JBoss.org Community Documentation

Chapter 21. Migration from older versions

21.1. Migrating from 1.0 RC-1 to RC-2
21.2. Migrating from 1.0 Beta 4 to RC-1
21.3. Migrating from 1.0 Beta 1 to Beta 4
21.4. Migrating from 1.0 Alpha 4 to Beta 1
21.5. Migrating from 1.0 Alpha 2 to Alpha 3
21.6. Migrating from 1.0 Alpha 1 to Alpha 2
  • A lot of info-level logging has been changed to debug. Also, a realm no longer has the jboss-logging audit listener by default. If you want log output when users log in, log out, change passwords, etc., enable the jboss-logging audit listener through the admin console.
  • The logout REST API has been refactored. The GET request on the logout URI no longer takes a session_state parameter. You must be logged in to log out the session. You can also POST to the logout REST URI. This action requires a valid refresh token to perform the logout. The signature is the same as the refresh token request, minus the grant type form parameter. See the documentation for details.
  • LDAP/AD configuration has changed. It is no longer under the "Settings" page. It is now under Users->Federation. Add Provider will show you an "ldap" option.
  • The Authentication SPI has been removed and rewritten. The new SPI is UserFederationProvider and is more flexible.
  • The ssl-not-required property in the adapter config has been removed. It is replaced with ssl-required, whose valid values are all (require SSL for all requests), external (require SSL only for external requests) and none (SSL not required).
  • DB Schema has changed again.
  • Created applications now have a full scope by default. This means that you don't have to configure the scope of an application if you don't want to.
  • The format of the JSON file for importing realm data has changed. Role mappings are now available under the JSON record of the particular user.
  • SkeletonKeyToken, SkeletonKeyScope, SkeletonKeyPrincipal, and SkeletonKeySession have been renamed to: AccessToken, AccessScope, KeycloakPrincipal, and KeycloakAuthenticatedSession respectively.
  • The ServletOAuthClient.getBearerToken() method signature has changed. It now returns an AccessTokenResponse so that you can obtain a refresh token too.
  • Adapters now check the access token expiration with every request. If the token is expired, they will attempt to invoke a refresh on the auth server using a saved refresh token.
  • Subject in AccessToken has been changed to the User ID.
  • DB Schema has changed. We don't have any data migration utilities yet as of Alpha 2.
  • JBoss and Wildfly adapters are now installed via a JBoss/Wildfly subsystem. Please review the adapter installation documentation. Edits to standalone.xml are now required.
  • There is a new credential type "secret". Unlike other credential types, it is stored in plain text in the database and can be viewed in the admin console.
  • There are no longer required credentials for Applications or OAuth Clients. These client types are now hard coded to use the "secret" credential type.
  • Because of the "secret" credential change to Application and OAuth Client, you'll have to update your keycloak.json configuration files and regenerate a secret within the Application or OAuth Client credentials tab in the administration console.
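
The ssl-required and "secret" credential items above both require edits to keycloak.json. The following script is an added example, not part of the Keycloak distribution, that audits one adapter config for those two changes. The function name, the sample config, and the mapping from the old boolean to the new values are assumptions, and it assumes the file belongs to an Application or OAuth Client that authenticates with a secret.

```python
import json

VALID_SSL_REQUIRED = {"all", "external", "none"}  # values listed in the migration note

def migrate_adapter_config(text):
    """Return (migrated_config, findings) for one keycloak.json document."""
    cfg = json.loads(text)
    findings = []

    # The removed boolean is replaced by ssl-required.
    if "ssl-not-required" in cfg:
        old = cfg.pop("ssl-not-required")
        if "ssl-required" not in cfg:
            # Assumed mapping: true is carried over as "none" so the weak
            # setting stays visible; anything else becomes the strictest "all".
            cfg["ssl-required"] = "none" if old is True else "all"
        findings.append("removed ssl-not-required=%r, ssl-required=%r"
                        % (old, cfg["ssl-required"]))

    mode = cfg.get("ssl-required")
    if mode is not None and mode not in VALID_SSL_REQUIRED:
        findings.append("invalid ssl-required value %r" % (mode,))
    elif mode == "none":
        findings.append("ssl-required is none: tokens may travel over plain HTTP")

    # Assumption: this client authenticates, so it needs the "secret" credential.
    creds = cfg.get("credentials")
    if not isinstance(creds, dict) or not creds.get("secret"):
        findings.append("no secret credential: regenerate one in the admin console")
    extra = sorted(set(creds) - {"secret"}) if isinstance(creds, dict) else []
    if extra:
        findings.append("unexpected credential types: %s" % ", ".join(extra))
    return cfg, findings

# Constructed sample: an adapter config written for an older release.
OLD_CONFIG = """{
  "realm": "demo",
  "resource": "customer-portal",
  "ssl-not-required": true,
  "credentials": {"password": "password"}
}"""

if __name__ == "__main__":
    migrated, notes = migrate_adapter_config(OLD_CONFIG)
    print(json.dumps(migrated, indent=2))
    for note in notes:
        print("FINDING:", note)
```

A config that reports the "none" finding should be moved to external or all once the deployment can serve HTTPS, since the secret is stored in plain text and is sent to the auth server by the adapter.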