolution compared to typical PRs.

Summary

Fix NullPointerException in UMA permission grant

Resolves a crash when stale permission tickets reference removed scopes, improving stability for authorization services.

Health Assessment

• • Single small bugfix with quick review but long cycle due to scheduling and backlog.

Summary

Account resource sharing resolves recipient by username before email

Fixes a bug where resource sharing incorrectly resolved recipients by username before email, potentially granting access to the wrong user.

Health Assessment

• • Long review time indicates delayed review; single commit suggests minimal rework; small scope but critical security fix.

Summary

Document Kubernetes limitations

Adds documentation on Kubernetes limitations for the Keycloak operator, improving operator deployment guidance.

Health Assessment

• • Merged within 4 hours with a single review, indicating a straightforward documentation update with minimal impact.

Summary

Fix account sharing recipient resolution bug

Corrects a bug where resource sharing incorrectly resolved recipients by username before email, preventing unauthorized access.

Health Assessment

• • Long review cycle indicates delayed feedback; small scope suggests straightforward fix but delayed due to review backlog.

Summary

Update uuid dependency to >=13.0.1

This PR updates the uuid library to a newer version, addressing security and compatibility issues.

Health Assessment

• • Quick dependency bump with minimal review, indicating low risk and high confidence.

Summary

Clear thread local variable before returning from async response

Fixes thread local leakage in async responses, improving stability and resource cleanup.

Health Assessment

• • Quick fix with minimal changes, approved in a single review, indicating low complexity and risk.

Summary

Clear thread local variable before returning from async response

Ensures thread‑local state is cleared after async SAML responses, preventing stale data leakage and improving reliability.

Health Assessment

• • Quick resolution with minimal changes, indicating a straightforward bug fix with low risk.

Summary

Update uuid dependency to >=13.0.1

Bumps the uuid library to the latest major version, improving security and compatibility for the admin UI and theme packages.

Health Assessment

• • Fast cycle time and minimal changes indicate a low-risk dependency update.

Summary

Improve token endpoint parameter handling

Enhances security and compatibility of token requests by ensuring correct parameter validation, reducing errors for clients.

Health Assessment

• • Review took over 66 hours, indicating a lengthy review process, but the single commit and lack of rework suggest the change was straightforward and accepted after a thorough review.

Summary

Improve token endpoint parameter handling

Enhances security and compatibility by correctly processing token parameters, ensuring robust authentication flows.

Health Assessment

• • The PR had a long review cycle with minimal iterations, indicating potential complexity or oversight in initial submission.

Summary

Update uuid dependency to >=13.0.1

Bumps the uuid library to version 13.0.1 or higher, ensuring compatibility and security updates for the Keycloak admin UI.

Health Assessment

• • Merged within 0.9 hours after a 0.2 hour review, indicating a straightforward, low‑risk dependency update.

Summary

Update to simple-git 3.36.0

Bumps simple-git to 3.36.0 to incorporate security and bug fixes, maintaining compatibility and stability for Keycloak deployments.

Health Assessment

• • Quick dependency bump with minimal changes, merged within an hour, indicating low complexity and risk.

Summary

Update to simple-git 3.36.0

Updates the simple-git dependency to version 3.36.0, ensuring compatibility and security fixes.

Health Assessment

• • Quick merge with no review comments indicates a straightforward dependency bump.