Releases: keycloak/keycloak

nightly

27 Sep 02:22
nightly Pre-release
Improve tests to ensure managed users disabled upon disabling the org…

… can't be updated

Closes #28891

Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>

24.0.3

16 Apr 17:20

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Enhancements

  • #26695 Keycloak and MSAD: enabling account in MSAD does not propagate to Keycloak ldap

Bugs

  • #24201 Cannot disable LDAP-backed user if importEnabled=false ldap
  • #28100 Failed authentication: java.lang.NullPointerException: Cannot invoke "org.keycloak.models.UserModel.getFederationLink()" because "this.delegate" is null identity-brokering
  • #28248 Update user makes User ID changes when federationLink and LDAP_ID is not set properly admin/api
  • #28335 The false option of the pkceMethod init parameter for the JavaScript adapter is ignored adapter/javascript
  • #28638 Missing permission to read configmaps in `keycloak-operator-role` operator

24.0.2

24 Mar 22:33

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Enhancements

  • #25057 Inconsistent behaviour on getting user permissions using authorization authorization-services
  • #27433 Clarify format of keys in `additionalOptions` field in the Keycloak CR docs
  • #27481 Edit High Availability guide
  • #27484 Edit 23.0 changes part of Upgrading Guide
  • #27632 Integrate downstream Upgrading Guide changes into upstream
  • #27696 Upgrade to Quarkus 3.8.2 dist/quarkus
  • #27867 Corrections to Securing Apps Guide
  • #27871 Upgrade to Infinispan 14.0.26 core
  • #27953 Address feedback to Keycloak Server guide docs
  • #27955 Address term Keycloak in Server Administration Guide docs
  • #28009 Address edits to the Operator Guide
  • #28033 Upgrade Infinispan to 14.0.27.Final
  • #28084 Upgrade to Quarkus 3.8.3 dist/quarkus

Bugs

  • #14501 Getting failed to initialize js message if consent is rejected by user account/ui
  • #15403 No email send on TOTP/Authenticator app removal core
  • #20637 Reset password flow fails with "Page has expired" error when Kerberos authentication is enabled in the browser flow authentication
  • #22644 Flaky test: org.keycloak.testsuite.forms.BrowserFlowTest#testAlternativeNonInteractiveExecutorInSubflow core
  • #23701 Attribute search does not work with federated users with ldap. admin/ui
  • #23980 Keycloak Operator fails to install realm authentication flow because "flow is null" import-export
  • #25490 Partial export/import is not mentioned in Keycloak's Server Administration Guide docs
  • #25687 A java.lang.NullPointerException occurs when sending a Multipart/form-data request to any file upload interface. admin/api
  • #26396 How do you update a custom user storage provider jar that includes a version number? dist/quarkus
  • #27117 user sessions not accessible in all cluster nodes infinispan
  • #27180 Grant type "urn:ietf:params:oauth:grant-type:uma-ticket" openid-connect/token service endpoint is returning refresh token with invalid Expiration authorization-services
  • #27228 Lowercased "terms_and_conditions" is not migrated in fed_user_required_action table core
  • #27245 Account console does not correctly treat link / unlink account account/ui
  • #27269 mvnw clean install -Pdistribution on Windows deletes necessary files during clean of org.keycloak:keycloak-admin-ui admin/ui
  • #27275 Invalidating offline token is not working from client sessions tab authentication
  • #27366 Social login - test failures with unexpected status code testsuite
  • #27483 Authz-client AuthorizationResource.getPermissions() ClassCastException authorization-services
  • #27504 Cpu and memory sizing typo docs
  • #27529 LegacyUserCredentialManager class not found storage
  • #27540 URL change for liquibase docs docs
  • #27548 Custom Browser Flow not working anymore admin/ui
  • #27573 Release notes from 24.0.0 miss that multi-site active-passive deployments are supported docs
  • #27597 dropping KC_PROXY=edge causes startup error core
  • #27611 Cannot modify realm email settings since keycloak 24 user-profile
  • #27653 Admin tests: Flaky realm_settings_user_profile_enabled test admin/ui
  • #27701 MTLS Cache options should be runtime options, not build time options dist/quarkus
  • #27719 Wrong Welcome page image in the documentation docs
  • #27745 Registration template in login2 is broken login/ui
  • #27761 Snyk workflow failure ci
  • #27779 Broken Migration "MigrateTo24_0_0" core
  • #27780 Fixing downstream documentation build docs
  • #27797 User profile fields cannot be set empty once they have a non-empty value (in Login Theme) user-profile
  • #27820 Account console confusing with WebAuthn account/ui
  • #27841 ES translation causes FreeMarker rendering issues translations
  • #27852 VerifyUserProfile invalidates user cache on every login core
  • #27878 Error when executing refresh grant, with scope param, without offline_access scope specified oidc
  • #27882 Incorrect version of bctls-fips in the docs docs
  • #27892 Truststore handling for the Operator is not documented operator
  • #27894 Multi datasource configuration does not work in Keycloak 24.0.1 dist/quarkus
  • #27900 Performance impact in changed hashing measured wrong authentication
  • #27925 Keycloak docs state that there are http metrics, but they are disabled docs
  • #27954 Hibernate Dialect detection does not work anymore for Oracle DBs storage
  • #27966 🍺 instead of dot: Attributes in account UI are not loaded user-profile
  • #27967 ORA-01450 when updating keycloak 23 -> 24 storage
  • #27981 User Profile: Inconsistent ordering of attributes between account and login themes user-profile
  • #28001 MySQL connector artifact should be ignored dist/quarkus
  • #28012 Keycloak CR Truststore should not have a name operator
  • #28113 We...

24.0.1

05 Mar 08:29

Highlights

Operator deploys nightly build instead of 24.0.0

Due to an issue in the release process, deploying Keycloak using the Operator installed the nightly container instead of 24.0.0.

As a quick fix to the issue, the 24.0.0 container was tagged with nightly, and the nightly releases were temporarily disabled.

If you installed or upgraded to 24.0.0 using the Operator before 5pm CET yesterday, the database may have been updated with the wrong versions. To check if you are affected, connect to your database and run the following SQL command:

SELECT * FROM migration_model WHERE version = '999.0.0';

If the above returns a matching row, you will need to take action; otherwise database migrations will not run for future releases. To resolve this, run the following SQL command:

UPDATE migration_model SET version = '24.0.0' WHERE version = '999.0.0';

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

24.0.0

04 Mar 09:49

Highlights

Supported user profile and progressive profiling

The user profile preview feature is promoted to be fully supported and user profile is enabled by default.

In the past months, the Keycloak team spent a huge amount of effort in polishing the user profile feature to make it fully supported. In this release, we continued the effort. Lots of improvements, fixes and polishing were done based on the thorough testing and feedback from our awesome community.

The following are a few highlights of this feature:

  • Fine-grained control over the attributes that users and administrators can manage so that you can prevent unexpected attributes and values from being set.

  • Ability to specify what user attributes are managed and should be displayed on the forms to regular users or administrators.

  • Dynamic forms - Previously, the forms where users created or updated their profiles contained four basic attributes like username, email, first name and last name. The addition of any attributes (or removing some default attributes) required you to create a custom theme. Now custom themes may not be needed because users see exactly the requested attributes based on the requirement of the particular deployment.

  • Validations - Ability to specify validators for the user attributes including built-in validators that you can use to specify a maximum or minimum length, a specific regex, or limiting a particular attribute to be a URL or number.

  • Annotations - Ability to specify that a particular attribute should be rendered, for instance, as a text area, an HTML select with specified options, a calendar, or many other options. You can also bind JavaScript code to a specific field to change how an attribute is rendered and customize its behavior.

  • Progressive profiling - Ability to specify that some fields are required or available on the forms just for particular values of the scope parameter. This effectively allows progressive profiling. You no longer need to ask the user for twenty attributes during registration; you can instead ask the user to fill in attributes incrementally according to the requirements of the individual client applications that are used by the user.

  • Migration from previous versions - The user profile is now always enabled, but it operates as before for those who did not use this feature. You can benefit from the user profile capabilities, but you are not required to use them. For migration instructions, see the Upgrading Guide.
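
The capabilities listed above map onto a realm's declarative user profile configuration. The fragment below is an added illustration, not part of the release notes or the Keycloak documentation; it shows only three custom attributes, and the attribute names (department, website, phoneNumber), the option values, the regex and the use of a `phone` client scope are assumptions. `department` is rendered as a select limited to listed options and is editable only by administrators, `website` must be a URL, and `phoneNumber` is shown and required only when the `phone` scope is requested.

```json
{
  "attributes": [
    {
      "name": "department",
      "displayName": "Department",
      "annotations": { "inputType": "select" },
      "validations": {
        "options": { "options": ["engineering", "finance", "support"] }
      },
      "permissions": { "view": ["admin", "user"], "edit": ["admin"] }
    },
    {
      "name": "website",
      "displayName": "Website",
      "validations": {
        "uri": {},
        "length": { "max": 255 }
      },
      "permissions": { "view": ["admin", "user"], "edit": ["admin", "user"] }
    },
    {
      "name": "phoneNumber",
      "displayName": "Phone number",
      "validations": {
        "pattern": {
          "pattern": "^\\+[0-9]{7,15}$",
          "error-message": "Use international format, for example +15550100"
        }
      },
      "required": { "roles": ["user"], "scopes": ["phone"] },
      "selector": { "scopes": ["phone"] },
      "permissions": { "view": ["admin", "user"], "edit": ["admin", "user"] }
    }
  ]
}
```

Restricting `edit` to `admin` on an attribute that downstream applications treat as authoritative keeps users from changing it through the account or registration forms.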

The first release of the user profile as a supported feature is just the starting point and the baseline for delivering many more capabilities around identity management.

We would like to give huge thanks to the awesome Keycloak community as lots of ideas, requirements and contributions came from the community! Special thanks to:

For more details about user profile capabilities, see the Server Administration Guide.

Breaking changes to the User Profile SPI

In this release, changes to the User Profile SPI might impact existing implementations based on this SPI. For more details, see the Upgrading Guide.

Changes to Freemarker templates to render pages based on the user profile and realm

In this release, the following templates were updated to make it possible to dynamically render attributes based on the user profile configuration set to a realm:

  • login-update-profile.ftl

  • register.ftl

  • update-email.ftl

For more details, see the Upgrading Guide.

New Freemarker template for the update profile page at first login through a broker

In this release, the server renders the update profile page when the user is authenticating through a broker for the first time using the idp-review-user-profile.ftl template.

For more details, see the Upgrading Guide.

Java adapter deprecation and removal

Back in 2022 we announced the deprecation of Keycloak adapters in Keycloak 19. To give the community more time to adopt, this was delayed.

With that in mind, this will be the last major release of Keycloak to include OpenID Connect and SAML adapters. As Jetty 9.x has not been supported since 2022, the Jetty adapter has already been removed in this release.

The generic Authorization Client library will continue to be supported, and aims to be used in combination with any other OAuth 2.0 or OpenID Connect libraries.

The only adapter we will continue to deliver is the SAML adapter for the latest releases of WildFly and EAP 8.x. The reason for continuing to support it is that the majority of the SAML codebase in Keycloak was a contribution from WildFly. As part of this contribution we agreed to maintain SAML adapters for WildFly and EAP in the long run.

Jetty adapter removed

Jetty 9.4 has not been supported in the community for a long time, and reached end-of-life in 2022. At the same time the adapter has not been updated or tested with more recent versions of Jetty. For these reasons the Jetty adapter has been removed from this release.

New Welcome Page

The 'welcome' page that appears at the first use of Keycloak is redesigned. It provides a better setup experience and conforms to the latest version of PatternFly. The simplified page layout includes only a form to register the first administrative user. After completing the registration, the user is sent directly to the Admin Console.

If you use a custom theme, you may need to update it to support the new welcome page. For details, see the Upgrading Guide.

New Account Console now the default

We introduced version 3 of the Account Console in Keycloak 22 as a preview feature. In this release, we are making it the default version, and deprecating version 2 in the process, which will be removed in a subsequent release.

This new version has built-in support for the user profile feature, which allows administrators to configure which attributes are available to users in the Account Console, and lands a user directly on their personal account page after logging in.

If you are using or extending the customization features of this theme, you may need to perform additional migrations. For more details, see the Upgrading Guide.

Keycloak JS

Using exports field in package.json

The Keycloak JS adapter now uses the exports field in its package.json. This change improves support for more modern bundlers like Webpack 5 and Vite, but comes with some unavoidable breaking changes. See the Upgrading Guide for more details.

PKCE enabled by default

The Keycloak JS adapter now sets the pkceMethod o...


23.0.7

22 Feb 09:05

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Enhancements

  • #26810 Shorter lifespan for offline session cache entries in memory storage

Bugs

  • #22431 Localization: Admin UI doesn't pick up message bundles from realms other than master admin/ui
  • #23786 Failure: FipsDistTest ci
  • #25294 Kerberos principal attribute not found on LDAP user - even if kerberos authentication is off ldap
  • #25731 /admin/realms/{realm}/groups Endpoint is slow admin/api
  • #25883 ldap-group-mapper fails when empty member: attribute is present ldap
  • #25912 LDAP federation reports "Creating new LDAP Store..." on every login ldap
  • #25961 Native SQL Schema names broken on MySQL storage
  • #26374 Workflow failure: Quarkus IT - FipsDistTest#testUnsupportedHttpsPkcs12KeyStoreInStrictMode ci
  • #26529 Workflow failure: Quarkus IT - FipsDistTest#testUnsupportedHttpsPkcs12KeyStoreInStrictMode ci
  • #26826 Freemarker erroneously escapes/sanitizes URL in template.ftl (&) login/ui
  • #27120 Microsoft social login failure testsuite

23.0.6

02 Feb 14:15

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Bugs

  • #26427 Operator CSV uses wrong format for `createdAt` field operator
  • #26597 Keycloak UI meets "Internal Sever Error" after save "Refresh Token Max Reuse" number core
  • #26665 Unable to modify access token lifespan at realm level. Keycloak stops working. core

23.0.5

29 Jan 08:15

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

23.0.4

08 Jan 13:48

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

23.0.3

15 Dec 14:11

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.