A new health check endpoint available at /lb-check was added.
The execution is running in the event loop which means this check is responsive also in overloaded situations when Keycloak needs to handle many requests waiting in request queue.
This behavior is useful, for example, in multi-site deployment where we do not want to fail over to the other site under heavy load.
The endpoint is currently checking availability of the embedded and external Infinispan caches. Other checks may be added later.
This endpoint is not available by default.
To enable it, run Keycloak with feature multi-site.
Proceed to Enabling and disabling features guide for more details.
Upgrading
Before upgrading refer to the migration guide for a complete list of changes.
Keycloak has new client profiles fapi-2-security-profile and fapi-2-message-signing, which ensure Keycloak enforces compliance with
the latest FAPI 2 draft specifications when communicating with your clients. Thanks to Takashi Norimatsu for the contribution.
DPoP preview support
Keycloak has preview for support for OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP). Thanks to
Takashi Norimatsu and Dmitry Telegin for their contributions.
More flexibility for introspection endpoint
In previous versions, introspection endpoint automatically returned most claims, which were available in the access token. Now there is new
switch Add to token introspection on most of protocol mappers. This addition allows more flexibility as introspection endpoint can return different
claims than access token. This is first step towards "Lightweight access tokens" support as access tokens can omit lots of the claims, which would be still returned
by the introspection endpoint. When migrating from previous versions, the introspection endpoint should return same claims, which are returned from access token,
so the behavior should be effectively the same by default after the migration. Thanks to Shigeyuki Kabano for the contribution.
Feature flag for OAuth 2.0 device authorization grant flow
The OAuth 2.0 device authorization grant flow now includes a feature flag, so you can easily disable this feature. This feature is still enabled by default.
Thanks to Thomas Darimont for the contribution.
Passkey registration and authentication are realized by the features of WebAuthn.
Therefore, users of Keycloak can do passkey registration and authentication by existing WebAuthn registration and authentication.
Both synced passkeys and device-bound passkeys can be used for both Same-Device and Cross-Device Authentication.
However, passkeys operations success depends on the user8217;s environment. Make sure which operations can succeed in the environment.
Thanks to Takashi Norimatsu for the contribution and thanks to Thomas Darimont for the help with the
ideas and testing of this feature.
WebAuthn improvements
WebAuthn policy now includes a new field: Extra Origins. It provides better interoperability with non-Web platforms (for example, native mobile applications).
Thanks to Charley Wu for the contribution.
You are already logged-in
There was an infamous issue that when user had login page opened in multiple browser tabs and authenticated in one of them,
the attempt to authenticate in subsequent browser tabs opened the page You are already logged-in. This is improved now as
other browser tabs just automatically authenticate as well after authentication of first browser tab. There are still
corner cases when the behaviour is not 100% correct, like the scenario with expired authentication session, which is then
restarted just in one browser tab and hence other browser tabs won8217;t follow automatically with the login.
So we still plan improvements in this area.
Password policy for specify Maximum authentication time
Keycloak supports new password policy, which allows to specify the maximum age of an authentication with which a password may be changed by user without re-authentication.
When this password policy is set to 0, the user will be required to re-authenticate to change the password in the Account Console or by other means.
You can also specify a lower or higher value than the default value of 5 minutes. Thanks to Thomas Darimont for the contribution.
Deployments
Preview support for multi-site active-passive deployments
Deploying Keycloak to multiple independent sites is essential for some environments to provide high availability and a speedy recovery from failures.
This release adds preview-support for active-passive deployments for Keycloak.
A lot of work has gone into testing and verifying a setup which can sustain load and recover from the failure scenarios.
To get started, use the high-availability guide which also includes a comprehensive blueprint to deploy a highly available Keycloak to a cloud environment.
Adapters
OpenID Connect WildFly and JBoss EAP
OpenID Connect adapter for WildFly and JBoss EAP, which was deprecated in previous versions, has been removed in this release.
It is being replaced by the Elytron OIDC adapter,which is included in WildFly, and provides a seamless migration from
Keycloak adapters.
SAML WildFly and JBoss EAP
The SAML adapter for WildFly and JBoss EAP is no longer distributed as a ZIP download, but rather a Galleon feature pack,
making it easier and more seamless to install.
Keycloak now features http-max-queued-requests option to allow proper rejecting of incoming requests under high load.
For details refer to the production guide.
RESTEasy Reactive
Keycloak has switched to RESTEasy Reactive. Applications using quarkus-resteasy-reactive should still benefit from a better startup time, runtime performance, and memory footprint, even though not using reactive style/semantics. SPI8217;s that depend directly on JAX-RS API should be compatible with this change. SPI8217;s that depend on RESTEasy Classic including ResteasyClientBuilder will not be compatible and will require update, this will also be true for other implementation of the JAX-RS API like Jersey.
User profile
Declarative user profile is still a preview feature in this release, but we are working hard on promoting it to a supported feature. Feedback is welcome.
If you find any issues or have any improvements in mind, you are welcome to create Github issue,
ideally with the label area/user-profile. It is also recommended to check the Upgrading Guide with the migration changes for this
release for some additional informations related to the migration.
Group scalability
Performance around searching of groups is improved for the use-cases with many groups and subgroups. There are improvements, which allow
paginated lookup of subgroups. Thanks to Alice for the contribution.
Themes
Localization files for themes default to UTF-8 encoding
Message properties files for themes are now read in UTF-8 encoding, with an automatic fallback to ISO-8859-1 encoding.
See the migration guide for more details.
Storage
Removal of the Map Store
The Map Store has been an experimental feature in previous releases.
Starting with this release, it is removed and users should continue to use the current JPA store.
See the migration guide for details.
Upgrading
Before upgrading refer to the migration guide for a complete list of changes.
All resolved issues
New features
#23155 [WebAuthn] origin validation not support for non-Web platforms core
Enhancements
#431 Remove Wildfly/EAP OIDC and SAML adapter downloads web
#505 Quickstarts - Wildfly upgrade and README cleanup quickstarts
#510 SAML quickstart - provisioning of SAML adapter via Galleon quickstarts
#9318 User profile configuration API is incorrectly typed docs
#503 Automate Keycloak version replacement quickstarts
#508 set-version script does not update package(-lock).json files in js and nodejs quickstarts quickstarts
#515 [Keycloak Quickstarts CI failure] loginToAdminConsole method fails in ArquillianSysoutEventListenerProviderTest.testEventListenerOutput due to Unable to locate element: {"method":"css selector","selector":"#username"} exception quickstarts
#8939 PAR fails to authenticate for public client oidc
#9004 Access Token claims not imported using OpenID Connect v1.0 Identity Provider Attribute Importer Mappers oidc
#10710 Rollup.js complains about the use of eval in one of keycloak.js's dependencies adapter/javascript
#11699 Under heavy load, DefaultBruteForceProtector blocks the whole system authentication
#12062 Declarative User Profile export user-profile
#12171 Inconsistent authorization behavior when exporting data from a realm authorization-services
#14134 [keycloak 18] cannot import users with correct ID in partial import admin/api
#16379 Inconsistent handling of parenthesis in auth flow name admin/api
#16526 Token introspection response does not follow RFC6479 "scope" parameter format oidc
#19093 The create new user page requires the admin user to be given the "Manage-Realm" role in order to see the user profile attributes in the create new user page admin/api
This PR contains the following updates:
22.0.5
->23.0.3
Release Notes
keycloak/keycloak (org.keycloak:keycloak-server-spi)
### [`v23.0.3`](https://togithub.com/keycloak/keycloak/releases/tag/23.0.3) [Compare Source](https://togithub.com/keycloak/keycloak/compare/23.0.2...23.0.3)Upgrading
Before upgrading refer to the migration guide for a complete list of changes.
Highlights
Non-blocking health check for load balancers
A new health check endpoint available at
/lb-check
was added. The execution is running in the event loop which means this check is responsive also in overloaded situations when Keycloak needs to handle many requests waiting in request queue. This behavior is useful, for example, in multi-site deployment where we do not want to fail over to the other site under heavy load. The endpoint is currently checking availability of the embedded and external Infinispan caches. Other checks may be added later.This endpoint is not available by default. To enable it, run Keycloak with feature
multi-site
. Proceed to Enabling and disabling features guide for more details.Upgrading
Before upgrading refer to the migration guide for a complete list of changes.
All resolved issues
Enhancements
Bugs
saml
core
oidc
dist/quarkus
admin/ui
docs
account/ui
user-profile
user-profile
operator
Upgrading
Before upgrading refer to the migration guide for a complete list of changes.
All resolved issues
Bugs
admin/ui
oidc
admin/ui
admin/ui
saml
operator
admin/ui
oidc
Highlights
OpenID Connect / OAuth 2.0
FAPI 2 drafts support
Keycloak has new client profiles
fapi-2-security-profile
andfapi-2-message-signing
, which ensure Keycloak enforces compliance with the latest FAPI 2 draft specifications when communicating with your clients. Thanks to Takashi Norimatsu for the contribution.DPoP preview support
Keycloak has preview for support for OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP). Thanks to Takashi Norimatsu and Dmitry Telegin for their contributions.
More flexibility for introspection endpoint
In previous versions, introspection endpoint automatically returned most claims, which were available in the access token. Now there is new switch
Add to token introspection
on most of protocol mappers. This addition allows more flexibility as introspection endpoint can return different claims than access token. This is first step towards "Lightweight access tokens" support as access tokens can omit lots of the claims, which would be still returned by the introspection endpoint. When migrating from previous versions, the introspection endpoint should return same claims, which are returned from access token, so the behavior should be effectively the same by default after the migration. Thanks to Shigeyuki Kabano for the contribution.Feature flag for OAuth 2.0 device authorization grant flow
The OAuth 2.0 device authorization grant flow now includes a feature flag, so you can easily disable this feature. This feature is still enabled by default. Thanks to Thomas Darimont for the contribution.
Authentication
Passkeys support
Keycloak has preview support for Passkeys.
Passkey registration and authentication are realized by the features of WebAuthn. Therefore, users of Keycloak can do passkey registration and authentication by existing WebAuthn registration and authentication.
Both synced passkeys and device-bound passkeys can be used for both Same-Device and Cross-Device Authentication. However, passkeys operations success depends on the user8217;s environment. Make sure which operations can succeed in the environment. Thanks to Takashi Norimatsu for the contribution and thanks to Thomas Darimont for the help with the ideas and testing of this feature.
WebAuthn improvements
WebAuthn policy now includes a new field:
Extra Origins
. It provides better interoperability with non-Web platforms (for example, native mobile applications). Thanks to Charley Wu for the contribution.You are already logged-in
There was an infamous issue that when user had login page opened in multiple browser tabs and authenticated in one of them, the attempt to authenticate in subsequent browser tabs opened the page
You are already logged-in
. This is improved now as other browser tabs just automatically authenticate as well after authentication of first browser tab. There are still corner cases when the behaviour is not 100% correct, like the scenario with expired authentication session, which is then restarted just in one browser tab and hence other browser tabs won8217;t follow automatically with the login. So we still plan improvements in this area.Password policy for specify Maximum authentication time
Keycloak supports new password policy, which allows to specify the maximum age of an authentication with which a password may be changed by user without re-authentication. When this password policy is set to 0, the user will be required to re-authenticate to change the password in the Account Console or by other means. You can also specify a lower or higher value than the default value of 5 minutes. Thanks to Thomas Darimont for the contribution.
Deployments
Preview support for multi-site active-passive deployments
Deploying Keycloak to multiple independent sites is essential for some environments to provide high availability and a speedy recovery from failures. This release adds preview-support for active-passive deployments for Keycloak.
A lot of work has gone into testing and verifying a setup which can sustain load and recover from the failure scenarios. To get started, use the high-availability guide which also includes a comprehensive blueprint to deploy a highly available Keycloak to a cloud environment.
Adapters
OpenID Connect WildFly and JBoss EAP
OpenID Connect adapter for WildFly and JBoss EAP, which was deprecated in previous versions, has been removed in this release. It is being replaced by the Elytron OIDC adapter,which is included in WildFly, and provides a seamless migration from Keycloak adapters.
SAML WildFly and JBoss EAP
The SAML adapter for WildFly and JBoss EAP is no longer distributed as a ZIP download, but rather a Galleon feature pack, making it easier and more seamless to install.
See the Securing Applications and Services Guide for the details.
Server distribution
Load Shedding support
Keycloak now features
http-max-queued-requests
option to allow proper rejecting of incoming requests under high load. For details refer to the production guide.RESTEasy Reactive
Keycloak has switched to RESTEasy Reactive. Applications using
quarkus-resteasy-reactive
should still benefit from a better startup time, runtime performance, and memory footprint, even though not using reactive style/semantics. SPI8217;s that depend directly on JAX-RS API should be compatible with this change. SPI8217;s that depend on RESTEasy Classic includingResteasyClientBuilder
will not be compatible and will require update, this will also be true for other implementation of the JAX-RS API like Jersey.User profile
Declarative user profile is still a preview feature in this release, but we are working hard on promoting it to a supported feature. Feedback is welcome. If you find any issues or have any improvements in mind, you are welcome to create Github issue, ideally with the label
area/user-profile
. It is also recommended to check the Upgrading Guide with the migration changes for this release for some additional informations related to the migration.Group scalability
Performance around searching of groups is improved for the use-cases with many groups and subgroups. There are improvements, which allow paginated lookup of subgroups. Thanks to Alice for the contribution.
Themes
Localization files for themes default to UTF-8 encoding
Message properties files for themes are now read in UTF-8 encoding, with an automatic fallback to ISO-8859-1 encoding.
See the migration guide for more details.
Storage
Removal of the Map Store
The Map Store has been an experimental feature in previous releases. Starting with this release, it is removed and users should continue to use the current JPA store. See the migration guide for details.
Upgrading
Before upgrading refer to the migration guide for a complete list of changes.
All resolved issues
New features
core
Enhancements
web
quickstarts
quickstarts
docs
operator
user-profile
storage
user-profile
authentication
authorization-services
operator
user-profile
operator
storage
import-export
oidc
admin/ui
identity-brokering
oidc
identity-brokering
adapter/javascript
oidc
storage
dist/quarkus
admin/ui
authentication
user-profile
oidc
user-profile
identity-brokering
user-profile
core
user-profile
core
user-profile
adapter/jee-saml
Bugs
quickstarts
quickstarts
quickstarts
quickstarts
oidc
oidc
adapter/javascript
authentication
user-profile
authorization-services
admin/api
admin/api
oidc
admin/api
docs
docs
authentication
admin/client-js
oidc
account/api
admin/api
user-profile
ci
token-exchange
user-profile
storage
storage
admin/api
core
admin/ui
account/ui
authentication
authentication
ldap
account/ui
ldap
operator
ci
oidc
admin/ui
docs
core
core
admin/ui
account/ui
saml
admin/api
account/ui
admin/api
admin/ui
infinispan
authentication
dist/quarkus
core
admin/ui
dist/quarkus
admin/ui
storage
dependencies
admin/ui
user-profile
core
admin/api
core
user-profile
oidc
user-profile
admin/ui
admin/ui
admin/ui
user-profile
core
core
user-profile
admin/ui
core
user-profile
admin/ui
storage
admin/ui
login/ui
oidc
admin/cli
authentication
user-profile
infinispan
authentication
admin/client-js
Configuration
📅 Schedule: Branch creation - "every weekend" in timezone US/Eastern, Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.