9c1790af68
* Enable syslog log handler Closes #27544 Signed-off-by: Martin Bartoš <mabartos@redhat.com> * Suggest an alternative to GELF Signed-off-by: Martin Bartoš <mabartos@redhat.com> --------- Signed-off-by: Martin Bartoš <mabartos@redhat.com>
49 lines
No EOL
3 KiB
Text
49 lines
No EOL
3 KiB
Text
= Argon2 password hashing
|
|
|
|
Argon2 is now the default password hashing algorithm used by {project_name}
|
|
|
|
Argon2 was the winner of the [2015 password hashing competition](https://en.wikipedia.org/wiki/Password_Hashing_Competition)
|
|
and is the recommended hashing algorithm by [OWASP](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#argon2id).
|
|
|
|
In {project_name} 24 the default hashing iterations for PBKDF2 were increased from 27.5K to 210K, resulting in a more than
|
|
10 times increase in the amount of CPU time required to generate a password hash. With Argon2 it is possible to achieve
|
|
better security, with almost the same CPU time as previous releases of {project_name}. One downside is Argon2 requires more
|
|
memory, which is a requirement to be resistant against GPU attacks. The defaults for Argon2 in {project_name} requires 7MB
|
|
per-hashing request.
|
|
|
|
= Deprecated cookie methods removed
|
|
|
|
The following methods for setting custom cookies have been removed:
|
|
|
|
* `LocaleSelectorProvider.KEYCLOAK_LOCALE` - replaced by `CookieType.LOCALE`
|
|
* `HttpCookie` - replaced by `NewCookie.Builder`
|
|
* `HttpResponse.setCookieIfAbsent(HttpCookie cookie)` - replaced by `HttpResponse.setCookieIfAbsent(NewCookie cookie)`
|
|
|
|
= Password policy for check if password contains Username
|
|
|
|
Keycloak supports a new password policy that allows you to deny user passwords which contains the user username.
|
|
|
|
= Searching by user attribute no longer case insensitive
|
|
|
|
When searching for users by user attribute, {project_name} no longer searches for user attribute names forcing lower case comparisons. The goal of this change was to speed up searches by using {project_name}'s native index on the user attribute table. If your database collation is case-insensitive, your search results will stay the same. If your database collation is case-sensitive, you might see less search results than before.
|
|
|
|
= Breaking fix in authorization client library
|
|
|
|
For users of the `keycloak-authz-client` library, calling `AuthorizationResource.getPermissions(...)` now correctly returns a `List<Permission>`.
|
|
|
|
Previously, it would return a `List<Map>` at runtime, even though the method declaration advertised `List<Permission>`.
|
|
|
|
This fix will break code that relied on casting the List or its contents to `List<Map>`. If you have used this method in any capacity, you are likely to have done this and be affected.
|
|
|
|
= IDs are no longer set when exporting authorization settings for a client
|
|
|
|
When exporting the authorization settings for a client, the IDs for resources, scopes, and policies are no longer set. As a
|
|
result, you can now import the settings from a client to another client.
|
|
|
|
= Syslog for remote logging
|
|
|
|
{project_name} now supports https://en.wikipedia.org/wiki/Syslog[Syslog] protocol for remote logging.
|
|
It utilizes the protocol defined in https://datatracker.ietf.org/doc/html/rfc5424[RFC 5424].
|
|
By default, the syslog handler is disabled, but when enabled, it sends all log events to a remote syslog server.
|
|
|
|
For more information, see the https://www.keycloak.org/server/logging[Configuring logging] guide. |