keycloak-scim/docs/documentation/release_notes/topics/25_0_0.adoc

= Argon2 password hashing

Argon2 is now the default password hashing algorithm used by {project_name}

Argon2 was the winner of the [2015 password hashing competition](https://en.wikipedia.org/wiki/Password_Hashing_Competition)
and is the recommended hashing algorithm by [OWASP](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#argon2id).

In {project_name} 24 the default hashing iterations for PBKDF2 were increased from 27.5K to 210K, resulting in a more than
10 times increase in the amount of CPU time required to generate a password hash. With Argon2 it is possible to achieve
better security, with almost the same CPU time as previous releases of {project_name}. One downside is Argon2 requires more
memory, which is a requirement to be resistant against GPU attacks. The defaults for Argon2 in {project_name} requires 7MB
per-hashing request.

= Deprecated cookie methods removed

The following methods for setting custom cookies have been removed:

* `LocaleSelectorProvider.KEYCLOAK_LOCALE` - replaced by `CookieType.LOCALE`
* `HttpCookie` - replaced by `NewCookie.Builder`
* `HttpResponse.setCookieIfAbsent(HttpCookie cookie)` - replaced by `HttpResponse.setCookieIfAbsent(NewCookie cookie)`

= Password policy for check if password contains Username

Keycloak supports a new password policy that allows you to deny user passwords which contains the user username.

= Searching by user attribute no longer case insensitive

When searching for users by user attribute, {project_name} no longer searches for user attribute names forcing lower case comparisons. The goal of this change was to speed up searches by using {project_name}'s native index on the user attribute table. If your database collation is case-insensitive, your search results will stay the same. If your database collation is case-sensitive, you might see less search results than before.
Use Argon2 as default password hashing algorithm (#28162) Closes #28161 Signed-off-by: stianst <stianst@gmail.com> 2024-03-22 13:04:14 +00:00			`= Argon2 password hashing`

			`Argon2 is now the default password hashing algorithm used by {project_name}`
Argon2 password hashing provider (#28031) Closes #28030 Signed-off-by: stianst <stianst@gmail.com> 2024-03-22 06:08:09 +00:00
			`Argon2 was the winner of the [2015 password hashing competition](https://en.wikipedia.org/wiki/Password_Hashing_Competition)`
			`and is the recommended hashing algorithm by [OWASP](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#argon2id).`

			`In {project_name} 24 the default hashing iterations for PBKDF2 were increased from 27.5K to 210K, resulting in a more than`
			`10 times increase in the amount of CPU time required to generate a password hash. With Argon2 it is possible to achieve`
			`better security, with almost the same CPU time as previous releases of {project_name}. One downside is Argon2 requires more`
Use Argon2 as default password hashing algorithm (#28162) Closes #28161 Signed-off-by: stianst <stianst@gmail.com> 2024-03-22 13:04:14 +00:00			`memory, which is a requirement to be resistant against GPU attacks. The defaults for Argon2 in {project_name} requires 7MB`
Argon2 password hashing provider (#28031) Closes #28030 Signed-off-by: stianst <stianst@gmail.com> 2024-03-22 06:08:09 +00:00			`per-hashing request.`

Remove deprecated cookie code Closes #26813 Signed-off-by: stianst <stianst@gmail.com> 2024-03-12 07:36:06 +00:00			`= Deprecated cookie methods removed`

			`The following methods for setting custom cookies have been removed:`

			* `LocaleSelectorProvider.KEYCLOAK_LOCALE` - replaced by `CookieType.LOCALE`
			* `HttpCookie` - replaced by `NewCookie.Builder`
12671 querying by user attribute no longer forces case insensitivity for keys Signed-off-by: Sebastian Schuster <sebastian.schuster@bosch.io> 2024-03-13 16:42:01 +00:00			* `HttpResponse.setCookieIfAbsent(HttpCookie cookie)` - replaced by `HttpResponse.setCookieIfAbsent(NewCookie cookie)`

Password policy for not having username in the password closes #27643 Signed-off-by: Gilvan Filho <gfilho@redhat.com> 2024-03-07 17:26:14 +00:00			`= Password policy for check if password contains Username`

			`Keycloak supports a new password policy that allows you to deny user passwords which contains the user username.`

12671 querying by user attribute no longer forces case insensitivity for keys Signed-off-by: Sebastian Schuster <sebastian.schuster@bosch.io> 2024-03-13 16:42:01 +00:00			`= Searching by user attribute no longer case insensitive`

Use Argon2 as default password hashing algorithm (#28162) Closes #28161 Signed-off-by: stianst <stianst@gmail.com> 2024-03-22 13:04:14 +00:00			`When searching for users by user attribute, {project_name} no longer searches for user attribute names forcing lower case comparisons. The goal of this change was to speed up searches by using {project_name}'s native index on the user attribute table. If your database collation is case-insensitive, your search results will stay the same. If your database collation is case-sensitive, you might see less search results than before.`