From 6080f21c64cd6c0b0ed116196ffc391c17e6b21b Mon Sep 17 00:00:00 2001 From: Alexander Schwartz Date: Tue, 21 Oct 2025 14:58:33 +0200 Subject: [PATCH] Adding this as a breaking change plus deprecation Closes #43022 Signed-off-by: Alexander Schwartz --- .../topics/changes/changes-26_5_0.adoc | 18 ++++++++++++++++++ .../protocol/oidc/OIDCLoginProtocol.java | 2 +- 2 files changed, 19 insertions(+), 1 deletion(-) diff --git a/docs/documentation/upgrading/topics/changes/changes-26_5_0.adoc b/docs/documentation/upgrading/topics/changes/changes-26_5_0.adoc index 290f08c1c27..2f8da5087bd 100644 --- a/docs/documentation/upgrading/topics/changes/changes-26_5_0.adoc +++ b/docs/documentation/upgrading/topics/changes/changes-26_5_0.adoc 
@@ -9,6 +9,18 @@ only the basic attributes in representations or all of them. The `UserProfile` interface is a private API and should not be implemented by custom code. However, if you have extensions that implement this interface, you will need to update your code to accommodate this new method. +Breaking changes are identified as those that might require changes for existing users to their configurations or applications. +In minor or patch releases, {project_name} will only introduce breaking changes to fix bugs. + +=== Corrected encoding when sending OpenID Connect client secrets when acting as a broker + +In a scenario where {project_name} acts as a broker and connects via OpenID Connect to another identity provider, it now sends the client credentials via basic authentication in the correct encoding as specified in RFC6749. +You are not affected if you configured {project_name} to send the credentials in the request body. + +This prevents problems with client IDs or passwords that contain, for example, a colon or a percentage sign. + +To revert to the old behavior, change the client authentication to the deprecated option *Client secret sent as HTTP Basic authentication without URL encoding* (`client_secret_basic_unencoded`). + // ------------------------ Notable changes ------------------------ // == Notable changes 
@@ -40,6 +52,12 @@ To revert to the old behavior, change the client authentication to *Client secre The following sections provide details on deprecated features. +=== Sending OpenID Connect client secret via basic authentication without URL encoding + +In a scenario where {project_name} acts as a broker and connects via OpenID Connect to another identity provider, you can choose to send the client secret as *Client secret sent as HTTP Basic authentication without URL encoding* (`client_secret_basic_unencoded`). While this violates RFC6749, it can be used to keep the default behavior of earlier versions of {project_name}. + +This behavior is deprecated and will be removed in a future version of Keycloak. + // ------------------------ Removed features ------------------------ // == Removed features diff --git a/services/src/main/java/org/keycloak/protocol/oidc/OIDCLoginProtocol.java b/services/src/main/java/org/keycloak/protocol/oidc/OIDCLoginProtocol.java index 1c0ea7ddc87..29cdc11a301 100755 --- a/services/src/main/java/org/keycloak/protocol/oidc/OIDCLoginProtocol.java +++ b/services/src/main/java/org/keycloak/protocol/oidc/OIDCLoginProtocol.java @@ -122,7 +122,7 @@ public class OIDCLoginProtocol implements LoginProtocol { /** * This is just for legacy setups which expect an unencoded, non-RFC6749 compliant client secret send from Keycloak to an IdP. */ - @Deprecated(since = "26.5") + @Deprecated(since = "26.5", forRemoval = true) public static final String CLIENT_SECRET_BASIC_UNENCODED = "client_secret_basic_unencoded"; // https://tools.ietf.org/html/rfc7636#section-4.3
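Review bot: The Javadoc on `CLIENT_SECRET_BASIC_UNENCODED` still carries no `@deprecated` tag naming the replacement, so with `forRemoval = true` callers now get a removal warning by default but no pointer to what to migrate to. I would add `@deprecated Legacy option that sends the client secret as HTTP Basic credentials without the form-URL-encoding required by RFC 6749 section 2.3.1; use the URL-encoded HTTP Basic client authentication instead and keep this only for identity providers that cannot accept encoded credentials.` to the comment block above the annotation. The existing sentence also reads `client secret send from Keycloak` where it should be `client secret sent from Keycloak`. The enclosing class `OIDCLoginProtocol` starts and ends outside the hunk.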