
26.2.12-nordix-1

@tsaarni tsaarni released this 02 Dec 14:18

This release is based on upstream Keycloak 26.2.12.

What's Changed Compared to Upstream

  • 26.2.12-nordix-1
    • Added support for LDAP SASL EXTERNAL and hot-reload for LDAP client credentials. keycloak#7365
    • Added support for forced password change for LDAP federated users using LDAP password policy control. keycloak#15253
    • Added Vault SPI support for client secrets. keycloak#39650
    • Backport of keycloak#39556 "[OID4VCI] Fix creation of clientScopes with protocol oid4vc" to fix protocol validation during client scope creation, allowing docker-v2 to be used.
    • Reverted keycloak#35853 "Enable LDAP connection pool by default when using the Admin UI" for backwards compatibility reasons.
    • Backport of keycloak#43126 "Filter invalid resources and scopes when processing entries from the cache" to fix a race condition bug that caused login errors.

Documentation

LDAP Client Certificate Authentication

Set authType to EXTERNAL to enable SASL EXTERNAL client certificate authentication for LDAP federation.

LDAP credential hot-reload is supported and triggered when the modification timestamp of the configured credential files changes. The check occurs whenever the credential is used, but no more than once per second.
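The reload rule described above (re-read when a credential file's modification timestamp changes, checked on use but at most once per second), as an added Python illustration that is not Keycloak's or this release's code. File names, the fake clock and the PEM-footer check are constructed stand-ins for real parsing; the point a defender cares about is that a rotation caught half-written must not replace a working credential pair.

```python
import os
import tempfile
import time
from pathlib import Path

class HotReloadingCredential:
    """PEM cert/key re-read when either file's mtime changes; stat() on use, at most once per min_interval s."""

    def __init__(self, cert_file, key_file, min_interval=1.0, clock=time.monotonic):
        self.files, self.min_interval, self.clock = (cert_file, key_file), min_interval, clock
        self._last_check, self._mtimes, self.current, self.reloads = float("-inf"), None, None, 0

    def get(self):
        if (now := self.clock()) - self._last_check >= self.min_interval:
            self._last_check = now
            mtimes = tuple(os.stat(f).st_mtime_ns for f in self.files)
            if mtimes != self._mtimes:
                self._try_load(mtimes)
        return self.current

    def _try_load(self, mtimes):
        cert, key = (Path(f).read_bytes() for f in self.files)
        # A rotation is two separate writes. If the pair is caught half-written, keep serving the old
        # credential and retry on the next check. (Stand-in check: real code would parse the PEM.)
        if cert.endswith(b"END CERTIFICATE-----\n") and key.endswith(b"END PRIVATE KEY-----\n"):
            self.current, self._mtimes, self.reloads = (cert, key), mtimes, self.reloads + 1
        elif self.current is None:
            raise ValueError("initial credential files are incomplete")

def demo():
    """Drive the loader over constructed PEM stand-ins with a fake clock; returns (step, cert, reloads)."""
    def write(path, data, mtime_s):  # explicit mtime keeps the demo deterministic
        Path(path).write_bytes(data)
        os.utime(path, ns=(mtime_s * 10**9, mtime_s * 10**9))
    pem = lambda kind, body: b"-----BEGIN %s-----\n%s\n-----END %s-----\n" % (kind, body, kind)
    cert1, cert2, key = pem(b"CERTIFICATE", b"v1"), pem(b"CERTIFICATE", b"v2"), pem(b"PRIVATE KEY", b"k")
    fake, steps = [0.0], []
    with tempfile.TemporaryDirectory() as d:
        cp, kp = os.path.join(d, "ldap.crt"), os.path.join(d, "ldap.key")
        write(cp, cert1, 1000); write(kp, key, 1000)
        cred = HotReloadingCredential(cp, kp, clock=lambda: fake[0])
        steps.append(("initial", cred.get()[0], cred.reloads))
        write(cp, cert2, 2000); write(kp, key[:-12], 2000)  # rotation caught mid-way: key truncated
        fake[0] += 1.0
        steps.append(("half-written", cred.get()[0], cred.reloads))  # still v1, nothing swapped in
        write(kp, key, 2001)                                          # rotation now complete
        steps.append(("same-second", cred.get()[0], cred.reloads))   # rate-limited: not re-checked yet
        fake[0] += 1.0
        steps.append(("after-1s", cred.get()[0], cred.reloads))      # new pair picked up
    return steps
```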

New provider configuration options are available for specifying LDAP client credentials:

Using PEM files:

--spi-keystore-default-ldap-certificate-file=CERTIFICATE_PEM_FILENAME
--spi-keystore-default-ldap-certificate-key-file=PRIVATE_KEY_PEM_FILENAME

Or using a keystore file:

--spi-keystore-default-ldap-keystore-file=KEYSTORE_FILENAME
--spi-keystore-default-ldap-keystore-password=PASSWORD
--spi-keystore-default-ldap-keystore-type=TYPE

The keystore type is optional and defaults to "JKS", which in practice can load both JKS and PKCS12 keystore files.

LDAP Password Policy

The LDAP password policy control can be enabled either through the LDAP settings in the admin console or by setting enableLdapPasswordPolicy to true in the LDAP configuration when creating the LDAP user storage provider via the REST API.

The feature reuses the existing update-password flow: when the LDAP server indicates that the user must update their password, the UPDATE_PASSWORD required action is set for the user automatically. The LDAP server signals this by responding with the PasswordPolicyResponseValue error changeAfterReset. Once the required action is set, the user is forcibly forwarded to the update password page at their next login.

The following limitations apply:

  • Federation must be configured with edit mode WRITABLE: federated users can only change their passwords when Keycloak is configured to synchronize attributes back to the LDAP server.
  • Federation must be configured with import users enabled: required user actions can be set only for users that exist in the Keycloak database.

Vault SPI Support for OIDC Client Secrets

An OIDC client secret can now reference a value stored in an external vault using the syntax ${vault.<id>}. For more information on how to enable Vault SPI, see the Keycloak documentation.