mirror of
https://github.com/keycloak/keycloak.git
synced 2026-04-12 12:36:35 -04:00
24 lines
1.6 KiB
Text
== Breaking changes

Breaking changes are identified as those that might require changes for existing users to their configurations or applications.
In minor or patch releases, {project_name} will only introduce breaking changes to fix bugs.

=== Corrected encoding when sending OpenID Connect client secrets when acting as a broker

In a scenario where {project_name} acts as a broker and connects via OpenID Connect to another identity provider, it now sends the client credentials via basic authentication in the correct encoding as specified in RFC6749.
You are not affected if you configured {project_name} to send the credentials in the request body.

This prevents problems with client IDs or passwords that contain, for example, a colon or a percentage sign.

To revert to the old behavior, change the client authentication to the deprecated option *Client secret sent as HTTP Basic authentication without URL encoding* (`client_secret_basic_unencoded`).

// ------------------------ Deprecated features ------------------------ //
== Deprecated features

The following sections provide details on deprecated features.

=== Sending OpenID Connect client secret via basic authentication without URL encoding

In a scenario where {project_name} acts as a broker and connects via OpenID Connect to another identity provider, you can choose to send the client secret as *Client secret sent as HTTP Basic authentication without URL encoding* (`client_secret_basic_unencoded`). While this violates RFC6749, it can be used to keep the default behavior of earlier versions of {project_name}.

This behavior is deprecated and will be removed in a future version of Keycloak.
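
The following added example, which is not part of the {project_name} code base, illustrates both the corrected encoding and the deprecated `client_secret_basic_unencoded` form by building each header and reading it back. The function names, the constructed sample credentials, and the receiver model (an identity provider that decodes strictly per RFC 6749 section 2.3.1) are assumptions made for illustration.

```python
import base64
from urllib.parse import quote_plus, unquote_plus


def _basic(pair: str) -> str:
    return "Basic " + base64.b64encode(pair.encode("utf-8")).decode("ascii")


def basic_encoded(client_id: str, client_secret: str) -> str:
    """RFC 6749 section 2.3.1: form-urlencode each value, then join with ':'."""
    return _basic(f"{quote_plus(client_id)}:{quote_plus(client_secret)}")


def basic_unencoded(client_id: str, client_secret: str) -> str:
    """Legacy form (client_secret_basic_unencoded): raw values joined with ':'."""
    return _basic(f"{client_id}:{client_secret}")


def parse_strict(header: str) -> tuple[str, str]:
    """Model of a strictly compliant receiver: split at the first ':', then decode."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic authorization header")
    raw = base64.b64decode(token, validate=True).decode("utf-8")
    client_id, sep, client_secret = raw.partition(":")
    if not sep:
        raise ValueError("missing ':' separator")
    return unquote_plus(client_id), unquote_plus(client_secret)


def survives(build, client_id: str, client_secret: str) -> bool:
    """True if the receiver recovers exactly the credentials that were sent."""
    return parse_strict(build(client_id, client_secret)) == (client_id, client_secret)


# Constructed sample credentials, not taken from any real deployment.
SAMPLES = [
    ("broker", "s3cretValue"),          # no reserved characters
    ("urn:broker:app", "s3cretValue"),  # colon in the client ID
    ("broker", "p%41ss+word"),          # percent sign and plus in the secret
]

if __name__ == "__main__":
    for cid, secret in SAMPLES:
        print(f"{cid!r:18} encoded={survives(basic_encoded, cid, secret)!s:5} "
              f"unencoded={survives(basic_unencoded, cid, secret)}")
```

Credentials without reserved characters produce the same header in both modes, so only client IDs or secrets containing characters such as a colon, a percent sign or a plus sign change on the wire after the upgrade.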