Thursday, 16 March 2017

Keycloak 3.0.0.CR1 released

Keycloak 3.0.0.CR1 is released. Even though we've been busy wrapping up Keycloak 2.5, we've managed to include quite a few new features.

To download the release go to the Keycloak homepage.

This release is the first that comes without Mongo support.

Highlights

  • No import option for LDAP - This option allows consuming users from LDAP without importing into the Keycloak database
  • Initiate linking of identity provider from application - In the past, adding additional identity brokering accounts could only be done through the account management console. Now this can be done from your application
  • Hide identity provider - It's now possible to hide an identity provider from the login page
  • Jetty 9.4 - Thanks to reneploetz we now have support for Jetty 9.4
  • Swedish translations - Thanks to Viktor Kostov for adding Swedish translations
  • Checksums for downloads - The website now has MD5 checksums for all downloads
  • BOMs - We've added BOMs for adapters as well as Server SPIs

The full list of resolved issues is available in JIRA.

Upgrading

Before you upgrade, remember to back up your database and check the migration guide.

11 comments:

  1. MD5? Why not something better?

    1. It's a file checksum! No need for something better.

    2. Well, it is possible to create modifications to a file that preserve the MD5 hash. See for example: https://natmchugh.blogspot.no/2015/05/how-to-make-two-binaries-with-same-md5.html

    3. Probably, but it might be best to go for something even stronger: https://sites.google.com/site/itstheshappening/

    4. But I guess the best reason is that both MD5 and SHA1 have a bad rep these days, even if the attack is not likely on this particular use case.

    5. Actually, thinking more about this, there's simply no point in having a "safer" checksum. To be safe simply make sure you download Keycloak from trusted sources (https://downloads.jboss.org). If that was compromised and someone somehow uploaded a compromised version there they could just as easily replace the checksum.

      I'll keep it as an MD5 as that does the job of file integrity.

  2. Standalone server distribution 3.0.0.CR1 not found, cannot download at home page

  3. The download link is wrong, should be keycloak-3.0.0.CR1.zip
    https://downloads.jboss.org/keycloak/3.0.0.CR1/keycloak-3.0.0.CR1.zip.zip

  4. Download links are incorrect

    change it from
    https://downloads.jboss.org/keycloak/3.0.0.CR1/keycloak-3.0.0.CR1.zip.zip
    to
    https://downloads.jboss.org/keycloak/3.0.0.CR1/keycloak-3.0.0.CR1.zip
