keycloak-scim/docs/documentation/upgrading/topics/changes/changes-25_0_0.adoc

= Metrics for embedded caches enabled by default

Metrics for the embedded caches are now enabled by default.
To enable histograms for latencies, set the option `cache-metrics-histograms-enabled` to `true`.

= Nonce claim is only added to the ID token

The nonce claim is now only added to the ID token strictly following the OpenID Connect Core 1.0 specification. As indicated in the specification, the claim is compulsory inside the https://openid.net/specs/openid-connect-core-1_0.html#IDToken[ID token] when the same parameter was sent in the authorization request. The specification also recommends to not add the `nonce` after a https://openid.net/specs/openid-connect-core-1_0.html#RefreshTokenResponse[refresh request]. Previously, the claim was set to all the tokens (Access, Refresh and ID) in all the responses (refresh included).

A new `Nonce backwards compatible` mapper is also included in the software that can be assigned to client scopes to revert to the old behavior. For example, the JS adapter checked the returned `nonce` claim in all the tokens before fixing issue https://github.com/keycloak/keycloak/issues/26651[#26651] in version 24.0.0. Therefore, if an old version of the JS adapter is used, the mapper should be added to the required clients by using client scopes.

= Limiting memory usage when consuming HTTP responses

In some scenarios like brokering Keycloak uses HTTP to talk to external servers.
To avoid a denial of service when those providers send too much data, {project_name} now restricts responses to 10 MB by default.

Users can configure this limit by setting the provider configuration option `spi-connections-http-client-default-max-consumed-response-size`:

.Restricting the consumed responses to 1 MB
[source,bash]
----
bin/kc.[sh|bat] --spi-connections-http-client-default-max-consumed-response-size=1000000
----


= Removed a model module

The module `org.keycloak:keycloak-model-legacy` module was deprecated in a previous release and is removed in this release. Use the `org.keycloak:keycloak-model-storage` module instead.

= Removed offline session preloading

The old behavior to preload offline sessions at startup is now removed after it has been deprecated in the previous release.

= Removing custom user attribute indexes

When searching for users by user attribute, Keycloak no longer searches for user attribute names forcing lower case comparisons. This means Keycloak's native index on the user attribute table will now be used when searching. If you have created your own index based on `lower(name)`to speed up searches, you can now remove it.
Enable Infinispan metrics automatically if overall metrics are enabled Closes #27724 Signed-off-by: Alexander Schwartz <aschwart@redhat.com> 2024-03-08 15:09:07 +00:00			`= Metrics for embedded caches enabled by default`

			`Metrics for the embedded caches are now enabled by default.`
			To enable histograms for latencies, set the option `cache-metrics-histograms-enabled` to `true`.

Only add the nonce claim to the ID Token (mapper for backwards compatibility) Closes #26893 Signed-off-by: rmartinc <rmartinc@redhat.com> 2024-02-17 18:35:39 +00:00			`= Nonce claim is only added to the ID token`

			The nonce claim is now only added to the ID token strictly following the OpenID Connect Core 1.0 specification. As indicated in the specification, the claim is compulsory inside the https://openid.net/specs/openid-connect-core-1_0.html#IDToken[ID token] when the same parameter was sent in the authorization request. The specification also recommends to not add the `nonce` after a https://openid.net/specs/openid-connect-core-1_0.html#RefreshTokenResponse[refresh request]. Previously, the claim was set to all the tokens (Access, Refresh and ID) in all the responses (refresh included).

			A new `Nonce backwards compatible` mapper is also included in the software that can be assigned to client scopes to revert to the old behavior. For example, the JS adapter checked the returned `nonce` claim in all the tokens before fixing issue https://github.com/keycloak/keycloak/issues/26651[#26651] in version 24.0.0. Therefore, if an old version of the JS adapter is used, the mapper should be added to the required clients by using client scopes.
Map Storage Removal: Remove deprecated model/legacy module (#27601) Closes #26657 Signed-off-by: Alexander Schwartz <aschwart@redhat.com> 2024-03-08 15:17:24 +00:00
Limit the received content when handling the content as a String Closes #27293 Co-authored-by: rmartinc <rmartinc@redhat.com> Signed-off-by: rmartinc <rmartinc@redhat.com> Signed-off-by: Alexander Schwartz <aschwart@redhat.com> 2024-03-07 11:00:45 +00:00			`= Limiting memory usage when consuming HTTP responses`

			`In some scenarios like brokering Keycloak uses HTTP to talk to external servers.`
			`To avoid a denial of service when those providers send too much data, {project_name} now restricts responses to 10 MB by default.`

			Users can configure this limit by setting the provider configuration option `spi-connections-http-client-default-max-consumed-response-size`:

			`.Restricting the consumed responses to 1 MB`
			`[source,bash]`
			`----`
			`bin/kc.[sh\|bat] --spi-connections-http-client-default-max-consumed-response-size=1000000`
			`----`


Map Storage Removal: Remove deprecated model/legacy module (#27601) Closes #26657 Signed-off-by: Alexander Schwartz <aschwart@redhat.com> 2024-03-08 15:17:24 +00:00			`= Removed a model module`

			The module `org.keycloak:keycloak-model-legacy` module was deprecated in a previous release and is removed in this release. Use the `org.keycloak:keycloak-model-storage` module instead.
Remove offline session preloading Closes #27602 Signed-off-by: Alexander Schwartz <aschwart@redhat.com> 2024-03-06 13:57:44 +00:00
			`= Removed offline session preloading`

			`The old behavior to preload offline sessions at startup is now removed after it has been deprecated in the previous release.`
12671 querying by user attribute no longer forces case insensitivity for keys Signed-off-by: Sebastian Schuster <sebastian.schuster@bosch.io> 2024-03-13 16:42:01 +00:00
			`= Removing custom user attribute indexes`

			When searching for users by user attribute, Keycloak no longer searches for user attribute names forcing lower case comparisons. This means Keycloak's native index on the user attribute table will now be used when searching. If you have created your own index based on `lower(name)`to speed up searches, you can now remove it.