REQUIRED and ALTERNATIVE executions not supported at same flow

The fields username, email, firstName and lastName in the UserModel are migrated to custom attributes as a preparation for adding more sophisticated user profiles to Keycloak in an upcoming version. If a database contains users with custom attributes of that exact name, the custom attributes will need to be migrated before upgrading. This migration does not occur automatically. Otherwise, they will not be read from the database anymore and possibly deleted.

This situation implies that the username can now also be accessed and set via UserModel.getFirstAttribute(UserModel.USERNAME). Similar implications exist for other fields. Implementors of SPIs subclassing the UserModel directly or indirectly should ensure that the behavior between setUsername and setSingleAttribute(UserModel.USERNAME, …) (and similar for the other fields) is consistent.

Users of the policy evaluation feature have to adapt their policies if they use the number of attributes in their evaluations since every user will now have four new attributes by default.
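One way to keep the setter and the attribute API consistent in a custom user implementation, shown as an added stand-alone sketch that is not Keycloak code and does not depend on it. The class name, the trim and lower-case normalisation of the username, and the rule that a username cannot be cleared are assumptions of this example; only the method names and the four field names come from the text above.

```java
import java.util.HashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;

// Hypothetical stand-alone model of a user implementation. It mirrors the
// UserModel method names quoted above but is not a Keycloak class.
public class ConsistentUserSketch {
    static final String USERNAME = "username";
    static final String EMAIL = "email";

    // Single source of truth: the profile fields live in the same map as every
    // other attribute, so the setters and the attribute API cannot disagree.
    private final Map<String, List<String>> attributes = new HashMap<>();

    public void setSingleAttribute(String name, String value) {
        if (value == null) {
            // Assumed rule: the username may be changed but never removed.
            if (USERNAME.equals(name)) {
                throw new IllegalArgumentException("username is required");
            }
            attributes.remove(name);
            return;
        }
        // Normalise on the shared write path, so a username written through
        // the attribute API gets the same treatment as one written via setUsername.
        String stored = USERNAME.equals(name)
                ? value.trim().toLowerCase(Locale.ROOT)
                : value;
        attributes.put(name, List.of(stored));
    }

    public String getFirstAttribute(String name) {
        List<String> values = attributes.get(name);
        return (values == null || values.isEmpty()) ? null : values.get(0);
    }

    // Field accessors delegate to the attribute API instead of a separate field.
    // firstName and lastName would follow the same pattern.
    public void setUsername(String username) { setSingleAttribute(USERNAME, username); }
    public String getUsername() { return getFirstAttribute(USERNAME); }
    public void setEmail(String email) { setSingleAttribute(EMAIL, email); }
    public String getEmail() { return getFirstAttribute(EMAIL); }

    public static void main(String[] args) {
        ConsistentUserSketch user = new ConsistentUserSketch();
        user.setUsername("Alice");                          // write via setter
        System.out.println(user.getFirstAttribute(USERNAME)); // read via attribute API
        user.setSingleAttribute(USERNAME, " Bob ");         // write via attribute API
        System.out.println(user.getUsername());             // read via getter
    }
}
```

Because both write paths end in the same method, validation or normalisation applied to the username cannot be bypassed by setting the attribute directly.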
Contact details removed from registration and account management
Option that refresh tokens are not reusable anymore
Element 'form-error-page' in web.xml not supported anymore
Option 'Update Profile On First Login' moved from Identity provider to Review Profile authenticator
Direct access grants disabled by default for clients
For adapters, session id changed after login
Session state parameter in authentication response renamed
Client Registration service endpoints moved
Adapter Subsystems only bring in dependencies if Keycloak is on
Adapter option auth-server-url-for-backend-requests removed
Default password hashing interval increased to 20K
Upgrading from 1.0.0.Final no longer supported
Authenticate by default removed from Identity Providers
Changes in Client’s Valid Redirect URIs
realm-public-key adapter property not recommended
Default max results on paginated endpoints
Infinispan caches realms and users are always local
Key encryption algorithm in SAML assertions
Server SPI split into Server SPI and Server SPI Private
Authentication sessions and Action tokens
Added session_state parameter to OpenID Connect Authentication Response
Client Templates changed to Client Scopes
Microsoft Identity Provider updated to use the Microsoft Graph API
LinkedIn Social Broker Updated to Version 2 of LinkedIn APIs
Google Identity Provider updated to use Google Sign-in authentication system
Ability to propagate prompt=none to default IDP
Client Credentials in the JavaScript adapter
Deprecated methods in token representation Java classes
Non-standard token introspection endpoint removed
Client Credentials Grant without refresh token by default
Skip creation of user session for the Docker protocol authentication
Keycloak Operator examples including unsupported Metrics extension
Deprecated features in the Keycloak Operator
Automatic Relational Database Migration