From 2f81a2fb76a6baf109d9d84bb8aea9ddcf7cfc74 Mon Sep 17 00:00:00 2001
From: Alexander Schwartz
Date: Mon, 8 Dec 2025 10:55:33 +0100
Subject: [PATCH] Updating and ordering the release notes
Closes #44706
Signed-off-by: Alexander Schwartz
---
 .../release_notes/topics/26_5_0.adoc | 131 +++++++++++++-----
 .../server_admin/topics/threat/scope.adoc | 2 +-
 .../topics/changes/changes-26_4_1.adoc | 10 ++
 .../topics/changes/changes-26_4_2.adoc | 24 ++++
 .../topics/changes/changes-26_4_3.adoc | 59 ++++++++
 .../topics/changes/changes-26_4_6.adoc | 21 +++
 .../topics/changes/changes-26_5_0.adoc | 108 ++++-----------
 .../topics/changes/changes-template.adoc | 1 +
 .../upgrading/topics/changes/changes.adoc | 16 +++
 .../services/cors/DefaultCorsFactory.java | 7 +-
 10 files changed, 264 insertions(+), 115 deletions(-)
 create mode 100644 docs/documentation/upgrading/topics/changes/changes-26_4_1.adoc
 create mode 100644 docs/documentation/upgrading/topics/changes/changes-26_4_2.adoc
 create mode 100644 docs/documentation/upgrading/topics/changes/changes-26_4_3.adoc
 create mode 100644 docs/documentation/upgrading/topics/changes/changes-26_4_6.adoc
diff --git a/docs/documentation/release_notes/topics/26_5_0.adoc b/docs/documentation/release_notes/topics/26_5_0.adoc
index 9548926ecc6..5d545ce3110 100644
--- a/docs/documentation/release_notes/topics/26_5_0.adoc
+++ b/docs/documentation/release_notes/topics/26_5_0.adoc
@@ -1,7 +1,92 @@ // Release notes should contain only headline-worthy new features, // assuming that people who migrate will read the upgrading guide anyway. -= Preview of enhanced HTTP performance +//// + +// TODO +This release features new capabilities focused on ... The highlights of this release are: + +// TODO +// ... + +Read on to learn more about each new feature. If you are upgrading from a previous release, https://www.keycloak.org/docs/latest/upgrading/index.html[review also the changes listed in the upgrading guide]. + +//// + += Security and Standards + +== Logout confirmation page + +The client logout configuration now includes an option to show a logout confirmation page. When enabled, users will see a "`You are logged out`" confirmation page upon successful logout. + +== CORS enhancements +// https://github.com/keycloak/keycloak/pull/43767 +// https://github.com/keycloak/keycloak/issues/8863 + +For the OpenID Connect Dynamic Client Registration, you can now specify which CORS headers are allowed via the client registration access policies. + +For the overall CORS configuration, you can now allow environment specific headers to be allowed using the SPI option `+spi-cors--default--allowed-headers+`. + +== Hiding OpenID Connect scopes from the discovery endpoint +// https://github.com/keycloak/keycloak/issues/10388 + +Previously, all scopes of an OpenID Connect client were advertised in the discovery endpoint. + +In some situation you might want to avoid it, as the calling client, for example, an MCP server might not support it, or you might want to hide some scopes for preventing their discovery via public APIs. + +You can now prevent this by disabling *Include in OpenID Provider Metadata*. 
+ += Administration + +//// +// TODO += Federated client authentication (preview) +//// + +== Organization invitation management + +Organization administrators can now manage organization invitations through both the Admin Console and REST API: + +* View all sent invitations with their current status (Pending, Expired) +* Resend pending invitations to recipients +* Delete invitation records from the system +* Filter invitations by status for easier management + +All invitations are now persistently stored in the database, providing better tracking and management capabilities. + +The invitation management features are available in the *Invitations* tab when managing an organization in the Admin Console, and through the Organizations REST API endpoints under `+/admin/realms/{realm}/orgs/{orgId}/invitations+`. + +== New event `USER_SESSION_DELETED` + +For each expired user session there is a new user event `USER_SESSION_DELETED` fired. +This event is published approximately 3-10 minutes after the session has expired depending on job scheduling and load on the system. +By default, this event is not persisted. + +As part of this change, the process now deletes rows from the table in small batches, instead of issuing a delete statements that affects the whole table. +This should allow for better response times when there are a lot of sessions in the table. + += Configuring and Running + +== Containers for PowerPC 64-bit Little Endian architecture + +The containers for both the {project_name} and its operator are not available as well for the PowerPC 64-bit Little Endian (ppc64le) architecture. This is in addition to the existing amd64 and arm64. + +We expect this to allow users to optimize their usage of open hardware and power consumption. + +== Session cache affinity + +Authentication, user, and client sessions are now created on the respective {project_name} node and avoid extra remote calls to neighbors when reading or writing them to the embedded caches. 
+ +When you have sticky sessions enabled in your loadbalancer, you will benefit from this feature automatically, and you should see reduced response times when authenticating users. + +== PostgreSQL version updates + +The latest major release of PostgreSQL 18 is now supported. +As PostgreSQL 13 is end-of-life it is now longer supported. + +We also updated the docs on how to use a TLS certificate for the JDBC-connection when connecting to a PostgreSQL database. + +== Enhanced HTTP performance (preview) You can now enable a more efficient way to handle JSON data in the HTTP layer. This change increases throughput by ~5%, stabilizes response times, and reduces system resource usage. @@ -15,22 +100,7 @@ endif::[] For more details, see the https://www.keycloak.org/server/configuration-production[Configuring Keycloak for production] guide. -= Breaking Fix for Windows in Loopback Hostname Verification - -This release introduces a breaking change for Windows users: setups that previously relied on custom machine names or non-standard hostnames for loopback (e.g., `127.0.0.1` resolving to a custom name) may require updates to their trusted domain configuration. Only `localhost` and `*.localhost` are now recognized for loopback verification. - -Keycloak now consistently normalizes loopback addresses to `localhost` for domain verification across all platforms. This change ensures predictable behavior for trusted domain checks, regardless of the underlying OS. - -= Export traces with custom request headers - -It is now possible to set request headers for exporting traces via Open Telemetry Protocol (OTLP). -It is mainly useful for providing tokens in the request. - -You can specify these headers via the `tracing-header-
` wildcard option, accepting any custom header name. - -For more details, see the link:{tracingguide_link}[{tracingguide_name}] guide. - -= Enable/disable features via a single option +== Enable/disable features via a single option You can now enable or disable individual features using the `feature-` option (like `feature-spiffe=enabled`). @@ -40,6 +110,17 @@ The `feature-` option takes precedence over both `features` and `features- For more details, see the https://www.keycloak.org/server/features[Enabling and disabling features] guide. += Observability + +== Export traces with custom request headers + +It is now possible to set request headers for exporting traces via Open Telemetry Protocol (OTLP). +It is mainly useful for providing tokens in the request. + +You can specify these headers via the `tracing-header-
` wildcard option, accepting any custom header name. + +For more details, see the link:{tracingguide_link}[{tracingguide_name}] guide. + == MDC Logging feature (supported) The `log-mdc:v1` feature has been promoted from a preview feature to a supported feature. @@ -48,19 +129,3 @@ MDC enables Keycloak to enrich log entries with contextual information such as r For more details, see the https://www.keycloak.org/server/logging#_adding_context_for_log_messages[Adding context for log messages] guide. -= Organization invitation management - -Organization administrators can now manage organization invitations through both the Admin Console and REST API: - -* View all sent invitations with their current status (Pending, Expired) -* Resend pending invitations to recipients -* Delete invitation records from the system -* Filter invitations by status for easier management - -All invitations are now persistently stored in the database, providing better tracking and management capabilities. - -The invitation management features are available in the *Invitations* tab when managing an organization in the Admin Console, and through the Organizations REST API endpoints under `/admin/realms/{realm}/orgs/{orgId}/invitations`. - -= Logout confirmation - -The client logout configuration page now includes an option to enable logout confirmation. When enabled, users will see "You are logged out" confirmation page upon successful logout. diff --git a/docs/documentation/server_admin/topics/threat/scope.adoc b/docs/documentation/server_admin/topics/threat/scope.adoc index 92d771f1777..f1437294c6f 100644 --- a/docs/documentation/server_admin/topics/threat/scope.adoc +++ b/docs/documentation/server_admin/topics/threat/scope.adoc 
@@ -12,4 +12,4 @@ Removing the offline scope for a client also removes the ability to issue long-l ==== Scope visibility By default, all scopes are included in the OpenID Connect discovery endpoint. -To reduce the discoverability and OSINT-exposure, you can configure each scope to be excluded. +To reduce the discoverability and OSINT-exposure, you can configure each scope to be excluded by disabling *Include in OpenID Provider Metadata*. diff --git a/docs/documentation/upgrading/topics/changes/changes-26_4_1.adoc b/docs/documentation/upgrading/topics/changes/changes-26_4_1.adoc new file mode 100644 index 00000000000..1aa31d248bd --- /dev/null +++ b/docs/documentation/upgrading/topics/changes/changes-26_4_1.adoc @@ -0,0 +1,10 @@ +// ------------------------ Notable changes ------------------------ // +== Notable changes + +Notable changes where an internal behavior changed to prevent common misconfigurations, fix bugs or simplify running {project_name}. + +=== User sessions created with "Remember Me" are no longer valid if "Remember Me" is disabled for the realm + +When the "Remember Me" option is disabled in the realm settings, all user sessions previously created with the "Remember Me" flag are now considered invalid. +Users will be required to log in again, and any associated refresh tokens will no longer be usable. +User sessions created without selecting "Remember Me" are not affected. diff --git a/docs/documentation/upgrading/topics/changes/changes-26_4_2.adoc b/docs/documentation/upgrading/topics/changes/changes-26_4_2.adoc new file mode 100644 index 00000000000..25e45f313c7 --- /dev/null +++ b/docs/documentation/upgrading/topics/changes/changes-26_4_2.adoc 
@@ -0,0 +1,24 @@ +== Breaking changes + +Breaking changes are identified as those that might require changes for existing users to their configurations or applications. +In minor or patch releases, {project_name} will only introduce breaking changes to fix bugs. + +=== Corrected encoding when sending OpenID Connect client secrets when acting as a broker + +In a scenario where {project_name} acts as a broker and connects via OpenID Connect to another identity provider, it now sends the client credentials via basic authentication in the correct encoding as specified in RFC6749. +You are not affected if you configured {project_name} to send the credentials in the request body. + +This prevents problems with client IDs or passwords that contain, for example, a colon or a percentage sign. + +To revert to the old behavior, change the client authentication to the deprecated option *Client secret sent as HTTP Basic authentication without URL encoding* (`client_secret_basic_unencoded`). + +// ------------------------ Deprecated features ------------------------ // +== Deprecated features + +The following sections provide details on deprecated features. + +=== Sending OpenID Connect client secret via basic authentication without URL encoding + +In a scenario where {project_name} acts as a broker and connects via OpenID Connect to another identity provider, you can choose to send the client secret as *Client secret sent as HTTP Basic authentication without URL encoding* (`client_secret_basic_unencoded`). While this violates RFC6749, it can be used to keep the default behavior of earlier versions of {project_name}. + +This behavior is deprecated and will be removed in a future version of Keycloak. diff --git a/docs/documentation/upgrading/topics/changes/changes-26_4_3.adoc b/docs/documentation/upgrading/topics/changes/changes-26_4_3.adoc new file mode 100644 index 00000000000..6c74934a68f --- /dev/null +++ b/docs/documentation/upgrading/topics/changes/changes-26_4_3.adoc 
@@ -0,0 +1,59 @@ +// ------------------------ Breaking changes ------------------------ // +== Breaking changes + +Breaking changes are identified as those that might require changes for existing users to their configurations or applications. +In minor or patch releases, {project_name} will only introduce breaking changes to fix bugs. + +=== Accepting only normalized paths in requests + +Previously {project_name} accepted HTTP requests with paths containing double dots (`..`) or double slashes (`//`). When processing them, it normalized the path by collapsing double slashes and normalized the path according to RFC3986. +As this has led to a hard-to-configure URL filtering, for example, in reverse proxies, the normalization is now disabled, and {project_name} responds with an HTTP 400 response code. + +To analyze rejected requests in the server log, enable debug logging for `org.keycloak.quarkus.runtime.services.RejectNonNormalizedPathFilter`. + +To revert to the previous behavior and to accept non-normalized URLs, set the option `http-accept-non-normalized-paths` to `true`. With this configuration, enable and review the HTTP access log to identify problematic requests. + +// ------------------------ Notable changes ------------------------ // +== Notable changes + +Notable changes may include internal behavior changes that prevent common misconfigurations, bugs that are fixed, or changes to simplify running {project_name}. + +=== Allowing realm administrators granted with the `realm-admin` role to assign admin roles + +In previous versions, realm administrators granted with the `realm-admin` role were not able to grant admin roles for delegated realm administrators. +This was only possible by granting the `admin` role to a master realm user, making this user a server admin. 
+ +In this release, realm administrators with the `realm-admin` role can assign admin roles to users in their realm, allowing them to delegate administrative tasks without needing server admin privileges. + +If you are using FGAP to delegate administration to users in a realm other than the master realm, +make sure the users granted with the `realm-admin` role are expected to have this role to avoid privilege scalation. + +The documentation is also updated with additional information about the different types of realm administrators. +For more information, see link:{adminguide_link}#_fine_grained_permissions[Delegating realm administration using permissions]. + +=== Added database indexes on `OFFLINE_CLIENT_SESSION` table + +This adds new indexes on the `OFFLINE_CLIENT_SESSION` table to improve performance when retrieving or deleting client sessions. + +If those tables contain more than 300000 entries, {project_name} will skip the index creation by default during the automatic schema migration and instead log the SQL statement on the console during migration to be applied manually after {project_name}'s startup. +See the link:{upgradingguide_link}[{upgradingguide_name}] for details on how to configure a different limit. + +// ------------------------ Deprecated features ------------------------ // +== Deprecated features + +The following sections provide details on deprecated features. + +=== Accepting HTTP requests with non-normalized paths + +The option `http-accept-non-normalized-paths` was introduced to restore the previous behavior where {project_name} accepted non-normalized URLs. + +As this behavior can be problematic for URL filtering, it is deprecated and will be removed in a future release. + +// ------------------------ Removed features ------------------------ // +//// +== Removed features + +The following features have been removed from this release. + +=== +//// 
diff --git a/docs/documentation/upgrading/topics/changes/changes-26_4_6.adoc b/docs/documentation/upgrading/topics/changes/changes-26_4_6.adoc new file mode 100644 index 00000000000..574074fccc7 --- /dev/null +++ b/docs/documentation/upgrading/topics/changes/changes-26_4_6.adoc @@ -0,0 +1,21 @@ +// ------------------------ Breaking changes ------------------------ // +== Notable changes + +Notable changes may include internal behavior changes that prevent common misconfigurations, bugs that are fixed, or changes to simplify running {project_name}. + +=== LDAP referrals filtered to allow only LDAP referrals + +LDAP referrals now by default are only allowed to include LDAP URLs. +This change enhances security and aligns with best practices for LDAP configurations. + +This also prevents other JDNI references from being used in case you have written custom extensions. +To restore the original behavior, set the option `spi-storage--ldap--secure-referral` to `false`. +When doing this, we recommend to disable LDAP referrals in all LDAP providers. + +== Deprecated features + +The following sections provide details on deprecated features. + +=== Disabling filtering of LDAP referrals + +The option `spi-storage--ldap--secure-referral` to disable filtering referrals is deprecated. It will be removed in a future release and filtering will then be enforced. diff --git a/docs/documentation/upgrading/topics/changes/changes-26_5_0.adoc b/docs/documentation/upgrading/topics/changes/changes-26_5_0.adoc index 58a9ad83f91..5ce75f22313 100644 --- a/docs/documentation/upgrading/topics/changes/changes-26_5_0.adoc +++ b/docs/documentation/upgrading/topics/changes/changes-26_5_0.adoc 
@@ -1,6 +1,18 @@ // ------------------------ Breaking changes ------------------------ // == Breaking changes += Loopback Hostname Verification on Windows + +Setups on Windows that previously relied on custom machine names or non-standard hostnames for loopback (for example, `127.0.0.1` resolving to a custom name) may require updates to their trusted domain configuration. Only `localhost` and `*.localhost` are now recognized for loopback verification. + +{project_name} now consistently normalizes loopback addresses to `localhost` for domain verification across all platforms. This change ensures predictable behavior for trusted domain checks, regardless of the underlying OS. + +// ------------------------ Notable changes ------------------------ // +== Notable changes + +Notable changes may include internal behavior changes that prevent common misconfigurations, bugs that are fixed, or changes to simplify running {project_name}. +It also lists significant changes to internal APIs. + === Method `UserProfile#toRepresentation(boolean)` added The `UserProfile` interface has a new method `toRepresentation(boolean)`. This method allows clients to specify whether to include 
@@ -12,18 +24,9 @@ implement this interface, you will need to update your code to accommodate this Breaking changes are identified as those that might require changes for existing users to their configurations or applications. In minor or patch releases, {project_name} will only introduce breaking changes to fix bugs. -=== Corrected encoding when sending OpenID Connect client secrets when acting as a broker - -In a scenario where {project_name} acts as a broker and connects via OpenID Connect to another identity provider, it now sends the client credentials via basic authentication in the correct encoding as specified in RFC 6749. -You are not affected if you configured {project_name} to send the credentials in the request body. - -This prevents problems with client IDs or passwords that contain, for example, a colon or a percentage sign. - -To revert to the old behavior, change the client authentication to the deprecated option *Client secret sent as HTTP Basic authentication without URL encoding* (`client_secret_basic_unencoded`). - === Identity Provider refactoring -The private SPI for identity providers have been refactored. This is to allow identity providers to support more use +The private SPI for identity providers has been refactored. This is to allow identity providers to support more use -cases than federated user authentication. For anyone implementing a custom federated user authentication identity provider and are not extending one provided 
@@ -34,20 +37,6 @@ Additionally, both `IdentityProviderModel` and `IdentityProviderRepresentation` configuration like `isHideOnLogin` to be null in order to not include these in Identity Provider types that do not need these configurations. -=== Accepting only normalized paths in requests - -Previously {project_name} accepted HTTP requests with paths containing double dots (`..`) or double slashes (`//`). When processing them, it normalized the path by collapsing double slashes and normalized the path according to RFC 3986. -As this has led to a hard-to-configure URL filtering, for example, in reverse proxies, the normalization is now disabled, and {project_name} responds with an HTTP 400 response code. - -To analyze rejected requests in the server log, enable debug logging for `org.keycloak.quarkus.runtime.services.RejectNonNormalizedPathFilter`. - -To revert to the previous behavior and to accept non-normalized URLs, set the option `http-accept-non-normalized-paths` to `true`. With this configuration, enable and review the HTTP access log to identify problematic requests. - -// ------------------------ Notable changes ------------------------ // -== Notable changes - -Notable changes may include internal behavior changes that prevent common misconfigurations, bugs that are fixed, or changes to simplify running {project_name}. - === SPIFFE Identity Provider configuration changed The SPIFFE Identity Provider preview feature now uses the `trustDomain` configuration instead of `issuer`. This change 
@@ -85,20 +74,6 @@ The following message keys in translations no longer support HTML entities: `bac The default themes have already been updated. If you used them in your translations, please update your translation to use the UTF-8 equivalent. -=== User sessions created with "Remember Me" are no longer valid if "Remember Me" is disabled for the realm - -When the "Remember Me" option is disabled in the realm settings, all user sessions previously created with the "Remember Me" flag are now considered invalid. -Users will be required to log in again, and any associated refresh tokens will no longer be usable. -User sessions created without selecting "Remember Me" are not affected. - -=== Correct encoding for OpenID Connect client credentials when acting as a broker - -In a scenario where {project_name} acts as a broker and connects via OpenID Connect to another identity provider, it now sends the client credentials via basic authentication in the correct encoding as specified in RFC 6749. - -This prevents problems with client IDs or passwords that contain, for example, a colon or a percentage sign. - -To revert to the old behavior, change the client authentication to *Client secret sent as HTTP Basic authentication without URL encoding (deprecated)* (`client_secret_basic_unencoded`). - === Permissions of the database user for PostgreSQL If you are running on PostgreSQL as a database for {project_name}, ensure that the database user has `SELECT` permissions to the following tables to ensure an efficient upgrade: `pg_class`, `pg_namespace`. 
@@ -111,32 +86,24 @@ If {project_name} does not have permissions to access these tables, it will log If you have user storage extension and you reference the class `org.keycloak.credential.UserCredentialManager` from your providers, it is recommended to avoid using this class directly as it might be moved to the private modules in the future releases. The class may be typically used in the method `credentialManager()` of the implementations of `UserModel` interface. In that case, it is recommended to replace the code like this: -``` + +[source,java] +---- @Override public SubjectCredentialManager credentialManager() { return new UserCredentialManager(keycloakSession, realmModel, this); } -``` +---- + with the code similar to this: -``` + +[source,java] +---- @Override public org.keycloak.models.UserCredentialManager credentialManager() { return keycloakSession.users().getUserCredentialManager(this); } -``` - -=== Allowing realm administrators granted with the `realm-admin` role to assign admin roles - -In previous versions, realm administrators granted with the `realm-admin` role were not able to grant admin roles for delegated realm administrators. -This was only possible by granting the `admin` role to a master realm user, making this user a server admin. - -In this release, realm administrators with the `realm-admin` role can assign admin roles to users in their realm, allowing them to delegate administrative tasks without needing server admin privileges. - -If you are using FGAP to delegate administration to users in a realm other than the master realm, -make sure the users granted with the `realm-admin` role are expected to have this role to avoid privilege escalation. - -The documentation is also updated with additional information about the different types of realm administrators. -For more information, see link:{adminguide_link}#_fine_grained_permissions[Delegating realm administration using permissions]. 
+---- === OCSP request timeouts follow HTTP client configuration @@ -148,16 +115,9 @@ In this release, OCSP requests inherit timeouts from the outgoing HTTP client co If you relied on the previous 10-second behavior, explicitly set the HTTP client timeouts. -=== Added database indexes on `OFFLINE_CLIENT_SESSION` table - -This adds new indexes on `OFFLINE_CLIENT_SESSION` table to improve performance when retrieving or deleting client sessions. - -If those tables contain more than 300000 entries, {project_name} will skip the index creation by default during the automatic schema migration and instead log the SQL statement on the console during migration to be applied manually after {project_name}'s startup. -See the link:{upgradingguide_link}[{upgradingguide_name}] for details on how to configure a different limit. - === Default authorization policies and resources are no longer auto-created -When enabling authorization on a new client (creating a Resource Server), {project_name} no longer automatically creates a "Default Resource", a "Default Policy," and a "Default Permission." +When enabling authorization on a new client (creating a Resource Server), {project_name} no longer automatically creates a "`Default Resource`", a "`Default Policy`", and a "`Default Permission`". === Deleting expired sessions from the database 
@@ -174,6 +134,11 @@ Previously, {project_name} deleted sessions from the database only once the sess With the new setup and persistent user sessions enabled, sessions are deleted more timely based on the realm settings on session lifetime and idle time, including the remember me settings. For this, the table `OFFLINE_USER_SESSION` now has a new column `REMEMBER_ME`, that is filled for new sessions and updated incrementally for existing sessions. The deletion is triggered currently three minutes after the session has expired to allow for clock skew between instances. Note that this interval can change in future release as we optimize this functionality. +This adds new indexes on `OFFLINE_USER_SESSION` table to improve performance when retrieving or deleting client sessions. + +If those tables contain more than 300000 entries, {project_name} will skip the index creation by default during the automatic schema migration and instead log the SQL statement on the console during migration to be applied manually after {project_name}'s startup. +See the link:{upgradingguide_link}[{upgradingguide_name}] for details on how to configure a different limit. + For each expired user session there is a new user event `USER_SESSION_DELETED` fired. As part of this change, the process now deletes rows from the table in small batches, instead of issuing a delete statements that affects the whole table. This should allow for better response times when there are a lot of sessions in the table. 
@@ -182,23 +147,11 @@ As part of this change, the process now deletes rows from the table in small bat The following sections provide details on deprecated features. -=== Sending OpenID Connect client secret via basic authentication without URL encoding - -In a scenario where {project_name} acts as a broker and connects via OpenID Connect to another identity provider, you can choose to send the client secret as *Client secret sent as HTTP Basic authentication without URL encoding* (`client_secret_basic_unencoded`). While this violates RFC 6749, it can be used to keep the default behavior of earlier versions of {project_name}. - -This behavior is deprecated and will be removed in a future version of {project_name}. - === `AuthenticationManager.AuthResult` is now a record The inner class `AuthenticationManager.AuthResult` in the `keycloak-services` module is now a record. The getter methods like `getSession()` have been deprecated in favor of the `session()` accessors. -=== Accepting HTTP requests with non-normalized paths - -The option `http-accept-non-normalized-paths` was introduced to restore the previous behavior where {project_name} accepted non-normalized URLs. - -As this behavior can be problematic for URL filtering, it is deprecated and will be removed in a future release. - === Deprecation of methods for removing expired authentication sessions from `AuthenticationSessionProvider` The methods `removeAllExpired()` and `removeExpired(RealmModel realm)` are annotated with the `@Deprecated` annotation. @@ -220,7 +173,6 @@ It is still triggered in this {project_name} version, but will be removed in a f // ------------------------ Removed features ------------------------ // == Removed features -The following features have been removed from this release. - -=== +=== PostgreSQL 13 (end of life) +Version PostgreSQL is end-of-life since November 2025 and therefore no longer supported. 
diff --git a/docs/documentation/upgrading/topics/changes/changes-template.adoc b/docs/documentation/upgrading/topics/changes/changes-template.adoc index a1db228b4ae..a77aa565c28 100644 --- a/docs/documentation/upgrading/topics/changes/changes-template.adoc +++ b/docs/documentation/upgrading/topics/changes/changes-template.adoc @@ -10,6 +10,7 @@ In minor or patch releases, {project_name} will only introduce breaking changes == Notable changes Notable changes may include internal behavior changes that prevent common misconfigurations, bugs that are fixed, or changes to simplify running {project_name}. +It also lists significant changes to internal APIs. === diff --git a/docs/documentation/upgrading/topics/changes/changes.adoc b/docs/documentation/upgrading/topics/changes/changes.adoc index 5e1638b60f0..6ce4e127381 100644 --- a/docs/documentation/upgrading/topics/changes/changes.adoc +++ b/docs/documentation/upgrading/topics/changes/changes.adoc @@ -5,6 +5,22 @@ include::changes-26_5_0.adoc[leveloffset=2] +=== Migrating to 26.4.6 + +include::changes-26_4_6.adoc[leveloffset=2] + +=== Migrating to 26.4.3 + +include::changes-26_4_3.adoc[leveloffset=2] + +=== Migrating to 26.4.2 + +include::changes-26_4_2.adoc[leveloffset=2] + +=== Migrating to 26.4.1 + +include::changes-26_4_1.adoc[leveloffset=2] + === Migrating to 26.4.0 include::changes-26_4_0.adoc[leveloffset=2] diff --git a/services/src/main/java/org/keycloak/services/cors/DefaultCorsFactory.java b/services/src/main/java/org/keycloak/services/cors/DefaultCorsFactory.java index 84686d7f631..09482d8fcec 100644 --- a/services/src/main/java/org/keycloak/services/cors/DefaultCorsFactory.java +++ b/services/src/main/java/org/keycloak/services/cors/DefaultCorsFactory.java 
@@ -34,6 +34,7 @@ import org.keycloak.provider.ProviderConfigurationBuilder;
 public class DefaultCorsFactory implements CorsFactory {
     private static final String PROVIDER_ID = "default";
+    private static final String ALLOWED_HEADERS = "allowedHeaders";
     private String allowedHeaders;
     @Override
@@ -45,7 +46,7 @@ public class DefaultCorsFactory implements CorsFactory {
     public void init(Config.Scope config) {
         Set allowedHeaders = new HashSet<>(Cors.DEFAULT_ALLOW_HEADERS);
-        String[] customAllowedHeaders = config.getArray("allowedHeaders");
+        String[] customAllowedHeaders = config.getArray(ALLOWED_HEADERS);
         if (customAllowedHeaders != null) {
             allowedHeaders.addAll(Arrays.asList(customAllowedHeaders));
         }
@@ -70,10 +71,10 @@ public class DefaultCorsFactory implements CorsFactory {
     public List getConfigMetadata() {
         return ProviderConfigurationBuilder.create()
             .property()
-            .name("allowedHeaders")
+            .name(ALLOWED_HEADERS)
             .type("string")
             .helpText("A comma-separated list of additional allowed headers for CORS requests")
-            .defaultValue(false)
+            .defaultValue("")
             .add()
             .build();
     }
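Review bot: The constant extraction in init() leaves the local `Set allowedHeaders` shadowing the field `private String allowedHeaders` that sits directly below the new `ALLOWED_HEADERS` constant, so three near-identical names now appear within a few lines of each other and the `config.getArray(ALLOWED_HEADERS)` rewrite is harder to follow than it should be; renaming the local, e.g. `Set<String> headers = new HashSet<>(Cors.DEFAULT_ALLOW_HEADERS);` (and its later uses, which continue outside the hunk), would keep the change readable. The switch from `.defaultValue(false)` to `.defaultValue("")` is consistent with the `"string"` type, but the meaning of an empty default deserves a comment on the constant, such as `// empty: only Cors.DEFAULT_ALLOW_HEADERS are allowed unless this SPI option is set`, because if that default were ever resolved through `config.getArray`, splitting an empty string may produce a single empty header name rather than null, which the `customAllowedHeaders != null` guard would not catch. The type arguments on `Set` and `List` look stripped in this rendering, so I am not treating them as raw types. The bodies of init() and getConfigMetadata() extend beyond the hunks shown.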