In previous versions, the introspection endpoint automatically returned most of the claims that were available in the access token. Now most protocol mappers include a new
`Add to token introspection` switch. This addition allows more flexibility because the introspection endpoint can return different
claims than the access token. This change is a first step towards "Lightweight access tokens" support, because access tokens can omit many of the claims that would still be returned
by the introspection endpoint. When migrating from previous versions, the introspection endpoint should return the same claims that are returned in the access token,
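To show why this split matters to a resource server, here is an added example (not part of the release notes or of Keycloak itself) that decodes a constructed lightweight access token, merges it with a constructed RFC 7662 introspection response, lists the claims that are only visible via introspection, and treats an `active: false` response as carrying no usable claims. The client name, user id, issuer and placeholder signature are made up for the example.

```python
import base64
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwt_payload(token: str) -> dict:
    """Decode the payload segment of a compact JWS.
    No signature check happens here; a resource server must verify the
    signature before trusting anything this function returns."""
    segments = token.split(".")
    if len(segments) != 3:
        raise ValueError("not a compact JWS")
    payload = segments[1] + "=" * (-len(segments[1]) % 4)  # restore padding
    return json.loads(base64.urlsafe_b64decode(payload))


def effective_claims(token: str, introspection: dict):
    """Combine the claims carried in the token with the introspection response.
    Returns None when the server reports the token as not active: RFC 7662
    then guarantees only the 'active' member, so nothing else may be used."""
    if introspection.get("active") is not True:
        return None
    merged = jwt_payload(token)
    merged.update(introspection)  # the authorization server's view wins
    return merged


def claims_only_from_introspection(token: str, introspection: dict) -> set:
    """Claim names a resource server would miss if it read only the token."""
    return set(introspection) - set(jwt_payload(token))


def has_realm_role(claims: dict, role: str) -> bool:
    return role in claims.get("realm_access", {}).get("roles", [])


# Constructed sample data (not real tokens): a lightweight access token whose
# mappers only have 'Add to token introspection' on, and its introspection reply.
_PAYLOAD = {"iss": "https://sso.example.test/realms/demo", "sub": "user-123",
            "exp": 4102444800, "azp": "inventory-app", "scope": "openid"}
SAMPLE_TOKEN = ".".join([_b64url(b'{"alg":"RS256","typ":"JWT"}'),
                         _b64url(json.dumps(_PAYLOAD).encode()), "placeholder-sig"])
ACTIVE_RESPONSE = {"active": True, "sub": "user-123", "exp": 4102444800,
                   "client_id": "inventory-app", "scope": "openid",
                   "email": "alice@example.test",
                   "realm_access": {"roles": ["inventory-reader"]}}
INACTIVE_RESPONSE = {"active": False}
```

A resource server that authorizes on `realm_access` must therefore call introspection for such a token, since the role is absent from the token itself.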
== Feature flag for OAuth 2.0 device authorization grant flow
The OAuth 2.0 device authorization grant flow now includes a feature flag, so you can easily disable this feature. This feature is still enabled by default.
Both synced Passkeys and device-bound Passkeys can be used for both Same-Device and Cross-Device Authentication.
However, whether Passkeys operations succeed depends on the user's environment. Check which operations can succeed in https://passkeys.dev/device-support/[the environment].
Thanks to https://github.com/tnorimat[Takashi Norimatsu] for the contribution and thanks to https://github.com/thomasdarimont[Thomas Darimont] for the help with the
WebAuthn policy includes a new field: `Extra Origins`. It provides better interoperability with non-Web platforms (for example, native mobile applications).
This release addresses an issue that occurs when a user has the login page open in multiple browser tabs and authenticates in one of them. Previously, when the user then tried to authenticate in another browser tab, the message `You are already logged-in` appeared. This is now improved:
other browser tabs automatically authenticate the user after authentication in the first tab. However, more improvements are still needed. For example, when an authentication session expires and is restarted in one browser tab, the other browser tabs do not automatically follow with the login.
{project_name} supports a new password policy that lets you specify the maximum age of an authentication during which a user may change the password without re-authenticating.
When this password policy is set to 0, the user is required to re-authenticate to change the password in the Account Console or by other means.
You can also specify a value lower or higher than the default of 5 minutes.
ifeval::[{project_community}==true]
Thanks to https://github.com/thomasdarimont[Thomas Darimont] for the contribution.
Deploying {project_name} to multiple independent sites is essential for some environments to provide high availability and a speedy recovery from failures.
This release adds preview-support for active-passive deployments for {project_name}.
To get started, use the link:{highavailabilityguide_link}[{highavailabilityguide_name}] which also includes a comprehensive blueprint to deploy a highly available {project_name} to a cloud environment.
{project_name} has switched to RESTEasy Reactive. Applications using `quarkus-resteasy-reactive` should still benefit from better startup time, runtime performance, and memory footprint, even when they do not use reactive style or semantics. SPIs that depend directly on the JAX-RS API should be compatible with this change. SPIs that depend on RESTEasy Classic, including `ResteasyClientBuilder`, will not be compatible and will require an update. This update will also be needed for other implementations of the JAX-RS API, such as Jersey.
Declarative user profile is still a preview feature in this release, but we are working hard on promoting it to a supported feature. Feedback is welcome.
If you find any issues or have any improvements in mind, you are welcome to create a https://github.com/keycloak/keycloak/issues/new/choose[GitHub issue],
ideally with the label `area/user-profile`. It is also recommended to check the link:{upgradingguide_link}[{upgradingguide_name}] for the migration changes for this