diff --git a/server_development/topics/providers.adoc b/server_development/topics/providers.adoc index 340298851d..e533817791 100644 --- a/server_development/topics/providers.adoc +++ b/server_development/topics/providers.adoc @@ -209,6 +209,7 @@ bin/kc.[sh|bat] build --spi-user-cache-infinispan-enabled=false * Authenticator * JavaScript Policy * OpenID Connect Protocol Mapper +* SAML Protocol Mapper ==== Authenticator @@ -296,6 +297,13 @@ The `META-INF/keycloak-scripts.json` is a file descriptor that provides metadata "fileName": "my-script-mapper.js", "description": "My Mapper from a JS file" } + ], + "saml-mappers": [ + { + "name": "My Mapper", + "fileName": "my-script-mapper.js", + "description": "My Mapper from a JS file" + } ] } ``` @@ -313,6 +321,10 @@ For JavaScript Policies when using {project_name} Authorization Services. You ca * `mappers` + For OpenID Connect Script Protocol Mappers. You can have one or multiple mappers in the same JAR file ++ +* `saml-mappers` ++ +For SAML Script Protocol Mappers. You can have one or multiple mappers in the same JAR file For each script file in your `JAR` file, you need a corresponding entry in `META-INF/keycloak-scripts.json` that maps your scripts files to a specific provider type. For that you should provide the following properties for each entry: 
@@ -380,19 +392,6 @@ cp target/keycloak-server-copy/providers/*.jar KEYCLOAK_HOME/providers/ ``` After re-augment the distribution with `kc.sh build`, the script engine should be deployed and your script providers should work. -==== Using the {project_name} Admin Console to upload scripts - -NOTE: Ability to upload scripts through the Admin Console is deprecated and will be removed in a future version of {project_name}. - -Administrators cannot upload scripts to the server. This behavior prevents potential harm to the system in case -malicious scripts are accidentally executed. Administrators should always deploy scripts directly to the server using a -JAR file to prevent attacks when you run scripts at runtime. - -Ability to upload scripts can be explicitly enabled. This should be used with great care and plans should be created to -deploy all scripts directly to the server as soon as possible. - -For more details about how to enable the `upload_scripts` feature, see the https://www.keycloak.org/server/features[Enabling and disabling features] guide. - === Available SPIs If you want to see list of all available SPIs at runtime, you can check `Server Info` page in Admin Console as described in <<_providers_admin_console,Admin Console>> section. diff --git a/upgrading/topics/keycloak/changes-19_0_2.adoc b/upgrading/topics/keycloak/changes-19_0_2.adoc index 698f79fdec..f21306987f 100644 --- a/upgrading/topics/keycloak/changes-19_0_2.adoc +++ b/upgrading/topics/keycloak/changes-19_0_2.adoc 
@@ -11,4 +11,12 @@ bin/kc.[sh|bat] --spi-login-protocol-openid-connect-suppress-logout-confirmation With this configuration, you can still use the logout endpoint without a user prompt. -WARNING: The backwards compatibility switch will be removed in some future version - probably Keycloak 23. You are encouraged to update your clients as soon as possible as described above rather than rely on this switch. \ No newline at end of file +WARNING: The backwards compatibility switch will be removed in some future version - probably Keycloak 23. You are encouraged to update your clients as soon as possible as described above rather than rely on this switch. + += Deploying scripts through SAML javascript protocol mapper + +Until now, administrators, which used SAML javascript protocol mapper on their SAML clients or client scopes, were allowed to upload scripts to the server through the {project_name} Administration Console as well as +through the RESTful Admin API. + +For now on, this capability is *disabled* and users should deploy scripts directly to the server. This behaviour is aligned with other script based providers. For more details, +please take a look at link:{developerguide_jsproviders_link}[{developerguide_jsproviders_name}]. \ No newline at end of file
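Review bot: In the `keycloak-scripts.json` example hunk of providers.adoc (@@ -296,6 +297,13 @@), the new `saml-mappers` entry reuses `"fileName": "my-script-mapper.js"` and the same description as the entry directly above it, so the sample maps one script file to two provider types without saying whether that is intended. Give the SAML entry its own file name and description (for example a name that marks it as the SAML mapper) so that readers copying the descriptor do not register an OpenID Connect mapper script as a SAML mapper by accident.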
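Review bot: The providers.adoc hunk that deletes "Using the {project_name} Admin Console to upload scripts" (@@ -380,19 +392,6 @@) drops the only visible statement of why scripts must be deployed as a JAR ("prevents potential harm to the system in case malicious scripts are accidentally executed") along with the pointer to the `upload_scripts` feature. Keep a short note in this section stating that scripts cannot be uploaded through the Admin Console or the Admin API and must be deployed to the server, and say explicitly whether `upload_scripts` still exists, so operators who enabled it know what to expect. Any cross-references to the removed heading also need checking.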
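Review bot: The new "Deploying scripts through SAML javascript protocol mapper" section in changes-19_0_2.adoc (@@ -11,4 +11,12 @@) says the upload capability is *disabled* but does not tell an upgrading administrator what happens to SAML mappers whose scripts were already uploaded, or whether the `upload_scripts` feature mentioned in the text removed from providers.adoc can still turn the capability back on. Add one sentence covering each case, since this is the upgrade note people will act on. Wording: "For now on" should read "From now on", "administrators, which used" should read "administrators who used", and "javascript" should be "JavaScript" to match providers.adoc. The added text also still ends without a trailing newline.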