Adding this as a breaking change plus deprecation

Closes #43022

Signed-off-by: Alexander Schwartz <alexander.schwartz@ibm.com>
Alexander Schwartz 2025-10-21 14:58:33 +02:00 committed by GitHub
parent 4443834d06
commit 6080f21c64
GPG Key ID: B5690EEEBB952194
2 changed files with 19 additions and 1 deletions


@ -9,6 +9,18 @@ only the basic attributes in representations or all of them.
The `UserProfile` interface is a private API and should not be implemented by custom code. However, if you have extensions that
implement this interface, you will need to update your code to accommodate this new method.
Breaking changes are identified as those that might require changes for existing users to their configurations or applications.
In minor or patch releases, {project_name} will only introduce breaking changes to fix bugs.
=== Corrected encoding when sending OpenID Connect client secrets when acting as a broker
In a scenario where {project_name} acts as a broker and connects via OpenID Connect to another identity provider, it now sends the client credentials via basic authentication in the correct encoding as specified in RFC6749.
You are not affected if you configured {project_name} to send the credentials in the request body.
This prevents problems with client IDs or passwords that contain, for example, a colon or a percentage sign.
To revert to the old behavior, change the client authentication to the deprecated option *Client secret sent as HTTP Basic authentication without URL encoding* (`client_secret_basic_unencoded`).
// ------------------------ Notable changes ------------------------ //
== Notable changes
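Review bot: The new entry in this hunk says the credentials are now sent "in the correct encoding as specified in RFC6749" but never states what actually changes on the wire, so an administrator whose broker logins start failing after the upgrade cannot tell from this text whether this change is the cause. Consider adding one sentence stating that the client ID and client secret are now form-URL-encoded before being base64-encoded into the HTTP Basic `Authorization` header (RFC 6749, Section 2.3.1), and that an identity provider which does not percent-decode them as the RFC requires will reject the credentials (typically with an `invalid_client` error) until the IdP is fixed or `client_secret_basic_unencoded` is selected. Minor: write the reference as "RFC 6749" with the section number, in both this entry and the deprecation entry.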
@ -40,6 +52,12 @@ To revert to the old behavior, change the client authentication to *Client secre
The following sections provide details on deprecated features.
=== Sending OpenID Connect client secret via basic authentication without URL encoding
In a scenario where {project_name} acts as a broker and connects via OpenID Connect to another identity provider, you can choose to send the client secret as *Client secret sent as HTTP Basic authentication without URL encoding* (`client_secret_basic_unencoded`). While this violates RFC6749, it can be used to keep the default behavior of earlier versions of {project_name}.
This behavior is deprecated and will be removed in a future version of Keycloak.
// ------------------------ Removed features ------------------------ //
== Removed features
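Review bot: The deprecation entry in this hunk says "a future version of Keycloak" while every surrounding line uses the `{project_name}` attribute; use `{project_name}` here as well so the rendered text stays consistent. It would also help operators to state that the unencoded option exists only to keep working with an identity provider that does not decode Basic credentials per RFC 6749, and that the supported alternatives are fixing the provider or switching to sending the credentials in the request body, so that nobody reads the deprecated option as a recommended setting.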


@ -122,7 +122,7 @@ public class OIDCLoginProtocol implements LoginProtocol {
/**
* This is just for legacy setups which expect an unencoded, non-RFC6749 compliant client secret send from Keycloak to an IdP.
*/
@Deprecated(since = "26.5")
@Deprecated(since = "26.5", forRemoval = true)
public static final String CLIENT_SECRET_BASIC_UNENCODED = "client_secret_basic_unencoded";
// https://tools.ietf.org/html/rfc7636#section-4.3
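Review bot: Adding `forRemoval = true` is the right signal, but the Javadoc on the constant still only describes "legacy setups" and does not carry a `@deprecated` tag naming the replacement, so the IDE and javac warnings that this annotation now triggers give the developer nothing actionable. Suggest adding `@deprecated Use the RFC 6749 compliant {@code client_secret_basic} option instead; scheduled for removal.` to the comment, and fixing "client secret send from Keycloak" to "sent". Also note that javac reports uses of `forRemoval = true` APIs as `removal` warnings by default, so any remaining internal references to this constant may need `@SuppressWarnings("removal")` if the build is configured to fail on warnings.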