keycloak-scim/docs/documentation/upgrading/topics/keycloak/changes-23_0_0.adoc


= Added iss parameter to OAuth 2.0/OpenID Connect Authentication Response
RFC 9207 (OAuth 2.0 Authorization Server Issuer Identification) adds the `iss` parameter to the OAuth 2.0/OpenID Connect authentication response, so that a client can verify which authorization server issued the response it received. A client that works with several authorization servers can thereby detect mix-up attacks, in which a response from one server is delivered to the client as if it came from another.
In past releases, this parameter was not present; {project_name} now adds it by default, as the specification requires.
However, some OpenID Connect / OAuth2 adapters, especially older {project_name} adapters, may have issues with this new parameter.
For example, the parameter is always present in the browser URL after a successful authentication to the client application.
In these cases, it may be useful to disable adding the `iss` parameter to the authentication response. This can be done
for the particular client in the {project_name} Admin console, in client details in the section with `OpenID Connect Compatibility Modes`,
described in <<_compatibility_with_older_adapters>>. A dedicated `Exclude Issuer From Authentication Response` switch exists,
which can be turned on to prevent adding the `iss` parameter to the authentication response. A client that never sees `iss` also loses the mix-up protection it provides, so treat the switch as a workaround until the adapter is updated rather than as a permanent setting.
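The following is an added example of the client-side check that RFC 9207 expects an adapter to perform on the redirect back from the authorization server; it is not {project_name} or adapter code. The issuer URL, redirect URI, `state` and `code` values are constructed for illustration, and `issuer_supports_iss` stands in for the `authorization_response_iss_parameter_supported` flag of the server's discovery document.

```python
"""Client-side validation of the RFC 9207 ``iss`` parameter.

Added example, not Keycloak or adapter code. The issuer, redirect URI,
state and code values are constructed for illustration.
"""
from urllib.parse import parse_qs, urlparse


class AuthorizationResponseError(Exception):
    """The redirect back to the client must not be trusted."""


def _single(params, name):
    """Return the sole value of a query parameter, or None if absent.

    OAuth 2.0 forbids repeating a parameter; a duplicate is rejected
    rather than silently picking one copy.
    """
    values = params.get(name)
    if values is None:
        return None
    if len(values) != 1:
        raise AuthorizationResponseError(f"duplicate parameter: {name}")
    return values[0]


def validate_authorization_response(redirect_url, expected_issuer,
                                    expected_state, issuer_supports_iss=True):
    """Return the authorization code carried by ``redirect_url`` or raise.

    expected_issuer is the ``issuer`` value from the server's discovery
    document, e.g. ``https://sso.example.com/realms/demo`` (constructed).
    issuer_supports_iss mirrors the discovery flag
    ``authorization_response_iss_parameter_supported``: when the server
    advertises it, RFC 9207 requires the client to reject responses that
    lack ``iss``. An ``iss`` that is present is always compared.
    """
    params = parse_qs(urlparse(redirect_url).query, keep_blank_values=True)

    # state ties the response to a request this client actually made
    if _single(params, "state") != expected_state:
        raise AuthorizationResponseError("state mismatch")

    iss = _single(params, "iss")
    if iss is None:
        if issuer_supports_iss:
            raise AuthorizationResponseError("iss parameter missing")
    elif iss != expected_issuer:
        # exact string comparison, no normalization: a response produced by
        # a different (or lookalike) authorization server is rejected
        raise AuthorizationResponseError(f"unexpected issuer: {iss}")

    error = _single(params, "error")
    if error is not None:
        raise AuthorizationResponseError(f"authorization server error: {error}")

    code = _single(params, "code")
    if not code:
        raise AuthorizationResponseError("authorization code missing")
    return code


def response_is_trusted(redirect_url, expected_issuer, expected_state,
                        issuer_supports_iss=True):
    """Boolean wrapper around validate_authorization_response."""
    try:
        validate_authorization_response(redirect_url, expected_issuer,
                                        expected_state, issuer_supports_iss)
        return True
    except AuthorizationResponseError:
        return False


if __name__ == "__main__":
    ISSUER = "https://sso.example.com/realms/demo"  # constructed
    good = ("https://app.example.com/callback?code=SplxlOBeZQQYbYS6WxSbIA"
            "&state=af0ifjsldkj&iss=https%3A%2F%2Fsso.example.com%2Frealms%2Fdemo")
    mixup = ("https://app.example.com/callback?code=SplxlOBeZQQYbYS6WxSbIA"
             "&state=af0ifjsldkj&iss=https%3A%2F%2Fevil.example.net%2Frealms%2Fdemo")
    print(validate_authorization_response(good, ISSUER, "af0ifjsldkj"))
    print(response_is_trusted(mixup, ISSUER, "af0ifjsldkj"))  # False
```

The `issuer_supports_iss=False` path is what an adapter effectively runs against a client that has `Exclude Issuer From Authentication Response` turned on: a missing `iss` is tolerated, but an `iss` that does arrive is still compared.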
= Wildcard characters handling
JPA allows the wildcards `%` and `_` when searching, while other providers, such as LDAP, allow only `*`.
As `*` is the natural wildcard character in LDAP, it works in every position there, while with JPA it only
worked at the beginning and the end of the search string. Starting with this release, the only
wildcard character is `*`, and it works consistently across all providers in every position of the search
string. Characters that are special in a specific provider, such as `%` and `_` for JPA, are escaped, so a search for `50%` no longer matches every value that starts with `50`. For exact
search, with added quotes, for example `"w*ord"`, the behavior remains the same as in previous releases.
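The translation below is an added example that illustrates the documented rules for the JPA case; it is not {project_name}'s implementation. The backslash as LIKE escape character, and `legacy_translate` as an approximation of the pre-release JPA behavior (only a leading or trailing `*` treated as a wildcard, raw `%` and `_` passed through), are assumptions. `like_to_regex` stands in for the database so the example runs offline.

```python
"""Search-string to JPA LIKE translation with the wildcard rules described
above.

Added example illustrating the documented semantics; it is not Keycloak's
implementation. The backslash escape character and the approximation of
the earlier JPA behavior are assumptions.
"""
import re

ESCAPE = "\\"


def _unquote(search):
    """Return the text inside a fully quoted search string, else None."""
    if len(search) >= 2 and search[0] == '"' and search[-1] == '"':
        return search[1:-1]
    return None


def translate_search(search, escape=ESCAPE):
    """Return ("exact", text) or ("like", pattern) for a search string.

    ``"..."``  -> exact comparison; nothing inside is a wildcard.
    otherwise  -> ``*`` anywhere becomes ``%``; the provider's own
                  wildcards ``%`` and ``_`` (and the escape character)
                  are escaped so that they match themselves.
    """
    exact = _unquote(search)
    if exact is not None:
        return "exact", exact
    out = []
    for ch in search:
        if ch == "*":
            out.append("%")
        elif ch in ("%", "_", escape):
            out.append(escape + ch)
        else:
            out.append(ch)
    return "like", "".join(out)


def legacy_translate(search):
    """Assumed approximation of the earlier JPA behavior: only a leading or
    trailing ``*`` is a wildcard, and raw ``%``/``_`` reach the database
    unescaped. Quoted exact search is unchanged between the two."""
    exact = _unquote(search)
    if exact is not None:
        return "exact", exact
    pattern = search
    if pattern.startswith("*"):
        pattern = "%" + pattern[1:]
    if pattern.endswith("*"):
        pattern = pattern[:-1] + "%"
    return "like", pattern


def like_to_regex(pattern, escape=ESCAPE):
    """Compile a SQL LIKE pattern into an equivalent anchored regex."""
    parts = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == escape and i + 1 < len(pattern):
            parts.append(re.escape(pattern[i + 1]))  # escaped char, literal
            i += 2
            continue
        if ch == "%":
            parts.append(".*")
        elif ch == "_":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
        i += 1
    return re.compile("^" + "".join(parts) + "$", re.DOTALL)


def search_matches(search, value, translate=translate_search):
    """True if ``value`` would be returned for ``search``."""
    kind, text = translate(search)
    if kind == "exact":
        return value == text
    return like_to_regex(text).match(value) is not None


if __name__ == "__main__":
    users = ["john", "joan", "jo*n", "50%", "500", "a_b", "axb"]  # constructed
    for query in ["jo*n", '"jo*n"', "50%", "a_b", "*o*"]:
        new = [u for u in users if search_matches(query, u)]
        old = [u for u in users if search_matches(query, u, legacy_translate)]
        print(f"{query!r:10} new={new} old={old}")
```

Running the block shows the two behaviors side by side: `jo*n` now matches `john` and `joan`, while `50%` and `a_b` stop matching `500` and `axb`, because the provider wildcards in the user's input are escaped before the query reaches JPA.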
= Language files for themes default to UTF-8 encoding
This release now follows the standard mechanism of Java 9 and later, which assumes resource bundle files to be encoded in UTF-8.
Previous versions of Keycloak supported specifying the encoding in the first line with a comment like `# encoding: UTF-8`, which is no longer supported and is ignored.
Message properties files for themes are now read in UTF-8 encoding, with an automatic fallback to ISO-8859-1 encoding.
If you are using a different encoding, convert the files to UTF-8.
= Changes to the value format of claims mapped by the realm and client role mappers
Before this release, both realm (`User Realm Role`) and client (`User Client Role`) protocol mappers
mapped a stringified JSON array even when the `Multivalued` setting was disabled.
However, the `Multivalued` setting indicates whether the claim should be mapped as a list or, if disabled, as only a single value
taken from that same list of values.
In this release, the realm and client role mappers map to a single value from the effective roles of a user when
they are marked as single-valued (`Multivalued` disabled). A relying party that parsed the stringified array out of a single-valued claim itself now receives a plain string and must be adjusted accordingly.
= Changes to password fields in Login UI
This version introduces a toggle to hide and show password inputs.
.Affected pages:
- login.ftl
- login-password.ftl
- login-update-password.ftl
- register.ftl
- register-user-profile.ftl
All password inputs of the form `<input type="password" name="password" />` are now wrapped in a `div`. The input element is followed by a button that toggles the visibility of the password input. Custom themes that override the affected pages should adopt the new markup so the toggle works there as well.
Old code example:
[source,html]
----
<input type="password" id="password" name="password" autocomplete="current-password" style="display:none;"/>
----
New code example:
[source,html]
----
<div class="${properties.kcInputGroup!}">
    <input type="password" id="password" name="password" autocomplete="current-password" style="display:none;"/>
    <button class="pf-c-button pf-m-control" type="button" aria-label="${msg('showPassword')}"
            aria-controls="password" data-password-toggle
            data-label-show="${msg('showPassword')}" data-label-hide="${msg('hidePassword')}">
        <i class="fa fa-eye" aria-hidden="true"></i>
    </button>
</div>
----
= Default Keycloak CR Hostname
When running on OpenShift, with ingress enabled, and with `spec.ingress.className` set to `openshift-default`, you may leave `spec.hostname.hostname` unpopulated in the Keycloak CR.
The operator then assigns a default hostname to the stored version of the CR, similar to what an OpenShift Route without an explicit host would receive, that is `ingress-namespace.appsDomain` (the ingress name and namespace under the cluster's application domain).
If the appsDomain changes, or should you need a different hostname for any reason, update the Keycloak CR.
= The deprecated `auto-build` CLI option was removed
The `auto-build` CLI option had been marked as deprecated for a long time.
In this release, it was completely removed and is no longer supported.
When executing the `start` command, the server is automatically built based on the configuration.
To prevent this behavior, pass the `--optimized` flag to `start`, which assumes that the server was already built with the `build` command.