v3.0.0
3.0.0 (2026-05-25)
- feat(auth)!: require Keycloak Organizations for every session (7806545)
Bug Fixes
- admin-users: exclude ORG_ROOT_SCOPE from per-user group memberships (94562de)
- admin-users: sort group lists hierarchically by path segments (c9413c4)
- admin: enumerate org subgroups via /children recursion (778c5e7)
- admin: force full group representation when populating org hierarchy (cb9ac2d)
- admin: paginate Keycloak organization list endpoints (654c53d)
- admin: populate org-group subtree before walking for membership checks (aa147c5)
- admin: send only membership diff from user-detail save (1bf74a0)
- admin: use native checkboxes for user-detail group membership (475a2d9)
- auth: org-root-owned resources are visible to every org member (9bd85fe)
- connections: filter by organization before authorization check (d063bc0)
- session-policy: throw on empty organization (274ff57)
Features
- admin: admin/users route handles *org-root admin scope (f5945e5)
- admin: invite users via Keycloak Organization invite (f489210)
- admin: route createGroup through Keycloak 26.6 Organization Groups API (0836170)
- auth: condition STS session policy on aws:PrincipalTag/ORG (44808a5)
- auth: redirect zero-org sessions to /onboarding (0799a20)
- connections: scope ConnectionConfig by Keycloak organization (7350e52)
BREAKING CHANGES
- sessions without an active Keycloak organization are
redirected to `/onboarding` instead of resolving connection or admin
routes. Existing realms must enable the Organizations feature
(`KC_FEATURES=organizations` plus the per-realm toggle), grant the
`cytario-web-admin` service account `view-realm` + `manage-realm` on
the `realm-management` client, and assign every user to at least one
organization before deploying. The legacy realm-wide `SCOPES` env var
is no longer read.
Refs: C-221