
RHSSO 7.6 adapters may not work with RHBK 24 server


    • Type: Bug
    • Resolution: Done
    • Priority: Critical
    • RH-SSO-7.6.9
    • RH-SSO-7.6.8

      Just a heads-up that the RHBK 24 server may not work out of the box (OOTB) with the RH-SSO 7.6 OIDC client adapters.

      Mitigation

      The mitigation is to enable the switch "Exclude Issuer From Authentication Response" in the admin console for every RHBK client that points to an application secured by the RH-SSO 7.6 adapters. In the admin console, open the particular client -> tab "Advanced" -> section "OpenID Connect Compatibility Modes".

      Details

      This is a side-effect of adding the `iss` parameter to the OIDC authentication response, which the OAuth 2.1 specification [1] introduces to prevent mix-up attacks [2]. The change is documented in the Keycloak 23 upgrade documentation [3] and will also be documented in the RHBK 24 migration documentation, but it is not explicitly documented that it affects all the RH-SSO 7.6 clients.

      Bug description

      Customers affected by this issue will be unable to log in to their application because the code-to-token request sent by the adapter fails. They will see errors in their RH-SSO 7.6 log like:
      ```
      [OAuthRequestAuthenticator] failed to turn code into token
      [OAuthRequestAuthenticator] status from server: 403
      ```
      caused by the incorrect redirect_uri, and in the server.log they will see a CODE_TO_TOKEN_ERROR event.

      [1] https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-10#name-authorization-response
      [2] https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-24#section-4.4
      [3] https://www.keycloak.org/docs/latest/upgrading/index.html#added-iss-parameter-to-oauth-2-0openid-connect-authentication-response
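The redirect_uri mismatch behind the CODE_TO_TOKEN_ERROR, and the mix-up check that `iss` enables for clients that understand it, modelled in Python as an added example (not the adapter's or Keycloak's code; the URLs, the parameter names in the strip lists and the server-side equality check are assumptions made for the model):

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample values (not from the issue).
REDIRECT_URI = "https://app.example.com/callback?next=%2Fhome"
ISSUER = "https://sso.example.com/realms/demo"

# Response parameters an adapter removes from the callback URL before reusing
# it as redirect_uri in the code-to-token request. The legacy set models the
# RH-SSO 7.6 adapter (an assumption: the real list is not on the page); the
# iss-aware set also knows about the new `iss` parameter.
LEGACY_STRIP = frozenset({"code", "state", "session_state"})
ISS_AWARE_STRIP = LEGACY_STRIP | {"iss"}


def build_callback(redirect_uri, code, state, session_state, iss=None):
    """Authorization response as the browser delivers it to the adapter.
    RHBK 24 appends `iss` by default; the compatibility switch omits it."""
    params = {"code": code, "state": state, "session_state": session_state}
    if iss is not None:
        params["iss"] = iss
    sep = "&" if urlsplit(redirect_uri).query else "?"
    return redirect_uri + sep + urlencode(params)


def rebuild_redirect_uri(callback_url, strip):
    """Rebuild redirect_uri from the callback URL, dropping only the response
    parameters the adapter knows; an unknown one (such as `iss`) stays in."""
    parts = urlsplit(callback_url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k not in strip]
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(kept), ""))


def issuer_matches(callback_url, expected_issuer):
    """Mix-up defence an iss-aware client applies: the response must carry the
    issuer the client started the flow with."""
    params = dict(parse_qsl(urlsplit(callback_url).query))
    return params.get("iss") == expected_issuer


def code_to_token_outcome(server_sends_iss, adapter_strips_iss):
    """Simulate the code exchange. The server requires the redirect_uri in the
    token request to equal the one used at authorization; a mismatch is the
    failed code-to-token request (CODE_TO_TOKEN_ERROR) described above."""
    callback = build_callback(REDIRECT_URI, "c0de", "st4te", "sess",
                              ISSUER if server_sends_iss else None)
    strip = ISS_AWARE_STRIP if adapter_strips_iss else LEGACY_STRIP
    presented = rebuild_redirect_uri(callback, strip)
    return "ok" if presented == REDIRECT_URI else "CODE_TO_TOKEN_ERROR"
```

`code_to_token_outcome(True, False)` is the RHBK 24 default with a 7.6 adapter, `code_to_token_outcome(False, False)` is the same adapter once "Exclude Issuer From Authentication Response" is enabled.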

            mposolda@redhat.com Marek Posolda