Keycloak

= OpenID Connect / OAuth 2.0

== FAPI 2 drafts support

{project_name} has new client profiles `fapi-2-security-profile` and `fapi-2-message-signing`, which ensure {project_name} enforces compliance with
the latest FAPI 2 draft specifications when communicating with your clients.
ifeval::[{project_community}==true]
Thanks to https://github.com/tnorimat[Takashi Norimatsu] for the contribution.
endif::[]

== DPoP preview support

{project_name} has preview support for OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP).
ifeval::[{project_community}==true]
Thanks to
https://github.com/tnorimat[Takashi Norimatsu] and https://github.com/dteleguin[Dmitry Telegin] for their contributions.
endif::[]

== More flexibility for introspection endpoint

In previous versions, the introspection endpoint automatically returned most claims that were available in the access token. Now most protocol mappers include a new
`Add to token introspection` switch. This addition allows more flexibility because the introspection endpoint can return different
claims than an access token. This change is a first step towards "Lightweight access tokens" support because access tokens can omit many of the claims, which would still be returned
by the introspection endpoint. When migrating from previous versions, the introspection endpoint should return the same claims that are returned from the access token,
so the behavior should be effectively the same by default after the migration.
ifeval::[{project_community}==true]
Thanks to https://github.com/skabano[Shigeyuki Kabano] for the contribution.
endif::[]
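
The following Python helper is an added example, not part of the {project_name} release notes or code base. It compares the claims carried in an access token with those in an introspection response, which is the check a resource server owner would run after migration or after changing the `Add to token introspection` switch on a mapper. The token, the response, the issuer URL and all function names are constructed for illustration.

```python
import base64
import json

# "active" is defined by RFC 7662 for the response itself and never appears in a token.
INTROSPECTION_ONLY = {"active"}


def jwt_payload(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature (audit use only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated JWT segments")
    segment = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(segment))


def compare_claims(access_token: str, introspection: dict) -> dict:
    """Report how the token's claims differ from the introspection response."""
    report = {"active": bool(introspection.get("active")),
              "only_in_introspection": [], "only_in_token": [], "mismatched": []}
    if not report["active"]:
        return report  # an inactive response should carry no further claims
    token_claims = jwt_payload(access_token)
    intro = {k: v for k, v in introspection.items() if k not in INTROSPECTION_ONLY}
    report["only_in_introspection"] = sorted(intro.keys() - token_claims.keys())
    report["only_in_token"] = sorted(token_claims.keys() - intro.keys())
    report["mismatched"] = sorted(
        k for k in token_claims.keys() & intro.keys() if token_claims[k] != intro[k])
    return report


def _b64url(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


# Constructed sample data: a slimmed-down access token and a fuller introspection response.
SAMPLE_TOKEN = ".".join([
    _b64url({"alg": "RS256", "typ": "JWT"}),
    _b64url({"iss": "https://idp.example/realms/demo", "sub": "u-123", "exp": 1700000300}),
    "constructed-signature",
])
SAMPLE_INTROSPECTION = {
    "active": True, "iss": "https://idp.example/realms/demo", "sub": "u-123",
    "exp": 1700000300, "email": "alice@example.com", "realm_access": {"roles": ["auditor"]},
}

if __name__ == "__main__":
    print(json.dumps(compare_claims(SAMPLE_TOKEN, SAMPLE_INTROSPECTION), indent=2))
```

A non-empty `only_in_introspection` list marks claims that a resource server validating tokens locally would no longer see and must obtain through introspection instead.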

== Feature flag for OAuth 2.0 device authorization grant flow

The OAuth 2.0 device authorization grant flow now includes a feature flag, so you can easily disable this feature. This feature is still enabled by default.
ifeval::[{project_community}==true]
Thanks to https://github.com/thomasdarimont[Thomas Darimont] for the contribution.
endif::[]

= Authentication

== Passkeys support

{project_name} has preview support for https://fidoalliance.org/passkeys/[Passkeys].

Passkey registration and authentication are realized by the features of WebAuthn.
Therefore, users of {project_name} can do Passkey registration and authentication through the existing WebAuthn registration and authentication.

Both synced Passkeys and device-bound Passkeys can be used for both Same-Device and Cross-Device Authentication.
However, the success of Passkeys operations depends on the user's environment. Check which operations can succeed in https://passkeys.dev/device-support/[the environment].
ifeval::[{project_community}==true]
Thanks to https://github.com/tnorimat[Takashi Norimatsu] for the contribution and thanks to https://github.com/thomasdarimont[Thomas Darimont] for the help with the
ideas and testing of this feature.
endif::[]

== WebAuthn improvements

WebAuthn policy includes a new field: `Extra Origins`. It provides better interoperability with non-Web platforms (for example, native mobile applications).
ifeval::[{project_community}==true]
Thanks to https://github.com/akunzai[Charley Wu] for the contribution.
endif::[]

== You are already logged-in

This release addresses an issue that occurs when a user has a login page open in multiple browser tabs and authenticates in one of them. When the user tried to authenticate in another browser tab, a message appeared: `You are already logged-in`. This is improved now, as
other browser tabs automatically authenticate the user after authentication in the first tab. However, more improvements are still needed. For example, when an authentication session expires and is restarted in one browser tab, other browser tabs do not follow automatically with the login.

== Password policy to specify Maximum authentication time

{project_name} supports a new password policy that allows you to specify the maximum age of an authentication with which a password may be changed by a user without re-authentication.
When this password policy is set to 0, the user is required to re-authenticate to change the password in the Account Console or by other means.
You can also specify a lower or higher value than the default value of 5 minutes.
ifeval::[{project_community}==true]
Thanks to https://github.com/thomasdarimont[Thomas Darimont] for the contribution.
endif::[]

ifeval::[{project_community}==true]
= Deployments

== Preview support for multi-site active-passive deployments

Deploying {project_name} to multiple independent sites is essential for some environments to provide high availability and a speedy recovery from failures.
This release adds preview support for active-passive deployments for {project_name}.

A lot of work has gone into testing and verifying a setup which can sustain load and recover from the failure scenarios.
To get started, use the https://www.keycloak.org/guides#high-availability[high-availability guide] which also includes a comprehensive blueprint to deploy a highly available {project_name} to a cloud environment.

= Adapters

== OpenID Connect WildFly and JBoss EAP

The OpenID Connect adapter for WildFly and JBoss EAP, which was deprecated in previous versions, has been removed in this release.
It is being replaced by the Elytron OIDC adapter, which is included in WildFly and provides a seamless migration from
{project_name} adapters.

== SAML WildFly and JBoss EAP

The SAML adapter for WildFly and JBoss EAP is no longer distributed as a ZIP download, but rather as a Galleon feature pack,
making it easier and more seamless to install.

See the link:{adapterguide_link}[{adapterguide_name}] for the details.

endif::[]

= Server distribution

== Load Shedding support

{project_name} now features the `http-max-queued-requests` option to allow proper rejection of incoming requests under high load.
For details refer to the https://www.keycloak.org/server/configuration-production[production guide].

== RESTEasy Reactive

{project_name} has switched to RESTEasy Reactive. Applications using `quarkus-resteasy-reactive` should still benefit from a better startup time, runtime performance, and memory footprint, even though not using reactive style/semantics. SPIs that depend directly on the JAX-RS API should be compatible with this change. SPIs that depend on RESTEasy Classic, including `ResteasyClientBuilder`, will not be compatible and will require an update. This update will also be needed for other implementations of the JAX-RS API like Jersey.

ifeval::[{project_community}==true]
= User profile

Declarative user profile is still a preview feature in this release, but we are working hard on promoting it to a supported feature. Feedback is welcome.
If you find any issues or have any improvements in mind, you are welcome to create a https://github.com/keycloak/keycloak/issues/new/choose[GitHub issue],
ideally with the label `area/user-profile`. It is also recommended to check the link:{upgradingguide_link}[{upgradingguide_name}] with the migration changes for this
release for some additional information related to the migration.

endif::[]

= Group scalability

Performance of group searches is improved for use cases with many groups and subgroups. There are improvements that allow
paginated lookup of subgroups.
ifeval::[{project_community}==true]
Thanks to https://github.com/alice-wondered[Alice] for the contribution.
endif::[]

= Themes

== Localization files for themes default to UTF-8 encoding

Message properties files for themes are now read in UTF-8 encoding, with an automatic fallback to ISO-8859-1 encoding.

See the migration guide for more details.

ifeval::[{project_community}==true]

= Storage

== Removal of the Map Store

The Map Store has been an experimental feature in previous releases.
Starting with this release, it is removed and users should continue to use the current JPA store.
See the migration guide for details.

endif::[]