keycloak-scim/docs/documentation/release_notes/topics/25_0_0.adoc

= Argon2 password hashing

Argon2 is now the default password hashing algorithm used by {project_name}

Argon2 was the winner of the [2015 password hashing competition](https://en.wikipedia.org/wiki/Password_Hashing_Competition)
and is the recommended hashing algorithm by [OWASP](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#argon2id).

In {project_name} 24 the default hashing iterations for PBKDF2 were increased from 27.5K to 210K, resulting in a more than
10 times increase in the amount of CPU time required to generate a password hash. With Argon2 it is possible to achieve
better security, with almost the same CPU time as previous releases of {project_name}. One downside is Argon2 requires more
memory, which is a requirement to be resistant against GPU attacks. The defaults for Argon2 in {project_name} requires 7MB
per-hashing request.

= Cookies updates

== SameSite attribute set for all cookies

The following cookies did not use to set the `SameSite` attribute, which in recent browser versions results in them
defaulting to `SameSite=Lax`:

* `KC_STATE_CHECKER` now sets `SameSite=Strict`
* `KC_RESTART` now sets `SameSite=None`
* `KEYCLOAK_LOCALE` now sets `SameSite=None`
* `KEYCLOAK_REMEMBER_ME` now sets `SameSite=None`

The default value `SameSite=Lax` causes issues with POST based bindings, mostly applicable to SAML, but also used in
some OpenID Connect / OAuth 2.0 flows.

== Removing KC_AUTH_STATE cookie

The cookie `KC_AUTH_STATE` is removed and it is no longer set by the {project_name} server as this server no longer needs this cookie.

= Deprecated cookie methods removed

The following methods for setting custom cookies have been removed:

* `LocaleSelectorProvider.KEYCLOAK_LOCALE` - replaced by `CookieType.LOCALE`
* `HttpCookie` - replaced by `NewCookie.Builder`
* `HttpResponse.setCookieIfAbsent(HttpCookie cookie)` - replaced by `HttpResponse.setCookieIfAbsent(NewCookie cookie)`

= Addressed 'You are already logged in' for expired authentication sessions

The Keycloak 23 release provided improvements for when a user is authenticated in parallel in multiple browser tabs. However, this improvement did not address the case when an authentication session
expired. Now for the case when user is already logged-in in one browser tab and an authentication session expired in other browser tabs, {project_name} is able to redirect back to the client
application with an OIDC/SAML error, so the client application can immediately retry authentication, which should usually automatically log in the application because of the SSO session. For more
details, see link:{adminguide_link}#_authentication-sessions[{adminguide_name} authentication sessions].

= Password policy for check if password contains Username

Keycloak supports a new password policy that allows you to deny user passwords which contains the user username.

= Searching by user attribute no longer case insensitive

When searching for users by user attribute, {project_name} no longer searches for user attribute names forcing lower case comparisons. The goal of this change was to speed up searches by using {project_name}'s native index on the user attribute table. If your database collation is case-insensitive, your search results will stay the same. If your database collation is case-sensitive, you might see less search results than before.

= Breaking fix in authorization client library

For users of the `keycloak-authz-client` library, calling `AuthorizationResource.getPermissions(...)` now correctly returns a `List<Permission>`.

Previously, it would return a `List<Map>` at runtime, even though the method declaration advertised `List<Permission>`.

This fix will break code that relied on casting the List or its contents to `List<Map>`. If you have used this method in any capacity, you are likely to have done this and be affected.

= IDs are no longer set when exporting authorization settings for a client

When exporting the authorization settings for a client, the IDs for resources, scopes, and policies are no longer set. As a
result, you can now import the settings from a client to another client.

= Management port for metrics and health endpoints

Metrics and health checks endpoints are no longer accessible through the standard {project_name} server port.
As these endpoints should be hidden from the outside world, they can be accessed on a separate default management port `9000`.

It allows to not expose it to the users as standard Keycloak endpoints in Kubernetes environments.
The new management interface provides a new set of options and is fully configurable.

{project_name} Operator assumes the management interface is turned on by default.
For more details, see https://www.keycloak.org/server/management-interface[Configuring the Management Interface].

= Syslog for remote logging

{project_name} now supports https://en.wikipedia.org/wiki/Syslog[Syslog] protocol for remote logging.
It utilizes the protocol defined in https://datatracker.ietf.org/doc/html/rfc5424[RFC 5424].
By default, the syslog handler is disabled, but when enabled, it sends all log events to a remote syslog server.

For more information, see the https://www.keycloak.org/server/logging[Configuring logging] guide.