Partial update to user attributes when updating users through the Admin User API is no longer supported
When updating user attributes through the Admin User API, you cannot execute partial updates when updating the
user attributes, including the root attributes like username, email, firstName, and lastName.
#23701 Attribute search does not work with federated users with ldap. admin/ui
#23980 Keycloak Operator fails to install realm authentication flow because "flow is null" import-export
#25490 Partial export/import is not mentioned in Keycloak's Server Administration Guide docs
#25687 A java.lang.NullPointerException occurs when sending a Multipart/form-data request to any file upload interface. admin/api
#26396 How do you update a custom user storage provider jar that includes a version number? dist/quarkus
#27117 user sessions not accessible in all cluster nodes infinispan
#27180 Grant type "urn:ietf:params:oauth:grant-type:uma-ticket" openid-connect/token service endpoint is returning refresh token with invalid Expiration authorization-services
#27228 Lowercased "terms_and_conditions" is not migrated in fed_user_required_action table core
#27245 Account console does not correctly treat link / unlink account account/ui
#27269 mvnw clean install -Pdistribution on Windows deletes necessary files during clean of org.keycloak:keycloak-admin-ui admin/ui
#27275 Invalidating offline token is not working from client sessions tab authentication
#27366 Social login - test failures with unexpected status code testsuite
Due to an issue in the release process when deploying Keycloak using the Operator it installed the nightly container
instead of 24.0.0.
As a quick fix to the issue, the 24.0.0 container was tagged with nightly, and the nightly releases was temporarily
disabled.
If you installed or upgraded to 24.0.0 using the Operator before 5pm CET yesterday the database may have been updated
with the wrong versions. To check if you are affected connect to your database and run the following SQL command:
SELECT * from migration_model WHERE version = '999.0.0';
If the above returns a matching row you will need to take some actions, otherwise database migrations will not run for
future releases. To resolve this run the following SQL command:
UPDATE migration_model SET version = '24.0.0' WHERE version = '999.0.0';
Upgrading
Before upgrading refer to the migration guide for a complete list of changes.
The user profile preview feature is promoted to be fully supported and user profile is enabled by default.
In the past months, the Keycloak team spent a huge amount of effort in polishing the user
profile feature to make it fully supported. In this release, we continued the effort. Lots of improvements, fixes and
polishing were done based on the thorough testing and feedback from our awesome community.
The following are a few highlights of this feature;
Fine-grained control over the attributes that users and administrators can manage so that you can prevent unexpected attributes and values from being set.
Ability to specify what user attributes are managed and should be displayed on the forms to regular users or administrators.
Dynamic forms - Previously, the forms where users created or updated their profiles, contain four basic attributes like username, email, first name and last name. The addition of any
attributes (or removing some default attributes) required you to create a custom theme. Now custom themes may not be needed because users see exactly the requested attributes based on the requirement of the particular deployment.
Validations - Ability to specify validators for the user attributes including built-in validators that you can use to specify a maximum or minimum length, a specific regex, or limiting a
particular attribute to be a URL or number.
Annotations - Ability to specify that particular attribute should be rendered for instance as a text area, an HTML select with specified options, or calendar or many other options. You can also bind JavaScript code to a specific field to change how an attribute is rendered and customize its behavior.
Progressive profiling - Ability to specify that some fields are required or available on the forms just for particular values of scope parameter. This effectively allow progressive
profiling. You no longer need to ask the user for twenty attributes during registration; you can instead ask the user to fill in attributes incrementally according to the requirements of the individual client
applications that are used by the user.
Migration from previous versions - The user profile is now always enabled, but it operates as before for those who did not use this feature. You can
benefit from the user profile capabilities, but you are not required to use them. For migration instructions, see the Upgrading Guide.
The first release of the user profile as a supported feature is just the starting point and the baseline for delivering many more capabilities around identity management.
We would like to give huge thanks to the awesome Keycloak community as lots of ideas, requirements and contributions came from the community! Special thanks to:
In this release, changes to the User Profile SPI might impact existing implementations based on this SPI. For more details, see the
Upgrading Guide.
Changes to Freemarker templates to render pages based on the user profile and realm
In this release, the following templates were updated to make it possible to dynamically render attributes based
on the user profile configuration set to a realm:
New Freemarker template for the update profile page at first login through a broker
In this release, the server renders the update profile page when the user is authenticating through a broker for the
first time using the idp-review-user-profile.ftl template.
With that in mind, this will be the last major release of Keycloak to include OpenID Connect and SAML adapters.
As Jetty 9.x has not been supported since 2022 the Jetty adapter has been removed already in this release.
The generic Authorization Client library will continue to be supported, and aims to be used in combination with any
other OAuth 2.0 or OpenID Connect libraries.
The only adapter we will continue to deliver is the SAML adapter for latest releases of WildFly and EAP 8.x. Reasoning
for continuing to support this is down to the fact that the majority of the SAML codebase in Keycloak was a contribution
from WildFly. As part of this contribution we agreed to maintain SAML adapters for WildFly and EAP in the long run.
Jetty adapter removed
Jetty 9.4 has not been supported in the community for a long time, and reached end-of-life in 2022. At the same time the
adapter has not been updated or tested with more recent versions of Jetty. For these reasons the Jetty adapter has been
removed from this release.
New Welcome Page
The 'welcome' page that appears at the first use of Keycloak is redesigned. It provides a better setup experience and conforms to the latest version of PatternFly. The simplified page layout includes only a form to register the first administrative user. After completing the registration, the user is sent directly to the Admin Console.
If you use a custom theme, you may need to update it to support the new welcome page. For details, see the Upgrading Guide.
New Account Console now the default
We introduced version 3 of the Account Console in Keycloak 22 as a preview feature. In this release, we are making it the default version, and deprecating version 2 in the process, which will be removed in a subsequent release.
This new version has built-in support for the user profile feature, which allows administrators to configure which attributes are available to users in the Account Console, and lands a user directly on their personal account page after logging in.
If you are using or extending the customization features of this theme, you may need to perform additional migrations. For more details, see the Upgrading Guide.
Keycloak JS
Using exports field in package.json
The Keycloak JS adapter now uses the exports field in its package.json. This change improves support for more modern bundlers like Webpack 5 and Vite, but comes with some unavoidable breaking changes. See the Upgrading Guide for more details.
PKCE enabled by default
The Keycloak JS adapter now sets the pkceMethod option to S256 by default. This change enables Proof Key Code Exchange (PKCE) for all applications using the adapter. If you use the adapter on a system that does not support PKCE, you can set the pkceMethod option to false to disable it.
As part of this change, the default password hashing provider has changed from pbkdf2-sha256 to pbkdf2-sha512.
Also, the number of default hash iterations for pbkdf2 based password hashing algorithms changed. This change means better security aligned with latest recommendations, but
it has impact on performance. It is possible to stick to the old behaviour by adding password policies hashAlgorithm and hashIterations to your realm. For more details, see the Upgrading Guide.
OAuth/OIDC related improvements
Lightweight access tokens support
This release contains support for Lightweight access tokens. As a result, you can have smaller access tokens for specified clients. These tokens have only a few
claims, which is why they are smaller. Note that lightweight access token is still JWT signed by the realm key by default and still contains some very basic claims.
This release introduces an Add to lightweight access token flag that is available on some OIDC protocol mappers. Use this flag to specify if a particular claim should be added to a lightweight
access token. It is OFF by default, which means that most claims are not added.
Also, a client policy executor exists. Use it to specify if a particular client request
should use lightweight access tokens or regular access tokens. An alternative to the executor is to use an Always use lightweight access token flag on client advanced
settings, which causes that client to always use lightweight access tokens. An executor can be an alternative if you need
more flexibility. For instance, you may choose to use lightweight access tokens by default but use regular tokens only for the specified scope parameter.
A previous release added an Add to token introspection switch. You use it to add
claims that are not present in the access token into the introspection endpoint response.
This release contains optional OAuth 2.1 support. New client policy profiles were introduced in this release, which administrators can use to make sure that clients and particular client requests comply with the OAuth 2.1 specification. A dedicated client profile exists for confidential clients and a dedicated profile for public clients.
Thanks to Takashi Norimatsu and Shigeyuki Kabano for the contribution.
Scope parameter supported in the refresh token flow
Starting with this release, the scope parameter in the OAuth2/OIDC endpoint for token refresh is supported. Use this parameter to request access tokens with a smaller amount
of scopes than originally granted, which means you cannot increase access token scope. This scope limitation does not affect the scope of the refreshed refresh token. This function works as
described in the OAuth2 specification.
Thanks to Konstantinos Georgilakis for the contribution.
Client policy executor for secure redirect URIs
A new client policy executor secure-redirect-uris-enforcer is introduced. Use it to restrict which redirect URIs can be used by the clients. For instance,
you can specify that client redirect URIs cannot have wildcards, should be just from specific domain, must be OAuth 2.1 compliant, and so on.
Thanks to Lex Cao and Takashi Norimatsu for the contribution.
Client policy executor for enforcing DPoP
A new client policy executor dpop-bind-enforcer is introduced. You can use it to enforce DPoP for a particular client if dpop preview
is enabled.
Thanks to Takashi Norimatsu for the contribution.
Supporting EdDSA
You can create EdDSA realm keys and use them as signature algorithms for various clients. For instance, you can use these keys to sign tokens or for client authentication with signed JWT.
This feature includes identity brokering where Keycloak itself signs client assertions that are used for private_key_jwt authentication to third party identity providers.
Thanks to
Takashi Norimatsu and Muhammad Zakwan Bin Mohd Zahid for the contribution.
EC Keys supported by JavaKeystore provider
The provider JavaKeystoreProvider for providing realm keys now supports EC keys in addition to previously supported RSA keys.
Thanks to Stefan Wiedemann for the contribution.
Option to add X509 thumbprint to JWT when using private_key_jwt authentication for identity providers
OIDC identity providers now have the Add X.509 Headers to the JWT option for the situation when client authentication with JWT signed by private key is used. This option can be useful
for interoperability with some identity providers such as Azure AD, which require the thumbprint to be present on the JWT.
Thanks to MT for the contribution.
OAuth Grant Type SPI
The Keycloak codebase includes an internal update to introduce the OAuth Grant Type SPI. This update allows additional flexibility when introducing custom grant types
supported by the Keycloak OAuth 2 token endpoint.
Thanks to Dmitry Telegin for the contribution.
CORS improvements
The CORS related Keycloak functionality was extracted into the SPI, which can allow additional flexibility. Note that CorsSPI is internal and may change at a future release.
Thanks to Dmitry Telegin for the contribution.
Truststore improvements
Keycloak introduces improved truststores configuration options. The Keycloak truststore is now used across the server, including outgoing connections, mTLS, and database drivers. You no longer need to configure separate truststores for individual areas. To configure the truststore, you can put your truststores files or certificates in the default conf/truststores, or use the new truststore-paths config option. For details refer to the relevant guide.
Versioned Features
Features now support versioning. To preserve backward compatibility, all existing features (including account2 and account3) are marked as version 1. Newly introduced features will use versioning, which means that users can select between different implementations of desired features.
The cert for the Kubernetes CA is added automatically to your Keycloak Pods managed by the Operator.
Automatic certificate management for SAML identity providers
The SAML identity providers can now be configured to automatically download the signing certificates from the IDP entity metadata descriptor endpoint. In order to use the new feature, configure the Metadata descriptor URL option in the provider (the URL where the IDP metadata information with the certificates is published) and set Use metadata descriptor URL to ON. The certificates are automatically downloaded and cached in the public-key-storage SPI from that URL. The certificates can also be reloaded or imported from the Admin Console, using the action combo in the provider page.
See the documentation for more details about the new options.
Non-blocking health check for load balancers
A new health check endpoint available at /lb-check was added.
The execution is running in the event loop, which means this check is responsive also in overloaded situations when Keycloak needs to handle many requests waiting in request queue.
This behavior is useful, for example, in multi-site deployment to avoid failing over to another site that is under heavy load.
The endpoint is currently checking availability of the embedded and external Infinispan caches. Other checks may be added later.
This endpoint is not available by default.
To enable it, run Keyloak with the multi-site feature.
For more details, see Enabling and disabling features.
Keycloak CR Optimized Field
The Keycloak CR now includes an startOptimized field, which may be used to override the default assumption about whether to use the --optimized flag for the start command.
As a result, you can use the CR to configure build time options also when a custom Keycloak image is used.
Enhanced reverse proxy settings
It is now possible to separately enable parsing of either Forwarded or X-Forwarded-* headers by using the new --proxy-headers option.
For details, see the Reverse Proxy Guide.
The original --proxy option is now deprecated and will be removed in a future release. For migration instructions, see the Upgrading Guide.
Changes to the user representation in both Admin API and Account contexts
In this release, we are encapsulating the root user attributes (such as username, email, firstName, lastName, and locale) by moving them to a base/abstract class in order to align how these attributes
are marshalled and unmarshalled when using both Admin and Account REST APIs.
This strategy provides consistency in how attributes are managed by clients and makes sure they conform to the user profile
configuration set to a realm.
Sequential loading of offline sessions and remote sessions
Starting with this release, the first member of a Keycloak cluster will load remote sessions sequentially instead of in parallel.
If offline session preloading is enabled, those will be loaded sequentially as well.
Performing actions on behalf of another already authenticated user is not longer possible
In this release, you can no longer perform actions such as email verification if the user is already authenticated
and the action is bound to another user. For instance, a user can not complete the verification email flow if the email link
is bound to a different account.
Changes to the email verification flow
In this release, if a user tries to follow the link to verify the email and the email was previously verified, a proper message
will be shown.
In addition to that, a new error (EMAIL_ALREADY_VERIFIED) event will be fired to indicate an attempt to verify an already verified email. You can
use this event to track possible attempts to hijack user accounts in case the link has leaked or to alert users if they do not recognize the action.
Deprecated offline session preloading
The default behavior of Keycloak is to load offline sessions on demand.
The old behavior to preload them at startup is now deprecated, as pre-loading them at startup does not scale well with a growing number of sessions, and increases Keycloak memory usage. The old behavior will be removed in a future release.
Configuration option for offline session lifespan override in memory
To reduce memory requirements, we introduced a configuration option to shorten lifespan for offline sessions imported into the Infinispan caches. Currently, the offline session lifespan override is disabled by default.
There have been a couple of enhancements to the Brute Protection:
When an attempt to authenticate with an OTP or Recovery Code fails due to Brute Force Protection the active Authentication Session is invalidated. Any further attempts to authenticate with that session will fail.
In previous versions of Keycloak, the administrator had to choose between disabling users temporarily or permanently due to a Brute Force attack on their accounts. The administrator can now permanently disable a user after a given number of temporary lockouts.
The property failedLoginNotBefore has been added to the brute-force/users/{userId} endpoint
Authorization Policy
In previous versions of Keycloak, when the last member of a User, Group or Client policy was deleted then that policy would also be deleted. Unfortunately this could lead to an escalation of privileges if the policy was used in an aggregate policy. To avoid privilege escalation the effect policies are no longer deleted and an administrator will need to update those policies.
Keycloak CR cache-config-file option
The Keycloak CR now allows for specifying the cache-config-file option by using the cache spec configMapFile field, for example:
The Keycloak CR now allows for specifying the resources options for managing compute resources for the Keycloak container.
It provides the ability to request and limit resources independently for the main Keycloak deployment via the Keycloak CR, and for the realm import Job via the Realm Import CR.
When no values are specified, the default requests memory is set to 1700MiB, and the limits memory is set to 2GiB.
You can specify your custom values based on your requirements as follows:
There is now a new event USER_DISABLED_BY_TEMPORARY_LOCKOUT when a user is temporarily locked out by the brute force protector.
The log with ID KC-SERVICES0053 has been removed as the new event offers the information in a structured form.
Cookie handling code has been refactored and improved, including a new Cookie Provider. This provides better consistency
for cookies handled by Keycloak, and the ability to introduce configuration options around cookies if needed.
SAML User Attribute Mapper For NameID now suggests only valid NameID formats
User Attribute Mapper For NameID allowed setting Name ID Format option to the following values:
However, Keycloak does not support receiving AuthnRequest document with one of these NameIDPolicy, therefore these
mappers would never be used. The supported options were updated to only include the following Name ID Formats:
Different JVM memory settings when running in container
Instead of specifying hardcoded values for the initial and maximum heap size, Keycloak uses relative values to the total memory of a container.
The JVM options -Xms, and -Xmx were replaced by -XX:InitialRAMPercentage, and -XX:MaxRAMPercentage.
With sunsetting of the underlying library providing integration
with GELF, Keycloak will no longer support the GELF log handler out-of-the-box. This feature will be removed in a future
release. If you require an external log management, consider using file log parsing.
Support for multi-site active-passive deployments
Deploying Keycloak to multiple independent sites is essential for some environments to provide high availability and a speedy recovery from failures.
This release supports active-passive deployments for Keycloak.
To get started, use the High Availability Guide which also includes a comprehensive blueprint to deploy a highly available Keycloak to a cloud environment.
Upgrading
Before upgrading refer to the migration guide for a complete list of changes.
📅 Schedule: Branch creation - "after 10pm every weekday,before 5am every weekday,every weekend" (UTC), Automerge - "before 4am on the first day of the month" (UTC).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
[ ] If you want to rebase/retry this PR, check this box
This PR has been generated by Mend Renovate. View repository job log here.
This PR contains the following updates:
22.0.5
->24.0.4
Release Notes
keycloak/keycloak (org.keycloak:keycloak-admin-client)
### [`v24.0.4`](https://togithub.com/keycloak/keycloak/releases/tag/24.0.4) [Compare Source](https://togithub.com/keycloak/keycloak/compare/24.0.3...24.0.4)Highlights
Partial update to user attributes when updating users through the Admin User API is no longer supported
When updating user attributes through the Admin User API, you cannot execute partial updates when updating the user attributes, including the root attributes like
username
,email
,firstName
, andlastName
.For more details, see the Upgrading Guide.
Upgrading
Before upgrading refer to the migration guide for a complete list of changes.
All resolved issues
Enhancements
docs
dist/quarkus
docs
Bugs
admin/api
import-export
core
adapter/jee-saml
ci
ci
oidc
admin/ui
admin/ui
admin/api
infinispan
docs
admin/ui
admin/ui
admin/ui
admin/ui
admin/ui
dist/quarkus
admin/ui
core
ldap
docs
docs
Upgrading
Before upgrading refer to the migration guide for a complete list of changes.
All resolved issues
Enhancements
ldap
Bugs
ldap
identity-brokering
admin/api
adapter/javascript
operator
Upgrading
Before upgrading refer to the migration guide for a complete list of changes.
All resolved issues
Enhancements
authorization-services
docs
dist/quarkus
core
docs
docs
dist/quarkus
Bugs
account/ui
core
authentication
core
admin/ui
import-export
docs
admin/api
dist/quarkus
infinispan
authorization-services
core
account/ui
admin/ui
authentication
testsuite
authorization-services
docs
storage
docs
admin/ui
docs
core
user-profile
admin/ui
dist/quarkus
docs
login/ui
ci
core
docs
user-profile
account/ui
translations
core
oidc
docs
operator
dist/quarkus
authentication
docs
storage
user-profile
storage
user-profile
dist/quarkus
operator
authentication/webauthn
Highlights
Operator deploys nightly build instead of 24.0.0
Due to an issue in the release process when deploying Keycloak using the Operator it installed the
nightly
container instead of24.0.0
.As a quick fix to the issue, the
24.0.0
container was tagged withnightly
, and thenightly
releases was temporarily disabled.If you installed or upgraded to
24.0.0
using the Operator before 5pm CET yesterday the database may have been updated with the wrong versions. To check if you are affected connect to your database and run the following SQL command:If the above returns a matching row you will need to take some actions, otherwise database migrations will not run for future releases. To resolve this run the following SQL command:
Upgrading
Before upgrading refer to the migration guide for a complete list of changes.
Highlights
Supported user profile and progressive profiling
The user profile preview feature is promoted to be fully supported and user profile is enabled by default.
In the past months, the Keycloak team spent a huge amount of effort in polishing the user profile feature to make it fully supported. In this release, we continued the effort. Lots of improvements, fixes and polishing were done based on the thorough testing and feedback from our awesome community.
The following are a few highlights of this feature;
Fine-grained control over the attributes that users and administrators can manage so that you can prevent unexpected attributes and values from being set.
Ability to specify what user attributes are managed and should be displayed on the forms to regular users or administrators.
Dynamic forms - Previously, the forms where users created or updated their profiles, contain four basic attributes like username, email, first name and last name. The addition of any attributes (or removing some default attributes) required you to create a custom theme. Now custom themes may not be needed because users see exactly the requested attributes based on the requirement of the particular deployment.
Validations - Ability to specify validators for the user attributes including built-in validators that you can use to specify a maximum or minimum length, a specific regex, or limiting a particular attribute to be a URL or number.
Annotations - Ability to specify that particular attribute should be rendered for instance as a text area, an HTML select with specified options, or calendar or many other options. You can also bind JavaScript code to a specific field to change how an attribute is rendered and customize its behavior.
Progressive profiling - Ability to specify that some fields are required or available on the forms just for particular values of
scope
parameter. This effectively allow progressive profiling. You no longer need to ask the user for twenty attributes during registration; you can instead ask the user to fill in attributes incrementally according to the requirements of the individual client applications that are used by the user.Migration from previous versions - The user profile is now always enabled, but it operates as before for those who did not use this feature. You can benefit from the user profile capabilities, but you are not required to use them. For migration instructions, see the Upgrading Guide.
The first release of the user profile as a supported feature is just the starting point and the baseline for delivering many more capabilities around identity management.
We would like to give huge thanks to the awesome Keycloak community as lots of ideas, requirements and contributions came from the community! Special thanks to:
Vlastimil Eliáš
Alec Henninger
Thomas Darimont
Markus Till
Sebastian Schuster
Oliver
Patrick Jennings
Andrew
For more details about user profile capabilities, see the Server Administration Guide.
Breaking changes to the User Profile SPI
In this release, changes to the User Profile SPI might impact existing implementations based on this SPI. For more details, see the Upgrading Guide.
Changes to Freemarker templates to render pages based on the user profile and realm
In this release, the following templates were updated to make it possible to dynamically render attributes based on the user profile configuration set to a realm:
login-update-profile.ftl
register.ftl
update-email.ftl
For more details, see the Upgrading Guide.
New Freemarker template for the update profile page at first login through a broker
In this release, the server renders the update profile page when the user is authenticating through a broker for the first time using the
idp-review-user-profile.ftl
template.For more details, see the Upgrading Guide.
Java adapter deprecation and removal
Back in 2022 we announced the deprecation of Keycloak adapters in Keycloak 19. To give the community more time to adopt this was delayed.
With that in mind, this will be the last major release of Keycloak to include OpenID Connect and SAML adapters. As Jetty 9.x has not been supported since 2022 the Jetty adapter has been removed already in this release.
The generic Authorization Client library will continue to be supported, and aims to be used in combination with any other OAuth 2.0 or OpenID Connect libraries.
The only adapter we will continue to deliver is the SAML adapter for latest releases of WildFly and EAP 8.x. Reasoning for continuing to support this is down to the fact that the majority of the SAML codebase in Keycloak was a contribution from WildFly. As part of this contribution we agreed to maintain SAML adapters for WildFly and EAP in the long run.
Jetty adapter removed
Jetty 9.4 has not been supported in the community for a long time, and reached end-of-life in 2022. At the same time the adapter has not been updated or tested with more recent versions of Jetty. For these reasons the Jetty adapter has been removed from this release.
New Welcome Page
The 'welcome' page that appears at the first use of Keycloak is redesigned. It provides a better setup experience and conforms to the latest version of PatternFly. The simplified page layout includes only a form to register the first administrative user. After completing the registration, the user is sent directly to the Admin Console.
If you use a custom theme, you may need to update it to support the new welcome page. For details, see the Upgrading Guide.
New Account Console now the default
We introduced version 3 of the Account Console in Keycloak 22 as a preview feature. In this release, we are making it the default version, and deprecating version 2 in the process, which will be removed in a subsequent release.
This new version has built-in support for the user profile feature, which allows administrators to configure which attributes are available to users in the Account Console, and lands a user directly on their personal account page after logging in.
If you are using or extending the customization features of this theme, you may need to perform additional migrations. For more details, see the Upgrading Guide.
Keycloak JS
Using
exports
field inpackage.json
The Keycloak JS adapter now uses the
exports
field in itspackage.json
. This change improves support for more modern bundlers like Webpack 5 and Vite, but comes with some unavoidable breaking changes. See the Upgrading Guide for more details.PKCE enabled by default
The Keycloak JS adapter now sets the
pkceMethod
option toS256
by default. This change enables Proof Key Code Exchange (PKCE) for all applications using the adapter. If you use the adapter on a system that does not support PKCE, you can set thepkceMethod
option tofalse
to disable it.Changes to Password Hashing
In this release, we adapted the password hashing defaults to match the OWASP recommendations for Password Storage.
As part of this change, the default password hashing provider has changed from
pbkdf2-sha256
topbkdf2-sha512
. Also, the number of default hash iterations forpbkdf2
based password hashing algorithms changed. This change means better security aligned with latest recommendations, but it has impact on performance. It is possible to stick to the old behaviour by adding password policieshashAlgorithm
andhashIterations
to your realm. For more details, see the Upgrading Guide.OAuth/OIDC related improvements
Lightweight access tokens support
This release contains support for Lightweight access tokens. As a result, you can have smaller access tokens for specified clients. These tokens have only a few claims, which is why they are smaller. Note that lightweight access token is still JWT signed by the realm key by default and still contains some very basic claims.
This release introduces an Add to lightweight access token flag that is available on some OIDC protocol mappers. Use this flag to specify if a particular claim should be added to a lightweight access token. It is OFF by default, which means that most claims are not added.
Also, a client policy executor exists. Use it to specify if a particular client request should use lightweight access tokens or regular access tokens. An alternative to the executor is to use an Always use lightweight access token flag on client advanced settings, which causes that client to always use lightweight access tokens. An executor can be an alternative if you need more flexibility. For instance, you may choose to use lightweight access tokens by default but use regular tokens only for the specified scope parameter.
A previous release added an Add to token introspection switch. You use it to add claims that are not present in the access token into the introspection endpoint response.
Thanks to Shigeyuki Kabano for the contribution and Thanks to Takashi Norimatsu for a help and review of this feature.
OAuth 2.1 support
This release contains optional OAuth 2.1 support. New client policy profiles were introduced in this release, which administrators can use to make sure that clients and particular client requests comply with the OAuth 2.1 specification. A dedicated client profile exists for confidential clients and a dedicated profile for public clients. Thanks to Takashi Norimatsu and Shigeyuki Kabano for the contribution.
Scope parameter supported in the refresh token flow
Starting with this release, the scope parameter in the OAuth2/OIDC endpoint for token refresh is supported. Use this parameter to request access tokens with a smaller amount of scopes than originally granted, which means you cannot increase access token scope. This scope limitation does not affect the scope of the refreshed refresh token. This function works as described in the OAuth2 specification. Thanks to Konstantinos Georgilakis for the contribution.
Client policy executor for secure redirect URIs
A new client policy executor
secure-redirect-uris-enforcer
is introduced. Use it to restrict which redirect URIs can be used by the clients. For instance, you can specify that client redirect URIs cannot have wildcards, should be just from specific domain, must be OAuth 2.1 compliant, and so on. Thanks to Lex Cao and Takashi Norimatsu for the contribution.Client policy executor for enforcing DPoP
A new client policy executor
dpop-bind-enforcer
is introduced. You can use it to enforce DPoP for a particular client ifdpop
preview is enabled. Thanks to Takashi Norimatsu for the contribution.Supporting EdDSA
You can create EdDSA realm keys and use them as signature algorithms for various clients. For instance, you can use these keys to sign tokens or for client authentication with signed JWT. This feature includes identity brokering where Keycloak itself signs client assertions that are used for
private_key_jwt
authentication to third party identity providers. Thanks to Takashi Norimatsu and Muhammad Zakwan Bin Mohd Zahid for the contribution.EC Keys supported by JavaKeystore provider
The provider
JavaKeystoreProvider
for providing realm keys now supports EC keys in addition to previously supported RSA keys. Thanks to Stefan Wiedemann for the contribution.Option to add X509 thumbprint to JWT when using private_key_jwt authentication for identity providers
OIDC identity providers now have the Add X.509 Headers to the JWT option for the situation when client authentication with JWT signed by private key is used. This option can be useful for interoperability with some identity providers such as Azure AD, which require the thumbprint to be present on the JWT. Thanks to MT for the contribution.
OAuth Grant Type SPI
The Keycloak codebase includes an internal update to introduce the OAuth Grant Type SPI. This update allows additional flexibility when introducing custom grant types supported by the Keycloak OAuth 2 token endpoint. Thanks to Dmitry Telegin for the contribution.
CORS improvements
The CORS related Keycloak functionality was extracted into the SPI, which can allow additional flexibility. Note that
CorsSPI
is internal and may change at a future release. Thanks to Dmitry Telegin for the contribution.Truststore improvements
Keycloak introduces improved truststores configuration options. The Keycloak truststore is now used across the server, including outgoing connections, mTLS, and database drivers. You no longer need to configure separate truststores for individual areas. To configure the truststore, you can put your truststores files or certificates in the default
conf/truststores
, or use the newtruststore-paths
config option. For details refer to the relevant guide.Versioned Features
Features now support versioning. To preserve backward compatibility, all existing features (including
account2
andaccount3
) are marked as version 1. Newly introduced features will use versioning, which means that users can select between different implementations of desired features.For details refer to the features guide.
Keycloak CR Truststores
You may also take advantage of the new server-side handling of truststores by using the Keycloak CR, for example:
Currently only Secrets are supported.
Trust Kubernetes CA
The cert for the Kubernetes CA is added automatically to your Keycloak Pods managed by the Operator.
Automatic certificate management for SAML identity providers
The SAML identity providers can now be configured to automatically download the signing certificates from the IDP entity metadata descriptor endpoint. In order to use the new feature, configure the
Metadata descriptor URL
option in the provider (the URL where the IDP metadata information with the certificates is published) and setUse metadata descriptor URL
toON
. The certificates are automatically downloaded and cached in thepublic-key-storage
SPI from that URL. The certificates can also be reloaded or imported from the Admin Console, using the action combo in the provider page.See the documentation for more details about the new options.
Non-blocking health check for load balancers
A new health check endpoint available at
/lb-check
was added. The execution is running in the event loop, which means this check is responsive also in overloaded situations when Keycloak needs to handle many requests waiting in request queue. This behavior is useful, for example, in multi-site deployment to avoid failing over to another site that is under heavy load. The endpoint is currently checking availability of the embedded and external Infinispan caches. Other checks may be added later.This endpoint is not available by default. To enable it, run Keyloak with the
multi-site
feature. For more details, see Enabling and disabling features.Keycloak CR Optimized Field
The Keycloak CR now includes an
startOptimized
field, which may be used to override the default assumption about whether to use the--optimized
flag for the start command. As a result, you can use the CR to configure build time options also when a custom Keycloak image is used.Enhanced reverse proxy settings
It is now possible to separately enable parsing of either
Forwarded
orX-Forwarded-*
headers by using the new--proxy-headers
option. For details, see the Reverse Proxy Guide. The original--proxy
option is now deprecated and will be removed in a future release. For migration instructions, see the Upgrading Guide.Changes to the user representation in both Admin API and Account contexts
In this release, we are encapsulating the root user attributes (such as
username
,email
,firstName
,lastName
, andlocale
) by moving them to a base/abstract class in order to align how these attributes are marshalled and unmarshalled when using both Admin and Account REST APIs.This strategy provides consistency in how attributes are managed by clients and makes sure they conform to the user profile configuration set to a realm.
For more details, see the Upgrading Guide.
Sequential loading of offline sessions and remote sessions
Starting with this release, the first member of a Keycloak cluster will load remote sessions sequentially instead of in parallel. If offline session preloading is enabled, those will be loaded sequentially as well.
For more details, see the Upgrading Guide.
Performing actions on behalf of another already authenticated user is not longer possible
In this release, you can no longer perform actions such as email verification if the user is already authenticated and the action is bound to another user. For instance, a user can not complete the verification email flow if the email link is bound to a different account.
Changes to the email verification flow
In this release, if a user tries to follow the link to verify the email and the email was previously verified, a proper message will be shown.
In addition to that, a new error (
EMAIL_ALREADY_VERIFIED
) event will be fired to indicate an attempt to verify an already verified email. You can use this event to track possible attempts to hijack user accounts in case the link has leaked or to alert users if they do not recognize the action.Deprecated offline session preloading
The default behavior of Keycloak is to load offline sessions on demand. The old behavior to preload them at startup is now deprecated, as pre-loading them at startup does not scale well with a growing number of sessions, and increases Keycloak memory usage. The old behavior will be removed in a future release.
For more details, see the Upgrading Guide.
Configuration option for offline session lifespan override in memory
To reduce memory requirements, we introduced a configuration option to shorten lifespan for offline sessions imported into the Infinispan caches. Currently, the offline session lifespan override is disabled by default.
For more details, see the Server Administration Guide.
Infinispan metrics use labels for cache manager and cache names
When enabling metrics for Keycloak8217;s embedded caches, the metrics now use labels for the cache manager and the cache names.
For more details, see the Upgrading Guide.
User attribute value length extension
As of this release, Keycloak supports storing and searching by user attribute values longer than 255 characters, which was previously a limitation.
For more details, see the Upgrading Guide.
Brute Force Protection changes
There have been a couple of enhancements to the Brute Protection:
When an attempt to authenticate with an OTP or Recovery Code fails due to Brute Force Protection the active Authentication Session is invalidated. Any further attempts to authenticate with that session will fail.
In previous versions of Keycloak, the administrator had to choose between disabling users temporarily or permanently due to a Brute Force attack on their accounts. The administrator can now permanently disable a user after a given number of temporary lockouts.
The property
failedLoginNotBefore
has been added to thebrute-force/users/{userId}
endpointAuthorization Policy
In previous versions of Keycloak, when the last member of a User, Group or Client policy was deleted then that policy would also be deleted. Unfortunately this could lead to an escalation of privileges if the policy was used in an aggregate policy. To avoid privilege escalation the effect policies are no longer deleted and an administrator will need to update those policies.
Keycloak CR cache-config-file option
The Keycloak CR now allows for specifying the
cache-config-file
option by using thecache
specconfigMapFile
field, for example:Keycloak CR resources options
The Keycloak CR now allows for specifying the
resources
options for managing compute resources for the Keycloak container. It provides the ability to request and limit resources independently for the main Keycloak deployment via the Keycloak CR, and for the realm import Job via the Realm Import CR.When no values are specified, the default
requests
memory is set to1700MiB
, and thelimits
memory is set to2GiB
.You can specify your custom values based on your requirements as follows:
For more details, see the Operator Advanced configuration.
Temporary lockout log replaced with event
There is now a new event
USER_DISABLED_BY_TEMPORARY_LOCKOUT
when a user is temporarily locked out by the brute force protector. The log with IDKC-SERVICES0053
has been removed as the new event offers the information in a structured form.For more details, see the Upgrading Guide.
Updates to cookies
Cookie handling code has been refactored and improved, including a new Cookie Provider. This provides better consistency for cookies handled by Keycloak, and the ability to introduce configuration options around cookies if needed.
SAML User Attribute Mapper For NameID now suggests only valid NameID formats
User Attribute Mapper For NameID allowed setting
Name ID Format
option to the following values:urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName
urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName
urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos
urn:oasis:names:tc:SAML:2.0:nameid-format:entity
However, Keycloak does not support receiving
AuthnRequest
document with one of theseNameIDPolicy
, therefore these mappers would never be used. The supported options were updated to only include the following Name ID Formats:urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
urn:oasis:names:tc:SAML:2.0:nameid-format:transient
Different JVM memory settings when running in container
Instead of specifying hardcoded values for the initial and maximum heap size, Keycloak uses relative values to the total memory of a container. The JVM options
-Xms
, and-Xmx
were replaced by-XX:InitialRAMPercentage
, and-XX:MaxRAMPercentage
.For more details, see the Running Keycloak in a container guide.
GELF log handler has been deprecated
With sunsetting of the underlying library providing integration with GELF, Keycloak will no longer support the GELF log handler out-of-the-box. This feature will be removed in a future release. If you require an external log management, consider using file log parsing.
Support for multi-site active-passive deployments
Deploying Keycloak to multiple independent sites is essential for some environments to provide high availability and a speedy recovery from failures. This release supports active-passive deployments for Keycloak.
To get started, use the High Availability Guide which also includes a comprehensive blueprint to deploy a highly available Keycloak to a cloud environment.
Upgrading
Before upgrading refer to the migration guide for a complete list of changes.
All resolved issues
New features
admin/api
admin/client-js
user-profile
adapter/javascript
oidc
dist/quarkus
dist/quarkus
Configuration
📅 Schedule: Branch creation - "after 10pm every weekday,before 5am every weekday,every weekend" (UTC), Automerge - "before 4am on the first day of the month" (UTC).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.
Job Summary for Gradle
Commit Stage 🤖 :: package
Deprecation warnings
This job uses deprecated functionality from the
gradle/actions/setup-gradle
action. Follow the links for upgrade details.Gradle Build Results
Codecov Report
All modified and coverable lines are covered by tests :white_check_mark:
Additional details and impacted files
```diff @@ Coverage Diff @@ ## main #282 +/- ## ======================================= Coverage 89.87% 89.87% ======================================= Files 197 197 Lines 2657 2657 Branches 286 286 ======================================= Hits 2388 2388 Misses 179 179 Partials 90 90 ```:umbrella: View full report in Codecov by Sentry.
:loudspeaker: Have feedback on the report? Share it here.
Job Summary for Gradle
Commit Stage 🤖 :: code-coverage
Deprecation warnings
This job uses deprecated functionality from the
gradle/actions/setup-gradle
action. Follow the links for upgrade details.Gradle Build Results