Keycloak 26.0.6 released
November 22 2024
To download the release, go to Keycloak downloads.
Highlights
Admin events might now include additional details about the context in which the event is fired
In this release, admin events might hold additional details about the context in which the event is fired. When upgrading, you should expect the database schema to be updated to add a new column, DETAILS_JSON, to the ADMIN_EVENT_ENTITY table.
Updates to documentation of X.509 client certificate lookup via proxy
Potentially vulnerable configurations have been identified in the X.509 client certificate lookup when using a reverse proxy. Additional configuration steps might be required depending on your current configuration. Make sure to review the updated reverse proxy guide if you have configured the client certificate lookup via a proxy header.
Upgrading
Before upgrading, refer to the migration guide for a complete list of changes.
All resolved issues
Enhancements
- #34315 Update the Keycloak CPU and Memory sizing guide to reflect the new EC2 worker nodes
- #34386 Some dynamically imported functions are also statically imported, making bundling them inefficient
- #34570 Make documentation clearer that the Keycloak JavaScript adapter and Node.js adapter are OIDC docs
- #34855 Add conditional text to Installation Locations
- #34873 Update Leveraging JaKarta EE in Server Development guide
- #34887 Apply QE edits to High Availability guide
Bugs
- #609 Workflow failure - Jakarta - SAMLServiceProviderTest.testAccessAccountManagement [quickstarts]
- #11008 Incorrectly getting the members of a group imported from LDAP [ldap]
- #17593 Incorrect ldap-group-mapper chosen to sync changes to ActiveDirectory when several mappers with varying group paths are used [ldap]
- #19652 Members are inherited from an LDAP group with the same name [ldap]
- #23732 JavascriptAdapterTest errors when running with strict cookies on Firefox [ci]
- #27856 Social login - Stack Overflow test fails [ci]
- #31456 Enabling/Disabling user does not work with Microsoft AD LDAP via Admin API/UI [ldap]
- #32786 Organization Domain not marked as a required field in the Admin UI [admin/ui]
- #33531 Previously entered translations should persist in the translation dialog for the attribute groups [admin/ui]
- #34013 Add More Info to Organization Events [organizations]
- #34065 Users without `view-realm` can't see user lockout state in Admin UI [admin/ui]
- #34201 OIDC IdP Unable to validate signatures using validatingPublicKey certificate [admin/ui]
- #34335 NPE in Organization(s)Resource when using Quarkus Rest Client [admin/api]
- #34401 Incorrect Content-Type Expectation for POST /admin/realms/{realm}/organizations/{id}/members in Keycloak API [admin/api]
- #34465 Help icons missing in WebAuthn Policy and WebAuthn Passwordless Policy in the admin UI [admin/ui]
- #34519 Clicking on link to Keycloak documentation from Keycloak admin UI does nothing instead of opening documentation [admin/ui]
- #34549 Quarkus dev mode does not work [dist/quarkus]
- #34572 Text in "Choose a policy type" is not wrapping [admin/ui]
- #34603 NPE in InfinispanOrganizationProvider if userCache is disabled [infinispan]
- #34624 Securing apps guide breaks downstream docs
- #34634 Missing downstream explicit name for anchors [docs]
- #34644 KC_CACHE_EMBEDDED_MTLS_ENABLED is ignored [infinispan]
- #34671 `ClientConnection.getRemoteAddr` can return a hostname when behind a reverse proxy [core]
- #34687 New credential templates broken in KC26 [login/ui]
- #34905 [Keycloak CI] Outdated surefire artifact names - Quarkus IT and UT [ci]
- #35213 CVE-2024-10451 Sensitive Data Exposure in Keycloak Build Process
- #35214 CVE-2024-10270 Potential Denial of Service
- #35215 CVE-2024-10492 Keycloak path traversal
- #35216 CVE-2024-9666 Keycloak proxy header handling Denial-of-Service (DoS) vulnerability
- #35217 CVE-2024-10039 Bypassing mTLS validation