diff --git a/docs/documentation/release_notes/topics/26_4_0.adoc b/docs/documentation/release_notes/topics/26_4_0.adoc index 86482bc7fb6..373d3056110 100644 --- a/docs/documentation/release_notes/topics/26_4_0.adoc +++ b/docs/documentation/release_notes/topics/26_4_0.adoc 
@@ -3,16 +3,37 @@ Read on to learn more about each new feature, and https://www.keycloak.org/docs/latest/upgrading/index.html[find additional details in the upgrading guide] if you are upgrading from a previous release of {project_name}. -= Supported Update Email Workflow += Update Email Workflow is now supported -The Update Email Workflow is now a supported feature. The feature provides a more secure and consistent flow to update user emails -because they will be forced to re-authenticate as well as verify their emails before any update to their account. +This feature provides a more secure and consistent flow to update user +emails. Accounts are forced to both re-authenticate and verify their +emails before any account updates. -For more information, see the link:{adminguide_link}#_update-email-workflow[Update Email Workflow] chapter in the {adminguide_name}. +For more information, see link:{adminguide_link}#_update-email-workflow[Update Email Workflow]. + +== OAuth 2.0 Demonstrating Proof-of-Possession (DPoP) is now supported + +DPoP binds an access token and a refresh token together with the public part of a client’s key pair. This binding prevents an attacker from using stolen tokens. This type of token is a holder-of-key token. Unlike bearer tokens, the recipient of a holder-of-key token can verify if the sender of the token is legitimate. + +To enable this feature, start the server with `--features=preview` or `--features=dpop`. + +For more information, see link:{adminguide_link}#con-advanced-settings_server_administration_guide[Advanced configuration]. + += Passkeys integration is now supported + +This feature integrates passkeys seamlessly in the {project_name} forms using both conditional and modal UIs. To activate the integration in the realm, go to *Authentication*, *Policies*, *Webauthn Passwordless Policy* and switch *Enable Passkeys* to enabled. + +For more information, see link:{adminguide_link}#passkeys_server_administration_guide[Passkeys]. 
+ += New conditional authenticator `Conditional - credential` + +The *Conditional - credential* is a new authenticator that checks if a specific credential type has been used (or not used) during the authentication process. This condition is related to the *Passkeys* feature. It is added by {project_name} to the default *browser* flow to skip 2FA in case a passkey was used to log in as the primary credential. + +For more information about conditional flows, see link:{adminguide_link}#conditions-in-conditional-flows[Conditions in conditional flows]. = Option to force management interface to use HTTP. -There's a new option `http-management-scheme` that may be set to `http` to force the management interface to use HTTP rather than inheriting the HTTPS settings of the main interface. +A new option, `http-management-scheme`, may be set to `http` to force the management interface to use HTTP rather than inheriting the HTTPS settings of the main interface. = Option to expose health endpoints on the main HTTP(S) ports 
@@ -28,72 +49,76 @@ For more details on this opt-in feature, see the https://www.keycloak.org/server = Ability to specify a `tlsSecret` on the Keycloak CR `ingress` spec -In order to support basic TLS termination (edge) deployments via the operator, you may now set the Keycloak CR `spec.ingress.tlsSecret` field to a TLS Secret name in the namespace. +To support basic TLS termination (edge) deployments by the operator, you may now set the Keycloak CR `spec.ingress.tlsSecret` field to a TLS Secret name in the namespace. -= HTTP Access logging += HTTP access logging of incoming HTTP requests {project_name} supports HTTP access logging to record details of incoming HTTP requests. While access logs are often used for debugging and traffic analysis, they are also important for security auditing and compliance monitoring. -For more information, see the https://www.keycloak.org/server/logging[Logging guide]. +For more information, see https://www.keycloak.org/server/logging[Configuring logging]. +== Possibility to hide identity providers from the Account Console -= Supported passkeys +You can now control which identity providers appear in the Account Console based on different options using +the `Show in Account console` setting. You can choose to show only those linked with a user or hide them completely. -*Passkeys* integration is now a supported feature. This feature integrates passkeys seamlessly in the {project_name} forms using both conditional and modal UI. Although supported, *passkeys* are disabled by default. To activate the integration in the realm, the option *Enable Passkeys* in the *WebAuthn Passwordless Policy* (*Authentication* → *Policies* → *Webauthn Passwordless Policy*) needs to be enabled. - -For more information, see the link:{adminguide_link}#passkeys_server_administration_guide[Passkeys] chapter in the {adminguide_name}. 
- -= New conditional authenticator `Conditional - credential` - -The *Conditional - credential* is a new authenticator that checks if a specific credential type has been used (or not used) during the authentication process. This condition is related to the *Passkeys* feature. It is added by {project_name} to the default *browser* flow to skip 2FA in case a passkey was used to log in as the primary credential. - -For more information about conditional flows, see the link:{adminguide_link}#conditions-in-conditional-flows[Conditions in conditional flows] chapter in the {adminguide_name}. - -= Possibility to hide identity providers from the account console - -It is now possible to change which identity providers are shown in the account console based on different options using -the `Show in Account console` setting. You can choose to show only those linked with a user or not show them at all. - -For more information, please see link:{adminguide_link}#_general-idp-config[General configuration] section in the {adminguide_name}. +For more information, see link:{adminguide_link}#_general-idp-config[General configuration]. = Email domain for organizations is now optional In earlier versions, each organization required at least one email domain, which was a limitation for some scenarios. Starting with this release, an email domain is optional. +ifeval::[{project_community}==true] Thank you to https://github.com/SferaDev[@SferaDev] for contributing this. +endif::[] When no domain is specified, organization members will not be validated against domain restrictions during authentication and profile validation. = Enhancements for single-cluster and multi-cluster setups This release renamed multi-az to multi-cluster. -It adds a separate guide for single-cluster setups, which includes details of how {project_name} clusters can be optionally "stretched" across multiple availability-zones for increased availability. 
+ifeval::[{project_community}==true] +The updated documentation includes a separate guide for single-cluster setups, which describes +endif::[] +ifeval::[{project_product}==true] +The updated documentation describes +endif::[] +how {project_name} clusters can be optionally "stretched" across multiple availability-zones for increased availability. The {project_name} Operator now deploys {project_name} across multiple availability zones within a Kubernetes cluster by default. {project_name} also detects split-brains within a cluster. -This should provide better availability for users who are running {project_name} in Kubernetes clusters that span multiple availability zones. +This change should provide better availability for users who are running {project_name} in Kubernetes clusters that span multiple availability zones. -= Translations managed via Weblate +ifeval::[{project_community}==true] += Translations managed by Weblate The {project_name} distribution now includes 35 community translations. With Kazakh, Azerbaijani and Slovenian added in this release. Community volunteers now maintain some of the translations in https://hosted.weblate.org/projects/keycloak/[Weblate] to keep them up to date. -If you want to volunteer to maintain an existing or a new translation via Weblate, you can find the necessary steps in the https://github.com/keycloak/keycloak/blob/main/docs/translation.md[translation guide]. +If you want to volunteer to maintain an existing or a new translation via Weblate, you can find the necessary steps in the https://github.com/keycloak/keycloak/blob/main/docs/translation.md[translation guidelines]. +endif::[] = Setting up OTP can enfore set up of recovery codes If you have enabled OTPs and recovery codes as a second factor for authentication, you can configure the OTP required action to ask users to set up recovery codes once they set up an OTP. 
+ifeval::[{project_community}==true] Thank you to https://github.com/dasniko[@dasniko] for contributing this. +endif::[] = MDC logging to correlate messages with realms and clients As a new preview feature, you can include in all log messages in the mapped diagnostic context (MDC) of each message realm name, client ID and other information. This helps you to correlate error messages to a specific realm or client. +ifeval::[{project_community}==true] Thank you to https://github.com/eicki[@eicki] for contributing this. +endif::[] -See the https://www.keycloak.org/server/logging[Logging guide] for more information. +For more information, see https://www.keycloak.org/server/logging[Configuring logging]. +ifeval::[{project_community}==true] = Supported OAuth standards listed on one page -There is now a new guide listing https://www.keycloak.org/securing-apps/specifications[all implemented OpenID Connect related specifications]. +A new guide exist with a list of https://www.keycloak.org/securing-apps/specifications[all implemented OpenID Connect related specifications]. Thank you to https://github.com/tnorimat[@tnorimat] for contributing this. + +endif::[]
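Review bot: Heading level is wrong in the first hunk (`@@ -3,16`): `== OAuth 2.0 Demonstrating Proof-of-Possession (DPoP) is now supported` uses `==` while every other feature heading in this file (`= Update Email Workflow is now supported`, `= Passkeys integration is now supported`, `= New conditional authenticator ...`) uses a single `=`, so DPoP renders as a subsection of the Update Email Workflow entry rather than as its own feature; change it to `= OAuth 2.0 Demonstrating Proof-of-Possession (DPoP) is now supported`. Two smaller points in the same hunk: the rewritten Passkeys paragraph drops the removed sentence "Although supported, *passkeys* are disabled by default", and that default is the one fact an administrator reading these notes needs before deciding whether the realm policy must be changed, so keep a sentence stating it; and "Accounts are forced to both re-authenticate and verify their emails" should say users, since it is the user who re-authenticates, for example "Users must re-authenticate and verify the new email before the change is applied."

Review bot: Grammar regression in the second hunk (`@@ -28,72`): the replacement line `+A new guide exist with a list of https://www.keycloak.org/securing-apps/specifications[all implemented OpenID Connect related specifications].` is less correct than the line it removes (`-There is now a new guide listing ...`); use "A new guide exists that lists ..." or revert the sentence. The same heading-level inconsistency appears here too: `+== Possibility to hide identity providers from the Account Console` should use a single `=` like its siblings. While this hunk is touching the surrounding text, the unchanged context heading `= Setting up OTP can enfore set up of recovery codes` carries the typo "enfore" and should read "enforce"; fixing it in this PR avoids another documentation-only change. Finally, the `ifeval::[{project_community}==true]` / `ifeval::[{project_product}==true]` pair in the single-cluster section splits one sentence into three fragments ("... which describes", "The updated documentation describes", "how {project_name} clusters can be optionally ..."); it renders correctly, but any later edit to one branch silently breaks the other, so consider making each conditional branch a complete sentence.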