Keycloak 26.1.3 released
February 28 2025
To download the release go to Keycloak downloads.
Highlights
Send Reset Email: force login again for federated users after reset credentials
In version 26.1.1 a new configuration option was added to the reset-credential-email (Send Reset Email) authenticator to allow changing the default behavior after the reset credentials flow. The option force-login (Force login after reset) now accepts a third value, only-federated, which means the user is forced to log in again after the reset credentials flow if the account is federated, and is not forced to if the account is stored in Keycloak's internal database. This value is now the default. As a result, all users managed by user federation providers, whose implementations may not be tightly integrated with Keycloak, are forced to log in again after resetting their credentials instead of being logged in automatically. This change in behavior follows the secure by default policy.
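As an added example (not part of these release notes or of the Keycloak code base), the script below uses the Admin REST API to read the force-login value in effect for the Send Reset Email authenticator after an upgrade, or to set it explicitly. The provider id reset-credential-email, the option key force-login and the values true, false and only-federated come from this note; the endpoint paths, the built-in flow alias "reset credentials", the admin-cli password grant, and the fallback of an unset option to the new default are assumptions. The forces_relogin function mirrors the per-value behavior described above so the three settings can be compared side by side.

```python
"""Inspect or set the force-login option of the Send Reset Email authenticator.

Added example, not Keycloak project code. Assumptions: the Admin REST API
paths below, the built-in flow alias "reset credentials", and that an unset
option falls back to the 26.1.3 default (only-federated). The provider id,
option key and allowed values are taken from the 26.1.3 release notes.
"""
import json
import urllib.parse
import urllib.request

PROVIDER_ID = "reset-credential-email"
OPTION_KEY = "force-login"
VALID_VALUES = ("true", "false", "only-federated")
DEFAULT_VALUE = "only-federated"   # new default per the release notes (assumed for unset)
FLOW_ALIAS = "reset credentials"   # assumption: alias of the built-in flow


def find_execution(executions, provider_id=PROVIDER_ID):
    """Return the execution dict whose providerId matches, or None."""
    return next((e for e in executions if e.get("providerId") == provider_id), None)


def effective_value(config):
    """Value in effect given the 'config' map of the authenticator (None = no config)."""
    value = (config or {}).get(OPTION_KEY)
    if value is None:
        return DEFAULT_VALUE
    if value not in VALID_VALUES:
        raise ValueError(f"unexpected {OPTION_KEY} value: {value!r}")
    return value


def forces_relogin(value, user_is_federated):
    """Whether the user must log in again after the reset, per the release notes."""
    if value == "true":
        return True
    if value == "false":
        return False
    if value == "only-federated":
        return user_is_federated
    raise ValueError(f"unknown {OPTION_KEY} value: {value!r}")


def config_payload(alias, value):
    """AuthenticatorConfigRepresentation body for a create (POST) call."""
    if value not in VALID_VALUES:
        raise ValueError(f"{OPTION_KEY} must be one of {VALID_VALUES}")
    return {"alias": alias, "config": {OPTION_KEY: value}}


class AdminApi:
    """Minimal Admin REST API client; the bearer token is obtained separately."""

    def __init__(self, base_url, realm, token):
        self.base = f"{base_url.rstrip('/')}/admin/realms/{realm}"
        self.token = token

    def _call(self, method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(
            self.base + path, data=data, method=method,
            headers={"Authorization": f"Bearer {self.token}",
                     "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return json.loads(raw) if raw else None

    def executions(self, flow_alias=FLOW_ALIAS):
        return self._call("GET", f"/authentication/flows/{urllib.parse.quote(flow_alias)}/executions")

    def current_config(self, execution):
        """The 'config' map of the execution's authenticator config, or None."""
        cfg_id = execution.get("authenticationConfig")
        return self._call("GET", f"/authentication/config/{cfg_id}")["config"] if cfg_id else None

    def set_force_login(self, value, flow_alias=FLOW_ALIAS, alias="reset-email-config"):
        """Create or update the authenticator config so that force-login == value."""
        ex = find_execution(self.executions(flow_alias))
        if ex is None:
            raise LookupError(f"{PROVIDER_ID} not found in flow {flow_alias!r}")
        cfg_id = ex.get("authenticationConfig")
        if cfg_id:  # keep any other keys of the existing config, change only ours
            existing = self._call("GET", f"/authentication/config/{cfg_id}")
            existing["config"][OPTION_KEY] = config_payload(alias, value)["config"][OPTION_KEY]
            self._call("PUT", f"/authentication/config/{cfg_id}", existing)
        else:
            self._call("POST", f"/authentication/executions/{ex['id']}/config",
                       config_payload(alias, value))


def admin_token(base_url, username, password):
    """Password grant against the master realm with the built-in admin-cli client."""
    form = urllib.parse.urlencode({"grant_type": "password", "client_id": "admin-cli",
                                   "username": username, "password": password}).encode()
    url = f"{base_url.rstrip('/')}/realms/master/protocol/openid-connect/token"
    with urllib.request.urlopen(urllib.request.Request(url, data=form)) as resp:
        return json.load(resp)["access_token"]


if __name__ == "__main__":
    import sys
    base, user, pw, realm = sys.argv[1:5]   # e.g. http://localhost:8080 admin ... myrealm
    api = AdminApi(base, realm, admin_token(base, user, pw))
    ex = find_execution(api.executions())
    value = effective_value(api.current_config(ex)) if ex else "n/a"
    print(f"{OPTION_KEY} in effect for {PROVIDER_ID}: {value}")
    print(f"federated user forced to re-login: {forces_relogin(value, True)}")
    print(f"local user forced to re-login:     {forces_relogin(value, False)}")
```

Run it against a realm after upgrading to see which of the three values applies; an explicit `false` set before the upgrade keeps the old behavior (automatic login for everyone), so realms that rely on the new default should have no stored value or an explicit `only-federated`.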
Upgrading
Before upgrading refer to the migration guide for a complete list of changes.
All resolved issues
Bugs
- #32535 Invalid migration export for empty database core
- #36405 Redirect after linking account account/ui
- #36527 Viewing user events requires `view-realm`-role admin/ui
- #36585 Keycloak user attribute key broken in Keycloak 26.1.0 admin/ui
- #36703 When linking IDP to an organization hide on login sets as off admin/ui
- #36709 SAML2 Client Signing Keys Config does not accept PEM import admin/ui
- #36842 Comboboxes do not display selected option after reset admin/ui
- #36927 MeterFilter is configured after a Meter has been registered dist/quarkus
- #36965 CVE-2025-0736 Error during JGroups channel creation may reveal secure information
- #36985 Admin console: unable to edit user profile attribute either on the form or the JSON editor. admin/ui
- #37029 CI fails with "Problem creating zip: Execution exception: Java heap space" ci
- #37066 Error on import of a public key (pem) authentication
- #37128 Customized quarkus.properties for MySQL cause "Unable to find the JDBC driver (org.h2.Driver)", the server fails to start storage
- #37169 Wrong organization claim assignment in JWT access token organizations
- #37207 Change default value for force-login option in reset-credential-email authentication
- #37229 Login form can be used to determine which email addresses / usernames are in the system login/ui
- #37268 Problems changing pre-defined user profile attributes admin/ui
- #37285 Upgrade to latest JGroups patch version
- #37360 CVE-2024-47072 - XStream is vulnerable to a Denial of Service attack due to stack overflow from a manipulated binary input stream
- #37431 Password policies like NoUsername consider case-sensitivity authentication
- #37434 External Link Test failing docs
- #37577 Property Name Casing Mismatch in ProtocolMapperUtils saml