KeyCloak/keycloak
1
0
Fork 0
mirror of https://github.com/keycloak/keycloak.git synced 2026-05-26 13:50:48 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
main
keycloak/js/libs
T
History
Michal Vavřík 8171999894 feat(admin api v2): stricter Client v2 contracts (#48935) 
* Closes: https://github.com/keycloak/keycloak/issues/48786
* Changes:

| Schema#Property | New Validation Constraint | Reasoning |
|-----------------|--------------------------|-----------|
| BaseClientRepresentation#clientId | `@Size(min=1, max=255)` | DB VARCHAR(255) |
| BaseClientRepresentation#displayName | `@Size(max=255)` | DB NVARCHAR(255) |
| BaseClientRepresentation#description | `@Size(max=255)` | DB NVARCHAR(255) |
| BaseClientRepresentation#appUrl | `@Size(max=255)` | DB VARCHAR(255) |
| BaseClientRepresentation#redirectUris | `@Size(max=100)` on set, `@Size(max=255)` on elements | DB VARCHAR(255) per element, bound collection |
| BaseClientRepresentation#roles | `@Size(max=300)` on set, `@Size(max=255)` on elements | DB VARCHAR(255) per element, bound collection |
| OIDCClientRepresentation#webOrigins | `@Size(max=100)` on set, `@Size(max=255)` on elements | DB VARCHAR(255) per element, bound collection |
| OIDCClientRepresentation#webOrigins | `@ValidWebOrigin` | RFC 6454 format, invalid origins silently break CORS |
| OIDCClientRepresentation#serviceAccountRoles | `@Size(max=300)` on set, `@Size(max=255)` on elements | DB VARCHAR(255) per element, bound collection |
| OIDCClientRepresentation.Auth#method | `@NotBlank` | must be specified when auth object is present |
| OIDCClientRepresentation.Auth#method | `@ValidAuthMethod` | open SPI, dynamic check against registered providers |
| OIDCClientRepresentation.Auth#secret | `@Size(min=6, max=255)` | DB VARCHAR(255), min=6 prevents trivially weak secrets |
| OIDCClientRepresentation.Auth#certificate | `@Size(max=65536)` | NCLOB unlimited, practical upper bound |
| OIDCClientRepresentation (class-level) | `@ConfidentialFlowsRequireAuth` | SERVICE_ACCOUNT/TOKEN_EXCHANGE fail at runtime without auth |
| OIDCClientRepresentation (class-level) | `@RedirectFlowsRequireUris` | STANDARD/IMPLICIT fail at runtime without redirect URIs |
| OIDCClientRepresentation (class-level) | `@ServiceAccountRolesRequireFlow` | roles silently ignored without SERVICE_ACCOUNT flow |
| SAMLClientRepresentation#nameIdFormat | type changed to enum `NameIdFormat` | SAML 2.0 spec frozen since 2005, unlikely to change |
| SAMLClientRepresentation#signatureAlgorithm | type changed to enum | enum could change due to PQC, but we can simply update enum |
| SAMLClientRepresentation#signatureCanonicalizationMethod | `@ValidCanonicalizationMethod` | finite set from JDK constants, W3C standard unchanged since 2008 |
| SAMLClientRepresentation#signingCertificate | `@Size(max=65536)` | NCLOB unlimited, practical upper bound |

Signed-off-by: Michal Vavřík <michal.vavrik@aol.com>
2026-05-25 07:48:48 +00:00
..
keycloak-admin-client
feat(admin api v2): stricter Client v2 contracts (#48935)
2026-05-25 07:48:48 +00:00
ui-shared
Add Shared Signals Framework Transmitter capability (#48901)
2026-05-12 13:00:19 -03:00