Updates to release notes, including generating html file to upload to…

… GitHub releases

Signed-off-by: stianst <[email protected]>

cache/changelogs/changelog-21_0_0.json → cache/releases/21.0.0/changelog.json

@@ -2441,13 +2441,6 @@
   "kind" : "bug",
   "area" : "admin/client-js",
   "url" : "https://github.com/keycloak/keycloak/issues/16899"
-}, {
-  "number" : 16900,
-  "repository" : "keycloak",
-  "title" : "Documentation for handling errors",
-  "kind" : "enhancement",
-  "area" : "admin/client-js",
-  "url" : "https://github.com/keycloak/keycloak/issues/16900"
 }, {
   "number" : 16901,
   "repository" : "keycloak",

cache/changelogs/changelog-21_1_0.json → cache/releases/21.1.0/changelog.json

@@ -243,6 +243,13 @@
   "kind" : "task",
   "area" : null,
   "url" : "https://github.com/keycloak/keycloak/issues/16730"
+}, {
+  "number" : 16782,
+  "repository" : "keycloak",
+  "title" : "CVE-2020-29582 - Information Exposure vulnerability in org.jetbrains.kotlin:kotlin-stdlib",
+  "kind" : "cve",
+  "area" : "dependencies",
+  "url" : "https://github.com/keycloak/keycloak/issues/16782"
 }, {
   "number" : 16844,
   "repository" : "keycloak",

cache/releases/21.1.0/release-notes.html

@@ -0,0 +1,78 @@
+<div class="sect2">
+<h3 id="_monorepo">Monorepo</h3>
+<div class="paragraph">
+<p>In the past Keycloak was maintained across multiple GitHub repositories:</p>
+</div>
+<div class="ulist">
+<ul>
+<li>
+<p><a href="https://github.com/keycloak/keycloak-documentation">Documentation repository</a></p>
+</li>
+<li>
+<p><a href="https://github.com/keycloak/keycloak-ui">UI repository</a></p>
+</li>
+<li>
+<p><a href="https://github.com/keycloak/keycloak-nodejs-admin-client">Node.js admin client repository</a></p>
+</li>
+</ul>
+</div>
+<div class="paragraph">
+<p>Having multiple repositories introduced a lot of complexity and toil. For example frequently multiple pull requests had to be sent
+to different repositories for a single change.</p>
+</div>
+<div class="paragraph">
+<p>To simplify things we have now migrated everything into the <a href="https://github.com/keycloak/keycloak">main repository</a>.</p>
+</div>
+</div>
+<div class="sect2">
+<h3 id="_fips_140_2_support">FIPS 140-2 support</h3>
+<div class="paragraph">
+<p>FIPS 140-2 support in Keycloak, which was preview in the previous release, is now promoted to be officially supported.</p>
+</div>
+</div>
+<div class="sect2">
+<h3 id="_experimental_account_console_version_3">Experimental Account Console version 3</h3>
+<div class="paragraph">
+<p>The Account Console version 3 is now available as an experimental feature in Keycloak. This version supports custom fields created with the 'User Profile' feature. If you are looking to try it out and provide us with some early feedback you can enable it as follows:</p>
+</div>
+<div class="listingblock">
+<div class="content">
+<pre class="highlight"><code>bin/kc.sh start-dev --features=account3</code></pre>
+</div>
+</div>
+</div>
+<div class="sect2">
+<h3 id="_changes_to_keycloak_authorization_services_support_in_keycloak_java_based_adapters">Changes to Keycloak Authorization Services support in Keycloak Java-based Adapters</h3>
+<div class="paragraph">
+<p>As part of the removal of the <a href="https://www.keycloak.org/2023/03/adapter-deprecation-update">deprecated</a> adapters, the Keycloak Policy Enforcer was extracted from the adapters code base
+into a separate dependency:</p>
+</div>
+<div class="listingblock">
+<div class="content">
+<pre class="highlight"><code class="language-xml" data-lang="xml">&lt;dependency&gt;
+    &lt;groupId&gt;org.keycloak&lt;/groupId&gt;
+    &lt;artifactId&gt;keycloak-policy-enforcer&lt;/artifactId&gt;
+    &lt;version&gt;21.1.0&lt;/version&gt;
+&lt;/dependency&gt;</code></pre>
+</div>
+</div>
+<div class="paragraph">
+<p>By providing this dependency, we expect making it possible to integrate the policy enforcer with the Java stack of your preference.</p>
+</div>
+<div class="paragraph">
+<p>It also provides built-in support for enabling the policy enforcer to Jakarta applications protected with <a href="https://docs.wildfly.org/26/Admin_Guide.html#Elytron_OIDC_Client">Wildfly Elytron</a>.</p>
+</div>
+<div class="paragraph">
+<p>For now, this dependency is not yet GA as we are still working on the quickstarts and documentation.</p>
+</div>
+<div class="paragraph">
+<p>This work should not impact existing applications using the deprecated adapters.</p>
+</div>
+</div>
+<div class="sect2">
+<h3 id="_javascript_engine_available_by_default">Javascript engine available by default</h3>
+<div class="paragraph">
+<p>In the previous version, when Keycloak was used on Java 17 with Javascript providers it was needed to add the Nashorn
+javascript engine to the distribution. This is no longer needed as Nashorn javascript engine is available in Keycloak server by default.</p>
+</div>
+</div>

cache/releases/21.1.2/release-notes.html

@@ -0,0 +1,6 @@
+<div class="sect2">
+<h3 id="_changes_in_validating_schemes_for_valid_redirect_uris">Changes in validating schemes for valid redirect URIs</h3>
+<div class="paragraph">
+<p>If an application client is using non http(s) custom schemes, from now on the validation requires that a valid redirect pattern explicitly allows that scheme. Example patterns for allowing <code>custom</code> scheme are <code>custom:/test</code>, <code>custom:/test/*</code> or <code>custom:*</code>. For security reasons a general pattern like <code>*</code> does not cover them anymore.</p>
+</div>
+</div>

cache/releases/22.0.0/release-notes.html

@@ -0,0 +1,207 @@
+<div class="sect2">
+<h3 id="_server_distribution">Server Distribution</h3>
+<div class="sect3">
+<h4 id="_java_11_support_removed">Java 11 support removed</h4>
+<div class="paragraph">
+<p>Running the Keycloak server with Java 11 is no longer supported. Java 11 was deprecated in Keycloak 21 with the announced plan to be removed in Keycloak 22.</p>
+</div>
+</div>
+<div class="sect3">
+<h4 id="_upgrade_to_quarkus_3_x">Upgrade to Quarkus 3.x</h4>
+<div class="paragraph">
+<p>Keycloak upgraded to version 3.2.0.Final of the Quarkus Java framework.
+Quarkus 3.x continues the tradition of propelling Java development by moving fast and providing a cutting-edge user experience with the latest technologies.</p>
+</div>
+<div class="sect4">
+<h5 id="_transition_from_java_ee_to_jakarta_ee">Transition from Java EE to Jakarta EE</h5>
+<div class="paragraph">
+<p>As part of upgrading to Quarkus 3.x Keycloak migrated its codebase from Java EE (Enterprise Edition) to its successor Jakarta EE, which brings various changes into Keycloak.
+We have upgraded all Jakarta EE specifications in order to support Jakarta EE 10.</p>
+</div>
+</div>
+<div class="sect4">
+<h5 id="_context_and_dependency_injection_no_longer_enabled_to_jax_rs_resources">Context and dependency injection no longer enabled to JAX-RS Resources</h5>
+<div class="paragraph">
+<p>In order to provide a better runtime and leverage as much as possible the underlying stack,
+all injection points for contextual data using the <code>javax.ws.rs.core.Context</code> annotation were removed. The expected improvement
+in performance involves no longer creating proxies instances multiple times during the request lifecycle, and drastically reducing the amount of reflection code at runtime.</p>
+</div>
+</div>
+</div>
+<div class="sect3">
+<h4 id="_upgrade_to_hibernate_orm_6">Upgrade to Hibernate ORM 6</h4>
+<div class="paragraph">
+<p>Keycloak now benefits from the upgrade to Hibernate ORM 6.2, which includes improved performance, better SQL, modern JDK support, and support for modern RDBMS features.</p>
+</div>
+</div>
+<div class="sect3">
+<h4 id="_elytron_credential_store_replacement">Elytron credential store replacement</h4>
+<div class="paragraph">
+<p>The previous and now removed WildFly distribution provided a built-in vault provider that reads secrets from a keystore-backed Elytron credential store. As this is no longer available, we have added a new implementation of the Keycloak Vault SPI called Keycloak KeyStore Vault. As the name suggests, this implementation reads secrets from a Java keystore file. Such secrets can be then used within multiple places of the Administration Console. For further details, see <a href="https://www.keycloak.org/server/vault">our guide</a> and the latest <a href="https://www.keycloak.org/docs/latest/server_admin/index.html#_vault-administration">documentation</a>.</p>
+</div>
+</div>
+<div class="sect3">
+<h4 id="_keystore_config_source_added">KeyStore Config Source added</h4>
+<div class="paragraph">
+<p>In relation to the KeyStore Vault news, we also integrated Quarkus&#8217;s recently released feature called KeyStore Config Source. This means that among the already existing configuration sources (CLI parameters, environment variables and files), you can now configure your Keycloak server via configuration properties stored in a Java keystore file. You can learn more about this feature in the <a href="https://www.keycloak.org/server/configuration">Configuration guide</a>.</p>
+</div>
+</div>
+<div class="sect3">
+<h4 id="_hostname_debug_tool">Hostname debug tool</h4>
+<div class="paragraph">
+<p>As a number of users have had problems with configuring the hostname for the server correctly there is now a new helper tool to allow debugging the configuration.</p>
+</div>
+</div>
+<div class="sect3">
+<h4 id="_passthrough_proxy_mode_changes">Passthrough proxy mode changes</h4>
+<div class="paragraph">
+<p>Installations which use Keycloak&#8217;s <code>--proxy</code> configuration setting with mode <strong>passthrough</strong> should review the documentation as the behavior of this mode has changed.</p>
+</div>
+</div>
+<div class="sect3">
+<h4 id="_export_and_import_perform_an_automatic_build">Export and Import perform an automatic build</h4>
+<div class="paragraph">
+<p>In previous releases, the <code>export</code> and <code>import</code> commands required a <code>build</code> command to be run first.
+Starting with this release, the <code>export</code> and <code>import</code> commands perform an automatic rebuild of Keycloak if a build time configuration has changed.</p>
+</div>
+</div>
+</div>
+<div class="sect2">
+<h3 id="_admin_console">Admin Console</h3>
+<div class="sect3">
+<h4 id="_account_console_v1_removal">Account Console v1 removal</h4>
+<div class="paragraph">
+<p>The old Account Console (v1) is now completely removed. This version of the Account Console was marked as deprecated
+in Keycloak 12.</p>
+</div>
+</div>
+<div class="sect3">
+<h4 id="_account_console_v3_promoted_to_preview">Account Console v3 promoted to preview</h4>
+<div class="paragraph">
+<p>In version 21.1.0 of Keycloak the new Account Console (version 3) was introduced as an experimental feature. Starting this version it has been promoted to a preview feature.</p>
+</div>
+</div>
+<div class="sect3">
+<h4 id="_account_console_template_variables_removed">Account Console template variables removed</h4>
+<div class="paragraph">
+<p>Two of the variables exposed to the Account Console V2 and V3 templates (<code>isEventsEnabled</code> and <code>isTotpConfigured</code>) were left unused, and have been removed in this release.</p>
+</div>
+<div class="paragraph">
+<p>It is possible that if a developer extended the Account Console theme, he or she could make use of these variables. So make sure that these variables are no longer used if you are extending the base theme.</p>
+</div>
+</div>
+<div class="sect3">
+<h4 id="_changes_to_custom_admin_console_messages">Changes to custom Admin Console messages</h4>
+<div class="paragraph">
+<p>The Admin Console (and soon also the new Account Console) works slightly different than the rest of Keycloak in regards to how keys for internationalized messages are parsed. This is due to the fact that it uses the <a href="https://www.i18next.com/">i18next</a> library for internationalization. Therefore when defining custom messages for the Admin Console under "Realm Settings" ➡ "Localization" best practices for i18next must be taken into account. Specifically, when defining a message for the Admin Console it is it important to specify a <a href="https://www.i18next.com/principles/namespaces">namespace</a> in the key of your message.</p>
+</div>
+<div class="paragraph">
+<p>For example, let&#8217;s assume we want to overwrite the <a href="https://github.com/keycloak/keycloak/blob/025778fe9c745316f80b53fe3052aeb314e868ef/js/apps/admin-ui/public/locales/en/dashboard.json#L3"><code>welcome</code></a> message shown to the user when a new realm has been created. This message is located in the <code>dashboard</code> namespace, same as the name of the original file that holds the messages (<code>dashboard.json</code>). If we wanted to overwrite this message we&#8217;ll have to use the namespace as a prefix followed by the key of the message separated by a colon, in this case it would become <code>dashboard:welcome</code>.</p>
+</div>
+</div>
+</div>
+<div class="sect2">
+<h3 id="_javascript_adapter">JavaScript adapter</h3>
+<div class="sect3">
+<h4 id="_legacy_promise_api_removed">Legacy Promise API removed</h4>
+<div class="paragraph">
+<p>With this release, we have removed the legacy Promise API methods from the Keycloak JS adapter. This means that calling <code>.success()</code> and <code>.error()</code> on promises returned from the adapter is no longer possible.</p>
+</div>
+</div>
+<div class="sect3">
+<h4 id="_required_to_be_instantiated_with_the_new_operator">Required to be instantiated with the <code>new</code> operator</h4>
+<div class="paragraph">
+<p>In a previous release we started to actively log deprecation warnings when the Keycloak JS adapter is constructed without the <code>new</code> operator. Starting this release doing so will throw an exception instead. This is to align with the expected behavior of <a href="https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Classes">JavaScript classes</a>, which will allow further refactoring of the adapter in the future.</p>
+</div>
+</div>
+</div>
+<div class="sect2">
+<h3 id="_admin_api">Admin API</h3>
+<div class="sect3">
+<h4 id="_renamed_admin_library_artifacts">Renamed Admin library artifacts</h4>
+<div class="paragraph">
+<p>After the upgrade to Jakarta EE, artifacts for Keycloak Admin clients were renamed to more descriptive names with consideration for long-term maintainability.
+We still provide two separate Keycloak Admin clients, one with Jakarta EE and the other with Java EE support.</p>
+</div>
+</div>
+<div class="sect3">
+<h4 id="_support_for_count_users_based_on_custom_attributes">Support for count users based on custom attributes</h4>
+<div class="paragraph">
+<p>The User API now supports querying the number of users based on custom attributes. For that, a new <code>q</code> parameter was added to the <code>/{realm}/users/count</code> endpoint.</p>
+</div>
+<div class="paragraph">
+<p>The <code>q</code> parameter expects the following format <code>q=&lt;name&gt;:&lt;value&gt; &lt;name&gt;:&lt;value&gt;</code>. Where <code>&lt;name&gt;</code> and <code>&lt;value&gt;</code> represent the attribute name and value, respectively.</p>
+</div>
+</div>
+</div>
+<div class="sect2">
+<h3 id="_operator">Operator</h3>
+<div class="sect3">
+<h4 id="_k8s_keycloak_orgv2alpha1_changes">k8s.keycloak.org/v2alpha1 changes</h4>
+<div class="paragraph">
+<p>The are additional fields available in the keycloak.status to facilitate keycloak being a scalable resource. There are also additional fields that make the status easier to interpret such as observedGeneration and condition observedGeneration and lastTransitionTime fields.</p>
+</div>
+<div class="paragraph">
+<p>The condition status field was changed from a boolean to a string for conformance with standard Kubernetes conditions. In the CRD it will temporarily be represented as accepting any content, but it will only ever be a string.  Please make sure any of your usage of this field is updated to expect the values "True", "False", or "Unknown", rather than true or false.</p>
+</div>
+</div>
+<div class="sect3">
+<h4 id="_co_management_of_operator_resources">Co-management of Operator Resources</h4>
+<div class="paragraph">
+<p>In scenarios where advanced management is needed you may now directly update most fields on operator managed resources that have not been set by the operator directly. This can be used as an alternative to the unsupported stanza of the Keycloak spec. Like the unsupported stanza these direct modifications are not considered supported. If your modifications prevent the operator from being able to manage the resource, there Keycloak CR will show this error condition and the operator will log it.</p>
+</div>
+</div>
+</div>
+<div class="sect2">
+<h3 id="_identity_brokering">Identity Brokering</h3>
+<div class="sect3">
+<h4 id="_essential_claim_configuration_in_openid_connect_identity_providers">Essential claim configuration in OpenID Connect identity providers</h4>
+<div class="paragraph">
+<p>OpenID Connect identity providers support a new configuration to specify that the ID tokens issued by the identity provider must have a specific claim,
+otherwise the user can not authenticate through this broker.</p>
+</div>
+<div class="paragraph">
+<p>The option is disabled by default; when it is enabled, you can specify the name of the JWT token claim to filter and the value to match
+(supports regular expression format).</p>
+</div>
+</div>
+<div class="sect3">
+<h4 id="_support_for_jwe_encrypted_id_tokens_and_userinfo_responses_in_openid_connect_providers">Support for JWE encrypted ID Tokens and UserInfo responses in OpenID Connect providers</h4>
+<div class="paragraph">
+<p>The OpenID Connect providers now support <a href="https://datatracker.ietf.org/doc/html/rfc7516">Json Web Encryption (JWE)</a> for the ID Token and the UserInfo response. The providers use the realm keys defined for the selected encryption algorithm to perform the decryption.</p>
+</div>
+</div>
+<div class="sect3">
+<h4 id="_hardcoded_group_mapper">Hardcoded group mapper</h4>
+<div class="paragraph">
+<p>The new hardcorded group mapper allows adding a specific group to users brokered from an Identity Provider.</p>
+</div>
+</div>
+<div class="sect3">
+<h4 id="_user_session_note_mapper">User session note mapper</h4>
+<div class="paragraph">
+<p>The new user session note mapper allows mapping a claim to the user session notes.</p>
+</div>
+</div>
+</div>
+<div class="sect2">
+<h3 id="_ldap_federation">LDAP Federation</h3>
+<div class="sect3">
+<h4 id="_ldaps_only_truststore_option_removed">LDAPS-only Truststore option removed</h4>
+<div class="paragraph">
+<p>LDAP option to use truststore SPI <code>Only for ldaps</code> has been removed. This parameter is used to
+select truststore for TLS-secured LDAP connection: either internal Keycloak truststore is
+picked (<code>Always</code>), or the global JVM one (<code>Never</code>).</p>
+</div>
+<div class="paragraph">
+<p>Deployments where <code>Only for ldaps</code> was used will automatically behave as if <code>Always</code> option was
+selected for TLS-secured LDAP connections.</p>
+</div>
+</div>
+</div>
+<div class="sect2">
+<h3 id="_removed_openshift_integration_feature">Removed Openshift integration feature</h3>
+<div class="paragraph">
+<p>The <code>openshift-integration</code> preview feature that allowed replacing the internal IdP in OpenShift 3.x with Keycloak was removed from Keycloak codebase into separate extension project.</p>
+</div>
+</div>

cache/changelogs/changelog-22_0_2.json → cache/releases/22.0.2/changelog.json

@@ -173,13 +173,6 @@
   "kind" : "bug",
   "area" : "admin/ui",
   "url" : "https://github.com/keycloak/keycloak/issues/21693"
-}, {
-  "number" : 21710,
-  "repository" : "keycloak",
-  "title" : "Liquibase CustomChange are executed twice because of a Liquibase bug fixed in 4.21.0",
-  "kind" : "bug",
-  "area" : "storage",
-  "url" : "https://github.com/keycloak/keycloak/issues/21710"
 }, {
   "number" : 21719,
   "repository" : "keycloak",

cache/releases/22.0.2/release-notes.html

@@ -0,0 +1,7 @@
+<div class="sect2">
+<h3 id="_improvements_in_ldap_and_kerberos_integration">Improvements in LDAP and Kerberos integration</h3>
+<div class="paragraph">
+<p>Keycloak now supports multiple LDAP providers in a realm, which support Kerberos integration with the same Kerberos realm. When an LDAP provider is not able to find the user which was authenticated through
+Kerberos/SPNEGO, Keycloak ties to fallback to the next LDAP provider. Keycloak has also better support for the case when single LDAP provider supports multiple Kerberos realms, which are in trust with each other.</p>
+</div>
+</div>