keycloak-scim/docs/documentation/upgrading/topics/changes/changes-24_0_3.adoc

ifeval::[{project_community}==true]
= Changes to the `org.keycloak.userprofile.UserProfileDecorator` interface

To properly support multiple user storage providers within a realm, the `org.keycloak.userprofile.UserProfileDecorator`
interface has changed.

The `decorateUserProfile` method is no longer invoked when parsing the user profile configuration for the first time (and caching it),
but every time a user is being managed through the user profile provider. As a result, the method changed its contract to:

```java
List<AttributeMetadata> decorateUserProfile(String providerId, UserProfileMetadata metadata)
```

Differently than the previous contract and behavior, this method is only invoked for the user storage provider from where the user
was loaded from.

endif::[]
= Changes in redirect URI verification when using wildcards

Because of security concerns, the redirect URI verification now performs a exact string matching (no wildcard involved) if the passed redirect uri contains a `userinfo` part or its `path` accesses parent directory (`/../`).

The full wildcard `*` can still be used as a valid redirect in development for http(s) URIs with those characteristics. In production environments a exact valid redirect URI without wildcard needs to be configured for any URI of that type.

Please note that wildcard valid redirect URIs are not recommended for production and not covered by the OAuth 2.0 specification.

= Deprecated Account REST endpoint for removing credential

The Account REST endpoint for removing the credential of the user is deprecated. Starting at this version, the Account Console no longer uses this endpoint. It is replaced by the `Delete Credential` application-initiated
action, which is triggered by the Account Console when a user want to remove the credential of a user.
Make sure attribute metadata from user storage providers are added only for the provider associated with a federated user Closes #28248 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com> 2024-04-04 23:11:33 +00:00			`ifeval::[{project_community}==true]`
			= Changes to the `org.keycloak.userprofile.UserProfileDecorator` interface

			To properly support multiple user storage providers within a realm, the `org.keycloak.userprofile.UserProfileDecorator`
			`interface has changed.`

			The `decorateUserProfile` method is no longer invoked when parsing the user profile configuration for the first time (and caching it),
Fix typos found by codespell in docs (#28890) Run `chmod -x` on files that need not be executable. Signed-off-by: Dimitri Papadopoulos <3234522+DimitriPapadopoulos@users.noreply.github.com> Signed-off-by: Alexander Schwartz <aschwart@redhat.com> Co-authored-by: Alexander Schwartz <aschwart@redhat.com> 2024-05-03 12:41:16 +00:00			`but every time a user is being managed through the user profile provider. As a result, the method changed its contract to:`
Make sure attribute metadata from user storage providers are added only for the provider associated with a federated user Closes #28248 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com> 2024-04-04 23:11:33 +00:00
			```java
			`List<AttributeMetadata> decorateUserProfile(String providerId, UserProfileMetadata metadata)`
			```

			`Differently than the previous contract and behavior, this method is only invoked for the user storage provider from where the user`
			`was loaded from.`

			`endif::[]`
Perform exact string match if redirect URI contains userinfo, encoded slashes or parent access (#131) (#28872) Closes keycloak/keycloak-private#113 Closes keycloak/keycloak-private#134 Signed-off-by: rmartinc <rmartinc@redhat.com> Co-authored-by: Stian Thorgersen <stianst@gmail.com> 2024-04-18 14:02:24 +00:00			`= Changes in redirect URI verification when using wildcards`

			Because of security concerns, the redirect URI verification now performs a exact string matching (no wildcard involved) if the passed redirect uri contains a `userinfo` part or its `path` accesses parent directory (`/../`).

			The full wildcard `*` can still be used as a valid redirect in development for http(s) URIs with those characteristics. In production environments a exact valid redirect URI without wildcard needs to be configured for any URI of that type.

			`Please note that wildcard valid redirect URIs are not recommended for production and not covered by the OAuth 2.0 specification.`
Documentation for Delete Credential action and related changes (#31719) closes #31718 Signed-off-by: mposolda <mposolda@gmail.com> Signed-off-by: Marek Posolda <mposolda@gmail.com> Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com> 2024-07-30 08:05:14 +00:00
			`= Deprecated Account REST endpoint for removing credential`

			The Account REST endpoint for removing the credential of the user is deprecated. Starting at this version, the Account Console no longer uses this endpoint. It is replaced by the `Delete Credential` application-initiated
			`action, which is triggered by the Account Console when a user want to remove the credential of a user.`