81 lines
3.6 KiB
Text
81 lines
3.6 KiB
Text
= Old Admin Console removed
|
|
|
|
In Keycloak 19 the new admin console was graduated to the new default admin console, and the old admin console was
|
|
deprecated. In this release the old admin console has been removed completely.
|
|
|
|
= Keycloak uses Micrometer for metrics
|
|
|
|
Keycloak provides an optional a metrics endpoint which exports metrics in the Prometheus format.
|
|
In this release the implementation to provide this data switched from SmallRye to Micrometer.
|
|
Due to this change, metrics have been renamed.
|
|
|
|
See the migration guide for details.
|
|
|
|
= Java 11 support for Keycloak server deprecated
|
|
|
|
Running the Keycloak server with Java 11 is now deprecated, and planned to be removed in Keycloak 22.
|
|
|
|
Adapters remain supported on Java 8, Java 11, and Java 17. However, we are planning to remove support for Java 8 in the
|
|
not too distant future.
|
|
|
|
= Hashicop Vault no longer supported
|
|
|
|
We removed the out-of-box support for Hashicorp vault in this release.
|
|
|
|
See this https://github.com/keycloak/keycloak/discussions/16446[discussion] for more details.
|
|
|
|
= SAML SP metadata changes
|
|
|
|
Prior to this release, SAML SP metadata contained the same key for both
|
|
signing and encryption use. Starting with this version of Keycloak,
|
|
we include only encryption intended realm keys for encryption use
|
|
in SP metadata. For each encryption key descriptor we also specify
|
|
the algorithm that it is supposed to be used with. The following table shows
|
|
the supported XML-Enc algorithms with the mapping to Keycloak realm keys.
|
|
See the link:{upgradingguide_link}[{upgradingguide_name}] for more details.
|
|
|
|
[cols="1,1"]
|
|
|===
|
|
|*XML-Enc algorithm*
|
|
|*Keycloak realm key algorithm*
|
|
|
|
|https://www.w3.org/TR/2002/REC-xmlenc-core-20021210/Overview.html#rsa-oaep-mgf1p[rsa-oaep-mgf1p]
|
|
|RSA-OAEP
|
|
|
|
|https://www.w3.org/TR/2002/REC-xmlenc-core-20021210/Overview.html#rsa-1_5[rsa-1_5]
|
|
|RSA1_5
|
|
|===
|
|
|
|
= Deprecated methods from user session provider were removed
|
|
|
|
Several deprecated methods were removed from user session provider. If not done already,
|
|
their usage needs to be replaced with the corresponding replacement documented in Javadoc
|
|
of Keycloak 20 release. See link:{upgradingguide_link}[{upgradingguide_name}] for more details.
|
|
|
|
= New storage: `IS_CLIENT_ROLE` searchable field was deprecated
|
|
|
|
The `IS_CLIENT_ROLE` searchable field from the `RoleModel` was deprecated. It
|
|
should be replaced with the `CLIENT_ID` searchable field used with the operators
|
|
`EXISTS` or `NOT_EXISTS`. See JavaDoc of Keycloak 21 for more details.
|
|
|
|
= FIPS 140-2 preview support
|
|
|
|
FIPS 140-2 support in Keycloak, which was experimental in the previous release, is now promoted to preview. There were many fixes and improvements to create this preview version.
|
|
For the details, see the https://www.keycloak.org/guides#server[FIPS documentation]. Feedback is welcome!
|
|
|
|
Thanks again to https://github.com/david-rh[David Anderson], https://github.com/sudeepd[Sudeep Das] and https://github.com/isaacjensen[Isaac Jensen]
|
|
for their huge help with this feature.
|
|
|
|
= Support for the standard `Forwarded` header when running behind a reverse proxy
|
|
|
|
In addition to recognize the non-standard `X-Forwarded-*` to fetch information
|
|
added by proxies that would otherwise be altered or lost when proxy servers are involved in the path of the request, Keycloak
|
|
can now leverage the standard `Forwarded` header for the same purpose.
|
|
|
|
For more details, see the https://www.keycloak.org/server/reverseproxy[Using a reverse proxy] guide.
|
|
|
|
Please, make sure your proxy is also overriding the `Forwarded` header when making requests to Keycloak nodes.
|
|
|
|
= Other improvements
|
|
|
|
* Option to disable client registration access token rotation. Thanks to https://github.com/reda-alaoui[Réda Housni Alaoui]
|