Adding this as a breaking change plus deprecation

Closes #43022 Signed-off-by: Alexander Schwartz <alexander.schwartz@ibm.com>
2026-01-09 23:12:06 -03:30 · 2025-10-21 14:58:33 +02:00 · 2025-10-21 14:58:33 +02:00 · 4ad4ce5d58
commit 4ad4ce5d58
parent 489d10157a
3 changed files with 29 additions and 1 deletions
--- a/docs/documentation/upgrading/topics/changes/changes-26_4_2.adoc
+++ b/docs/documentation/upgrading/topics/changes/changes-26_4_2.adoc
@ -0,0 +1,24 @@
+== Breaking changes
+
+Breaking changes are identified as those that might require changes for existing users to their configurations or applications.
+In minor or patch releases, {project_name} will only introduce breaking changes to fix bugs.
+
+=== Corrected encoding when sending OpenID Connect client secrets when acting as a broker
+
+In a scenario where {project_name} acts as a broker and connects via OpenID Connect to another identity provider, it now sends the client credentials via basic authentication in the correct encoding as specified in RFC6749.
+You are not affected if you configured {project_name} to send the credentials in the request body.
+
+This prevents problems with client IDs or passwords that contain, for example, a colon or a percentage sign.
+
+To revert to the old behavior, change the client authentication to the deprecated option *Client secret sent as HTTP Basic authentication without URL encoding* (`client_secret_basic_unencoded`).
+
+// ------------------------ Deprecated features ------------------------ //
+== Deprecated features
+
+The following sections provide details on deprecated features.
+
+=== Sending OpenID Connect client secret via basic authentication without URL encoding
+
+In a scenario where {project_name} acts as a broker and connects via OpenID Connect to another identity provider, you can choose to send the client secret as *Client secret sent as HTTP Basic authentication without URL encoding* (`client_secret_basic_unencoded`). While this violates RFC6749, it can be used to keep the default behavior of earlier versions of {project_name}.
+
+This behavior is deprecated and will be removed in a future version of Keycloak.
--- a/docs/documentation/upgrading/topics/changes/changes.adoc
+++ b/docs/documentation/upgrading/topics/changes/changes.adoc
@ -1,6 +1,10 @@
 [[migration-changes]]
 == Migration Changes

+=== Migrating to 26.4.2
+
+include::changes-26_4_2.adoc[leveloffset=2]
+
 === Migrating to 26.4.1

 include::changes-26_4_1.adoc[leveloffset=2]
--- a/services/src/main/java/org/keycloak/protocol/oidc/OIDCLoginProtocol.java
+++ b/services/src/main/java/org/keycloak/protocol/oidc/OIDCLoginProtocol.java
@ -122,7 +122,7 @@ public class OIDCLoginProtocol implements LoginProtocol {
    /**
     * This is just for legacy setups which expect an unencoded, non-RFC6749 compliant client secret send from Keycloak to an IdP.
     */
-    @Deprecated(since = "26.5")
+    @Deprecated(since = "26.5", forRemoval = true)
    public static final String CLIENT_SECRET_BASIC_UNENCODED = "client_secret_basic_unencoded";

    // https://tools.ietf.org/html/rfc7636#section-4.3