2024-03-22 13:04:14 +00:00
= Argon2 password hashing
Argon2 is now the default password hashing algorithm used by {project_name}
2024-03-22 06:08:09 +00:00
Argon2 was the winner of the [2015 password hashing competition](https://en.wikipedia.org/wiki/Password_Hashing_Competition)
and is the recommended hashing algorithm by [OWASP](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#argon2id).
In {project_name} 24 the default hashing iterations for PBKDF2 were increased from 27.5K to 210K, resulting in a more than
10 times increase in the amount of CPU time required to generate a password hash. With Argon2 it is possible to achieve
better security, with almost the same CPU time as previous releases of {project_name}. One downside is Argon2 requires more
2024-03-22 13:04:14 +00:00
memory, which is a requirement to be resistant against GPU attacks. The defaults for Argon2 in {project_name} requires 7MB
2024-03-22 06:08:09 +00:00
per-hashing request.
2024-04-09 10:29:19 +00:00
= SameSite attribute set for all cookies
The following cookies did not use to set the `SameSite` attribute, which in recent browser versions results in them
defaulting to `SameSite=Lax`:
* `KC_STATE_CHECKER` now sets `SameSite=Strict`
* `KC_RESTART` now sets `SameSite=None`
* `KC_AUTH_STATE` now sets `SameSite=Strict`
* `KEYCLOAK_LOCALE` now sets `SameSite=None`
* `KEYCLOAK_REMEMBER_ME` now sets `SameSite=None`
The default value `SameSite=Lax` causes issues with POST based bindings, mostly applicable to SAML, but also used in
some OpenID Connect / OAuth 2.0 flows.
2024-03-12 07:36:06 +00:00
= Deprecated cookie methods removed
The following methods for setting custom cookies have been removed:
* `LocaleSelectorProvider.KEYCLOAK_LOCALE` - replaced by `CookieType.LOCALE`
* `HttpCookie` - replaced by `NewCookie.Builder`
2024-03-13 16:42:01 +00:00
* `HttpResponse.setCookieIfAbsent(HttpCookie cookie)` - replaced by `HttpResponse.setCookieIfAbsent(NewCookie cookie)`
2024-03-07 17:26:14 +00:00
= Password policy for check if password contains Username
Keycloak supports a new password policy that allows you to deny user passwords which contains the user username.
2024-03-13 16:42:01 +00:00
= Searching by user attribute no longer case insensitive
2024-03-22 13:04:14 +00:00
When searching for users by user attribute, {project_name} no longer searches for user attribute names forcing lower case comparisons. The goal of this change was to speed up searches by using {project_name}'s native index on the user attribute table. If your database collation is case-insensitive, your search results will stay the same. If your database collation is case-sensitive, you might see less search results than before.
2024-03-12 12:25:21 +00:00
= Breaking fix in authorization client library
For users of the `keycloak-authz-client` library, calling `AuthorizationResource.getPermissions(...)` now correctly returns a `List<Permission>`.
Previously, it would return a `List<Map>` at runtime, even though the method declaration advertised `List<Permission>`.
2024-04-03 20:23:29 +00:00
This fix will break code that relied on casting the List or its contents to `List<Map>`. If you have used this method in any capacity, you are likely to have done this and be affected.
= IDs are no longer set when exporting authorization settings for a client
When exporting the authorization settings for a client, the IDs for resources, scopes, and policies are no longer set. As a
result, you can now import the settings from a client to another client.
2024-04-08 15:38:20 +00:00
= Syslog for remote logging
{project_name} now supports https://en.wikipedia.org/wiki/Syslog[Syslog] protocol for remote logging.
It utilizes the protocol defined in https://datatracker.ietf.org/doc/html/rfc5424[RFC 5424].
By default, the syslog handler is disabled, but when enabled, it sends all log events to a remote syslog server.
For more information, see the https://www.keycloak.org/server/logging[Configuring logging] guide.
