Keycloak 21.0.0
Old Admin Console removed
In Keycloak 19 the new admin console was graduated to the new default admin console, and the old admin console was deprecated. In this release the old admin console has been removed completely.
Keycloak uses Micrometer for metrics
Keycloak provides an optional a metrics endpoint which exports metrics in the Prometheus format. In this release the implementation to provide this data switched from SmallRye to Micrometer. Due to this change, metrics have been renamed.
See the migration guide for details.
Java 11 support for Keycloak server deprecated
Running the Keycloak server with Java 11 is now deprecated, and planned to be removed in Keycloak 22.
Adapters remain supported on Java 8, Java 11, and Java 17. However, we are planning to remove support for Java 8 in the not too distant future.
Hashicop Vault no longer supported
We removed the out-of-box support for Hashicorp vault in this release.
See this discussion for more details.
SAML SP metadata changes
Prior to this release, SAML SP metadata contained the same key for both signing and encryption use. Starting with this version of Keycloak, we include only encryption intended realm keys for encryption use in SP metadata. For each encryption key descriptor we also specify the algorithm that it is supposed to be used with. The following table shows the supported XML-Enc algorithms with the mapping to Keycloak realm keys. See the Upgrading Guide for more details.
XML-Enc algorithm |
Keycloak realm key algorithm |
RSA-OAEP |
|
RSA1_5 |
Deprecated methods from user session provider were removed
Several deprecated methods were removed from user session provider. If not done already, their usage needs to be replaced with the corresponding replacement documented in Javadoc of Keycloak 20 release. See Upgrading Guide for more details.
New storage: IS_CLIENT_ROLE
searchable field was deprecated
The IS_CLIENT_ROLE
searchable field from the RoleModel
was deprecated. It
should be replaced with the CLIENT_ID
searchable field used with the operators
EXISTS
or NOT_EXISTS
. See JavaDoc of Keycloak 21 for more details.
FIPS 140-2 preview support
FIPS 140-2 support in Keycloak, which was experimental in the previous release, is now promoted to preview. There were many fixes and improvements to create this preview version. For the details, see the FIPS documentation. Feedback is welcome!
Thanks again to David Anderson, Sudeep Das and Isaac Jensen for their huge help with this feature.
Support for the standard Forwarded
header when running behind a reverse proxy
In addition to recognize the non-standard X-Forwarded-*
to fetch information
added by proxies that would otherwise be altered or lost when proxy servers are involved in the path of the request, Keycloak
can now leverage the standard Forwarded
header for the same purpose.
For more details, see the Using a reverse proxy guide.
Please, make sure your proxy is also overriding the Forwarded
header when making requests to Keycloak nodes.
The container image is now based on ubi9-micro
To enhance security, the Keycloak Container Image has been modified in two ways: First, it is now based on UBI9, rather than UBI8. Second, we have switched to -micro
, whereas -minimal
was used before.
The change to UBI9 will not have any impact on most users. In rare cases the glibc error CPU does not support x86-64-v2 may appear. x86-64-v2
has been available from processors since 2009. You’re most likely to encounter this issue when your virtualization environment is misconfigured.
The change from -minimal
to -micro
has more potential impact. Users making simple customizations to the image won’t notice any difference, however any user that installs RPMs will need to change how they do that. The container guide has been updated to show you how.
As a result of these changes, there has been an 82% reduction in known CVEs affecting the Keycloak Container Image!
Other improvements
-
Option to disable client registration access token rotation. Thanks to Réda Housni Alaoui
Keycloak 20.0.0
WildFly distribution removed
In Keycloak 17.0.0 the new Quarkus based distribution of Keycloak, while the WildFly based distribution was deprecated. With this release the WildFly distribution has been removed, and is no longer supported.
If you are still using the WildFly distribution we highly encourage migrating to the Quarkus distribution as soon as possible, see the Migration Guide for more details.
New Keycloak Operator upgrade
We are happy to announce that the new Keycloak Operator for the Quarkus based distribution is no longer a preview feature. We added new functionality as well as a number of improvements, some which has resulted in breaking changes.
Realm Operator
As the new Operator currently lacks some of the CRs (e.g. Client and User), we’re introducing a temporary workaround in the form of a Realm Operator. Please see its GitHub Repository for more details. See also The future of Keycloak Operator CRs.
Supported OpenJDK versions
Keycloak now supports OpenJDK 17 both for the server and adapters.
With the removal of the WildFly based distribution there is no longer support for running the Keycloak server on OpenJDK 8. We also plan to remove support for Keycloak adapters on OpenJDK 8 in Keycloak 21.
Starting with Keycloak 22 we plan to only support the latest OpenJDK LTS release and aiming to quickly also support the latest OpenJDK release. That means we will be also removing OpenJDK 11 support for the Keycloak server in Keycloak 22.
Hostname provider now supports configuring the complete base URL
In this release, we are introducing two additional server options to set the base URL for frontend request and the Admin Console:
-
hostname-url
-
hostname-admin-url
More details can be found at the Configuring the Hostname Guide.
Improvements to kc.bat
when running Keycloak on Windows
In this release, we are making important changes to kc.bat
to give the same experience as when running on Linux.
Upgrade of embedded H2 database
Keycloak ships for development purposes with an H2 database driver. As it is intended for development purposes only, it should never be used in a production environment.
In this release, the H2 driver has been upgraded from version 1.x to version 2.x.
Feature guard for hosting the Keycloak JavaScript adapter
Applications are able to load keycloak.js
directly from the Keycloak server. As it’s not considered a best-practice
to load JavaScript libraries this way there is now a feature guard that allows disabling this ability.
In Keycloak 21 we will deprecate this option, and in Keycloak 22 we plan to completely remove the ability to load
keycloak.js
from the Keycloak server.
OTP Application SPI
In previous releases the list of OTP applications displayed to users was hard-coded in Keycloak. With the introduction of the OTP Application SPI it is now possible to disable built-in OTP applications, as well as adding custom OTP Applications.
Custom Identity Providers can now set an icon for the provider
A custom identity provider can now set the icon used on the login pages. Thanks to Klaus Betz, who happens also to maintain an extension to Keycloak to support log in with AppleID.
FIPS 140-2 experimental support
There is now experimental support for deploying Keycloak into a FIPS 140-2 enabled environment. There will be a blog post with the details shortly after the release with the details how you can try it. Feedback is welcome!
Thanks to David Anderson, who contributed parts of this feature. Also, thanks to Sudeep Das and Isaac Jensen for their initial prototype effort, which was used as an inspiration.
Search groups by attribute
It is now possible to search groups by attribute through the Admin REST API. Thanks to Alice for this contribution.
View group membership in the account console
It is now possible to allow users to view their group memberships in the account console. Thanks to cgeorgilakis for this contribution.
Deprecated methods from data providers and models were removed
Several deprecated methods were removed from data providers and models. If not done already, their usage needs to be replaced with the corresponding replacement documented in Javadoc of Keycloak 19 release. See Upgrading Guide for more details.
Keycloak 19.0.0
OpenID Connect and SAML Adapters End-of-life
Some Keycloak OpenID Connect adapters have reached end-of-life and are not included in this release.
Fuse 6 and 7 (OpenID Connect)
Keycloak will no longer be providing adapters for Fuse 6 or 7. If you need adapters for Fuse please leverage Red Hat Single Sign-On 7.x adapters.
JBoss AS 7 and EAP 6 (OpenID Connect and SAML)
JBoss AS 7 has been unmaintained for a very long time. If you are still using JBoss AS 7 we recommend migrating to WildFly and leveraging the native OIDC support in WildFly.
Red Hat customers using Red Hat JBoss Enterprise Application Platform 6.x should use Red Hat Single Sign-On 7.x adapters. These can be used in combination with the Keycloak server.
Jetty 9.2 and 9.3 (OpenID Connect and SAML)
Jetty 9.2 reached end of life in 2018, while Jetty 9.3 reached end of life in 2020. If you are still using these versions we recommend upgrading to Jetty 9.4 as soon as possible.
Spring Boot 1 (OpenID Connect)
Spring Boot 1.x reached end of life in 2019. If you are still using Spring Boot 1 we recommend upgrading to Spring Boot 2 as soon as possible.
WildFly legacy security layer (OpenID Connect and SAML)
In WildFly 25 the legacy security layer was removed, going forward only Elytron will be supported. We recommend anyone using an older version of WildFly to upgrade and leverage native OIDC support in WildFly.
Red Hat customers using Red Hat JBoss Enterprise Application Platform 7.x should use Red Hat Single Sign-On 7.x adapters. These can be used in combination with the Keycloak server.
New Admin Console graduation
The new Admin Console is now graduated to the default admin console, with the old console now deprecated. The old console will be removed in Keycloak 21.
Changes in Keycloak storage
The Keycloak storage is changing, and the current storage, while still supported, will eventually be replaced with a brand-new implementation. This change brings better support for cloud-native storages, no-downtime abilities, and better support for implementing custom storages for additional areas apart from users.
It means several deep changes in the supported features of the current store will become legacy features. The legacy store and the new store cannot be used simultaneously; only one store can be active at a time.
The most visible change is that the User Storage SPI is incompatible with the new storage API, the Map Storage API.
Thus, the User Storage SPI will be deprecated with legacy store and will move to a separate module called keycloak-model-legacy
.
This change impacts several areas, especially areas related to user federation and custom user providers.
Furthermore, APIs have been consolidated so that the details of the storage layer will be transparent to the REST service layer. Specifically, the services will not be able to differentiate cached and non-cached objects, nor specifically access federated versus local storage.
Hence, custom extensions that access objects in local storage or cache through KeycloakSession
methods must be reviewed.
See Upgrading Guide for details.
OIDC Logout changes
In the previous release, we added support for OIDC logout. This release contains a few other fixes and polishing. The highlights include:
-
Support for the
client_id
parameter, which was added in recent draft of the OIDC RP-Initiated Logout specification. As a result, no need exists to use theConsent Required
flag of the client to show the logout confirmation screen. -
Configuration option
Valid Post Logout Redirect URIs
added to the OIDC client. This change is aligned with the OIDC specification, which allows you to use a different set of redirect URIs for redirect after login and logout. Value+
used forValid Post Logout Redirect URIs
means that the logout will use the same set of redirect URIs as specified by the option ofValid Redirect URIs
. This change also matches the default behavior when migrating from a previous version due to backwards compatibility.
For more details, see the Server Administration Guide.
Update Email Workflow
There is new preview feature UPDATE_EMAIL
. When it is enabled and corresponding flag enabled in the realm, the users will be required
to confirm updating their email by clicking the link, which will be sent to their new email address. For more details, see the Server Administration Guide.
Thanks to Réda Housni Alaoui for the contribution.
Deprecated podDisruptionBudget
in the legacy Keycloak Operator
With this release, we have deprecated podDisruptionBudget
field in the Keycloak CR of the legacy Keycloak Operator.
This optional field will be ignored when the Operator is deployed on Kubernetes version 1.25 and higher.
As a workaround, you can manually create the Pod Disruption Budget in your cluster, for example:
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
labels:
app: keycloak
name: keycloak
spec:
maxUnavailable: 1
selector:
matchLabels:
component: keycloak
See also the Kubernetes Documentation.
Initial Support for centralized logging
Starting with version 19, Keycloak supports sending logs using GELF to centralized logging solutions like ELK, EFK or Graylog out of the box.
You can find the documentation and examples to get you up and running quickly in the logging guide
Keycloak 18.0.0
New Operator preview
With this release, we’re introducing a brand new Keycloak Operator as a preview. Apart from being rewritten from scratch, the main user-facing change from the legacy Operator is the used Keycloak distribution – the new Operator uses the Quarkus distribution of Keycloak. With that, the API (in form of Custom Resource Definitions) has changed. For details, incl. installation and migration instructions, see the Operator related guides.
The legacy Operator will receive updates until Keycloak 20 when the Keycloak WildFly distribution reaches EOL.
OperatorHub versioning scheme
To avoid version conflicts with the legacy Operator, the 18.0.0 version of the new Operator is released as version
20.0.0-alpha.1
on OperatorHub. The legacy Operator versioning scheme remains the same, i.e. it is released as 18.0.0.
The same pattern will apply for future Keycloak 18 and 19 releases, until version 20 where the legacy Operator reaches EOL.
New Admin Console preview
The new Admin Console is now graduated to preview, with the plan for it to become the default admin console in Keycloak 19.
If you find any issues with the new console, or have some suggestions for improvements, please let us know through GitHub Discussions.
Step-up authentication
Keycloak now supports Step-up authentication. This feature was added in Keycloak 17, and was further polished in this version.
For more details, see Server Administration Guide.
Thanks to Cornelia Lahnsteiner and Georg Romstorfer for the contribution.
Client secret rotation
Keycloak now supports Client Secret Rotation through customer policies. This feature is now available as a preview feature and allows that confidential clients can be provided with realm policies allowing the use up to two secrets simultaneously.
For more details, see Server Administration Guide.
Recovery Codes
Recovery Codes as another way to do two-factor authentication is now available as a preview feature.
OpenID Connect Logout Improvements
Some fixes and improvements were made to make sure that Keycloak is now fully compliant with all the OpenID Connect logout specifications:
-
OpenID Connect RP-Initiated Logout 1.0
-
OpenID Connect Front-Channel Logout 1.0
-
OpenID Connect Back-Channel Logout 1.0
-
OpenID Connect Session Management 1.0
For more details, see Server Administration Guide.
WebAuthn improvements
Keycloak now supports WebAuthn id-less authentication. This feature allows that WebAuthn Security Key will identify the user during authentication as long as the security key supports Resident Keys. For more details, see Server Administration Guide. Thanks to Joaquim Fellmann for the contribution.
There are more WebAuthn improvements and fixes in addition to that.
The deprecated upload-script
feature was removed
The upload-script
feature has been marked as deprecated for a very long time. In this release, it was completely removed, and it is no longer supported.
If you are using any of these capabilities:
-
OpenID Connect Script Mapper
-
Script Authenticator (Authentication Execution)
-
JavaScript Policies
You should consider reading this documentation in order to understand how to still rely on these capabilities but deploying your scripts to the server rather than managing them through the management interfaces.
Session limits
Keycloak now supports limits on the number of sessions a user can have. Limits can be placed at the realm level or at the client level.
For more details, see Server Administration Guide. Thanks to Mauro de Wit for the contribution.
SAML ECP Profile is disabled by default
To mitigate the risk of abusing SAML ECP Profile, Keycloak now blocks this flow for all SAML clients that do not allow it explicitly. The profile can be enabled using Allow ECP Flow flag within client configuration, see Server Administration Guide.
Quarkus distribution
Import realms at startup
The Keycloak Quarkus distribution now supports importing your realms directly at start-up. For more information, check the corresponding guide.
JSON and File Logging improvements
The Keycloak Quarkus distribution now initially supports logging to a File and logging structured data using JSON.
For more information on the improvements, check the corresponding guide.
Environment variable expansion for values in keycloak.conf
The Keycloak Quarkus distribution now supports expanding values in keycloak.conf from environment variables.
For more information, check the corresponding guide.
Other improvements
-
Account console alignments with latest PatternFly release.
-
Support for encrypted User Info endpoint response. Thanks to Giacomo Altiero
-
Support for the algorithm RSA-OAEP with A256GCM used for encryption keys. Thanks to Filipe Bojikian Rissi
-
Support for login with GitHub Enterprise server. Thanks to Neon Ngo
Keycloak 17.0.0
Highlights
Quarkus distribution is now fully supported
The default Keycloak distribution is now based on Quarkus. The new distribution is faster, leaner, and a lot easier to configure!
We appreciate migrating from the WildFly distribution is not going to be straightforward for everyone, since how you start and configure Keycloak has radically changed. With that in mind we will continue to support the WildFly distribution until June 2022.
For information on how to migrate to the new distribution check out the Quarkus Migration Guide.
Quarkus distribution updates
A lot of effort went into polishing and improving the Quarkus distribution to make it as good as an experience as possible. A few highlights include:
-
A new approach to documentation in form of server guides to help you install and configure Keycloak
-
Upgraded Quarkus to 2.7.0.Final
-
Configuration file is no longer Java specific, and aligns configuration keys with CLI arguments
-
Clearer separation between
build options
andruntime configuration
. -
h2-mem
andh2-file
databases renamed todev-mem
anddev-file
. -
Simplified enabling and disabling features
-
Custom, and unsupported, Quarkus configuration is done through
conf/quarkus.properties
. -
Ability to add custom Java Options via JAVA_OPTS_APPEND (thanks to dasniko)
-
Initial logging capabilities
-
Initial support for Cross-DC
-
User-defined profiles are no longer supported but using different configuration files to achieve the same goal
-
Quickstarts updated to use the new distribution == Other improvements
Offline sessions lazy loaded
The offline sessions are now lazily fetched from the database by default instead of preloading during the server startup. To change the default behavior, see Server Administration Guide.
Keycloak 16.1.0
Highlights
Upgrade to Wildfly 26.0.0
Keycloak server was upgraded to use Wildfly 26.0.0.Final as the underlying container.
For more information on WildFly 26 refer to the WildFly 26 release notes.
Keycloak 16.0.0
Highlights
Upgrade to Wildfly 25.0.1
Keycloak server was upgraded to use Wildfly 25.0.1.Final as the underlying container.
WildFly 25 drops support for the legacy security subsystem, which is being replaced fully by Elytron. This requires significant changes to how Keycloak is configured. Please, refer to the migration guide for more details.
For more information on WildFly 25 refer to the WildFly 25 release notes.
Keycloak 15.1.0
Highlights
Quarkus distribution preview
Without comparison the biggest highlight of this release is all the improvements that have been made to the Quarkus distribution. So many in fact, that it will be hard to list them all.
The CLI has been polished to hell and back, and we believe it now provides a very simple and convenient approach to configuring and running Keycloak. It’s almost so simple that documentation shouldn’t be needed.
To get started, just unpack the distribution, then type bin/kc.[sh|bat] -h
to discover awesomeness!
That doesn’t mean we don’t plan to provide documentation for configuring Keycloak, but it didn’t quite make it this time around. In lack of documentation expect a blog post to follow the release introducing all the changes to the Quarkus distribution, as well as an overview on how to use it.
We are rapidly moving towards making the Quarkus distribution our default distribution, and will soon deprecate the WildFly distribution. With this in mind it is important that as many people as possible give it a test-run and provide us with feedback if you find any usability issues, are not able to configure something with it, or if you discover any bugs.
We’d love to hear your thoughts and get your feedback in GitHub Discussions!
New Admin Console preview
The new admin console is shaping up really nicely, and a preview is included in the main distribution. It is not quite feature complete yet, but there are still loads of things to try out.
WildFly update
Upgrading from WildFly 23 to WildFly 25 has taken a lot longer than we would have liked. We’re still working hard on this and are hoping to release Keycloak 16 as soon as possible with the upgrade, but as we wanted to get the updates to the Quarkus distribution out there we are doing this release in the meantime.
WildFly adapter deprecation
In WildFly 25 there is now excellent native OpenID Connect support without the need for the Keycloak adapter. With this in mind we are deprecating our WildFly adapter and will not support WildFly 25, but it will be around for a while for older WildFly versions and Red Hat JBoss Enterprise Application Platform 7.y.
Spring Security and Boot adapter deprecation
A long time ago, with Spring Security 5.0, there is now native support for OAuth 2.0 and OpenID Connect in Spring. With this in mind now is the time to start deprecating our Spring Boot and Security adapters.
OpenID Connect Front-Channel Logout Support
Keycloak now supports OpenID Connect Front-Channel Logout 1.0.
For more details, take a look at Server Administration Guide.
Thanks to Ronaldo Yamada for the contribution.
Keycloak 15.0.1
Highlights
This release contains some important bug fixes. In addition, We would like to thank Leandro José de Bortoli for his contributions to the FAPI related functionalities such as JARM support and improvements in CIBA.
Keycloak 15.0.0
Highlights
Financial-grade API (FAPI) Improvements, FAPI CIBA and Open Banking Brasil
The Keycloak server has improved support for the Financial-grade API (FAPI). More specifically, Keycloak is now compliant with FAPI CIBA and with OpenBanking Brasil. We also have support for CIBA ping mode. Thanks to Takashi Norimatsu, who did most of the work on FAPI CIBA and who is continually doing a really awesome job for the Keycloak project. Also thanks to Dmytro Mishchuk, Andrii Murashkin, Hryhorii Hevorkian and Leandro José de Bortoli, who did a great deal of the work on the FAPI compliance as well. Finally thanks to all the members of the FAPI Special interest group for their help and feedback.
Keycloak 14.0.0
Highlights
Client Policies and Financial-grade API (FAPI) Support
The Keycloak server has now official support for client policies and Financial-grade API (FAPI). This capability was previewed in earlier versions, but now it is more polished and properly documented. Thanks to Takashi Norimatsu, who did most of the work on this. Also thanks to Dmytro Mishchuk, Andrii Murashkin and Hryhorii Hevorkian, who did a great deal of the work on this feature as well. Finally thanks to all the members of the FAPI Special interest group for their help and feedback.
Improvements to User Profile SPI and support for declarative configuration
In this version, there were several improvements to the User Profile SPI in order to prepare the ground on how users profiles are managed in Keycloak.
One of these improvements is the support for configuring user profiles through the administration console. For more details proceed to Server Administration Guide
Thanks to the community and all the individuals involved in this effort.
Improvements to offline sessions
Offline session preloading has been improved and should be faster thanks to Peter Flintholm.
As a preview feature, offline session preloading can be skipped in favor of lazy loading thanks to Thomas Darimont's efforts. This feature has to be explicitly activated in the server configuration, see Server administration guide for details.
Keycloak 13.0.0
Highlights
Upgrade to Wildfly 23
The Keycloak server was upgraded to use Wildfly 23.0.2.Final as the underlying container.
OAuth 2.0 Device Authorization Grant (RFC 8628)
Support for OAuth 2.0 Device Authorization Grant is now available.
Thanks to Hiroyuki Wada, Łukasz Dywicki and Michito Okai.
OpenID Connect Client Initiated Backchannel Authentication (CIBA)
Support for OpenID Connect Client Initiated Backchannel Authentication (CIBA) is now available.
Thanks to Takashi Norimatsu, Andrii Murashkin, Christophe Lannoy and members of the FAPI WG for the implementation and feedback.
SAML Artifact binding in server to client communication
Keycloak now supports communication with clients using SAML Artifact binding. A new Force Artifact Binding
option
was introduced in the client configuration, that forces communication with the client using artifact messages. For more
details proceed to Server Administration Guide. Please note, that with
this version, Keycloak SAML client adapter does NOT support Artifact binding.
Thanks to AlistairDoswald and harture.
Support PKCE for identity brokering
Keycloak can now leverage PKCE when brokering to an external OpenID Connect IdP.
Thanks to thomasdarimont.
Default roles processing improvement
Default roles are now internally stored as composite roles of a new role usually named default-roles-<realmName>
. Instead of assigning
both realm and all client default roles directly to newly created users or users imported through Identity Brokering, just the role is
assigned to them and the rest of default roles are assigned as effective roles. This change improves performance of default roles processing,
especially with larger number of clients, because it is no longer necessary to go through all clients.
Keycloak 12.0.0
Highlights
Keycloak.X distribution preview
Introduction a preview of the new and upcoming Keycloak.X distribution. This distribution is powered by Quarkus, bringing significant improvements to startup time and memory consumption, as well as making it a lot easier to configure Keycloak.
New Account console is now the default
The new account console is no longer a preview feature and is now the default account console in Keycloak. The old account console will stay around for a while. For those that have a custom theme for the old account console the old console will be used by default, giving you the time to update your custom theme to the new account console.
OpenID Connect Back-Channel Logout
Support for OpenID Connect Back-Channel Logout is now available, thanks to DaSmoo and benjamin37.
Upgrade to Wildfly 21
The Keycloak server was upgraded to use Wildfly 21 as the underlying container.
Ability to request AuthnContext in SAML identity provider
Support for specification of AuthnContext section in authentication requests issued by SAML identity provider has been added.
Thanks to lscorcia
FAPI RW support and initial support to Client policies
There was lots of the work done to have support for Financial-grade API Read and Write API Security Profile (FAPI RW). This is available with the usage of Client policies and it is still in the preview state. You can expect more polishing in the next releases. Thanks to Takashi Norimatsu and all the members of the FAPI Special interest group.
Upgrade login theme to PatternFly 4
The Keycloak login theme components have been upgraded to PatternFly 4. The old PatternFly 3 runs simultaneously with the new one, so it’s possible to have PF3 components there.
There are also design changes in the login theme for better user experience. You can even define an icon for your custom Identity providers. For details, please refer to the docs.
Gatekeeper EOL
Gatekeeper reached end of life, in November 21. This means that we no longer support, or update it. The announcement is available here.
Other improvements
-
Support for OAuth2 Client Credentials grant without refresh token and without user session. Thanks to Thomas Darimont
-
Support for send access tokens to the OAuth2 Revocation endpoint
Keycloak 11.0.0
Highlights
LDAPv3 password modify operation
Support for LDAPv3 password modify operation was added. Also the ability in the admin console to request metadata from the configured LDAP server to see if it supports LDAPv3 password modify operation.
Thanks to cachescrubber
Namespace support for LDAP group mapper
Namespace support for LDAP group mapper allows you to map groups from LDAP under specified branch (namespace) of the Keycloak groups tree. Previously groups from LDAP were always added as the top level groups in Keycloak.
Thanks to Torsten Juergeleit
Upgrade to WildFly 20
Keycloak server was upgraded to use WildFly 20.0.1.Final under the covers. For more details, please take a look at Upgrading Guide.
SAML POST binding is broken in the latest versions of browsers
The SameSite
value None
for JSESSIONID
cookie is necessary for correct behavior of the Keycloak SAML adapter.
Usage of a different value is causing resetting of the container’s session with each request to Keycloak, when
the SAML POST binging is used. Refer to the following steps for
Wildfly and
Tomcat to keep the correct behavior. Notice, that this
workaround should be working also with the previous versions of the adapter.
Other improvements
-
Support for client offline session lifespan. Thanks to Yoshiyuki Tabata
-
Czech translation. Thanks to Jakub Knejzlík
-
Possibility to fetch additional fields from the Facebook identity provider. Thanks to Bartosz Siemieńczuk
-
Support for AES 192 and AES 256 algorithms used for signed and encrypted ID tokens. Thanks to Takashi Norimatsu
-
Ability to specify signature algorithm in Signed JWT Client Authentication. Thanks to Takashi Norimatsu
Keycloak 10.0.0
Highlights
Identity Brokering Sync Mode
With Identity Brokering Sync Mode it is now possible to control if user profiles are updated on first login, or every login from an external Identity Provider. It is also possible to override this behaviour on individual mappers.
Thanks to Martin Idel
Client Session Timeout for OpenID Connect / OAuth 2.0
Typically, an SSO session last for days if not months, while individual client sessions should ideally be a lot shorter. With the introduction of client session timeout it is now possible to configure a separate timeout for individual clients, as well as a default for all clients within a realm.
Thanks to Yoshiyuki Tabata
OAuth 2.0 Token Revocation (RFC 7009)
For applications that use Keycloak as an OAuth 2.0 Authorization Server there is now support to revoke refresh tokens through the token revocation endpoint.
Thanks to Yoshiyuki Tabata
Security Headers SPI and Response Filter
A new SPI was introduced to allow better flexibility when setting security related headers on responses. This provides a cleaner implementation within Keycloak, but also allows full customisation if needed. Security headers are now set by a response filter instead of within the code itself, which makes it less error-prone, removing the chance that some response are missing headers.
Keycloak 9.0.1
Highlights
PromiseType removed from JavaScript adapter
The promiseType init option has been removed from the JavaScript adapter. Instead a promise that supports both native promise API and legacy Keycloak promise API is returned. This allows gradually migration of applications from the legacy/deprecated API to the native promise API.
Other improvements
Reverted breaking API changes to LocaleSelectorSPI
In 9.0.0 a breaking API change was introduced to LocaleSelectorSPI. With 9.0.1 the changes to this API is now reverted, and a new LocaleUpdaterSPI has been introduced.
Fixed the automatic resolution of KeycloakConfigResolver
instances for Spring Boot Applications
In previous releases, Spring Boot applications had to manually implement the KeycloakConfigResolver
interface or extend the
built-in org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver
.
This release fixes the backward compatibility issue by resolving instances automatically in case none is provided. As well as still allowing applications to provide their own configuration resolver implementations.
Keycloak 9.0.0
Highlights
Drools Policy Removed
The Drools Policy was finally removed after the deprecation period. If you need more complex policies you can still use JavaScript-based policies.
Pagination support for clients
Pagination support was added to clients in the Admin Console and REST API. Thanks to saibot94.
New Elytron Credential Store Vault Provider
A new built-in vault provider that reads secrets from a keystore-backed Elytron credential store has been added as a WildFly
extension. The creation and management of the credential store is handled by Elytron using either the elytron
subsystem or the
elytron-tool.sh
script.
More updates to W3C WebAuthn and Authentication flows
In this release, we did some usability improvements to the authentication flows. It should be easier for the end user to choose between available authentication mechanisms for two-factor authentication. It should be more intuitive to log in with OTP or WebAuthn considering the fact that user can have more OTP or WebAuthn credentials. There is also better support for passwordless WebAuthn authentication. Finally, we did some work on defects related to the authentication flows.
Keycloak 8.0.2
Highlights
SameSite cookie changes with upcoming Google Chrome update
Starting with version 80, Google Chrome will change the default value for the SameSite
cookie parameter to Lax
.
Therefore, changes were required to several Keycloak cookies (especially those which are used within the
Javascript adapter for checking the session status using the iframe) to set SameSite
parameter to None
. Please note
that this setting also requires setting the Secure
parameter, hence starting with this version, the Javascript
adapter will only be fully functional when using the SSL / TLS connection on the Keycloak side.
Keycloak 8.0.1
Keycloak 8.0.0
Highlights
Vault
Several configuration fields can obtain their value from a vault instead of entering the value directly: LDAP bind password, SMTP password, and identity provider secrets.
Furthermore, new vault SPI has been introduced to enable development of extensions to access secrets from custom vaults.
New Default Hostname provider
The fixed and request hostname providers have been replaced with a single new default hostname provider. This provider comes with a number of improvements, including:
-
No need to change provider to set fixed base URL
-
Support different base URL for frontend and backend requests
-
Support changing context-path in cases where Keycloak is exposed on a different context-path through a reverse proxy
Messages in theme resources
Message bundles in theme resources enables internationalization of custom providers such as authenticators. They are also shared between all theme types, making it possible to for example share messages between the login and account console. Thanks to micedre.
RoleMappingsProvider SPI for the SAML adapters
We have added a new SPI that allows for the configuration of custom role mappers that are used by the SAML adapters to map
the roles extracted from the SAML assertion into roles that exist in the SP application environment. This is particularly useful
when the adapters need to communicate with third party IDPs and the roles set by the IDP in the assertion do not correspond to
the roles that were defined for the SP application. The provider to be used can be configured in the keycloak-saml.xml
file or in the keycloak-saml
subsystem. An implementation that performs the role mappings based on the contents of a properties
file was also provided.
Notice that when Keycloak acts as the IDP we can use the built-in role mappers to perform any necessary mappings
before setting the roles into the assertion, so this SPI will probably be redundant in this case. The RoleMappingsProvider
SPI was designed for situations when the IDP offer no way to map roles before adding them to the assertion.
W3C Web Authentication support
In this release, we added initial support for W3C Web Authentication (WebAuthn). There are a few limitations in current implementation, however we are working on further improvements in this area. Thanks to tnorimat for the contribution. Also thanks to ynojima for the help and feedback.
Support for password-less authentication, multi-factor authentication and multiple credentials per user
With the arrival of W3C Web Authentication support, we’ve refined the authentication flow system to be able to allow a user to select which authentication method is preferred for login (for example, the choice between an OTP credential and a WebAuthn credential). The new mechanisms also allow an administrator to craft flows for password-less login, for example just using WebAuthn as an authentication method. Please note that with these changes, any custom authentication flow you have created may need to be adapted to the new flow logic.
As a result of these changes, users can now have multiple OTP devices and multiple WebAuthn devices. The same system that allows a user to select which type of device to use during login also allows that user to select which specific device to use. Thanks to the Cloudtrust team: AlistairDoswald, sispeo and Fratt for their contributions, and to harture and Laurent for their help.
Other Improvements
System properties and environment variables support in theme.properties
It is now possible to use system properties and environment variables within theme.properties file. Thanks to Opa-
Support more signing algorithms for client authentication with signed JWT
Thanks to tnorimat, we support more signing algorithms for client authentication with signed JWT.
Configurable client authentication method for OIDC Identity providers
In this release, possibility to authenticate OIDC providers with signed JWT or basic authentication was added. So all the client authentication methods mentioned in the OIDC specification are supported now. Thanks to madgaet and rradillen for contributions.
Support enable/disable logging into the JavaScript adapter
Thanks to jonkoops now it’s possible to enable or disable logging for the JS adapter.
Credentials support removed from the JavaScript adapter
The option to provide client credentials in the JavaScript adapter was removed. Thanks to jonkoops
Updates for Gatekeeper
-
Secure token and logout endpoint were included in Gatekeeper. Thanks to fredbi
-
There was a bug on Gatekeeper which was making cookies to be applied to subdomains. Thanks to daniel-ac-martin the issue was fixed
-
Now Gatekeeper provides support to Same-site cookies. Thanks to fiji-flo
Deploying Scripts to the Server
Please take a look at 7.0.1 Release Notes for more details on how you can now deploy and run scripts to customize specific behavior.
Keycloak 7.0.1
Deploying Scripts to the Server
Until now, administrators were allowed to upload scripts to the server through the Keycloak Administration Console as well as through the RESTful Admin API.
For now on, this capability is disabled by default and users should prefer to deploy scripts directly to the server. For more details, please take a look at JavaScript Providers.
Keycloak 7.0.0
Highlights
Tomcat 9 adapter support
Java adapter for Apache Tomcat 8 and Apache Tomcat 9 was unified and now it serves for both of them.
New Account Console
A lot of work has been done on the new Account Console and Account REST API. It’s not quite ready yet, but it’s getting there and hopefully will be fully done for Keycloak 8.
Signed and Encrypted ID Token Support
Keycloak can support the signed and encrypted ID token according to the Json Web Encryption (JWE) specification. Thanks to tnorimat.
Other improvements
-
PKCE support added to JavaScript adapter. Thanks to thomasdarimont
-
Oracle database support added to Keycloak container image. Thanks to nerdstep
-
Clock Skew support added to SAML adapter. Thanks to steevebtib
-
TypeScript support for Node.js adapter. Thanks to evanshortiss
-
Gatekeeper now allows to provide unencrypted token in header, while encrypting in cookie. There was also a bug on Gatekeeper when
Revoke Refresh Token
is enabled on the Keycloak server. The issue was fixed. Thanks to fredbi -
New tab in the Admin console to display the list of users for client roles. Thanks to unly
Keycloak 6.0.0
PS256 support
Thanks to tnorimat Keycloak now has support for signing and verifying tokens with PS256.
Keycloak 4.8.0.Final
OpenShift Integration
It is now possible to fully secure OpenShift 3.11 with Keycloak, including the ability to automatically expose Service Accounts as OAuth clients as clients to Keycloak.
This is currently a technology preview feature.
Rules/Drools Policy Marked as a Technology Preview Feature
Until now, Drools policies were enabled by default. But now, this policy type is only available as a technology preview feature and to use it you need to enable the preview profile or the corresponding feature. Take a look at the Authorization Services Guide for more details.
Keycloak 4.7.0.Final
Enhanced Remember Me
Introduced the ability to specify different session idle and max timeouts for remember me sessions. This enables remember me sessions to live longer than regular sessions.
Keycloak 4.6.0.Final
Keycloak Gatekeeper
Keycloak Gatekeeper provides a security proxy that can be used to secure applications and services without an adapter. It can be installed locally alongside your application or as a sidecar on OpenShift or Kubernetes.
Huge thanks to gambol99 for contributing this work to Keycloak.
Keycloak 4.5.0.Final
Signature SPI
The Signature SPI makes it possible to plug-in additional signature algorithms. This enables additional signatures and also enables changing how signatures are generated. For example, using this allows using an HSM device to sign tokens.
Thanks to tnorimat for contributing a significant part of this work.
New Signature Algorithms
Alongside the Signature SPI there is now also support for additional signature algorithms.
Keycloak now has support for RS256, RS384, RS512, ES256, ES384, ES512, HS256, HS384 and HS512.
Elliptic Curve Digital Signature Algorithm (ES256/384/512) are very interesting as they provide similar security properties as RSA signatures, but use significantly less CPU.
HMAC (HS256/384/512) are also very useful when you do not want your application to verify the signature itself. Since these are symmetric signatures only Keycloak is able to verify the signature, which requires the application to use the token introspection endpoint to verify tokens.
Thanks to tnorimat for contributing a significant part of this work.
Better Audience Support for OpenID Connect clients
It is now possible to specify the audiences in the tokens issued for OpenID Connect clients. There is also support for verification of audience on the adapter side.
Minor improvements
-
Added LocaleSelector SPI, which allows to change the way how the locale will be resolved for a particular request. Thanks to knutz3n
-
Added an authenticator to automatically link Identity Provider identity to an existing account after first Idp authentication. Thanks to slominskir
Keycloak 4.4.0.Final
Upgrade to WildFly 13
The Keycloak server was upgraded to use WildFly 13 under the covers. This means update of the underlying dependencies and also some changes in the configuration. We now also support WildFly 13 adapter and we upgraded the underlying JDG/Infinispan server version for the Cross-DC setup. See Upgrading Guide for more details.
Authorization Services support in Node.js
Having authorization services support in Node.js makes it very easy to do fine-grained central authorization with the Node.js adapter.
Minor improvements
-
Update design for the welcome page
-
Allow passing current locale to OAuth2 IdPs. Thanks to knutz3n
-
Support Content-Security-Policy-Report-Only security header. Thanks to knutz3n
-
Script based ProtocolMapper for SAML. Thanks to AlistairDoswald
Keycloak 4.3.0.Final
Hostname SPI
The hostname SPI introduces a more flexible way to configure the hostname for Keycloak. There are two built-in providers. The first is request, which uses the request headers to determine the hostname. The second is fixed, which allows configuring a fixed hostname. The latter makes sure that only valid hostnames can be used and also allows internal applications to invoke Keycloak through an alternative URL.
For more details refer to the threat mitigation section in the Server Administration Guide.
X509 Client Authenticator
The newly added Client Authenticator uses X509 Client Certificates and Mutual TLS to secure a connection from the client. In addition to that the Keycloak Server validates Subject DN field of the client’s certificate.
Performance improvements to Authorization Services
For this release, we improved policy evaluation performance across the board, increasing reliability and throughput. The main changes we did were related with trying to optimize the policy evaluation path by avoiding unnecessary flows and collect decisions as soon as they happen. We also introduced a policy decision cache on a per-request basis, avoiding redundant decisions from policies previously evaluated.
We are also working on other layers of cache which should give a much better experience. See KEYCLOAK-7952.
Choosing the response mode when obtaining permissions from the server
In previous versions, permissions were always returned from the server using standard OAuth2 response, containing the access and refresh tokens. In this release,
clients can use a response_mode
parameter to specify how the server should respond to an authorization request. This parameter accepts two values:
-
decision
Indicating that responses should only contain a flag indicating whether or not permissions were granted by the server. Otherwise a
403
HTTP status code is returned. -
permissions
Indicating that a response should contain every single permission granted by the server using a JSON format.
NodeJS Policy Enforcer
The keycloak-nodejs-connect, an adapter for NodeJS, now supports constructs to protect resources based on decisions taken from the server. The new construct allows users to protect their resources using fine-grained permissions as follows:
app.get('/protected/resource', keycloak.enforcer('resource:view'), function (req, res) {
res.json({message: 'access granted'});
});
Support hosted domain for Google logins
Login with Google now supports the hd
parameter to restrict Google logins to a specific hosted domain at Google. When
this is specified in the identity provider any login from a different domain is rejected.
Thanks to brushmate for the contribution.
Escape unsafe tags in HTML output
Most HTML output is already escaped for HTML tags, but there are some places where HTML tags are permitted.
These are only where admin access is needed to update the value. Even though it would require admin access to update such
fields we have added an extra layer of defence and are now escaping unsafe elements like <script>
.
Keycloak 4.2.0.Final
Browser tab support for Cordova
We now have support for using browser tab and universal links in the JavaScript adapter for Cordova. This enables SSO between multiple applications as well as increases security.
Thanks to gtudan for the contribution.
Keycloak 4.0.0.Final
Client Scopes and support for OAuth 2 scope parameter
We added support for Client Scopes, which replaces Client Templates. Client Scopes are a more flexible approach and also provides
better support for the OAuth scope
parameter.
There are changes related to Client Scopes to the consent screen. The list on the consent screen is now linked to client scopes instead of protocol mappers and roles.
See the documentation and migration guide for more details.
OAuth 2 Certificate Bound Access Tokens
We now have a partial implementation of the specification
OAuth 2.0 Mutual TLS Client Authentication and Certificate Bound Access Tokens .
More accurately we have support for the Certificate Bound Access Tokens. If your confidential client is able to use 2-way SSL,
Keycloak will be able to add the hash of the client certificate into the tokens issued for the client. At this moment,
it’s just the Keycloak itself, which verifies the token hashes (for example during refresh token
requests).
We plan to add support to adapters as well. We also plan to add support for Mutual TLS Client Authentication.
Thanks to tnorimat for the contribution.
Authorization Services
UMA 2.0 Support
UMA 2.0 is now supported for Authorization Services. Check the documentation for more details if you are coming from previous versions of Keycloak.
User-Managed Access through the Keycloak Account Service
Now end-users are able to manage their resources and the permissions associated with them through the Keycloak Account Service. From there, resource owners can now check their resources, share resources with another users as well approve requests from other users.
Asynchronous Authorization Flow
When using UMA, client applications can now choose whether or not an authorization request should start an authorization flow to ask for the resource owner approval. This functionality allows applications to ask for resource owner approval when trying to access one of his resources on behalf of another user.
Pushed Claims
Clients applications are now able to send arbitrary claims to Keycloak along with an authorization request in order to evaluate permissions based on these claims. This is a very handy addition when access should be granted (or denied) in the scope of a specific transaction or based on information about the runtime.
Resource Attributes
It is now possible to associated attributes with resources protected by Keycloak and use these same attributes to evaluate permissions from your policies.
Policy enforcer now accepts regular access tokens
In some situations, you may want to just send regular access tokens to a resource server but still be able to enforce policies on these resources.
One of the main changes introduced by this release is that you are no longer required to exchange access tokens with RPTs in order to access resources protected by a resource server (when not using UMA). Depending on how the policy enforcer is configured on the resource server side, you can just send regular access tokens as a bearer token and permissions will still be enforced.
Policy enforcer can now load resources from the server on-demand
Until now, when deploying an application configured with a policy-enforcer
, the policy enforcer would either load all protected paths
from the server or just map these paths from the adapter configuration. Users can now decide to load paths on-demand from the server and avoid
map these resources in the adapter configuration. Depending on how many protected resources you have this functionality can also improve the time to
deploy an application.
Policy enforcer now supports configuring the resource cache
In order to avoid unnecessary hits to the server, the policy enforcer caches the mapping between protected resources and their corresponding paths in your application. Users can now configure the behaviour of the cache or even completely disable it.
Claim Information Points
The policy-enforcer
definition on the adapters (keycloak.json
) was also updated to support the concept of pushed claims. There
you have the concept of a claim-information-point
which can be set to push claims from different sources such as the HTTP request or even
from an external HTTP service.
Improvements to the Evaluation API
The Evaluation API used to implement policies in Keycloak, especially JavaScript and Drools policies, provides now methods to:
-
Access information from the current realm such as check for user roles, groups and attributes
-
Push back arbitrary claims to the resource server in order to provide additional information on how a specific permissions should be enforced
Authorization Services
UMA 2.0
UMA 2.0 is now supported for Authorization Services, including support for users to manage user access through the account management console. There are also other additions and improvements to authorization services.
Themes and Theme Resources
It is now possible to hot-deploy themes to Keycloak through a regular provider deployment. We have also added support for theme resources, which allows adding additional templates and resources without creating a theme. This is useful for custom authenticators that require additional pages to be added to the authentication flow.
We have also added support to override the theme for specific clients. If that is not adequate for your needs, then there is also a new Theme Selector SPI that allows you to implement custom logic to select the theme.
Instagram Identity Provider
We have added support to login with Instagram. Thanks to hguerrero for the contribution.
Search by User ID in Admin Console
To search for a user by id in the admin console you previously had to edit the URL. It is now possible to search directly in the user search field.
Adapters
JavaScript - Native Promise Support
The JavaScript adapter now supports native promises. It retains support for the old style promises as well. Both can be used interchangeably.
JavaScript - Cordova Options
It is now possible to pass Cordova-specific options to login and other methods in the JavaScript adapter. Thanks to loorent for the contribution.