
TideCloak 0.13.26

Adds Tide DPoP support and upgrades the Keycloak version.

Highlights

  • Standard DPoP support + Tide enhancements
  • TideCloak upgraded to Keycloak version 26.5.5
  • Quorum-Governance now supports Keycloak's groups

Try the TideCloak dev Playground demo (Open in Codespaces).


TideCloak changes

Upgrade to Keycloak 26.5.5

TideCloak has been updated to incorporate the latest upstream Keycloak enhancements and security patches, which primarily improve edge-routing security, OIDC protocol compliance, observability, and the administrative user experience.

Security & Vulnerability Fixes

This release includes critical security patches:

  • CVE-2025-14559: Fixed a business logic flaw that could allow unauthorized token issuance for disabled users.
  • CVE-2026-0707: Fixed an Authorization Header parsing vulnerability leading to potential security control bypasses.
  • CVE-2025-66560: Addressed a Quarkus REST Worker Thread Exhaustion Vulnerability.
  • CVE-2025-67735: Fixed a Request Smuggling vulnerability via CRLF Injection.
  • CVE-2026-3009: Fixed improper enforcement of Disabled Identity Providers.
  • CVE-2025-5416: Fixed an environment information disclosure vulnerability.
  • OIDC Config Endpoint: Resolved an information disclosure bug that leaked Client Secrets on unauthenticated config endpoints.

OIDC & Protocol Enhancements

  • DPoP Clock Skew Fix: DPoP proof replay checks now properly account for clock skew.
  • JWT Authorization Grants (Preview): Added support for RFC 7523, allowing the use of external signed JWT assertions to request OAuth 2.0 access tokens. This is the recommended alternative to external-to-internal token exchange.
  • Discovery Endpoint Privacy: Administrators can now hide specific OpenID Connect scopes from the public discovery endpoint to prevent discovery via public APIs.
  • CORS Enhancements: OpenID Connect Dynamic Client Registration now supports granular CORS header configuration via access policies.
  • IDToken Fix: Resolved an issue where OIDC IDTokens contained duplicate address claims.

Performance & Observability

  • Optimized Session Deletion: Expired user sessions are now deleted from the database in small batches rather than via full-table delete statements, significantly improving database response times for large realms.
  • OpenTelemetry Integration: Added extensive support for OpenTelemetry Logs, Metrics (experimental), and Traces. This allows exporting TideCloak telemetry to any OpenTelemetry-compatible backend.
  • MDC Logging: Promoted to fully supported. MDC enriches logs with contextual information such as realm, client, user ID, and IP address to improve debugging.
  • HTTP JSON Performance (Preview): A new http-optimized-serializers feature increases throughput by ~5% and reduces system resource usage during JSON data handling.

Administration & User Experience

  • Organization Invitations: Organization administrators can now view, resend, and delete persistent organization invitations through the Admin Console and the REST API.
  • Logout Confirmation: The client logout configuration now includes an option to show a “You are logged out” confirmation page upon successful logout.
  • Keycloak JS Routing Fix: Fixed a regression in Keycloak JS where URL hash fragments were incorrectly URL-encoded after the OAuth callback, which broke client-side routing for React/Angular applications using the fragment response mode.
  • New Session Event: Added a USER_SESSION_DELETED event that fires 3-10 minutes after a session expires.

Deprecations & Removals

  • PostgreSQL 13.x Support Removed: Ensure your underlying TideCloak database is running PostgreSQL 14 or higher before upgrading.

Tide-enhanced DPoP support

In addition to the RFC 9449 Demonstrating Proof of Possession (DPoP) support provided by Keycloak, TideCloak binds that proof into the authentication process and extends its utility all the way to the consumption of services from the resource server. While this may sound trivial, it provides the most hermetic security guarantee against session hijacking. This body of work binds the browser (or any terminal) the user authenticates from to the session: through Tide authentication, throughout the authorization process with TideCloak, and all the way to the server that eventually serves the user (a website, API, SSH endpoint, etc.). This enhancement provides several layers of security:

  • Declassifies the session token - with these improvements, the JWT (or any session token) is no longer a secret. It is an attestation that binds a user, a terminal, authorizations, and an authority guarantee.
  • No-gap process - unlike WebAuthn/Passkeys, which bind the authentication to the terminal and then hand off to OIDC to bind the terminal to the user (leaving a gap in the middle in which the session can be hijacked), this process binds the session all the way from user authentication to the eventual consumption of services, with no gap.
  • End-to-end confidentiality - Tide's use of DPoP extends beyond signing API requests as the standard requires. With Tide, the non-extractable DPoP keys can also be used to encrypt data or create secure tunnels to the resources they consume.
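To make the standard half of this concrete, the following is an added illustration (not TideCloak, Tide or Keycloak code) of the checks a resource server performs on an incoming DPoP proof under RFC 9449: the proof's public key must match the thumbprint the access token was bound to (cnf.jkt), the proof must be for this exact request, its iat must fall inside a clock-skew window (the class of check the "DPoP Clock Skew Fix" above concerns), and its jti must not have been seen before. The sample JWK and the proof signature are constructed placeholders, and signature verification is delegated to a caller-supplied `verify_sig` callback (assumption: a deployment plugs in a real ES256 verifier there).

```python
import base64
import hashlib
import json
import time
from typing import Callable, Optional

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members in canonical (sorted, compact) JSON."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n"), "OKP": ("crv", "kty", "x")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    return b64url(hashlib.sha256(json.dumps(members, separators=(",", ":"), sort_keys=True).encode()).digest())

# Constructed placeholder P-256 public JWK (not a real curve point; no EC arithmetic is done here).
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": b64url(b"\x01" * 32), "y": b64url(b"\x02" * 32)}

def make_proof(jwk: dict, method: str, url: str, iat: int, jti: str, sig: bytes = b"constructed-sig") -> str:
    """Build a DPoP proof JWT with a constructed (not real) signature, for the demo only."""
    enc = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    return f"{enc({'typ': 'dpop+jwt', 'alg': 'ES256', 'jwk': jwk})}.{enc({'htm': method, 'htu': url, 'iat': iat, 'jti': jti})}.{b64url(sig)}"

def verify_dpop_proof(proof: str, method: str, url: str, cnf_jkt: str, seen_jti: set,
                      verify_sig: Callable[[dict, bytes, bytes], bool],
                      now: Optional[float] = None, skew: int = 30) -> bool:
    """Resource-server checks from RFC 9449 section 4.3 (htu compared verbatim; a production
    verifier normalises it and also checks the ath claim). verify_sig(jwk, signing_input, signature)
    is supplied by the caller (assumption: a real ES256 verifier)."""
    try:
        h_b64, p_b64, s_b64 = proof.split(".")
        header, payload = json.loads(b64url_decode(h_b64)), json.loads(b64url_decode(p_b64))
    except ValueError:
        return False
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return False
    jwk = header.get("jwk")
    if header.get("typ") != "dpop+jwt" or not isinstance(jwk, dict) or "d" in jwk:
        return False  # wrong JWT type, no key, or a private key leaked into the proof
    if jwk_thumbprint(jwk) != cnf_jkt:
        return False  # proof key is not the key the access token (cnf.jkt) was bound to
    if payload.get("htm") != method or payload.get("htu") != url:
        return False  # proof was produced for a different request
    iat, jti = payload.get("iat"), payload.get("jti")
    now = time.time() if now is None else now
    if not isinstance(iat, (int, float)) or abs(now - iat) > skew:
        return False  # outside the acceptance window, tolerating +/- skew seconds of clock drift
    if not isinstance(jti, str) or jti in seen_jti:
        return False  # replayed proof
    if not verify_sig(jwk, f"{h_b64}.{p_b64}".encode(), b64url_decode(s_b64)):
        return False
    seen_jti.add(jti)
    return True
```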

Quorum-Enforced Governance over Groups

Groups are logical collections of users that simplify administration in TideCloak by managing permissions and attributes at scale. A TideCloak administrator may now assign users to groups and, separately, assign roles and clients to those groups. TideCloak identifies the resulting change for each user in the group individually and creates a (bulk) change-request per user, so that an immutable authority exists for each assignment. Each change-request is handled as a standard one in TideCloak's Quorum-Governance: the admin group must review, approve, and commit it before it takes effect.

Quorum-Enforced Governance bulk requests

Administrators may now tick more than one change-request in their review and commit processes.

Quorum-Enforced Governance comments

Each change request now has an optional comment field, allowing for better governance and compliance.


Cybersecurity Fabric changes

DPoP explicit verification

As part of the Tide-enhanced DPoP support, the network verifies by proof that the DPoP key referenced in the JWT is identical to the one used to authenticate the Tide user to whom it was issued.


Detailed changelog

For a granular per-repository breakdown of changes (Midgard, Heimdall, ORK, Ragnarok, TideJS, TideCloakJS, Asgard, master-libs, tidecloak-override, and upstream Keycloak), see the detailed changelog.