
Releases: Nordix/keycloak

26.0.7-nordix-1

16 Dec 08:33

This release is based on Keycloak 26.0.7

What's Changed

  • 26.0.7-nordix-1 adds support for LDAP SASL EXTERNAL and hot-reload for HTTPS server and LDAP client credentials and includes support for forced password change for LDAP federated users using LDAP password policy control.

Full Changelog

Documentation

The following additions are implemented on top of the upstream release:

  • Add support for SASL EXTERNAL authentication for LDAP federation.
  • Add support for using PEM files as LDAP client credentials.
  • Add support for credential hot-reload for LDAP client credentials, including all credential types: PEM, PKCS#12 and JKS.
  • Add support for credential hot-reload for the HTTPS server certificate, configured using the usual HTTPS server options.
  • Add support for forced password change for LDAP federated users using the LDAP password policy control pwdMustChange. It is disabled by default.

Credential hot-reload

Credential hot-reload is based on the modification timestamp of the configured files; the timestamp is polled whenever the credential is used, but at most once per second.

The following new provider configuration options are introduced for configuring LDAP client credentials:

Configure credentials as PEM files

--spi-keystore-default-ldap-certificate-file=CERTIFICATE_PEM_FILENAME
--spi-keystore-default-ldap-certificate-key-file=PRIVATE_KEY_PEM_FILENAME

or alternatively as a keystore file

--spi-keystore-default-ldap-keystore-file=KEYSTORE_FILENAME
--spi-keystore-default-ldap-keystore-password=PASSWORD
--spi-keystore-default-ldap-keystore-type=TYPE (optional, defaults to "JKS" which in practice is able to load both JKS and PKCS12 keystore files)
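As an added illustration of the hot-reload model described above (not code from the Nordix/keycloak project, which is Java), the Python loader below re-reads a PEM certificate/key pair when either file's modification timestamp changes, checks the timestamps only when the credential is used and at most once per second, and keeps the last good pair when a rotation is incomplete (a file missing or half-written). The file names, the fake clock and the placeholder PEM bodies are constructed for the demo.

```python
import os
import shutil
import tempfile
import time


class HotReloadingCredential:
    """Serve a PEM certificate/key pair and reload it when either file's modification
    timestamp changes; the check runs only on use and at most once per MIN_POLL_INTERVAL."""

    MIN_POLL_INTERVAL = 1.0  # seconds, matching the "at most once per second" rule

    def __init__(self, cert_path, key_path, clock=time.monotonic):
        self._paths, self._clock = (cert_path, key_path), clock
        self._last_poll = None   # clock value of the last stat() poll
        self._stamps = None      # (cert mtime_ns, key mtime_ns) of the loaded pair
        self._current = None     # (cert_pem, key_pem) currently served
        self.reloads = 0
        self._maybe_reload(force=True)

    def _maybe_reload(self, force=False):
        now = self._clock()
        if not force and now - self._last_poll < self.MIN_POLL_INTERVAL:
            return                                   # rate limit: one poll per second
        self._last_poll = now
        try:
            stamps = tuple(os.stat(p).st_mtime_ns for p in self._paths)
            if stamps == self._stamps:
                return                               # nothing changed on disk
            with open(self._paths[0], "rb") as c, open(self._paths[1], "rb") as k:
                cert, key = c.read(), k.read()
        except OSError:
            return      # a file is missing/unreadable mid-rotation: keep the last good pair
        # Swap in only a pair that looks complete; a half-written file is retried next poll.
        if not (cert.startswith(b"-----BEGIN") and key.startswith(b"-----BEGIN")):
            return
        self._current, self._stamps = (cert, key), stamps
        self.reloads += 1

    def get(self):
        self._maybe_reload()
        return self._current


def _pem(kind, n):
    """Constructed placeholder PEM body; only the BEGIN marker is inspected above."""
    return f"-----BEGIN {kind}-----\nCONSTRUCTED-{n}\n-----END {kind}-----\n".encode()

def _write(path, body, mtime_s):
    with open(path, "wb") as f:
        f.write(body)
    os.utime(path, (mtime_s, mtime_s))  # explicit, distinct mtimes keep the demo deterministic

def demo():
    """Drive one credential rotation through the loader and return what a caller observed."""
    d = tempfile.mkdtemp()
    now = [100.0]                                    # fake monotonic clock, advanced by hand
    try:
        cert, key = os.path.join(d, "tls.crt"), os.path.join(d, "tls.key")
        _write(cert, _pem("CERTIFICATE", 1), 1_700_000_000)
        _write(key, _pem("PRIVATE KEY", 1), 1_700_000_000)
        cred = HotReloadingCredential(cert, key, clock=lambda: now[0])
        seen = {"initial": cred.get()[0]}
        _write(cert, _pem("CERTIFICATE", 2), 1_700_000_001)  # rotate both files on disk ...
        _write(key, _pem("PRIVATE KEY", 2), 1_700_000_001)
        seen["within_second"] = cred.get()[0]        # ... clock unchanged: old pair still served
        now[0] += 1.0
        seen["after_second"] = cred.get()[0]         # poll allowed again: new pair picked up
        os.remove(key)                               # broken rotation: the key file vanishes
        now[0] += 1.0
        seen["key_missing"] = cred.get()[0]          # last good pair is kept
        seen["reloads"] = cred.reloads
        return seen
    finally:
        shutil.rmtree(d)
```

The same timestamp-and-rate-limit pattern applies to the HTTPS server certificate and to PKCS#12/JKS keystores; only the parsing of the loaded bytes differs.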

LDAP Password policy

LDAP password policy control is enabled either via the LDAP settings in the admin console or by setting enableLdapPasswordPolicy to true in the LDAP config when creating the LDAP user storage provider via the REST API.

The feature uses the existing update-password flow: the UPDATE_PASSWORD required action is set automatically for the user when the LDAP server indicates that the user must update their password, which the server does by responding with the PasswordPolicyResponseValue error changeAfterReset. Once the required action is set, the next time the user logs in they are forcibly redirected to the update-password page.

The following limitations apply:

  • Federation must be configured with edit mode WRITABLE: federated users can only change their passwords when Keycloak is configured to synchronize attributes back to the LDAP server.
  • Federation must be configured with import users enabled: required user actions can only be set for users that exist in the Keycloak database.

22.0.5-nordix-7

31 Oct 16:55

This release is based on Keycloak 22.0.5

What's Changed

Full Changelog:

Documentation

The following additions are implemented on top of the upstream release:

  • Add support for SASL EXTERNAL authentication for LDAP federation.
  • Add support for using PEM files as LDAP client credentials.
  • Add support for credential hot-reload for LDAP client credentials, including all credential types: PEM, PKCS#12 and JKS.
  • Add support for credential hot-reload for the HTTPS server certificate, configured using the usual HTTPS server options.
  • Add support for forced password change for LDAP federated users using the LDAP password policy control pwdMustChange. It is disabled by default.

Credential hot-reload

Credential hot-reload is based on the modification timestamp of the configured files; the timestamp is polled whenever the credential is used, but at most once per second.

The following new provider configuration options are introduced for configuring LDAP client credentials:

Configure credentials as PEM files

--spi-keystore-default-ldap-certificate-file=CERTIFICATE_PEM_FILENAME
--spi-keystore-default-ldap-certificate-key-file=PRIVATE_KEY_PEM_FILENAME

or alternatively as a keystore file

--spi-keystore-default-ldap-keystore-file=KEYSTORE_FILENAME
--spi-keystore-default-ldap-keystore-password=PASSWORD
--spi-keystore-default-ldap-keystore-type=TYPE (optional, defaults to "JKS" which in practice is able to load both JKS and PKCS12 keystore files)

LDAP Password policy

LDAP password policy control is enabled either via the LDAP settings in the admin console or by setting enableLdapPasswordPolicy to true in the LDAP config when creating the LDAP user storage provider via the REST API.

The feature uses the existing update-password flow: the UPDATE_PASSWORD required action is set automatically for the user when the LDAP server indicates that the user must update their password, which the server does by responding with the PasswordPolicyResponseValue error changeAfterReset. Once the required action is set, the next time the user logs in they are forcibly redirected to the update-password page.

The following limitations apply:

  • Federation must be configured with edit mode WRITABLE: federated users can only change their passwords when Keycloak is configured to synchronize attributes back to the LDAP server.
  • Federation must be configured with import users enabled: required user actions can only be set for users that exist in the Keycloak database.

26.0.0-nordix-1

09 Oct 11:57

This release is based on Keycloak 26.0.0

What's Changed

  • 26.0.0-nordix-1 adds support for LDAP SASL EXTERNAL and hot-reload for HTTPS server and LDAP client credentials and includes support for forced password change for LDAP federated users using LDAP password policy control.

Full Changelog

Documentation

The following additions are implemented on top of the upstream release:

  • Add support for SASL EXTERNAL authentication for LDAP federation.
  • Add support for using PEM files as LDAP client credentials.
  • Add support for credential hot-reload for LDAP client credentials, including all credential types: PEM, PKCS#12 and JKS.
  • Add support for credential hot-reload for the HTTPS server certificate, configured using the usual HTTPS server options.
  • Add support for forced password change for LDAP federated users using the LDAP password policy control pwdMustChange. It is disabled by default.

Credential hot-reload

Credential hot-reload is based on the modification timestamp of the configured files; the timestamp is polled whenever the credential is used, but at most once per second.

The following new provider configuration options are introduced for configuring LDAP client credentials:

Configure credentials as PEM files

--spi-keystore-default-ldap-certificate-file=CERTIFICATE_PEM_FILENAME
--spi-keystore-default-ldap-certificate-key-file=PRIVATE_KEY_PEM_FILENAME

or alternatively as a keystore file

--spi-keystore-default-ldap-keystore-file=KEYSTORE_FILENAME
--spi-keystore-default-ldap-keystore-password=PASSWORD
--spi-keystore-default-ldap-keystore-type=TYPE (optional, defaults to "JKS" which in practice is able to load both JKS and PKCS12 keystore files)

LDAP Password policy

LDAP password policy control is enabled either via the LDAP settings in the admin console or by setting enableLdapPasswordPolicy to true in the LDAP config when creating the LDAP user storage provider via the REST API.

The feature uses the existing update-password flow: the UPDATE_PASSWORD required action is set automatically for the user when the LDAP server indicates that the user must update their password, which the server does by responding with the PasswordPolicyResponseValue error changeAfterReset. Once the required action is set, the next time the user logs in they are forcibly redirected to the update-password page.

The following limitations apply:

  • Federation must be configured with edit mode WRITABLE: federated users can only change their passwords when Keycloak is configured to synchronize attributes back to the LDAP server.
  • Federation must be configured with import users enabled: required user actions can only be set for users that exist in the Keycloak database.

22.0.5-nordix-6

30 Sep 09:42

This release is based on Keycloak 22.0.5

What's Changed

Full Changelog:

Documentation

The following additions are implemented on top of the upstream release:

  • Add support for SASL EXTERNAL authentication for LDAP federation.
  • Add support for using PEM files as LDAP client credentials.
  • Add support for credential hot-reload for LDAP client credentials, including all credential types: PEM, PKCS#12 and JKS.
  • Add support for credential hot-reload for the HTTPS server certificate, configured using the usual HTTPS server options.
  • Add support for forced password change for LDAP federated users using the LDAP password policy control pwdMustChange. It is disabled by default.

Credential hot-reload

Credential hot-reload is based on the modification timestamp of the configured files; the timestamp is polled whenever the credential is used, but at most once per second.

The following new provider configuration options are introduced for configuring LDAP client credentials:

Configure credentials as PEM files

--spi-keystore-default-ldap-certificate-file=CERTIFICATE_PEM_FILENAME
--spi-keystore-default-ldap-certificate-key-file=PRIVATE_KEY_PEM_FILENAME

or alternatively as a keystore file

--spi-keystore-default-ldap-keystore-file=KEYSTORE_FILENAME
--spi-keystore-default-ldap-keystore-password=PASSWORD
--spi-keystore-default-ldap-keystore-type=TYPE (optional, defaults to "JKS" which in practice is able to load both JKS and PKCS12 keystore files)

LDAP Password policy

LDAP password policy control is enabled either via the LDAP settings in the admin console or by setting enableLdapPasswordPolicy to true in the LDAP config when creating the LDAP user storage provider via the REST API.

The feature uses the existing update-password flow: the UPDATE_PASSWORD required action is set automatically for the user when the LDAP server indicates that the user must update their password, which the server does by responding with the PasswordPolicyResponseValue error changeAfterReset. Once the required action is set, the next time the user logs in they are forcibly redirected to the update-password page.

The following limitations apply:

  • Federation must be configured with edit mode WRITABLE: federated users can only change their passwords when Keycloak is configured to synchronize attributes back to the LDAP server.
  • Federation must be configured with import users enabled: required user actions can only be set for users that exist in the Keycloak database.

X509 client certificate lookup for Envoy proxy

The following command-line parameter enables X509 client certificate lookup from Envoy's x-forwarded-client-cert HTTP header:

--spi-x509cert-lookup-provider=envoy

For further information about using the feature see here.

24.0.4-nordix-1

23 Aug 11:05

This release is based on Keycloak 24.0.4.

What's Changed

24.0.4-nordix-1

Full Changelog

Documentation

The following new functionality is implemented on top of the upstream release:

  • Add support for SASL EXTERNAL authentication for LDAP federation.
  • Add support for using PEM files as LDAP client credentials.
  • Add support for credential hot-reload for LDAP client credentials, including all credential types: PEM, PKCS#12 and JKS.
  • Add support for credential hot-reload for the HTTPS server certificate, configured using the usual HTTPS server options.
  • Add support for forced password change for LDAP federated users using the LDAP password policy control pwdMustChange. It is disabled by default.

Credential hot-reload

Credential hot-reload is based on the modification timestamp of the configured files; the timestamp is polled whenever the credential is used, but at most once per second.

The following new provider configuration options are introduced for configuring LDAP client credentials:

Configure credentials as PEM files

--spi-keystore-default-ldap-certificate-file=CERTIFICATE_PEM_FILENAME
--spi-keystore-default-ldap-certificate-key-file=PRIVATE_KEY_PEM_FILENAME

or alternatively as a keystore file

--spi-keystore-default-ldap-keystore-file=KEYSTORE_FILENAME
--spi-keystore-default-ldap-keystore-password=PASSWORD
--spi-keystore-default-ldap-keystore-type=TYPE (optional, defaults to "JKS" which in practice is able to load both JKS and PKCS12 keystore files)

Password policy

Password policy control is enabled either via the LDAP settings in the admin console or by setting enableLdapPasswordPolicy to true in the LDAP config when creating the LDAP user storage provider via the REST API.

The feature uses the existing update-password flow: the UPDATE_PASSWORD required action is set automatically for the user when the LDAP server indicates that the user must update their password, which the server does by responding with the PasswordPolicyResponseValue error changeAfterReset. Once the required action is set, the next time the user logs in they are forcibly redirected to the update-password page.

The following limitations apply:

  • Federation must be configured with edit mode WRITABLE: federated users can only change their passwords when Keycloak is configured to synchronize attributes back to the LDAP server.
  • Federation must be configured with import users enabled: required user actions can only be set for users that exist in the Keycloak database.

22.0.5-nordix-5

24 Jun 19:02

This release is based on Keycloak 22.0.5

What's Changed

Full Changelog:

Documentation

The following additions are implemented on top of the upstream release:

  • Add support for SASL EXTERNAL authentication for LDAP federation.
  • Add support for using PEM files as LDAP client credentials.
  • Add support for credential hot-reload for LDAP client credentials, including all credential types: PEM, PKCS#12 and JKS.
  • Add support for credential hot-reload for the HTTPS server certificate, configured using the usual HTTPS server options.
  • Add support for forced password change for LDAP federated users using the LDAP password policy control pwdMustChange. It is disabled by default.

Credential hot-reload

Credential hot-reload is based on the modification timestamp of the configured files; the timestamp is polled whenever the credential is used, but at most once per second.

The following new provider configuration options are introduced for configuring LDAP client credentials:

Configure credentials as PEM files

--spi-keystore-default-ldap-certificate-file=CERTIFICATE_PEM_FILENAME
--spi-keystore-default-ldap-certificate-key-file=PRIVATE_KEY_PEM_FILENAME

or alternatively as a keystore file

--spi-keystore-default-ldap-keystore-file=KEYSTORE_FILENAME
--spi-keystore-default-ldap-keystore-password=PASSWORD
--spi-keystore-default-ldap-keystore-type=TYPE (optional, defaults to "JKS" which in practice is able to load both JKS and PKCS12 keystore files)

Password policy

Password policy control is enabled either via the LDAP settings in the admin console or by setting enableLdapPasswordPolicy to true in the LDAP config when creating the LDAP user storage provider via the REST API.

The feature uses the existing update-password flow: the UPDATE_PASSWORD required action is set automatically for the user when the LDAP server indicates that the user must update their password, which the server does by responding with the PasswordPolicyResponseValue error changeAfterReset. Once the required action is set, the next time the user logs in they are forcibly redirected to the update-password page.

The following limitations apply:

  • Federation must be configured with edit mode WRITABLE: federated users can only change their passwords when Keycloak is configured to synchronize attributes back to the LDAP server.
  • Federation must be configured with import users enabled: required user actions can only be set for users that exist in the Keycloak database.

22.0.5-nordix-4

17 Jun 11:11

This release is based on Keycloak 22.0.5

What's Changed

Full Changelog:

Documentation

The following additions are implemented on top of the upstream release:

  • Add support for SASL EXTERNAL authentication for LDAP federation.
  • Add support for using PEM files as LDAP client credentials.
  • Add support for credential hot-reload for LDAP client credentials, including all credential types: PEM, PKCS#12 and JKS.
  • Add support for credential hot-reload for the HTTPS server certificate, configured using the usual HTTPS server options.
  • Add support for forced password change for LDAP federated users using the LDAP password policy control pwdMustChange. It is disabled by default.

Credential hot-reload

Credential hot-reload is based on the modification timestamp of the configured files; the timestamp is polled whenever the credential is used, but at most once per second.

The following new provider configuration options are introduced for configuring LDAP client credentials:

Configure credentials as PEM files

--spi-keystore-default-ldap-certificate-file=CERTIFICATE_PEM_FILENAME
--spi-keystore-default-ldap-certificate-key-file=PRIVATE_KEY_PEM_FILENAME

or alternatively as a keystore file

--spi-keystore-default-ldap-keystore-file=KEYSTORE_FILENAME
--spi-keystore-default-ldap-keystore-password=PASSWORD
--spi-keystore-default-ldap-keystore-type=TYPE (optional, defaults to "JKS" which in practice is able to load both JKS and PKCS12 keystore files)

Password policy

Password policy control is enabled either via the LDAP settings in the admin console or by setting enableLdapPasswordPolicy to true in the LDAP config when creating the LDAP user storage provider via the REST API.

The feature uses the existing update-password flow: the UPDATE_PASSWORD required action is set automatically for the user when the LDAP server indicates that the user must update their password, which the server does by responding with the PasswordPolicyResponseValue error changeAfterReset. Once the required action is set, the next time the user logs in they are forcibly redirected to the update-password page.

The following limitations apply:

  • Federation must be configured with edit mode WRITABLE: federated users can only change their passwords when Keycloak is configured to synchronize attributes back to the LDAP server.
  • Federation must be configured with import users enabled: required user actions can only be set for users that exist in the Keycloak database.

22.0.5-nordix-3

12 Jun 04:31

This release is based on Keycloak 22.0.5

What's Changed

  • 22.0.5-nordix-3 includes support for forced password change for LDAP federated users using LDAP password policy control pwdMustChange. It is disabled by default.
  • 22.0.5-nordix-2 includes backports of fixes for CVE-2023-6291 and CVE-2024-2419
  • 22.0.5-nordix-1 adds support for LDAP SASL EXTERNAL and hot-reload for HTTPS server and LDAP client credentials #234

Full Changelog:

Documentation

The following additions are implemented on top of the upstream release:

  • Add support for SASL EXTERNAL authentication for LDAP federation.
  • Add support for using PEM files as LDAP client credentials.
  • Add support for credential hot-reload for LDAP client credentials, including all credential types: PEM, PKCS#12 and JKS.
  • Add support for credential hot-reload for the HTTPS server certificate, configured using the usual HTTPS server options.
  • Add support for forced password change for LDAP federated users using the LDAP password policy control pwdMustChange. It is disabled by default.

Credential hot-reload

Credential hot-reload is based on the modification timestamp of the configured files; the timestamp is polled whenever the credential is used, but at most once per second.

The following new provider configuration options are introduced for configuring LDAP client credentials:

Configure credentials as PEM files

--spi-keystore-default-ldap-certificate-file=CERTIFICATE_PEM_FILENAME
--spi-keystore-default-ldap-certificate-key-file=PRIVATE_KEY_PEM_FILENAME

or alternatively as a keystore file

--spi-keystore-default-ldap-keystore-file=KEYSTORE_FILENAME
--spi-keystore-default-ldap-keystore-password=PASSWORD
--spi-keystore-default-ldap-keystore-type=TYPE (optional, defaults to "JKS" which in practice is able to load both JKS and PKCS12 keystore files)

Password policy

Password policy control is enabled either via the LDAP settings in the admin console or by setting enableLdapPasswordPolicy to true in the LDAP config when creating the LDAP user storage provider via the REST API.

The feature uses the existing update-password flow: the UPDATE_PASSWORD required action is set automatically for the user when the LDAP server indicates that the user must update their password, which the server does by responding with the PasswordPolicyResponseValue error changeAfterReset. Once the required action is set, the next time the user logs in they are forcibly redirected to the update-password page.

The following limitations apply:

  • Federation must be configured with edit mode WRITABLE: federated users can only change their passwords when Keycloak is configured to synchronize attributes back to the LDAP server.
  • Federation must be configured with import users enabled: required user actions can only be set for users that exist in the Keycloak database.

22.0.5-nordix-2

29 May 07:34

This release is based on Keycloak 22.0.5

What's Changed

  • 22.0.5-nordix-2 includes backports of fixes for CVE-2023-6291 and CVE-2024-2419
  • 22.0.5-nordix-1 adds support for LDAP SASL EXTERNAL and hot-reload for HTTPS server and LDAP client credentials #234

Full Changelog:

Documentation

The following additions are implemented on top of the upstream release:

  • Add support for SASL EXTERNAL authentication for LDAP federation.
  • Add support for using PEM files as LDAP client credentials.
  • Add support for credential hot-reload for LDAP client credentials, including all credential types: PEM, PKCS#12 and JKS.
  • Add support for credential hot-reload for the HTTPS server certificate, configured using the usual HTTPS server options.

Credential hot-reload is based on the modification timestamp of the configured files; the timestamp is polled whenever the credential is used, but at most once per second.

The following new provider configuration options are introduced for configuring LDAP client credentials:

Configure credentials as PEM files

--spi-keystore-default-ldap-certificate-file=CERTIFICATE_PEM_FILENAME
--spi-keystore-default-ldap-certificate-key-file=PRIVATE_KEY_PEM_FILENAME

or alternatively as a keystore file

--spi-keystore-default-ldap-keystore-file=KEYSTORE_FILENAME
--spi-keystore-default-ldap-keystore-password=PASSWORD
--spi-keystore-default-ldap-keystore-type=TYPE (optional, defaults to "JKS" which in practice is able to load both JKS and PKCS12 keystore files)

22.0.5-nordix-1

02 Nov 13:35
8971df6

This release is based on Keycloak 22.0.5

What's Changed

Full Changelog: https://github.com/Nordix/keycloak/commits/22.0.5-nordix-1

Documentation

The following additions are implemented on top of the upstream release:

  • Add support for SASL EXTERNAL authentication for LDAP federation.
  • Add support for using PEM files as LDAP client credentials.
  • Add support for credential hot-reload for LDAP client credentials, including all credential types: PEM, PKCS#12 and JKS.
  • Add support for credential hot-reload for the HTTPS server certificate, configured using the usual HTTPS server options.

Credential hot-reload is based on the modification timestamp of the configured files; the timestamp is polled whenever the credential is used, but at most once per second.

The following new provider configuration options are introduced for configuring LDAP client credentials:

Configure credentials as PEM files

--spi-keystore-default-ldap-certificate-file=CERTIFICATE_PEM_FILENAME
--spi-keystore-default-ldap-certificate-key-file=PRIVATE_KEY_PEM_FILENAME

or alternatively as a keystore file

--spi-keystore-default-ldap-keystore-file=KEYSTORE_FILENAME
--spi-keystore-default-ldap-keystore-password=PASSWORD
--spi-keystore-default-ldap-keystore-type=TYPE (optional, defaults to "JKS" which in practice is able to load both JKS and PKCS12 keystore files)