Security issue with PAR clients using client_secret_post based authentication
This release contains the fix for an important security issue affecting some OIDC confidential clients using PAR (Pushed Authorization Request). If you use OIDC confidential clients together
with PAR and authenticate those clients with a client_id and client_secret sent as parameters in the HTTP request body (the client_secret_post method specified in the OIDC specification), it is
highly encouraged to rotate the client secrets of those clients after upgrading to this version.
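The rotation advised above, as an added example that is not Keycloak's own code: it filters client representations as returned by the admin REST API (GET /admin/realms/{realm}/clients) and regenerates each selected client's secret. The require.pushed.authorization.requests attribute key and the POST /admin/realms/{realm}/clients/{id}/client-secret endpoint are assumptions based on Keycloak 24, and the sample clients are constructed.

```python
"""Pick Keycloak confidential clients to rotate after the PAR/client_secret_post fix."""
import json
import urllib.request

# Client attribute Keycloak stores for "Require PAR" (assumption: Keycloak 24 key).
PAR_ATTR = "require.pushed.authorization.requests"
# Constructed sample of GET /admin/realms/{realm}/clients output, not real data.
SAMPLE_CLIENTS = [
    {"id": "u1", "clientId": "web-par", "publicClient": False,
     "clientAuthenticatorType": "client-secret", "attributes": {PAR_ATTR: "true"}},
    {"id": "u2", "clientId": "web-plain", "publicClient": False,
     "clientAuthenticatorType": "client-secret"},
    {"id": "u3", "clientId": "spa", "publicClient": True,
     "attributes": {PAR_ATTR: "true"}},
    {"id": "u4", "clientId": "jwt-par", "publicClient": False,
     "clientAuthenticatorType": "client-jwt", "attributes": {PAR_ATTR: "true"}},
]


def needs_rotation(client: dict, only_par: bool = True) -> bool:
    """Confidential OIDC client authenticating with a shared client secret.
    Keycloak does not record whether the secret travels as client_secret_basic
    or client_secret_post, so every client-secret client is a candidate;
    only_par=True narrows the set to clients whose config requires PAR."""
    if client.get("protocol", "openid-connect") != "openid-connect":
        return False
    if client.get("publicClient") or client.get("bearerOnly"):
        return False
    if client.get("clientAuthenticatorType", "client-secret") != "client-secret":
        return False
    if not only_par:
        return True
    attrs = client.get("attributes") or {}
    return str(attrs.get(PAR_ATTR, "false")).lower() == "true"


def select_clients(clients: list, only_par: bool = True) -> list:
    """Sorted clientIds whose secret should be regenerated."""
    return sorted(c["clientId"] for c in clients if needs_rotation(c, only_par))


def rotate_secret(base_url: str, realm: str, client_uuid: str, token: str) -> dict:
    """Regenerate one client's secret; the response's "value" is the new secret."""
    req = urllib.request.Request(
        f"{base_url}/admin/realms/{realm}/clients/{client_uuid}/client-secret",
        method="POST", headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)
```

Regenerating invalidates the previous secret immediately, so hand the returned value to the consuming application in the same change; pass only_par=False to cover clients that use PAR without the "Require PAR" switch.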
Upgrading
Before upgrading refer to the migration guide for a complete list of changes.
All resolved issues
Enhancements
#29073 Use cache.compute() method to improve the replace retry loop
#29280 Update Create Realm in Keycloak 24 Getting Started
Bugs
#29129 JGroups creates log messages as it switched internally to "trace" [dist/quarkus]
#29206 LDAP user creation reports error but user is created [ldap]
#29314 Clicking the "save" button multiple times in the Saml IDP configuration page corrupts the value of "AuthnContext ClassRefs" [admin/ui]
#29458 Empty CSP header value breaks security filter [authentication]
#29471 Cypress tests store videos even for passing tests [ci]
This PR contains the following updates:
24.0.4 -> 24.0.5
Release Notes
keycloak/keycloak (org.keycloak:keycloak-services)
### [`v24.0.5`](https://togithub.com/keycloak/keycloak/releases/tag/24.0.5) [Compare Source](https://togithub.com/keycloak/keycloak/compare/24.0.4...24.0.5)
Configuration
📅 Schedule: Branch creation - "every weekend" in timezone US/Eastern, Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate.