= Argon2 password hashing Argon2 is now the default password hashing algorithm used by {project_name} Argon2 was the winner of the [2015 password hashing competition](https://en.wikipedia.org/wiki/Password_Hashing_Competition) and is the recommended hashing algorithm by [OWASP](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#argon2id). In {project_name} 24 the default hashing iterations for PBKDF2 were increased from 27.5K to 210K, resulting in a more than 10 times increase in the amount of CPU time required to generate a password hash. With Argon2 it is possible to achieve better security, with almost the same CPU time as previous releases of {project_name}. One downside is Argon2 requires more memory, which is a requirement to be resistant against GPU attacks. The defaults for Argon2 in {project_name} requires 7MB per-hashing request. = SameSite attribute set for all cookies The following cookies did not use to set the `SameSite` attribute, which in recent browser versions results in them defaulting to `SameSite=Lax`: * `KC_STATE_CHECKER` now sets `SameSite=Strict` * `KC_RESTART` now sets `SameSite=None` * `KC_AUTH_STATE` now sets `SameSite=Strict` * `KEYCLOAK_LOCALE` now sets `SameSite=None` * `KEYCLOAK_REMEMBER_ME` now sets `SameSite=None` The default value `SameSite=Lax` causes issues with POST based bindings, mostly applicable to SAML, but also used in some OpenID Connect / OAuth 2.0 flows. = Deprecated cookie methods removed The following methods for setting custom cookies have been removed: * `LocaleSelectorProvider.KEYCLOAK_LOCALE` - replaced by `CookieType.LOCALE` * `HttpCookie` - replaced by `NewCookie.Builder` * `HttpResponse.setCookieIfAbsent(HttpCookie cookie)` - replaced by `HttpResponse.setCookieIfAbsent(NewCookie cookie)` = Password policy for check if password contains Username Keycloak supports a new password policy that allows you to deny user passwords which contains the user username. = Searching by user attribute no longer case insensitive When searching for users by user attribute, {project_name} no longer searches for user attribute names forcing lower case comparisons. The goal of this change was to speed up searches by using {project_name}'s native index on the user attribute table. If your database collation is case-insensitive, your search results will stay the same. If your database collation is case-sensitive, you might see less search results than before. = Breaking fix in authorization client library For users of the `keycloak-authz-client` library, calling `AuthorizationResource.getPermissions(...)` now correctly returns a `List`. Previously, it would return a `List` at runtime, even though the method declaration advertised `List`. This fix will break code that relied on casting the List or its contents to `List`. If you have used this method in any capacity, you are likely to have done this and be affected. = IDs are no longer set when exporting authorization settings for a client When exporting the authorization settings for a client, the IDs for resources, scopes, and policies are no longer set. As a result, you can now import the settings from a client to another client. = Management port for metrics and health endpoints Metrics and health checks endpoints are no longer accessible through the standard {project_name} server port. As these endpoints should be hidden from the outside world, they can be accessed on a separate default management port `9000`. It allows to not expose it to the users as standard Keycloak endpoints in Kubernetes environments. The new management interface provides a new set of options and is fully configurable. {project_name} Operator assumes the management interface is turned on by default. For more details, see https://www.keycloak.org/server/management-interface[Configuring the Management Interface]. = Syslog for remote logging {project_name} now supports https://en.wikipedia.org/wiki/Syslog[Syslog] protocol for remote logging. It utilizes the protocol defined in https://datatracker.ietf.org/doc/html/rfc5424[RFC 5424]. By default, the syslog handler is disabled, but when enabled, it sends all log events to a remote syslog server. For more information, see the https://www.keycloak.org/server/logging[Configuring logging] guide.