Keycloak 26.2.0 released
April 11 2025
To download the release go to Keycloak downloads.
Highlights
Supported Standard Token Exchange
In this release, we added support for the Standard token exchange! The token exchange feature was in preview for a long time, so we are glad to finally support the standard token exchange.
For now, this is limited to exchanging an internal token for another internal token, in compliance with the Token exchange specification. It does not yet cover use cases related to identity brokering or subject impersonation. We hope to support even more token exchange use cases in subsequent releases.
For information on how to upgrade from the legacy token exchange used in previous Keycloak versions, see the Upgrading Guide.
Fine-grained admin permissions supported
This release introduces support for a new version of fine-grained admin permissions. Version 2 (V2) provides enhanced flexibility and control over administrative access within realms.
With this feature, administrators can define permissions for administering users, groups, clients, and roles without relying on broad administrative roles. V2 offers the same level of access control over realm resources as the previous version, with plans to extend its capabilities in future versions. Some key points follow:
- Centralized Admin Console Management - A new Permissions section was introduced to allow management from a single place without having to navigate to different places in the Admin Console.
- Improved manageability - Administrators can more easily search and evaluate permissions when building a permission model for realm resources.
- Resource-Specific and Global Permissions - Permissions can be defined for individual resources (such as specific users or groups), or entire resource types (such as all users or all groups).
- Explicit Operation Scoping - Permissions are now independent, removing hidden dependencies between operations. Administrators must assign each scope explicitly, making it easier to see what is granted without needing prior knowledge of implicit relationships.
- Per-Realm Enablement - Fine-Grained Admin Permissions can be enabled on a per-realm basis, allowing greater control over adoption and configuration.
Guides for metrics and Grafana dashboards
- Keycloak troubleshooting dashboard - showing metrics related to service level indicators and troubleshooting.
- Keycloak capacity planning dashboard - showing metrics related to estimating the load handled by Keycloak.
Zero-configuration secure cluster communication
For clustering multiple nodes, Keycloak uses distributed caches.
Starting with this release for all TCP-based transport stacks, the communication between the nodes is encrypted with TLS and secured with automatically generated ephemeral keys and certificates.
This strengthens a secure-by-default setup and minimizes the configuration steps of new setups.
Rolling updates for optimized and customized images
When using an optimized or customized image, the Keycloak Operator can now perform a rolling update for a new image if the old and the new image contain the same version of Keycloak.
This is helpful when you want to roll out, for example, an updated theme or provider without downtime.
To use the functionality in the Operator, enable the `Auto` update strategy. On an image change, the Keycloak Operator will then briefly start up the old and the new image to determine if a rolling update without downtime is possible.
Read the section Managing Rolling Updates in the Keycloak Operator Advanced Configuration guide for more details on this functionality.
The checks to determine if a rolling update is possible are also available on the Keycloak command line so you can use them in your deployment pipeline. Continue reading in the Update Compatibility Tool guide for more information about the functionality available on the command line.
Additional query parameters in Admin Events API
The Admin Events API now supports filtering for events based on Epoch timestamps in addition to the previous `yyyy-MM-dd` format. This provides more fine-grained control of the window of events to retrieve.
A `direction` query parameter was also added, allowing you to control the order of returned items as `asc` or `desc`. In the past the events were always returned in `desc` order (most recent events first).
Finally, the returned event representations now also include the `id`, which provides a unique identifier for an event.
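The three additions together make an incremental export of admin events to a SIEM possible without gaps or duplicates. The following is an added example, not Keycloak code: it assumes the endpoint path `/admin/realms/{realm}/admin-events`, the `dateFrom`, `first` and `max` parameter names, Epoch values in milliseconds, and a constructed in-memory stand-in for the server.

```python
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed endpoint path and parameter names; only `direction` and the event
# `id` are named in the release notes.
ADMIN_EVENTS_PATH = "/admin/realms/{realm}/admin-events"


def build_query(realm, since_epoch_ms, page_size=100, first=0):
    """Return the request path for one ascending page of admin events."""
    params = {
        "dateFrom": since_epoch_ms,  # Epoch timestamp (assumed milliseconds)
        "direction": "asc",          # oldest first: offsets stay stable while
        "first": first,              # new events are appended at the end
        "max": page_size,
    }
    return ADMIN_EVENTS_PATH.format(realm=realm) + "?" + urlencode(params)


def sync(fetch_page, realm, cursor_ms, seen_ids, page_size=100):
    """Pull every event at or after cursor_ms that was not ingested before.

    fetch_page(path) returns a list of event dicts with "id" and "time".
    seen_ids holds the ids already ingested at exactly cursor_ms, so events
    sharing the cursor timestamp are neither lost nor duplicated.
    Returns (new_events, new_cursor_ms, new_seen_ids).
    """
    new_events, first = [], 0
    while True:
        page = fetch_page(build_query(realm, cursor_ms, page_size, first))
        for event in page:
            if event["time"] == cursor_ms and event["id"] in seen_ids:
                continue  # ingested on a previous run
            new_events.append(event)
        if len(page) < page_size:
            break
        first += page_size
    if not new_events:
        return [], cursor_ms, set(seen_ids)
    new_cursor = max(event["time"] for event in new_events)
    at_cursor = {e["id"] for e in new_events if e["time"] == new_cursor}
    if new_cursor == cursor_ms:
        at_cursor |= set(seen_ids)
    return new_events, new_cursor, at_cursor


def fake_server(events):
    """Constructed stand-in for the API so the example runs offline."""
    def fetch_page(path):
        query = parse_qs(urlparse(path).query)
        since = int(query["dateFrom"][0])
        first, limit = int(query["first"][0]), int(query["max"][0])
        rows = sorted((e for e in events if e["time"] >= since),
                      key=lambda e: e["time"])
        if query["direction"][0] == "desc":
            rows.reverse()
        return rows[first:first + limit]
    return fetch_page


# Constructed sample events; ids and timestamps are illustrative only.
SAMPLE_EVENTS = [
    {"id": "ev-1", "time": 1000, "operationType": "CREATE", "resourceType": "USER"},
    {"id": "ev-2", "time": 2000, "operationType": "UPDATE", "resourceType": "CLIENT"},
    {"id": "ev-3", "time": 2000, "operationType": "DELETE", "resourceType": "USER"},
]

if __name__ == "__main__":
    store = list(SAMPLE_EVENTS)
    events, cursor, seen = sync(fake_server(store), "demo", 0, set(), page_size=2)
    print([e["id"] for e in events], cursor, sorted(seen))
```

Persist the returned cursor and id set between runs; with `desc` ordering the same offset-based paging would shift whenever a new event arrived.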
All available log handlers now support ECS (Elastic Common Schema) JSON format.
It helps to improve Keycloak’s observability story and centralized logging.
New cache for CRLs loaded for the X.509 authenticator
The Certificate Revocation Lists (CRLs) that are used to validate certificates in the X.509 authenticator are now cached inside a new Infinispan cache called `crl`. Caching improves the validation performance and decreases the memory consumption because just one CRL is maintained per source.
Operator creates NetworkPolicies to restrict traffic
The Keycloak Operator now creates by default a NetworkPolicy to restrict traffic to internal ports used for Keycloak’s distributed caches.
This strengthens a secure-by-default setup and minimizes the configuration steps of new setups.
You can restrict the access to the management and HTTP endpoints further using the Kubernetes NetworkPolicies rule syntax.
Option to reload trust and key material for the management interface
The `https-management-certificates-reload-period` option can be set to define the reloading period of key store, trust store, and certificate files referenced by `https-management-*` options for the management interface.
Use -1 to disable reloading. Defaults to `https-certificates-reload-period`, which defaults to 1h (one hour).
Dynamic Authentication Flow selection using Client Policies
This release introduces the ability to dynamically select authentication flows based on conditions such as requested scopes, ACR (Authentication Context Class Reference) and others.
This can be achieved using Client Policies by combining the new `AuthenticationFlowSelectorExecutor` with conditions like the new `ACRCondition`. For more details, see the Server Administration Guide.
JWT Client authentication aligned with the latest OIDC specification
The latest version of the OpenID Connect Core Specification tightened the rules for audience validation in JWT client assertions for the Client Authentication methods `private_key_jwt` and `client_secret_jwt`. Keycloak now enforces by default that there is a single audience in the JWT token used for client authentication.
For information on the changed audience validation in JWT client authentication, see the Upgrading Guide.
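Before upgrading, the assertions your clients generate can be checked for the single-audience rule. The following is an added example, not Keycloak code: it inspects the `aud` claim without verifying the signature, the sample assertions and URLs are constructed, and `expected_audience` is a caller-supplied assumption because this page does not state which audience value is accepted.

```python
import base64
import json


def decode_claims(assertion):
    """Decode the payload of a compact JWT without verifying the signature."""
    parts = assertion.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated segments")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    claims = json.loads(base64.urlsafe_b64decode(padded))
    if not isinstance(claims, dict):
        raise ValueError("payload is not a JSON object")
    return claims


def audience_findings(assertion, expected_audience=None):
    """Return a list of problems with the aud claim; an empty list means OK."""
    try:
        claims = decode_claims(assertion)
    except ValueError as exc:
        return [f"unreadable assertion: {exc}"]
    if "aud" not in claims:
        return ["aud claim is missing"]
    aud = claims["aud"]
    # aud may be a single string or a JSON array of strings.
    values = aud if isinstance(aud, list) else [aud]
    findings = []
    if len(values) != 1:
        findings.append(f"aud has {len(values)} values; exactly one is expected")
    if not all(isinstance(v, str) and v for v in values):
        findings.append("aud contains an empty or non-string value")
    if expected_audience is not None and values != [expected_audience]:
        findings.append("aud does not match the expected audience")
    return findings


def audit(assertions_by_client, expected_audience=None):
    """Map client id -> findings, listing only clients that need a change."""
    report = {}
    for client_id, assertion in assertions_by_client.items():
        findings = audience_findings(assertion, expected_audience)
        if findings:
            report[client_id] = findings
    return report


# Constructed values for the samples below.
ISSUER = "https://sso.example.test/realms/demo"
TOKEN_ENDPOINT = ISSUER + "/protocol/openid-connect/token"


def sample_assertion(aud):
    """Constructed, unsigned sample; the signature segment is a placeholder."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = {"alg": "RS256", "typ": "JWT"}
    claims = {"iss": "billing-service", "sub": "billing-service",
              "aud": aud, "jti": "constructed-1", "exp": 1900000000}
    return f"{enc(header)}.{enc(claims)}.c2lnbmF0dXJl"


if __name__ == "__main__":
    print(audit({
        "single": sample_assertion(ISSUER),
        "multi": sample_assertion([ISSUER, TOKEN_ENDPOINT]),
    }))
```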
Federated credentials are available now when fetching user credentials
Until now, querying user credentials using the User API did not return credentials managed by user storage providers and, as a consequence, prevented fetching additional metadata associated with federated credentials, like the last time a credential was updated.
In this release, we are adding a new method `getCredentials(RealmModel, UserModel)` to the `org.keycloak.credential.CredentialInputUpdater` interface so that user storage providers can return the credentials they manage for a specific user in a realm. By doing this, user storage providers can indicate whether the credential is linked to them as well as provide additional metadata so that additional information can be shown when managing users through the administration console.
For LDAP, it should be possible now to see the last time the password was updated based on the standard `pwdChangedTime` attribute or, if using Microsoft AD, based on the `pwdLastSet` attribute.
In order to check if a credential is local (managed by Keycloak) or federated, you can check the `federationLink` property available from both `CredentialRepresentation` and `CredentialModel` types. If set, the `federationLink` property holds the UUID of the component model associated with a given user storage provider.
Token based authentication for SMTP (XOAUTH2)
The Keycloak outgoing SMTP mail configuration now supports token authentication (XOAUTH2).
Many service providers (Microsoft, Google) are moving towards SMTP OAuth authentication and ending support for basic authentication.
The token is gathered using the Client Credentials Grant.
A new admin setting has been added: Clients → Advanced → Fine grain OpenID Connect configuration → Use "at+jwt" as access token header type.
If enabled, access tokens will get header type `at+jwt` in compliance with RFC 9068, section 2.1. Otherwise, the access token header type will be `JWT`.
This setting is turned off by default.
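The header type lets a resource server refuse other kinds of JWT presented as access tokens. The following is an added example of such a check, not Keycloak code: the function names and the `allow_legacy` transition switch are hypothetical, the sample tokens are constructed and unsigned, and signature, issuer, audience and expiry validation are assumed to happen afterwards.

```python
import base64
import json

ACCEPTED_AT_TYPES = {"at+jwt"}  # header type issued when the setting is enabled
LEGACY_TYPES = {"jwt"}          # header type issued while the setting is off


def header_type(token):
    """Return the normalised typ header of a compact JWT, or None if unreadable."""
    try:
        segment = token.split(".")[0]
        padded = segment + "=" * (-len(segment) % 4)
        header = json.loads(base64.urlsafe_b64decode(padded))
    except ValueError:
        return None
    typ = header.get("typ") if isinstance(header, dict) else None
    if not isinstance(typ, str):
        return None
    typ = typ.lower()
    # Media types may be written with or without the "application/" prefix.
    if typ.startswith("application/"):
        typ = typ[len("application/"):]
    return typ


def accept_as_access_token(token, allow_legacy=False):
    """Decide on the header type alone whether a token may be treated as an
    access token. allow_legacy=True is for the period before the client
    setting is switched on, when access tokens still carry typ "JWT"."""
    typ = header_type(token)
    if typ in ACCEPTED_AT_TYPES:
        return True
    return allow_legacy and typ in LEGACY_TYPES


def sample_token(typ):
    """Constructed, unsigned sample; the signature segment is a placeholder."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return enc({"alg": "RS256", "typ": typ}) + "." + enc({"sub": "constructed-user"}) + ".c2ln"


if __name__ == "__main__":
    for typ in ("at+jwt", "application/at+jwt", "JWT"):
        print(typ, accept_as_access_token(sample_token(typ)))
```

Because the setting is off by default, strict checking (`allow_legacy=False`) rejects every access token until the setting is enabled for the clients in question.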
OpenID for Verifiable Credential Issuance documentation
The OpenID for Verifiable Credential Issuance (OID4VCI) remains an experimental feature in Keycloak, but it received further improvements, especially the documentation, with the steps on how to try this feature.
You will find significant development and discussions in the Keycloak OAuth SIG. Anyone from the Keycloak community is welcome to join and provide feedback.
Many thanks to all members of the OAuth SIG group for their participation in the development and discussions about this feature. Special thanks to Awambeng Rodrick and Ingrid Kamga.
Upgrading
Before upgrading refer to the migration guide for a complete list of changes.
All resolved issues
New features
- #10438 Release process for OperatorHub operator
- #17171 Traefik SPI Provider
- #35507 Token exchange - permissions token-exchange
- #36306 New CLI command: update-compatibility
- #36520 New operator spec: upgrade strategy
- #36696 Support token type "at+jwt" for OAuth 2 access tokens oidc
- #36750 Create CA certificate for JGroups encryption
- #38523 Expose OTP Policy in FreeMarker Context for Login Themes login/ui
Enhancements
- #17432 Add support for SMTP OAuth 2.0 authentication for outgoing email core
- #19127 Improve docs about audience docs
- #19148 Token Exchange in "Securing Applications and Services" should mention admin_fine_grained_authz token-exchange
- #21728 Removal of X-XSS-Protection header core
- #23144 Review and document how refresh tokens are issued when executing token exchanges token-exchange
- #24297 Add authentication flow mapping to existing ACR implementation authentication
- #25154 `VERIFY_EMAIL` is not supported as an Application Initiated Action
- #26473 The way CRLs are currently loaded is slow and uses large amounts of memory authentication
- #27734 Use separate OLM channels for each major Keycloak release operator
- #28569 Ability to set DN for new users/groups seperate to DN used for search
- #30226 Admin-UI: disable Direct Access Grant by default when creating a new client
- #31797 Improved consent handling in token exchange (OIDC to OIDC Client) token-exchange
- #33357 Create some mechanism to catch duplicate keys in .properties file translations
- #33804 Support multiple mail domains for linked IDPs per organization organizations
- #33833 Replace `RTL_LANGUAGE_CODE` with Intl request
- #33946 Keycloak Admin Client: Close Session when Client is Closed
- #34132 Signed SAML metadata saml
- #34202 Improve useability of authentication flow UI admin/ui
- #34275 Organizations: Allow Organization Selection organizations
- #34343 CreatedResponseUtil.getCreatedId should expose the actual error message from the server admin/client-java
- #34720 Include broker session ID in IDENTITY_PROVIDER_LOGIN events
- #34764 Do not remove users in LDAP when queries return an empty result ldap
- #34922 IPv6 support: OLM tests not passing operator
- #34971 Extend InfiniSpan ProtoSchema with custom types
- #34989 Not email password policy provider: case insensitive comparison
- #35505 Support for multiple values of audience token-exchange
- #35861 Make client cert lookup honor the `proxy-trusted-addresses` option dist/quarkus
- #35901 Document how Keycloak is upgraded when Operator is upgraded via OLM docs
- #35995 Review usages of `ref` in `Inject` annotations as they not always translate to the identifier of the object being injected test-framework
- #36036 Make Network policy supported
- #36126 Add OpenSSF Scorecard badge to README
- #36262 Introduce guide for metrics provided by Keycloak docs
- #36266 Make user events feature supported
- #36440 Remove Node.js adapter documentation from main repo docs
- #36456 Clarify IPv6 JGroups requirements in Keycloak documenation
- #36501 Upgrade to Quarkus 3.17.x dist/quarkus
- #36557 Polishing of CreatedResponseUtil.getCreatedId admin/client-java
- #36600 Extend REST API for login and admin events to support sync scenarios
- #36671 Translation guide should show a more detailed translation status translations
- #36691 Upstream KC main docs to ROSA 4.17 in the sizing guide docs
- #36748 Operator: automatic upgrade strategy
- #36775 Add option to enable debugging for distribution server mode test-framework
- #36786 SPI for compatibility metadata
- #36794 Upgrade to Quarkus 3.20 LTS
- #36798 Add detail on dependencyManagement section for POM files
- #36840 Update Compatibility CLI: add feature flag
- #36854 Enable QUARKUS_LOG_JSON_LOG_FORMAT = ecs when logging in Keycloak dist/quarkus
- #36885 Improve UX of realm selector
- #36904 Add APIResponse annotations to User resources
- #36905 Add APIResponse annotations to Role resources
- #36906 Add APIResponse annotations to Client Scope resources
- #36907 Add APIResponse annotations to Realm resources
- #36908 Add APIResponse annotations to Organization resources
- #36941 Organization membership for federated users organizations
- #36996 Updated translation for "noAccount" in messages_ko.properties
- #37005 Login[v2]: Worsen appearance of list of Identity Providers login/ui
- #37011 Missing language: Slovenian translations
- #37014 Improve readability of relevant options in guides docs
- #37034 Remove redundant information from cache entries
- #37056 Upgrade to Quarkus 3.18.2 dist/quarkus
- #37062 Slow query when checking if a realm has brokers and brokering is enabled identity-brokering
- #37079 Improve docs about JPA provider configuration for DB migration strategy core
- #37083 Update screens for new realm selector
- #37087 Test logs for Quarkus IT are huge and cannot be viewed testsuite
- #37089 Stabilize `QuarkusPropertiesDistTest` for Windows in Quarkus IT testsuite
- #37093 Avoid sending JSON for user and client sessions to the database
- #37129 Create new guide for Keycloak Grafana dashboards
- #37145 Simplify translations by removing leading blanks in strings translations
- #37220 Operator: new CR status condition for upgrades
- #37225 Refactor OAuthClient used for testing test-framework
- #37306 Add full Keycloak CR HPA example to docs
- #37316 JGroups certificate rotation
- #37389 Make event metrics supported
- #37416 Operator: Implement an explicit update stategy
- #37428 Add a HTML sanitizer for translated message resources translations
- #37433 Allow admin to disable automatic refresh of event views admin/ui
- #37436 Quarkus 3.19.x upgrade
- #37458 Prevent proxy-protocol-enabled=true from being used proxy-headers set
- #37535 Add CLOMonitor Badge to the README
- #37582 Check surplus blanks in source strings translations
- #37584 Support RTL in HTML generated for emails translations
- #37624 Suppress info message about mapper config synchronizer core
- #37645 Changes needed for new realm selector admin/ui
- #37696 Document default key length (2048 bits) and key type (RSA) and make JGroups encryption enabled by default
- #37711 Upgrade to Infinispan 15.0.14
- #37850 Upgrade to Quarkus 3.19.2 dist/quarkus
- #37998 Improve Documentation for Email Event Listner
- #38107 Upgrade to Quarkus 3.20.0.CR1
- #38168 Make make the rolling updates feature supported versioned and supported
- #38212 Improve message when evaluating permission results admin/fine-grained-permissions
- #38263 Login[v2]: Use SVG Keycloak logo
- #38273 Support partial evaluation for the group resource type admin/fine-grained-permissions
- #38355 Add Italian and Romanian language to translations.md
- #38366 Polish the events thrown by client policies oidc
- #38398 Update javadoc of java admin-client for Keycloak 26.2 admin/client-java
- #38415 Login[v2]: WebAuthn/Passkeys screens are not polished
- #38426 New realm creation should validate the name uniqueness before hitting the DB
- #38445 Not possible to delegate creating or deleting RecoveryKeys credential to userStorage authentication
- #38459 Docker image creation simplification
- #38490 Support decoding EC private keys and PEM bundles in PEM/DER utilities
- #38540 Validate placeholder usage in frontend and backend messages
- #38568 Clear persistent user sessions cache on Keycloak cluster merge
- #38583 Rework titles in the observability guide
- #38596 Prevent NPE in `CryptoIntegration.setProvider(null)`
- #38644 Do not allow delete the FGAP client admin/fine-grained-permissions
- #38688 Adding a guide on how to use and enable exemplars
- #38732 Improvements to partial evaluation admin/fine-grained-permissions
- #38764 OTel: Unable to disable sampling at runtime; tracing-sampler-ratio validation prevents setting 0.0 dist/quarkus
- #38792 Add Janher to Dutch translation
- #38798 Update FGAP documentation admin/fine-grained-permissions
- #38819 Make sure that there is single audience allowed by default in JWT tokens sent to client authentication oidc
- #38837 Cache resource names associated to policies to improve partial evaluation admin/fine-grained-permissions
Bugs
- #26104 Improper Input Validation for Recovery Codes Setup authentication
- #26105 Users Can Change Recovery Codes Generation Timestamp authentication
- #26106 Recovery Code Validation Race Possible authentication
- #29585 Passkeys conditional UI authenticator: NullPointerException when filling some random username authentication/webauthn
- #29586 Passkeys conditional UI authenticator: NullPointerException when authenticated as removed user authentication/webauthn
- #32262 SAML Frontchannel Logout missing via Redirect or Post Binding is missing signature if login happened via artifact binding saml
- #32535 Invalid migration export for empty database core
- #32766 Translation error in messages_fr.properties translations
- #32921 Update realm erases browser security header fields admin/api
- #33332 External token (not issued by Keycloak) cannot be validated in token exchange flow in case user info check is disabled token-exchange
- #33432 UI Build complains about Typescript issue (TS2742) admin/ui
- #33475 quarkus-next: SunCertPathBuilderException: unable to find valid certification path to requested target ci
- #33477 LDAP groups not showing members in Groups when using memberOf attribute ldap
- #33524 Social login - several tests failing constantly ci
- #33743 Linked accounts displayed when there are no providers available account/ui
- #34364 User import gets exponentially slow import-export
- #34396 com.google.code.findbugs:jsr305 is old and no longer under active maintenance dependencies
- #34454 quarkus-next: StackOverflowError causes build failure dist/quarkus
- #34512 Keycloak OpenAPI specification doesn't match actual API implementation admin/api
- #34868 [Jenkins Operator CI] - Test remote - ClusteringTest on OpenShift ci
- #35020 Pasword creation date from active directory is wrong ldap
- #35261 liveness probe /health/live not UP while DB migrations initialization core
- #35580 AvailableRoleMappingResource.listAvailableUserRoleMappings returns the wrong roles when using fine grained permissions admin/fine-grained-permissions
- #35700 Very uncommon new german Weblate translation 'Berechtigungsnachweis' for login data /account credential translations
- #35833 Install on oracle database with custom schema fails on clean install storage
- #36103 Translation resolution bug in keycloak-admin-ui admin/ui
- #36159 Realm not found while exists and works if entered directly in the URL admin/ui
- #36195 CVE-2024-12397 - HTTP Request Smuggling in io.quarkus.http:quarkus-http-core dist/quarkus
- #36284 Fail to import realm during the startup with specific name file import-export
- #36285 Permission editor shows resource IDs instead of names admin/ui
- #36338 Scrollbar missing so I can't scroll to the last menu item on the left admin/ui
- #36345 [Keycloak CI] - Cookies tests - KcOidcBrokerTokenExchangeTest ci
- #36383 Operator tests failing on IPV6 environment operator
- #36405 Redirect after linking account account/ui
- #36409 Verify email required action shows presents message that email was sent even on errors core
- #36413 Empty state in new events tabs admin/ui
- #36447 ClientProtocolCondition.getProviderId() typo authentication
- #36460 Deployment artifacts for Quarkus extensions are not in deployment dir dist/quarkus
- #36464 Remove a duplicate code block
- #36475 DPoP: Refresh token created with DPoP can be refreshed without proof oidc
- #36476 DPoP: User Info Endpoint authorization type mismatch oidc
- #36478 Spelling and grammar mistakes in admin UI messages admin/ui
- #36482 The root cause of error is suppressed in KC 26 at building dependencies
- #36483 Wrong link for tracing in 26.1.0 release notes docs
- #36486 ExternalLinksTest is broken after Keycloak 26.1.0 release docs
- #36498 Duplicated code due to typo in DefaultHttpClientFactory core
- #36514 The organization claim does not appear if the Organization Membership Mapper is added through a custom client scope organizations
- #36517 Custom ClientAuthenticatorFactory with ProviderConfigProperty broken admin/ui
- #36518 Duplicate groups needs fine grained authorisation admin/ui
- #36527 Viewing user events requires `view-realm`-role admin/ui
- #36531 WebAuthN and dark mode: device icons are hardly readable login/ui
- #36535 Duplicate message keys for FA email template translations
- #36541 Unable to build from source using instructions core
- #36559 keycloak.v2 forms are too small for mobile view login/ui
- #36560 Policy enforcer do not handle suppressed server resources authorization-services
- #36569 Organization invite link leads to non-defined page, when clicked second time organizations
- #36585 Keycloak user attribute key broken in Keycloak 26.1.0 admin/ui
- #36596 Client session list doesn't show all sessions (again..) admin/ui
- #36598 Duplicated warning banner for temporary admin admin/ui
- #36611 TimeOffsetSupplier for new test framework doesn't reset time offset test-framework
- #36615 Unable to regenerate secret after changing client authenticator admin/ui
- #36621 Multi-valued control in user attributes doesn't sort entries and doesn't support autocomplete admin/ui
- #36629 All IDPs shown when reloading login page login/ui
- #36633 JGroups warning on startup infinispan
- #36649 When organizations feature is turned on, login_hint doesn't prefill identity-first login's page email field organizations
- #36669 --spi-connections-liquibase-default-index-creation-threshold does not work core
- #36675 Links error for https://jwt.io in documentation docs
- #36679 FIPS docs is incorrect docs
- #36697 kc.bat script doesn't allow multiple log level entries dist/quarkus
- #36703 When linking IDP to an organization hide on login sets as off admin/ui
- #36708 After importing SAML client certificate the client is broken and can't be saved admin/ui
- #36709 SAML2 Client Signing Keys Config does not accept PEM import admin/ui
- #36725 IPA-Tuura federation README needs a few fixes core
- #36728 Logging errors on DB transaction retries core
- #36732 External (IDP) token-exchange is possible even for clients needing user consents token-exchange
- #36745 Conflict when Keycloak uses an OpenShift cluster ingress certificate operator
- #36752 Addition of crl cache is a breaking change infinispan
- #36781 Flaky test: org.keycloak.testsuite.webauthn.account.WebAuthnTransportLocaleTest#localizationTransportInternal ci
- #36782 Flaky test: org.keycloak.testsuite.webauthn.account.WebAuthnSigningInTest#multipleSecurityKeys ci
- #36789 Seaching users in the user selector will not show the username for users already selected admin/ui
- #36811 OAuth 2.0 Device Authorization Grant Issues: Token Issued After Authorization Denial and Browser Back oidc
- #36826 NullPointerException when registering a oid4vc CredentialBuilder provider component oid4vc
- #36834 Documentation about ImportSynchronization mentions wrong interface UserStorageProvider storage
- #36837 Remove resources from permissions when updating the associated resources admin/fine-grained-permissions
- #36838 Update FGAP v2 to not grant permissions of all users when permission is granted only for a single user admin/fine-grained-permissions
- #36842 Comboxes do not display selected option after reset admin/ui
- #36843 Login with x-forwarded-for: IP address in user login event is null admin/cli
- #36844 Provide an option to force login after reset credentials authentication
- #36858 JDBC Ping with Docker infinispan
- #36861 AuthenticationFlowContext.getRefreshUrl(true) - adds auth_session_id query param in an old non-supported format core
- #36865 Error pulling from docker.io in DockerClientTest ci
- #36872 Duplicate admin UI message keys admin/ui
- #36874 Unrecognized configuration key "quarkus.smallrye-health.extensions.enabled" was provided dist/quarkus
- #36887 Outdated documentation about how to use reCAPTCHA in development with localhost docs
- #36902 Flaky test: org.keycloak.testsuite.webauthn.account.WebAuthnErrorTest#errorPageWithTimeout ci
- #36916 [FGAP] User can see itself even though he has negative permission to view itself
- #36919 Latency issue after Keycloak version upgrade core
- #36926 Invoking dynamic client registration with lightweight access token results in a 404 oidc
- #36927 MeterFilter is configured after a Meter has been registered dist/quarkus
- #36945 Bad escape apostrophe character in messages_fr.properties login/ui
- #36965 CVE-2025-0736 Error during JGroups channel creation may reveal secure information
- #36985 Admin console: unable to edit user profile attribute either on the form or the JSON editor. admin/ui
- #36988 Typos in English email message templates translations
- #36998 UI tests failing admin/ui
- #37002 RawKeycloakDistribution creates empty directory when copying provider testsuite
- #37039 Certificate reloading dosen't work for management interface related certificate dist/quarkus
- #37066 Error on import of a public key (pem) authentication
- #37072 AccountRestService.supportedLocales is missing @Produces account/api
- #37073 Account console not working on embedded Keycloak server account/ui
- #37081 Review how all resource type permissions are evaluated admin/fine-grained-permissions
- #37127 Organization invitation flow -> changing locale / language does not work organizations
- #37128 Customized quarkus.properties for MySQL cause "Unable to find the JDBC driver (org.h2.Driver)",The server fails to start. storage
- #37136 Password Setting modal box title is "Reset Password..." admin/ui
- #37162 Pods become unresponsive after upgrade to 26.1.0 infinispan
- #37169 Wrong organization claim assignment in JWT access token organizations
- #37207 Change default value for force-login option in reset-credential-email authentication
- #37229 Login form can be used to determine which email addresses / usernames are in the system login/ui
- #37268 Problems changing pre-defined user profile attributes admin/ui
- #37285 Upgrade to latest JGroups patch version
- #37298 Main is broken because of the OAuthClient changes testsuite
- #37320 Cannot fetch realm role that was renamed admin/api
- #37337 Make sure resources are properly managed when updating permissions admin/fine-grained-permissions
- #37360 CVE-2024-47072 - XStream is vulnerable to a Denial of Service attack due to stack overflow from a manipulated binary input stream
- #37392 [Jenkins Operator CI] - UpgradeTest#testImageChange ci
- #37393 Organizations: Adding LDAP federated user to org leads to org group being pushed to LDAP core
- #37415 Typo in English text for admin UI key resourceAttributeHelp translations
- #37431 Password policies like NoUsername consider case-sensitivity authentication
- #37434 External Link Test failing docs
- #37449 'Registration Flow' forms on organization invites should have the 'token' query parameter added to forms 'url.loginAction' organizations
- #37508 Allow refresh of session list in admin ui even if list is corrently empty admin/ui
- #37530 Missing translation for INVITE_ORG event in admin console admin/ui
- #37544 INVALID_REQUEST error code returned but not INVALID_SCOPE authentication
- #37546 new warnings with simple start-dev dist/quarkus
- #37552 The token exchange grant type not available in well-known endpoint when token-exchange-standard feature enabled oidc
- #37560 Flaky test OrganizationInvitationLinkTest testsuite
- #37570 Requested locale applied on first login page but not on following pages admin/ui
- #37571 Flaky test: org.keycloak.testsuite.actions.RequiredActionPriorityTest#executeRequiredActionWithCustomPriorityAppliesSamePriorityToSessionAndUserActions ci
- #37577 Property Name Casing Mismatch in ProtocolMapperUtils saml
- #37621 When calling the token revoke endpoint multiple times with the same token, a database REVOKED-TOKEN constraint error is reported storage
- #37656 [Keycloak Integration CI] - Extension - Start keycloak failed ci
- #37673 `ClientPolicyProvider` doesn't check for deleted Clients - throws NPE authorization-services
- #37675 Keycloak Fails to Load HTTPS Key Material (Incorrect Path Resolution) dist/quarkus
- #37690 [Operator] Test UpgradeTest is unstable ci
- #37694 Session type incorrectly set in access-token context when token created with scope=offline_access oidc
- #37710 Code editor is not displaying when viewing a policy from Clients → Authorization → Policies admin/ui
- #37715 Quick Theme needs icon support admin/ui
- #37744 Group search of nested groups does not work as expected core
- #37749 "remember me" session are reset as standard session after browser restart authentication
- #37766 API docs don't build after adding new ISPN compile time annotations ci
- #37772 Configuring log levels for package names with underscores dist/quarkus
- #37780 keycloak.conf allows for some quarkus. properties dist/quarkus
- #37781 Config expression may use the wrong value dist/quarkus
- #37792 Save Button Not Enabled When Switching OTP Type from "Time Based" to "Counter Based" admin/ui
- #37802 Add User to Organisation documentation wrong admin/api
- #37816 Compilation failure: KeycloakModelSchema cannot find symbol KeycloakModelSchemaImpl infinispan
- #37817 internal options are settable in non-cli config sources dist/quarkus
- #37824 Organization - Identity-First Flow automatic redirect only works with domain in login name organizations
- #37834 URI template for paths shouldn't allow nested braces core
- #37839 OIDC Backchannel Logout does not honour pairwise subject identifier oidc
- #37842 webauthn-authenticate.ftl broken login/ui
- #37843 Admin events: resource type filter does not work admin/ui
- #37869 ConditionalOtpFormAuthenticator fails to set CONFIGURE_TOTP required action for LDAP read-only users
- #37890 Add search filter to Organizations page admin/ui
- #37898 [Keycloak CI] - SSSD tests ci
- #37911 Unwanted placeholder texts in user profile fields admin/ui
- #37920 When testing/evaluating permissions UMA resources are not resolved properly authorization-services
- #37922 KeycloakModelUtils.findUserByNameOrEmail() returns null for email as "username" (realm setting: login with email disabled) core
- #37928 Custom Authenticator SPI MAP_TYPE default value ignored in Admin UI admin/ui
- #37930 Inconsistent use of single quotes in message resources translations
- #37941 Repeated info logs running an import infinispan
- #37944 KC_HTTPS_TRUST_STORE_TYPE not working dist/quarkus
- #37988 For external-to-internal token exchange when using the userinfo endpoint, information from access or ID token can't be extracted token-exchange
- #37992 Id of user federations not respecting UUID format, consequently warning logs "The given key is not a valid key per specification, future migration might fail" are raised core
- #38006 Polynomial regex in KeycloakUriBuilder core
- #38020 [FGAP] [UI] Remove the requirement for mandatory fields in admin console when creating policies
- #38029 User created with undefined locale except when they explicitly select their language login/ui
- #38030 Need a better 403 page for admin console admin/ui
- #38038 The default setting of the client request object parameter is empty admin/ui
- #38041 [Keycloak CI] - WebAuthn tests ci
- #38061 Selecting an individual Client Policy selects all client policies admin/ui
- #38063 Issue in clearing offline sessions internally using ClearExpiredUserSessions Scheduled task
- #38065 Login with admin-cli not possible with password starting with "@@" admin/cli
- #38078 Custom UI Tab Incorrectly Displayed Under Multiple Tabs admin/ui
- #38112 Worse UX with new realm selector admin/ui
- #38117 Login[v2]: Worsen UI design for login screens core
- #38119 Login[v2]: Keycloak logo is not fully visible core
- #38120 Login[v2]: Missing info section for screens core
- #38121 Login[v2]: Worsen login screen layout core
- #38127 Profile Custom Attribute Group: Click on attribute group changes URL, breaking the navigation in AdminUI admin/ui
- #38137 Cannot authenticate to "admin-cli" client due to Java null pointer exception admin/cli
- #38141 Account UI doesn't show max length validation for user profile account/ui
- #38143 Message format must not be used for UI messages account/ui
- #38152 Broken guides link on reverseproxy page docs
- #38162 Missing Space in Role Attribute View After Refresh admin/ui
- #38180 Unstable test TimeOffsetTest testsuite
- #38190 [Documentation CI] - External links check docs
- #38193 Managed resource not injected if a dependency is incompatible testsuite
- #38195 Injected HttpClient is always re-created testsuite
- #38208 Attribute added to managed test client with rollback is not removed testsuite
- #38240 [FGAP] [UI] Searching for permissions doesn't clear `Resource` field upon changing `Resource type` admin/fine-grained-permissions
- #38243 Updating a client with rollback in a test doesn't reset all values testsuite
- #38247 Keycloak rotate certificate without delay when rotation time is less than 100s infinispan
- #38249 Unable to activate user-event-metrics with optimized container image using the operator dist/quarkus
- #38250 Unexpected transformation of user labels in the Account UI account/ui
- #38253 ERROR Hostname v1 options [hostname-strict-https] are still in use on startup dist/quarkus
- #38257 Can not set user email to blank organizations
- #38260 File upload in realm settings is not working admin/ui
- #38269 Fine-Grain Admin Permissions: Difference in Policy Evaluation in v1 vs v2 admin/fine-grained-permissions
- #38281 [Keycloak CI] - AuroraDB IT - Error deleting AuroraDB ci
- #38282 [Keycloak JavaScript CI] - Admin UI E2E (chrome) - Upload Playwright report error ci
- #38284 `PartialEvaluator` ignores `view-*` and `manage-*` roles admin/fine-grained-permissions
- #38298 Fix leaking 5s rotation period to other tests
- #38304 Filtering not working when using view-member permission with a permission that denies access to a resource admin/fine-grained-permissions
- #38319 Authorization Settings (ResourceServerRepresentation) Import doesn't reflected into all keycloak functionalities without server restart authorization-services
- #38320 Locale RTL does not work properly login/ui
- #38323 Regression in the "client selector" UI component admin/ui
- #38331 Not Recently Used (In Days) "user" is null on registration core
- #38333 When calling the user info endpoint, the DPoP is not bound to the access token core
- #38353 Keycloak email message ID contains the local host name or IP address core
- #38369 [FGAP] User not visible when permission with different scope exists admin/fine-grained-permissions
- #38381 Recovery Codes messages in account console are not displayed / API change account/ui
- #38394 JWKSUtils.computeThumbprint(..) broken for ECPublicKeys oidc
- #38417 Cookie “KC_AUTH_SESSION_HASH” has been rejected because it is in a cross-site context and its “SameSite” is “Lax” or “Strict” authentication
- #38454 Keycloak account console is missing the Keycloak logo account/ui
- #38463 Frontend endpoint redirects to admin endpoint core
- #38467 PersistenceExceptionConverter#convert NPE if SQLState is null storage
- #38500 Impossible to update client settings after previously updated client in tab "Advanced" admin/ui
- #38501 Disabled switch for "Allow refresh token for token exchange" after client is created admin/ui
- #38517 [Keycloak CI] - Quarkus IT - ProxyHostnameV2DistTest.testForwardedProxyHeaders ci
- #38550 Cluster is not correctly formed with JDBC_PING2 infinispan
- #38572 Missing explicit target for cross-reference 2FA in server admin guide docs
- #38576 Define a max expiration window for Signed JWT client authentication oidc
- #38591 Persistent User Sessions doesn't track staleness of client sessions core
- #38607 Recaptcha secret key configuration lost when migrating from 24.0.5 to 26.1.4 authentication
- #38617 Set the correct revision number in stateful set operator
- #38648 Can not delete users using the administration console admin/ui
- #38677 [FGAP] Documentation contains redundant sentence admin/fine-grained-permissions
- #38695 Export failing if the realm has FGAP enabled admin/fine-grained-permissions
- #38712 Can not add or remove groups when updating a group resource type permission admin/fine-grained-permissions
- #38721 Obsolete pinned guides and wrong ordering in downstream docs
- #38740 OTelHttpClientFactory not configured properly when tracing enabled dist/quarkus
- #38760 POST /admin/realms/{realm}/organizations/{id}/members in Keycloak API not working with some REST clients admin/api
- #38765 Client 'admin-permissions' doesn't have protocol set. admin/fine-grained-permissions