
22.0.5-nordix-4

@tsaarni tsaarni released this 17 Jun 11:11
· 4 commits to 22.0.5-nordix since this release

This release is based on Keycloak 22.0.5

What's Changed

Full Changelog:

Documentation

The following additions are implemented on top of the upstream release:

  • Add support for SASL EXTERNAL authentication for LDAP federation.
  • Add support for using PEM files as LDAP client credentials.
  • Add support for credential hot-reload for LDAP client credentials, including all credential types: PEM, PKCS#12 and JKS.
  • Add support for credential hot-reload for HTTPS server certificate, configured using the usual HTTPS server options.
  • Add support for forced password change for LDAP federated users using LDAP password policy control pwdMustChange. It is disabled by default.

Credential hot-reload

Credential hot-reload is based on the modification timestamp of the configured files. The timestamp is polled whenever the credential is used, but at most once per second; if it has changed since the last load, the file is read again.
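The polling scheme described above, as an added illustration that is not the Keycloak or Nordix implementation: the class and function names are my own, the clock and mtime sources are injectable so the throttle can be shown with a constructed sequence of times, and the only assumption is a loader that turns a file path into a credential object.

```python
"""Modification-timestamp based credential hot-reload, polled at most once per
second. Added illustration of the mechanism; not Keycloak's own code."""
import os
import tempfile
import time
from typing import Callable, List, Tuple


class HotReloadingCredential:
    """Serve the contents of a credential file, re-reading it when its mtime changes.

    get() checks the file's modification time at most every `min_interval`
    seconds (1 s by default); between checks the last loaded value is returned.
    If the file is momentarily missing (for example during an atomic rename) or
    fails to load (for example a half-written PEM), the previously loaded
    credential is kept and the load is retried on the next poll.
    """

    def __init__(self, path: str, loader: Callable[[str], object],
                 now: Callable[[], float] = time.monotonic,
                 mtime: Callable[[str], float] = os.path.getmtime,
                 min_interval: float = 1.0):
        self._path = path
        self._loader = loader
        self._now = now
        self._mtime = mtime
        self._min_interval = min_interval
        self._last_check = None    # time of the last mtime check, None until first use
        self._loaded_mtime = None  # mtime of the credential currently being served
        self._value = None
        self.reload_count = 0      # how many times the file has been (re)loaded

    def get(self):
        t = self._now()
        if self._last_check is None or t - self._last_check >= self._min_interval:
            self._last_check = t
            try:
                current = self._mtime(self._path)
                if current != self._loaded_mtime:
                    self._value = self._loader(self._path)
                    self._loaded_mtime = current
                    self.reload_count += 1
            except (OSError, ValueError):
                pass  # keep serving the previous credential; retry on the next poll
        if self._value is None:
            raise FileNotFoundError(f"credential {self._path} was never loaded")
        return self._value


def simulate_poll_sequence() -> Tuple[List[str], int]:
    """Drive the class with a fake clock and fake mtime (constructed values) to
    show the throttle: a file replaced at t=0.5 is picked up at t=1.0, not before."""
    clock = [0.0]
    file_mtime = [100.0]
    cred = HotReloadingCredential(
        "/constructed/ldap-client-key.pem",          # hypothetical path
        loader=lambda p: f"key-version-{int(file_mtime[0])}",
        now=lambda: clock[0],
        mtime=lambda p: file_mtime[0],
    )
    seen = [cred.get()]       # t=0.0: first use loads version 100
    file_mtime[0] = 101.0     # file replaced on disk
    clock[0] = 0.5
    seen.append(cred.get())   # t=0.5: within 1 s of the last check, still version 100
    clock[0] = 1.0
    seen.append(cred.get())   # t=1.0: polled again, mtime differs, reloads version 101
    clock[0] = 1.2
    seen.append(cred.get())   # t=1.2: throttled, and already current anyway
    return seen, cred.reload_count


if __name__ == "__main__":
    # Real-filesystem run: rewrite the file and wait past the 1 s poll interval.
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "client.pem")
        with open(p, "w") as f:
            f.write("-----BEGIN CONSTRUCTED V1-----")
        cred = HotReloadingCredential(p, lambda path: open(path).read())
        print(cred.get())
        time.sleep(1.1)
        with open(p, "w") as f:
            f.write("-----BEGIN CONSTRUCTED V2-----")
        time.sleep(1.1)
        print(cred.get())
```

Two caveats the comparison-by-mtime design carries: a file rewritten twice within the filesystem's timestamp granularity can have its second version missed until the next change, and a rotation that overwrites the file in place (rather than writing a new file and renaming it over the old one) can expose a partially written credential to one poll, which is why a failed load keeps the previous value instead of dropping it.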

The following new provider configuration options are introduced for configuring LDAP client credentials:

Configure credentials as PEM files

--spi-keystore-default-ldap-certificate-file=CERTIFICATE_PEM_FILENAME
--spi-keystore-default-ldap-certificate-key-file=PRIVATE_KEY_PEM_FILENAME

or alternatively as keystore file

--spi-keystore-default-ldap-keystore-file=KEYSTORE_FILENAME
--spi-keystore-default-ldap-keystore-password=PASSWORD
--spi-keystore-default-ldap-keystore-type=TYPE

The keystore type is optional and defaults to "JKS", which in practice is able to load both JKS and PKCS12 keystore files.

Password policy

Password policy control is enabled either via the admin console LDAP settings or by setting enableLdapPasswordPolicy to true in the LDAP config when creating the LDAP user storage provider via the REST API.

The feature reuses the existing update password flow: the UPDATE_PASSWORD required action is set automatically for the user when the LDAP server indicates that the user must update their password, which the server does by responding with the PasswordPolicyResponseValue error changeAfterReset. When the required action is set and the user logs in, the user is forcibly redirected to the update password page.
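To make the server-side signal concrete, here is an added example (not Keycloak code) that decodes the LDAP Password Policy response control as specified in draft-behera-ldap-password-policy and maps its changeAfterReset error to the UPDATE_PASSWORD required action. The control OID, the ASN.1 layout and the error/warning enumerations are taken from that draft; the function names and the sample control bytes are constructed for this illustration.

```python
"""Decode the LDAP Password Policy response control and decide whether the
user must be sent through a forced password update. Added illustration; the
encoding follows draft-behera-ldap-password-policy:

  PasswordPolicyResponseValue ::= SEQUENCE {
      warning [0] CHOICE { timeBeforeExpiration [0] INTEGER,
                           graceAuthNsRemaining [1] INTEGER } OPTIONAL,
      error   [1] ENUMERATED { ... changeAfterReset (2) ... } OPTIONAL }
"""
from typing import Iterable, Optional, Tuple

PASSWORD_POLICY_CONTROL_OID = "1.3.6.1.4.1.42.2.27.8.5.1"

# error ENUMERATED values defined by the draft
PP_ERRORS = {
    0: "passwordExpired",
    1: "accountLocked",
    2: "changeAfterReset",
    3: "passwordModNotAllowed",
    4: "mustSupplyOldPassword",
    5: "insufficientPasswordQuality",
    6: "passwordTooShort",
    7: "passwordTooYoung",
    8: "passwordInHistory",
}
PP_WARNINGS = {0: "timeBeforeExpiration", 1: "graceAuthNsRemaining"}


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one BER tag-length-value at pos; returns (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated control value")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated control value")
    return tag, buf[pos:pos + length], pos + length


def decode_password_policy_response(value: bytes) -> dict:
    """Parse the control value into {'warning': (name, int) | None, 'error': name | None}."""
    tag, body, end = _read_tlv(value, 0)
    if tag != 0x30 or end != len(value):
        raise ValueError("PasswordPolicyResponseValue must be a single SEQUENCE")
    result = {"warning": None, "error": None}
    pos = 0
    while pos < len(body):
        tag, inner, pos = _read_tlv(body, pos)
        if tag == 0xA0:  # warning [0]: explicit tag wrapping the CHOICE
            ctag, cval, _ = _read_tlv(inner, 0)
            name = PP_WARNINGS.get(ctag & 0x1F)
            if name is None:
                raise ValueError(f"unknown warning choice tag 0x{ctag:02x}")
            result["warning"] = (name, int.from_bytes(cval, "big"))
        elif tag == 0x81:  # error [1]: implicit tag on the ENUMERATED
            code = int.from_bytes(inner, "big")
            result["error"] = PP_ERRORS.get(code, f"unknown({code})")
        else:
            raise ValueError(f"unexpected tag 0x{tag:02x} in PasswordPolicyResponseValue")
    return result


def required_action_for_bind(response_controls: Iterable[Tuple[str, bytes]]) -> Optional[str]:
    """Given (oid, value) response controls returned by an LDAP bind, return the
    Keycloak required action to set, or None. Only changeAfterReset triggers
    the forced password change; other errors and warnings are decoded so they
    can be logged but do not set a required action here."""
    for oid, value in response_controls:
        if oid != PASSWORD_POLICY_CONTROL_OID:
            continue
        decoded = decode_password_policy_response(value)
        if decoded["error"] == "changeAfterReset":
            return "UPDATE_PASSWORD"
    return None


# Constructed sample control values (not captured from a real server)
MUST_CHANGE = b"\x30\x03\x81\x01\x02"             # error = changeAfterReset(2)
EXPIRING_SOON = b"\x30\x05\xa0\x03\x80\x01\x05"   # warning = timeBeforeExpiration(5)

if __name__ == "__main__":
    print(decode_password_policy_response(MUST_CHANGE))
    print(decode_password_policy_response(EXPIRING_SOON))
    print(required_action_for_bind([(PASSWORD_POLICY_CONTROL_OID, MUST_CHANGE)]))
```

The decoder deliberately rejects unknown tags rather than skipping them, so a malformed or unexpected control surfaces as an error in the bind path instead of silently producing no required action.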

The following limitations apply:

  • Federation must be configured with edit mode WRITABLE: federated users can only change their passwords when Keycloak is configured to synchronize attributes back to the LDAP server.
  • Federation must be configured with import users enabled: required user actions can be set only for users that exist in Keycloak database.