Deploying to main from @ 61b030d3d2bc5cc71d2cd3e27863b86517c0f7e5 🚀

ahus1 · ahus1 · commit fbcc83706d3a · 2026-05-20T06:29:13.000Z
diff --git a/extensions.html b/extensions.html
@@ -564,7 +564,7 @@ <h5 class="card-title">Magic Link Login</h5>
                                     <div class="d-flex align-items-center">
                                         <img src="resources/images/github.png" width="16px" alt="GitHub logo"
                                              class="me-2"/>
-                                        <span data-nosnippet>405 stars</span>
+                                        <span data-nosnippet>406 stars</span>
                                     </div>
                                 </div>
                         </div>
diff --git a/nightly/guides.html b/nightly/guides.html
@@ -1050,6 +1050,21 @@ <h5 class="card-title">
                             </div>
                         </div>
                     </div>
+                    <div class="col-sm-4">
+                        <div class="card shadow-sm mb-4">
+                            <div class="card-body">
+                                <h5 class="card-title">
+                                    AuthZEN Authorization
+                                    
+                                    
+                                </h5>
+                                <span class="card-text">Using Keycloak as an AuthZEN Policy Decision Point (PDP) to evaluate authorization requests.</span>
+                                <div>
+                                </div>
+                                <a href="https://www.keycloak.org/nightly/securing-apps/authzen-authorization"  class="stretched-link link-dark"></a>
+                            </div>
+                        </div>
+                    </div>
                     <div class="col-sm-4">
                         <div class="card shadow-sm mb-4">
                             <div class="card-body">
diff --git a/nightly/securing-apps/authzen-authorization.html b/nightly/securing-apps/authzen-authorization.html
diff --git a/nightly/securing-apps/specifications.html b/nightly/securing-apps/specifications.html
@@ -139,7 +139,7 @@ <h1>Specifications implemented</h1>
 </div>
 </div>
 <div class="sect1">
-<h2 id="_openid_connect"><a class="anchor" href="#_openid_connect"></a>OpenID Connect</h2>
+<h2 id="_openid"><a class="anchor" href="#_openid"></a>OpenID</h2>
 <div class="sectionbody">
 <table class="tableblock frame-all grid-all fit-content">
 <colgroup>
@@ -235,6 +235,12 @@ <h2 id="_openid_connect"><a class="anchor" href="#_openid_connect"></a>OpenID Co
 <td class="tableblock halign-left valign-top"></td>
 <td class="tableblock halign-left valign-top"><p class="tableblock">See <a href="https://www.keycloak.org/nightly/securing-apps/mcp-authz-server">Integrating with Model Context Protocol (MCP)</a>.</p></td>
 </tr>
+<tr>
+<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="https://openid.net/specs/authorization-api-1_0.html">OpenID AuthZEN Authorization API 1.0</a></p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">Experimental</p></td>
+<td class="tableblock halign-left valign-top"></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">See <a href="https://www.keycloak.org/nightly/securing-apps/authzen-authorization">AuthZEN Authorization</a>.</p></td>
+</tr>
 </tbody>
 </table>
 </div>
diff --git a/nightly/server/haproxy-reencrypt.html b/nightly/server/haproxy-reencrypt.html
@@ -140,12 +140,24 @@ <h2 id="haproxy-configuration-reencrypt"><a class="anchor" href="#haproxy-config
 frontend https_front
     bind *:8443 ssl crt /path/to/haproxy-external-certificate <i class="conum" data-value="1"></i><b>(1)</b>
     mode http <i class="conum" data-value="2"></i><b>(2)</b>
+
+    # Prevent external spoofing
     http-request del-header Forwarded <i class="conum" data-value="3"></i><b>(3)</b>
-    http-request del-header x-forwarded-for
-    http-request del-header x-forwarded-proto
-    http-request del-header x-forwarded-host
-    http-request del-header x-forwarded-port
-    http-request del-header x-forwarded-server
+    http-request del-header x-forwarded-.* -m reg
+    http-request del-header x-original-.* -m reg
+    http-request del-header x-real-ip
+
+    # Prevent external tracing context injection (W3C Trace Context / Baggage)
+    http-request del-header traceparent
+    http-request del-header tracestate
+    http-request del-header baggage
+
+    # Prevent external tracing context injection (Zipkin, Jaeger, OpenTracing)
+    http-request del-header b3
+    http-request del-header x-b3-.* -m reg
+    http-request del-header uber-trace-id
+    http-request del-header x-ot-span-context
+
     default_backend keycloak_back
 
 backend keycloak_back
@@ -175,8 +187,9 @@ <h2 id="haproxy-configuration-reencrypt"><a class="anchor" href="#haproxy-config
 </tr>
 <tr>
 <td><i class="conum" data-value="3"></i><b>3</b></td>
-<td>The <code>http-request del-header &lt;HEADER&gt;</code> entries remove particular HTTP headers from the incoming requests before passing them on.
-The example shows removing of the <code>Forwarded</code> and <code>x-forwarded-</code> headers in order to prevent a security vulnerability to IP spoofing attacks, where the client is able to impersonate the proxy or other services.</td>
+<td>The <code>http-request del-header</code> directives remove HTTP headers from incoming requests before forwarding them to Keycloak.
+This prevents external clients from spoofing proxy identity headers (such as <code>Forwarded</code>, <code>X-Forwarded-*</code>, and <code>X-Real-IP</code>), injecting authentication-related headers (such as <code>X-Forwarded-Access-Token</code>), or injecting distributed tracing context (such as W3C Trace Context, Zipkin B3, or Jaeger headers).
+For the full list of recommended headers to filter, see the <a href="https://www.keycloak.org/nightly/server/reverseproxy#header-filtering-recommendations">Configuring a reverse proxy</a> guide.</td>
 </tr>
 <tr>
 <td><i class="conum" data-value="4"></i><b>4</b></td>
diff --git a/nightly/server/reverseproxy.html b/nightly/server/reverseproxy.html
@@ -452,6 +452,114 @@ <h3 id="_trusted_proxies"><a class="anchor" href="#_trusted_proxies"></a>Trusted
 </div>
 </div>
 <div class="sect2">
+<h3 id="header-filtering-recommendations"><a class="anchor" href="#header-filtering-recommendations"></a>Header filtering recommendations</h3>
+<div class="paragraph">
+<p>When using TLS re-encrypt, the proxy can inspect and modify HTTP traffic.
+Use this capability to prevent external clients from injecting headers that affect identity resolution, access control, or observability.</p>
+</div>
+<div class="admonitionblock note">
+<table>
+<tr>
+<td class="icon">
+<i class="fa icon-note" title="Note"></i>
+</td>
+<td class="content">
+The following assumes that there is only a single proxy layer in front of Keycloak, and that it is not receiving traffic from another trusted proxy layer with trusted headers.
+</td>
+</tr>
+</table>
+</div>
+<div class="paragraph">
+<p>Configure the proxy to apply the following rules to incoming requests before forwarding them to Keycloak:</p>
+</div>
+<div class="ulist">
+<ul>
+<li>
+<p><strong>Overwrite</strong> <code>Forwarded</code> and <code>X-Forwarded-*</code> headers with the proxy&#8217;s own values rather than removing them, because Keycloak relies on these headers when <code>--proxy-headers</code> is configured.</p>
+</li>
+<li>
+<p><strong>Strip</strong> all other headers listed below entirely.</p>
+</li>
+</ul>
+</div>
+<table class="tableblock frame-all grid-all fit-content">
+<colgroup>
+<col>
+<col>
+<col>
+</colgroup>
+<thead>
+<tr>
+<th class="tableblock halign-left valign-top">Header(s)</th>
+<th class="tableblock halign-left valign-top">Category</th>
+<th class="tableblock halign-left valign-top">Risk if not filtered</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td class="tableblock halign-left valign-top"><p class="tableblock"><code>Forwarded</code>, <code>X-Forwarded-For</code>, <code>X-Forwarded-Proto</code>, <code>X-Forwarded-Host</code>, <code>X-Forwarded-Port</code>, <code>X-Forwarded-Prefix</code></p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">Proxy identity</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">Clients can spoof their IP address, protocol, or host, affecting access control and audit logging.
+<strong>Overwrite</strong> these headers rather than stripping them.</p></td>
+</tr>
+<tr>
+<td class="tableblock halign-left valign-top"><p class="tableblock"><code>X-Original-Forwarded-For</code></p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">Proxy identity</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">Variant of <code>X-Forwarded-For</code> recognized by some proxies.
+Can be spoofed to bypass IP-based access controls.</p></td>
+</tr>
+<tr>
+<td class="tableblock halign-left valign-top"><p class="tableblock"><code>X-Real-IP</code></p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">Proxy identity</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">Trusted by some applications for rate limiting and audit logging.
+Can be spoofed to bypass IP-based restrictions.</p></td>
+</tr>
+<tr>
+<td class="tableblock halign-left valign-top"><p class="tableblock"><code>X-Original-URL</code>, <code>X-Original-Method</code></p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">Proxy identity</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">Used by authentication sub-request mechanisms in some proxies.
+Can be spoofed to manipulate path-based authorization decisions.</p></td>
+</tr>
+<tr>
+<td class="tableblock halign-left valign-top"><p class="tableblock"><code>X-Forwarded-Access-Token</code></p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">Proxy identity</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">Injected by some OAuth2 proxies.
+Can be spoofed to inject forged access tokens.</p></td>
+</tr>
+<tr>
+<td class="tableblock halign-left valign-top"><p class="tableblock"><code>traceparent</code>, <code>tracestate</code></p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">Distributed tracing</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="https://www.w3.org/TR/trace-context/">W3C Trace Context</a> headers.
+External injection allows attackers to correlate requests in the tracing backend and map internal service dependencies.</p></td>
+</tr>
+<tr>
+<td class="tableblock halign-left valign-top"><p class="tableblock"><code>baggage</code></p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">Distributed tracing</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="https://www.w3.org/TR/baggage/">W3C Baggage</a> header.
+Can inject arbitrary key-value pairs into the trace context propagated to downstream services.</p></td>
+</tr>
+<tr>
+<td class="tableblock halign-left valign-top"><p class="tableblock"><code>b3</code>, <code>x-b3-traceid</code>, <code>x-b3-spanid</code>, <code>x-b3-parentspanid</code>, <code>x-b3-sampled</code>, <code>x-b3-flags</code></p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">Distributed tracing</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="https://github.com/openzipkin/b3-propagation">Zipkin B3</a> propagation headers.
+External injection inflates observability costs and enables cross-service correlation.</p></td>
+</tr>
+<tr>
+<td class="tableblock halign-left valign-top"><p class="tableblock"><code>uber-trace-id</code></p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">Distributed tracing</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="https://www.jaegertracing.io/sdk-migration/#propagation-format">Jaeger</a> propagation header (deprecated in favor of W3C Trace Context).
+Same risks as other tracing headers.</p></td>
+</tr>
+<tr>
+<td class="tableblock halign-left valign-top"><p class="tableblock"><code>x-ot-span-context</code></p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">Distributed tracing</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">OpenTracing propagation header (deprecated in favor of W3C Trace Context).
+Same risks as other tracing headers.</p></td>
+</tr>
+</tbody>
+</table>
+</div>
+<div class="sect2">
 <h3 id="_exposed_path_recommendations"><a class="anchor" href="#_exposed_path_recommendations"></a>Exposed path recommendations</h3>
 <div class="paragraph">
 <p>When using a reverse proxy, Keycloak only requires certain paths to be exposed.
diff --git a/translations.html b/translations.html
@@ -271,14 +271,10 @@ <h1>Translations</h1>
                     &check;
                 </td>
                 <td style="text-align: right">
-                    <a rel="nofollow" href="https://hosted.weblate.org/translate/keycloak/theme-baseaccount/cs/?q=state:%3Ctranslated">
-                        96 %
-                    </a>
+                    &check;
                 </td>
                 <td style="text-align: right">
-                    <a rel="nofollow" href="https://hosted.weblate.org/translate/keycloak/admin-ui/cs/?q=state:%3Ctranslated">
-                        93 %
-                    </a>
+                    &check;
                 </td>
                 <td style="text-align: right">
                     &check;
@@ -896,7 +892,7 @@ <h1>Translations</h1>
         </tbody>
     </table>
 
-    <p  data-nosnippet>(Statistics updated daily. Last update: 2026-05-19T17:39:34Z)</p>
+    <p  data-nosnippet>(Statistics updated daily. Last update: 2026-05-20T06:25:49Z)</p>
 
 </div>
 
