github sventorben/keycloak-home-idp-discovery v26.2.2

12 hours ago

Supply chain

Releases now ship verification material alongside the jar:

Asset Purpose
keycloak-home-idp-discovery.jar The extension
SHA256SUMS SHA-256 checksum of the jar
bom.json CycloneDX 1.6 SBOM

Builds are also attested with GitHub build provenance. To verify a download:

sha256sum -c SHA256SUMS
gh attestation verify keycloak-home-idp-discovery.jar -R sventorben/keycloak-home-idp-discovery

The jar published to GitHub Packages, the jar attached to this release, SHA256SUMS and the
provenance attestation all describe the same build.

Note
The SBOM lists no components. This is expected: the extension bundles no third-party code.
Everything it needs at runtime is supplied by the Keycloak server and covered by Keycloak's own SBOM.

Organizations

Two fixes for realms with organizations enabled, where a client requests an organization scope:

  • Users are no longer prompted to sign in again on page reload when they already hold a valid
    session. Keycloak 26.1 changed the cookie authenticator to defer completion to its own
    organization authenticator, which flows built around this extension do not contain.
  • Users belonging to more than one organization now receive an organization claim when
    requesting the bare organization scope. The organization resolved by domain discovery is
    recorded for the token mappers.

What's Changed

✨ New Features

  • Add SBOM, checksums, and build provenance to releases by @sventorben in #650

🐛 Bugfixes

  • fix: keep SSO session when an organization scope is requested by @sventorben in #662
  • fix: record discovered organization for the organization claim by @sventorben in #663

⬆️ Dependency Updates

Full Changelog: v26.2.1...v26.2.2

Don't miss a new keycloak-home-idp-discovery release

NewReleases is sending notifications on new releases.