User Story
SSO is moving to the much-anticipated Red Hat Build of Keycloak (RHBK 24), which is built upon Keycloak Quarkus.
Quarkus is a Java framework tailored for deployment on Kubernetes. It was designed around the container-first philosophy. It allows for running Java code on a very small resource footprint (CPU/Mem), while retaining excellent performance and pod startup times.
Upgrade timeline
DEV/TEST September 4 2024 20:00 - 20:30
PROD September 18 20:00 - 20:30
ACTION by July 31, 2024: Review your redirects and replace them with your app's custom scheme, something like custom://test, custom://test/
In preparation for this:
General pattern no longer covers custom schemes in redirect URIs
Context: 5.1.1.2. Changes in validating schemes for valid redirect URIs
If an application client is using non http(s) custom schemes, the validation now requires that a valid redirect pattern explicitly allows that scheme. Example patterns for allowing custom scheme are custom:/test, custom:/test/ or custom:. For security reasons, a general pattern such as * no longer covers them.
What you might see: You may get the error message 'invalid redirect uri' in your dev and test environment.
ACTION by July 31, 2024: Review your redirects and replace them with your app's custom scheme, something like custom://test, custom://test/
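One way to carry out that review offline, as an added example that is not code from the SSO team or from Keycloak: the sketch models the rule quoted above in simplified form and lists the redirect URIs expected to fail. The client entries, the USED map and the trailing-`*` prefix matching are assumptions; `clientId` and `redirectUris` are the field names of a Keycloak client representation.

```python
from urllib.parse import urlsplit

WEB_SCHEMES = {"http", "https"}

# Constructed sample data: client entries shaped like a Keycloak client
# representation, and the redirect URIs each app really sends (assumed).
CLIENTS = [
    {"clientId": "mobile-app", "redirectUris": ["*"]},
    {"clientId": "web-app", "redirectUris": ["*"]},
    {"clientId": "fixed-app", "redirectUris": ["custom://test", "custom://test/*"]},
]
USED = {
    "mobile-app": ["custom://test"],
    "web-app": ["https://app.example.org/callback"],
    "fixed-app": ["custom://test", "custom://test/done", "custom://other"],
}


def pattern_allows(pattern: str, uri: str) -> bool:
    """Simplified model of the new rule, not Keycloak's own matcher.
    Handles absolute URIs only."""
    scheme = urlsplit(uri).scheme.lower()
    if pattern == "*":
        # The general pattern no longer covers non-http(s) schemes.
        return scheme in WEB_SCHEMES
    if pattern.endswith("*"):
        # Assumption: a trailing * is a plain prefix match.
        return uri.startswith(pattern[:-1])
    return uri == pattern


def audit(clients, used):
    """Return (clientId, uri) pairs expected to fail with 'invalid redirect uri'."""
    failures = []
    for client in clients:
        patterns = client.get("redirectUris", [])
        for uri in used.get(client["clientId"], []):
            if not any(pattern_allows(p, uri) for p in patterns):
                failures.append((client["clientId"], uri))
    return failures


if __name__ == "__main__":
    for client_id, uri in audit(CLIENTS, USED):
        print(f"{client_id}: add an explicit pattern for {uri}")
```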
Custom Service/Realm Community
We've got 4 things for you below and a reminder on the Custom Service/Realm Community Ways of Working.
a) If you missed our community chat on June 5th, please review the notes below and/or watch the recording. Note that we've updated our wiki help since we met.
b) Please take note of our planned upgrade timeline. We will need you to do your part in testing your apps between September 4 - 17th.
DEV/TEST September 4 2024 20:00 - 20:30
PROD September 18, 2024 20:00 - 20:30
c) As a committed community member, please update your contact information with us.
d) Redirect Changes: be aware of the future horizon
Since many Gov teams make use of the redirect_uri parameter to log users out of their applications, we applied an available patch to support the backwards compatibility option with redirect_uri. We also want to highlight that this option will be completely deprecated in future Keycloak releases.
We recommend including the id_token_hint and post_logout_redirect_uri parameters (recommended):
https://dev.loginproxy.gov.bc.ca/auth/realms/standard/protocol/openid-connect/logout?post_logout_redirect_uri=http://localhost:3000&id_token_hint=xxxxxxxxxxxxxxxxxxxxx
For more information, go to: https://www.keycloak.org/docs/latest/securing_apps/index.html#logout