From d8ab12eab7325de62142b80fc5a563e33d0ad4fb Mon Sep 17 00:00:00 2001 From: Marek Posolda Date: Fri, 16 Feb 2024 08:34:20 +0100 Subject: [PATCH] Release notes for Keycloak 24 with OIDC contributions (#27047) closes #25729 Signed-off-by: mposolda Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com> --- .../release_notes/topics/24_0_0.adoc | 40 +++++++++++++++++++ 1 file changed, 40 insertions(+) diff --git a/docs/documentation/release_notes/topics/24_0_0.adoc b/docs/documentation/release_notes/topics/24_0_0.adoc index 036008e515..c94348885e 100644 --- a/docs/documentation/release_notes/topics/24_0_0.adoc +++ b/docs/documentation/release_notes/topics/24_0_0.adoc 
@@ -103,6 +103,46 @@ The Keycloak JS adapter now uses the https://webpack.js.org/guides/package-expor The Keycloak JS adapter now sets the `pkceMethod` option to `S256` by default. This enables Proof Key Code Exchange (https://datatracker.ietf.org/doc/html/rfc7636[PKCE]) for all applications using the adapter. If you are using the adapter on a system that doesn't support PKCE, you can set the `pkceMethod` option to `false` to disable it. += OAuth/OIDC related improvements + +== Lightweight access tokens support + +This release contains support for Lightweight access tokens. As a result, you can have smaller access tokens for specified clients. These tokens have only a few +claims, which is why they are smaller. Note that lightweight access token is still JWT signed by the realm key by default and still contains some very basic claims. + +This release introduces an *Add to lightweight access token* flag that is available on some OIDC protocol mappers. Use this flag to specify if a particular claim should be added to a lightweight +access token. It is *OFF* by default, which means that most claims are not added. Also, a client policy executor exists. Use it to specify if a particular client request +should use lightweight access tokens or regular access tokens. A previous release added an *Add to token introspection* switch. You use it to add +claims that are not present in the access token into the introspection endpoint response. Thanks to https://github.com/skabano[Shigeyuki Kabano] for the contribution and Thanks to +https://github.com/tnorimat[Takashi Norimatsu] for a help and review of this feature. + +== Scope parameter supported in the refresh token flow + +Starting with this release, we support the`scope` parameter in the OAuth2/OIDC endpoint for token refresh. You can use this parameter to request access tokens with a smaller amount +of scopes than originally granted, which means you cannot increase access token scope. 
This scope limitation does not affect the scope of the refreshed refresh token. This function works as +described in the OAuth2 specification. Thanks to https://github.com/cgeorgilakis[Konstantinos Georgilakis] for the contribution. + +== Client policy executor for enforcing DPoP + +A new client policy executor `dpop-bind-enforcer` is introduced. You can use it to enforce DPoP for a particular client if `dpop` preview + is enabled. Thanks to https://github.com/tnorimat[Takashi Norimatsu] for the contribution. + +== Supporting EdDSA + +You can create EdDSA realm keys and use them as signature algorithms for various clients. For instance, you can use these keys to sign tokens or for client authentication with signed JWT. +This feature includes identity brokering where {project_name} itself signs client assertions that are used for `private_key_jwt` authentication to third party identity providers. Thanks to +https://github.com/tnorimat[Takashi Norimatsu] and https://github.com/MuhammadZakwan[Muhammad Zakwan Bin Mohd Zahid] for the contribution. + +== Option to add X509 thumbprint to JWT when using private_key_jwt authentication for identity providers + +OIDC identity providers now have the option *Add X.509 Headers to the JWT* for the case when client authentication with JWT signed by private key is used. This option can be useful +for interoperability with some identity providers such as Azure AD, which require the thumbprint to be present on the JWT. Thanks to https://github.com/MikeTangoEcho[MT] for the contribution. + += Cors improvements + +The CORS related Keycloak functionality was extracted into the SPI, which can allow additional flexibility. Note that `CorsSPI` is internal and may change in the +future. Thanks to https://github.com/dteleguin[Dmitry Telegin] for the contribution. + = Truststore Improvements Keycloak introduces an improved truststores configuration options. 
The Keycloak truststore is now used across the server: for outgoing connections, mTLS, database drivers and more. It's no longer needed to configure separate truststores for individual areas. To configure the truststore, you can put your truststores files or certificates in the default `conf/truststores`, or use the new `truststore-paths` config option. For details refer to the relevant https://www.keycloak.org/server/keycloak-truststore[guide].
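Review bot: in the "Scope parameter supported in the refresh token flow" paragraph, `the`scope`` is missing a space before the opening backtick; AsciiDoc constrained monospace only renders when the opening backtick is preceded by a non-word character, so this will appear literally as "the`scope`" in the published notes. Change it to `the `scope` parameter`. Same hunk, a few wording fixes for the rest of the added text: in the lightweight access token section, "Note that lightweight access token is still JWT signed by the realm key by default" reads better as "Note that a lightweight access token is still a JWT signed by the realm key by default", "and Thanks to" should be lowercase "thanks to" mid-sentence, and "for a help and review of this feature" should be "for help and review of this feature". The heading `= Cors improvements` should be `= CORS improvements` to match "The CORS related Keycloak functionality" in its own body text. In the DPoP section, "if `dpop` preview\n is enabled" is split across a line boundary with a leading space on the continuation; merging it as "if the `dpop` preview feature is enabled" keeps it on one line and makes clear that `dpop` is a feature flag rather than a client option. The security statements themselves look right: the refresh-flow wording that the `scope` parameter can only narrow, never widen, the originally granted scope matches RFC 6749 section 6, and the note that it does not change the scope of the refreshed refresh token is a useful caveat worth keeping.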