130 lines
7.2 KiB
Text
130 lines
7.2 KiB
Text
= OpenID Connect / OAuth 2.0
|
|
|
|
== FAPI 2 drafts support
|
|
|
|
Keycloak has new client profiles `fapi-2-security-profile` and `fapi-2-message-signing`, which ensure Keycloak enforces compliance with
|
|
the latest FAPI 2 draft specifications when communicating with your clients. Thanks to https://github.com/tnorimat[Takashi Norimatsu] for the contribution.
|
|
|
|
== DPoP preview support
|
|
|
|
Keycloak has preview for support for OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP). Thanks to
|
|
https://github.com/tnorimat[Takashi Norimatsu] and https://github.com/dteleguin[Dmitry Telegin] for their contributions.
|
|
|
|
== More flexibility for introspection endpoint
|
|
|
|
In previous versions, introspection endpoint automatically returned most claims, which were available in the access token. Now there is new
|
|
switch `Add to token introspection` on most of protocol mappers. This addition allows more flexibility as introspection endpoint can return different
|
|
claims than access token. This is first step towards "Lightweight access tokens" support as access tokens can omit lots of the claims, which would be still returned
|
|
by the introspection endpoint. When migrating from previous versions, the introspection endpoint should return same claims, which are returned from access token,
|
|
so the behavior should be effectively the same by default after the migration. Thanks to https://github.com/skabano[Shigeyuki Kabano] for the contribution.
|
|
|
|
== Feature flag for OAuth 2.0 device authorization grant flow
|
|
|
|
The OAuth 2.0 device authorization grant flow now includes a feature flag, so you can easily disable this feature. This feature is still enabled by default.
|
|
Thanks to https://github.com/thomasdarimont[Thomas Darimont] for the contribution.
|
|
|
|
|
|
= Authentication
|
|
|
|
== Passkeys support
|
|
|
|
Keycloak has preview support for https://fidoalliance.org/passkeys/[Passkeys].
|
|
|
|
Passkey registration and authentication are realized by the features of WebAuthn.
|
|
Therefore, users of Keycloak can do passkey registration and authentication by existing WebAuthn registration and authentication.
|
|
|
|
Both synced passkeys and device-bound passkeys can be used for both Same-Device and Cross-Device Authentication.
|
|
However, passkeys operations success depends on the user's environment. Make sure which operations can succeed in https://passkeys.dev/device-support/[the environment].
|
|
Thanks to https://github.com/tnorimat[Takashi Norimatsu] for the contribution and thanks to https://github.com/thomasdarimont[Thomas Darimont] for the help with the
|
|
ideas and testing of this feature.
|
|
|
|
== WebAuthn improvements
|
|
|
|
WebAuthn policy now includes a new field: `Extra Origins`. It provides better interoperability with non-Web platforms (for example, native mobile applications).
|
|
Thanks to https://github.com/akunzai[Charley Wu] for the contribution.
|
|
|
|
== You are already logged-in
|
|
|
|
There was an infamous issue that when user had login page opened in multiple browser tabs and authenticated in one of them,
|
|
the attempt to authenticate in subsequent browser tabs opened the page `You are already logged-in`. This is improved now as
|
|
other browser tabs just automatically authenticate as well after authentication of first browser tab. There are still
|
|
corner cases when the behaviour is not 100% correct, like the scenario with expired authentication session, which is then
|
|
restarted just in one browser tab and hence other browser tabs won't follow automatically with the login.
|
|
So we still plan improvements in this area.
|
|
|
|
== Password policy for specify Maximum authentication time
|
|
|
|
Keycloak supports new password policy, which allows to specify the maximum age of an authentication with which a password may be changed by user without re-authentication.
|
|
When this password policy is set to 0, the user will be required to re-authenticate to change the password in the Account Console or by other means.
|
|
You can also specify a lower or higher value than the default value of 5 minutes. Thanks to https://github.com/thomasdarimont[Thomas Darimont] for the contribution.
|
|
|
|
|
|
= Deployments
|
|
|
|
== Preview support for multi-site active-passive deployments
|
|
|
|
Deploying Keycloak to multiple independent sites is essential for some environments to provide high availability and a speedy recovery from failures.
|
|
This release adds preview-support for active-passive deployments for Keycloak.
|
|
|
|
A lot of work has gone into testing and verifying a setup which can sustain load and recover from the failure scenarios.
|
|
To get started, use the high-availability guide which also includes a comprehensive blueprint to deploy a highly available Keycloak to a cloud environment.
|
|
|
|
|
|
= Adapters
|
|
|
|
== OpenID Connect WildFly and JBoss EAP
|
|
|
|
OpenID Connect adapter for WildFly and JBoss EAP, which was deprecated in previous versions, has been removed in this release.
|
|
It is being replaced by the Elytron OIDC adapter,which is included in WildFly, and provides a seamless migration from
|
|
Keycloak adapters.
|
|
|
|
== SAML WildFly and JBoss EAP
|
|
|
|
The SAML adapter for WildFly and JBoss EAP is no longer distributed as a ZIP download, but rather a Galleon feature pack,
|
|
making it easier and more seamless to install.
|
|
|
|
See the link:{adapterguide_link}[{adapterguide_name}] for the details.
|
|
|
|
|
|
= Server distribution
|
|
|
|
== Load Shedding support
|
|
|
|
Keycloak now features `http-max-queued-requests` option to allow proper rejecting of incoming requests under high load.
|
|
For details refer to the https://www.keycloak.org/server/configuration-production[production guide].
|
|
|
|
== RESTEasy Reactive
|
|
|
|
Keycloak has switched to RESTEasy Reactive. Applications using `quarkus-resteasy-reactive` should still benefit from a better startup time, runtime performance, and memory footprint, even though not using reactive style/semantics. SPI's that depend directly on JAX-RS API should be compatible with this change. SPI's that depend on RESTEasy Classic including `ResteasyClientBuilder` will not be compatible and will require update, this will also be true for other implementation of the JAX-RS API like Jersey.
|
|
|
|
|
|
= User profile
|
|
|
|
Declarative user profile is still a preview feature in this release, but we are working hard on promoting it to a supported feature. Feedback is welcome.
|
|
If you find any issues or have any improvements in mind, you are welcome to create https://github.com/keycloak/keycloak/issues/new/choose[Github issue],
|
|
ideally with the label `area/user-profile`. It is also recommended to check the link:{upgradingguide_link}[{upgradingguide_name}] with the migration changes for this
|
|
release for some additional informations related to the migration.
|
|
|
|
|
|
= Group scalability
|
|
|
|
Performance around searching of groups is improved for the use-cases with many groups and subgroups. There are improvements, which allow
|
|
paginated lookup of subgroups. Thanks to https://github.com/alice-wondered[Alice] for the contribution.
|
|
|
|
|
|
= Themes
|
|
|
|
== Localization files for themes default to UTF-8 encoding
|
|
|
|
Message properties files for themes are now read in UTF-8 encoding, with an automatic fallback to ISO-8859-1 encoding.
|
|
|
|
See the migration guide for more details.
|
|
|
|
|
|
= Storage
|
|
|
|
== Removal of the Map Store
|
|
|
|
The Map Store has been an experimental feature in previous releases.
|
|
Starting with this release, it is removed and users should continue to use the current JPA store.
|
|
See the migration guide for details.
|