Keycloak 26.1.0 released

January 15 2025

To download the release go to Keycloak downloads.

Highlights

Transport stack `jdbc-ping` as new default

Keycloak now uses by default its database to discover other nodes of the same cluster, which removes the need of additional network related configurations especially for cloud providers. It is also a default that will work out-of-the-box in cloud environments.

Previous versions of Keycloak used as a default UDP multicast to discover other nodes to form a cluster and to synchronize the replicated caches of Keycloak. This required multicast to be available and to be configured correctly, which is usually not the case in cloud environments.

Starting with this version, the default changes to the jdbc-ping configuration which uses Keycloak’s database to discover other nodes. As this removes the need for multicast network capabilities and UDP and no longer using dynamic ports for the TCP-based failure detection, this is a simplification and a drop-in replacement for environments which used the previous default. To enable the previous behavior, choose the transport stack udp which is now deprecated.

The Keycloak Operator will continue to configure kubernetes as a transport stack.

See the Configuring distributed caches guide for more information.

Virtual Threads enabled for Infinispan and JGroups thread pools

Starting from this release, Keycloak automatically enables the virtual thread pool support in both the embedded Infinispan and JGroups when running on OpenJDK 21. This removes the need to configure the JGroups thread pool, the need to align the JGroups thread pool with the HTTP worker thread pool, and reduces the overall memory footprint.

OpenTelemetry Tracing supported

In the previous release, the OpenTelemetry Tracing feature was preview and is fully supported now. It means the opentelemetry feature is enabled by default.

There were made multiple improvements to the tracing capabilities in Keycloak such as:

Configuration via Keycloak CR in Keycloak Operator
Custom spans for:
- Incoming/outgoing HTTP requests including Identity Providers brokerage
- Database operations and connections
- LDAP requests
- Time-consuming operations (passwords hashing, persistent sessions operations, …)

For more information, see the Enabling Tracing guide.

Infinispan default XML configuration location

Previous releases ignored any change to conf/cache-ispn.xml if the --cache-config-file option was not provided.

Starting from this release, when --cache-config-file is not set, the default Infinispan XML configuration file is conf/cache-ispn.xml as this is both the expected behavior and the implied behavior given the docs of the current and previous releases.

Individual options for category-specific log levels

It is now possible to set category-specific log levels as individual log-level-category options.

For more details, see the Logging guide.

OpenID for Verifiable Credential Issuance

The OpenID for Verifiable Credential Issuance (OID4VCI) remains an experimental feature in Keycloak, but it has great improvements in this release. This feature benefits from much polishing of the existing configuration and making the feature more dynamic and customizable.

You will find significant development and discussions in the Keycloak OAuth SIG. Anyone from the Keycloak community is welcome to join.

Many thanks to all members of the OAuth SIG group for the participation in the development and discussions about this feature. Especially thanks to Francis Pouatcha, Ingrid Kamga, Pascal Knüppel, Thomas Darimont, Ogen Bertrand, Awambeng Rodrick and Takashi Norimatsu.

Minimum ACR Value for the client

The option Minimum ACR value is added as a configuration option on the realm OIDC clients. This addition is an enhancement related to step-up authentication, which makes it possible to enforce minimum ACR level when logging in to the particular client.

Many thanks to Simon Levermann for the contribution.

Support for prompt=create

Support now exists for the Initiating user registration standard, which allows OIDC clients to initiate the login request with the parameter prompt=create to notify Keycloak that a new user should be registered rather than an existing user authenticated. Initiating user registration was already supported in Keycloak with the use of dedicated endpoint /realms/<realm>/protocol/openid-connect/registrations. However, this endpoint is now deprecated in favor of the standard way as it was a proprietary solution specific to Keycloak.

Many thanks to Thomas Darimont for the contribution.

Option to create certificates for generated EC keys

A new option, Generate certificate, exists for EC-DSA and Ed-DSA key providers. When the generated key is created by a realm administrator, a certificate might be generated for this key. The certificate information is available in the Admin Console and in the JWK representation of this key, which is available from JWKS endpoint with the realm keys.

Many thanks to Pascal Knüppel for the contribution.

Authorization Code Binding to a DPoP Key

Support now exists for Authorization Code Binding to a DPoP Key including support for the DPoP with Pushed Authorization Requests.

Many thanks to Takashi Norimatsu for the contribution.

Maximum count and length for additional parameters sent to OIDC authentication request

The OIDC authentication request supports a limited number of additional custom parameters of maximum length. The additional parameters can be used for custom purposes (for example, adding the claims into the token with the use of the protocol mappers). In the previous versions, the maximum count of the parameters was hardcoded to 5 and the maximum length of the parameters was hardcoded to 2000. Now both values are configurable. Additionally it can be possible to configure if additional parameters cause a request to fail or if parameters are ignored.

Many thanks to Manuel Schallar and Patrick Weiner for the contribution.

Network Policy support added to the Keycloak Operator

Note	Preview feature.

To improve the security of your Kubernetes deployment, Network Policies can be specified in your Keycloak CR. The Keycloak Operator accepts the ingress rules, which define from where the traffic is allowed to come from, and automatically creates the necessary Network Policies.

LDAP users are created as enabled by default when using Microsoft Active Directory

If you are using Microsoft AD and creating users through the administrative interfaces, the user will be created as enabled by default.

In previous versions, it was only possible to update the user status after setting a (non-temporary) password to the user. This behavior was not consistent with other built-in user storages as well as not consistent with other LDAP vendors supported by the LDAP provider.

New conditional authenticators `Condition - sub-flow executed` and `Condition - client scope`

The Condition - sub-flow executed and Condition - client scope are new conditional authenticators in Keycloak. The condition Condition - sub-flow executed checks if a previous sub-flow was executed (or not executed) successfully during the authentication flow execution. The condition Condition - client scope checks if a configured client scope is present as a client scope of the client requesting authentication. For more details, see Conditions in conditional flows.

Defining dependencies between provider factories

When developing extensions for Keycloak, developers can now specify dependencies between provider factories classes by implementing the method dependsOn() in the ProviderFactory interface. See the Javadoc for a detailed description.

Dark mode enabled for the welcome theme

We’ve now enabled dark mode support for all the keycloak themes. This feature was previously present in the admin console, account console and login, and is now also available on the welcome page. If a user indicates their preference through an operating system setting (e.g. light or dark mode) or a user agent setting, the theme will automatically follow these preferences.

If you are using a custom theme that extends any of the keycloak themes and are not yet ready to support dark mode, or have styling conflicts that prevent you from implementing dark mode, you can disable support by adding the following property to your theme:

darkMode=false

Alternatively, you can disable dark mode support for the built-in Keycloak themes on a per-realm basis by turning off the Dark mode setting under the Theme tab in the realm settings.

Metrics on password hashing

There is a new metric available counting how many password validations were performed by Keycloak. This allows you to better assess where CPU resources are used, and can feed into your sizing calculations.

See Keycloak metrics and Concepts for sizing CPU and memory resources for more details.

Sign out all active sessions in admin console now effectively removes all sessions

In previous versions, clicking on Sign out all active sessions in the admin console resulted in the removal of regular sessions only. Offline sessions would still be displayed despite being effectively invalidated.

This has been changed. Now all sessions, regular and offline, are removed when signing out of all active sessions.

Dedicated release cycle for the Node.js adapter and JavaScript adapter

From this release onwards, the Keycloak JavaScript adapter and Keycloak Node.js adapter will have a release cycle independent of the Keycloak server release cycle. The 26.1.0 release may be the last one where these adapters are released together with the Keycloak server, but from now on, these adapters may be released at a different time than the Keycloak server.

Updates in quickstarts

The Keycloak quickstarts are now using main as the base branch. The latest branch, used previously, is removed. The main branch depends on the last released version of the Keycloak server, Keycloak client libraries, and adapters. As a result, contributions to the quickstarts are immediately visible to quickstart consumers with no need to wait for the next Keycloak server release.

Updated format of KEYCLOAK_SESSION cookie and AUTH_SESSION_ID cookie

The format of KEYCLOAK_SESSION cookie was slightly updated to not contain any private data in plain text. Until now, the format of the cookie was realmName/userId/userSessionId. Now the cookie contains user session ID, which is hashed by SHA-256 and URL encoded.

The format of AUTH_SESSION_ID cookie was updated to include a signature of the auth session id to ensure its integrity through signature verification. The new format is base64(auth_session_id.auth_session_id_signature). With this update, the old format will no longer be accepted, meaning that old auth sessions will no longer be valid. This change has no impact on user sessions.

These changes can affect you just in case when implementing your own providers and relying on the format of internal Keycloak cookies.

Removal of robots.txt file

The robots.txt file, previously included by default, is now removed. The default robots.txt file blocked all crawling, which prevented the noindex/nofollow directives from being followed. The desired default behaviour is for Keycloak pages to not show up in search engine results and this is accomplished by the existing X-Robots-Tag header, which is set to none by default. The value of this header can be overridden per-realm if a different behaviour is needed.

If you previously added a rule in your reverse proxy configuration for this, you can now remove it.

Imported key providers check and passivate keys with an expired cetificate

The key providers that allow to import externally generated keys (rsa and java-keystore factories) now check the validity of the associated certificate if present. Therefore a key with a certificate that is expired cannot be imported in Keycloak anymore. If the certificate expires at runtime, the key is converted into a passive key (enabled but not active). A passive key is not used for new tokens, but it is still valid for validating previous issued tokens.

The default generated key providers generate a certificate valid for 10 years (the types that have or can have an associated certificate). Because of the long validity and the recommendation to rotate keys frequently, the generated providers do not perform this check.

Admin events might include now additional details about the context when the event is fired

In this release, admin events might hold additional details about the context when the event is fired. When upgrading you should expect the database schema being updated to add a new column DETAILS_JSON to the ADMIN_EVENT_ENTITY table.

OpenShift v3 identity brokering removed

As OpenShift v3 reached end-of-life a while back, support for identity brokering with OpenShift v3 has been removed from Keycloak.

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

New features

#24992 Allow more extensive Override of BackchannelAuthenticationCallbackEndpoint core
#25006 Use optional realm attribute for authenticationrequest parameter max size/number validation configuration
#26178 Support dark mode, at least for the login pages login/ui
#26466 Operator support for setting default value of `http-pool-max-threads` operator
#27736 Used encrypted JGroups connection by default in Operator deployments operator
#29399 JDBC_PING2 as default discovery protocol
#32135 Option to specify trusted proxies dist/quarkus
#32488 Enabling authorization_details for client grant tokens until RAR is fully implemented
#33043 Provide missing user event metrics from aerogear/keycloak-metrics-spi to a keycloak mircometer event listener
#34957 Ability to specify log category levels through separate options dist/quarkus
#35110 Enhance WebAuthn registration to support custom FIDO2 origin validation
#35231 Ability to reject authentication to users without 2FA configured authentication
#35639 Allow users to specify the start page of a custom account-console theme account/ui
#36081 Authentication flow condition for client scope authentication

Enhancements

#10138 Align admin console for client for backchannel and frontchannel logout oidc
#10701 AuthenticationRequest add "create" prompt for sign-up oidc
#13852 js adapter just sets error to true upon error updateToken adapter/javascript
#16545 Additional authorization request parameters shouldn't be limited to 5 and shouldn't be discarded silently oidc
#16884 Support to enforce LoA in authentication flow for a client (Step-up) authentication
#17014 Allow custom message for brute force temporary lockout authentication
#23805 H2 Database should be opt-in and well-documented storage
#23881 Prevent "lost replace" in InfinispanAuthenticationSessionProvider storage
#26780 Maximum 100 resources with same URI checked when requesting permissions by URI authorization-services
#29511 Allow to restrict ProviderConfigProperty input to int values
#29570 Generalize or remove stack trace information found in error message exception handling
#29859 Keycloak native verification of an SD-JWT based vp_token oid4vc
#31764 Run tests with original `keycloak` login theme in nightly
#31842 Allow to create certificates for provider-keys authentication
#32092 OTEL: Add Keycloak CR support for Tracing options operator
#32094 OTEL: Apache HTTP client OpenTelemetry instrumentation
#32110 [Documentation] - Configuring trusted certificates - Fully specify truststore path dist/quarkus
#32114 OTEL: Instrument parts of Keycloak with OTEL spans
#32152 Clarify the behaviour of multiple Operator versions installed in the same cluster operator
#32657 Readonly profile attribute profile has unwanted not translated placeholder account/ui
#32773 [OID4VCI] Migrate Verifiable Credential Definitions from Client Attributes to Realm Level Attributes oid4vc
#33203 Explicitly document that the Operator does not create an Ingress for Admin URL operator
#33233 Add ui to override patternfly colors and logo
#33275 Better logging when error happens during transaction commit storage
#33484 Consolidate the logic for determining a local address core
#33492 Remove retry in LoginPage.resetPassword testsuite
#33496 Add CopyToClipboardButton to UserID in Admin UI
#33498 Expose membership type in the Admin UI for organization members admin/ui
#33559 Add an example nginx reverse proxy configuration
#33569 Show User Events on dedicated tab on Client-/User-Details
#33605 Add a reference to http-enabled in TLS/SSL setup
#33646 Upgrade Infinispan to 15.0.10.Final
#33651 Utilise `jdbc-ping` TCP based JGroups stack as default for non-operator Keycloak deployments
#33678 Make createWebAuthnRegistrationManager protected to allow cutomizations in subclasses authentication/webauthn
#33702 Prevent Keycloak from starting with wrong `work` cache configuration
#33717 Create a new base login theme
#33821 Add switch to disable dark mode
#33932 Background SQL statements show without a connected trace dist/quarkus
#33939 Enable virtual threads in Infinispan and JGroups by default
#34026 Update KEYCLOAK_SESSION cookie to not have sessionId in plain-text authentication
#34027 Sign the AUTH_SESSION_ID cookie value authentication
#34091 Username Form should support autocomplete login/ui
#34137 Standardize error messages from client and server in login theme (keycloak.v2) login/ui
#34253 Deprecate other transport stacks (ec2, azure, google)
#34265 Add JDBC_PING2 stacks for both TCP and UDP
#34284 Keycloak-admin-client should work with the future versions of Keycloak server admin/client-java
#34315 Update the Keycloak CPU and Memory sizing guide to reflect the new ec2 workder nodes
#34330 Delete Openshift 3.x identity provider
#34351 Support for the Croatian language
#34380 Remove remaining table USERNAME_LOGIN_FAILURE from the jpa UserSessionProvider times
#34382 Make the organization chapter of Server Admin guide available on downstream
#34386 Some dynamic imported functions are also statically imported making bundling them in-efficient
#34393 Improve build time of the js module
#34524 Add ability to enable support for Verifiable Credentials per Realm account/ui
#34536 Make cache-remote-host available when feature multi-site or cache-embedded-remote-store is enabled
#34570 Make documentation more clear that keycloak javascript adapter and node.js adapter are OIDC docs
#34583 Microsoft login - add prompt param configure
#34630 Avoid multi-release and java16 specific sources in the core module oidc
#34640 Update certain email templates for password recovery to match English translation format
#34658 Document network ports for Keycloak clustering
#34659 [Operator] Enhance the Keycloak Operator with Network Policies operator
#34695 Allow custom OIDCIdentityProvider implementations to specfiy the supported token types identity-brokering
#34711 OTEL: Provide Tracing SPI
#34755 Disable trim_trailing_whitespace in editorconfig to reduce noise in PRs
#34760 Improving the error message when failing to query an LDAP provider ldap
#34804 Allow a request object by considering a clock skew for smooth interoperability oidc
#34805 Allow a JWT client assertion by considering a clock skew for smooth interoperability oidc
#34848 Too many exceptions created when validating user profile
#34850 Avoid throwing exceptions when issuing reflection on user model
#34855 Add conditional text to Installation Locations
#34873 Update Leveraging JaKarta EE in Server Development guide
#34880 Feature: Allow disabling XA enforcement introduced with v26 dist/quarkus
#34882 Edits to Authorization Services guide
#34894 Allow a DPoP Proof by considering a clock skew for smooth interoperability
#34916 Addresse QE comments on Server Administration guide
#34931 Upgrade to ISPN 15.0.11.Final
#34990 Authorization Code Binding to a DPoP Key and DPoP with Pushed Authorization Requests oidc
#35003 Expose templateName in attributes when rendering freemarker templates login/ui
#35077 Upgrade to Quarkus 3.15.2 dist/quarkus
#35080 Prefer usage of StandardCharsets.UTF_8 over "UTF-8" charset reference core
#35103 [LoginUI] Set HTML lang attribute to "en" when internationalization disabled account/ui
#35180 Improve test method signature and gather more info about assertions testsuite
#35192 Resolve scopes from authenticated client sessions when selecting attributes
#35225 Allow configuring retries for JavaScript tests using environment variable ci
#35243 Allow asking for additional scopes when querying the account console root URL
#35252 Add WHY issues are important for each PR no matter how small to CONTRIBUTING.md docs
#35254 CONTRIBUTING.md has confusing ordered list with two times point 5
#35331 Updated tested PostgreSQL version to 17
#35333 Updated tested MariaDB version to 11.4
#35335 Updated tested MySQL version to 8.4
#35402 Consistent use of log.debugf to avoid generating too much GC overhead
#35415 Add a page with an index that links to smaller pages (JVM, HTTP, Database, embedded caches, external Infinispan) - we can show example widgets from the dashboards later
#35419 OTEL: Enhance traces with spans for each RestEASY resource
#35425 OTEL: Show spans in transaction completion at the end of a request
#35430 OTEL: Group persistent session work activities in parent span or link them
#35457 Avoid creating ObjectMapper but using JsonSerialization utility class when managing event details
#35478 Add password validation to update-password
#35506 Support for multiple values of some parameters in the grant SPI oidc
#35573 Update the Enabling Keycloak Event Metrics guide with the list of possible events and errors
#35588 Update release notes for Keycloak 26.1.0 with new community additions docs
#35598 [Operator] Network Policy Rules operator
#35604 Removing unnecessary configuration from auth servers
#35640 Update the sizing guide with an indicator on which user events to use
#35676 Reduce debounce time in RealmSelector
#35714 Replace `uuid` module with `crypto.randomUUID()`
#35758 Set the LDAP connection pooling protocols by default to plain and tls
#35775 Document the performance numbers from the ARM based ROSA cluster runs
#35807 Add a test that the metrics listed in the docs are available from Keycloak (keep it simple, ignore metrics that don't show up right after the start)
#35834 Use MeterProvider as suggested by the Micrometer team to avoid GC overhead
#35852 Enable LDAP Connection pooling by default
#35856 Release note about node.js adapter and javascript adapter released independently of keycloak server docs
#35859 Update upgrading notes with the changes related to core clients docs
#35939 Rescue dutch translations from aborted Weblate PR
#36015 Update the CA translation translations
#36039 Tune caching guide list of stacks for the upcoming release
#36047 Align realm name placeholder in the docs docs
#36048 Add metric for number of password validations
#36059 OTEL: Add tracing for credential validation
#36079 Suggestion: Improve Regex for NPM Version Conversion in set-version.sh ci
#36087 Allow tracing packets sent to and from LDAP for troubleshooting purposes
#36211 Help texts in the admin UI should end with a dot admin/ui
#36263 OTEL: merge Operator tracing test cases
#36388 Rename `org.keycloak.test.framework` package to `org.keycloak.testframework` test-framework
#36389 Rename `org.keycloak.test` package to `org.keycloak.tests` test-framework
#36425 Make @EnableFeature to handle the case with added provider of currently non-used SPI testsuite
#36442 Prepare a new guide for Keycloak's own metrics in the observability guide

Bugs

#8935 keycloak.js example from the documentation leads to error path adapter/javascript
#10233 Locale Setting for Update Password Mail admin/api
#10417 Race when creating client protocol mappers (ClientManager#enableServiceAccount) resulting in duplicate entries storage
#11008 Incorrect get the members of a group imported from LDAP ldap
#12309 IllegalArgumentException on canceled Account Linking oidc
#12919 Step-up authentication with existing cookie not working when using `Authentication Flow Overrides` per client authentication
#14562 Broken Promise implementation for AuthZ JS adapter/javascript
#15058 Backchannel Logout silently not sent, if Frontchannel Logout is enabled as well oidc
#15635 oidc - JavaScript-Adapter LocalStorage#clearExpired does not clear all possible items adapter/javascript
#16451 Documentation - Expand/Clarify Admin REST API User Search Functionality admin/api
#17233 the InfoPage after an ExecuteActionsEmail is not localized based on the user's locale authentication
#17433 robots.txt causes indexing authentication/webauthn
#17593 Incorrect ldap-group-mapper chosen to sync changes to ActiveDirectory when several mappers with varying group paths used ldap
#19101 Uncaught (in promise): QuotaExceededError adapter/javascript
#19358 Issue with concurrent user & group delete, unable to cleanup resource server user-policy & group-policy authorization-services
#19652 Members are inhereted from LDAP group with the same name ldap
#20287 When using `oidcProvider` config url (.well-known) it's not possible to use `silentCheckSsoRedirectUri` adapter/javascript
#23732 JavascriptAdapterTest errors when running with strict cookies on Firefox ci
#24493 Broken (read-only) database connections not getting removed from connection pool, keycloak claims to be healthy. storage
#25085 Inconsistent TypeScript definitions in the module @keycloak/keycloak-admin-client while compiling admin/client-js
#25675 Workflow error: Base IT - RefreshTokenTest#refreshTokenWithDifferentIssuer testsuite
#25917 Allow increasing wait time on each failure after the max number of failures is reached authentication
#27378 update brute force docs to reflect available lockouts modes (temporary / permanent / mixed) authentication
#27856 Social login - Stack Overflow test fails ci
#28241 NPE on External OIDC to Internal Token Exchange when Transient Users feature is enabled token-exchange
#28328 Declining terms and conditions in account-console results in error account/ui
#28978 some GUI validation check missing admin/ui
#29289 Flaky test: org.keycloak.testsuite.admin.concurrency.ConcurrencyTest#createRemoveClient ci
#29290 Flaky test: org.keycloak.testsuite.admin.concurrency.ConcurrencyTest#createClient ci
#30037 Unstable test KerberosStandaloneCrossRealmTrustTest.test03SpnegoLoginWithCorrectKerberosPrincipalRealm ci
#30204 When the Delete Credential required action is set to false an authentication application cannot be removed from the account UI core
#30364 Make sure it is not possible to run snapshot server against production DB by default core
#30453 Event type not set in reset-credential flow under some conditions resulting in an error page authentication
#30631 Upgrade to 25 throws: Statement violates GTID consistency core
#30832 Organization API not available from OpenAPI documentation admin/api
#30994 Workflow failure: WebAuthn IT (firefox) - WebAuthnSigningInTest:navigateBeforeTest ci
#31091 Flaky test: org.keycloak.testsuite.admin.concurrency.ConcurrencyTest#testAllConcurrently ci
#31180 token exchange: exchange-sequence still fails with `Client session for client '..' not present in user session` when starting on public client token-exchange
#31359 Offline sessions are not removed from admin console after sign out all active sessions core
#31415 Selection list does not close after outside click admin/ui
#31456 Enabling/Disabling user does not work with Microsoft AD LDAP via Admin API/UI ldap
#31469 Show account page before login core
#31492 Misleading docs and functionality around cache-ispn.xml dist/quarkus
#31638 Error when non-admin user accesses admin console admin/fine-grained-permissions
#31724 Logout not working after removing Identity Provider of user identity-brokering
#31727 KC doesn’t enforce uniqueness of aliases in Authentication flows, but uses them as identifiers (in config export) authentication
#31835 Windows builds fail too often due to problems with the download of Node ci
#31848 Repeated email verifications while logging in through IDP caused by email case sensitivity authentication
#32143 UserId too long to add Security Key WebauthN authentication/webauthn
#32266 LDAP Import: KERBEROS_PRINCIPAL not updated when UserPrincipal changes and user already exists ldap
#32270 High CPU usage on logout when using remote Infinispan only setup infinispan
#32348 none of the enabled features are shown as such in the admin console docs
#32356 creating short admin password in BCFIPS approved mode gives "Internal server error" page core
#32462 "Cookie not found" in multi-step auth flows / mobile browsers core
#32476 Flaky test: org.keycloak.testsuite.forms.LoginTest#loginAgainWithoutRememberMe ci
#32550 Flaky test: org.keycloak.testsuite.forms.LoginTest#loginMissingUsername ci
#32610 addExecutionFlow endpoint does not return right ID admin/api
#32617 Nightly Cypress tests for the Admin Console are failing on Firefox admin/ui
#32648 RP-Initiated logout using `POST` method fails in cross-origin setup oidc
#32650 Requesting `offline_access` without an established session results in two sessions oidc
#32658 Authentication sessions do not handle concurrent writes core
#32676 Flaky test: org.keycloak.testsuite.forms.BrowserButtonsTest#appInitiatedRegistrationWithBackButton ci
#32677 Flaky test: org.keycloak.testsuite.forms.LoginTest#loginWithRememberMe ci
#32767 Flaky test: org.keycloak.testsuite.forms.LoginTest#loginRememberMeExpiredMaxLifespan ci
#32786 Organization Domain not marked as a required field in the Admin UI admin/ui
#32801 Requested `grant_types` inconsistent with created `grant_types` for OpenID Connect Dynamic Client Registration oidc
#32844 Login V2: Missing "dir" attributes login/ui
#32847 Admin UI defaults to master realm even without permissions to it admin/ui
#32901 Consider Replacing Monaco Editor or Bundling Resources Locally to Avoid CSP Conflicts admin/ui
#32962 Possible issue with unavailable CryptoIntegration when using keycloak-authz-client with private_key_jwt and ECDSA algorithm oidc
#32992 Role descriptions do not wrap in the UI admin/ui
#33020 Incorrect Disclosure Handling in SdJwtVP.of(String) Method oid4vc
#33071 RESTART_AUTHENTICATION_ERROR in Iphone devices (using safari and chrome browser) oidc
#33072 Passkeys: Infinite (re-)loading loop on browsers with WebAuthn Conditional UI disabled authentication/webauthn
#33125 Duplicate principals not allowed in keystore authentication
#33132 Flaky test: org.keycloak.testsuite.forms.LoginTest#loginWithEmailUserAndRememberMe ci
#33195 Any one Client role mapping to user/group generating two events on admin events tab. core
#33232 400 error logged as 500 identity-brokering
#33282 Icons for social providers broken in login screen if the provider is created with non-default alias admin/ui
#33309 Admin UI e is undefined if required action recreated with own alias admin/ui
#33349 Double scroll bar due to warning banner admin/ui
#33352 Wrong translation issues in greek translation translations
#33404 Permission cannot be evaluated when only role and client are provided authorization-services
#33408 Link to existing account form: IDP Alias displayed instead of IDP Display Name login/ui
#33435 404 in admin console when unlinking managed user from organizations admin/ui
#33505 Flaky test: org.keycloak.testsuite.forms.LevelOfAssuranceFlowTest#testWithOTPAndRecoveryCodesAtLevel2 ci
#33513 Can get authorization code on a non verified user with some specific kc_action (AIA) oidc
#33531 Previously entered translations should persist in the translation dialog for the attribute groups admin/ui
#33539 Keycloak In Docker: ERROR: Strict hostname resolution configured but no hostname setting provided docs
#33549 Flaky test: org.keycloak.testsuite.broker.KcOidcBrokerTest#testPostBrokerLoginFlowWithOTP_bruteForceEnabled ci
#33557 Unable to submit forms in Safari account/ui
#33576 Broken links / anchors after KC26 release docs
#33578 In imported realms, the ability to use environment variables has disappeared import-export
#33585 Fix runaway asterisk formatting in TLS documentation docs
#33596 Cleanup how static state is set for import / export dist/quarkus
#33599 Upgrade Selenium testsuite
#33603 Repeated "to a" in the help text for the "User Attribute" mapper admin/ui
#33607 Fix v2 login layout login/ui
#33614 Client Secret Required Bug When Using "JWT Signed with Private Key" for (Keycloak/) OpenID Connect Provider admin/ui
#33618 No message for `policyGroupsHelp` admin/ui
#33627 ClassNotFoundException OracleXADataSource/OracleDataSource using IDELauncher with Keycloak 26.0.0 dist/quarkus
#33638 Non-optimized start command gives erroneous warnings for runtime spi options dist/quarkus
#33640 Customizable footer (Keycloak 26) not displaying in keycloak.v2 login theme login/ui
#33642 RTL not working on keycloak.v2 login template login/ui
#33649 Validation of http truststore or keystore file masks if the file exists dist/quarkus
#33653 Test "Duplicate Group" unstable in Admin UI / job is failing admin/ui
#33699 Failure to redirect to organization IdP when the organization scope is included organizations
#33729 Not possible to configure custom client authenticator in Admin UI authentication
#33731 Client Scope updates are not replicated on a distributed keycloak setup in kubernetes admin/api
#33734 Client Policy throws "Invalid Redirect Uri" if Standard Flow is disabled oidc
#33735 Organizations section is shown in account console if organizations is not enabled for a realm. account/ui
#33767 Aurora IT tests failing periodically with download of node ci
#33775 Admin client returns HTTP code `400 Bad Request` when using x509 certificate admin/client-java
#33776 [Regression] 26.0.0 return empty "access: []" JWT for Docker-v2 Auth provider, resulting in "access denied" authentication
#33777 Error when adding or removing a user from an organisation when there are 2 or more Keycloak servers in a cluster organizations
#33780 Upgrade to 26 fails with 'ERROR: index "idx_us_sess_id_on_cl_sess" does not exist' core
#33793 FOUC in Firefox on login UI login/ui
#33798 CVE-2021-44549 - org.eclipse.angus/angus-mail: Enabling Secure Server Identity Checks for Safer SMTPS Communication dist/quarkus
#33810 Stabilise my-resources.spec test account/ui
#33814 NPE when device representation cannot be parsed authentication
#33817 NEP when Default Role is not present on CachedRealm infinispan
#33820 client-jwt ES256 error when doing CODE_TO_TOKEN oidc
#33844 Wrong documentation link in keycloak-js readme docs
#33874 [Keycloak CI] - AuroraDB IT - Error creating EC2 runner instance
#33875 [Keycloak CI] - FIPS IT - Failed to fetch maven
#33883 Auth not possible for auth session where user was enabled in the meantime authentication
#33902 Not persisted config settings prevent server start dist/quarkus
#33907 NPE thrown in whoami endpoint admin/ui
#33933 Recovery authentication codes are numbered inconsistently login/ui
#33940 ResetPasswordTest.resetPasswordExpiredCode Error -> AbstractKeycloakTest.deleteAllCookiesForRealm:297 core
#33941 Cannot install latest version (26.0.0) of the adapter using Galleon adapter/jee
#33948 [PERF] OpenTelemetry is initialized even when disabled
#33967 password is a required field admin/ui
#33968 Not possible to close dialog boxes when clicking buttons or the close icon admin/ui
#33970 Windows kc.bat handling of serveral parameter types is not correct dist/quarkus
#33987 keycloak.v2 registration: Password policy validation error "errorList is null" login/ui
#33991 Doc CI - broken links error docs
#34000 Handle removal of online session for the directGrant and clientCredentials
#34001 Handle removal of online session for authorization_code when `scope=offline_access`is used oidc
#34009 grammatical error in "Managing Organizations" documentation docs
#34013 Add More Info to Organization Events organizations
#34015 Home URL for security-admin-console is broken admin/ui
#34017 [Admin UI] Broken autocomplete input on the "Create resource-based permission" form admin/ui
#34023 Flaky Test ResetPasswordTest.resetPasswordLoggedUser:188->openResetPasswordUrlAndDoFlow:252 testsuite
#34028 Custom keycloak login theme styles.css return error 404 login/ui
#34041 [Windows] Wrong expansion of ${kc.home.dir} causes NoSuchFile exception dist/quarkus
#34042 LDAP Pagination not working for role membership in GET_ROLES_FROM_USER_MEMBEROF_ATTRIBUTE strategy ldap
#34049 Org Invite: `linkExpiration` template variable represents 54 years in minutes organizations
#34050 Listing federated LDAP users is very slow with import enabled ldap
#34054 Onclick focus issue in the Username field of Clients / / Client Scopes / Evaluate admin/ui
#34063 Respect the locale set to a user when redering verify email pages user-profile
#34065 Users without `view-realm` can't see user lockout state in Admin UI admin/ui
#34069 Do not show domain match message in the identity-first login when no login hint is provided organizations
#34072 The Realm Selection Dropdown Breaks After 50 Realms In Database admin/ui
#34075 Flaky test: org.keycloak.testsuite.broker.KcOidcBrokerTest#testPostBrokerLoginFlowWithOTP_bruteForceEnabled ci
#34093 java.util.ConcurrentModificationException when process user sessions update infinispan
#34095 Keycloak 26.0.0/26.0.1 Import Issue: Multiple Realms Not Imported, Duplicated Realm Imported Instead import-export
#34149 Group select dialog: Subgroups not displayed initially due to pagination admin/ui
#34151 JS password validation doesn't work as intended with uppercase and lowercase minimum requirements login/ui
#34155 cli options starting or ending with ; or containing ;; mangle the cli handling dist/quarkus
#34176 Grant type "urn:ietf:params:oauth:grant-type:uma-ticket" token service endpoint returns NullPointerException authorization-services
#34201 OIDC IdP Unable to validate signatures using validatingPublicKey certificate admin/ui
#34207 logout with client_id and/or post_logout_redirect_uri results in bad request on logout confirmation page oidc
#34224 Deleting a user leads to ISPN marshalling exception
#34229 Group search in user view doesn't work as expected for nested groups admin/ui
#34233 Service accounts visible under user search in Admin console admin/api
#34257 Docs: Dead link docs
#34273 Flaky Test: BrowserFlowTest.testAlternativeNonInteractiveExecutorInSubflow() testsuite
#34276 PEM files distributed as part of SAML adapter configs are missing -----BEGIN and -----END blocks saml
#34298 NullPointerException in ConditionalOtpFormAuthenticator.java authentication
#34301 Remove inaccurate statement about master realm imports docs
#34304 Fix DB overflow for EVENT_ENTITY table and SESSION_ID column in case that incorrect data are sent core
#34335 NPE in Organization(s)Resource when using Quarkus Rest Client admin/api
#34352 ParEndpoint#request corrupts values added in request object oidc
#34356 Admin UI doesn't show realms when using login through identity provider admin/fine-grained-permissions
#34401 Incorrect Content-Type Expectation for POST /admin/realms/{realm}/organizations/{id}/members in Keycloak API admin/api
#34402 [Keycloak 26.0.2] Getting "Forbidden, permission needed: query-clients" as temp-admin admin/ui
#34412 LDAP: searching users with import disabled is slower since fix for 34050 ldap
#34432 Flaky test: org.keycloak.testsuite.broker.KcSamlBrokerTest#testPostBrokerLoginFlowWithOTP_bruteForceEnabled ci
#34440 [Trivy] - Workflow failure ci
#34444 NullPointerException in RoleResolveUtil when admin-cli uses lightweight token admin/cli
#34450 [26.0.2] Migration from 25.0.1 Identity Provider Errors identity-brokering
#34460 kc.config.args exposed in show-config dist/quarkus
#34465 Missing help icons in Webauthn Policy and Webauthn Passwordless Policy missing in admin ui admin/ui
#34467 Do not rely on the `pwdLastSet` attribute when updating AD entries ldap
#34474 Flaky test: org.keycloak.testsuite.broker.KcOidcBrokerTest#testPostBrokerLoginFlowWithOTP_bruteForceEnabled ci
#34508 Username and password should be optional for multi-site deployment infinispan
#34519 Clicking on link to Keycloak documentation from Keycloak admin UI does nothing instead of opening documentation admin/ui
#34530 Flaky test: org.keycloak.testsuite.actions.TermsAndConditionsTest#termsDeclined ci
#34540 Renaming realm in UI broken admin/api
#34547 Non compliant OpenID Client Authentication when `client_secret_jwt` with PAR (Pushed Authorization Requests) oidc
#34549 Quarkus dev mode does not work dist/quarkus
#34558 Flaky test: org.keycloak.testsuite.forms.ResetPasswordTest#resetPasswordLinkTestAppWithoutRedirectUriParam ci
#34560 Switching 'Email as Username' alters existing custom usernames to email addresses, causing LDAP sync issues core
#34572 Text in "Choose a policy type" is not wrapping admin/ui
#34590 Attributes missing in OrganizationRepresentation when using Admin REST API in Keycloak 26 admin/api
#34592 Flaky test: org.keycloak.testsuite.broker.KcOidcBrokerTest#testPostBrokerLoginFlowWithOTP_bruteForceEnabled ci
#34602 Rework global event listener for metrics core
#34603 NPE in InfinispanOrganizationProvider if userCache is disabled infinispan
#34605 Error on testsuite "group_test" on Cypress admin/ui
#34611 AdminEventQueryTest test fails after adding global event listener core
#34614 Remove duplicate lines in userprofile freemarker template login/ui
#34616 Fix typo in log message account/ui
#34624 Securing apps guide breaks downstream docs
#34634 Missing downstream explicit name for anchors docs
#34635 Feature in higher version takes precedence even if it has lower type order
#34636 Client Protocol Mappers with non UUID ids cannot be edited admin/ui
#34644 KC_CACHE_EMBEDDED_MTLS_ENABLED is ignored infinispan
#34652 Continuous reload when KC_AUTH_SESSION_HASH expires authentication
#34671 `ClientConnection.getRemoteAddr` can return a hostname when behind a reverse proxy core
#34675 Keys tab showing disabled and inactive keys as active admin/ui
#34678 [Admin UI] [Create resource-based permission] Resource input is disabled admin/ui
#34687 New credential templates broken in KC26 login/ui
#34750 calling openid-connect/auth with previous version valid cookies generate internal server error authorization-services
#34769 Invalid flag for addDefaultRequiredActions infinispan
#34776 GroupMappersTest test fails in keycloak-client core
#34794 CVE-2024-10973 - Cleartext Transmission of Sensitive Information in org.keycloak:keycloak-quarkus-server
#34811 AdminUI: Alphabetically sort "Event saved type" in the events listing admin/ui
#34817 Log handler specific log levels support only lower-case levels dist/quarkus
#34818 Liquibase outputs update summary directly to standard out dist/quarkus
#34824 [Keycloak CI] - Base IT - KerberosLdapCrossRealmTrustTest.test03SpnegoLoginUsernamePassword ldap
#34832 [Jenkins Keycloak CI] - Cookies Tests - KcOidcBrokerPrivateKeyJwtCustomAudienceTest ci
#34834 [Jenkins Keycloak CI] - Cookies Tests - KcSamlBrokerTest
#34835 [Jenkins Keycloak CI] - Cookies Tests - KcOidcBrokerLdapTest ci
#34842 Keycloak needs to return "invalid_request" from Token Endpoint if a token or refresh request lacks DPOP proof oidc
#34844 [Keycloak CI] - Quarkus IT - StartCommandDistTest and BuildAndStartDistTest dist/quarkus
#34853 [Jenkins Keycloak CI] - Adapter Cookies Tests - Failures with Firefox strict cookies ci
#34858 Deprecated CLI options and new options are not stable in their sorting dist/quarkus
#34864 On logout from admin console, a serverinfo call with 401 response in the logs admin/ui
#34875 Clients invalidated on each client credential grant core
#34876 Incomplete registration form when edit email is disabled and email is set as username user-profile
#34888 Authentication Link and IDP Fails with 400 Bad Request After Migrating to Version 26 and Delete Authentification authentication
#34899 Upgrade 24 to 25 fails because db jpa changes drop nonexisting indexes. core
#34905 [Keycloak CI] Outdated surefire artifacts names - Quarkus IT and UT ci
#34930 Update Email doesn't update username when Email as Username and Attributes are enabled user-profile
#34944 Adding "sub" claim to lightweight access token causes HTTP 403 Forbidden Error in Keycloak 26.0.5 oidc
#34968 Unable to scroll/swipe through the main menu on macOS admin/ui
#34973 ES256 key continue to be used to sign token even after expiry oidc
#34975 getAll() organization members only returns the first 10 members organizations
#34987 KC25 Migration guide for caching options needs clarification
#34995 MySQL database migration issue core
#35006 Mis-formatted unordered list in the caching docs
#35015 Flaky test: org.keycloak.testsuite.model.session.AuthenticationSessionTest#testConcurrentAuthenticationSessionsRemoval ci
#35047 PersistentSessionsWorker: retry with 0 backoff ms. core
#35048 Filter events by user id and client not working admin/ui
#35052 `organizationEnabled` and `verifiableCredentialsEnabled` attributes are present as attributes in an export
#35060 Cannot request additional scopes when using the account console account/api
#35068 Flaky test: org.keycloak.testsuite.broker.KcSamlBrokerTest#testPostBrokerLoginFlowWithOTP_bruteForceEnabled core
#35087 Flaky test: org.keycloak.testsuite.model.session.AuthenticationSessionTest#testConcurrentAuthenticationSessionsCreation ci
#35088 Flaky test: org.keycloak.testsuite.adapter.servlet.SAMLClockSkewAdapterTest#testTokenTimeIsValid ci
#35213 CVE-2024-10451 Sensitive Data Exposure in Keycloak Build Process
#35214 CVE-2024-10270 Potential Denial of Service
#35215 CVE-2024-10492 Keycloak path trasversal
#35216 CVE-2024-9666 Keycloak proxy header handling Denial-of-Service (DoS) vulnerability
#35217 CVE-2024-10039 Bypassing mTLS validation
#35219 Account UI E2E / `personal-info/personal-info.spec.ts` is unstable ci
#35226 Typo www.recatcha.net -> www.recaptcha.net in docs docs
#35229 Fix typo in v24 changelog: "longer" -> "no longer" docs
#35232 reCAPTCHA v3 not working login/ui
#35240 Links to guides in Observability section are still pointing to server section docs
#35256 Typos in `.md` and `.adoc` files, detected using codespell and manual review docs
#35273 Edit Help Mode descriptor for Roles in policy form admin/ui
#35276 Your login attempt timed out authentication
#35288 Upgrade 26.0.5 -> 26.0.6 completely breaks admin events in the admin UI admin/ui
#35289 Maven clean shouldn't be skipped by default on Windows
#35290 Database migration fails after upgrading operator to v26.0.6 core
#35317 Token issuer is null in executeActionsEmail and sendVerifyEmail if no clientId is passed admin/api
#35324 Strange Random behavior - Intermittent missing organization claim in Keycloak JWT token organizations
#35328 Error when creating a permission ticket when there are 2 or more Keycloak servers in a cluster authorization-services
#35340 Errors in persian and tukish translations in account translations
#35352 Multiselect Checkboxes in user profile don't allow to unset value user-profile
#35357 Resolve scopes from bearer tokens when processing requests to the Account API
#35386 log-syslog-max-length is ignored dist/quarkus
#35405 [Keycloak CI] - Quarkus UT (windows-latest) - Keycloak Quarkus Server Deployment ci
#35410 SAML Adapter Galleon Pack for EAP8 cannot use new metadata options for layers adapter/saml
#35414 Capitalization in Hungarian translation needs improvement translations
#35416 Mis-formatted definition list of hashing algorithms
#35421 Showing LDAP error message when failing to reset password ldap
#35427 OTEL: OTelTracingProvider should be request-scoped dist/quarkus
#35429 access token or refresh token will be reset when another is set admin/ui
#35448 Flaky test: org.keycloak.testsuite.model.DBLockTest.testTwoLocksCurrently ci
#35451 Update Infinispan examples in the High Availability guide docs
#35475 Delete user confirm title is wrong admin/ui
#35481 Events: Wrong text for user id search admin/ui
#35483 Event Representation is not shown for Admin Events in UI admin/ui
#35486 When using the token revocation endpoint with refresh-token, all sessions from the user+client are terminated oidc
#35488 [Jekins Keycloak CI] - RH-SSO EAP adapters remote saml tests ci
#35496 `QuarkusPropertiesDistTest` fails on Windows testsuite
#35526 Initial keycloak bootstrap suggestion is not correct. dist/quarkus
#35529 IPA-Tuura federation: password field shows password in plaintext core
#35544 Upgrading guide 26.0.6 is missing in the built document docs
#35550 JVM crash when running base testsuite test from command line using auth-server-quarkus-embedded dist/quarkus
#35570 Invoking `BaseUpdater.markDeleted()` more than once cause the transient status to be lost infinispan
#35591 Embedded test server fails when running from `mvn` dist/quarkus
#35611 Code quote for http-enabled is incorrect, missing relevant option in reverse proxy documentation docs
#35612 Fix broken Dependabot configuration
#35634 Temporary password toggle in set password dialog is cut off in admin-console admin/ui
#35637 Inconsistency when returning user attributes when executing a seach or fetching users by ID from external user storage providers ldap
#35643 Improve sssd note about synchronization of groups docs
#35664 realm_test.spec fails on firefox admin/ui
#35675 New install doesn't allow admin user creation dist/quarkus
#35704 token exchange response expires_in inconsistent behavior token-exchange
#35706 Support for X-Forwarded-Prefix should not be implied docs
#35723 POST create client with id exceed 36 characters length response status 500 instead of 403 admin/api
#35732 Missing userId in LOGIN_ERROR event for permanent lockout authentication
#35745 GET .../organizations/{id}/members/{id} multiple ids organizations
#35760 Event for setting up recovery codes authentication
#35766 Fix grammar in documentation page docs
#35767 Typo in using custom Keycloak image for Operator guide docs
#35770 Quarkus.properties should not use -cf or --config-file flag docs
#35793 Update to KC 26.x from <26 fails if admin-cli client deleted core
#35796 Keycloak incorrect usage of UserPolicy and cache. authorization-services
#35802 Keycloak arquillian testsuite not working with the default profile testsuite
#35813 Token revocation may not correctly revoke related access tokens
#35822 Exact searches should be the default when querying user by attributes admin/api
#35827 Regression Mysql 8 support as the upgrade script do not use temporary table storage
#35830 Selected Organization not present in access_token of different client within same Realm if user belongs to multiple organization organizations
#35854 Unused LDAP provider options are still exposed
#35863 Selecting one role selects all admin/ui
#35874 MapComponent UI Not Displaying Saved Values in Keycloak React Admin UI admin/ui
#35876 Typo in username pt_BR translation in account console account/ui
#35904 Failing since may be reported incorrectly on health probe dist/quarkus
#35914 Map Configuration Property in Custom UserStorageProviderFactory Not Displayed in UI After Saving admin/ui
#35935 Organization Scope mismatch organizations
#35937 Duplicate entry in admin message properties admin/ui
#35947 Broken links in getting-started guide pointing to quickstarts latest branch docs
#35964 Flaky test: org.keycloak.testsuite.forms.BruteForceTest#testExceedMaxTemporaryLockouts ci
#35971 Wrong content-type for content.json account/ui
#36009 Unable to use custom handlers for HTTP OPTIONS method in subresources dist/quarkus
#36012 Double submit on otp form causes error login/ui
#36037 Translations specified in the admin console do not override the translations specified in a theme translations
#36038 Flaky test: org.keycloak.testsuite.broker.KcOidcBrokerTokenExchangeTest#testInternalExternalTokenExchangeStoredToken ci
#36053 IDPs can not be found anymore by "Issuer" value when exchanging tokens identity-brokering
#36055 Unnecessary text in documentation docs
#36061 NPE when Kerberos Server is unreachable core
#36090 Incompatible method of admin-client in Keycloak 26.1 and missing javadoc admin/client-java
#36117 max-count for session caches is not set by default for local Infinispan config dist/quarkus
#36121 Issue with "403 Forbidden" Access /admin/realms/{realm}/authentication/executions/{executionId} admin/api
#36168 Fix invalid url in keycloak.js log message adapter/javascript
#36172 "Remove role" alert text is wrong admin/ui
#36241 Profile attribute inputs incorrectly marked as required when minimum length is configured admin/ui
#36249 Error when re-authenticating when organization is enabled organizations
#36297 PasswordAgePolicy triggering NullPointerException when credentail does not have createdDate core
#36301 KeycloakServer application not working anymore testsuite
#36332 PersistentSessionsWorker: Cannot access delegate without a transaction ldap
#36347 Roll-back change to startup timeout operator
#36375 [Keycloak CI] - Bse IT/Store IT - IdentityProviderTest ci
#36394 CVE-2024-11736 Unrestricted admin use of system and environment variables
#36395 CVE-2024-11734 Denial of Service in Keycloak Server via Security Headers
#36401 Metric `vendor_jgroups_*` is unstable and can change in upcoming releases infinispan
#36410 When running Keycloak in testutils with Undertow, the admin UI thows NoMessageBodyWriterFoundFailure admin/ui
#36432 Too much space around "Forgot Password" button (keycloak.v2) login/ui