Update documentation after changes to RFC8414 handling

Closes #42323

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Alexander Schwartz 2025-09-03 19:44:32 +02:00 committed by Pedro Igor
parent 3d88846732
commit 78dce37197
3 changed files with 34 additions and 2 deletions


@ -58,6 +58,28 @@ Custom caches can still be added without setting this option.
When upgrading an existing deployment, remove all default cache configurations from your existing `conf/cache-ispn.xml`
and use the `+--cache-...+` options to make changes for example to the cache sizes.
=== RFC8414 compliant lookup of metadata
{project_name} now exposes an RFC8414-compliant endpoint at the root URL level `/.well-known/` to allow clients to discover OAuth 2.0 Authorization Server Metadata by the issuer URL.
Previously information was exposed via:
[source]
----
https://keycloak.example.com/realms/{realm}/.well-known/oauth-authorization-server
----
It is now available in addition to the legacy URL via:
[source]
----
https://keycloak.example.com/.well-known/oauth-authorization-server/realms/{realm}
----
To benefit from this, expose the path `/.well-known/` in your reverse proxy configuration.
NOTE: If a `http-relative-path` is configured, configure a reverse proxy to map the `/.well-known/` path to the path with the prefix on the server.
=== Operator default affinity configuration changed
The default affinity strategy has been updated so that a `preferredDuringSchedulingIgnoredDuringExecution` anti-affinity rule
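Review bot: "Previously information was exposed via:" reads as if the realm-scoped URL had been removed, which the next sentence then contradicts; since the upgrading guide is where operators look for breaking changes, suggest "The information remains available at the realm-scoped URL:" (or at least "Previously, the information was exposed via:"). Second point, on "expose the path `/.well-known/` in your reverse proxy configuration": if the RFC 8414 lookup is the only resource served under that prefix, recommending the narrower `/.well-known/oauth-authorization-server/` keeps what the proxy forwards to exactly what is needed; if other resources are served under `/.well-known/`, naming them here tells operators what they are exposing when they follow this advice.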


@ -16,9 +16,12 @@ The most important endpoint to understand is the `well-known` configuration endp
/realms/{realm-name}/.well-known/openid-configuration
....
To obtain the full URL, add the base URL for {project_name} and replace `{realm-name}` with the name of your realm. For example:
To obtain the full URL, add the base URL for {project_name} and replace `+{realm-name}+` with the name of your realm. For example:
\http://localhost:8080{kc_realms_path}/master/.well-known/openid-configuration
[subs="attributes,quotes+"]
....
http://localhost:8080{kc_realms_path}/\{realm-name}/.well-known/openid-configuration
....
Some RP libraries retrieve all required endpoints from this endpoint, but for others you might need to list the endpoints individually.
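Review bot: Please confirm the intent of `[subs="attributes,quotes+"]` on the new literal block. In Asciidoctor an entry without a `+`/`-` modifier starts the substitution list from empty rather than from the block's defaults, so this combination resolves to `quotes` and `attributes` only and drops the `specialcharacters` substitution a literal block normally has. If the goal is just to resolve `{kc_realms_path}` while keeping `\{realm-name}` literal, `[subs="attributes+"]` does that on top of the defaults, and `quotes` does not appear to be needed for a URL. Minor: the sentence still ends with "For example:" but the block now shows the `{realm-name}` template instead of the concrete `master` line it replaces; either keep one concrete instance alongside the template or adjust the lead-in.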


@ -121,6 +121,11 @@ The following table shows the recommended paths to expose.
|Yes
|This path is needed to serve assets correctly. It may be served from a CDN instead of the {project_name} path.
|/.well-known/
|/.well-known/
|Yes
|This path is needed to resolve Authorization Server Metadata and other information via RFC8414.
|/metrics
|-
|No
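Review bot: The reason column "resolve Authorization Server Metadata and other information via RFC8414" leaves "other information" undefined, and RFC 8414 itself specifies only the authorization server metadata document. Since this table is what operators use to decide what to expose, either list the other well-known resources that are served under `/.well-known/` (for example the OpenID Connect discovery document, if it is also served there) or drop "and other information" so the row states exactly what the exposed prefix is for.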
@ -136,6 +141,8 @@ The following table shows the recommended paths to expose.
We assume you run {project_name} on the root path `/` on your reverse proxy/gateway's public API.
If not, prefix the path with your desired one.
NOTE: If you configured a `http-relative-path` on the server, proceed as follows to use discovery wih RFC8414: Configure a reverse proxy to map the `/.well-known/` path without the prefix to the path with the prefix on the server.
== Trusted Proxies
To ensure that proxy headers are used only from proxies you trust, set the `proxy-trusted-addresses` option to a comma separated list of IP addresses (IPv4 or IPv6) or Classless Inter-Domain Routing (CIDR) notations.
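Review bot: Typo in the new NOTE: "discovery wih RFC8414" should be "discovery with RFC8414", and "a `http-relative-path`" reads better as "an `http-relative-path`". The mapping instruction would also be easier to act on with a concrete pair of paths, e.g. "with `http-relative-path` set to `/auth`, map `/.well-known/` on the proxy to `/auth/.well-known/` on the server", since "the path with the prefix" has to be inferred by the reader today.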