42 lines
2.8 KiB
Text
42 lines
2.8 KiB
Text
= Added iss parameter to OAuth 2.0/OpenID Connect Authentication Response
|
|
|
|
RFC 9207 OAuth 2.0 Authorization Server Issuer Identification specification adds the parameter `iss` in the OAuth 2.0/OpenID Connect Authentication Response for realizing secure authorization responses.
|
|
|
|
In past releases, we did not have this parameter, but now {project_name} adds this parameter by default, as required by the specification.
|
|
|
|
However, some OpenID Connect / OAuth2 adapters, and especially older {project_name} adapters, may have issues with this new parameter.
|
|
|
|
For example, the parameter will be always present in the browser URL after successful authentication to the client application.
|
|
In these cases, it may be useful to disable adding the `iss` parameter to the authentication response. This can be done
|
|
for the particular client in the {project_name} Admin console, in client details in the section with `OpenID Connect Compatibility Modes`,
|
|
described in <<_compatibility_with_older_adapters>>. Dedicated `Exclude Issuer From Authentication Response` switch exists,
|
|
which can be turned on to prevent adding the `iss` parameter to the authentication response.
|
|
|
|
= Wildcard characters handling
|
|
|
|
JPA allows wildcards `%` and `_` when searching, while other providers like LDAP allow only `*`.
|
|
As `*` is a natural wildcard character in LDAP, it works in all places, while with JPA it only
|
|
worked at the beginning and the end of the search string. Starting with this release the only
|
|
wildcard character is `*` which work consistently across all providers in all places in the search
|
|
string. All special characters in a specific provider like `%` and `_` for JPA are escaped. For exact
|
|
search, with added quotes e.g. `"w*ord"`, the behavior remains the same as in previous releases.
|
|
|
|
= Language files for themes default to UTF-8 encoding
|
|
|
|
This release now follows the standard mechanisms of Java and later, which assumes resource bundle files to be encoded in UTF-8.
|
|
|
|
Previous versions of Keycloak supported specifying the encoding in the first line with a comment like `# encoding: UTF-8`, which is no longer supported and is ignored.
|
|
|
|
Message properties files for themes are now read in UTF-8 encoding, with an automatic fallback to ISO-8859-1 encoding.
|
|
If you are using a different encoding, convert the files to UTF-8.
|
|
|
|
= Changes to the value format of claims mapped by the realm and client role mappers
|
|
|
|
Before this release, both realm (`User Realm Role`) and client (`User Client Role`) protocol mappers
|
|
were mapping a stringfied JSON array when the `Multivalued` setting was disabled.
|
|
|
|
However, the `Multivalued` setting indicates whether the claim should be mapped as a list or, if disabled, only a single value
|
|
from the same list of values.
|
|
|
|
In this release, the role and client mappers now map to a single value from the effective roles of a user when
|
|
they are marked as single-valued (`Multivalued` disabled).
|