9

Keycloak 18.0.0 released

 2 years ago
source link: https://www.keycloak.org/2022/04/keycloak-1800-released
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.

Keycloak 18.0.0 released

April 20 2022

To download the release go to Keycloak downloads.

Release notes

New Operator preview

With this release, we’re introducing a brand new Keycloak Operator as a preview. Apart from being rewritten from scratch, the main user-facing change from the legacy Operator is the used Keycloak distribution – the new Operator uses the Quarkus distribution of Keycloak. With that, the API (in form of Custom Resource Definitions) has changed. For details, incl. installation and migration instructions, see the Operator related guides.

The legacy Operator will receive updates until Keycloak 20 when the Keycloak WildFly distribution reaches EOL.

OperatorHub versioning scheme

To avoid version conflicts with the legacy Operator, the 18.0.0 version of the new Operator is released as version 20.0.0-alpha.1 on OperatorHub. The legacy Operator versioning scheme remains the same, i.e. it is released as 18.0.0.

The same pattern will apply for future Keycloak 18 and 19 releases, until version 20 where the legacy Operator reaches EOL.

New Admin Console preview

The new Admin Console is now graduated to preview, with the plan for it to become the default admin console in Keycloak 19.

If you find any issues with the new console, or have some suggestions for improvements, please let us know through GitHub Discussions.

Step-up authentication

Keycloak now supports Step-up authentication. This feature was added in Keycloak 17, and was further polished in this version.

For more details, see Server Administration Guide.

Client secret rotation

Keycloak now supports Client Secret Rotation through customer policies. This feature is now available as a preview feature and allows that confidential clients can be provided with realm policies allowing the use up to two secrets simultaneously.

For more details, see Server Administration Guide.

Recovery Codes

Recovery Codes as another way to do two-factor authentication is now available as a preview feature.

OpenID Connect Logout Improvements

Some fixes and improvements were made to make sure that Keycloak is now fully compliant with all the OpenID Connect logout specifications:

  • OpenID Connect RP-Initiated Logout 1.0

  • OpenID Connect Front-Channel Logout 1.0

  • OpenID Connect Back-Channel Logout 1.0

  • OpenID Connect Session Management 1.0

For more details, see Server Administration Guide.

WebAuthn improvements

Keycloak now supports WebAuthn id-less authentication. This feature allows that WebAuthn Security Key will identify the user during authentication as long as the security key supports Resident Keys. For more details, see Server Administration Guide. Thanks to Joaquim Fellmann for the contribution.

There are more WebAuthn improvements and fixes in addition to that.

The deprecated upload-script feature was removed

The upload-script feature has been marked as deprecated for a very long time. In this release, it was completely removed, and it is no longer supported.

If you are using any of these capabilities:

  • OpenID Connect Script Mapper

  • Script Authenticator (Authentication Execution)

  • JavaScript Policies

You should consider reading this documentation in order to understand how to still rely on these capabilities but deploying your scripts to the server rather than managing them through the management interfaces.

Session limits

Keycloak now supports limits on the number of sessions a user can have. Limits can be placed at the realm level or at the client level.

For more details, see Server Administration Guide. Thanks to Mauro de Wit for the contribution.

SAML ECP Profile is disabled by default

To mitigate the risk of abusing SAML ECP Profile, Keycloak now blocks this flow for all SAML clients that do not allow it explicitly. The profile can be enabled using Allow ECP Flow flag within client configuration, see Server Administration Guide.

Quarkus distribution

Import realms at startup

The Keycloak Quarkus distribution now supports importing your realms directly at start-up. For more information, check the corresponding guide.

JSON and File Logging improvements

The Keycloak Quarkus distribution now initially supports logging to a File and logging structured data using JSON.

For more information on the improvements, check the corresponding guide.

Environment variable expansion for values in keycloak.conf

The Keycloak Quarkus distribution now supports expanding values in keycloak.conf from environment variables.

For more information, check the corresponding guide.

New Option db-url-port

You can now change the port of your jdbc connection string explicitly by setting the new db-url-port configuration option. As for the other convenience options, this option will be overridden by the value of a full db-url, if set.

Split metrics-enabled option into health-enabled and metrics-enabled

The metrics-enabled option now only enables the metrics for Keycloak. To enable the readiness and liveness probe, there’s the new build option health-enabled. This allows more fine-grained usage of these options.

Other improvements

  • Account console alignments with latest PatternFly release.

  • Support for encrypted User Info endpoint response. Thanks to Giacomo Altiero

  • Support for the algorithm RSA-OAEP with A256GCM used for encryption keys. Thanks to Filipe Bojikian Rissi

  • Support for login with GitHub Enterprise server. Thanks to Neon Ngo

Migration from 17.0

Before you upgrade remember to backup your database. If you are not on the previous release refer to the documentation for a complete list of migration changes.

Step-up authentication

Step-up authentication is a new feature. This feature provides the acr client scope, which contains a protocol mapper that is supposed to add the acr claim in the token. The acr claim is not added automatically now as it was before this version, but it is added with the usage of this client scope and protocol mapper.

The client scope is added as a realm "default" client scope and hence will be added to all newly created clients. For performance reasons, the client scope is not automatically added to all existing clients during migration. The clients will not have an acr claim by default after the migration. Consider these possible actions:

  • If you do not plan to use step-up authentication feature, but you rely on the acr claim in the token, you can disable step_up_authentication feature as described in the Server Installation and Configuration Guide. The claim will be added with the value 1 in case of normal authentication and 0 in case of SSO authentication.

  • Add acr client scope to your clients manually by admin REST API or admin console. This is needed especially if you want to use step-up authentication. If you have a large number of clients in the realm and want to use acr claim for all of them, you can trigger some SQL similar to this against your DB. However, remember to clear the cache or restart the server if Keycloak is already started:

insert into CLIENT_SCOPE_CLIENT (CLIENT_ID, SCOPE_ID, DEFAULT_SCOPE) select CLIENT.ID as CLIENT_ID, CLIENT_SCOPE.ID as SCOPE_ID, true as DEFAULT_SCOPE
from CLIENT_SCOPE, CLIENT where CLIENT_SCOPE.REALM_ID='test' and CLIENT_SCOPE.NAME='acr' and CLIENT.REALM_ID='test' and CLIENT.PROTOCOL='openid-connect';

OpenID Connect Logout

Previous versions of Keycloak had supported automatic logout of the user and redirecting to the application by opening logout endpoint URL such as http(s)://example-host/auth/realms/my-realm-name/protocol/openid-connect/logout?redirect_uri=encodedRedirectUri. While that implementation was easy to use, it had potentially negative impact on performance and security. The new version has better support for logout based on the OpenID Connect RP-Initiated Logout specification. The parameter redirect_uri is no longer supported; also, in the new version, the user needs to confirm the logout. It is possible to omit the confirmation and do automatic redirect to the application when you include parameter post_logout_redirect_uri together with the parameter id_token_hint with the ID Token used for login.

The existing deployments are affected in the following ways:

  • If your application directly uses links to logout endpoint with the redirect_uri parameter, you may be required to change this as described above. Consider either removing the redirect_uri parameter entirely or replacing it with the id_token_hint and post_logout_redirect_uri parameters.

  • If you use java adapters and your application does logout by call httpServletRequest.logout(), you are not affected because this call uses the backchannel variant of the logout endpoint and that one was not changed.

  • If you use the latest javascript adapter, you are also not affected. However if your application uses an older version of the JavaScript adapter, you are affected as this adapter uses the variant of the logout endpoint with the deprecated redirect_uri parameter. In this case, you may need to upgrade to the latest version of the JavaScript adapter.

  • For the Node.js adapter, the same guideline applies as for the JavaScript adapter. You are encouraged to update to the latest version as the older version of the adapter uses the deprecated redirect_uri parameter. With the latest Node.js adapter, you are not affected as long as you use the logout based on the /logout URL as described in the documentation or in the Node.js adapter example. However, in the case when your application directly uses the method keycloak.logoutUrl, you can consider adding idTokenHint as the second argument to this method. The possibility to add idTokenHint as second argument was newly added in this version. The idTokenHint needs to be a valid ID Token that was obtained during the login. Adding idTokenHint is optional, but if you omit it, your users will need to confirm the logout screen as described earlier. Also they will not be redirected back to the application after logout.

There is a backwards compatibility option, which allows your application to still use the old format of the redirect_uri parameter.

You can enable this parameter when you start the server by entering the following command:

bin/kc.[sh|bat] --spi-login-protocol-openid-connect-legacy-logout-redirect-uri=true start

With this configuration, you can still use the format with the redirect_uri parameter. Note the confirmation screen will be needed if the id_token_hint is omitted.

Warning

The backwards compatibility switch will be removed in some future version - probably Keycloak 21. You are encouraged to update your clients as soon as possible as described above rather than rely on this switch.

Removal of the upload-scripts feature

Previous versions of Keycloak had supported managing JavaScript code through the management interfaces like the administrations console and REST API. Starting from this version this is no longer possible, and you should now deploy your scripts to the server in order to configure the following providers:

  • OpenID Connect Script Mapper

  • Script Authenticator (Authentication Execution)

  • JavaScript Policies

More details about how to deploy scripts to the server are available in the documentation. Note that to use scripts, you are still required to enable the scripts technology preview feature.

kc.[sh|bat] start --auto-build --features=preview

When deploying scripts, the server is going to automatically create their corresponding providers so that you can select them when configuring authentication flows, mappers, and authorization policies.

In general, the steps to update your realms are the following:

  • Before upgrading, remove any script provider you are using.

  • After the upgrade, deploy your scripts following the instructions in the documentation.

  • Update your authentication flows, mappers, and the client authorization settings to use the providers created from the scripts deployed to the server.

Account console Patternfly upgrade

The Patternfly (PF) React libraries have been updated updated, @patternfly/react-core from v3.153.3 to v4.147.0, @patternfly/react-icons from v3.15.16 to v 4.11.8, and @patternfly/react-styles from v3.7.14 to v4.11.8. Several minor UI updates were made to bring the account console into alignment with PF design standards.

Custom developed account UIs might not be compatible with these updates due to the breaking changes in PF. Most breaking changes should be resovlable by updating props on PF components.

Resources:

Components known to have breaking changes:

  • Alert

  • action prop changed to actionClose

  • Expandable

  • renamed to ExpandableSection

  • Title

  • size attr now uses TitleSizes

  • DataListContent

  • noPadding changed to hasNoPadding

  • Grid, Stack, Level, Gallery

  • gutter attr changed to hasGutter

  • Modal

  • sizing control changed from, e.g. isLarge, to use ModalVariant, e.g. variant={ModalVariant.large}

  • Select

  • ariaLabelTypeAhead to typeAheadAriaLabel

  • isExpanded to isOpen

  • ariaLabelledBy to aria-labelledby

  • DataListContent

  • noPadding to hasNoPadding

Quarkus distribution: Split metrics-enabled option into health-enabled and metrics-enabled

The metrics-enabled option now only enables the metrics for Keycloak. To enable the readiness and liveness health endpoints, there’s a new boolean option health-enabled. This allows more fine-grained usage of these options, e.g. enabling metrics but not enabling readiness/liveness probes for on-premise use cases. In order to keep the same behaviour as before when metrics-enabled=true was set, you need to additionally set health-enabled=true when building Keycloak.

All resolved issues

New features

  • #1433 Add documentation for recovery codes keycloak-documentation
  • #1442 OIDC RP-Initiated logout endpoint keycloak-documentation
  • #1450 Documentation for session-limits-feature keycloak-documentation
  • #9540 Recovery authentication codes keycloak
  • #9660 JPA map storage: Groups no-downtime store keycloak storage
  • #9661 JPA map storage: Realm no-downtime store keycloak storage
  • #9665 JPA map storage: Authentication session no-downtime store keycloak storage
  • #9670 Hot Rod map storage: Realm no-downtime store keycloak storage
  • #9671 Hot Rod map storage: User no-downtime store keycloak storage
  • #9672 Hot Rod map storage: Client scope no-downtime store keycloak storage
  • #9673 Hot Rod map storage: Login failure no-downtime store keycloak storage
  • #9674 Hot Rod map storage: Authentication session no-downtime store keycloak storage
  • #9675 Hot Rod map storage: User / client session no-downtime store keycloak storage
  • #9677 Hot Rod map storage: Roles no-downtime store keycloak storage
  • #9726 Secret references in `serverConfiguration` in the Keycloak CRD keycloak operator
  • #9727 Improve naming in `serverConfiguration` in the Keycloak CRD keycloak operator
  • #9729 Pod Templates in operator keycloak operator
  • #9730 Clustering support in operator keycloak operator
  • #9731 Ingress in operator keycloak operator
  • #9732 Tests for Keycloak Deployment keycloak operator
  • #9736 Convert realm entities into interface keycloak storage
  • #9737 Convert login failure entities into interface keycloak storage
  • #9738 Convert authentication session entities into interface keycloak storage
  • #9739 Convert user / client session entities into interface keycloak storage
  • #9780 SSL config in the operator keycloak operator
  • #9782 Use prod profile in Quarkus dist keycloak operator
  • #9785 Extensions support in the operator keycloak operator
  • #9826 Generate CRDs compatible with the previous keycloak operator
  • #9843 Initial admin user bootstrapping via the operator keycloak operator
  • #9929 Read-write LDAP implementation for roles keycloak storage
  • #10159 Support for acr_values_supported in OIDC well-known endpoint keycloak
  • #10160 Option for client to specify default acr level keycloak
  • #10205 Replace 'Store LoA in User Session' with 'Max Age' keycloak
  • #10395 Enable Health endpoints even with metrics disabled keycloak dist/quarkus
  • #10436 Release process for operator image keycloak operator
  • #10517 Support for UserInfo response encrypted keycloak
  • #10764 Automatic scan Keycloak docker image for vulnerabilities keycloak
  • #10772 Add expiration field for root authentication session keycloak storage
  • #10832 Allow WebAuthn idless login flow keycloak
  • #10885 Improve OIDC RP-Initiated Logout keycloak
  • #10908 Prepare scripts for generating OLM resources keycloak operator
  • #11303 Operator 18.0.0 release notes keycloak docs

Enhancements

  • #358 Adjust nodejs adapter with OIDC RP-Initiated Logout keycloak-nodejs-connect
  • #374 Update MS SQL JDBC driver version to 10.2.0 keycloak-containers
  • #1431 Revise documentation for WebAuthn keycloak-documentation
  • #1437 Release notes for WebAuthn idless keycloak-documentation
  • #1453 Update migration documentation for node.js adapter about logout keycloak-documentation
  • #8800 Remove node_modules folder from the Keycloak repository keycloak admin/ui
  • #9091 Client Policies : An executor rejecting a request based on a client role keycloak
  • #9097 Client Policies : An executor rejecting all requests keycloak
  • #9100 Client Policies : Negative logic by a policy keycloak
  • #9261 Import realm at startup keycloak
  • #9869 Improve readability of CacheExpirationTest keycloak storage
  • #9934 Test more recent versions of Spring Boot keycloak testsuite
  • #9993 Make Keycloak Model Map JPA module JDK 17 ready keycloak storage
  • #10036 Hide 'unknown' transport media type label for WebAuthn authenticators keycloak authentication/webauthn
  • #10039 JPA map storage: Add support for CockroachDB keycloak storage
  • #10050 Remove values from error message in CLI when key is unknown keycloak dist/quarkus
  • #10058 Keycloak configuration in testsuite doesn't provide properties for supported map storages keycloak storage
  • #10062 Test WebAuthn with multiple browsers keycloak testsuite
  • #10075 Review Configuring outgoing HTTP requests keycloak
  • #10092 Provide readme to container submodule of quarkus dist keycloak dist/quarkus
  • #10100 Review Keycloak X Configuration Guide keycloak
  • #10101 Add prefix "kc_" to all existing tables keycloak storage
  • #10111 Update Quarkus to 2.7.1 keycloak dist/quarkus
  • #10132 Ensure that Liquibase is only called once per area keycloak storage
  • #10133 Improvements to maven repository settings keycloak
  • #10137 Support for frontchannel_logout_session_required OIDC client parameter keycloak
  • #10141 Test operator running locally in GHA keycloak operator
  • #10154 Support for acr in keycloak.js keycloak
  • #10161 Protocol mapper and client scope for "acr" claim keycloak
  • #10213 Possibility to ignore tests for particular browsers keycloak testsuite
  • #10224 Separate probes toggle from metrics keycloak dist/quarkus
  • #10266 Allow Account V2 theme to be built conditionally keycloak account/ui
  • #10282 Update postgresql.version to 42.3.3 for quarkus distribution keycloak dist/quarkus
  • #10309 Edit Configuring for Production keycloak
  • #10312 Allow adding custom headers in HTTP Requests performed by keycloak-js adapter keycloak
  • #10315 Introduce Keycloak "feature" for step-up authentication keycloak
  • #10333 getParameterCount() can be used instead of getParameterTypes().length and getParameters().length keycloak core
  • #10437 Update to Quarkus 2.7.2 keycloak dist/quarkus
  • #10439 Release K8s resources for installing operator without OLM keycloak operator
  • #10442 Change String client.id to ClientModel client in ResourceServerStore keycloak storage
  • #10458 container guide: missing paragraph about initial admin bootstrap in a container keycloak
  • #10500 Disable Infinispan caching layer for Authorization Map storage keycloak storage
  • #10523 Add File Log Support keycloak dist/quarkus
  • #10539 Allow Edge tests in Admin Console tests keycloak admin/ui
  • #10571 Allow exposing some initial provider config options via web site keycloak dist/quarkus
  • #10588 Reduce log size for the model tests keycloak storage
  • #10641 Update Quarkus Distribution to 2.7.3 keycloak dist/quarkus
  • #10666 Add secret rotation to JWTClientSecretAuthenticator keycloak
  • #10695 Make WebAuthn feature default for the product version keycloak authentication/webauthn
  • #10702 Mismatch between RESTEasy dependency on Operator and Quarkus distribution keycloak operator
  • #10744 Attributes field can be stored with empty value in some cases keycloak storage
  • #10793 Disable auto-build when custom image is provided keycloak operator
  • #10807 Introduce an additional dependency scanner for Keycloak keycloak ci
  • #10829 Add merge tasks optimization to ConcurrentHashMapKeycloakTransaction.delete keycloak storage
  • #10867 Add missing `JsonPropertyDescription` to fields in Keycloak CRD keycloak operator
  • #10896 Support Filtering by Enabled Attribute on /Users/Count Endpoint keycloak admin/api
  • #10939 Fix CVEs and change base image for the operator keycloak operator
  • #10945 Set autofocus on the 'Sign In With Security Key' button keycloak authentication/webauthn
  • #10960 Data type for timestamp and expiration in Map Storage keycloak storage
  • #10968 Usage of raw quarkus runtime properties without a build keycloak dist/quarkus
  • #10971 Update to the latest version of the official actions used by Keycloak keycloak ci
  • #10987 Replace the dependency cache on GitHub Actions keycloak ci
  • #10999 Upgrade to WildFly 26.1.0.Final keycloak dist/wildfly
  • #11000 Graduate new Admin Console to preview keycloak admin/ui
  • #11011 Trigger Trivy workflow after the build of our nightly images keycloak ci
  • #11016 CI should run on the same Java distribution we use to publish keycloak
  • #11032 Possibility to add scope to admin-client TokenManager keycloak
  • #11038 Review the pinned guides of the operator docs keycloak operator
  • #11043 Update Kubernetes Client to 5.12.1 keycloak operator
  • #11049 Detail how to include extensions in custom images in server docs keycloak operator
  • #11103 Keycloak account console PatternFly design system alignment keycloak
  • #11105 Add new german locales keycloak translations
  • #11127 Keep Github Actions up-to-date keycloak ci
  • #11131 keycloak-js download should be installable through npm keycloak
  • #11134 Document usage of hostname has to comply with standards keycloak dist/quarkus
  • #11144 Identity brokering support for GitHub Enterprise server keycloak
  • #11217 Change the CRD API group in the operator keycloak operator
  • #11225 Ignore license compliance warnings keycloak ci
  • #11251 keycloak-x - unable to modify mssql/SQLServer port to anything other than 1433 keycloak dist/quarkus
  • #11257 Remove deployment module dependency from server module keycloak
  • #11261 Avoid initializing the OWASP HTML Sanitizer at startup keycloak
  • #11263 Obtaining the resource version using native SQL during startup keycloak
  • #11287 Determine Keycloak image tag from Operator version keycloak operator
  • #11297 Ignore WebAuthnIdLessTest for Firefox keycloak testsuite
  • #300 Latest openshift-examples/keycloak.yaml of 17.0.0 does not work keycloak-quickstarts
  • #311 Some tests broken due the OIDC RP-Initiated Logout keycloak-quickstarts
  • #393 CVE-2022-21724 vulnerability related to postgresql dependency keycloak-containers dependencies
  • #1425 Typo in LDAP documentation regarding WRITABLE mode keycloak-documentation
  • #8724 Unknown essential acr claim does not result in an error keycloak authentication
  • #8776 Pre-loaded sessions live forever in cache keycloak storage
  • #8893 Exact match user query by email is doing a full table scan keycloak storage
  • #9045 Keycloak import in TypeScript without allowSyntheticDefaultImports keycloak adapter/javascript
  • #9063 Page layout may be unexpected due to Quirks Mode keycloak oidc
  • #9339 Definition of keycloak-wildfly-adapter-dist in keycloak-adapter-bom doesn't work keycloak adapter/jee
  • #9364 includeInAccessTokenResponse.label and includeInAccessTokenResponse.label.tooltip english messages are missing keycloak admin/ui
  • #9692 OTPPolicyTest failures in pipeline keycloak testsuite
  • #9756 lifespan property in PathCacheConfig is missing @JsonProperty annotation keycloak authorization-services
  • #9841 JavaDoc API not published on keycloak.org (starting with 15.1) keycloak docs
  • #9848 Allow keycloak-js default export to be used as a constructor keycloak adapter/javascript
  • #9895 Auth execution "Condition - User Attribute" missing keycloak authentication
  • #9899 LDAP Integration tests fail on OpenJDK 17 keycloak testsuite
  • #9920 Bug when updating user attributes with duplicated values keycloak storage
  • #9942 IDELauncher not loading Resources when opening welcomepage keycloak dist/quarkus
  • #10016 GHA Model Tests are still sometimes failing due to timeout keycloak ci
  • #10051 White-space separated CLI options are treated as 2 separate options in errorcase keycloak dist/quarkus
  • #10055 Path parameter is missing in the get account endpoint keycloak account/api
  • #10103 Configure CodeQL to perform the analysis of the main branch keycloak
  • #10136 French translation issues for email verification keycloak translations
  • #10143 Nonce parameter should be required in authorizationEndpoint only when "id_token" is included in response_type keycloak oidc
  • #10144 Handle OIDC authz request with "response_type" missing and "response_mode=form_post" keycloak oidc
  • #10203 The CodeQL analysis is broken due to the large content of the generated SARIF file keycloak ci
  • #10218 AccountLinkSpringBootTest failures in pipeline keycloak testsuite
  • #10225 Unstable AuthenticationFlowCallbackProviderTest for undertow-map keycloak testsuite
  • #10246 ConfigurationTest can not run on Windows keycloak testsuite
  • #10260 Missing javadoc artifact for spring-boot-container-bundle and spring-boot-legacy-container-bundle keycloak adapter/spring
  • #10268 Properly execute AuthenticationFlowCallbackProviderTest with Map storage keycloak testsuite
  • #10289 Container Guide still references old keycloak-x repository keycloak docs
  • #10314 keycloak-js 17.0.0: Can't import the named export 'sha256' from non EcmaScript module keycloak adapter/javascript
  • #10318 Client offline sessions are stored with wrong client id after server restart when custom ClientStorageProvider is used keycloak storage
  • #10328 Realm localization translations are not available in the Account console keycloak account/ui
  • #10335 IP:8080/auth page not found keycloak dist/quarkus
  • #10341 Kubernetes cache-stack documentation update keycloak dist/quarkus
  • #10371 NPE when viewing flow executions and authentication provider not deployed keycloak
  • #10406 Test failures in Operator CI keycloak testsuite
  • #10485 Operator CI is broken keycloak ci
  • #10531 Chapter about the initial configuration misses setup of the initial admin user keycloak docs
  • #10564 docs: Container documentation refers to multiple image sources keycloak
  • #10569 docs: Getting started with OpenShift keycloak docs
  • #10573 Wrong spelling in StringKeyConvertor keycloak storage
  • #10587 Flaky KeycloakServicesE2EIT.testDiscoveryServiceDurability keycloak ci
  • #10608 Password blacklists folder keycloak dist/quarkus
  • #10613 java.io.FileNotFoundException: ..../keycloak-17.0.0/model/jpa/target/test-classes/log4j.properties keycloak storage
  • #10616 Incorrect username logged for federated accounts keycloak authentication
  • #10625 Bad performance of admin event view in large environments keycloak storage
  • #10630 DeleteAccountTest failure in the test pipeline keycloak testsuite
  • #10717 Failure to upload the SARIF file on pull requests keycloak ci
  • #10743 Saml AuthnContextDecl in SAML Assertion is ommitted keycloak saml
  • #10762 Hang Detection Timeout kicks in Operator Tests keycloak operator
  • #10779 Attestation Conveyance Verification with YubiKey keycloak dist/quarkus
  • #10802 Keycloak is not fully supporting XML boolean values for SAML keycloak saml
  • #10806 Keycloak Quarkus distribution fail to start using h2 on OpenShift keycloak dist/quarkus
  • #10840 keycloak-common module has Java 1.8 API calls while the module is set to use Java 1.7 keycloak core
  • #10879 MigrationModelTest broken with version 999 keycloak storage
  • #10894 SAML Adapters tests start failing in recent versions of EAP/wildfly keycloak saml
  • #10915 [Docs] conflict between best practices regarding the JavaScript adapter keycloak docs
  • #10927 AbstractClientyEntity is missing isUpdated implementation keycloak storage
  • #10951 Getting 404 not found when using templates in custom provider deployed under providers folder keycloak dist/quarkus
  • #10961 Various NPEs using the realm create REST API keycloak admin/api
  • #10997 Allow overriding the host header using X-Forwarded-Host keycloak dist/quarkus
  • #11005 Script Mapper Performance Issues - Java 8 and Java 11 keycloak
  • #11030 Webauthn tests broke because of RP-Initiated logout changes keycloak
  • #11041 Account console not functional when running KeyCloak behind a reverse proxy keycloak docs
  • #11063 Update Infinispan to 13.0.8 to fix vulnerabilities reported on XStream (CVE-2021-43859) keycloak dist/quarkus
  • #11070 Testsuite failures when JPA Map Storage is used for realms keycloak storage
  • #11071 Update jackson-databind dependency to fix CVE-2020-36518 keycloak dist/quarkus
  • #11083 Blank admin console page in Keycloak 17.0.1 keycloak
  • #11090 SOAPBindingTest is failing with NoClassDefFoundError - SOAPException keycloak saml
  • #11091 keycloak-core module is using Java 1.8 class while it is set to use Java 1.7 keycloak
  • #11108 Admin console loads keycloak.js from authUrl keycloak dist/quarkus
  • #11118 AbstractClientEntity should implement clearUpdatedFlag keycloak storage
  • #11123 CodeQL analysis always fails keycloak
  • #11137 Nullpointer exceptions on resource page keycloak authorization-services
  • #11148 The associated policies of a resource returns wrong policies keycloak
  • #11157 The operator should go in CrashLoopBackoff if the CRDs are not present keycloak operator
  • #11171 Model tests for LDAP fail with a message "Could not unbind DN" and "ignoring the message MessageType UNBIND_REQUEST" keycloak storage
  • #11180 NPE when caching policies based on scopes without a resource keycloak
  • #11188 Update jackson-databind dependency in the main POM file to fix CVE-2020-36518 keycloak dependencies
  • #11191 LdapStorageProvider should fail authenticate if credentialInput is not of type UserCredentialModel keycloak ldap
  • #11192 CodeQL is failing due to missing dependency keycloak storage
  • #11196 Update wildfly-elytron dependency in the main Quarkus distribution (CVE-2021-3642) keycloak dependencies
  • #11206 Operator CI is broken reporting docker login failures keycloak
  • #11211 Handling LDAP Map storage problems when removing roles keycloak storage
  • #11245 Update jackson-databind dependency to fix CVE-2020-36518 in Operator keycloak operator
  • #11249 Update WildFly Elytron on the legacy distribution (CVE-2021-3642) keycloak dependencies
  • #11252 Unmatched braces in error log formatter in DefaultKeyManager keycloak core
  • #11284 Failed to list UMA policies when a user who was used in a policy got deleted. keycloak
  • #11288 Mistyping correction keycloak core
  • #11290 Replace the cryptographic algorithm by SHA-2 keycloak storage
  • #11294 Missing a duplicated parameter check in device authorization endpoint. keycloak
  • #11298 WebAuthnSigningInTest failures caused by different titles keycloak testsuite
  • #11343 kc.sh Does Not Allow Spaces in Filenames keycloak
  • #11344 Typo in HostnamePropertyMappers.java keycloak
  • #11502 Operator CI broken on main keycloak operator
  • #11530 Fix error response for invalid characters keycloak core
  • #11532 Disallow special characters in usernames to prevent confusion with similarly looking usernames keycloak

Upgrading

Before you upgrade remember to backup your database and check the upgrade guide for anything that may have changed.


report

Recommend

About Joyk


Aggregate valuable and interesting links.
Joyk means Joy of geeK