All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.
- Consider all authentication subflows during updates.
5.6.1 - 2023-03-05
5.6.0 - 2023-03-05
- Added support for keycloak 21
- Upgraded to latest keycloak 20 bugfix version
5.5.0 - 2022-11-12
- Added support for keycloak 20
- Realm export scripts now use the new kc.sh export command
- Support for Keycloak 16
5.4.0 - 2022-11-07
- Added latest Keycloak 19.0.3 library
- Added support for managing user profiles
5.3.1 - 2022-08-02
- Added latest Keycloak 19.0.1 library
5.3.0 - 2022-07-28
- Support for Keycloak 19
- Support for Keycloak 15
5.2.2 - 2022-07-25
- Added latest Keycloak 18.0.2 library
We now also consider auth flows referenced by post-broker login flow Identity Provider configurations for flow in-use checks.
5.2.1 - 2022-06-20
- Added latest Keycloak 18.0.1 library
5.2.0 - 2022-05-06
- Added Keycloak 18 support
5.1.0 - 2022-04-08
- Dump realm configuration on trace log level
5.0.0 - 2022-03-25
A lot of import properties are added over the years. this major release of keycloak will reorder all properties. You will find a translation table below.
- Support for managing fine-grained authorization rules with placeholders to reference identity providers by alias, realm role by name and groups by full path
- Docker base images changed from
openjdk
toeclipse-temurin
- Refactored import properties.
import.force=true
->import.cache.enabled=false
import.cache-key
->import.cache.key
import.path
->import.files.locations
import.hidden-files
->import.files.include-hidden-files
import.exclude
->import.files.excludes
import.file-type
-> removedimport.state
->import.remote-state.enabled
import.state-encryption-key
->import.remote-state.encryption-key
import.state-encryption-salt
->import.remote-state.encryption-salt
import.var-substitution
->import.var-substitution.enabled
import.var-substitution-in-variables
->import.var-substitution.nested
import.var-substitution-undefined-throws-exceptions
->import.var-substitution.undefined-is-error
import.var-substitution-prefix
->import.var-substitution.prefix
import.var-substitution-suffix
->import.var-substitution.suffix
import.remove-default-role-from-user
->import.behaviors.remove-default-role-from-user
import.skip-attributes-for-federated-user
->import.behaviors.skip-attributes-for-federated-user
import.sync-user-federation
->import.behaviors.sync-user-federation
- Changed loading of directories
path/to/dir
->path/to/dir/*
- Changed loading of zip files
path/to/file.zip
->zip:file:path/to/file.zip!**/*
- import path contains
..
- Java 8 Support
customImport
property in json import.- Directory import. Use
dir/*
insteaddir/
- Support for zip files from http locations
import.file-type
. Import files will always be parsed with YAML parser. JSON files are YAML compatible.
4.9.0 - 2022-03-21
- Support for managing fine-grained authorization rules with placeholders to reference identity providers by alias, realm role by name and groups by full path
- Remove
v
prefix docker image tags.
4.8.1 - 2022-03-09
- Docker Image for Keycloak 14, 15, 16 contains the version for Keycloak 17
4.8.0 - 2022-03-06
- Support for managing
Client Authorization Resources
like other resources by configuringimport.managed.client-authorization-resources=<full|no-delete>
. This prevents deletion of remote managed resources. - Support for managing fine granted authorization rules with placeholders to reference clients by client id.
- Compile keycloak-config-cli inside docker build to avoid the requirement to run maven before
- Manage
Client Authorization
without define aclientId
in import realm.
4.7.0 - 2022-02-14
- Added Keycloak 17 support, drop Keycloak 13 support
- Allow spring boot properties in string substitution.
- Supports YAML anchors in realm import file
- 404 not found, if roles have nested composites
4.6.1 - 2022-01-17
- NoClassDefFoundError: org/apache/commons/lang3/StringUtils if IMPORT_VARSUBSTITUTION=true
4.6.0 - 2022-01-16
- Support logout with confidential client if grant_type=password is used.
- Make read and connect timeout of Resteasy client configurable (defaults stay the same as before)
- Add
--import.validate
flag to disable pre validation checks inside keycloak-config-cli. - Change maven wrapper to official one (https://maven.apache.org/wrapper/)
- Skip logout if grant_type=client_credentials is used
4.5.0 - 2021-12-19
- Added Keycloak 16 support, drop Keycloak 12 support
- Support for multiple realm definitions inside one YAML file.
- Workaround for creating client authorization resources, if a username is defined an owner through
owner.name
. Keycloak exceptsowner.id
here insteadowner.name
. See #589
4.4.0 - 2021-12-04
- Cookie Management for http client to support clustered environments with cookie based sticky sessions
- Raise an exception, if authenticator is defined for a basic-flow execution
- Support for managing
Client Scope Mappings
like other resources by configuringimport.managed.client-scope-mapping=<full|no-delete>
. - Configuration profile for RedHat's maven repository to fetch RH SSO compatible keycloak versions
- Use java 17 as default and use docker image
openjdk:17-slim
- Stale client level roles assignment on a user, if the client is not present in the
clientRoles
JSON object in the config file. The Keycloak default client roles (e.g. realm-management) will remain untouched though.
4.3.0 - 2021-09-28
- Docker Images for arm64
- Managed realm level
defaultDefaultClientScopes
anddefaultOptionalClientScopes
- Introduce maven wrapper (
./mvnw
) to easy access maven for non developers
4.2.0 - 2021-08-09
- Support initial user password (only set doing user creation). See docs/FEATURE.md for more information.
- Flag
import.skip-attributes-for-federated-user
to set user attributes tonull
for federated users. Defaults tofalse
. - Validate composite client roles
- Update subComponents if config of parent is equal
4.1.0 - 2021-07-31
- Keycloak 15 support
- Print a warning if local keycloak-config-cli and keycloak are incompatible.
- Terminate admin-cli session through
logout
REST endpoint
- Realm attributes in configuration file overwrite the realm's state when the realm is updated.
- Custom realm attributes not updatable.
- Keycloak 11 support
4.0.1 - 2021-06-19
- Set
import.var-substitution-prefix=$(
andimport.var-substitution-suffix=)
as default to prevent incompatibility with keycloak variables. This change forgotten in release 4.0.0.
4.0.0 - 2021-06-18
- New keycloak support policy: keycloak-config-cli will officially support the 4 latest keycloak versions. In the future, if a new keycloak version is out, the oldest version will be removed without bump the major version of keycloak-config-cli
- New defaults:
import.var-substitution-prefix=$(
andimport.var-substitution-suffix=)
to prevent incompatibility with keycloak variables. TL;DR: If you import file containers variables like${env:USERNAME}
, you have to replace them with$(env:USERNAME)
.
- JSON logging
- Support Keycloak 14
- User federation can be automatically synchronized with
import.sync-user-federation
set totrue
- New flag
import.remove-default-role-from-user
. Default tofalse
. Keycloak 13 attach a default role nameddefault-role-$REALM
that contains some defaults from any user. Previously keycloak-config-cli remove that default role, if the role not defined inside the import json. The flag prevents keycloak-config-cli from excludedefault-roles-$REALM
from removal logic. This results that it's not longer possible to explicit remove the role from a user, if this flag set totrue
.
- Exclude
default-roles-$REALM
from user realm role removal
- Support Keycloak 9
- Support Keycloak 10
3.4.0 - 2021-05-12
- Support for Keycloak 13
Note: If you get an error like
client already exists
orjava.lang.IllegalStateException: Session/EntityManager is closed
, it's not an error in keycloak-config-cli. See https://issues.redhat.com/browse/KEYCLOAK-18035 - Define custom var substitution prefix and suffix through
import.var-substitution-prefix
andimport.var-substitution-suffix
. This prevents conflicts with keycloak builtin variables. Default to${
and}
and will be changed to$(
and)
. in keycloak-config-cli 4.0. - News image tag call
edge-build
that compile keycloak-config-cli run runtime. This useful to run keycloak-config-cli against unsupported keycloak versions. - Keycloak images additionally pushed to quay.io
- Versions specific images of keycloak-config-cli are not exists with keycloak version variations.
3.3.1 - 2021-05-04
- 409 Conflict on importing client role that already exists but not in state.
3.3.0 - 2021-04-24
- Do not reset eventsEnable if missing in import
- Client secrets mapping on the client scopes with the
clientScopeMappings
.
- Undetermined treatment of a client without the client id specified.
- Provisioning of a client with service account enabled when the
registrationEmailAsUsername
flag for the realm is set totrue
.
3.2.0 - 2021-03-12
- Support for
defaultGroups
- Using adoptopenjdk/openjdk11:alpine-jre as base image instead openjdk to reduce image footprint and vulnerabilities.
3.1.3 - 2021-03-08
- Add
v
prefix to docker images (restore breaking change)
3.1.2 - 2021-03-08
- Docker builds inside release pipeline
- 400 Bad Request while deleting a used client scope
3.1.1 - 2021-03-07
- Bump keycloak from 12.0.3 to 12.0.4
- Forbidden error while create a new realm with a keycloak service account.
- Do not try to remove effective user roles
3.1.0 - 2021-02-18
wget
inside docker container- If
keycloak.grant-type
is set toclient_credentials
the tool can use client_id and client_secret for obtaining its OAuth tokens ( default:password
) - The
keycloak.client-secret
can now be set for confidential OAuth clients (and it's required for theclient_credentials
flow together with ankeycloak.client-id
referring an OAuth client which supports the client_credentials OAuth flow). - import.path accepts now zip files and remote locations (http)
- Default development branch renamed from
master
tomain
- The docker tag
master
has been renamed toedge
- Bump keycloak from 12.0.2 to 12.0.3
- Cleanup old authenticator configs
- Ordering and execution flow authentication config if multiple execution have the same authenticator.
3.0.0 - 2021-01-20
- keycloak-config-cli does not auto append
/auth/
to the keycloak path. - Role and Clients are
fully managed
now. See: docs/MANAGED.md. Take care while upgrade exist keycloak instances. This upgrade should be tested carefully on existing instances. Ifimport.state
is enabled, only roles and clients created by keycloak-config-cli will be deleted. Set--import.managed.role=no-delete
and--import.managed.client=no-delete
will restore the keycloak-config-cli v2.x behavior.
- Support for Keycloak 12.0.1
- Set
import.managed.role
andimport.managed.client
tofull
as default - Remove experimental native builds
- Update to Resteasy to 4.5.8.Final
- Support for Keycloak 8
- Auto append
/auth/
url
2.6.3 - 2020-12-09
- Update Spring Boot to 2.4.0
- On client import
defaultClientScopes
andoptionalClientScopes
are ignored on existing clients. - Prevent 409 Conflict error with users if "email as username" is enabled
2.6.2 - 2020-11-18
- On client import
defaultClientScopes
andoptionalClientScopes
are ignored if referenced scope does not exist before import.
2.6.1 - 2020-11-17
- Pipeline related error inside release process. GitHub Blog
2.6.0 - 2020-11-17
- If
import.state-encryption-key
is set, the state will be stored in encrypted format. - If 'import.var-substitution-in-variables' is set to false var substitution in variables is disabled (default: true)
- If 'import.var-substitution-undefined-throws-exceptions' is set to false unknown variables will be ignored (default: true)
- Pre validate client with authorization settings
- Update to Keycloak 11.0.3
- Calculate import checksum after variable substitution
- Ignore the id from imports for builtin flows and identityProviderMappers if resource already exists
- Fix KEYCLOAK-16082
- Can't manage user membership of subgroups
2.5.0 - 2020-10-19
- Roles are fully managed now and could be deleted if absent from import (disabled by default)
- Clients are fully managed now and could be deleted if absent from import (disabled by default)
- client scope mapping can be managed through keycloak-config-cli
- DEPRECATION: Auto append
/auth
in server url.
- Required action providerId and alias can be different now
- ProviderId of required actions can be updated now
2.4.0 - 2020-10-05
- Builds are now reproducible.
- Provide checksums of prebuild artifacts.
import.var-substitution=true
to enable substitution of environment variables or system properties. (default: false)- Multiple file formats could be detected by file ending
- HTTP Proxies now supported. Use
-Dhttp.proxyHost
and-Dhttp.proxyHost
to specify proxy settings.
- On directory import, the order of files is consistent now. (default ordered)
- Allow custom sub paths of keycloak.
2.3.0 - 2020-09-22
- Allow loading Presentations (like RealmRepresentation) externally. See docs for more information.
- Update flow descriptions form builtin flows
- Update to Keycloak 11.0.2
- Update to Resteasy to 3.13.1.Final
- Fix update
authenticationFlowBindingOverrides
on clients issue-170 - Fix creation clientScopes with protocolMappers issue-183
- Fix could not update default clientScopes with protocolMappers issue-183
2.2.0 - 2020-08-07
- Add support for clients with fine-grained authorization
2.1.0 - 2020-07-23
- Keycloak 11 support
- Implement checkstyle to ensure consistent coding style.
- Subflow requirement forced to ‘DISABLED’ when importing multiple subflows
2.0.2 - 2020-07-15
- Realm creation with an idp and custom auth flow results into a 500 HTTP error
2.0.1 - 2020-07-09
- Incorrect Docker entrypoint. Thanks to jBouyoud.
2.0.0 - 2020-07-05
- The availability check in docker images based on a shell script. The functionality moved into the application now.
- The availability check is disabled by default and can be re-enabled with
keycloak.availability-check.enabled=true
. import.file
is removed. Useimport.path
instead for files and directories.keycloak.migrationKey
is removed. Useimport.cache-key
instead.keycloak.realm
is removed. Useimport.login-realm
to define the realm to login.- If you have defined requiredActions, components, authentications flows or subcomponents in your realm configure, make sure you have defined all in
your json files. All not defined actions will remove now by keycloak-config-cli unless
import.state=true
is set (default). See: docs/MANAGED.md
- Create, Update, Delete IdentityProviderMappers
- Support for only updating changed IdentityProviders
- Support for managed IdentityProviders
- Manage group membership of users
- Parallel import (only some resources are supported. To enable use
--import.parallel=true
) - Don't update client if not changed
- Don't update components config if not changed
- Don't update realm role if not changed
- Added Helm Chart
- Support yaml as configuration import format. (
--import.file-type=yaml
) - In some situations if Keycloak gives 400 HTTP error, pass error message from keycloak to log.
- Allow updating builtin flows and executions (keycloak allows to change some properties)
- Remove authentications config from keycloak if not defined in realm
- PMD for static source code analysis
- Experimental GraalVM support. Run keycloak-config-cli without Java!
- Throw errors on unknown properties in config files
- Add, update and remove clientScopes (thanks @spahrson)
- Remove required actions if they not defined in import json.
- Remove components if they not defined in import json.
- Remove subcomponents if they not defined in import json.
- Remove authentication flows if they not defined in import json.
- Control behavior of purging ressource via
import.manage.<type>
property. See: docs/MANAGED.md - State management for
requriedActions
,clients
,components
- Handle exit code in a spring native way.
- Improve error handling if keycloak returns a non 2xx http error
- The availability check in docker images is off by default. Re-enable with
keycloak.availability-check.enabled
. WAIT_TIME_IN_SECONDS
is replaced bykeycloak.availability-check.timeout
.- Set user to 1001 in Dockerfile
- Bump Keycloak from 8.0.1 to 8.0.2
- Define jackson version in pom.xml to avoid incompatibilities between
jackson-bom
andkeycloak-config-cli
dependencies. - Reduce docker image size
- Bump SpringBoot from 2.2.7 to 2.3.1
- Bump keycloak from 10.0.0 to 10.0.2
- Used keycloak parent pom instead manage versions of 3rd party libs
- Add experimental profile for spring native builds
- Human friendly error messages instead stack traces if log level is not debug.
- SHA2 instead SHA3 is now used for config checksums
- Rename
keycloak.migrationKey
toimport.cache-key
instead. - Rename
keycloak.realm
toimport.login-realm
instead.
- Fix import crash if last import crashed while a temporary flow was used.
- Do not delete authenticatorConfigs from builtin flows
- Don't update client if protocolMappers are not changed
- Don't update clientScope if protocolMappers are not changed
- Don't update groups config if subGroups are not changed
- Authentication configs in non-top-level flow are not created.
- Updating
protocolMappers
onclients
import.file
parameter
1.4.0 - 2020-04-30
- AuthenticatorConfig support (thanks @JanisPlots)
- Keycloak 10 support
- Bump keycloak 9.0.3
- Fix spotbugs and sonar findings
1.3.1 - 2020-04-02
- Bump Spring Boot version to 2.2.5
- Bump maven-javadoc-plugin from 3.1.1 to 3.2.0
- Use username filter for updating users, too.
1.3.0 - 2020-03-27
- Add and update groups
- Update composites in roles
- Add copyright header to all java classes
- Bump Keycloak to 9.0.2
1.2.0 - 2020-03-15
- Implement migrationKey property for different config files per realm
- Implement identity providers
- Add @SuppressWarnings("unchecked")
- Migrate to maven single module
- Use TestContainers
- Correct username on import
1.1.2 - 2020-02-25
- Use Java 8 inside container again
1.1.1 - 2020-02-25
- Re-add Keycloak 8
- Keycloak 9 support
- Use Java 11 inside container
- Bump hibernate-validator from 6.0.13.Final to 6.1.0.Final