keycloak-scim/docs/documentation/release_notes/topics/25_0_0.adoc

74 lines
4.3 KiB
Text
Raw Normal View History

= Argon2 password hashing
Argon2 is now the default password hashing algorithm used by {project_name}
Argon2 was the winner of the [2015 password hashing competition](https://en.wikipedia.org/wiki/Password_Hashing_Competition)
and is the recommended hashing algorithm by [OWASP](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#argon2id).
In {project_name} 24 the default hashing iterations for PBKDF2 were increased from 27.5K to 210K, resulting in a more than
10 times increase in the amount of CPU time required to generate a password hash. With Argon2 it is possible to achieve
better security, with almost the same CPU time as previous releases of {project_name}. One downside is Argon2 requires more
memory, which is a requirement to be resistant against GPU attacks. The defaults for Argon2 in {project_name} requires 7MB
per-hashing request.
= SameSite attribute set for all cookies
The following cookies did not use to set the `SameSite` attribute, which in recent browser versions results in them
defaulting to `SameSite=Lax`:
* `KC_STATE_CHECKER` now sets `SameSite=Strict`
* `KC_RESTART` now sets `SameSite=None`
* `KC_AUTH_STATE` now sets `SameSite=Strict`
* `KEYCLOAK_LOCALE` now sets `SameSite=None`
* `KEYCLOAK_REMEMBER_ME` now sets `SameSite=None`
The default value `SameSite=Lax` causes issues with POST based bindings, mostly applicable to SAML, but also used in
some OpenID Connect / OAuth 2.0 flows.
= Deprecated cookie methods removed
The following methods for setting custom cookies have been removed:
* `LocaleSelectorProvider.KEYCLOAK_LOCALE` - replaced by `CookieType.LOCALE`
* `HttpCookie` - replaced by `NewCookie.Builder`
* `HttpResponse.setCookieIfAbsent(HttpCookie cookie)` - replaced by `HttpResponse.setCookieIfAbsent(NewCookie cookie)`
= Password policy for check if password contains Username
Keycloak supports a new password policy that allows you to deny user passwords which contains the user username.
= Searching by user attribute no longer case insensitive
When searching for users by user attribute, {project_name} no longer searches for user attribute names forcing lower case comparisons. The goal of this change was to speed up searches by using {project_name}'s native index on the user attribute table. If your database collation is case-insensitive, your search results will stay the same. If your database collation is case-sensitive, you might see less search results than before.
= Breaking fix in authorization client library
For users of the `keycloak-authz-client` library, calling `AuthorizationResource.getPermissions(...)` now correctly returns a `List<Permission>`.
Previously, it would return a `List<Map>` at runtime, even though the method declaration advertised `List<Permission>`.
This fix will break code that relied on casting the List or its contents to `List<Map>`. If you have used this method in any capacity, you are likely to have done this and be affected.
= IDs are no longer set when exporting authorization settings for a client
When exporting the authorization settings for a client, the IDs for resources, scopes, and policies are no longer set. As a
result, you can now import the settings from a client to another client.
= Management port for metrics and health endpoints
Metrics and health checks endpoints are no longer accessible through the standard {project_name} server port.
As these endpoints should be hidden from the outside world, they can be accessed on a separate default management port `9000`.
It allows to not expose it to the users as standard Keycloak endpoints in Kubernetes environments.
The new management interface provides a new set of options and is fully configurable.
{project_name} Operator assumes the management interface is turned on by default.
For more details, see https://www.keycloak.org/server/management-interface[Configuring the Management Interface].
= Syslog for remote logging
{project_name} now supports https://en.wikipedia.org/wiki/Syslog[Syslog] protocol for remote logging.
It utilizes the protocol defined in https://datatracker.ietf.org/doc/html/rfc5424[RFC 5424].
By default, the syslog handler is disabled, but when enabled, it sends all log events to a remote syslog server.
For more information, see the https://www.keycloak.org/server/logging[Configuring logging] guide.