Keycloak 19.0.2 released

Migration from 19.0

Before you upgrade remember to backup your database. If you are not on the previous release refer to the documentation for a complete list of migration changes.

OpenID Connect Logout Prompt

At Keycloak 18.0.0, the logout is now compatible with the new OIDC specification, which changed the handling for the url parameters. However, to also remain compatible with earlier versions, a compatibility flag is introduced. See the Upgrading Guide for further information for the backwards compatibility option, which allows your application to still use the old format for the url parameters.

While the url parameters can now be configured to be compatible, there was still one incompatibility with keycloak 17 and earlier releases. If the user does not provide a valid idTokenHint, a logout prompt appears instead of a successful logout redirect. Therefore, a new compatibility flag suppress-logout-confirmation-screen is introduced to suppress the logout screen.

You can enable this parameter when you start the server by entering the following command:

bin/kc.[sh|bat] --spi-login-protocol-openid-connect-suppress-logout-confirmation-screen=true start

With this configuration, you can still use the logout endpoint without a user prompt.

Warning

The backwards compatibility switch will be removed in some future version - probably Keycloak 23. You are encouraged to update your clients as soon as possible as described above rather than rely on this switch.

Deploying scripts through SAML javascript protocol mapper

Until now, administrators, which used SAML javascript protocol mapper on their SAML clients or client scopes, were allowed to upload scripts to the server through the Keycloak Administration Console as well as through the RESTful Admin API.

For now on, this capability is disabled and users should deploy scripts directly to the server. This behaviour is aligned with other script based providers. For more details, please take a look at JavaScript Providers.

UserInfo Endpoint Changes

Error response changes

The UserInfo endpoint is now returning error responses fully compliant with RFC 6750 (The OAuth 2.0 Authorization Framework: Bearer Token Usage). Error code and description (if available) are provided as WWW-Authenticate challenge attributes rather than JSON object fields. The responses will be the following, depending on the error condition:

In case no access token is provided:

401 Unauthorized
WWW-Authenticate: Bearer realm="myrealm"

In case several methods are used simultaneously to provide an access token (for example, Authorization header + POST access_token parameter), or POST parameters are duplicated:
```
400 Bad Request
WWW-Authenticate: Bearer realm="myrealm", error="invalid_request", error_description="..."
```

In case an access token is missing openid scope:

403 Forbidden
WWW-Authenticate: Bearer realm="myrealm", error="insufficient_scope", error_description="Missing openid scope"

In case of inability to resolve cryptographic keys for UserInfo response signing/encryption:
```
500 Internal Server Error
```
In case of a token validation error, a 401 Unauthorized is returned in combination with the invalid_token error code. This error includes user and client related checks and actually captures all the remaining error cases:
```
401 Unauthorized
WWW-Authenticate: Bearer realm="myrealm", error="invalid_token", error_description="..."
```

Other Changes

It is now required for access tokens to have the openid scope, which is stipulated by UserInfo being a feature specific to OpenID Connect and not OAuth 2.0. If the openid scope is missing from the token, the request will be denied with a 403 Forbidden (see above).
UserInfo now checks the user status, and returns the invalid_token response if the user is disabled.

All resolved issues

Enhancements

#1659 Document compatibility mode for oidc logout endpoint suppression keycloak-documentation

#1889 A flow can be created with seemly the same name of another keycloak-ui

#1920 Sort the realm localization texts alphabetically keycloak-ui

#3141 Better fine-grained permission support keycloak-ui section/groups

#13524 Allow setting a URL to configure frontend and admin URLs keycloak dist/quarkus

#13657 Make compatibility mode for oidc logout endpoint fully compatible to previous keyloak versions keycloak oidc

#14247 Add basic auth compliant RFC 6749 keycloak

Bugs

#1676 SAML javascript protocol mapper: disable uploading scripts through admin console by default keycloak-documentation

#1969 [UX Review] Add 3 new settings in the Advanced tab of OIDC client keycloak-ui section/clients

#2777 Navigation links cannot be opened in new tab keycloak-ui section/other

#2811 View client > Client scopes > Setup > Removing client scope from the list is not showing a standard Delete dialog keycloak-ui section/clients

#2815 [UX Review] Mark the select option with a right mark keycloak-ui section/authentication

#2839 [Accessibility Review] Serious - Home page issues keycloak-ui section/other

#2841 [Accessibility Review] Serious - Clients page issues keycloak-ui section/clients

#2850 [Accessibility Review] Serious - Client scopes page issues keycloak-ui section/client scopes

#2926 [UX Review] Consider changing the layout of Groups from table to tree view keycloak-ui section/groups

#2953 Removal of English language not possible keycloak-ui section/realm settings

#2958 UI crash when lots of subgroups keycloak-ui section/groups

#2983 Save/Revert toolbar covers content keycloak-ui section/clients

#2986 Cannot see roles of user when lots of clients keycloak-ui section/clients

#2988 New admin UI : no support for array in custom attributes keycloak-ui

#3003 New admin console - Client credentials: Page is missing components keycloak-ui section/clients

#3004 [UX Review] Fine-tuning of the multiple values field keycloak-ui

#3022 Identity Provider Mapper can not save name of Hardcoded Attribute keycloak-ui section/identity providers

#3024 [Fine grain admin permissions] Can't view the client details with the "view" permission. Permission required: "view-clients" keycloak-ui section/other

#3029 Constants for clientAuthenticationTypes differ from backend keycloak-ui section/identity providers

#3030 Fix forgotPassword label in the new admin console keycloak-ui section/realm settings

#3034 Importing realms is buggy with the new keycloak.v2 theme keycloak-ui section/realm settings

#3048 "Unexpected token u in JSON at position 0" error when opening identity provider mappers created in a previous Keycloak version keycloak-ui section/identity providers

#3050 Missing Options "Use PKCE" and "PKCE Method" in new Admin UI keycloak-ui section/identity providers

#3057 Homepage URL is wrong in Client list in ClientSection keycloak-ui section/clients

#3059 User Storage Provider settings not visible in admin UI keycloak-ui section/user federation

#3061 The new GUI does not support -http-relative-path keycloak-ui section/other

#3077 Cancel button wrong variant keycloak-ui section/realm settings

#3081 There is no spacing between the table row and navigation. keycloak-ui section/users

#3082 Identity provider "Sync Mode" not visible keycloak-ui

#3090 Admin2: Fine Grained permissions/policies are ignored keycloak-ui section/other

#3097 Realm Email doesn't default to port 25 keycloak-ui section/realm settings

#3163 Group search endpoints don't return access. keycloak-ui section/groups

#3180 Cannot update user on new Keycloak Administration Console theme keycloak-ui section/users

#3228 Assign roles filter causes crash keycloak-ui section/users

#3323 Release failed due to missing javadoc and sources jar keycloak-ui

#9855 PolicyEnforcer sometimes looses provided adapterconfig while executing resource matching keycloak authorization-services

#11096 Do not empty attributes if they are not provided when user profile is enabled keycloak user-profile

#11185 [Quarkus | CLI | Windows] `-` abbreviations not recognized for start, build and start-dev keycloak dist/quarkus

#12204 ConcurrentModificationException in script cache of JSPolicyProviderFactory keycloak authorization-services

#13364 Unable to configure URL scheme for admin console keycloak

#13401 Failed to process template in Authentication SPI in v19.0.0 keycloak

#13472 Align kc.bat with latest changes to kc.sh keycloak

#13659 Health checks fail when using relative paths in 19.0.0-1 keycloak

#13786 Old admin console does not find keycloak.js when url is not set with a tailing / keycloak

#13807 Can't set storage-deployment-state-version-seed for map storage via environment variable keycloak storage

#13940 `--optimized` is not supported by `kc.sh export` keycloak dist/quarkus

#14011 Requests to health endpoint still dispatched to worker threads when `http-relative-path` is set keycloak

#14246 post_logout_redirect_uri causes "invalid redirect_uri" for clients created in keycloak 19 with old admin console keycloak oidc

#14288 Old administration console not loading keycloak admin/ui

#14292 SAML javascript protocol mapper: disable uploading scripts through admin console by default keycloak saml

#14309 Credential validation not taking into account if the user is already cached keycloak storage