Enabling and disabling features

Enabling features

Some supported features, and all preview features, are disabled by default. You can enable feature either via single option or including it into the list of enabled feature.

Single option

You can enable the specific feature <name> as follows:

bin/kc.[sh|bat] build --feature-<name>=enabled|disabled|vX

Possible values are enabled, disabled, or a specific version of the feature that should be enabled. For example, to enable rolling-updates:v2 and token-exchange, enter this command:

bin/kc.[sh|bat] build --feature-rolling-updates=v2 --feature-token-exchange=enabled

The single-option mechanism is useful when updating long feature lists is cumbersome or when you want to modify a specific feature without overriding the entire list in a pre-built image.

List of enabled features

bin/kc.[sh|bat] build --features="<name>[,<name>]"

For example, to enable docker and token-exchange, enter this command:

bin/kc.[sh|bat] build --features="docker,token-exchange"

To enable all preview features, enter this command:

bin/kc.[sh|bat] build --features="preview"

Versioning

Enabled feature may be versioned, or unversioned. If you use a versioned feature name, e.g. feature:v1, that exact feature version will be enabled as long as it still exists in the runtime. If you instead use an unversioned name, e.g. just feature, the selection of the particular supported feature version may change from release to release according to the following precedence:

The highest default supported version
The highest non-default supported version
The highest deprecated version
The highest preview version
The highest experimental version

Disabling features

To disable a feature that is enabled by default, you can use a single option or a list of disabled features. When a feature is disabled, all versions of that feature are disabled.

Single option

You can disable the specific feature <name> as follows:

bin/kc.[sh|bat] build --feature-<name>=disabled

For example, to disable dpop and recovery-codes, enter this command:

bin/kc.[sh|bat] build --feature-dpop=disabled --feature-recovery-codes=disabled

The single-option mechanism is useful when updating long feature lists is cumbersome or when you want to modify a specific feature without overriding the entire list in a pre-built image.

List of disabled features

bin/kc.[sh|bat] build --features-disabled="<name>[,<name>]"

For example to disable impersonation, enter this command:

bin/kc.[sh|bat] build --features-disabled="impersonation"

It is not allowed to have a feature in both the features-disabled list and the features list.

Supported features

The following list contains supported features that are enabled by default, and can be disabled if not needed.

Feature	Description
account-api:v1	Account Management REST API
account:v3	Account Console version 3
admin-api:v1	Admin API
admin-fine-grained-authz:v2	Fine-Grained Admin Permissions version 2
admin:v2	New Admin Console
authorization:v1	Authorization Service
ciba:v1	OpenID Connect Client Initiated Backchannel Authentication (CIBA)
client-policies:v1	Client configuration policies
device-flow:v1	OAuth 2.0 Device Authorization Grant
dpop:v1	OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer
hostname:v2	Hostname Options V2
impersonation:v1	Ability for admins to impersonate users
kerberos:v1	Kerberos
login:v2	New Login Theme
opentelemetry:v1	OpenTelemetry Tracing
organization:v1	Organization support within realms
par:v1	OAuth 2.0 Pushed Authorization Requests (PAR)
passkeys:v1	Passkeys
persistent-user-sessions:v1	Persistent online user sessions across restarts and upgrades
recovery-codes:v1	Recovery codes
rolling-updates:v1	Rolling Updates
step-up-authentication:v1	Step-up Authentication
token-exchange-standard:v2	Standard Token Exchange version 2
update-email:v1	Update Email Action
user-event-metrics:v1	Collect metrics based on user events
web-authn:v1	W3C Web Authentication (WebAuthn)

Feature

Description

account-api:v1

Account Management REST API

account:v3

Account Console version 3

admin-api:v1

Admin API

admin-fine-grained-authz:v2

Fine-Grained Admin Permissions version 2

admin:v2

New Admin Console

authorization:v1

Authorization Service

ciba:v1

OpenID Connect Client Initiated Backchannel Authentication (CIBA)

client-policies:v1

Client configuration policies

device-flow:v1

OAuth 2.0 Device Authorization Grant

dpop:v1

OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer

hostname:v2

Hostname Options V2

impersonation:v1

Ability for admins to impersonate users

kerberos:v1

Kerberos

New Login Theme

opentelemetry:v1

OpenTelemetry Tracing

organization:v1

Organization support within realms

par:v1

OAuth 2.0 Pushed Authorization Requests (PAR)

passkeys:v1

Passkeys

persistent-user-sessions:v1

Persistent online user sessions across restarts and upgrades

recovery-codes:v1

Recovery codes

rolling-updates:v1

Rolling Updates

step-up-authentication:v1

Step-up Authentication

token-exchange-standard:v2

Standard Token Exchange version 2

update-email:v1

Update Email Action

user-event-metrics:v1

Collect metrics based on user events

web-authn:v1

W3C Web Authentication (WebAuthn)

Disabled by default

The following list contains supported features that are disabled by default, and can be enabled if needed.

Feature	Description
docker:v1	Docker Registry protocol
fips:v1	FIPS 140-2 mode
multi-site:v1	Multi-site support

Feature

Description

docker:v1

Docker Registry protocol

fips:v1

FIPS 140-2 mode

multi-site:v1

Multi-site support

Preview features

Preview features are disabled by default and are not recommended for use in production. These features may change or be removed at a future release.

Feature	Description
admin-fine-grained-authz:v1	Fine-Grained Admin Permissions
client-auth-federated:v1	Authenticates client based on assertions issued by identity provider
client-secret-rotation:v1	Client Secret Rotation
http-optimized-serializers:v1	Optimized JSON serializers for better performance of the HTTP layer
kubernetes-service-accounts:v1	Kubernetes service accounts trust relationship provider
log-mdc:v1	Mapped Diagnostic Context (MDC) information in logs
rolling-updates:v2	Rolling Updates for patch releases
scripts:v1	Write custom authenticators using JavaScript
spiffe:v1	SPIFFE trust relationship provider
token-exchange:v1	Token Exchange Service

Feature

Description

admin-fine-grained-authz:v1

Fine-Grained Admin Permissions

client-auth-federated:v1

Authenticates client based on assertions issued by identity provider

client-secret-rotation:v1

Client Secret Rotation

http-optimized-serializers:v1

Optimized JSON serializers for better performance of the HTTP layer

kubernetes-service-accounts:v1

Kubernetes service accounts trust relationship provider

log-mdc:v1

Mapped Diagnostic Context (MDC) information in logs

rolling-updates:v2

Rolling Updates for patch releases

scripts:v1

Write custom authenticators using JavaScript

spiffe:v1

SPIFFE trust relationship provider

token-exchange:v1

Token Exchange Service

Deprecated features

The following list contains deprecated features that will be removed in a future release. These features are disabled by default.

Feature	Description
instagram-broker:v1	Instagram Identity Broker
login:v1	Legacy Login Theme
logout-all-sessions:v1	Logout all sessions logs out only regular sessions
passkeys-conditional-ui-authenticator:v1	Passkeys conditional UI authenticator

Feature

Description

instagram-broker:v1

Instagram Identity Broker

Legacy Login Theme

logout-all-sessions:v1

Logout all sessions logs out only regular sessions

passkeys-conditional-ui-authenticator:v1

Passkeys conditional UI authenticator

Relevant options

Type or Values Default

	Type or Values	Default
`feature-<name>` Enable/Disable specific feature <feature>. It takes precedence over the `features`, and `features-disabled` options. Possible values are: `enabled`, `disabled`, or specific version (lowercase) that will be enabled (f.e. `v2`) CLI: `--feature-<name>` Env: `KC_FEATURE_<NAME>`	String
`features` Enables a set of one or more features. CLI: `--features` Env: `KC_FEATURES`	`account-api[:v1]`, `account[:v3]`, `admin-api[:v1]`, `admin-fine-grained-authz[:v1,v2]`, `admin[:v2]`, `authorization[:v1]`, `ciba[:v1]`, `client-admin-api[:v2]`, `client-auth-federated[:v1]`, `client-policies[:v1]`, `client-secret-rotation[:v1]`, `client-types[:v1]`, `clusterless[:v1]`, `db-tidb[:v1]`, `declarative-ui[:v1]`, `device-flow[:v1]`, `docker[:v1]`, `dpop[:v1]`, `dynamic-scopes[:v1]`, `fips[:v1]`, `hostname[:v2]`, `http-optimized-serializers[:v1]`, `impersonation[:v1]`, `instagram-broker[:v1]`, `ipa-tuura-federation[:v1]`, `jwt-authorization-grant[:v1]`, `kerberos[:v1]`, `kubernetes-service-accounts[:v1]`, `log-mdc[:v1]`, `login[:v2,v1]`, `logout-all-sessions[:v1]`, `multi-site[:v1]`, `oid4vc-vci[:v1]`, `openapi[:v1]`, `opentelemetry[:v1]`, `organization[:v1]`, `par[:v1]`, `passkeys-conditional-ui-authenticator[:v1]`, `passkeys[:v1]`, `persistent-user-sessions[:v1]`, `preview`, `quick-theme[:v1]`, `recovery-codes[:v1]`, `rolling-updates[:v1,v2]`, `scripts[:v1]`, `spiffe[:v1]`, `step-up-authentication[:v1]`, `token-exchange-external-internal[:v2]`, `token-exchange-standard[:v2]`, `token-exchange[:v1]`, `transient-users[:v1]`, `update-email[:v1]`, `user-event-metrics[:v1]`, `web-authn[:v1]`, `workflows[:v1]`
`features-disabled` Disables a set of one or more features. CLI: `--features-disabled` Env: `KC_FEATURES_DISABLED`	`account`, `account-api`, `admin`, `admin-api`, `admin-fine-grained-authz`, `authorization`, `ciba`, `client-admin-api`, `client-auth-federated`, `client-policies`, `client-secret-rotation`, `client-types`, `clusterless`, `db-tidb`, `declarative-ui`, `device-flow`, `docker`, `dpop`, `dynamic-scopes`, `fips`, `http-optimized-serializers`, `impersonation`, `instagram-broker`, `ipa-tuura-federation`, `jwt-authorization-grant`, `kerberos`, `kubernetes-service-accounts`, `log-mdc`, `login`, `logout-all-sessions`, `multi-site`, `oid4vc-vci`, `openapi`, `opentelemetry`, `organization`, `par`, `passkeys`, `passkeys-conditional-ui-authenticator`, `persistent-user-sessions`, `preview`, `quick-theme`, `recovery-codes`, `rolling-updates`, `scripts`, `spiffe`, `step-up-authentication`, `token-exchange`, `token-exchange-external-internal`, `token-exchange-standard`, `transient-users`, `update-email`, `user-event-metrics`, `web-authn`, `workflows`

feature-<name>

Enable/Disable specific feature <feature>.

It takes precedence over the features, and features-disabled options. Possible values are: enabled, disabled, or specific version (lowercase) that will be enabled (f.e. v2)

CLI: --feature-<name>
Env: KC_FEATURE_<NAME>

String

features

Enables a set of one or more features.

CLI: --features
Env: KC_FEATURES

account-api[:v1], account[:v3], admin-api[:v1], admin-fine-grained-authz[:v1,v2], admin[:v2], authorization[:v1], ciba[:v1], client-admin-api[:v2], client-auth-federated[:v1], client-policies[:v1], client-secret-rotation[:v1], client-types[:v1], clusterless[:v1], db-tidb[:v1], declarative-ui[:v1], device-flow[:v1], docker[:v1], dpop[:v1], dynamic-scopes[:v1], fips[:v1], hostname[:v2], http-optimized-serializers[:v1], impersonation[:v1], instagram-broker[:v1], ipa-tuura-federation[:v1], jwt-authorization-grant[:v1], kerberos[:v1], kubernetes-service-accounts[:v1], log-mdc[:v1], login[:v2,v1], logout-all-sessions[:v1], multi-site[:v1], oid4vc-vci[:v1], openapi[:v1], opentelemetry[:v1], organization[:v1], par[:v1], passkeys-conditional-ui-authenticator[:v1], passkeys[:v1], persistent-user-sessions[:v1], preview, quick-theme[:v1], recovery-codes[:v1], rolling-updates[:v1,v2], scripts[:v1], spiffe[:v1], step-up-authentication[:v1], token-exchange-external-internal[:v2], token-exchange-standard[:v2], token-exchange[:v1], transient-users[:v1], update-email[:v1], user-event-metrics[:v1], web-authn[:v1], workflows[:v1]

features-disabled

Disables a set of one or more features.

CLI: --features-disabled
Env: KC_FEATURES_DISABLED

account, account-api, admin, admin-api, admin-fine-grained-authz, authorization, ciba, client-admin-api, client-auth-federated, client-policies, client-secret-rotation, client-types, clusterless, db-tidb, declarative-ui, device-flow, docker, dpop, dynamic-scopes, fips, http-optimized-serializers, impersonation, instagram-broker, ipa-tuura-federation, jwt-authorization-grant, kerberos, kubernetes-service-accounts, log-mdc, login, logout-all-sessions, multi-site, oid4vc-vci, openapi, opentelemetry, organization, par, passkeys, passkeys-conditional-ui-authenticator, persistent-user-sessions, preview, quick-theme, recovery-codes, rolling-updates, scripts, spiffe, step-up-authentication, token-exchange, token-exchange-external-internal, token-exchange-standard, transient-users, update-email, user-event-metrics, web-authn, workflows

Nightly release

Enabling and disabling features

Enabling features

Single option

List of enabled features

Versioning

Disabling features

Single option

List of disabled features

Supported features

Disabled by default

Preview features

Deprecated features

Relevant options