keycloak/docs/documentation/upgrading/topics/changes/changes-26_5_7.adoc
Marek Posolda f29249f3d7
Improve performance of scope processing in TokenManager. Limit for maximum length of OIDC parameters in Token endpoint (#478) (#47799)
closes #47716
Closes CVE-2026-4634


(cherry picked from commit b455ee4f28)

Signed-off-by: mposolda <mposolda@gmail.com>
2026-04-07 11:17:17 +02:00


== Notable changes
Notable changes may include internal behavior changes that prevent common misconfigurations, bugs that are fixed, or changes to simplify running {project_name}.
It also lists significant changes to internal APIs.
=== Maximum length of the parameters in the OIDC token endpoint
When a request is sent to the OIDC token endpoint (or the OAuth2 token endpoint), each OIDC/OAuth2 parameter is now subject to a maximum length. The maximum length of each parameter is 4,000 characters,
which is the same limit that already applies to the parameters sent in an OIDC/OAuth2 authentication request.
To increase or lower these limits, start the server with the option `req-params-default-max-size` to change the default maximum length of the
OIDC/OAuth2 parameters, or use a parameter-specific option such as `req-params-max-size` to set the limit for one specific parameter. For more details, see the `login-protocol` provider configuration in the link:{allproviderconfigguide_link}[{allproviderconfigguide_name}].
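The following is an added example, not part of the {project_name} documentation or code base, showing how an operator can verify the limit after upgrading. It builds a `client_credentials` token request whose `scope` value is one character over the 4,000-character default, models the check offline (default limit plus an optional parameter-specific override, applied to the decoded parameter value; how the server counts the length is an assumption of this model), and optionally posts the request to a token endpoint, where an oversized parameter is expected to be rejected with an error status rather than processed. The client ID, client secret, realm name and host are hypothetical.

```python
"""Probe the per-parameter length limit of an OIDC/OAuth2 token endpoint.

Added example, not Keycloak code. Assumptions: the default limit is 4,000
characters per parameter; a parameter-specific override can raise or lower
it; the server rejects a request that carries an oversized parameter.
"""
import sys
import urllib.error
import urllib.parse
import urllib.request

DEFAULT_MAX_SIZE = 4000  # documented default for every OIDC/OAuth2 parameter


def build_token_request(params):
    """Encode a token endpoint request body as application/x-www-form-urlencoded."""
    return urllib.parse.urlencode(params).encode("utf-8")


def check_param_lengths(body, default_max=DEFAULT_MAX_SIZE, per_param=None):
    """Offline model of the limit: return (name, length, limit) for every
    parameter value longer than its limit. per_param maps a parameter name to
    its own limit, standing in for a parameter-specific server option."""
    per_param = per_param or {}
    violations = []
    decoded = urllib.parse.parse_qs(body.decode("utf-8"), keep_blank_values=True)
    for name, values in decoded.items():
        limit = per_param.get(name, default_max)
        for value in values:
            if len(value) > limit:
                violations.append((name, len(value), limit))
    return violations


def oversized_token_request(param="scope", length=DEFAULT_MAX_SIZE + 1):
    """Constructed client_credentials request in which `param` has `length`
    characters; with the defaults it is exactly one character over the limit."""
    params = {
        "grant_type": "client_credentials",
        "client_id": "probe-client",      # hypothetical confidential client
        "client_secret": "probe-secret",  # hypothetical secret
        param: "x" * length,
    }
    return build_token_request(params)


def probe_token_endpoint(token_url, body, timeout=10):
    """POST the body and return the HTTP status code. For an oversized
    parameter an error status is expected instead of a token response."""
    req = urllib.request.Request(
        token_url,
        data=body,
        method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


if __name__ == "__main__":
    # Hypothetical endpoint; the realm and host are placeholders.
    url = sys.argv[1] if len(sys.argv) > 1 else \
        "https://keycloak.example/realms/myrealm/protocol/openid-connect/token"
    body = oversized_token_request()
    print("offline model flags:", check_param_lengths(body))
    if len(sys.argv) > 1:
        print("server responded with HTTP", probe_token_endpoint(url, body))
```

Run it without arguments to see the offline model flag the oversized `scope`; pass the real token endpoint URL as the first argument to send the request and observe the status the server returns. A request whose parameters are all at or below the limit should still succeed, so keep a same-sized request with a 4,000-character value as the positive control.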