Keycloak 26.1.1 released
February 05 2025
To download the release go to Keycloak downloads.
Highlights
New option in X.509 authenticator to abort authentication if CRL is outdated
The X.509 authenticator has a new option x509-cert-auth-crl-abort-if-non-updated (CRL abort if non updated in the Admin Console) to abort the login if a CRL is configured to validate the certificate and the CRL is not updated in the time specified in the next update field. The new option defaults to true in the Admin Console. For more details about the CRL next update field, see RFC 5280, Section 5.1.2.5.
The value false is maintained for compatibility with the previous behavior. Note that existing configurations will not have the new option and will act as if this option was set to false, but the Admin Console will add the default value true on edit.
New option in Send Reset Email to force a login after reset credentials
The reset-credential-email (Send Reset Email) is the authenticator used in the reset credentials flow (forgot password feature) for sending the email to the user with the reset credentials token link. This authenticator now has a new option force-login (Force login after reset). When this option is set to true, the authenticator terminates the session and forces a new login.
Upgrading
Before upgrading refer to the migration guide for a complete list of changes.
All resolved issues
Enhancements
- #552 Clean up old release code from Node.js adapter repo nodejs-connect
- #34275 Organizations: Allow Organization Selection organizations
- #34343 CreatedResponseUtil.getCreatedId should expose the actual error message from the server admin/client-java
- #36440 Remove Node.js adapter documentation from main repo docs
- #36456 Clarify IPv6 JGroups requirements in Keycloak documentation
- #36798 Add detail on dependencyManagement section for POM files
Bugs
- #558 The draft nightly untagged release is created by "Release nightly" GH action nodejs-connect
- #562 Incorrectly resolved {project_versionNpm} expression in the documentation nodejs-connect
- #32766 Translation error in messages_fr.properties translations
- #33477 LDAP groups not showing members in Groups when using memberOf attribute ldap
- #36159 Realm not found while exists and works if entered directly in the URL admin/ui
- #36460 Deployment artifacts for Quarkus extensions are not in deployment dir dist/quarkus
- #36483 Wrong link for tracing in 26.1.0 release notes docs
- #36514 The organization claim does not appear if the Organization Membership Mapper is added through a custom client scope organizations
- #36531 WebAuthN and dark mode: device icons are hardly readable login/ui
- #36559 keycloak.v2 forms are too small for mobile view login/ui
- #36629 All IDPs shown when reloading login page login/ui
- #36649 When organizations feature is turned on, login_hint doesn't prefill identity-first login's page email field organizations
- #36669 --spi-connections-liquibase-default-index-creation-threshold does not work core
- #36675 Links error for https://jwt.io in documentation docs
- #36728 Logging errors on DB transaction retries core
- #36745 Conflict when Keycloak uses an OpenShift cluster ingress certificate operator
- #36781 Flaky test: org.keycloak.testsuite.webauthn.account.WebAuthnTransportLocaleTest#localizationTransportInternal ci
- #36782 Flaky test: org.keycloak.testsuite.webauthn.account.WebAuthnSigningInTest#multipleSecurityKeys ci
- #36844 Provide an option to force login after reset credentials authentication
- #36887 Outdated documentation about how to use reCAPTCHA in development with localhost docs
- #36902 Flaky test: org.keycloak.testsuite.webauthn.account.WebAuthnErrorTest#errorPageWithTimeout ci
- #36945 Bad escape apostrophe character in messages_fr.properties login/ui
- #36988 Typos in English email message templates translations
- #36998 UI tests failing admin/ui