github keycloak/keycloak 24.0.5


Highlights

Security issue with PAR clients using client_secret_post based authentication

This release contains the fix for an important security issue affecting some OIDC confidential clients that use PAR (Pushed Authorization Requests). If you use OIDC confidential clients together with PAR, and those clients authenticate by sending client_id and client_secret as parameters in the HTTP request body (the client_secret_post method from the OIDC specification), you are strongly encouraged to rotate the client secrets of those clients after upgrading to this version.
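The rotation advice above is easiest to act on from the admin REST API. The following added example (not Keycloak project code) selects the clients whose secrets are in scope and calls the endpoint that regenerates a client secret. Keycloak's "client-secret" authenticator accepts both client_secret_basic and client_secret_post, so the client configuration cannot tell which form a client sends; the safe rule is therefore to rotate every confidential client that uses a shared secret, with an optional narrowing to clients that require PAR. The base URL, realm, admin token and the sample client representations are placeholders constructed for this example.

```python
"""Select Keycloak confidential clients that authenticate with a client secret and
regenerate their secrets via the admin REST API.

Added example, not Keycloak project code. BASE_URL, REALM and the admin token are
placeholders; the selection logic runs offline against constructed client data."""
import json
import urllib.request

# Client attribute Keycloak sets when "Pushed authorization request required" is on.
PAR_REQUIRED_ATTR = "require.pushed.authorization.requests"


def uses_client_secret(client: dict) -> bool:
    """True for confidential OIDC clients that authenticate with a shared secret.

    Public and bearer-only clients never present a secret; clients using
    client-jwt, client-secret-jwt or client-x509 do not send one either."""
    return (
        client.get("protocol", "openid-connect") == "openid-connect"
        and not client.get("publicClient", False)
        and not client.get("bearerOnly", False)
        and client.get("clientAuthenticatorType") == "client-secret"
    )


def requires_par(client: dict) -> bool:
    """True when the client is configured to require PAR."""
    return client.get("attributes", {}).get(PAR_REQUIRED_ATTR) == "true"


def select_for_rotation(clients: list, only_par_required: bool = False) -> list:
    """Return the clientIds whose secrets should be rotated.

    Any confidential client may use PAR voluntarily, so the default keeps every
    secret-based client in scope; only_par_required narrows to clients that force PAR."""
    selected = []
    for client in clients:
        if not uses_client_secret(client):
            continue
        if only_par_required and not requires_par(client):
            continue
        selected.append(client["clientId"])
    return selected


def rotate_secret(base_url: str, realm: str, token: str, client_uuid: str) -> dict:
    """POST /admin/realms/{realm}/clients/{uuid}/client-secret regenerates the secret
    and returns the new credential representation (the "value" field is the secret)."""
    req = urllib.request.Request(
        f"{base_url}/admin/realms/{realm}/clients/{client_uuid}/client-secret",
        method="POST",
        headers={"Authorization": f"Bearer {token}"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


# Constructed sample, trimmed to the fields used, of what
# GET /admin/realms/{realm}/clients returns.
SAMPLE_CLIENTS = [
    {"id": "uuid-1", "clientId": "web-app", "publicClient": False,
     "clientAuthenticatorType": "client-secret", "attributes": {PAR_REQUIRED_ATTR: "true"}},
    {"id": "uuid-2", "clientId": "spa", "publicClient": True,
     "clientAuthenticatorType": "client-secret", "attributes": {}},
    {"id": "uuid-3", "clientId": "batch-job", "publicClient": False,
     "clientAuthenticatorType": "client-secret", "attributes": {}},
    {"id": "uuid-4", "clientId": "mtls-service", "publicClient": False,
     "clientAuthenticatorType": "client-x509", "attributes": {}},
    {"id": "uuid-5", "clientId": "resource-server", "publicClient": False, "bearerOnly": True,
     "clientAuthenticatorType": "client-secret", "attributes": {}},
]

if __name__ == "__main__":
    # Offline run over the constructed sample; wire rotate_secret() to a real
    # server by replacing the placeholders below.
    BASE_URL, REALM, ADMIN_TOKEN = "https://keycloak.example", "myrealm", "<admin-token>"
    in_scope = select_for_rotation(SAMPLE_CLIENTS)
    print("clients to rotate:", in_scope)
    for client in SAMPLE_CLIENTS:
        if client["clientId"] in in_scope and ADMIN_TOKEN != "<admin-token>":
            new_cred = rotate_secret(BASE_URL, REALM, ADMIN_TOKEN, client["id"])
            print(client["clientId"], "rotated; distribute the new secret out of band")
```

After rotating, the old secret stops working immediately, so update each client's deployment with the returned `value` before or right after the call; Keycloak also lets you keep a rotated secret valid for a grace period, which is the safer path for clients with many instances.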

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Enhancements

  • #29073 Use cache.compute() method to improve the replace retry loop
  • #29280 Update Create Realm in Keycloak 24 Getting Started

Bugs

  • #29129 JGroups creates log messages as it switched internally to "trace" dist/quarkus
  • #29206 LDAP user creation reports error but user is created ldap
  • #29314 Clicking the "save" button multiple times in the Saml IDP configuration page corrupts the value of "AuthnContext ClassRefs" admin/ui
  • #29458 Empty CSP header value breaks security filter authentication
  • #29471 Cypress tests store videos even for passing tests ci
  • #29525 Maven clean build doesn't clean admin client generated files ci
  • #29554 Cypress failing on video recording ci
  • #29625 Database driver install examples can lead to permission errors in some circumstances docs
