From e3863a4ac34ce531609e2e62fd10545e212a20f6 Mon Sep 17 00:00:00 2001 From: AndyMunro Date: Sat, 25 Jun 2022 17:24:53 -0400 Subject: [PATCH] Update Upgrading Guide for 7.6 Closes #1563 --- .../document-attributes-product.adoc | 13 +- upgrading/master-docinfo.xml | 2 +- upgrading/topics/rhsso/changes-76.adoc | 171 ++++++++++++++++++ upgrading/topics/rhsso/changes.adoc | 2 +- upgrading/topics/rhsso/intro.adoc | 2 +- 5 files changed, 181 insertions(+), 9 deletions(-) create mode 100644 upgrading/topics/rhsso/changes-76.adoc diff --git a/topics/templates/document-attributes-product.adoc b/topics/templates/document-attributes-product.adoc index 3f3fd9cb6c..3d74fb98d9 100644 --- a/topics/templates/document-attributes-product.adoc +++ b/topics/templates/document-attributes-product.adoc @@ -1,19 +1,20 @@ :project_community: false :project_product: true :project_name: Red Hat Single Sign-On -:project_versionMvn: 15.0.2.redhat-00001 -:project_versionNpm: 15.0.2.redhat-00001 +:project_versionMvn: 18.0.0.redhat-00001 +:project_versionNpm: 18.0.0.redhat-00001 :project_images: rhsso-images +:cdate: 2022 :standalone: :api-management!: :on-prem: :project_name_full: Red Hat Single Sign-On -:project_version_base: 7.5 -:project_version: 7.5.0 -:keycloak_upgrade_version: 15.0.2 -:project_versionDoc: 7.5 +:project_version_base: 7.6 +:project_version: 7.6.0 +:keycloak_upgrade_version: 18.0.0 +:project_versionDoc: 7.6 :project_templates_base_url: https://raw.githubusercontent.com/jboss-container-images/redhat-sso-7-openshift-image/sso75-dev/templates :project_latest_image_tag: {project_versionDoc} :project_doc_base_url: https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/{project_versionDoc}/html-single diff --git a/upgrading/master-docinfo.xml b/upgrading/master-docinfo.xml index b83c4e75d9..080a1125cd 100644 --- a/upgrading/master-docinfo.xml +++ b/upgrading/master-docinfo.xml @@ -10,7 +10,7 @@ Red Hat Customer Content Services - Copyright 2021 Red Hat, Inc. + Copyright {cdate} Red Hat, Inc. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at diff --git a/upgrading/topics/rhsso/changes-76.adoc b/upgrading/topics/rhsso/changes-76.adoc new file mode 100644 index 0000000000..9d457c7ee8 --- /dev/null +++ b/upgrading/topics/rhsso/changes-76.adoc @@ -0,0 +1,171 @@ +== RH SSO 7.6 + +The following changes have occurred from {project_name} 7.5 to {project_name} 7.6. + +=== Step-up authentication + +Step-up authentication is a new feature. This feature provides the `acr` client scope, which contains a protocol mapper that is supposed to add the `acr` +claim in the token. The `acr` claim is not added automatically now as it was before this version, but it is added with the usage +of this client scope and protocol mapper. + +The client scope is added as a realm "default" client scope and hence will be added to all newly created clients. For performance reasons, +the client scope is not automatically added to all existing clients during migration. The clients will not have an `acr` claim by default after +the migration. Consider these possible actions: + +- If you do not plan to use step-up authentication feature, but you rely on the `acr` claim in the token, you can disable `step_up_authentication` + feature as described in the link:{installguide_link}#profiles[{installguide_name}]. The claim will be added with the value `1` in case of normal authentication and `0` in case of SSO authentication. +- Add `acr` client scope to your clients manually by admin REST API or admin console. This is needed especially if you want to use step-up authentication. + If you have a large number of clients in the realm and want to use `acr` claim for all of them, you can trigger some SQL similar to this against your DB. + However, remember to clear the cache or restart the server if {project_name} is already started: + +``` +insert into CLIENT_SCOPE_CLIENT (CLIENT_ID, SCOPE_ID, DEFAULT_SCOPE) select CLIENT.ID as CLIENT_ID, CLIENT_SCOPE.ID as SCOPE_ID, true as DEFAULT_SCOPE +from CLIENT_SCOPE, CLIENT where CLIENT_SCOPE.REALM_ID='test' and CLIENT_SCOPE.NAME='acr' and CLIENT.REALM_ID='test' and CLIENT.PROTOCOL='openid-connect'; +``` + +=== OpenID Connect Logout + +Previous versions of {project_name} had supported automatic logout of the user and redirecting to the application by opening logout endpoint URL such as +`http(s)://example-host/auth/realms/my-realm-name/protocol/openid-connect/logout?redirect_uri=encodedRedirectUri`. While that implementation was easy to use, it had potentially negative impact +on performance and security. The new version has better support for logout based on the OpenID Connect RP-Initiated Logout specification. The parameter `redirect_uri` is no longer supported; also, +in the new version, the user needs to confirm the logout. It is possible to omit the confirmation and do automatic redirect to the application when you include parameter `post_logout_redirect_uri` +together with the parameter `id_token_hint` with the ID Token used for login. + +The existing deployments are affected in the following ways: + +- If your application directly uses links to logout endpoint with the `redirect_uri` parameter, you may be required to change this as described above. + Consider either removing the `redirect_uri` parameter entirely or replacing it with the `id_token_hint` and `post_logout_redirect_uri` parameters. +- If you use java adapters and your application does logout by call `httpServletRequest.logout()`, you are not affected because this call uses the backchannel variant of the logout endpoint + and that one was not changed. +- If you use the latest javascript adapter, you are also not affected. However if your application uses an older version of the JavaScript adapter, you are affected as this + adapter uses the variant of the logout endpoint with the deprecated `redirect_uri` parameter. In this case, you may need to upgrade to the latest version of the JavaScript adapter. +- For the Node.js adapter, the same guideline applies as for the JavaScript adapter. You are encouraged to update to the latest version as the older version of the adapter uses the deprecated `redirect_uri` parameter. + With the latest Node.js adapter, you are not affected as long as you use the logout based on the `/logout` URL as described in the documentation or in the Node.js adapter example. However, in the case + when your application directly uses the method `keycloak.logoutUrl`, you can consider adding `idTokenHint` as the second argument to this method. The possibility to add `idTokenHint` as second argument was newly + added in this version. The `idTokenHint` needs to be a valid ID Token that was obtained during the login. Adding `idTokenHint` is optional, but if you omit it, your users will need to confirm the logout screen as + described earlier. Also they will not be redirected back to the application after logout. + +There is a backwards compatibility option, which allows your application to still use the old format of the `redirect_uri` parameter. + +You can enable this parameter by including the following configuration in the `standalone-*.xml` file + +[source,bash,subs=+attributes] +---- + + + + + + + +---- + +With this configuration, you can still use the format with the `redirect_uri` parameter. Note the confirmation screen will be needed if the `id_token_hint` is omitted. + +WARNING: The backwards compatibility switch will be removed in some future version. You are encouraged to update your clients as soon as possible +as described above rather than rely on this switch. + +=== Removal of the `upload-scripts` feature + +Previous versions of {project_name} had supported managing JavaScript code through the management interfaces like the administrations console and REST API. Starting from this version +this is no longer possible, and you should now deploy your scripts to the server in order to configure the following providers: + +* OpenID Connect Script Mapper +* Script Authenticator (Authentication Execution) +* JavaScript Policies + +More details about how to deploy scripts to the server are available in the https://www.keycloak.org/docs/latest/server_development/#_script_providers[documentation]. Note that to use scripts, you are still +required to enable the `scripts` technology preview feature. + +``` +./standalone.sh -Dkeycloak.profile=preview +``` +When deploying scripts, the server is going to automatically create their corresponding providers so that you can select them when configuring authentication flows, mappers, and authorization policies. + +In general, the steps to update your realms are the following: + +* Before upgrading, remove any script provider you are using. +* After the upgrade, deploy your scripts following the instructions in the https://www.keycloak.org/docs/latest/server_development/#_script_providers[documentation]. +* Update your authentication flows, mappers, and the client authorization settings to use the providers created from the scripts deployed to the server. + +=== Account console Patternfly upgrade + +The Patternfly (PF) React libraries have been updated updated, `@patternfly/react-core` from v3.153.3 to v4.147.0, `@patternfly/react-icons` from v3.15.16 to v 4.11.8, and `@patternfly/react-styles` from v3.7.14 to v4.11.8. Several minor UI updates were made to bring the account console into alignment with PF design standards. + +Custom developed account UIs might not be compatible with these updates due to the breaking changes in PF. Most breaking changes should be resovlable by updating props on PF components. + +Resources: + +- [Patternfly docs](https://www.patternfly.org) + + +Components known to have breaking changes: + +- Alert + + - `action` prop changed to `actionClose` + +- Expandable + + - renamed to `ExpandableSection` + +- Title + + - size attr now uses `TitleSizes` + +- DataListContent + + - `noPadding` changed to `hasNoPadding` + +- Grid, Stack, Level, Gallery + + - `gutter` attr changed to `hasGutter` + +- Modal + + - sizing control changed from, e.g. `isLarge`, to use `ModalVariant`, e.g. `variant={ModalVariant.large}` + +- Select + + - `ariaLabelTypeAhead` to `typeAheadAriaLabel` + + - `isExpanded` to `isOpen` + + - `ariaLabelledBy` to `aria-labelledby` + +- DataListContent + + - `noPadding` to `hasNoPadding` + +=== Client Policies Migration : client-scopes + +If you used a policy including client-scopes condition and edited JSON document directly, you will need to change the "scope" field name in a JSON document to "scopes". + +=== Liquibase upgraded to version 4.6.2 + +Liquibase was updated from version 3.5.5 to 4.6.2, which includes, among other things, several bug fixes, and a new way of registering custom extensions using `ServiceLoader`. + +Closely follow the <<_upgrading,Upgrading Guide>>, specifically of *backing up +existing database before upgrade*. While we did our best to test the consequences of the Liquibase upgrade, some installations could be using specific setup unknown to us. + +=== Deprecated features in the {project_operator} + +With this release, we have deprecated `podDisruptionBudget` field in the Keycloak CR of {project_operator}. +This optional field will be ignored when the Operator is deployed on OCP 4.12 and higher versions. + +As a workaround, you can manually create the Pod Disruption Budget in your cluster, for example: +```yaml +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + labels: + app: keycloak + name: keycloak +spec: + maxUnavailable: 1 + selector: + matchLabels: + component: keycloak +``` +See also the https://kubernetes.io/docs/tasks/run-application/configure-pdb/[Kubernetes Documentation]. + diff --git a/upgrading/topics/rhsso/changes.adoc b/upgrading/topics/rhsso/changes.adoc index 639247c609..c00239a99e 100644 --- a/upgrading/topics/rhsso/changes.adoc +++ b/upgrading/topics/rhsso/changes.adoc @@ -4,7 +4,7 @@ Review these changes carefully before upgrading. - +include::changes-76.adoc[leveloffset=1] include::changes-75.adoc[leveloffset=1] include::changes-74.adoc[leveloffset=1] include::changes-73.adoc[leveloffset=1] diff --git a/upgrading/topics/rhsso/intro.adoc b/upgrading/topics/rhsso/intro.adoc index d310d3d7b8..c194423c53 100644 --- a/upgrading/topics/rhsso/intro.adoc +++ b/upgrading/topics/rhsso/intro.adoc @@ -52,7 +52,7 @@ You can migrate to Red Hat Single Sign-On, the supported Red Hat product, from K .Prerequisites * To learn about new features before the upgrade, review the xref:release_changes[changes]. -* Verify that you have installed the correct version of Keycloak as a starting point. To migrate to Red Hat Single Sign-On {project_versionDoc}, you need Keycloak {keycloak_upgrade_version}. +* Verify that you have installed the correct version of Keycloak as a starting point. To migrate to Red Hat Single Sign-On {project_versionDoc}, first install Keycloak {keycloak_upgrade_version}. .Procedure