keycloak-scim/docs/documentation/upgrading/topics/changes/changes-26_0_0.adoc

= Infinispan marshalling changes

Marshalling is the process of converting Java objects into bytes to send them across the network between {project_name} servers.
With {project_name} 26, the marshalling library has changed from JBoss Marshalling to Infinispan Protostream.
The libraries are not compatible between each other and, it requires some steps to ensure the session data is not lost.

WARNING: JBoss Marshalling and Infinispan Protostream are not compatible with each other and incorrect usage may lead to data loss.
Consequently, all caches are cleared when upgrading to this version.

To prevent losing user sessions upgrade to Keycloak 25 first and enable the persistent sessions feature as outlined in the migration guide for {project_name} 25.

= Operator no longer defaults to proxy=passthrough

The Operator will no longer default to the hostname v1 setting of proxy=passthrough. This allows deployments using hostname v2 for a fixed edge hostname to work as desired without additional options.

= New method in `ClusterProvider` API

The following method was added to `org.keycloak.cluster.ClusterProvider`:

* `void notify(String taskKey, Collection<? extends ClusterEvent> events, boolean ignoreSender, DCNotify dcNotify)`

When multiple events are sent to the same `taskKey`, this method batches events and just perform a single network call.
This is an optimization to reduce traffic and network related resources.

In {project_name} 26, the new method has a default implementation to keep backward compatibility with custom implementation.
The default implementation performs a single network call per an event, and it will be removed in a future version of {project_name}.

= Group-related events no longer fired when removing a realm

With the goal of improving the scalability of groups, they are now removed directly from the database when removing a realm.
As a consequence, group-related events like the `GroupRemovedEvent` are no longer fired when removing a realm.

If you have extensions handling any group-related event when a realm is removed, make sure to use the `RealmRemovedEvent` instead
to perform any cleanup or custom processing when a realm, and their groups, are removed.

The `GroupProvider` interface is also updated with a new `preRemove(RealmModel)` method to force implementations to properly
handle the removal of groups when a realm is removed.

= Operator scheduling defaults

Keycloak Pods will now have default affinities to prevent multiple instances from the same CR from being deployed on the same node, and all Pods from the same CR will prefer to be in the same zone to prevent stretch cache clusters.

= Operator's default CPU and memory limits/requests

In order to follow the best practices, the default CPU and memory limits/requests for the Operator were introduced. It affects both non-OLM and OLM installs. To override the default values for the OLM install, edit the `resources` section in the operator's https://github.com/operator-framework/operator-lifecycle-manager/blob/master/doc/design/subscription-config.md#resources[subscription].

= Deprecations in `keycloak-common` module

The following items have been deprecated for removal in upcoming {project_name} versions with no replacement:

- `org.keycloak.common.util.reflections.Reflections.newInstance(java.lang.Class<T>)`
- `org.keycloak.common.util.reflections.Reflections.newInstance(java.lang.Class<?>, java.lang.String)`
- `org.keycloak.common.util.reflections.SetAccessiblePrivilegedAction`
- `org.keycloak.common.util.reflections.UnSetAccessiblePrivilegedAction`

= Consistent usage of UTF-8 charset for URL encoding

`org.keycloak.common.util.Encode` now always uses the `UTF-8` charset for URL encoding instead relying implicitly on the `file.encoding` system property.

= Configuring the LDAP Connection Pool

In this release, the LDAP connection pool configuration relies solely on system properties. The main
reason is that the LDAP connection pool configuration is a JVM-level configuration rather than specific to an individual
realm or LDAP provider instance.

Compared to previous releases, any realm configuration related to the LDAP connection pool will be ignored.
If you are migrating from previous versions where any of the following settings are set to your LDAP provider(s), consider using system properties instead:

* `connectionPoolingAuthentication`
* `connectionPoolingInitSize`
* `connectionPoolingMaxSize`
* `connectionPoolingPrefSize`
* `connectionPoolingTimeout`
* `connectionPoolingProtocol`
* `connectionPoolingDebug`

For more details, see link:{adminguide_link}#_ldap_connection_pool[Configuring the connection pool].

= Custom Footer in Login Theme

This release introduced the capability to easily add a custom footer to the login pages for the `base/login` and `keycloak.v2/login` theme.
In order to use a custom footer, create a `footer.ftl` file in your custom login theme with the desired content.

For more details, see link:{developerguide_link}#_theme_custom_footer[Adding a custom footer to a login theme].

= Persisting revoked access tokens across restarts

In this release, revoked access tokens are written to the database and reloaded when the cluster is restarted by default when using the embedded caches.

To disable this behavior, use the SPI option `spi-single-use-object-infinispan-persist-revoked-tokens` as outlined in the https://www.keycloak.org/server/all-provider-config[All provider configuration] {section}.

The SPI behavior of `SingleUseObjectProvider` has changed that for revoked tokens only the methods `put` and `contains` must be used.
This is enforced by default, and can be disabled using the SPI option `spi-single-use-object-infinispan-persist-revoked-tokens`.

= Admin Bootstrapping and Recovery

It used to be difficult to regain access to a {project_name} instance when all admin users were locked out. The process required multiple advanced steps, including direct database access and manual changes. In an effort to improve the user experience, {project_name} now provides multiple ways to bootstrap a new admin account, which can be used to recover from such situations.

Consequently, the environment variables `KEYCLOAK_ADMIN` and `KEYCLOAK_ADMIN_PASSWORD` have been deprecated. You should use `KC_BOOTSTRAP_ADMIN_USERNAME` and `KC_BOOTSTRAP_ADMIN_PASSWORD` instead. These are also general options, so they may be specified via the cli or other config sources, for example `--bootstrap-admin-username=admin`. For more information, see the new https://www.keycloak.org/server/bootstrap-admin-recovery[Bootstrap admin and recovery] guide.
Infinispan Protostream Marshaller (#29474) Closes #29394 Signed-off-by: Pedro Ruivo <pruivo@redhat.com> Co-authored-by: Alexander Schwartz <aschwart@redhat.com> 2024-06-13 16:02:46 +00:00			`= Infinispan marshalling changes`

			`Marshalling is the process of converting Java objects into bytes to send them across the network between {project_name} servers.`
			`With {project_name} 26, the marshalling library has changed from JBoss Marshalling to Infinispan Protostream.`
			`The libraries are not compatible between each other and, it requires some steps to ensure the session data is not lost.`

			`WARNING: JBoss Marshalling and Infinispan Protostream are not compatible with each other and incorrect usage may lead to data loss.`
			`Consequently, all caches are cleared when upgrading to this version.`

			`To prevent losing user sessions upgrade to Keycloak 25 first and enable the persistent sessions feature as outlined in the migration guide for {project_name} 25.`
Batch cluster events Sending multiple events in a single network request should minimize latency and traffic. Closes #30445 Signed-off-by: Pedro Ruivo <pruivo@redhat.com> 2024-06-14 13:37:55 +00:00
fix: removes the operator's usage of the v1 proxy option closes: #30945 Signed-off-by: Steve Hawkins <shawkins@redhat.com> 2024-07-03 18:18:16 +00:00			`= Operator no longer defaults to proxy=passthrough`

			`The Operator will no longer default to the hostname v1 setting of proxy=passthrough. This allows deployments using hostname v2 for a fixed edge hostname to work as desired without additional options.`

Batch cluster events Sending multiple events in a single network request should minimize latency and traffic. Closes #30445 Signed-off-by: Pedro Ruivo <pruivo@redhat.com> 2024-06-14 13:37:55 +00:00			= New method in `ClusterProvider` API

			The following method was added to `org.keycloak.cluster.ClusterProvider`:

			* `void notify(String taskKey, Collection<? extends ClusterEvent> events, boolean ignoreSender, DCNotify dcNotify)`

			When multiple events are sent to the same `taskKey`, this method batches events and just perform a single network call.
			`This is an optimization to reduce traffic and network related resources.`

			`In {project_name} 26, the new method has a default implementation to keep backward compatibility with custom implementation.`
			`The default implementation performs a single network call per an event, and it will be removed in a future version of {project_name}.`
Add default CPU limit/request for the operator (#30601) Closes: #27432 Signed-off-by: Peter Zaoral <pzaoral@redhat.com> 2024-07-01 13:12:43 +00:00
Update migration and upgrade guides about GroupRemovedEvent no longer fired when removing a realm Closes #30919 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com> 2024-06-28 13:54:55 +00:00			`= Group-related events no longer fired when removing a realm`

			`With the goal of improving the scalability of groups, they are now removed directly from the database when removing a realm.`
			As a consequence, group-related events like the `GroupRemovedEvent` are no longer fired when removing a realm.

			If you have extensions handling any group-related event when a realm is removed, make sure to use the `RealmRemovedEvent` instead
			`to perform any cleanup or custom processing when a realm, and their groups, are removed.`

			The `GroupProvider` interface is also updated with a new `preRemove(RealmModel)` method to force implementations to properly
			`handle the removal of groups when a realm is removed.`

fix: adds affinity and other scheduling to the operator (#29977) closes: #29258 Signed-off-by: Steve Hawkins <shawkins@redhat.com> 2024-07-03 18:07:03 +00:00			`= Operator scheduling defaults`

			`Keycloak Pods will now have default affinities to prevent multiple instances from the same CR from being deployed on the same node, and all Pods from the same CR will prefer to be in the same zone to prevent stretch cache clusters.`

Add default CPU limit/request for the operator (#30601) Closes: #27432 Signed-off-by: Peter Zaoral <pzaoral@redhat.com> 2024-07-01 13:12:43 +00:00			`= Operator's default CPU and memory limits/requests`

			In order to follow the best practices, the default CPU and memory limits/requests for the Operator were introduced. It affects both non-OLM and OLM installs. To override the default values for the OLM install, edit the `resources` section in the operator's https://github.com/operator-framework/operator-lifecycle-manager/blob/master/doc/design/subscription-config.md#resources[subscription].
Fix deprecations in common module - Use charset in `Encode` class - Replace reflective call to protected `Liquibase#resetServices()` with call to exposed public method on a custom subclass `KeycloakLiquibase` - Remove usage of deprecated AccessController class in Reflections - Deprecated SetAccessibleProvilegedAction and UnsetAccessibleProvilegedAction Fixes #22209 Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com> Signed-off-by: Alexander Schwartz <aschwart@redhat.com> Co-authored-by: Alexander Schwartz <aschwart@redhat.com> 2024-07-02 16:02:35 +00:00
			= Deprecations in `keycloak-common` module

			`The following items have been deprecated for removal in upcoming {project_name} versions with no replacement:`

			- `org.keycloak.common.util.reflections.Reflections.newInstance(java.lang.Class<T>)`
			- `org.keycloak.common.util.reflections.Reflections.newInstance(java.lang.Class<?>, java.lang.String)`
			- `org.keycloak.common.util.reflections.SetAccessiblePrivilegedAction`
			- `org.keycloak.common.util.reflections.UnSetAccessiblePrivilegedAction`

			`= Consistent usage of UTF-8 charset for URL encoding`

			`org.keycloak.common.util.Encode` now always uses the `UTF-8` charset for URL encoding instead relying implicitly on the `file.encoding` system property.
Documenting LDAP connection pooling Closes #30995 Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com> 2024-07-02 11:34:59 +00:00
			`= Configuring the LDAP Connection Pool`

			`In this release, the LDAP connection pool configuration relies solely on system properties. The main`
			`reason is that the LDAP connection pool configuration is a JVM-level configuration rather than specific to an individual`
			`realm or LDAP provider instance.`

			`Compared to previous releases, any realm configuration related to the LDAP connection pool will be ignored.`
			`If you are migrating from previous versions where any of the following settings are set to your LDAP provider(s), consider using system properties instead:`

			* `connectionPoolingAuthentication`
			* `connectionPoolingInitSize`
			* `connectionPoolingMaxSize`
			* `connectionPoolingPrefSize`
			* `connectionPoolingTimeout`
			* `connectionPoolingProtocol`
			* `connectionPoolingDebug`

			`For more details, see link:{adminguide_link}#_ldap_connection_pool[Configuring the connection pool].`
fix: deprecate KEYCLOAK_ADMIN and KEYCLOAK_ADMIN_PASSWORD closes: #30658 Signed-off-by: Steve Hawkins <shawkins@redhat.com> Signed-off-by: Steven Hawkins <shawkins@redhat.com> Co-authored-by: Jon Koops <jonkoops@gmail.com> 2024-07-11 16:07:57 +00:00
Allow users to customize the footer of a login theme (#31391) Closes #31390 Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com> 2024-07-23 07:29:38 +00:00			`= Custom Footer in Login Theme`

			This release introduced the capability to easily add a custom footer to the login pages for the `base/login` and `keycloak.v2/login` theme.
			In order to use a custom footer, create a `footer.ftl` file in your custom login theme with the desired content.

			`For more details, see link:{developerguide_link}#_theme_custom_footer[Adding a custom footer to a login theme].`

Persisting revoked access tokens Closes #31296 Signed-off-by: Alexander Schwartz <aschwart@redhat.com> 2024-07-26 09:46:14 +00:00			`= Persisting revoked access tokens across restarts`

			`In this release, revoked access tokens are written to the database and reloaded when the cluster is restarted by default when using the embedded caches.`

			To disable this behavior, use the SPI option `spi-single-use-object-infinispan-persist-revoked-tokens` as outlined in the https://www.keycloak.org/server/all-provider-config[All provider configuration] {section}.

			The SPI behavior of `SingleUseObjectProvider` has changed that for revoked tokens only the methods `put` and `contains` must be used.
			This is enforced by default, and can be disabled using the SPI option `spi-single-use-object-infinispan-persist-revoked-tokens`.

Document admin bootstrapping and recovery Closes: #30011 Signed-off-by: Peter Zaoral <pzaoral@redhat.com> Co-authored-by: Alexander Schwartz <aschwart@redhat.com> Co-authored-by: Václav Muzikář <vaclav@muzikari.cz> 2024-07-30 13:45:56 +00:00			`= Admin Bootstrapping and Recovery`
fix: deprecate KEYCLOAK_ADMIN and KEYCLOAK_ADMIN_PASSWORD closes: #30658 Signed-off-by: Steve Hawkins <shawkins@redhat.com> Signed-off-by: Steven Hawkins <shawkins@redhat.com> Co-authored-by: Jon Koops <jonkoops@gmail.com> 2024-07-11 16:07:57 +00:00
Document admin bootstrapping and recovery Closes: #30011 Signed-off-by: Peter Zaoral <pzaoral@redhat.com> Co-authored-by: Alexander Schwartz <aschwart@redhat.com> Co-authored-by: Václav Muzikář <vaclav@muzikari.cz> 2024-07-30 13:45:56 +00:00			`It used to be difficult to regain access to a {project_name} instance when all admin users were locked out. The process required multiple advanced steps, including direct database access and manual changes. In an effort to improve the user experience, {project_name} now provides multiple ways to bootstrap a new admin account, which can be used to recover from such situations.`

			Consequently, the environment variables `KEYCLOAK_ADMIN` and `KEYCLOAK_ADMIN_PASSWORD` have been deprecated. You should use `KC_BOOTSTRAP_ADMIN_USERNAME` and `KC_BOOTSTRAP_ADMIN_PASSWORD` instead. These are also general options, so they may be specified via the cli or other config sources, for example `--bootstrap-admin-username=admin`. For more information, see the new https://www.keycloak.org/server/bootstrap-admin-recovery[Bootstrap admin and recovery] guide.