Pull Request Explorer

Summary

Migrate ExportImportTest and related files

Reorganizes and updates export/import tests to improve reliability and maintainability of Keycloak's authorization features.

Health Assessment

• • The PR involved extensive test refactoring, requiring multiple review cycles and a long cycle time, indicating significant effort and potential integration complexity.

Summary

Upgrade to Quarkus 3.27.4

Upgrades Keycloak to Quarkus 3.27.4, resolving issues #49332 and #48805.

Health Assessment

• • Quick review and approval process despite a classloading issue mentioned by a reviewer.

Summary

Remove legacy PreAuthorizedGrantTest

This PR removes an obsolete pre‑authorized grant test, consolidating coverage into the newer OID4VC test suite and simplifying the test codebase.

Health Assessment

• • Quick review and merge, minimal changes, no blockers.

Summary

Remove test credential mappers JSON

Clean up obsolete test resources, reducing test suite size.

Health Assessment

• • Fast merge with single approval, indicating a straightforward cleanup.

Summary

Add internal readonly attributes for ADMIN_API context

Ensures internal readonly attributes are available when not explicitly set in ADMIN_API context, improving data consistency and security.

Health Assessment

• • Quick turnaround with minimal rework indicates a straightforward bug fix with clear intent.

Summary

Account API: Ignore userManagedAccessAllowed setting

Fixes resource sharing endpoints to correctly respect realm-level user access settings, improving security and consistency.

Health Assessment

• • The PR had a long cycle time with no review activity, indicating a bottleneck in the review process despite the small scope of the change.

Summary

Account API ignores userManagedAccessAllowed setting

Fixes account API to correctly respect realm setting for resource sharing, improving security and consistency.

Health Assessment

• • Long cycle time indicates delayed review; minimal changes suggest low complexity.

Summary

Fix missing server-side WebAuthn validation

Addresses a critical security flaw by adding server‑side validation for WebAuthn credential registration, preventing potential credential spoofing.

Health Assessment

• • Rapid resolution of a critical CVE with minimal review, indicating efficient security patching.

Summary

Fix missing server‑side WebAuthn validation

Adds critical server‑side checks for WebAuthn credential registration, eliminating a CVE‑level vulnerability that could allow credential spoofing.

Health Assessment

• • Merged within 2.5 hours with a single approval, indicating a high‑priority security fix with minimal review friction.

Summary

Increase token parameter size limit to 20000 characters

Expands the maximum size of the 'token' parameter in the OIDC token endpoint, allowing larger tokens and enforcing fail-fast behavior when limits are exceeded.

Health Assessment

• • Fast review and merge with minimal rework; medium scope change improves token handling without impacting other components.

Summary

Migrate LDCredentialSignerTest to new framework

Refactors OID4VCI signing tests to use a new framework, improving reliability. Removes legacy test helpers, reducing maintenance overhead.

Health Assessment

Summary

Enable dynamic scopes in TokenManager

Ensures dynamic scopes are correctly validated, improving CIBA authentication flow and preventing authorization failures.

Health Assessment

• • Resolved a critical CIBA scope validation issue with minimal rework and fast review turnaround.

Summary

Fix error log for unoptimized image

Corrects logging behavior when deploying unoptimized images, ensuring accurate error reporting.

Health Assessment

• • Quick fix with minimal changes, fast review and merge, indicating low complexity and risk.

Summary

Fix Themes cross-reference

Corrects broken documentation links for themes, ensuring developers find accurate guidance and reducing confusion.

Health Assessment

• • Documentation update with minimal changes, quick review turnaround, low risk.

Summary

Update CI action dependencies

Bumps several GitHub Actions to newer versions, ensuring CI pipelines use up-to-date tooling.

Health Assessment

• • Dependabot PR updated CI action dependencies; merged after a long review period with no review comments, indicating low complexity but delayed merge.

Summary

Fix Themes cross-reference

Corrects documentation cross‑references for Keycloak themes, improving clarity for administrators.

Health Assessment

• • Quick documentation fix with minimal changes and a single review, indicating low complexity and fast turnaround.

Summary

Add WebAuthn server-side validations for credential registration

Fixes a critical security vulnerability by adding server‑side checks for WebAuthn credential registration, ensuring only valid signatures and authenticators are accepted, reducing risk of credential spoofing.

Health Assessment

• • The PR was reviewed after a long wait but required minimal changes, indicating a straightforward security fix with low complexity.

Summary

Store OID4VCI credential offer once

Adds efficient storage of credential offers by embedding offer ID in nonce, reducing lookup overhead and improving performance.

Health Assessment

• • Quick approval with minimal changes indicates a straightforward enhancement with low risk to the codebase.

Summary

Add REST API for issued credentials

Enables users to view and revoke issued verifiable credentials via the Account REST API.

Health Assessment

• • Fast cycle time with single review, minimal rework, straightforward addition of new API endpoints.

Summary

Add cleanup method for ManagedRealm, remove attachTo

Improves test framework reliability by ensuring client cleanup and simplifying client attachment logic.

Health Assessment

• • PR had a quick review and single commit, but large code churn indicates significant refactoring of the test framework.

Summary

Fix error log for unoptimized image

Ensures deployment tests pass when using custom unoptimized images, improving reliability of operator integration tests.

Health Assessment

• • Quick fix with minimal changes, approved in a single review, indicating low complexity and risk.

Summary

Upgrade to Quarkus 3.33.2

Keycloak is upgraded to Quarkus 3.33.2, enhancing performance, security, and compatibility with modern Java ecosystems.

Health Assessment

• • Fast cycle time and quick approvals indicate a straightforward dependency upgrade with minimal risk.

Summary

Remove persistent sessions worker code

Eliminates legacy persistent session worker code, simplifying session handling and reducing potential bugs, improving system stability.

Health Assessment

• • The PR removed a substantial amount of legacy code, required multiple commits, and had a slow review cycle, indicating moderate complexity and potential risk to stability.

Summary

Correct option name for truststore type in mTLS guide

Fixes a documentation typo to improve clarity for users configuring mutual TLS.

Health Assessment

• • Rapid approval indicates minimal impact; documentation fix with no code changes.

Summary

Migrate JWTVCIssuerWellKnownProviderTest to new framework

Updates test suite to use new framework, improving test reliability and maintainability.

Health Assessment

• • Quick turnaround with single approval, indicating straightforward test migration.

Summary

Migrate OID4VCSdJwtIssuingEndpointTest to JUnit 5

Updates test framework for OID4VCI issuance endpoint, improving test reliability and aligning with current testing standards.

Health Assessment

• • Fast cycle time and single review round indicate smooth process; test refactor with minimal risk.

Summary

Add form revert logic for tab providers

Adds a revert button for tab providers in the admin UI, preventing unintended redirects and preserving form state.

Health Assessment

• • PR was reviewed quickly with minimal changes, indicating a straightforward implementation.

Summary

Add subject to email template attributes

Allows email templates to include a subject line, improving clarity and consistency for users.

Health Assessment

• • Quick turnaround with single commit and immediate approval indicates a straightforward change.

Summary

Cleanup issued verifiable credentials on entity deletion

Ensures that when related entities are removed, associated verifiable credentials are cleaned up, preventing orphaned data and improving data integrity.

Health Assessment

• • PR merged quickly with minimal changes and approvals, indicating low complexity and high confidence in the fix.

Summary

Ensure expiresAt set for issued credentials

Adds expiration timestamp to issued credentials, improving security and compliance.

Health Assessment

• • Quick approval with minimal changes indicates a straightforward bug fix.

Summary

Upgrade to Quarkus 3.33.2

Keycloak is upgraded to Quarkus 3.33.2, enhancing performance, security, and compatibility with the latest Java ecosystem.

Health Assessment

• • Fast review and merge with minimal changes, indicating low risk and high confidence.

Summary

Add Default Trust IDP admin console configuration

Adds a dedicated admin console configuration view for the Default Trust identity provider, reusing consistent JWKS settings and hiding irrelevant fields to streamline admin workflows.

Health Assessment

• • The PR was reviewed and merged within 5 hours, indicating efficient collaboration. The large code changes were handled with minimal back‑and‑forth.

Summary

Clear thread local variable before returning from async response

This change clears a thread‑local variable in the SAML service before returning from an async response, preventing memory leaks and ensuring thread safety in concurrent environments.

Health Assessment

• • The PR had a long review cycle, likely due to the need to understand thread‑local behavior in async contexts, but the change itself is minimal and low risk.

Summary

Migrate OID4VCAuthorizationCodeFlowWithPARTest to new framework

Updates the OID4VCI test to use the new framework, ensuring compatibility and improved test reliability.

Health Assessment

• • Quick review and merge indicate a straightforward test migration with minimal impact.

Summary

Migrate OID4VCCredentialOfferCorsTest to new framework

This PR updates the OID4VCCredentialOfferCorsTest to use the new testing framework, improving test reliability and reducing maintenance overhead for the OID4VCI protocol.

Health Assessment

• • Quick approval with minimal changes indicates a straightforward refactor with low risk.

Summary

Polish OID4VCI client scope consents

Enhances OID4VCI consent handling by adding tests, default texts, and revocation logic, improving security and user experience.

Health Assessment

• • Fast review and merge with minimal rework indicates a well‑scoped, low‑risk change.

Summary

Fix KeycloakContext getRequestHeader deprecation

Resolves deprecation issue in KeycloakContext, ensuring compatibility and preventing runtime errors.

Health Assessment

• • Quick fix with minimal changes, fast review and merge.

Summary

Prevent logging full PostgreSQL SQL statements

Reduces log verbosity and protects sensitive data by omitting SQL values from logs, improving security and performance.

Health Assessment

• • The PR addressed a security/logging concern with minimal code changes and was approved after a long review period, indicating a cautious review process.

Summary

Handle missing realm gracefully on deletion

This fix prevents crashes when a realm is deleted but its storage is missing. It improves system reliability and user experience during realm management.

Health Assessment

• • The PR had a long review time, indicating potential communication delays, but the change was small and straightforward, resulting in a low-risk merge.

Summary

Add role permission to list realm roles

Enables the manage-identity-providers role to list realm roles, enhancing role-based access control.

Health Assessment

• • Fast cycle time and minimal changes indicate a low-risk, straightforward update.

Summary

Migrate OID4VC metadata discovery test to new framework

This PR updates the OID4VC metadata discovery tests to a new framework, improving test reliability and ensuring continued compliance with OID4VC specifications.

Health Assessment

• • Fast cycle time and single review round indicate smooth integration.

Summary

Enable extensible JWT client validators

Allows downstream integrations to override specific validation steps, simplifying customization and reducing code duplication.

Health Assessment

• • Long cycle time due to extended review and test removal, but minimal code changes and low risk.

Summary

Add client libraries repository to README

Adds a reference to the client libraries repository in the main README, improving discoverability for developers.

Health Assessment

• • Quick review and merge with minimal changes; straightforward documentation update.

Summary

Ensure workflows can't be managed through the Component API

This change tightens security by blocking workflow management through the Component API, ensuring that workflow configurations can only be altered through the intended interfaces.

Health Assessment

• • The PR was reviewed immediately and merged within a day, indicating a smooth process with minimal friction.

Summary

Remove log-and-throw for Hibernate SQL exceptions

Prevents unnecessary logging and improves error handling for Hibernate SQL exceptions, enhancing performance and clarity. This change reduces noise in logs and ensures exceptions are propagated correctly.

Health Assessment

• • PR merged without review after a single commit, minimal changes, low risk.

Summary

Add admin UI for issued credentials

Adds a dialog in the admin UI to list issued credentials for each user, enabling admins to review and manage verifiable credentials directly. This enhances auditability and simplifies credential lifecycle management.

Health Assessment

• • Fast review and merge within 17 hours, minimal rework, indicating a straightforward feature addition.

Summary

Update commit-migration script

Improves reliability of migration scripts by updating commit-migration logic, allowing customizable commit messages and correcting class name parsing.

Health Assessment

• • Quick review and single commit indicate a straightforward change with minimal risk.

Summary

Format Terms and Conditions accepted timestamp

Formats the Terms and Conditions accepted timestamp in the Admin UI user details screen, converting raw milliseconds to a readable date/time for better user experience.

Health Assessment

• • Long review and merge cycle indicates slow process, but minimal rework and small scope suggest low risk.

Summary

Translations update from Hosted Weblate

Adds updated translation strings for multiple languages, enhancing internationalization for Keycloak Admin UI.

Health Assessment

• • The PR required over 8 days to merge with a single large commit, indicating a slow review process and potential bottlenecks in translation approvals.

Summary

Fix WebAuthn Page rewrite message in migration tests

Ensures migration tests correctly handle WebAuthn page rewrite messages, improving test reliability.

Health Assessment

• • Quick review and merge with minimal changes indicates a straightforward fix.