Release notes editorial for 23 (#24972)
Signed-off-by: stianst <stianst@gmail.com>
parent 834ef79509
commit f41383a851
1 changed file with 93 additions and 55 deletions
|
@ -1,26 +1,32 @@
|
|||
= OIDC and SAML adapter changes for WildFly and JBoss EAP
|
||||
= OpenID Connect / OAuth 2.0
|
||||
|
||||
OIDC adapter for the WildFly and JBoss EAP, which was deprecated in previous versions, is removed in this release. It is being replaced by the Elytron OIDC adapter,
|
||||
which is included in WildFly. The SAML adapter ZIP download for WildFly/EAP is removed as it is being replaced by the Galleon feature pack.
|
||||
See the link:{adapterguide_link}[{adapterguide_name}] for the details.
|
||||
|
||||
= Localization files for themes default to UTF-8 encoding
|
||||
|
||||
Message properties files for themes are now read in UTF-8 encoding, with an automatic fallback to ISO-8859-1 encoding.
|
||||
|
||||
See the migration guide for more details.
|
||||
|
||||
= FAPI 2 drafts support
|
||||
== FAPI 2 drafts support
|
||||
|
||||
Keycloak has new client profiles `fapi-2-security-profile` and `fapi-2-message-signing`, which ensure Keycloak enforces compliance with
|
||||
the latest FAPI 2 draft specifications when communicating with your clients. Thanks to https://github.com/tnorimat[Takashi Norimatsu] for the contribution.
|
||||
|
||||
= DPoP preview support
|
||||
== DPoP preview support
|
||||
|
||||
Keycloak has preview for support for OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP). Thanks to
|
||||
https://github.com/tnorimat[Takashi Norimatsu] and https://github.com/dteleguin[Dmitry Telegin] for their contributions.
|
||||
|
||||
= Passkeys support
|
||||
== More flexibility for introspection endpoint
|
||||
|
||||
In previous versions, introspection endpoint automatically returned most claims, which were available in the access token. Now there is new
|
||||
switch `Add to token introspection` on most of protocol mappers. This addition allows more flexibility as introspection endpoint can return different
|
||||
claims than access token. This is first step towards "Lightweight access tokens" support as access tokens can omit lots of the claims, which would be still returned
|
||||
by the introspection endpoint. When migrating from previous versions, the introspection endpoint should return same claims, which are returned from access token,
|
||||
so the behavior should be effectively the same by default after the migration. Thanks to https://github.com/skabano[Shigeyuki Kabano] for the contribution.
|
||||
|
||||
== Feature flag for OAuth 2.0 device authorization grant flow
|
||||
|
||||
The OAuth 2.0 device authorization grant flow now includes a feature flag, so you can easily disable this feature. This feature is still enabled by default.
|
||||
Thanks to https://github.com/thomasdarimont[Thomas Darimont] for the contribution.
|
||||
|
||||
|
||||
= Authentication
|
||||
|
||||
== Passkeys support
|
||||
|
||||
Keycloak has preview support for https://fidoalliance.org/passkeys/[Passkeys].
|
||||
|
||||
|
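Review bot: "Keycloak has preview for support for OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP)" carries a stray "for" that survives the restructuring unchanged; it should read "has preview support for". The introspection entry, now moved under "= OpenID Connect / OAuth 2.0", could be tightened at the same time ("the introspection endpoint", "a new switch", "a first step towards"), and because the new `Add to token introspection` switch allows introspection to return claims the access token omits, the migration sentence would help readers more if it stated plainly that the default after migration keeps the introspection claims identical to the access-token claims, so any divergence is the result of mapper configuration made afterwards.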
@ -32,61 +38,93 @@ However, passkeys operations success depends on the user's environment. Make sur
|
|||
Thanks to https://github.com/tnorimat[Takashi Norimatsu] for the contribution and thanks to https://github.com/thomasdarimont[Thomas Darimont] for the help with the
|
||||
ideas and testing of this feature.
|
||||
|
||||
= WebAuthn improvements
|
||||
== WebAuthn improvements
|
||||
|
||||
WebAuthn policy now includes a new field: `Extra Origins`. It provides better interoperability with non-Web platforms (for example, native mobile applications).
|
||||
Thanks to https://github.com/akunzai[Charley Wu] for the contribution.
|
||||
|
||||
= RESTEasy Reactive
|
||||
== You are already logged-in
|
||||
|
||||
Keycloak has switched to RESTEasy Reactive. Applications using `quarkus-resteasy-reactive` should still benefit from a better startup time, runtime performance, and memory footprint, even though not using reactive style/semantics. SPI's that depend directly on JAX-RS API should be compatible with this change. SPI's that depend on RESTEasy Classic including `ResteasyClientBuilder` will not be compatible and will require update, this will also be true for other implementation of the JAX-RS API like Jersey.
|
||||
There was an infamous issue that when user had login page opened in multiple browser tabs and authenticated in one of them,
|
||||
the attempt to authenticate in subsequent browser tabs opened the page `You are already logged-in`. This is improved now as
|
||||
other browser tabs just automatically authenticate as well after authentication of first browser tab. There are still
|
||||
corner cases when the behaviour is not 100% correct, like the scenario with expired authentication session, which is then
|
||||
restarted just in one browser tab and hence other browser tabs won't follow automatically with the login.
|
||||
So we still plan improvements in this area.
|
||||
|
||||
= More flexibility for introspection endpoint
|
||||
|
||||
In previous versions, introspection endpoint automatically returned most claims, which were available in the access token. Now there is new
|
||||
switch `Add to token introspection` on most of protocol mappers. This addition allows more flexibility as introspection endpoint can return different
|
||||
claims than access token. This is first step towards "Lightweight access tokens" support as access tokens can omit lots of the claims, which would be still returned
|
||||
by the introspection endpoint. When migrating from previous versions, the introspection endpoint should return same claims, which are returned from access token,
|
||||
so the behavior should be effectively the same by default after the migration. Thanks to https://github.com/skabano[Shigeyuki Kabano] for the contribution.
|
||||
|
||||
= Feature flag for OAuth 2.0 device authorization grant flow
|
||||
|
||||
The OAuth 2.0 device authorization grant flow now includes a feature flag, so you can easily disable this feature. This feature is still enabled by default.
|
||||
Thanks to https://github.com/thomasdarimont[Thomas Darimont] for the contribution.
|
||||
|
||||
= Group scalability improvements
|
||||
|
||||
Performance around searching of groups is improved for the use-cases with many groups and subgroups. There are improvements, which allow
|
||||
paginated lookup of subgroups. Thanks to https://github.com/alice-wondered[Alice] for the contribution.
|
||||
|
||||
= User profile improvements
|
||||
|
||||
Declarative user profile is still a preview feature in this release, but we are working hard on promoting it to a supported feature. Feedback is welcome.
|
||||
If you find any issues or have any improvements in mind, you are welcome to create https://github.com/keycloak/keycloak/issues/new/choose[Github issue],
|
||||
ideally with the label `area/user-profile`. It is also recommended to check the link:{upgradingguide_link}[{upgradingguide_name}] with the migration changes for this
|
||||
release for some additional informations related to the migration.
|
||||
|
||||
= Removal of the Map Store
|
||||
|
||||
The Map Store has been an experimental feature in previous releases.
|
||||
Starting with this release, it is removed and users should continue to use the current JPA store.
|
||||
See the migration guide for details.
|
||||
|
||||
= Load Shedding support
|
||||
|
||||
Keycloak now features `http-max-queued-requests` option to allow proper rejecting of incoming requests under high load.
|
||||
For details refer to the https://www.keycloak.org/server/configuration-production[production guide].
|
||||
|
||||
= Password policy for specify Maximum authentication time
|
||||
== Password policy for specify Maximum authentication time
|
||||
|
||||
Keycloak supports new password policy, which allows to specify the maximum age of an authentication with which a password may be changed by user without re-authentication.
|
||||
When this password policy is set to 0, the user will be required to re-authenticate to change the password in the Account Console or by other means.
|
||||
You can also specify a lower or higher value than the default value of 5 minutes. Thanks to https://github.com/thomasdarimont[Thomas Darimont] for the contribution.
|
||||
|
||||
= Preview support for multi-site active-passive deployments
|
||||
|
||||
= Deployments
|
||||
|
||||
== Preview support for multi-site active-passive deployments
|
||||
|
||||
Deploying Keycloak to multiple independent sites is essential for some environments to provide high availability and a speedy recovery from failures.
|
||||
This release adds preview-support for active-passive deployments for Keycloak.
|
||||
|
||||
A lot of work has gone into testing and verifying a setup which can sustain load and recover from the failure scenarios.
|
||||
To get started, use the high-availability guide which also includes a comprehensive blueprint to deploy a highly available Keycloak to a cloud environment.
|
||||
|
||||
|
||||
= Adapters
|
||||
|
||||
== OpenID Connect WildFly and JBoss EAP
|
||||
|
||||
OpenID Connect adapter for WildFly and JBoss EAP, which was deprecated in previous versions, has been removed in this release.
|
||||
It is being replaced by the Elytron OIDC adapter,which is included in WildFly, and provides a seamless migration from
|
||||
Keycloak adapters.
|
||||
|
||||
== SAML WildFly and JBoss EAP
|
||||
|
||||
The SAML adapter for WildFly and JBoss EAP is no longer distributed as a ZIP download, but rather a Galleon feature pack,
|
||||
making it easier and more seamless to install.
|
||||
|
||||
See the link:{adapterguide_link}[{adapterguide_name}] for the details.
|
||||
|
||||
|
||||
= Server distribution
|
||||
|
||||
== Load Shedding support
|
||||
|
||||
Keycloak now features `http-max-queued-requests` option to allow proper rejecting of incoming requests under high load.
|
||||
For details refer to the https://www.keycloak.org/server/configuration-production[production guide].
|
||||
|
||||
== RESTEasy Reactive
|
||||
|
||||
Keycloak has switched to RESTEasy Reactive. Applications using `quarkus-resteasy-reactive` should still benefit from a better startup time, runtime performance, and memory footprint, even though not using reactive style/semantics. SPI's that depend directly on JAX-RS API should be compatible with this change. SPI's that depend on RESTEasy Classic including `ResteasyClientBuilder` will not be compatible and will require update, this will also be true for other implementation of the JAX-RS API like Jersey.
|
||||
|
||||
|
||||
= User profile
|
||||
|
||||
Declarative user profile is still a preview feature in this release, but we are working hard on promoting it to a supported feature. Feedback is welcome.
|
||||
If you find any issues or have any improvements in mind, you are welcome to create https://github.com/keycloak/keycloak/issues/new/choose[Github issue],
|
||||
ideally with the label `area/user-profile`. It is also recommended to check the link:{upgradingguide_link}[{upgradingguide_name}] with the migration changes for this
|
||||
release for some additional informations related to the migration.
|
||||
|
||||
|
||||
= Group scalability
|
||||
|
||||
Performance around searching of groups is improved for the use-cases with many groups and subgroups. There are improvements, which allow
|
||||
paginated lookup of subgroups. Thanks to https://github.com/alice-wondered[Alice] for the contribution.
|
||||
|
||||
|
||||
= Themes
|
||||
|
||||
== Localization files for themes default to UTF-8 encoding
|
||||
|
||||
Message properties files for themes are now read in UTF-8 encoding, with an automatic fallback to ISO-8859-1 encoding.
|
||||
|
||||
See the migration guide for more details.
|
||||
|
||||
|
||||
= Storage
|
||||
|
||||
== Removal of the Map Store
|
||||
|
||||
The Map Store has been an experimental feature in previous releases.
|
||||
Starting with this release, it is removed and users should continue to use the current JPA store.
|
||||
See the migration guide for details.
|
||||
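Review bot: "It is being replaced by the Elytron OIDC adapter,which is included in WildFly" is missing the space after the comma, and the heading "Password policy for specify Maximum authentication time" is ungrammatical; both are carried into the new layout verbatim, so this editorial pass is the place to fix them (for example "Password policy to specify the maximum authentication age"). Smaller points in the same hunk: "some additional informations" should be "some additional information", "Github issue" should be "GitHub issue", and the "You are already logged-in" paragraph would read better split into what changed (other tabs now authenticate automatically) and the remaining corner case (an expired authentication session restarted in only one tab).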