libre.sh/keycloak-scim
3
0
Fork 0
Code Issues 15 Pull requests Releases Packages Activity Actions

document compatibility mode for oidc logout endpoint suppression (#1658)

Browse source 
Closes #1657

Co-authored-by: Marek Posolda <mposolda@gmail.com>

Co-authored-by: Markus Till <markus.till@bosch.io>
This commit is contained in:
Marek Posolda 2022-08-10 14:59:32 +02:00 committed by GitHub
parent be0724fdc8
commit 5a6a302d2f
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 36 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
upgrading/topics/keycloak/changes-18_0_0.adoc
View file

@ -68,7 +68,7 @@ endif::[]
With this configuration, you can still use the format with the `redirect_uri` parameter. Note the confirmation screen will be needed if the `id_token_hint` is omitted.
WARNING: The backwards compatibility switch will be removed in some future version - probably Keycloak 21. You are encouraged to update your clients as soon as possible
WARNING: The backwards compatibility switch will be removed in some future version - probably Keycloak 23. You are encouraged to update your clients as soon as possible
as described above rather than rely on this switch.
= Removal of the `upload-scripts` feature

31
upgrading/topics/keycloak/changes-19_0_2.adoc Normal file
View file

@ -0,0 +1,31 @@
= OpenID Connect Logout Prompt
At Keycloak 18.0.0, the logout is now compatible with the new OIDC specification, which changed the handling for the url parameters. However, to also remain compatible with earlier versions, a compatibility flag is introduced. See the link:{upgradingguide_link}#openid-connect-logout[{upgradingguide_name}] for further information for the backwards compatibility option, which allows your application to still use the old format for the url parameters.
While the url parameters can now be configured to be compatible, there was still one incompatibility with keycloak 17 and earlier releases. If the user does not provide an valid `idTokenHint`, a logout prompt appears instead of a successful logout redirect. Therefore, a new compatibility flag `suppress-logout-confirmation-screen` is introduced to suppress the logout screen.
ifeval::["{kc_dist}" == "quarkus"]
You can enable this parameter when you start the server by entering the following command:
```
bin/kc.[sh|bat] --spi-login-protocol-openid-connect-suppress-logout-confirmation-screen=true start
```
endif::[]
ifeval::["{kc_dist}" == "wildfly"]
You can enable this parameter by including the following configuration in the `standalone-*.xml` file
[source,bash,subs=+attributes]
----
<spi name="login-protocol">
<provider name="openid-connect" enabled="true">
<properties>
<property name="suppress-logout-confirmation-screen" value="true"/>
</properties>
</provider>
</spi>
----
endif::[]
With this configuration, you can still use the logout endpoint without a user prompt.
WARNING: The backwards compatibility switch will be removed in some future version - probably Keycloak 23. You are encouraged to update your clients as soon as possible as described above rather than rely on this switch.

4
upgrading/topics/keycloak/changes.adoc
View file

@ -1,5 +1,9 @@
== Migration Changes
=== Migrating to 19.0.2
include::changes-19_0_2.adoc[leveloffset=3]
=== Migrating to 19.0.0
include::changes-19_0_0.adoc[leveloffset=3]