Highlights
This release of Keycloak JS focuses on addressing several regressions that were introduced by accident. We apologize for any inconvenience these issues may have caused and thank our community for reporting them quickly and helping to verify the fixes.
Bug Fixes
Destructuring public methods now works correctly
A regression was introduced that caused an error when destructuring public methods from a Keycloak instance. This pattern is commonly used in applications:
const { login, logout } = keycloak;
login(); // Previously failed with "Cannot read properties of undefined"
This issue has been resolved by binding all public methods to the class instance using arrow functions, ensuring that this is always correctly scoped regardless of how the method is called.
Hash fragments are now preserved in redirect URIs
A regression caused hash fragments in URLs to be stripped from redirect URIs, which broke navigation in applications that rely on fragment-based routing. For example, when logging in to the Keycloak Admin Console with a URL like http://localhost:8080/admin/master/console/#/demo/users/add-user, the user would be redirected to the default page instead of the intended fragment after authentication.
This also caused issues where redirect URIs would have a trailing slash added unexpectedly, breaking login flows for OIDC servers that perform strict URI matching.
The next major version of Keycloak JS will start re-enforcing the constraint that redirect URIs must not contain fragments, as the specification does not allow them.
Redirect URLs on different domains now work correctly
A regression prevented redirect URLs from being on a different domain than the application origin, causing the navigation to fail with a security error. This affected users who use redirect services that forward authentication requests from an intermediate domain back to the application.
This behavior is likely to be changed in the future to only allow redirect URLs that are on the same origin as where Keycloak JS is initialized, in order to prevent possible open redirects. If this issue affects you, please join the discussion.
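To find out ahead of time whether an application depends on the redirect behaviors described above, the following added example (not Keycloak JS code) audits a redirect URI for a fragment, for a cross-origin target, and for changes under URL normalization such as an added trailing slash. The function name auditRedirectUri and the example.com and example.net hosts are assumptions made for illustration.

```javascript
// Added example: hypothetical helper, not part of Keycloak JS.
// Reports which of the redirect URI behaviours from these notes an application relies on.
function auditRedirectUri(redirectUri, appOrigin) {
  let parsed;
  try {
    parsed = new URL(redirectUri);
  } catch {
    return { valid: false };
  }
  return {
    valid: true,
    // OAuth 2.0 redirect URIs must not include a fragment (RFC 6749, section 3.1.2).
    hasFragment: redirectUri.includes("#"),
    // A redirect target on another origin is what a same-origin restriction would reject.
    crossOrigin: parsed.origin !== new URL(appOrigin).origin,
    // If parsing and re-serializing changes the string (for example by adding a
    // trailing slash to an empty path), a server doing strict URI matching
    // will not accept the normalized form.
    changedByNormalization: parsed.href !== redirectUri,
    normalized: parsed.href,
  };
}

// Constructed sample inputs; the first URL is the one quoted in these notes.
const samples = [
  ["http://localhost:8080/admin/master/console/#/demo/users/add-user", "http://localhost:8080"],
  ["https://redirect.example.net/forward", "https://app.example.com"],
  ["https://app.example.com", "https://app.example.com"],
  ["/relative/callback", "https://app.example.com"],
];

for (const [uri, origin] of samples) {
  console.log(uri, JSON.stringify(auditRedirectUri(uri, origin)));
}
```
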
Upgrading
Before upgrading, refer to the migration guide for a complete list of changes.