= New Operator preview

With this release, we're introducing a brand new {project_operator} as a preview. Apart from being rewritten from
scratch, the main user-facing change from the legacy Operator is the {project_name} distribution used: the new Operator
uses the Quarkus distribution of {project_name}. With that, the API (in the form of Custom Resource Definitions) has changed.
For details, including installation and migration instructions, see the https://www.keycloak.org/guides#operator[Operator related guides].

The link:{operatorRepo_link}[legacy Operator] will receive updates until Keycloak 20, when the {project_name} WildFly
distribution reaches EOL.

== OperatorHub versioning scheme
To avoid version conflicts with the legacy Operator, the 18.0.0 version of the new Operator is released as version
`20.0.0-alpha.1` on OperatorHub. The legacy Operator versioning scheme remains the same, i.e. it is released as 18.0.0.

The same pattern will apply for future {project_name} 18 and 19 releases, until version 20, when the legacy Operator
reaches EOL.

= New Admin Console preview

The new Admin Console has now graduated to preview, with the plan for it to become the default admin console in Keycloak 19.

If you find any issues with the new console, or have some suggestions for improvements, please let us know through https://github.com/keycloak/keycloak/discussions/categories/new-admin-console[GitHub Discussions].

= Step-up authentication

{project_name} now supports Step-up authentication. This feature was added in Keycloak 17, and was further polished in this version.

For more details, see link:{adminguide_link}#_step-up-flow[{adminguide_name}].

Thanks to https://github.com/CorneliaLahnsteiner[Cornelia Lahnsteiner] and https://github.com/romge[Georg Romstorfer] for the contribution.

= Client secret rotation

{project_name} now supports Client Secret Rotation through customer policies. This feature is now available as a preview feature and allows confidential clients to be provided with realm policies that permit the use of up to two secrets simultaneously.

For more details, see link:{adminguide_link}#_secret_rotation[{adminguide_name}].

= Recovery Codes

Recovery Codes, as another way to do two-factor authentication, are now available as a preview feature.

= OpenID Connect Logout Improvements

Some fixes and improvements were made to make sure that {project_name} is now fully compliant with all the OpenID Connect logout specifications:

* OpenID Connect RP-Initiated Logout 1.0
* OpenID Connect Front-Channel Logout 1.0
* OpenID Connect Back-Channel Logout 1.0
* OpenID Connect Session Management 1.0

For more details, see link:{adminguide_link}#_oidc-logout[{adminguide_name}].

= WebAuthn improvements

{project_name} now supports WebAuthn id-less authentication. This feature allows a WebAuthn Security Key to identify the user during authentication, as long as the
security key supports Resident Keys. For more details, see link:{adminguide_link}#_webauthn_loginless[{adminguide_name}].
Thanks to https://github.com/vanrar68[Joaquim Fellmann] for the contribution.

There are more WebAuthn improvements and fixes in addition to that.

= The deprecated `upload-script` feature was removed

The `upload-script` feature has been marked as deprecated for a very long time. In this release, it was completely removed, and it is no longer supported.

If you are using any of these capabilities:

* OpenID Connect Script Mapper
* Script Authenticator (Authentication Execution)
* JavaScript Policies

You should consider reading this https://www.keycloak.org/docs/latest/server_development/#_script_providers[documentation] to understand how to keep relying
on these capabilities by deploying your scripts to the server rather than managing them through the management interfaces.

= Session limits

{project_name} now supports limits on the number of sessions a user can have. Limits can be placed at the realm level or at the client level.

For more details, see link:{adminguide_link}#_user_session_limits[{adminguide_name}].
Thanks to https://github.com/mfdewit[Mauro de Wit] for the contribution.

= SAML ECP Profile is disabled by default

To mitigate the risk of abuse of the SAML ECP Profile, {project_name} now blocks
this flow for all SAML clients that do not allow it explicitly. The profile
can be enabled using the _Allow ECP Flow_ flag in the client configuration,
see link:{adminguide_link}#_client-saml-configuration[{adminguide_name}].

= Quarkus distribution

== Import realms at startup

The {project_name} Quarkus distribution now supports importing your realms directly at start-up. For more information, check the corresponding https://www.keycloak.org/server/importExport[guide].

== JSON and File Logging improvements

The {project_name} Quarkus distribution now has initial support for logging to a file and for logging structured data using JSON.

For more information on the improvements, check the corresponding https://www.keycloak.org/server/logging[Logging] {section}.

=== Environment variable expansion for values in keycloak.conf

The {project_name} Quarkus distribution now supports expanding values in keycloak.conf from environment variables.

For more information, check the corresponding https://www.keycloak.org/server/configuration[guide].

== New Option db-url-port

You can now change the port of your JDBC connection string explicitly by setting the new `db-url-port` configuration option. As for the other convenience options, this option will be overridden by the value of a full `db-url`, if set.

== Split metrics-enabled option into health-enabled and metrics-enabled
The `metrics-enabled` option now only enables the metrics for {project_name}. To enable the readiness and liveness probes, use the new build option `health-enabled`. This allows more fine-grained usage of these options.

= Other improvements

* Account console alignments with latest PatternFly release.
* Support for encrypted User Info endpoint response. Thanks to https://github.com/giacomoa[Giacomo Altiero]
* Support for the algorithm RSA-OAEP with A256GCM used for encryption keys. Thanks to https://github.com/fbrissi[Filipe Bojikian Rissi]
* Support for login with GitHub Enterprise server. Thanks to https://github.com/nngo[Neon Ngo]
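
The Quarkus distribution options described earlier (environment variable expansion in keycloak.conf, `db-url-port`, and the `metrics-enabled` / `health-enabled` split), combined in one file as an added example that is not part of the original release notes. The host, database and environment variable names are assumed placeholders.

```properties
# Constructed keycloak.conf fragment. Host, database and variable names are placeholders.
db=postgres

# Convenience options: the JDBC URL is assembled from these parts.
db-url-host=db.internal.example
db-url-port=6432
db-url-database=keycloak

# Values expanded from environment variables, so the credentials
# do not have to be written into the file itself.
db-username=${EXAMPLE_KC_DB_USER}
db-password=${EXAMPLE_KC_DB_PASSWORD}

# A full db-url, if set, overrides the convenience options above,
# including db-url-port. Left commented out so that db-url-port takes effect.
#db-url=jdbc:postgresql://other-db.internal.example:5432/keycloak

# metrics-enabled now only enables the metrics.
metrics-enabled=true

# The readiness and liveness probes are enabled separately
# with the new build option health-enabled.
health-enabled=true
```

A leftover `db-url` line silently wins over `db-url-port`, so check for one when a port change appears to have no effect.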