diff --git a/upgrading/topics/keycloak/changes.adoc b/upgrading/topics/keycloak/changes.adoc index 148e9b42af..29057b8ed0 100644 --- a/upgrading/topics/keycloak/changes.adoc +++ b/upgrading/topics/keycloak/changes.adoc @@ -1,5 +1,22 @@ == Migration Changes +=== Migrating to 3.4.2 + +==== Added session_state parameter to OpenID Connect Authentication Response + +The OpenID Connect Session Management specification requires that the parameter `session_state` is present in the OpenID Connect Authentication Response. + +In past releases, we did not have this parameter, but now {project_name} adds this parameter by default, as required by the specification. + +However, some OpenID Connect / OAuth2 adapters, and especially older {project_name} adapters, may have issues with this new parameter. + +For example, the parameter will be always present in the browser URL after successful authentication to the client application. +In these cases, it may be useful to disable adding the `session_state` parameter to the authentication response. This can be done +for the particular client in the {project_name} admin console, in client details in the section with `OpenID Connect Compatibility Modes`, +described in <<_compatibility_with_older_adapters>>. There is the `Exclude Session State From Authentication Response` switch, +which can be turned on to prevent adding the `session_state` parameter to the Authentication Response. + + === Migrating to 3.2.0 ==== New Password Hashing algorithms diff --git a/upgrading/topics/rhsso/changes-72.adoc b/upgrading/topics/rhsso/changes-72.adoc index b2de4aad90..1570c93c89 100644 --- a/upgrading/topics/rhsso/changes-72.adoc +++ b/upgrading/topics/rhsso/changes-72.adoc 
@@ -31,4 +31,18 @@ Microsoft JDBC Driver 6.0 requires additional dependency added to the JDBC drive [source,xml] ---- ----- \ No newline at end of file +---- + +=== Added session_state parameter to OpenID Connect Authentication Response + +The OpenID Connect Session Management specification requires that the parameter `session_state` is present in the OpenID Connect Authentication Response. + +In RH-SSO 7.1, we did not have this parameter, but now {project_name} adds this parameter by default, as required by the specification. + +However, some OpenID Connect / OAuth2 adapters, and especially older {project_name} adapters (such as RH-SSO 7.1 and older), may have issues with this new parameter. + +For example, the parameter will be always present in the browser URL after successful authentication to the client application. +If you use RH-SSO 7.1 or a legacy OAuth2 / OpenID Connect adapter, it may be useful to disable adding the `session_state` parameter to the authentication response. +This can be done for the particular client in the {project_name} admin console, in client details in the section with `OpenID Connect Compatibility Modes`, +described in <<_compatibility_with_older_adapters>>. There is the `Exclude Session State From Authentication Response` switch, +which can be turned on to prevent adding the `session_state` parameter to the Authentication Response. diff --git a/upgrading/topics/upgrade_adapters.adoc b/upgrading/topics/upgrade_adapters.adoc index c1726ce71e..4af4a67aba 100644 --- a/upgrading/topics/upgrade_adapters.adoc +++ b/upgrading/topics/upgrade_adapters.adoc 
@@ -4,6 +4,18 @@ It is important that you upgrade {project_name} server first, and then upgrade t adapter might work with later versions of {project_name} server, but earlier versions of {project_name} server might not work with later versions of the adapter. +[[_compatibility_with_older_adapters]] +== Compatibility with older adapters + +As mentioned above, we try to support newer release versions of {project_name} server working with older release versions of the adapters. +However, in some cases we need to include fixes on the {project_name} server side which may break compatibility with older versions +of the adapters. For example, when we implement new aspects of the OpenID Connect specification, which older client adapter versions +were not aware of. + +In those cases, we added Compatibility modes. For OpenId Connect clients, there is a section named `OpenID Connect Compatibility Modes` +in the {project_name} admin console, on the page with client details. Here, you can disable some new aspects of the {project_name} server +to preserve compatibility with older client adapters. More details are available in the tool tips of individual switches. + [[_upgrade_eap_adapter]] == Upgrading the EAP Adapter
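Review bot: In the `Migrating to 3.4.2` hunk of upgrading/topics/keycloak/changes.adoc, the paragraph that introduces the `Exclude Session State From Authentication Response` switch never says what is given up by turning it on. The first paragraph states that the Session Management specification requires `session_state` in the Authentication Response, so a client with the switch enabled gets a response that no longer meets that requirement. Please add a sentence saying so, and recommend the switch only for clients whose adapter cannot be upgraded yet. The "For example" sentence also only says the parameter stays in the browser URL; state why that is a problem for older adapters, and change "will be always present" to "will always be present".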
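Review bot: The section added at the end of upgrading/topics/rhsso/changes-72.adoc repeats the five paragraphs from keycloak/changes.adoc almost word for word, and the two copies already differ ("In past releases" versus "In RH-SSO 7.1"). They will drift further with later edits. Consider moving the shared text into one included file and keeping only the product-specific sentence in each place. In the same section, "older {project_name} adapters (such as RH-SSO 7.1 and older)" names a product release as if it were an adapter; "adapters shipped with RH-SSO 7.1 and older" would be clearer. The change of the listing delimiter from `-----` to `----` at the top of the hunk is unrelated to `session_state` and should be mentioned in the commit message.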
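Review bot: The new `Compatibility with older adapters` section in upgrading/topics/upgrade_adapters.adoc is the target of "described in <<_compatibility_with_older_adapters>>" in both migration notes, but it does not describe the `Exclude Session State From Authentication Response` switch at all and points the reader to the admin console tool tips instead. Please list each switch in the `OpenID Connect Compatibility Modes` section here with one sentence on what it disables, so the cross-reference resolves to actual documentation. Also, "For OpenId Connect clients" should read "OpenID Connect" to match the spelling used elsewhere in this patch.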