keycloak-scim/upgrading/topics/rhsso/changes-72.adoc

== RH-SSO 7.2

The following changes have occurred from RH-SSO 7.1 to RH-SSO 7.2.

=== New Password Hashing algorithms

We have added two new password hashing algorithms (pbkdf2-sha256 and pbkdf2-sha512). New realms will use the pbkdf2-sha256
hashing algorithm with 27500 hashing iterations. Since pbkdf2-sha256 is slightly faster than pbkdf2 the iterations was
increased to 27500 from 20000.

Existing realms are upgraded if the password policy contains the default value for the hashing algorithm (not specified) and
iteration (20000). If you have changed the hashing iterations, you need to manually change to pbkdf2-sha256 if you'd like
to use the more secure hashing algorithm.

=== ID Token requires scope=openid

In RH-SSO 7.0, the ID Token was returned regardless if `scope=openid` query parameter was present or not in authorization
request. This is incorrect according to the OpenID Connect specification.

In RH-SSO 7.1, we added this query parameter to adapters, but left the old behavior to accommodate migration.

In RH-SSO 7.2, this behavior has changed and the `scope=openid` query parameter is now required to mark the request as an
OpenID Connect request. If this query parameter is omitted the ID Token will not be generated.

=== Microsoft SQL Server requires extra dependency

Microsoft JDBC Driver 6.0 requires additional dependency added to the JDBC driver module. If you observe an
`NoClassDefFoundError` error when using Microsoft SQL Server please add the following dependency to your JDBC driver
`module.xml` file:

[source,xml]
----
<module name="javax.xml.bind.api"/>
----

=== Added session_state parameter to OpenID Connect Authentication Response

The OpenID Connect Session Management specification requires that the parameter `session_state` is present in the OpenID Connect Authentication Response.

In RH-SSO 7.1, we did not have this parameter, but now {project_name} adds this parameter by default, as required by the specification.

However, some OpenID Connect / OAuth2 adapters, and especially older {project_name} adapters (such as RH-SSO 7.1 and older), may have issues with this new parameter.

For example, the parameter will be always present in the browser URL after successful authentication to the client application.
If you use RH-SSO 7.1 or a legacy OAuth2 / OpenID Connect adapter, it may be useful to disable adding the `session_state` parameter to the authentication response.
This can be done for the particular client in the {project_name} admin console, in client details in the section with `OpenID Connect Compatibility Modes`,
described in <<_compatibility_with_older_adapters>>. There is the `Exclude Session State From Authentication Response` switch,
which can be turned on to prevent adding the `session_state` parameter to the Authentication Response.
KEYCLOAK-5846 2017-12-04 12:11:34 +00:00			`== RH-SSO 7.2`

			`The following changes have occurred from RH-SSO 7.1 to RH-SSO 7.2.`

			`=== New Password Hashing algorithms`

			`We have added two new password hashing algorithms (pbkdf2-sha256 and pbkdf2-sha512). New realms will use the pbkdf2-sha256`
			`hashing algorithm with 27500 hashing iterations. Since pbkdf2-sha256 is slightly faster than pbkdf2 the iterations was`
			`increased to 27500 from 20000.`

			`Existing realms are upgraded if the password policy contains the default value for the hashing algorithm (not specified) and`
			`iteration (20000). If you have changed the hashing iterations, you need to manually change to pbkdf2-sha256 if you'd like`
			`to use the more secure hashing algorithm.`

			`=== ID Token requires scope=openid`

			In RH-SSO 7.0, the ID Token was returned regardless if `scope=openid` query parameter was present or not in authorization
			`request. This is incorrect according to the OpenID Connect specification.`

			`In RH-SSO 7.1, we added this query parameter to adapters, but left the old behavior to accommodate migration.`

			In RH-SSO 7.2, this behavior has changed and the `scope=openid` query parameter is now required to mark the request as an
			`OpenID Connect request. If this query parameter is omitted the ID Token will not be generated.`

			`=== Microsoft SQL Server requires extra dependency`

			`Microsoft JDBC Driver 6.0 requires additional dependency added to the JDBC driver module. If you observe an`
			`NoClassDefFoundError` error when using Microsoft SQL Server please add the following dependency to your JDBC driver
			`module.xml` file:

			`[source,xml]`
			`----`
			`<module name="javax.xml.bind.api"/>`
KEYCLOAK-6286 Added docs for OIDC Compatibility Modes to the Upgrade guide 2018-01-22 09:57:03 +00:00			`----`

			`=== Added session_state parameter to OpenID Connect Authentication Response`

			The OpenID Connect Session Management specification requires that the parameter `session_state` is present in the OpenID Connect Authentication Response.

			`In RH-SSO 7.1, we did not have this parameter, but now {project_name} adds this parameter by default, as required by the specification.`

			`However, some OpenID Connect / OAuth2 adapters, and especially older {project_name} adapters (such as RH-SSO 7.1 and older), may have issues with this new parameter.`

			`For example, the parameter will be always present in the browser URL after successful authentication to the client application.`
			If you use RH-SSO 7.1 or a legacy OAuth2 / OpenID Connect adapter, it may be useful to disable adding the `session_state` parameter to the authentication response.
			This can be done for the particular client in the {project_name} admin console, in client details in the section with `OpenID Connect Compatibility Modes`,
			described in <<_compatibility_with_older_adapters>>. There is the `Exclude Session State From Authentication Response` switch,
			which can be turned on to prevent adding the `session_state` parameter to the Authentication Response.