Updates to KeyCloak - start after Feb25 #4343

ninosamson opened this issue Feb 11, 2025 · 1 comment

ninosamson commented Feb 11, 2025

The next keycloak upgrade is scheduled to take place between Feb 25 (Dev/TEST) & Mar 25 (PROD) 2025. SIMS team needs to review the notes for impact and make changes accordingly.

Summary:

  1. The Keycloak JS library is no longer served statically from the RedHat build of Keycloak server
  2. Support for legacy logout through redirect_uri parameter is removed
  3. Changes on token claims to reduce size of lightweight access token
  4. Limiting memory usage when consuming HTTP responses
  5. Default Client Profile for SAML clients

See notes in comments.

Technical

  • Review the comments added by @ninosamson below to check any possible impact.
  • Updating the keycloakjs lib can be done without any breaks. If the login is happening for all portals it should be good enough to proceed.
  • To be executed after Feb 25 (Dev/TEST) to check possible impacts.
@ninosamson ninosamson added Business Items under Business Consideration Dev & Architecture Development and Architecture and removed Business Items under Business Consideration labels Feb 11, 2025
ninosamson commented:

Hello SSO Friends,

We are reaching out to share that we are moving to a new version of Red Hat Build of Keycloak 26 (RHBK 26). We plan to upgrade it in February - March 2025.

In preparation for this upgrade, we highlighted some important updates regarding RHBK 26 that may require action from you to keep the integration between the SSO service and your app working. The full release note can be found here.

  1. The Keycloak JS library is no longer served statically from the Red Hat build of Keycloak server

If your application links to Keycloak server with URLs such as:

  • /js/keycloak-authz.js
  • /js/keycloak-authz.min.js
  • /js/keycloak.js
  • /js/keycloak.min.js
  • /js/{version}/keycloak-authz.js
  • /js/{version}/keycloak-authz.min.js
  • /js/{version}/keycloak.js
  • /js/{version}/keycloak.min.js

you will not have access to the file(s) once we upgrade to RHBK 26, and your users will not be able to authenticate through your app. Per the Red Hat build of Keycloak 26.0 Upgrading Guide, you should now include the library in your project using a package manager such as NPM. The library is available on the NPM registry as keycloak-js.

  2. Support for legacy logout through redirect_uri parameter is removed

Previous versions of Keycloak had supported automatic logout of the user and redirect to the application by opening logout endpoint URL with redirect_uri parameter. We communicated with the community that this functionality was deprecated in Keycloak 18 and now has been removed in RHBK 26. We recommend including id_token_hint and post_logout_redirect_uri parameters.

  3. You are already logged in message

When a user is already logged in to one browser tab and an authentication session expired in another browser tab, RHBK 26 redirects back to the client application with an OIDC/SAML error. Note that the message You are already logged in does not appear to the end user when an authentication session expires and user is already logged in. You may consider updating your applications to handle this error. Please reach out to us if you have more questions about this error.

  4. Changes on token claims to reduce size of lightweight access token

Claims sub and auth_time are added by a protocol mapper; they are still added to the ID token and access token as before, but not to the lightweight access token.

Claim nonce is added only to the ID token by default.

Claim session_state is not added to any token now by default. The other dedicated claim sid, which is still supported by the specification, was available in previous versions and has exactly the same value.

For backward compatibility, through protocol mappers, SSO team adds nonce and session_state claims for standard clients. If you are a custom client, please review your token claim usage, and configure accordingly. More details can be found here.

  5. Limiting memory usage when consuming HTTP responses

RHBK now restricts responses to 10 MB by default. If you expect the payload from your app to be this big, please contact us.

  6. Default Client Profile for SAML clients

Through client profiles, security best practices such as signatures, prohibition of the SAML Redirect binding and prohibition of wildcard redirect URLs are enforced for SAML clients.
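The two items in the notice above that an application integrator can check in code are the logout change (item 2: the legacy `redirect_uri` logout is gone, `id_token_hint` plus `post_logout_redirect_uri` replace it) and the claim changes (item 4: `session_state` is no longer issued by default, `sid` carries the same value). The following is an added example, not code from the SIMS project or from the SSO team: it builds the RHBK 26 style logout URL, flags a URL that still uses the removed parameter, and reports which of the affected claims a token actually carries so an integration can be checked on Dev/TEST before PROD. The issuer URL, redirect URL and token contents are constructed placeholders, and the JWT is decoded only to read claims; it is not verified here.

```javascript
// Added example (not from the SIMS project or the SSO team's notice).
// Assumptions: the issuer and redirect URLs below are constructed
// placeholders, and keycloak-js is installed from npm ("npm install
// keycloak-js") rather than loaded from the server's /js/keycloak.js path,
// which RHBK 26 no longer serves.

// Build an OIDC RP-initiated logout URL for RHBK 26. The legacy
// ?redirect_uri= form is rejected, so send id_token_hint and
// post_logout_redirect_uri instead, as the notice recommends.
function buildLogoutUrl(issuer, idToken, postLogoutRedirectUri) {
  if (!idToken) {
    throw new Error('id_token_hint is required for post_logout_redirect_uri to be honoured');
  }
  const base = issuer.replace(/\/$/, '');
  const url = new URL(`${base}/protocol/openid-connect/logout`);
  url.searchParams.set('id_token_hint', idToken);
  url.searchParams.set('post_logout_redirect_uri', postLogoutRedirectUri);
  return url.toString();
}

// True when a logout URL still relies on the removed redirect_uri parameter.
function usesLegacyLogout(logoutUrl) {
  const params = new URL(logoutUrl).searchParams;
  return params.has('redirect_uri') && !params.has('post_logout_redirect_uri');
}

// Decode the payload of a compact JWS without verifying it. This only reads
// claims for the report below; signature verification stays with the
// server side and is not replaced by this helper.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Session identifier: prefer the standard `sid` claim (still issued by
// RHBK 26); fall back to `session_state` only if a protocol mapper re-adds it.
function sessionIdFrom(claims) {
  return claims.sid ?? claims.session_state ?? null;
}

// Report presence of each claim affected by the upgrade, plus the session id
// the application should now rely on.
function claimReport(token) {
  const c = decodeJwtPayload(token);
  return {
    sub: 'sub' in c,
    auth_time: 'auth_time' in c,
    nonce: 'nonce' in c,
    session_state: 'session_state' in c,
    sid: 'sid' in c,
    sessionId: sessionIdFrom(c),
  };
}

// Constructed sample token: header and signature are dummies, the payload
// mirrors the RHBK 26 default (sid present, session_state absent).
function makeSampleToken(payload) {
  const b64 = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${b64({ alg: 'none', typ: 'JWT' })}.${b64(payload)}.sig`;
}

const SAMPLE_ISSUER = 'https://sso.example.invalid/auth/realms/example'; // placeholder
const SAMPLE_APP_URL = 'https://app.example.invalid/'; // placeholder
const SAMPLE_ACCESS_TOKEN = makeSampleToken({
  iss: SAMPLE_ISSUER, sub: 'user-123', sid: 'sess-abc', auth_time: 1700000000,
});

function main() {
  const logoutUrl = buildLogoutUrl(SAMPLE_ISSUER, SAMPLE_ACCESS_TOKEN, SAMPLE_APP_URL);
  console.log('logout URL:', logoutUrl);
  console.log('legacy form?', usesLegacyLogout(logoutUrl));
  console.log('claims:', claimReport(SAMPLE_ACCESS_TOKEN));
}

main();
```

Run the file with Node.js after installing nothing (only built-ins are used). In a real application the id token is the one keycloak-js holds after login, and `claimReport` would be run against the access token received from Dev/TEST to confirm whether `session_state` or `nonce` is still present for the client before PROD is upgraded.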

@andrewsignori-aot andrewsignori-aot removed the Dev & Architecture Development and Architecture label Feb 20, 2025
@ninosamson ninosamson changed the title Updates to KeyCloak Updates to KeyCloak - start after Feb25 Feb 20, 2025