Supply chain
Releases now ship verification material alongside the jar:
| Asset | Purpose |
|---|---|
keycloak-home-idp-discovery.jar
| The extension |
SHA256SUMS
| SHA-256 checksum of the jar |
bom.json
| CycloneDX 1.6 SBOM |
Builds are also attested with GitHub build provenance. To verify a download:
sha256sum -c SHA256SUMS
gh attestation verify keycloak-home-idp-discovery.jar -R sventorben/keycloak-home-idp-discovery
The jar published to GitHub Packages, the jar attached to this release, SHA256SUMS and the
provenance attestation all describe the same build.
Note
The SBOM lists no components. This is expected: the extension bundles no third-party code.
Everything it needs at runtime is supplied by the Keycloak server and covered by Keycloak's own SBOM.
Organizations
Two fixes for realms with organizations enabled, where a client requests an organization scope:
- Users are no longer prompted to sign in again on page reload when they already hold a valid
session. Keycloak 26.1 changed the cookie authenticator to defer completion to its own
organization authenticator, which flows built around this extension do not contain. - Users belonging to more than one organization now receive an
organizationclaim when
requesting the bareorganizationscope. The organization resolved by domain discovery is
recorded for the token mappers.
What's Changed
✨ New Features
- Add SBOM, checksums, and build provenance to releases by @sventorben in #650
🐛 Bugfixes
- fix: keep SSO session when an organization scope is requested by @sventorben in #662
- fix: record discovered organization for the organization claim by @sventorben in #663
⬆️ Dependency Updates
- Update Keycloak dependencies to 26.7.0 by @sventorben in #660
Full Changelog: v26.2.1...v26.2.2