Keycloak Blog

Organization Groups: Structure Your Organizations with Hierarchical Group Management

Vlasta Ramik — Wed, 29 Apr 2026 00:00:00 GMT

Introduced in Keycloak 26.6.0, Organization Groups bring hierarchical group management to the Organizations feature. While Organizations already let you model Business-to-Business (B2B) relationships where external companies, partners, or departments each manage their own users, Organization Groups take this further by letting you organize members within each organization into logical teams, departments, or any structure that fits your needs.

Why Organization Groups?

Before Organization Groups, structuring members within an organization required workarounds using realm-level groups, which are shared across the entire realm. This creates problems in multi-tenant scenarios: if Organization A and Organization B both need an "Engineering" group, they’d collide at the realm level.

Organization Groups solve this by giving each organization its own isolated group hierarchy. Organization A’s /Engineering/Backend and Organization B’s /Engineering/Backend are completely separate groups with their own members, attributes, and identifiers. No naming conflicts, no cross-organization leakage.

Creating a Group Hierarchy

Groups can be nested to mirror real-world organizational structures:

/Engineering
  /Engineering/Backend
  /Engineering/Frontend
/Sales
  /Sales/APAC
  /Sales/EMEA
  /Sales/LATAM
  /Sales/NA

Creating groups is straightforward: navigate to your organization, click the Groups tab, and click Create group. To build hierarchies, select a parent group before creating a child group, or use Move to to reorganize existing groups.

Automatic Group Assignment via Identity Providers

One of the most powerful capabilities is automatic group assignment during federated authentication. When an identity provider is linked to an organization, two mapper types are available:

Hardcoded Group assigns every user authenticating through the IdP to a specific organization group. Useful for scenarios like "everyone from this corporate IdP goes into the Engineering team."
Advanced Claim to Group maps users to groups based on claim values from the external IdP. For example, you can map users with a department=backend claim to /Engineering/Backend.

When selecting target groups in these mappers, Keycloak automatically shows both realm groups and groups from the organization linked to the IdP.

Groups in Tokens

Organization group memberships can be included in both OIDC tokens and SAML assertions.

OIDC

Add the Organization Group Membership mapper to a scope that also contains the Organization Membership mapper (the built-in organization scope is the easiest choice). When a user authenticates and requests the organization scope, groups appear within the organization claim:

{
  "organization": {
    "acme-corp": {
      "id": "f8d3c4e1-...",
      "groups": ["/Engineering/Backend"]
    }
  }
}

Group paths are relative to the organization, and multiple organizations can be included using scope=organization:* or by specifying multiple aliases like scope=organization:org-a organization:org-b.

SAML

Add the Organization Group Membership mapper to the built-in saml_organization scope (which already includes the Organization Membership mapper). Groups are automatically included in assertions for all organizations the user is a member of:

<Attribute Name="organization.acme-corp.groups">
  <AttributeValue>/Engineering/Backend</AttributeValue>
</Attribute>

Viewing a Member’s Group Memberships

To see which organization groups a specific member belongs to, use the kebab menu next to the member in the organization’s Members tab and select Show group memberships. This provides a quick overview without navigating away from the member list.

How Organization Groups Differ from Realm Groups

Organization Groups Realm Groups

	Organization Groups	Realm Groups
Scope	Belong to a single organization	Shared across the entire realm
Isolation	Same paths can exist in different organizations	Paths must be unique within the realm
Authorization policies	Cannot be used in Keycloak authorization policies	Supported in authorization policies
Token mapping	Appear within the `organization` claim context	Available via standard group mappers

Scope

Belong to a single organization

Shared across the entire realm

Isolation

Same paths can exist in different organizations

Paths must be unique within the realm

Authorization policies

Cannot be used in Keycloak authorization policies

Supported in authorization policies

Token mapping

Appear within the organization claim context

Available via standard group mappers

REST API

Organization groups are fully manageable via the Admin REST API under /admin/realms/{realm}/organizations/{orgId}/groups. The API supports creating, listing, updating, moving, and deleting groups, as well as managing group members. This makes it straightforward to automate organization structure provisioning from external systems.

Getting Started

Organization Groups are available starting with Keycloak 26.6.0 as part of the Organizations feature. Enable Organizations in your realm settings, create an organization, and start building your group hierarchy from the Groups tab.

For full details, see the Organizations documentation.

Keycloak JS 26.2.4 released

Wed, 22 Apr 2026 00:00:00 GMT

Highlights

This release of Keycloak JS addresses two regressions in the Cordova adapter that were introduced in version 26.2.1.

Bug Fixes

Cordova adapter no longer triggers duplicate authentication requests

A regression introduced in version 26.2.1 caused the Cordova in-app browser to fire multiple loadstart events before the token exchange completed, resulting in concurrent authentication requests that could fail the login flow. The completed flag is now set before awaiting the token exchange, preventing duplicate processing of the redirect URI.

keycloak/keycloak-js#208

Cordova in-app browser now closes before awaiting token exchange

A regression introduced in version 26.2.1 caused the Cordova in-app browser to remain open during the asynchronous token exchange, resulting in a brief "Web page not available" error flashing on Android before the browser eventually closed. The browser is now closed immediately after the redirect URI is captured, before the token exchange begins.

keycloak/keycloak-js#209

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

Keycloak Client Libraries 26.0.9 released

Fri, 17 Apr 2026 00:00:00 GMT

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Enhancements

#203 Sync after Keycloak server 26.6.0 release client
#205 Update dependencies client

Keycloak 26.6.1 released

Wed, 15 Apr 2026 00:00:00 GMT

To download the release go to Keycloak downloads.

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Security fixes

#47276 CVE-2026-4366 Blind Server-Side Request Forgery (SSRF) via HTTP Redirect Handling core
#47619 CVE-2026-4633 Keycloak user enumeration via identity-first login core

Enhancements

#47839 Update CloudNativePG to 1.29
#47909 Database data at rest encryption

Bugs

#47435 AuroraDB IT CI workflow not cleaning up databases testsuite
#47737 deploy-testsuite profile is incomplete, causing discrete testsuite execution to fail testsuite
#47776 False session type of access token in offline_access refresh token flow with scope parameter without offline_access scope oidc
#47827 az vm create fails with JSON parsing error ci
#47872 v26.6.0 Operator flood logs with warnings operator
#47889 Not possible to sync latest keycloak-admin-client to keycloak-client admin/client-java
#47904 @keycloak/keycloak-admin-client fails to install in version 26.6.0 admin/client-js
#47905 invalid package reference in keycloak-admin-ui admin/ui
#47908 MigrateTo26_6_0 modifies custom browser flows, breaking existing realm authentication organizations
#47929 User profile multiselect options not highlighted as selected in dropdown admin/ui
#47955 IdentityProviderAuthenticator creates an infinite redirect loop when an IdP returns an error (e.g. access_denied) and the login was initiated with kc_idp_hint identity-brokering
#48015 Missing explicit docs anchor for organizations docs
#48032 Endpoint Response Text during Bootstrap contains Typo: Boostrap dist/quarkus

SCIM Realm API as an Experimental Feature

Keycloak Core IAM Team — Fri, 10 Apr 2026 00:00:00 GMT

If you have been following the latest blog posts, you may have noticed that we have been working on implementing the System for Cross-domain Identity Management (SCIM) protocol in Keycloak. We are excited to announce that the SCIM Realm API is now available as an experimental feature in Keycloak 26.6.

The SCIM Realm API allows you to manage users and groups in Keycloak using the SCIM protocol. This means that you can use any SCIM client to manage the user and group resource types in your realm. This is a great step towards improving the integrability of Keycloak with other (cross-domain) IAM solutions and downstream applications, thereby enabling common cloud use cases for identity (de)provisioning.

In terms of integration, we focused on making the API as compatible as possible with Microsoft Entra ID, which is the integration most demanded by the community. To do that, we have used the EntraID SCIM Validator to validate our implementation and ensure that it meets the requirements of Microsoft Entra ID.

In essence, the SCIM Realm API is the Admin API but compliant with SCIM.

How to try it out?

Since this is an experimental feature (not enabled by default), you need to enable it when starting the server:

docker run --name kc-scim-api -d \
  -e KEYCLOAK_ADMIN=admin \
  -e KEYCLOAK_ADMIN_PASSWORD=admin \
  -p 8080:8080 \
  quay.io/keycloak/keycloak:nightly \
  start-dev --features=scim-api

Let us create a realm myrealm and enable the SCIM API for it. To do that, you can use the kcadm.sh script to create the realm and enable the API. First, you need to configure the credentials for the kcadm.sh script to be able to connect to the server:

./kcadm.sh config credentials --server http://localhost:8080 --realm master --user admin --password admin

Create the realm myrealm:

./kcadm.sh create realms -s realm=myrealm -s enabled=true -s scimApiEnabled=true

Using the administration console, go to the Realm Settings page of your realm, and check that the SCIM API setting is enabled. Once the API is enabled, you can look up the SCIM base URL in the same page from the link SCIM Endpoint at the bottom of the page. When running on localhost, you should see something like http://localhost:8080/realms/myrealm/scim/v2 as the SCIM base URL.

Connecting a SCIM client

Let us create a service account with enough permissions to access the SCIM API. To do that, you can create a client with the manage-users role, and use the credentials of this client to obtain an access token that you can use to make requests to the SCIM API:

./kcadm.sh create clients -r myrealm -s clientId=scim-client -s serviceAccountsEnabled=true -s publicClient=false -s secret=secret

To allow access to manage users and groups, grant the manage-users role to the service account of the client. You also need to grant view-realm role to allow access to non-resource-type endpoints such as the /ServiceProviderConfig, /Schemas, or /ResourceTypes endpoints:

./kcadm.sh add-roles -r myrealm --uusername service-account-scim-client --cclientid realm-management --rolename manage-users
./kcadm.sh add-roles -r myrealm --uusername service-account-scim-client --cclientid realm-management --rolename view-realm

Understanding SCIM Permissions

In this release, there is no specific role or permission for the SCIM API yet.

The SCIM API uses the same permissions as the Admin API, so you can use the same roles and permissions to control access to the realm resources (users and groups) via the SCIM Realm API. For example, if you want to allow read-only access to users via the SCIM API, you can grant them the view-users role in the realm. The same is true if you are using Fine-Grained Admin Permissions, where you can grant specific permissions to individual realm resources.

You should also be able to only allow a specific set of users or groups to be accessible and manageable via SCIM. For that, consider enabling Fine-Grained Admin Permissions to your realm.

Accessing the SCIM Realm API

Once you have a client and subject with enough access to the SCIM API, you can use any SCIM client to manage users and groups in your realm.

Let us obtain a token for the service account of the scim-client client we created in the previous step, and use it to make a request to the SCIM API. You can obtain a token for the service account with the following command:

ACCESS_TOKEN=$(curl -s -X POST "http://localhost:8080/realms/myrealm/protocol/openid-connect/token" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d 'grant_type=client_credentials&client_id=scim-client&client_secret=secret' \
  | jq -r .access_token)

Now you can use this token to make a request to the SCIM API, for example, to create a user with the following command:

curl -v -X POST "http://localhost:8080/realms/myrealm/scim/v2/Users" \
  -H "Authorization: Bearer $ACCESS_TOKEN" \
  -H "Content-Type: application/scim+json" \
  -H "Accept: application/scim+json" \
  -d '{
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    "userName": "jdoe",
    "name": { "givenName": "John", "familyName": "Doe" },
    "displayName": "John Doe",
    "emails": [
      { "value": "jdoe@example.com" }
    ]
  }'

The same is true for groups, where you can create a group with the following command:

curl -v -X POST "http://localhost:8080/realms/myrealm/scim/v2/Groups" \
  -H "Authorization: Bearer $ACCESS_TOKEN" \
  -H "Content-Type: application/scim+json" \
  -H "Accept: application/scim+json" \
  -d '{
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
    "displayName": "mygroup"
  }'

And, for example, to add a user to a group with the following command. Make sure to replace {group_id} and {user_id} with the actual ID of the group and the user you want to add as a member of the group, respectively:

curl -v -X PATCH "http://localhost:8080/realms/myrealm/scim/v2/Groups/{group_id}" \
  -H "Authorization: Bearer $ACCESS_TOKEN" \
  -H "Content-Type: application/scim+json" \
  -H "Accept: application/scim+json" \
  -d '{
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
    "Operations": [
      {
        "op": "add",
        "path": "members",
        "value": [
          { "value": "{user_id}" }
        ]
      }
    ]
  }'

As mentioned before, the view-realm role is required to access non-resource-type endpoints, so if you have granted this role to the service account of the scim-client client, you can access the /ServiceProviderConfig, /Schemas, and /ResourceTypes endpoints with the following commands:

curl -v -X GET "http://localhost:8080/realms/myrealm/scim/v2/ServiceProviderConfig" \
  -H "Authorization: Bearer $ACCESS_TOKEN"

curl -v -X GET "http://localhost:8080/realms/myrealm/scim/v2/Schemas" \
  -H "Authorization: Bearer $ACCESS_TOKEN"

curl -v -X GET "http://localhost:8080/realms/myrealm/scim/v2/ResourceTypes" \
  -H "Authorization: Bearer $ACCESS_TOKEN"

Mapping User Attributes to SCIM Attributes

Thanks to the user profile feature, you can easily map user attributes to SCIM attributes. To do that, you can add a kc.scim.schema.attribute annotation to a user profile attribute where the value is the name of the SCIM attribute you want to map to.

By default, the user root attributes are automatically mapped to the corresponding SCIM attributes. For example, the username attribute is automatically mapped to the userName SCIM attribute, and the firstName attribute is automatically mapped to the name.givenName SCIM attribute. The same applies to the lastName and email attributes.

The list of supported SCIM attributes can be found by querying the /Schemas or /ResourceTypes endpoints of the SCIM API.

For instance, if you want to map an attribute from the enterprise user schema, such as employeeNumber, you can add the kc.scim.schema.attribute annotation to the corresponding user profile attribute with the value urn:ietf:params:scim:schemas:extension:enterprise:2.0:User.employeeNumber, and this attribute will be available as an extension attribute in user resources in the SCIM API.

In future releases, we plan to add support for mapping custom attributes to SCIM attributes, so you will be able to map any user profile attribute to a SCIM attribute, and create your own custom schemas and attributes.

Mapping Group Attributes to SCIM Attributes

Unlike users, the group resource type is limited to only the displayName and members attributes, as per the group core schema.

Groups do not have a user-profile-like feature, so there is no way to map custom attributes to SCIM attributes for groups without using a different — not ideal — approach. This is one of the key design aspects we will be looking at in the next release, so that we build a common mechanism for mapping both user and group attributes to SCIM attributes, and that we can support custom schemas and attributes for both users and groups.

What is being delivered?

The capabilities delivered in 26.6 are based on the RFC 7643 and RFC 7644 specifications, and include support for most of both specs. We aimed to deliver this initial set of capabilities in a way that is compatible with Microsoft Entra ID, so that SCIM clients can perform the following operations:

POST, GET, PATCH, PUT, and DELETE operations for managing users and groups
Support for the core user, enterprise user, and group schemas
Add and remove users from groups
Search for users and groups using the SCIM filtering and pagination syntax
Query the supported Service Provider Configuration, Schemas, and Resource Types

There are missing capabilities from the RFCs, a highlight being:

Bulk Operations
Password Management
Sorting
Manage service provider config settings
Custom Schemas and Attributes

In regard to custom schemas and attributes, we have delivered support for mapping user profile attributes to SCIM attributes, but there is no support for custom schemas and attributes yet. This means that you can only map user profile attributes to the existing SCIM attributes defined in the core and enterprise user schemas, but you cannot create your own custom schemas and attributes.

The feature’s roadmap includes additional capabilities such as UIs for the administration console, support for custom schemas and attributes, support for organizations, and more.

You can find the full roadmap in GitHub issue #45287.

How does it map to other features?

The scim-api feature turns a realm into an upstream or downstream (cross-domain) identity store. Thanks to the workflows feature, it will also be possible to enhance and automate administrative tasks when onboarding or offboarding identities from different channels, using a different workflow if needed.

In terms of authorization, being a SCIM-compliant version of the Admin API, it leverages the same mechanisms to enforce access to realm resources such as users and groups. These mechanisms are based on the server/realm admin roles and Fine-Grained Admin Permissions.

In terms of attribute management, mainly for users, the SCIM API leverages the user profile feature to centralize how user attributes are managed. Unfortunately, we do not yet have a similar mechanism for groups.

We want to hear from you!

The next releases will also be based on the feedback we receive from the community, so we encourage you to try out the SCIM Realm API and share your thoughts with us. While the feature remains experimental, we will be closely monitoring the feedback and usage to understand how it is being used and what the most important capabilities and fixes to deliver are.

Please, provide your feedback about the feature’s roadmap on the following issue:

https://github.com/keycloak/keycloak/issues/45287

Or open issues with the area/scim label if you encounter any problems or enhancements in the current set of capabilities.

This is particularly important to help us prioritize the next capabilities to be added, and to ensure that we are delivering the features that are most important to you.

Thanks for your support and feedback (including contributions) during the last sprints!

Keycloak 26.6.0 released

Wed, 8 Apr 2026 00:00:00 GMT

To download the release go to Keycloak downloads.

Highlights

This release features new capabilities for users and administrators of Keycloak. The highlights of this release are:

JWT Authorization Grant, enabling external-to-internal token exchange using externally signed JWT assertions.
Federated client authentication, eliminating the need to manage individual client secrets in Keycloak.
Workflows, enabling administrators to automate realm administrative tasks such as user and client lifecycle management.
Zero-downtime patch releases, allowing rolling updates within a minor release stream without service downtime.
The Keycloak Test Framework, replacing the previous Arquillian-based solution.

All of these features are now fully supported and no longer in preview. Read on to learn more about each new feature. If you are upgrading from a previous release, also review the changes listed in the upgrading guide.

Security and Standards

JWT Authorization Grant (supported)

JWT Authorization Grant (RFC 7523) is designed to implement external-to-internal token exchange use cases. This grant allows using externally signed JWT assertions to request OAuth 2.0 access tokens.

In this release, JWT Authorization Grant is promoted from preview to supported. See the JWT Authorization Grant guide for additional details.

Federated client authentication (supported)

Federated client authentication allows clients to leverage existing credentials once a trust relationship with another issuer exists. It eliminates the need to assign and manage individual secrets for each client in Keycloak.

Federated client authentication is now promoted to supported, including support for client assertions issued by external OpenID Connect identity providers and Kubernetes Service Accounts.

Since the OAuth SPIFFE Client Authentication specification is still in draft status, this feature remains a preview feature in Keycloak.

New guide about Demonstrating Proof-of-Possession (DPoP)

A new guide for OAuth 2.0 Demonstrating Proof-of-Possession (DPoP) in the Securing applications Guides provides information on how to mitigate the risk of stolen tokens by making tokens sender-constrained.

See Securing applications with DPoP for more details.

Identity Brokering APIs V2 (preview)

A new preview version 2 for the Identity Brokering APIs is introduced in this release. When brokering is used during the authentication process, Keycloak allows you to store tokens and responses issued by the external Identity Provider. Applications can call a specific endpoint to retrieve those tokens, which, in turn, can be used to get extra user information or invoke endpoints in the external trust domain. The new version improves the token retrieval endpoint to substitute the internal to external Token Exchange (use case for the legacy Token Exchange V1).

For more information, see the chapter Identity Brokering APIs in the Server Developer Guide.

Step-up authentication for SAML (preview)

The feature step-up-authentication-saml extends the step-up authentication to include the SAML protocol and clients. This feature is in preview mode. Additional information is available in the Server Administration Guide.

OAuth Client ID Metadata Document (experimental)

OAuth Client ID Metadata Document (CIMD) is an emerging standard that defines a JSON document format for describing OAuth 2.0 client metadata. Since version 2025-11-25, the Model Context Protocol (MCP) requires an authorization server to comply with CIMD. Keycloak now includes experimental support for CIMD, allowing it to serve as an authorization server for MCP version 2025-11-25 or later.

See Integrating with Model Context Protocol (MCP) for the updated guide including CIMD.

Many thanks to Takashi Norimatsu for the contribution.

Administration

Workflows (supported)

Workflows allow administrators to automate and orchestrate realm administrative tasks, bringing key capabilities of Identity Governance and Administration (IGA) to Keycloak. By defining workflows in YAML format, you can automate the lifecycle of realm resources such as users and clients based on events, conditions, and schedules.

In this release, Workflows is promoted from preview to supported. This release also includes new built-in steps, a troubleshooting guide, and various improvements to the workflow engine.

For more details, see the Managing workflows chapter in the Server Administration Guide.

Organization groups

Organizations now support isolated group hierarchies, allowing each organization to manage its own teams and departments without naming conflicts across the realm. This update includes Identity Provider mappers to automatically assign federated users to organization groups based on external claims. Group membership is automatically included in OIDC tokens and SAML assertions when an organization context is requested.

For more details, see the Managing organization groups guide.

New Groups scope for user membership changes

Fine-Grained Admin Permissions (FGAP) now includes a new Groups scope: manage-membership-of-members.

This scope is now used as the group-side bridge for evaluating user-side manage-group-membership permissions based on a user’s current group memberships. The existing manage-membership scope keeps its current behavior for target group membership management operations.

Looking up client secrets via the Vault SPI

Secrets for clients can now be managed and looked up by the Vault SPI.

Thank you to Tero Saarni for contributing this change.

Forcing password change for LDAP users

There is now initial support for LDAP password policy control. The support is limited to prompting users to update their password when the LDAP server indicates that the password must be changed. Previously, Keycloak let the user in and ignored the mandatory password reset. There is a new optional setting “Enable LDAP password policy” in the LDAP advanced settings to enable this.

Thank you to Tero Saarni for contributing this change.

Configuring and Running

Java 25 support

Keycloak now supports running with OpenJDK 25. The server container image continues to use OpenJDK 21 for now to support FIPS mode. For details, see the note in the FIPS guide.

Zero-downtime patch releases (supported)

Zero-downtime patch releases allow you to perform rolling updates when upgrading to a newer patch version within the same major.minor release stream without service downtime.

In this release, zero-downtime patch releases are promoted to supported and enabled by default. When using the Keycloak Operator, set the update strategy to Auto to benefit from this functionality.

For more details on the Operator configuration, see the Avoiding downtime with rolling updates guide.

Installation instructions for CloudNativePG

For those running Keycloak on Kubernetes, there is now a guide on how to deploy a PostgreSQL database on Kubernetes by leveraging the CloudNativePG Operator and how to connect Keycloak to the database.

See Deploying CloudNativePG in multiple availability zones in the High Availability Guide for details.

Simplified database operations

Several new command line options simplify the database operations for Keycloak and remove the need to use raw JDBC connection options:

Configure TLS for the database connection.
Database connection timeouts.
Transaction timeouts with production-ready defaults.

It also verifies the correct UTF-8 character encoding of the database at startup and prints a warning if this is not the case.

When running on orchestrators like Kubernetes, the startup and liveness probes return UP during database migrations, simplifying upgrades by removing the need to adjust the probes during upgrades.

See the migration guide for additional details on each aspect.

Graceful shutdown of HTTP stack

To allow rolling updates for configuration changes or version updates, a graceful shutdown of Keycloak nodes prevents users from seeing error responses when logging in or refreshing their tokens when nodes shut down.

Starting with this version, Keycloak supports a graceful shutdown of the HTTP stack. This includes delaying a shutdown after receiving a termination signal, connection draining for HTTP/1.1 and HTTP/2 connections during that period, and a shutdown timeout to finish ongoing requests.

The defaults are a shutdown delay and a shutdown timeout of one second each. This should be a good fit for setups where the reverse proxy is using TLS edge termination or re-encryption and the reverse proxy is notified about the Keycloak node shutting down at the same time as the Keycloak node. This is a common setup, for example, in Kubernetes environments.

Users should adjust those values depending on their proxy setup. See the section Graceful HTTP shutdown in the reverse proxy guide for more information.

New `KCRAW_` prefix for environment variables to preserve literal values

Keycloak now supports a KCRAW_ prefix for environment variables to preserve values containing $ characters exactly as written, without expression evaluation.

When using the standard KC_ prefix, Keycloak (via SmallRye Config) evaluates expressions in values (for example, ${some_key} is resolved and $$ is collapsed to $). This can silently modify passwords or secrets injected by a secrets manager or orchestration tool where manual escaping is not feasible.

Setting KCRAW_<KEY> instead of KC_<KEY> preserves the value exactly as provided.

See the Preserving literal values with the KCRAW_ prefix section in the Server Configuration guide for details.

Automatic reload of lists with disallowed passwords

When a list of disallowed passwords (also known as blacklist) changes, it is automatically reloaded. This avoids the need for a server restart when the list changes.

Thank you to Tero Saarni for contributing this change.

Automatic truststore initialization on Kubernetes and OpenShift

Keycloak now automatically discovers and trusts cluster certificate authorities when running on Kubernetes or OpenShift, without requiring the Operator to preconfigure the truststore.

If present in the container filesystem, the following certificates are added to the system truststore at startup:

/var/run/secrets/kubernetes.io/serviceaccount/ca.crt (Kubernetes service account CA)
/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt (OpenShift service CA)

This behavior is enabled by default and can be controlled with the server option --truststore-kubernetes-enabled=true|false (default: true).

Most deployments do not require any action. If you relied on the Operator to manage these truststore entries previously, the server now performs the same function directly.

Client certificate lookup providers for Traefik and Envoy

You can now use new client certificate lookup providers for Traefik and Envoy proxies. For details, see the Enabling Client Certificate Lookup section of the documentation.

Configurable Kubernetes Service name and port in the Keycloak Operator

The Keycloak Operator now supports overriding the name and port of the Kubernetes Service it creates for a Keycloak deployment.

Previously, the Service name was always derived as <cr-name>-service and the Service port always matched the container port. You can now use the spec.http.serviceName, spec.http.serviceHttpsPort, and spec.http.serviceHttpPort fields to configure these independently.

For more details, see the Advanced configuration guide.

Sensitive information is not displayed in the HTTP Access log

If you are using the HTTP Access logging capability, sensitive information is omitted. This means that tokens in the 'Authorization' HTTP header and specific sensitive cookies are not shown.

For more information, see Configuring HTTP access logging.

Configurable log file rotation

It is now possible to configure log file rotation when using Keycloak’s built-in file logging handler. This includes a simple option to fully disable log rotation, which is useful when using an external log rotation solution such as logrotate.

To disable log file rotation:

bin/kc.sh start --log="console,file" --log-file-rotation-enabled=false

For more information, see the File logging guide.

HTTP access logs in a dedicated file

HTTP access logs can now be written to a dedicated file, separate from the server logs. This makes it easier to process and archive access logs independently for security auditing and compliance monitoring.

For more information, see Configuring HTTP access logging.

Customizable service fields in JSON log output

Keycloak now provides native options to customize the service.name and service.environment fields in JSON log output across all log handlers (console, file, and syslog).

Previously, when using the ECS format, service.name and service.environment could not be overridden through Keycloak configuration. This made it difficult to align JSON log fields with OpenTelemetry resource attributes.

You can now set these fields using log-service-name and log-service-environment.

For more information, see the Configuring logging guide.

New and updated translations

New translations for Indonesian and Armenian were added. A warm welcome to the new language maintainers for these languages! There are also new language maintainers for the Swedish translation, who translated all remaining message keys. Thank you so much!

Follow the translation progress on the translation status page, help translate, and read the translation guide on how to add additional languages.

Right-to-left language support in the Account UI

Support for right-to-left (RTL) languages was added to the Login UI, Admin UI, and email templates several releases ago. This release adds initial RTL support to the Account UI, which completes this effort.

Observability

Telemetry configuration via the Keycloak CR

Keycloak now supports configuring the OpenTelemetry properties via the Keycloak CR when using the Operator. These properties are shared among the available OpenTelemetry components - logs, metrics, and traces.

For more details, see the Centralize your observability stack with OpenTelemetry guide.

Custom request headers for OpenTelemetry

It is now possible to set request headers for exporting telemetry via OpenTelemetry Protocol (OTLP). This is mainly useful for providing tokens in the request.

You can specify these headers via the telemetry-header-<header> wildcard option, which accepts any custom header name. Alternatively, use telemetry-logs-header-<header> for OpenTelemetry Logs or telemetry-metrics-header-<header> for OpenTelemetry Metrics.

For more details, see the Centralize your observability stack with OpenTelemetry guide.

Service Monitor annotations and labels via the Keycloak CR

It is now possible to configure service monitor labels and annotations via the Keycloak CR when using the Operator.

For more details, see the Advanced Configuration Operator guide.

Extension Development

Keycloak Test Framework (supported)

The Keycloak Test Framework, based on JUnit 6, is now fully supported.

It replaces the previous solution built on top of Arquillian and JUnit 4. Behind the scenes, the framework handles the lifecycle of Keycloak, the database, and any injected resources such as realms and clients.

Tests simply declare what they want, including specific configuration, and the framework takes care of the rest.

For more information, see Keycloak Test Framework.

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Deprecated features

#45156 Deprecate Token Exchange v1

New features

#10155 Step-up authentication for SAML clients authentication
#13102 Add support for specifying `client.secret` using vault core
#39888 Workflows
#42634 Federated client authentication
#43144 OAuth Identity and Authorization Chaining Across Domains
#43146 New test framework
#43152 Authorization Grants
#43252 Zero-downtime upgrades between patch releases of Keycloak
#43257 Support a Kubernetes Native Database
#43507 Add support for Organization-specific Groups
#43576 Authorization grant for social providers token-exchange/federated
#44833 [OID4VCI] Make natural_person configuration available in all formats oid4vc
#45106 OAuth Client ID Metadata Document
#45284 CIMD - Persistent CIMD oidc
#46633 keycloak operator: add support for different port and name for the kubernetes service definition in the keycloak CRD
#47011 Add debug helper utility to the test framework test-framework

Enhancements

#10618 Enhancements to logging config dist/quarkus
#14523 Add support for enforced password change with LDAP federation ldap
#17904 Support RTL UI account/ui
#19374 Allow absolute path for cache-config-file? dist/quarkus
#19453 The default database transaction timeout should not be applied to Liquibase or data migrations dist/quarkus
#20618 Support enabling access logs dist/quarkus
#27986 Remove Liquibase dependency version from Keycloak root pom
#33160 Add support for X509 client certificate lookup for Envoy
#33198 Introduce `resourcesCommonUrl` for E-Mail templates core
#33818 Request for Enhancement: Make x509cert-lookup SPI public
#34435 OTEL: Add tracing ID to user facing error message observability
#35298 Reverse proxy provided context path not working despite setting X-Forwarded-Prefix header dist/quarkus
#36226 Provide a read only view of Identity Provider Mappers configuration screen to the Keycloak Admin UI
#36710 Have a first-class CLI option to change Keycloak's transaction timeout dist/quarkus
#38884 Upgrade command rolling updates for patch releases / step 3: Infinispan/JGroups support
#38888 Avoid breaking DB changes during patch releases
#40902 More fully document operator upgrade scenarios, in particular with custom images docs
#41330 Improve logging of JpaUserSessionPersisterProvider#expire
#41353 Provide HTTP access logs written to file with rotation dist/quarkus
#41629 Remove Tracing workaround in Infinispan/JGroups classes
#42256 DB Connection Pool acquisition timeout errors on database failover core
#42626 Provide a way to add custom labels to generated ServiceMonitor
#42747 Make DPoP docs more detailed oidc
#42876 dev mode should bind only to localhost if possible
#42900 Move the logic of scanning Kubernetes CA to Keycloak dist/quarkus
#43589 Gracefully shutting down HTTP stack
#43701 Improve SimpleHttp API core
#43829 Add createdTimestamp filter (before/after) to /admin/realms/{realm}/users
#44090 ErrorId for error screens and logging
#44101 Allow re-using server when running tests with the new framework
#44364 Improve client creation with PKCE in admin console core
#44424 findClientSessionsClientIds performance issue storage
#44459 Adding the log to the required action to show the cause of syntax violation of the LDAP policy ldap
#44846 [OID4VCI]: Ensure OID4VCI optional fields are saved cleanly and use defaults oid4vc
#44849 [OID4VCI] Add UI support for `vc.credential_signing_alg` in OID4VCI client scopes oid4vc
#44973 Hide Remember Me session settings when Remember Me is disabled in realm login settings
#45006 [OID4VCI] Add support for user did as subject id oid4vc
#45188 Upgrade to quarkus 3.30.5
#45220 OTEL: Ability to specify headers for exporters observability
#45231 [OID4VCI] Generate pre-authorized codes using the JWT format oid4vc
#45254 Admin UI javascript bundle should have source mapping
#45278 Upgrade to Quarkus 3.33.x LTS
#45281 Add missing Swedish translations for admin theme messages translations
#45322 Linking user with idp fails with generic message if user is already linked identity-brokering
#45337 Upgrade to Quarkus 3.31
#45348 OTEL: Add Telemetry options to Keycloak CR observability
#45360 Document that the the HA architectures are tested with Openshift 4.18
#45467 Management interface endpoint lists available endpoints dist/quarkus
#45620 Change default not-before validation to 10 second instead of 0 oidc
#45623 Avoid unnecessary warning logs during the operator tests execution testsuite
#45629 HTTP access log written to file should be in a separate directory dist/quarkus
#45689 When a user joins a role or group, it should not read all existing roles and groups from the database
#45704 Invite existing users from Admin UI organizations
#45718 Improve error message when organization name cannot be used as alias
#45795 Promote Keycloak and KeycloakRealmImport CRDs to v2beta1
#45841 Add revert button to client credentials page
#45880 SAMLEndpoint - increase extensibility by increasing accessibility of some private fields/methods
#45882 Use GroupResource context in Groups so that Group components can be reused
#45884 Testframework core has dependency on testcontainers
#45898 Supported Configurations guide
#45909 Add theme clarification blurb to Realm Settings admin/ui
#45941 Do not use deprecated test containers in tests testsuite
#45944 OTEL: Use suggested 'code.function.name' for span attributes observability
#45965 [OID4VCI] Revisit and fix OAuthClient.credentialRequest() oid4vc
#45992 Clarify operator instructions involving Wildcard certificates and OpenShift
#45996 Enforce `LF` line endings on `*.tsx` files with `.gitattributes`
#45999 [OID4VCI] Revisit and fix OAuthClient.credentialOfferUriRequest() oid4vc
#46001 [OID4VCI] Revisit and fix OAuthClient.credentialOfferRequest() oid4vc
#46043 Upgrade to Quarkus 3.31.2 dist/quarkus
#46055 [OID4VCI] Confine test realm setup to TestCase.configureTestRealm()
#46156 Add node count and next-node selection to LoadBalancer API
#46164 Separate password and OTP brute force protection to prevent OTP bypass attacks by default
#46255 Upgrade to Quarkus 3.32.0.CR1 dist/quarkus
#46292 Allow to expose WellKnown provider via ServerMetadataResource
#46304 SPIFFE Identity Provider default TTL too low
#46355 [OID4VCI] Add support for CredentialScopeRepresentation oid4vc
#46395 X509 Certificates passed from Traefik PassTlsClientCert middleware broken since 26.5.0 authentication
#46421 Revisit Infinispan session idle and lifetime settings
#46429 Add username to BrokeredIdentityContext created from JWTBearer Grant token-exchange/federated
#46471 Aggregate client-id field for improved Infinispan query
#46494 Allow customizing federated identity lookup in JWTAuthorizationGrantType
#46531 Consider exposing UUID for admin api v2 resources
#46556 For MSSQL Server, set `sendStringParametersAsUnicode` to `false` by default storage
#46557 Keycloak should check the Unicode setup of the database on startup
#46603 Add Database CLI options for TLS encryption for databases
#46617 MCP Documentation for 26.6
#46626 Allow to configure Client Assertion max expiration for Kubernetes Identity Provider
#46627 Allow to configure Client Assertion max expiration for OIDC Identity Provider
#46657 Passwords containing `$$` or `${` patterns are mangled when set via environment variables (SmallRye expression evaluation) dist/quarkus
#46671 Allow custom timeouts in DBLockProvider
#46689 Remove user input reflection in Token Introspection error responses oidc
#46693 Group-level deny policies do not block `manage-group-membership` on group members admin/fine-grained-permissions
#46699 CIMD - Performance: Avoid repeated convertContentFilledList() in verifyUri()
#46701 CIMD - Performance: Single-pass HTTP Cache-Control header lookup
#46703 CIMD - Performance: Eliminate double URI parsing in ClientIdUriSchemeCondition.applyPolicy()
#46708 CIMD - Performance: Avoid streaming the directive list multipul times
#46711 Upgrade to Quarkus 3.32.1 dist/quarkus
#46728 Use quarkus properties ahead of keycloak defaults or map from values
#46757 Upgrade to jackson-core 2.21.1
#46765 Adding missing question mark
#46781 IdP alias is not clickable in organization's Identity Providers tab admin/ui
#46796 Document that export is not a backup
#46809 Set a default connection timeout for all databases types
#46872 Be more explicit on how to enable OTel Logs and Metrics in Operator observability
#46874 Be more explicit in using the OTel Logs level observability
#46890 Upgrade to Quarkus 3.32.2 dist/quarkus
#46936 Reduce tightly coupling between client policy contexts and conditions/executors oidc
#46964 Adding more Hungarian translations
#46972 Clarify credentials field availability in GET /admin/realms/{realm}/users documentation
#47038 Translation support for UI theme descriptions translations
#47081 Upgrade to Quarkus 3.32.3 dist/quarkus
#47130 Upgrade to Quarkus 3.33.0.CR1 dist/quarkus
#47140 Add CLI option for database connection timeout and provide it into quarkus.datasource.jdbc.login-timeout
#47146 Keycloak: no native option to customize JSON log service.name and service.environment fields observability
#47163 Enhancement: Password denylist file changes should not require server restart
#47187 Asynchronous server initialization
#47229 Identity Provider redirection via kc_idp_hint in Pushed Authorization Request oidc
#47416 Async startup doesn't be enabled when the health check is not enabled
#47535 Polishing CNPG installation docs
#47667 Update release-notes for CIMD

Bugs

#22569 Provide descriptions for default realm-management roles admin/ui
#26946 Multiple protocolMappers with the same name. admin/api
#28970 Documention about the default db-schema is ambiguous docs
#36593 Built-in authentication flows are not updated for KC 26 organizations
#37231 Set New Password Multiple Times via Password Reset Function login/ui
#38991 [Test framework] Embedded server -> dependency download error when no version is specified test-framework
#39127 Incorrect return code with JWT algorithm set to none authentication
#40510 Organization flow do not redirect when credentials exist organizations
#40753 Resource leak: FileInputStream in Util.readProperties(File) is never closed .SAST core
#40921 Reject invalid resource IDs in permission creation
#41165 Feishu login has been continuously failing as an identity provider identity-brokering
#41630 Warning log message SRCFG01008: The value default has been converted by a Boolean Converter to "false" dist/quarkus
#41924 Internal server error after changing Admin UI theme to "base" - An old, persisted problem admin/ui
#42222 Federation Cache Policy details not shown when editing provider in Keycloak 26.3+ admin/ui
#42836 Organization selection changes after token refresh organizations
#42839 UserInfo endpoint returns incorrect organization claim organizations
#43198 Operator status patching of keycloak failed operator
#43201 entity mappings not working on 26.4 core
#43356 Keycloak tests framework - issue to identify distribution directory inside ZIP file when version string uses suffix test-framework
#43613 case insensitive match on organization identity provider domain - In case 'ANY' option is chosen organizations
#43726 Slow evaluation of client roles with dots for role mapper and others identity-brokering
#43757 Code Examples in Authentication SPI Documentation Don't Match Quickstarts Repository authentication
#43854 OID4VCI credentials have invalid subject id value oid4vc
#43949 MultivaluedString in mappers is not saved to backend with shown default value admin/ui
#43991 Keycloak operator - Reconciliation failure operator
#44099 Out of memory after 3-4 restarts of embedded server testsuite
#44100 Issue with starting server results in connection refused exception in test testsuite
#44132 Bug -> Keycloak preview feature "scripts" is enabled by default authentication
#44283 Flaky test: org.keycloak.testsuite.federation.ldap.LDAPGroupMapperTest#test06_addingUserToNewKeycloakGroup ci
#44403 DCR endpoint ignores client's requested token_endpoint_auth_method oidc
#44425 [Keycloak JS CI] Admin UI E2E Firefox failure ci
#44498 [quick-theme] Logo and Favicon problem login/ui
#44574 Unable to find contextual data of type: org.keycloak.models.KeycloakSession testsuite
#44598 SAML user created with null username when mapped attribute missing saml
#44622 OID4VCI functionality should be disabled for the realm when "Verified Credentials" switch is disabled oid4vc
#44637 Fail to import the realm with OID4VCI enabled import-export
#44670 CredentialEndpoint can be invoked with incorrect access token oid4vc
#44678 Inconsistent search when using wildcards admin/api
#44699 Not able to find key for credential signature if client scope was saved from admin console admin/ui
#44737 CredentialRequest requires that client scope is assigned as 'Optional' oid4vc
#44784 link to reset-credentials ignores default locale AND ui_locales login/ui
#44803 Unhandled IllegalArgumentException in SAMLRequestParser saml
#44807 [OID4VCI] Default values are not set for ClientScope core
#44819 Missing validation error label on UI when editing a user user-profile
#44824 Keycloak retains mapped firstName value and does not nullify it when upstream identity provider stops sending the claim identity-brokering
#44875 [OID4VCI] CredentialSignerException: Proof Type null is not supported for format ldp_vc oid4vc
#44905 Email is not updated based on upstream IdP email identity-brokering
#44961 Authorization_details added to token-response even when should not be oid4vc
#45005 [OID4VCI] Revisit and fix /credential_offer_uri endpoint oid4vc
#45058 Base theme: "user properties" and "register" required mark is missing the required class login/ui
#45069 Base theme: `login-config-totp`, `label`s have hardcoded `control-label` instead of `${properties.kcLabelClass!}` login/ui
#45160 NullPointer when using JwsHeader.builder().withx5c(certificate) oidc
#45162 Missing icons in v2 keycloak login theme login/ui
#45163 Guide refers to no longer existing Docker Registry oidc
#45164 Base theme: `login-config-totp`, buttons are not wrapped in a `kcFormGroupClass` login/ui
#45209 [OID4VCI] Issuer metadata contains unwanted 'id' for credential_configurations_supported oid4vc
#45219 User REST Admin API - count and search returns different amount of users account/api
#45227 Accessibility: Improve authenticator selector for screen readers and keyboard navigation login/ui
#45252 `.env.test` overrides values from environment testsuite
#45272 EventOptionsTest failing due to missing verifiable_credential options testsuite
#45324 Affirmative Aggregated Policies do not evaluate correctly for admin console admin/fine-grained-permissions
#45385 [OID4VCI] No key for id ... and algorithm ... available oid4vc
#45406 SearchDropdown clear button doesn't reset form fields, URI search broken authorization-services
#45422 Organizations login leaks IdP aliases when no Organization is resolved (IdP/tenant enumeration) organizations
#45425 OpenApiDistTest fails in CI ci
#45428 Admin UI: Wrong redirect for permissions accessed via resource details authorization-services
#45446 [OID4VCI] Default value for vc.credential_build_config.hash_algorithm causes _sd_alg to be invalid due to case sensitivity oid4vc
#45485 [OID4VCI] Inconsistencies in well-known OID4VC metadata (Same metadata for all formats) oid4vc
#45488 Filename not being displayed during imports admin/ui
#45501 ConcurrentModificationException in KeycloakProcessor#configureProfile dist/quarkus
#45519 User profile Attribute multiselect inputType not working since 26.4.0 user-profile
#45522 LoggingDistTest.httpAccessLogNotNamedPattern is not stable dist/quarkus
#45539 Avoid using some blacklist/whitelist wording in UI and docs admin/ui
#45561 NPE in Authorization Evaluation when parentPolicy is null during concurrent authz deletes authorization-services
#45564 Wrong nesting of semaphore release handling in Argon2 hashing core
#45586 Missing help text in Admin UI for adding client policy conditions admin/ui
#45587 SecureClientUrisExecutor doesn't allow for "+" weborigin oidc
#45606 Document back channel request limitations docs
#45669 Unable to resolve current project as a dependency to test framework server config testsuite
#45694 Unvalidated URL Construction in ResourceAdminManager via Matrix Parameter Injection core
#45724 [OID4VCI] Inconsistencies in OID4VCI metadata related to cryptographic bindings and proofs oid4vc
#45727 Refactor `SessionsResource` for better memory usage and performance infinispan
#45733 Admin UI theme logo not displaying from theme properties admin/ui
#45738 clients-registrations/default GET endpoint does not rotate Registration Access Token as documented oidc
#45740 `client-access-type` condition in Client Policy does not trigger for token request events core
#45747 Confusing admin behavior when multiple IDPs in a realm have the same issuer URL core
#45748 [OID4VCI] OpenID4VCI User Attribute Mapper does not support nested claims oid4vc
#45750 Test framework doesn't stop running Keycloak instance if reuse is turned off testsuite
#45760 Disabled organisation should not execute invitations organizations
#45812 ROPC: invalid_grant Error Response not RFC Compliant oidc
#45818 There is no save button on the TokenTab admin/ui
#45829 Useless warning logged when querying credentials for a user in a realm with password history enabled authentication
#45859 [OID4VCI] Duplicate processing of authorization_details from AuthorizationDetailsProcessorManager oid4vc
#45875 Workflows execution bypasses admin permission boundaries (manage-realm -> realm-admin) workflows
#45877 UiPageProvider components not filtered by implementation in the Admin UI admin/api
#45881 Flaky test: org.keycloak.testsuite.oauth.OfflineTokenTest#offlineTokenBrowserFlow ci
#45888 ServiceMonitor is not created due to missing fields docs
#45917 LDAP mapper of type "group-ldap-mapper" does not expose "objectGUID" for group in GUID format ldap
#45921 `Config should not be initialized until profile is determined` throw from Maven using embedded Keycloak dist/quarkus
#45922 Flaky test: org.keycloak.testsuite.forms.LevelOfAssuranceFlowTest#optionalClaimNotReachedSucceeds ci
#45924 Make sure disabled organization is ignored when re-authenticating organizations
#45947 Selecting condition type when creating a client policy is too wide core
#45971 Paths with spaces are not decoded when trying to discover providers JAR file dist/quarkus
#45986 [KEYCLOAK CI] - AuroraDB IT - Run Aurora new database tests on EC2 ci
#45993 [quarkus-next] Fix build failure due to missing build step ordering constraints dist/quarkus
#46006 JpaOrganizationProvider.searchGroupsByName ignores search parameter organizations
#46009 Client sessions pagination does not work admin/ui
#46010 Missing anti-ID phishing check for getting client admin/api
#46015 Duplicate `{client-uuid}` path parameter in OpenAPI spec admin/api
#46040 Assign realm users to organization organizations
#46050 AuthorizationServices should prevent org group ids for group policies organizations
#46051 [OIDC4VCI] - Types in JWT_VC oid4vc
#46075 [quarkus-next] Tests fail due to missing build step ordering constraint on disableHealthCheckBean dist/quarkus
#46081 [Keycloak JS CI] `fetchWithError` throwing `NetworkError` ci
#46084 [quarkus-next] DatasourcesDistTest fails due to Quarkus stdout/stderr capture changes dist/quarkus
#46089 Deleting a resource on page 2 shows "No resources found" empty state while resources still exist in Authorization Resources tab authorization-services
#46095 [quarkus-next] configureResteasy() missing Quarkus build step dependency dist/quarkus
#46110 Distribution server sometimes uses wrong pid for started Keycloak server test-framework
#46121 Unable to initialize 'jakarta.el.ExpressionFactory' when starting the server in Quarkus' development mode dist/quarkus
#46159 Docs: authorization_services/topics/resource-server-default-config.adoc authorization-services
#46160 Keycloak from `quarkus/tests/junit5` doesn't throw exception when there's a startup failure dist/quarkus
#46175 AdminClient in MANAGED_REALM mode has bugs test-framework
#46187 [quarkus-next] Update error message for invalid duration in certificate reload test dist/quarkus
#46192 Checking non-converted FROM address when sending emails core
#46193 [UI Bug] Microsoft/OIDC IdP "Prompt" dropdown saves human-readable label instead of technical value admin/ui
#46235 Welcome screen URL is not correct with hostname set to url admin/ui
#46297 [OID4VCI] Attribute did should be added to user profile just if OID4VCI is enabled for the realm
#46314 Bundle issue in account-ui account/ui
#46321 [Keycloak CI] Azure and Aurora Migration tests failing ci
#46322 [Keycloak CI] New database tests fail on Aurora and Azure ci
#46350 The RestartLoginCookie does not allow for key rotation as it always uses the active key for verification login/ui
#46366 Missing `parentId` in the GroupRepresentation of @keycloak/keycloak-admin-client admin/client-js
#46374 [quick-theme] Background is not hot redeployed admin/ui
#46384 Resource selection not displayed in scope-based permission creation when resource is not in initial results admin/ui
#46403 Caching or role parsing should be realm specific infinispan
#46413 [Admin UI] User's organizations list is delayed/empty until an N+1 cascade of API calls completes admin/ui
#46445 Org Groups API does not return subGroupCount organizations
#46454 Organization groups not included in user's groups query. organizations
#46455 REST API doesn't allow moving org group to root organizations
#46493 show-config contains log related entries with null values dist/quarkus
#46503 Flaky test: org.keycloak.testsuite.webauthn.account.WebAuthnTransportLocaleTest#localizationTransportUSB ci
#46512 Identity provider display names are not localized in Account Console account/ui
#46517 Inconsistent authentication error ordering core
#46542 Update dynamic client scope timeout admin/api
#46571 NPE when finding an org group by path when Organization feature disabled organizations
#46579 The PR not including arquillian integration tests does not pass GHA Testsuite Deprecation Check testsuite
#46606 Admin Console Admin associated roles is not usable for a large number of realms admin/ui
#46614 Base theme template uses inline styles in delete-account-confirm.ftl login/ui
#46628 When renaming the ClientPolicy, added conditions and profiles shouldn't disappear. oidc
#46639 [OID4VCI] Broken issuance due to errnoeous credential_identifier check oid4vc
#46644 Kiota fails silently when generation fails admin/client-js
#46647 Rfc9440 cert lookup should not treat exceeding the cert length as an error core
#46658 SCIM PUT endpoint allows resource modification via body ID override (IDOR) core
#46667 IntegrationTest sub class @TestSetup called before super class testsuite
#46673 Raise minimum maximum number of `poolMaxSize` as value 3 shown in Keycloak example leads to acquisition timeout after switch to JDBC Ping docs
#46695 CIMD - Config Description Corrections: wildcard instead of regex oidc
#46697 CIMD - typos in comment lines oidc
#46716 UMA permission grant accepts expired ID token claim_token and issues RPT core
#46717 UMA permission grant accepts ID token issued to a different client core
#46718 UnsupportedOperationException in V1 Token Exchange Audience Validation (FGAPv2 Incompatibility) token-exchange
#46738 NullPointerException Crash in SessionCodeChecks When Client is Disabled During Authentication Flow authentication
#46745 Enhance network validation for SAML metadata descriptor URLs saml
#46750 OIDC error responses do not have no-cache headers set (at least not for the userinfo endpoint) oidc
#46774 Drawer splitter does not extend full page height in organization groups admin/ui
#46775 "Duplicate" function does not work correctly for organization groups admin/ui
#46776 Cannot select a group from search results in "Move to" dialog admin/ui
#46777 Organization group tree does not show expand toggles for groups with children admin/ui
#46778 Stale search results persist after clearing search in organization group tree admin/ui
#46780 Organization group tree search returns flat results instead of hierarchy organizations
#46792 Delete operation does not fire admin event v2 admin/api
#46808 Mute noisy "Unable to decode token, payload not found." log adapter/javascript
#46819 ArrayIndexOutOfBoundsException in ArtifactBindingUtils when SAMLart parameter is too short
#46848 NullPointerException in DPoPUtil oidc
#46857 Identity Provider mapper edit form loses ID and Name field values on save admin/ui
#46860 Cannot run /testsuite anymore - value of org.keycloak.common.Profile.getInstance() is null testsuite
#46861 Metadata check: cacheEmbedded.configFile always incompatible because of path infinispan
#46883 Flaky test: org.keycloak.testsuite.model.infinispan.EmbeddedInfinispanSplitBrainTest#testLocalCacheClearedOnMergeEvent ci
#46933 Client-scopes client policy condition not triggered during resource-owner-password-credentials grant request oidc
#46969 Authentication Failure with Mixed-Case Email Domain in Organizations organizations
#46997 Privilege Escalation via silent group resolution fallback in Identity Provider mappers when linked to Organizations organizations
#47002 [quarkus-next] Prometheus rejects user event metrics with inconsistent tag keys dist/quarkus
#47025 createCurlContainer method implicitly depends on DockerHub testsuite
#47043 Searching for organization groups with `populateHierarchy=true` exposes internal org group organizations
#47045 [OID4VCI] Credential definition must not contain `@context` when not using JSON-LD oid4vc
#47047 Unused message keys from console based logins login/ui
#47051 Search for organization group membership ignores search param organizations
#47055 `Include sub-group users` button does not work for org groups organizations
#47063 NPE when regenerating client secret when client policy with client-updater-context exists oidc
#47080 Do not allow managing invitations if not an invitation of the current organization organizations
#47084 Missing output encoding for organization name in login error messages organizations
#47085 Pin actions/checkout by commit SHA in translation-notify.yml ci
#47108 Org Groups children API does not return subGroupCount organizations
#47110 LDAP federation configuratation vendor dependent default values not visible in form ldap
#47114 ImmutableAttributeValidator doesn't lowercase emails when checking for changes ldap
#47137 Ensure org group membership checks the org the user is member of organizations
#47139 Performance regression when editing authentication flows after cherry-picking #46654 (realm invalidation triggers expensive role reload) core
#47157 Composite client role mappings endpoint is slow and degrades under concurrency with many client roles admin/api
#47162 Impersonation via Token Exchange fails after upgrade to KC 26.5 (form 26.3): java.lang.UnsupportedOperationException: Not supported in V2 at org.keycloak.services.resources.admin.fgap.ClientPermissionsV2.canExchangeTo( token-exchange
#47164 New test framework DisabledForServers annotation does not work testsuite
#47201 Env var default gets cut of at {} replacement login/ui
#47203 [OID4VCI] Small inconsistencies in some events oid4vc
#47221 Kiota generate client in calls github admin/client-js
#47251 [OID4VCI] Reduce log volume in CredentialScopeModelUtils oid4vc
#47271 Use of java.util.Random / Math.random() in OID4VC Nonce and Time Claim Generation oid4vc
#47321 [KEYCLOAK CI] - Account UI - unknown_error thrown by NetworkError account/ui
#47332 Missing release notes entry for OpenTelemetry span attributes location change observability
#47379 RetryConfig is ignored core
#47398 When adding a ClientProfile the Save button functionality is inconsistent admin/ui
#47412 Typos in docs: OpenTelementry docs
#47418 Agroal: Login timeout should be smaller than acquisition timeout dist/quarkus
#47427 New link error in documentation to facebook docs
#47444 Inaccuracies in client federation documentation and tooltips oidc
#47452 Deployed Javascript policy description not displayed in the Keycloak console authorization-services
#47454 Workflows editor uses proportional font instead of monospace admin/ui
#47473 [quarkus-next] Fix operator controller stalling after JOSDK 5.3.0 event filtering upgrade operator
#47495 JavaKeystoreKeyProvider generates a new random KID for symmetric keys (HMAC) on every restart or config change authorization-services
#47536 SCIM Authorization Bypass in User Group Management core
#47544 NullPointerException in OID4VCMapper when mapper configuration is missing or empty oid4vc
#47572 Possible NPE in DefaultKeycloakSession.getComponentProvider() core
#47587 [Operator CI] - Test remote - Waiting for more replicas timeout
#47646 Both Clusterless and Volatile-Session suites contains reference to removed test file. testsuite
#47675 LDAP Federation: time of the password change is not being read correctly for "389 DS/RHDS" ldap backend ldap
#47685 NPE when using HttpClient and enabled tracing observability
#47708 Failing test testNoConfigNoServerShowsV2Hint on Windows admin/api
#47720 Release nightly build for API docs is broken ci
#47753 Decorating LDAP user profile throws NPE preventing login ldap

Keycloak 26.5.7 released

Thu, 2 Apr 2026 00:00:00 GMT

To download the release go to Keycloak downloads.

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Security fixes

#45493 CVE-2025-14083 keycloak-server: Keycloak: Improper Access Control in Admin REST API leads to information disclosure admin/api
#45569 CVE-2026-1002 - io.vertx/vertx-core: static handler component cache can be manipulated to deny the access to static files
#47069 CVE-2026-3429 Improper Access Control for LoA During Credential Deletion account/api
#47716 CVE-2026-4634 Keycloak Application-Level DoS via Scope Processing
#47717 CVE-2026-4636 UMA Policy Resource Injection Allows Unauthorized Cross-User Permission Grants
#47718 CVE-2026-3872 Redirect URI validation bypass via ..;/ path traversal in OIDC auth endpoint
#47719 CVE-2026-4282 Privilege escalation via forged authorization codes due to SingleUseObjectProvider isolation flaw

Enhancements

#46631 Upgrade to Quarkus 3.27.3 dist/quarkus

Bugs

#45204 Call without Host header throws uncaught error core

Keycloak 26.5.6 released

Thu, 19 Mar 2026 00:00:00 GMT

To download the release go to Keycloak downloads.

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Security fixes

#45645 CVE-2026-1180 - Blind Server-Side Request Forgery (SSRF) in Keycloak OIDC Dynamic Client Registration via jwks_uri oidc
#45647 CVE-2026-1035 - Keycloak Refresh Token Reuse Bypass via TOCTOU Race Condition oidc
#45650 CVE-2025-14777 - Keycloak IDOR in realm client creating/deleting
#45653 CVE-2025-14082 keycloak-server: Keycloak Admin REST API: Improper Access Control leads to sensitive role metadata information disclosure
#46719 CVE-2026-3121 - Keycloak: Privilege escalation via manage-clients permission
#46723 CVE-2026-3190 - Information Disclosure via improper role enforcement in UMA 2.0 Protection API core
#46922 CVE-2026-3911 Keycloak: Information disclosure of disabled user attributes via administrative endpoint user-profile
#47062 CVE-2026-2366 Authorization Bypass: Unprivileged tokens can enumerate user organization memberships organizations

Bugs

#45889 Federated user disabled when external DB unavailable, never re-enabled storage
#46239 AUTH_SESSION_ID cookie reuse causes cross-user session contamination on re-authentication authentication
#46296 UsersResource.search briefRepresentation started to return user attributes admin/api
#46379 Unexpected error when logging out with offline session and external IDP oidc
#46459 Operator-built DB config: targetServerType=primary not applied / connection validation not working after master-replica failover (26.5.0) operator
#46588 Partial LDAP sync duration does not follow the defined value in user federation ldap
#46605 26.5.4 startup regression with many realms: RealmCacheSession.prepareCachedRealm() scans master admin role composites per realm (O(N²)) core
#46656 Em-Hyphens in SPI options on cache configuration page docs
#46663 JGroups bind port configuration ignored when --cache-embedded-network-bind-port set infinispan
#46669 SPIFFE Client assertion throws a NullPointerException if no client is found token-exchange
#47079 Do not allow fetching organizations of a member if not a member of the current organization organizations

Distribution Survey: The Results are In!

Keycloak Cloud Native team — Wed, 18 Mar 2026 00:00:00 GMT

Earlier this year, we conducted a survey to better understand how the community deploys and manages Keycloak in the real world.

With over 360 respondents (!!), the results provide a better understanding of the community’s needs and wishes.

What we learned

The survey results highlight a community that is deeply invested in the containerized ecosystem but is facing specific challenges in day-to-day operations.

Key Findings:

The Helm Charts: A significant portion of the community explicitly requested official Helm Charts, particularly for managing Keycloak installation and managing deployments via tools like ArgoCD.
Operator: Adoption of the Keycloak Operator is not very high in the community, which is mainly caused by the fact that the Operator setup is hard to grasp, and do not provide the required functionality.
GitOps & Configuration: There is a strong desire for more robust GitOps flows, especially when it comes to managing Keycloak resources like Realms and Clients.

The whole Keycloak team is aware of these results and is discussing the next steps.

Thank you to everyone who shared their feedback in this survey!

More details:

You can browse the detailed breakdown of the survey results in the slides below:

Submit to KeycloakCon Japan Call-for-Papers!

Alexander Schwartz — Sun, 15 Mar 2026 00:00:00 GMT

The call for papers and the registration for KeycloakCon Japan 2026 is now open! Submit your talks to KeycloakCon in Japan.

KeycloakCon Japan 2026 is a half-day single-track conference in Yokohama, Japan on July 28 where the community of Keycloak gathers. It provides opportunities for technical presentations, growth, and networking with talks related to Identity and Access Management (IAM) and Single Sign On (SSO).

This event is designed to share insights from developers and maintainers, as well as the latest features, updates, and real-world use cases of Keycloak. Participants will have the valuable opportunity to interact directly with Keycloak experts and other users, deepening their knowledge.

Accepted session formats include presentations (25 min), panel discussions (35 min), and lightning talks (10 min).

The call for papers deadline is April 12, 2026 (23:59 JST).

Submit now!

Registration

KeycloakCon is a co-located event at KubeCon + CloudNativeCon Japan and requires a separate registration in addition to a KubeCon + CloudNativeCon Japan ticket.

Accepted speakers receive a full access pass to KubeCon + CloudNativeCon Japan and the co-located event.

Related Events

The next day, on July 29-30, KubeCon Japan 2026 takes place in Yokohama as well. The Keycloak team will be on-site for KubeCon Japan, so join us and a lot of other CNCF projects for this event as well.

See you in Yokohama!

Keycloak 26.5.5 released

Thu, 5 Mar 2026 00:00:00 GMT

To download the release go to Keycloak downloads.

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Security fixes

#46909 CVE-2026-3047 SAML broker: Authentication bypass due to disabled SAML client completing IdP-initiated login
#46910 CVE-2026-3009 Improper Enforcement of Disabled Identity Provider in IdentityBrokerService
#46911 CVE-2026-2603 Disabled SAML IdP still allows IdP-initiated broker login
#46912 CVE-2026-2092 saml broker encrypted assertion injection

Thanks for your feedback on SCIM support in Keycloak!

Keycloak Core IAM Team — Thu, 26 Feb 2026 00:00:00 GMT

First of all, we want to thank everyone who took the time to fill out our survey on SCIM support in Keycloak. Your feedback is invaluable to us as we work on implementing this feature. We are currently in the early stages of development, and we are using your feedback to guide our efforts.

The survey results have shown us that there is a strong demand for SCIM support in Keycloak, and one of the most common use case is to use Keycloak as a SCIM service provider to manage user provisioning and deprovisioning for external applications. We are prioritizing this use case and driving the design and implementation of SCIM support in Keycloak to meet core set of requirements for this use case.

In parallel, we are also exploring other use cases and requirements for SCIM support in Keycloak, such as using Keycloak as a SCIM client to integrate with external identity providers. As a result of this initial work, we are implementing a SCIM client that will allow in the future to address use cases where Keycloak can act as a SCIM client to integrate external SCIM service providers.

Even though we are still delivering this feature as an experimental feature in the 26.6 release, the feedback we have received should allow us to deliver a solid implementation that meets the core requirements for the most common use case of using Keycloak as a SCIM service provider, and enable integrations any SCIM-compliant client, such as Microsoft Entra ID.

That said, we have identified the initial scope for SCIM support in Keycloak targeting the 26.6 release, which will include the following capabilities:

Expose realm users via the /Users endpoint with support for POST, PUT, PATCH, GET, and DELETE operations
Expose realm groups via the /Groups endpoint with support for POST, PUT, PATCH, GET, and DELETE operations
Support for a limited set of SCIM filters for querying resource types
Support for pagination of results when querying resource types
Support for fine-grained permissions to control access to SCIM resource types and operations based on realm admin roles and FGAP
Support for bearer-token authorization

In regard to SCIM schemas, we are implementing support for the core SCIM schemas:

urn:ietf:params:scim:schemas:core:2.0:User
urn:ietf:params:scim:schemas:core:2.0:Group
urn:ietf:params:scim:schemas:core:2.0:EnterpriseUser

In regard to the User resource type, we are leveraging the User Profile feature to allow for flexible mapping of realm user attributes to SCIM user attributes. It should be possible to support custom extensions to the User core schema by defining custom user attributes and mapping them to SCIM user attributes via annotations in the attribute configuration in the user profile.

In terms of schema validation, for now we are not respecting the metadata attributes in the SCIM schemas, such as required, mutability, and uniqueness. However, for the User resource type, you should be able to leverage the validations provided by the User Profile feature to enforce constraints on user attributes that are mapped to SCIM user attributes.

In terms of integration, the survey shown that one of the key integrations we should be considering is with Microsoft Entra ID. Sometimes is hard to us to test capabilities of Keycloak that rely on Entra ID, and we would also appreciate any early feedback on nightly builds to ensure that we are on the right track in terms of meeting the requirements for this integration.

Last but not least, this work is also taking into account the amazing extensions (and their capabilities) that our community is using today to provide SCIM support in Keycloak, such as the ones provided by:

With this in mind, we are delivering a scim module in the Keycloak codebase that should be flexible enough to allow for custom extensions to be implemented on top of it.

For more details on the initial scope of SCIM support in Keycloak, please refer to the following issues:

For additional comments and feedback, please comment on:

https://github.com/keycloak/keycloak/issues/46227

Follow-ups, after Keycloak 26.6, will be tracked by the following issue:

https://github.com/keycloak/keycloak/issues/46229

Deprecating Arquillian Testsuite, Keycloak Test Framework Full Support

Lukas Hanusovsky — Wed, 25 Feb 2026 00:00:00 GMT

What’s changing?

The testsuite module, with all related dependents, like Arquillian testsuite, is now officially deprecated.

At the same time Test Framework full support is starting from the upcoming Keycloak 26.6.0 release.

The New Test Framework

Based on JUnit 6, the Keycloak Test Framework makes it easy to write tests for Keycloak and extensions. Behind the scenes the framework handles the lifecycle of Keycloak, the database, and any injected resources such as realms and clients.

Tests simply declare what they want, including specific configuration, and the framework takes care of the rest.

Contributors are asked to start using new Test Framework and write tests within the new tests module.

What’s new?

Since the initial announcement these new features have been added:

Improved documentation
Improved registry with dependency graph
Hot deploy with external providers
Re-use support for distribution server, for faster execution times
Re-use support for H2 database, for faster execution times
Managed OAuth client
Managed Admin client factory
Support for conditional execution (e.g.disable tests for certain databases)
@TestSetup and @TestCleanup method annotation to configure a specific test class
TimeOffset support
Test framework unit and integration tests
Test framework injection validation
Run on Server functionality
TLS and mTLS with managed certificates
FIPS with managed crypto keys
Managed Infinispan server
Managed Email server
Managed HTTP client and HTTP server
Events and Admin Events assertions
Custom providers support
GitHub Actions summary report
Test suites support
Clustering support
WebAuthn support
Migration util

On top of that, the whole admin tests package has been migrated.

My first test

The following shows a very simply test that deploys a realm to Keycloak and creates a user within the realm.

@KeycloakIntegrationTest
public class MyInitialTest {

    @InjectRealm
    ManagedRealm realm;

    @InjectUser
    ManagedUser user;

    @Test
    public void myFirstTest() {
        Assertions.assertNotNull(realm.admin().users().get(user.getId()));
    }
}

OAuth Access Token Request example

This test shows on how to use the newly created user to get an access or refresh token, with checking the latest fired event.

@KeycloakIntegrationTest
public class OAuthRefreshTokenTest {

    @InjectRealm
    ManagedRealm realm;

    @InjectUser(config = OAuthUserConf.class)
    ManagedUser user;

    @InjectOAuthClient
    OAuthClient oAuthClient;

    @InjectEvents
    Events events;

    @Test
    public void testTokenRefresh() {
        AuthorizationEndpointResponse response = oAuthClient
            .doLogin(user.getUsername(), user.getPassword());

        AccessTokenResponse accessTokenResponse = oAuthClient
            .doAccessTokenRequest(response.getCode());

        EventAssertion.assertSuccess(events.poll()).userId(user.getId()).hasSessionId();

        AccessTokenResponse refreshTokenResponse = oAuthClient
            .doRefreshTokenRequest(accessTokenResponse.getRefreshToken());

        EventAssertion.assertSuccess(events.poll()).userId(user.getId()).hasSessionId();

        oAuthClient.doLogout(refreshTokenResponse.getRefreshToken());

        EventAssertion.assertSuccess(events.poll()).userId(user.getId()).hasSessionId();
    }

    private static class OAuthUserConf implements UserConfig {

        @Override
        public UserConfigBuilder configure(UserConfigBuilder builder) {
            return builder.username("oauth-user").name("OAuth", "User")
                    .password("strong-password").email("oauth@user")
                    .emailVerified(true);
        }
    }
}

Looking for help?

Meet us on Slack or Email:

Community

Github Discussion:

Link

Guidelines:

Keycloak 26.5.4 released

Fri, 20 Feb 2026 00:00:00 GMT

To download the release go to Keycloak downloads.

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Security fixes

#45646 CVE-2026-1190 - Keycloak SAML brokering: Response delay due to unchecked NotOnOrAfter in SubjectConfirmationData saml
#45649 CVE-2026-0707: Keycloak Authorization Header Parsing Leading to Potential Security Control Bypass
#45776 CVE-2025-5416 keycloak-core: Keycloak Environment Information
#46372 CVE-2026-2575 - Denial of Service due to excessive SAMLRequest decompression saml
#46462 CVE-2026-2733 Missing Check on Disabled Client for Docker Registry Protocol

Enhancements

#46090 New key affinity for session ids

Bugs

#44488 "Update email" AIA: "Back to Application" URL invokes OIDC callback with missing parameters oidc
#45065 Client deletion timeout due to large number of client roles storage
#45680 auth_mellon (SAML) authentication fails after upgrade to 26.5.1 (from 26.4.6) saml
#45728 Information Disclosure of Client Secret on Unauthenticated Config Endpoint oidc
#45874 Disabled organizations still resolve in organization‑aware login flows organizations
#45966 KeycloakRealmImport: Realm created in DB but not visible in Admin Console until restart operator
#45980 Keycloak cluster with 3 nodes and jdbc-ping stack fails to rejoin after temporary network partition infinispan
#46100 Makes Database Query on Every Login Page Load Instead of Using Cache infinispan
#46150 Move upgrading note for SAML to 26.5.4 docs
#46178 Regression: cannot authenticate in keycloak-admin-client adapter/javascript
#46290 Incorrect code used error, leading to "400 / Code already used" during Infinispan state transfers infinispan
#46303 JWT Authorization Grant: Always getting “Token was issued too far in the past to be used now” for EntraID issued tokens oidc
#46312 io.fabric8:docker-maven-plugin:0.40.3:start failed: Cannot invoke "com.google.gson.JsonElement.isJsonNull()" because the return value of "com.google.gson.JsonObject.get(String)" is null ci

Keycloak tightened its security with the GitHub Secure Open Source Fund

Alexander Schwartz — Tue, 17 Feb 2026 00:00:00 GMT

Keycloak is the open-source IAM backbone for countless applications, and provides single sign-on, strong authentication and user federation across organizations.

We were part of the GitHub Secure Open Source Fund Session 3, participated in the three-week training and gained insights into how other projects handle incidents and implement security best practices. 67 projects were part of the training, so we received a lot of feedback.

What we improved

For Keycloak, we strengthened several aspects of our security posture. My personal highlights were:

Tighter control with CodeQL: We already had CodeQL running for Java and JavaScript sources. The training gave us better insights into how it is working, and we cleaned up existing findings and enabled additional queries. A key takeaway for us: CodeQL can scan your GitHub Actions!
Refreshing the incident response plan: An incident response plan (IRP) helps you to get things right when a vulnerability is reported, you suspect a leaked credential, or some other security incident happens. We already had an IRP, but got feedback what other steps we wanted to add to it. We might even make parts of it public in the future to better collaborate with security researchers.
Asking GitHub Copilot: When analyzing for example CodeQL reports, it was helpful for us to ask GitHub Copilot to provide explanations and tips how to mitigate it.

If you are a software developer or a user of Keycloak: When was the last time you reviewed your incident response plan?

Looking forward

Thank you to those who funded the training, and presented demos and tools. Special thanks to the GitHub security team that delivered several trainings and acted as security buddies during the program and answered individual questions!

Keycloak 26.5.3 released

Tue, 10 Feb 2026 00:00:00 GMT

To download the release go to Keycloak downloads.

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Security fixes

#46144 CVE-2026-1609 Disabled users can still obtain tokens via JWT Authorization Grant
#46145 CVE-2026-1529 Forged invitation JWT enables cross-organization self-registration
#46146 CVE-2026-1486 Logic Bypass in JWT Authorization Grant Allows Authentication via Disabled Identity Providers
#46147 CVE-2025-14778 Incorrect ownership checks in /uma-policy/

Enhancements

#45892 Upgrade minikube for CI tests operator

Bugs

#44379 Node.js admin client does not refresh tokens admin/client-js
#45459 k8s multiple restart (oomkilled) in v26.5.0-0 during startup because of RAM dist/quarkus
#45662 Increase in startup memory consumption in post 26.5 versions dist/quarkus
#45677 Hibernate Validator is enabled by default when not used dist/quarkus
#45708 Unpexted value '' in mixed-cluster-compatibility-tests testsuite
#45745 mixed-cluster-compatibility-tests fail due to incorrectly masked content in 26.5 branch ci
#45755 Broken YAML indentation in operator rolling updates doc docs
#45780 Remove fatal log messages from `ConsistentHash`

Meet Keycloak at KubeCon EU, Amsterdam in March 2026

Alexander Schwartz — Sat, 7 Feb 2026 00:00:00 GMT

The Keycloak project is back at KubeCon EU Amsterdam with all highlights: Talks, our kiosk in the Project Pavilion, and this time also with KeycloakCon, our very-own co-located event! If you are new to Keycloak, or already a user, join us for this exciting event to learn and connect.

Half-day KeycloakCon packed with all-things-Keycloak

KeycloakCon is a co-located event happening on Monday, March 22 from 09:00 to 12:30. It brings together the Keycloak community with case studies and talks featuring the latest features. Join this event for technical talks, professional growth, and networking opportunities.

Book your ticket as part of the All-Access In-Person KubeCon + CloudNativeCon pass.

Community Meet & Greet at the Project Pavilion

This is the place to meet people who use Keycloak, contribute to Keycloak, take our survey about new Keycloak features, and get some cool swag!

Takashi Norimatsu and Yoshiyuki Tabata from Hitachi, Alexander Schwartz from IBM, Sebastian Łaskawiec from Defense Unicorns, and other contributors will host a Keycloak kiosk at the Project Pavilion.

Keycloak Kiosk (P-21A) in Halls 1-5 opening hours:

Tuesday, March 23: 15:10 - 19:00
Wednesday, March 24: 14:00 - 17:00
Thursday, March 25: 12:30 - 14:00

Technical talks about Agents, Sovereign Identity, Securing Proxies, and SPIFFE

These talks are part of the main conference. Join the speakers on-site!

Sovereign Identities for Your Cloud Native Architecture With Keycloak: Alexander Schwartz, IBM & Sebastian Łaskawiec, Defense Unicorns
Wednesday March 25, 2026 11:45 - 12:15 CET

Keycloak serves as a central hub for managing human and machine identities across sovereign cloud-native architectures using OpenID Connect, SAML, and trust brokering. This talk shows how to implement strong authentication, use the latest OpenTelemetry features, and leverage Kubernetes service accounts to authenticate clients.
Signed, Sealed, Delivered: Why Reverse Proxies Outperform VPNs: Peter ONeill, Teleport & Boris Kurktchiev, Independent
Wednesday March 25, 2026 17:30 - 18:00 CET

Traditional VPNs often grant excessive network access once a user is "inside," whereas reverse proxies provide a more secure, granular approach by verifying identity for every specific resource. This session will use a demo featuring Envoy and Keycloak to illustrate how reverse proxies enforce precise authorization and logging for modern, cloud-native systems.
SPIFFE Meets OAuth: Federated Identity for Cloud Native Workloads: Yoshiyuki Tabata, Hitachi, Ltd.
Thursday March 26, 2026 11:00 - 11:30 CET

This session explores federated identity patterns designed to solve the complexity of propagating authorization across multi-cluster Kubernetes environments. By combining SPIFFE JWT SVIDs with emerging OAuth Identity Chaining and assertion frameworks, the talk shows how to achieve secure, multi-hop identity propagation without relying on static credentials. Attendees will see a practical integration of Keycloak and SPIRE that enhances interoperability and security in dynamic cloud-native architectures.
When an Agent Acts on Your Behalf, Who Holds the Keys?: Mariusz Sabath & Maia Iyer, IBM Research
Tuesday March 24, 2026 11:15 - 11:45 CET

This session addresses the security risks of anonymous AI actions by introducing an architecture that cryptographically links agent identity with delegated user identity. By combining SPIRE for workload attestation, Keycloak for managing user context, and an MCP Gateway for policy enforcement, the framework ensures every action is fully traceable. Attendees will learn how to move beyond static API keys to create a verifiable audit trail for both the executing code and the authorizing user.

See you soon!

We’re preparing for KubeCon EU 2026 and can’t wait to connect with our community. Mark your calendars and join us.

See you in Amsterdam!

Keycloak JS 26.2.3 released

Thu, 5 Feb 2026 00:00:00 GMT

Highlights

This release of Keycloak JS addresses a regression that was introduced in version 26.2.2 affecting applications that use hash-based routing in combination with the fragment response mode.

Bug Fixes

URL hash fragments are now preserved correctly with 'fragment' response mode

A regression was introduced in version 26.2.2 that caused URL fragments with path-style routing (e.g., #/admin/maintenance/scripts) to be URL-encoded after the OAuth callback, breaking applications that use hash-based routing. This issue affected Angular, React, and other applications that rely on the hash portion of the URL for client-side routing.

keycloak/keycloak-js#241

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

Federated client authentication - no more secrets

Stian Thorgersen — Mon, 26 Jan 2026 00:00:00 GMT

Keycloak has from day one supported identity brokering, allowing users to authenticate via an external OpenID Connect or SAML 2.0 identity provider. With federated client authentication it is now possible to authenticate OpenID Connect clients through external identity providers as well.

Depending on the environment the clients is running in this can eliminate the need for managing secrets for clients altogether.

A number of cloud vendors for example support injecting tokens automatically for workloads, Kubernetes have support for service accounts, and last but not least there is SPIFFE that can be leveraged in most environments.

How does federated client authentication work?

The first step to setting up federated client authentication is to define a trust relationship between Keycloak and the external identity providers. This is done by creating a new identity provider in the realm.

Keycloak currently has three types of identity providers that support federated client authentication:

OpenID Connect
SPIFFE
Kubernetes

Clients can retrieve a token from the external identity providers that the client can then use to authenticate with Keycloak. In many cases clients can retrieve these tokens automatically through workload identity capabilities enabled for particular environments.

Let’s look at an example decoded JWT that can be used to authenticate a client:

{
  "iss" : "https://my-external-idp"
  "aud" : [
    "http://my-keycloak/realms/myrealm"
  ],
  "exp" : 1769149961,
  "iat" : 1769149661,
  "sub" : "client-id-in-my-external-idp"
}

The most relevant claims are iss, aud and sub. Keycloak uses the iss claim to identity the external party that issued the token as well as retrieving the external parties signing keys to verify the token.

The aud claim is to make sure the token was issued to be used by Keycloak and not other applications. It is important that this contains a single audience that uniquely identifies Keycloak as the target audience, as leaking this token to other parties can then allow them to authenticate as the client.

Finally, the sub claim is used to lookup the local client associated with this external identifier. When configuring a client in Keycloak it will have a local client id, as well as a reference to the external client id.

Once the client has obtained the token it can now send the token in the client_assertion parameter instead of using client_id and client_secret parameters.

When Keycloak receives the token it verifies the signature using the registered identity providers public keys and looks-up the associated client.

OpenID Connect

Leverage any identity provider supporting OpenID Connect for federated client authentication as long as it is able to issue signed json-web tokens with the following claims:

iss - Must uniquely identify the external identity provider.
aud - Must be set to the Keycloak Realm issuer URL; alternatively there’s an option to allow the ID of the client in the external identity provider.
sub - Must uniquely identify the client in the external identity provider.
exp - Must contain a future time when the token expires.
jti - May contain a unique identifier for the token, which is used by Keycloak to prevent re-use of tokens.

For more details on how to configure an OpenID Connect identity provider check out the Keycloak Documentation.

SPIFFE

Leverage any identity provider supporting SPIFFE APIs for federated client authentication as long as it can issue SPIFFE JWT SVIDs and provides a SPIFFE Bundle Endpoint accessible by Keycloak.

One important distinction between SPIFFE and other providers is the lack of an iss claim. Instead the sub claim contains both the SPIFFE Trust Domain as well as the client ID. An example sub claim is spiffe://my-trust-domain/my-client where the first part is the trust-domain (spiffe://my-trust-domain) that is equivalent to the standard iss claim.

If you want to try out using Keycloak and SPIFFE/SPIRE together check out the demo available in the Keycloak Playground.

For more details on how to configure a SPIFFE identity provider check out the Keycloak Documentation.

Kubernetes Service Accounts

For workloads running on Kubernetes, Kubernetes Service Accounts can be leveraged for federated client authentication. Applications can retrieve service account tokens through the TokenRequest API or Token Volume Projection.

One requirement for using Kubernetes Service Accounts is Keycloak needs to be able to access the <ISSUER URL>/.well-known/openid-configuration endpoint to retrieve the public keys used to sign the service account tokens. By default, this endpoint requires authentication. If Keycloak is running in the same Kubernetes cluster as the client, Keycloak leverages its own Kubernetes Service Account to authenticate to this endpoint. When Keycloak is running externally the Kubernetes cluster must be configured with an Issuer URL accessible by Keycloak, and Keycloak needs to be able to reach the .well-known/openid-configuration endpoint without requiring authentication.

When clients retrieve service account tokens they must request the Keycloak Realm Issuer URL as the audience, and additionally request short-lived tokens.

If you want to try out using Keycloak and Kubernetes check out the demo available in the Keycloak Playground.

For more details on how to configure a Kubernetes identity provider check out the Keycloak Documentation.

How secure is federated client authentication?

There is an implicit trust relationship with the external identity provider. If the external identity provider is compromised attackers can potentially generate tokens to authenticate as any clients in Keycloak leveraging this provider for authentication.

Tokens used as client assertions can potentially be leaked or intercepted. As tokens are short-lived the risk is reduced. For additional protection replay prevention can be leverage. However, bear in mind there is a performance penalty replay prevention. For every request the client sends to Keycloak it must then retrieve a new token from the external provider, additionally Keycloak has to keep track of previously used tokens until they expire.

Neither SPIFFE or Kubernetes Service Accounts supports reuse protection. Both SPIFFE and Kubernetes limit how often a client can retrieve new tokens. In both cases this is configurable, but make sure token lifespans are configured to be shorted lived and not long lived. Recommendations here would be a maximum 10 minutes lifespan, which brings a good balance between security and performance.

End-to-end encryption between the client, the external identity provider, and Keycloak provides a good level of protection against tokens being leaked. Combined with short-lived tokens and preventing clients from sharing or storing tokens insecurely, a high level of security can be achieved.

In general federated client authentication eliminates the need for clients to manage secrets to authenticate with Keycloak, are short-lived, and cryptographically signed, which provides a high level of security compared to client secrets.

Compared to self-signed client assertions, where a client signs client assertions using its own private keys it depends on the environment which is more secure. Federated client authentication introduces a third-party into the mix as well as additional points where tokens can be leaked. On the other hand how frequently are private keys for clients rotated and how securely are they stored?

What’s next?

We would love feedback on the preview federated client authentication feature, both the good and the bad. Let us know if you’ve successfully tried the feature out and with what environment, or if you failed to get it working let us know. We’ll try to help and improve the feature for the future.

To provide feedback go to the GitHub Discussion or report a bug.

Federated client authentication with OpenID Connect and Kubernetes Service Accounts is planned to be fully supported in Keycloak 26.6. However, SPIFFE will remain preview until the OAuth SPIFFE Client Authentication is finalized.

Meet Keycloak at FOSDEM on Jan 30/Feb 01!

Alexander Schwartz — Mon, 26 Jan 2026 00:00:00 GMT

FOSDEM is a free event for software developers to meet, share ideas and collaborate. Every year, thousands of developers of free and open source software from all over the world gather at the event.

Several Keycloak related talks happen at FOSDEM in Brussels on January 31st and February 1st, and meet us and help out at the stand. To get the latest updates, subscribe to our discussion on GitHub.

Meet the community at the Sovereign Identity stand

On Saturday, January 31st 2026, the Keycloak project will co-host the “Sovereign Identity for server, desktop, and a cloud” stand together with the FreeIPA, SSSD and OpenWallet project. We’ll be open from 1000 in the morning until around 1800 in the early evening.

We will be at K building on level 1 in group C. Visit this stand to interact with the teams of several popular solutions in this space.

Keycloak: Extensible self-hosted Single-Sign-On for your applications. Supporting Passkeys, OpenID Connect, OAuth 2.0, SAML 2.0 and Kerberos. Integrating with other Identity Providers through brokerage via SAML or OpenID Connect, or via LDAP.
FreeIPA: Manage Linux users and client hosts in your realm from one central location, define Kerberos authentication and authorization policies for your identities, create mutual trust with other Identity Management systems. Issue certificates to your users and services.
SSSD: Open Source Client for Enterprise Identity Management. Enroll your Linux machine into an Active Directory, FreeIPA or LDAP domain. Use remote identities, policies and various authentication and authorization mechanisms to access your computer.
OpenWallet Foundation: We drive global adoption of open, secure and interoperable digital wallet solutions. We set best practices for digital wallet technology through collaboration on standards-based OSS components that issuers, wallet providers and relying parties can use to bootstrap implementations that preserve user choice, security and privacy.

Talks about Keycloak and related topics

FOSDEM is a big event divided into smaller, single-track conferences with their own call for papers and organizers. Submit by November 30th to be part it!

Here a short list of those dev rooms that might be of interest for you if you are into Keycloak:

Identity and Access Management Devroom (Sunday)

This is all about identity, integration of identities and the various open source technologies available for that. There are two Keycloak-related talks on the schedule:

An Introduction to the OpenID Shared Signals Framework by Thomas Darimont (Sunday, 09:05): As security threats become more sophisticated, the need for efficient, real-time communication between identity providers and relying parties is essential. The Shared Signals Framework (SSF) and related specifications such as CAEP and RISC address this challenge by providing a standardised way for systems to exchange security related signals, such as session revocations, credential breaches, and other identity-related incidents, in a secure and scalable manner. This talk introduces the Shared Signals Framework and explains how it enhances security and operational efficiency in modern identity ecosystems. We’ll explore how SSF can be supported in Keycloak to enable real-time event-driven communication between providers and relying parties. Attendees will learn how Keycloak can help to detect and mitigate threats, and improve overall system security with SSF.
Keeping applications secure by evolving OAuth 2.0 and OpenID Connect by Alexander Schwartz (Sunday, 10:05): OAuth 2.0 and OpenID Connect have been around for years to secure web and mobile applications alike with growing popularity.

To keep your applications and their data secure, these standards are evolving to align with security best practices.

Join this talk to see how the FAPI 2.0 Security Profile and the upcoming OAuth 2.1 standard promotes and enforces best practices, how to adapt your applications, and how Keycloak as an Open Source IAM can help you. Expect a demo and examples for some of the enhancements.

Security Devroom (Saturday)

Everything that is relevant to security in the free software and open source world. Talks cover topics like cryptography, supply chain, secure development and hardening.

Open Source & EU Policy Devroom (Sunday)

Connecting developers and EU lawmakers from the European institutions to discuss the impact of past, ongoing, and upcoming EU laws affecting the Open Source community. The day will feature interventions from lawmakers from the European Commission and Parliament, as well as from the community, and will include presentations, workshops, short talks and Q&As.

Building Europe’s Public Digital Infrastructure (Saturday)

The Building Europe’s Public Digital Infrastructure devroom is for discussing topics and issues related to full-stack digital sovereignty, from secure and interoperable digital workspaces to sovereign cloud infrastructure, including standards, technologies, and best practices for designing, deploying, and operating independent and resilient digital ecosystems for the public sector.

Stay in touch with our latest activities

We hope to see a lot of you either online or on site in Brussels at FOSDEM!

To get the latest updates, subscribe to our discussion on GitHub.

JWT Authorization Grant and Identity Chaining in Keycloak 26.5

Giuseppe Graziano — Fri, 23 Jan 2026 00:00:00 GMT

Modern applications and AI agents increasingly operate across distributed trust domains, where each domain is protected by its own OAuth 2.0 Authorization Server. A single request may also traverse multiple resource servers to complete a task.

This raises an important challenge: every protected resource must understand who initiated the request, which authorization was granted, and optionally which other resources were accessed before making an authorization decision. Preserving this information across domains is critical.

Keycloak 26.5 introduces preview support for the new feature JWT Authorization Grant, implementing RFC 7523. This feature allows a client to present a signed JWT from an external issuer and obtain a Keycloak access token, providing a standard and secure way to authorize requests based on external assertions.

However, exchanging a token alone does not fully solve the problem of propagating identity and authorization context across multiple trust domains.

The IETF draft OAuth Identity and Authorization Chaining Across Domains defines a standardized flow that combines JWT Authorization Grant (RFC 7523) with OAuth 2.0 Token Exchange (RFC 8693), which Keycloak already supports, to preserve the original user’s identity, claims, and authorization throughout the chain.

JWT Authorization Grant

The JWT Authorization Grant feature allows a client to present a signed JWT assertion to the token endpoint and obtain an access token without an interactive authorization step. To initiate this flow, the client sends a request to the token endpoint with the grant_type set to urn:ietf:params:oauth:grant-type:jwt-bearer and the external token passed in the assertion parameter.

It provides a standard and secure alternative to the preview feature External-to-Internal Token Exchange V1 which will be deprecated.

Trust relationships in Keycloak are defined through Identity Providers. The JWT Authorization Grant can be enabled and configured in a dedicated section of the existing OpenID Connect v1.0 Identity Provider, or via a new dedicated JWT Authorization Grant Identity Provider.

A confidential client can request a JWT Authorization Grant by enabling the dedicated option in the client settings and selecting the allowed identity providers.

The JWT Authorization Grant is a preview feature. Full configuration details are available in a dedicated guide: JWT Authorization Grant.

OAuth Identity and Authorization Chaining Across Domains

Although the JWT Authorization Grant allows a client to obtain a Keycloak access token based on an external JWT, it does not by itself solve the broader problem of propagating identity and authorization context across multiple trust domains.

To propagate identity across multiple trust domains, the JWT Authorization Grant (RFC 7523) is combined with Standard Token Exchange (RFC 8693), already supported by Keycloak.

This integration implements the flow defined in the IETF draft OAuth Identity and Authorization Chaining Across Domains.

A typical scenario involves Domain A (an external IdP or Keycloak realm) and Domain B (an internal Keycloak realm). The goal is to allow a client in Domain A to access resources in Domain B while preserving the original user’s identity.

Step 1: Token Exchange in Domain A

In this first step, the client requests a token for Domain B using a Token Exchange request.

The client in Domain A must be configured to allow the target audience, typically by assigning a Client Scope with an Audience Mapper if you are using Keycloak for Domain A. The audience parameter in the request is then used to restrict the resulting token to that specific target, ensuring it contains the correct aud claim for Domain B.

# Request to Domain A
POST /realms/domain-a/protocol/openid-connect/token
Content-Type: application/x-www-form-urlencoded

grant_type=urn:ietf:params:oauth:grant-type:token-exchange
&subject_token=$ORIGINAL_ACCESS_TOKEN
&audience=http://localhost:8080/realms/domain-b

Domain A issues a new JWT access token, which acts as the assertion for Domain B.

Step 2: JWT Authorization Grant in Domain B

The client uses this token to authenticate with Domain B using the JWT Authorization Grant.

# Request to Domain B
POST /realms/domain-b/protocol/openid-connect/token
Content-Type: application/x-www-form-urlencoded

grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer
&assertion=$TOKEN_FROM_STEP_1

Domain B validates the token and issues a local access token. Identity and authorization context are now securely propagated from Domain A to Domain B.

This flow can be fully configured with Keycloak. For more configuration details check the dedicated guide: OAuth Identity and Authorization Chaining Across Domains.

Why this new feature?

The JWT Authorization Grant solves an important problem in cross-domain OAuth flows. It lets an Authorization Server issue tokens based on a signed JWT assertion, making authorization decisions explicit and verifiable. Combined with Identity Chaining, it allows each domain to check and extend authorization context in a standards-based way.

JWT Authorization Grant brings several advantages:

Preserves user identity. Cross-domain access often relies on generic service accounts to call APIs. With a signed JWT assertion, a service can request tokens on behalf of a user, keeping identity and intent clear when moving across domains.
Standards-based cross-domain support. The JWT Authorization Grant with the support of the RFC 7523 is part of ongoing OAuth work on cross-domain identity and authorization chaining, including OAuth Identity and Authorization Chaining Across Domains and Identity Assertion Authorization Grant. This allows workflows that are traceable, constrained, and aligned with least-privilege principles, ideal for distributed systems and AI agents.

Next Steps

Promote JWT Authorization Grant from preview to a fully supported feature in the next Keycloak release
Deprecate Token Exchange version 1
Enable JWT Authorization Grant for social Identity Providers (e.g., Google)
Monitor and follow the evolution of the Identity Chaining draft to ensure full compliance

Try It Out

As the JWT Authorization Grant is currently in preview, your feedback is helpful to help to refine the feature before it reaches full support.

We encourage you to test this new feature and share your experience. Feedback and contributions from the community are always welcome.

Keycloak 26.5.2 released

Fri, 23 Jan 2026 00:00:00 GMT

To download the release go to Keycloak downloads.

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Security fixes

#44994 CVE-2025-67735 - netty-codec-http: Request Smuggling via CRLF Injection dependencies

Enhancements

#43443 Keycloak should warn when ISPN or JGROUPS is running in debug level logging
#45498 Ignore OpenAPI artifacts when disabled dist/quarkus

Bugs

#44785 Can not get through SSO login if using a custom attribute with default value user-profile
#45015 Deadlock in Infinispan virtual threads infinispan
#45250 IDToken contains duplicate address claims oidc
#45333 User admin events don't show role, group mapping, reset password like events admin/ui
#45396 Database Migration fails when updating to 26.5.0 on MS SQL core
#45415 cache-remote-host becomes mandatory at build time when using clusterless feature infinispan
#45417 Unmanaged Attributes Type (Only administrators can view) allows admin API to set Unmanaged Attributes user-profile
#45474 Admin REST API document is not up to date docs
#45526 Regression (26.5.1): Organizations domain resolution fails on MariaDB/MySQL due to ORG/ORG_DOMAIN collation mismatch organizations
#45533 Keycloak should not allow matrix parameters in URLs as we don't use them dist/quarkus
#45570 CVE-2025-66560 - io.quarkus/quarkus-rest: Quarkus REST Worker Thread Exhaustion Vulnerability
#45584 Keycloak supported specs should list DPoP as supported oidc
#45590 OIDCIdentityProviderConfig issuer configuration token-exchange
#45597 Possible mismatch of charset/collation between columns on mysql/mariadb organizations
#45651 CVE-2025-14559 keycloak-services: Keycloak keycloak-services: Business logic flaw allows unauthorized token issuance for disabled users

SCIM Support Survey

Keycloak Core IAM Team — Mon, 19 Jan 2026 00:00:00 GMT

We are targeting Keycloak 26.6 to start supporting System for Cross-domain Identity Management (SCIM).

The initial scope have been defined in this issue, but we want to ensure that we are addressing the most important use cases for our community.

In order to better understand your needs and use cases around SCIM, we would greatly appreciate your participation in a brief survey. Your feedback will be invaluable in helping us to prioritize capabilities and ensure we are addressing the use cases that matter most to you.

You can find the survey here.

Keycloak's Bug Bounty Program on YesWeHack

Alexander Schwartz — Fri, 16 Jan 2026 00:00:00 GMT

As a Cloud Native Computing Foundation (CNCF) project, Keycloak is the open-source IAM backbone for countless applications. This is your chance to secure a core piece of the cloud-native ecosystem in this public bug bounty program!.

We are proud to be part of this EU sponsored initiative. Projects like ours fuel a lot of public and private infrastructure in the EU and worldwide. Thank you for choosing our project for this initiative to help us to improve and provide secure services to our users!

We received a lot of good submissions to the program. While we sort out the submissions, the program is paused.

Setting Up Keycloak as a Credential Issuer with OpenID4VCI

Rodrick Awambeng, Forkim Enjeckayang, Ingrid Kamga, Bertrand Ogen — Fri, 16 Jan 2026 00:00:00 GMT

Before configuring Keycloak, it is helpful to understand its role in decentralized identity ecosystems. As a verifiable credential issuer, Keycloak can issue digitally signed credentials using the OpenID for Verifiable Credential Issuance (OpenID4VCI) protocol, allowing relying parties (also known as verifiers) to independently verify them without contacting the issuer.

Keycloak implements OpenID4VCI, enabling the issuance of verifiable credentials (VCs) as digital proofs of identity or attributes. Configuring this functionality requires consistent setup across the realm, clients, and issuable credentials (client scopes).

For example, consider the following scenario: The Keycloak OAuth SIG team wants to issue verifiable membership credentials to its members, including their name and email, which can later be presented at onsite or virtual events as proof of active membership.

At the time of writing this blog, Keycloak’s support for OpenID4VCI is still experimental. This guide uses the Keycloak 26.5.0 release. The feature is under active development and is expected to be promoted to preview in the future.

Introduction to OpenID4VCI & OpenID4VP

OpenID4VCI is a protocol developed by the OpenID Foundation that extends the OAuth 2.0 framework to support the secure and interoperable issuance of Verifiable Credentials (VCs). VCs are digital, tamper-evident representations of information, such as identity attributes or qualifications, which can be cryptographically verified without needing to contact the issuer at verification time.

While this guide primarily focuses on OpenID for Verifiable Credential Issuance (OpenID4VCI), the overall trust architecture also includes OpenID for Verifiable Presentations (OpenID4VP), which governs how holders present credentials to verifiers. Together, these protocols enable decentralized identity ecosystems in which users (holders) retain control of their data and can share it selectively with verifiers.

Figure 1. Triangle of trust or Issuer-Holder-Verifier model

In this model:

Issuer ↔ Holder interactions are governed by OpenID4VCI, covering credential issuance.
Holder ↔ Verifier interactions are governed by OpenID4VP, covering credential presentation and verification.

From a privacy perspective, this separation of concerns is fundamental. By decoupling credential issuance from credential presentation, issuers are unable to track where, when, or how a holder uses their credentials. This architecture prevents correlation and profiling, and ensures that users remain in control of how their data is shared.

Why Use OpenID4VCI

The primary motivations for adopting OpenID4VCI include:

Interoperability: Builds on established OpenID Connect (OIDC) standards, simplifying integration with existing identity providers.
Privacy and Security: Supports selective disclosure (e.g., proving age without revealing birthdate) and offline verification.
Compliance: Aligned with regulations like eIDAS 2.0.
Efficiency: Leverages OIDC mechanisms to streamline issuance while maintaining trust in the "triangle of trust" model (Issuer-Holder-Verifier).

Verifiable Credential Formats

OpenID4VCI supports multiple credential formats, which define how verifiable credentials are encoded and issued.

SD-JWT VC – Selective Disclosure JSON Web Token Verifiable Credential
JWT VC – JSON Web Token Verifiable Credential
mDL/mdoc – Mobile driver’s license / mobile document format

These formats allow issuers to provide portable, verifiable digital proofs that support selective disclosure and offline verification in decentralized identity ecosystems.

Keycloak currently supports both SD-JWT VC and JWT VC for issuance. mDL/mdoc, which is part of the OpenID4VCI specification, is expected to be supported in the future.

Concrete Use-Cases Enabled by OpenID4VCI

Verifiable credentials open a variety of real-world applications. Examples include:

Governments or non-government organisations issuing digital identity cards or driver’s licenses that citizens can present when booking hotels, opening bank accounts, or accessing public services, while revealing only the information necessary for the transaction (e.g., age or residency) without exposing full personal details.
City councils issuing verifiable birth certificates that universities and hospitals can validate without a central lookup.
Universities issuing digital diplomas that employers can instantly verify for authenticity.
Companies issuing employee badges as verifiable credentials for office access or remote authentication.
Event organizers issuing verifiable tickets that can be validated offline.
Professional associations issuing membership credentials such as in our OAuth SIG example for verifying access to gated resources or conference venues.
Digital movie or event tickets that are tamper-evident and can be verified offline.

These examples illustrate the variety of situations where verifiable credentials remove the need for direct communication between verifier and issuer while preserving trust.

Key Flows in OpenID4VCI

OpenID4VCI defines two primary flows for credential issuance: the Authorization Code Flow and the Pre-Authorized Code Flow. These flows determine how a wallet (holder’s application) obtains an access token to request a VC from the issuer.

Authorization Code Flow

The Authorization Code Flow is interactive and requires the holder to authenticate and consent at the issuer’s authorization endpoint. It is ideal for scenarios where explicit user approval is required, or additional claims must be collected.

Steps:

The Wallet sends an Authorization Request to the Issuer’s Authorization Endpoint, requesting credentials.
The Issuer authenticates the User and requests consent for the issuance.
The User provides credentials and grants consent.
The Issuer returns an Authorization Code to the Wallet.
The Wallet exchanges the code at the Issuer Token Endpoint for an Access Token.
The Issuer returns the Access Token to the Wallet.
The Wallet requests the Verifiable Credential from the Issuer Credential Endpoint using the Access Token.
The Issuer returns the VC to the Wallet.

Figure 2. Credential issuance via Authorization Code Flow

Pre-Authorized Code Flow

The Pre-Authorized Code Flow is non-interactive. The issuer pre-authenticates and authorizes the user, providing a pre-authorized code (often via QR code). It is faster and suitable for pre-approved credential issuance.

Steps:

The Issuer provides a Pre-Authorized Code to the Wallet (e.g., via QR code or link).
The Wallet exchanges the code at the Issuer Token Endpoint for an Access Token.
The Issuer returns the Access Token to the Wallet.
The Wallet requests the Verifiable Credential from the Issuer Credential Endpoint using the Access Token.
The Issuer returns the VC to the Wallet.

Figure 3. Credential issuance via Pre-Authorized Code Flow

Now that we have covered the technical flows, the rest of this guide walks through configuring Keycloak to issue verifiable credentials using the Pre-Authorized Code Flow, including realm, client scope, and client-level setup.

Configuring Keycloak for OpenID4VCI

OpenID4VCI in Keycloak is offered via the feature flag oid4vc-vci, which consequently needs to be enabled at startup.

--features=oid4vc-vci

That said, we now assume that you have a running Keycloak instance with the oid4vc-vci feature flag enabled.

Beyond enabling the feature flag, the following configuration steps need to be taken consistently, in accordance with your use case:

Configure OpenID4VCI at the realm level
Configure an issuable verifiable credential (as a dedicated client scope)
Enable and configure OpenID4VCI at the client level

Because some configurations are not yet supported via the Keycloak Admin Console, we may often use the Admin REST API to communicate required configurations.

Configuring OpenID4VCI at the realm level

Let’s assume you have already created a realm named oauth-sig-realm to represent the OAuth SIG group, and that a couple of users have also been created in this realm, each with a password assigned, to represent members of the group.

In addition, any user who is intended to create credential offers must be granted the built-in credential-offer-create role. This role is provided by the OpenID4VCI extension and does not need to be created manually. Assigning it ensures that only authorized users can generate credential offers, maintaining the security of the issuance process.

Figure 4. Screenshot: Realm and Users

The behavior of OpenID4VCI across the entire realm can be modulated via realm attributes. On the Admin Console, find the OID4VCI Attributes section under the Realm Settings > Tokens tab.

Figure 5. Screenshot: OID4VCI Attributes

Sensible defaults apply out of the box, but for the sake of this demo, we would want, for instance, to increase the value of Pre-Authorized Code Lifespan to 3 minutes so that the issuance flow expires less quickly. To learn more about the Nonce Lifetime and other realm attributes for OpenID4VCI, please refer to the main Keycloak documentation.

Lastly, because EC cryptography is highly encouraged in the OpenID4VC ecosystem, we also invite you to add a P-256 Elliptic Curve key pair to the realm’s set of keys under Realm Settings > Keys > Providers. This will later enable configuring the signing of issued VCs with algorithm ES256.

Figure 6. Screenshot: Adding ECDSA Key Provider

Configuring an issuable verifiable credential (as a dedicated client scope)

Different credential types can be configured for issuance depending on what data the credential should embed, what format it should have, or other criteria. Each credential type is configured as a dedicated client scope of protocol type "OpenID for Verifiable Credentials".

We will configure our membership credential to be issued as an SD-JWT credential carrying a user’s first name, last name, and email. Each claim to be added to the credential requires a corresponding protocol mapper from the User Model to the credential. Other fields such as the time of issuance or a unique identifier for the credential are supported via other types of protocol mappers.

Since we will be using the Admin REST API to configure the client scope, we first need to obtain a valid Admin Token from the master realm to authorize our requests.

ADMIN_TOKEN=$(curl -s -X POST "http://<keycloak.instance>/realms/master/protocol/openid-connect/token" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "username=<admin-username>" \
  -d "password=<admin-password>" \
  -d "grant_type=password" \
  -d "client_id=admin-cli" | jq -r '.access_token' )
echo "Admin Token obtained: $ADMIN_TOKEN"

Now, let’s proceed with adding the membership credential type as a dedicated client scope using the Admin REST API.

curl -X POST "http://<keycloak.instance>/admin/realms/oauth-sig-realm/client-scopes" \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $ADMIN_TOKEN" \
  -d '{
    "name": "membership-credential",
    "protocol": "oid4vc",
    "attributes": {
      "include.in.token.scope": "true",
      "vc.format": "dc+sd-jwt",
      "vc.verifiable_credential_type": "https://credentials.example.com/oauth-sig-membership",
      "vc.credential_signing_alg": "ES256",
      "vc.display": "[{\"name\": \"OAuth SIG Membership\", \"locale\":\"en\"}]",
      "vc.credential_build_config.token_jws_type": "dc+sd-jwt"
    },
    "protocolMappers": [
      {
        "name": "given_name-mapper",
        "protocol": "oid4vc",
        "protocolMapper": "oid4vc-user-attribute-mapper",
        "config": {
          "claim.name": "given_name",
          "userAttribute": "firstName",
          "vc.display": "[{\"name\":\"Given Name\",\"locale\":\"en\"}]"
        }
      },
      {
        "name": "family_name-mapper",
        "protocol": "oid4vc",
        "protocolMapper": "oid4vc-user-attribute-mapper",
        "config": {
          "claim.name": "family_name",
          "userAttribute": "lastName",
          "vc.display": "[{\"name\":\"Family Name\",\"locale\":\"en\"}]"
        }
      },
      {
        "name": "email-mapper",
        "protocol": "oid4vc",
        "protocolMapper": "oid4vc-user-attribute-mapper",
        "config": {
          "claim.name": "email",
          "userAttribute": "email",
          "vc.display": "[{\"name\":\"Email\",\"locale\":\"en\"}]"
        }
      },
      {
        "name": "iat-mapper",
        "protocol": "oid4vc",
        "protocolMapper": "oid4vc-issued-at-time-claim-mapper",
        "config": {
          "claim.name": "iat",
          "truncateToTimeUnit": "HOURS",
          "valueSource": "COMPUTE"
        }
      }
    ]
  }'

Commenting on the above configuration:

The vc.format attribute defines the credential format (e.g. dc+sd-jwt).
The vc.verifiable_credential_type attribute defines the value of the vct claim inside the credential.
The vc.credential_signing_alg attribute specifies the cryptographic algorithm used to sign the credential.
All vc.display entries are intended to be used by a wallet to display intelligible descriptions.

To learn more about other used or available configuration attributes, please refer to the main Keycloak documentation.

Verify that the client scope was created successfully by checking the Admin Console under Client Scopes.

Additionally, check the Credential Issuer Metadata Endpoint by navigating to Realm Settings, toggling the Verifiable Credentials option, and saving the changes. Once done, the endpoint will be listed, allowing you to verify that the newly created credential type appears among the issuable credentials, as shown below.

Figure 7. Screenshot: Enable Verifiable Credentials in Realm Settings

The credential type should appear in the metadata like the following:

{
  // ...
  "credential_configurations_supported": {
    "membership-credential": {
      "id": "membership-credential",
      "format": "dc+sd-jwt",
      "scope": "membership-credential",
      "cryptographic_binding_methods_supported": [
        "jwk"
      ],
      "credential_signing_alg_values_supported": [
        "ES256"
      ],
      "vct": "https://credentials.example.com/oauth-sig-membership",
      // ...
    }
  }
  // ...
}

Enabling OpenID4VCI at the client level

Next, let’s create a new client in the oauth-sig-realm realm to represent an application that members of the OAuth SIG will use to request and receive their membership credentials. We will name this client oauth-sig-client and configure it as a standard OpenID Connect client.

During client creation, make sure to check the Direct Access Grants box, as we will use the Resource Owner Password Credentials flow to obtain a user access token in a later step. All other fields are left unchanged.

Figure 8. Screenshot: Client Creation

One important point to note is that clients must explicitly enable OpenID4VCI to be able to use it. Navigate to the Advanced tab of the oauth-sig-client client and toggle the Enable OID4VCI switch under the OpenID for Verifiable Credentials section.

Figure 9. Screenshot: Enable OID4VCI on Client

Finally, we need to assign the previously created membership-credential client scope to the oauth-sig-client client. To do this, navigate to the Client Scopes tab of the oauth-sig-client client and add membership-credential as an Optional Client Scope.

Figure 10. Screenshot: Assigning membership-credential client scope to the client

Obtaining a User Access Token

Before obtaining the user access token, ensure that the user has the credential-offer-create role, as only users with this role can create credential offers.

With the client configured and the user’s password set, we can now request a user access token. This token will later be used to authorize the credential offer request.

USER_TOKEN=$(curl -s -X POST "http://<keycloak.instance>/realms/oauth-sig-realm/protocol/openid-connect/token" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "username=<user-username>" \
  -d "password=<user-password>" \
  -d "grant_type=password" \
  -d "client_id=oauth-sig-client" | jq -r '.access_token' )
echo "User Access Token obtained: $USER_TOKEN"

Now that we have a user access token issued to the user with the credential-offer-create role, we can use it to request a credential offer from the issuer in the next step.

Retrieving a credential offer to start the issuance flow

For Pre-Authorized Code flows, OpenID4VCI issuance can be initiated by retrieving a credential offer from Keycloak at the Credential Offer Endpoint. The endpoint requires a valid user access token and the username of the target user for whom the pre-authorized offer will be generated. In our case, we will be using the same user for both credential offer creation and retrieval.

curl -X GET "http://<keycloak.instance>/realms/oauth-sig-realm/protocol/oid4vc/credential-offer-uri?credential_configuration_id=membership-credential&type=qr-code&username=<username>" \
  -H "Authorization: Bearer $USER_TOKEN" \
  --output credential-offer-qr.png

Replace <username> with the user you created earlier. The QR code image is saved as credential-offer-qr.png. Open this file and use your wallet to redeem the credential.

With the query parameter type=qr-code, the endpoint returns a direct binary representation of the QR code image. If omitted, the endpoint returns JSON, which requires extra steps to construct the QR code from the offer data.

Figure 11. QR Code Generation Overview

Upon scanning the QR code with a compatible wallet, a membership credential is issued to the requesting user.

⚠️ Wallet Compatibility Notice

Keycloak implements the final OpenID4VCI specification and includes a limited Draft-15 compatibility patch with partial support.

Tested Draft-15 wallets that work with the compatibility patch:

Wallet	Compatibility
Heidi Wallet	✅ Works via Draft-15 compatibility patch
Valera Wallet	✅ Works via Draft-15 compatibility patch
Lissi Wallet	✅ Works via Draft-15 compatibility patch

Wallet

Compatibility

Heidi Wallet

✅ Works via Draft-15 compatibility patch

Valera Wallet

✅ Works via Draft-15 compatibility patch

Lissi Wallet

✅ Works via Draft-15 compatibility patch

Full support requires wallets providers to implement the final OpenID4VCI specification.

Figure 12. Screenshot: Lissi Wallet Test

Before You Go

In this blog post, we have illustrated how to set up Keycloak for issuing verifiable credentials over OpenID4VCI, using a simple scenario of issuing membership credentials to members of the Keycloak’s OAuth SIG group. We covered the necessary configuration steps at the realm, client scope, and client levels, and demonstrated how to retrieve a credential offer to initiate the issuance flow.

If you are looking into streamlining this configuration process for OpenID4VCI in Keycloak, take a look at our OID4VCI Deployment project, which provides solid examples for both the pre-authorization and authorization code flows. You may also find the Keycloak Playground OID4VCI demo useful as a hands-on demo.

Feedback & Discussion

We’d love to hear your thoughts on this guide! You can provide feedback or ask questions through:

Slack: Join the Cloud Native Computing Foundation (CNCF) Slack and discuss with us in the channel #keycloak-oauth-sig.
GitHub: Inspect and participate in recent OpenID4VCI-related GitHub discussions. Review existing OpenID4VCI-related GitHub issues and feel free to comment on or upvote them, or create a new issue if you have ideas for enhancements or discover a bug.

Your input will help us to improve the OpenID4VCI experience in Keycloak.

Important Note on OpenID4VCI Development Status

OpenID4VCI support in Keycloak is still under active development. The instructions and configuration options described in this blog post are based on Keycloak 26.5.0 and may change in future Keycloak versions as the feature evolves.

If you want to explore the latest updates to the OID4VCI feature, you can use the latest Keycloak nightly release. However, be aware that the instructions in this blog post may not work with that version.

Keycloak 26.5.1 released

Wed, 14 Jan 2026 00:00:00 GMT

To download the release go to Keycloak downloads.

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Enhancements

#44863 x-robots HTTP header missing for static Keycloak resources, and REST endpoint responses
#45009 Performance improvement: Missing indexes on BROKER_LINK table columns
#45182 Allow full managing of realms from master realm without global admin role

Bugs

#43975 Test Framework -> Embedded server -> Maven execution failure: Failed to read script file from: scripts/default-policy.js test-framework
#44371 403 Forbidden when assigning realm-management client roles despite FGAP disabled (regression in 26.4.0+) admin/fine-grained-permissions
#44417 Security issue with Organization feature exposes and fills the account name automatically in user/password form organizations
#44783 Create Realm button is missing when user has create-realm role admin/ui
#44860 Admin UI: slow response time listing second user page admin/ui
#45003 Bug in JWTClientAuthenticator and JWTClientSecretAuthenticator causes NPE authentication
#45093 Enable visibility of Role Mapping tab for users with view-users role admin/ui
#45107 Failed upgrade to 26.4.7 - sql generated for manual database upgrade contains invalid statements storage
#45116 Realm-level admininistrators can no longer use Admin Console since 26.3.0 (UI fails to render) admin/ui
#45185 ExternalLinkTest fails due to missing _adding_context_for_log_messages anchor docs
#45226 Failure when decrypting SAML Response since 26.5.0 saml
#45239 Upgrade to 26.5.0 failing due to FK_ORG_INVITATION_ORG constraint organizations
#45257 Creating IdentityProvider with latest java admin-client may fail against Keycloak server 26.4 or older admin/client-java
#45307 UI Bug: WebAuthn passkey list is broken in keycloak v2 theme login/ui

Keycloak Client Libraries 26.0.8 released

Fri, 9 Jan 2026 00:00:00 GMT

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Enhancements

#193 Sync keycloak-client after Keycloak server 26.5.0 release client

Bugs

#190 The policy enforcer rejects the request the first time, but after the cache invalidation interval, it allows it. client

New Keycloak Maintainer: Steven Hawkins

Stian Thorgersen — Tue, 6 Jan 2026 00:00:00 GMT

Although Steven has only been on the Keycloak team for a relatively short period of time he’s managed to get the #15 place as the top contributor overall. Now, if you narrow that to the last two years he’s in #3rd place.

Steven is the go-to guy when it comes to the Operator where his knowledge is above most. He’s also regularly helping out the community, whether joining discussions, fixing bugs, or just generally making our distribution better for everyone.

Congratulations to Steven becoming an official Keycloak Maintainer.

Keycloak 26.5.0 released

Tue, 6 Jan 2026 00:00:00 GMT

To download the release go to Keycloak downloads.

Highlights

This release features new capabilities for users and administrators of Keycloak. The highlights of this release are:

Workflows to automate administrative tasks and process within a realm.
JWT Authorization Grants, our recommended alternative to external to internal token exchange.
Guide for using Keycloak as an authorization server for Model Context Protocol (MCP) servers.
Authenticating clients with Kubernetes service account tokens to avoid static client secrets.
OpenTelemetry support for metrics and logging, combining all observability information in this popular standard.

Read on to learn more about each new feature. If you are upgrading from a previous release, review also the changes listed in the upgrading guide.

Security and Standards

JWT Authorization Grant (preview)

Keycloak 26.5 introduces a new feature called JWT Authorization Grant, which adds support for RFC 7523 to use external signed JWT assertions to request OAuth 2.0 access tokens.

To accept signed JWT assertions, a trust relationship must be established between the external provider and Keycloak. This trust relationship can be configured through an identity provider in a dedicated section of the OpenID Connect v1.0 identity provider, or through the new JWT Authorization Grant identity provider.

JWT Authorization Grant is recommended as an alternative to External to internal token exchange V1. This feature is in preview, and additional details are available in the dedicated documentation.

Using Keycloak as an authorization server for Model Context Protocol (MCP) servers

Using Keycloak as an authorization server for Model Context Protocol (MCP) servers is becoming popular, so this release ships additional documentation on how to do this.

See Integrating with Model Context Protocol (MCP) for the new guide.

Many thanks to Takashi Norimatsu for the contribution.

CORS enhancements

CORS (Cross Origin Resource Sharing) is a browser security feature that controls how web pages on one domain can request resources from a different domain.

For the OpenID Connect Dynamic Client Registration, you can now specify which CORS headers are allowed via the client registration access policies.

For the overall CORS configuration, you can now allow environment specific headers to be allowed using the SPI option spi-cors--default--allowed-headers.

Logout confirmation page

The client logout configuration now includes an option to show a logout confirmation page. When enabled, users will see a “You are logged out” confirmation page upon successful logout.

Many thanks to Sebastian Łaskawiec for the contribution.

Hiding OpenID Connect scopes from the discovery endpoint

Previously, all scopes of an OpenID Connect client were advertised in the discovery endpoint.

In some situation you might want to avoid it, as the calling client, for example, an MCP server might not support it, or you might want to hide some scopes for preventing their discovery via public APIs.

You can now prevent this by disabling Include in OpenID Provider Metadata.

Administration

Workflows (preview)

Keycloak introduces a new preview feature called Workflows, which allows administrators to automate administrative tasks and process within a realm, introducing a key capability for Identity Governance and Administration (IGA).

For more details, see the Server Administration Guide.

Federated client authentication (preview)

Federated client authentication remains preview due to receiving a number of enhancements and fixes.

There is now preview support to use Kubernetes service accounts tokens as credentials for clients, which avoids static secrets for OpenID Connect clients.

See Kubernetes identity providers in the Server Administration Guide for details.

Organization invitation management

Organization administrators can now manage organization invitations through both the Admin Console and REST API:

View all sent invitations with their current status (Pending, Expired)
Resend pending invitations to recipients
Delete invitation records from the system
Filter invitations by status for easier management

All invitations are now persistently stored in the database, providing better tracking and management capabilities.

The invitation management features are available in the Invitations tab when managing an organization in the Admin Console, and through the Organizations REST API endpoints under /admin/realms/{realm}/orgs/{orgId}/invitations.

New event `USER_SESSION_DELETED`

For each expired user session there is a new user event USER_SESSION_DELETED fired. This event is published approximately 3-10 minutes after the session has expired depending on job scheduling and load on the system. By default, this event is not persisted.

Configuring and Running

Containers for PowerPC 64-bit Little Endian architecture

The containers for both the Keycloak and its operator are not available as well for the PowerPC 64-bit Little Endian (ppc64le) architecture. This is in addition to the existing amd64 and arm64.

We expect this to allow users to optimize their usage of open hardware and power consumption.

Improved server response times

Authentication, user, and client sessions are now created on the respective Keycloak node and avoid extra remote calls to neighbors when reading or writing them to the embedded caches. When you have sticky sessions enabled in your loadbalancer, you will benefit from this feature automatically, and you should see reduced response times when authenticating users.

Expired user sessions are now deleted from the database in small batches, instead of issuing a delete statements that affects the whole table. This should allow for better response times when there are a lot of sessions in the table.

Enhanced HTTP performance (preview)

You can now enable a more efficient way to handle JSON data in the HTTP layer. This change increases throughput by ~5%, stabilizes response times, and reduces system resource usage.

In order to apply it, you need to explicitly enable the feature http-optimized-serializers.

Note	This feature is preview. We gather more feedback about potential issues in this discussion. We appreciate any feedback.

For more details, see the Configuring Keycloak for production guide.

Configure retry behavior for outgoing HTTP requests

Keycloak has now more flexibility how to configure retrying of outgoing HTTP requests. This is useful for handling transient network errors or temporary unavailability of the service where Keycloak needs to send HTTP request. Retry behavior is disabled by default and must be explicitly enabled. More details are available in the Outgoing HTTP requests documentation.

Many thanks to Chance Coleman for the contribution.

Enable/disable features via a single option

You can now enable or disable individual features using the feature-<name> option (like feature-spiffe=enabled).

This provides a more fine-grained way to manage features and eliminates the need to maintain long lists of enabled or disabled features.

The feature-<name> option takes precedence over both features and features-disabled.

For more details, see the Enabling and disabling features guide.

Client certificate lookup compliant with RFC 9440

You can now use a new client certificate lookup provider that is compliant with RFC 9440. This enables native support e.g. for Caddy and other reverse proxies that follow the RFC. For details, navigate to Enabling Client Certificate Lookup section of the documentation.

Running Keycloak as a Windows service

Keycloak can now be installed and run as a Windows service using Apache Commons Daemon (Procrun). The new tools windows-service CLI subcommand simplifies service installation and uninstallation.

The service runs kc.bat start as an external process, ensuring all environment variables and configuration files are respected. This provides seamless integration with the Windows Services management console and enables automatic startup on system boot without requiring a user to be logged on.

For more information, see the Running Keycloak as a Windows Service guide.

Observability

OpenTelemetry enhancements

OpenTelemetry Logs (preview)

Keycloak now supports exporting logs to OpenTelemetry collectors, enabling centralized log management. This preview feature allows you to export Keycloak logs to any OpenTelemetry-compatible backend and use the same OpenTelemetry collector for logs, metrics and traces.

For more details, see the Centralize your observability stack with OpenTelemetry guide.

OpenTelemetry Metrics (experimental)

Keycloak now provides the experimental support for exporting metrics to OpenTelemetry collectors by using the Micrometer-to-OpenTelemetry bridge. This experimental feature allows you to export Keycloak metrics to any OpenTelemetry-compatible backend and use the same OpenTelemetry collector for logs, metrics and traces.

For more details, see the Centralize your observability stack with OpenTelemetry guide.

Export traces with custom request headers

It is now possible to set request headers for exporting traces via OpenTelemetry Protocol (OTLP). It is mainly useful for providing tokens in the request.

You can specify these headers via the tracing-header-<header> wildcard option, accepting any custom header name.

For more details, see the Root cause analysis with tracing guide.

MDC Logging feature (supported)

The log-mdc:v1 feature has been promoted from a preview feature to a supported feature.

MDC enables Keycloak to enrich log entries with contextual information such as realm, client, user ID and IP address, significantly improving debugging and observability.

For more details, see the Adding context for log messages guide.

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Deprecated features

#44121 Deprecate Fine-Grained Admin Permissions v1 admin/fine-grained-permissions

Removed features

#42905 Remove PostgreSQL 13.x support

New features

#20761 Support Caddy as a Reverse Proxy Provider for Client Certificate Authentication core
#37704 Support for running Keycloak as a Windows Service
#38809 Feature Request: Track Pending Organization Invitations in Keycloak Admin Console
#39221 Admin API v2: Blueprint
#41261 OpenTelemetry Support observability
#42482 Possibility to backchannel logout the clients belonging to a specific user session
#42912 Containers for ppc64le
#43020 Secure Client-Initiated Renegotiation - disable by default dist/quarkus
#43106 Expose scheduled tasks and start time
#44312 Add support to use `kcw` with remote test server test-framework
#44458 Expose a configuration option to always display a logout confirmation screen

Enhancements

#8863 Add CORS support to OIDC dynamic client registration endpoints
#10388 Allow to hide client scopes from scopes_supported in discovery endpoint
#12682 Allow CORS Access-Control-Allow-Headers customization core
#14509 Allow configuration for SMTP timeouts via configuration
#15502 Ability to remove offline_access tokens from the Account Management client and/or Admin interface core
#17268 [KC 20+] Obsolete/wrong documentation about service accounts?
#22938 Fine-grained admin permission client manage does not work for an Authorization enabled client admin/fine-grained-permissions
#33009 Delete Client and role's admin event doesn't have representation while other delete entities have the representation admin/ui
#33146 Prevent users configuring max-count=-1 for caches with a default upper-bound infinispan
#35836 SMTP Timeout Override
#38843 Set `automountServiceAccountToken: false` on Keycloak pods operator
#39881 Picture of the token-exchange flow in the documentation docs
#40799 Provide a way to add custom labels to Realm Import job of Keycloak operator
#41006 [OTel] Micrometer to OpenTelemetry bridge support for metrics observability
#41007 Including OTLP headers for authorization
#41019 Validate client session session timeout and lifetime settings on edit authentication
#41205 Make MDC logging supported
#41263 [OTel] Provide general options for telemetry settings observability
#41264 [OTel] Introduce preview support for OpenTelemetry Logs observability
#41425 Add more fields to the Welcome Page
#42124 Add operation to cancel a workflow execution for a resource
#42223 Create a LocalCacheProvider SPI
#42386 [RLM] Review the action execution thread model
#42401 Add configurable retry logic for OCSP certificate validation checks core
#42445 Default to log color enabled
#42446 Make picocli auto color match the quarkus logic
#42618 [RLM] - Allow updating workflow conditions
#42644 No longer able to set a Keycloak Admin Client timeout admin/client-js
#42687 [RLM] - Ability to define workflows with YAML
#42694 Workflows: review test coverage workflows
#42695 Workflows: Add OpenAPI annotations to all API methods
#42696 [RLM] Review implemented conditions and add toPredicate implementation
#42704 SELECT COUNT(*) FROM called multiple times for an index creation core
#42715 incorrect flow with login_hint specified for user in org email domain organizations
#42776 Session cache affinity
#42835 Make API endpoint linkable in documentation docs
#42910 [RLM] - Restarting a workflow for a resource based on the step chain workflows
#42911 [RLM] - Canceling workflows for a given resources when a new event is triggered
#42913 [RLM] - Allow using time-based tokens when setting fields that expect a period or time
#42917 Chore: Add missing translations for Korean (ko)
#42945 [PERF] Jackson reflection-free serialization/deserialization dist/quarkus
#42961 [RLM] - Cache expressions using as a component note
#42990 Hide read-only email attribute in update profile context with update email enabled user-profile
#42991 Final review and update for UPDATE_EMAIL documentation docs
#43015 Log FIPS provider using info debug level
#43076 Add rate limiter for sending verification emails in context of update email
#43125 Divide logging guide to sub-guides for every log handler observability
#43137 [RLM] Review naming of events to be in the past tense workflows
#43156 [Docs] Warn users about printing headers in HTTP access logs docs
#43183 Relax CORS policy on credential offer endpoint
#43214 [OID4VC] Ensure authorization_details from PAR requests are properly returned in token responses for conformace tests oid4vc
#43256 Expiry event for user sessions and timely DB removal of sessions
#43351 Make pending email verification attribute removable by admin user-profile
#43357 JDBC_PING should publish its physical address on startup
#43360 Add the user session in the session context when it is validated or created
#43362 Reduce the number entity manager flushes when creating a realm
#43365 When reading events for the database, read them read-only
#43421 All config formatting for list options could be improved
#43450 Workflows UI needs to implement authorization admin/ui
#43456 Run time comparisons in SD-JWT and SD-JWT VP verification with account of possible clock skew
#43466 Picocli refinements
#43509 Role authorization for workflows. admin/api
#43512 Export default routes from npm UI packages
#43536 Remove need to specify workflow condition parameter in double quotes workflows
#43537 Fix inconsistencies in workflow condition evaluation workflows
#43538 Ensure delete-user step doesn't trigger removal of federated user from federation provider workflows
#43541 Ability to enable/disable feature via single property
#43559 Add validation for Workflwow, Condition and Steps fields workflows
#43604 Warn or error on duplicate options dist/quarkus
#43611 Allow non-optimized start to run without a separate vm launch
#43643 Upgrade to Quarkus 3.27.1 dist/quarkus
#43650 SPIFFE should support OIDC JWK endpoint
#43660 Add operation to retrieve the workflows that are currently active for a resource workflows
#43661 Allow groups to be referenced by path in workflow conditions workflows
#43665 Workflows UI must allow for definition of workflows using YAML admin/ui
#43666 Admin client should be able to handle YAML payloads for workflows workflows
#43694 Avoid using UserCredentialManager from user storage extensions
#43715 Provide a way to evaluate event properties when matching events to workflows workflows
#43777 Add missing secret warning status
#43801 [OID4VCI] Handling KeyAttestationRequired properly oid4vc
#43802 Add autofocus property to "Sign in with passkey" button in keycloak.v2 login theme.
#43843 [Login UI v2] Configurable Password Visibility-Toggle Icons
#43912 Store workflows YAML definition as a blob workflows
#43931 Downscoping for standard token exchange token-exchange/standard
#44005 Improve error message for the HTTPS material loading observability
#44164 Add pagination and search by name capabilities to the workflows endpoint workflows
#44183 Allow UI to retrieve Workflow definitions without their ids workflows
#44266 Provide additional benchmarks for more than 100k users
#44274 Keycloak compatibility with PostgreSQL 18
#44296 Avoid un-escaped strings in the login templates for HTML entities login/ui
#44396 Ignore null values when serializing workflows using YAML workflows
#44494 Support EDB 18
#44500 HttpClient provider should allow connectionRequestTimeout to be settable
#44518 Disable state transfer for session caches when persistent sessions are enabled
#44548 Add MariaDB to MySQL description and specify SQL to support UTF-8
#44571 MCP Documentation for 26.5
#44611 Document recommended transaction isolation level for MS SQL in guides and warn if wrong level is detected on startup
#44621 [OID4VCI] Realign naming of attribute configuring algorithms for credential signing oid4vc
#44634 Enhance health check docs
#44645 Improve workflow concurrency settings to allow cancelling a workflow based on an event workflows
#44708 Improvements to the notify step workflows
#44736 Fix OID4VCI Wallet Interoperability Issues (Draft 15 Compatibility & Metadata Compliance) oid4vc
#44753 Avoid using HTML in backend messages in the login theme
#44787 Avoid flushing user information in batch mode
#44789 Allow restarting the step chain at a specific position workflows
#44801 Infinispan: LoginFailures entries should expire
#44842 Publish an event for logging out a single session or all sessions or all sessions via the Account Console events
#44843 Publish an event when the UserSessionLImitsAuthenticator terminates an older session events
#44865 Allow running scheduled workflows workflows
#44890 Update the Quarkus README for better clarity
#44910 Validate client session timeout and lifetime settings on realm settings edit
#44915 Add Basque (eu) translation support for Keycloak UI
#44936 Support running test methods on the server side
#45070 ServiceMonitor is not created by keycloak operator docs

Bugs

#26374 Workflow failure: Quarkus IT - FipsDistTest#testUnsupportedHttpsPkcs12KeyStoreInStrictMode ci
#30939 Vulnerability in brute force detection settings authentication
#31401 Kcadm.sh: (Better) Error messages on 302 redirect responses
#34868 [Jenkins Operator CI] - Test remote - ClusteringTest on OpenShift ci
#38438 Avoid 'duplicated mappers' Quarkus message for kc.dir dist/quarkus
#38506 keycloak-test-framework-bom manages more dependencies than intended test-framework
#38991 [Test framework] Embedded server -> dependency download error when no version is specified test-framework
#39660 Failed shouldPreventPathFileSeparatorInVaultSecretId test on Windows testsuite
#40058 [FGAP] Make additional rest endpoints respect permissions admin/fine-grained-permissions
#40712 Authorization -> Evaluate: always returns "No search results" authorization-services
#40756 Wrong dependency registering in the testsuite testsuite
#40965 Group permission denies to view user admin/fine-grained-permissions
#40990 Fallback to English translations for unknown locale despite German being the realm default translations
#41270 Cannot save new attribute group admin/ui
#41271 Changing user profile attribute results in an error everytime admin/ui
#41292 openid-connect flow is missing response type on language change authentication
#42000 Incorrect logic of getArray() in ComponentModelScope core
#42166 [Keycloak CI - Store MSSQL] GroupTest.createMultiDeleteMultiReadMulti:157 testsuite
#42225 Slow initial GET /admin/realms/{realm}/users with cache enabled and large max parameter admin/api
#42470 UserStorageProviderModel parameter in ImportSynchronization.sync() method contains stale configuration data core
#42541 Searching by non-searchable attributes returns all clients core
#42552 Missing license field and miscellaneous fields in NPM packages admin/ui
#42565 Standard Token Exchange: chain of exchanges eventually fails token-exchange
#42588 Key Type is not EC: ECDSA oidc
#42601 Flaky test: org.keycloak.testsuite.broker.KcOidcBrokerTest#testPostBrokerLoginFlowWithOTP ci
#42676 Security Defenses realm settings lost when switching between Headers and Brute Force Detection tabs (v25+) admin/ui
#42794 [Windows] Make TrustedHostClientRegistrationPolicyTest Robust to Canonical Hostname localhost testsuite
#42795 [Windows] Stabilize ResourceLoaderTest testsuite
#42851 Group description missing on partial import import-export
#42907 Race condition in authorization service leads to NullPointerException when evaluating permissions during concurrent resource deletion authorization-services
#42914 Make sure TestEventsListenerProvider does not reuse the events in memory testsuite
#42960 KC_VERBOSE is not honored for a fast start dist/quarkus
#42971 create clients without required value admin/ui
#43022 Incorrect Basic Auth encoding for OIDC IDentity Provider when Client ID contains colon identity-brokering
#43034 Saving Client “Advanced” sets Request Object signature/encryption attributes to “any” even when not changed oidc
#43042 Avoid NPE in FederatedJWTClientAuthenticator when checking for supported assertion types core
#43061 Option description stuck with link admin/ui
#43070 Update email page with pending verification email messages prefilled with old email user-profile
#43080 Fix punctuation for deleteConfirmGroup_one message admin/ui
#43082 ExternalLinksTest is broken due to missing path parameters docs
#43084 Fix anchors in the documentation docs
#43087 "Service accounts roles" should be "Service account roles" translations
#43091 Duplicate Email Fields on Temporarily Locked Out Sign In With Organization Identity-First Login login/ui
#43096 keycloak-operator 26.4.0 missing clusterrole permissions docs
#43104 Release notes fix for update email docs
#43160 Regression in DEBUG_PORT handling since 26.4.0 – host binding (*:port / 0.0.0.0:port) no longer works dist/quarkus
#43161 Restarting an user session broken for persistent sessions infinispan
#43164 Keycloak docs state that only TLSv1.3 is used docs
#43166 Backend url misses the path with reverse proxy admin/api
#43191 Upgrade guide for 26.4.0 should mention new minimal PostgreSQL server version 13 requirement docs
#43195 Field "Created at" shows "Invalid Date" when created through KeycloakRealmImport
#43202 IntComponent doesn't show if a field is required admin/ui
#43212 Document missing artifact dependency for UserStoragePrivateUtil docs
#43218 Cannot revoke access token generated by Standard Token Exchange oidc
#43244 UI crash on admin `/users/add-user` since 26.4.0 admin/ui
#43254 Make sure username and email attributes are lower cased when fetching their values from LDAP object ldap
#43262 XPathAttributeMapperTest fails on Ubuntu with OpenJDK 17 saml
#43263 FIPS1402JWKTest and FIPS1402SecureRandomTest fails on Ubuntu with OpenJDK 25 oidc
#43264 SdJwtTest and UndisclosedClaimTest fails on Windows with OpenJDK 17
#43269 Keycloak 26.4 returns a different error response on a token request without Client Assertion (private_key_jwt client authentication) from Keycloak 26.3 does oidc
#43270 Keycloak 26.4 returns a different error response on a CIBA backchannel authentication request without Client Assertion (private_key_jwt client authentication) from Keycloak 26.3 does oidc
#43286 Broken links on DB server configuration guide docs
#43304 SAML Client - Encrypt assertions toggle shows wrong dialog text (Client signature required) saml
#43323 Sessions not removed when user is deleted infinispan
#43328 "Remember me" user sessions remain valid after "remember me" realm setting is disabled authentication
#43331 NullPointerException when disabling Admin Permissions (FGAP) in Realm - GET /users returns 500 admin/fine-grained-permissions
#43335 First JDBC_PING initialization happens in the JTA transaction context infinispan
#43349 Client session may be lost during session restart infinispan
#43394 SPIFFE client authentication does not work when JWT SVID includes `iss` claim
#43417 Spotless fails on `main` ci
#43447 [quarkus-next] DatasourcesConfigurationTest fails dist/quarkus
#43459 Invalid YAML in advanced Operator configurations docs
#43460 FGAP/UI: `reset-password` succeeds but UI shows 403 without Users:manage admin/fine-grained-permissions
#43477 Flaky test: org.keycloak.testsuite.webauthn.account.WebAuthnSigningInTest#setUpLinksTest ci
#43505 DPoP proof replay check doesn't consider clock skew oidc
#43515 Social provider icons not displayed when alias differs from provider type login/ui
#43516 Deleting Client is slow and fails when a lot of client sessions exist core
#43523 [Keycloak JavaScript CI] - Admin UI E2E (chromium) ci
#43532 kcadm.ssh config credentials fails when there is a % in the client secret admin/cli
#43544 Intra-document links not rendered in downstream docs
#43547 Unrecognized field "kty" (class org.keycloak.jose.jwk.JSONWebKeySet), not marked as ignorable (one known property: "keys"]) oidc
#43561 Server does not shutdown gracefully when started with --optimized core
#43564 Invalid liquibase check sum for jpa-changelog-2.5.0.xml core
#43578 "admin" client role now requires server admin user admin/api
#43579 403 Forbidden when assigning realm-management client roles with realm-admin despite FGAP disabled (regression in 26.4.0+) admin/fine-grained-permissions
#43596 FGAP: user can no longer open account management page, broken by `reset-password` admin/fine-grained-permissions
#43621 Version 26.4.1 breaks existing ldap users with capital letters in username ldap
#43637 Flaky test: org.keycloak.testsuite.broker.KcOidcBrokerTest#loginWithExistingUserWithBruteForceEnabled ci
#43639 Local user can't login when ldap error ldap
#43674 Setting "Backchannel logout session required" displayed incorrectly admin/ui
#43682 When syncing roles, the database layer can see deadlocks
#43687 H2 database URL augmentation does not consider db-url-properties dist/quarkus
#43698 Role Mapper is updating the user every time on login identity-brokering
#43713 Flaky test: org.keycloak.testsuite.oauth.ClientAuthSignedJWTTest#testClientWithGeneratedKeysJKS ci
#43717 Unused message properties for the LDAP mappers admin/ui
#43718 Email Not Persisted During Registration When "Email as Username" is Enabled and User Edit Permission is Disabled user-profile
#43720 Wrongly spelled LDAP edit mode in the docs ldap
#43723 Only add the none verifier when attestation conveyance preference is none (or default) authentication/webauthn
#43734 Refresh token allowed for offline session even the related scope is removed
#43736 FGAP V2: reset-password scope error when viewing users with Group permissions only core
#43738 UPDATE_EMAIL action invalidates old email login/ui
#43744 Increased memory usage due to leaking KeycloakSession instances admin/api
#43752 LDAP synchronization happens too often in a cluster and always clears the cache ldap
#43754 Flaky test: org.keycloak.testsuite.federation.ldap.LDAPProvidersIntegrationTest#updateLDAPUsernameTest ci
#43755 Flaky test: org.keycloak.testsuite.account.AccountRestServiceTest#listApplicationsWithoutPermission ci
#43759 QuarkusKeycloakSession not garbage collected when running Liquibase dist/quarkus
#43761 QuarkusKeycloakSession kept in memory for each timer core
#43763 Normalizing of Keycloak URLs not documented dist/quarkus
#43774 Under OLMv1 service monitor check uses wrong namespace operator
#43785 QuarkusKeycloakSession leak in DeclarativeUserProfileProvider user-profile
#43793 import does not seem to run db migration import-export
#43812 Admin console sends non-JSON payload with content-type: application/json admin/ui
#43818 typos in Docs: server_admin/topics/sso-protocols/con-oidc-auth-flows.adoc oidc
#43819 partial import fails to overwrite existing groups import-export
#43832 Cannot issue vc of type oid4vc_natural_person oid4vc
#43835 useHash hook does not correctly extract hash from pushState URL admin/ui
#43845 [quarkus-next] Removed exception escaped OTel attribute dist/quarkus
#43853 Ensure the logout endpoint removes the authentication session oidc
#43863 JS CI failing after normalization testsuite
#43867 JS Policy is used in the "Default Policy" for Authorization authorization-services
#43883 Creating group policy on a client uses "manage-clients" role if FGAP V1 is disabled authorization-services
#43886 Flaky test: org.keycloak.testsuite.model.session.UserSessionProviderOfflineModelTest#testLoadUserSessionsWithNotDeletedOfflineClientSessions ci
#43933 AUTH_SESSION_ID cookie has the incorrect route core
#43948 Adding a client mapper stays on creation screen, with error on second save admin/ui
#43973 Flaky test: org.keycloak.testsuite.broker.KcOidcBrokerTest#testPostBrokerLoginFlowWithOTP ci
#43993 MessageFormatterMethod does not detect/map SimpleNumber causing IllegalArgumentException login/ui
#44010 Ordering attributes will unset the unmanaged attribute policy user-profile
#44031 Can't build keycloak 26.4.4 with quarkus.launch.rebuild=true dist/quarkus
#44056 Allow only normalized URLs in requests caused a regression in view authz permission details in Admin Consol admin/ui
#44057 Retrieving row count to evaluate index creation takes a long time on PostgreSQL and big tables core
#44113 Missing message properties when redenring pages for organization invites organizations
#44116 [OID4VCI] Credential Offer must be created by Issuer not Holder oid4vc
#44117 DockerClientTest failure testsuite
#44125 Double-encoding of query parameter values (e.g. acr_values) for version 26.4 identity-brokering
#44127 [Test Framework] Distribution server - logger output exception test-framework
#44156 [BUG] 'master' realm lockout due to NullPointerException when "Conditional 2FA" is moved before "Username Password Form" authentication/webauthn
#44163 Disabling/enabling workflows result in validation errors and the name is missing from representation core
#44179 Test failure in operator KeycloakIngressTest.testIngressTLSTermination operator
#44187 [Keycloak Docs CI] Broken links docs
#44189 [jdbc-ping] SQLIntegrityConstraintViolationException: Duplicate entry infinispan
#44217 OIDC identity provider should allow to setup JWKS URL (or hardcoded keys) when JWT authorization grant enabled identity-brokering
#44229 Unexpected FORMAT_FAILURE error when using cache-config-file with feature-disabled=persistent-user-sessions infinispan
#44246 Inconsistent formatting or RFC references docs
#44256 [OID4VCI] JWT VC Issuer Metadata well-known endpoint should be available at /.well-known/jwt-vc-issuer/realms/{realm} oid4vc
#44257 OIDC Dynamic Client Registration update problem when Service Account was enabled/ disabled oidc
#44268 Tests for Admin Client fail testsuite
#44269 Admin Client creates malformed paths for requests admin/client-js
#44278 Stack trace in browser console when updating password admin/ui
#44280 Unsupported Pod template can cause AUTO logic to keep StatefulSet at 0 replicas operator
#44287 Caching of static theme resources in dev mode is disabled core
#44289 Failure when decrypting SAML Assertions with HSM provided key saml
#44329 View-Group Permission shows Users in User-List admin/fine-grained-permissions
#44341 Grammar error in LDAP federation group mapper ldap
#44342 Logical error in Danish email verification message - tells users to ignore if they DID create account translations
#44349 Upgrade with Mysql and migration-strategy=manual when db user has non alter table permissions core
#44377 Unlocalized date format in (email messages) translations
#44387 Description of Passkey is not escaped on the login screen login/ui
#44398 Delete user step in workflows is not removing other scheduled steps the user might have workflows
#44399 Workflows are restarting on any event instead of the one that activates it workflows
#44400 Removing a user's group is not activating workflows that use the user-group-membership-removed event workflows
#44419 Compilation failure in OID4VCTimeNormalizationSdJwtTest
#44430 NPE when importing SAML EntityDescriptor without SPSSODescriptor saml
#44438 Intermittent ConcurrentModificationException during SAML initialization causing status code 400 for clients saml
#44455 ClassCastException on mixing AddressMapper with ClaimMapper oidc
#44480 Wrong persistent group permissions when multiple group membership changes happen in the same request core
#44522 The existence of an organization attribute called “id” is not validated organizations
#44540 [admin-api-v2] Create client does not return 201 status code admin/api
#44543 Missing Romanian locale from Supported locales translations
#44552 Manual sync not executed because of the last sync time ldap
#44558 LDAP group mapper executed multiple times in the same request ldap
#44577 Remote Infinispan should return count per client only for the current realm infinispan
#44586 [admin-api-v2] Incorrect DTO/DAO mapping admin/api
#44606 Unhandled error caused by unknown SAML tag during XML parsing saml
#44626 Compilation failure in JWTAuthorizationGrantJWTClaimsClientPoliciesTest authentication
#44642 Credential offer endpoint has parameter user_id, but expects username oid4vc
#44661 Moved link in developer.mozilla.org docs
#44700 ModelTests are broken after consolidating config logic testsuite
#44702 Alias in JWT Authorization Grant idp should not be editable token-exchange
#44712 Keycloak throws a 500 when invalid Accept header dist/quarkus
#44725 Typo: missing '>' on closing in keycloak.v2 link-idp-action.ftl login/ui
#44735 No "Sign in with Passkey" on first step with organization: scope authentication/webauthn
#44742 OID4VCIssuerEndpoint.getCredentialOfferPreflight uses incorrect name of the parameter oid4vc
#44776 Chrome and Firefox broken with new test framework on GtiHub Actions
#44779 OID4VC metadata endpoint returns deferred_credential_endpoint even if not supported oid4vc
#44791 Workflows look up entries from the database on each event
#44793 CredentialRequest with credentialIdentifier does not work when credential-offer was created by OAuth2 authorization_code grant oid4vc
#44796 Claims configued by OID4VCI protocol mappers as mandatory are not enforced to be mandatory oid4vc
#44802 Notification_id returned from the credential response oid4vc
#44908 Run on server with remote uses old classes testsuite
#44918 Workflow tests failing in CI testsuite
#44940 JWTClientSecretAuthenticator throws NPE if client assertion is not set oidc
#44947 Test framework supplier dependencies broken test-framework
#44956 Remove unused azure-credentials input from azure-create-database action ci
#44966 Missing message keys for USER_SESSION_DELETED admin/ui
#44971 DefaultCryptoSdJwsTest.shouldValidateAgeSinceIssued_IfJwtIsTooOld() sometimes fails in CI ci
#44990 Cannot run arquillian testsuite with quarkus-embedded due to dependency conflict testsuite
#45001 Workflows documentation references wrong events core
#45020 ${kc.org} Organisation Confirm Membership Title in messages_de.properties should be ${kc.org.name} translations
#45023 [Docs CI] ExternalLinksTest.checkExternalLinks:41 Broken links (1) in guide 'server_admin' docs
#45040 Docs: upgrading/topics/changes/changes-26_4_6.adoc docs
#45052 Default redirect URI for an organization should be the Home URL of the account client organizations
#45077 Workflows documentation has non-working workflow examples core
#45085 Missing repeatHelp translation key in Time policy admin/ui
#45108 Admin UI: User attribute filter reset does not refresh user list admin/ui
#45114 AdminEvent.getResourcePath() returns paths with duplicated slashes (//) after upgrading Keycloak (26.4.1 → 26.4.7) admin/client-java
#45133 AdminUI test Sessions › Add session data is broken admin/ui

Distribution Survey

Keycloak Cloud Native Team — Fri, 19 Dec 2025 00:00:00 GMT

The different ways of distribution – be it the Operator, container images, or plain ZIP file – play a pivotal role in all Keycloak deployments. It is often the first touchpoint for users and sets the tone for their overall experience. The selected distribution method then affects the whole lifecycle of the deployment – upgrades, scaling, configuration, and more.

As we continue to evolve Keycloak to better serve cloud native environments, we are seeking your valuable input to understand your preferences and requirements regarding Keycloak distribution and deployment methods. Help us shape the cloud native future of Keycloak by participating in our survey! You can find the survey here.

Keycloak JS 26.2.2 released

Thu, 11 Dec 2025 00:00:00 GMT

Highlights

This release of Keycloak JS focuses on addressing several regressions that were introduced by accident. We apologize for any inconvenience these issues may have caused and thank our community for reporting them quickly and helping to verify the fixes.

Bug Fixes

Destructuring public methods now works correctly

A regression was introduced that caused an error when destructuring public methods from a Keycloak instance. This pattern is commonly used in applications:

const { login, logout } = keycloak;
login(); // Previously failed with "Cannot read properties of undefined"

This issue has been resolved by binding all public methods to the class instance using arrow functions, ensuring that this is always correctly scoped regardless of how the method is called.

keycloak/keycloak-js#202

Hash fragments are now preserved in redirect URIs

A regression caused hash fragments in URLs to be stripped from redirect URIs, which broke navigation in applications that rely on fragment-based routing. For example, when logging in to the Keycloak Admin Console with a URL like http://localhost:8080/admin/master/console/#/demo/users/add-user, the user would be redirected to the default page instead of the intended fragment after authentication.

This also caused issues where redirect URIs would have a trailing slash added unexpectedly, breaking login flows for OIDC servers that perform strict URI matching.

The next major of Keycloak JS will start re-enforcing this constraint, as it is not allowed to pass fragments according to the specification.

keycloak/keycloak-js#151, keycloak/keycloak-js#205

Redirect URLs on different domains now work correctly

A regression prevented redirect URLs from being on a different domain than the application origin the navigation to fail with a security error. This affected users who use redirect services that forward authentication requests from an intermediate domain back to the application.

This behavior is likely to be changed in the future to only allow redirect URLs that are on the same origin as where Keycloak JS is initialized, in order to prevent possible open redirects. If this issue affects you please join the discussion.

keycloak/keycloak-js#189

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

Keycloak 26.4.7 released

Mon, 1 Dec 2025 00:00:00 GMT

To download the release go to Keycloak downloads.

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Enhancements

#43156 [Docs] Warn users about printing headers in HTTP access logs docs
#43643 Upgrade to Quarkus 3.27.1 dist/quarkus

Bugs

#44438 Intermittent ConcurrentModificationException during SAML initialization causing status code 400 for clients saml
#44480 Wrong persistent group permissions when multiple group membership changes happen in the same request core

Keycloak 26.4.6 released

Tue, 25 Nov 2025 00:00:00 GMT

To download the release go to Keycloak downloads.

Highlights

This release adds filtering of LDAP referrals by default. This change enhances security and aligns with best practices for LDAP configurations.

If you can not upgrade to this release yet, we recommend disabling LDAP referrals in all LDAP providers in all of your realms.

For detailed upgrade instructions, review the upgrading guide.

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Security fixes

#44478 CVE-2025-13467 Deserialization of untrusted data in ldap user federation

Bugs

#43323 Sessions not removed when user is deleted infinispan
#43738 UPDATE_EMAIL action invalidates old email login/ui
#43754 Flaky test: org.keycloak.testsuite.federation.ldap.LDAPProvidersIntegrationTest#updateLDAPUsernameTest ci
#43812 Admin console sends non-JSON payload with content-type: application/json admin/ui
#44125 Double-encoding of query parameter values (e.g. acr_values) for version 26.4 identity-brokering
#44187 [Keycloak Docs CI] Broken links docs
#44189 [jdbc-ping] SQLIntegrityConstraintViolationException: Duplicate entry infinispan
#44229 Unexpected FORMAT_FAILURE error when using cache-config-file with feature-disabled=persistent-user-sessions infinispan
#44269 Admin Client creates malformed paths for requests admin/client-js
#44287 Caching of static theme resources in dev mode is disabled core

Keycloak DevDay 2026: Schedule is ready! Grab the last tickets!

Sebastian Rose — Mon, 24 Nov 2025 00:00:00 GMT

We (Niko and Sebastian) want to give you the chance to grab one of the last available tickets for the Keycloak DevDay 2026! DevDay is taking place for the third time, on March 5th and 6th, 2026. Again, in Darmstadt, Germany, just 30 minutes away from Frankfurt/Main, see https://www.keycloak-day.dev for details.

Our schedule is ready!

Check out the great talks lined up for the first day at the conference schedule

As already announced, the Keycloak DevDay — the Keycloak community conference — expands to an exciting two-day event.

Composing the schedule was really hard work for us. We took our time — and rejecting proposals was one of the hardest parts. Thanks, everyone! And please submit your proposals again next year — we’d love to hear from you. The number and quality of submissions was absolutely awesome.

Limited amount of tickets left

Tickets are running out quickly, sales may end soon. Be quick! Unfortunately, the two-day ticket variant is already sold out.

We can’t wait to welcome you in Darmstadt in March 2026! 🚀

Keycloak 26.4.5 released

Wed, 12 Nov 2025 00:00:00 GMT

To download the release go to Keycloak downloads.

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Bugs

#42601 Flaky test: org.keycloak.testsuite.broker.KcOidcBrokerTest#testPostBrokerLoginFlowWithOTP ci
#43212 Document missing artifact dependency for UserStoragePrivateUtil docs
#43564 Invalid liquibase check sum for jpa-changelog-2.5.0.xml core
#43718 Email Not Persisted During Registration When "Email as Username" is Enabled and User Edit Permission is Disabled user-profile
#43793 import does not seem to run db migration import-export
#43883 Creating group policy on a client uses "manage-clients" role if FGAP V1 is disabled authorization-services
#44010 Ordering attributes will unset the unmanaged attribute policy user-profile
#44031 Can't build keycloak 26.4.4 with quarkus.launch.rebuild=true dist/quarkus
#44056 Allow only normalized URLs in requests caused a regression in view authz permission details in Admin Consol admin/ui
#44117 DockerClientTest failure testsuite

Keycloak 26.4.4 released

Fri, 7 Nov 2025 00:00:00 GMT

To download the release go to Keycloak downloads.

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Enhancements

#10388 Allow to hide client scopes from scopes_supported in discovery endpoint
#43076 Add rate limiter for sending verification emails in context of update email
#43509 Role authorization for workflows. admin/api

Bugs

#41270 Cannot save new attribute group admin/ui
#41271 Changing user profile attribute results in an error everytime admin/ui
#43082 ExternalLinksTest is broken due to missing path parameters docs
#43091 Duplicate Email Fields on Temporarily Locked Out Sign In With Organization Identity-First Login login/ui
#43160 Regression in DEBUG_PORT handling since 26.4.0 – host binding (*:port / 0.0.0.0:port) no longer works dist/quarkus
#43460 FGAP/UI: `reset-password` succeeds but UI shows 403 without Users:manage admin/fine-grained-permissions
#43505 DPoP proof replay check doesn't consider clock skew oidc
#43516 Deleting Client is slow and fails when a lot of client sessions exist core
#43578 "admin" client role now requires server admin user admin/api
#43579 403 Forbidden when assigning realm-management client roles with realm-admin despite FGAP disabled (regression in 26.4.0+) admin/fine-grained-permissions
#43596 FGAP: user can no longer open account management page, broken by `reset-password` admin/fine-grained-permissions
#43621 Version 26.4.1 breaks existing ldap users with capital letters in username ldap
#43682 When syncing roles, the database layer can see deadlocks
#43698 Role Mapper is updating the user every time on login identity-brokering
#43723 Only add the none verifier when attestation conveyance preference is none (or default) authentication/webauthn
#43734 Refresh token allowed for offline session even the related scope is removed
#43736 FGAP V2: reset-password scope error when viewing users with Group permissions only core
#43744 Increased memory usage due to leaking KeycloakSession instances admin/api
#43759 QuarkusKeycloakSession not garbage collected when running Liquibase dist/quarkus
#43761 QuarkusKeycloakSession kept in memory for each timer core
#43763 Normalizing of Keycloak URLs not documented dist/quarkus
#43774 Under OLMv1 service monitor check uses wrong namespace operator
#43785 QuarkusKeycloakSession leak in DeclarativeUserProfileProvider user-profile
#43853 Ensure the logout endpoint removes the authentication session oidc
#43863 JS CI failing after normalization testsuite

Keycloak 26.4.2 released

Thu, 23 Oct 2025 00:00:00 GMT

To download the release go to Keycloak downloads.

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Enhancements

#42991 Final review and update for UPDATE_EMAIL documentation docs
#43351 Make pending email verification attribute removable by admin user-profile
#43650 SPIFFE should support OIDC JWK endpoint

Bugs

#26374 Workflow failure: Quarkus IT - FipsDistTest#testUnsupportedHttpsPkcs12KeyStoreInStrictMode ci
#30939 Vulnerability in brute force detection settings authentication
#43022 Incorrect Basic Auth encoding for OIDC IDentity Provider when Client ID contains colon identity-brokering
#43191 Upgrade guide for 26.4.0 should mention new minimal PostgreSQL server version 13 requirement docs
#43244 UI crash on admin `/users/add-user` since 26.4.0 admin/ui
#43544 Intra-document links not rendered in downstream docs
#43561 Server does not shutdown gracefully when started with --optimized core

Recovery Authentication Codes

Ricardo Martin Camarero — Mon, 20 Oct 2025 00:00:00 GMT

Recovery Codes are a supported authentication method in Keycloak since version 26.3.0. At that time, the new feature was not properly presented in this blog, but this new entry tries to address that oversight.

If you prefer watching a video instead of reading this blog, Niko Köbler published Keycloak Recovery Authentication Codes in youtube. Although the video is two years old, when the feature was in preview, it still stands for almost everything and it is very recommendable. This entry updates the recovery codes status when the feature is finally supported.

What are Recovery authentication codes?

Recovery codes are a Second Factor Authentication (2FA) method which can be used as a backup option to avoid losing access to your account. Therefore, they can be configured or enabled in the authentication flow to give another chance to login in case the OTP or WebAuthn device is unavailable (for example your phone or yubikey are broken or lost).

Technically the recovery codes are twelve sequential one-time passwords auto-generated by Keycloak. The authentication process asks the user for the next generated code in order. When that code is introduced, it is removed and the following code will be required in the subsequent login.

Enable recovery codes for authentication

The default browser flow already contains recovery codes as a 2FA sub-step, but the authenticator is disabled by default. You just need to enable it to make it available for the login. In the administration console, Authentication → Flows, select the browser flow. Under the step Browser - Conditional 2FA, OTP Form is set to Alternative, but Recovery Authentication Code Form is Disabled. Change the latter to Alternative too.

With this configuration, both alternative methods are available to login. Recovery codes can be integrated in more complex authentication flows if needed.

Setup recovery codes for the final user

The administrator can force any account to setup the recovery codes credentials assigning the Recovery Authentication Codes required action to that specific user. The administrator can also enforce the action to all new users setting the action as a default action (Authentication → Required Actions → Recovery Authentication Codes). In this regard, the recovery codes are just another required action that can be used normally inside Keycloak.

Via required action or just manually clicking this credential type in the account console, the user can setup and store the codes. The twelve passwords should be saved in a secure place.

In the account console, Account Security → Signing in, the Recovery authentication codes section will appear as soon as the step is enabled in the authentication flow. Click the Set up Recovery authentication codes link to start the setup.

Keycloak generates and presents the codes. The list of passwords needs to be copied or saved by the final user. To ensure this step is done, a checkbox is displayed: I have saved these codes somewhere safe. It needs to be acknowledged to complete the setup.

Now the recovery codes are configured in the account and can be used as 2FA to login.

The list of codes can be re-generated in the account console at any time.

Login

With the previous steps completed, the user can access the Keycloak login page. The username and password form is presented.

If OTP is also configured for the account, the OTP form is displayed for the 2FA step. But this time, the OTP application is not available, because my phone is out of battery for example. The user clicks the Try Another Way button.

The Recovery Authentication Code option is selected.

Code #1 is requested because recovery codes are used for the first time. Remember they are requested and consumed in order.

The user enters the code, clicks Sign in, and the login will be completed successfully.

Extra information

The account console warns you when the recovery codes are running out. The default warning threshold is four (less than four codes remaining), but this value can be modified in the required action configuration.

Recovery Codes and OTP can be configured by the user at the same time. The Configure OTP required action has a switch to enable this feature (Authentication → Required actions). When activated, the setup for OTP enforces the user to also configure recovery codes if the account has not configure them before.

As a final comment, the setup for recovery codes is also presented when the last code is used to login. This way, the list is re-generated again when all the passwords are consumed.

Keycloak 26.4.1 released

Thu, 16 Oct 2025 00:00:00 GMT

To download the release go to Keycloak downloads.

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

New features

#43020 Secure Client-Initiated Renegotiation - disable by default dist/quarkus

Enhancements

#42990 Hide read-only email attribute in update profile context with update email enabled user-profile
#43357 JDBC_PING should publish its physical address on startup

Bugs

#40965 Group permission denies to view user admin/fine-grained-permissions
#41292 openid-connect flow is missing response type on language change authentication
#42565 Standard Token Exchange: chain of exchanges eventually fails token-exchange
#42676 Security Defenses realm settings lost when switching between Headers and Brute Force Detection tabs (v25+) admin/ui
#42907 Race condition in authorization service leads to NullPointerException when evaluating permissions during concurrent resource deletion authorization-services
#43042 Avoid NPE in FederatedJWTClientAuthenticator when checking for supported assertion types core
#43070 Update email page with pending verification email messages prefilled with old email user-profile
#43096 keycloak-operator 26.4.0 missing clusterrole permissions docs
#43104 Release notes fix for update email docs
#43161 Restarting an user session broken for persistent sessions infinispan
#43164 Keycloak docs state that only TLSv1.3 is used docs
#43218 Cannot revoke access token generated by Standard Token Exchange oidc
#43254 Make sure username and email attributes are lower cased when fetching their values from LDAP object ldap
#43269 Keycloak 26.4 returns a different error response on a token request without Client Assertion (private_key_jwt client authentication) from Keycloak 26.3 does oidc
#43270 Keycloak 26.4 returns a different error response on a CIBA backchannel authentication request without Client Assertion (private_key_jwt client authentication) from Keycloak 26.3 does oidc
#43286 Broken links on DB server configuration guide docs
#43304 SAML Client - Encrypt assertions toggle shows wrong dialog text (Client signature required) saml
#43328 "Remember me" user sessions remain valid after "remember me" realm setting is disabled authentication
#43335 First JDBC_PING initialization happens in the JTA transaction context infinispan
#43349 Client session may be lost during session restart infinispan
#43394 SPIFFE client authentication does not work when JWT SVID includes `iss` claim
#43459 Invalid YAML in advanced Operator configurations docs

Official Support for DPoP in Keycloak 26.4

Giuseppe Graziano — Thu, 9 Oct 2025 00:00:00 GMT

DPoP has been available in Keycloak since version 23.0.0, but only as a preview feature. With the release of Keycloak 26.4, we’re happy to share that OAuth 2.0 Demonstrating Proof-of-Possession (DPoP) is now officially supported.

What is DPoP? 🔑

DPoP is a Proof-of-Possession mechanism that improves OAuth token security by binding a token (access or refresh) to a public/private key pair controlled by the client. By requiring a signed DPoP proof with each request, DPoP ensures that a stolen bearer token cannot be used without possession of the associated private key. This significantly improves token security in distributed systems.

What’s New for DPoP in 26.4 🆕

DPoP is now a supported feature and includes some improvements and minor capabilities:

Support for all Keycloak endpoints that accept bearer tokens, including the Admin REST API and the Account API.
Option to bind only refresh tokens for public clients, while leaving access tokens as bearer if required.
Ability to request the dpop_jkt parameter in OIDC authorization requests.

For full details, see the official documentation.

How to enable and use DPoP in Keycloak 🚀

If you want to force a client to use DPoP, you need to enable the Require DPoP bound tokens switch in the Admin Console Settings tab under Capability config.

If Require DPoP bound tokens is off, the client can still send a DPoP proof in the token request. In that case, Keycloak verifies it and adds the thumbprint to the token, but DPoP binding is not enforced.

Try It Out 🔍

If you want to experiment with DPoP in practice, you can try it out using the Keycloak FAPI Playground, which includes example client configurations and test flows that demonstrate how DPoP works end-to-end.

We’d love to hear what you think about this feature and how we can improve it. Feedback and contributions from the community are always welcome.

Keycloak JS 26.2.1 released

Thu, 9 Oct 2025 00:00:00 GMT

Highlights

This release of Keycloak JS is the first release after our initial announcement to split if off from the main project release cycle. This release is the result of a large internal refactor to make the code more maintainable and make use of modern JavaScript language features, as well as to introduce a new test suite with more comprehensive test coverage. Even though much has changed under the hood, this is a patch releases, and there should be no breaking changes for users, only bugfixes and small enhancements.

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

Keycloak celebrates 30k stars! 🎉

Keycloak Team — Wed, 8 Oct 2025 00:00:00 GMT

This is a huge moment for all of us! 🚀🎉

Reaching 30,000 stars on GitHub is not just another number — it is a powerful signal of how far Keycloak has come, how much trust the community has placed in it, and how essential it has become in the world of open source Identity and Access Management (IAM).

30,000 stars is a testament to a thriving global community, the trust of developers and enterprises, and Keycloak’s place as the go-to open source solution for securing apps and services. It is a milestone that reflects years of collaboration, contribution, and community passion — and we couldn’t be prouder.

We’re deeply grateful to our users and contributors whose support and contributions turned this milestone into reality — this wouldn’t have been possible without you!

As seen on the graph below, Keycloak just keeps getting more and more love on GitHub, with stars growing faster every year. It is clear that more people are discovering and relying on it for their IAM needs.

Keycloak is on a great track and the community momentum is stronger than ever. 🚀

Thank YOU!

Over the years, more than 1,350+ contributors have shaped Keycloak into what it is today. From fixing bugs and adding features to improving docs and helping others, every contribution has played a role in making the project thrive.

This incredible community effort is what turned Keycloak into one of the most trusted open source solutions for securing applications and services.

We’re grateful to every single contributor who has helped make Keycloak better and better! 🎉

Let’s give it up for Keycloak’s top contributors (more than 10 contributions):

Thank you all!

Meet Keycloak at KubeCon NA in Atlanta, Georgia November 2025

Ryan Emerson — Fri, 3 Oct 2025 00:00:00 GMT

We are thrilled to announce that Keycloak will be at this year’s KubeCon NA, November 10-13th 2025, in Atlanta, Georgia.

Keycloak’s presence at previous KubeCons was a huge success, and we are always eager to meet Keycloak enthusiasts, users and newcomers alike. At this year’s event we will be hosting a Kiosk in the Project Pavilion, as well as presenting multiple Keycloak talks.

Keycloak community Meet & Greet at the Project Pavilion

Yoshiyuki Tabata from Hitachi, Ryan Emerson and Martin Bartos from IBM, and other contributors will be hosting a Keycloak kiosk at the Project Pavilion. This is a great chance to meet people who use Keycloak, contribute to Keycloak, take our survey about new Keycloak features, and get some cool swag!

Keycloak Kiosk (booth 11B) opening hours:

Tuesday, November 11: 15:30 - 19:45
Wednesday, November 12: 14:00 - 17:00
Thursday, November 13: 12:30 - 14:00

Presentations

A Journey to Zero-Downtime Upgrades with Keycloak

Martin Bartos and Ryan Emerson will be presenting a talk on A Journey to Zero-Downtime Upgrades with Keycloak.

Wednesday, November 12, 16:00 - 16:30pm
A Journey to Zero-Downtime Upgrades with Keycloak
By Martin Bartos & Ryan Emerson from IBM.

Modern PostgreSQL Authorization With Keycloak

Yoshiyuki Tabata and Gabriele Bartolini will be preseneting a talk on Modern PostgreSQL Authorization With Keycloak: Cloud Native Identity Meets Database Security.

Tuesday, November 11, 17:45 - 18:15pm
Modern PostgreSQL Authorization With Keycloak: Cloud Native Identity Meets Database Security
By Yoshiyuki Tabata, Hitachi & Gabriele Bartolini, EnterpriseDB

See you soon!

We’re preparing for KubeCon NA 2025 and can’t wait to connect with our community. Mark your calendars and join us.

See you in Atlanta!

Automating Administrative Tasks with Workflows in Keycloak 26.4 (experimental)

Stefan Guilhen — Thu, 2 Oct 2025 00:00:00 GMT

What are Workflows and What Problems Do They Solve?

At its core, the Workflows feature is an automation engine for administrative tasks. It empowers Keycloak administrators to define a series of steps that run automatically in response to specific events. The primary motivation behind this feature is to build a robust identity governance model within Keycloak while reducing manual, repetitive work.

In any organization, managing the lifecycle of users and other resources is a critical but often time-consuming task. For example, failing to disable or remove inactive user accounts can create significant security vulnerabilities. Similarly, manually onboarding new users to specific roles or groups is inefficient and prone to error. Workflows aim to solve these problems by providing a flexible framework to automate these essential processes.

Workflows and Identity Governance and Administration (IGA)

The introduction of Workflows is a significant step forward for Keycloak in the realm of Identity Governance and Administration (IGA). IGA is a policy-based approach to identity management and access control that helps organizations strengthen security, meet compliance requirements, and improve operational efficiency.

By allowing administrators to define automated processes for managing the user lifecycle, Workflows directly address key IGA principles. This automation not only enhances security by addressing inactive accounts but also reduces the administrative burden on processes that can be fully automated, like onboarding and offboarding users.

Core Capabilities

In its initial experimental release, the Workflows feature focuses on the following core capabilities:

User-Centric Automation: In this first iteration, the feature is primarily targeted at automating tasks related to the management of user resources. However, the concept is designed to be extensible and could be enhanced in the future to manage other realm components like clients, organizations, or identity providers.

Event-Driven Triggers: Workflows are triggered by events within the realm. This includes not only user-triggered events, such as logins, but also administrative events, such as a user being added to a group or being assigned a role.

Configurable Steps and Conditions: A workflow consists of one or more steps that are executed in sequence if the conditions are satisfied. The conditions are evaluated in addition to the event trigger, allowing for the definition of workflows for resources that match specific set of conditions (e.g. users not in the 'admin' role or users from a specific identity provider).

Schedulable Steps: Steps can be configured to run immediately or after a specified delay. This is particularly useful for scenarios like notifying users of impending account deactivation after a period of inactivity.

The steps and conditions have their own SPIs, allowing for custom implementations to be plugged in if the built-in options do not meet your requirements. Implementations are referenced by their providerId in the respective uses property in the workflow definition - more on that in the example below.

For the first iteration, the goal was to provide a set of capabilities to allow administrators to detect and act on inactive accounts. To achieve that, the following built-in steps can be configured within a workflow:

notify-user: Sends automated email notifications to users to inform their accounts can be disabled/deleted.
disable-user: Disables the user account.
delete-user: Automatically removes an account from the system.

Future release will introduce other built-in steps to aid in onboarding and offboarding users, such as join/leave groups, assign/unassign roles, add/remove user attributes, join/leave organizations, etc.

As for the events that can trigger a workflow, the following are supported in this first release:

USER_LOGIN: Triggered when a user successfully logs in
USER_ADD: Triggered when a user is created or registered
USER_GROUP_MEMBERSHIP_ADD: Triggered when a user is added to a group
USER_ROLE_ADD: Triggered when a user is assigned a role

The conditions that can be used to filter the resources that will be affected by a workflow include:

is-member-of(group): Checks if a user is a member of a specific group
has-role(role): Checks if a user has a specific role
has-user-attribute(key, value): Checks if a user has a specific attribute with a given value
has-identity-provider-link(identity-provider): Checks if a user is linked to a specific identity provider

Example in Action 🚀

Let’s walk through a practical example of how to use the feature by setting up a workflow that notifies and disables users who are not admins after some period of inactivity. For the purposes of this demonstration, we will use short timespans, but in a real-world scenario, you would likely use longer periods (e.g., 60 days, 90 days, etc).

Enable Workflows:

The first step is to enable the feature when starting Keycloak:

./kc.sh start-dev --features=workflows --spi-events-listener--workflow-event-listener--step-runner-task-interval=1000 --log-level="INFO,org.keycloak.models.workflow:DEBUG"

The step-runner-task-interval configuration is optional and is used to change the interval at which the background task that executes the scheduled steps runs. By default, it is set to 12 hours, but for demonstration purposes we are setting it to run every second.

The log-level was also adjusted so we can see what is happening during the execution of the workflow.

Create a Workflow:

As this is an experimental feature, it is recommended that you test it using a new realm in a non-production environment.

Access the Admin Console, then create a new realm and add two users to it:
- User 1: alice (no special roles)
- User 2: bob (assign the realm-management/realm-admin role to this user)
Make sure to set up the email settings for the realm so the notification step can send emails.
In the new realm, navigate to the Workflows section under the Configure menu:
Click on Create Workflow to define a new workflow. At this moment the UI is very simple and takes a JSON representation of the workflow as input.

Paste the following JSON into the editor to create the test workflow:

{
  "name": "disable inactive users",
  "uses": "event-based-workflow",
  "on": "USER_LOGIN",
  "reset-on": "USER_LOGIN",
  "if": [
    {
      "uses":"expression",
      "with": {
        "expression": "!has-role(\"realm-management/realm-admin\")"
      }
    }
  ],
  "steps":[
    {
      "uses":"notify-user",
      "after": "30000",
      "with":{
        "custom_message": "Your account can be disabled due to inactivity!"
      }
    },
    {
      "uses":"disable-user",
      "after":"30000"
    }
  ]
}

Click on Save to save the workflow.

Most of the workflow definition is self-explanatory, but it is worth highlighting a few points:

The reset-on property is also set to USER_LOGIN, which means that if the user logs in again before the workflow completes, it will be reset and started over. This is important when we track inactive users, as we want to reset the workflow if they become active again.
As mentioned before, the uses property references the providerId of the step or condition implementation to be used.
The condition is using an expression to check if the user does not have the realm-admin role. The expression can be used to combine multiple conditions using the logical operators AND, OR, !(NOT) and parentheses. So it is possible to do something like !has-role("admin") AND has-user-attribute("department","engineering").
The steps can have an after property that defines when the step should run. The value is always relative to the previous step, so in the example above, the disable-user step will run 30 seconds after the notify-user step completes.
Additional properties of steps can be specified in the with section. In the example above, we are customizing the notification email message.

Test the Workflow

Go to the account console (realms/{your-realm}/account) and log in as alice. You should see the following in the server logs:

2025-10-01 12:33:46,320 DEBUG [org.keycloak.models.workflow.WorkflowExecutionContext] (executor-thread-37) Started workflow 'disable inactive users' for resource 8bddd017-5e0d-493d-a8d5-a657721299e4 (execution id: ea42006c-b7e1-421a-b6dc-44ece45f4011)
2025-10-01 12:33:46,320 DEBUG [org.keycloak.models.workflow.WorkflowsManager] (executor-thread-37) Scheduling step notify-user to run in 30000 ms for resource 8bddd017-5e0d-493d-a8d5-a657721299e4 (execution id: ea42006c-b7e1-421a-b6dc-44ece45f4011)

This indicates the workflow was activated for alice when they logged in as they do not have the realm-admin role.

If you wait 30 seconds, the notification email should be sent, and you should see the following in the logs:

2025-10-01 12:34:16,425 DEBUG [org.keycloak.models.workflow.WorkflowsManager] (Timer-0) Running step notify-user on resource 8bddd017-5e0d-493d-a8d5-a657721299e4 (execution id: ea42006c-b7e1-421a-b6dc-44ece45f4011)
2025-10-01 12:34:16,433 DEBUG [org.keycloak.models.workflow.NotifyUserStepProvider] (Timer-0) Notification email sent to user alice (alice@keycloak.org)
2025-10-01 12:34:16,433 DEBUG [org.keycloak.models.workflow.WorkflowExecutionContext] (Timer-0) Step notify-user completed successfully (execution id: ea42006c-b7e1-421a-b6dc-44ece45f4011)
2025-10-01 12:34:16,433 DEBUG [org.keycloak.models.workflow.WorkflowsManager] (Timer-0) Scheduling step disable-user to run in 30000 ms for resource 8bddd017-5e0d-493d-a8d5-a657721299e4 (execution id: ea42006c-b7e1-421a-b6dc-44ece45f4011)

At this point, the notification step was executed, and the disable step was scheduled to run in another 30 seconds. To simulate alice reacting to the e-mail, we will reload the account page to force a new login, which should reset the workflow as seen in the logs:

2025-10-01 12:34:46,997 DEBUG [org.keycloak.models.workflow.WorkflowExecutionContext] (executor-thread-39) Restarted workflow 'disable inactive users' for resource 8bddd017-5e0d-493d-a8d5-a657721299e4 (execution id: ea42006c-b7e1-421a-b6dc-44ece45f4011)
2025-10-01 12:34:46,997 DEBUG [org.keycloak.models.workflow.WorkflowsManager] (executor-thread-39) Scheduling step notify-user to run in 30000 ms for resource 8bddd017-5e0d-493d-a8d5-a657721299e4 (execution id: ea42006c-b7e1-421a-b6dc-44ece45f4011)

As can be seen, once alice became active again, the workflow was restarted, and the steps were rescheduled.

If we now wait for a whole minute, we should see the entire workflow executing:

2025-10-01 12:35:17,430 DEBUG [org.keycloak.models.workflow.WorkflowsManager] (Timer-0) Running step notify-user on resource 8bddd017-5e0d-493d-a8d5-a657721299e4 (execution id: ea42006c-b7e1-421a-b6dc-44ece45f4011)
2025-10-01 12:35:17,441 DEBUG [org.keycloak.models.workflow.WorkflowExecutionContext] (Timer-0) Step notify-user completed successfully (execution id: ea42006c-b7e1-421a-b6dc-44ece45f4011)
2025-10-01 12:35:17,442 DEBUG [org.keycloak.models.workflow.WorkflowsManager] (Timer-0) Scheduling step disable-user to run in 30000 ms for resource 8bddd017-5e0d-493d-a8d5-a657721299e4 (execution id: ea42006c-b7e1-421a-b6dc-44ece45f4011)
2025-10-01 12:35:48,435 DEBUG [org.keycloak.models.workflow.WorkflowsManager] (Timer-0) Running step disable-user on resource 8bddd017-5e0d-493d-a8d5-a657721299e4 (execution id: ea42006c-b7e1-421a-b6dc-44ece45f4011)
2025-10-01 12:35:48,436 DEBUG [org.keycloak.models.workflow.WorkflowExecutionContext] (Timer-0) Step disable-user completed successfully (execution id: ea42006c-b7e1-421a-b6dc-44ece45f4011)
2025-10-01 12:35:48,436 DEBUG [org.keycloak.models.workflow.WorkflowExecutionContext] (Timer-0) Workflow 'disable inactive users' completed for resource 8bddd017-5e0d-493d-a8d5-a657721299e4 (execution id: ea42006c-b7e1-421a-b6dc-44ece45f4011)

At this point, the workflow has completed, and `alice’s account has been disabled.

Repeating the steps with user bob should show that the workflow is not activated for this user, as they have the realm-admin role. So nothing should be printed in the logs when bob logs in.

Roadmap and Future Features

The roadmap for the Workflows feature is to get it to supported status in Keycloak 26.5. It is under active development, so it is possible that some details shown in this blog post change before it becomes supported. Among the planned improvements are:

Additional built-in steps to cover more use cases, particularly around onboarding and offboarding users.
Additional events that can trigger workflows, such as USER_UPDATED, USER_GROUP_MEMBERSHIP_REMOVE, USER_ROLE_REMOVE, USER_ORGANIZATION_ADD/REMOVE, etc.
Support for workflow templates to simplify the creation of common workflows.
Support for workflows in YAML format in addition to JSON.
Allow admins to assign workflows to existing resources, not only have them triggered by events.
Improvements to the UI.
Quality of life improvements - e.g., ability to use 30d or 12h instead of the time in milliseconds, along with other simplifications to the workflow definition.
Allow better control over the background task that runs the scheduled steps, going beyond just the time interval and allowing configuration of the exact time of day it runs, etc.

You can follow the progress of the feature on GitHub: https://github.com/keycloak/keycloak/issues/39888.

Join the discussion and development

We highly encourage our users to try out the feature and provide feedback. We’ve opened a dedicated discussion thread in Github, so feel free to comment/discuss the features there or even in the Epic linked above. As usual, contributions and feedback are more than welcome! Let’s together make Keycloak even better with Workflows!

Keycloak Performance Benchmarks: A Deep Dive into Scaling and Sizing (26.4)

Pedro Ruivo — Wed, 1 Oct 2025 00:00:00 GMT

When deploying a mission-critical component like Keycloak, performance is a top concern. Questions about resource requirements, high availability, and network latency are crucial for a successful and stable production environment. To provide a clear, data-driven perspective on these topics, we conducted a series of benchmarks on the latest Keycloak version 26.4. In this post, we’ll share our findings on how Keycloak scales with increasing load, performs under artificial network latency, and leverages caching to optimize database usage.

Share your feedback about this blog post in our forum!

Environment

OpenShift 4.17 deployed across three availability zones in eu-west-1.
- Provisioned using Red Hat OpenShift Service on AWS (ROSA), with ROSA HCP.
- At least one worker node in each availability zone.
Amazon Aurora PostgreSQL 17.5 database.
- Configured for high availability, with a primary DB instance in one availability zone and synchronously replicated readers in the other availability zones.
- Database populated with 100,000 users.
Keycloak Benchmark as the load generator.
- The benchmark ran on 20 to 50 t4g.small AWS instances in the same region.

Scaling Keycloak

One of the most common questions when deploying Keycloak is: how many resources do I need? The answer, as you may have guessed, is that it depends on your specific use case.

For this test, we scaled only the login and refresh token requests. Based on Keycloak’s Concepts for sizing CPU and memory resources documentation, we determined that you need 1 vCPU to handle 15 logins per second and an additional 1 vCPU to handle 120 refresh token requests per second.

After computing the total number of vCPUs required, we divided the value by the desired number of Pods, which was three in this case (one for each availability zone). We allocated slightly more vCPU to each Pod than the calculated value to account for JVM background tasks like compilations and garbage collection.

Because our test used a constant load, we did not allocate as much CPU as we typically recommend. We strongly recommend leaving 150% extra headroom for CPU usage to handle spikes in load, as mentioned in our documentation.

Memory was increased when we observed high CPU usage by the garbage collector (GC). It is difficult to formulate a precise memory requirement because it depends not only on the Keycloak data but also on the number of concurrent requests.

The database instance type was chosen based on observation. If we observed failing requests or a 99th percentile response time above 100ms with database CPU usage exceeding 80%, we repeated the test using the next larger database instance type.

A summary of the results can be observed in the table below.

Table 1. Keycloak performance with load
OCP Instance Type	DB Instance Type	Pod CPU limit	Pod Memory Limit (GB)	# Pods	Logins/sec	Token Refreshes/sec
`c8g.8xlarge`	`db.r8g.2xlarge`	24	4	3	500	2500
`c8g.8xlarge`	`db.r8g.4xlarge`	40	8	3	1000	5000
`c8g.24xlarge`	`db.r8g.16xlarge`	74	8	3	2000	10000

Based on the overall results, we can confirm that Keycloak scales vertically almost linearly in the tested range.

Except the last test, we used the default Keycloak configuration. For the final test, we had to increase the number of threads (using the http-pool-max-threads option) to 330 for the scenario with the 2,000 logins and 10,000 token refreshes.

We scaled up the OpenShift Ingress Routers because we were observing connection errors on the load generator.

The following images illustrate how the requests correlated with the configured CPU and memory limits.

CPU limits

Memory limits

Latency

Now that we have an understanding of the resources needed, our focus shifts to achieving high availability. A key aspect of this is deploying Keycloak across different availability zones, which, by its nature, introduces additional latency between Keycloak’s Pods. This leads us to a crucial question: how does Keycloak behave under these conditions?

To find out, we used Chaos Mesh to introduce an artificial delay to all outgoing network packets. The table below specifies the round-trip delay increase, corresponding to the first column. Since Keycloak 26.4 includes performance improvements for high availability deployments across different availability zones, we compare the results with the previous release, Keycloak 26.3.5. For Keycloak 26.3, we set spi-user-sessions—infinispan—use-batches to false to achieve a better response time (this option is disabled by default in Keycloak 26.4).

For this test, we used the 500 logins/second and 2,500 token refreshes/second setup. The table below summarizes the gathered data, where the 99th percentile of the response time is taken from the Gatling report.

Table 2. Network latency - Response Time (ms, 99th pct)
Round-Trip Delay (ms)	Keycloak 26.3	Keycloak 26.4
0	51	47
10	116	84
20	1076	130

As anticipated, Keycloak’s performance degrades under high-latency network conditions. Round-trip delays of 10ms already push response times into the three-digit millisecond range.

For multi-availability zone deployments, Keycloak performs well because most cloud providers offer very low latency networks within the same region. However, we do not recommend deploying Keycloak across different regions as the increased latency and potential for network instability can significantly degrade performance and reliability.

A visual representation of these results can be found below.

Latency impact on response time

Caching

Finally, let’s look at the impact of caching.

Have you ever wondered how large your Keycloak cache should be? While we don’t have a clear answer on that, we can tell you that increasing the cache size did not lead to any visible improvements in request response times during our tests.

However, it had a significant impact on something that is not directly visible to users: the Aurora Database peak CPU usage. The table below illustrates how the database’s peak CPU usage changed as we varied the Keycloak cache size.

For this benchmark, we used the 500 logins/second and 2,500 token refreshes/second setup.

Table 3. Cache size impact in DB usage
Cache Size	Aurora CPU usage (%, peak)
10000	77.77
20000	76.92
50000	75.13
100000	66.12
200000	63.77

Our tests show that increasing the Keycloak cache size significantly reduces the Aurora Database’s peak CPU usage, which dropped from 77% to 63%.

While this change had a minimal impact on overall memory usage, increasing it from 1.30 GB to 1.45 GB, we did observe an expected rise in average Garbage Collection (GC) pauses, from 3.99ms to 4.91ms. Both of these behaviors are expected, as a larger cache naturally requires more memory, leading to slightly longer GC pauses.

A visual representation of these results can be found in the chart below.

Cache size and Aurora peak CPU usage

To monitor the number of entries in the caches and how often entries are evicted to make space for new entries, see our metrics guide for embedded caches. This information is also visualized in our Grafana dashboard.

Conclusion

Our benchmark results confirm that Keycloak is a robust and highly scalable identity and access management solution. We have shown that with careful planning and proper resource allocation, Keycloak can handle significant loads while scaling almost linearly to 12,000 requests per second.

The data also underscores the importance of a low-latency network for multi-zone deployments and the significant role of caching in reducing database strain. By taking these factors into account, you can deploy and operate Keycloak with more confidence.

The tools and scripts we used for this are available in the Keycloak Benchmark GitHub repository, so you can use them to test your specific loads in your own environment.

Share your feedback about this blog post in our forum!

Keycloak Client Libraries 26.0.7 released

Wed, 1 Oct 2025 00:00:00 GMT

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Enhancements

#176 Update RELEASE-CHECKLIST.md and README.md files client
#187 Sync after Keycloak server 26.4.0 release client

Bugs

#184 EdECUtilsImpl is not included in keycloak-client-common-synced client

Keycloak 26.4.0 released

Tue, 30 Sep 2025 00:00:00 GMT

To download the release go to Keycloak downloads.

Highlights

This release features new capabilities focused on security enhancements, deeper integration, and improved server administration. The highlights of this release are:

Passkeys for seamless, passwordless authentication of users.
Federated Client Authentication to use SPIFFE or Kubernetes service account tokens for client authentication.
Simplified deployments across multiple availability zones to boost availability.
FAPI 2 Final: Keycloak now supports the final specifications of FAPI 2.0 Security Profile and FAPI 2.0 Message Signing.
DPoP: The OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP) is now fully supported. Improvements include the ability to bind only refresh tokens for public clients, and securing all Keycloak endpoints with DPoP tokens.

Read on to learn more about each new feature. If you are upgrading from a previous release, review also the changes listed in the upgrading guide.

Security and Standards

Passkeys integration (supported)

Passkeys are now seamlessly integrated in the Keycloak login forms using both conditional and modal UIs. To activate the integration in the realm, go to Authentication, Policies, Webauthn Passwordless Policy and switch Enable Passkeys to enabled.

For more information, see Passkeys.

FAPI 2 Final (supported)

Keycloak has support for the latest versions of FAPI 2 specifications. Specifications FAPI 2.0 Security Profile and FAPI 2.0 Message Signing are already promoted to Final and Keycloak supports them. Keycloak client policies support the final versions and corresponding client profiles for FAPI 2 are passing the FAPI conformance test suite.

Apart from some very minor polishing of existing policies, Keycloak has new client profiles (fapi-2-dpop-security-profile and fapi-2-dpop-message-signing) for the clients that use DPoP and are intended to be FAPI 2 compliant.

Thank you to Takashi Norimatsu for contributing this.

For more details, see the Securing applications Guides.

DPoP (supported)

Keycloak has support for OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP), which was a preview feature since Keycloak 23. Also, the supported version includes some improvements and minor capabilities of the DPoP feature such as the following:

Possibility to make only refresh tokens of a public client to be DPoP bound and omit the binding of an access token.
All Keycloak endpoints that are secured by bearer token can now handle DPoP tokens. This includes, for example, the Admin REST API and Account REST API.
Possibility to require the dpop_jkt parameter in the OIDC authentication request.

Thanks to Takashi Norimatsu and Dmitry Telegin for their contributions to the DPoP feature.

For more information, see the DPoP section in the documentation.

FIPS 140-2 mode now supports EdDSA

With the upgrade to Bouncy Castle 2.1.x, the algorithm EdDSA can now be used.

Listing supported OAuth standards on one page

A new guide lists all implemented OpenID Connect related specifications. Thank you to Takashi Norimatsu for contributing this.

Integration

Federated client authentication (preview)

Identity providers are now able to federate client authentication. This allows clients to authenticate with SPIFFE JWT SVIDs, Kubernetes service account tokens, or tokens issued by an OpenID Connect identity provider.

This feature is currently preview, and expected to become supported in 26.5.

Automatic certificate management for SAML clients

The SAML clients can now be configured to automatically download the signing and encrypting certificates from the SP entity metadata descriptor endpoint. In order to use this new feature, in the client Settings tab, section Signature and Encryption, configure the Metadata descriptor URL option (the URL where the SP metadata information with the certificates is published) and activate Use metadata descriptor URL. The certificates will be automatically downloaded and cached in the public-key-storage SPI from that URL. This also allows for seamless rotation of certificates.

For more information, see Creating a SAML client in the Server Administration Guide.

Serving as an authorization server in MCP

MCP (Model Context Protocol) is an open-source standard for connecting AI applications to external systems. Using MCP, AI applications can connect to data sources, tools and workflows enabling them to access key information and perform tasks.

To comply with MCP specification, this version provides its OAuth 2.0 Server Metadata via a well-known URI whose format complies with RFC 8414 OAuth 2.0 Authorization Server Metadata specification. Therefore, Keycloak users can now use Keycloak as an authorization server for MCP.

The latest MCP specification 2025-06-18 additionally requires support for resource indicators which are currently not implemented in Keycloak.

Administration

Update Email Workflow (supported)

Users can now update their email addresses in a more secure and consistent flow. Accounts are forced to both re-authenticate and verify their emails before any account updates.

For more information, see Update Email Workflow.

Optional email domain for organizations

In earlier versions, each organization required at least one email domain, which was a limitation for some scenarios. Starting with this release, an email domain is optional. Thank you to Alexis Rico for contributing this.

When no domain is specified, organization members will not be validated against domain restrictions during authentication and profile validation.

Hiding identity providers from the Account Console

You can now control which identity providers appear in the Account Console based on different options using the Show in Account console setting. You can choose to show only those linked with a user or hide them completely.

For more information, see General configuration.

Enforce recovery codes setup after setting up OTP

If you have enabled OTPs and recovery codes as a second factor for authentication, you can configure the OTP required action to ask users to set up recovery codes once they set up an OTP. Thank you to Niko Köbler for contributing this.

New conditional authenticator

The Conditional - credential is a new authenticator that checks if a specific credential type has been used (or not used) during the authentication process. This condition is related to the Passkeys feature. It is added by Keycloak to the default browser flow to skip 2FA in case a passkey was used to log in as the primary credential.

For more information about conditional flows, see Conditions in conditional flows.

Translations managed by Weblate

The Keycloak distribution now includes 35 community translations, with Kazakh, Azerbaijani and Slovenian added in this release. Community volunteers now maintain some of the translations in Weblate to keep them up to date.

If you want to volunteer to maintain an existing or a new translation via Weblate, you can find the necessary steps in the translation guidelines.

Configuring and Running

Enhancements for single-cluster and multi-cluster setups

This release renamed multi-site to multi-cluster. The updated documentation describes how Keycloak clusters can be optionally distributed across multiple availability-zones within a region for increased availability. The Keycloak Operator now deploys Keycloak across multiple availability zones within a Kubernetes cluster by default. Keycloak also detects split-brains within a cluster.

This change should provide better availability for users who are running Keycloak in Kubernetes clusters that span multiple availability zones.

Support for additional databases and versions

With this release, we added support for the following new database vendors:

EnterpriseDB (EDB) Advanced 17.6
Azure SQL Database and Azure SQL Managed Instance

Where the previous documentation stated only tested database version, it now states all the supported database versions as well.

Expose management interface via HTTP

Previous versions exposed the management endpoint only via HTTPS when the main interface was using HTTPS.

Set the new option http-management-scheme to http to have the management interface use HTTP rather than inheriting the HTTPS settings of the main interface. This allows monitoring those endpoints in environments where no TLS client is available.

Expose health endpoints on the main HTTP(S) port

With health-enabled set to true, you may set the http-management-health-enabled to false to indicate that health endpoints should be exposed on the main HTTP(s) port instead of the management port. When this option is false you should block unwanted external traffic to /health at your proxy.

This allows using the health endpoints in environments where the load balancer might need access to those ports to direct traffic to the correct nodes.

Specify a `tlsSecret` on the Keycloak CR `ingress` spec

To support basic TLS termination (edge) deployments by the operator, you may now set the Keycloak CR spec.ingress.tlsSecret field to a TLS Secret name in the namespace.

Additional datasources configuration (supported)

Some Keycloak use cases like User Federation might require connecting to additional databases. This was possible only through specifying unsupported raw Quarkus properties in previous Keycloak versions. In this release, there are now dedicated server options for additional datasources. This allows users to leverage additional databases in their extensions in a supported and user-friendly way.

Read more about it in the Configure multiple datasources guide.

Observability

Operator creates a ServiceMonitor automatically

The Operator now provisions a ServiceMonitor for the management endpoint if metrics are enabled and the monitoring.coreos.com/v1:ServiceMonitor Custom Resource Definition is present on the Kubernetes cluster. The specification of the ServiceMonitor takes into account the various management endpoint configurations, to ensure that metrics can be scraped without any additional configuration. If you do not want a ServiceMonitor to be created, you can disable this by setting spec.serviceMonitor.enabled: false. For more details, see the Operator Guide.

HTTP access logging of incoming HTTP requests

Keycloak supports HTTP access logging to record details of incoming HTTP requests. While access logs are often used for debugging and traffic analysis, they are also important for security auditing and compliance monitoring.

For more information, see Configuring logging.

Showing context information in log messages (preview)

You can now add context information via the mapped diagnostic context (MDC) to each log message like the realm or the client that initiated the request. This helps you to track down a warning or error message in the log to a specific caller or environment Thank you to Björn Eickvonder for contributing this.

For more details on this opt-in feature, see Configuring logging.

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

New features

#19732 "linked-accounts" endpoint displays all Identity providers account/api
#40237 Add option "Requires short state parameter" to OIDC IDP authentication
#40696 Wrap deprecated passkeys authenticator behind the feature authentication/webauthn
#41316 Test suites config for the new test framework test-framework
#41357 Disable tests for specific databases and servers in test framework test-framework
#42313 Experimental SPIFFE identity provider
#42742 Supported EnterpriseDB Advanced 17
#42743 Supported Azure SQL

Enhancements

#10063 Display transport media for WebAuthn authenticators in Account console account/ui
#14644 External IDP tokens are not refreshed automatically for OAuth2 & OIDC IDPs when retrieving the external token identity-brokering
#17028 SAML: Adapter SP seamless certificate rotation saml
#19213 Allow enabling debug and verbose via environment variables dist/quarkus
#21816 Expose Keycloak config errors in the Keycloak CR status field operator
#22730 REST API returns different amount of users admin/api
#23972 Improve handling config options in scripts preventing re-augmentation
#25668 Remove duplication of MP config initialization dist/quarkus
#26277 DPoP: Allow to only DPoP-bind refresh tokens and still issue access tokens of type Bearer oidc
#26995 Bad performance when requesting events of a user
#27025 Move import/export validation to the Property Mappers dist/quarkus
#28846 Allow the target attribute on in the kcSanitize core

#29295 Exact match in users/count
#30095 High Availability guides should make distinction between single-site and multi-site deployments docs
#31285 Make domains for organisations optional
#32129 Automatically create external caches for MULTI_SITE deployments
#32569 Verify email when using UPDATE_EMAIL action without depending on realm wide setting
#33942 Make sure Keycloak endpoints have DPoP validation oidc
#34114 Operator: Support ConfigMaps for `Keycloak.spec.truststores`
#34206 Move to single approach for setting `Robots` specifications: prefer `X-Robots-Tag` header to `` tags core
#34244 Enable branding without code changes
#34777 [Operator] Use TLS secret for Ingress operator
#35441 Add FAPI 2.0 + DPoP security profile as default profile of client policies oidc
#36160 Default values for User attributes.
#36268 Configuration is not available outside of quarkus modules
#37363 Allow custom labels on Operator Ingress operator
#37600 Experimental support for authenticating clients with Kubernetes Service Accounts
#38126 Improve documentation for the HEALTHCHECK Dockerfile directive docs
#38897 Add WASM support to the MimeTypeUtil
#39293 [OID4VCI] Update credential format identifier of SD-JWT VCs from `vc+sd-jwt` to `dc+sd-jwt` oid4vc
#39299 Improve docs, and possibly defaults, around ldap pooling
#39342 Description for using too many threads / connections is incomplete core
#39658 OpenTelemetry Tracing: Visualize JGroups communication infinispan
#39812 Add filter to include/fill MDC with request specific data for json logging
#40061 Redundant null-checks. SAST
#40067 Always null field in KeySelectorUtilizingKeyNameHint. SAST
#40069 Possible dereference of Null
#40226 Review and update the documentation regarding the UPDATE EMAIL feature
#40227 Make UPDATE_EMAIL a supported feature
#40231 Improve javadoc for admin-client methods with injecting own resteasyClient admin/client-java
#40296 Update docs how to verify that a cluster has formed
#40377 Allow to expose IDP custom config values to Keycloak themes
#40388 Write documentation for additional datasources docs
#40406 Create ServiceMonitor via KC Operator
#40464 Improve extensibility of custom AccountConsole endpoint handling account/ui
#40481 Provide CLI Parameters for jgroups.* options infinispan
#40592 Upgrade to the Quarkus 3.24.2 version dist/quarkus
#40619 When editing protocol mappers, shows required properties admin/ui
#40629 Signs of fall-through behavior. SAST
#40630 Double check when working with multithreading. SAST
#40659 Possible Dereference of Null. SAST
#40660 Resources leak. SAST
#40677 Redundant null checks - operator new. SAST
#40683 Remove workaround for handling Syslog counting framing
#40687 Remove workaround for PostgreSQL and Liquibase
#40739 Avoid floating promises in UI code account/ui
#40761 Change naming for disabling additional datasource
#40792 Changing default passwordless webauthn policy to follow recommended values in the documentation authentication/webauthn
#40851 Upgrade to Infinispan 15.0.16.Final
#40855 External-internal token exchange independent from FGAP v1 token-exchange/federated
#40858 Check cluster is correctly formed in ClusteredKeycloakServer test-framework
#40874 Update code and documentation for import of a new realm
#40875 Improve memory footprint of single file realm import
#40923 Compliant with RFC8414, return server metadata at /.well-known/oauth-authorization-server/realms/{realm} core
#40926 More secure call of Facebook debug token token-exchange/federated
#40933 Allow configure encryption details for SAML clients saml
#40962 Update limitations of the preview feature rolling updates for patch releases infinispan
#40970 Run clustering compatibility tests on release/x.y branches
#41014 Operator auto update hash operator
#41022 Allow Features to declare that they support Rolling upgrades
#41034 Improve logging for client sessions load
#41045 Update email feature only enabled if the required action is enabled at the realm
#41074 Import client sessions into Infinispan concurrently for persistent sessions
#41119 FAPI 2.0 Security Profile Final - only accept its issuer identifier value as a string in the aud claim received in client authentication assertions oidc
#41120 FAPI 2.0 Security Profile Final - Add FAPI 2.0 Final security profile as default profile of client policies oidc
#41121 FAPI 2.0 Security Profile Final - Documentation oidc
#41138 Implement CompatibilityMetadataProvider for Cache CLI args
#41151 Update Traditional Chinese locale to latest version
#41161 Require setting DB kind for additional datasources dist/quarkus
#41172 Upgrade to Quarkus 3.24.3
#41176 Document supported OIDC/OAuth2 standards oidc
#41186 Upgrade to Quarkus 3.25.0 dist/quarkus
#41192 Improve handling of datasource name specified in `persistence.xml` files dist/quarkus
#41208 MDC logging should contain the authentication session and user session ID
#41214 Document configuration changes that prevent rolling updates
#41219 Document spi-user-sessions--infinispan--use-batches
#41222 Provide DB SQL options support for additional datasources dist/quarkus
#41229 Remove obsolete code for the Liquibase LogHistoryService core
#41239 Migrate to zh-Hans / zh-Hant for simplified and traditional Chinese translations
#41246 Upgrade to Quarkus 3.24.4 dist/quarkus
#41257 Upgrade to Infinispan 15.0.18.Final infinispan
#41259 Passkeys support in IdpUsernamePasswordForm authentication/webauthn
#41283 Update ua-parser to 1.6.1
#41293 Remove obsolete Liquibase FK snapshot generator storage
#41297 Implement CompatibilityMetadataProvider for DB options
#41303 Allow for health check on main interface
#41312 FAPI 2.0 Message Signing Final - Add FAPI 2.0 Final message singning as default profile of client policies oidc
#41313 FAPI 2.0 Message Signing Final - Documentation oidc
#41328 Utilise table to display Features
#41335 Kerberos "Server Principal" value should automatically trim leading/trailing whitespace
#41352 Provide simple HTTP access logs dist/quarkus
#41354 Avoid OTP when logging in with passkey
#41374 Upgrade to Quarkus 3.24.5 dist/quarkus
#41405 Add log details about client assertion for client authentication with Client-JWT
#41455 Adds TiDB into the database test matrix
#41459 Query parameter "claims" not forwarded to external provider identity-brokering
#41551 Support for key size 3072 in rsa-generated key providers
#41556 Switch passkeys to supported authentication/webauthn
#41557 Update passkeys documentation after they are supported docs
#41558 Ensure cache configuration has correct number of owners
#41559 Simplify Cache Configuration file by removing built-in cache configurations
#41561 Detect and handle KC split brain clusters
#41585 Refactor high-availability guide to include both single and multi cluster architectures
#41613 Ability to display 'authenticator provider' of the WebAuthn credential authentication/webauthn
#41625 Login[v2]: "Update email" screen is not polished login/ui
#41666 Default to stretched clusters on Kubernetes when possible
#41670 Allow forwarding the `claims` parameter from the initial authorization request to brokered OPs
#41717 Upgrade to Quarkus 3.25.2 dist/quarkus
#41729 Define default topologySpreadConstraints
#41765 Add Azerbaijani translations translations
#41766 Add the ability to set abritrary environment variables in Keycloak CR
#41820 Add a warning about provider jars
#41831 Improve autocomplete on mobile for OTP field
#41836 Add config option to Configure OTP action to automatically add RecoveryCodes action upon OTP creation.
#41837 Remove OIDCLoginProtocolService.certsHead() oidc
#41870 Kazakh (kk) locale support with translations translations
#41898 Clarify the documentation on automatic database schema downgrades core
#41901 FGAP v2: RESET_PASSWORD capability for USERS
#41933 Configure topology information in Infinispan
#41934 Infinispan 15.0.19.Final
#41950 Log applied cache configurations as part of debug logs
#42016 More flexible handling of params, headers and entities for SimpleHTTP
#42030 Could the list of supported DPoP algorithms be dynamically retrieved? oidc
#42031 Minor enhancements in the DPoP related codebase oidc
#42032 Switch DPoP feature to supported oidc
#42047 Skip configuring `jdbc-ping` stack in local mode
#42094 keycloak oob (out-of-band) copy button login/ui
#42096 Concurrently update the remote caches
#42180 Cache UserAgent parsing result
#42186 Document network latency requirements for stretched clusters
#42191 Document mtls considerations for probes
#42203 Upgrade to Quarkus 3.27 LTS
#42269 Some 409 API responses are missing from the OpenAPI spec core
#42274 Session IDs and auth codes have less than 128 bits of entropy
#42283 More efficient secure ID generator
#42286 Support EdDSA for DPoP oidc
#42293 Set Liquibase DB type based on the `db` option storage
#42300 Validate wait_timeout parameter on MySQL and MariaDB
#42304 Document tested and supported configurations for single-cluster deployments
#42305 Document that single-cluster deployments expect all Keycloak instances to serve traffic
#42308 Support Aurora PostgreSQL 17.5 in Keycloak's nightly run
#42342 Upgrade to Quarkus 3.26.2 dist/quarkus
#42356 Support MariaDB 11.8 LTS
#42358 Remove usage of the term "stretched" from single-cluster HA guides
#42374 Concurrent update embedded caches and database
#42381 [RLM] - Validate actions that support aggregating actions
#42382 [RLM] - Immediate policies should not allow setting a time to their actions
#42384 [RLM] Allow adding and removing actions to existing policies
#42385 [RLM] Scheduled time of actions should be based on the previous action
#42389 [RLM] Review the available event names to makre more explicit the resource type and the operation they are related to
#42392 Link to quay IO website for the Keycloak image in upstream docs
#42409 Wrong form to enter username and password for an unknown user organizations
#42499 Follow-up: FAPI 2.0 Message Signing final version support - updating the link to the final spec oidc
#42525 Catch specific expeception and add logging when there is no active request context
#42532 Edit Keycloak 26.4 release notes
#42547 Replace UUID with composite key for client session cache infinispan
#42564 Edit Keycloak 26.4 Upgrading Guide
#42628 Lazy load client sessions
#42697 [RLM] - Improve the Workflow JSON schema
#42705 Document Caffeine cache metrics
#42728 DPoP: documentation update oidc
#42733 Test JDK 25 in CI ci
#42740 Possibility to enforce authorization code binding to DPoP oidc
#42746 Polishing of client switch on DPoP oidc
#42751 Allow EdDSA keys in the JWTClientCredentialsProvider to authenticate clients core
#42755 [OID4VCI] Filter supported_enc_algorithms to only include asymmetric algorithms oid4vc
#42756 Add missing Swedish translation for login theme
#42888 [RLM] - Allow defining steps in a workflow that can run immediate or scheduled
#42916 [RLM] - Dot not allow updates to workflow properties that impact the scheduled steps workflows
#42927 Update OID4VCI documentation with new .well-known URL format oid4vc
#42955 Use JDK 25 Temurin in GHA CI ci
#43017 OID4VCI in the release notes for 26.4.0 docs
#43035 Allow setting max age to the update email action

Bugs

#26972 NginxProxySslClientCertificateLookupFactory unable to work with custom trust stores core
#35825 Per client session idle time capped by realm level client idle timeout core
#35932 Importing a realm takes more than 1 minute when multiple others exist. dist/quarkus
#36716 invalid_request when authenticating using PAR (Pushed Authorization Request) while Kerberos is enabled authentication
#38016 User session limit exceeded for both realm and client removes the wrong session core
#38556 Consistent behaviour for User API getUsers and count admin/api
#38924 `--debug` does not work with docker container version of Keycloak core
#38928 Can't install Keycloak Operator on OpenShift via OperatorHub on ARM operator
#39079 AuthenticationFlowException when a user tries a password grant using a service account authentication
#39091 Flaky test: org.keycloak.testsuite.cluster.JGroupsCertificateRotationClusterTest#testCoordinatorHasScheduleTask ci
#39122 Export fails with an unexpected error if the realm does not exist core
#39608 Getting Keycloak exception with request 500 status code on /account with semicolon in URL dist/quarkus
#39609 Users searchAttributes broken for empty value admin/client-java
#39766 [Keycloak Operator CI] - Test local apiserver - Kube API Server did not start properly ci
#39854 Flaky test: org.keycloak.testsuite.cluster.PermissionTicketInvalidationClusterTest#crudWithFailover ci
#39864 IdP redirect fails when user belongs to multiple organizations with organization:* scope organizations
#40160 Action Tokens Copy Nonce Into JTI core
#40192 REST Admin API - ClientsResource response with 200 OK even needed roles are missing admin/api
#40368 NPE during loading user groups with concurrent deletion storage
#40374 Random but frequent duplicate key value violates unique constraint \"constraint_offl_us_ses_pk2\" errors authentication
#40383 KC should connect to a writer instance of PostgreSQL automatically dist/quarkus
#40398 ModelDuplicateException on next login after deleting an account and back-channel logout authentication
#40463 Login to Account Console produces two consecutive LOGIN events account/ui
#40557 Uploading JSON import in UI causes extreme lag or entirely unresponsive page since 26.1 admin/ui
#40680 Inconsistency between UserModel.isMemberOf and RoleUtils.isMember (with LDAP involved) authentication
#40713 Unable to configure TLS reloading in Keycloak version 26.2.0 or later account/api
#40754 UserSession Offline removed from DB if not in cache infinispan
#40782 Flaky test: org.keycloak.testsuite.cluster.RealmInvalidationClusterTest#crudWithFailover ci
#40784 Default jdbc-ping cluster setup for distributed caches fails in Oracle infinispan
#40786 Typo in Consent Scope Representation account/api
#40788 Custom scope display name not shown in Account UI account/ui
#40818 Identity provider links list is limited to 100 entries for a user in the admin UI admin/ui
#40838 Mark options for additional datasources as preview dist/quarkus
#40857 Unbounded login_hint Parameter Can Corrupt KC_RESTART Cookie and Break Login Flow oidc
#40890 Keycloak Operator 26.3.0 fails to update to 26.3.0 operator
#40903 Proxy detection needs tweaked for insecure context warning dist/quarkus
#40930 Docs: server_development/topics/themes.adoc docs
#40932 [Operator] UpdateTest.testImageChange throws TimeoutException operator
#40935 NPE thrown when encoding a token without having a client set in the session oidc
#40945 Unclear documentation for setting management server as http when main server is https dist/quarkus
#40954 Keycloak 26.3.0 Regression: Failed to login if web-authn is disabled core
#40959 Update "Enabling and disabling features" documentation docs
#40975 Make passkeys feature dependent on web_authn authentication/webauthn
#40977 Loglevel recorded from build phase dist/quarkus
#40980 Can't update security-admin-console via admin UI with volatile sessions infinispan
#40984 Backchannel logout token with an unexpected signature algorithm key oidc
#40995 LDAP / ModelException: At least one condition should be provided to OR query core
#40997 Wildcard mappers should be implicitly handled and value propagated dist/quarkus
#41008 Missing signin with passkeys feature when FORCED_REAUTHENTICATION = true authentication/webauthn
#41018 Flaky test: org.keycloak.testsuite.cluster.ClientInvalidationClusterTest#crudWithFailover ci
#41023 Can't send e-mails to international e-mail addresses: bad UTF-8 syntax core
#41029 DOC: 'Running Keycloak in a Container' inconsistent docs
#41035 Skip update email required action if email attribute is not writable
#41037 WebAuthN Setup: OperationError: A request is already pending. authentication/webauthn
#41038 FIPS errors in CI
#41041 Able to create a client without entering Client ID admin/ui
#41044 Federated users incorrectly listed on first load due to uninitialized userProfileProvidersEnabled admin/ui
#41080 Permission evaluatio for resource type Clients broken admin/fine-grained-permissions
#41082 Multiple primary key defined when attempting to upgrade after 26.3.0 core
#41098 Locked out after upgrade to 26.3.1 due to missing sub in lightweight access token core
#41103 Service Account users now showing in the User List admin/ui
#41105 Unknown relation when removing realm role with --db-schema configured storage
#41117 NUL byte characters are sent from query parameters to the database causing SQL exception core
#41140 Blank Tab in Client Registration Access Policies admin/ui
#41148 org.keycloak.authentication.forms.RegistrationPassword#validate -> java.lang.UnsupportedOperationException authentication
#41152 Docs use em-dashes instead of double dashes for SPI options in regular text docs
#41170 'exp' and 'iat' missing from claims_supported entry in OpenID Endpoint Configuration oidc
#41181 FAPI 2.0 Message Singing Final - PAR endpoind does not return an appropriate error regarding a request object oidc
#41184 CVE-2025-48924 - Uncontrolled Recursion vulnerability in Apache Commons Lang
#41188 UserResources.addFederatedIdentity is missing OpenApi @Consumes annotation admin/api
#41204 UpdateTest CI failures ci
#41228 [quarkus-next] Migration tests failed for MySQL-based DB drivers dist/quarkus
#41235 Group imports performance import-export
#41242 Re-authentication with passkeys not easily possible authentication/webauthn
#41268 `--optimized` flag and providers jar are incompatible when used with tools changing `last-modify-date` dist/quarkus
#41287 Failing test in account console account/ui
#41289 Account test failing account/ui
#41290 Concurrent starts with JDBC_PING lead to a split cluster infinispan
#41295 Avoid additional execution of Liquibase changelog lock table statement storage
#41299 [quarkus-next] Missing comment generated by Liquibase executor in the custom script storage
#41331 Prevent sending massive amount of emails if a user clicks multiple times to get a new verify email link core
#41339 Add and delete bundle test failing admin/ui
#41388 Welcome page creates an temporary user core
#41390 JDBC_PING2 doesn't merge split clusters after a while infinispan
#41418 Access to user details for restricted admin fails after enabling organizationin realm organizations
#41421 Broken link securing-cache-communication in caching docs docs
#41423 Duplicate IDs in generated all configuration docs docs
#41427 Parallel token exchange fails if client session is expired token-exchange
#41466 [quarkus-next] @QuarkusTest fetches JARs again when executed dist/quarkus
#41468 [quarkus-next] [windows] ClassNotFoundException: JvmOptionsBuilder dist/quarkus
#41469 Uncaught exception cases unclosed spans in tracing dist/quarkus
#41474 File choosing tests fail on Windows admin/ui
#41488 Synchronize Maven surefire plugin with Quarkus dist/quarkus
#41491 ExternalLinks are broken in documentation docs
#41520 LDAP Import: KERBEROS_PRINCIPAL not updated when UserPrincipal changes and KERBEROS_PRINCIPAL was null on creation ldap
#41532 LDAP Sync all users takes unexpectedly long in 26.3 (> 30 min) ldap
#41537 Getting error 405 "Method Not Allowed" when calling the "certs" endpoint with HEAD method oidc
#41598 Kerberos playwright test flaky admin/ui
#41609 RejectImplicitGrantExecutor does not return an error when a PAR request includes Implicit or Hybrid response type oidc
#41620 Typos and AsciiDoc formatting in token exchange docs
#41624 Duplicate fields in RealmRepresentation in OpenAPI JSON file docs
#41641 Cannot use `dev-file` for additional datasources storage
#41643 Test SMTP connection fails when no port is specified admin/api
#41648 Flaky user profile test admin/ui
#41653 Flaky test: org.keycloak.testsuite.oid4vc.issuance.signing.OID4VCIssuerWellKnownProviderTest#testMetaDataEndpointIsCorrectlySetup ci
#41662 TiDB Many WAITING threads during high load scenario core
#41663 Typo in the caching doc docs
#41669 Keycloak SAML Adapter subsystem does not work in WildFly 37 adapter/saml
#41677 Provider default regression dist/quarkus
#41683 SAML test is flaky admin/ui
#41701 The same text shows up twice on the e-mail validity confirmation screen account/ui
#41711 Another flaky SAML test admin/ui
#41728 Node.js v22.18.0 causes JavaScript CI to fail
#41744 Weblate does not show zh_hant for the admin UI translations
#41752 Flaky Organization test admin/ui
#41755 Forwarded `claims` parameter from the initial authorization request to brokered OPs is not URL encoded identity-brokering
#41792 docs: Non interactive logout options missing documentation oidc
#41799 Authorization filtering causes NullPointerException with "Null keys are not supported!" in searchForUserStream (26.3.1+) account/api
#41801 Lack of coordination in database creation in 26.3.0 causes deployment failures (Reopen) core
#41804 OIDC identity provider token refresh fails with JsonMapperException identity-brokering
#41808 CVE-2025-7962 In Jakarta Mail 2.0.2 it is possible to preform a SMTP Injection by utilizing the \r and \n UTF-8 characters to separate different messages core
#41821 Fix Jandex version collision to allow running tests using auth-server-quarkus-embedded testsuite
#41823 Test flaky due to dual certificates admin/ui
#41834 Clicking email confirmation links in Outlook results in a "stale link" error core
#41842 memberOf attribute empty or values with a DN that does not match the role base DN fetches all roles ldap
#41854 KeycloakSession javadoc references keycloak-server.json core
#41860 Unbalanced HTML in login form templates login/ui
#41897 Hibernate 7.1 breaks TiDB support ci
#41903 [Operator CI] - Test local apiserver - Could not load class with name KeycloakDistConfiguratorTest ci
#41906 Backwards incompatible changes to 26.3.0 cause NullPointerException when requesting /certificates/jwt.credential/generate-and-download authentication
#41909 Admin console provider info shows "Add providers" admin/ui
#41913 [Store IT] - UserSessionRefreshTimePolicyTest unstable ci
#41914 Role mapping `account.manage-account-links` not sufficient for Client initiated account linking authentication
#41937 Display name for requireAction.idp_link, requireAction.delete_credential and requireAction.update_user_locale not mapping correctly admin/ui
#41942 Uncaught server error: org.keycloak.models.ModelException: Database operation failed : Sync LDAP Groups to Keycloak (Custom Provider) core
#41945 After upgrade to 26.3: Not possible to use Credentials having not-unique label login/ui
#41994 Check for non-ascii local part on emails depending on SMTP configuration core
#42006 Fix flaky tests for personal info in account console account/ui
#42012 Client session timestamp not updated in the database if running multiple nodes infinispan
#42018 Realm overrides test is flaky admin/ui
#42033 [RLM] NPE during user authentication core
#42044 Dynamic client authentication configuration uses wrong config admin/ui
#42046 KeycloakRealmImport placeholder replacement provides access to sensitive environment variables. operator
#42050 Recovery Codes are shown as "another way" even if not configured login/ui
#42052 User Profile attribute annotation "inputType" yields in not savable attribute user-profile
#42057 [Operator] Update job incorrectly inherits podTemplate configuration from unsupported.podTemplate operator
#42069 Fix common failures when running the admin console tests on Firefox
#42114 "Session/EntityManager is closed" during application startup "singleFile" users import testsuite
#42139 Backwards compatibility awareness identity-brokering
#42142 Dedicated client scope mappers missing oidc
#42158 Bug in configuration keycoak via keycloak.conf dist/quarkus
#42159 Docs: authorization_services/topics/permission-typed-resource-permission.adoc authorization-services
#42164 [Keycloak CI - Docs] Broken links core
#42165 [Keycloak CI - Admin UI, Account UI, Account E2E UI] Installing PNMP Error ci
#42178 Integer validation error not shown for user profile fields user-profile
#42182 Validation errors for required actions don't show translated messages admin/ui
#42201 Local access required if KC_BOOTSTRAP_ADMIN_CLIENT_ID is set but not KC_BOOTSTRAP_ADMIN_USERNAME login/ui
#42208 Audience mapper not honored when requesting organization scope authentication
#42213 Importing SAML IdP metadata sets Validate Signatures to false even if signing certificate is provided saml
#42263 Quarkus config (quarkus.properties) not picked up after 26.3.0 dist/quarkus
#42270 Missing double-dash in the events documentation core
#42276 Admin UI hides local users when LDAP provider fails (generic error shown; forces workaround) admin/ui
#42278 Flaky test: org.keycloak.testsuite.model.session.UserSessionConcurrencyTest#testConcurrentNotesChange ci
#42334 Experimental features enabled warning shown multiple times dist/quarkus
#42335 Colored output is lost during startup dist/quarkus
#42339 Allowed Client Scopes add openid scope in scope list oidc
#42360 LDAP mapper test is flaky admin/ui
#42369 Missing client session offline settings on realm level in the admin UI admin/ui
#42375 Client to be included cannot be configured for the OID4VCITargetRoleMapper anymore oid4vc
#42390 OIDC fails if doens't have email mapper if a LDAP exists ldap
#42403 ui-shared: Accessibility of Switch control admin/ui
#42405 Old hmac-generated (32bit) is recreated when order is changed in realm keys ui core
#42408 Organization without email domain shows an error when trying to link an Identity Provider organizations
#42419 Client authenticators executed multiple times oidc
#42426 Guides contain broken ha links docs
#42496 Compilation error in RolePolicyConditionProvider core
#42575 Locale selector displays incorrect label for Chinese translations
#42650 Failing device-activitiy test in account-ui tests oidc
#42652 NullPointerException when persisting a client session infinispan
#42678 Operator ClusterRoleBinding contains hardcoded namespace operator
#42706 Incorrect scheme in the WWW-Authenticate when Authorization: DPoP used oidc
#42716 The core class EdECUtilsImpl is not present in the sources jar core
#42726 Update of sssd should add IFP section to the configuration core
#42736 Reset password in admin UI with 'not recently used' password policy leads to error 'Device already exists with the same name' core
#42737 The new email is mandatory error for update profile action with enabled update email user-profile
#42752 Keycloak build broken ci
#42765 Can't log in to admin and account console due to Web Crypto API not being available account/ui
#42769 Missing switch "ID Token as detached signature" in the admin console client settings oidc
#42770 Introduce pending email verification message for UPDATE_EMAIL core
#42786 Inconsistent spelling auth WebAuthn core
#42792 IDX_EVENT_ENTITY_USER_ID_TYPE missing column EVENT_TIME core
#42828 Remove environment information from the server-info admin/api
#42833 Add validation of workflow steps also when adding single step to workflow workflows
#42837 Identify-First form should disallow empty entry organizations
#42856 Broken external link in documentation for npm.js.com docs
#42867 LOGIN event without a user session oidc
#42877 Valid scope parameter in access token request is rejected with invalid_scope error oidc
#42887 SPIFFE IdP added to login screen when created via browser identity-brokering
#42918 Typo in the latest documentation docs
#42922 Dynamic Client Registration invalidates the realm cache core
#42949 Username containing a '#' is truncated in Admin Console when hiding inherited roles user-profile
#42958 Upgrade bc-fips dependencies dependencies
#43002 Delete workflow has wrong messages. admin/ui

Keycloak 26.3.5 released

Thu, 25 Sep 2025 00:00:00 GMT

To download the release go to Keycloak downloads.

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Enhancements

#41371 Upgrade to Quarkus 3.20.3 LTS dist/quarkus
#41373 Remove explicit MariaDB connector dependency dist/quarkus

Bugs

#41418 Access to user details for restricted admin fails after enabling organizationin realm organizations
#42405 Old hmac-generated (32bit) is recreated when order is changed in realm keys ui core
#42491 CVE-2025-58057 - Netty BrotliDecoder / Data Amplification vulnerability dist/quarkus
#42492 CVE-2025-58056 - Netty HTTP Request Smuggling vulnerability dist/quarkus
#42736 Reset password in admin UI with 'not recently used' password policy leads to error 'Device already exists with the same name' core
#42769 Missing switch "ID Token as detached signature" in the admin console client settings oidc
#42922 Dynamic Client Registration invalidates the realm cache core

Passkeys support in upcoming Keycloak release (26.4)

Peter Skopek — Tue, 16 Sep 2025 00:00:00 GMT

Passkeys have been available in Keycloak since version 23.0.0 as a preview feature. We are happy to announce official support for passkeys in upcoming Keycloak 26.4.0.

What is passkey?

Definition from FIDO Alliance

A passkey is a FIDO authentication credential based on FIDO standards, that allows a user to sign in to apps and websites with the same process that they use to unlock their device (biometrics, PIN, or pattern). Passkeys are FIDO cryptographic credentials that are tied to a user’s account on a website or application.

More info

What’s new?

Passkeys are now seamlessly integrated to Keycloak using both conditional and modal UI. There is no need to modify default browser flow to use passkeys. Passkeys support is not enabled by default. It needs to be enabled in the WebAuthn Passwordless Policy (Authentication → Policies → Webauthn Passwordless Policy).

There is new Conditional - credential authenticator that checks if a specific credential type (passkey) has been used during the authentication process. It is added to the default browser flow to skip 2FA in case a passkey was used to log in as the primary credential.

Further quite hidden passkey support is also in the re-authentication form, where users can choose passkey as well as password.

For more information check Keycloak Server Administration Guide.

A few examples

Let’s start form the fresh Keycloak database. The first steps are obvious ones.

create admin user
create one test user
enable passkey support in (Authentication → Policies → Webauthn Passwordless Policy)
set default required action in (Authentication → Required actions → Webauthn Register Passwordless)
(This step is not necessary, one can use Account Console to register a passkey.)

No need for any other changes.

Conditional UI

Conditional UI is displayed when other components of the platform supports this UI style and username input field is present. It can be achieved for example on Linux using Google Chrome browser and 1password password manager with Chrome extension for 1password.

Registering passkey stored in 1password manager

Using passkey stored in 1password manager:

Modal UI

Modal UI is an older style and it is used mainly with hardware keys asking for PIN or biometric (such as Yubikeys). It is directly supported in all major browsers. This style of UI is displayed on browser screen when username input field is present (same situations than conditional) but also when the username is already selected and password is requested (re-authentication for example). The modal UI is initiated clicking the button labelled Sign in with Passkey.

The modal UI can also be slightly different depending on data stored in your hardware key.

Using hardware security key (Yubikey) in case of login (PIN entering)

Using hardware security key (Yubikey) in case of login (touch the key to activate transfer)

Re-authenticating using passkey

Leave your window with no actions to pass timeout. Then you see re-authentication window with passkey button (conditional UI style and modal UI are supported) .

Conclusion

All examples here show the passkeys usage with minimal configuration. There are much more options to change behavior of passkeys in Keycloak authentication. For more information see Keycloak Server Administration Guide.

Let us know of possible issues or what you like, please. We are looking for different combinations of operating systems, browsers, password managers and hardware keys. All issues should be reported at our project. Thank you in advance.

Keycloak 26.3.4 released

Fri, 12 Sep 2025 00:00:00 GMT

To download the release go to Keycloak downloads.

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Enhancements

#40630 Double check when working with multithreading. SAST
#42245 Upgrade to Quarkus 3.20.2.2

Bugs

#35825 Per client session idle time capped by realm level client idle timeout core
#40374 Random but frequent duplicate key value violates unique constraint \"constraint_offl_us_ses_pk2\" errors authentication
#40463 Login to Account Console produces two consecutive LOGIN events account/ui
#40857 Unbounded login_hint Parameter Can Corrupt KC_RESTART Cookie and Break Login Flow oidc
#41427 Parallel token exchange fails if client session is expired token-exchange
#41801 Lack of coordination in database creation in 26.3.0 causes deployment failures (Reopen) core
#41942 Uncaught server error: org.keycloak.models.ModelException: Database operation failed : Sync LDAP Groups to Keycloak (Custom Provider) core
#42012 Client session timestamp not updated in the database if running multiple nodes infinispan
#42046 KeycloakRealmImport placeholder replacement provides access to sensitive environment variables. operator
#42158 Bug in configuration keycoak via keycloak.conf dist/quarkus
#42164 [Keycloak CI - Docs] Broken links core
#42178 Integer validation error not shown for user profile fields user-profile
#42182 Validation errors for required actions don't show translated messages admin/ui
#42270 Missing double-dash in the events documentation core
#42339 Allowed Client Scopes add openid scope in scope list oidc
#42369 Missing client session offline settings on realm level in the admin UI admin/ui

Keycloak 26.3.3 released

Wed, 20 Aug 2025 00:00:00 GMT

To download the release go to Keycloak downloads.

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Enhancements

#41558 Ensure cache configuration has correct number of owners
#41934 Infinispan 15.0.19.Final
#41963 Upgrade to Quarkus 3.20.2.1 dist/quarkus

Bugs

#39562 Breaking template change: Unknown `locale` input field added to user-profile registration page user-profile
#40984 Backchannel logout token with an unexpected signature algorithm key oidc
#41023 Can't send e-mails to international e-mail addresses: bad UTF-8 syntax core
#41098 Locked out after upgrade to 26.3.1 due to missing sub in lightweight access token core
#41268 `--optimized` flag and providers jar are incompatible when used with tools changing `last-modify-date` dist/quarkus
#41290 Concurrent starts with JDBC_PING lead to a split cluster infinispan
#41390 JDBC_PING2 doesn't merge split clusters after a while infinispan
#41421 Broken link securing-cache-communication in caching docs docs
#41423 Duplicate IDs in generated all configuration docs docs
#41469 Uncaught exception cases unclosed spans in tracing dist/quarkus
#41488 Synchronize Maven surefire plugin with Quarkus dist/quarkus
#41491 ExternalLinks are broken in documentation docs
#41520 LDAP Import: KERBEROS_PRINCIPAL not updated when UserPrincipal changes and KERBEROS_PRINCIPAL was null on creation ldap
#41532 LDAP Sync all users takes unexpectedly long in 26.3 (> 30 min) ldap
#41537 Getting error 405 "Method Not Allowed" when calling the "certs" endpoint with HEAD method oidc
#41643 Test SMTP connection fails when no port is specified admin/api
#41663 Typo in the caching doc docs
#41677 Provider default regression dist/quarkus
#41808 CVE-2025-7962 In Jakarta Mail 2.0.2 it is possible to preform a SMTP Injection by utilizing the \r and \n UTF-8 characters to separate different messages core
#41842 memberOf attribute empty or values with a DN that does not match the role base DN fetches all roles ldap
#41906 Backwards incompatible changes to 26.3.0 cause NullPoointerException when requesting /certificates/jwt.credential/generate-and-download authentication
#41945 After upgrade to 26.3: Not possible to use Credentials having not-unique label login/ui

Keycloak DevDay 2026 Announcement and Call-for-Papers

Sebastian Rose — Thu, 14 Aug 2025 00:00:00 GMT

We (Niko and Sebastian) are excited to announce the next edition of Keycloak DevDay! DevDay is expanding to a 2-day event taking place again in Darmstadt, Germany, on March 5th and 6th, 2026.

The conference takes place again in Darmstadt, about 30 minutes away from Frankfurt/Main, see https://www.keycloak-day.dev for details.

What’s New for 2026?

Keycloak DevDay - the Keycloak community conference - expands to an exciting two days:

Day 1 (February 5th) - Traditional Conference Format

Full day of talks, presentations, and panels featuring maintainers, industry-leading speakers, and community experts. Dive deep into Keycloak developments, best practices, real-world use cases, and the latest innovations in and around Keycloak.

Day 2 (February 6th) - Unconference & Open Space

Interactive format shaped entirely by YOU, the participants! Join fellow Keycloakers in an Unconference/Open Space environment where you can:

Pitch your own topics and ideas
Lead discussions about the challenges you’re facing
Collaborate on solutions in small groups
Share knowledge through informal sessions
Network intensively with community members
Work on hands-on projects together

This has been a successful pre-conf event in 2025. From the feedback of all DevDay participants, we made it an official part of the DevDay.

What to Expect

DevDay 2026 continues our tradition of bringing together the vibrant Keycloak community with lots of opportunities for networking and exchange among like-minded people. As always, there will be plenty of drinks 🥤🍹 and food 🍔🌮🥗, an evening event on the first day, as well as an exclusive surprise gift 🎁 for all participants.

Meet and connect with:

Keycloak maintainers and core developers
Extension developers and contributors
Operators running Keycloak in production
Security architects and IAM specialists
Fellow community members from around the world

Call for Papers 📝

The call for papers is now open: https://sessionize.com/keycloak-devday-2026! We’re looking for talks covering:

Keycloak core features and new developments
Real-world implementation case studies
Extension development and customization
Security best practices and patterns
Performance optimization and scaling
Integration with cloud-native technologies
Identity standards and protocols
Migration experiences and lessons learned

Submission deadline: Mid-October 2025

If you would like to submit a talk proposal, you should not wait too long, as we will regularly review and publish the submitted proposals. Submitting early gives you the best chance of being part of DevDay 2026!

Registration & Tickets 🎟️

Ticket sales will start in mid-September 2025. Given the expanded 2-day format, we’ll have different types of tickets available and they remain limited.

Keep an eye on https://www.keycloak-day.dev for:

Early bird discounts
Registration opening announcements
Speaker announcements
Schedule updates
Newsletter subscription

About KEYCLOAK DevDay

KEYCLOAK DevDay is organized by active community members for the community. It’s the premier gathering for anyone involved in using Keycloak to provide identity and access management value to customers and employees in digital products and services.

Whether you’re a seasoned Keycloak expert or just getting started with identity and access management, DevDay 2026 offers something for everyone. Join us for two days of learning, sharing, and building the future of the Keycloak ecosystem together!

More details and updates will be published on https://www.keycloak-day.dev. Follow us for the latest news and announcements!

We can’t wait to see you in Darmstadt in March 2026! 🚀

BRZ Keycloak case study published

Alexander Schwartz — Tue, 5 Aug 2025 00:00:00 GMT

BRZ migrated the Austrian Business Service Portal with 2M+ users to Keycloak.

The Austrian Business Service Portal (USP) is the central online eGovernment platform for entrepreneurs and businesses. It connects businesses with various Austrian online government services, where businesses can access all digital services and information in one place.

The USP was launched in 2010 by the Austrian Federal Computing Center (BRZ, abbreviated from the German name Bundesrechenzentrum). The BRZ is the market-leading eGovernment partner of the Austrian federal administration and is both developing and operating the portal.

Authenticating and authorizing 2+ million users for 130+ public services is the most important key feature of the USP which now uses Keycloak, microservices and GitOps under the hood.

Read on to learn why the team chose to migrate to this solution, how they managed the migration and the benefits of the new setup in this CNCF case study!

We are now starting to collect all case studies at our case studies page. If you want to share your case study with the Keycloak community, contact me to sort out the details.

Keycloak 26.3.2 released

Thu, 24 Jul 2025 00:00:00 GMT

To download the release go to Keycloak downloads.

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

New features

#40237 Add option "Requires short state parameter" to OIDC IDP authentication

Enhancements

#40970 Run clustering compatibility tests on release/x.y branches
#41034 Improve logging for client sessions load
#41257 Upgrade to Infinispan 15.0.18.Final infinispan

Bugs

#39091 Flaky test: org.keycloak.testsuite.cluster.JGroupsCertificateRotationClusterTest#testCoordinatorHasScheduleTask ci
#39634 Update MariaDB connector to 3.5.3 dist/quarkus
#39854 Flaky test: org.keycloak.testsuite.cluster.PermissionTicketInvalidationClusterTest#crudWithFailover ci
#40553 Upgrade org.postgresql:postgresql to version 42.7.7 to address CVE-2025-49146 dependencies
#40736 CVE-2025-49574 - Exposure of Resource to Wrong Sphere vulnerability in io.vertx:vertx-core dependencies
#40782 Flaky test: org.keycloak.testsuite.cluster.RealmInvalidationClusterTest#crudWithFailover ci
#40784 Default jdbc-ping cluster setup for distributed caches fails in Oracle infinispan
#40977 Loglevel recorded from build phase dist/quarkus
#40980 Can't update security-admin-console via admin UI with volatile sessions infinispan
#40995 LDAP / ModelException: At least one condition should be provided to OR query core
#41018 Flaky test: org.keycloak.testsuite.cluster.ClientInvalidationClusterTest#crudWithFailover ci
#41038 FIPS errors in CI
#41082 Multiple primary key defined when attempting to upgrade after 26.3.0 core
#41103 Service Account users now showing in the User List admin/ui
#41105 Unknown relation when removing realm role with --db-schema configured storage
#41152 Docs use em-dashes instead of double dashes for SPI options in regular text docs
#41204 UpdateTest CI failures ci
#41370 [26.3] MariaDB connector dependency is not properly overriden dist/quarkus

Keycloak 26.3.1 released

Thu, 10 Jul 2025 00:00:00 GMT

To download the release go to Keycloak downloads.

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Enhancements

#40851 Upgrade to Infinispan 15.0.16.Final
#40962 Update limitations of the preview feature rolling updates for patch releases infinispan

Bugs

#35932 Importing a realm takes more than 1 minute when multiple others exist. dist/quarkus
#40368 NPE during loading user groups with concurrent deletion storage
#40713 Unable to configure TLS reloading in Keycloak version 26.2.0 or later account/api
#40838 Mark options for additional datasources as preview dist/quarkus
#40890 Keycloak Operator 26.3.0 fails to update to 26.3.0 operator
#40930 Docs: server_development/topics/themes.adoc docs
#40954 Keycloak 26.3.0 Regression: Failed to login if web-authn is disabled core

Keycloak Client Libraries 26.0.6 released

Fri, 4 Jul 2025 00:00:00 GMT

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Enhancements

#134 Can we create automatically GH Issue for the PR sent by ""Sync with Keycloak Server and send PR with changes" ? client
#166 Improve documentation of keycloak-admin-client and add compatibility section client
#170 Sync with Keycloak server release/26.3 branch client
#172 Test with supported keycloak server versions client

Bugs

#165 Test failures in last Keycloak-client-ci client

Keycloak 26.3.0 released

Thu, 3 Jul 2025 00:00:00 GMT

To download the release go to Keycloak downloads.

Highlights

This release delivers advancements to optimize your system and improve the experience of users, developers and administrators:

Account recovery with 2FA recovery codes, protecting users from lockout.
Simplified experiences for application developers with streamlined WebAuthn/Passkey registration and simplified account linking to identity providers via application initiated actions.
Broader connectivity with the ability to broker with any OAuth 2.0 compliant authorization server, and enhanced trusted email verification for OpenID Connect providers.
Asynchronous logging for higher throughput and lower latency, ensuring more efficient deployments.
For administrators, experimental rolling updates for patch releases mean minimized downtime and smoother upgrades.

Read on to learn more about each new feature, and find additional details in the upgrading guide if you are upgrading from a previous release of Keycloak.

Recovering your account if you lose your 2FA credentials

When using for example a one-time-password (OTP) generators as a second factor for authenticating users (2FA), a user can get locked out of their account when they, for example, lose their phone that contains the OTP generator. To prepare for such a case, the recovery codes feature allows users to print a set of recovery codes as an additional second factor. If the recovery codes are then allowed as an alternative 2FA in the login flow, they can be used instead of the OTP generated passwords.

With this release, the recovery codes feature is promoted from preview to a supported feature. For newly created realms, the browser flow now includes the Recovery Authentication Code Form as Disabled, and it can be switched to Alternative by admins if they want to use this feature.

For more information about this 2FA method, see the Recovery Codes chapter in the Server Administration Guide.

Performance improvements to import, export and migration

The time it takes to run imports, exports or migrations involving a large number of realms has been improved. There is no longer a cumulative performance degradation for each additional realm processed.

Simplified registration for WebAuthn and Passkeys

Both WebAuthn Register actions (webauthn-register and webauthn-register-passwordless) which are also used for Passkeys now support a parameter skip_if_exists when initiated by the application (AIA).

This should make it more convenient to use the AIA in scenarios where a user has already set up WebAuthn or Passkeys. The parameter allows skipping the action if the user already has a credential of that type.

For more information, see the Registering WebAuthn credentials using AIA chapter in the Server Administration Guide.

Simplified linking of the user account to an identity provider

Client-initiated linking a user account to the identity provider is now based on application-initiated action (AIA) implementation. This functionality aligns configuring this functionality and simplifies the error handling the calling of the client application, making it more useful for a broader audience.

The custom protocol, which was previously used for client-initiated account linking, is now deprecated.

Brokering with OAuth v2 compliant authorization servers

In previous releases Keycloak already supported federation with other OpenID Connect and SAML providers, as well as with several Social Providers like GitHub and Google which are based on OAuth 2.0.

The new OAuth 2.0 broker now closes the gap to federate with any OAuth 2.0 provider. This then allows you to federate, for example, with Amazon or other providers. As this is a generic provider, you will need to specify the different claims and a user info endpoint in the provider’s configuration.

For more information, see the OAuth v2 identity providers chapter in the Server Administration Guide.

Trusted email verification when brokering OpenID Connect Providers

Until now, the OpenID Connect broker did not support the standard email_verified claim available from the ID Tokens issued by OpenID Connect Providers.

Starting with this release, Keycloak supports this standard claim as defined by the OpenID Connect Core Specification for federation.

Whenever users are federated for the first time or re-authenticating and if the Trust email setting is enabled, Sync Mode is set to FORCE and the provider sends the email_verified claim, the user account will have their email marked according to the email_verified claim. If the provider does not send the claim, it defaults to the original behavior and sets the email as verified.

Asynchronous logging for higher throughput and lower latency

All available log handlers now support asynchronous logging capabilities. Asynchronous logging helps deployments that require high throughput and low latency.

For more details on this opt-in feature, see the Logging guide.

Rolling updates for patch releases for minimized downtime (preview)

In the previous release, the Keycloak Operator was enhanced to support performing rolling updates of the Keycloak image if both images contain the same version. This is useful, for example, when switching to an optimized image, changing a theme or a provider source code.

In this release, we extended this to perform rolling update when the new image contains a future patch release from the same major.minor release stream as a preview feature. This can reduce the service’s downtime even further, as downtime is only needed when upgrading from a different minor or major version.

Read more on how to enable this feature in update compatibility command.

Passkeys integrated in the default username forms

In this release Keycloak integrates Passkeys in the default authentications forms. A new switch Enable Passkeys is available in the configuration, Authentication → Policies → Webauthn Passwordless Policy, that seamlessly incorporates passkeys support to the realm. With just one click, Keycloak offers conditional and modal user interfaces in the default login forms to allow users to authenticate with a passkey.

The Passkeys feature is still in preview. Follow the Enabling and disabling features guide to enable it.

For more information, see Passkeys section in the Server Administration Guide.

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Security fixes

#238 EMBARGOED CVE-2025-3501 keycloak: Keycloak hostname verification private

New features

#21995 Configurable probes in the Operator operator
#29116 Add supported config options for additional datasources dist/quarkus
#29596 Passkeys conditional UI: integration with username/password form authentication/webauthn
#38465 Name for OTP device should be unique account/api
#38985 Possibility to log details and representation to the jboss-logging listener
#39408 make MaxAuthAge configurable for required actions authentication
#40021 Passkeys conditional UI: integration with independent username and password form authentication/webauthn
#40033 Deprecate or remove the current conditionalUI authenticator authentication/webauthn

Enhancements

#12025 Get multiple users by Ids admin/api
#21277 Support IPv6 only environments dist/quarkus
#23283 Allow Keycloak operator to parameterize the Service annotations and labels
#28713 Temporarily Locked out users change the enabled flag of the user account/api
#28851 Support Syslog async properties dist/quarkus
#30227 Admin-UI: move PKCE Code Challenge Method setting from Advanced to Settings tab
#33978 Migration progress missing
#34160 Remove CACHE_EMBEDDED_REMOTE_STORE Feature
#35446 Ensure Client Initiated Account Linking behaves like other Application Initiated Actions authentication
#36635 Change User details page drop-down filter to make it easier to find the 'admin' role admin/ui
#37532 Remove user event types from admin UI is unusable admin/ui
#37716 Add ability for Quick Theme to import theme from a jar admin/ui
#37717 Quick Theme should allow naming the jar before download admin/ui
#38091 Add more validation for proxy-headers
#38228 Auto submit the "Organization Identity-First Login" form with pre-filled username field organizations
#38259 Enhance mapping from env variables to wildcards
#38262 Add `count` endpoint for organizations organizations
#38433 Make `ThemeManagerFactory` into a proper SPI so that it can be accessed/overridden core
#38496 Create CacheRemoteConfigProvider
#38497 Create CacheEmbeddedConfigProvider
#38578 Support Asynchronous logging
#38614 Improve Dutch translation for Theme base/login and base/email translations
#38620 Key generation for client authentication is always RSA 2048 with a 10-year validity, regardless of the selected algorithm authentication
#38621 Client secret generation provides lower than expected entropy authentication
#38649 Improve migration performance core
#38663 Access Token IDs have less than 128 bits of entropy core
#38714 Add feedback when user sync process is triggered in user federation
#38863 Allow logging of slow database operations
#38882 Upgrade command rolling updates for patch releases / step 1: experimental
#38883 Upgrade command rolling updates for patch releases / step 2: preview
#38956 Clarify upgrade instructions
#38981 Allow setting locale when edit mode is `READ_ONLY`
#38994 Make recovery codes supported authentication
#39057 Change the title for Grafana dashboards guide to plural docs
#39059 Document operator `Auto` update strategy when used with `podTemplate`
#39080 Standardize introductory text in Keycloak guides
#39136 Update LDAP configuration with a hint how to enable password hashing in ApacheDS
#39142 Make distribution startup timeout configurable testsuite
#39172 Add description to groups
#39191 Ability to skip AIA for adding WebAuthn security key in case that user already has one authentication
#39198 Better tooltip for Strategy to increase wait time in brute force settings
#39213 Polishing recovery codes authentication
#39214 Use required action configuration instead of password policy for warning threshold authentication
#39243 Should we improve metadata of recovery code credential? authentication
#39338 Keycloak Operator: TTL for KeycloakRealmImport jobs docs
#39405 Message bundle hot reloading
#39418 Clarify when to use podman docs
#39469 Fix Securing Apps links to adapters docs
#39486 Email server credentials can be harvested through host/port manipulation admin/api
#39541 Fix doc link to FGAP v1 docs
#39543 Apply edits to Operators Guide docs
#39544 Change discovery in Kubernetes to `jdbc-ping`
#39545 JGroups: Switch to "per-destination" bundler for `jdbc-ping`
#39563 Protocol `openid-connect` should be selected as default for ClientScopes oid4vc
#39572 Edit Observability Guide docs
#39587 Make slow SQL and SQL comment prefix configurable
#39590 Fix callouts in Operator guide docs
#39595 Build user representations when searching based on the user profile settings user-profile
#39617 OpenTelemetry Tracing: Spans as part of the "commit" should be nested dist/quarkus
#39619 OpenTelementry Tracing: Show calls within a rest resource as nested dist/quarkus
#39638 Sessions from Infinispan should be mapped lazily for the Admin UI
#39641 Return only manage permissions when listing users via administration console
#39651 Speed up Infinispan list of all sessions be more eagerly remove old client sessions
#39653 Pass notifications in batches to remote and local ISPN cache infinispan
#39665 When logging in, all client sessions are loaded which is slow oidc
#39670 Add re-authentication when updating email via UPDATE_EMAIL feature
#39723 Redirect request from wrong version to the right version
#39748 Docs: server_admin/topics/clients/oidc/proc-using-a-service-account.adoc oidc
#39761 Revise DPoP Codes - refactor retrieveDPoPHeaderIfPresent method oidc
#39817 Document that a shell wrapper must not start replace PID 1 in containers
#39826 Revise DPoP Codes - refactor remove unused methods oidc
#39855 Revise Client Policies Codes - AbstractClientPoliciesTest oidc
#39872 Improve JGroups network bind address documetion
#39885 Identity provider with FORCE sync mode does not detect verified email change identity-brokering
#39889 Revise Client Policies Codes - ClientPoliciesAdminTest oidc
#39891 Revise Client Policies Codes - ClientPoliciesConditionTest oidc
#39909 Add missing id attributes for button elements of keycloak.v2 login theme
#39962 Create a POC of running 2 containers in the new testsuite
#39965 Create test cases for OIDC flows
#39975 Make the checkbox "Sign out from other devices" unchecked by default authentication
#39980 Revise Client Policies Codes - ClientPoliciesExecutorTest oidc
#39982 Revise Client Policies Codes - ClientPoliciesExtendedEventTest oidc
#39987 Unnecessary boxing/unboxing to parse a primitive. SAST saml
#40012 Revise Client Policies Codes - ClientPoliciesLoadUpdateTest oidc
#40014 Revise Client Policies Codes - ClientPoliciesTest oidc
#40016 Revise Client Policies Codes - SecureRedirectUrisEnforcerExecutorTest oidc
#40022 Passkeys conditional UI: integration with the organization authenticator authentication/webauthn
#40023 Upgrade webauthn4j to a newer version authentication/webauthn
#40024 Throw an exception if transport mTLS keystore or Truststore does not exist
#40027 Unrelated Types. SAST
#40030 Potential thread safety Issue with lazy init of transformerFactory at TransformerUtil. SAST
#40034 Serialization issue in SAMLEntityAttributesParser - no void constructor in superclass. SAST
#40039 Abbreviate text in PKCE method configuration label in OIDC Client configuration admin/ui
#40050 Revise Client Policies Codes - OAuth 2.1 tests oidc
#40052 Revise Client Policies Codes - FAPI1Test oidc
#40054 Revise Client Policies Codes - FAPI2Test oidc
#40056 Revise Client Policies Codes - FAPICIBATest oidc
#40060 Sign of a bad copy/paste in logging of usserSessionLimitsAuthenticator authentication
#40108 Support more i18n keys for messages_ru.properties
#40129 Refactor the key value input so that it has an override for key and value component
#40165 Upgrade to Infinispan 15.0.15
#40166 Upgrade Aurora PostgreSQL to a supported release
#40188 Document security implications of Keycloak CR operator
#40191 Icon for default role should have a separator to the role name admin/ui
#40208 ServerInfo View in Admin-Console should show CPU information
#40233 Make `ProviderConfigurationBuilder` fail when a duplicate property is added.
#40336 Support all i18n keys for messages_ru.properties translations
#40419 Update links specs in OIDC guide docs
#40440 Add link to OIDC Discovery Spec in the documentation of the certs endpoint oidc
#40441 Add templates for release notes and migration guide docs
#40446 Review Profile makes users prone to phishing attacks authentication
#40448 add (ky )kyrgyz language support translations
#40472 Default to num_owners=2 when the persistent-user-sessions feature is disabled infinispan
#40487 Clarify OpenShift v4 Identity Provider instructions
#40489 When redirecting old resource versions, keep query parameters
#40533 Clarify FIPS instructions
#40564 Add clarifying language around jgroups failure detection ports
#40566 Synchronization of Polish language in login template translations
#40579 Add missing translations in email and account theme for Polish lang translations
#40639 Update documentation about volatile sessions
#40641 [docs] fix spelling error in hostname.adoc
#40705 Documentation for passkeys for 26.3.0 authentication
#40709 Update javadoc of java admin-client for Keycloak 26.3 admin/client-java
#40765 Make abstract class AbstractUserRoleMappingMapper public

Bugs

#27945 Passkey "Avoid same authenticator registration" doesn't work authentication/webauthn
#32600 OpenAPI spec: Missing attributes in ClientPolicyConditionRepresentation and ClientPolicyExecutorRepresentation schemas admin/api
#33078 account/ui spinner use patternfly v3 classes instead of patternfly v5 classes account/ui
#35266 Amazon Identity Provider does not accept scope = openid and Keycloak always sets it identity-brokering
#35278 Double click on social provider link causes page has expired error login/ui
#36150 wrong redirect after login timeout for parallel logins authentication
#36320 [Keycloak CI] - User Federation Tests - LDAPUserProfileTest.testMultipleLDAPProviders ci
#36396 "identity-provider-redirector" does not forward LOGIN_HINT of authentication session authentication
#36562 Social login - Instagram Login test fails, API changed ci
#36609 Keycloak container incorrectly read CGroups settings on Kernel 6.12 dist/quarkus
#36622 Login UI edit profile textarea doesn't have styles applied login/ui
#36986 Localization: when the user has forgotten the password, the email is sent in default language, instead of the selected one login/ui
#37202 Client scopes evaluate function shows sub claim in access token even if "basic" client scope is not selected admin/ui
#37269 External IDP error during Step-Up Authentication does no longer route back to browser flow authentication
#37447 account-console no longer provides nonce/state parameter account/ui
#37490 [Keycloak CI] - Quarkus IT (windows-latest, win) - QuarkusPropertiesDistTest ci
#37526 Unexpected Application Initiated Actions Cause Server Errors authentication
#37537 LDAP group mapper skips configured filter and imports all groups with memberOf strategy when fetching the user's groups ldap
#37555 User Federation: Remove imported users modal has wrong text admin/ui
#37559 Linking user in different browser doesn't work if original window/tab is closed identity-brokering
#37598 Realm context uses route and can't be used in libary admin/ui
#37648 User Attribute option of SAML "User Attribute Mapper for NameID" should be required admin/ui
#37720 MSADUserAccountControlStorageMapper attempts to persist a userAccountControl value of 0 on user create, resulting in LDAP error and incomplete user provisioning ldap
#37899 User email not registered when user has not the permission to edit his email core
#38049 Upload of JKS keystore fails with a server error admin/ui
#38104 Temporary failure in name resolution with nip.io ci
#38145 Unknown error on authentication-flow delete action admin/ui
#38161 RawKeycloakDistribution exit code is always 0 testsuite
#38251 Importing a realm from a directory fail if the realm contain organizations with users. import-export
#38351 Mail settings can't be provided via environment variables testsuite
#38382 Disable user row if not allowed to delete admin/ui
#38458 [FGAP] [UI] Permission search doesn't execute correct consequent search request admin/fine-grained-permissions
#38482 SAML client certificate not persisted admin/ui
#38487 [Keycloak Operator CI] - Test remote (slow) - UpdateTest.testExplicitStrategy ci
#38542 JWK Subtypes fail when mapping JWK to PublicKey core
#38602 Keycloak fails to start on MySQL Cluster due to missing primary key in databasechangelog dist/quarkus
#38616 Fix alignment of the 'Action' selectbox with the 'Enabled' switch for User federation admin/ui
#38660 Ldap federation seems to open and keep open a new thread/connection for each ldap request ldap
#38662 Update commands trigger build checks dist/quarkus
#38671 Duplicate Key Violation When Reauthenticating After Account Deletion via Google identity-brokering
#38676 Dropdown search input is not cleared after selecting with mouse admin/ui
#38692 Test coverage for count menthods when filtering admin/fine-grained-permissions
#38703 Password Policy Changes get overwritten in the UI admin/ui
#38757 Keycloak statefulset is not mapped to any headless service if installed via operator operator
#38767 Make group required when selecting a specific group creating a premission admin/ui
#38783 `content.json`'s isVisible flags are ignored in `Root.tsx`'s `mapRoutes` function, which makes the pages still accessible account/ui
#38789 [Keycloak JS CI] Admin UI E2E tests on Firefox have failures ci
#38799 Kerberos principal attribute value "comes back" when cleared. admin/ui
#38801 Building docker image of keycloak with curl using 2 stage process hangs docs
#38812 Test failures in CI in Chrome tests ci
#38846 StatefulSet reconciliation infinitely looping operator
#38850 Changing a password with the option log out all other sessions doesn't log out offline sessions core
#38852 [Organization] Failed authentication (ModelDuplicateException) when e-mail duplicates are allowed on the realm organizations
#38873 Client Credentials tab : "Allow regex pattern comparison" toggle is always "On" on page load admin/ui
#38893 Multi-stage docker builds fail --optimized validation dist/quarkus
#38910 Bug: Hosted Domain Validation Logic Issue in Keycloak Google Identity Provider identity-brokering
#38911 Filtering of user- and admin-events by dateTo always returns empty results admin/api
#38913 [FGAP] AvailableRoleMappings do not consider all-clients permissions admin/fine-grained-permissions
#38918 IPv6 support: Broker tests failing with proxy configuration ci
#38920 Downstream docs have duplicate ID on sampling docs
#38925 Blocking issue with increasing JVM thread count after migrating from 26.0.8 to 26.1.4 infinispan
#38929 Permission details sometimes don't show the name of the client admin/fine-grained-permissions
#38930 [Docs] Broken link in ExternalLinksTest for importmap docs
#38932 Home button always redirects to master realm when permission denied admin/ui
#38934 UI: Readonly/disabled profile form input fields are visually indistinguishable from active fields account/ui
#38937 Liquibase checksum mismatch when upgrading from Keycloak ≤ 22.0.4 directly to 26.2.x storage
#38938 Missing null checks in IdentityProviderResource lead to NPE admin/api
#38944 Admin UI test "Enable user events" breaks as event metadata has changed admin/ui
#38964 [26.2.3/26.1.5] Regression: ClientList value is empty in UI for Custom UserStorageProviderFactory admin/ui
#38970 Authentication request can fail with `unknown_error` authentication
#38982 JpaRealmProvider getGroupByName return group duplicate due to change of comparison (like vs equal) ldap
#39015 Keycloak operator with update strategy to Auto: missing imagePullSecrets operator
#39021 After migrating to newer Keycloak, token refreshes using inherited offline sessions return access tokens with invalid exp value oidc
#39022 Setting batch size to 0 in LDAP provider with pagination enabled leads to NPE ldap
#39023 Keycloak 26.2.0 UI Performance Degradation admin/ui
#39026 Fine-grained-permssion v2 Display problem admin/fine-grained-permissions
#39037 UserInfo request fails by using an access token obtained in Hybrid flow with offline_access scope oidc
#39046 Keycloak 26.2.0 can't authenticate to the H2 database after the upgrade core
#39055 After import of keys an export doesn't include these values admin/ui
#39061 Missing iteration key property in SigningIn Page account/ui
#39063 Optimized startup fails from `kc.spi-connections-http-client-default-expect-continue-enabled` passed at runtime dist/quarkus
#39065 Issue with SSL and `CertificatereloadManager` in Keycloak 26.2 when using Istio infinispan
#39085 Redirects to admin endpoint 404s on hostname-admin / request scheme mismatch core
#39096 Release note 26.2.0 has broken link docs
#39110 jwks_uri endpoint returns content-type as "application/json" instead of "application/jwk+json" or "application/jwk-set+json" oidc
#39119 Evaluate client scopes can corrupt UI completely admin/ui
#39124 [Operator CI] - Test remote (slow) ci
#39125 [Keycloak CI] - FIPS UT - Run crypto tests ci
#39130 Authorization Code Flow Fails Scope Validation After Credential Definition Migration to Realm Level oid4vc
#39144 Getting Started Podman: We are sorry... HTTPS required docs
#39146 [FGAP] [UI] Searching for permissions doesn't allow to search for all group permissions admin/fine-grained-permissions
#39150 Evaluation should consider roles granted to the user admin/fine-grained-permissions
#39156 Quick theme: logo is undefined if not set admin/ui
#39157 [quarkus-next] TestEngine with ID 'junit-jupiter' failed to discover tests dist/quarkus
#39173 duplicate key value violates unique constraint "constraint_offl_cl_ses_pk3" infinispan
#39179 Uncaught server error during organization update when name already exists organizations
#39180 Groups view: Filter/search bar disappears and groups not shown after clearing empty search results admin/ui
#39182 Oracle driver problems in keycloak 26.2.1 dependencies
#39187 Account console: defaultLocale item in select locale field account/ui
#39206 Wrong UDP jgroups metric name docs
#39219 Serverinfo response grows over time admin/api
#39227 Quarkus devtools dependencies in 26.2.x dependencies
#39237 Deletion of a role is slow when when there are a lot of roles in the database core
#39246 Duplicate user entries when searching custom attributes core
#39259 Admin E2E tests ignores `RETRY_COUNT` environment variable admin/ui
#39262 Keycloak does not take into account value request parameter in the claims request for acr claim authentication
#39264 [OID4VCI] Documentation Errors docs
#39267 Avoid a NPE at org.keycloak.email.freemarker.beans.ProfileBean#getOrganizations when feature "organization" is disabled organizations
#39274 Aurora DB should not update automatically to the latest minor version ci
#39296 Inconsistent "grant_types" vs "grantTypes" Naming Causes GrantTypeCondition to Always Fail core
#39312 SLO measurement should mention a month as a period docs
#39336 Tests failing with embedded undertow due the infinispan testsuite
#39345 Ghost user entries in database from ldap causes import errors ldap
#39349 CVE-2025-3910 Two factor authentication bypass
#39350 CVE-2025-3501 Keycloak hostname verification
#39358 Aggregated policy: Cannot select policies that do not appear in the drop-down list admin/ui
#39402 Client Scope with mapper Organization Membership - claim disappears as soon as user is member of more than one Organisation organizations
#39403 Client Scope with mapper Organization Membership - organizations claim disappears when Include in token scope is off organizations
#39429 Flaky test: org.keycloak.testsuite.model.session.OfflineSessionPersistenceTest#testPersistenceMultipleNodesClientSessionsAtRandomNode ci
#39442 Non-closing HTML tag in footer example docs
#39450 quarkus runtime options are treated as buildtime options dist/quarkus
#39454 JGroups errors when running a containerized Keycloak in Strict FIPS mode and with Istio infinispan
#39457 Typos in French login and email messages templates translations
#39465 Scheduled Task cannot access realm when feature fpap:v2 is active, but realm has it not configured admin/fine-grained-permissions
#39485 Inconsistent "Forgot Password" behavior reveals user account information login/ui
#39487 Incorrect tooltip over enabled features admin/ui
#39492 Check if suspicious log about CORS is correct
#39496 [26.2.3/26.1.5] Regression: empty ClientList in UI for Custom UserStorageProvider admin/ui
#39499 UI does not show user's attributes after reentering the Attributes TAB admin/ui
#39500 Update Job Pod is listed in the keycloak discovery service operator
#39502 Refreshed tokens are not persisted for IDP token exchange token-exchange
#39509 UI does not show organization's attributes after reentering the Attributes TAB account/ui
#39538 Autocomplete in Mapper type of user federation broken admin/ui
#39540 Forms IT tests breaks with Chrome 136.0.7103.59 ci
#39549 Inconsistency in User enabled status in Rest query results. core
#39596 Enabling "HTTP-POST binding response" is not reflected in the SP metadata saml
#39599 Error when requesting token inspection for a access token requested by a offline token authorization-services
#39612 Unable to change the OTP hash algorithm admin/ui
#39614 Keycloak not using custom Infinispan config infinispan
#39643 Can't change locale on expired page login/ui
#39663 Duplicate validation message “Please specify username.” shown on login form login/ui
#39668 Fetching 1250 group children much slower in v26 vs. v25 admin/api
#39669 Hide update email link in account console when email is read-only in user profile user-profile
#39693 Clicking on the jump links removes the localization of the UI admin/ui
#39697 Authorization documentation shows the wrong view authorization-services
#39710 Recreate update is not scaling down the statefulset to zero operator
#39715 Users Credentials tab crashes on orphan LDAP user admin/ui
#39720 User listing broken because of missing `is_temporary_admin` attribute admin/ui
#39724 Hibernate LazyInitializationException when deleting client with CompositeRoles core
#39753 POST realm API returns 400 on conflict instead of 409 in version 26.2.4 admin/api
#39759 ModelDuplicateException since Keycloak v26 when logging into Keycloak core
#39765 SAML certificate in UI not refreshed after keystore import account/ui
#39781 SMTP password overwritten with asterisks core
#39785 Client sessions are not cached when loaded from the database core
#39798 Documentation has outdated link to the "latest" branch of quickstarts docs
#39800 [KEYCLOAK CI] - AuroraDB IT - Create EC2 runner instance ci
#39816 Do not show warning ISPN000312: Lost data because of graceful leaver infinispan
#39843 Custom classes for checkbox are not applied on password reset form in keycloak.v2 login theme login/ui
#39850 [FGAP] Clients empty when using role based policy and roles inherited from groups admin/fine-grained-permissions
#39861 [Keycloak CI] - Several failures HTTP response code 429 - too many requests ci
#39866 MigrationModel duplicate entry on Recreate Upgrade in Cluster with 2+ nodes dist/quarkus
#39876 JS CI fails with merging playwright reports admin/ui
#39893 Missing Quarkus flag for syslog logging dist/quarkus
#39904 Missing angle bracket authentication
#39915 Searching user by attributes force an exact request even if not asked admin/ui
#39917 Liquibase update failed from KC 26.1 to KC 26.2 with PostgreSQL JDBC driver 42.7.5 storage
#39918 Admin UI key permissionPoliciesHelp possible typo admin/ui
#39920 Admin UI doesn't use conditionsHelpItem message key admin/ui
#39923 ModelDuplicateException on next login after deleting an account storage
#39934 Locale set to English even when only one Locale is enabled admin/ui
#39937 Admin UI shows message "Imported users have been removed" twice admin/ui
#39939 Operator error: desiredPullSecrets is null operator
#39942 LDAP Edit mode option is required but not marked admin/ui
#39949 [Keycloak JavaScript CI] - Admin UI E2E (firefox) ci
#39950 [Keycloak CI] - Cookies Tests - KcOidcBrokerTokenExchangeTest
#39956 Allow mapping Admin roles to server administrator only admin/fine-grained-permissions
#39971 Custom tabs implementing UiTabProvider/UiTabProviderFactory not displayed since KC26.2.0 admin/ui
#40003 Change connection settings totle to OAuth2 settings
#40046 Cache TLS is not available with protocol UDP after upgrading from 26.2.4 to 26.2.5 infinispan
#40049 Flaky test: org.keycloak.testsuite.webauthn.account.WebAuthnSigningInTest#checkAuthenticatorTimeLocale ci
#40085 Federated user IDs are not correctly evicted from cache storage
#40088 Make UPDATE_TIME unique for MIGRATION_MODEL table
#40090 Emphasize using StatefulSet instead of Deployment operator
#40096 Error creating user in Windows Active Directory over LDAP ldap
#40099 [Keycloak Operator CI] - Test OLM Installation ci
#40104 NPE during external-internal token exchange in case that user exists token-exchange
#40106 Two same tests in KcOidcBrokerTokenExchangeTest testsuite
#40128 Unable to set LoA field in auth-flow-enforcer core
#40135 Transparent filter panel in Admin > Events > Search events form admin/ui
#40139 Incorrect placeholder for "delete multiple users" title in German translation translations
#40151 Avoid unbalanced curly braces in message properties translations
#40159 Brute force detection permanent lockout flag not shown for users auto-unlocked after temporary lockout admin/ui
#40171 SQL error when logging in for first time (per user) after Keycloak upgrade core
#40180 Admin UI doesn't show client names from resource bundle admin/ui
#40187 Client Registration with fake scope oidc
#40195 Documentation of Argon2 hash-length configuration property is incorrect. authentication
#40213 `UserStorageManager.getUserById` called multiple times on `POST /realms/{realm}/protocol/{protocol}/token` storage
#40232 Setting of `type` of `Argon2PasswordHashProviderFactory` is incorrect, authentication
#40235 PasswordHashingTest#testPasswordRehashedWhenCredentialImportedWithDifferentKeySize fails to successfully log in core
#40240 Capitalize each word of the string "security admin console"
#40253 Case sensitive Organization/IDP linking on domain organizations
#40270 LDAP: error code 19 - pwdChangedTime: no user modification allowed ldap
#40284 Webauthn policy data resets to previous state after binding flow admin/ui
#40303 Account UI goBack link doesn't render when referrer query string is set account/ui
#40339 [Keycloak CI] - Windows: local maven repository error ci
#40353 Issue with Handling Negative Values in Certain Fields of Brute Force Detection authentication
#40360 [Keycloak-Operator]: Rolling Updates -- Strategy=Auto, operator error keycloak-update-job is invalid -- Strategy=Explicit, operator always replaces operator
#40365 Labeler fails to set version of parent issue ci
#40375 Outdated information in HA Keycloak deployment docs
#40402 Failing WebAuthn IT (chrome) / WebAuthnSigningInTest.passwordlessWebAuthnTest authentication/webauthn
#40408 Multiple QuarkusJpaUpdaterProvider calls during boot dist/quarkus
#40423 Missing highlighting of deprecated and disabled-by-default features admin/ui
#40438 Unable to retrieve `attributes` with organization get members endpoint admin/api
#40444 Link to dynamic client registration section is broken in docs oidc
#40451 Compilation error in AbstractWebAuthnAccountTest testsuite
#40474 WebAuthn Passwordless Policy Timeout Field Causes Syntax Error When Value Exceeds 1000 Seconds Due to Locale-Specific Number Formatting in FTL Generated JavaScript adapter/javascript
#40479 Federation unlink failure message contains double single quotes translations
#40483 Missing adjustment about offline session caches for volatile sessions infinispan
#40494 On change of language, confirmation is shown in old language account/ui
#40497 Creating a user profile attribute "displayName" does not work as expected. user-profile
#40498 Account UI e2e tests do not run in CI account/ui
#40514 Authentication flows documentation should match new GUI docs
#40531 DefaultLazyLoader is not thread safe, but is used in a shared instance of CachedRealm infinispan
#40542 Nightly build shows outdated information on the Keycloak website docs
#40596 UI Customization missing footer example admin/ui
#40598 Account console reports duplicate keys in development mode account/ui
#40611 Negative expiration for token exchange using an offline session token-exchange
#40632 Translation key missing from Greek translations. translations
#40637 Front logout channel broken in 26.2.5 for saml saml
#40663 Potential copy-paste issue in PersistentClientSessionEntity.java storage
#40694 quarkus-next: update Quarkus snapshots url dist/quarkus
#40695 Multiple resources that match same URI with different scope cause inconsistent authorization response authorization-services
#40717 Allow passkeys login when user has no password credential authentication/webauthn

Talks announced for KEYCONF25 - get your tickets!

Alexander Schwartz — Fri, 27 Jun 2025 00:00:00 GMT

The talks and speakers have now been announced for Keycloak’s Identity Summit. Save your spot today!

📍 KEYCONF25 – taking place in Amsterdam on August 28th, 2025!

This year’s edition of the Keycloak Identity Summit promises more content, more connections, and even more opportunities to engage with the people shaping the future of identity and access management.

Talk highlights

Our talks highlight the broad spectrum of the Keycloak ecosystem: How to run it with confidence and securely, how extend it, and how to apply it in existing and new scenarios.

See below for a short-list of topics we cover:

Human and Workload Identities: Bridging the Gap with Keycloak
AI Meets Identity: Managing Keycloak with Natural Language via MCP
Observability in Keycloak: Where Does It Hurt?
The Event Sorcerer with the Keycloak: The Battle against Dynamic Configuration
Protectors of the Realm: Breaking and Fixing Keycloak Configurations

A great place to network

Networking lunch: Our extended lunch break is designed to help you meet fellow attendees, swap ideas, and build meaningful professional connections in a relaxed setting.
Meet the maintainers: We will have a panel discussion with the maintainers. Ask your questions live and get a response from the experts!
Business drinks: Stick around after the last session for informal networking over drinks. Want to sponsor this year’s Business Drink? Get in touch with us—we’d love to partner with you!

Get your ticket and join us!

Whether you’re a developer, architect, security specialist, or product owner, KEYCONF25 is your opportunity to gain knowledge, grow your network, and contribute to the future of the Keycloak community.

📅 August 28th, 2025

📍 Amsterdam, Netherlands

Tickets are now available at keyconf.dev – secure your spot!

Want to get involved?

Let’s continue building a stronger, smarter IAM community—together.

We can’t wait to see you in Amsterdam!

Meet Keycloak at KubeCon India in August

Alexander Schwartz — Thu, 12 Jun 2025 00:00:00 GMT

Last year’s KubeCon India was a great success, and Keycloak will be part of this year’s edition in Hyderabad on August 7-8.

A lot of people use Keycloak and develop extensions in for Keycloak in India, so we are thrilled to connect with the community.

Connect with me in this GitHub discussion to have your contributions or projects mentioned in the talk!

Talks at KubeCon

The schedule of KubeCon + CloudNativeCon India 2025 has been released, see below talks about Keycloak:

Project Lightning Talk: How to get your custom access tokens from Keycloak
Wednesday August 6, 2025 11:37 IST
Alexander Schwartz, Red Hat
Delegate Authentication and a Lot More To Keycloak With OpenID Connect
Wednesday August 6, 2025 12:10 IST
Alexander Schwartz & Rishabh Singh, Red Hat

Project Pavillion

The Keycloak project table in the Project Pavillion is the place to meet the Keycloak maintainers, contributors and the larger community.

We will be there in the afternoons, while other projects will be there during the mornings. See below for the location and the times.

Wednesday, August 6: 3:10 pm - 7:15 pm

Thursday, August 7: 1:25 pm - 3:50 pm

Meet us at Table number 3 in the Hyderabad International Convention Centre, Hall 4, solutions showcase.

See you there!

We’re preparing for KubeCon India 2025 and can’t wait to connect with our community. Mark your calendars and join us.

Let me know in this GitHub discussion to have your contributions or projects mentioned in the talk!

See you in Hyderabad!

Keycloak 26.2.5 released

Wed, 28 May 2025 00:00:00 GMT

To download the release go to Keycloak downloads.

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Enhancements

#39469 Fix Securing Apps links to adapters docs
#39486 Email server credentials can be harvested through host/port manipulation admin/api
#39541 Fix doc link to FGAP v1 docs
#39543 Apply edits to Operators Guide docs
#39572 Edit Observability Guide docs
#39590 Fix callouts in Operator guide docs
#39638 Sessions from Infinispan should be mapped lazily for the Admin UI
#39651 Speed up Infinispan list of all sessions be more eagerly remove old client sessions
#39665 When logging in, all client sessions are loaded which is slow oidc

Bugs

#39130 Authorization Code Flow Fails Scope Validation After Credential Definition Migration to Realm Level oid4vc
#39157 [quarkus-next] TestEngine with ID 'junit-jupiter' failed to discover tests dist/quarkus
#39264 [OID4VCI] Documentation Errors docs
#39358 Aggregated policy: Cannot select policies that do not appear in the drop-down list admin/ui
#39450 quarkus runtime options are treated as buildtime options dist/quarkus
#39496 [26.2.3/26.1.5] Regression: empty ClientList in UI for Custom UserStorageProvider admin/ui
#39499 UI does not show user's attributes after reentering the Attributes TAB admin/ui
#39502 Refreshed tokens are not persisted for IDP token exchange token-exchange
#39509 UI does not show organization's attributes after reentering the Attributes TAB account/ui
#39538 Autocomplete in Mapper type of user federation broken admin/ui
#39540 Forms IT tests breaks with Chrome 136.0.7103.59 ci
#39612 Unable to change the OTP hash algorithm admin/ui
#39614 Keycloak not using custom Infinispan config infinispan
#39663 Duplicate validation message “Please specify username.” shown on login form login/ui
#39693 Clicking on the jump links removes the localization of the UI admin/ui
#39697 Authorization documentation shows the wrong view authorization-services
#39710 Recreate update is not scaling down the statefulset to zero operator
#39724 Hibernate LazyInitializationException when deleting client with CompositeRoles core
#39753 POST realm API returns 400 on conflict instead of 409 in version 26.2.4 admin/api
#39798 Documentation has outdated link to the "latest" branch of quickstarts docs
#39800 [KEYCLOAK CI] - AuroraDB IT - Create EC2 runner instance ci

Standard Token Exchange is now officially supported in Keycloak 26.2

Giuseppe Graziano — Mon, 26 May 2025 00:00:00 GMT

The Token Exchange feature has been available in Keycloak for a long time, but only as a preview feature. With the release of Keycloak 26.2, we’re happy to share that Standard Token Exchange is now officially supported and fully compliant with OAuth 2.0 Token Exchange (RFC 8693).

What is Token Exchange? 🔄

Token Exchange is a mechanism that allows a client to exchange one token for another. In the context of Keycloak, this means a client can exchange a token originally issued for another client and receive a new token issued specifically for itself.

Token Exchange is especially helpful in these scenarios:

🎯 Different Audience

When a token was issued for one service but needs to be used to access another, Token Exchange can issue a new token with the appropriate audience.

🔐 Scoped Permissions

If a client needs to access a service with more limited permissions, it can exchange its token for one with reduced or more specific scopes.

What’s new? 🆕

✅ Official support (no longer a preview feature)
📘 Compliance with RFC 8693 (OAuth 2.0 Token Exchange)
🖱️ Simple configuration via the Admin Console (just a switch in client settings)
🛡️ Integration with Client Policies to enforce custom rules. You can restrict exchanges to specific clients, or deny exchanges based on requested scopes.

How to get started 🚀

If you’re using Keycloak 26.2 or later, there’s nothing extra to enable. Token Exchange is ready to use, just open the client settings in the admin console and enable the dedicated switch.

If you’re still using the preview feature of token exchange, check the migration guide and the comparison to understand the differences and plan your migration.

📄 For full setup instructions and configuration details, refer to the official documentation.

What’s next? 🔍

We’re continuing to expand Token Exchange support with future enhancements such as:

🔄 Exchanging tokens issued by external identity providers
👤 Using token exchange to impersonate users

Stay tuned for updates in upcoming releases.

We’d love to hear what you think about this feature and how we can improve it. Feedback and contributions from the community are always welcome.

Hitachi Keycloak case study published

Alexander Schwartz — Mon, 19 May 2025 00:00:00 GMT

Hitachi Ltd. uses Keycloak to make financial grade security easier.

They are providing an API management cloud service for Japanese banks. Banks can open their APIs (like accessing bank accounts) to third-party fintech companies securely by using the service. One of the biggest challenges in the development phase was authorizing APIs for financial grade security. For API authorization in the financial sector, Financial-grade API (FAPI) is specified by the OpenID Foundation and widely adopted.

By using Keycloak as an authorization server of the API management cloud service, they can provide a fully FAPI conformant API authorization for their customers.

Read more on their challenges and the solution in this CNCF case study published for the Keycloak project!

We are now starting to collect all case studies at our case studies page. If you want to share your case study with the Keycloak community, contact me to sort out the details.

Secure email delivery with XOAUTH2

Sebastian Rose — Sun, 18 May 2025 00:00:00 GMT

Keycloak relies on email functionality for tasks like password resets, user verifications, and notifications.

A common setup is for Keycloak to authenticate to the SMTP server with a username and password. With issue #17432, the Keycloak community raised the need for token-based authentication with XOAUTH2, as some providers deprecated the authentication for SMTP with passwords.

With Keycloak 26.2, the SMTP AUTH configuration now supports XOAUTH2. As Keycloak’s role is that of an application, it uses the client credentials grant to fetch the token. The SMTP AUTH configuration in Keycloak now supports all required fields to fetch such a token with client id and client secret.

When implementing this functionality, I found that while it works with Microsoft Azure and Office365, it would need a different mechanism for providers like Google.

So let’s follow through this example, and then discuss if we need something different from SMTP altogether.

Configuring Keycloak to send emails with XOAUTH2

The following assumes that you are working with Keycloak 26.2.

In a realm, navigate to Realm Settings → Email and fill in the fields.

To see the new XOAUTH2 feature, enable Authentication via the radio-button and switch the Authentication Type from Password to Token. You can find further details in the documentation on sending emails.

Once you fill all the settings for gathering an access token and the username, you can test the configuration via the built-in "Test connection" button.

Challenges with real world cloud providers

Testing Microsoft Azure, I found it supports fetching an XOAUTH2 token through a client credentials grant using a client secret. It needs several configuration changes in several places on Microsoft Azure to make it work, which is annoying, but eventually it all works in Keycloak 26.2.

Google does not support the client credentials grant with a client secret, but requires sending a JWT token. Therefore, it does not work with Keycloak 26.2 yet, as that would need additional functionality and even more configuration options for Keycloak. Please vote on issue #39610 to add Google with SMTP and XOAUTH2 to a future Keycloak release.

When analyzing the Google APIs, we found that a Google Enterprise account seems to have no possibility of restricting the sender email address. So any email address, even the CEO’s email address, could be as a sender with Google and XOAUTH2 authentication, which feels wrong.

Looking at the different capabilities of those two cloud providers, it raises the question of how to support scenarios for additional providers: Should Keycloak show provider-specific configuration screens, or would we need to make the UI even more generic and complex?

Re-thinking sending messages to users

While implementing XOAUTH2, I learned a lot more details on a modern cloud-provider’s perspective handle sending of emails. Another big impulse came from discussions during the Keycloak DevDay 2025 Hackathon.

Let’s break apart what happens when we talk about the current email functionality of Keycloak:

Keycloak is sending a message to an identity. This message could be any format, and building a message could be separated from the actual delivery of that message.
An identity could have all kinds of message handles and email just one of them. Also, the way to send an email in a cloud world might no longer be the Simple Mail Transfer Protocol (SMTP), but an HTTP- and JSON-based API.

To me, working with SMTP and XOAUTH2 feels like working on something quite ancient. So what might be other steps for the bright future of Keycloak regarding sending messages to identities?

Providers offer HTTP-based messaging APIs to send email without using SMTP. Looking at these and remembering the discussions from the Keycloak DevDay 2025 Hackathon:

Why use email addresses at all?
All kinds of handles could reach an identity.
In some parts of the planet, only mobile phones are used to reach out to somebody.
In development scenarios, even a chat-message to, for example, Slack might be enough.

I started a discussion about the Future of sending messages to identities in Keycloak. Please join the discussion and let me know what you think.

OpenTalk Keycloak case study published

Alexander Schwartz — Thu, 15 May 2025 00:00:00 GMT

OpenTalk, a videoconferencing solution, needed a secure and scalable Identity and Access Management (IAM) solution to authenticate users across various services. Keycloak meets OpenTalk’s goals for security, user sovereignty, data privacy and regulatory requirements, so they use it in their architecture.

Read more on their challenges and the solution in the first CNCF case study published for the Keycloak project!

We are now starting to collect all case studies at our case studies page. If you want to share your case study with the Keycloak community, contact me to sort out the details.

Achieving Fine-Grained Admin Permissions with Keycloak 26.2

Vlasta Ramik — Wed, 14 May 2025 00:00:00 GMT

For years, Role-Based Access Control (RBAC) has been the cornerstone of authorization in many applications. Assigning users to roles provides a simple and effective way to manage access for common use cases. However, as applications become more complex and security requirements more demanding, RBAC alone often falls short.

Keycloak is leveling up administrative access control with the release of Fine Grained Admin Permissions V2 a major step towards introducing delegated administration to Keycloak so that server administrators can assign management privileges to other users in a realm. By doing that, you should be able to reduce management costs and effort, and improve the overall efficiency and security of your deployments by authorizing access to specific resources in a realm.

Why Fine-Grained Admin Permissions (FGAP) V2?

In previous Keycloak versions, administrative access was largely driven by broad roles such as realm-admin or manage-users. While effective for simple setups, these roles often granted more access than necessary and lacked clarity around which actions they allowed.

FGAP V2 introduces a cleaner, more deliberate permission model that enables:

Granular access control over users, clients, groups, and roles
Clear boundaries between operations—no more implicit permissions
Easier management of the permissions and policies
Better evaluation mechanism to allow authorization administrators audit the model

✨ Key Highlights

🧭 Centralized Permissions Management

A new Permissions section in the Admin Console provides a single place to view and manage all fine-grained permissions for a realm. This simplifies navigation and makes it easier to design and audit your permission model.

🔍 Improved Manageability and Evaluation

Permissions are now easier to discover, filter, and evaluate. You can inspect which scopes are assigned to which identities—making it more transparent and manageable to build tailored administrative roles.

🎯 Resource-Specific and Global Permissions

Define permissions either at the individual resource level (e.g., a single or set of users or clients), or across all resources of a given type (e.g., all groups). This dual mode offers flexibility for both tightly scoped delegation and broader administrative policies.

✂️ Explicit Operation Scoping

Gone are the days of hidden dependencies between permissions. FGAP V2 makes every scope explicit—such as view-members, manage-members, map-roles, or impersonate. This reduces confusion and gives you full visibility into what’s granted and why.

🛠️ Per-Realm Enablement

FGAP V2 can be enabled independently for each realm. This allows administrators to adopt the new model incrementally, experiment safely, and customize permission boundaries realm-by-realm.

🔧 How to Enable It

Start Keycloak. The feature is enabled by default.
Go to Realm Settings → Admin Permissions and enable FGAP for the realm.
Use the new Permissions section to define permissions and policies for users, clients, groups, and roles.

For full configuration details, refer to the Fine-Grained Admin Permissions documentation.

🔄 Migration and Compatibility

FGAP V2 provides the same level of access control over realm resources as the previous version, while improving manageability and clarity. Automatic migration is not available, but if you’re upgrading from an earlier Keycloak version, see the Upgrading Guide for important key changes and migration notes.

What’s Next?

This is just the beginning. Upcoming Keycloak releases will continue to expand FGAP support to additional resource types (such as Organizations) and more fine grained actions for existing resources.

Try it out, experiment with permissions and policies and let us know what you think. Fine-Grained Admin Permissions V2 is here to help you run Keycloak with confidence, clarity, and control.

Keycloak 26.2.4 released

Thu, 8 May 2025 00:00:00 GMT

To download the release go to Keycloak downloads.

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Enhancements

#39418 Clarify when to use podman docs

Bugs

#35278 Double click on social provider link causes page has expired error login/ui
#38918 IPv6 support: Broker tests failing with proxy configuration ci
#39021 After migrating to newer Keycloak, token refreshes using inherited offline sessions return access tokens with invalid exp value oidc
#39023 Keycloak 26.2.0 UI Performance Degradation admin/ui
#39173 duplicate key value violates unique constraint "constraint_offl_cl_ses_pk3" infinispan
#39454 JGroups errors when running a containerized Keycloak in Strict FIPS mode and with Istio infinispan
#39500 Update Job Pod is listed in the keycloak discovery service operator

Keycloak 26.2.3 released

Mon, 5 May 2025 00:00:00 GMT

To download the release go to Keycloak downloads.

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

New features

#38985 Possibility to log details and representation to the jboss-logging listener

Enhancements

#39080 Standardize introductory text in Keycloak guides

Bugs

#38104 Temporary failure in name resolution with nip.io ci
#38145 Unknown error on authentication-flow delete action admin/ui
#38482 SAML client certificate not persisted admin/ui
#38487 [Keycloak Operator CI] - Test remote (slow) - UpdateTest.testExplicitStrategy ci
#38660 Ldap federation seems to open and keep open a new thread/connection for each ldap request ldap
#38671 Duplicate Key Violation When Reauthenticating After Account Deletion via Google identity-brokering
#38703 Password Policy Changes get overwritten in the UI admin/ui
#38799 Kerberos principal attribute value "comes back" when cleared. admin/ui
#38873 Client Credentials tab : "Allow regex pattern comparison" toggle is always "On" on page load admin/ui
#38911 Filtering of user- and admin-events by dateTo always returns empty results admin/api
#38932 Home button always redirects to master realm when permission denied admin/ui
#38934 UI: Readonly/disabled profile form input fields are visually indistinguishable from active fields account/ui
#38964 [26.2.0/26.1.5] Regression: ClientList value is empty in UI for Custom UserStorageProviderFactory admin/ui
#38970 Authentication request can fail with `unknown_error` authentication
#39026 Fine-grained-permssion v2 Display problem admin/fine-grained-permissions
#39037 UserInfo request fails by using an access token obtained in Hybrid flow with offline_access scope oidc
#39046 Keycloak 26.2.0 can't authenticate to the H2 database after the upgrade core
#39055 After import of keys an export doesn't include these values admin/ui
#39065 Issue with SSL and `CertificatereloadManager` in Keycloak 26.2 when using Istio infinispan
#39085 Redirects to admin endpoint 404s on hostname-admin / request scheme mismatch core
#39124 [Operator CI] - Test remote (slow) ci
#39180 Groups view: Filter/search bar disappears and groups not shown after clearing empty search results admin/ui
#39182 Oracle driver problems in keycloak 26.2.1 dependencies
#39187 Account console: defaultLocale item in select locale field account/ui
#39206 Wrong UDP jgroups metric name docs
#39219 Serverinfo response grows over time admin/api
#39237 Deletion of a role is slow when when there are a lot of roles in the database core
#39246 Duplicate user entries when searching custom attributes core
#39274 Aurora DB should not update automatically to the latest minor version ci
#39296 Inconsistent "grant_types" vs "grantTypes" Naming Causes GrantTypeCondition to Always Fail core
#39312 SLO measurement should mention a month as a period docs

Keycloak 26.2.2 released

Wed, 30 Apr 2025 00:00:00 GMT

To download the release go to Keycloak downloads.

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Enhancements

#39142 Make distribution startup timeout configurable testsuite

Bugs

#39125 [Keycloak CI] - FIPS UT - Run crypto tests ci
#39349 CVE-2025-3910 Two factor authentication bypass
#39350 CVE-2025-3501 Keycloak hostname verification

Announcing Keycloak's Identity Summit: KEYCONF25

Nathalia Pinesi — Mon, 28 Apr 2025 00:00:00 GMT

KeyConf24 was a fantastic success, bringing together identity and access management professionals, developers, and community members from across Europe. The day was packed with insightful talks, deep dives into Keycloak, and incredible conversations between some of the brightest minds in IAM.

Now, we’re excited to take things even further.

📍 Introducing KEYCONF25 – taking place in Amsterdam on August 28th, 2025!

What to expect at KEYCONF25

Inspiring Keynote Speakers: Hear directly from thought leaders, core contributors, and experts working on the cutting edge of Keycloak and open identity standards.
Connect with like-minded professionals: From long-time contributors to those just starting their IAM journey, KEYCONF25 is the perfect place to meet others working with identity, OAuth2, OIDC, and more.
Networking lunch: Our extended lunch break is designed to help you meet fellow attendees, swap ideas, and build meaningful professional connections in a relaxed setting.
Business drinks: Stick around after the last session for informal networking over drinks. Want to sponsor this year’s Business Drink? Get in touch with us—we’d love to partner with you!
Expert sessions and real-world use cases: Gain practical insights into Keycloak implementation, security improvements, OAuth2 best practices, and evolving identity standards. Topics and speakers to be announced soon!

Save the date and join us!

📅 August 28th, 2025

📍 Amsterdam, Netherlands

Tickets are now available at keyconf.dev – secure your spot early!

Want to get involved?

We’re actively seeking sponsors and speakers for KEYCONF25. If you’d like to share your expertise or support this community-driven event, please get in touch at marketing@adorsys.com.

Let’s continue building a stronger, smarter IAM community—together.

We can’t wait to see you in Amsterdam!

Observability in Keycloak 26.2

Michal Hajas — Thu, 24 Apr 2025 00:00:00 GMT

When running a central single sign on service like Keycloak in production, you need to understand how well the system performs and whether there are service degradations. Having a proper monitoring stack in place is essential for this. Moreover, when the system performance degrades, it is crucial to identify which part of the system is causing the problem to address it.

In the latest Keycloak release, all the above became more straightforward and works without additional extensions.

Read on to learn more and watch the recording of our meetup on May 7th!

Hey Keycloak! How are you?

Users rely on Keycloak to log in to their applications, and service level indicators (SLIs) capture the key metrics capturing that behavior. Misbehavior of the system can be detected by monitoring these SLIs.

One of the indicators can be the availability of the system. The indicator for availability can be defined as: percentage of the time the system can answer requests. The lower the indicator is for your system, the less available it was in the observed period.

Find an example set of SLIs for Keycloak and more details on this topic in the Monitoring performance with Service Level Indicators guide.

Oh no! You are not doing well?

Now we know how to detect when Keycloak is not performing well. But what should I do when a service level indicator shows a degradation of the service? This situation usually means some part of Keycloak does not perform well. However, from the indicator itself, it is hard to say what part of Keycloak it is.

To identify the culprit of the problem, we provide the Troubleshooting using metrics guide that lists chosen metrics. Using these metrics, you can visualize what is happening in your deployment and down problems.

Some examples of metrics from the guide are listed below:

Number of operations performed by Keycloak like password hashes, login flows, token refreshes, etc.
Memory usage
Database connection pool utilization
Number of HTTP requests per URL and outcome
Hit ratios for internal caches

For environments with Prometheus for collecting metrics and Grafana for displaying them, we also provide Grafana dashboards to make troubleshooting smoother. Find instructions on how to deploy our dashboards into your Grafana instance in the Visualizing activities in dashboards guide.

Grafana dashboards with SLIs (click to enlarge)

My Keycloak is still sick :( I need an in-depth examination

Thanks to metrics, you can observe certain aspects of the system and how they evolve over time. However, they may not provide a detailed picture of what is happening inside Keycloak for a specific request. For this, you can leverage traces. Learn more in the Root cause analysis with tracing guide.

With tracing, you can observe steps that Keycloak was performing for a specific request, including the respective timing for each of them. These steps include operations by Keycloak but also waiting time for responses from third party services like the database, LDAP, Infinispan and others. This helps you to reveal where the bottleneck in your system is.

In the example below, you can see steps Keycloak was performing when a user submitted the username and password form. You can see the most time-consuming step was password hashing, which took 30 milliseconds out of 48-millisecond total request processing time.

Trace displayed in Jaeger (click to enlarge)

Next steps

To see all of this in action and to ask live questions, join the Keycloak hour of code online meetup held on 7th May 2025 at 4pm CEST dedicated to observability.

As an appetizer, see a shorter version of a demo by Ryan Emerson recorded at KubeCon London 2025.

To ask questions outside the meetup, use the CNCF #keycloak-sre-sig Slack channel. Use https://slack.cncf.io/ to join the CNCF Slack if you do not have an account yet.

You can also leave the feedback in the Keycloak GitHub discussion dedicated to this blog post.

Keycloak 26.2.1 released

Wed, 23 Apr 2025 00:00:00 GMT

To download the release go to Keycloak downloads.

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Enhancements

#38956 Clarify upgrade instructions
#39057 Change the title for Grafana dashboards guide to plural docs
#39059 Document operator `Auto` update strategy when used with `podTemplate`

Bugs

#38458 [FGAP] [UI] Permission search doesn't execute correct consequent search request admin/fine-grained-permissions
#38692 Test coverage for count menthods when filtering admin/fine-grained-permissions
#38767 Make group required when selecting a specific group creating a premission admin/ui
#38812 Test failures in CI in Chrome tests ci
#38846 StatefulSet reconciliation infinitely looping operator
#38913 [FGAP] AvailableRoleMappings do not consider all-clients permissions admin/fine-grained-permissions
#38920 Downstream docs have duplicate ID on sampling docs
#38925 Blocking issue with increasing JVM thread count after migrating from 26.0.8 to 26.1.4 infinispan
#38929 Permission details sometimes don't show the name of the client admin/fine-grained-permissions
#38930 [Docs] Broken link in ExternalLinksTest for importmap docs
#38937 Liquibase checksum mismatch when upgrading from Keycloak ≤ 22.0.4 directly to 26.2.x storage
#38982 JpaRealmProvider getGroupByName return group duplicate due to change of comparison (like vs equal) ldap
#39015 Keycloak operator with update strategy to Auto: missing imagePullSecrets operator
#39096 Release note 26.2.0 has broken link docs

Keycloak at KubeCon EU 2025

Ryan Emerson — Wed, 16 Apr 2025 00:00:00 GMT

Keycloak had a very active presence at this year’s KubeCon EU in London. This blog presents a few of the highlights as well as ways you can contribute to Keycloak’s CNCF journey.

Project Pavilion

Keycloak hosted a project pavilion stand during Wednesday, Thursday and Friday afternoon slots. Attending the booth were Keycloak contributors Takashi Norimatsu and Yoshiyuki Tabata from Hitachi, alongside Martin Bartos and Ryan Emerson from Red Hat.

During these sessions, we had the opportunity to connect with both existing and prospective Keycloak users to talk all things related to Identity and Access Management. Keycloak stickers were as popular as ever, with both the CNCF sticker wall and our own stash completely emptied! It was fantastic to hear firsthand feedback - what’s working well and where there’s room for improvement. Insights like these are invaluable as we continue to grow the project and shape the future roadmap. If you weren’t able to stop by the pavilion, we’d still love to hear from you, please feel free to share your thoughts via the online feedback form.

Keycloak Talk

Takashi Norimatsu and Ryan Emerson presented a talk titled “Evolving OpenID Connect and Observability in Keycloak”. Watch the recording to hear about how OpenID Connect and observability have evolved over the past year in the Keycloak project. A video of the talk is linked below.

Thank you to all who attended and asked questions, there were good follow-up conversations that continued well after our time was up.

Keycloak Survey

Are you a Keycloak user who is deploying in production or just considering starting with Keycloak? We would love to hear more from you about your success stories, what is crucial to your deployments and what can be done better. Please fill out the online Keycloak Survey so we can better understand your use cases.

Your story maybe a candidate for a CNCF Case Study. If you would like to share your success story with our community, answer yes to the “Would you be interested to share your story with our broader community?” and we will be in touch shortly.

KeycloakCon and KubeCon Japan

The two events KeycloakCon Japan and KubeCon Japan will happen in Tokyo on June 13 and June 16-17 2025, respectively.

KeycloakCon 2025 Japan is a half-day meetup on June 13 where the community of Keycloak gathers. It provides opportunities for technical lectures, growth, and networking with talks related Identity and Access Management (IAM) and Single Sign On (SSO). The call for papers and the registration for KeycloakCon 2025 Japan is now open! Submit your talks to the first-ever KeycloakCon in Japan.

KubeCon 2025 Japan will be held on June 16-17, where Marek Posolda and Takashi Norimatsu will be presenting the talk: Add Single-sign-on To Your Applications With Keycloak and Learn About Its Latest Features.

We hope to see you there and hear your latest Keycloak stories!

Keycloak Client Libraries 26.0.5 released

Tue, 15 Apr 2025 00:00:00 GMT

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

New features

#120 Add release notes so they can be pulled into the website client

Enhancements

#111 Close session when client is closed client
#135 Testing and document keycloak-client with Java 11 client
#147 Update PR-CHECKLIST client
#158 Sync with Keycloak server after Keycloak 26.2 release client

Bugs

#150 POM contains invalid SCM URLs client

Keycloak 26.2.0 released

Fri, 11 Apr 2025 00:00:00 GMT

To download the release go to Keycloak downloads.

Highlights

Supported Standard Token Exchange

In this release, we added support for the Standard token exchange! The token exchange feature was in preview for a long time, so we are glad to finally support the standard token exchange. For now, this is limited to exchanging the Internal token to internal token compliant with the Token exchange specification. It does not yet cover use cases related to identity brokering or subject impersonation. We hope to support even more token exchange use cases in subsequent releases.

For more details, see the Standard token exchange.

For information on how to upgrade from the legacy token exchange used in previous Keycloak versions, see the Upgrading Guide.

Fine-grained admin permissions supported

This release introduces support for a new version of fine-grained admin permissions. Version 2 (V2) provides enhanced flexibility and control over administrative access within realms. With this feature, administrators can define permissions for administering users, groups, clients, and roles without relying on broad administrative roles. V2 offers the same level of access control over realm resources as the previous version, with plans to extend its capabilities in future versions. Some key points follow:

Centralized Admin Console Management - New Permissions section was introduced to allow management from a single place without having to navigate to different places in the Admin Console.
Improved manageability - Administrators can more easily search and evaluate permissions when building a permission model for realm resources.
Resource-Specific and Global Permissions – Permissions can be defined for individual resources (such as specific users or groups), or entire resource types (such as all users or all groups).
Explicit Operation Scoping – Permissions are now independent, removing hidden dependencies between operations. Administrators must assign each scope explicitly, making it easier to see what is granted without needing prior knowledge of implicit relationships.
Per-Realm Enablement – Fine-Grained Admin Permissions can be enabled on a per-realm basis, allowing greater control over adoption and configuration.

For more details, see fine-grained admin permissions.

For more information about migration, see the Upgrading Guide.

Guides for metrics and Grafana dashboards

In addition to the list of useful metric names the Observability guides category now also contains a guide on how to display these metrics in Grafana. The guide contains two dashboards.

Keycloak troubleshooting dashboard - showing metrics related to service level indicators and troubleshooting.
Keycloak capacity planning dashboard - showing metrics related to estimating the load handled by Keycloak.

Zero-configuration secure cluster communication

For clustering multiple nodes, Keycloak uses distributed caches. Starting with this release for all TCP-based transport stacks, the communication between the nodes is encrypted with TLS and secured with automatically generated ephemeral keys and certificates.

This strengthens a secure-by-default setup and minimizes the configuration steps of new setups.

For more information, check the Securing Transport Stacks in the distributed caches guide.

Rolling updates for optimized and customized images

When using an optimized or customized image, the Keycloak Operator can now perform a rolling update for a new image if the old and the new image contain the same version of Keycloak. This is helpful when you want to roll out, for example, an updated theme or provider without downtime.

To use the functionality in the Operator, enable the Auto update strategy and the Keycloak Operator will on image change briefly start up the old and the new image to determine if a rolling update without downtime is possible. Read the section Managing Rolling Updates in the Keycloak Operator Advanced Configuration guide for more details on this functionality.

The checks to determine if a rolling update is possible are also available on the Keycloak command line so you can use them in your deployment pipeline. Continue reading in the Update Compatibility Tool guide for more information about the functionality available on the command line.

Additional query parameters in Admin Events API

The Admin Events API now supports filtering for events based on Epoc timestamps in addition to the previous yyyy-MM-dd format. This provides more fine-grained control of the window of events to retrieve.

A direction query parameter was also added, allowing controlling the order of returned items as asc or desc. In the past the events where always returned in desc order (most recent events first).

Finally, the returned event representations now also include the id, which provides a unique identifier for an event.

Logs support ECS format

All available log handlers now support ECS (Elastic Common Schema) JSON format. It helps to improve Keycloak’s observability story and centralized logging.

For more details, see the Logging guide.

New cache for CRLs loaded for the X.509 authenticator

Now the Certificate Revocation Lists (CRL), that are used to validate certificates in the X.509 authenticator, are cached inside a new infinispan cache called crl. Caching improves the validation performance and decreases the memory consumption because just one CRL is maintained per source.

Check the crl-storage section in the All provider configuration guide to know the options for the new cache provider.

Operator creates NetworkPolicies to restrict traffic

The Keycloak Operator now creates by default a NetworkPolicy to restrict traffic to internal ports used for Keycloak’s distributed caches.

This strengthens a secure-by-default setup and minimizes the configuration steps of new setups.

You can restrict the access to the management and HTTP endpoints further using the Kubernetes NetworkPolicies rule syntax.

Read more about this in the Operator Advanced configuration.

Option to reload trust and key material for the management interface

The https-management-certificates-reload-period option can be set to define the reloading period of key store, trust store, and certificate files referenced by https-management-* options for the management interface. Use -1 to disable reloading. Defaults to https-certificates-reload-period, which defaults to 1h (one hour).

For more information, check the Configuring the Management Interface guide.

Dynamic Authentication Flow selection using Client Policies

Introduced the ability to dynamically select authentication flows based on conditions such as requested scopes, ACR (Authentication Context Class Reference) and others. This can be achieved using Client Policies by combining the new AuthenticationFlowSelectorExecutor with conditions like the new ACRCondition. For more details, see the Server Administration Guide.

JWT Client authentication aligned with the latest OIDC specification

The latest version of the OpenID Connect Core Specification tightened the rules for audience validation in JWT client assertions for the Client Authentication methods private_key_jwt and client_secret_jwt . Keycloak now enforces by default that there is single audience in the JWT token used for client authentication.

For information on the changed audience validation in JWT Client authentication Keycloak versions, see the Upgrading Guide.

Many thanks to Thomas Darimont for the contribution.

Federated credentials are available now when fetching user credentials

Until now, querying user credentials using the User API will not return credentials managed by user storage providers and, as a consequence, prevent fetching additional metadata associated with federated credentials like the last time a credential was updated.

In this release, we are adding a new method getCredentials(RealmModel, UserModel) to the org.keycloak.credential.CredentialInputUpdater interface so that user storage providers can return the credentials they manage for a specific user in a realm. By doing this, user storage providers can indicate whether the credential is linked to it as well as provide additional metadata so that additional information can be shown when managing users through the administration console.

For LDAP, it should be possible now to see the last time the password was updated based on the standard pwdChangedTime attribute or, if using Microsoft AD, based on the pwdLastSet attribute.

In order to check if a credential is local - managed by Keycloak - or federated, you can check the federationLink property available from both CredentialRepresentation and CredentialModel types. If set, the federationLink property holds the UUID of the component model associated with a given user storage provider.

Token based authentication for SMTP (XOAUTH2)

The Keycloak outgoing SMTP mail configuration now supports token authentication (XOAUTH2). Many service providers (Microsoft, Google) are moving towards SMTP OAuth authentication and end the support for basic authentication. The token is gathered using Client Credentials Grant.

Many thanks to Sebastian Rose for the contribution.

New client configuration for access token header type

A new admin setting has been added: Clients → Advanced → Fine grain OpenID Connect configuration → Use "at+jwt" as access token header type

If enabled, access tokens will get header type at+jwt in compliance with rfc9068#section-2.1. Otherwise, the access token header type will be JWT.

This setting is turned off by default.

Many thanks to Laurids Møller Jepsen for the contribution.

OpenID for Verifiable Credential Issuance documentation

The OpenID for Verifiable Credential Issuance (OID4VCI) remains an experimental feature in Keycloak, but it received further improvements and especially the The documentation, with the steps how to try this feature.

You will find significant development and discussions in the Keycloak OAuth SIG. Anyone from the Keycloak community is welcome to join and provide the feedback.

Many thanks to all members of the OAuth SIG group for the participation in the development and discussions about this feature. Especially thanks to Awambeng Rodrick and Ingrid Kamga.

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

New features

#10438 Release process for OperatorHub operator
#17171 Traefik SPI Provider
#35507 Token exchange - permissions token-exchange
#36306 New CLI command: update-compatibility
#36520 New operator spec: upgrade strategy
#36696 Support token type "at+jwt" for OAuth 2 access tokens oidc
#36750 Create CA certificate for JGroups encryption
#38523 Expose OTP Policy in FreeMarker Context for Login Themes login/ui

Enhancements

#17432 Add support for SMTP OAuth 2.0 authentication for outgoing email core
#19127 Improve docs about audience docs
#19148 Token Exchange in "Securing Applications and Services" should mention admin_fine_grained_authz token-exchange
#21728 Removal of X-XSS-Protection header core
#23144 Review and document how refresh tokens are issued when executing token exchanges token-exchange
#24297 Add authentication flow mapping to existing ACR implementation authentication
#25154 `VERIFY_EMAIL` is not supported as an Application Initiated Action
#26473 The way CRLs are currently loaded is slow and uses large amounts of memory authentication
#27734 Use separate OLM channels for each major Keycloak release operator
#28569 Ability to set DN for new users/groups seperate to DN used for search
#30226 Admin-UI: disable Direct Access Grant by default when creating a new client
#31797 Improved consent handling in token exchange (OIDC to OIDC Client) token-exchange
#33357 Create some mechanism to catch duplicate keys in .properties file translations
#33804 Support multiple mail domains for linked IDPs per organization organizations
#33833 Replace `RTL_LANGUAGE_CODE` with Intl request
#33946 Keycloak Admin Client: Close Session when Client is Closed
#34132 Signed SAML metadata saml
#34202 Improve useability of authentication flow UI admin/ui
#34275 Organizations: Allow Organization Selection organizations
#34343 CreatedResponseUtil.getCreatedId should expose the actual error message from the server admin/client-java
#34720 Include broker session ID in IDENTITY_PROVIDER_LOGIN events
#34764 Do not remove users in LDAP when queries return an empty result ldap
#34922 IPv6 support: OLM tests not passing operator
#34971 Extend InfiniSpan ProtoSchema with custom types
#34989 Not email password policy provider: case insensitive comparison
#35505 Support for multiple values of audience token-exchange
#35861 Make client cert lookup honor the `proxy-trusted-addresses` option dist/quarkus
#35901 Document how Keycloak is upgraded when Operator is upgraded via OLM docs
#35995 Review usages of `ref` in `Inject` annotations as they not always translate to the identifier of the object being injected test-framework
#36036 Make Network policy supported
#36126 Add OpenSSF Scorecard badge to README
#36262 Introduce guide for metrics provided by Keycloak docs
#36266 Make user events feature supported
#36440 Remove Node.js adapter documentation from main repo docs
#36456 Clarify IPv6 JGroups requirements in Keycloak documenation
#36501 Upgrade to Quarkus 3.17.x dist/quarkus
#36557 Polishing of CreatedResponseUtil.getCreatedId admin/client-java
#36600 Extend REST API for login and admin events to support sync scenarios
#36671 Translation guide should show a more detailed translation status translations
#36691 Upstream KC main docs to ROSA 4.17 in the sizing guide docs
#36748 Operator: automatic upgrade strategy
#36775 Add option to enable debugging for distribution server mode test-framework
#36786 SPI for compatibility metadata
#36794 Upgrade to Quarkus 3.20 LTS
#36798 Add detail on dependencyManagement section for POM files
#36840 Update Compatibility CLI: add feature flag
#36854 Enable QUARKUS_LOG_JSON_LOG_FORMAT = ecs when logging in Keycloak dist/quarkus
#36885 Improve UX of realm selector
#36904 Add APIResponse annotations to User resources
#36905 Add APIResponse annotations to Role resources
#36906 Add APIResponse annotations to Client Scope resources
#36907 Add APIResponse annotations to Realm resources
#36908 Add APIResponse annotations to Organization resources
#36941 Organization membership for federated users organizations
#36996 Updated translation for "noAccount" in messages_ko.properties
#37005 Login[v2]: Worsen appearance of list of Identity Providers login/ui
#37011 Missing language: Slovenian translations
#37014 Improve readability of relevant options in guides docs
#37034 Remove redundant information from cache entries
#37056 Upgrade to Quarkus 3.18.2 dist/quarkus
#37062 Slow query when checking if a realm has brokers and brokering is enabled identity-brokering
#37079 Improve docs about JPA provider configuration for DB migration strategy core
#37083 Update screens for new realm selector
#37087 Test logs for Quarkus IT are huge and cannot be viewed testsuite
#37089 Stabilize `QuarkusPropertiesDistTest` for Windows in Quarkus IT testsuite
#37093 Avoid sending JSON for user and client sessions to the database
#37129 Create new guide for Keycloak Grafana dashboards
#37145 Simplify translations by removing leading blanks in strings translations
#37220 Operator: new CR status condition for upgrades
#37225 Refactor OAuthClient used for testing test-framework
#37306 Add full Keycloak CR HPA example to docs
#37316 JGroups certificate rotation
#37389 Make event metrics supported
#37416 Operator: Implement an explicit update stategy
#37428 Add a HTML sanitizer for translated message resources translations
#37433 Allow admin to disable automatic refresh of event views admin/ui
#37436 Quarkus 3.19.x upgrade
#37458 Prevent proxy-protocol-enabled=true from being used proxy-headers set
#37535 Add CLOMonitor Badge to the README
#37582 Check surplus blanks in source strings translations
#37584 Support RTL in HTML generated for emails translations
#37624 Suppress info message about mapper config synchronizer core
#37645 Changes needed for new realm selector admin/ui
#37696 Document default key length (2048 bits) and key type (RSA) and make JGroups encryption enabled by default
#37711 Upgrade to Infinispan 15.0.14
#37850 Upgrade to Quarkus 3.19.2 dist/quarkus
#37998 Improve Documentation for Email Event Listner
#38107 Upgrade to Quarkus 3.20.0.CR1
#38168 Make make the rolling updates feature supported versioned and supported
#38212 Improve message when evaluating permission results admin/fine-grained-permissions
#38263 Login[v2]: Use SVG Keycloak logo
#38273 Support partial evaluation for the group resource type admin/fine-grained-permissions
#38355 Add Italian and Romanian language to translations.md
#38366 Polish the events thrown by client policies oidc
#38398 Update javadoc of java admin-client for Keycloak 26.2 admin/client-java
#38415 Login[v2]: WebAuthn/Passkeys screens are not polished
#38426 New realm creation should validate the name uniqueness before hitting the DB
#38445 Not possible to delegate creating or deleting RecoveryKeys credential to userStorage authentication
#38459 Docker image creation simplification
#38490 Support decoding EC private keys and PEM bundles in PEM/DER utilities
#38540 Validate placeholder usage in frontend and backend messages
#38568 Clear persistent user sessions cache on Keycloak cluster merge
#38583 Rework titles in the observability guide
#38596 Prevent NPE in `CryptoIntegration.setProvider(null)`
#38644 Do not allow delete the FGAP client admin/fine-grained-permissions
#38688 Adding a guide on how to use and enable exemplars
#38732 Improvements to partial evaluation admin/fine-grained-permissions
#38764 OTel: Unable to disable sampling at runtime; tracing-sampler-ratio validation prevents setting 0.0 dist/quarkus
#38792 Add Janher to Dutch translation
#38798 Update FGAP documentation admin/fine-grained-permissions
#38819 Make sure that there is single audience allowed by default in JWT tokens sent to client authentication oidc
#38837 Cache resource names associated to policies to improve partial evaluation admin/fine-grained-permissions

Bugs

#26104 Improper Input Validation for Recovery Codes Setup authentication
#26105 Users Can Change Recovery Codes Generation Timestamp authentication
#26106 Recovery Code Validation Race Possible authentication
#29585 Passkeys conditional UI authenticator: NullPointerException when filling some random username authentication/webauthn
#29586 Passkeys conditional UI authenticator: NullPointerException when authenticated as removed user authentication/webauthn
#32262 SAML Frontchannel Logout missing via Redirect or Post Binding is missing signature if login happened via artifact binding saml
#32535 Invalid migration export for empty database core
#32766 Translation error in messages_fr.properties translations
#32921 Update realm erases browser security header fields admin/api
#33332 External token (not issued by Keycloak) cannot be validated in token exchange flow in case user info check is disabled token-exchange
#33432 UI Build complains about Typescript issue (TS2742) admin/ui
#33475 quarkus-next: SunCertPathBuilderException: unable to find valid certification path to requested target ci
#33477 LDAP groups not showing members in Groups when using memberOf attribute ldap
#33524 Social login - several tests failing constantly ci
#33743 Linked accounts displayed when there are no providers available account/ui
#34364 User import gets exponentially slow import-export
#34396 com.google.code.findbugs:jsr305 is old and no longer under active maintenance dependencies
#34454 quarkus-next: StackOverflowError causes build failure dist/quarkus
#34512 Keycloak OpenAPI specification doesn't match actual API implementation admin/api
#34868 [Jenkins Operator CI] - Test remote - ClusteringTest on OpenShift ci
#35020 Pasword creation date from active directory is wrong ldap
#35261 liveness probe /health/live not UP while DB migrations initialization core
#35580 AvailableRoleMappingResource.listAvailableUserRoleMappings returns the wrong roles when using fine grained permissions admin/fine-grained-permissions
#35700 Very uncommon new german Weblate translation 'Berechtigungsnachweis' for login data /account credential translations
#35833 Install on oracle database with custom schema fails on clean install storage
#36103 Translation resolution bug in keycloak-admin-ui admin/ui
#36159 Realm not found while exists and works if entered directly in the URL admin/ui
#36195 CVE-2024-12397 - HTTP Request Smuggling in io.quarkus.http:quarkus-http-core dist/quarkus
#36284 Fail to import realm during the startup with specific name file import-export
#36285 Permission editor shows resource IDs instead of names admin/ui
#36338 Scrollbar missing so I can't scroll to the last menu item on the left admin/ui
#36345 [Keycloak CI] - Cookies tests - KcOidcBrokerTokenExchangeTest ci
#36383 Operator tests failing on IPV6 environment operator
#36405 Redirect after linking account account/ui
#36409 Verify email required action shows presents message that email was sent even on errors core
#36413 Empty state in new events tabs admin/ui
#36447 ClientProtocolCondition.getProviderId() typo authentication
#36460 Deployment artifacts for Quarkus extensions are not in deployment dir dist/quarkus
#36464 Remove a duplicate code block
#36475 DPoP: Refresh token created with DPoP can be refreshed without proof oidc
#36476 DPoP: User Info Endpoint authorization type mismatch oidc
#36478 Spelling and grammar mistakes in admin UI messages admin/ui
#36482 The root cause of error is suppressed in KC 26 at building dependencies
#36483 Wrong link for tracing in 26.1.0 release notes docs
#36486 ExternalLinksTest is broken after Keycloak 26.1.0 release docs
#36498 Duplicated code due to typo in DefaultHttpClientFactory core
#36514 The organization claim does not appear if the Organization Membership Mapper is added through a custom client scope organizations
#36517 Custom ClientAuthenticatorFactory with ProviderConfigProperty broken admin/ui
#36518 Duplicate groups needs fine grained authorisation admin/ui
#36527 Viewing user events requires `view-realm`-role admin/ui
#36531 WebAuthN and dark mode: device icons are hardly readable login/ui
#36535 Duplicate message keys for FA email template translations
#36541 Unable to build from source using instructions core
#36559 keycloak.v2 forms are too small for mobile view login/ui
#36560 Policy enforcer do not handle suppressed server resources authorization-services
#36569 Organization invite link leads to non-defined page, when clicked second time organizations
#36585 Keycloak user attribute key broken in Keycloak 26.1.0 admin/ui
#36596 Client session list doesn't show all sessions (again..) admin/ui
#36598 Duplicated warning banner for temporary admin admin/ui
#36611 TimeOffsetSupplier for new test framework doesn't reset time offset test-framework
#36615 Unable to regenerate secret after changing client authenticator admin/ui
#36621 Multi-valued control in user attributes doesn't sort entries and doesn't support autocomplete admin/ui
#36629 All IDPs shown when reloading login page login/ui
#36633 JGroups warning on startup infinispan
#36649 When organizations feature is turned on, login_hint doesn't prefill identity-first login's page email field organizations
#36669 --spi-connections-liquibase-default-index-creation-threshold does not work core
#36675 Links error for https://jwt.io in documentation docs
#36679 FIPS docs is incorrect docs
#36697 kc.bat script doesn't allow multiple log level entries dist/quarkus
#36703 When linking IDP to an organization hide on login sets as off admin/ui
#36708 After importing SAML client certificate the client is broken and can't be saved admin/ui
#36709 SAML2 Client Signing Keys Config does not accept PEM import admin/ui
#36725 IPA-Tuura federation README needs a few fixes core
#36728 Logging errors on DB transaction retries core
#36732 External (IDP) token-exchange is possible even for clients needing user consents token-exchange
#36745 Conflict when Keycloak uses an OpenShift cluster ingress certificate operator
#36752 Addition of crl cache is a breaking change infinispan
#36781 Flaky test: org.keycloak.testsuite.webauthn.account.WebAuthnTransportLocaleTest#localizationTransportInternal ci
#36782 Flaky test: org.keycloak.testsuite.webauthn.account.WebAuthnSigningInTest#multipleSecurityKeys ci
#36789 Seaching users in the user selector will not show the username for users already selected admin/ui
#36811 OAuth 2.0 Device Authorization Grant Issues: Token Issued After Authorization Denial and Browser Back oidc
#36826 NullPointerException when registering a oid4vc CredentialBuilder provider component oid4vc
#36834 Documentation about ImportSynchronization mentions wrong interface UserStorageProvider storage
#36837 Remove resources from permissions when updating the associated resources admin/fine-grained-permissions
#36838 Update FGAP v2 to not grant permissions of all users when permission is granted only for a single user admin/fine-grained-permissions
#36842 Comboxes do not display selected option after reset admin/ui
#36843 Login with x-forwarded-for: IP address in user login event is null admin/cli
#36844 Provide an option to force login after reset credentials authentication
#36858 JDBC Ping with Docker infinispan
#36861 AuthenticationFlowContext.getRefreshUrl(true) - adds auth_session_id query param in an old non-supported format core
#36865 Error pulling from docker.io in DockerClientTest ci
#36872 Duplicate admin UI message keys admin/ui
#36874 Unrecognized configuration key "quarkus.smallrye-health.extensions.enabled" was provided dist/quarkus
#36887 Outdated documentation about how to use reCAPTCHA in development with localhost docs
#36902 Flaky test: org.keycloak.testsuite.webauthn.account.WebAuthnErrorTest#errorPageWithTimeout ci
#36916 [FGAP] User can see itself even though he has negative permission to view itself
#36919 Latency issue after Keycloak version upgrade core
#36926 Invoking dynamic client registration with lightweight access token results in a 404 oidc
#36927 MeterFilter is configured after a Meter has been registered dist/quarkus
#36945 Bad escape apostrophe character in messages_fr.properties login/ui
#36965 CVE-2025-0736 Error during JGroups channel creation may reveal secure information
#36985 Admin console: unable to edit user profile attribute either on the form or the JSON editor. admin/ui
#36988 Typos in English email message templates translations
#36998 UI tests failing admin/ui
#37002 RawKeycloakDistribution creates empty directory when copying provider testsuite
#37039 Certificate reloading dosen't work for management interface related certificate dist/quarkus
#37066 Error on import of a public key (pem) authentication
#37072 AccountRestService.supportedLocales is missing @Produces account/api
#37073 Account console not working on embedded Keycloak server account/ui
#37081 Review how all resource type permissions are evaluated admin/fine-grained-permissions
#37127 Organization invitation flow -> changing locale / language does not work organizations
#37128 Customized quarkus.properties for MySQL cause "Unable to find the JDBC driver (org.h2.Driver)"，The server fails to start. storage
#37136 Password Setting modal box title is "Reset Password..." admin/ui
#37162 Pods become unresponsive after upgrade to 26.1.0 infinispan
#37169 Wrong organization claim assignment in JWT access token organizations
#37207 Change default value for force-login option in reset-credential-email authentication
#37229 Login form can be used to determine which email addresses / usernames are in the system login/ui
#37268 Problems changing pre-defined user profile attributes admin/ui
#37285 Upgrade to latest JGroups patch version
#37298 Main is broken because of the OAuthClient changes testsuite
#37320 Cannot fetch realm role that was renamed admin/api
#37337 Make sure resources are properly managed when updating permissions admin/fine-grained-permissions
#37360 CVE-2024-47072 - XStream is vulnerable to a Denial of Service attack due to stack overflow from a manipulated binary input stream
#37392 [Jenkins Operator CI] - UpgradeTest#testImageChange ci
#37393 Organizations: Adding LDAP federated user to org leads to org group being pushed to LDAP core
#37415 Typo in English text for admin UI key resourceAttributeHelp translations
#37431 Password policies like NoUsername consider case-sensitivity authentication
#37434 External Link Test failing docs
#37449 'Registration Flow' forms on organization invites should have the 'token' query parameter added to forms 'url.loginAction' organizations
#37508 Allow refresh of session list in admin ui even if list is corrently empty admin/ui
#37530 Missing translation for INVITE_ORG event in admin console admin/ui
#37544 INVALID_REQUEST error code returned but not INVALID_SCOPE authentication
#37546 new warnings with simple start-dev dist/quarkus
#37552 The token exchange grant type not available in well-known endpoint when token-exchange-standard feature enabled oidc
#37560 Flaky test OrganizationInvitationLinkTest testsuite
#37570 Requested locale applied on first login page but not on following pages admin/ui
#37571 Flaky test: org.keycloak.testsuite.actions.RequiredActionPriorityTest#executeRequiredActionWithCustomPriorityAppliesSamePriorityToSessionAndUserActions ci
#37577 Property Name Casing Mismatch in ProtocolMapperUtils saml
#37621 When calling the token revoke endpoint multiple times with the same token, a database REVOKED-TOKEN constraint error is reported storage
#37656 [Keycloak Integration CI] - Extension - Start keycloak failed ci
#37673 `ClientPolicyProvider` doesn't check for deleted Clients - throws NPE authorization-services
#37675 Keycloak Fails to Load HTTPS Key Material (Incorrect Path Resolution) dist/quarkus
#37690 [Operator] Test UpgradeTest is unstable ci
#37694 Session type incorrectly set in access-token context when token created with scope=offline_access oidc
#37710 Code editor is not displaying when viewing a policy from Clients → Authorization → Policies admin/ui
#37715 Quick Theme needs icon support admin/ui
#37744 Group search of nested groups does not work as expected core
#37749 "remember me" session are reset as standard session after browser restart authentication
#37766 API docs don't build after adding new ISPN compile time annotations ci
#37772 Configuring log levels for package names with underscores dist/quarkus
#37780 keycloak.conf allows for some quarkus. properties dist/quarkus
#37781 Config expression may use the wrong value dist/quarkus
#37792 Save Button Not Enabled When Switching OTP Type from "Time Based" to "Counter Based" admin/ui
#37802 Add User to Organisation documentation wrong admin/api
#37816 Compilation failure: KeycloakModelSchema cannot find symbol KeycloakModelSchemaImpl infinispan
#37817 internal options are settable in non-cli config sources dist/quarkus
#37824 Organization - Identity-First Flow automatic redirect only works with domain in login name organizations
#37834 URI template for paths shouldn't allow nested braces core
#37839 OIDC Backchannel Logout does not honour pairwise subject identifier oidc
#37842 webauthn-authenticate.ftl broken login/ui
#37843 Admin events: resource type filter does not work admin/ui
#37869 ConditionalOtpFormAuthenticator fails to set CONFIGURE_TOTP required action for LDAP read-only users
#37890 Add search filter to Organizations page admin/ui
#37898 [Keycloak CI] - SSSD tests ci
#37911 Unwanted placeholder texts in user profile fields admin/ui
#37920 When testing/evaluating permissions UMA resources are not resolved properly authorization-services
#37922 KeycloakModelUtils.findUserByNameOrEmail() returns null for email as "username" (realm setting: login with email disabled) core
#37928 Custom Authenticator SPI MAP_TYPE default value ignored in Admin UI admin/ui
#37930 Inconsistent use of single quotes in message resources translations
#37941 Repeated info logs running an import infinispan
#37944 KC_HTTPS_TRUST_STORE_TYPE not working dist/quarkus
#37988 For external-to-internal token exchange when using the userinfo endpoint, information from access or ID token can't be extracted token-exchange
#37992 Id of user federations not respecting UUID format, consequently warning logs "The given key is not a valid key per specification, future migration might fail" are raised core
#38006 Polynomial regex in KeycloakUriBuilder core
#38020 [FGAP] [UI] Remove the requirement for mandatory fields in admin console when creating policies
#38029 User created with undefined locale except when they explicitely select their language login/ui
#38030 Need a better 403 page for admin console admin/ui
#38038 The default setting of the client request object parameter is empty admin/ui
#38041 [Keycloak CI] - WebAuthn tests ci
#38061 Selecting an indvidual Client Policy selects all client policies admin/ui
#38063 Issue in clearing offline sessions internally using ClearExpiredUserSessions Scheduled task
#38065 Login with admin-cli not possible with password starting with "@@" admin/cli
#38078 Custom UI Tab Incorrectly Displayed Under Multiple Tabs admin/ui
#38112 Worse UX with new realm selector admin/ui
#38117 Login[v2]: Worsen UI design for login screens core
#38119 Login[v2]: Keycloak logo is not fully visible core
#38120 Login[v2]: Missing info section for screens core
#38121 Login[v2]: Worsen login screen layout core
#38127 Profile Custom Attribute Group: Click on attribute group changes URL, breaking the navigation in AdminUI admin/ui
#38137 Cannot authenticate to "admin-cli" client due to Java null pointer exception admin/cli
#38141 Account UI doesn't show max length validation for user profile account/ui
#38143 Message format must not be used for UI messages account/ui
#38152 Broken guides link on reverseproxy page docs
#38162 Missing Space in Role Attribute View After Refresh admin/ui
#38180 Unstable test TimeOffsetTest testsuite
#38190 [Documentation CI] - External links check docs
#38193 Managed resource not injected if a dependency is incompatible testsuite
#38195 Injected HttpClient is always re-created testsuite
#38208 Attribute added to managed test client with rollback is not removed testsuite
#38240 [FGAP] [UI] Searching for permissions doesn't clear `Resource` field upon changing `Resource type` admin/fine-grained-permissions
#38243 Updating a client with rollback in a test doesn't reset all values testsuite
#38247 Keycloak rotate certificate without delay when rotation time is less then 100s infinispan
#38249 Unable to activate user-event-metrics with optimized container image using the operator dist/quarkus
#38250 Unexpected transformation of user labels in the Account UI account/ui
#38253 ERROR Hostname v1 options [hostname-strict-https] are still in use on startup dist/quarkus
#38257 Can not set user email to blank organizations
#38260 File upload in realm settings is not working admin/ui
#38269 Fine-Grain Admin Permissions: Difference in Policy Evaluation in v1 vs v2 admin/fine-grained-permissions
#38281 [Keycloak CI] - AuroraDB IT - Error deleting AuroraDB ci
#38282 [Keycloak JavaScript CI] - Admin UI E2E (chrome) - Upload Playwright report error ci
#38284 `PartialEvaluator` ignores `view-*` and `manage-*` roles admin/fine-grained-permissions
#38298 Fix leaking 5s rotation period to other tests
#38304 Filtering not working when using view-member permission with a permission that denies access to a resource admin/fine-grained-permissions
#38319 Authorization Settings (ResourceServerRepresentation) Import doesn't reflected into all keycloak functionalities without server restart authorization-services
#38320 Locale RTL does not work properly login/ui
#38323 Regression in the "client selector" UI component admin/ui
#38331 Not Recently Used (In Days) "user" is null on registration core
#38333 When calling the user info endpoint, the DPoP is not bound to the access token core
#38353 Keycloak email message ID contains the local host name or IP address core
#38369 [FGAP] User not visible when permission with different scope exists admin/fine-grained-permissions
#38381 Recovery Codes messages in account console are not displayed / API change account/ui
#38394 JWKSUtils.computeThumbprint(..) broken for ECPublicKeys oidc
#38417 Cookie “KC_AUTH_SESSION_HASH” has been rejected because it is in a cross-site context and its “SameSite” is “Lax” or “Strict” authentication
#38454 Keycloak account console is missing the Keycloak logo account/ui
#38463 Frontend endpoint redirects to admin endpoint core
#38467 PersistenceExceptionConverter#convert NPE if SQLState is null storage
#38500 Impossible to update client settings after previously updated client in tab "Advanced" admin/ui
#38501 Disabled switch for "Allow refresh token for token exchange" after client is created admin/ui
#38517 [Keycloak CI] - Quarkus IT - ProxyHostnameV2DistTest.testForwardedProxyHeaders ci
#38550 Cluster is not correctly formed with JDBC_PING2 infinispan
#38572 Missing explicit target for cross-reference 2FA in server admin guide docs
#38576 Define a max expiration window for Signed JWT client authentication oidc
#38591 Persistent User Sessions doesn't track staleness of client sessions core
#38607 Recaptcha secret key configuration lost when migrating from 24.0.5 to 26.1.4 authentication
#38617 Set the correct revision number in stateful set operator
#38648 Can not delete users using the administration consle admin/ui
#38677 [FGAP] Documentation contains redundant sentense admin/fine-grained-permissions
#38695 Export failing if the realm has FGAP enabled admin/fine-grained-permissions
#38712 Can not add or remove groups when updating a group resource type permission admin/fine-grained-permissions
#38721 Obsolete pinned guides and wrong ordering in downstream docs
#38740 OTelHttpClientFactory not configured properly when tracing enabled dist/quarkus
#38760 POST /admin/realms/{realm}/organizations/{id}/members in Keycloak API not working with some REST clients admin/api
#38765 Client 'admin-permissions' doesn't have protocol set. admin/fine-grained-permissions

Keycloak 26.1.5 released

Fri, 11 Apr 2025 00:00:00 GMT

To download the release go to Keycloak downloads.

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Enhancements

#38409 Upgrade to Quarkus 3.15.4 dist/quarkus
#38764 OTel: Unable to disable sampling at runtime; tracing-sampler-ratio validation prevents setting 0.0 dist/quarkus

Bugs

#36482 The root cause of error is suppressed in KC 26 at building dependencies
#37792 Save Button Not Enabled When Switching OTP Type from "Time Based" to "Counter Based" admin/ui
#37869 ConditionalOtpFormAuthenticator fails to set CONFIGURE_TOTP required action for LDAP read-only users
#38041 [Keycloak CI] - WebAuthn tests ci
#38063 Issue in clearing offline sessions internally using ClearExpiredUserSessions Scheduled task
#38152 Broken guides link on reverseproxy page docs
#38353 Keycloak email message ID contains the local host name or IP address core
#38454 Keycloak account console is missing the Keycloak logo account/ui
#38576 Define a max expiration window for Signed JWT client authentication oidc
#38607 Recaptcha secret key configuration lost when migrating from 24.0.5 to 26.1.4 authentication
#38740 OTelHttpClientFactory not configured properly when tracing enabled dist/quarkus

Translating Keycloak with Weblate

Alexander Schwartz — Mon, 7 Apr 2025 00:00:00 GMT

Keycloak runs in a lot of regions and countries. Translations help Keycloak to reach a wider audience by making the platform usable for speakers of various languages.

For translations, Keycloak now integrates with Weblate to simplify the process. The community can use a web-based frontend to contribute translations, and the language maintainers get automated notifications and review the translations.

Read on for more details on the process.

We had an online Q&A session for AMER/EMEA and APAC where you can see this process live and in action.

Translate using Weblate

Weblate eliminates the need for Git skills; and browsers suffice for translation contributions.

Two language maintainers are needed to set up a translation for Keycloak in Weblate. They need to be native speakers of that language and will regularly review the contributions from the community. Today this is the case for languages like Catalan, German, Dutch, Italian, Japanese and Spanish.

To have your language added to Weblate, join the GitHub discussion on translations and pair up with others.

Translate using GitHub pull requests

Before Weblate, we used GitHub pull requests to contribute and maintain all translations, and you can still use them.

Each pull request for a translation needs to be reviewed by a native speaker. You can either ask the community, a friend or a colleague for the review.

Join the discussion and read up on the process

Read more about the translation process in our repository, or join the GitHub discussion on translations to ask questions or to contribute ideas.

Let’s make Keycloak’s translations shine!

Register now for KubeCon Japan in June

Alexander Schwartz — Thu, 27 Mar 2025 00:00:00 GMT

This year is the first time there is a KubeCon in Japan, and the Keycloak project is excited to be part of it! Join us on June 16-17 2025 in Tokyo, Japan for this exciting event.

Keycloak has a powerful community in Japan, and we have received several contributions in the past. There will be two talks about Keycloak (see below).

Talks at KubeCon

The schedule of KubeCon + CloudNativeCon Japan 2025 has been released, see below talks about Keycloak:

Add Single-sign-on To Your Applications With Keycloak and Learn About Its Latest Features
Monday June 16, 2025 12:10 - 12:40 JST
Takashi Norimatsu, Hitachi & Marek Posolda, Red Hat
Mastering Authorization: Integrating Authentication and Authorization Data in Cloud Native Apps
Tuesday June 17, 2025 14:50 - 15:20 JST
Yoshiyuki Tabata, Hitachi, Ltd.

Project Pavillion

The Keycloak project table in the Project Pavillion is the place to meet the Keycloak maintainers, contributors and the larger community.

We will be there in the afternoons, while other projects will be there during the mornings. See below for the location and the times.

Table: P-7
Table Schedule: Monday 15:15 - 19:15, Tuesday 14:00 - 17:00 JST
Location: Level 1 | Pegasus Foyer

Please see the official page above for the exact location and time in case it is changed by event organizers.

See you there!

We’re preparing for KubeCon Japan 2025 and can’t wait to connect with our community. Mark your calendars and join us.

See you in Tokyo!

Keycloak 26.1.4 released

Fri, 14 Mar 2025 00:00:00 GMT

To download the release go to Keycloak downloads.

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Enhancements

#37433 Allow admin to disable automatic refresh of event views admin/ui
#37711 Upgrade to Infinispan 15.0.14

Bugs

#37320 Cannot fetch realm role that was renamed admin/api
#37621 When calling the token revoke endpoint multiple times with the same token, a database REVOKED-TOKEN constraint error is reported storage
#37843 Admin events: resource type filter does not work admin/ui
#37911 Unwanted placeholder texts in user profile fields admin/ui
#37944 KC_HTTPS_TRUST_STORE_TYPE not working dist/quarkus
#38038 The default setting of the client request object parameter is empty admin/ui

Meet Keycloak at KubeCon EU, London in April 2025

Ryan Emerson — Sat, 8 Mar 2025 00:00:00 GMT

We are thrilled to announce that Keycloak will be at KubeCon Europe, London April 1-4th 2025.

Keycloak community Meet & Greet at the Project Pavilion

Takashi Norimatsu from Hitachi, Ryan Emerson and Martin Bartos from Red Hat, and other contributors will be hosting a Keycloak kiosk at the Project Pavilion. This is a great chance to meet people who use Keycloak, contribute to Keycloak, take our survey about new Keycloak features, and get some cool swag!

Keycloak Kiosk (booth 17A) opening hours:

Wednesday, April 2: 15:30 - 19:45
Thursday, April 3: 14:00 - 17:00
Friday, April 4: 12:30 - 14:00

Presenting evolving OpenID Connect and Keycloak Observability

Takashi Norimatsu and Ryan Emerson will be presenting a talk on Evolving OpenID Connect and Observability in Keycloak.

Friday, April 4, 14:30 - 15:00pm
Evolving OpenID Connect and Observability in Keycloak
By Takashi Norimatsu, Hitachi & Ryan Emerson, Red Hat.

Related Talks

Keycloak has a powerful community in Japan, and we have received several contributions in the past. One of Keycloak’s maintainers, Takashi Norimatsu, is based in Japan. There is also a quite popular Japanese book about Keycloak Authentication and Authorization by Yuichi Nakamura and Japanese community colleagues that will soon appear in its second edition.

To learn more about community activities in Japan, join the following talk:

Thursday April 3, 2025 14:15 - 14:45
Cloud Native Communities in Action: How Japan Shaped Its Path To KubeCon
By Ota Kohei, Apple; Shu Muto, NEC Solution Innovators, Ltd.; Yuichi Nakamura, Hitachi, Ltd.; Sunyanan Choochotkaew, IBM Research; Noriaki Fukuyasu, The Linux Foundation

See you soon!

We’re preparing for KubeCon EU 2025 and can’t wait to connect with our community. Mark your calendars and join us.

See you in London!

Introducing the Keycloak Austria User Group

Christoph Kofler, Stephan Kraft — Wed, 5 Mar 2025 00:00:00 GMT

Join the event on March 11th to look behind the scenes of how the development of Keycloak is organized, and subscribe to the Meetup to get invitations for future events. Read on to find out about previous topics that have been recorded and upcoming events.

It happened to me several times that I was sitting in a workshop about any topic and the term “Keycloak” was used. Not in a spectacular tone, but rather like “We have Keycloak for this and that, and it just works!” Christoph Kofler, COO at Gepardec, had similar experiences. Thus, we already discussed some years ago that Keycloak is somehow an unsung hero, a hidden star, very much appreciated, but not in the spotlight of any encountering or events.

End of 2023, we concluded that we want to establish a local community in Austria, very informal, very technical - just for like-minded people to meet, give and take experiences and have a good time together. It was easy to set up the group in the meetup platform (Keycloak User Group Austria) and also announced the first event in March 2024 at the Red Hat Office in Vienna. To our positive surprise, we almost immediately jumped to 100 members and had 40+ participants on-site. The meeting was framed by a very nice greeting note from the Keycloak founder Stian Thorgersen. We had two great sessions about Keycloak Configuration with DevOps principles and Keycloak in mission-critical environments from the community and afterward beer and original Leberkäse from Leberkäs-Pepi. The feedback was overwhelmingly positive, participants talked, laughed and connected till 9 pm.

This has motivated us to have two more gatherings in 2024, one at Posedio and one at ÖBB (“Austrian Railway systems”) who kindly offered to provide location, food and beverages. Again, the talks lead to lots of questions and discussions which lasted till the late evening. Moreover, we also have established a YouTube channel with all recorded sessions and many members from the local Austrian Keycloak community have participated in KeyConf in September 2024, organized by adorsys.

We are looking forward to another 3 events in 2025 which are already planned. If you are interested to participate and/or contribute a talk, please get in touch with us:

Christoph Kofler, Stephan Kraft

Keycloak 26.1.3 released

Fri, 28 Feb 2025 00:00:00 GMT

To download the release go to Keycloak downloads.

Highlights

Send Reset Email force login again for federated users after reset credentials

In version 26.1.1 a new configuration option was added to the reset-credential-email (Send Reset Email) authenticator to allow changing the default behavior after the reset credentials flow. Now the option force-login (Force login after reset) is adding a third configuration value only-federated, which means that the force login is true for federated users and false for the internal database users. The new behavior is now the default. This way all users managed by user federation providers, whose implementation can be not so tightly integrated with Keycloak, are forced to login again after the reset credentials flow to avoid any issue. This change in behavior is due to the secure by default policy.

For more information, see Enable forgot password.

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Bugs

#32535 Invalid migration export for empty database core
#36405 Redirect after linking account account/ui
#36527 Viewing user events requires `view-realm`-role admin/ui
#36585 Keycloak user attribute key broken in Keycloak 26.1.0 admin/ui
#36703 When linking IDP to an organization hide on login sets as off admin/ui
#36709 SAML2 Client Signing Keys Config does not accept PEM import admin/ui
#36842 Comboxes do not display selected option after reset admin/ui
#36927 MeterFilter is configured after a Meter has been registered dist/quarkus
#36965 CVE-2025-0736 Error during JGroups channel creation may reveal secure information
#36985 Admin console: unable to edit user profile attribute either on the form or the JSON editor. admin/ui
#37029 CI fails with "Problem creating zip: Execution exception: Java heap space" ci
#37066 Error on import of a public key (pem) authentication
#37128 Customized quarkus.properties for MySQL cause "Unable to find the JDBC driver (org.h2.Driver)"，The server fails to start. storage
#37169 Wrong organization claim assignment in JWT access token organizations
#37207 Change default value for force-login option in reset-credential-email authentication
#37229 Login form can be used to determine which email addresses / usernames are in the system login/ui
#37268 Problems changing pre-defined user profile attributes admin/ui
#37285 Upgrade to latest JGroups patch version
#37360 CVE-2024-47072 - XStream is vulnerable to a Denial of Service attack due to stack overflow from a manipulated binary input stream
#37431 Password policies like NoUsername consider case-sensitivity authentication
#37434 External Link Test failing docs
#37577 Property Name Casing Mismatch in ProtocolMapperUtils saml

New videos about OpenID Connect and Keycloak from FOSDEM 2025

Alexander Schwartz — Tue, 25 Feb 2025 00:00:00 GMT

FOSDEM is a free event for software developers to meet, share ideas and collaborate. Every year, thousands of developers of free and open source software from all over the world gather at the event.

Several talks regarding OpenID Connect and Keycloak have been recorded, and are now available online to re-watch. See below for the links to the videos.

Meeting the Keycloak community on-site

As an incubating project of the Cloud Native Computing Foundation (CNCF), we were happy to share the space of their stand. During the two days, we met with hundreds of existing Keycloak users on-site, as well as with people new to the IAM and identity space. It was fun and exciting to learn what people are doing.

We would love to hear more from you about your success stories, what is crucial to your deployments and what can be done better. Fill out the online Keycloak Survey, so we can better understand your use cases, and if you want to share your experience with the wider Keycloak community.

Videos to re-watch

These four talks mentioned Keycloak in their talk and on their slides, or are related to OpenID Connect. Did we miss a talk that would be interesting to users of Keycloak? Let us know!

Using DPoP to use access tokens securely in your Single Page Applications: Speakers: Takashi Norimatsu, Alexander Schwartz
Track: Security

Abstract: OAuth 2.0 uses access tokens to grant access to secured resources. When using Single Page Applications, they are passed from browsers to the servers as bearer tokens using HTTP headers.

While they are secured in transit using TLS, those tokens could be stolen from a browser, replayed, or mis-used by a malicious or vulnerable server. OAuth 2.0 Demonstrating Proof-of-Possession (DPoP) takes this one step further by equipping the client like your Single Page Application with a key pair so that it can show a proof when passing the access token, so no-one else can use the access token. DPoP is part of the FAPI 2.0 Security Profile by the OpenID Foundation. It promotes best practices on how to protect APIs exposing high-value and sensitive (personal and other) data, for example, in finance, e-health and e-government applications.

This talk will explain the concepts and demos how this can be implemented using Keycloak and other open source components. We will also describe the current challenges, limitations and alternatives of the approach.
Deep Dive into OIDC flows: Speaker: Milan Jakobi
Track: Identity and Access Management

Abstract: Modern web applications strongly rely on Authentication/Authorization infrastructures. To address these needs, the OSS community has strongly endorsed open protocols such as OpenIdConnect and OAuth2, on top of JSON and REST. In turn, these protocols have been implemented in software products such as Keycloak, WSO2 or Lemonldap.

OpenId Connect and OAuth2 are authorization protocols, closely aligned with authentication, as provided by Identity Providers. They have been designed within various standardization bodies such as the OpenId foundation or the Internet Engineering Task Force. Understanding these standards is demanding, but needed in order to implement feature-rich solutions, to understand the various options offered to implementers.

This talk will therefore discuss in details OIDC and OAuth : the various flows that exist in order to obtain access tokens for standard clients, and some advanced features enabled by these protocols.
SSSD and IdPs: Track: Identity and Access Management

Identity Providers (IdP) based on OAuth 2.0/OIDC and other REST APIs like e.g. Keycloak or Entry ID play a dominant role in the identity management of web-based applications. But organizations which are using IdPs for their internal applications still have to use other services, typically LDAP based, to manage access and authentication to LINUX/POSIX user workstations.

To help to avoid running two services for identity management SSSD started to use IdPs to lookup users and authenticate them against the IdPs. In contrast to LDAP there are no standards and conventions with respect to POSIX users and groups in the IdP world.

This talk will focus on how SSSD is getting user and group information from IdPs, how information required by POSIX, e.g. the numeric user and group IDs, is created and what kind of limitations there are. Additionally it will be explained why the OAuth 2.0 Device Authorization Flow was chosen for authentication and demonstrated.
Delegating the chores of authenticating users to Keycloak: Speaker: Alexander Schwartz
Track: Identity and Access Management

Abstract: Authenticating users can start simple with a username and a password for each user. But you will also need to handle forgotten passwords and user registration. You might also want to validate email addresses, add second factors, have users update their profile information as needed, or even offer password-less authentication.

A single-sign-on system like Keycloak can handle all that for you and will redirect users after they are authenticated to your applications using the industry standards like OpenID Connect and SAML.

Join this talk to see how you can delegate all the tasks around authentication to Keycloak. We will start simple and enable more and more features in our demo to show the functionality and flexibility of Keycloak. We will also look at features of the latest release and the road map ahead.

FOSDEM is all about devrooms!

FOSDEM is a big event divided into smaller, single-track conferences with their own call for papers and organizers. Here a short list of those dev rooms that might be of interest for you if you are into Keycloak:

Identity and Access Management Devroom: Identity and Access Management Devroom is related to operating systems' identity and access management in the free software and open source world.
Security Devroom: The Security Devroom covers everything that is relevant to security in the free software and open source world. Talks cover topics like cryptography, supply chain, secure development and hardening.
Digital Wallets and Verifiable Credentials Devroom: The Digital Wallets and Verifiable Credentials DevRoom is about digital wallets, verifiable credentials and the ecosystems emerging from these subjects, especially in the EU.

Keycloak JS 26.2.0 released

Thu, 20 Feb 2025 00:00:00 GMT

Highlights

Today marks a significant milestone in the evolution of Keycloak JS with the release of version 26.2.0. This new version represents a shift in how the JavaScript adapter develops and evolves alongside the Keycloak ecosystem. Although this new version introduces no functional changes to the adapter, it does include several organizational changes.

The most notable change is that Keycloak JS now breaks free from the main Keycloak project’s release cycle. As announced earlier this year, the JavaScript adapter will follow its own independent development path. The separation from the main project allows for more frequent releases of features, bug fixes, and improved responsiveness to community feedback. The JavaScript adapter will continue to be backwards compatible with all actively supported releases of the Keycloak server, and deviation from this will be considered a breaking change.

The choice to use a higher version than the main project itself was made intentionally in order to signal to users the departure from Keycloak’s release cycle. We will however continue to commit to using Semantic Versioning, only bumping major versions if backwards incompatible changes are made, as is customary in the NPM ecosystem. Maintenance updates will continue to land in the 26.1.x series, as it is tied to the current stable release of the Keycloak server, but we encourage users to upgrade to new versions as needed.

Another significant change is the relocation of the codebase to its own dedicated repository. This structural adjustment is not just administrative—it represents a strategic move toward better maintainability. By separating the JavaScript adapter from the main Keycloak repository, the development team gains greater flexibility in managing the codebase and processing community contributions. If you are looking to provide contributions, or are reporting issues, please redirect your efforts here.

Looking ahead, we will be focussing on what is next for Keycloak JS. When it was originally released, only a few OpenID Connect adapters existed for client-side JavaScript, so we needed to make our own adapter. However, this landscape looks very different now, and there are many mature solutions available. The code for Keycloak JS requires modernization and has become challenging to maintain due to the growing complexity. We will continue to evaluate if it makes sense to keep refactoring Keycloak JS, incorporate some mature third-party libraries we can collaborate on, or even replace it with a well-established community solution.

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

Keycloak Extensions show GitHub stars

Alexander Schwartz — Wed, 19 Feb 2025 00:00:00 GMT

The Keycloak homepage has an updated community extensions page! Thanks to Martin Bartoš, each extension shows off with its GitHub stars.

This should provide you with a better overview which extensions are popular with the community.

If an extension you use is listed there, give a star! Are you missing an extension? Create an issue in our GitHub issue tracker to let us know so we can add it.

Click on image below to get the extensions page, or navigate via the Community page and choose “Extensions” there.

PS: Did you already give Keycloak a star?

Keycloak 26.1.2 released

Tue, 11 Feb 2025 00:00:00 GMT

To download the release go to Keycloak downloads.

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Enhancements

#573 Convert tests to standard modules to upgrade dependencies nodejs-connect
#576 Upgrade `@keycloak/keycloak-admin-client` to latest version nodejs-connect

Bugs

#567 Connections with an error code are not terminated nodejs-connect
#571 CI status badge in README is incorrect nodejs-connect
#36858 JDBC Ping with Docker infinispan
#36919 Latency issue after Keycloak version upgrade core
#36926 Invoking dynamic client registration with lightweight access token results in a 404 oidc
#37162 Pods become unresponsive after upgrade to 26.1.0 infinispan

Keycloak 26.1.1 released

Wed, 5 Feb 2025 00:00:00 GMT

To download the release go to Keycloak downloads.

Highlights

New option in X.509 authenticator to abort authentication if CRL is outdated

The X.509 authenticator has a new option x509-cert-auth-crl-abort-if-non-updated (CRL abort if non updated in the Admin Console) to abort the login if a CRL is configured to validate the certificate and the CRL is not updated in the time specified in the next update field. The new option defaults to true in the Admin Console. For more details about the CRL next update field, see RFC5280, Section-5.1.2.5.

The value false is maintained for compatibility with the previous behavior. Note that existing configurations will not have the new option and will act as if this option was set to false, but the Admin Console will add the default value true on edit.

New option in Send Reset Email to force a login after reset credentials

The reset-credential-email (Send Reset Email) is the authenticator used in the reset credentials flow (forgot password feature) for sending the email to the user with the reset credentials token link. This authenticator now has a new option force-login (Force login after reset). When this option is set to true, the authenticator terminates the session and forces a new login.

For more details about this new option, see Enable forgot password.

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Enhancements

#552 Clean up old release code from Node.js adapter repo nodejs-connect
#34275 Organizations: Allow Organization Selection organizations
#34343 CreatedResponseUtil.getCreatedId should expose the actual error message from the server admin/client-java
#36440 Remove Node.js adapter documentation from main repo docs
#36456 Clarify IPv6 JGroups requirements in Keycloak documenation
#36798 Add detail on dependencyManagement section for POM files

Bugs

#558 The draft nightly untagged release is created by "Release nightly" GH action nodejs-connect
#562 Incorrectly resolved {project_versionNpm} expression in the documentation nodejs-connect
#32766 Translation error in messages_fr.properties translations
#33477 LDAP groups not showing members in Groups when using memberOf attribute ldap
#36159 Realm not found while exists and works if entered directly in the URL admin/ui
#36460 Deployment artifacts for Quarkus extensions are not in deployment dir dist/quarkus
#36483 Wrong link for tracing in 26.1.0 release notes docs
#36514 The organization claim does not appear if the Organization Membership Mapper is added through a custom client scope organizations
#36531 WebAuthN and dark mode: device icons are hardly readable login/ui
#36559 keycloak.v2 forms are too small for mobile view login/ui
#36629 All IDPs shown when reloading login page login/ui
#36649 When organizations feature is turned on, login_hint doesn't prefill identity-first login's page email field organizations
#36669 --spi-connections-liquibase-default-index-creation-threshold does not work core
#36675 Links error for https://jwt.io in documentation docs
#36728 Logging errors on DB transaction retries core
#36745 Conflict when Keycloak uses an OpenShift cluster ingress certificate operator
#36781 Flaky test: org.keycloak.testsuite.webauthn.account.WebAuthnTransportLocaleTest#localizationTransportInternal ci
#36782 Flaky test: org.keycloak.testsuite.webauthn.account.WebAuthnSigningInTest#multipleSecurityKeys ci
#36844 Provide an option to force login after reset credentials authentication
#36887 Outdated documentation about how to use reCAPTCHA in development with localhost docs
#36902 Flaky test: org.keycloak.testsuite.webauthn.account.WebAuthnErrorTest#errorPageWithTimeout ci
#36945 Bad escape apostrophe character in messages_fr.properties login/ui
#36988 Typos in English email message templates translations
#36998 UI tests failing admin/ui

Keycloak Nodejs Connect 26.1.1 released

Tue, 28 Jan 2025 00:00:00 GMT

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Enhancements

#552 Clean up old release code from Node.js adapter repo nodejs-connect

Bugs

#558 The draft nightly untagged release is created by "Release nightly" GH action nodejs-connect
#562 Incorrectly resolved {project_versionNpm} expression in the documentation nodejs-connect

Keycloak Client Libraries 26.0.4 released

Fri, 17 Jan 2025 00:00:00 GMT

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Enhancements

#113 Wrong logger class client
#117 Remove JEE from the title of GH actions client
#127 Sync after Keycloak server 26.1.0 release client
#130 Test with keycloak server images 24.0, 26.0 and 26.1 client

Bugs

#115 ProviderTest failing with latest nightly build client
#124 The action "Sync with Keycloak Server and send PR with changes" sends PR, which does not have DCO on the commit client
#129 The action "Sync with Keycloak Server and send PR with changes" takes only client-common-synced into consideration client

Keycloak 26.1.0 released

Wed, 15 Jan 2025 00:00:00 GMT

To download the release go to Keycloak downloads.

Highlights

Transport stack `jdbc-ping` as new default

Keycloak now uses by default its database to discover other nodes of the same cluster, which removes the need of additional network related configurations especially for cloud providers. It is also a default that will work out-of-the-box in cloud environments.

Previous versions of Keycloak used as a default UDP multicast to discover other nodes to form a cluster and to synchronize the replicated caches of Keycloak. This required multicast to be available and to be configured correctly, which is usually not the case in cloud environments.

Starting with this version, the default changes to the jdbc-ping configuration which uses Keycloak’s database to discover other nodes. As this removes the need for multicast network capabilities and UDP and no longer using dynamic ports for the TCP-based failure detection, this is a simplification and a drop-in replacement for environments which used the previous default. To enable the previous behavior, choose the transport stack udp which is now deprecated.

The Keycloak Operator will continue to configure kubernetes as a transport stack.

See the Configuring distributed caches guide for more information.

Virtual Threads enabled for Infinispan and JGroups thread pools

Starting from this release, Keycloak automatically enables the virtual thread pool support in both the embedded Infinispan and JGroups when running on OpenJDK 21. This removes the need to configure the JGroups thread pool, the need to align the JGroups thread pool with the HTTP worker thread pool, and reduces the overall memory footprint.

OpenTelemetry Tracing supported

In the previous release, the OpenTelemetry Tracing feature was preview and is fully supported now. It means the opentelemetry feature is enabled by default.

There were made multiple improvements to the tracing capabilities in Keycloak such as:

Configuration via Keycloak CR in Keycloak Operator
Custom spans for:
- Incoming/outgoing HTTP requests including Identity Providers brokerage
- Database operations and connections
- LDAP requests
- Time-consuming operations (passwords hashing, persistent sessions operations, …)

For more information, see the Enabling Tracing guide.

Infinispan default XML configuration location

Previous releases ignored any change to conf/cache-ispn.xml if the --cache-config-file option was not provided.

Starting from this release, when --cache-config-file is not set, the default Infinispan XML configuration file is conf/cache-ispn.xml as this is both the expected behavior and the implied behavior given the docs of the current and previous releases.

Individual options for category-specific log levels

It is now possible to set category-specific log levels as individual log-level-category options.

For more details, see the Logging guide.

OpenID for Verifiable Credential Issuance

The OpenID for Verifiable Credential Issuance (OID4VCI) remains an experimental feature in Keycloak, but it has great improvements in this release. This feature benefits from much polishing of the existing configuration and making the feature more dynamic and customizable.

You will find significant development and discussions in the Keycloak OAuth SIG. Anyone from the Keycloak community is welcome to join.

Many thanks to all members of the OAuth SIG group for the participation in the development and discussions about this feature. Especially thanks to Francis Pouatcha, Ingrid Kamga, Pascal Knüppel, Thomas Darimont, Ogen Bertrand, Awambeng Rodrick and Takashi Norimatsu.

Minimum ACR Value for the client

The option Minimum ACR value is added as a configuration option on the realm OIDC clients. This addition is an enhancement related to step-up authentication, which makes it possible to enforce minimum ACR level when logging in to the particular client.

Many thanks to Simon Levermann for the contribution.

Support for prompt=create

Support now exists for the Initiating user registration standard, which allows OIDC clients to initiate the login request with the parameter prompt=create to notify Keycloak that a new user should be registered rather than an existing user authenticated. Initiating user registration was already supported in Keycloak with the use of dedicated endpoint /realms/<realm>/protocol/openid-connect/registrations. However, this endpoint is now deprecated in favor of the standard way as it was a proprietary solution specific to Keycloak.

Many thanks to Thomas Darimont for the contribution.

Option to create certificates for generated EC keys

A new option, Generate certificate, exists for EC-DSA and Ed-DSA key providers. When the generated key is created by a realm administrator, a certificate might be generated for this key. The certificate information is available in the Admin Console and in the JWK representation of this key, which is available from JWKS endpoint with the realm keys.

Many thanks to Pascal Knüppel for the contribution.

Authorization Code Binding to a DPoP Key

Support now exists for Authorization Code Binding to a DPoP Key including support for the DPoP with Pushed Authorization Requests.

Many thanks to Takashi Norimatsu for the contribution.

Maximum count and length for additional parameters sent to OIDC authentication request

The OIDC authentication request supports a limited number of additional custom parameters of maximum length. The additional parameters can be used for custom purposes (for example, adding the claims into the token with the use of the protocol mappers). In the previous versions, the maximum count of the parameters was hardcoded to 5 and the maximum length of the parameters was hardcoded to 2000. Now both values are configurable. Additionally it can be possible to configure if additional parameters cause a request to fail or if parameters are ignored.

Many thanks to Manuel Schallar and Patrick Weiner for the contribution.

Network Policy support added to the Keycloak Operator

Note	Preview feature.

To improve the security of your Kubernetes deployment, Network Policies can be specified in your Keycloak CR. The Keycloak Operator accepts the ingress rules, which define from where the traffic is allowed to come from, and automatically creates the necessary Network Policies.

LDAP users are created as enabled by default when using Microsoft Active Directory

If you are using Microsoft AD and creating users through the administrative interfaces, the user will be created as enabled by default.

In previous versions, it was only possible to update the user status after setting a (non-temporary) password to the user. This behavior was not consistent with other built-in user storages as well as not consistent with other LDAP vendors supported by the LDAP provider.

New conditional authenticators `Condition - sub-flow executed` and `Condition - client scope`

The Condition - sub-flow executed and Condition - client scope are new conditional authenticators in Keycloak. The condition Condition - sub-flow executed checks if a previous sub-flow was executed (or not executed) successfully during the authentication flow execution. The condition Condition - client scope checks if a configured client scope is present as a client scope of the client requesting authentication. For more details, see Conditions in conditional flows.

Defining dependencies between provider factories

When developing extensions for Keycloak, developers can now specify dependencies between provider factories classes by implementing the method dependsOn() in the ProviderFactory interface. See the Javadoc for a detailed description.

Dark mode enabled for the welcome theme

We’ve now enabled dark mode support for all the keycloak themes. This feature was previously present in the admin console, account console and login, and is now also available on the welcome page. If a user indicates their preference through an operating system setting (e.g. light or dark mode) or a user agent setting, the theme will automatically follow these preferences.

If you are using a custom theme that extends any of the keycloak themes and are not yet ready to support dark mode, or have styling conflicts that prevent you from implementing dark mode, you can disable support by adding the following property to your theme:

darkMode=false

Alternatively, you can disable dark mode support for the built-in Keycloak themes on a per-realm basis by turning off the Dark mode setting under the Theme tab in the realm settings.

Metrics on password hashing

There is a new metric available counting how many password validations were performed by Keycloak. This allows you to better assess where CPU resources are used, and can feed into your sizing calculations.

See Keycloak metrics and Concepts for sizing CPU and memory resources for more details.

Sign out all active sessions in admin console now effectively removes all sessions

In previous versions, clicking on Sign out all active sessions in the admin console resulted in the removal of regular sessions only. Offline sessions would still be displayed despite being effectively invalidated.

This has been changed. Now all sessions, regular and offline, are removed when signing out of all active sessions.

Dedicated release cycle for the Node.js adapter and JavaScript adapter

From this release onwards, the Keycloak JavaScript adapter and Keycloak Node.js adapter will have a release cycle independent of the Keycloak server release cycle. The 26.1.0 release may be the last one where these adapters are released together with the Keycloak server, but from now on, these adapters may be released at a different time than the Keycloak server.

Updates in quickstarts

The Keycloak quickstarts are now using main as the base branch. The latest branch, used previously, is removed. The main branch depends on the last released version of the Keycloak server, Keycloak client libraries, and adapters. As a result, contributions to the quickstarts are immediately visible to quickstart consumers with no need to wait for the next Keycloak server release.

Updated format of KEYCLOAK_SESSION cookie and AUTH_SESSION_ID cookie

The format of KEYCLOAK_SESSION cookie was slightly updated to not contain any private data in plain text. Until now, the format of the cookie was realmName/userId/userSessionId. Now the cookie contains user session ID, which is hashed by SHA-256 and URL encoded.

The format of AUTH_SESSION_ID cookie was updated to include a signature of the auth session id to ensure its integrity through signature verification. The new format is base64(auth_session_id.auth_session_id_signature). With this update, the old format will no longer be accepted, meaning that old auth sessions will no longer be valid. This change has no impact on user sessions.

These changes can affect you just in case when implementing your own providers and relying on the format of internal Keycloak cookies.

Removal of robots.txt file

The robots.txt file, previously included by default, is now removed. The default robots.txt file blocked all crawling, which prevented the noindex/nofollow directives from being followed. The desired default behaviour is for Keycloak pages to not show up in search engine results and this is accomplished by the existing X-Robots-Tag header, which is set to none by default. The value of this header can be overridden per-realm if a different behaviour is needed.

If you previously added a rule in your reverse proxy configuration for this, you can now remove it.

Imported key providers check and passivate keys with an expired cetificate

The key providers that allow to import externally generated keys (rsa and java-keystore factories) now check the validity of the associated certificate if present. Therefore a key with a certificate that is expired cannot be imported in Keycloak anymore. If the certificate expires at runtime, the key is converted into a passive key (enabled but not active). A passive key is not used for new tokens, but it is still valid for validating previous issued tokens.

The default generated key providers generate a certificate valid for 10 years (the types that have or can have an associated certificate). Because of the long validity and the recommendation to rotate keys frequently, the generated providers do not perform this check.

Admin events might include now additional details about the context when the event is fired

In this release, admin events might hold additional details about the context when the event is fired. When upgrading you should expect the database schema being updated to add a new column DETAILS_JSON to the ADMIN_EVENT_ENTITY table.

OpenShift v3 identity brokering removed

As OpenShift v3 reached end-of-life a while back, support for identity brokering with OpenShift v3 has been removed from Keycloak.

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

New features

#24992 Allow more extensive Override of BackchannelAuthenticationCallbackEndpoint core
#25006 Use optional realm attribute for authenticationrequest parameter max size/number validation configuration
#26178 Support dark mode, at least for the login pages login/ui
#26466 Operator support for setting default value of `http-pool-max-threads` operator
#27736 Used encrypted JGroups connection by default in Operator deployments operator
#29399 JDBC_PING2 as default discovery protocol
#32135 Option to specify trusted proxies dist/quarkus
#32488 Enabling authorization_details for client grant tokens until RAR is fully implemented
#33043 Provide missing user event metrics from aerogear/keycloak-metrics-spi to a keycloak mircometer event listener
#34957 Ability to specify log category levels through separate options dist/quarkus
#35110 Enhance WebAuthn registration to support custom FIDO2 origin validation
#35231 Ability to reject authentication to users without 2FA configured authentication
#35639 Allow users to specify the start page of a custom account-console theme account/ui
#36081 Authentication flow condition for client scope authentication

Enhancements

#10138 Align admin console for client for backchannel and frontchannel logout oidc
#10701 AuthenticationRequest add "create" prompt for sign-up oidc
#13852 js adapter just sets error to true upon error updateToken adapter/javascript
#16545 Additional authorization request parameters shouldn't be limited to 5 and shouldn't be discarded silently oidc
#16884 Support to enforce LoA in authentication flow for a client (Step-up) authentication
#17014 Allow custom message for brute force temporary lockout authentication
#23805 H2 Database should be opt-in and well-documented storage
#23881 Prevent "lost replace" in InfinispanAuthenticationSessionProvider storage
#26780 Maximum 100 resources with same URI checked when requesting permissions by URI authorization-services
#29511 Allow to restrict ProviderConfigProperty input to int values
#29570 Generalize or remove stack trace information found in error message exception handling
#29859 Keycloak native verification of an SD-JWT based vp_token oid4vc
#31764 Run tests with original `keycloak` login theme in nightly
#31842 Allow to create certificates for provider-keys authentication
#32092 OTEL: Add Keycloak CR support for Tracing options operator
#32094 OTEL: Apache HTTP client OpenTelemetry instrumentation
#32110 [Documentation] - Configuring trusted certificates - Fully specify truststore path dist/quarkus
#32114 OTEL: Instrument parts of Keycloak with OTEL spans
#32152 Clarify the behaviour of multiple Operator versions installed in the same cluster operator
#32657 Readonly profile attribute profile has unwanted not translated placeholder account/ui
#32773 [OID4VCI] Migrate Verifiable Credential Definitions from Client Attributes to Realm Level Attributes oid4vc
#33203 Explicitly document that the Operator does not create an Ingress for Admin URL operator
#33233 Add ui to override patternfly colors and logo
#33275 Better logging when error happens during transaction commit storage
#33484 Consolidate the logic for determining a local address core
#33492 Remove retry in LoginPage.resetPassword testsuite
#33496 Add CopyToClipboardButton to UserID in Admin UI
#33498 Expose membership type in the Admin UI for organization members admin/ui
#33559 Add an example nginx reverse proxy configuration
#33569 Show User Events on dedicated tab on Client-/User-Details
#33605 Add a reference to http-enabled in TLS/SSL setup
#33646 Upgrade Infinispan to 15.0.10.Final
#33651 Utilise `jdbc-ping` TCP based JGroups stack as default for non-operator Keycloak deployments
#33678 Make createWebAuthnRegistrationManager protected to allow cutomizations in subclasses authentication/webauthn
#33702 Prevent Keycloak from starting with wrong `work` cache configuration
#33717 Create a new base login theme
#33821 Add switch to disable dark mode
#33932 Background SQL statements show without a connected trace dist/quarkus
#33939 Enable virtual threads in Infinispan and JGroups by default
#34026 Update KEYCLOAK_SESSION cookie to not have sessionId in plain-text authentication
#34027 Sign the AUTH_SESSION_ID cookie value authentication
#34091 Username Form should support autocomplete login/ui
#34137 Standardize error messages from client and server in login theme (keycloak.v2) login/ui
#34253 Deprecate other transport stacks (ec2, azure, google)
#34265 Add JDBC_PING2 stacks for both TCP and UDP
#34284 Keycloak-admin-client should work with the future versions of Keycloak server admin/client-java
#34315 Update the Keycloak CPU and Memory sizing guide to reflect the new ec2 workder nodes
#34330 Delete Openshift 3.x identity provider
#34351 Support for the Croatian language
#34380 Remove remaining table USERNAME_LOGIN_FAILURE from the jpa UserSessionProvider times
#34382 Make the organization chapter of Server Admin guide available on downstream
#34386 Some dynamic imported functions are also statically imported making bundling them in-efficient
#34393 Improve build time of the js module
#34524 Add ability to enable support for Verifiable Credentials per Realm account/ui
#34536 Make cache-remote-host available when feature multi-site or cache-embedded-remote-store is enabled
#34570 Make documentation more clear that keycloak javascript adapter and node.js adapter are OIDC docs
#34583 Microsoft login - add prompt param configure
#34630 Avoid multi-release and java16 specific sources in the core module oidc
#34640 Update certain email templates for password recovery to match English translation format
#34658 Document network ports for Keycloak clustering
#34659 [Operator] Enhance the Keycloak Operator with Network Policies operator
#34695 Allow custom OIDCIdentityProvider implementations to specfiy the supported token types identity-brokering
#34711 OTEL: Provide Tracing SPI
#34755 Disable trim_trailing_whitespace in editorconfig to reduce noise in PRs
#34760 Improving the error message when failing to query an LDAP provider ldap
#34804 Allow a request object by considering a clock skew for smooth interoperability oidc
#34805 Allow a JWT client assertion by considering a clock skew for smooth interoperability oidc
#34848 Too many exceptions created when validating user profile
#34850 Avoid throwing exceptions when issuing reflection on user model
#34855 Add conditional text to Installation Locations
#34873 Update Leveraging JaKarta EE in Server Development guide
#34880 Feature: Allow disabling XA enforcement introduced with v26 dist/quarkus
#34882 Edits to Authorization Services guide
#34894 Allow a DPoP Proof by considering a clock skew for smooth interoperability
#34916 Addresse QE comments on Server Administration guide
#34931 Upgrade to ISPN 15.0.11.Final
#34990 Authorization Code Binding to a DPoP Key and DPoP with Pushed Authorization Requests oidc
#35003 Expose templateName in attributes when rendering freemarker templates login/ui
#35077 Upgrade to Quarkus 3.15.2 dist/quarkus
#35080 Prefer usage of StandardCharsets.UTF_8 over "UTF-8" charset reference core
#35103 [LoginUI] Set HTML lang attribute to "en" when internationalization disabled account/ui
#35180 Improve test method signature and gather more info about assertions testsuite
#35192 Resolve scopes from authenticated client sessions when selecting attributes
#35225 Allow configuring retries for JavaScript tests using environment variable ci
#35243 Allow asking for additional scopes when querying the account console root URL
#35252 Add WHY issues are important for each PR no matter how small to CONTRIBUTING.md docs
#35254 CONTRIBUTING.md has confusing ordered list with two times point 5
#35331 Updated tested PostgreSQL version to 17
#35333 Updated tested MariaDB version to 11.4
#35335 Updated tested MySQL version to 8.4
#35402 Consistent use of log.debugf to avoid generating too much GC overhead
#35415 Add a page with an index that links to smaller pages (JVM, HTTP, Database, embedded caches, external Infinispan) - we can show example widgets from the dashboards later
#35419 OTEL: Enhance traces with spans for each RestEASY resource
#35425 OTEL: Show spans in transaction completion at the end of a request
#35430 OTEL: Group persistent session work activities in parent span or link them
#35457 Avoid creating ObjectMapper but using JsonSerialization utility class when managing event details
#35478 Add password validation to update-password
#35506 Support for multiple values of some parameters in the grant SPI oidc
#35573 Update the Enabling Keycloak Event Metrics guide with the list of possible events and errors
#35588 Update release notes for Keycloak 26.1.0 with new community additions docs
#35598 [Operator] Network Policy Rules operator
#35604 Removing unnecessary configuration from auth servers
#35640 Update the sizing guide with an indicator on which user events to use
#35676 Reduce debounce time in RealmSelector
#35714 Replace `uuid` module with `crypto.randomUUID()`
#35758 Set the LDAP connection pooling protocols by default to plain and tls
#35775 Document the performance numbers from the ARM based ROSA cluster runs
#35807 Add a test that the metrics listed in the docs are available from Keycloak (keep it simple, ignore metrics that don't show up right after the start)
#35834 Use MeterProvider as suggested by the Micrometer team to avoid GC overhead
#35852 Enable LDAP Connection pooling by default
#35856 Release note about node.js adapter and javascript adapter released independently of keycloak server docs
#35859 Update upgrading notes with the changes related to core clients docs
#35939 Rescue dutch translations from aborted Weblate PR
#36015 Update the CA translation translations
#36039 Tune caching guide list of stacks for the upcoming release
#36047 Align realm name placeholder in the docs docs
#36048 Add metric for number of password validations
#36059 OTEL: Add tracing for credential validation
#36079 Suggestion: Improve Regex for NPM Version Conversion in set-version.sh ci
#36087 Allow tracing packets sent to and from LDAP for troubleshooting purposes
#36211 Help texts in the admin UI should end with a dot admin/ui
#36263 OTEL: merge Operator tracing test cases
#36388 Rename `org.keycloak.test.framework` package to `org.keycloak.testframework` test-framework
#36389 Rename `org.keycloak.test` package to `org.keycloak.tests` test-framework
#36425 Make @EnableFeature to handle the case with added provider of currently non-used SPI testsuite
#36442 Prepare a new guide for Keycloak's own metrics in the observability guide

Bugs

#8935 keycloak.js example from the documentation leads to error path adapter/javascript
#10233 Locale Setting for Update Password Mail admin/api
#10417 Race when creating client protocol mappers (ClientManager#enableServiceAccount) resulting in duplicate entries storage
#11008 Incorrect get the members of a group imported from LDAP ldap
#12309 IllegalArgumentException on canceled Account Linking oidc
#12919 Step-up authentication with existing cookie not working when using `Authentication Flow Overrides` per client authentication
#14562 Broken Promise implementation for AuthZ JS adapter/javascript
#15058 Backchannel Logout silently not sent, if Frontchannel Logout is enabled as well oidc
#15635 oidc - JavaScript-Adapter LocalStorage#clearExpired does not clear all possible items adapter/javascript
#16451 Documentation - Expand/Clarify Admin REST API User Search Functionality admin/api
#17233 the InfoPage after an ExecuteActionsEmail is not localized based on the user's locale authentication
#17433 robots.txt causes indexing authentication/webauthn
#17593 Incorrect ldap-group-mapper chosen to sync changes to ActiveDirectory when several mappers with varying group paths used ldap
#19101 Uncaught (in promise): QuotaExceededError adapter/javascript
#19358 Issue with concurrent user & group delete, unable to cleanup resource server user-policy & group-policy authorization-services
#19652 Members are inhereted from LDAP group with the same name ldap
#20287 When using `oidcProvider` config url (.well-known) it's not possible to use `silentCheckSsoRedirectUri` adapter/javascript
#23732 JavascriptAdapterTest errors when running with strict cookies on Firefox ci
#24493 Broken (read-only) database connections not getting removed from connection pool, keycloak claims to be healthy. storage
#25085 Inconsistent TypeScript definitions in the module @keycloak/keycloak-admin-client while compiling admin/client-js
#25675 Workflow error: Base IT - RefreshTokenTest#refreshTokenWithDifferentIssuer testsuite
#25917 Allow increasing wait time on each failure after the max number of failures is reached authentication
#27378 update brute force docs to reflect available lockouts modes (temporary / permanent / mixed) authentication
#27856 Social login - Stack Overflow test fails ci
#28241 NPE on External OIDC to Internal Token Exchange when Transient Users feature is enabled token-exchange
#28328 Declining terms and conditions in account-console results in error account/ui
#28978 some GUI validation check missing admin/ui
#29289 Flaky test: org.keycloak.testsuite.admin.concurrency.ConcurrencyTest#createRemoveClient ci
#29290 Flaky test: org.keycloak.testsuite.admin.concurrency.ConcurrencyTest#createClient ci
#30037 Unstable test KerberosStandaloneCrossRealmTrustTest.test03SpnegoLoginWithCorrectKerberosPrincipalRealm ci
#30204 When the Delete Credential required action is set to false an authentication application cannot be removed from the account UI core
#30364 Make sure it is not possible to run snapshot server against production DB by default core
#30453 Event type not set in reset-credential flow under some conditions resulting in an error page authentication
#30631 Upgrade to 25 throws: Statement violates GTID consistency core
#30832 Organization API not available from OpenAPI documentation admin/api
#30994 Workflow failure: WebAuthn IT (firefox) - WebAuthnSigningInTest:navigateBeforeTest ci
#31091 Flaky test: org.keycloak.testsuite.admin.concurrency.ConcurrencyTest#testAllConcurrently ci
#31180 token exchange: exchange-sequence still fails with `Client session for client '..' not present in user session` when starting on public client token-exchange
#31359 Offline sessions are not removed from admin console after sign out all active sessions core
#31415 Selection list does not close after outside click admin/ui
#31456 Enabling/Disabling user does not work with Microsoft AD LDAP via Admin API/UI ldap
#31469 Show account page before login core
#31492 Misleading docs and functionality around cache-ispn.xml dist/quarkus
#31638 Error when non-admin user accesses admin console admin/fine-grained-permissions
#31724 Logout not working after removing Identity Provider of user identity-brokering
#31727 KC doesn’t enforce uniqueness of aliases in Authentication flows, but uses them as identifiers (in config export) authentication
#31835 Windows builds fail too often due to problems with the download of Node ci
#31848 Repeated email verifications while logging in through IDP caused by email case sensitivity authentication
#32143 UserId too long to add Security Key WebauthN authentication/webauthn
#32266 LDAP Import: KERBEROS_PRINCIPAL not updated when UserPrincipal changes and user already exists ldap
#32270 High CPU usage on logout when using remote Infinispan only setup infinispan
#32348 none of the enabled features are shown as such in the admin console docs
#32356 creating short admin password in BCFIPS approved mode gives "Internal server error" page core
#32462 "Cookie not found" in multi-step auth flows / mobile browsers core
#32476 Flaky test: org.keycloak.testsuite.forms.LoginTest#loginAgainWithoutRememberMe ci
#32550 Flaky test: org.keycloak.testsuite.forms.LoginTest#loginMissingUsername ci
#32610 addExecutionFlow endpoint does not return right ID admin/api
#32617 Nightly Cypress tests for the Admin Console are failing on Firefox admin/ui
#32648 RP-Initiated logout using `POST` method fails in cross-origin setup oidc
#32650 Requesting `offline_access` without an established session results in two sessions oidc
#32658 Authentication sessions do not handle concurrent writes core
#32676 Flaky test: org.keycloak.testsuite.forms.BrowserButtonsTest#appInitiatedRegistrationWithBackButton ci
#32677 Flaky test: org.keycloak.testsuite.forms.LoginTest#loginWithRememberMe ci
#32767 Flaky test: org.keycloak.testsuite.forms.LoginTest#loginRememberMeExpiredMaxLifespan ci
#32786 Organization Domain not marked as a required field in the Admin UI admin/ui
#32801 Requested `grant_types` inconsistent with created `grant_types` for OpenID Connect Dynamic Client Registration oidc
#32844 Login V2: Missing "dir" attributes login/ui
#32847 Admin UI defaults to master realm even without permissions to it admin/ui
#32901 Consider Replacing Monaco Editor or Bundling Resources Locally to Avoid CSP Conflicts admin/ui
#32962 Possible issue with unavailable CryptoIntegration when using keycloak-authz-client with private_key_jwt and ECDSA algorithm oidc
#32992 Role descriptions do not wrap in the UI admin/ui
#33020 Incorrect Disclosure Handling in SdJwtVP.of(String) Method oid4vc
#33071 RESTART_AUTHENTICATION_ERROR in Iphone devices (using safari and chrome browser) oidc
#33072 Passkeys: Infinite (re-)loading loop on browsers with WebAuthn Conditional UI disabled authentication/webauthn
#33125 Duplicate principals not allowed in keystore authentication
#33132 Flaky test: org.keycloak.testsuite.forms.LoginTest#loginWithEmailUserAndRememberMe ci
#33195 Any one Client role mapping to user/group generating two events on admin events tab. core
#33232 400 error logged as 500 identity-brokering
#33282 Icons for social providers broken in login screen if the provider is created with non-default alias admin/ui
#33309 Admin UI e is undefined if required action recreated with own alias admin/ui
#33349 Double scroll bar due to warning banner admin/ui
#33352 Wrong translation issues in greek translation translations
#33404 Permission cannot be evaluated when only role and client are provided authorization-services
#33408 Link to existing account form: IDP Alias displayed instead of IDP Display Name login/ui
#33435 404 in admin console when unlinking managed user from organizations admin/ui
#33505 Flaky test: org.keycloak.testsuite.forms.LevelOfAssuranceFlowTest#testWithOTPAndRecoveryCodesAtLevel2 ci
#33513 Can get authorization code on a non verified user with some specific kc_action (AIA) oidc
#33531 Previously entered translations should persist in the translation dialog for the attribute groups admin/ui
#33539 Keycloak In Docker: ERROR: Strict hostname resolution configured but no hostname setting provided docs
#33549 Flaky test: org.keycloak.testsuite.broker.KcOidcBrokerTest#testPostBrokerLoginFlowWithOTP_bruteForceEnabled ci
#33557 Unable to submit forms in Safari account/ui
#33576 Broken links / anchors after KC26 release docs
#33578 In imported realms, the ability to use environment variables has disappeared import-export
#33585 Fix runaway asterisk formatting in TLS documentation docs
#33596 Cleanup how static state is set for import / export dist/quarkus
#33599 Upgrade Selenium testsuite
#33603 Repeated "to a" in the help text for the "User Attribute" mapper admin/ui
#33607 Fix v2 login layout login/ui
#33614 Client Secret Required Bug When Using "JWT Signed with Private Key" for (Keycloak/) OpenID Connect Provider admin/ui
#33618 No message for `policyGroupsHelp` admin/ui
#33627 ClassNotFoundException OracleXADataSource/OracleDataSource using IDELauncher with Keycloak 26.0.0 dist/quarkus
#33638 Non-optimized start command gives erroneous warnings for runtime spi options dist/quarkus
#33640 Customizable footer (Keycloak 26) not displaying in keycloak.v2 login theme login/ui
#33642 RTL not working on keycloak.v2 login template login/ui
#33649 Validation of http truststore or keystore file masks if the file exists dist/quarkus
#33653 Test "Duplicate Group" unstable in Admin UI / job is failing admin/ui
#33699 Failure to redirect to organization IdP when the organization scope is included organizations
#33729 Not possible to configure custom client authenticator in Admin UI authentication
#33731 Client Scope updates are not replicated on a distributed keycloak setup in kubernetes admin/api
#33734 Client Policy throws "Invalid Redirect Uri" if Standard Flow is disabled oidc
#33735 Organizations section is shown in account console if organizations is not enabled for a realm. account/ui
#33767 Aurora IT tests failing periodically with download of node ci
#33775 Admin client returns HTTP code `400 Bad Request` when using x509 certificate admin/client-java
#33776 [Regression] 26.0.0 return empty "access: []" JWT for Docker-v2 Auth provider, resulting in "access denied" authentication
#33777 Error when adding or removing a user from an organisation when there are 2 or more Keycloak servers in a cluster organizations
#33780 Upgrade to 26 fails with 'ERROR: index "idx_us_sess_id_on_cl_sess" does not exist' core
#33793 FOUC in Firefox on login UI login/ui
#33798 CVE-2021-44549 - org.eclipse.angus/angus-mail: Enabling Secure Server Identity Checks for Safer SMTPS Communication dist/quarkus
#33810 Stabilise my-resources.spec test account/ui
#33814 NPE when device representation cannot be parsed authentication
#33817 NEP when Default Role is not present on CachedRealm infinispan
#33820 client-jwt ES256 error when doing CODE_TO_TOKEN oidc
#33844 Wrong documentation link in keycloak-js readme docs
#33874 [Keycloak CI] - AuroraDB IT - Error creating EC2 runner instance
#33875 [Keycloak CI] - FIPS IT - Failed to fetch maven
#33883 Auth not possible for auth session where user was enabled in the meantime authentication
#33902 Not persisted config settings prevent server start dist/quarkus
#33907 NPE thrown in whoami endpoint admin/ui
#33933 Recovery authentication codes are numbered inconsistently login/ui
#33940 ResetPasswordTest.resetPasswordExpiredCode Error -> AbstractKeycloakTest.deleteAllCookiesForRealm:297 core
#33941 Cannot install latest version (26.0.0) of the adapter using Galleon adapter/jee
#33948 [PERF] OpenTelemetry is initialized even when disabled
#33967 password is a required field admin/ui
#33968 Not possible to close dialog boxes when clicking buttons or the close icon admin/ui
#33970 Windows kc.bat handling of serveral parameter types is not correct dist/quarkus
#33987 keycloak.v2 registration: Password policy validation error "errorList is null" login/ui
#33991 Doc CI - broken links error docs
#34000 Handle removal of online session for the directGrant and clientCredentials
#34001 Handle removal of online session for authorization_code when `scope=offline_access`is used oidc
#34009 grammatical error in "Managing Organizations" documentation docs
#34013 Add More Info to Organization Events organizations
#34015 Home URL for security-admin-console is broken admin/ui
#34017 [Admin UI] Broken autocomplete input on the "Create resource-based permission" form admin/ui
#34023 Flaky Test ResetPasswordTest.resetPasswordLoggedUser:188->openResetPasswordUrlAndDoFlow:252 testsuite
#34028 Custom keycloak login theme styles.css return error 404 login/ui
#34041 [Windows] Wrong expansion of ${kc.home.dir} causes NoSuchFile exception dist/quarkus
#34042 LDAP Pagination not working for role membership in GET_ROLES_FROM_USER_MEMBEROF_ATTRIBUTE strategy ldap
#34049 Org Invite: `linkExpiration` template variable represents 54 years in minutes organizations
#34050 Listing federated LDAP users is very slow with import enabled ldap
#34054 Onclick focus issue in the Username field of Clients / / Client Scopes / Evaluate admin/ui
#34063 Respect the locale set to a user when redering verify email pages user-profile
#34065 Users without `view-realm` can't see user lockout state in Admin UI admin/ui
#34069 Do not show domain match message in the identity-first login when no login hint is provided organizations
#34072 The Realm Selection Dropdown Breaks After 50 Realms In Database admin/ui
#34075 Flaky test: org.keycloak.testsuite.broker.KcOidcBrokerTest#testPostBrokerLoginFlowWithOTP_bruteForceEnabled ci
#34093 java.util.ConcurrentModificationException when process user sessions update infinispan
#34095 Keycloak 26.0.0/26.0.1 Import Issue: Multiple Realms Not Imported, Duplicated Realm Imported Instead import-export
#34149 Group select dialog: Subgroups not displayed initially due to pagination admin/ui
#34151 JS password validation doesn't work as intended with uppercase and lowercase minimum requirements login/ui
#34155 cli options starting or ending with ; or containing ;; mangle the cli handling dist/quarkus
#34176 Grant type "urn:ietf:params:oauth:grant-type:uma-ticket" token service endpoint returns NullPointerException authorization-services
#34201 OIDC IdP Unable to validate signatures using validatingPublicKey certificate admin/ui
#34207 logout with client_id and/or post_logout_redirect_uri results in bad request on logout confirmation page oidc
#34224 Deleting a user leads to ISPN marshalling exception
#34229 Group search in user view doesn't work as expected for nested groups admin/ui
#34233 Service accounts visible under user search in Admin console admin/api
#34257 Docs: Dead link docs
#34273 Flaky Test: BrowserFlowTest.testAlternativeNonInteractiveExecutorInSubflow() testsuite
#34276 PEM files distributed as part of SAML adapter configs are missing -----BEGIN and -----END blocks saml
#34298 NullPointerException in ConditionalOtpFormAuthenticator.java authentication
#34301 Remove inaccurate statement about master realm imports docs
#34304 Fix DB overflow for EVENT_ENTITY table and SESSION_ID column in case that incorrect data are sent core
#34335 NPE in Organization(s)Resource when using Quarkus Rest Client admin/api
#34352 ParEndpoint#request corrupts values added in request object oidc
#34356 Admin UI doesn't show realms when using login through identity provider admin/fine-grained-permissions
#34401 Incorrect Content-Type Expectation for POST /admin/realms/{realm}/organizations/{id}/members in Keycloak API admin/api
#34402 [Keycloak 26.0.2] Getting "Forbidden, permission needed: query-clients" as temp-admin admin/ui
#34412 LDAP: searching users with import disabled is slower since fix for 34050 ldap
#34432 Flaky test: org.keycloak.testsuite.broker.KcSamlBrokerTest#testPostBrokerLoginFlowWithOTP_bruteForceEnabled ci
#34440 [Trivy] - Workflow failure ci
#34444 NullPointerException in RoleResolveUtil when admin-cli uses lightweight token admin/cli
#34450 [26.0.2] Migration from 25.0.1 Identity Provider Errors identity-brokering
#34460 kc.config.args exposed in show-config dist/quarkus
#34465 Missing help icons in Webauthn Policy and Webauthn Passwordless Policy missing in admin ui admin/ui
#34467 Do not rely on the `pwdLastSet` attribute when updating AD entries ldap
#34474 Flaky test: org.keycloak.testsuite.broker.KcOidcBrokerTest#testPostBrokerLoginFlowWithOTP_bruteForceEnabled ci
#34508 Username and password should be optional for multi-site deployment infinispan
#34519 Clicking on link to Keycloak documentation from Keycloak admin UI does nothing instead of opening documentation admin/ui
#34530 Flaky test: org.keycloak.testsuite.actions.TermsAndConditionsTest#termsDeclined ci
#34540 Renaming realm in UI broken admin/api
#34547 Non compliant OpenID Client Authentication when `client_secret_jwt` with PAR (Pushed Authorization Requests) oidc
#34549 Quarkus dev mode does not work dist/quarkus
#34558 Flaky test: org.keycloak.testsuite.forms.ResetPasswordTest#resetPasswordLinkTestAppWithoutRedirectUriParam ci
#34560 Switching 'Email as Username' alters existing custom usernames to email addresses, causing LDAP sync issues core
#34572 Text in "Choose a policy type" is not wrapping admin/ui
#34590 Attributes missing in OrganizationRepresentation when using Admin REST API in Keycloak 26 admin/api
#34592 Flaky test: org.keycloak.testsuite.broker.KcOidcBrokerTest#testPostBrokerLoginFlowWithOTP_bruteForceEnabled ci
#34602 Rework global event listener for metrics core
#34603 NPE in InfinispanOrganizationProvider if userCache is disabled infinispan
#34605 Error on testsuite "group_test" on Cypress admin/ui
#34611 AdminEventQueryTest test fails after adding global event listener core
#34614 Remove duplicate lines in userprofile freemarker template login/ui
#34616 Fix typo in log message account/ui
#34624 Securing apps guide breaks downstream docs
#34634 Missing downstream explicit name for anchors docs
#34635 Feature in higher version takes precedence even if it has lower type order
#34636 Client Protocol Mappers with non UUID ids cannot be edited admin/ui
#34644 KC_CACHE_EMBEDDED_MTLS_ENABLED is ignored infinispan
#34652 Continuous reload when KC_AUTH_SESSION_HASH expires authentication
#34671 `ClientConnection.getRemoteAddr` can return a hostname when behind a reverse proxy core
#34675 Keys tab showing disabled and inactive keys as active admin/ui
#34678 [Admin UI] [Create resource-based permission] Resource input is disabled admin/ui
#34687 New credential templates broken in KC26 login/ui
#34750 calling openid-connect/auth with previous version valid cookies generate internal server error authorization-services
#34769 Invalid flag for addDefaultRequiredActions infinispan
#34776 GroupMappersTest test fails in keycloak-client core
#34794 CVE-2024-10973 - Cleartext Transmission of Sensitive Information in org.keycloak:keycloak-quarkus-server
#34811 AdminUI: Alphabetically sort "Event saved type" in the events listing admin/ui
#34817 Log handler specific log levels support only lower-case levels dist/quarkus
#34818 Liquibase outputs update summary directly to standard out dist/quarkus
#34824 [Keycloak CI] - Base IT - KerberosLdapCrossRealmTrustTest.test03SpnegoLoginUsernamePassword ldap
#34832 [Jenkins Keycloak CI] - Cookies Tests - KcOidcBrokerPrivateKeyJwtCustomAudienceTest ci
#34834 [Jenkins Keycloak CI] - Cookies Tests - KcSamlBrokerTest
#34835 [Jenkins Keycloak CI] - Cookies Tests - KcOidcBrokerLdapTest ci
#34842 Keycloak needs to return "invalid_request" from Token Endpoint if a token or refresh request lacks DPOP proof oidc
#34844 [Keycloak CI] - Quarkus IT - StartCommandDistTest and BuildAndStartDistTest dist/quarkus
#34853 [Jenkins Keycloak CI] - Adapter Cookies Tests - Failures with Firefox strict cookies ci
#34858 Deprecated CLI options and new options are not stable in their sorting dist/quarkus
#34864 On logout from admin console, a serverinfo call with 401 response in the logs admin/ui
#34875 Clients invalidated on each client credential grant core
#34876 Incomplete registration form when edit email is disabled and email is set as username user-profile
#34888 Authentication Link and IDP Fails with 400 Bad Request After Migrating to Version 26 and Delete Authentification authentication
#34899 Upgrade 24 to 25 fails because db jpa changes drop nonexisting indexes. core
#34905 [Keycloak CI] Outdated surefire artifacts names - Quarkus IT and UT ci
#34930 Update Email doesn't update username when Email as Username and Attributes are enabled user-profile
#34944 Adding "sub" claim to lightweight access token causes HTTP 403 Forbidden Error in Keycloak 26.0.5 oidc
#34968 Unable to scroll/swipe through the main menu on macOS admin/ui
#34973 ES256 key continue to be used to sign token even after expiry oidc
#34975 getAll() organization members only returns the first 10 members organizations
#34987 KC25 Migration guide for caching options needs clarification
#34995 MySQL database migration issue core
#35006 Mis-formatted unordered list in the caching docs
#35015 Flaky test: org.keycloak.testsuite.model.session.AuthenticationSessionTest#testConcurrentAuthenticationSessionsRemoval ci
#35047 PersistentSessionsWorker: retry with 0 backoff ms. core
#35048 Filter events by user id and client not working admin/ui
#35052 `organizationEnabled` and `verifiableCredentialsEnabled` attributes are present as attributes in an export
#35060 Cannot request additional scopes when using the account console account/api
#35068 Flaky test: org.keycloak.testsuite.broker.KcSamlBrokerTest#testPostBrokerLoginFlowWithOTP_bruteForceEnabled core
#35087 Flaky test: org.keycloak.testsuite.model.session.AuthenticationSessionTest#testConcurrentAuthenticationSessionsCreation ci
#35088 Flaky test: org.keycloak.testsuite.adapter.servlet.SAMLClockSkewAdapterTest#testTokenTimeIsValid ci
#35213 CVE-2024-10451 Sensitive Data Exposure in Keycloak Build Process
#35214 CVE-2024-10270 Potential Denial of Service
#35215 CVE-2024-10492 Keycloak path trasversal
#35216 CVE-2024-9666 Keycloak proxy header handling Denial-of-Service (DoS) vulnerability
#35217 CVE-2024-10039 Bypassing mTLS validation
#35219 Account UI E2E / `personal-info/personal-info.spec.ts` is unstable ci
#35226 Typo www.recatcha.net -> www.recaptcha.net in docs docs
#35229 Fix typo in v24 changelog: "longer" -> "no longer" docs
#35232 reCAPTCHA v3 not working login/ui
#35240 Links to guides in Observability section are still pointing to server section docs
#35256 Typos in `.md` and `.adoc` files, detected using codespell and manual review docs
#35273 Edit Help Mode descriptor for Roles in policy form admin/ui
#35276 Your login attempt timed out authentication
#35288 Upgrade 26.0.5 -> 26.0.6 completely breaks admin events in the admin UI admin/ui
#35289 Maven clean shouldn't be skipped by default on Windows
#35290 Database migration fails after upgrading operator to v26.0.6 core
#35317 Token issuer is null in executeActionsEmail and sendVerifyEmail if no clientId is passed admin/api
#35324 Strange Random behavior - Intermittent missing organization claim in Keycloak JWT token organizations
#35328 Error when creating a permission ticket when there are 2 or more Keycloak servers in a cluster authorization-services
#35340 Errors in persian and tukish translations in account translations
#35352 Multiselect Checkboxes in user profile don't allow to unset value user-profile
#35357 Resolve scopes from bearer tokens when processing requests to the Account API
#35386 log-syslog-max-length is ignored dist/quarkus
#35405 [Keycloak CI] - Quarkus UT (windows-latest) - Keycloak Quarkus Server Deployment ci
#35410 SAML Adapter Galleon Pack for EAP8 cannot use new metadata options for layers adapter/saml
#35414 Capitalization in Hungarian translation needs improvement translations
#35416 Mis-formatted definition list of hashing algorithms
#35421 Showing LDAP error message when failing to reset password ldap
#35427 OTEL: OTelTracingProvider should be request-scoped dist/quarkus
#35429 access token or refresh token will be reset when another is set admin/ui
#35448 Flaky test: org.keycloak.testsuite.model.DBLockTest.testTwoLocksCurrently ci
#35451 Update Infinispan examples in the High Availability guide docs
#35475 Delete user confirm title is wrong admin/ui
#35481 Events: Wrong text for user id search admin/ui
#35483 Event Representation is not shown for Admin Events in UI admin/ui
#35486 When using the token revocation endpoint with refresh-token, all sessions from the user+client are terminated oidc
#35488 [Jekins Keycloak CI] - RH-SSO EAP adapters remote saml tests ci
#35496 `QuarkusPropertiesDistTest` fails on Windows testsuite
#35526 Initial keycloak bootstrap suggestion is not correct. dist/quarkus
#35529 IPA-Tuura federation: password field shows password in plaintext core
#35544 Upgrading guide 26.0.6 is missing in the built document docs
#35550 JVM crash when running base testsuite test from command line using auth-server-quarkus-embedded dist/quarkus
#35570 Invoking `BaseUpdater.markDeleted()` more than once cause the transient status to be lost infinispan
#35591 Embedded test server fails when running from `mvn` dist/quarkus
#35611 Code quote for http-enabled is incorrect, missing relevant option in reverse proxy documentation docs
#35612 Fix broken Dependabot configuration
#35634 Temporary password toggle in set password dialog is cut off in admin-console admin/ui
#35637 Inconsistency when returning user attributes when executing a seach or fetching users by ID from external user storage providers ldap
#35643 Improve sssd note about synchronization of groups docs
#35664 realm_test.spec fails on firefox admin/ui
#35675 New install doesn't allow admin user creation dist/quarkus
#35704 token exchange response expires_in inconsistent behavior token-exchange
#35706 Support for X-Forwarded-Prefix should not be implied docs
#35723 POST create client with id exceed 36 characters length response status 500 instead of 403 admin/api
#35732 Missing userId in LOGIN_ERROR event for permanent lockout authentication
#35745 GET .../organizations/{id}/members/{id} multiple ids organizations
#35760 Event for setting up recovery codes authentication
#35766 Fix grammar in documentation page docs
#35767 Typo in using custom Keycloak image for Operator guide docs
#35770 Quarkus.properties should not use -cf or --config-file flag docs
#35793 Update to KC 26.x from <26 fails if admin-cli client deleted core
#35796 Keycloak incorrect usage of UserPolicy and cache. authorization-services
#35802 Keycloak arquillian testsuite not working with the default profile testsuite
#35813 Token revocation may not correctly revoke related access tokens
#35822 Exact searches should be the default when querying user by attributes admin/api
#35827 Regression Mysql 8 support as the upgrade script do not use temporary table storage
#35830 Selected Organization not present in access_token of different client within same Realm if user belongs to multiple organization organizations
#35854 Unused LDAP provider options are still exposed
#35863 Selecting one role selects all admin/ui
#35874 MapComponent UI Not Displaying Saved Values in Keycloak React Admin UI admin/ui
#35876 Typo in username pt_BR translation in account console account/ui
#35904 Failing since may be reported incorrectly on health probe dist/quarkus
#35914 Map Configuration Property in Custom UserStorageProviderFactory Not Displayed in UI After Saving admin/ui
#35935 Organization Scope mismatch organizations
#35937 Duplicate entry in admin message properties admin/ui
#35947 Broken links in getting-started guide pointing to quickstarts latest branch docs
#35964 Flaky test: org.keycloak.testsuite.forms.BruteForceTest#testExceedMaxTemporaryLockouts ci
#35971 Wrong content-type for content.json account/ui
#36009 Unable to use custom handlers for HTTP OPTIONS method in subresources dist/quarkus
#36012 Double submit on otp form causes error login/ui
#36037 Translations specified in the admin console do not override the translations specified in a theme translations
#36038 Flaky test: org.keycloak.testsuite.broker.KcOidcBrokerTokenExchangeTest#testInternalExternalTokenExchangeStoredToken ci
#36053 IDPs can not be found anymore by "Issuer" value when exchanging tokens identity-brokering
#36055 Unnecessary text in documentation docs
#36061 NPE when Kerberos Server is unreachable core
#36090 Incompatible method of admin-client in Keycloak 26.1 and missing javadoc admin/client-java
#36117 max-count for session caches is not set by default for local Infinispan config dist/quarkus
#36121 Issue with "403 Forbidden" Access /admin/realms/{realm}/authentication/executions/{executionId} admin/api
#36168 Fix invalid url in keycloak.js log message adapter/javascript
#36172 "Remove role" alert text is wrong admin/ui
#36241 Profile attribute inputs incorrectly marked as required when minimum length is configured admin/ui
#36249 Error when re-authenticating when organization is enabled organizations
#36297 PasswordAgePolicy triggering NullPointerException when credentail does not have createdDate core
#36301 KeycloakServer application not working anymore testsuite
#36332 PersistentSessionsWorker: Cannot access delegate without a transaction ldap
#36347 Roll-back change to startup timeout operator
#36375 [Keycloak CI] - Bse IT/Store IT - IdentityProviderTest ci
#36394 CVE-2024-11736 Unrestricted admin use of system and environment variables
#36395 CVE-2024-11734 Denial of Service in Keycloak Server via Security Headers
#36401 Metric `vendor_jgroups_*` is unstable and can change in upcoming releases infinispan
#36410 When running Keycloak in testutils with Undertow, the admin UI thows NoMessageBodyWriterFoundFailure admin/ui
#36432 Too much space around "Forgot Password" button (keycloak.v2) login/ui

Keycloak Terraform Provider Release 5

Thomas Darimont — Mon, 13 Jan 2025 00:00:00 GMT

Keycloak Terraform Provider Releases

We’re excited to announce the release of the Keycloak Terraform Provider 5.0 with support for Keycloak 24/26. You can find the repository here.

Following our announcement in December 2024, we released Keycloak Terraform Provider 4.5 with a new license and dependency upgrades for Keycloak versions older than 23.0.0.

If you are still using the old Keycloak Terraform Provider by mrparkers you can take a look at the migration notes to use the new Keycloak Terraform Provider.

Changes

4.5 Maintenance Release

CVE fixes
Go upgrade
Minor Dependency Upgrades
License change

5.0 Release

Support for Keycloak 24
Support for Keycloak 26
Dependency Upgrades

Planned Next Releases

5.1 with support for managing organizations
patch releases on demand

Join the Community

We’re grateful for all contributors who’ve helped make the Terraform Provider what it is today. We welcome new contributions, issue reports, feature suggestions, and fixes. Let’s work together to make it even better! Explore the repository location, join the discussions, and help shape the future of the Keycloak Terraform Provider.

Keycloak 26.0.8 released

Mon, 13 Jan 2025 00:00:00 GMT

To download the release go to Keycloak downloads.

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Enhancements

#33569 Show User Events on dedicated tab on Client-/User-Details
#34091 Username Form should support autocomplete login/ui

Bugs

#34072 The Realm Selection Dropdown Breaks After 50 Realms In Database admin/ui
#34207 logout with client_id and/or post_logout_redirect_uri results in bad request on logout confirmation page oidc
#34402 [Keycloak 26.0.2] Getting "Forbidden, permission needed: query-clients" as temp-admin admin/ui
#34675 Keys tab showing disabled and inactive keys as active admin/ui
#34995 MySQL database migration issue core
#35048 Filter events by user id and client not working admin/ui
#35052 `organizationEnabled` and `verifiableCredentialsEnabled` attributes are present as attributes in an export
#35273 Edit Help Mode descriptor for Roles in policy form admin/ui
#35290 Database migration fails after upgrading operator to v26.0.6 core
#35317 Token issuer is null in executeActionsEmail and sendVerifyEmail if no clientId is passed admin/api
#35324 Strange Random behavior - Intermittent missing organization claim in Keycloak JWT token organizations
#35410 SAML Adapter Galleon Pack for EAP8 cannot use new metadata options for layers adapter/saml
#35416 Mis-formatted definition list of hashing algorithms
#35421 Showing LDAP error message when failing to reset password ldap
#35475 Delete user confirm title is wrong admin/ui
#35481 Events: Wrong text for user id search admin/ui
#35488 [Jekins Keycloak CI] - RH-SSO EAP adapters remote saml tests ci
#35526 Initial keycloak bootstrap suggestion is not correct. dist/quarkus
#35544 Upgrading guide 26.0.6 is missing in the built document docs
#35634 Temporary password toggle in set password dialog is cut off in admin-console admin/ui
#35675 New install doesn't allow admin user creation dist/quarkus
#35822 Exact searches should be the default when querying user by attributes admin/api
#36394 CVE-2024-11736 Unrestricted admin use of system and environment variables
#36395 CVE-2024-11734 Denial of Service in Keycloak Server via Security Headers

Meet Keycloak at FOSDEM 2025 in February!

Alexander Schwartz — Wed, 8 Jan 2025 00:00:00 GMT

FOSDEM is a free event for software developers to meet, share ideas and collaborate. Every year, thousands of developers of free and open source software from all over the world gather at the event. Those staying home will be able to watch the live stream of the talks and ask questions online.

Members of the Keycloak project will be on-site like last year, and there will be talks from both the Keycloak community and the Keycloak team. See below for places to meet other Keycloak enthusiasts, and which talks will relate to Keycloak.

Meet-and-greet

While FOSDEM is organized around talks, it is also a great place to meet people in real life that you previously knew only from online, and make new friends. With thousands of people at the event, it is good to have a place for a meet-and-greet.

Cloud Native Computing Foundation (CNCF) Stand: A lot of organizations and projects will have a stand at FOSDEM. With Keycloak being a CNCF project, we will be sharing a time slot at their stand. You’ll be able to meet Keycloak maintainers at the CNCF stand on Saturday, February 1st, from 16:00–17:30 h. As our time slot might change, please come back here on the day of the event and double-check!
Linux Foundation side event & drinks! (Sat Feb 01, 18:00–20:00 h): As part of the events happening around FOSDEM, also called FOSDEM Fringe, the Linux foundation invites you for a drink. A free registration is required to join. UPDATE: It is currently fully booked and there is a waiting list.

FOSDEM is all about devrooms!

Identity and Access Management Devroom (Sun Feb 02, 09:00–17:00 h): Identity and Access Management Devroom is related to operating systems' identity and access management in the free software and open source world.

Expect talks about identity federation, integrating identity management into the operating system, Kerberos, and last but not the least OpenID Connect. There are several Keycloak talks happening in this dev room, so make sure to tune in!
Security Devroom (Sat Feb 01, 10:30–19:00 h): The Security Devroom covers everything that is relevant to security in the free software and open source world. Talks cover topics like cryptography, supply chain, secure development and hardening.

There will be one talk covering DPoP with proof of possession for access tokens in single page applications!
Digital Wallets and Verifiable Credentials Devroom (Sun Feb 02, 10:30–12:30 h): The Digital Wallets and Verifiable Credentials DevRoom is about digital wallets, verifiable credentials and the ecosystems emerging from these subjects, especially in the EU.

No talk is related to Keycloak itself, still interesting for those who are following the Keycloak OIDC Special Interest Group's activities around verifiable credentials.

Keycloak related talks

See below a list of all Keycloak related talks. When you watch them live, you will be able to ask questions in the chat. All talks have been recorded are now available on-line to re-watch!

Using DPoP to use access tokens securely in your Single Page Applications
Track: Security / Room: UB4.132
Scheduled: Saturday 13:30 CET
Deep Dive into OIDC flows
Track: Identity and Access Management / Room UA2.118 (Henriot)
Scheduled: Sunday 10:05 CET
Nubus: An Enterprise Open Source IAM Stack in Kubernetes
Track: Identity and Access Management / Room UA2.118 (Henriot)
Scheduled: Sunday 10:35 CET
SSSD and IdPs
Track: Identity and Access Management / Room UA2.118 (Henriot)
Scheduled: Sunday 12:35 CET
Delegating the chores of authenticating users to Keycloak
Track: Identity and Access Management / Room UA2.118 (Henriot)
Scheduled: Sunday 16:00 CET

We hope to see a lot of you either online or on site in Brussels at FOSDEM!

Storing sessions in Keycloak 26

Michal Hajas — Tue, 17 Dec 2024 00:00:00 GMT

Keycloak 26 now uses by default the Persistent user sessions feature. In this blog post, we uncover the background on why we introduced this feature, what are the alternatives and what is the future.

Session storages in Keycloak 26 cheatsheet

This section provides a TLDR guidance on what sessions storages exist and when each of them should be used with Keycloak 26. The following sections provide more details on each storage type and reasoning behind introducing or dropping each of them.

Number of sites	Sessions storage	Characteristics	When to use	Keycloak CLI options to enable
Single site	Persistent sessions	Sessions stored in the database and cached in memory Sessions available after cluster restart Lower memory usage Higher database usage	Default and recommended for standard installations You want your sessions to survive restarts and upgrades Accept higher database usage	No additional configuration needed
Sessions stored in memory	Faster reads and writes Sessions lost after cluster restart Higher memory usage (all sessions must be in memory)	Can’t use persistent user sessions feature Please provide your feedback here, as we want to understand why you can’t use persistent user sessions	--features-disabled="persistent-user-sessions"
Sessions stored in external Infinispan	Sessions stored only in external Infinispan Reduced database usage Using Hot Rod client for communication with external Infinispan Experimental feature	Do not use in production as it is experimental Evaluate and provide your feedback here if you are interested in this feature and want to help to make it supported.	--features="clusterless" --features-disabled="persistent-user-sessions"
Sessions stored in memory and external Infinispan	4 copies of each session 2x in Keycloak memory and 2x in Infinispan memory Sessions available after Keycloak cluster restarts High memory usage Experimental and will be removed soon	When you used this setup with previous releases and cannot switch to persistent user sessions now	--features="cache-embedded-remote-store" --features-disabled="persistent-user-sessions"
Multiple sites (guide)	Persistent user sessions	Sessions stored in the database without caching in Keycloak memory Synchronously replicating sessions to second site (depending on database configuration)	When resiliency to whole site outage is needed	--features="multi-site"
Sessions stored in external Infinispan	Sessions stored only in external Infinispan Using Hot Rod client for communication with external Infinispan Reduced database usage Experimental feature	Do not use in production as it is experimental Evaluate and provide your feedback here if you are interested in this feature and want to help to make it supported.	--features="multi-site,clusterless" --features-disabled="persistent-user-sessions"

Number of sites

Sessions storage

Characteristics

When to use

Keycloak CLI options to enable

Single site

Persistent sessions

Sessions stored in the database and cached in memory
Sessions available after cluster restart
Lower memory usage
Higher database usage

Default and recommended for standard installations
You want your sessions to survive restarts and upgrades
Accept higher database usage

No additional configuration needed

Sessions stored in memory

Faster reads and writes
Sessions lost after cluster restart
Higher memory usage (all sessions must be in memory)

Can’t use persistent user sessions feature
Please provide your feedback here, as we want to understand why you can’t use persistent user sessions

--features-disabled="persistent-user-sessions"

Sessions stored in external Infinispan

Sessions stored only in external Infinispan
Reduced database usage
Using Hot Rod client for communication with external Infinispan
Experimental feature

Do not use in production as it is experimental
Evaluate and provide your feedback here if you are interested in this feature and want to help to make it supported.

--features="clusterless"
--features-disabled="persistent-user-sessions"

Sessions stored in memory and external Infinispan

4 copies of each session 2x in Keycloak memory and 2x in Infinispan memory
Sessions available after Keycloak cluster restarts
High memory usage
Experimental and will be removed soon

When you used this setup with previous releases and cannot switch to persistent user sessions now

--features="cache-embedded-remote-store"
--features-disabled="persistent-user-sessions"

Multiple sites (guide)

Persistent user sessions

Sessions stored in the database without caching in Keycloak memory
Synchronously replicating sessions to second site (depending on database configuration)

When resiliency to whole site outage is needed

--features="multi-site"

Sessions stored in external Infinispan

Sessions stored only in external Infinispan
Using Hot Rod client for communication with external Infinispan
Reduced database usage
Experimental feature

Do not use in production as it is experimental
Evaluate and provide your feedback here if you are interested in this feature and want to help to make it supported.

--features="multi-site,clusterless"
--features-disabled="persistent-user-sessions"

Evolution of storing sessions

In the old Keycloak days, all sessions were stored only in embedded Infinispan - in memory of each Keycloak node in a distributed cache (each Keycloak node storing some portion of sessions where each session is present in at least 2 nodes). This worked well in a single site with a small to medium amount of sessions, and the setup was resilient to one Keycloak node without losing any data. This could be extended to more than one node if we increase the number of nodes storing each session.

What about whole site disasters?

The problem occurred when more nodes failed or when a whole site failed. Users asked for more resilient setups. For this, we introduced a technical preview of the cross-site feature. The impact on the session data was that we replicated all of them across 4 locations - 2 Keycloak clusters and 2 Infinispan clusters. With each of these locations needing to store all of the sessions in order to be able to search/query them.

In the beginning, this setup didn’t perform very well, one of the reasons was that we needed to synchronously replicate the data 4 times to keep the system in the correct state. As a consequence of this bad performance we initially wanted to drop the feature, however due to significant community interest we decided to evolve the feature instead. After several optimisations and performance tuning, we were able to release this in Keycloak 24 under the name multi-site, which allowed active-passive setups. This architecture replicated some data asynchronously to the second Keycloak cluster and therefore, we could not use this setup in an active-active way.

I want my sessions to survive!

Even though we were more resilient with this setup, we are still losing sessions when the whole deployment goes down, which happens, for example, during updates. We received a lot of complaints about this.

That is where persistent sessions came into consideration as a rescue to both of these problems - asynchronous updates replication to the other site and losing sessions. The idea is to store sessions in the database - the source of truth for sessions. We already stored offline sessions in the database so we reused the concept and introduced a new feature named Persistent user sessions which is now enabled by default in Keycloak 26.

Is the database the correct place for such write-heavy objects?

Almost each request coming to Keycloak needs to check whether a session exists, whether it is valid and usually also update its validity period. This makes sessions read and write heavy objects and the question whether the database is the correct place to store them is appropriate.

At the moment of writing this blog post, we have no reports that would show performance problems with persistent user sessions and it seems the advantages overcome the disadvantages. Still, we have an additional feature in experimental mode that you can evaluate. As explained above, some of the problems with the multiple sites setup in Keycloak 24 were that we needed to have sessions replicated in 4 locations and the second Keycloak cluster was receiving some updates asynchronously. This can be also solved by storing sessions only in the external Infinispan as sessions are replicated only twice instead of four times. Also, the asynchronous replication is not used anymore as we do not need to replicate changes to Keycloak nodes. Infinispan also provides query and indexing capabilities for searching sessions which avoids sequential scans needed with the sessions stored in embedded Infinispan. Note this is an experimental feature and therefore it is not yet fully finished and performance optimised. We are eager to hear your feedback to understand where persistent user sessions fail and where the pure Infinispan storage for sessions could shine.

What options do I have and which of them should I consider?

Since we could not remove any of the options from the list above without a proper deprecation period, all of them can still be used in Keycloak 26, however, some of them are more blessed than others.

Single site with sessions stored in the database and cached in memory

This is the default setup in Keycloak 26.

Single site with sessions stored in memory

This is the default setup used in Keycloak versions prior to 26 and at the moment probably the most commonly used among all of them. The recommendation is to switch to persistent user sessions and with no additional configuration with Keycloak 26 the switch will be done automatically. However, if you have some problems with persistent user sessions (eager to hear your feedback here), and you don’t mind losing your sessions on restarts you can enable this setup by disabling the persistent-user-sessions feature.

bin/kc.[sh|bat] build --features-disabled="persistent-user-sessions"

Single site with sessions stored in external Infinispan

This is the experimental setup mentioned above. To configure this, disable persistent-user-sessions and enable clusterless features.

bin/kc.[sh|bat] build --features="clusterless" --features-disabled="persistent-user-sessions"

Single site with sessions stored in memory and external Infinispan

This setup uses the functionality aimed for multi-site, however, this was often used in a single site as well, because of its benefit of not losing sessions on Keycloak restarts. We believe persistent user sessions make this setup obsolete and Keycloak will refuse to start with this setup complaining with this message: Remote stores are not supported for embedded caches….. This functionality is deprecated and will be removed in the next Keycloak major release. To run this configuration, disable persistent-user-sessions, enable cache-embedded-remote-store features and configure embedded Infinispan accordingly.

bin/kc.[sh|bat] build --features="cache-embedded-remote-store" --features-disabled="persistent-user-sessions"

Options for multiple sites

Running Keycloak in multiple sites requires two building blocks to make data available and synchronized in both sites. A synchronously replicated database and an external Infinispan in each site with cross-site replication enabled. The whole setup is described here. From the point of view of storing sessions the setup is always forcing usage of the Persistent user sessions feature and they are stored only in the database with no caching in the Keycloak’s memory. To configure this enable the multi-site feature.

bin/kc.[sh|bat] build --features="multi-site"

It is possible to evaluate the experimental clusterless feature described for the single site also with the multiple sites. In this setup the sessions are not stored in the database but in the external Infinispan. Note this is an experimental feature and as such it is not yet fully documented and performance optimised. To configure this, disable persistent-user-sessions and enable multi-site and clusterless features.

bin/kc.[sh|bat] build --features="multi-site,clusterless" --features-disabled="persistent-user-sessions"

Feedback welcomed

If you have any questions or feedback on this proceed to the following GitHub discussions:

Frequently asked questions

Why do we need external Infinispan in a multi-site setup with persistent user sessions

In this case external Infinispan is not used for storing sessions, however, we still need it for communication between two Keycloak sites, for example, for invalidation messages, for synchronization of background tasks and also for storing some objects, usually short-lived, like authentication sessions, login failures or action tokens.

Videos for the holidays and meet us at FOSDEM!

Alexander Schwartz — Thu, 12 Dec 2024 00:00:00 GMT

Videos to re-watch

This year, the Keycloak project was present at multiple conferences. Here are the videos to watch for the holiday break if you haven’t watched them yet: KubeCon NA, KeyConf, Keycloak DevDay, Devoxx France and KubeCon Europe.

When going through the list, I found that at least two of the talks have not been published on the Keycloak blog yet. So here they are:

FOSDEM in February with the talk Add user self-management, brokerage and federation to your infrastructure with Keycloak,
FrOSCon in August with What’s new in Keycloak, the open source IAM.

Did we miss another video that we should have shared here? Let me know!

We are excited to connect with the community

All conferences were exciting for us: We met with the community to share the latest developments of Keycloak, engaged in discussions and heard interesting stories from people running Keycloak in their production environments.

The FrOSCon and the KubeCon conferences were special as we had our own stand where we connected to both new and existing users of Keycloak. At FrOSCon, we had our own signage up as this photo proves!

If you have not met us at a conference yet, please take this online Keycloak Survey: Let us know if you want to share your story with the broader community, and we will be in contact with you about the next steps.

Meet us next at FOSDEM!

The good news is that we will back at FOSDEM 2025 in Brussels in February this year. In the meantime, save the date to either join us in Brussels or live on the stream. If you want to connect on-site, reach out to me using your preferred channel.

Some of our team members will also be at the Keycloak DevDay in March, which is unfortunately already sold out.

We are already planning for other upcoming events in 2025, so return to this blog to read the latest news here!

Keycloak Adopts Terraform Provider

Thomas Darimont — Mon, 9 Dec 2024 00:00:00 GMT

New Repository Location

We’re excited to announce that the Keycloak Terraform Provider has officially moved under the Keycloak organization! You can find the new repository location here.

The Journey So Far

Thanks to our community survey, we confirmed that the Keycloak Terraform Provider by mrparkers is the most widely used tool for realm configuration management. The move to the Keycloak organization is a natural next step in making this essential tool a core part of the Keycloak ecosystem.

Gratitude and Transition

A huge thank-you to mrparkers for creating and maintaining the provider. Your contributions have been invaluable to the community. The new maintainers, Sebastian Schuster and Thomas Darimont, will ensure the project continues to thrive.

Migration Notes

You’ll need to update your configurations to migrate to the Keycloak-hosted Terraform Provider. Check out our migration guide, especially the replace-provider instructions, to make the process smooth.

Updates and Changes

License Change: The Keycloak Terraform Provider now uses the Apache 2.0 license, ensuring broader adoption and clarity for contributors.

Next releases:

4.5 Maintenance Release: Includes CVE fixes, Go upgrade, and license change.
5.0 Release (Upcoming): Adds support for Keycloak 24/26, new features, and improvements.

Join the Community

We’re grateful for all contributors who’ve helped make the Terraform Provider what it is today. We welcome new contributions, issue reports, feature suggestions, and fixes. Let’s work together to make it even better! Explore the new repository location, join the discussions, and help shape the future of the Keycloak Terraform Provider.

Recap Keycloak at KubeCon NA 2024

Ryan Emerson — Wed, 4 Dec 2024 00:00:00 GMT

Keycloak had a very active presence at this year’s KubeCon NA in Salt Lake City, Utah. This blog presents a few of the highlights as well as ways you can contribute to Keycloak’s CNCF journey.

Project Pavilion

Keycloak hosted a project pavilion stand during Wednesday, Thursday and Friday afternoon slots. Attending the booth were Keycloak contributors Yoshiyuki Tabata from Hitachi and Ryan Emerson, Martin Bartos and Kamesh Akella from Red Hat.

During these sessions, we discussed all things Keycloak with existing and prospective users, as well as provided the much requested Keycloak stickers plus additional swag for particularly enthusiastic users. It was great to hear war stories from the trenches with regard to both the good and bad of Keycloak. This feedback is essential for us to continue to evolve the project and plan the future roadmap. A special thanks to all of those who filled out our survey forms, we really appreciate your time. If you were unable to attend the pavilion, please consider filling out the online version of the form.

Keycloak Talk

Ryan Emerson and Kamesh Akella presented a talk titled “Running a Highly Available Identity and Access Management with Keycloak”. Watch the recording to hear about the recent developments in Keycloak’s HA story, including an overview of the architecture recommended in the Keycloak guides, the lessons learned during the development of said guides and the CNCF technologies used as part of our stack. A video of the talk is linked below.

Thank you to all who attended and asked questions, there were good follow-up conservations that continued well after our time was up.

Keycloak Survey

KubeCon EU

In 2025, KubeCon EU will be held in London on April 1-4th, we hope to see you there and hear your latest Keycloak stories. As it’s still very much early days, we cannot provide any specifics, but be assured that we’ll publish more information in the near future.

Keycloak 26.0.7 released

Tue, 3 Dec 2024 00:00:00 GMT

To download the release go to Keycloak downloads.

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Enhancements

#34882 Edits to Authorization Services guide
#34916 Addresse QE comments on Server Administration guide
#34931 Upgrade to ISPN 15.0.11.Final

Bugs

#10233 Locale Setting for Update Password Mail admin/api
#17233 the InfoPage after an ExecuteActionsEmail is not localized based on the user's locale authentication
#30631 Upgrade to 25 throws: Statement violates GTID consistency core
#32143 UserId too long to add Security Key WebauthN authentication/webauthn
#32648 RP-Initiated logout using `POST` method fails in cross-origin setup oidc
#32676 Flaky test: org.keycloak.testsuite.forms.BrowserButtonsTest#appInitiatedRegistrationWithBackButton ci
#33071 RESTART_AUTHENTICATION_ERROR in Iphone devices (using safari and chrome browser) oidc
#33195 Any one Client role mapping to user/group generating two events on admin events tab. core
#33810 Stabilise my-resources.spec test account/ui
#34233 Service accounts visible under user search in Admin console admin/api
#34391 Error on "check a11y" tests on Cypress admin/ui
#34560 Switching 'Email as Username' alters existing custom usernames to email addresses, causing LDAP sync issues core
#34572 Text in "Choose a policy type" is not wrapping admin/ui
#34590 Attributes missing in OrganizationRepresentation when using Admin REST API in Keycloak 26 admin/api
#34678 [Admin UI] [Create resource-based permission] Resource input is disabled admin/ui
#34858 Deprecated CLI options and new options are not stable in their sorting dist/quarkus
#34864 On logout from admin console, a serverinfo call with 401 response in the logs admin/ui
#34888 Authentication Link and IDP Fails with 400 Bad Request After Migrating to Version 26 and Delete Authentification authentication
#34899 Upgrade 24 to 25 fails because db jpa changes drop nonexisting indexes. core
#34930 Update Email doesn't update username when Email as Username and Attributes are enabled user-profile
#34944 Adding "sub" claim to lightweight access token causes HTTP 403 Forbidden Error in Keycloak 26.0.5 oidc
#34975 getAll() organization members only returns the first 10 members organizations
#34987 KC25 Migration guide for caching options needs clarification
#35006 Mis-formatted unordered list in the caching docs
#35015 Flaky test: org.keycloak.testsuite.model.session.AuthenticationSessionTest#testConcurrentAuthenticationSessionsRemoval ci
#35087 Flaky test: org.keycloak.testsuite.model.session.AuthenticationSessionTest#testConcurrentAuthenticationSessionsCreation ci
#35229 Fix typo in v24 changelog: "longer" -> "no longer" docs
#35232 reCAPTCHA v3 not working login/ui
#35276 Your login attempt timed out authentication
#35282 [Keycloak CI] - Test PoC failing on Keycloak 26.0 branch
#35288 Upgrade 26.0.5 -> 26.0.6 completely breaks admin events in the admin UI admin/ui
#35328 Error when creating a permission ticket when there are 2 or more Keycloak servers in a cluster authorization-services

Keycloak 26.0.6 released

Fri, 22 Nov 2024 00:00:00 GMT

To download the release go to Keycloak downloads.

Highlights

Admin events might include now additional details about the context when the event is fired

Updates to documentation of X.509 client certificate lookup via proxy

Potential vulnerable configurations have been identified in the X.509 client certificate lookup when using a reverse proxy. Additional configuration steps might be required depending on your current configuration. Make sure to review the updated reverse proxy guide if you have configured the client certificate lookup via a proxy header.

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Enhancements

#34315 Update the Keycloak CPU and Memory sizing guide to reflect the new ec2 workder nodes
#34386 Some dynamic imported functions are also statically imported making bundling them in-efficient
#34570 Make documentation more clear that keycloak javascript adapter and node.js adapter are OIDC docs
#34855 Add conditional text to Installation Locations
#34873 Update Leveraging JaKarta EE in Server Development guide
#34887 Apply QE edits to High Availability guide

Bugs

#609 Workflow failure - Jakarta - SAMLServiceProviderTest.testAccessAccountManagement quickstarts
#11008 Incorrect get the members of a group imported from LDAP ldap
#17593 Incorrect ldap-group-mapper chosen to sync changes to ActiveDirectory when several mappers with varying group paths used ldap
#19652 Members are inhereted from LDAP group with the same name ldap
#23732 JavascriptAdapterTest errors when running with strict cookies on Firefox ci
#27856 Social login - Stack Overflow test fails ci
#31456 Enabling/Disabling user does not work with Microsoft AD LDAP via Admin API/UI ldap
#32786 Organization Domain not marked as a required field in the Admin UI admin/ui
#33531 Previously entered translations should persist in the translation dialog for the attribute groups admin/ui
#34013 Add More Info to Organization Events organizations
#34065 Users without `view-realm` can't see user lockout state in Admin UI admin/ui
#34201 OIDC IdP Unable to validate signatures using validatingPublicKey certificate admin/ui
#34335 NPE in Organization(s)Resource when using Quarkus Rest Client admin/api
#34401 Incorrect Content-Type Expectation for POST /admin/realms/{realm}/organizations/{id}/members in Keycloak API admin/api
#34465 Missing help icons in Webauthn Policy and Webauthn Passwordless Policy missing in admin ui admin/ui
#34519 Clicking on link to Keycloak documentation from Keycloak admin UI does nothing instead of opening documentation admin/ui
#34549 Quarkus dev mode does not work dist/quarkus
#34572 Text in "Choose a policy type" is not wrapping admin/ui
#34603 NPE in InfinispanOrganizationProvider if userCache is disabled infinispan
#34624 Securing apps guide breaks downstream docs
#34634 Missing downstream explicit name for anchors docs
#34644 KC_CACHE_EMBEDDED_MTLS_ENABLED is ignored infinispan
#34671 `ClientConnection.getRemoteAddr` can return a hostname when behind a reverse proxy core
#34687 New credential templates broken in KC26 login/ui
#34905 [Keycloak CI] Outdated surefire artifacts names - Quarkus IT and UT ci
#35213 CVE-2024-10451 Sensitive Data Exposure in Keycloak Build Process
#35214 CVE-2024-10270 Potential Denial of Service
#35215 CVE-2024-10492 Keycloak path trasversal
#35216 CVE-2024-9666 Keycloak proxy header handling Denial-of-Service (DoS) vulnerability
#35217 CVE-2024-10039 Bypassing mTLS validation

Keycloak Client Libraries 26.0.3 released

Tue, 19 Nov 2024 00:00:00 GMT

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Enhancements

#90 Update MD files client
#93 Move upgrading guide for keycloak-client libraries to the client documentation client
#101 Setup GH action (or script), which will send PR for automatically sync with keycloak server client

Bugs

#105 Unnecessary `httpclient` dependency in `keycloak-client-common-synced` module client

Introducing the Keycloak Test Framework

Lukas Hanusovsky — Thu, 14 Nov 2024 00:00:00 GMT

How It All Started

The idea to replace the current test suite has been on the table for multiple years. Initially, it was meant to be only a refactoring of the current approach on how to write tests, but after a few internal discussions and refactor updates it turned out a new test suite, based on a new framework would be a better solution.

It would be good to mention a few drawbacks, that stand out when working with the current test suite. First of all, is the complexity of various configurations and additions made on top of the Arquillian framework. These changes make the test suite powerful, but the cons is that without proper documentation for beginners is almost unreadable. The second thing has the same importance, the Arquillian framework is not fully supported anymore. Other things to mention are a complicated execution system, where you want to specify what exactly should be tested, then abstract classes with shared configurations and missing the option to add a custom extension.

Brighter Future?

The Keycloak team began an effort to design a new test framework in May 2024. It started with a prototype to verify if our ideas were feasible. The prototype is a JUnit5 Extension based on the JUnit5 testing framework, specifically to implement JUnit5 callback classes which extend the default test lifecycle functionality and provide custom inject annotations, like @KeycloakIntegrationTest, @InjectWebDriver or @InjectRealm.

After a successful test round, we’ve continued with a proof of concept extending features list to support multiple server modes, different databases and WebDrivers, clients and users setup, SmallRye configuration support, OAuthClient based on Nimbus SDK (this feature is a preview only) etc. The full list of currently implemented features is:

Maven BOM
Core module
- Server lifecycle
- Database lifecycle
- Admin client injection
- Realm, User, Client lifecycle and injection
- Event and Admin event listener and injection
- OAuth client injection
UI module
- WebDriver lifecycle and injection
- Page injection
- Support for the Chrome, Firefox and HtmlUnit4 browsers
Database modules
- Postgres
- MariaDB
- MySQL
- MSSQL
- Oracle

It is already present in the main branch and Keycloak nightly builds.

Are you curious about where to start?

We suggest reading the user guide, which will provide a basic overview of how the framework works and should be used. If this is not enough, you can also check test examples.

For extension developers we recommend to look into an example on how to start Keycloak with their custom provider: provider example, pom.xml test dependency and test example.

If you find a bug, want to discuss something, or propose a new enhancement, please follow this GitHub feedback discussion link.

Next steps

We already have enough capabilities in the new test framework to start migrating some tests from the old testsuite; and in fact already have our very first test migrated. We plan to migrate one package at a time from the old testsuite starting with the admin tests, then moving on to the forms and oauth packages. As we are doing this we will expand on the capabilities of the test framework.

Some features we know will be coming soon included:

An easier way to deploy custom providers, not requiring a Maven build of the provider first
Improved logging, making it easy to configure logging from tests as well as Keycloak
Easy testing of OAuth and OpenID Connect, including a mock application
Extension to allow running code on the tested server when it’s not possible to easily test through only remote interfaces

We also have some more long term plans to deliver:

Provider tests that can be used to easily test a provider by invoking the provider directly
Parallel execution of tests, to take full advantage of multiple cores to reduce test execution time

Acknowledgement

I would like to thank all the people who put the proof of concept together and made it real: Miquel, Simon, Filip, Moises, Jon, and Pedro. A special thank-you goes to Stian, who led the technical design and proposed very nifty things that raised the project to another level.

Thank you for your feedback.

Enjoy!

KeyConf24 recordings available

Alexander Schwartz — Sun, 10 Nov 2024 00:00:00 GMT

KeyConf24, our 2024 Keycloak Identity Summit, happened in Vienna in September this year. We were excited to have a full room on site, and 150+ people watching online.

Thanks to our event sponsor adorsys, all recorded videos are now available online at the event’s website: https://keyconf.dev/. Re-watch the talks and learn from practitioners, developers and maintainers.

Thanks to all our sponsors adorsys, Banfico, Hitachi and Red Hat who made this event possible!

Wallets are Key - the state of play from Bangalore to Brussels
Daniel Goldschneider (The OpenWallet Foundation)
The Journey, Achievements, and Significance of the Keycloak SIG Community
Vinod Anandan (JPMorgan Chase & Co.)
Streamlining Keycloak Configuration Management: Exploring keycloak-config-cli
Francis Pouatcha (adorsys)
Keycloak’s Updates on Emerging Paradigm of Identity and Compliance with Security Specifications
Takashi Norimatsu (Hitachi, Ltd.)
Building declaratively configured Keycloak
Václav Muzikář (Red Hat)
Core Keycloak features developed in past 12 months
Marek Posolda (Red Hat)
Integrating Keycloak with Openresty as a resource server in Open Banking
Pritish Joshi (Banfico)
Unlocking adaptive authentication with Keycloak
Martin Bartoš (Red Hat)
New and Noteworthy in the OAuth World
Dmitry Telegin (Backbase UK)
Extending Keycloak for All Your Identity Use Cases
GR Patil (Phase Two)
Enhancing User Experience with Native Authentication and Passkeys in Keycloak
Martin Besozzi (TwoGenIdentity)

Keycloak 26.0.5 released

Fri, 1 Nov 2024 00:00:00 GMT

To download the release go to Keycloak downloads.

Highlights

LDAP users are created as enabled by default when using Microsoft Active Directory

If you are using Microsoft AD and creating users through the administrative interfaces, the user will created as enabled by default.

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Bugs

#31415 Selection list does not close after outside click admin/ui
#33607 Fix v2 login layout login/ui
#33618 No message for `policyGroupsHelp` admin/ui
#33640 Customizable footer (Keycloak 26) not displaying in keycloak.v2 login theme login/ui
#34301 Remove inaccurate statement about master realm imports docs
#34450 [26.0.2] Migration from 25.0.1 Identity Provider Errors identity-brokering
#34467 Do not rely on the `pwdLastSet` attribute when updating AD entries ldap

Keycloak Client Libraries 26.0.2 released

Thu, 31 Oct 2024 00:00:00 GMT

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Enhancements

#92 Setup CI during nightly build client
#99 Sync with keycloak server 26.0.4 client

Bugs

#94 Tests failing with latest Keycloak server nightly client

Keycloak 26.0.4 released

Wed, 30 Oct 2024 00:00:00 GMT

To download the release go to Keycloak downloads.

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Enhancements

#34284 Keycloak-admin-client should work with the future versions of Keycloak server admin/client-java
#34382 Make the organization chapter of Server Admin guide available on downstream

Bugs

#14562 Broken Promise implementation for AuthZ JS adapter/javascript
#25917 Allow increasing wait time on each failure after the max number of failures is reached authentication
#33627 ClassNotFoundException OracleXADataSource/OracleDataSource using IDELauncher with Keycloak 26.0.0 dist/quarkus
#33731 Client Scope updates are not replicated on a distributed keycloak setup in kubernetes admin/api
#33798 CVE-2021-44549 - org.eclipse.angus/angus-mail: Enabling Secure Server Identity Checks for Safer SMTPS Communication dist/quarkus
#33987 keycloak.v2 registration: Password policy validation error "errorList is null" login/ui
#34042 LDAP Pagination not working for role membership in GET_ROLES_FROM_USER_MEMBEROF_ATTRIBUTE strategy ldap
#34050 Listing federated LDAP users is very slow with import enabled ldap
#34093 java.util.ConcurrentModificationException when process user sessions update infinispan
#34412 LDAP: searching users with import disabled is slower since fix for 34050 ldap

Keycloak DevDay 2025 Pre-Conf Event Announcement

Sebastian Rose — Fri, 25 Oct 2024 00:00:00 GMT

Keycloak DevDay 2025 is just around the corner, and we would like to invite you to a special pre-event: the Keycloak Hackathon!

Hackathon: actively help shape Keycloak

On the day before DevDay, on March 5, our hackathon will give you the opportunity to actively contribute to the further development of Keycloak. Whether you write code, work on the documentation, improve translations or maintain issues in the issue tracker - everyone can take part. The hackathon offers you the opportunity to pitch new ideas and work together in small groups on exciting projects.

Schedule of the hackathon

10:00: Start of the first iteration with a pitch round. Here you can present your ideas and topics, ranging from new features and bug fixes to documentation improvements. The teams start working on the pitched topics. Our goal is to achieve measurable results by the end of the day - be it through code contributions, documentation or other important improvements for the Keycloak community.

12:30: Lunch-break

13:30: Another start for everyone arriving later in the day.

17:00: Closing with presentation and honouring the results

Why should you participate?

The hackathon is a great opportunity to network and actively participate with other members of the Keycloak community. It’s the perfect chance for:

Participants arriving early who want to make good use of the previous day.
Experienced contributors and maintainers who want to advance their projects or work on new topics.
Newcomers who want to contribute for the first time and get involved in the community - whether through code, documentation or organisational tasks.

Ideas and topics

If you have an idea or a topic that you would like to work on at the hackathon, get in touch with us! We will be happy to support you with the preparation and help you present your topic successfully.

If you would like to work on a topic but don’t yet know exactly what you would like to take part in, please let us know. We try to organize teams and topics at an early stage so that you can get in touch with like-minded people in advance.

How can you take part?

Participation is easy: Grab your free pre-event ticket on the Keycloak DevDay website and join us! The hackathon offers a great opportunity to contribute in a relaxed atmosphere and to talk to other participants.

We look forward to seeing you at the hackathon and working together on the future of Keycloak. Let’s code, document, and contribute - together for Keycloak!

Keycloak 26.0.2 released

Thu, 24 Oct 2024 00:00:00 GMT

To download the release go to Keycloak downloads.

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Enhancements

#32110 [Documentation] - Configuring trusted certificates - Fully specify truststore path dist/quarkus

Bugs

#15635 oidc - JavaScript-Adapter LocalStorage#clearExpired does not clear all possible items adapter/javascript
#19101 Uncaught (in promise): QuotaExceededError adapter/javascript
#20287 When using `oidcProvider` config url (.well-known) it's not possible to use `silentCheckSsoRedirectUri` adapter/javascript
#28978 some GUI validation check missing admin/ui
#30832 Organization API not available from OpenAPI documentation admin/api
#31724 Logout not working after removing Identity Provider of user identity-brokering
#33072 Passkeys: Infinite (re-)loading loop on browsers with WebAuthn Conditional UI disabled authentication/webauthn
#33844 Wrong documentation link in keycloak-js readme docs
#33902 Not persisted config settings prevent server start dist/quarkus
#33948 [PERF] OpenTelemetry is initialized even when disabled
#33968 Not possible to close dialog boxes when clicking buttons or the close icon admin/ui
#33991 Doc CI - broken links error docs
#34009 grammatical error in "Managing Organizations" documentation docs
#34015 Home URL for security-admin-console is broken admin/ui
#34028 Custom keycloak login theme styles.css return error 404 login/ui
#34049 Org Invite: `linkExpiration` template variable represents 54 years in minutes organizations
#34063 Respect the locale set to a user when redering verify email pages user-profile
#34069 Do not show domain match message in the identity-first login when no login hint is provided organizations
#34075 Flaky test: org.keycloak.testsuite.broker.KcOidcBrokerTest#testPostBrokerLoginFlowWithOTP_bruteForceEnabled ci
#34095 Keycloak 26.0.0/26.0.1 Import Issue: Multiple Realms Not Imported, Duplicated Realm Imported Instead import-export
#34151 JS password validation doesn't work as intended with uppercase and lowercase minimum requirements login/ui
#34155 cli options starting or ending with ; or containing ;; mangle the cli handling dist/quarkus
#34224 Deleting a user leads to ISPN marshalling exception

Keycloak Client Libraries 26.0.1 released

Tue, 22 Oct 2024 00:00:00 GMT

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Enhancements

#92 Setup CI during nightly build client

Bugs

#89 ClientTest failing with latest Keycloak nightly client

Keycloak 26.0.1 released

Thu, 17 Oct 2024 00:00:00 GMT

To download the release go to Keycloak downloads.

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Enhancements

#32152 Clarify the behaviour of multiple Operator versions installed in the same cluster operator
#33275 Better logging when error happens during transaction commit storage

Bugs

#8935 keycloak.js example from the documentation leads to error path adapter/javascript
#19358 Issue with concurrent user & group delete, unable to cleanup resource server user-policy & group-policy authorization-services
#31848 Repeated email verifications while logging in through IDP caused by email case sensitivity authentication
#32266 LDAP Import: KERBEROS_PRINCIPAL not updated when UserPrincipal changes and user already exists ldap
#32617 Nightly Cypress tests for the Admin Console are failing on Firefox admin/ui
#32844 Login V2: Missing "dir" attributes login/ui
#32847 Admin UI defaults to master realm even without permissions to it admin/ui
#32962 Possible issue with unavailable CryptoIntegration when using keycloak-authz-client with private_key_jwt and ECDSA algorithm oidc
#33513 Can get authorization code on a non verified user with some specific kc_action (AIA) oidc
#33539 Keycloak In Docker: ERROR: Strict hostname resolution configured but no hostname setting provided docs
#33549 Flaky test: org.keycloak.testsuite.broker.KcOidcBrokerTest#testPostBrokerLoginFlowWithOTP_bruteForceEnabled ci
#33557 Unable to submit forms in Safari account/ui
#33576 Broken links / anchors after KC26 release docs
#33578 In imported realms, the ability to use environment variables has disappeared import-export
#33585 Fix runaway asterisk formatting in TLS documentation docs
#33638 Non-optimized start command gives erroneous warnings for runtime spi options dist/quarkus
#33642 RTL not working on keycloak.v2 login template login/ui
#33645 keycloak-js register broken: createRegisterUrl not awaited adapter/javascript
#33699 Failure to redirect to organization IdP when the organization scope is included organizations
#33735 Organizations section is shown in account console if organizations is not enabled for a realm. account/ui
#33776 [Regression] 26.0.0 return empty "access: []" JWT for Docker-v2 Auth provider, resulting in "access denied" authentication
#33777 Error when adding or removing a user from an organisation when there are 2 or more Keycloak servers in a cluster organizations
#33780 Upgrade to 26 fails with 'ERROR: index "idx_us_sess_id_on_cl_sess" does not exist' core
#33814 NPE when device representation cannot be parsed authentication
#33817 NEP when Default Role is not present on CachedRealm infinispan
#33874 [Keycloak CI] - AuroraDB IT - Error creating EC2 runner instance
#33875 [Keycloak CI] - FIPS IT - Failed to fetch maven
#33883 Auth not possible for auth session where user was enabled in the meantime authentication
#33907 NPE thrown in whoami endpoint admin/ui
#33967 password is a required field admin/ui

Meet Keycloak at KubeCon Salt Lake City, Utah in Nov 2024

Kamesh Akella — Thu, 10 Oct 2024 00:00:00 GMT

We are thrilled to announce that Keycloak will be at KubeCon Salt Lake City, Utah in Nov 2024. There are several Keycloak specific sessions lined up during this conference, and we will be hosting a Kiosk at the Project Pavilion at KubeCon.

What is KubeCon?

Keycloak’s presence in the previous KubeCons was a huge success, and we continue to have a lot of fun interacting with Keycloak enthusiasts, users, newcomers alike. KubeCon is a fast-growing Cloud Native tech conference expected to have up to 8,000 developers, architects, and technical leaders onsite as well as thousands of participants virtually.

KubeCon Salt Lake City will be held from Nov. 12th, 2024 through Nov. 15th, 2024, with many of the co-located events happening on Tuesday, Nov 12th, 2024.

Keycloak community Meet & Greet at the Project Pavilion

Yoshiyuki Tabata from Hitachi, Ryan Emerson, Martin Bartos, Kamesh Akella from Red Hat and other contributors will be at the Keycloak kiosk at the Project Pavilion. This is a great chance to meet people who use Keycloak, contribute to Keycloak, take our survey about new Keycloak features, and get some cool swag!

Keycloak Kiosk opening hours:

Wednesday, November 13: 3:15pm-8:00pm
Thursday, November 14: 1:45pm–5:00pm
Friday, November 15: 12:30pm-2:30pm

OpenShift Commons Gathering

The OpenShift Commons Gathering happens on Tuesday (Nov. 12th, 2024) and builds connections and collaboration across OpenShift communities, projects and stakeholders. Some maintainers from the Keycloak development team will be here during the afternoon. This gives a chance for more community Keycloak maintainers, contributors, and users to meet and share their ideas or just hang out. Access to the OpenShift Commons event is free and does not require a paid KubeCon ticket, still you’ll need to register on their website in advance.

Keycloak specific events at KubeCon

Below is the Keycloak specific event that the attendees both in-person and virtually can plan to attend and learn more about a Highly Available Keycloak deployed in a Multi-Site environment.

Friday, November 15, 4:55pm - 5:30pm MST(UTC-7)
Running a Highly Available Identity and Access Management with Keycloak
By Ryan Emerson & Kameswararao Akella, Red Hat.

We’re preparing for KubeCon SLC 2024 and can’t wait to connect with our community. Mark your calendars and join us.

See you in Salt Lake City, Utah!

Backwards compatibility in Keycloak releases

Stian Thorgersen — Tue, 8 Oct 2024 00:00:00 GMT

With four major releases of Keycloak every year it can be a daunting task to keep deployments up to date. Especially, since the number of breaking changes have drastically increased the last couple years. Combine this with the importance of patching deployments quickly for vulnerabilities, this can leave many deployments open to known vulnerabilities as the time and effort required to update to the latest release is too costly.

Additionally, currently Keycloak client libraries are released together with the server, resulting in new major versions of a client library, where in fact there can be no changes at all, or perhaps only a bug fix or two.

For these reasons, after Keycloak 26.0 is released there will be some changes to how Keycloak is being released:

Keycloak server will have 4 minor releases every year, and a major release every 2-3 years
Keycloak client libraries will be released separately. The latest client library release will support all currently supported Keycloak server releases

We will continue to bring new features and enhancements to Keycloak in each release, and we are committed to doing so in a backwards compatible way, making it seamless and easy to upgrade.

When a minor comes with breaking changes, such changes will be opt-in. This will be driven through versioning where the currently default version for a Feature or an API can not change in a minor release, and there will be a new version that can be explicitly enabled. The current version of a Feature or API can be deprecated in a minor, but will not be removed until the next major version. This will allow you to gradually roll-out new Feature or API versions separately from upgrading. You can choose to get ready for the next major release early, or wait and do it in one go.

Backwards compatibility guarantees will only be given to Features and APIs that are fully supported. Preview features or preview APIs, as well as non-public APIs may change at any time.

Keycloak 26.0.0 released

Fri, 4 Oct 2024 00:00:00 GMT

To download the release go to Keycloak downloads.

Highlights

Organizations supported

Starting with Keycloak 26, the Organizations feature is fully supported.

Client libraries updates

Dedicated release cycle for the client libraries

From this release, some of the Keycloak client libraries will have release cycle independent of the Keycloak server release cycle. The 26.0.0 release may be the last one when the client libraries are released together with the Keycloak server. But from now on, the client libraries may be released at a different time than the Keycloak server.

The client libraries are these artifacts:

Java admin client - Maven artifact org.keycloak:keycloak-admin-client
Java authorization client - Maven artifact org.keycloak:keycloak-authz-client
Java policy enforcer - Maven artifact org.keycloak:keycloak-policy-enforcer

It is possible that in the future, some more libraries will be included.

The client libraries are supported with Java 8, so it is possible to use them with the client applications deployed on the older application servers.

Compatibility of the client libraries with the server

Beginning with this release, we are testing and supporting client libraries with the same server version and a few previous major server versions.

For details about supported versions of client libraries with server versions, see the Upgrading Guide.

User sessions persisted by default

Keycloak 25 introduced the feature persistent-user-sessions. With this feature enabled all user sessions are persisted in the database as opposed to the previous behavior where only offline sessions were persisted. In Keycloak 26, this feature is enabled by default. This means that all user sessions are persisted in the database by default.

It is possible to revert this behavior to the previous state by disabling the feature. Follow the Volatile user sessions section in Configuring distributed caches guide for more details.

For information on how to upgrade, see the Upgrading Guide.

New default login theme

There is now a new version (v2) of the keycloak login theme, which provides an improved look and feel, including support for switching automatically to a dark theme based on user preferences.

The previous version (v1) is now deprecated, and will be removed in a future release.

For all new realms, keycloak.v2 will be the default login theme. Also, any existing realm that never explicitly set a login theme will be switched to keycloak.v2.

Highly available multi-site deployments

Keycloak 26 introduces significant improvements to the recommended HA multi-site architecture, most notably:

Keycloak deployments are now able to handle user requests simultaneously in both sites.
Active monitoring of the connectivity between the sites is now required to update the replication between the sites in case of a failure.
The loadbalancer blueprint has been updated to use the AWS Global Accelerator as this avoids prolonged fail-over times caused by DNS caching by clients.
Persistent user sessions are now a requirement of the architecture. Consequently, user sessions will be kept on Keycloak or Infinispan upgrades.

For information on how to migrate, see the Upgrading Guide.

Admin Bootstrapping and Recovery

In the past, regaining access to a Keycloak instance when all admin users were locked out was a challenging and complex process. Recognizing these challenges and aiming to significantly enhance the user experience, Keycloak now offers several straightforward methods to bootstrap a temporary admin account and recover lost admin access.

It is now possible to run the start or start-dev commands with specific options to create a temporary admin account. Additionally, a new dedicated command has been introduced, which allows users to regain admin access without hassle.

For detailed instructions and more information on this topic, refer to the Admin Bootstrap and Recovery guide.

OpenTelemetry Tracing preview

The underlying Quarkus support for OpenTelemetry Tracing has been exposed to Keycloak and allows obtaining application traces for better observability. It helps to find performance bottlenecks, determine the cause of application failures, trace a request through the distributed system, and much more. The support is in preview mode, and we would be happy to obtain any feedback.

For more information, see the Enabling Tracing guide.

OpenID for Verifiable Credential Issuance

The OpenID for Verifiable Credential Issuance (OID4VCI) is still an experimental feature in Keycloak, but it was greatly improved in this release. You will find significant development and discussions in the Keycloak OAuth SIG. Anyone from the Keycloak community is welcome to join.

Many thanks to all members of the OAuth SIG group for the participation on the development and discussions about this feature. Especially thanks to the Francis Pouatcha, Pascal Knüppel, Takashi Norimatsu, Ingrid Kamga, Stefan Wiedemann and Thomas Darimont

DPoP improvements

The DPoP (OAuth 2.0 Demonstrating Proof-of-Possession) preview feature has improvements. The DPoP is now supported for all grant types. With previous releases, this feature was supported only for the authorization_code grant type. Support also exists for the DPoP token type on the UserInfo endpoint.

Many thanks to Pascal Knüppel for the contribution.

Removal of GELF logging handler

GELF support has been deprecated for a while now, and with this release it has been finally removed from Keycloak. Other log handlers are available and fully supported to be used as a replacement of GELF, for example Syslog. For details see the Logging guide.

Lightweight access tokens for Admin REST API

Lightweight access tokens can now be used on the admin REST API. The security-admin-console and admin-cli clients are now using lightweight access tokens by default, so “Always Use Lightweight Access Token” and “Full Scope Allowed” are now enabled on these two clients. However, the behavior in the admin console should effectively remain the same. Be cautious if you have made changes to these two clients and if you are using them for other purposes.

Keycloak JavaScript adapter now standalone

Keycloak JavaScript adapter is now a standalone library and is therefore no longer served statically from the Keycloak server. The goal is to de-couple the library from the Keycloak server, so that it can be refactored independently, simplifying the code and making it easier to maintain in the future. Additionally, the library is now free of third-party dependencies, which makes it more lightweight and easier to use in different environments.

For a complete breakdown of the changes consult the Upgrading Guide.

Hostname v1 feature removed

The deprecated hostname v1 feature was removed. This feature was deprecated in Keycloak 25 and replaced by hostname v2. If you are still using this feature, you must migrate to hostname v2. For more details, see the Configuring the hostname (v2) and the initial migration guide.

Automatic redirect from root to relative path

User is automatically redirected to the path where Keycloak is hosted when the http-relative-path property is specified. It means when the relative path is set to /auth, and the user access localhost:8080/, the page is redirected to localhost:8080/auth.

The same applies to the management interface when the http-management-relative-path or http-relative-path property is specified.

It improves user experience as users no longer need to set the relative path to the URL explicitly.

Persisting revoked access tokens across restarts

In this release, revoked access tokens are written to the database and reloaded when the cluster is restarted by default when using the embedded caches.

For information on how to migrate, see the Upgrading Guide.

Client Attribute condition in Client Policies

The condition based on the client-attribute was added into Client Policies. You can use condition to specify for the clients with the specified client attribute having a specified value. It is possible to use either an AND or OR condition when evaluating this condition as mentioned in the documentation for client policies.

Many thanks to Yoshiyuki Tabata for the contribution.

Specify different log levels for log handlers

It is possible to specify log levels for all available log handlers, such as console, file, or syslog. The more fine-grained approach provides the ability to control logging over the whole application and be tailored to your needs.

For more information, see the Logging guide.

Proxy option removed

The deprecated proxy option was removed. This option was deprecated in Keycloak 24 and replaced by the proxy-headers option in combination with hostname options as needed. For more details, see using a reverse proxy and the initial migration guide.

Option `proxy-trusted-addresses` added

The proxy-trusted-addresses can be used when the proxy-headers option is set to specify a allowlist of trusted proxy addresses. If the proxy address for a given request is not trusted, then the respective proxy header values will not be used.

Option `proxy-protocol-enabled` added

The proxy-protocol-enabled option controls whether the server should use the HA PROXY protocol when serving requests from behind a proxy. When set to true, the remote address returned will be the one from the actual connecting client.

Option to reload trust and key material added

The https-certificates-reload-period option can be set to define the reloading period of key store, trust store, and certificate files referenced by https-* options. Use -1 to disable reloading. Defaults to 1h (one hour).

Options to configure cache max-count added

The --cache-embedded-${CACHE_NAME}-max-count= can be set to define an upper bound on the number of cache entries in the specified cache.

The `https-trust-store-*` options have been undeprecated

Based on the community feedback, we decided to undeprecate https-trust-store-* options to allow better granularity in trusted certificates.

The `java-keystore` key provider supports more algorithms and vault secrets

The java-keystore key provider, which allows loading a realm key from an external java keystore file, has been modified to manage all Keycloak algorithms. Besides, the keystore and key secrets, needed to retrieve the actual key from the store, can be configured using the vault. Therefore a Keycloak realm can externalize any key to the encrypted file without sensitive data stored in the database.

For more information about this subject, see Configuring realm keys.

Adding support for ECDH-ES encryption key management algorithms

Now Keycloak allows configuring ECDH-ES, ECDH-ES+A128KW, ECDH-ES+A192KW or ECDH-ES+A256KW as the encryption key management algorithm for clients. The Key Agreement with Elliptic Curve Diffie-Hellman Ephemeral Static (ECDH-ES) specification introduces three new header parameters for the JWT: epk, apu and apv. Currently Keycloak implementation only manages the compulsory epk while the other two (which are optional) are never added to the header. For more information about those algorithms please refer to the JSON Web Algorithms (JWA).

Also, a new key provider, ecdh-generated, is available to generate realm keys and support for ECDH algorithms is added into the Java KeyStore provider.

Many thanks to Justin Tay for the contribution.

Support for multiple instances of a social broker in a realm

It is now possible to have multiple instances of the same social broker in a realm.

Most of the time a realm does not need multiple instances of the same social broker. But due to the introduction of the organization feature, it should be possible to link different instances of the same social broker to different organizations.

When creating a social broker, you should now provide an Alias and optionally a Display name just like any other broker.

New generalized event types for credentials

There are now generalized events for updating (UPDATE_CREDENTIAL) and removing (REMOVE_CREDENTIAL) a credential. The credential type is described in the credential_type attribute of the events. The new event types are supported by the Email Event Listener.

The following event types are now deprecated and will be removed in a future version: UPDATE_PASSWORD, UPDATE_PASSWORD_ERROR, UPDATE_TOTP, UPDATE_TOTP_ERROR, REMOVE_TOTP, REMOVE_TOTP_ERROR

Customizable Footer in login Themes

The template.ftl file in the base/login and the keycloak.v2/login theme now allows to customize the footer of the login box. This can be used to show common links or include custom scripts at the end of the page.

The new footer.ftl template provides a content macro that is rendered at the bottom of the "login box".

Keycloak CR supports standard scheduling options

The Keycloak CR now exposes first class properties for controlling the scheduling of your Keycloak Pods.

For more details, see the Operator Advanced Configuration.

KeycloakRealmImport CR supports placeholder replacement

The KeycloakRealmImport CR now exposes spec.placeholders to create environment variables for placeholder replacement in the import.

For more details, see the Operator Realm Import.

Configuring the LDAP Connection Pool

In this release, the LDAP connection pool configuration relies solely on system properties.

For more details, see Configuring the connection pool.

Infinispan marshalling changes to Infinispan Protostream

Marshalling is the process of converting Java objects into bytes to send them across the network between Keycloak servers. With Keycloak 26, we changed the marshalling format from JBoss Marshalling to Infinispan Protostream.

Warning

JBoss Marshalling and Infinispan Protostream are not compatible with each other and incorrect usage may lead to data loss. Consequently, all caches are cleared when upgrading to this version.

Infinispan Protostream is based on Protocol Buffers (proto 3), which has the advantage of backwards/forwards compatibility.

Removal of OSGi metadata

Since all of the Java adapters that used OSGi metadata have been removed we have stopped generating OSGi metadata for our jars.

Group-related events no longer fired when removing a realm

With the goal of improving the scalability of groups, they are now removed directly from the database when removing a realm. As a consequence, group-related events like the GroupRemovedEvent are no longer fired when removing a realm.

For information on how to migrate, see the Upgrading Guide.

Identity Providers no longer available from the realm representation

As part of the improvements around the scalability of realms and organizations when they have many identity providers, the realm representation no longer holds the list of identity providers. However, they are still available from the realm representation when exporting a realm.

For information on how to migrate, see the Upgrading Guide.

Securing Applications documentation converted into the guide format

The Securing Applications and Services documentation was converted into the new format similar to the Server Installation and Configuration documentation converted in the previous releases. The documentation is now available under Keycloak Guides.

Removal of legacy cookies

Keycloak no longer sends _LEGACY cookies, which where introduced as a work-around to older browsers not supporting the SameSite flag on cookies.

The _LEGACY cookies also served another purpose, which was to allow login from an insecure context. Although, this is not recommended at all in production deployments of Keycloak, it is fairly frequent to access Keycloak over http outside of localhost. As an alternative to the _LEGACY cookies Keycloak now doesn’t set the secure flag and sets SameSite=Lax instead of SameSite=None when it detects an insecure context is used.

Property `origin` in the `UserRepresentation` is deprecated

The origin property in the UserRepresentation is deprecated and planned to be removed in future releases.

Instead, prefer using the federationLink property to obtain the provider to which a user is linked with.

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Removed features

#492 Stop using the UMD version of Keycloak JS on the website web
#10983 Remove redirect_uri support from OIDC logout endpoint
#15013 Remove OpenJDK 8 for adapters
#16181 Deprecate legacy cookie behaviour behind profile authentication
#16770 Remove legacy cookies authentication
#27365 Remove GELF dist/quarkus
#27731 Remove Hostname v1 docs
#29104 Check if OSGI metadata can be removed entirely
#32821 Remove references of using statically served Keycloak JS code from docs docs
#32823 Remove ability for Keycloak JS to detect the URL of Keycloak server based on script docs
#32824 De-couple integration tests from statically served Keycloak JS testsuite
#32826 Remove UMD distribution of Keycloak JS adapter/javascript
#32827 Remove code and profile to statically serve Keycloak JS from the server adapter/javascript
#32843 Release notes and upgrade guide for Keycloak JS docs
#33021 Remove deprecated `setOrCreateChild()` method from Admin Client admin/client-js
#33082 Stop statically serving Keycloak JS from the Keycloak server adapter/javascript

New features

#20342 Duplicate groups in the admin console of Keycloak admin/ui
#26178 Support dark mode, at least for the login pages login/ui
#29324 Bootstrapping an admin user using a dedicated command dist/quarkus
#29755 Support AES and HMAC Key-Imports for the JavaKeystoreKeyProvider
#30002 Bootstrapping an admin service account using a dedicated command dist/quarkus
#30009 Warnings for temporary admin user and service account core
#30011 Document admin bootstrapping and recovery docs
#30682 Group assignment: Display disabled information from user admin/ui
#30795 Initiate create events if ClientScopes are created
#31421 Add Events for Organization Creation and Member Assignment organizations
#31642 Include organization attributes and information in ID and access tokens organizations
#31643 Implement invitation-only self-registration for realm users organizations
#32030 Retry remote cache operations with back off
#32135 Option to specify trusted proxies dist/quarkus
#32553 Expose Password Policies in FreeMarker Context for Login Themes

Enhancements

#583 Update dependency on keycloak-client in main branch to 999.0.0-SNAPSHOT quickstarts
#10114 Specific events for webauthn register authentication/webauthn
#10492 Support proxy_protocol
#14073 SAML 2.0 HTTP-Artifact binding
#15769 update or replace base64-js and js-sha256 adapter/javascript
#16750 Google login - add prompt=select_account option core
#19564 response_type none is oidc spec but ignored in the current implementation. oidc
#19750 Use a proper FreeMarker template for the new consoles account/ui
#21072 Make sure identity providers are not send in realm GET requests and PUT requests used in "Realm settings"
#21261 Identity providers: Pagination in account console (and account REST API)
#21342 Upgrade login theme to PatternFly 5 login/ui
#23179 kcadm should have a command to verify connection admin/cli
#23596 Support generated ECDH realm keys oidc
#23597 Support ECDH-ES JWE algorithms oidc
#23771 Automatically hot reload TLS certificates when https-certificate-file or https-certificate-key-file changes on disk dist/quarkus
#24815 Hostname config check on welcome page
#25391 Improve auto behavior with operator and --optimized
#25541 Add an option for a custom welcome page to disable bootstrapping of admin account welcome/ui
#26262 Remove need to update Quarkus tests when profile features change dist/quarkus
#26470 Add a field to the RealmImportSpec to toggle replacing ENV variable placeholders
#27040 [keycloak-js] Expose didInitialize as a public method/property adapter/javascript
#27298 Validate spi options wrt build / run time dist/quarkus
#27432 Document how to specify CPU and memory limits/requests for the Operator operator
#27884 Automatic update of bcfips versions in the docs docs
#27947 Rename Dockerfile to Containerfile in the docs docs
#28017 Un-friendly error message for Fail Import option in keycloak GUI import-export
#28140 External Infinispan as cache - Part 1
#28311 Detect clients which refresh their access tokens too early
#28581 Support OpenTelemetry tracing
#28648 External Infinispan as cache - Part 2
#28754 External Infinispan as cache - Part 3 / login failures cache
#28755 External Infinispan as cache - Part 4 / user + client sessions online + offline
#29200 Clarify import/export usage of options
#29258 Support pod affinity settings in the Keycloak Operator operator
#29303 Active/Active XSite fencing
#29394 Infinispan Protostream
#29480 GET users endpoint is making lots of requests to the database storage
#29665 Please clarify in the docs that the replacement of KC_PROXY=edge is not just KC_PROXY_HEADERS, but one MUST set KC_HTTP_ENABLED=true.
#29698 Improve SAML2 Metadata Validation Exception messages saml
#29725 VC issuance in Authz Code flow with considering “scope” parameter oid4vc
#29974 Add support of RTL UI in login pages login/ui
#29986 private AuthzClient.createPatSupplier
#30003 Bootstrapping an admin user or service account at server startup dist/quarkus
#30004 Bootstrapping an admin user or service account using the Operator operator
#30010 Update the welcome page to create a temporary admin user dist/quarkus
#30094 Do not inherit 'https-client-auth' property for the management interface
#30118 Admin UI - Fixed save buttons on the bottom at the page
#30165 Handle proxy related env vars in the Operator operator
#30243 Protobuf schema compatibility check (maven plugin)
#30267 Protect the disabling of the main keycloak account admin/api
#30286 Add missing translation for oid4vc protocol
#30337 Introduce packages for organization tests organizations
#30338 Refactor organization tests organizations
#30346 Enhance masking around config-keystore dist/quarkus
#30419 Credential Issuer Metadata: Support Optional ```claims``` Object in ```credential_configurations_supported``` in ```openid-credential-issuer``` endpoint oid4vc
#30445 Batch cluster events
#30454 Server crash when using kc.sh with -Dkeycloak.profile=experimental dist/quarkus
#30525 Enhance Verifiable Credential Signing Service Flexibility and Key Rotation oid4vc
#30537 Document how Admin REST API endpoints work with Hostname config docs
#30542 Use correct scope within maven-plugin core
#30623 Make sure not possible to import jakarta classes in admin-client-jee admin/client-java
#30629 Cleanup dependencies of keycloak-client-registration-api to not have dependency on server admin/client-java
#30707 prevent removing the flow when used by client flow overrides authentication
#30743 Make sure users created through a registration link are managed members organizations
#30746 Allow auto-redirect existing users federated from organization broker when using the username organizations
#30747 Support for members joining multiple organizations organizations
#30829 Print keycloak's server response when using keycloak-admin-client admin/client-js
#30855 Make persistent user sessions and external Infinispan co-exist
#30856 Remove inclusive language foreword docs
#30873 Exchange VC Format class for String constantns oid4vc
#30880 Add vault support to JavaKeystoreKeyProvider core
#30907 Implement advanced verification of SD-JWT in Keycloak oid4vc
#30918 VerifiableCredential: Exchange java.util.Date for java.time.Instant oid4vc
#30924 Keycloak Operator should use the port name and not the port number for the ingress operator
#30931 Enable ProtoStream encoding for External Infinispan feature
#30934 Drop `AuthenticatedClientSessionStore` from user sessions
#30995 Document LDAP connection pool configuration
#30999 Make ProofType for CredentialRequest a string instead of enum oid4vc
#31005 Override of begin transaction in AbstractKeycloakTransaction
#31006 Conditionally redirect existing users to a broker based on their credentials organizations
#31029 Refactor HA guide
#31046 ConditionalRemove interface for External Infinispan feature
#31056 Avoid iterating and updating all group policies when removing groups authorization-services
#31064 Add simple cache to cache-local.xml
#31076 Oauth2GrantType.Context requires getter-methods oidc
#31086 Manipulate redirect on OpenID redirect with custom implementation oidc
#31183 Show Display Name (if available) and Realm Id on Realm Dropdown Button admin/ui
#31226 Release notes for JavaKeystoreProvider updates docs
#31343 Can we remove distribution/feature-packs directory? adapter/jee
#31388 [Organizations] Add a count() method to the OrganizationMembersResource core
#31390 Allow custom login themes to define a footer ftl fragment login/ui
#31438 Support for authenticating and issuing tokens in the context of a organization organizations
#31489 Remove keycloak-undertow-adapter-spi adapter/saml
#31491 Add a deprecation warning when old `KEYCLOAK_ADMIN`, `KEYCLOAK_ADMIN_PASSWORD` env vars are used dist/quarkus
#31513 Support lightweight access tokens for Admin REST API oidc
#31514 Allow Embedded Cache sizes to be configured via the CLI
#31547 Use correct error code in error response in token exchange token-exchange
#31548 Add issued_token_type to token-exchange response token-exchange
#31581 Allow optional inclusion of Issue At TIme (iat) and Not Before (nbf) claim to a verifiable credential oid4vc
#31625 import placeholders should be converted to an option
#31648 Change default name of bootstrap service account dist/quarkus
#31670 Make sure the storage provider ID is always available from `UserModel.getFederationLink`
#31676 Upgrade to Quarkus 3.13.2 dist/quarkus
#31681 Add x5c and jwk header to JWSBuilder oidc
#31699 Optimize Remote Infinispan performance on removal of entry
#31701 Optimize CPU cycles for persistent sessions
#31725 Revoked tokens table is missing an index
#31766 Client Policy - Condition : Client - Client Attribute oidc
#31786 The console takes a very long time to display group members with LDAP provider ldap
#31807 Simplify enabling MULTI_SITE setup in KC26
#31816 Class CertificateUtils should support creation of EC certificates oidc
#31845 JavaScript build should not cache Keycloak Java artifacts and should rotate PNPM cache
#31876 Non clustered Keycloak with External Infinispan feature
#31894 Redirect after cancelling a required action should contain kc_action parameter authentication
#31908 Add docs for the OpenTelemetry tracing docs
#31932 Upgrade to next Quarkus LTS dist/quarkus
#31963 Upgrade to Infinispan 15.0.7.Final
#32023 Add ECDH-ES encyption algorithms to the java keystore key provider core
#32033 References to removed artifacts and obsolete properties in root pom.xml
#32056 OTEL: Service name isn't configurable and doesn't comply with conventions
#32095 OTEL: Dynamic service name for tracing in K8s environment operator
#32131 Remove session related caches from external Infinispan in HA guide
#32158 Add an endpoint to the `organizations` endpoint to return the organizations for a given user organizations
#32188 Quarkus IDE Debugging should set JVM options like kc.sh
#32198 error message "Address already in use" should state which address/port in particular
#32231 OTEL: Profile Feature dist/quarkus
#32265 Enable persistent sessions by default
#32273 Optimize Persistent Sessions SQL for session list
#32312 Relocate Quarkus resteasy-reactive dependencies to REST
#32314 Syslog: add necessary options to cover the major usability dist/quarkus
#32328 Upgrade to Infinispan 15.0.8
#32343 Upgrade Keycloak's sizing guide for KC26 and persistent sessions
#32387 Documentation for persistent sessions enabled by default
#32388 Make update IdentityProvider admin REST API more efficient.
#32389 Upgrade to Quarkus 3.13.3 dist/quarkus
#32416 Skip creating sessions cache when Persistent Sessions is enabled
#32428 Performance optimization when checking secure context
#32517 Upgrade to Quarkus 3.14.2 dist/quarkus
#32525 Document Syslog app-name option
#32579 Set autocomplete="one-time-code" in OTP login form login/ui
#32582 Remove tables `user_session`, `user_session_note` and `client_session`
#32583 Review the number indexes for offline session tables
#32586 Remove keycloak-core and keycloak-crypto-default from SAML galleon feature pack and upgrade them to Java 17 dependencies
#32588 Search Identity Providers by alias or display name
#32590 Remove `version()` projection from Ickle Queries
#32596 Rename `remote-cache` Feature
#32619 Possibility to separately specify log levels for log handlers
#32683 Optimize LogoutEndpoint.backchannelLogout endpoint identity-brokering
#32717 Make it explicit which options are needed when using optimized image with the Operator operator
#32745 Review the RTO and RPO in the multi-site docs after the A/A failure and recovery tests
#32746 Add organization id to the organization claim of the access token
#32803 Update the HA guide with fencing lambda taking Infinispan caches offline
#32804 Remove `org.keycloak.utils.ProxyClassLoader`
#32845 Add client side password policy checks
#32852 Prevent deadlocks on concurrent user updates
#32863 Redirect to relative-path from the root path dist/quarkus
#32906 Reduce the cost of updating user attributes in JPA store core
#32968 [OID4VCI] Show OpenID4VCI Credential Issuer Metadata link in admin ui oid4vc
#32970 Upgrade to Quarkus 3.14.4 dist/quarkus
#33010 Bootstrap admin client should use lightweight access tokens dist/quarkus
#33015 FolderThemeProvider should select theme from available themes core
#33040 Provide more information when there is an error to possibly debug
#33143 Add the Troubleshooting and Health checks guide to Keycloak
#33163 Use INFO Log Level for status in Migration Logic in DefaultMigrationManager
#33201 [Organizations] Allow orgs to define the redirect URI after user registers or accepts invitation link organizations
#33203 Explicitly document that the Operator does not create an Ingress for Admin URL operator
#33325 Refactor loading resources from themes
#33384 Document supported configurations and limitations for multi-site
#33405 Use feature versions for admin3, account3, and login2
#33426 Minor tweaks in SAML documentation adapter/saml
#33515 Use `crypto.randomUUID()` to generate UUIDs for Keycloak JS adapter/javascript

Bugs

#555 Failures in `ExtendAdminConsoleTest` quickstarts
#565 Build fails in the extension quickstarts
#567 Tests in user-storage-simple quickstart are failing in main branch quickstarts
#572 Action-token quickstarts don't compile with latest Keycloak quickstarts
#574 Incorrect Keycloak version in the main branch of quickstarts quickstarts
#595 Jakarta tests are failing with latest main quickstarts
#607 Workflow failure - JavaScript quickstarts
#10730 realm import: error if ldap groupmapper has a group path set import-export
#13505 locale attribute not set after registration authentication
#17857 New Admin UI does not send e-mails if account-client is disabled core
#19070 authBaseUrl error on different hostname-admin-url, hostname-url admin/ui
#20371 Double form submit in Admin UI possible leading to error mesages admin/ui
#20431 Fine-grained admin permission client manage does not work admin/ui
#23028 Documentation: Authorization Services documentation contains duplicated image authorization-services
#23496 Rename "Realm name" field to "Realm ID" field in realm creation screen admin/ui
#25234 front channel logout to clients are not called at Identity Proxy when using front channel logout to Identity Provider( oidc
#25339 "Invalid Username" when "Email as Username" is used and the email contains special characters user-profile
#25440 page-expired error page shown when using browser back-button on forgot-password page after invalid login attempt authentication
#25794 Flaky test: org.keycloak.testsuite.model.DBLockTest#testTwoLocksCurrently storage
#25837 Infinispan Cache(embedded) data is not being updated during mergeView event infinispan
#26042 Issue when start-dev in 23.0.1 dist/quarkus
#26117 Flaky test: org.keycloak.testsuite.oidc.AuthenticationMethodReferenceTest#testAmrPastMaxAge oidc
#26176 Flaky test: org.keycloak.testsuite.forms.RecoveryAuthnCodesAuthenticatorTest#test03AuthenticateRecoveryAuthnCodes authentication
#26435 NullPointerException when using client scope policy for token-exchange token-exchange
#26794 MULTIVALUED_LIST_TYPE not working for client mappers admin/ui
#27506 Readable realm name no longer visible in logs, but realm id is used instead core
#27536 "User Profile" attributes not available for Users Attribute search and Attribute selection, if no view or manage realm realm-management role added account/ui
#27677 Translations missing for user events in admin ui translations
#27941 Entry 999.0.0 in MIGRATION_MODEL prevents future migrations of the database core
#28020 Firefox Webauthn Registration "SecurityError: The operation is insecure." authentication/webauthn
#28418 SSO Session Idle: session is still active after session idle time expired oidc
#28489 Missing help text on tokens tab admin/ui
#28633 Client roles won't open (Forbidden) with Fine Grained Permission (without view-clients realm-management role) account/ui
#28643 Encountering `NullPointerException` - `KeycloakIdentity.getUserFromToken()` when running `admin-ui` locally admin/ui
#28865 NullPointerException on RealmCacheSession when upgrading Keycloak 23.0.4 to 24.0.2 infinispan
#28953 Flaky test: org.keycloak.testsuite.actions.RequiredActionUpdateProfileTest#updateProfileWithoutRemoveCustomAttributes ci
#29098 User profile validation pattern error-message not rendered from messages_en.properties admin/ui
#29211 Network error attempting to view default realm roles without permissions admin/ui
#29271 TrustedHostClientRegistrationPolicyTest#testGithubDomain failing in clean checkout testsuite
#29385 Restart authentication event type is not generated authentication
#29407 Need refresh attributes group translations on Users > Details tab admin/ui
#29413 Realm client unset protocol not preserved admin/ui
#29468 realm_settings_general_tab_test.spec fails randomly admin/ui
#29486 Default theme logs font related console errors on firefox login/ui
#29542 The EmailEventListenerProvider throws an exception on brute force lockout events authentication
#29566 User Profile attributes/groups in Admin UI are not translated using Localization for non-master realm when signed in the master realm account/ui
#29615 Get effective roles for user needs more privileges than expected admin/api
#29761 bug: disabling all default features no longer works core
#29784 Exception while trying to run a LDAP sync with a group importer and a batch size less then the actual number of groups ldap
#29866 Missing Cache-Control header when "response_type" parameter is missing in login request authentication
#29878 Updating a client protocol mappers through Admi CLI (kcadm) resets the client service account roles admin/cli
#29978 Admin UI slow performance loading 600+ realms admin/ui
#30048 Save button is not activated at first modification on "Client scope details" admin/ui
#30111 Flaky test: org.keycloak.testsuite.oauth.TokenIntrospectionTest#testUnsupportedToken ci
#30115 Admin v2 theme - theme.properties Custom theme scripts not loading admin/ui
#30143 User in subgroup not synchronized and still appears as not in the subgroup account/ui
#30181 [DPoP] token_type on UserInfoEndpoint expects Bearer instead of DPoP oidc
#30188 Flaky test: org.keycloak.testsuite.broker.KcOidcBrokerTest#testPostBrokerLoginFlowWithOTP_bruteForceEnabled ci
#30201 Keycloak CI - failure in Store IT (aurora-postgres) ci
#30235 Flaky test: org.keycloak.testsuite.model.user.UserModelTest#testAddRemoveUserConcurrent ci
#30236 Flaky test: org.keycloak.testsuite.model.user.UserModelTest#testAddRemoveUserConcurrent ci
#30240 Custom attributes are removed during UPDATE PROFILE event core
#30271 Client role descriptions are not localized admin/ui
#30276 The "Quarkus development mode" instructions in quarkus/README.md throw a ForkJoinPool error dist/quarkus
#30284 Executor consent-required does not work for client-roles condition oidc
#30300 Upgrade to Keycloak 25 - Table 'USER_CONSENT' is specified twice on MySQL/MariaDB database core
#30302 Methods of SimpleHttp are after change now too much protected core
#30305 Importing organizations failing if there is no broker and members in the representation organizations
#30306 Upgrade to Keycloak 25 - Events bug in UI admin/ui
#30308 Organization resources in keycloak-admin-client-jee have dependencies on jakarta admin/client-java
#30312 Add an alias to organization organizations
#30313 Expose organization to theme templates organizations
#30329 Client secret rotation UI shows wrong rotated secret admin/ui
#30332 Operator fails to patch ingress after update to 25.0.0 operator
#30334 RESTART_AUTHENTICATION_ERROR when login in in private browser window after 25.0.0 update core
#30335 Google login on Social login test is failing ci
#30339 Identity-first login flow should be followed by asking for the user credentials rather than allowing providing the username again organizations
#30351 Migration of sessions in KC25 should run only on migration, not on imports
#30355 New operator failing on health checks operator
#30368 Documentation : label error for persistent-user-sessions feature flag docs
#30380 Incorrect warning log about deprecated options hostname, hostname-debug dist/quarkus
#30383 Account Console (v3) no longer highlights the current page in the nav bar account/ui
#30414 Login / Admin events filter by date under realm Events return incorrect results storage
#30417 Keycloak 25 db guide shows unevaluated "ifeval docs
#30425 Built-in scopes are not translated in the account console "applications" tab account/ui
#30432 keycloak hostname:v2 /admin used on "hostname" instead of "hostname-admin" admin/ui
#30434 Improvements for ldap test authentication ldap
#30436 Client Roles are not shown when clientId property is set admin/ui
#30440 UI theme bug in KC 25.0.0 admin/ui
#30449 Migration stuck if versions incompatible operator
#30460 The `start` command should automatically re-build when previous run was `start-dev` dist/quarkus
#30476 All user attributes readonly in admin ui and admin API after setting edit mode of one user federation to READ_ONLY core
#30485 Fix LoginFailureEntity protostream encoding infinispan
#30492 partial_import_test fails randomly admin/ui
#30511 Fix AuthenticatedClientSessionEntity protostream encoding infinispan
#30520 Flow steps back when changing locale or refreshing page on "Try another way page" authentication
#30521 "Client Offline Session Max" no longer available admin/ui
#30541 Account UI resources try to load from admin path instead of frontend path account/ui
#30550 [UI] group selection does not update attribute tab admin/ui
#30552 After migrating from 24 to 25, the signature algorithms names do not display in drop down menu admin/ui
#30582 Localization prevents update of user-profile attributes admin/ui
#30591 Invalid character in spanish translation file for Identity Provider Link Template translations
#30599 client-jwt authentication fails on Token Introspection Endpoint oidc
#30604 Network response was not OK. saml
#30614 token exchange: exchange-sequence fails with Client session for client 'client-exchanger' not present in user session token-exchange
#30641 Flaky test: org.keycloak.testsuite.broker.KcSamlBrokerTest#testPostBrokerLoginFlowWithOTP_bruteForceEnabled ci
#30652 Default server port is used instead of the management interface port in the guide about running Keycloak in a container
#30662 User policy -> select user shows user id instead of user name. admin/ui
#30663 A theme called `custom` is displayed as `Custom Attribute...` in the admin console admin/ui
#30677 LDAP connection pool params(maxsize, initsize, prefsize) picked up from backend ComponentModel and are not visible in Keycloak admin console ldap
#30678 Require SSL mode "External requests" does not work with IPv6 local addresses dist/quarkus
#30683 Infinite loader on the admin console for non-admin users admin/ui
#30703 Recovery codes missing from account console docs
#30705 Full details of errors not shown in admin and account console account/ui
#30706 Internal error occurs for the removed flow which override by the client authentication
#30712 Remove of Multivalued Attribute due to - Adding translations when a new attribute is created admin/ui
#30717 Broken external links docs
#30730 Cannot explicitly disable KERBEROS feature core
#30758 Docs: server_admin/topics/login-settings/acr-to-loa-mapping.adoc docs
#30761 Protobuf deserialization has a default of an empty String core
#30765 fallback to the no override flow when the flow is missing in client override authentication
#30772 Rendering of granted client scopes in User Consents view broken in Admin UI admin/ui
#30794 Filtering by Client ID in the "User Client Role" mapper does not work anymore admin/ui
#30816 Docs: server_development/topics/themes.adoc docs
#30821 Testing connection to ldap on the settings page does not work in 25.0.1 ldap
#30837 Cannot find requested client with clientId ldap
#30840 Incorrect order when instantiate ClientRemovedEvent infinispan
#30857 Check for being Offline type in refresh token flow must be done based on refresh token request parameter oidc
#30866 admin-cli invalid credentials admin/cli
#30874 DPoP Keycloak JS Adapter docs
#30917 reCAPTCHA Enterprise v3 - Unrecognized field "accountDefenderAssessment" core
#30935 Incorrect version comparison in ModelVersion storage
#30941 Fix docs about User Storage SPI JPA quickstart docs
#30945 Keycloak operator adds proxy by default which is depreacted operator
#30947 Error when trying to edit authentication sub-flow name / description admin/ui
#30967 Keycloak is not working in IBM AIX OS. dist/quarkus
#30969 Brute force protection: Lockout permanently uses parameters configured under lockout temporarily core
#30992 Realm cannot be deleted if there are tons of consents storage
#31001 User Federation settings changing when saving admin/ui
#31014 "Verify Email" may cause other Required Actions to be ignored authentication
#31021 Styling of recovery codes seems wrong login/ui
#31023 Keycloak 25 - protocol_mapper_config stores client_uid in usermodel.clientRoleMapping.clientId instead of client_id admin/ui
#31038 Home URL for account-console / security-admin-console broken in admin-ui admin/ui
#31040 Cannot reorder custom auth flow executions in admin-ui admin/ui
#31045 Users cache clears after creating client scope. infinispan
#31050 Caching docs should name parameter runtime parameters, not build parameters docs
#31062 Updating dynamically registered client's metadata drops `preferred_username` from ID token core
#31070 Search doesn't work for nested groups admin/ui
#31083 Docs: server_admin/topics/admin-console-permissions/fine-grain.adoc authorization-services
#31085 MULTIVALUED_STRING_TYPE not displaying 1 value while more than 1 value is working fine admin/ui
#31107 Not able to remove otp credential of user account/api
#31111 inputOptionLabelsI18nPrefix is take into consideration only for login-ui account/ui
#31115 Review filtering of session returned from the sessions cache core
#31143 KC.ORG user attribute shown - even if the organizations feature for the realm is disabled admin/ui
#31144 "Can not update organization group" error when trying to create organisation from REST API organizations
#31153 Cannot set unmanagedAttributePolicy without profile attributes admin/api
#31161 Keycloak 25: Only first required action is executed core
#31165 Re-enabling a temporarily locked user (brute-force) deletes all user properties and attributes admin/ui
#31166 A lot (really!) dropdown/select fields in admin-ui remain open after selecting an action/entry. admin/ui
#31167 After creating a new authentication flow and returning to the list, the "Used by" column displays "flow.undefined" admin/ui
#31169 Wrong Sync Mode of newly created external IdentityProvider admin/api
#31171 Single use tokens, like action tokens, has a claim `expiration` core
#31182 Realm export - duplicated elements in browser flow. Organization user must click login button multiple times. import-export
#31187 Recaptcha links changed in the Google Docs docs
#31196 The check for userdn in test ldap should consider that AD proxy user can be in non DN format ldap
#31204 Bruteforce protector does not work when using organizations organizations
#31216 #kc-form-options div not wrapping its content correctly in login-password.ftl login/ui
#31218 Clarify if JGroups thread metrics can be shown with embedded Infinispan
#31219 [Docs] Broken link in Server Admin guide for JWT_Auth wiki docs
#31224 Offline tokens created in Keycloak 9 will not work on Keycloak 25 oidc
#31228 Userprofile/Translation: user attribute cannot be saved because no translation was (even though it is present) admin/ui
#31240 Can't update the user where userName contains uppercase letters core
#31244 IdP redirect URL shows hostname_admin admin/ui
#31246 All pubic brokers are shown during authentication rather than only those associated with the current organization organizations
#31260 Download of Recovery Codes broken. File contains no Recovery Codes. login/ui
#31267 multiple ldap url's not working on one realm ldap
#31276 Account console won't load when using URL having a path as hostname config account/ui
#31291 Incosistent casing of built-in flow descriptions core
#31296 Revoke access tokens for persistent user sessions storage
#31304 Hide save / update buttons in account console for READ_ONLY federated accounts account/ui
#31319 keycloak.v2 broken in main login/ui
#31341 Keycloak URL for Brokerage in Admin UI still suggests "/realms" in the path admin/ui
#31368 logging-pattern failure in token-exchange token-exchange
#31386 Joining group for user doesn't list correct number of groups admin/ui
#31410 call to group-by-path does not return subGroupCount admin/api
#31413 Wrong command in exposing metrics from caches section docs
#31420 Seeing `Client cannot marshall the server's key media type` with external Infinispan after 25 upgrade infinispan
#31444 keycloak Public Client secret are updated frequently admin/api
#31466 Duplicate Key "validatingX509CertsHelp" in admin-ui messages admin/ui
#31480 dynamic MultiValuedListComponent default value not stringified admin/ui
#31515 Export users throws Disabled option: '--users' in v25 import-export
#31519 Admin API extremely slow with service account and fine-grained authorization `view-users` admin/fine-grained-permissions
#31537 Creating client roles with fine grained permissions is not possible admin/fine-grained-permissions
#31545 Event tables have broken aria-labels admin/ui
#31558 MSSQL test container can't start ci
#31563 Link existing account to SSO by email not linking since v23 login/ui
#31575 AdvancedClaimToGroupMapper throws Exception if no claims are configured identity-brokering
#31585 Credential offer endpoint fails with 500 when bearer token has expired oid4vc
#31592 Description field for roles creation could be better instead of ${} values admin/ui
#31595 Misconfiguration of login settings causes login to not be possible admin/api
#31598 CURL commands in build don't check the response code ci
#31603 Can't delete kerberos user storage
#31612 Store Model Tests (jpa+cross-dc-infinispan+persistentsessions) - org.keycloak.testsuite.model.session.SessionTimeoutsTest infinispan
#31614 Endpoint /admin/users Degradation Based on Role admin/fine-grained-permissions
#31633 localization not work with user attribute display name in users add admin/ui
#31640 Admin Console Spins with hostname:v2 using security-admin-console Redirect URIs docs
#31687 "Use metadata descriptor URL" switch is always set to "On" admin/ui
#31704 ID is used as tab name instead of localized string admin/ui
#31712 The OID4VCI cross-device flow should not require the device to have an access token oid4vc
#31718 Documentation for `Delete Credential` action and related changes authentication
#31760 Persist revoke tokens with remote cache feature storage
#31780 SAML IdP configure does not parse IdP metadata.xml correctly saml
#31781 Keycloak 25 SAML IdP has made Single Logout URL mandatory. saml
#31818 Management Interface is turned on even though nothing is exposed on it dist/quarkus
#31823 Ignoring JWK key Missing required field 'use' still happens in keycloak version 25.02 identity-brokering
#31828 EmbeddedInfinispanSplitBrainTest fails with "IllegalState Session not bound to a realm" core
#31829 Deleted authentication sessions should not be re-surrected with an update core
#31858 Custom component persist only some config keys admin/api
#31864 Certificate-Generation with EC signing RSA and vice versa does not work oidc
#31881 Flaky test: org.keycloak.testsuite.forms.BruteForceTest#testRaceAttackPermanentLockout ci
#31882 Realm roles that do not exist are displayed in "Default roles" when "Hide inherited roles" is not checked admin/ui
#31892 Client secret is visable in Admin event representation when Credentials Reset action performed for the Client. admin/api
#31893 In realm role ellipsis value is null admin/ui
#31918 Network error attempting to view events without permissions admin/ui
#31929 Network error attempting to view user registeration without permissions admin/ui
#31931 Failure to generate Ed448 token authentication
#31941 Cache guide does not properly print `cache-stack` values docs
#31944 Filter organization brokers in the account console organizations
#31947 Fix server guide cross-references for downstream docs docs
#31956 Admin console not usable when instance has a 1000 realms admin/ui
#31972 Unstable test ExternalInfinispanTest testsuite
#32016 `My password` string in `Signing in` page not getting translated in `keycloak.v3 account` theme account/ui
#32025 Not possible to import realm with newest Java admin-client against Keycloak 24 admin/client-java
#32059 Look around window cannot be set to 0 admin/ui
#32084 SAML adapter IdMapperUpdaterSessionListener not executed when session ID changes adapter/saml
#32100 Remember Me with External Infinispan is not works properly infinispan
#32108 [Scalability of IDPs] Follow up: ensure organization aware IdentityProviderModel is used in the infinispan IDPProvider
#32117 Impossible to import RolePolicy with newest admin-client against Keycloak 24 admin/client-java
#32127 Offline session bug on 25.0.2 core
#32136 Missing TypeScript `populateHierarchy` param for keycloak admin client admin/client-js
#32150 Session list doesn't handle non-existing client gracefully core
#32153 Remote Infinispan code must not call JPA code in non-blocking thread core
#32156 SingleSelect-kind readonly attribute is not disabled in account console account/ui
#32176 Bootstrap options missing from help dist/quarkus
#32178 Table names for persistent sessions upgrading guide is wrong docs
#32180 Session list not appearing: SQL Error "The incoming request has too many parameters"
#32182 `show-config` command outputs duplicate options dist/quarkus
#32194 UserRemovedEvent does not contain all user attributes infinispan
#32195 Migration to persistent sessions fails from Keycloak version <22 storage
#32197 Keycloak reuses AUTH_SESSION_ID of logged out sessions login/ui
#32205 Endpoint configurations shows hostname_admin admin/ui
#32238 Brokers associated with organization not filtered when linking brokers with an organization organizations
#32256 Flaky test: org.keycloak.testsuite.forms.BruteForceTest#testRaceAttackPermanentLockout ci
#32259 [Keycloak CI] - AuroraDB IT fails to start on EC2 due to lack of entropy regression storage
#32305 Temporary admin account notice logged to org.keycloak.events dist/quarkus
#32333 Legacy `KEYCLOAK_ADMIN` environment variable is not working dist/quarkus
#32368 KeycloakRealmImport not working with Istio service mesh operator
#32392 Validate organization alias for forbidden chars organizations
#32402 Additional datasources do not work dist/quarkus
#32415 Missing translations for required action webauthn-register login/ui
#32419 Joining group with text filter does not show all results even if backend returned them admin/ui
#32425 Duplicate message keys in admin messages_en.properties admin/ui
#32435 Multiple Logout Confirmation Actions Trigger NullPointerExceptions core
#32451 Wildcard search not working for custom user attributes admin/api
#32460 When Organization feature is enabled UserAdapter.getGroupsCount() returns wrong result organizations
#32465 SocialLoginTest failing after switching to the new IDP Provider
#32468 Warning Banner for Temporary Admin User shouldn't be placed under breadcrumbs admin/ui
#32473 Flaky test: org.keycloak.testsuite.webauthn.WebAuthnIdlessTest#testWebAuthnIDLessAndWebAuthnAndWebAuthnPasswordlessLogin ci
#32477 Flaky test: org.keycloak.testsuite.forms.ResetPasswordTest#resetPasswordWrongSmtp ci
#32478 Flaky test: org.keycloak.testsuite.forms.ResetPasswordTest#resetPasswordWithPasswordHistoryPolicy ci
#32481 Drag & drop issue with the step order in the Authentication settings of the Admin Console admin/ui
#32486 Identity Provider secret visible in Organization tab (API request) organizations
#32492 Welcome screen logo is bigger then the one on login welcome/ui
#32498 Flaky test BruteForceTest.testPermanentLockout() core
#32503 Flaky test: org.keycloak.testsuite.webauthn.WebAuthnTransportsTest#internalTransport ci
#32510 Login v2 username form login/ui
#32512 [Keycloak CI] - BruteForceTest.testPermanentLockout failures login/ui
#32513 [Keycloak CI] - OrganizationBruteForceTest.testPermanentLockout failures login/ui
#32514 [Keycloak CI] - ResetPasswordTest.resetPasswordExpiredCode failures login/ui
#32515 Invalid client data in /login-actions/authenticate causes an uncaught server error and a HTTP 500 response code authentication
#32531 Cannot invoke "org.keycloak.authentication.RequiredActionFactory.isConfigurable()" because "factory" is null account/ui
#32533 Admin UI messages sometimes miss details, and sometimes refer to details in the logs which are missing admin/ui
#32541 Flaky test: org.keycloak.testsuite.forms.ResetPasswordTest#resetPasswordLinkNewTabAndProperRedirectClient ci
#32542 Flaky test: org.keycloak.testsuite.forms.ResetPasswordTest#resetPasswordLinkNewBrowserSessionPreserveClient ci
#32544 Multiple bugs in the experimental UiTabProvider / UiTabProviderFactory admin/ui
#32546 "Include Client Audience" field is not mandatory admin/ui
#32547 The set value ‘Default Admin-Initiated Action Lifespan’ has no effect on the ‘Credential Reset’ form admin/ui
#32548 Flaky test: org.keycloak.testsuite.webauthn.registration.UserVerificationRegisterTest#required ci
#32554 CRDs for the Operator are generated multiple times during the build operator
#32605 Flaky test: org.keycloak.testsuite.webauthn.WebAuthnTransportsTest#nfcTransport ci
#32606 Flaky test: org.keycloak.testsuite.webauthn.WebAuthnTransportsTest#bluetoothTransport ci
#32609 Continuous loading screen instead of access denied on account info page account/ui
#32615 Forms IT (chrome) ResetOtpTest fail testsuite
#32622 InvalidDestination Error for IDP-initiated SSO with Keycloak behind a Reverse Proxy saml
#32623 OAuth login error with custom scheme oidc
#32624 "Authentication" Link in Admin Portal Fails with 400 Bad Request After Migrating to Version 25 admin/ui
#32641 Help text under text field admin/ui
#32643 Dots are not allowed in the path in Hostname v2 dist/quarkus
#32678 Flaky test: org.keycloak.testsuite.forms.ResetPasswordTest#resetPasswordBeforeUserIsDisabled ci
#32689 Unable to import master realm with --import-realm dist/quarkus
#32698 On backchannel logout, a user ID with a dot on the broker side breaks the logout by user core
#32731 KeyCloak Admin Client uses non-standard `@NoCache` annotation which is an issue for Quarkus admin/client-java
#32736 In the account console when I update the password the referrer dissapears account/ui
#32755 Leftover code in login-passkeys-conditional-authenticate.ftl login/ui
#32758 Keycloak admin console interface is out of screen admin/ui
#32761 The endpoint /admin/realms/{{realm}}/groups/{{group-id}}/members potentially fetch all user in database admin/api
#32764 When forcing re-authentication by passing maxAge value as 0 does not work adapter/javascript
#32770 Adapters backward compatibility tests are failing ci
#32782 `@noble/hashes/sha256` is bundled into Keycloak JS adapter/javascript
#32784 Flaky test: org.keycloak.testsuite.url.HostnameV2Test ci
#32789 CVE-2024-7318 - Use of a Key Past its Expiration Date in org.keycloak:keycloak-core
#32798 Custom theme and not existing image: error 500 (No enum constant org.keycloak.theme.Theme.Type.IMG) login/ui
#32799 Realm import fails when client configures default_acr values import-export
#32802 Lightweight access token is not working for bootstrap admin client oidc
#32817 Error when deploying SAML application with the keys in PEM format inside keycloak-saml.xml adapter/saml
#32829 Login V2 theme: Pages specify fewer tabindex entries login/ui
#32830 Login v2 theme: Auto-focus on input fields no longer working and autocomplete changed login/ui
#32833 TOTP QR codes broken when realm display name contains colon character core
#32834 Admin UI does not display admin events expiration admin/ui
#32860 Database index creation isn’t skipped on large data sets in Keycloak 24 storage
#32870 Increased DB activity due to changes in LDAPStorageManager.searchForUserByUserAttributeStream ldap
#32880 Flaky test: org.keycloak.testsuite.forms.RegisterTest#registerExistingEmailAllowed ci
#32881 Flaky test: org.keycloak.testsuite.forms.RegisterTest#registerUserNotContainsUsernamePasswordPolicy ci
#32891 Exceptions on X509 authentication are logged without a stack trace core
#32892 [Store Model Test] Failed test org.keycloak.testsuite.model.session.UserSessionPersisterProviderTest#testOnRealmRemoved ci
#32896 Inconsistency of the access token iat after setting the time offset in the test suite authentication
#32915 Administrator username changed in master realm after configuring email address for SMTP connection test for another realm with "Email as username" enabled admin/ui
#32916 Device activity client name translations account/ui
#32923 Flaky test: org.keycloak.testsuite.webauthn.WebAuthnTransportsTest#usbTransport ci
#32930 Flaky test: org.keycloak.testsuite.forms.RegisterWithUserProfileTest#testAttributeInputTypes ci
#32939 Flaky test: org.keycloak.testsuite.webauthn.WebAuthnIdlessTest#testWebAuthnIDLessWithNonResidentCredentialLogin ci
#32942 Flaky test: org.keycloak.testsuite.broker.KcOidcBrokerTest#testPostBrokerLoginFlowWithOTP_bruteForceEnabled ci
#32984 Application names are not taking realm overrides into account account/ui
#33011 Admin bootstrap client should not have standard flow enabled dist/quarkus
#33023 Documentation CI is failing on broken links docs
#33037 Flaky test: org.keycloak.testsuite.webauthn.registration.UserVerificationRegisterTest#discouraged ci
#33044 Next page not working for "Localization --> Realm overrides" admin/ui
#33054 Identity-first login screen has broken IDP icons admin/ui
#33058 Clusterless feature is not tested in Model tests testsuite
#33060 Tests are showing exception while trying to import admin user after organizations were enabled by default testsuite
#33064 Action expired error occurs when accessing regular registration page with Organizations enabled organizations
#33095 The "Valid redirect URIs" field is not displayed when the "Standard flow" is unchecked admin/ui
#33109 Infinite loop when accessing account management console account/ui
#33115 CVE-2024-8883 Vulnerable Redirect URI Validation Results in Open Redirect
#33116 CVE-2024-8698 Improper Verification of SAML Responses Leading to Privilege Escalation in Keycloak
#33156 CVE-2024-7254 - Stack-based Buffer Overflow in com.google.protobuf:protobuf-java dist/quarkus
#33172 Deprecation of https-trust-store-* weakens X509 browser authentication authentication
#33207 [Organizations] Preserve org id in exported realms core
#33224 [Keycloak CI] - Quarkus IT - StartCommandDistTest.testStartUsingAutoBuild ci
#33231 [Keycloak CI] - User Federation Tests - LDAPSamlIdPInitiatedVaryingLetterCaseTest ci
#33246 Unable to start Keycloak when metrics are enabled dist/quarkus
#33296 Migrating to a FIPS environment disallows all users from logging in authentication
#33300 Organization UI is overriding the alias with the org name when user navigates to another tab admin/ui
#33307 XA Transaction recovery support is enabled even thoug transaction-xa-enabled is false dist/quarkus
#33330 "somethingWentWrong" when opening Keycloak URL in unsecure context login/ui
#33331 Performance drop in cpuUsageForLoginsTest since 19.09.2024
#33336 Changing locale on passwordless or custom login flow does not work login/ui
#33342 Duplicate entry "duplicate" in Admin UI message properties admin/ui
#33347 Hostname v2 should enforce hostname is a full url if hostname-admin is used dist/quarkus
#33351 Wrong release notes for Login v1 theme deprecation login/ui
#33353 Performance regression when Organisations feature is enabled
#33355 ID token from refresh_token flow does not contain nonce even when using Nonce backwards compatible mapper oidc
#33362 Flaky test: org.keycloak.testsuite.webauthn.registration.UserVerificationRegisterTest#preferredVerificationWrong ci
#33389 Banner is not wrapping properly admin/ui
#33390 Creating clientAttributesCondition in some client policy breaks the login to the realm authentication
#33412 User specific organisation entries shouldn't be placed in the realm cache core
#33415 Organization brokers should be hidden on login pages by default organizations
#33424 Organization data is cached for each user even if realm never enabled organizations organizations
#33439 Avoid caching `RealmModel` in `CachedOrganization` organizations
#33440 Test group_test.spec.ts Duplicate group fails repeatedly testsuite
#33461 AWS Lambda description for HA setup doesn't reflect latest changes for failure policy core
#33467 The "Client Secret" field does not expand to display the entire secret value admin/ui
#33508 Can't load theme resources on Windows core
#33517 Issue when running tests from IDE on embedded undertow ( org.jboss.threads.EnhancedQueueExecutor$Builder.setKeepAliveTime(java.time.Duration) ) testsuite

Keycloak Client Libraries 26.0.0 released

Fri, 4 Oct 2024 00:00:00 GMT

Highlights

Dedicated release cycle for the client libraries

The client libraries are these artifacts:

Java admin client - Maven artifact org.keycloak:keycloak-admin-client
Java authorization client - Maven artifact org.keycloak:keycloak-authz-client
Java policy enforcer - Maven artifact org.keycloak:keycloak-policy-enforcer

It is possible that in the future, some more libraries will be included.

Compatibility of the client libraries with the server

Beginning with this release, we are testing and supporting client libraries with the same server version and a few previous major server versions.

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

Keycloak 25.0.6 released

Thu, 19 Sep 2024 00:00:00 GMT

To download the release go to Keycloak downloads.

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Bugs

#30604 Network response was not OK. saml
#31165 Re-enabling a temporarily locked user (brute-force) deletes all user properties and attributes admin/ui
#32100 Remember Me with External Infinispan is not works properly infinispan
#32578 WebAuthn Flows Broken in login.v2 login/ui
#32643 Dots are not allowed in the path in Hostname v2 dist/quarkus
#32731 KeyCloak Admin Client uses non-standard `@NoCache` annotation which is an issue for Quarkus admin/client-java
#32799 Realm import fails when client configures default_acr values import-export
#32870 Increased DB activity due to changes in LDAPStorageManager.searchForUserByUserAttributeStream ldap
#33115 CVE-2024-8883 Vulnerable Redirect URI Validation Results in Open Redirect
#33116 CVE-2024-8698 Improper Verification of SAML Responses Leading to Privilege Escalation in Keycloak

Keycloak Realm Configuration Management Tools Survey Results

Thomas Darimont — Wed, 11 Sep 2024 00:00:00 GMT

Three months ago, the Keycloak project conducted a survey to gather insights on realm configuration tooling within our community. The number of responses overwhelmed us! With a total of 433 (!) submissions, it highlighted the diverse range of options our community uses for configuring realms.

Thank You for your valuable feedback!

Popular Tools in Use

The survey revealed a variety of tools employed by the community for realm configuration, including:

Terraform Provider for Keycloak
Keycloak-Config-CLI
Self-developed Realm Configuration Management
Keycloak JSON Import/Export
Keycloak Admin CLI kcadm.sh
EPAM Keycloak Operator
Keycloak Ansible
Keycloak Pulumi
Custom Operator for Realm Import/Update and Client Provisioning
Keycloak Operator Realm Import via Custom Resources
Crossplane Provider for Keycloak
KeycloakMigration
keycloak-configurator
Keycloak Groovy Helpers

Tool Usage Distribution

From the submissions, we observed the following distribution of tool usage among respondents:

Terraform Keycloak Provider ~51% of the votes
Keycloak-Config-CLI ~16% of the votes
Self-developed Realm Configuration Management ~7% of the votes
Keycloak JSON Realm Import/Export ~6% of the votes
Keycloak Admin CLI ~4% of the votes

These top five tools accounted for 84% of all responses.

Areas for Improvement

While each tool has its strengths and weaknesses, the survey highlighted several common challenges:

Using the Admin API can be awkward and inconsistent, for example, with references using IDs versus aliases.
Recognizing changes in the configuration, such as when new roles are added to service accounts via the Admin UI, can be challenging or impossible.
Many tools depend heavily on the Keycloak version used and are often not compatible with new releases.
Managing components that are automatically created by Keycloak, like service accounts, is challenging with existing configuration tools.
Lack of support for configuration linting, validation and code completion

What’s Next?

Based on the feedback, here are some key lessons learned and the next steps:

Tool Compatibility: We aim at improving compatibility with newer Keycloak releases to ensure seamless integration.
Admin API Enhancements: We’ll address inconsistencies and usability issues in the Admin API to streamline configuration tasks.
Ease Change Management: Enhance tools and APIs to improve the recognition and change management of realm configurations.

We are committed to addressing these areas and working closely with the community to enhance the realm configuration experience in Keycloak. Your continued feedback and support are invaluable as we move forward. Stay tuned for updates and improvements!

If you have any further questions or suggestions about this blog post, please join the related discussion on GitHub.

Thank you very much for your support!

Keycloak 25.0.5 released

Tue, 10 Sep 2024 00:00:00 GMT

To download the release go to Keycloak downloads.

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Bugs

#32084 SAML adapter IdMapperUpdaterSessionListener not executed when session ID changes adapter/saml
#32754 CVE-2024-7341 Session fixation in the SAML adapters adapter/saml

Announcing New Keycloak UI Component Libraries!

Erik Jan de Wit — Wed, 4 Sep 2024 00:00:00 GMT

We’re excited to announce the release of two new npm packages designed to supercharge your Keycloak customization efforts. These React component libraries, built on top of PatternFly, provide the essential building blocks for crafting Keycloak account and admin consoles. The tool generates sample code for a custom console using our "Composable UI" technique. Essentially, this means that you can build your console out of exported Keycloak components that we intend to support in future releases.

The packages are:

@keycloak/keycloak-admin-ui: This package provides the building blocks for creating a Keycloak admin console.
@keycloak/keycloak-account-ui: This package provides the building blocks for creating a Keycloak account console.
@keycloak/ui-shared: This package provides shared components and utilities for building Keycloak UIs.

Accelerate Your Development with Our Quickstart Tool

Kickstart your project with our npm create keycloak-theme my-theme command. This streamlined tool generates a project structure, essential dependencies, and configuration, saving you precious time. At the moment, the tool is only available for account consoles, but we are working on adding support for admin consoles. This will be available in the next release (26.0.0).

Get Started:

Run npm create keycloak-theme@latest my-theme.
The keycloak server can be started with npm run start-keycloak
Start the development server with npm run dev
Customize your theme by editing files in the src directory.

The keycloak server will connect to the development server and all the changes will be reflected in the browser. Just open your browser and go to http://localhost:8080/realms/master/account/personalInfo and login with admin/admin. This will open the keycloak account console. You will see that the example code has an extra page and some extra content above each page.

Key Benefits:

Rapid development: Create stunning UIs in less time.
Consistency: Adhere to the PatternFly design system for a cohesive look and feel.
Flexibility: Customize components to match your brand and user preferences.
Upgradable: Having a npm package dependency will make updating your theme easier.

For more information, see the README.

Introducing the Keycloak SRE special interest group

Michal Hajas, Alexander Schwartz — Tue, 3 Sep 2024 00:00:00 GMT

After an initial installation of Keycloak, users today spend a significant amount of time optimizing their installations, keeping them up to date and secure. When doing this, they follow the principles of Site Reliability Engineers, among others automation, setting service level objectives, keeping things simple and monitoring. As of today, Keycloak doesn’t provide much documentation and best practices in that area. The Keycloak project is also looking for faster feedback on changes so that we do not break existing installations without providing migration instructions on upgrades.

To improve the lives of people running and operating Keycloak, we’re starting the Site Reliability Engineers Special Interest Group, or SRE SIG for short. The idea is to speed up the feedback loop for existing and new features and to improve the communication between people operating Keycloak in real deployments and people developing Keycloak.

Desired outputs would include:

Simplifying Keycloak’s configuration and upgrade process.
Collecting best practices and feedback from real-world Keycloak installations to identify and prioritize new features.
Educating users about what Keycloak can already do and what items are on the future roadmap.

Topics to tackle

At the initial meeting on August 19th 2024, we identified the following topics as initial discussion points to tackle by the group:

How to load test Keycloak?
(Introduction of keycloak-benchmark project, identifying possible enhancements and presenting custom community solutions)
What are the right metrics of Keycloak to watch and how to visualize them in a dashboard?
Can we simplify how Keycloak is configured and set up?

Call to action

We have yet to decide what our regular meetings and cadence will look like, and we will discuss all the details in the Slack channel mentioned above. So stay tuned, join the #keycloak-sre-sig Slack channel and share your story with the group to better understand your needs and expectations!

Communication channels

To receive the latest information about what is happening in the SIG join us in our CNCF #keycloak-sre-sig Slack channel. Use https://slack.cncf.io/ to join the CNCF Slack if you do not have an account yet.

For sharing documents and following the activities of SIG proceed to the keycloak/keycloak-sre-sig GitHub repository.

KeyConf24 program announced & livestream

Alexander Schwartz — Fri, 30 Aug 2024 00:00:00 GMT

KeyConf24, our 2024 Keycloak Identity Summit, will happen on September 19th, which is just around the corner! This year’s event promises to be even bigger and better, with a program packed full of relevant, cutting-edge topics.

This year due to high demand and limited space on-site, we’re offering for the first time a live stream, so the Keycloak community can join remotely.

What to Expect at KeyConf24

The talks have been selected, and the program is now online at https://keyconf.dev/.

Expect talks about:

European Digital Identity Wallet: Deep dives into the European Union’s ambitious initiative and its impact on identity management.
Verifiable Credentials: Explore the exciting potential of decentralized identity verification and the role of Keycloak.
Real-world Keycloak integrations: Technical sessions on Keycloak’s capabilities and how to leverage them in real world scenarios like the banking industry.
New and upcoming features in Keycloak: Hear about the new organisations and user profile features which are available in the latest releases of Keycloak, as well as the next upcoming features.

Save the Date and join us in the live stream!

You can register for the live stream at https://keyconf.dev/.

We’re excited and are looking forward to meeting you at our event. Let’s continue to shape the future of identity together!

Keycloak 25.0.4 released

Mon, 19 Aug 2024 00:00:00 GMT

To download the release go to Keycloak downloads.

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Enhancements

#31963 Upgrade to Infinispan 15.0.7.Final

Bugs

#31299 NPM library of account-ui is unusable (@keycloak/keycloak-account-ui version 25.0.1) account/ui
#31304 Hide save / update buttons in account console for READ_ONLY federated accounts account/ui
#31340 Hidden options shown in help all dist/quarkus
#31386 Joining group for user doesn't list correct number of groups admin/ui
#31466 Duplicate Key "validatingX509CertsHelp" in admin-ui messages admin/ui
#31519 Admin API extremely slow with service account and fine-grained authorization `view-users` admin/fine-grained-permissions
#31545 Event tables have broken aria-labels admin/ui
#31558 MSSQL test container can't start ci
#31598 CURL commands in build don't check the response code ci
#31633 localization not work with user attribute display name in users add admin/ui
#31687 "Use metadata descriptor URL" switch is always set to "On" admin/ui
#31718 Documentation for `Delete Credential` action and related changes authentication
#31781 Keycloak 25 SAML IdP has made Single Logout URL mandatory. saml
#31835 Windows builds fail too often due to problems with the download of Node ci
#31918 Network error attempting to view events without permissions admin/ui
#31929 Network error attempting to view user registeration without permissions admin/ui
#32059 Look around window cannot be set to 0 admin/ui
#32127 Offline session bug on 25.0.2 core
#32150 Session list doesn't handle non-existing client gracefully core
#32178 Table names for persistent sessions upgrading guide is wrong docs
#32180 Session list not appearing: SQL Error "The incoming request has too many parameters"
#32195 Migration to persistent sessions fails from Keycloak version <22 storage

Keycloak DevDay 2025 Announcement and Call-for-Papers

Niko Köbler — Sun, 18 Aug 2024 00:00:00 GMT

We (Sebastian and me (Niko)) are excited to announce the next edition of Keycloak DevDay!

Save the Date

DevDay is taking place in Darmstadt, Germany on March, 6th 2025. The location is about 30 minutes away from Frankfurt/Main Airport by public transport, see website for details.

It will be again a 1-day conference with talks, panels, discussions and an OpenSpace/Unconference format, with lots of opportunities for networking and exchange among like-minded people. Of course, there will also be plenty of drinks 🥤🍹 and food 🍔🌮🥗, as well as an exclusive surprise gift 🎁 for all participants.

Call for Papers

The call for papers 📝 is already open (approx. until mid of October). If you would like to submit a talk proposal, you should not wait too long, as we will regularly review and publish the submitted proposals. So submitting early gives you the best chance of being part of the next DevDay!

Tickets

Ticket sales 🎟️ will start in mid-September. This time, there will be more tickets available than at the first edition.

Find all further information at https://keycloak-day.dev

We are looking forward to welcoming as many of you as possible (again) at the upcoming event. If you have any further questions, get in touch via email: info@keycloak-day.dev

Keycloak 25.0.2 released

Thu, 18 Jul 2024 00:00:00 GMT

To download the release go to Keycloak downloads.

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Enhancements

#30094 Do not inherit 'https-client-auth' property for the management interface
#30537 Document how Admin REST API endpoints work with Hostname config docs
#30856 Remove inclusive language foreword docs

Bugs

#19070 authBaseUrl error on different hostname-admin-url, hostname-url admin/ui
#26042 Issue when start-dev in 23.0.1 dist/quarkus
#28489 Missing help text on tokens tab admin/ui
#29407 Need refresh attributes group translations on Users > Details tab admin/ui
#29566 User Profile attributes/groups in Admin UI are not translated using Localization for non-master realm when signed in the master realm account/ui
#29761 bug: disabling all default features no longer works core
#29784 Exception while trying to run a LDAP sync with a group importer and a batch size less then the actual number of groups ldap
#30329 Client secret rotation UI shows wrong rotated secret admin/ui
#30355 New operator failing on health checks operator
#30383 Account Console (v3) no longer highlights the current page in the nav bar account/ui
#30436 Client Roles are not shown when clientId property is set admin/ui
#30440 UI theme bug in KC 25.0.0 admin/ui
#30444 Failed to evaluate permissions when fetchRoles is enabled on role policies authorization-services
#30449 Migration stuck if versions incompatible operator
#30521 "Client Offline Session Max" no longer available admin/ui
#30541 Account UI resources try to load from admin path instead of frontend path account/ui
#30552 After migrating from 24 to 25, the signature algorithms names do not display in drop down menu admin/ui
#30591 Invalid character in spanish translation file for Identity Provider Link Template translations
#30652 Default server port is used instead of the management interface port in the guide about running Keycloak in a container
#30662 User policy -> select user shows user id instead of user name. admin/ui
#30712 Remove of Multivalued Attribute due to - Adding translations when a new attribute is created admin/ui
#30717 Broken external links docs
#30821 Testing connection to ldap on the settings page does not work in 25.0.1 ldap
#30837 Cannot find requested client with clientId ldap
#30866 admin-cli invalid credentials admin/cli
#30917 reCAPTCHA Enterprise v3 - Unrecognized field "accountDefenderAssessment" core
#30947 Error when trying to edit authentication sub-flow name / description admin/ui
#30992 Realm cannot be deleted if there are tons of consents storage
#31014 "Verify Email" may cause other Required Actions to be ignored authentication
#31050 Caching docs should name parameter runtime parameters, not build parameters docs
#31146 IDP SAML Certificate should be text-area not text admin/ui
#31167 After creating a new authentication flow and returning to the list, the "Used by" column displays "flow.undefined" admin/ui
#31171 Single use tokens, like action tokens, has a claim `expiration` core
#31187 Recaptcha links changed in the Google Docs docs
#31196 The check for userdn in test ldap should consider that AD proxy user can be in non DN format ldap
#31218 Clarify if JGroups thread metrics can be shown with embedded Infinispan
#31219 [Docs] Broken link in Server Admin guide for JWT_Auth wiki docs
#31224 Offline tokens created in Keycloak 9 will not work on Keycloak 25 oidc
#31244 IdP redirect URL shows hostname_admin admin/ui
#31267 multiple ldap url's not working on one realm ldap

Survey on Keycloak Realm Configuration Management Tools

Thomas Darimont — Tue, 25 Jun 2024 00:00:00 GMT

Numerous options exist for managing Keycloak Realm configurations within the Keycloak ecosystem. We know that configuration as code is an essential topic for DevOps and that the Keycloak ecosystem needs an excellent solution to make this possible.

As the Keycloak team, we want to understand better what works best for the community and how we can improve the support for Realm configuration Management tools.

So that we in the Keycloak community have a representative picture of the configuration options used, we would also like you to participate in the following brief, anonymous survey.

The options that exist on our radar are as follows:

Keycloak Admin CLI kcadm.sh
Keycloak-Config-CLI
Terraform Provider for Keycloak
Keycloak Ansible
Pulumi Keycloak Provider
Crossplane Keycloak Provider
Keycloak JSON Import / Export
Keycloak Operator Realm Import via Custom Resources
Hand-made Realm Configuration Management

Join the related discussion on GitHub to discuss this in more details with the Keycloak community. And don’t forget to fill out the survey!

Thank you very much for your support!

Support for Customer Identity and Access Management (CIAM) and Multi-tenancy

Pedro Igor — Thu, 20 Jun 2024 00:00:00 GMT

Dear Keycloak community,

Thanks to the collaborative work with a lot of folks from the community and Red Hat’s IT, we are delivering in Keycloak 25 the Keycloak Organizations feature.

We are pleased to announce the beginning of a long journey to support Customer Identity and Access Management (CIAM) and, to some degree, also support for multi-tenancy when a realm needs to integrate with third parties such as customers and business partners.

Keycloak Organizations is a feature that leverages the existing Identity and Access Management (IAM) capabilities of Keycloak to address CIAM uses cases like Business-to-Business (B2B) and Business-to-Business-to-Customer (B2B2C) integrations. By leveraging the existing capabilities available from a realm, the first release of this feature provides the very core capabilities to allow a realm to integrate with business partners and customers:

Manage Organizations
Manage Organization Members
Onboard members using different strategies such as invitation links and brokering
Decorate tokens with additional metadata about the organization that the subject belongs to

The feature is being delivered initially as a technology preview feature with the ultimate goal to make it supported in Keycloak 26. There are many more capabilities in the roadmap for this feature, and we consider this initial set of capabilities the very core of the feature that will allow us to build more capabilities on top. For this reason, your feedback is very important to make sure we are on the right path for solving real use cases around CIAM.

Please, consider checking our nightly builds as well to check for the latest updates and what is coming in the next major release.

For more details about the feature, consider reading the documentation available at the official documentation.

Getting started

The Keycloak Organizations feature introduces changes on how users authenticate to a realm to identify whether a user is authenticating in the scope of an organization or the realm.

One of the key changes introduced by the feature in terms of authentication is the introduction of an identity-fist login flow whenever you are authenticating to a realm that has the Organizations setting enabled.

Start Keycloak

The Keycloak Organization feature is a technology preview feature that needs to be enabled when starting (or building an optimized image of) the server:

docker run --name kc-orgs -d -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin -p 8080:8080 quay.io/keycloak/keycloak start-dev --features organization

Once you run the command above, make sure you can access the server at http://localhost:8080/ and log in into the administration console using the following credentials:

Username: admin
Password: admin

Create a realm

Let us start by creating a new realm called orgdemo. The orgdemo realm is a first-party company that wants to integrate with third-parties, the organizations, so that their users can have access to protected resources served by client applications available at the orgdemo realm.

For that, create a new realm using orgdemo as the name via the administration console.

Create users in the `orgdemo` realm

You also need some users in the orgdemo realm to authenticate and follow the next steps.

The mjane user is a realm user that has an email account that does not match any organization in the realm. We will use this user to represent an existing realm user in the orgdemo realm that is not associated with any organization. For that, create a user as the following:

Username: mjane
Email: mjane@orgdemo.com
First Name: Mary
Last Name: Jane

Make sure to set a password for this user so that you can authenticate to the realm.

Now, create the alice@orga.com user. This user will act as an existing realm user that has an email that matches one of the domains set to an organization but is not yet a member of the organization. This user could have been created through self-registration, or by integrating with a custom identity store, or even federated from an identity provider available from the realm:

Username: alice
Email: alice@orga.com
First Name: Alice
Last Name: Chains

Make sure to set a password for this user so that you can authenticate to the realm.

Understanding the changes to authentication flows when the feature is enabled

When a realm is created, the authentication flows are automatically updated to enable specific steps to authenticate and onboard organization members. The authentication flows updated are:

browser
first broker login

The main change to the browser flow is that it defaults to an identity-first login so that users are identified before prompting for their credentials. In regard to the first broker login flow, the main change there is to automatically add the user as an organization member once they authenticate through the identity provider associated with an organization and successfuly complete flow.

The decision to whether an identity-first login should happen is based on the availability of any organization in a realm. If no organizations exist yet, the user will follow the usual steps to authenticate using both username and password, or any other step configured to the browser flow.

Try reaching http://localhost:8080/realms/orgdemo/account and you’ll see the usual login page. From this page, you can authenticate as usual to the realm using the following credentials:

Username: mjane
Password: <password>

Once you submit the login form, you are authenticated to the realm and automatically redirected to the client application acting on behalf of the user. In this case, the account console.

Authenticating to a realm when there are organizations

Now, let us create an organization in the orgademo realm. For that, we need to enable organizations to the realm by navigating to the Realm Settings page and enabling the Organizations setting.

Once you enable organizations, you can click on the Organizations section in the menu. Click the Create organization button to create a new organization as follows:

Name: OrgA Inc
Domains: orga.com

Once the orga organization is created, sign out from the client application and try to log in again. At this time, you should be present with the identity-first login page.

Differently than the previous attempt, the orgdemo realm has an organization and the authentication flow changed to first identify the user before prompting for any credentials.

At the identity-first login page you can still authenticate as the mjane user. However, the user will now authenticate in two steps. The first step will ask for the username or email only, and then provide the password in a second step.

Trying to authenticate as a user that does not exist using an email domain that matches an organization

Try to log in again to http://localhost:8080/realms/orgdemo/account/ and type bob@orga.com. There is no account associated with that email in the orgdemo realm.

If a user that does not exist tries to authenticate using an email domain that matches an organization domain, the identity-first login page will be shown again and indicate that the username provided is not valid. At this point, there is no reason to ask the user for credentials in a second step.

There are several ways to register the user so that he can authenticate to the orgdemo realm and eventually join the orga organization.

If the realm has the self-registration setting enabled, the user can click on the Register link at the identity-first login page and create an account at the orgdemo realm. After that, the administrator can send an invitation link to the user or manually add him as a member of the orga organization.

If the organization has an identity provider without a domain set, and they are marked as public, they can also click on the identity provider link at the identity-first login page to automatically create an account and join the orga organization once they authenticate through the identity provider.

Similar to the above, if the organization has an identity provider set with one of the organization domains, the user will be automatically redirected to the identity provider to authenticate and automatically create an account and join the orga organization once the flow is completed.

Look at the official documentation for more details.

Authenticating as an existing user using an email domain that matches an organization

Try to log in again to http://localhost:8080/realms/orgdemo/account/ and type alice@orga.com.

Differently than before, the user is now presented with the second step to provide the credentials. Given that the user exists in the orgdemo realm, it should be possible to authenticate even though the user is not yet a member of the organization.

As an administrator, you can later choose to invite the user to join an organization or manually add it to an organization.

Authenticating as an existing user using an email domain that matches the domain set to an identity provider associated with an organization

The feature allows you to set a domain to an identity provider associated with an organization. This is useful when you want to make sure that users using a specific email domain always authenticate through the identity provider.

Let us create a orga realm to federate users from it using an identity provider at the orgdemo realm, where the identity provider will be associated to the orga organization.

Once you create the orga realm, create a OpenID Connect client at this realm as follows:

Client type: OpenID Connect
Client ID: orgdemo-broker
Client authentication: ON
Valid redirect URIs: * (using * for the sake of simplicity, don’t use in production)

Create a user now so that we can federate this user later using an identity provider from the orgdemo realm:

Username: jdoe
Email: jdoe@orga.com
First Name: John
Last Name: Doe

Make sure to set a password for this user so that you can authenticate to the realm.

Let us now create an OpenID Connect Identity Provider at the orgdemo realm as follows:

Alias: orga-broker
Display name: OrgA Inc.
Discovery endpoint: http://localhost:8080/realms/orga/.well-known/openid-configuration
Client ID: orgdemo-broker
Client Secret: <credentials generated when you created the orgdemo-broker client in orga realm>

For last, let us associate the identity provider we just created in orgdemo realm and link it with the orga organization. For that, click on the Organizations section in the menu and select the OrgA Inc organization. Navigate to the Identity Providers tab and click the Link identity provider button and provide the following settings:

Identity provider: orga-broker
Domain: orga.com
Redirect when email domain matches: ON

Try to log in again to http://localhost:8080/realms/orgdemo/account/ and type jdoe@orga.com. The user is now automatically redirected to the orga realm to authenticate.

When a user that does not exist yet in the realm tries to authenticate using an email domain that matches an organization domain, and that domain is also set to the identity provider associated with the organization, the user is automatically redirected to the identity provider.

By doing this, you can now authenticate at the orga realm using the following credentials:

Username: jdoe@orga.com
Password: <password>

Once the user completes the authentication, it will be automatically redirected back to the orgdemo realm to create an account and automatically join the orga organization.

The same is true if you re-authenticate as the jdoe@orga.com user. However, this time the user is already linked with the identity provider and will always authenticate through the identity provider.

Using organization metadata in bearer tokens to access protected resources from the clients in a realm

So far, we have been using the account console client at the orgdemo realm to authenticate the user. As an OpenID Connect client, an access token is issued as a result of a successful authentication.

When authenticating in the context of an organization, the access token is automatically updated with specific claims about the organization the user is a member.

To map organization-specific claims into tokens, a client needs to request the organization scope when sending authorization requests to the server.

As a result, the token will contain a claim as follows:

"organization": {
    "orga": {}
}

The organization claim can be used by clients (e.g.: from ID Tokens) and resource servers (e.g.: from access tokens) to authorize access to protected resources based on the organization that a user belongs to.

The organization scope is a built-in optional client scope at the realm. As such, it is added to any client created in the realm, by default.

Keycloak 25.0.1 released

Thu, 20 Jun 2024 00:00:00 GMT

To download the release go to Keycloak downloads.

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Enhancements

#19750 Use a proper FreeMarker template for the new consoles account/ui
#30346 Enhance masking around config-keystore dist/quarkus

Bugs

#25234 front channel logout to clients are not called at Identity Proxy when using front channel logout to Identity Provider( oidc
#28643 Encountering `NullPointerException` - `KeycloakIdentity.getUserFromToken()` when running `admin-ui` locally admin/ui
#30115 Admin v2 theme - theme.properties Custom theme scripts not loading admin/ui
#30201 Keycloak CI - failure in Store IT (aurora-postgres) ci
#30240 Custom attributes are removed during UPDATE PROFILE event core
#30300 Upgrade to Keycloak 25 - Table 'USER_CONSENT' is specified twice on MySQL/MariaDB database core
#30302 Methods of SimpleHttp are after change now too much protected core
#30306 Upgrade to Keycloak 25 - Events bug in UI admin/ui
#30332 Operator fails to patch ingress after update to 25.0.0 operator
#30334 RESTART_AUTHENTICATION_ERROR when login in in private browser window after 25.0.0 update core
#30351 Migration of sessions in KC25 should run only on migration, not on imports
#30368 Documentation : label error for persistent-user-sessions feature flag docs
#30417 Keycloak 25 db guide shows unevaluated "ifeval docs
#30432 keycloak hostname:v2 /admin used on "hostname" instead of "hostname-admin" admin/ui
#30434 Improvements for ldap test authentication ldap
#30492 partial_import_test fails randomly admin/ui

Keycloak DevDay 2024 Videos published

Niko Köbler — Fri, 14 Jun 2024 00:00:00 GMT

Back in February this year, we (Sebastian and me (Niko)) hosted the very first edition of Keycloak DevDay - a one-day, community-driven conference - in Frankfurt/Main, Germany. The event was a blast and completely sold-out, plus many additional participants online in the two parallel live streams. We were able to welcome attendees from all over Europe. Thank you all for being part of this incredible event! 🙏

For all of you who couldn’t attend, we have published all the recorded and live streamed sessions online on my YouTube channel:

The complete playlist can be found here.

We are currently preparing the next edition “Keycloak DeveloperDay 2025”. If you want to contribute, please get in touch with us (Sebastian & Niko)! Expect more information in the next weeks and months. Looking forward to have you and your colleagues & team members as attendees!

Keeping users logged in with Keycloak 25

Alexander Schwartz — Wed, 12 Jun 2024 00:00:00 GMT

Previous versions of Keycloak would store regular user sessions (also called online user sessions) only in memory. Due to that, all users would be logged out when you shut down or restart the Keycloak cluster.

With Keycloak 25, there is a preview feature “persistent user sessions”, which stores the user sessions in its database. If a session is not found in memory, it is loaded from the database, and the user can continue to use their session without the need to re-authenticate.

The preview feature is disabled by default, and you need to enable it with the persistent-user-sessions feature flag to try it out.

You can help to make this feature fully supported by providing feedback in this GitHub discussion thread. For June 24th, we are planning an ask-me-anything session for persistent sessions.

Changed runtime behavior of Keycloak and the Database

With this feature enabled, Keycloak’s memory usage might be reduced and the database usage may increase.

Keycloak will default to a maximum of 10'000 entries for each of the caches sessions, clientSessions, offlineSessions, and offlineClientSessions if no other maximum size is configured in Keycloak’s cache configuration XML file. If you want to keep more sessions in memory, see Configuring distributed caches on how to configure a different size.
The options spi-user-sessions-infinispan-offline-session-cache-entry-lifespan-override and spi-user-sessions-infinispan-offline-client-session-cache-entry-lifespan-override are ignored, as instead the maximum entry size is used.
External Infinispan instances are supported for multi-site setups of Keycloak. If you use such a setup and have enabled persistent user sessions, you can (and should) set a maximum number of sessions to be kept in the external Infinispan to limit the memory consumption of the external Infinispan. See Infinispan’s docs on how to configure eviction in the Infinispan caches.
If the number of concurrent user sessions exceeds the maximum cache size in Keycloak, you’ll see an increased database activity to load sessions from the database when tokens are for example refreshed or the user info endpoint is called. Those requests will also incur an increased latency depending on the response time of your database for those read statements. Monitor the cache hit rate to see if your setup needs optimizations.
For each login, token refresh, and logout, the session tables in the database are updated, and will show as an increased database activity. Keycloak attempts to bundle concurrent session updates into a single transaction, still the utilization of both CPU and IOPS of your database will increase significantly. Those requests will also incur an increased latency depending on the response time of your database for those write statements.

The impact on your environment will depend on your infrastructure and usage patterns. As an indicator, we’ve run a test with the following setup:

150 logins and 150 logouts per second
Aurora PostgreSQL regional database 15.5
Type db.t4g.large server (2 ARM vCPU cores, 8 GB RAM)

We’ve seen the following change in the runtime metrics:

On the database:
- 300 additional commits per second
- CPU usage increased by 1 to 1.5 CPU cores depending on the number of concurrent sessions
- approximately 2500 additional WriteIOPS
On Keycloak:
- CPU usage on Keycloak remained constant
- Memory usage constant after 10'000 sessions had been created
- 50th percentile response times for login and logout increased by 20 and 10 ms respectively for a single-AZ database, and 30 and 20 ms respectively for a two-AZ database.

We recommend you to run benchmarks for your environment. Use the tools we provide in the Keycloak Benchmark Project as a tool box.

See Enabling Keycloak Metrics on how to enable metrics for Keycloak to monitor information about your caches and HTTP response times.

Migrating from previous community solutions

The community has been evaluating different configurations in the past, with some of them having drawbacks and which were not officially supported by Keycloak. With persistent sessions enabled, those setups can now be simplified.

Using deployments with very large JVM head sizes: In the past, one would need a lot of JVM memory to keep all sessions in memory and avoid an out-of-memory situation. With persistent sessions being stored in the database and only a subset kept in memory for caching, you can now reduce the memory allocated to your Keycloak instances.

Using offline sessions to keep users logged in: One popular approach was to use offline sessions to keep users logged in, as those have been persisted in the database even before. Still, offline sessions are intended for a different purpose: The intended use is to allow an application to access resources on behalf of a user even when that user has logged out, and the regular online session logout would not log out those sessions. With persistent user sessions enabled, you should start using online sessions. The existing offline sessions can still be used, and would eventually expire.
Connecting a JDBC store to Keycloak’s embedded Infinispan: In this setup the embedded Infinispan stored the sessions into a database and a custom created table. While this is a default set up for login and logout, it will do so only if all sessions are loaded at start-up as the code for non-persistent user sessions assumes to have all sessions in memory. All sessions would need to be loaded at startup, as otherwise the list of sessions for a client or a realm would be incomplete, and constraints to have for example only a single session for a given user could not be guaranteed. With persistent sessions as a preview feature in Keycloak 25, this new approach offers a reduced complexity in the setup, and a reduced memory footprint of both Keycloak and Infinispan. See below on how to migrate existing sessions.
Connecting Keycloak to an external Infinispan for a single-site setup: In this setup Keycloak would read and write sessions to an external Infinispan. Like above, all sessions would need to be loaded at startup, both into the embedded Infinispan and the external Infinispan, as otherwise the list of sessions for a client or a realm would be incomplete, and constraints to have for example only a single session for a given user could not be guaranteed. Such a setup was only supported for multi-site setups starting with Keycloak 24. With persistent sessions as a preview feature in Keycloak 25, this new approach offers a reduced complexity in the setup, and a reduced memory footprint for Keycloak, and no need to run an external Infinispan. See below on how to migrate existing sessions.

Migrating existing sessions

If you have been using a JDBC store connected to the embedded Infinispan, or an external Infinispan to store Keycloak online sessions in Keycloak 24, you can migrate those sessions if (and only if) you enable persistent user sessions when you start Keycloak 25 for the first time.

The Upgrading Guide for Keycloak 25 contains instructions on how to do this.

Once the migration is complete, you should remove the configuration for any JDBC persistence for embedded session caches. You should also remove the connection to an external Infinispan if you have used it in a single-site setup.

Enabling Persistent User Sessions

As this is a preview feature, it is not enabled by default. Once we consider this feature to be fully supported, we plan to enable it by default in a future release.

If you have already migrated to Keycloak 25, we recommend you clear all existing online user sessions from your setup.

Depending on if you are using it in a development environment, building your Keycloak distribution, or relying on automatic rebuilding of Keycloak on startup, your command would look like the following:

bin/kc.[sh|bat] [start-dev|build|start] --features="persistent-user-sessions"

If you’re using environment variables to set options, set the following environment variable, or add the value if the environment variable already exists.

KC_FEATURES=persistent-user-sessions

If you are using the Keycloak Operator, add it to the enabled features in the Keycloak CR:

apiVersion: k8s.keycloak.org/v2alpha1
kind: Keycloak
metadata:
  name: example-kc
spec:
  features:
    enabled:
      - persistent-user-sessions
...

See Enabling and disabling features for more information on how to enable features.

Outlook

While we’re working to make this feature fully supported, we’re also working on similar features. Some would make deployment of Keycloak simpler, and others would eventually enable a Keycloak multi-site active-active setup.

Join the discussion of these features and give them a thumbs up vote, so we’ll know that you are interested.

Kudos, providing feedback and asking questions

Thank you to the Keycloak team members Kamesh Akella, Michal Hajas, Pedro Ruivo, Anna Manukyan and Ryan Emerson who discussed ideas and edge cases, contributed code and performed tests of the intermediate pull requests and versions. Special thanks to the community members Tristan971, daviddelannoy and Thomas Darimont who joined the GitHub discussion and provided feedback.

You can help to make this feature fully supported by trying out the preview feature and providing feedback in this GitHub discussion thread.

Use this thread also to ask questions about persistent user sessions. For June 24th, we are planning an ask-me-anything session for persistent sessions.

Announcing Keycloak's Identity Summit: KeyConf24

Nathalia Pinesi — Mon, 10 Jun 2024 00:00:00 GMT

KeyConf23 was an incredible success, bringing together nearly 60 passionate members of the Keycloak community in London. The energy and collaboration were palpable as attendees delved into the latest developments in identity and access management. We witnessed thought-provoking discussions, learned from industry experts, and forged valuable connections.

Building on that momentum, we’re thrilled to announce KeyConf24, our 2024 Keycloak Identity Summit! This year’s event promises to be even bigger and better, with a program packed full of relevant, cutting-edge topics.

What to Expect at KeyConf24

European Digital Identity Wallet: Deep dives into the European Union’s ambitious initiative and its impact on identity management.
Verifiable Credentials: Explore the exciting potential of decentralized identity verification and the role of Keycloak.
State of OIDC FAPI2: Get the latest updates on OpenID Connect’s Financial-grade API (FAPI) security profile.
New Grant Type SPI & Token Exchange Endpoints: Technical sessions on Keycloak’s expanded capabilities and how to leverage them.
Many more to be announced…

And of course, there will be ample opportunities for networking, knowledge sharing, and connecting with the vibrant Keycloak community and Keycloak maintainers.

Save the Date and Join Us!

We invite all developers, architects, security professionals, and anyone interested in identity and access management to join us for KeyConf24. We’ll be announcing more details soon, so stay tuned for more information.

In the meantime, mark your calendars and prepare for an unforgettable experience!

Want to get involved?

You can register to attend to the event here.

We are actively seeking speakers and sponsors for KeyConf24. If you’d like to share your expertise or help support this community-driven event, please submit your ideas here.

If you have any further questions reach out to us on marketing@adorsys.com

Let’s continue to shape the future of identity together!

Keycloak 25.0.0 released

Mon, 10 Jun 2024 00:00:00 GMT

To download the release go to Keycloak downloads.

Highlights

Account Console v2 theme removed

The Account Console v2 theme has been removed from Keycloak. This theme was deprecated in Keycloak 24 and replaced by the Account Console v3 theme. If you are still using this theme, you should migrate to the Account Console v3 theme.

Java 21 support

Keycloak now supports OpenJDK 21, as we want to stick to the latest LTS OpenJDK versions.

Java 17 support is deprecated

OpenJDK 17 support is deprecated in Keycloak, and will be removed in a following release in favor of OpenJDK 21.

Most of Java adapters removed

As stated in the release notes of previous Keycloak version, the most of Java adapters are now removed from the Keycloak codebase and downloads pages.

For OAuth 2.0/OIDC, this includes removal of the Tomcat adapter, WildFly/EAP adapter, Servlet Filter adapter, KeycloakInstalled desktop adapter, the jaxrs-oauth-client adapter, JAAS login modules, Spring adapter and SpringBoot adapters. You can check our older post for the list of some alternatives.

For SAML, this includes removal of the Tomcat adapter and Servlet filter adapter. SAML adapters are still supported with WildFly and JBoss EAP.

The generic Authorization Client library is still supported, and we still plan to support it. It aims to be used in combination with any other OAuth 2.0 or OpenID Connect libraries. You can check the quickstarts for some examples where this authorization client library is used together with the 3rd party Java adapters like Elytron OIDC or SpringBoot. You can check the quickstarts also for the example of SAML adapter used with WildFly.

Upgrade to PatternFly 5

In Keycloak 24, the Welcome page is updated to use PatternFly 5, the latest version of the design system that underpins the user interface of Keycloak. In this release, the Admin Console and Account Console are also updated to use PatternFly 5. If you want to extend and customize the Admin Console and Account Console, review the changes in PatternFly 5 and update your customizations accordingly.

Argon2 password hashing

Argon2 is now the default password hashing algorithm used by Keycloak in a non-FIPS environment.

Argon2 was the winner of the 2015 password hashing competition and is the recommended hashing algorithm by OWASP.

In Keycloak 24 the default hashing iterations for PBKDF2 were increased from 27.5K to 210K, resulting in a more than 10 times increase in the amount of CPU time required to generate a password hash. With Argon2 it is possible to achieve better security, with almost the same CPU time as previous releases of Keycloak. One downside is Argon2 requires more memory, which is a requirement to be resistant against GPU attacks. The defaults for Argon2 in Keycloak requires 7MB per-hashing request. To prevent excessive memory and CPU usage, the parallel computation of hashes by Argon2 is by default limited to the number of cores available to the JVM. To support the memory intensive nature of Argon2, we have updated the default GC from ParallelGC to G1GC for a better heap utilization.

New Hostname options

In response to the complexity and lack of intuitiveness experienced with previous hostname configuration settings, we are proud to introduce Hostname v2 options.

We have listened to your feedback, tackled the tricky issues, and created a smoother experience for managing hostname configuration. Be aware that even the behavior behind these options has changed and requires your attention - if you are dealing with custom hostname settings.

Hostname v2 options are supported by default, as the old hostname options are deprecated and will be removed in the following releases. You should migrate to them as soon as possible.

New options are activated by default, so Keycloak will not recognize the old ones.

For information on how to migrate, see the Upgrading Guide.

Persistent user sessions

Previous versions of Keycloak stored only offline user and offline client sessions in the databases. The new feature persistent-user-session stores online user sessions and online client sessions not only in memory, but also in the database. This will allow a user to stay logged in even if all instances of Keycloak are restarted or upgraded.

The feature is a preview feature and disabled by default. To use it, add the following to your build command:

bin/kc.sh build --features=persistent-user-session ...

For more details see the Enabling and disabling features guide. The sizing guide contains a new paragraph describing the updated resource requirements when this feature is enabled.

For information on how to upgrade, see the Upgrading Guide.

Cookies updates

SameSite attribute set for all cookies

The following cookies did not use to set the SameSite attribute, which in recent browser versions results in them defaulting to SameSite=Lax:

KC_STATE_CHECKER now sets SameSite=Strict
KC_RESTART now sets SameSite=None
KEYCLOAK_LOCALE now sets SameSite=None
KEYCLOAK_REMEMBER_ME now sets SameSite=None

The default value SameSite=Lax causes issues with POST based bindings, mostly applicable to SAML, but also used in some OpenID Connect / OAuth 2.0 flows.

Removing KC_AUTH_STATE cookie

The cookie KC_AUTH_STATE is removed and it is no longer set by the Keycloak server as this server no longer needs this cookie.

Deprecated cookie methods removed

The following APIs for setting custom cookies have been removed:

ServerCookie - replaced by NewCookie.Builder
LocaleSelectorProvider.KEYCLOAK_LOCALE - replaced by CookieType.LOCALE
HttpCookie - replaced by NewCookie.Builder
HttpResponse.setCookieIfAbsent(HttpCookie cookie) - replaced by HttpResponse.setCookieIfAbsent(NewCookie cookie)

Addressed 'You are already logged in' for expired authentication sessions

The Keycloak 23 release provided improvements for when a user is authenticated in parallel in multiple browser tabs. However, this improvement did not address the case when an authentication session expired. Now for the case when user is already logged-in in one browser tab and an authentication session expired in other browser tabs, Keycloak is able to redirect back to the client application with an OIDC/SAML error, so the client application can immediately retry authentication, which should usually automatically log in the application because of the SSO session. For more details, see Server Administration Guide authentication sessions.

Lightweight access token to be even more lightweight

In previous releases, the support for lightweight access token was added. In this release, we managed to remove even more built-in claims from the lightweight access token. The claims are added by protocol mappers. Some of them affect even the regular access tokens or ID tokens as they were not strictly required by the OIDC specification.

Claims sub and auth_time are added by protocol mappers now, which are configured by default on the new client scope basic, which is added automatically to all the clients. The claims are still added to the ID token and access token as before, but not to lightweight access token.
Claim nonce is added only to the ID token now. It is not added to a regular access token or lightweight access token. For backwards compatibility, you can add this claim to an access token by protocol mapper, which needs to be explicitly configured.
Claim session_state is not added to any token now. It is still possible to add it by protocol mapper if needed. There is still the other dedicated claim sid supported by the specification, which was available in previous versions as well and which has exactly the same value.

For more details, see the Upgrading Guide..

Support for application/jwt media-type in token introspection endpoint

You can use the HTTP Header Accept: application/jwt when invoking a token introspection endpoint. When enabled for a particular client, it returns a claim jwt from the token introspection endpoint with the full JWT access token, which can be useful especially for the use-cases when the client calling introspection endpoint used lightweight access token. Thanks to Thomas Darimont for the contribution.

Password policy for check if password contains Username

Keycloak supports a new password policy that allows you to deny user passwords which contains the user username.

Required actions improvements

In the Admin Console, you can now configure some required actions in the Required actions tab of a particular realm. Currently, the Update password is the only built-in configurable required action. It supports setting Maximum Age of Authentication, which is the maximum time users can update their password by the kc_action parameter (used for instance when updating password in the Account Console) without re-authentication. The sorting of required actions is also improved. When there are multiple required actions during authentication, all actions are sorted together regardless of whether those are actions set during authentication (for instance by the kc_action parameter) or actions added to the user account manually by an administrator. Thanks to Thomas Darimont and Daniel Fesenmeyer for the contributions.

Passkeys improvements

The support for Passkeys conditional UI was added. When the Passkeys preview feature is enabled, there is a dedicated authenticator available, which means you can select from a list of available passkeys accounts and authenticate a user based on that. Thanks to Takashi Norimatsu for the contribution.

Default client profile for SAML

The default client profile to have secured SAML clients was added. When browsing through client policies of a realm in the Admin Console, you see a new client profile saml-security-profile. When it is used, there are security best practices applied for SAML clients such as signatures are enforced, SAML Redirect binding is disabled, and wildcard redirect URLs are prohibited.

Authenticator for override existing IDP link during first-broker-login

There was new authenticator Confirm override existing link added. This authenticator allows to override linked IDP username for the Keycloak user, which was already linked to different IDP identity before. More details in the Server Administration Guide. Thanks to Lex Cao for the contribution.

OpenID for Verifiable Credential Issuance - experimental support

There is work in progress on the support of OpenID for Verifiable Credential Issuance (OID4VCI). Right now, this is still work in progress, but things are being gradually added. Keycloak can act as an OID4VC Issuer with support of Pre-Authorized code flow. There is support for verifiable credentials in the JWT-VC, SD-JWT-VC and VCDM formats. Thanks to the members of the OAuth SIG groups for the contributions and feedback and especially thanks to Stefan Wiedemann, Francis Pouatcha, Takashi Norimatsu and Yutaka Obuchi.

Searching by user attribute no longer case insensitive

When searching for users by user attribute, Keycloak no longer searches for user attribute names forcing lower case comparisons. The goal of this change was to speed up searches by using Keycloak’s native index on the user attribute table. If your database collation is case-insensitive, your search results will stay the same. If your database collation is case-sensitive, you might see less search results than before.

Breaking fix in authorization client library

For users of the keycloak-authz-client library, calling AuthorizationResource.getPermissions(…) now correctly returns a List<Permission>.

Previously, it would return a List<Map> at runtime, even though the method declaration advertised List<Permission>.

This fix will break code that relied on casting the List or its contents to List<Map>. If you have used this method in any capacity, you are likely to have done this and be affected.

IDs are no longer set when exporting authorization settings for a client

When exporting the authorization settings for a client, the IDs for resources, scopes, and policies are no longer set. As a result, you can now import the settings from a client to another client.

Management port for metrics and health endpoints

Metrics and health checks endpoints are no longer accessible through the standard Keycloak server port. As these endpoints should be hidden from the outside world, they can be accessed on a separate default management port 9000.

It allows to not expose it to the users as standard Keycloak endpoints in Kubernetes environments. The new management interface provides a new set of options and is fully configurable.

Keycloak Operator assumes the management interface is turned on by default. For more details, see Configuring the Management Interface.

Syslog for remote logging

Keycloak now supports Syslog protocol for remote logging. It utilizes the protocol defined in RFC 5424. By default, the syslog handler is disabled, but when enabled, it sends all log events to a remote syslog server.

For more information, see the Configuring logging guide.

Change to class `EnvironmentDependentProviderFactory`

The method EnvironmentDependentProviderFactory.isSupported() was deprecated for several releases and has now been removed.

For more details, see the Upgrading Guide.

All `cache` options are runtime

It is now possible to specify the cache, cache-stack, and cache-config-file options during runtime. This eliminates the need to execute the build phase and rebuild your image due to them.

For more details, see the Upgrading Guide.

High availability guide enhanced

The high availability guide now contains a guide on how to configure an AWS Lambda to prevent an intended automatic failback from the Backup site to the Primary site.

Removing deprecated methods from `AccessToken`, `IDToken`, and `JsonWebToken` classes

In this release, we are finally removing deprecated methods from the following classes:

AccessToken
IDToken
JsonWebToken

For more details, see the Upgrading Guide.

Method `getExp` added to `SingleUseObjectKeyModel`

As a consequence of the removal of deprecated methods from AccessToken, IDToken, and JsonWebToken, the SingleUseObjectKeyModel also changed to keep consistency with the method names related to expiration values.

For more details, see the Upgrading Guide.

Support for PostgreSQL 16

The supported and tested databases now include PostgreSQL 16.

Introducing support for Customer Identity and Access Management (CIAM) and Multi-tenancy

In this release, we are delivering Keycloak Organizations as a technology preview feature.

This feature provides a realm with some core CIAM capabilities, which will serve as the baseline for more capabilities in the future to address Business-to-Business (B2B) and Business-to-Business-to-Customers (B2B2C) use cases.

In terms of functionality, the feature is completed. However, we still have work to do to make it fully supported in the next major release. This remaining work is mainly about preparing the feature for production deployments with a focus on scalability. Also, depending on the feedback we get until the next major release, we might eventually accept additional capabilities and add more value to the feature, without compromising its roadmap.

For more details, see Server Administration Guide.

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Removed features

#19664 Remove Account Console v2 account/ui
#23381 Remove Wildfly and EAP OIDC adapters adapter/jee
#26813 Remove deprecated cookie code

New features

#25940 Support Credentials Issuance through the OID4VCI Protocol oid4vc
#25942 Issue Verifiable Credentials in the SD-JWT-VC format oid4vc
#25943 Issue Verifiable Credentials in the VCDM format oid4vc
#25945 Extend Account Console to support Credentials Issuance Self-Service account/ui
#26201 Introduce a new Authenticator to handle duplicate IdP broker links authentication
#27673 Hardcoded SAML metadata URL in admin-v2 admin/ui
#27728 Reflect new hostname v2 options in Keycloak CR operator
#27729 Add documentation for Hostname v2 docs
#27730 Release notes and Migration guide for Hostname v2 docs
#28030 Create Argon2 password hashing provider
#28400 Make RequiredActions configurable
#28608 Allow onboarding organization members through a registration invitation link
#28750 CLI options to disable encryption and authentication to external Infinispan dist/quarkus
#28938 Need inline translation assistance for user profile attribute groups.
#29491 Remove Oracle JDBC driver out of the box docs
#29539 Add CRUD for organizations to admin client
#29627 Expose Authorization Server Metadata Endpoint under /.well-known/oauth-authorization-server to comply with rfc8414 oid4vc
#29634 Expose JWT VC Issuer Metadata /.well-known/jwt-vc-issuer to comply with SD-JWT VC Specification oid4vc

Enhancements

#11757 Declarative User Profile: local-date validation and html5-date clash user-profile
#13113 Conditionally enable and disable CLI options dist/quarkus
#16295 JsonSerialization does not load all available modules from the classpath
#17530 Add Portuguese translations
#19334 Support management port for health and metrics in Quarkus 3 dist/quarkus
#20736 uma-ticket returns 403 even though user has access, when User Realm Role isn't present in access Token authorization-services
#20792 Make it clear that `Client Offline Token Max` should not be set when `Offline Session Max Limited` is disabled for realm admin/ui
#20916 DefaultHttpClientFactory should handle the encoding of the response core
#21185 Protocol mapper and client scope for sub claim
#21344 Upgrade account theme to PatternFly 5 account/ui
#21345 Upgrade admin theme to PatternFly 5 admin/ui
#21439 Allow options to support any value in addition to a list of pre-defined values. dist/quarkus
#21562 Make sure admin events are not referencing sensitive data from their representation admin/api
#21961 Allow to provider password to kcadm (keycloak-admin-cli) via environment variable admin/cli
#22436 Query users by 'LDAP_ID' is not working ldap
#22711 Enable theme caches by default in start-dev dist/quarkus
#24192 Refine how ConfigSource names are being used dist/quarkus
#24264 Passkeys: Supporting WebAuthn Conditional UI authentication/webauthn
#24466 Look if checks in IntrospectionEndpoint can be simplified oidc
#25057 Inconsistent behaviour on getting user permissions using authorization authorization-services
#25114 User Profile "Input placeholder" and other annotations - Use Localization keys user-profile
#26162 Optimize query batching and result fetching by tuning Hibernate parameters
#26443 Show an error message when file does not exist for the `config-file` parameter dist/quarkus
#26504 Localization Proposal 2 admin/ui
#26654 Initial client policies integration for SAML saml
#26657 Map Storage Removal: Remove deprecated model/legacy module storage
#26695 Keycloak and MSAD: enabling account in MSAD does not propagate to Keycloak ldap
#26713 Refactoring JavaScript code of WebAuthn's authenticators to follow the current Keycloak's JavaScript coding convention authentication/webauthn
#27264 Trivy Analysis warnings should be fixed
#27433 Clarify format of keys in `additionalOptions` field in the Keycloak CR docs
#27442 Use browser router for Account Console account/ui
#27481 Edit High Availability guide
#27484 Edit 23.0 changes part of Upgrading Guide
#27494 Use JDK17 functionality in the KC Operator operator
#27508 Use new remote-store options in HA guides
#27509 Upgrade to Aurora Postgres 15.5
#27515 `ClusterProvider` should no longer be deprecated now that "legacy" is the default
#27527 CS and SK localized messages need an update
#27544 Expose quarkus syslog logging now GELF is being deprecated from Keycloak dist/quarkus
#27545 Simplify handling of profile features in test cases
#27549 Make general `cache` options runtime dist/quarkus
#27574 Support for script providers when running in embedded mode testsuite
#27602 Remove offline session preloading
#27614 Remove additional handlers for health and metrics endpoints dist/quarkus
#27632 Integrate downstream Upgrading Guide changes into upstream
#27696 Upgrade to Quarkus 3.8.2 dist/quarkus
#27724 Enable Infinispan metrics by default
#27787 Missing API documentation for /admin/realms/{realm}/groups/{group-id}
#27871 Upgrade to Infinispan 14.0.26 core
#27924 Enable http metrics once Quarkus 3.8.3 is available
#27953 Address feedback to Keycloak Server guide docs
#27976 Persist online sessions to the database
#27997 Make the Language Selector sorted and searchable
#28009 Address edits to the Operator Guide
#28033 Upgrade Infinispan to 14.0.27.Final
#28035 update for messages_de.properties required translations
#28084 Upgrade to Quarkus 3.8.3 dist/quarkus
#28120 Default password hashing algorithm should be set to default password hash provider
#28142 Update HA Guide now that non-XA mode is the default
#28145 Align help output for Quarkus distribution across Windows and Linux dist/quarkus
#28161 Use Argon2 password hashing by default
#28178 Provide histograms for http server metrics
#28256 Prevent duplicate form submission in Create realm dialog in admin ui admin/ui
#28318 Use the same new code for persistent sessions for offline sessions core
#28336 Provide a dedicated way of updating Quarkus classloading indices
#28388 Handle concurrent writes to sessions more gracefullly
#28429 Add details to error messages, especially around refresh tokens
#28436 When LDAP groups synchronization fails, show root cause in admin UI admin/api
#28448 Avoid deprecated `jboss-modules` method usage
#28453 More conventional looking conditional element in authentication diagram admin/ui
#28460 Polishing docs for lightweight tokens oidc
#28477 The concurrency of hashing leads to increased memory usage and CPU throttling
#28501 Batch updates to the database to avoid using too many IOPS
#28517 Java 21 support
#28567 Change user_id value for REFRESH_TOKEN and REFRESH_TOKEN_ERROR events oidc
#28616 Add ui-tab context information into the onCreate
#28650 Improve german translations for admin ui
#28654 Refine the warning produced when a non-cli build-time property is used at runtime dist/quarkus
#28672 For client-credential-grants, there shouldn't be an interaction with the authentication cache
#28729 Emphasize the need for setting container limit docs
#28814 Add missing german translations for user federation in admin UI
#28848 Automatically fill username when authenticating to through a broker
#28861 Improve the performance of the PermissionTicketStore.findGrantedResources method authorization-services
#28862 Improve persistent sessions DB throughput for logins/logouts by batching
#28879 Indicate whether a user is transient or not in user sessions list
#28880 Upgrade to Quarkus 3.8.4 dist/quarkus
#28906 ID fields in SessionWrapper should be immutable
#28926 Store extended error message in events for client credential grants
#28935 Ensure GroupResource.getSubGroups doesn't rely on no-arg version of GroupModel.getSubGroupsStream to avoid prematurely loading all subgroups storage
#28939 OIDC: Backchannel logout token should use "typ":"logout+jwt" oidc
#28974 Replace tooltip for adding a translation to an attribute with a text underneath `Display name`
#29023 Support adding existing users to an organization
#29068 Infinispan 15.0.3.Final
#29073 Use cache.compute() method to improve the replace retry loop
#29118 Conditionally run Quarkus IT in GHA based on code changes testsuite
#29124 Use Java locale translations instead of manually edited translations translations
#29166 Improve details for user error events in OIDC protocol endpoints oidc
#29183 Minor corrections to High Availability Guide docs
#29203 Revisit SessionsResource#realmSessions as it current loads all sessions into memory
#29223 Complete transistion away from Resteasy core
#29280 Update Create Realm in Keycloak 24 Getting Started
#29319 Don't sort persistent sessions when retrieving a list
#29348 Set default role mapping filter in the role mapping modal
#29375 Allow migration of non-persistent sessions to persistent sessions
#29392 Avoid conflicts when writing make store keys
#29431 Make sure organization groups can not be managed but when managing an organization
#29460 Email validation for managed members should only fail if it does not match the domain set to a broker
#29489 Describe how to enable and disable persistent sessions for an installation docs
#29561 Revisit rolling configuration upgrades for persistent-sessions feature
#29639 Enhance documentation for REST API for X.509 Direct Grant Flow usage authentication
#29724 VC issuance in Authz Code flow without considering “scope” parameter
#29743 Infinispan 15.0.4.Final
#29750 Require external Infinispan be of version 15 or greater
#29778 Upgrade Selenium and Arquillian dependencies in testsuite testsuite
#29780 Unify approach for WebAuthn tests testsuite
#29787 Document Failover Lambda for Active/Passive deployments
#29794 Show a message when confirming an invitation link
#29813 Snyk report to identify branches impacted by a CVE ci
#29818 Avoid explicit flush when handling persistent sessions
#29880 Improve documentation for the case when 'basic' client scope already exists storage
#29883 Upgrade old Keycloak version for DB migration tests testsuite
#29919 Avoid IntelliJ to automatically create start imports
#30017 Improve Client Type Integration Tests oidc
#30026 Conditionally execute WebAuthn tests when Account console UI is changed testsuite
#30052 Add periodic synchronisation for Weblate contents
#30104 Release notes for support application/jwt response in token introspection endpoint docs
#30160 Upgrade to Quarkus 3.8.5 dist/quarkus
#30241 Adding ability to get realm attributes in themes

Bugs

#8887 Information not displayed when a logged in user reset his password authentication
#9695 Add `id_token_signed_response_alg` when realm default algorithm is not `RS256` oidc
#12298 Security bug: Timing Oracle @ Authorization Grant Request , CWE 208 authentication
#12326 AccessTokens generated from RefreshTokens without scope oidc
#12585 False implementation of SAML element EncryptionMethod saml
#12671 Slow user query by attribute storage
#13045 Duplicated user consents storage
#14084 DefaultBruteForceProtector leverages a single thread to write success/failed events authentication
#14122 Refresh token rotation with multiple tabs oidc
#14188 "1403 Killed" after starting a fresh build docs
#14501 Getting failed to initialize js message if consent is rejected by user account/ui
#15403 No email send on TOTP/Authenticator app removal core
#16064 RS256 signed token validation fails oidc
#16345 Unable to delete realm names with invalid URL characters admin/api
#16520 AuthzClient getPermissions() deserializes to List and not List authorization-services
#16873 Required actions execution order (session and user required actions) authentication
#16948 search users by custom attributes admin/client-js
#17154 User locale in server info has language and country switched around admin/api
#17483 MultiVersionClusterTest not working for Quarkus based distribution storage
#17678 Stop using nested components admin/ui
#19671 Refresh token have a negative exp claim because TokenManager is vulnerable to integer overflow for long lasting sessions (YEAR 2038 bug) oidc
#19853 CRL Verification failing due to client certificate not being in a chain authentication
#20411 Entering a single space in a regex password policy makes admin interface unusable. core
#20490 SAML IDP initiated SSO getting cookie_not_found error saml
#20637 Reset password flow fails with "Page has expired" error when Kerberos authentication is enabled in the browser flow authentication
#20747 Keycloak admin cli creating/updating authention executions not respecting the priority value specified admin/api
#21422 Flaky test: org.keycloak.testsuite.forms.ResetPasswordTest#resetPasswordLink ci
#22617 kc export fails when using User Federation (LDAP) with file-based Vault enabled import-export
#22644 Flaky test: org.keycloak.testsuite.forms.BrowserFlowTest#testAlternativeNonInteractiveExecutorInSubflow core
#23252 Invalid redirect after logging in using Twitter (X) testsuite
#23528 NullPointerException in SAML IdP Logout request with SessionIndex and without NameID identity-brokering
#23701 Attribute search does not work with federated users with ldap. admin/ui
#23832 New admin console doesn't support automatic logout account/ui
#23833 Account console v2 doesn't support automatic logout account/ui
#23900 Duplicate path in groups claim oidc
#23980 Keycloak Operator fails to install realm authentication flow because "flow is null" import-export
#24201 Cannot disable LDAP-backed user if importEnabled=false ldap
#24414 Container labels inherited from UBI image dist/quarkus
#24462 Remove non-unique `id` attributes from `webauthn-authenticate.ftl` login/ui
#24568 iframe for frontend logout gets blocked if a custom CSP header is used core
#24571 Parallel builds stopped working admin/ui
#24795 Not proper remove for nested sub-flows from DB core
#24878 NoClassDefFoundError for Apache XML and EAP8 adapter/jee-saml
#24936 Negative token expiration when changing client session max lifetime oidc
#25038 ServerRequestFilter / ServerResponseFilter not being picked up extensions
#25219 Restrict the access to 'whoami' endpoint for tokens issued for the admin console client admin/api
#25490 Partial export/import is not mentioned in Keycloak's Server Administration Guide docs
#25514 Errors in Outgoing HTTP requests documentation docs
#25687 A java.lang.NullPointerException occurs when sending a Multipart/form-data request to any file upload interface. admin/api
#25778 Incorrect JSON format returned in case of existing user (with user federation) admin/api
#25807 Space in realm name breaks initial console uris admin/api
#25815 Loosing refresh token with Google Identity Provider identity-brokering
#25975 Failing to import client's authorisation settings through UI authorization-services
#25993 PostgreSQL deadlock causes 400 client error instead of 500 server error storage
#26019 Identity provider sync mode: incorrect selection in case of null admin/ui
#26100 Device verification flow does not require consent under certain circumstances oidc
#26108 Realm improper input sanitization core
#26109 Improper Input Validation and Sanitization Leads to persistent partial Denial of Service admin/api
#26113 Revoked Token may be valid for a short time after expiring oidc
#26364 Duplicate emails is On when Email as username and Login with email are On admin/ui
#26396 How do you update a custom user storage provider jar that includes a version number? dist/quarkus
#26438 Keycloak cannot run on windows machine in dev-mode. Because non-English systems cannot support keycloak's package's. dist/quarkus
#26439 Incorrect position of nonce in OCSP request authentication
#26464 "Test connection" on LDAPS URI does not test TLS handshake admin/api
#26515 Wrong rendering duplicated options in guides docs
#26658 `LogoutEvent` is not fired on required UpdatePassword action core
#26667 Can't access hidden tabs on the left in admin UI admin/ui
#26868 Login via brokerage to identity provider fails with clients having UUID with uppercase letter identity-brokering
#26893 Access tokens includes nonce claim oidc
#26915 Deleting sub-realm roles throw errors (even tho it succeeded) authorization-services
#26981 Workflow failure Quarkus IT - StartCommandDistTest#testWarningWhenOverridingBuildOptionsDuringStart ci
#27021 Workflow failure: Fuse adapter tests ci
#27080 Workflow failure: Operator CI - KeycloakTruststoresTests#testTrustroreExists ci
#27180 Grant type "urn:ietf:params:oauth:grant-type:uma-ticket" openid-connect/token service endpoint is returning refresh token with invalid Expiration authorization-services
#27184 Editing built-in client policy profiles are silently reverted oidc
#27201 Missing `exp` claim from Offline tokens when `Offline Session Max Limited` is disabled core
#27228 Lowercased "terms_and_conditions" is not migrated in fed_user_required_action table core
#27245 Account console does not correctly treat link / unlink account account/ui
#27269 mvnw clean install -Pdistribution on Windows deletes necessary files during clean of org.keycloak:keycloak-admin-ui admin/ui
#27275 Invalidating offline token is not working from client sessions tab authentication
#27308 Warnings in log during normal startup dist/quarkus
#27349 Google Authenticator now supports SHA256 and SHA512 authentication
#27366 Social login - test failures with unexpected status code testsuite
#27391 Log warning when not using scope `openid` oidc
#27416 Missing feature ID for tech preview feature in docs docs
#27444 type of clients.findRole() in @keycloak/keycloak-admin-client is wrong admin/client-js
#27483 Authz-client AuthorizationResource.getPermissions() ClassCastException authorization-services
#27499 LdapSyncTest failures running with external Active Directory testsuite
#27504 Cpu and memory sizing typo docs
#27506 Readable realm name no longer visible in logs, but realm id is used instead core
#27512 Getting subgroups does pagination before filtering core
#27514 Uncaught server error: java.lang.IllegalArgumentException: Path parameter not provided oidc
#27529 LegacyUserCredentialManager class not found storage
#27538 User tab "Identity Provider Links" is not available when only "view-users" or "manage-users" realm-management role is assigned as in the v1 Keycloak theme account/ui
#27540 URL change for liquibase docs docs
#27548 Custom Browser Flow not working anymore admin/ui
#27558 Client registration policy "Allowed Protocol Mapper Types" prevents clients from self-updating via the client registration api admin/api
#27565 Admin Console tests are failing due to changes in supported authenticators testsuite
#27573 Release notes from 24.0.0 miss that multi-site active-passive deployments are supported docs
#27597 dropping KC_PROXY=edge causes startup error core
#27604 Account console dev environment broken account/ui
#27609 Mixed use of javax and jakarta in org.keycloak.admin.client adapter/jee
#27611 Cannot modify realm email settings since keycloak 24 user-profile
#27620 Incomplete documentation when an email about changed credentials is sent docs
#27622 In the account console, the link "Back to security-admin-console" disappears after the first navigation account/ui
#27628 Only allow a known refferer URI for the Account Console account/ui
#27643 Password policy for not having username in the password authentication
#27646 Account Console REST API for /linked-accounts Returns Multiple Access-Control-Allow-Origin Headers account/api
#27653 Admin tests: Flaky realm_settings_user_profile_enabled test admin/ui
#27683 Quarkus-next build failure: Could not find artifact io.quarkus:quarkus-extension-maven-plugin ci
#27691 Unable to set a newly created flow in First Login Flow override for a SAML identity provider admin/ui
#27701 MTLS Cache options should be runtime options, not build time options dist/quarkus
#27709 Account console does not work with `--http-relative-path` account/ui
#27719 Wrong Welcome page image in the documentation docs
#27745 Registration template in login2 is broken login/ui
#27756 SMTP email sending fails because of tls certificate verification even with tls-hostname-verifier=ANY core
#27761 Snyk workflow failure ci
#27779 Broken Migration "MigrateTo24_0_0" core
#27780 Fixing downstream documentation build docs
#27797 User profile fields cannot be set empty once they have a non-empty value (in Login Theme) user-profile
#27798 Performance problem with Amazon JDBC wrapper version 2.3.4
#27820 Account console confusing with WebAuthn account/ui
#27824 Can't register webauthn passwordless key when RS1 signature algorithm is configured in policies authentication/webauthn
#27837 Translation values not loaded for User Profile attributes admin/ui
#27838 User Profile translations - value put in wrong field after search user-profile
#27839 Incorrect Length Validation for Attribute admin/cli
#27840 Race condition loading serverinfo in admin console admin/ui
#27841 ES translation causes FreeMarker rendering issues translations
#27846 Authenticator Example module compilation failure authentication
#27852 VerifyUserProfile invalidates user cache on every login core
#27854 Required action selection is broken admin/ui
#27868 Documentation is referring to deprecated/unmaintained examples docs
#27875 SAMLIdentityProvider not honoring SamlAuthenticationPreprocessor saml
#27877 Get Groups in admin/cli returns all groups and not the groups that meets the condition specified in -q option admin/cli
#27878 Error when executing refresh grant, with scope param, without offline_access scope specified oidc
#27882 Incorrect version of bctls-fips in the docs docs
#27890 Webauthn token stops working on migration to 24 authentication/webauthn
#27892 Truststore handling for the Operator is not documented operator
#27894 Multi datasource configuration does not work in Keycloak 24.0.1 dist/quarkus
#27900 Performance impact in changed hashing measured wrong authentication
#27917 User search field loses focus after first input in realms with user federation admin/ui
#27925 Keycloak docs state that there are http metrics, but they are disabled docs
#27941 Entry 999.0.0 in MIGRATION_MODEL prevents future migrations of the database core
#27944 Admin tests: Failing realm_settings_events_test test admin/ui
#27954 Hibernate Dialect detection does not work anymore for Oracle DBs storage
#27962 message of groups is wrong in messages_ja.properties admin/ui
#27965 Groups help message is only "Groups" admin/ui
#27966 🍺 instead of dot: Attributes in account UI are not loaded user-profile
#27967 ORA-01450 when updating keycloak 23 -> 24 storage
#27981 User Profile: Inconsistent ordering of attributes between account and login themes user-profile
#27984 Username LDAP attribute other than uid is difficult ldap
#28001 MySQL connector artifact should be ignored dist/quarkus
#28004 JWK key ignored due to missing required field 'use' despite matching KID oidc
#28012 Keycloak CR Truststore should not have a name operator
#28016 User Profile attribute translation saves wrong key to realm overrides admin/ui
#28069 Token setting missing admin/ui
#28079 Group search does not work in user view admin/ui
#28080 Paging issue in groups via user view admin/ui
#28090 kc.sh may leak credentials core
#28100 Failed authentication: java.lang.NullPointerException: Cannot invoke "org.keycloak.models.UserModel.getFederationLink()" because "this.delegate" is null identity-brokering
#28103 Deleting translations after attribute deletion admin/ui
#28113 WebAuthN registration broken after upgrading to 24.0.1 authentication/webauthn
#28143 Navigation broken on local development account/ui
#28174 HA guide erroneously refers to AWS Global Accelerator docs
#28187 Admin UI drag & drop in flow config seems to delete actions admin/ui
#28201 Locale label missing on login page for Brazilian Portuguese, Greek and Persian translations
#28207 JAVA_OPTS are not set under Windows dist/quarkus
#28215 Inconsistent handling of product vs. community in HA guide table-of-contents docs
#28220 Admin API: User PUT operation clears firstname, lastname email fields admin/api
#28231 username contains invalid characters user-profile
#28248 Update user makes User ID changes when federationLink and LDAP_ID is not set properly admin/api
#28284 scroll bar is missing inn clients view keycloak admin GUI core
#28303 WARN - Event object wasn't available in remote cache after event was received infinispan
#28330 org.keycloak.documentation.test.ExternalLinksTest fails with incorrect status code reported back in the results docs
#28335 The false option of the pkceMethod init parameter for the JavaScript adapter is ignored adapter/javascript
#28341 ConditionalLoaAuthenticator documentation incorrect re: unauthenticated users. authentication
#28370 PodTemplateTest assertions are ignored testsuite
#28374 Syntax highlighting for log example is wrong in downsream dist/quarkus
#28377 Broken lists in import/export server guide docs
#28381 Password denylist Doesn't Work As Expected authentication
#28389 New username-password policy check is reversed user-profile
#28409 Unclosed span bracket in register.ftl login/ui
#28416 Keycloak is not returning proper error message for PUT /users admin API user-profile
#28431 Dedicated client scopes always show up when searching admin/ui
#28443 Declarative User Profile: The use of the "select-radiobuttons" with options validation display is broken user-profile
#28463 Error in refresh flow with scope parameter oidc
#28465 Review cookie attributes and set SameSite for all cookies
#28479 Authentication flow diagram incorrect branching in some flows admin/ui
#28484 inputOptionLabels is truncating text that is not wrapped for localization account/ui
#28486 Help text wrong in key provider admin/ui
#28490 Missing help text for Brute Force Mode admin/ui
#28495 IdP Linking: Usernames sometimes lowercase and sometimes uppercase identity-brokering
#28509 Workflow failure: ManagementDistTest ci
#28514 Message for searchClientRegistration is missing admin/ui
#28519 Cards in IDP and User federation are not shown to be clicable admin/ui
#28523 [LDAPStorageProvider] NPE if user is cached but has been deleted in ldap ldap
#28531 notBefore and setToNow untranslated admin/ui
#28546 LDAP provider add has 3 lines on top of screen admin/ui
#28555 Collision with base testsuite dependency
#28564 UserStorageSyncManager int overflow storage
#28575 Flaky test: org.keycloak.testsuite.admin.IdentityProviderTest#testSamlImportWithAnyEncryptionMethod ci
#28576 Flaky test: org.keycloak.testsuite.admin.IdentityProviderTest#testSamlImportWithAnyEncryptionMethod ci
#28577 Flaky test: org.keycloak.testsuite.admin.IdentityProviderTest#testSamlImportWithAnyEncryptionMethod ci
#28579 Brute force detection fails with read-only LDAP users authentication
#28606 OrganizationTest.testAttributes fails in GHA CI testsuite
#28624 Incorrect user info in the head when using lightweight access token for account-console account/ui
#28628 Invalide objects comparison in Java core
#28638 Missing permission to read configmaps in `keycloak-operator-role` operator
#28640 Unable to see user's inherited role if user has no directly assigned roles admin/ui
#28649 docker-v2 authentication fails with KC-SERVICES0097: Invalid request: java.lang.NullPointerException: Cannot invoke "org.keycloak.models.ClientModel.getClientScopes(boolean)" because "this.client" is null core
#28666 Accessing a transient (lightweight) user through client session fails in admin-api/-ui admin/ui
#28684 "Extend to children" button in authorization group policies is wrongly disabled admin/ui
#28702 Unable to fetch realm names when contains special characters admin/ui
#28704 Remove invalid "this." from keycloak-admin-client README admin/client-js
#28725 Keycloak 24.0.2 - Enlisted connection used without active transaction storage
#28744 Invalid label `validatingX509Certs` in new SAML identity provider screen admin/ui
#28746 Translations missing for recovery codes in KC 24 account/ui
#28747 ID is shown prematurely on Identity Provider Mapper after Save admin/ui
#28748 Webauthn Policy timeout accepts values > 8 hours admin/ui
#28798 `passwordPoliciesHelp.notContainsUsername` missing in admin console admin/ui
#28801 NPE when listing sessions in UI if associated user is gone core
#28818 Child groups filtering returns all groups admin/ui
#28821 Failure reset time is applied to Permanent Lockout authentication
#28824 Inconsistent Group Ordering in Keycloak API Responses For Client Policies Causing Drift Detection Challenges admin/fine-grained-permissions
#28825 Keycloak Operator 24.x - the keycloak custom image tag is being overwritten with nightly pull operator
#28881 socketTimeoutUnits and establishConnectionTimeoutUnits in HttpClientBuilder are not used core
#28896 Master realm can be deleted admin/api
#28911 clients_saml_test.spec.ts fails in main admin/ui
#28915 Possible NPE when exporting user policy authorization-services
#28947 IndexWrapper warnings when starting Keycloak dist/quarkus
#28948 Auto-build shouldn't warn about unavailable runtime options dist/quarkus
#28949 Conditional cache options are not evaluated correctly dist/quarkus
#28964 Compilation error in latest main (conflicting PRs for oid4vc and changes for EnvironmentDependentFactory) core
#28968 Grant urn:ietf:params:oauth:grant-type:pre-authorized_code enabled even if oid4vc_vci feature is disabled oid4vc
#28979 MULTIVALUED_STRING_TYPE does not show in UI if empty admin/ui
#28982 Flaky test: org.keycloak.testsuite.oid4vc.issuance.signing.OID4VCIssuerEndpointTest#testGetCredentialOfferUriUnsupportedCredential ci
#28983 Flaky test: org.keycloak.testsuite.oid4vc.issuance.signing.OID4VCIssuerEndpointTest#testGetCredentialOfferUriInvalidToken ci
#28984 Flaky test: org.keycloak.testsuite.oid4vc.issuance.signing.OID4VCIssuerEndpointTest#testRequestCredential ci
#28985 Flaky test: org.keycloak.testsuite.oid4vc.issuance.signing.OID4VCIssuerEndpointTest#testGetCredentialOfferUriUnauthorized ci
#28986 Flaky test: org.keycloak.testsuite.oid4vc.issuance.signing.OID4VCIssuerEndpointTest#testGetCredentialOfferUnauthorized ci
#28987 Flaky test: org.keycloak.testsuite.oid4vc.issuance.signing.OID4VCIssuerEndpointTest#testRequestCredentialInvalidToken ci
#28988 Flaky test: org.keycloak.testsuite.oid4vc.issuance.signing.OID4VCIssuerEndpointTest#testRequestCredentialUnauthorized ci
#28989 Flaky test: org.keycloak.testsuite.oid4vc.issuance.signing.OID4VCIssuerEndpointTest#testCredentialIssuance ci
#28990 Flaky test: org.keycloak.testsuite.oid4vc.issuance.signing.OID4VCIssuerEndpointTest#testGetCredentialOfferWithoutNonce ci
#28991 Flaky test: org.keycloak.testsuite.oid4vc.issuance.signing.OID4VCIssuerEndpointTest#testGetCredentialOffer ci
#28992 Flaky test: org.keycloak.testsuite.oid4vc.issuance.signing.OID4VCIssuerEndpointTest#testGetCredentialOfferWithABrokenNote ci
#28993 Flaky test: org.keycloak.testsuite.oid4vc.issuance.signing.OID4VCIssuerEndpointTest#testGetCredentialOfferURI ci
#28994 Flaky test: org.keycloak.testsuite.oid4vc.issuance.signing.OID4VCIssuerEndpointTest#testGetCredentialOfferWithoutAPreparedOffer ci
#28995 Flaky test: org.keycloak.testsuite.oid4vc.issuance.signing.OID4VCIssuerEndpointTest#testRequestCredentialUnsupportedFormat ci
#28996 Flaky test: org.keycloak.testsuite.oid4vc.issuance.signing.OID4VCIssuerEndpointTest#testRequestCredentialUnsupportedCredential ci
#29027 Creating client-scope without protocol causes GUI bug admin/api
#29033 Argon2 password hashing leads to increased Major GC's in Keycloak's JVM during load tests authentication
#29035 Admin console message bundle contains duplicate keys admin/ui
#29039 Preflight request with OPTIONS method for token introspection endpoint not working. authentication
#29057 not able to disable declarative_ui feature
#29072 Startup probe should check for existence of an Admin user before returning 200 dist/quarkus
#29129 JGroups creates log messages as it switched internally to "trace" dist/quarkus
#29132 Documentation cites wrong endpoint for Docker Registry v2 Authentication docs
#29133 DuplicateEmailValidator causes two DB queries on every login if a user has an email address core
#29141 Fix waiting for change to take effect in SessionTimeoutsTest
#29142 LDAP - GroupToGroup Mapper throws "ENTRY_EXISTS" Error ldap
#29147 local user login not possible after LDAP connection problem ldap
#29154 Update docs to distinguish between product names and CR names docs
#29190 JS Admin Client does not support q query parameter on users.count() and clients.find() methods admin/client-js
#29206 LDAP user creation reports error but user is created ldap
#29213 Bad formatting of permissions error in admin console admin/ui
#29233 Broken link in documentation docs
#29235 Tests for persistent sessions are not performed infinispan
#29237 The select for a locale behaves as a multi-select in the admin and account UI when it should be single value admin/ui
#29246 Flaky test: org.keycloak.testsuite.client.ClientTypesTest#testUpdateClientWithClientType ci
#29247 Flaky test: org.keycloak.testsuite.oauth.ClientTokenExchangeTest#testExchangeWithDynamicScopesEnabled ci
#29248 Flaky test: org.keycloak.testsuite.oauth.ClientTokenExchangeTest#testClientExchange ci
#29249 Flaky test: org.keycloak.testsuite.oauth.ClientTokenExchangeTest#testIntrospectTokenAfterImpersonation ci
#29250 Flaky test: org.keycloak.testsuite.oauth.ClientTokenExchangeTest#testPublicClientNotAllowed ci
#29251 Flaky test: org.keycloak.testsuite.oauth.ClientTokenExchangeTest#testExchangeUsingServiceAccount ci
#29252 Flaky test: org.keycloak.testsuite.oauth.ClientTokenExchangeTest#testImpersonation ci
#29253 Flaky test: org.keycloak.testsuite.oauth.ClientTokenExchangeTest#testImpersonationUsingPublicClient ci
#29259 `auth-server-feature` does not work for `auth-server-quarkus-embedded` testsuite
#29263 Default value for MULTIVALUED_STRING_TYPE in authenticator config is ignored admin/ui
#29266 Documentation Enhancements Admin Rest API Group to Client Role Mappings docs
#29287 Upgraded docker to 24, now unable to browse "authentication" page in one of my realms. authentication
#29294 Listing of sessions is very slow when we have tens of thousands sessions (+ not able to know the exact number of sessions) admin/ui
#29309 JWSBuilder when used directly with AsymmetricSignatureSignerContext produces non compliant ECDSA signed JWT core
#29311 POST /{realm}/clients-initial-access is allowing invalid data like count = -1 and expiration date-time can be set earlier than the creation date-time oidc
#29314 Clicking the "save" button multiple times in the Saml IDP configuration page corrupts the value of "AuthnContext ClassRefs" admin/ui
#29336 Unlocking and saving the user's temporary lock will render the user disabled. account/ui
#29352 Fix user-facing typos in error messages core
#29362 Custom user attributes are not shown for service account users in the Admin UI admin/ui
#29376 kc export fails when using User Federation (LDAP) with SSL/TLS import-export
#29385 Restart authentication event type is not generated authentication
#29408 Need to show translation for attributes group on Registration form admin/ui
#29426 Potential bug introduced to JavaKeystoreKeyProvider in #26936 admin/api
#29429 NPE when Organization feature enabled core
#29440 clients_tests is unstable admin/ui
#29458 Empty CSP header value breaks security filter authentication
#29471 Cypress tests store videos even for passing tests ci
#29495 Fixing realm removal when removing groups and brokers associated with an organization core
#29507 realm_settings_user_profile_enabled fails randomly admin/ui
#29525 Maven clean build doesn't clean admin client generated files ci
#29528 Failure: SessionTimeoutsTest ci
#29551 OAuth 2.0 Device Polling Interval - Setting in Realms settings/Token Plus-Minus to change value not working admin/ui
#29554 Cypress failing on video recording ci
#29579 Increased augmentation time after Quarkus 3.8.4 upgrade dist/quarkus
#29592 Remote caches and other site's caches might get out-of-sync when persistent sessions are used core
#29599 Org domain removal from IDP is not properly propagated to the DB core
#29602 SNYK-JAVA-ORGBOUNCYCASTLE-6277381 - Observable Timing Discrepancy in org.bouncycastle:bcprov-jdk18on dependencies
#29607 CVE-2024-30172 - Infinite loop in org.bouncycastle:bcprov-jdk18on dependencies
#29608 CVE-2024-30171 - Observable Discrepancy in org.bouncycastle:bcprov-jdk18on dependencies
#29609 CVE-2024-29857 - Allocation of Resources Without Limits or Throttling in org.bouncycastle:bcprov-jdk18on dependencies
#29620 Wrong Media Type / Format of SD JWT VC oid4vc
#29625 Database driver install examples can lead to permission errors in some circumstances docs
#29630 Unable to import realms with organization feature enabled core
#29640 Admin console development fail due to whoami endpoint admin/ui
#29641 Admin Console uses a wrong URL type for auth server admin/ui
#29644 Unmanaged Attributes drop down doesn't reflect the value admin/ui
#29688 client_authorization_test fails admin/ui
#29699 Snyk Report is not preventing duplicates ci
#29738 Broken translations for loa-condition-level and loa-max-age admin/ui
#29756 MigrateTo25_0_0 does not complete within default transaction timeout storage
#29788 OpenAPI: Missing content definition for authentication flow executions GET API admin/api
#29802 Flaky test: org.keycloak.testsuite.model.session.UserSessionPersisterProviderTest#testMigrateSession ci
#29805 Supported Credential Type is not evaluated when applying the Protocol Mapper in OID4VCI oid4vc
#29808 LDAP User federation: LDAP: error code 49 - Invalid Credentials ldap
#29814 package com.google.common.hash does not exist when building keycloak-api-docs-dist docs
#29816 Aggregated javadoc generation fix + missing keycloak-operator javadoc dist/quarkus
#29868 Missing Text for x509 translations
#29869 Kubernetes resources point to non-existing Operator image operator
#29875 Upgrade supported PostgreSQL to version 16 ci
#29885 Unable to create an LD-Credentials/VCDM provider for OID4VC oid4vc
#29931 Cannot access the account console account/ui
#29939 Increased GC overhead in the continuous performance tests after G1GC compiler change dist/quarkus
#29948 Reason not logged in event for invalid SAML request saml
#29968 x509 SAN UPN other name is not handled in JDK 21 authentication
#29976 CI for JS not running all the tasks ci
#29981 Enabling and disabling functions are not working properly in KC GUI admin/ui
#29982 Revert editorconfig for properties files as trailing blanks are used ci
#29984 Nightly build for API docs is broken
#30018 SessionTimeoutsTest failing even after retry, probably due to insufficient cleanup testsuite
#30023 Using {application.session.host} in backchannel logout url prevents from saving client admin/api
#30024 Sign out button in the account console has wrong Selenium locator testsuite
#30028 Typo in the upgrading guide for persistent sessions docs
#30049 All roles are populated as inherited roles if a single role is added to a dedicated client scope admin/ui
#30068 Update RFC reference in subject: Likely typo RFC2553 -> RFC2253, Consider RFC4514 admin/ui
#30079 The OID4VC tests break automation account/ui
#30086 Remove sources folder before invoking JakartaTransformer
#30102 Updating client policies in JSON editor is buggy. Attempt to update global client policies should throw the error admin/ui
#30120 Option `cache-remote-tls-enabled` is missing the default dist/quarkus
#30126 Client scope names not shown in evaluate section in client-scopes tab admin/ui
#30134 Malformed dependency version causing the build failure testsuite
#30196 Test PoC does not run with Quarkus fork join worker
#30201 Keycloak CI - failure in Store IT (aurora-postgres) ci
#30206 Use forkjoin pool factory in testsuite for embedded Quarkus Auth Server testsuite
#30218 Locale dropdowns not working account/ui
#30220 Base theme contains properties without default values login/ui

Keycloak 24.0.5 released

Tue, 4 Jun 2024 00:00:00 GMT

To download the release go to Keycloak downloads.

Highlights

Security issue with PAR clients using client_secret_post based authentication

This release contains the fix of the important security issue affecting some OIDC confidential clients using PAR (Pushed authorization request). In case you use OIDC confidential clients together with PAR and you use client authentication based on client_id and client_secret sent as parameters in the HTTP request body (method client_secret_post specified in the OIDC specification), it is highly encouraged to rotate the client secrets of your clients after upgrading to this version.

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Enhancements

#29073 Use cache.compute() method to improve the replace retry loop
#29280 Update Create Realm in Keycloak 24 Getting Started

Bugs

#29129 JGroups creates log messages as it switched internally to "trace" dist/quarkus
#29206 LDAP user creation reports error but user is created ldap
#29314 Clicking the "save" button multiple times in the Saml IDP configuration page corrupts the value of "AuthnContext ClassRefs" admin/ui
#29458 Empty CSP header value breaks security filter authentication
#29471 Cypress tests store videos even for passing tests ci
#29525 Maven clean build doesn't clean admin client generated files ci
#29554 Cypress failing on video recording ci
#29625 Database driver install examples can lead to permission errors in some circumstances docs

Keycloak 24.0.4 released

Wed, 8 May 2024 00:00:00 GMT

To download the release go to Keycloak downloads.

Highlights

Partial update to user attributes when updating users through the Admin User API is no longer supported

When updating user attributes through the Admin User API, you cannot execute partial updates when updating the user attributes, including the root attributes like username, email, firstName, and lastName.

For more details, see the Upgrading Guide.

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Enhancements

#27508 Use new remote-store options in HA guides
#28429 Add details to error messages, especially around refresh tokens
#28729 Emphasize the need for setting container limit docs
#28880 Upgrade to Quarkus 3.8.4 dist/quarkus
#29183 Minor corrections to High Availability Guide docs

Bugs

#16345 Unable to delete realm names with invalid URL characters admin/api
#22617 kc export fails when using User Federation (LDAP) with file-based Vault enabled import-export
#24568 iframe for frontend logout gets blocked if a custom CSP header is used core
#24878 NoClassDefFoundError for Apache XML and EAP8 adapter/jee-saml
#27021 Workflow failure: Fuse adapter tests ci
#27080 Workflow failure: Operator CI - KeycloakTruststoresTests#testTrustroreExists ci
#27514 Uncaught server error: java.lang.IllegalArgumentException: Path parameter not provided oidc
#28079 Group search does not work in user view admin/ui
#28187 Admin UI drag & drop in flow config seems to delete actions admin/ui
#28220 Admin API: User PUT operation clears firstname, lastname email fields admin/api
#28303 WARN - Event object wasn't available in remote cache after event was received infinispan
#28377 Broken lists in import/export server guide docs
#28431 Dedicated client scopes always show up when searching admin/ui
#28514 Message for searchClientRegistration is missing admin/ui
#28666 Accessing a transient (lightweight) user through client session fails in admin-api/-ui admin/ui
#28684 "Extend to children" button in authorization group policies is wrongly disabled admin/ui
#28911 clients_saml_test.spec.ts fails in main admin/ui
#29072 Startup probe should check for existence of an Admin user before returning 200 dist/quarkus
#29094 Fix the client name help grammatical error admin/ui
#29133 DuplicateEmailValidator causes two DB queries on every login if a user has an email address core
#29147 local user login not possible after LDAP connection problem ldap
#29154 Update docs to distinguish between product names and CR names docs
#29233 Broken link in documentation docs

High availability in Keycloak 24

Alexander Schwartz, Ryan Emerson — Tue, 7 May 2024 00:00:00 GMT

A single sign on solution for your customers and employees shouldn’t be a single-point-of-failure in your architecture. At Devoxx France 2024, Ryan Emerson and Alexander Schwartz presented, from an architects and developer perspective, how Keycloak approached the problem. They describe which architecture the Keycloak team chose, the challenges they faced and which tools helped along the way. The slides and the recorded video are linked below. Scroll down for additional links and details of the tasks we’re currently working on to further enhance the architecture.

A clustered Keycloak deployment in a single site or datacenter provides sufficient availability for many. However, an increasing number of organizations need to utilize multiple sites for improved resiliency or to meet legal requirements. In 2023, Keycloak overhauled its multi-site capabilities for public and private cloud infrastructures, tested them thoroughly and provided deployment blueprints to the community. As part of the release of Keycloak 24, an active/passive setup is now fully supported.

Read more about it in the new high availability guide published as part of Keycloak’s documentation, and get more tools and background information in the Keycloak Benchmark Project. Since the previous blog post which covered Keycloak 23, we have made the configuration of such a setup simpler, with fewer options required by Keycloak and the Keycloak Operator. Thank you to everyone who provided feedback along the way, and those who participated in our survey in early 2023 which guided us in the implementation of this setup.

Still, the journey doesn’t stop here: The team is now working on durable sessions across restarts and upgrades, and a simpler Infinispan architecture which aims to eventually support active/active. Follow these issues and discussions to stay up-to-date with the latest developments, and provide feedback on Keycloak’s nightly builds.

Keycloak 24.0.3 released

Tue, 16 Apr 2024 00:00:00 GMT

To download the release go to Keycloak downloads.

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Enhancements

#26695 Keycloak and MSAD: enabling account in MSAD does not propagate to Keycloak ldap

Bugs

#24201 Cannot disable LDAP-backed user if importEnabled=false ldap
#28100 Failed authentication: java.lang.NullPointerException: Cannot invoke "org.keycloak.models.UserModel.getFederationLink()" because "this.delegate" is null identity-brokering
#28248 Update user makes User ID changes when federationLink and LDAP_ID is not set properly admin/api
#28335 The false option of the pkceMethod init parameter for the JavaScript adapter is ignored adapter/javascript
#28638 Missing permission to read configmaps in `keycloak-operator-role` operator

Recap from KubeCon + CloudNativeCon Europe 2024

Thomas Darimont — Mon, 15 Apr 2024 00:00:00 GMT

After a packed week of fantastic talks at KubeCon + CloudNativeCon Europe 2024 in Paris, we’re delighted to share our impressions with the rest of the Keycloak community.

Keycloak and OAuth2 Token Exchange for Microservice API Security

The presence of Keycloak in many presentations highlighted its importance in the cloud-native ecosystem. Notably, the talk “OAuth2 Token Exchange for Microservice API Security” by Ahmet Soormally & Letz Yaara on OAuth2 Token Exchange (RFC 8693) underscored its application in microservice security and pinpointed areas for Keycloak’s enhancement. Efforts to advance the support for Token Exchange are underway, and community feedback is invaluable. Please join the discussion on the current usage of Token Exchange to help us out.

Keycloak and the Secrets of the Universe at CERN

A standout moment was learning about Keycloak’s role at CERN in the talk “The Hard Life of Securing a Particle Accelerator”, as shared by Antonio Nappi and Sebastian Lopienski, emphasizing its contribution to securing the particle accelerator’s IAM infrastructure. Keycloak supports research on the nature of the universe. How cool is that :)

Keycloak, OpenFGA, and Kubernetes Authorizer

Jonathan Whitaker’s talk “Federated IAM for Kubernetes with OpenFGA” on federated IAM with OpenFGA showcased innovative approaches for managing access to Kubernetes resources through the combination of Keycloak, OpenFGA and a custom Kubernetes Authorizer Web Hook. In particular, the demonstration of temporarily elevated access to Kubernetes resources was very well received.

Keycloak: The Leading Edge of AuthN and AuthZ

Last but not least, our session, “The Leading Edge of AuthN and AuthZ by Keycloak”, presented by Takashi Norimatsu and Thomas Darimont, introduced the latest Keycloak advancements, including support for Passkeys, OAuth 2.1, and OpenID for Verifiable Credentials (OpenID4VC). As part of our talk, we showed the current support for Passkeys and some integration options with Open Policy Agent.

Summary

Keycloak is an essential pillar of many cloud-native systems and significantly impacted the conference, attracting thousands of Kubernetes and cloud-native professionals.

The engagement and collaborative spirit of the cloud-native community were genuinely inspiring, underscoring the collective drive to enhance and innovate within this vibrant ecosystem.

We’re very proud and happy to be part of this fantastic community!

Keycloak 24.0.2 released

Mon, 25 Mar 2024 00:00:00 GMT

To download the release go to Keycloak downloads.

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Enhancements

#25057 Inconsistent behaviour on getting user permissions using authorization authorization-services
#27433 Clarify format of keys in `additionalOptions` field in the Keycloak CR docs
#27481 Edit High Availability guide
#27484 Edit 23.0 changes part of Upgrading Guide
#27632 Integrate downstream Upgrading Guide changes into upstream
#27696 Upgrade to Quarkus 3.8.2 dist/quarkus
#27867 Corrections to Securing Apps Guide
#27871 Upgrade to Infinispan 14.0.26 core
#27953 Address feedback to Keycloak Server guide docs
#27955 Address term Keycloak in Server Administration Guide docs
#28009 Address edits to the Operator Guide
#28033 Upgrade Infinispan to 14.0.27.Final
#28084 Upgrade to Quarkus 3.8.3 dist/quarkus

Bugs

#14501 Getting failed to initialize js message if consent is rejected by user account/ui
#15403 No email send on TOTP/Authenticator app removal core
#20637 Reset password flow fails with "Page has expired" error when Kerberos authentication is enabled in the browser flow authentication
#22644 Flaky test: org.keycloak.testsuite.forms.BrowserFlowTest#testAlternativeNonInteractiveExecutorInSubflow core
#23701 Attribute search does not work with federated users with ldap. admin/ui
#23980 Keycloak Operator fails to install realm authentication flow because "flow is null" import-export
#25490 Partial export/import is not mentioned in Keycloak's Server Administration Guide docs
#25687 A java.lang.NullPointerException occurs when sending a Multipart/form-data request to any file upload interface. admin/api
#26396 How do you update a custom user storage provider jar that includes a version number? dist/quarkus
#27117 user sessions not accessible in all cluster nodes infinispan
#27180 Grant type "urn:ietf:params:oauth:grant-type:uma-ticket" openid-connect/token service endpoint is returning refresh token with invalid Expiration authorization-services
#27228 Lowercased "terms_and_conditions" is not migrated in fed_user_required_action table core
#27245 Account console does not correctly treat link / unlink account account/ui
#27269 mvnw clean install -Pdistribution on Windows deletes necessary files during clean of org.keycloak:keycloak-admin-ui admin/ui
#27275 Invalidating offline token is not working from client sessions tab authentication
#27366 Social login - test failures with unexpected status code testsuite
#27483 Authz-client AuthorizationResource.getPermissions() ClassCastException authorization-services
#27504 Cpu and memory sizing typo docs
#27529 LegacyUserCredentialManager class not found storage
#27540 URL change for liquibase docs docs
#27548 Custom Browser Flow not working anymore admin/ui
#27573 Release notes from 24.0.0 miss that multi-site active-passive deployments are supported docs
#27597 dropping KC_PROXY=edge causes startup error core
#27611 Cannot modify realm email settings since keycloak 24 user-profile
#27653 Admin tests: Flaky realm_settings_user_profile_enabled test admin/ui
#27701 MTLS Cache options should be runtime options, not build time options dist/quarkus
#27719 Wrong Welcome page image in the documentation docs
#27745 Registration template in login2 is broken login/ui
#27761 Snyk workflow failure ci
#27779 Broken Migration "MigrateTo24_0_0" core
#27780 Fixing downstream documentation build docs
#27797 User profile fields cannot be set empty once they have a non-empty value (in Login Theme) user-profile
#27820 Account console confusing with WebAuthn account/ui
#27841 ES translation causes FreeMarker rendering issues translations
#27852 VerifyUserProfile invalidates user cache on every login core
#27878 Error when executing refresh grant, with scope param, without offline_access scope specified oidc
#27882 Incorrect version of bctls-fips in the docs docs
#27892 Truststore handling for the Operator is not documented operator
#27894 Multi datasource configuration does not work in Keycloak 24.0.1 dist/quarkus
#27900 Performance impact in changed hashing measured wrong authentication
#27925 Keycloak docs state that there are http metrics, but they are disabled docs
#27954 Hibernate Dialect detection does not work anymore for Oracle DBs storage
#27966 🍺 instead of dot: Attributes in account UI are not loaded user-profile
#27967 ORA-01450 when updating keycloak 23 -> 24 storage
#27981 User Profile: Inconsistent ordering of attributes between account and login themes user-profile
#28001 MySQL connector artifact should be ignored dist/quarkus
#28012 Keycloak CR Truststore should not have a name operator
#28113 WebAuthN registration broken after upgrading to 24.0.1 authentication/webauthn

Keycloak 24.0.1 released

Tue, 5 Mar 2024 00:00:00 GMT

To download the release go to Keycloak downloads.

Highlights

Operator deploys nightly build instead of 24.0.0

Due to an issue in the release process when deploying Keycloak using the Operator it installed the nightly container instead of 24.0.0.

As a quick fix to the issue, the 24.0.0 container was tagged with nightly, and the nightly releases was temporarily disabled.

If you installed or upgraded to 24.0.0 using the Operator before 5pm CET yesterday the database may have been updated with the wrong versions. To check if you are affected connect to your database and run the following SQL command:

SELECT * from migration_model WHERE version = '999.0.0';

If the above returns a matching row you will need to take some actions, otherwise database migrations will not run for future releases. To resolve this run the following SQL command:

UPDATE migration_model SET version = '24.0.0' WHERE version = '999.0.0';

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

Keycloak 24.0.0 released

Mon, 4 Mar 2024 00:00:00 GMT

To download the release go to Keycloak downloads.

Highlights

Supported user profile and progressive profiling

The user profile preview feature is promoted to be fully supported and user profile is enabled by default.

In the past months, the Keycloak team spent a huge amount of effort in polishing the user profile feature to make it fully supported. In this release, we continued the effort. Lots of improvements, fixes and polishing were done based on the thorough testing and feedback from our awesome community.

The following are a few highlights of this feature;

Fine-grained control over the attributes that users and administrators can manage so that you can prevent unexpected attributes and values from being set.
Ability to specify what user attributes are managed and should be displayed on the forms to regular users or administrators.
Dynamic forms - Previously, the forms where users created or updated their profiles, contain four basic attributes like username, email, first name and last name. The addition of any attributes (or removing some default attributes) required you to create a custom theme. Now custom themes may not be needed because users see exactly the requested attributes based on the requirement of the particular deployment.
Validations - Ability to specify validators for the user attributes including built-in validators that you can use to specify a maximum or minimum length, a specific regex, or limiting a particular attribute to be a URL or number.
Annotations - Ability to specify that particular attribute should be rendered for instance as a text area, an HTML select with specified options, or calendar or many other options. You can also bind JavaScript code to a specific field to change how an attribute is rendered and customize its behavior.
Progressive profiling - Ability to specify that some fields are required or available on the forms just for particular values of scope parameter. This effectively allow progressive profiling. You no longer need to ask the user for twenty attributes during registration; you can instead ask the user to fill in attributes incrementally according to the requirements of the individual client applications that are used by the user.
Migration from previous versions - The user profile is now always enabled, but it operates as before for those who did not use this feature. You can benefit from the user profile capabilities, but you are not required to use them. For migration instructions, see the Upgrading Guide.

The first release of the user profile as a supported feature is just the starting point and the baseline for delivering many more capabilities around identity management.

We would like to give huge thanks to the awesome Keycloak community as lots of ideas, requirements and contributions came from the community! Special thanks to:

For more details about user profile capabilities, see the Server Administration Guide.

Breaking changes to the User Profile SPI

In this release, changes to the User Profile SPI might impact existing implementations based on this SPI. For more details, see the Upgrading Guide.

Changes to Freemarker templates to render pages based on the user profile and realm

In this release, the following templates were updated to make it possible to dynamically render attributes based on the user profile configuration set to a realm:

login-update-profile.ftl
register.ftl
update-email.ftl

For more details, see the Upgrading Guide.

New Freemarker template for the update profile page at first login through a broker

In this release, the server renders the update profile page when the user is authenticating through a broker for the first time using the idp-review-user-profile.ftl template.

For more details, see the Upgrading Guide.

Java adapter deprecation and removal

Back in 2022 we announced the deprecation of Keycloak adapters in Keycloak 19. To give the community more time to adopt this was delayed.

With that in mind, this will be the last major release of Keycloak to include OpenID Connect and SAML adapters. As Jetty 9.x has not been supported since 2022 the Jetty adapter has been removed already in this release.

The generic Authorization Client library will continue to be supported, and aims to be used in combination with any other OAuth 2.0 or OpenID Connect libraries.

The only adapter we will continue to deliver is the SAML adapter for latest releases of WildFly and EAP 8.x. Reasoning for continuing to support this is down to the fact that the majority of the SAML codebase in Keycloak was a contribution from WildFly. As part of this contribution we agreed to maintain SAML adapters for WildFly and EAP in the long run.

Jetty adapter removed

Jetty 9.4 has not been supported in the community for a long time, and reached end-of-life in 2022. At the same time the adapter has not been updated or tested with more recent versions of Jetty. For these reasons the Jetty adapter has been removed from this release.

New Welcome Page

The 'welcome' page that appears at the first use of Keycloak is redesigned. It provides a better setup experience and conforms to the latest version of PatternFly. The simplified page layout includes only a form to register the first administrative user. After completing the registration, the user is sent directly to the Admin Console.

If you use a custom theme, you may need to update it to support the new welcome page. For details, see the Upgrading Guide.

New Account Console now the default

We introduced version 3 of the Account Console in Keycloak 22 as a preview feature. In this release, we are making it the default version, and deprecating version 2 in the process, which will be removed in a subsequent release.

This new version has built-in support for the user profile feature, which allows administrators to configure which attributes are available to users in the Account Console, and lands a user directly on their personal account page after logging in.

If you are using or extending the customization features of this theme, you may need to perform additional migrations. For more details, see the Upgrading Guide.

Keycloak JS

Using `exports` field in `package.json`

The Keycloak JS adapter now uses the exports field in its package.json. This change improves support for more modern bundlers like Webpack 5 and Vite, but comes with some unavoidable breaking changes. See the Upgrading Guide for more details.

PKCE enabled by default

The Keycloak JS adapter now sets the pkceMethod option to S256 by default. This change enables Proof Key Code Exchange (PKCE) for all applications using the adapter. If you use the adapter on a system that does not support PKCE, you can set the pkceMethod option to false to disable it.

Changes to Password Hashing

In this release, we adapted the password hashing defaults to match the OWASP recommendations for Password Storage.

As part of this change, the default password hashing provider has changed from pbkdf2-sha256 to pbkdf2-sha512. Also, the number of default hash iterations for pbkdf2 based password hashing algorithms changed. This change means better security aligned with latest recommendations, but it has impact on performance. It is possible to stick to the old behaviour by adding password policies hashAlgorithm and hashIterations to your realm. For more details, see the Upgrading Guide.

OAuth/OIDC related improvements

Lightweight access tokens support

This release contains support for Lightweight access tokens. As a result, you can have smaller access tokens for specified clients. These tokens have only a few claims, which is why they are smaller. Note that lightweight access token is still JWT signed by the realm key by default and still contains some very basic claims.

This release introduces an Add to lightweight access token flag that is available on some OIDC protocol mappers. Use this flag to specify if a particular claim should be added to a lightweight access token. It is OFF by default, which means that most claims are not added.

Also, a client policy executor exists. Use it to specify if a particular client request should use lightweight access tokens or regular access tokens. An alternative to the executor is to use an Always use lightweight access token flag on client advanced settings, which causes that client to always use lightweight access tokens. An executor can be an alternative if you need more flexibility. For instance, you may choose to use lightweight access tokens by default but use regular tokens only for the specified scope parameter.

A previous release added an Add to token introspection switch. You use it to add claims that are not present in the access token into the introspection endpoint response.

Thanks to Shigeyuki Kabano for the contribution and Thanks to Takashi Norimatsu for a help and review of this feature.

OAuth 2.1 support

This release contains optional OAuth 2.1 support. New client policy profiles were introduced in this release, which administrators can use to make sure that clients and particular client requests comply with the OAuth 2.1 specification. A dedicated client profile exists for confidential clients and a dedicated profile for public clients. Thanks to Takashi Norimatsu and Shigeyuki Kabano for the contribution.

Scope parameter supported in the refresh token flow

Starting with this release, the scope parameter in the OAuth2/OIDC endpoint for token refresh is supported. Use this parameter to request access tokens with a smaller amount of scopes than originally granted, which means you cannot increase access token scope. This scope limitation does not affect the scope of the refreshed refresh token. This function works as described in the OAuth2 specification. Thanks to Konstantinos Georgilakis for the contribution.

Client policy executor for secure redirect URIs

A new client policy executor secure-redirect-uris-enforcer is introduced. Use it to restrict which redirect URIs can be used by the clients. For instance, you can specify that client redirect URIs cannot have wildcards, should be just from specific domain, must be OAuth 2.1 compliant, and so on. Thanks to Lex Cao and Takashi Norimatsu for the contribution.

Client policy executor for enforcing DPoP

A new client policy executor dpop-bind-enforcer is introduced. You can use it to enforce DPoP for a particular client if dpop preview is enabled. Thanks to Takashi Norimatsu for the contribution.

Supporting EdDSA

You can create EdDSA realm keys and use them as signature algorithms for various clients. For instance, you can use these keys to sign tokens or for client authentication with signed JWT. This feature includes identity brokering where Keycloak itself signs client assertions that are used for private_key_jwt authentication to third party identity providers. Thanks to Takashi Norimatsu and Muhammad Zakwan Bin Mohd Zahid for the contribution.

EC Keys supported by JavaKeystore provider

The provider JavaKeystoreProvider for providing realm keys now supports EC keys in addition to previously supported RSA keys. Thanks to Stefan Wiedemann for the contribution.

Option to add X509 thumbprint to JWT when using private_key_jwt authentication for identity providers

OIDC identity providers now have the Add X.509 Headers to the JWT option for the situation when client authentication with JWT signed by private key is used. This option can be useful for interoperability with some identity providers such as Azure AD, which require the thumbprint to be present on the JWT. Thanks to MT for the contribution.

OAuth Grant Type SPI

The Keycloak codebase includes an internal update to introduce the OAuth Grant Type SPI. This update allows additional flexibility when introducing custom grant types supported by the Keycloak OAuth 2 token endpoint. Thanks to Dmitry Telegin for the contribution.

CORS improvements

The CORS related Keycloak functionality was extracted into the SPI, which can allow additional flexibility. Note that CorsSPI is internal and may change at a future release. Thanks to Dmitry Telegin for the contribution.

Truststore improvements

Keycloak introduces improved truststores configuration options. The Keycloak truststore is now used across the server, including outgoing connections, mTLS, and database drivers. You no longer need to configure separate truststores for individual areas. To configure the truststore, you can put your truststores files or certificates in the default conf/truststores, or use the new truststore-paths config option. For details refer to the relevant guide.

Versioned Features

Features now support versioning. To preserve backward compatibility, all existing features (including account2 and account3) are marked as version 1. Newly introduced features will use versioning, which means that users can select between different implementations of desired features.

For details refer to the features guide.

Keycloak CR Truststores

You may also take advantage of the new server-side handling of truststores by using the Keycloak CR, for example:

spec:
  truststores:
    mystore:
      secret:
        name: mystore-secret
    myotherstore:
      secret:
        name: myotherstore-secret

Currently only Secrets are supported.

Trust Kubernetes CA

The cert for the Kubernetes CA is added automatically to your Keycloak Pods managed by the Operator.

Automatic certificate management for SAML identity providers

The SAML identity providers can now be configured to automatically download the signing certificates from the IDP entity metadata descriptor endpoint. In order to use the new feature, configure the Metadata descriptor URL option in the provider (the URL where the IDP metadata information with the certificates is published) and set Use metadata descriptor URL to ON. The certificates are automatically downloaded and cached in the public-key-storage SPI from that URL. The certificates can also be reloaded or imported from the Admin Console, using the action combo in the provider page.

See the documentation for more details about the new options.

Non-blocking health check for load balancers

A new health check endpoint available at /lb-check was added. The execution is running in the event loop, which means this check is responsive also in overloaded situations when Keycloak needs to handle many requests waiting in request queue. This behavior is useful, for example, in multi-site deployment to avoid failing over to another site that is under heavy load. The endpoint is currently checking availability of the embedded and external Infinispan caches. Other checks may be added later.

This endpoint is not available by default. To enable it, run Keyloak with the multi-site feature. For more details, see Enabling and disabling features.

Keycloak CR Optimized Field

The Keycloak CR now includes an startOptimized field, which may be used to override the default assumption about whether to use the --optimized flag for the start command. As a result, you can use the CR to configure build time options also when a custom Keycloak image is used.

Enhanced reverse proxy settings

It is now possible to separately enable parsing of either Forwarded or X-Forwarded-* headers by using the new --proxy-headers option. For details, see the Reverse Proxy Guide. The original --proxy option is now deprecated and will be removed in a future release. For migration instructions, see the Upgrading Guide.

Changes to the user representation in both Admin API and Account contexts

In this release, we are encapsulating the root user attributes (such as username, email, firstName, lastName, and locale) by moving them to a base/abstract class in order to align how these attributes are marshalled and unmarshalled when using both Admin and Account REST APIs.

This strategy provides consistency in how attributes are managed by clients and makes sure they conform to the user profile configuration set to a realm.

For more details, see the Upgrading Guide.

Sequential loading of offline sessions and remote sessions

Starting with this release, the first member of a Keycloak cluster will load remote sessions sequentially instead of in parallel. If offline session preloading is enabled, those will be loaded sequentially as well.

For more details, see the Upgrading Guide.

Performing actions on behalf of another already authenticated user is not longer possible

In this release, you can no longer perform actions such as email verification if the user is already authenticated and the action is bound to another user. For instance, a user can not complete the verification email flow if the email link is bound to a different account.

Changes to the email verification flow

In this release, if a user tries to follow the link to verify the email and the email was previously verified, a proper message will be shown.

In addition to that, a new error (EMAIL_ALREADY_VERIFIED) event will be fired to indicate an attempt to verify an already verified email. You can use this event to track possible attempts to hijack user accounts in case the link has leaked or to alert users if they do not recognize the action.

Deprecated offline session preloading

The default behavior of Keycloak is to load offline sessions on demand. The old behavior to preload them at startup is now deprecated, as pre-loading them at startup does not scale well with a growing number of sessions, and increases Keycloak memory usage. The old behavior will be removed in a future release.

For more details, see the Upgrading Guide.

Configuration option for offline session lifespan override in memory

To reduce memory requirements, we introduced a configuration option to shorten lifespan for offline sessions imported into the Infinispan caches. Currently, the offline session lifespan override is disabled by default.

For more details, see the Server Administration Guide.

Infinispan metrics use labels for cache manager and cache names

When enabling metrics for Keycloak’s embedded caches, the metrics now use labels for the cache manager and the cache names.

For more details, see the Upgrading Guide.

User attribute value length extension

As of this release, Keycloak supports storing and searching by user attribute values longer than 255 characters, which was previously a limitation.

For more details, see the Upgrading Guide.

Brute Force Protection changes

There have been a couple of enhancements to the Brute Protection:

When an attempt to authenticate with an OTP or Recovery Code fails due to Brute Force Protection the active Authentication Session is invalidated. Any further attempts to authenticate with that session will fail.
In previous versions of Keycloak, the administrator had to choose between disabling users temporarily or permanently due to a Brute Force attack on their accounts. The administrator can now permanently disable a user after a given number of temporary lockouts.
The property failedLoginNotBefore has been added to the brute-force/users/{userId} endpoint

Authorization Policy

In previous versions of Keycloak, when the last member of a User, Group or Client policy was deleted then that policy would also be deleted. Unfortunately this could lead to an escalation of privileges if the policy was used in an aggregate policy. To avoid privilege escalation the effect policies are no longer deleted and an administrator will need to update those policies.

Keycloak CR cache-config-file option

The Keycloak CR now allows for specifying the cache-config-file option by using the cache spec configMapFile field, for example:

apiVersion: k8s.keycloak.org/v2alpha1
kind: Keycloak
metadata:
  name: example-kc
spec:
  ...
  cache:
    configMapFile:
      name: my-configmap
      key: config.xml

Keycloak CR resources options

The Keycloak CR now allows for specifying the resources options for managing compute resources for the Keycloak container. It provides the ability to request and limit resources independently for the main Keycloak deployment via the Keycloak CR, and for the realm import Job via the Realm Import CR.

When no values are specified, the default requests memory is set to 1700MiB, and the limits memory is set to 2GiB.

You can specify your custom values based on your requirements as follows:

apiVersion: k8s.keycloak.org/v2alpha1
kind: Keycloak
metadata:
  name: example-kc
spec:
  ...
  resources:
    requests:
      cpu: 1200m
      memory: 896Mi
    limits:
      cpu: 6
      memory: 3Gi

For more details, see the Operator Advanced configuration.

Temporary lockout log replaced with event

There is now a new event USER_DISABLED_BY_TEMPORARY_LOCKOUT when a user is temporarily locked out by the brute force protector. The log with ID KC-SERVICES0053 has been removed as the new event offers the information in a structured form.

For more details, see the Upgrading Guide.

Updates to cookies

Cookie handling code has been refactored and improved, including a new Cookie Provider. This provides better consistency for cookies handled by Keycloak, and the ability to introduce configuration options around cookies if needed.

SAML User Attribute Mapper For NameID now suggests only valid NameID formats

User Attribute Mapper For NameID allowed setting Name ID Format option to the following values:

urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName
urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName
urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos
urn:oasis:names:tc:SAML:2.0:nameid-format:entity

However, Keycloak does not support receiving AuthnRequest document with one of these NameIDPolicy, therefore these mappers would never be used. The supported options were updated to only include the following Name ID Formats:

urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
urn:oasis:names:tc:SAML:2.0:nameid-format:transient

Different JVM memory settings when running in container

Instead of specifying hardcoded values for the initial and maximum heap size, Keycloak uses relative values to the total memory of a container. The JVM options -Xms, and -Xmx were replaced by -XX:InitialRAMPercentage, and -XX:MaxRAMPercentage.

For more details, see the Running Keycloak in a container guide.

GELF log handler has been deprecated

With sunsetting of the underlying library providing integration with GELF, Keycloak will no longer support the GELF log handler out-of-the-box. This feature will be removed in a future release. If you require an external log management, consider using file log parsing.

Support for multi-site active-passive deployments

Deploying Keycloak to multiple independent sites is essential for some environments to provide high availability and a speedy recovery from failures. This release supports active-passive deployments for Keycloak.

To get started, use the High Availability Guide which also includes a comprehensive blueprint to deploy a highly available Keycloak to a cloud environment.

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Security fixes

#21258 CVE-2022-1471- SnakeYaml remote code execution by sending malicious YAML content dependencies
#26923 CVE-2023-35116 - jackson-databind - 2.15.2
#27204 CVE-2024-1597 - SQL Injection vulnerability in org.postgresql:postgresql

Removed features

#15472 Remove session revocation by 'not before' date admin/api
#17734 Remove session revocation by 'not before' date admin/ui
#19660 Deprecate Account Console v2 account/ui
#26255 Remove Jetty 9.4 adapters
#27364 Deprecate GELF dist/quarkus

New features

#15190 RestAPI endpoint "send-verify-email" sending execute actions email template. admin/api
#19586 @keycloak/keycloak-admin-client doesn't provide an ability to use optional client scope for access token admin/client-js
#23539 User profile attributes should only accept a single value unless configured otherwise user-profile
#25167 Implement POST logout in Keycloak JS adapter/javascript
#25446 CORS SPI oidc
#25676 Introduce new CLI config options for Infinispan remote store dist/quarkus
#25702 Encrypt network communication in JGroups dist/quarkus
#25733 Update Route53 HA guide to be compatible with ROSA and Openshift 4.14.x
#25903 Create new landing page for admin console
#25941 Issue Verifiable Credentials in the JWT-VC format core
#26028 Remove conditional statements about Windows / Linux from the docs docs
#26250 OAuth 2.0 Grant Type SPI oidc
#26455 Supported option to specify maximum threads used to handle HTTP requests dist/quarkus
#26456 Supported option to specify resource management for pods in Keycloak CR dist/quarkus
#26458 Support custom Infinispan configuration file in Keycloak CR operator
#26460 Supported option to specify site name for multi-site deployments dist/quarkus
#26500 Cookie Provider
#26936 Support EC Key-Imports for the JavaKeystoreKeyProvider
#27186 Meta description of admin-ui and account-ui cannot be changed in theme.properties

Enhancements

#9508 Rename "Resident key" to "Discoverable Credential" docs
#9758 User attributes with a text more than 255 characters storage
#9784 Add truststore options to Keycloak CR operator
#10794 Support importing Kubernetes CA operator
#12009 Support for scope parameter in the refresh flow oidc
#12352 Align Operator config naming with Quarkus distribution operator
#12946 Add X509 thumbprint to JWT when using private_key_jwt oidc
#13250 --verbose option doesn't work in Quarkus distribution dist/quarkus
#15000 Add EdDSA/Ed25519 to WebAuthn Signature algorithms authentication/webauthn
#15714 Supporting EdDSA oidc
#16629 Increase the default iterations for Pbdkdf2-256/512 to match the updated OWASP recommendations authentication
#17574 Add failedLoginNotBefore field to existing brute force detection status API
#17735 Admin-UI: Show realm display name in realm drop down instead of realm id if available admin/ui
#19190 Add "amr" to already implemented "acr" support
#19285 Disable Groovy Closures when bootstrapping Picocli dist/quarkus
#20125 Role mapping tab no longer visible when using fine grained permissions after upgrade from 20.0.3 to 21.0.2 admin/ui
#21074 Identity providers: pagination in admin console
#21343 Upgrade welcome theme to PatternFly 5 welcome/ui
#21559 Provide raw OpenAPI specification alongside Keycloak Admin REST API html documentation
#21578 Scope parameter in Oauth 2.0 token exchange
#21771 List reload button for admin panel admin/ui
#22436 Query users by 'LDAP_ID' is not working ldap
#22922 Use Infinispan BOM instead of direct Infinispan dependencies storage
#23057 Localization tabs admin/ui
#23431 Allow user to select between `Forwarded` or `X-Forwarded-*` header
#23470 Docs: authorization_services/topics/service-authorization-obtaining-permission.adoc authorization-services
#23854 Use upstream Quarkus functionality for non-blocking probes dist/quarkus
#23878 User profile configuration scoped to user-federation provider user-profile
#23896 Changes in declarative user profile should result in admin events user-profile
#24094 Map Store Removal: Delete map profiles from testsuite storage
#24097 Map Store Removal: Delete container providers that were added to the base testsuite storage
#24102 Map Store Removal: Delete Profile.Feature.MAP_STORAGE and all its usages storage
#24103 Map Store Removal: Delete GlobalLockProvider storage
#24105 Map Store Removal: Rename Legacy* classes storage
#24107 Map Store Removal: Revert deprecated modules in model/legacy and rename "legacy" to "storage" storage
#24148 Add config property to specify a list of truststores
#24202 Cache stampede after client invalidation storage
#24245 Parse default UserProfile configuration in the build time
#24250 Allow selecting attributes from user profile when managing token mappers user-profile
#24344 Enhance error logs and error events during UserInfo endpoint and Token Introspection failure
#24412 Accessibility of 2FA method selection login/ui
#24422 UMA 2 not evaluating as expected when using permission tickets authorization-services
#24424 Query on update the ADFS FederationMetadata.xml on the keycloak instead of delete and recreating the IDP config #24310 saml
#24567 Map Store Removal: Revert changes related to map store in test classes in base testsuite storage
#24668 Features versioning
#24793 Map Store Removal: Remove `LockObjectsForModification` storage
#24798 Add truststores to keycloak cr
#24860 Initialize Infinispan earlier in the build chain dist/quarkus
#24926 Add polish translations admin/ui
#24995 Avoid deprecated API usage in testsuite/integration-arquillian/tests/base core
#25058 Add Polish Translations to Account UI account/ui
#25074 Update Kerberos provider for user-profile user-profile
#25075 Update SSSD provider for user-profile user-profile
#25103 Remove product from server info admin/ui
#25113 Add a test for the LoadBalancerCheck
#25146 Decouple "factory" methods from the "provider" methods on UserProfileProvider implementation user-profile
#25149 Replace the existing themes with the dynamic templates from user profile user-profile
#25236 Documentation about Australia Consumer Data Right security profile
#25238 Add missing Arabic messages
#25287 Upgrade Infinispan to 14.0.21.Final
#25288 Map Store Removal: Remove protostream dependency storage
#25300 Deprecate offline session preloading infinispan
#25308 Map Store Removal: Revert changes made to backchannelLogout storage
#25309 Map Store Removal: Remove ResponseSessionTask storage
#25314 Supporting OAuth 2.1 for confidential clients oidc
#25315 Client policies : executor for enforcing DPoP oidc
#25316 Supporting OAuth 2.1 for public clients oidc
#25328 Tests for client scopes/evaluate tab are missing
#25375 Extra tests for realm roles
#25388 Enable concurrent remote operations for Infinispan storage
#25403 Implements attributes field in KeycloakProfile interface admin/client-js
#25404 Adapt incremental build for latest changes in themes module ci
#25415 Describe how to use Infinispan Batch CRs for automation with the external Infinispan storage
#25416 Update UserProfileProvider.setConfiguration to accept UPConfig instead of String
#25487 Add extra tests for realm-settings in admin-ui
#25637 Client policies: executor for validate and match a redirect URI oidc
#25638 Keycloak native implementation of SD-JWT core
#25666 [Admin UI] Allow to customize built-in components administration UI via ConfiguredProvider
#25691 More info on UserProfileContext user-profile
#25738 Tooltips improvements when configuring user profile attribute user-profile
#25770 X509 client certificate login label extends out of form login/ui
#25823 Ability to declare a default "First broker login flow" per Realm
#25872 Make the `user` attribute available to the `idp-review-user-profile.ftl` template
#25882 RealmResourceProvider is not working as expected since version 23.0.0 core
#25897 Admin UI: Show realm display name on welcome page admin/ui
#25908 Could not format default value for log formats dist/quarkus
#25915 Make more clear in the documentation that the wait time is only increased on multiples of the max number of failures docs
#25935 Create Infinispan metrics with labels instead of long metric names
#25962 Missing localization of cs+sk messages
#25979 User profile attribute names with strange characters docs
#25985 Enable verify-profile required action by default user-profile
#26068 Reduce internal unsupported options in the Keycloak HA documentation
#26083 Change RHDG references to Infinispan
#26092 Do not use raw parameterized PropertyMapper dist/quarkus
#26146 Migration docs for https://github.com/keycloak/keycloak/issues/15190 docs
#26172 Permanently lock users out after X temporary lockouts during a brute force attack authentication
#26198 Comprehensive log for the LoggingDistTest and Quarkus IT testsuite
#26220 Don't differentiate Windows for getting started docs
#26223 Use `--http-max-queued-requests` option in Keycloak HA documentation docs
#26241 Do not use general debug log level for tests testsuite
#26315 Fully remove reasteasy-core
#26320 Allow formating numbers when rendering attributes user-profile
#26325 Remove unused HttpResponse.setWriteCookiesOnTransactionComplete
#26402 Improve wording in Concepts for configuring thread pools section in documentation
#26416 Remove support for old cookie path
#26430 Implement stricter controls at token endpoint for PKCE verification
#26457 Remove support for multiple AUTH_SESSION_ID cookies
#26469 Documentation for verify-profile required action enabled by default docs
#26485 Add missing Arabic translations translations
#26489 Ability to have alternative default user-profile configuration user-profile
#26530 Map Store Removal: Remove `RealmModel` from authorization services interfaces storage
#26552 Do we need to hide "required" settings for email? user-profile
#26570 Upgrade liquibase to 4.25.1
#26585 Improve UX of read-only attributes user-profile
#26587 Documentation for SuppressRefreshTokenRotationExecutor oidc
#26589 Allow Case-Insensitive Search on Provider Info Page in Admin UI admin/ui
#26598 Map Store Removal: deprecate model legacy module storage
#26626 Brute force detection should issue event for temporary lockout core
#26634 Documentation for default validation changes due user-profile enabled docs
#26683 Remove explicitly set `lit-element` version dist/quarkus
#26689 Update Maven dependency versions for docs docs
#26701 Upgrade to Quarkus 3.7.1 dist/quarkus
#26730 Add Multi-AZ Aurora DB to CI store-integration-tests
#26776 Update documentation to use new Infinispan configuration options
#26781 Update HA guide about non-blocking probes docs
#26810 Shorter lifespan for offline session cache entries in memory storage
#26812 Upgrade to embedded Infinispan 14.0.24 storage
#26819 Use version specific tag for Keycloak images in the docs docs
#26859 Upgrade to Quarkus 3.8 dist/quarkus
#26898 User profile: Add regression test for select inputs
#26910 Keycloak Operator should add service-ca.crt to the truststore operator
#26916 Upgrade to Quarkus 3.7.2 dist/quarkus
#26919 doc: add a clear mention in the documentation about the storage of the refresh and access token docs
#26921 Use latest OLM version for Operator CI testsuite
#26929 Ignore unrecognized truststore formats if `--truststore-paths` is a directory dist/quarkus
#26967 Aurora Postgres IT: Upload flaky and surefire test reports
#27036 Upgrade to Quarkus 3.7.3 dist/quarkus
#27048 Add Amazon Aurora PostgreSQL to the list of tested databases
#27078 Update Keycloak HA Guide new resource limit settings
#27084 Remove the preview note from Keycloak's HA guide
#27093 "Open ID Connect" in docs / UIs should be "OpenID Connect"
#27105 Add New User Registration Option on WebAuthn Authentication UI authentication/webauthn
#27121 Remove references to Quarkus docs and absolute URLs from HA Guide docs
#27123 Use AWS JDBC Wrapper in CI tests
#27125 Add warning about too long attribute values
#27143 Distinguish user registration action label from the security key registration action's one authentication/webauthn
#27147 Replace "Security Key" with "Passkey" in WebAuthn UIs and their documents authentication/webauthn
#27148 Allow overriding the default validators added to attributes user-profile
#27169 Tweak the default memory request and limit in the Operator operator
#27190 a11y improvements on login page
#27226 Upgrade to Quarkus 3.7.4 dist/quarkus
#27238 Add option to clients to use lightweight access token oidc
#27280 Upgrade to Infinispan 14.0.25
#27281 Allow option of using client_id instead of id_token_hint with RP-initiated logout in brokered IDP config/call. identity-brokering
#27315 Change docker image to container image
#27324 Remove RHSSO product documentation from upgrading guide docs
#27326 Edit Keycloak 24.0 release notes docs
#27327 Harmonize behaviour of different CertificateUtilsProvider implementations
#27440 Edit Keycloak 23.x Release Notes
#27452 Edit Keycloak 24 Upgrade guide

Bugs

#9871 Remove Infinispan workarounds introduced to prevent deadlocks storage
#11178 Event for MISSING_REQUIRED_DESTINATION with idp brokering incorrectly says error is related to logout even for a login response saml
#13080 Encoded token stored as KC_RESTART cookie uses weak algorithm- HS256 authentication
#13368 Issue when using DenyAuthenticator in direct-grant flow authentication
#14448 Multiple failures in OfflineServletsAdapterTest (testServlet, testServletWithConsent, testServletWithRevoke) testsuite
#14581 HTTP Redirect 303 to wrong URL (in case port is not 80) when trailing slash is not added dist/quarkus
#14776 Mail verification isn't working for multiple accounts in one session (only on auto login by clicking the verification mail, not by logging in with the credentials) authentication
#16260 Incorrect handling of OptionParserException in kcadm admin/cli
#17155 UPDATED_PASSWORD user action shouldn't be triggered when login with linked IdP user-profile
#17449 Removing the Realm ID and saving causes the realm to be vanished from the list of the realms admin/api
#19183 token-exchange does apply clientScopes of the origin client token-exchange
#19294 Error on starting keycloak when foldername contains ")" using kc.bat. dist/quarkus
#19886 Allow configuration cookies with `SameSite=Strict` for better compliance with strict regulations and standards authentication
#20304 When choosing resources in scope-based permission, multiple resource can be selected but only one will be visable admin/ui
#20867 Control redirect after password reset core
#21127 During password reset, the baseURL is not shown on the info page after browser restart authentication
#21151 Realm import stack overflow import-export
#21409 Brute Force Detection is disabled when updating frontenUrl via admin client authentication
#21542 Context path missing in URL on OTP page to switch between QR code and manual code core
#21730 v 22.0.0 - when creating a new realm the registration flow does not have terms and conditions step core
#21951 Unable to use `<` as part of a password admin/cli
#22082 Flaky test: org.keycloak.testsuite.model.session.OfflineSessionPersistenceTest#testPersistenceClientSessionsMultipleNodes storage
#22401 Common resources in Welcome page didn't resolve correctly welcome/ui
#22431 Localization: Admin UI doesn't pick up message bundles from realms other than master admin/ui
#22507 User profile attributes not localized in account console V3 user-profile
#22540 Description of "Configuring sources for Keycloak" inconsistent / misleading docs
#22555 Docs: server_development/topics/identity-brokering.adoc docs
#22660 Implementing custom ClientAuthenticator loses access to Client Secret Input Field in the Admin UI admin/ui
#22691 Flaky test: org.keycloak.testsuite.forms.RecoveryAuthnCodesAuthenticatorTest#test03AuthenticateRecoveryAuthnCodes authentication
#22836 Invalid redirect uri when identity provider alias has spaces identity-brokering
#22904 Flaky test: org.keycloak.testsuite.model.session.OfflineSessionPersistenceTest#testPersistenceMultipleNodesClientSessionAtSameNode ci
#22958 KeycloakErrorHandler NullPointerException String.toLowe rCase() because message is null authentication
#23023 Undocumented change in priority of X-Forwarded-* headers as of Quarkus distribution core
#23056 Flaky test: org.keycloak.testsuite.admin.concurrency.ConcurrencyTest#testAllConcurrently storage
#23217 NoSuchFileException with ${kc.home.dir} on Windows dist/quarkus
#23229 Realm client update via PUT returns invalid registration_client_uri with duplicated client ID in address admin/api
#23268 New Install with MySQL failing with REALM_SOCIAL_CONFIG ADD issue storage
#23399 Audience is lost after refreshing a RPT authorization-services
#23683 Default-Value in UI for krbPrincipalAttribute is error prone admin/ui
#23699 Account v3 theme - Localization not working on account console account/ui
#23786 Failure: FipsDistTest ci
#23966 Group members are displayed incorrectly when using LDAP in READ_ONLY mode admin/api
#24082 Selected locale is not taking into accoun in `keycloak.v3 account` theme account/ui
#24141 LDAP user mapper for username: user appears twice in the GUI ldap
#24144 Unable to locate entity descriptor: org.keycloak.examples.domainextension.jpa.Company core
#24200 NPE in User Session Note mapper on Token Exchange token-exchange
#24219 admin-fine-grained-authz + client authorization settings requires view-client role admin/ui
#24323 Refresh request ignores scope parameter from refresh request oidc
#24353 Keycloak operator tries to manipulate Secret which is not managed by Keycloak operator
#24361 Adding scopes via registration_client_uri does not work when using Dynamic Client Registration admin/api
#24369 UpdateUserLocaleAction does not trigger EventType.UPDATE_PROFILE event user-profile
#24459 Keycloak fails to start when uninstalling custom provider dist/quarkus
#24464 Tabbing is not working in forms inside dropdown admin/ui
#24485 NullPointerException when key is not available in the database oidc
#24506 Reopening 2 - CVE-2023-21971 - Update Connector/J to 8.0.33 dependencies
#24508 Deadlock when pre-loading remote sessions from external Infinispan storage
#24595 Leaving Single Sign Out page open for too long and then confirming logout leads to error page authentication
#24626 Upgrade testsuite to use SpringBoot 2.7 ci
#24651 Deleting a User or User Group might cause that all users suddenly get the permissions of the deleted user. authorization-services
#24652 SAML decryption fails if keycloak.saml.deprecated.encryption flag is set saml
#24718 Mapper Option "Add to access token" Toggled Off Despite Claim Added to Token admin/ui
#24767 Improve LDAP Condition implementations ldap
#24783 Keycloak Admin UI - Help text not localized in Realm Events Setting UI admin/ui
#24923 Importing Keycloak breaks typescript in esModule adapter/javascript
#24960 OpenAPI spec doesn't match the admin API admin/api
#24961 Keycloak not able to handle multiple validating X509 certificates when public key are the same saml
#24980 The `DefaultActionToken` serializes a JSON Object with duplicate keys oidc
#24986 `getMultiPartFormParameters()` always returns `EmptyMultivaluedMap` after upgrade to Resteasy Reactive core
#25001 Client redirect_uri check must be compared using exact string matching oidc
#25016 Make password visibility css classes configurable for themes login/ui
#25033 Typo in the balloon help of SAML Username Template Importer core
#25041 Incomplete Spanish translations for Admin UI translations
#25051 Unexpected Application Error when clicking "Cancel" on user creation page admin/ui
#25054 Read Only Access of the realm users' "Role mapping" tab is broken for Admin Console admin/ui
#25060 fix debug log string core
#25078 Log Injection during WebAuthn authentication/registration authentication
#25096 Meaning of briefRepresentation query parameter is inverted in GroupResource.getSubGroups admin/api
#25110 User Profile attribute with "Options" shows options of another attribute if none set on it user-profile
#25111 RealmAdminResource.getGroupByPathGroup does not work with space in path parameter admin/api
#25173 Make sure username is lowercase when normalizing attributes user-profile
#25183 NullPointerException thrown for UPConfig.getGroups() user-profile
#25208 GH Actions -> Keycloak CI -> MSSQL docker images fails during startup ci
#25231 CIBA and PAR are broken since 23.0.0 (NPE) when using http protocol oidc
#25235 Unable to start after updating Docker container dist/quarkus
#25290 Social Login Tests unable to retrieve Federated Access Token from user session testsuite
#25294 Kerberos principal attribute not found on LDAP user - even if kerberos authentication is off ldap
#25322 Warning "Event object wasn't available in remote cache" when using remote store
#25392 Admin Console: Realm Dropdown should only show the realms the user has access to admin/ui
#25417 Avoid keycloak-admin-client in UI to call admin console UI extension admin/ui
#25423 Confusing error message by pr-backport.sh when not authenticated to gh ci
#25433 Key provider UI issue while saving - RSA admin/ui
#25449 Clean up translations for DE/EN/NL for a first test-run of Weblate translations
#25451 Admin cli failing when adding roles to a 3rd group in a list admin/cli
#25463 Unnecessary user profile metdata sent on user update user-profile
#25475 User Profile: If required roles ("user") and reqired scopes are set, the required scopes have no effect user-profile
#25502 Account v3 theme - theme.properties Custom theme scripts not loading account/ui
#25515 Deleting an atribute from the UI is reseting the unmanaged attribute policy user-profile
#25544 Post Logout Redirect URIs "+" behavior is inconsistent with other usages (i.e. Web Origins) oidc
#25565 OpenAPI: POST for /admin/realms response is 201 admin/api
#25566 Failure in SSSDUserProfileTest.test05MixedInternalDBUserProfile testsuite
#25584 iss not returned as query param in redirect to app when using "prompt=none" and user is not authenticated oidc
#25601 OpenAPI: POST /admin/realms/{realm}/clients response is 201 admin/api
#25604 OpenAPI: Client authz endpoints without responses admin/api
#25628 Translations missing in user details role mapping admin/ui
#25633 Parsing of labels issue IDs doesn't work with colons and the "fixes" keyword ci
#25636 "Disable realm?" displayed when disabling client admin/ui
#25642 Failure in KeycloakDistConfiguratorTest's 'missingHostname' check testsuite
#25649 OpenAPI: In ClientRepresentation the property oauth2DeviceAuthorizationGrantEnabled was not known by the API. admin/api
#25656 OpenAPI: POST /admin/realms/{realm}/clients-initial-access response is 201 admin/api
#25660 Incorrect version of the fix in release notes
#25677 Removing all group attributes no longer works with keycloak-admin-client (java) admin/client-java
#25679 `/admin/realms/{realm-name}/ui-ext/realms` endpoint leaks realms the user doesn't have access to see admin/ui
#25699 Flaky test Job URL missing on some runs ci
#25704 Custom Validator is never executed when UserProfileContext is UPDATE_EMAIL user-profile
#25714 Flaky test: org.keycloak.testsuite.adapter.servlet.OfflineServletsAdapterTest#testServlet ci
#25731 /admin/realms/{realm}/groups Endpoint is slow admin/api
#25746 Using kcadm.sh create components result to 400 Bad Request admin/cli
#25752 [CI] Store Model Tests failures - UserSessionProviderOfflineModelTest, OfflineSessionPersistenceTest, UserSessionInitializerTest storage
#25753 Backchannel logout token is missing the "exp" claim oidc
#25783 Since 23, start-dev command line arguments parsing is buggy dist/quarkus
#25789 User events: labels overlap content admin/ui
#25827 admin ui uses hyphen instead of dot as realm attribute separator admin/ui
#25853 Timeouts after upgrade of download action v4 ci
#25878 HTML emails in Catalan don't contain links translations
#25883 ldap-group-mapper fails when empty member: attribute is present ldap
#25891 Optimize handling of terms and conditions during registration core
#25892 Test suite depends on artifacts built only when distribution profile is active ci
#25909 Keycloak HA Guide uses token for cross-site setup that expires
#25912 LDAP federation reports "Creating new LDAP Store..." on every login ldap
#25927 UI crash after using breadcrumb group navigation during an active group search admin/ui
#25934 On invalid submission, IdpUsernamePasswordForm sends back the user to the standard UsernamePasswordForm template authentication
#25939 Declartive user profile. When multiple attributes with options validator are defined and 1 is selected on UI shown that 2 of them have values. user-profile
#25951 Masthead tests fail often admin/ui
#25961 Native SQL Schema names broken on MySQL storage
#25977 No error message displayed when trying to add read-only attribute to some user in `Attributes` tab user-profile
#25980 Force reauthentication is ignored during identity brokering when mapping between OIDC and SAML protocols saml
#25981 GitHub Status check is green if the build fails ci
#26021 `mvn clean` does not work in js directory account/ui
#26032 Duplicate tooltip/label for refresh button on device activity page account/ui
#26036 subgroups clickopen not working admin/ui
#26040 Subgroups-check is incorrect, and therefore subgroups are not clickable admin/ui
#26051 Name ID Format field is confusing for User Attribute Mapper For NameID saml
#26052 Configure OTP Form regenerates Secret on reload authentication
#26059 Attempting to update settings for realm with "dots" in the name fails due to client side validation admin/ui
#26060 Various Localization tab issues
#26075 Next time you start message references the wrong command dist/quarkus
#26088 Rest custom JAX-RS resource in kc 23: Method not allowed core
#26131 Localization: Realm overrides subtab admin/ui
#26132 Localization: Effective message bundles subtab admin/ui
#26148 Keycloak JavaScript CI: client_scopes_test.spec.ts ci
#26156 A11y critical violation in ProviderId form field admin/ui
#26168 KC_DB_DRIVER is not propagated properly admin/cli
#26177 Invalidate authentication session on repeated OTP failures authentication
#26180 Invalidate authentication session on repeated Recovery Code failures authentication
#26228 With fine grained permissions enabled, the grouptree rights check is not working correctly admin/ui
#26231 keycloak-admin-client missing recent changes to group query parameters admin/client-js
#26236 Ensure community-maintained translations are not part of product build account/ui
#26266 Importing Realm with declarative user profile attributes fails user-profile
#26281 Incorrect example in the Keycloak operator configuration operator
#26291 Workflow failure: FIPS IT - KcSamlEncryptedIdTest#testEncryptedElementIsReadableInDeprecatedMode ci
#26295 Incomplete Chinese Translation for Login Page translations
#26308 Error when migrating from a realm where the user profile component does not hold any entry in the configuration user-profile
#26323 Reset credentials action fails when triggered from first broker login flow identity-brokering
#26330 HTTP status code 413 Request Entity Too Large for large SAMLResponse since Keycloak 23 saml
#26334 Resource and permission titles missing for a new client admin/ui
#26335 Bind flow modal broken admin/ui
#26337 Write tests to cover binding a flow testsuite
#26350 Fix more A11y violations admin/ui
#26358 Apparently incorrect tooltip on "type" field for a "resource" in a client admin/ui
#26363 Search dialog for authorization policy is wrong? admin/ui
#26374 Workflow failure: Quarkus IT - FipsDistTest#testUnsupportedHttpsPkcs12KeyStoreInStrictMode ci
#26375 The role Unassign button enabled in admin console even if no roles are selected admin/ui
#26383 Labels for WebAuthN missing in Account Console account/ui
#26390 More A11y Violations Detected admin/ui
#26400 Workflow failure: Admin UI E2E - realm_test.spec.ts ci
#26407 Typo in disable dialog admin/ui
#26409 Duplicate `key` for credentials on sign in page account/ui
#26418 Failed to link identity broker to user with a verified email by IdP email verification flow identity-brokering
#26420 Labels for WebAuthN Passwordless missing in Account Console account/ui
#26427 Operator CSV uses wrong format for `createdAt` field operator
#26452 Row remains selected when "cancel" clicked on deleting translation in the Localization/Realm Overrides tab admin/ui
#26464 "Test connection" on LDAPS URI does not test TLS handshake admin/api
#26468 SPI-truststore-file-type option appears to be invalid docs
#26490 Update Keycloak sizing guide after change of default hashing configuration core
#26507 Failed to link the user with an existing read-token role from the federation provider when AddReadTokenRoleOnCreate was enabled for the IdP. storage
#26529 Workflow failure: Quarkus IT - FipsDistTest#testUnsupportedHttpsPkcs12KeyStoreInStrictMode ci
#26549 Mysterious settings changes due to Keycloak cluster changes admin/ui
#26564 Issues related to IDNHomographValidator user-profile
#26584 User details locale select broken in realm specific admin console admin/ui
#26588 Infinite loop during X509 authentication authentication
#26597 Keycloak UI meets "Internal Sever Error" after save "Refresh Token Max Reuse" number core
#26604 Arc container is null dist/quarkus
#26609 allow sending realm in request without changing the kc admin object admin/client-js
#26612 Wrong delete messages in Realm overrides admin/ui
#26618 CLIENT_ATTRIBUTES index idx_client_att_by_name_value no longer exists since KC 20 (postgres) storage
#26631 Keycloak HA guide with blank and callout docs
#26635 Account UI ships too much Beer in user attributes user-profile
#26636 Immediately reflect flow binding status on flow definition page in Admin UI when binding an auth flow admin/ui
#26643 Replace "message bundle" text to "translation" in realm overrides admin/ui
#26649 PhantomJS does not send secure cookies over http://localhost core
#26651 [keycloak.js] useNonce parameter is all-or-nothing adapter/javascript
#26653 Disallow removing required filters when searching for effective message bundle. admin/ui
#26665 Unable to modify access token lifespan at realm level. Keycloak stops working. core
#26668 Wrong help for "Create initial access token" expiration field admin/ui
#26686 Not possible to build documentation after quarkus upgrade docs
#26697 When creating a user federation mapper changing the type doesn't change User Roles Retrieve Strategy admin/ui
#26716 User Profile Applies Validation To Service Account Users user-profile
#26727 Auto layout of authenticator flow graph only applies the second time admin/ui
#26747 Tooltip for attribute name in user-profile configuration is incorrect user-profile
#26750 Empty error message when validation issue due the PersonNameProhibitedValidator validation user-profile
#26782 Accessing userinfo fails with CORS when token is expired or session is deleted oidc
#26790 Workflow failure: Operator IT on OpenShift ci
#26792 User profile 'uri' validator not working user-profile
#26816 Keycloak server admin docs needs change with the new hashing iteration changes docs
#26818 bug in operator example yaml operator
#26826 Freemarker erroneously escapes/sanitizes URL in template.ftl (&) login/ui
#26830 Duplicate "Refresh" buttons present in admin-ui admin/ui
#26834 Disabling "Reset OTP" in "Reset credentials" flow throws error on "forgot password" authentication
#26853 Fixing anchors in security apps guide in prod profile docs
#26856 Remove custom user attributes section in server developer guide user-profile
#26937 Once all default client scopes are deleted from the realm we can't create a new custom role. core
#26941 When loading entries from a remote store at startup, no lifespan or expiry is set core
#26951 Roles admin REST API for creating roles: Composite roles are expanded admin/api
#26983 Group not found in list after creation core
#27002 Refresh doesn't work in Localization/Effective message bundles admin/ui
#27005 Unable to approve/deny permission requests account/ui
#27031 Having read-only attributes stored at a user leads to validation warning on every login user-profile
#27095 Cache Keys for Group pagination and other entries cannot be invalidated and updated infinispan
#27120 Microsoft social login failure testsuite
#27133 Workflow failure: Keycloak CI - Store IT (aurora-postgres) ci
#27137 Users with fine-grained permissions can not create a user admin/ui
#27140 Locale selector is unnecessarily visible without rights to locales admin/ui
#27162 Default locale is set to null when not explicitly choosing a locale admin/ui
#27173 Newly created authentication subflow is always disabled admin/ui
#27234 Cannot update email in account console with `update-email` feature enabled account/ui
#27243 Account console not working when lightweight-access-tokens used oidc
#27271 AuthorityKeyIdentifierExtension should be calculated from caCert (if it present) in generateV3Certificate, not from subjPubKeyInfo core
#27284 FolderTheme does not support Locales with extensions core
#27290 AWS JDBC driver throws ConcurrentModificationException storage
#27297 Check for duplicated usernames and emails when Login with email option is enabled user-profile
#27316 Server admin guide not building downstream due to missing IDs docs
#27337 Workflow failure: Admin UI E2E - realm_settings_user_profile_enabled admin/ui
#27344 Secure Redirect URI executor issues oidc
#27345 Workflow failure: Keycloak CI - OAuth 2.0 Grant Type SPI ci
#27406 JavaDocs generation broken after removal of resteasy-core
#27409 Apply remote store workaround also for configuration via CLI options
#27412 OAuth 2.1 default profile lacks oauth-2-1-compliant setting for SecureRedirectUrisEnforcerExecutor oidc

Keycloak 23.0.7 released

Thu, 22 Feb 2024 00:00:00 GMT

To download the release go to Keycloak downloads.

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Enhancements

#26810 Shorter lifespan for offline session cache entries in memory storage

Bugs

#22431 Localization: Admin UI doesn't pick up message bundles from realms other than master admin/ui
#23786 Failure: FipsDistTest ci
#25294 Kerberos principal attribute not found on LDAP user - even if kerberos authentication is off ldap
#25883 ldap-group-mapper fails when empty member: attribute is present ldap
#25912 LDAP federation reports "Creating new LDAP Store..." on every login ldap
#25961 Native SQL Schema names broken on MySQL storage
#26374 Workflow failure: Quarkus IT - FipsDistTest#testUnsupportedHttpsPkcs12KeyStoreInStrictMode ci
#26529 Workflow failure: Quarkus IT - FipsDistTest#testUnsupportedHttpsPkcs12KeyStoreInStrictMode ci
#26826 Freemarker erroneously escapes/sanitizes URL in template.ftl (&) login/ui
#27120 Microsoft social login failure testsuite

Keycloak 23.0.6 released

Fri, 2 Feb 2024 00:00:00 GMT

To download the release go to Keycloak downloads.

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Bugs

#26427 Operator CSV uses wrong format for `createdAt` field operator
#26597 Keycloak UI meets "Internal Sever Error" after save "Refresh Token Max Reuse" number core
#26665 Unable to modify access token lifespan at realm level. Keycloak stops working. core

Keycloak 23.0.5 released

Mon, 29 Jan 2024 00:00:00 GMT

To download the release go to Keycloak downloads.

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

New features

#25733 Update Route53 HA guide to be compatible with ROSA and Openshift 4.14.x
#26028 Remove conditional statements about Windows / Linux from the docs docs

Enhancements

#20125 Role mapping tab no longer visible when using fine grained permissions after upgrade from 20.0.3 to 21.0.2 admin/ui
#26006 Clarification needed of use of containers
#26083 Change RHDG references to Infinispan
#26220 Don't differentiate Windows for getting started docs
#26417 Update to Quarkus 3.2.10

Bugs

#14448 Multiple failures in OfflineServletsAdapterTest (testServlet, testServletWithConsent, testServletWithRevoke) testsuite
#24219 admin-fine-grained-authz + client authorization settings requires view-client role admin/ui
#24586 Read Only Access of a realm clients' Authz is broken for Admin Console admin/ui
#24918 User details tab does not display or update attibutes with dot admin/ui
#25054 Read Only Access of the realm users' "Role mapping" tab is broken for Admin Console admin/ui
#25078 Log Injection during WebAuthn authentication/registration authentication
#25392 Admin Console: Realm Dropdown should only show the realms the user has access to admin/ui
#25502 Account v3 theme - theme.properties Custom theme scripts not loading account/ui
#25677 Removing all group attributes no longer works with keycloak-admin-client (java) admin/client-java
#25679 `/admin/realms/{realm-name}/ui-ext/realms` endpoint leaks realms the user doesn't have access to see admin/ui
#25714 Flaky test: org.keycloak.testsuite.adapter.servlet.OfflineServletsAdapterTest#testServlet ci
#25783 Since 23, start-dev command line arguments parsing is buggy dist/quarkus
#25827 admin ui uses hyphen instead of dot as realm attribute separator admin/ui
#25909 Keycloak HA Guide uses token for cross-site setup that expires
#25981 GitHub Status check is green if the build fails ci
#26291 Workflow failure: FIPS IT - KcSamlEncryptedIdTest#testEncryptedElementIsReadableInDeprecatedMode ci

Keycloak 23.0.4 released

Mon, 8 Jan 2024 00:00:00 GMT

To download the release go to Keycloak downloads.

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Bugs

#9693 PubKeySignRegisterTest failures in WebAuthn tests testsuite
#24508 Deadlock when pre-loading remote sessions from external Infinispan storage
#24763 Remove sign out action for offline sessions admin/ui
#25016 Make password visibility css classes configurable for themes login/ui
#25096 Meaning of briefRepresentation query parameter is inverted in GroupResource.getSubGroups admin/api
#25111 RealmAdminResource.getGroupByPathGroup does not work with space in path parameter admin/api
#25120 CORS issue in 'openid-connect/certs' endpoint oidc
#25475 User Profile: If required roles ("user") and reqired scopes are set, the required scopes have no effect user-profile
#25633 Parsing of labels issue IDs doesn't work with colons and the "fixes" keyword ci
#25753 Backchannel logout token is missing the "exp" claim oidc
#25878 HTML emails in Catalan don't contain links translations

Recover from site failures with a Multi-Site Setup

Alexander Schwartz, Kamesh Akella — Mon, 18 Dec 2023 00:00:00 GMT

For a Customer Identity and Access Management (CIAM) system, high availability is essential as it is a single point for all systems where customers log in. For Keycloak 23, there is a new and updated High Availability guide describing multi-site setups. With detailed instructions and blueprints targeting cloud infrastructure, this is documented, tested, and ready to be tried out.

Read on to find out what is new, and take a peek behind the scenes how this setup has been evaluated, tested and improved. And finally, we are providing an outlook when this will no longer be a preview feature.

Improved documentation and new blueprints

The recent updates to Keycloak’s multi-site setup mark a significant milestone. Keycloak 23 includes an opinionated guide on setting up Keycloak in a multi-site configuration including blueprints for a cloud setup.

The high-level topics of this documentation are:

Concept and building block overview

These guides include step-by-step instructions to bring up different components of the Keycloak multi-site architecture such as:

What does an active-passive setup with Keycloak architecture look like?
How to use an external database?
How to tune the resources for each of these architectural components?

Blueprints for building blocks

A series of guides around how to deploy Keycloak in various configurations on Amazon Web Service.

Operational procedures

These guides include detailed operational procedures, ensuring that users can set up and operate their multi-site Keycloak instances efficiently.

Validation of the multi-site setup

Before we published the guides above, we worked on the tooling that allows us both experimenting and getting reproducible results for performance, scalability and chaos testing our solution.

With these tools, we tested first a single-site setup, and once that worked sufficiently well, also a multi-site setup.

All these tools are available as open source, and we invite you to review them to give us feedback, and use them in your environment to run your own performance benchmark and regression tests:

Dataset Provider: Install this into a Keycloak server in a test environment, and create as many users, clients, groups, etc. as you need to run your performance benchmark. Keycloak caches a lot of information in its internal caches, and so does the database, so you will be able to spot some problems only when you have the right amount of data in your database.
Benchmark: This contains ready-to-be used scenarios for authentication flows and for Keycloak’s admin REST endpoints. If it does not fit your needs yet, use it as a library to create your own Gatling scenarios based on existing and custom steps. These tests are deployed as a JAR and a shell script wrapper, so you will only need to install Java on your load runners and you are ready to go.
Dedicated EC2 load drivers: Use these Ansible playbooks to spin up a set of EC2 instances to drive load against a Keycloak test installation, and aggregate the results.
Automated OpenShift installation on AWS: Based on Red Hat OpenShift Service on AWS (ROSA), use the scripts to provision an instance with monitoring, logging and useful Operators preconfigured, ready to deploy Keycloak.
Automated Aurora installation: Set up an Aurora in different variants regional or global, and connect it to a ROSA environment.
Opinionated Keycloak deployment for Minikube or OpenShift: This deploys Keycloak with additional monitoring and debugging tools so we can look at metrics, logs and traces as needed
Scripted AWS Route 53 load balancer: Set up Route 53 for an active-passive setup to distribute the load to two Keycloak deployments in different OpenShift clusters
Scripted Multi-AZ deployment: Every weekday we create a new Multi-AZ setup from scratch using GitHub actions, a performance testsuite, and record the results. This way we catch functional and performance regressions as they occur.

Thank you to everyone in the community who has already tried out these tools, found bugs and submitted ideas for improvements!

Keycloak got better for everyone

When using the tools listed above, we were able to reproduce several situations where Keycloak needed to improve. Here are of the improvements which are available in Keycloak 23 for both single-site and multi-site setups:

Non-Blocking liveness probe: When running Keycloak under a high load, requests might queue up in a Keycloak instance. The more requests queue up, the longer it takes to reply to the requests. In previous versions also the requests to the liveness probe (/health/live) were queued, and the probe eventually timed out, and then Kubernetes restarted the Pod. In the latest version of Keycloak, the probe is re-implemented to be non-blocking, so it will not queue, and therefore will not time out and the Pod is not restarted under a high load.
Load Shedding: When requests are queued as described above, the caller will not get a response in time, and the Pod might eventually run out of resources like memory or network connections. The recommended recipe is to drop requests early when an instance will not be able to serve the requests in time, which is called load shedding. Keycloak 23 now supports the new option http-max-queued-requests that can limit the number of concurrent blocking requests. When the number is exceeded, Keycloak immediately returns the response 503 Server not Available. This has two benefits: The caller receives an immediate response and can retry later, and resources are freed on the server side immediately.
Prevented cache stampede for realms and clients: When a new Keycloak instance starts or restarts, its caches are empty. If under high load parallel requests arrive for the same realm or the same client on a node of Keycloak, previous versions of Keycloak loaded the data from the database in each parallel request. This caused a spike in database connection usage and an initial response delay. The same happens when a cache or realm entry in the cache is evicted, for example, because it was modified. The latest version of Keycloak prevents this so that each Keycloak instance will fetch the data from the database once, and all other parallel requests then use this data without querying the database again (see #21521 and #22988, #24202).
Align the number of JGroup threads with the number of Quarkus threads: The more Keycloak instances run in a cluster, and the more requests are processed in parallel, the higher is the load on the JGroups thread pool. The JGroups thread pool ensures smooth communication for the embedded Infinispan of Keycloak, and could lead to timeouts on the internal Infinispan communications if its capacity is exceeded. The high-availability docs now contain documentation on how to set the Quarkus thread pool to not exceed the JGroup thread pool.
Improved Infinispan Metrics: The embedded Infinispan provides improved metrics that allow you to monitor your cluster. The metrics exposed by the Keycloak’s metrics endpoint now contain only Infinispan metrics for the current node, so they will not block if another Pod is currently starting up or shutting down (ISPN-15042 and ISPN-15072). This way you have better visibility of your cluster during those critical moments. The metrics can now expose the cache names as labels, so they can be plotted simpler in dashboards by adding a <metrics names-as-tags="true" /> to the Infinispan XML configuration. Additional metrics are available for the latencies between sites.
Reliable Infinispan operations: We tested Infinispan and its communication layer JGroups thoroughly, and we were able to fix situations where a state transfer stalled (ISPN-14982), or an initial state transfer failed. The Gossip router used in the multi-site setup now works even in situations where a load balancer has multiple IP addresses (JGRP-2722, JGRP-2721, infinispan-operator#1857, and infinispan-operator#1856).

Can the blueprints or scripts be used in production?

As part of the testing we did, we optimized Keycloak and those optimizations are built into Keycloak. They are available without the need for additional configuration except for the JGroup thread pool configuration. While the configuration of Keycloak on Kubernetes might match a production environment quite closely, we expect the database, network, load balancer and security hardening to be different in every organization, so you will need to adapt it to your needs.

This is why we chose to document the blueprints as text, so you can learn about the choices we made and why different aspects are configured in one setup, while others are at their default settings.

The scripts we use for the automated setup in the Keycloak Benchmark project focus on high availability and mix this with configurations that are simple to debug and analyze from an engineering perspective. A production-ready setup would not have that functionality, so we do not recommend using the scripts as is. Still, they can serve as a starting point for your own automation.

Read the guides and give it a try!

At the moment, we are running the final tests for an active/passive setup and work toward automating more tests. We are also looking for feedback from the community in this GitHub discussion on multi-site setups: Do you like what you see here? Is something missing? Your feedback is essential!

Once our tests are complete, and we receive feedback from the community, we plan to make it a fully supported feature. This is a huge opportunity for the community to engage with this setup, try it in your environment, and share your findings. Let’s build a stronger and more resilient Keycloak together!

Keycloak 23.0.3 released

Fri, 15 Dec 2023 00:00:00 GMT

To download the release go to Keycloak downloads.

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Enhancements

#25388 Enable concurrent remote operations for Infinispan storage

Bugs

#24718 Mapper Option "Add to access token" Toggled Off Despite Claim Added to Token admin/ui
#25208 GH Actions -> Keycloak CI -> MSSQL docker images fails during startup ci
#25231 CIBA and PAR are broken since 23.0.0 (NPE) when using http protocol oidc
#25322 Warning "Event object wasn't available in remote cache" when using remote store
#25437 Failed to find theme resources, using built-in themes when accessing account console account/ui

Keycloak 23.0.2 released

Thu, 14 Dec 2023 00:00:00 GMT

To download the release go to Keycloak downloads.

Highlights

Non-blocking health check for load balancers

A new health check endpoint available at /lb-check was added. The execution is running in the event loop which means this check is responsive also in overloaded situations when Keycloak needs to handle many requests waiting in request queue. This behavior is useful, for example, in multi-site deployment where we do not want to fail over to the other site under heavy load. The endpoint is currently checking availability of the embedded and external Infinispan caches. Other checks may be added later.

This endpoint is not available by default. To enable it, run Keycloak with feature multi-site. Proceed to Enabling and disabling features guide for more details.

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Enhancements

#25113 Add a test for the LoadBalancerCheck
#25287 Upgrade Infinispan to 14.0.21.Final

Bugs

#24652 SAML decryption fails if keycloak.saml.deprecated.encryption flag is set saml
#24986 `getMultiPartFormParameters()` always returns `EmptyMultivaluedMap` after upgrade to Resteasy Reactive core
#25001 Client redirect_uri check must be compared using exact string matching oidc
#25010 Bug: KC_DB_USERNAME environment variable is causing a crash in latest version dist/quarkus
#25051 Unexpected Application Error when clicking "Cancel" on user creation page admin/ui
#25108 Documentation Inconsistency about Open Banking(Finance) Brasil FAPI security profile docs
#25124 If a client does not have a URL the applications page in the account console links to about:blank account/ui
#25173 Make sure username is lowercase when normalizing attributes user-profile
#25183 NullPointerException thrown for UPConfig.getGroups() user-profile
#25307 Keycloak instance `HasErrors` true after update: `More than 1 secondary resource related to primary` operator

Join Keycloak Developer Day: A Celebration of Innovation and Community!

Sebastian Rose — Mon, 11 Dec 2023 00:00:00 GMT

Are you passionate about Keycloak and eager to dive deeper into this incredible Open Source IAM solution? Then don’t miss Keycloak Developer Day – a one-day, community-driven conference in Frankfurt/Main Germany in February 2024, dedicated to Keycloak and its vibrant community.

Community Event to celebrate Keycloak

Niko and I (Sebastian) have been active in the Keycloak community for years and have been using Keycloak in many customer projects. We co-organize the Java User Group Darmstadt, and participate in community events like the JavaLand conference. Now we want to take the next step: Create a special event to celebrate and explore the vast possibilities of Keycloak. We’re thrilled to invite you to be part of this exciting first occasion, the Keycloak Developer Day 2024!

Tailored for users of Keycloak

We’re calling everyone using Keycloak in their day-to-day work – whether you’re tackling operational challenges, brainstorming innovative solutions to unique use-cases, or just curious about the future of IAM – to join us.

Expect a day filled with insightful talks, hands-on workshops, and plenty of opportunities to network with fellow Keycloak enthusiasts and Keycloak maintainers. The feature set of Keycloak is as vast as it is impressive, promising a rich array of topics to explore.

Book your ticket online

Don’t miss this unique opportunity to connect, share, and grow with the Keycloak community. Book your ticket today at keycloak-day.dev and join us in celebrating Keycloak!

Keycloak 23.0.1 released

Wed, 29 Nov 2023 00:00:00 GMT

To download the release go to Keycloak downloads.

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Bugs

#23841 Users page with LDAP User Storage Provider Cannot read properties of undefined admin/ui
#23872 Attempt to request storage access in Firefox oidc
#24261 „Unlink users“-Option greyed out in ldap federation admin/ui
#24958 Error handling in admin console when update of user fails due the 400 HTTP error code admin/ui
#24961 Keycloak not able to handle multiple validating X509 certificates when public key are the same saml
#24984 Operator is missing CRDs metadata in CSV operator
#25008 Group search when creating user admin/ui
#25022 NPE in checkAndBindMtlsHoKToken on Token Refresh when using SuppressRefreshTokenRotationExecutor and Certificate Bound Token oidc

Keycloak 23.0.0 released

Thu, 23 Nov 2023 00:00:00 GMT

To download the release go to Keycloak downloads.

Highlights

OpenID Connect / OAuth 2.0

FAPI 2 drafts support

Keycloak has new client profiles fapi-2-security-profile and fapi-2-message-signing, which ensure Keycloak enforces compliance with the latest FAPI 2 draft specifications when communicating with your clients. Thanks to Takashi Norimatsu for the contribution.

DPoP preview support

Keycloak has preview for support for OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP). Thanks to Takashi Norimatsu and Dmitry Telegin for their contributions.

More flexibility for introspection endpoint

In previous versions, introspection endpoint automatically returned most claims, which were available in the access token. Now there is new switch Add to token introspection on most of protocol mappers. This addition allows more flexibility as introspection endpoint can return different claims than access token. This is first step towards "Lightweight access tokens" support as access tokens can omit lots of the claims, which would be still returned by the introspection endpoint. When migrating from previous versions, the introspection endpoint should return same claims, which are returned from access token, so the behavior should be effectively the same by default after the migration. Thanks to Shigeyuki Kabano for the contribution.

Feature flag for OAuth 2.0 device authorization grant flow

The OAuth 2.0 device authorization grant flow now includes a feature flag, so you can easily disable this feature. This feature is still enabled by default. Thanks to Thomas Darimont for the contribution.

Authentication

Passkeys support

Keycloak has preview support for Passkeys.

Passkey registration and authentication are realized by the features of WebAuthn. Therefore, users of Keycloak can do passkey registration and authentication by existing WebAuthn registration and authentication.

Both synced passkeys and device-bound passkeys can be used for both Same-Device and Cross-Device Authentication. However, passkeys operations success depends on the user’s environment. Make sure which operations can succeed in the environment. Thanks to Takashi Norimatsu for the contribution and thanks to Thomas Darimont for the help with the ideas and testing of this feature.

WebAuthn improvements

WebAuthn policy now includes a new field: Extra Origins. It provides better interoperability with non-Web platforms (for example, native mobile applications). Thanks to Charley Wu for the contribution.

You are already logged-in

There was an infamous issue that when user had login page opened in multiple browser tabs and authenticated in one of them, the attempt to authenticate in subsequent browser tabs opened the page You are already logged-in. This is improved now as other browser tabs just automatically authenticate as well after authentication of first browser tab. There are still corner cases when the behaviour is not 100% correct, like the scenario with expired authentication session, which is then restarted just in one browser tab and hence other browser tabs won’t follow automatically with the login. So we still plan improvements in this area.

Password policy for specify Maximum authentication time

Keycloak supports new password policy, which allows to specify the maximum age of an authentication with which a password may be changed by user without re-authentication. When this password policy is set to 0, the user will be required to re-authenticate to change the password in the Account Console or by other means. You can also specify a lower or higher value than the default value of 5 minutes. Thanks to Thomas Darimont for the contribution.

Deployments

Preview support for multi-site active-passive deployments

Deploying Keycloak to multiple independent sites is essential for some environments to provide high availability and a speedy recovery from failures. This release adds preview-support for active-passive deployments for Keycloak.

A lot of work has gone into testing and verifying a setup which can sustain load and recover from the failure scenarios. To get started, use the high-availability guide which also includes a comprehensive blueprint to deploy a highly available Keycloak to a cloud environment.

Adapters

OpenID Connect WildFly and JBoss EAP

OpenID Connect adapter for WildFly and JBoss EAP, which was deprecated in previous versions, has been removed in this release. It is being replaced by the Elytron OIDC adapter,which is included in WildFly, and provides a seamless migration from Keycloak adapters.

SAML WildFly and JBoss EAP

The SAML adapter for WildFly and JBoss EAP is no longer distributed as a ZIP download, but rather a Galleon feature pack, making it easier and more seamless to install.

See the Securing Applications and Services Guide for the details.

Server distribution

Load Shedding support

Keycloak now features http-max-queued-requests option to allow proper rejecting of incoming requests under high load. For details refer to the production guide.

RESTEasy Reactive

Keycloak has switched to RESTEasy Reactive. Applications using quarkus-resteasy-reactive should still benefit from a better startup time, runtime performance, and memory footprint, even though not using reactive style/semantics. SPI’s that depend directly on JAX-RS API should be compatible with this change. SPI’s that depend on RESTEasy Classic including ResteasyClientBuilder will not be compatible and will require update, this will also be true for other implementation of the JAX-RS API like Jersey.

User profile

Declarative user profile is still a preview feature in this release, but we are working hard on promoting it to a supported feature. Feedback is welcome. If you find any issues or have any improvements in mind, you are welcome to create Github issue, ideally with the label area/user-profile. It is also recommended to check the Upgrading Guide with the migration changes for this release for some additional informations related to the migration.

Group scalability

Performance around searching of groups is improved for the use-cases with many groups and subgroups. There are improvements, which allow paginated lookup of subgroups. Thanks to Alice for the contribution.

Themes

Localization files for themes default to UTF-8 encoding

Message properties files for themes are now read in UTF-8 encoding, with an automatic fallback to ISO-8859-1 encoding.

See the migration guide for more details.

Storage

Removal of the Map Store

The Map Store has been an experimental feature in previous releases. Starting with this release, it is removed and users should continue to use the current JPA store. See the migration guide for details.

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Removed features

#23348 Remove `P3P` header from authentication flow oidc

New features

#23155 [WebAuthn] origin validation not support for non-Web platforms core

Enhancements

#431 Remove Wildfly/EAP OIDC and SAML adapter downloads web
#505 Quickstarts - Wildfly upgrade and README cleanup quickstarts
#510 SAML quickstart - provisioning of SAML adapter via Galleon quickstarts
#9318 User profile configuration API is incorrectly typed docs
#10128 Improve failed test behaviour operator
#10620 Internationalized Domain Names in email address user-profile
#10713 Update the server to use RESTEasy Reactive
#10803 Persist session in JDBC store without using external infinispan cluster storage
#11668 Declarative User Profile: weird behaviour in Account Management Console user-profile
#12406 Remove "You are already logged-in" during authentication authentication
#14009 CreatedTimestamp on REST import not used
#14165 Cannot refresh RPT tokens authorization-services
#14400 Add proxy options to Keycloak CR operator
#15018 Enhancements around proxy and hostname configuration
#15072 Allow setting a help text to an attribute user-profile
#15109 Refactor patch-sources.sh used by the Operator operator
#17258 Data too long for column 'DETAILS_JSON' storage
#20343 message bundles are not included in the realm export import-export
#20584 FAPI 2.0 security profile - supporting RFC 9207 OAuth 2.0 Authorization Server Issuer Identification
#20695 Add support for single-tenant in Microsoft Identity Provider
#20794 Can we simplify TokenManager.getRefreshExpiration() and TokenManager.getOfflineExpiration()? oidc
#20884 [Admin Console v2] Policy creation at Permissions screen missing admin/ui
#21073 Identity providers: pagination in admin REST API
#21154 Allow existing mappers for Custom Identity Providers identity-brokering
#21181 Add FAPI 2.0 security profile as default profile of client policies
#21182 Enhancing Pluggable Features of Token Manager
#21183 More flexibility for Introspection endpoint oidc
#21200 DPoP support 1st phase
#21444 Set `client_id` when using `private_key_jwt` with OIDC IdP identity-brokering
#21945 Release notes for FAPI 2
#22034 Keycloak, javascript lib to not use the escape() function adapter/javascript
#22215 DPoP verification in UserInfo endpoint oidc
#22318 Allow overriding Account Console resources for full control and backwards compatibility
#22372 Expand Group providers to allow for paginated lookup of subgroups storage
#22725 Do not initialize barrier build items for deployment dist/quarkus
#22868 Clarification on the tooltip of option "Validate Password Policy" of LDAP provider admin/ui
#23194 Add regex support in 'Condition - User attribute' execution authentication
#23340 Implement load shedding for RESTEasy reactive
#23527 Better usability when disabling user profile and loosing the previous cofiguration user-profile
#23891 Add feature flag for OAuth 2.0 device authorization grant flow oidc
#24024 User profile tweaks in registration forms user-profile
#24072 Lots of parameters related to identity brokering uses `providerId` when they expect `providerAlias` identity-brokering
#24273 Add a property to the User Profile Email Validator for max length of the local part user-profile
#24278 Transient users: documentation core
#24387 Move some UserProfile and Validation classes into keycloak-server-spi user-profile
#24494 Transient users: Consents core
#24535 Moving UPConfig and related classes from keycloak-services user-profile
#24844 Add High Availability Guide to Keycloak's main repository
#24912 Add Galleon layer metadata to the SAML Galleon feature-pack adapter/jee-saml

Bugs

#468 Cant build it quickstarts
#503 Automate Keycloak version replacement quickstarts
#508 set-version script does not update package(-lock).json files in js and nodejs quickstarts quickstarts
#515 [Keycloak Quickstarts CI failure] loginToAdminConsole method fails in ArquillianSysoutEventListenerProviderTest.testEventListenerOutput due to Unable to locate element: {"method":"css selector","selector":"#username"} exception quickstarts
#8939 PAR fails to authenticate for public client oidc
#9004 Access Token claims not imported using OpenID Connect v1.0 Identity Provider Attribute Importer Mappers oidc
#10710 Rollup.js complains about the use of eval in one of keycloak.js's dependencies adapter/javascript
#11699 Under heavy load, DefaultBruteForceProtector blocks the whole system authentication
#12062 Declarative User Profile export user-profile
#12171 Inconsistent authorization behavior when exporting data from a realm authorization-services
#14134 [keycloak 18] cannot import users with correct ID in partial import admin/api
#16379 Inconsistent handling of parenthesis in auth flow name admin/api
#16526 Token introspection response does not follow RFC6479 "scope" parameter format oidc
#19093 The create new user page requires the admin user to be given the "Manage-Realm" role in order to see the user profile attributes in the create new user page admin/api
#19125 kcadm do not update defaultGroups docs
#19154 Non working API docs link docs
#19555 When update-email feature is enabled, changing emails two times in a row causes unintuitive behaviour authentication
#20135 Searching for multiple types in the Events section gives an error admin/client-js
#20218 Role mappers must return a single value when they are not multivalued oidc
#20316 Email pattern is not compliant account/api
#20453 Admin UI incredibly slow with 300 realms admin/api
#20537 [Declarative User Profile] OIDCAttributeMapperHelper throws NumberFormatException for optional user attributes user-profile
#20763 Flaky test: org.keycloak.testsuite.admin.authentication.FlowTest#testAddRemoveFlow ci
#20830 Token-exchange is not working for OpenID Connect v1.0 provider in KC 21.1.1 token-exchange
#20852 [Declarative User Profile] Attributes are created as required by default but switch is set to "not required" user-profile
#20885 Key length is limited to 4000 characters storage
#21010 Cannot display 'Authentication Flows' screen when a realm contains more than ~4000 clients storage
#21123 NPE in getDefaultRequiredActionCaseInsensitively admin/api
#21236 Keycloak Event clientId is null when ever a logout event is fired. core
#21555 Listing realms due to realm drop-down admin/ui
#21660 Wrong convert timestamp to date account/ui
#21779 Flaky test: org.keycloak.testsuite.script.DeployedScriptAuthenticatorTest#loginShouldWorkWithScriptAuthenticator authentication
#21780 Flaky test: org.keycloak.testsuite.script.DeployedScriptAuthenticatorTest#loginShouldFailWithScriptAuthenticator authentication
#21797 DN with RDN that contains trailing backslash is imported incorrectly into Keycloak ldap
#21805 Missing labels account console account/ui
#21818 DN with RDN that contains trailing space is imported incorrectly into Keycloak ldap
#21830 Operator doesn't pass on system property 'jgroups.dns.query' to Keycloak but an env variable, leading to a warning in the log operator
#22143 WatchedSecretsTest.testSecretChangesArePropagated error in OCP ci
#22177 Missing client_id validation match when authenticating client with JWT
#22191 Verification of iss at refresh token request oidc
#22332 Selecting resource on resource based permission gives error admin/ui
#22337 kc.sh errors if using characters like semicolon inside the arguments docs
#22375 Possible NullPointerException core
#22395 Email sending fails when SPI truststore is configured and hostnameVerification set to 'ANY' core
#22432 inputOptionLabels is not used by Admin UI admin/ui
#22583 Fine grained permissions not rendering account/ui
#22638 SAML AdvancedAttributeToRoleMapper does not allow predicate evaluation on same Array Attribute saml
#22814 user search with "q" parameter ignores keys of length 1 and returns all users admin/api
#22818 inputOptionLabels is not used by Account UI v3 account/ui
#22890 Keycloak 22.0.1: NPE in Edit Identity Provider Mapper on second Save admin/api
#22937 ProviderConfigProperty.MULTIVALUED_LIST_TYPE not working in FormAction admin/ui
#22988 Cache stampede after realm cache invalidation infinispan
#23044 Docs: server_admin/topics/sessions/transient.adoc authentication
#23128 Regex defect in federation script federation-sssd-setup.sh dist/quarkus
#23173 crypto/elytron package has several bugs core
#23180 TypeError in user profile admin-ui admin/ui
#23253 CLI args not recognized when running Quarkus dev mode dist/quarkus
#23255 Several help text messages missing in saml identity provider admin/ui
#23404 Cannot assign client roles to a user when a realm contains more than ~4000 clients storage
#23444 After the recent switch to resteasy-reactive we are unable to use resteasy-classic or jersey jax-rs clients. dependencies
#23582 Join group screen does not show child groups without filters admin/ui
#23616 invalid tag in .ftl file user-profile
#23692 Genetated access token exception then $ sign in client name core
#23733 OpenAPI spec doesn't match the admin API admin/api
#23753 Insufficient guard against path traversal GzipResourceEncodingProvider core
#23789 Can not create attribute group before setting/removing an annotation user-profile
#23795 Spelling errors in TokenManager.java oidc
#23970 Keycloak does not export/import userprofile data when exporting the realm user-profile
#24032 Group attributes are not saved if there are two attributes with the same key admin/ui
#24035 Admin UI: Group details page is not updated by group list dropdown actions admin/ui
#24067 Duplicate attribute groups show in list in UserProfile in admin ui admin/ui
#24077 Internal server error when no firstName and lastName added on the user with User Profile Disabled and Verify Profile Enabled user-profile
#24096 Document or avoid breaking change in UserSessionModel core
#24160 HTTP/2 - Last parameter of POST form data contains 0x00 byte in some configurations. core
#24183 Username now shown when creating a user and edit username is not allowed user-profile
#24187 Admin UI group view shows attributes of previously viewed group admin/ui
#24293 b.map is not a function error when LDAP server is offline core
#24420 User profile behaves different in keycloak 22.0.5 user-profile
#24453 Email-verified checkbox not visible anymore when user profile is enabled admin/ui
#24455 NPE when logging in with TransientUser storage
#24458 Unfriendly error message when user-storage provider not available admin/ui
#24487 show/hide password in clear text button visible for hiden field in "forgot password" flow login/ui
#24547 DPoP advertised on OIDC Well Known Endpoint even though DPoP feature is not enabled (preview feature) oidc
#24551 the `./kc.sh tools completion` command cannot be recognized correctly admin/cli
#24672 Basic auth is not RFC 2617 compliant authentication
#24697 User cannot update profile when some invalid attribute invisible to him is present on his profile user-profile
#24766 non-functioning session persistence when using JDBC over Infinispan infinispan
#24792 Invalid redirect_uri if it contains uppercase letters authentication
#24970 `jwt-decode` is being bundled into Keycloak JS admin/client-js

Developer Certificate of Origin

Stian Thorgersen — Tue, 31 Oct 2023 00:00:00 GMT

For any Open Source project, it is important that any contributions contain code that can legally be contributed to the project, and that the project has the right to distribute it under its license. There are many ways to achieve this, where two popular approaches are Developer Certificate of Origin (DCO) and Contributor License Agreement (CLA).

Developer Certificate of Origin (DCO) is the most lightweight approach, which requires contributors to sign-off on individual commits that are part of a contribution. This is easily done by using the --signoff (-s) option when creating a commit. For example:

git commit -s -m "Description of the commit"

This adds a Signed-off-by statement at the end of the commit, where the contributor certifies they are following the agreement laid out in the Developer Certificate of Origin (DCO).

Contributor License Agreement (CLA), on the other hand, is a more complicated approach. As part of CLA, any contributors are required to sign an upfront agreement with the project before making any contributions. This provides a higher barrier for contributors, and also a higher cost for the Open Source Project as it has to maintain a list of approved contributors with a corresponding maintained archive of agreements.

For Keycloak we decided to go with DCO as we believe it is much simpler both for contributors as well as maintainers.

If you are interested in learning more about CLA vs DCO, opensource.com has an excellent article on the subject.

Keycloak 22.0.5 released

Tue, 24 Oct 2023 00:00:00 GMT

To download the release go to Keycloak downloads.

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Enhancements

#14820 Calling getTopLevelGroups is slow inside GroupLDAPStorageMapper#getLDAPGroupMappingsConverted keycloak storage
#19348 Sort subgroups keycloak storage
#22109 Add non-blocking liveness and readiness checks to Keycloak keycloak dist/quarkus
#22200 External Link check for documentation logs warning and exception: WARN FilenoUtil: Native subprocess control requires open access keycloak docs
#23581 Code certain topics as upstream only keycloak
#23711 Remove recommendation to file a GitHub issue keycloak docs
#23800 Add a disclaimer about refererences to Kubernetes keycloak
#23856 Allow documentation to be build referencing only Linux, not Windows keycloak
#23910 Removing the default cache metadata keycloak
#23946 Limit Keycloak 22 Windows support to the Admin CLI to upstream keycloak
#23951 Update Keycloak 22 Getting Started keycloak

Bugs

#22170 Operator secrets sequencing keycloak operator
#22600 Keycloak admin v2 theme js mapper adding issue keycloak admin/ui
#22960 Do not store empty attributes when updating user profile keycloak user-profile
#22982 User attributes can't be saved when user profile is enabled keycloak admin/ui
#23220 Update to Keycloak 22.0.3 fails: Migration failed for change set META-INF/jpa-changelog-13.0.0.xml::default-roles::keycloak keycloak storage
#23294 admin-fine-grained-authz + client authorization settings requires more realm-management roles keycloak admin/ui
#23345 Broken link https://stackapps.com/apps/oauth/register keycloak docs
#23397 The "invalid_grant" error occurs again when loading the offline client session with an early creation time. keycloak infinispan
#23434 Can not view or update user profile attribute in user details keycloak admin/ui
#23507 User cannot be created via Admin UI if custom user attribute is required keycloak admin/ui
#23584 Return attribute group metadata from Admin and Account APIs keycloak user-profile
#23654 Attributes tab fields are not changing when a different group is selected keycloak admin/ui
#23713 Weak hashing algorithm usage in SSSD User federation keycloak identity-brokering
#23740 Admin Console doesn't show user when user attribute has annotation inputType keycloak admin/ui
#23743 Keycloak 22.0.4 crashes on file step1.html on old safari versions keycloak authentication
#23774 User can't be updated in admin console when user profile is used keycloak admin/ui
#23783 'Show version information' is not working keycloak dist/quarkus
#23790 The `Enabled When` setting should be set to `Always` by default keycloak user-profile
#23911 User profile attribute default render should be ordinary input keycloak admin/ui
#23930 Admin console does not allow several special characters for realm name anymore keycloak admin/ui
#23954 FederatedUserLink errors when user does not have view-realm role keycloak admin/ui
#24017 Operator operand env var does not conform to OSBS naming requirements keycloak operator
#24031 Missing migration step for Keycloak 22 during import keycloak storage
#24081 Scopes still persisted when required attribute is set to `Always` keycloak user-profile
#24143 Operator docs link is broken keycloak operator

Announcement: Discontinuation of Keycloak's Map Store

Stefan Guilhen — Tue, 17 Oct 2023 00:00:00 GMT

Dear Keycloak community,

For the past two years, the Keycloak store team has been working on a replacement for the storage layer, which became known as the Map Store. Despite the successful development of many features, such as a new JPA storage layer with some no downtime capabilities, a new Hot Rod storage layer, flexible configuration, among others, the amount of work remaining for the store to be fully operational and supported is still quite significant. There is still a lot of uncertainty and risk involved in getting to the point where the store is production ready and able to provide enough value for users to migrate to it.

To give more context, the new Map Store still lacks support for databases other than PostgreSQL and CockroachDB, a caching layer, implementation of the tree store that ties all the stores together, a migration strategy to Map Store, thorough testing, among other things. Each of these items is complex, require a significant amount of development and testing time, and carry risks of their own.

This situation, combined with the need to address existing issues and demands in the storage area now rather than in a somewhat distant future, led us to the tough decision to stop any development in the Map Store. Instead the team will focus on improving the capabilities of the current store and deliver these improvements in smaller chunks and quicker iterations. One of these improvements is to fully support a high availability setup for Keycloak spanning multiple data centers and regions, also known as cross-DC support. While this has been a preview feature in the past, this should now become fully supported in a future release and include guides on how to configure different parts in a cloud environment.

The experience we gained from the Map Store development won’t be wasted though, as the ideas and experiments that worked well in the Map Store are all natural candidates for enhancements in the storage area. Still the Map Store will be entirely removed from the main codebase. Having two different storage implementations is greatly complicating the maintenance process and also making it more difficult for users and other teams to work with the store as they need to understand how to operate on two very different implementations.

What’s next?

For the time being, the Map Store will be available in a separate branch, yet to be created. It will exist mainly to provide us with a way to fetch bits and pieces that can be valuable to the current store. Then, you can expect the gradual removal of the Map Storage bits from the codebase starting with Keycloak 23. This encompasses, among other things, closing the Map Storage issues on Github, removal of Map Store CLI options, and removal of the Map Store modules.

In the near to mid-term future, the store team will continue to focus on cross-DC and some selected smaller improvements/refactorings for the current store. We will prioritize working on highly voted issues and pull requests provided by the community. In parallel, the plan is to develop a roadmap for features and capabilities that we want to bring to the Keycloak store after wrapping up the cross-DC work, and then share this roadmap so it can be discussed and prioritized according to the community’s feedback.

We would also like to thank the Keycloak community for the engagement and feedback during the development of the Map Store. We know that discarding a significant amount of work is not ideal, but we are confident that this decision is the most beneficial for Keycloak and its users in the long run as it will allow us to deliver meaningful value quicker. The team remains focused on improving the store layer and is looking forward to meeting all the challenges ahead.

Keycloak Store Team

Reactivating Discourse

Bruno Oliveira — Mon, 16 Oct 2023 00:00:00 GMT

Back in June, we decided to sunset Discourse as one of our communication channels. However, after careful consideration and understanding the impact this decision had on our community, we have chosen to revert it.

Firstly, we want to acknowledge that our first goal has always been to seek the best for our community. While we strive to make the right decisions, we recognize that we are not perfect. We apologize for any inconvenience our initial decision may have caused, and appreciate the feedback received from many of you.

We are happy to announce that Niko and Garth have kindly volunteered to moderate Discourse. Their commitment makes it possible for us to reactivate the forum. Without their support, especially given the multiple communication channels we manage, this would not have been possible.

In the future, we will ensure to be transparent about decisions that impact our users on Discourse. Thank you for your understanding, patience, and continued support.

The Keycloak Team

Meet Keycloak at KubeCon Chicago in Nov 2023

Kamesh Akella — Tue, 10 Oct 2023 00:00:00 GMT

We are thrilled to announce that Keycloak will be at KubeCon Chicago 2023. There are several Keycloak specific sessions lined up during this Conference, and we will be hosting a Kiosk at the Project Pavilion at KubeCon 2023 Chicago.

What is KubeCon?

As some of you might already know, KubeCon is a fast-growing Cloud Native tech conference that is expected to have 8,000 developers, architects, and technical leaders onsite as well as thousands of participants virtually.

KubeCon Chicago will be held from Nov. 6th, 2023 through Nov. 9th, 2023, with many of the co-located events happening on Monday Nov 6th, 2023.

Keycloak community Meet & Greet at the Project Pavilion

Alexander Schwartz, Michal Hajas, Takashi Norimatsu and Kamesh Akella will be at the Keycloak kiosk at the Project Pavilion. This is a great chance to meet people who use Keycloak, contribute to Keycloak, take our survey about new Keycloak features, and get some cool swag!

Keycloak Kiosk opening hours:

Tuesday, November 7: 10:30 - 3:30 PM CST
Wednesday, November 8: 10:30 - 2:00 PM CST
Thursday, November 9: 10:30 - 12:30 PM CST

OpenShift Commons Gathering

The OpenShift Commons Gathering happens on Monday (Nov. 6th, 2023) and builds connections and collaboration across OpenShift communities, projects and stakeholders. Some maintainers from the Keycloak development team will be here during the afternoon. This gives a chance for more community Keycloak maintainers, contributors, and users to meet and share their ideas or just hang out. Access to the OpenShift Commons event is free and does not require a paid KubeCon ticket, still you’ll need to register on their website in advance.

Keycloak specific events at KubeCon

Below are some Keycloak specific events that the attendees both in-person and virtually can plan to attend.

Tuesday, November 7, 11:00am - 11:35am CST(UTC-6)
10 Years of Keycloak - What’s Next for Cloud-Native Authentication and OIDC?
By Alexander Schwartz, Red Hat & Takashi Norimatsu, Hitachi, Ltd.
Tuesday, November 7, 11:55am - 12:30pm CST(UTC-6)
Challenge to Implementing “Scalable” Authorization with Keycloak
By Yoshiyuki Tabata, Hitachi, Ltd.
Tuesday, November 7, 2:30pm - 4:00pm CST(UTC-6)
Contribfest: Keycloak - Accelerate New Features, Squash Bugs and Learn to Contribute
By Alexander Schwartz & Michal Hajas, Red Hat
Wednesday, November 8, 11:55am - 12:30pm CST(UTC-6)
Beyond Passwords: Keycloak’s Contributions to IAM (Identity and Access Management) + Security
By Soojin Lee & Hoon Jo, Megazone

We’re preparing for KubeCon Chicago 2023 and can’t wait to connect with our community. Mark your calendars and join us.

See you in Chicago!

Keycloak 22.0.4 released

Wed, 4 Oct 2023 00:00:00 GMT

To download the release go to Keycloak downloads.

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Enhancements

#17733 Improve feature (detection) code in the Admin Console keycloak admin/api
#23066 Remove bearer-only content from the Server Administration Guide keycloak docs
#23124 Move email validation change docs to migration guide of 22.0.3 keycloak docs
#23177 Move email validation change docs to migration guide of 22.0.4 keycloak docs
#23246 Improve documentation about manual database migration keycloak docs
#23312 Deploy JavaScript adapter to Maven repository keycloak

Bugs

#11931 user first name not refreshed in Keycloak V2 theme keycloak account/ui
#21935 Using truststore with LDAP and StartTLS is not working keycloak ldap
#22185 Can't boot Keycloak server with Java KeyStore p12 file running on Windows 10/2019 keycloak dist/quarkus
#22478 Custom User Provider SPI: MULTIVALUED_STRING_TYPE value isn't correctly displayed on ui (but correctly saved and retrieved) keycloak admin/ui
#22778 Deep link format for redirect uri parameter is not parsed correctly keycloak core
#22825 Keycloak 22.0.1 unable to create user with long email address keycloak admin/api
#22839 Linux Firefox + Keycloak 22.0.1 issue(continuation of issue 21307) keycloak authentication
#22892 Not-working link during adding a SAML Identity provider keycloak admin/ui
#22923 Events filter by IP Address not working keycloak admin/api
#22974 NullpointerException when using encrypted SAML assertions keycloak saml
#23053 KC22: Issue with FIPS140 in non approved mode. keycloak core
#23065 Admin console throwing 403 error when logged in for sub realm using local admin user keycloak admin/ui
#23185 Registration page not showing username when edit username is not enabled keycloak user-profile
#23251 SAML Encryption Key Export Downloads Signing Key keycloak admin/ui
#23258 Race condition inside Keycloak build chain execution keycloak dist/quarkus
#23306 NPE in AuthenticationManager backchannelLogout keycloak core
#23325 PolicyEnforcer should set WWW-Authenticate header before calling sendError() method keycloak authorization-services
#23327 User cannot be created via Admin UI if custom user attribute is required keycloak admin/ui
#23341 Keycloak 22.0.3: Create user: select groups to join filter does nothing keycloak admin/ui
#23342 Test failures with Wildfly/EAP adapters using TLS keycloak ci
#23366 Reopening of CVE-2023-21971 - Update Connector/J to 8.0.33 keycloak dependencies
#23402 Outdated kcadm.sh help examples can be misleading to our users keycloak admin/cli
#23438 Cannot update email address when "Email as username" is enabled keycloak admin/api
#23447 Allow 'prompt' Value 'consent' in Keycloak JavaScript Adapter keycloak adapter/javascript
#23481 Text field for last name field in user form has an incorrect ID keycloak admin/ui
#23637 Some container implementations don't work with the documented additional RPM install procedure keycloak docs
#23661 Upload JVM Heapdumps action fail on Windows keycloak ci
#23773 22.0.4 Operator installed via OLM deploys Keycloak nightly version keycloak operator

Keycloak 22.0.3 released

Tue, 12 Sep 2023 00:00:00 GMT

To download the release go to Keycloak downloads.

Release notes

Security vulnerability when registering or updating user through templates

A security vulnerability was introduced in Keycloak 22.0.2. We highly recommend not upgrading to 22.0.2, and for anyone that has deployed 22.0.2 in production to upgrade to 22.0.3 immediately.

For users that has self-registered after Keycloak was upgraded to 22.0.2 their password is not stored securely, and can be exposed to administrators of Keycloak. This only affects users that has registered after the upgrade was rolled-out, and does not affect any previously registered users.

Any realm using the preview declarative user profile is not affected by this issue, and only realms using the default user profile provider is affected.

To identify if there are any affected users in your deployment you can query these by accessing the database, and running the following SQL statement:

SELECT DISTINCT U.ID, U.USERNAME, U.EMAIL, U.REALM_ID FROM USER_ENTITY U
    INNER JOIN USER_ATTRIBUTE UA ON U.ID = UA.USER_ID
    WHERE UA.NAME IN ('password','password-confirm')

We recommend contacting any affected users as well as adding the update password required action for them.

If there are any affected users we also recommend removing these attributes from the database by running the following SQL statement:

DELETE FROM USER_ATTRIBUTE UA WHERE UA.NAME IN ('password','password-confirm')

If any backups have been done of the database after the 22.0.2 release and there are affected users, we recommend deleting these.

Custom user storage providers

Any deployments with custom user storage federation providers may also be affected, please verify your custom user storage to identify if this is an issue.

To identify if there are any federated user affected in your deployment in case the user storage provider is delegating management of attributes to Keycloak, you can query these by accessing the database, and running the following SQL statement:

SELECT DISTINCT USER_ID,REALM_ID,STORAGE_PROVIDER_ID FROM FED_USER_ATTRIBUTE
    WHERE NAME IN ('password','password-confirm')

If there are any affected federated users, we also recommend removing these attributes from the database by running the following SQL statement:

DELETE FROM FED_USER_ATTRIBUTE UA WHERE UA.NAME IN ('password','password-confirm')

If your custom user storage provider is managing attributes itself, you should look at your custom storage to remove the password and password-confirm attributes.

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

2nd edition of the Keycloak book is out

Stian Thorgersen — Mon, 11 Sep 2023 00:00:00 GMT

We’re pleased to announce that the 2nd edition of the Keycloak book is out, and available for available for purchase on Amazon.

This new edition has been updated to the latest release of Keycloak, making the book compatible with the newer Quarkus distribution of Keycloak, as well as the new administration console.

If you are new to Keycloak this book brings an excellent guide to getting started with Keycloak, including how to secure a range of different application types with Keycloak.

Keycloak 22.0.2 released

Mon, 11 Sep 2023 00:00:00 GMT

To download the release go to Keycloak downloads.

Release notes

Improvements in LDAP and Kerberos integration

Keycloak now supports multiple LDAP providers in a realm, which support Kerberos integration with the same Kerberos realm. When an LDAP provider is not able to find the user which was authenticated through Kerberos/SPNEGO, Keycloak ties to fallback to the next LDAP provider. Keycloak has also better support for the case when single LDAP provider supports multiple Kerberos realms, which are in trust with each other.

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Enhancements

#9422 Support kerberos realm filter on LDAP provider keycloak ldap
#10232 Kill sessions after a password reset or MFA modification keycloak authentication
#14665 map a kerberos provider to one or more ldap provider stores keycloak ldap
#20931 Improvements on Documentation/Guides for "Hostname/Proxy/Admin Console" Settings keycloak
#21564 Upgrade to Infinispan 14.0.13.Final keycloak
#22452 Ask admins to install the Oracle Database driver separately keycloak
#22500 Correct Getting Started guide keycloak
#22745 Upgrade to Quarkus 3.2.5.Final keycloak dist/quarkus
#22762 Provide support for determining community/product guides keycloak docs
#22793 Remove log-level property for `ClassTransformingBuildStep` in Quarkus keycloak dist/quarkus
#22795 Error message when JDBC driver is missing is not helpful keycloak
#22800 Blank Java adapter section in Securing Apps Guide keycloak
#22871 Operator guide screen shot should show fast channel keycloak
#23067 Add "LinkedIn (deprecated)" provider to the DEPRECATED profile keycloak identity-brokering

Bugs

#10981 Keycloak "forgets" ui_locales parameter when using Reset Password functionality keycloak authentication
#12137 IdP Mappers ignored when performing external -> internal token exchange keycloak token-exchange
#19954 Admin UI hangs with many subgroups keycloak admin/ui
#20005 JavaScript Authenticator Providers not updated automatically on build and SQL error when removing/adding in flow keycloak core
#20045 Use an original domain name of Kerberos Principal in UserModel attribute instead of configured value of Kerberos realm in User federation keycloak authentication
#20455 MigrationTest » IllegalArgument argument type mismatch [JDK Temurin 17] keycloak testsuite
#20718 NullPointerException in GroupTreeResolver with LDAP keycloak ldap
#20837 [Declarative User Profile] Attributes tab doesn't dipslay attributes, values get lost and multi values get stored as single ones keycloak admin/ui
#20983 Flaky test: org.keycloak.testsuite.model.session.SessionTimeoutsTest#testOnlineUserClientMaxLifespanSmallerThanSessionOverrideInClient keycloak storage
#21092 Keycloak fails to start due to infinispan state transfer exception keycloak infinispan
#21173 User administration: It is not possible to assign a user to a subgroup of an assigned parent group in order to obtain more rights keycloak admin/ui
#21256 State transfer never completes keycloak storage
#21421 After switching the Admin UI theme to "Base," an error occurred when attempting to access the keycloak login keycloak admin/ui
#21514 Can create a user without the registration flow finished properly (reopened #17644) keycloak storage
#21528 Declarative User Profile validators are not saved keycloak admin/ui
#21595 LGPL license header in files incompatible with Apache v2.0 keycloak core
#21693 New Admin UI: Group Attribute UI does not refresh, shows stale values keycloak admin/ui
#21719 New Admin UI: User attributes UI does not refresh, shows stale values keycloak admin/ui
#21739 CRD incompatible with Flux reconcilation keycloak operator
#21745 Re-instate authenticator alias in authentication flow GUI keycloak admin/ui
#21751 v 22.0.0 rest-api, cleans user email when updating attributes (with user-profile enabled) keycloak user-profile
#21778 Flaky test: org.keycloak.testsuite.script.DeployedScriptAuthenticatorTest#testScriptAuthenticatorNotAvailable keycloak authentication
#21791 User unable to save user profile attributes keycloak user-profile
#21801 Warnings about quarkus.http.ssl.certificate.file and quarkus.http.ssl.certificate.key-file on startup keycloak dist/quarkus
#21814 Keycloak operator lacks RBAC for Pods keycloak operator
#21851 v22.0.1 - Windows: kcadm.bat gives Java Exception keycloak admin/cli
#21927 Client Session Max set never expires is not working anymore since 22.0.0 keycloak oidc
#21960 Configuration of flow execution is wiped after using admin UI drag and drop keycloak admin/ui
#22002 Admin UI v2 : client credentials tab is hidden with view-client fine grained permission keycloak admin/ui
#22032 Example postgres deployment used in Operator test is sometimes hitting rate limits keycloak operator
#22039 Link to freeipa broken in documentation keycloak docs
#22079 In assign role dialog, the filter dropdown is missing when having only manage-user role keycloak admin/ui
#22140 KeycloakIngressTest failing in OCP keycloak ci
#22142 PodTemplateTest.testPodTemplateIncorrectNamespace error in OCP keycloak ci
#22172 Keycloak SAML Adapter subsystem does not support Wildfly 29 keycloak adapter/jee-saml
#22175 Missing ":providerId" param - Error when viewing users from federated provider with limited admin roles keycloak admin/ui
#22186 ExternalLinksTest fails for https://nodejs.org (invalid redirect to /en/) keycloak docs
#22198 User session expire task shouldn't run concurrently in a cluster keycloak storage
#22243 Flaky test: org.keycloak.testsuite.oauth.OfflineTokenTest#offlineTokenBrowserFlowIdleTimeExpired keycloak storage
#22352 Only first kerberos provider is checked keycloak authentication
#22383 LinkedIn as Identity provider not working keycloak oidc
#22570 Unable to remove user attributes keycloak admin/ui
#22581 idp jwt userinfo broken keycloak identity-brokering
#22593 Update the Keycloak SAML adapter subsystem to no longer use the AttributeDefinition#getAttributeMarshaller method keycloak adapter/jee-saml
#22602 UserSyncTest does not clean LDAP properly keycloak testsuite
#22707 `start-dev` by default starts with cache `local`, but docs state otherwise keycloak dist/quarkus
#22709 Incorrect event types in the events overview (eventTypes.Refresh token error.name & eventTypes.User info refresh error.name) keycloak admin/ui
#22760 Translations missing for theme select placeholder text keycloak translations
#22823 Support EAP8 with SAML Adapter Galleon Feature Pack keycloak adapter/jee-saml
#22888 Surefire reports not triggered when a test suite fails. keycloak ci
#22900 User data is incorrectly erased in Keycloak Admin UI keycloak admin/ui
#22924 Incorrect help Text for the field 'Temporary' while setting password for new user keycloak admin/ui
#22947 Status check succeeds if "conditional" step fails keycloak ci
#22961 Attributes without a value set are not rendered in the account console keycloak account/ui
#23001 Conditional store tests do not run if tests are updated keycloak ci
#23027 Broker user attribute mapper not obtaing user info claims when creating users through token exchange keycloak token-exchange
#23058 Quarkus IT that use Oracle DB don't work with `-Dproduct` keycloak testsuite
#23118 Failure in identity_providers_test.spec.ts keycloak testsuite

Keycloak 22.0.1 released

Tue, 18 Jul 2023 00:00:00 GMT

To download the release go to Keycloak downloads.

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Enhancements

#10503 Revisit Pod-Template in Keycloak CR keycloak operator
#15344 Support configurable custom Identity Providers keycloak
#21626 [REG 21->22] Error messages on kc build keycloak dist/quarkus

Bugs

#17711 Accessibility/Clients List: Minor Issues keycloak admin/ui
#21607 `keycloakCRName` and `realm` are no longer marked as required in KeycloakRealmImport CRD keycloak operator
#21625 Version 22.0.0 not started in dev mode and build mode keycloak dist/quarkus
#21629 Migration for 22.0.0 is missing from the documentation keycloak docs
#21637 Broken links to quickstarts in documentation keycloak docs
#21657 Account V3 Missing translate Refresh keycloak account/ui
#21698 Keycloak is storing error events even if storing events is disabled keycloak storage
#21733 Fixing broken JSON translation files keycloak admin/ui

Keycloak 22.0.0 released

Tue, 11 Jul 2023 00:00:00 GMT

To download the release go to Keycloak downloads.

Release notes

Server Distribution

Java 11 support removed

Running the Keycloak server with Java 11 is no longer supported. Java 11 was deprecated in Keycloak 21 with the announced plan to be removed in Keycloak 22.

Upgrade to Quarkus 3.x

Keycloak upgraded to version 3.2.0.Final of the Quarkus Java framework. Quarkus 3.x continues the tradition of propelling Java development by moving fast and providing a cutting-edge user experience with the latest technologies.

Transition from Java EE to Jakarta EE

As part of upgrading to Quarkus 3.x Keycloak migrated its codebase from Java EE (Enterprise Edition) to its successor Jakarta EE, which brings various changes into Keycloak. We have upgraded all Jakarta EE specifications in order to support Jakarta EE 10.

Context and dependency injection no longer enabled to JAX-RS Resources

In order to provide a better runtime and leverage as much as possible the underlying stack, all injection points for contextual data using the javax.ws.rs.core.Context annotation were removed. The expected improvement in performance involves no longer creating proxies instances multiple times during the request lifecycle, and drastically reducing the amount of reflection code at runtime.

Upgrade to Hibernate ORM 6

Keycloak now benefits from the upgrade to Hibernate ORM 6.2, which includes improved performance, better SQL, modern JDK support, and support for modern RDBMS features.

Elytron credential store replacement

The previous and now removed WildFly distribution provided a built-in vault provider that reads secrets from a keystore-backed Elytron credential store. As this is no longer available, we have added a new implementation of the Keycloak Vault SPI called Keycloak KeyStore Vault. As the name suggests, this implementation reads secrets from a Java keystore file. Such secrets can be then used within multiple places of the Administration Console. For further details, see our guide and the latest documentation.

KeyStore Config Source added

In relation to the KeyStore Vault news, we also integrated Quarkus’s recently released feature called KeyStore Config Source. This means that among the already existing configuration sources (CLI parameters, environment variables and files), you can now configure your Keycloak server via configuration properties stored in a Java keystore file. You can learn more about this feature in the Configuration guide.

Hostname debug tool

As a number of users have had problems with configuring the hostname for the server correctly there is now a new helper tool to allow debugging the configuration.

Passthrough proxy mode changes

Installations which use Keycloak’s --proxy configuration setting with mode passthrough should review the documentation as the behavior of this mode has changed.

Export and Import perform an automatic build

In previous releases, the export and import commands required a build command to be run first. Starting with this release, the export and import commands perform an automatic rebuild of Keycloak if a build time configuration has changed.

Admin Console

Account Console v1 removal

The old Account Console (v1) is now completely removed. This version of the Account Console was marked as deprecated in Keycloak 12.

Account Console v3 promoted to preview

In version 21.1.0 of Keycloak the new Account Console (version 3) was introduced as an experimental feature. Starting this version it has been promoted to a preview feature.

Account Console template variables removed

Two of the variables exposed to the Account Console V2 and V3 templates (isEventsEnabled and isTotpConfigured) were left unused, and have been removed in this release.

It is possible that if a developer extended the Account Console theme, he or she could make use of these variables. So make sure that these variables are no longer used if you are extending the base theme.

Changes to custom Admin Console messages

The Admin Console (and soon also the new Account Console) works slightly different than the rest of Keycloak in regards to how keys for internationalized messages are parsed. This is due to the fact that it uses the i18next library for internationalization. Therefore when defining custom messages for the Admin Console under "Realm Settings" ➡ "Localization" best practices for i18next must be taken into account. Specifically, when defining a message for the Admin Console it is it important to specify a namespace in the key of your message.

For example, let’s assume we want to overwrite the welcome message shown to the user when a new realm has been created. This message is located in the dashboard namespace, same as the name of the original file that holds the messages (dashboard.json). If we wanted to overwrite this message we’ll have to use the namespace as a prefix followed by the key of the message separated by a colon, in this case it would become dashboard:welcome.

JavaScript adapter

Legacy Promise API removed

With this release, we have removed the legacy Promise API methods from the Keycloak JS adapter. This means that calling .success() and .error() on promises returned from the adapter is no longer possible.

Required to be instantiated with the `new` operator

In a previous release we started to actively log deprecation warnings when the Keycloak JS adapter is constructed without the new operator. Starting this release doing so will throw an exception instead. This is to align with the expected behavior of JavaScript classes, which will allow further refactoring of the adapter in the future.

Admin API

Renamed Admin library artifacts

After the upgrade to Jakarta EE, artifacts for Keycloak Admin clients were renamed to more descriptive names with consideration for long-term maintainability. We still provide two separate Keycloak Admin clients, one with Jakarta EE and the other with Java EE support.

Support for count users based on custom attributes

The User API now supports querying the number of users based on custom attributes. For that, a new q parameter was added to the /{realm}/users/count endpoint.

The q parameter expects the following format q=<name>:<value> <name>:<value>. Where <name> and <value> represent the attribute name and value, respectively.

Operator

k8s.keycloak.org/v2alpha1 changes

The are additional fields available in the keycloak.status to facilitate keycloak being a scalable resource. There are also additional fields that make the status easier to interpret such as observedGeneration and condition observedGeneration and lastTransitionTime fields.

The condition status field was changed from a boolean to a string for conformance with standard Kubernetes conditions. In the CRD it will temporarily be represented as accepting any content, but it will only ever be a string. Please make sure any of your usage of this field is updated to expect the values "True", "False", or "Unknown", rather than true or false.

Co-management of Operator Resources

In scenarios where advanced management is needed you may now directly update most fields on operator managed resources that have not been set by the operator directly. This can be used as an alternative to the unsupported stanza of the Keycloak spec. Like the unsupported stanza these direct modifications are not considered supported. If your modifications prevent the operator from being able to manage the resource, there Keycloak CR will show this error condition and the operator will log it.

Identity Brokering

Essential claim configuration in OpenID Connect identity providers

OpenID Connect identity providers support a new configuration to specify that the ID tokens issued by the identity provider must have a specific claim, otherwise the user can not authenticate through this broker.

The option is disabled by default; when it is enabled, you can specify the name of the JWT token claim to filter and the value to match (supports regular expression format).

Support for JWE encrypted ID Tokens and UserInfo responses in OpenID Connect providers

The OpenID Connect providers now support Json Web Encryption (JWE) for the ID Token and the UserInfo response. The providers use the realm keys defined for the selected encryption algorithm to perform the decryption.

Hardcoded group mapper

The new hardcorded group mapper allows adding a specific group to users brokered from an Identity Provider.

User session note mapper

The new user session note mapper allows mapping a claim to the user session notes.

LDAP Federation

LDAPS-only Truststore option removed

LDAP option to use truststore SPI Only for ldaps has been removed. This parameter is used to select truststore for TLS-secured LDAP connection: either internal Keycloak truststore is picked (Always), or the global JVM one (Never).

Deployments where Only for ldaps was used will automatically behave as if Always option was selected for TLS-secured LDAP connections.

Removed Openshift integration feature

The openshift-integration preview feature that allowed replacing the internal IdP in OpenShift 3.x with Keycloak was removed from Keycloak codebase into separate extension project.

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

New features

#8750 Require user to agree to 'terms and conditions' during registration keycloak
#11089 Securing credentials/passwords not possible with Quarkus distribution keycloak dist/quarkus
#11632 Enable Horizontal Pod Autoscaling for Keycloak deployed with the new Operator keycloak
#15101 Support OpenJDK 19 keycloak
#15910 Hostname debug tool keycloak dist/quarkus
#17252 Add Keycloak Keystore Vault implementation keycloak dist/quarkus
#17659 Claim to User Session Note Idp Mapper keycloak oidc
#19650 Supporting reference access/refresh tokens keycloak
#19968 Allow changing admin console logo and favicon from theme.properties keycloak
#20016 Group attribute query is missing QueryParams in java admin client keycloak admin/client-java
#20262 SSSD integration in Quarkus distribution keycloak
#20625 Add support to the Operator for setting default labels on Keycloak pods keycloak operator
#21254 Support for JWE IDToken and UserInfo tokens in OIDC brokers keycloak identity-brokering

Enhancements

#356 Update QuickStarts documentation to Quarkus distribution keycloak-quickstarts
#357 Re-enable test that where disabled when updating test for the Quarkus dist keycloak-quickstarts
#407 Nashorn dependency no longer needed in quickstarts keycloak-quickstarts
#412 Doublecheck "provider" quickstarts with quarkus3 based Keycloak distribution keycloak-quickstarts
#416 user-storage-* provider quickstarts keycloak-quickstarts
#417 Event listener sysout quickstart keycloak-quickstarts
#421 Event store mem quickstart keycloak-quickstarts
#428 Extend-account-console quickstart keycloak-quickstarts
#436 Remove keycloak-remote profile keycloak-quickstarts
#1791 Clarification on user registration and identity brokering keycloak-documentation
#8753 Reset Credentials Flow does not delete existing OTP keycloak authentication
#9075 Remove any unnecessary dependency from distribution keycloak dist/quarkus
#9434 OTP base32 decode improvements keycloak
#10285 Expose deployment errors in the status field of Keycloak CR keycloak operator
#10562 Support multiple KC instances in a single namespace keycloak operator
#10736 Use SchemaSwap instead of shell script for Realm CRD generatio keycloak operator
#10911 Use Quarkus JOSDK to generate CSV for OLM in the operator keycloak operator
#11015 Use dist Quarkus version in the operator keycloak dist/quarkus
#11561 Non ASCII characters in TOTP secret not supported in 2FA configurations keycloak authentication
#11759 Add support to indicate desired locale on init func with onLoad: 'login-required' options keycloak adapter/javascript
#12593 Add a name to the keycloak port in the service keycloak
#13074 Operator CRD status incompatible with kstatus keycloak operator
#14747 Addition of Custom User Attribute Filter to Users API Count Endpoint keycloak
#15003 Enable IPv6 dualstack support by default keycloak dist/quarkus
#15044 Clean `RealmProvider` from methods from other areas keycloak storage
#15046 Remove methods for old default roles approach keycloak storage
#15136 Back to Application link should be client specific with the UPDATE_EMAIL feature keycloak
#15434 Customize log messages for user storage LDAP configuration in KC shown in admin UI keycloak
#15454 Update migration guide with the changes that need to be done for developers using JAX-RS in their extensions keycloak
#15490 Update Datastore provider to contain full data model keycloak storage
#15789 "Failed to add user 'admin' ..." should not be an ERROR keycloak dist/quarkus
#15947 support parameters like "uri" and "matchingUri" in the UMA grant token endpoint keycloak
#16535 Group Attribute Search Erroneously returns when searching for nested group keycloak storage
#16800 Operator Support for missing leading slash and present trailing slash in `http-relative-path` keycloak operator
#16849 Add "Enable new user after creation" option for Active Directory keycloak
#16902 Refine the set of RPMs included in the keycloak container image keycloak dist/quarkus
#16967 Minimize the RPM content of the Operator container keycloak operator
#16977 CRDB optimization: Optimize selects targeting the primary key or unique keys keycloak storage
#17470 security enhancement : representation of admin events & credentials keycloak
#17484 Migrate realms if configured to use RH-SSO themes keycloak
#19792 Javascript example not printing errors keycloak docs
#19924 Allow pre-filled GitHub issue forms via links from docs keycloak docs
#19959 Add missing Spanish translations for login keycloak translations
#19965 Add `lang` attribute to HTML tag of UIs keycloak account/ui
#19990 Only add Access properties on groups, if the fine grain feature is on keycloak
#20067 Upgrading to Infinispan 14.0.8 keycloak
#20191 Conditional login through identity provider keycloak
#20200 account console v3 theme.properties customizations keycloak
#20216 Correct formatting in Server Developer guide keycloak
#20250 Adhere to HTML standard when using `ul`-element keycloak
#20263 SSSD documentation updated for quarkus distribution keycloak
#20265 SSSD testing with GH actions keycloak
#20303 UserPropertyMapper generated exceptions on mapping keycloak
#20305 Upgrade JNA library keycloak
#20386 Client executor for reject implicit grant when enabled for clients keycloak oidc
#20388 Upgrade owasp html sanitizer to newest version keycloak
#20469 Look ahead window setting in OTP policy is not accurate keycloak admin/ui
#20486 Enable `simple-cache` for `local-cache` keycloak
#20496 Move openshift client integration to separate extension keycloak core
#20497 Move http-challenge authentication flow and the related authenticators to the extension keycloak authentication
#20548 Also run Cypress tests on Firefox keycloak testsuite
#20576 Allow custom annotation in Ingress keycloak
#20582 Show warning message when overriding build options during starts keycloak
#20623 FAPI 2.0 security profile - not allow an authorization request whose parameters were not included in PAR request keycloak
#20674 Increase the length of password hash iterations password-policy input in admin ui keycloak admin/ui
#20689 Removing unnecessary message from main command help text keycloak
#20710 FAPI 2.0 security profile - not allow an authorization request whose parameters were not included in Request Object pushed to PAR request keycloak
#20773 Add Hardcoded Group mapper to Identify Provider configuration keycloak
#20783 Ability for users to view credentials without manage user permissions keycloak admin/api
#20791 Update docs (and maybe tooltips) for timeout changes keycloak docs
#20817 Improve start page on the account ui keycloak account/ui
#20994 Update securing_applications guide for latest adapter changes (community) keycloak docs
#21064 Allow any JGroups stack with --cache-stack keycloak
#21163 Support for the `locale` user attribute keycloak
#21167 Add missing Polish translations keycloak translations
#21176 Remove adapters from product documentation keycloak docs
#21272 Upgrade to Quarkus 3.2.0.Final keycloak
#21283 Add `iat` claim to JWT that is passed to CIBA HttpAuthenticationChannel keycloak
#21476 When essential claim check fails the error message should provide detailed information keycloak
#21493 Enable publishNotReadyAddresses for discovery service keycloak

Bugs

#369 Quickstarts for action-token-authenticator / action-token-required-action not working keycloak-quickstarts
#409 Legacy quickstart tests are failing since quarkus3 upgrade keycloak-quickstarts
#437 Tests does not work on OpenJDK 17 for quickstarts keycloak-quickstarts
#9299 Refresh token with offline_access scope affected by session idle/session max keycloak oidc
#9313 LDAPS Bind test fails with SSLHandshakeException while LDAP connection test works keycloak ldap
#10110 Unable to add more than 6 acceptable AAGUIDs for WebAuthn keycloak authentication/webauthn
#10195 User search with LDAP federation not consistent keycloak ldap
#11079 SLO and ACS Binding are linked with AuthnRequest Binding in SAML Identity Broker Metadata keycloak saml
#11728 SSSD Federation fails with NPE after upgrade keycloak authentication
#11990 Negative refresh token expiration (exp timestamp in the past) keycloak oidc
#12012 KEYCLOAK-17116 Copy of Browser Flow overrides an original one keycloak authentication
#12018 Trust Store hostname-verification-policy=ANY seems to be ignored keycloak docs
#12720 Clearify the use of `db-url-properties` keycloak docs
#12745 [keycloak-js] multiple init call with onload option as check-sso cause redirects keycloak adapter/javascript
#12939 importing bin/kc.[sh|bat] import --file doesn't work when using external database keycloak dist/quarkus
#13542 MigrationTest for KC 17 failures in the pipeline keycloak testsuite
#13543 RecoveryAuthnCodesAuthenticatorTest failures in the pipeline keycloak testsuite
#13922 Switching Locale after Completing an admin triggered required action yields an error keycloak authentication
#14441 Client-secret with special character (+) for authorization is failing in 19.0.2 keycloak oidc
#14617 ID token is not including roles keycloak oidc
#14851 Realm update fails when realm has many Identity Providers configured and saves rep. with Admin Events keycloak admin/api
#14854 Client session lifespan doesn't consider user session lifespan keycloak authentication
#15337 User Session Note Mapper no longer adds IMPERSONATOR_USERNAME as SAML attribute keycloak saml
#15536 Able to modify built-in flow keycloak admin/api
#15782 Unable to perform export when server was started with new storage keycloak dist/quarkus
#15845 Realm localization: Inconsistent message resolving regarding language fallbacks for different themes keycloak core
#15853 Incorrect Signature algorithms presented by Client Authenticator keycloak oidc
#15898 Keycloak Export only accept H2 datase-URL (Datasource: URL format error; must be jdbc:h2 ... but is jdbc:mariadb: ...) keycloak dist/quarkus
#16165 SSSD User Federation dissapeared in 20.0.1/20.0.2 keycloak authentication
#16166 Set OpenShift as a "Social Identity Provider" cannot work keycloak identity-brokering
#16321 Single client export bug keycloak docs
#16507 Hibernate 6 upgrade: Warning SqmDynamicInstantiation about dynamic Map instantiation keycloak storage
#16551 Quarkus 3: RealmModelTest.testRealmLocalizationTexts fails keycloak testsuite
#16577 Setting user password and entering "password confirmation" first leads to blocking of "save" keycloak admin/ui
#16613 Impossible to update a federated user credential label keycloak admin/api
#16833 Update documentation around `View all users` behavior in the new admin console keycloak docs
#16992 upgrading from v18.0.2 to 19.0.3 or 20.0.3 fails with ERROR duplicate key value violates unique constraint "constraint_3c" keycloak core
#17130 Theme & Provider folder empty in KeyCloak 20.0.3 keycloak docs
#17288 New Referrer-policy breaks cross-origin SP<->IdP (KC) keycloak saml
#17294 Make LDAP `searchForUsersStream` consistent with other storages keycloak storage
#17304 javax.net.ssl.SSLException exceptions because org.keycloak.adapters.HttpClientBuilder ignores connectionTTL setting keycloak oidc
#17312 Error updating old version (Keycloak 8) to Keycloak 20. NPE thrown due the realm.getDefaultRole() keycloak core
#17377 Error: realms.removeSession wrong generic type keycloak admin/client-js
#17388 Incorrect Url on Keycloak Health - Liveness and Readiness, no Startup Probes keycloak operator
#17581 `JpaUserProvider` count methods are inconsistent with `searchForUser`'s param filter handling keycloak storage
#19096 Memory issue with PathCache when running the traffic keycloak authorization-services
#19136 Report an issue link points to Jira instead of GHI keycloak docs
#19155 Priority not sent to server when adding new RSA key provider keycloak admin/ui
#19156 Server Deployment documentation is not updated to Quarkus keycloak docs
#19193 Slow Query Caused By Composite Indexes Order On Broker Link Table keycloak storage
#19257 User ID is ignored in partial import keycloak import-export
#19323 Hibernate 6: Entity in Key not returned when querying keycloak storage
#19368 Facebook identity provider not working keycloak identity-brokering
#19485 SignatureProvider not showing up in the Default Signature Algorithm list keycloak admin/ui
#19530 Custom ResetCredentialEmail does not work after upgrade to Keycloak 21 keycloak core
#19575 Account Console II doesn't remove TOTP from UserStorage keycloak account/api
#19596 A way to override internal SPI after KC 21 keycloak core
#19638 Custom User Storage Provider doesn't look up users after saving changes keycloak admin/ui
#19675 Gzip cache is only invalidated upon Keycloak version changes keycloak core
#19677 AlreadyLoggedIn when impersonating a user in a SAML client keycloak core
#19725 Operator restarts occasionally result in recreation of managed keycloak Statefulset Pods keycloak operator
#19746 Email settings erased after any change on realm settings keycloak admin/ui
#19763 Documentation for User Storage Spi is incorrect keycloak storage
#19777 Custom providers are not loaded properly in KC21 keycloak core
#19805 Custom SignatureProviderFactory is not working as expected after Keycloak 21 upgrade keycloak core
#19814 Testsuite must rely on IDs from Keycloak keycloak testsuite
#19818 Support for realm-less entities in login failures keycloak storage
#19844 NPE when updating a subflow in an authentication flow keycloak admin/api
#19849 Incorrect HTTP status reported when DNS resolver is not available (and DB connection unavailable due to that) keycloak core
#19852 Admin UI does not respect default values for custom authenticator configurations keycloak admin/ui
#19897 Create a Client Policy on realm with client-roles or client-scopes condition raises an expection on the Client details keycloak admin/ui
#19932 Test app is not functioning - https://www.keycloak.org/app/ keycloak docs
#19933 Account v3 - account console link redirect to master realm keycloak account/ui
#19942 New Flow created for Post Login Flow IDP not mark "Used by" at Flows keycloak admin/ui
#19950 Logout redirect URL truncated since v20 keycloak oidc
#19957 User search with more than two keywords returns empty list keycloak storage
#19982 Default Roles show all roles if "Hide inherited roles" is not checked keycloak admin/ui
#20007 Conditional user attribute authenticator does not match the joined groups keycloak oidc
#20009 authenticator javaScript Provider always failed the login, user context is lost and break the login keycloak core
#20013 Flaky test: org.keycloak.testsuite.adapter.servlet.OfflineServletsAdapterTest#testServlet keycloak ci
#20020 Cannot find @Generated annotation for ServicesLogger keycloak dependencies
#20070 Update passthrough behavior and docs keycloak dist/quarkus
#20077 Conditionally build WildFly adapters for our testsuite keycloak testsuite
#20085 Custom theme - url.resourcesCommonPath references wrong theme keycloak admin/api
#20097 FederatedUserLink always points to LDAP keycloak admin/ui
#20101 Duplicated serverPrincipal property in LDAPStorageProviderFactory keycloak storage
#20105 Unable to template emails in EventListenerProvider (No realm in provided KeycloakSession) keycloak authentication
#20119 Support for non-XA databases keycloak storage
#20182 User defined message bundles do not apply correctly to Admin Console keycloak admin/ui
#20194 Valid redirect URI & web origin input fields display when "Standard flow" is disabled keycloak admin/ui
#20202 Flaky test: org.keycloak.testsuite.model.session.OfflineSessionPersistenceTest#testLazyClientSessionStatsFetching keycloak ci
#20259 Failing ExternalLinks tests for old Keycloak JIRA Links keycloak docs
#20261 Quarkus 3 build properties break product build keycloak dist/quarkus
#20269 Flaky test: org.keycloak.testsuite.model.infinispan.CacheExpirationTest#testCacheExpiration keycloak ci
#20329 Additional Provider Info only shows at end of list not below provider keycloak admin/ui
#20331 Keycloak-js crasher: Missing null checks. Websites that have inline scripts without a src attribute as src attributes are not required. keycloak adapter/javascript
#20332 Error 500 after signin to admin console: NullPointerException keycloak core
#20349 WebAuthn test fails in the GHA keycloak testsuite
#20372 keycloak-js-admin-client and keycloak-js-adapter do not build when a maven proxy is configured keycloak
#20384 Fix User Federation tests after Q3 upgrade keycloak testsuite
#20385 Servlet tests for JBoss-based adapters with TLS are broken keycloak testsuite
#20387 Productization issue related to JNA upgrade keycloak dependencies
#20401 SAML error not shown to user keycloak admin/ui
#20426 ClientScope changes don't invalidate the realm cache keycloak storage
#20433 Administration / Keycloak Admin REST API documentation can no longer be generated keycloak docs
#20443 Avoid NPE while fetching offline sessions keycloak storage
#20459 Changing the email address has no impact at username regardless "Email as username" toggle keycloak user-profile
#20481 Fix tests related to file storage keycloak testsuite
#20489 Admin UI - unable to load user's groups when large number of groups defined for the realm keycloak admin/ui
#20498 When user federation is enabled, admin console user search doesn't show search field keycloak admin/ui
#20503 Enabled User Event Types not visible when "Save events" disabled. keycloak admin/ui
#20506 User events settings - "Save events" toggle doesn't always activate Save button. keycloak admin/ui
#20510 Ensure proper escaping for LDAP keycloak storage
#20534 For versions > 18.x.x client mapper is not able to override "name" for OpenID tokens keycloak oidc
#20536 [Declarative User Profile] Optional attributes become required keycloak admin/ui
#20540 `register-node-at-startup` in EAP Client Adapter eventually causes "java.lang.OutOfMemoryError: unable to create native thread keycloak adapter/jee
#20541 Identity providers initialization has to use models keycloak storage
#20550 Update example custom cache configuration for v>21 keycloak docs
#20564 keycloak-admin-client does not url-encode client id and secret for basic auth as defined in RFC6749 keycloak admin/client-js
#20599 Introduced additional dependencies in the testsuite keycloak testsuite
#20615 Moving a group to root loses all its members keycloak admin/ui
#20622 FAPI 2.0 security profile - Reject Implicit Grant executor does not return an appropriate error keycloak oidc
#20635 Add back examples for Kubernetes and Openshift to the quickstarts keycloak core
#20656 Reset password does not show option to sign out from other devices keycloak authentication
#20670 Could not process response from SAML identity provider because "this.text" is null keycloak identity-brokering
#20671 Userinfo endpoint doesn't accept charset keycloak oidc
#20673 Missing SAML Allow ECP Flow option keycloak admin/ui
#20694 Selecting one mapper and switch page select them all keycloak admin/ui
#20700 REST API Documentation ref wrong keycloak docs
#20703 Realm export performance heavily depends on the amount of users per file keycloak import-export
#20723 Keycloak deployed via new keycloak-operator triggers OpenShift alert `IngressWithoutClassName` keycloak operator
#20725 Denial of Service/100% CPU usage: CRLUtils in infinite loop if more than one CRL list is used from different CAs keycloak core
#20732 Keycloak erases form data on validation when `login_hint` is present keycloak account/ui
#20757 SEND_RESET_PASSWORD event is not stored keycloak admin/api
#20782 Mappers tab is not reachable on identity provider settings keycloak admin/ui
#20831 Webauthn signature algorithms are improperly encoded as strings keycloak authentication/webauthn
#20835 There is no server side pagination for sessions keycloak admin/ui
#20847 Private key JWT authentication no longer works on Keycloak 21 keycloak authentication
#20851 Empty shortVerificationUri not the same with default (null) value keycloak authentication
#20855 Session cross-reference / transaction mismatch keycloak core
#20878 Emails with non-ascii characters are not allowed since v21.0.0 keycloak user-profile
#20888 Flaky test: org.keycloak.operator.testsuite.integration.ClusteringTest#testKeycloakScaleAsExpected keycloak operator
#20895 Keycloak's default http client doesn't check HTTP response code keycloak core
#20920 keycloak-server from testsuite won't start keycloak testsuite
#20947 Partial Import is not working for resource Type in keycloak 21.1.1 keycloak import-export
#20951 Jump links render wrong on small screens keycloak admin/ui
#20954 Performance degradation when upgrading from RHSSO 7.6 to KC22 caused by TLSv1.3 processing keycloak dist/quarkus
#20974 Avoid loading classes and resources from new store if legacy is enabled keycloak storage
#20977 NPE when shutting down JPA after a failed initialization keycloak storage
#20978 processGrantRequest in TokenEndPoint uses new TokenManager instead of this.tokenMananager keycloak oidc
#21045 Custom User Storage Provider gets disabled when saved keycloak admin/ui
#21047 Role details not visible unless the user has "View Realm" enabled keycloak admin/ui
#21095 Group list isn't filtered based on permission like user lists keycloak admin/fine-grained-permissions
#21106 Service Account Impersonation fails and results in weird browser state keycloak core
#21120 Client scopes mapping not available for users with "view-clients" and "query-clients" keycloak admin/ui
#21234 custom user storage provider update in admin-ui disables it, and stores value “t” as enabled keycloak admin/ui
#21242 GroupResource POST /children cannot update existing subgroups keycloak admin/api
#21263 Broken Links / Redirects Issues in Docs - 2023-06-27 keycloak docs
#21290 UserSessionConcurrencyTest#testConcurrentNotesChange fails intermittently keycloak testsuite
#21295 UserSessionProviderModelTest#testRemoteCachesParallel sessions are not removed after the test keycloak testsuite
#21300 Keycloak Docs for Native App Redirect URI Should Recommend the IP literal keycloak docs
#21307 3rd party check in iframe not working anymore in safari and keycloak 21.1.2 keycloak oidc
#21317 [docs] External Links Errors - saml.xml.org http -> https redirect keycloak docs
#21349 List of tested database in docs doesn't match pom.xml keycloak docs
#21358 NPE in Edit Identity Provider Mapper on second Save keycloak admin/ui
#21394 SSSD users with capitals in the email cannot login to keycloak keycloak core
#21412 JavascriptAdapterTest is broken due to the multiple initialization of JS adapter keycloak testsuite
#21427 Nexus staging plugin failing after Java 11 deprecation keycloak ci
#21451 Cookie error on second browser tab keycloak core
#21456 Quarkus 3.2 changed the property for quarkus.transaction-manager.object-store-directory keycloak dist/quarkus
#21491 Wrong message for sync actions on LDAP role mapper keycloak admin/ui

Authorization Survey

Alec Henninger — Thu, 6 Jul 2023 00:00:00 GMT

Services dedicated to authorization are evolving rapidly. There is a steady establishment of policy languages, purpose-built for authorization, as well as a growing number of implementations of Google’s "Zanzibar" whitepaper, their global, consistent authorization system.

To better understand how we should evolve Keycloak Authorization Services in this context, we’d appreciate the opportunity to learn more about the Keycloak communities' authorization use cases and experience, regardless of whether you’ve used Keycloak Authorization Services before or if you use a different service for access management.

Please consider filling out this brief, anonymous survey to help shape Keycloak’s future authorization experience.

Survey - Cross-Site Replication in Keycloak

Stian Thorgersen — Fri, 30 Jun 2023 00:00:00 GMT

The Keycloak and Infinispan engineering teams are working together to bring Cross-Site Replication (CSR) to a fully supported state in future Keycloak releases, with Active/Passive support and Active/Active support.

We would like to gather inputs on your expectations, requirements, use-cases and sizing of the target deployment environments for the CSR feature. Thanks in advance for filling out this survey form to help us better plan and deliver this feature.

If your are interested in Active/Passive or Active/Active deployments of Keycloak please fill in the survey.

Keycloak 21.1.2 released

Wed, 28 Jun 2023 00:00:00 GMT

To download the release go to Keycloak downloads.

Release notes

Changes in validating schemes for valid redirect URIs

If an application client is using non http(s) custom schemes, from now on the validation requires that a valid redirect pattern explicitly allows that scheme. Example patterns for allowing custom scheme are custom:/test, custom:/test/* or custom:*. For security reasons a general pattern like * does not cover them anymore.

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Enhancements

#20613 Avoid using user property mapper when resolving root user attributes keycloak

Bugs

#17165 Issue with "User-Initiated Action Lifespan" keycloak admin/ui
#19080 Vulnerable packages and or dependencies found in keycloak 21.0.1 quarkus distribution keycloak dist/quarkus
#19286 CVE-2022-1471 keycloak dependencies
#19491 Cannot set initial password for new users when using a custom UserFederation keycloak
#19689 SAML Encryption: Missing Support for http://www.w3.org/2009/xmlenc11#rsa-oaep keycloak saml
#19835 Keycloak issues on edge and after chrome upgarde to 112 (with experimental features) keycloak oidc
#19865 Enabling Dynamic Scope missing in UI keycloak admin/ui
#19879 Incorrect function is used in 'keycloak-admin-client' library in getToken function keycloak adapter/javascript
#19883 Saving client admin-cli in master realm gives a javascript error keycloak admin/ui
#19966 Paginating on the group tree view doesn't work keycloak admin/ui
#19974 Dropdown options on Documentation pointing to 21.1 endpoint instead of latest and throwing 404 when clicking on it. keycloak docs
#19981 Keycloak 21.1.1: Paging and filtering not working in "Assign roles" popup for Groups keycloak admin/ui
#19999 Keycloak 21.1.1: filter on Sessions gets stuck keycloak admin/ui
#20032 Processing of env variable references in config file broken keycloak dist/quarkus
#20068 LDAP Mapper Action Menu Error keycloak admin/ui
#20087 Event-Type: "User info request error" does not work keycloak admin/ui
#20096 Create new user UI: username is not marked with an asterisk keycloak admin/ui
#20140 role filter has no effect on roles list keycloak admin/ui
#20143 required fields don't show errors when user profile is enabled keycloak account/ui
#20258 OTP devices are not shown in the admin UI keycloak admin/ui
#20307 Test `InternationalizationTest` fails in CI keycloak testsuite
#20370 Deleting a client scope in the Admin UI should redirect to the list of ClientScopes keycloak admin/ui
#20379 SAML Protocol Mapper's NameIDFormat is null keycloak admin/ui
#20515 Headers is not defined keycloak admin/client-js
#20663 Fix for certificate revalidation keycloak

New Keycloak maintainer: Alexander Schwartz

Bruno Oliveira — Tue, 27 Jun 2023 00:00:00 GMT

We’re delighted to announce Alexander Schwartz as an official maintainer of Keycloak.

Alexander started contributing to Keycloak in 2015. He applied it in several customer installations and is maintaining the Dropwizard module for Keycloak. In January 2022, he joined Red Hat. Since then, he has contributed to Keycloak’s store and documentation and is the key contributor to the Keycloak benchmark project. He helped with Keycloak’s submission to CNCF, and represented Keycloak at KubeCon Amsterdam in April 2023.

He has shown his commitment to the Keycloak community by collaborating on design discussions, participating in GitHub discussions, reviewing pull-requests, answering questions on the Keycloak mailing lists, contributing to new features, bug fixes and triaging GitHub issues.

The Keycloak team is very excited to welcome Alexander as our new maintainer and long-time contributor.

Keyconf 23

Marek Posolda — Thu, 4 May 2023 00:00:00 GMT

We would like to invite you to the Keycloak conference Keyconf 23!

The event will take place on June 16 in London. The details about this event together with the links for free registration are here!

The Keyconf conference takes place the day after the IDM Identity Management conference. If you are interested in security in general, this is a good opportunity to join the both conferences.

New Keycloak maintainer: Sebastian Schuster

Stian Thorgersen — Tue, 2 May 2023 00:00:00 GMT

We are pleased to welcome Sebastian Schuster as an official maintainer of Keycloak.

Sebastian has contributed to Keycloak since 2019, when he convinced his company Bosch to use Keycloak for identity and access management. He has been active in the community providing help, taking part in discussions and contributing. Behind him, there is a whole team at Bosch providing more than 60 contributions over the last years in various areas. The declarative user profile was the most prominent feature contributed.

His company allows him to dedicate a considerable amount of time for Keycloak to help review contributions and reports and get involved in discussions. Since Sebastian has got experience operating Keycloak on a wide scale over several years, he will focus on topics around cloud-native and Keycloak operations like observability.

Not only will Sebastian on his own bring a lot of value to Keycloak, but he will also serve as an integration point for Bosch to enable more contributions from his team, allowing them to contribute more value to Keycloak in the future.

Keycloak 21.1.1 released

Wed, 26 Apr 2023 00:00:00 GMT

To download the release go to Keycloak downloads.

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Bugs

#17514 SAML2 Client Signing Keys Config does not accept PEM import keycloak admin/ui
#19469 ClientPolicies: Deserialization of `MultivaluedString ` config property doesn't work properly between new admin-ui and backend keycloak admin/ui
#19513 Trusted Hosts configuration in Client Registration Policy not working keycloak admin/ui
#19532 When editing JS policy, the text area with "Code" should be read-only keycloak admin/ui
#19582 UI glitches in Users - Groups - Join Group keycloak admin/ui
#19609 Declarative user profile attribute options validator is not added correctly keycloak admin/ui
#19673 Sessions displayed multiple times keycloak admin/ui
#19800 Installation of keycloak-js fails with npm and yarn keycloak adapter/javascript
#19801 Documentation doesn't have versions set properly keycloak docs
#19803 `.\kc.bat start-dev` on Windows failed to start in 21.1.0 keycloak dist/quarkus
#19841 Upgrade from 21.0.2 to 21.1.0 fails on oracle db keycloak storage
#19850 Keycloak Quarkus Server dependency broken keycloak dependencies
#19867 Not possible to override default or built-in providers keycloak core
#19875 Validators not saved when creating new User profile -> Attribute keycloak admin/ui

Keycloak 21.1.0 released

Thu, 20 Apr 2023 00:00:00 GMT

To download the release go to Keycloak downloads.

Release notes

Monorepo

In the past Keycloak was maintained across multiple GitHub repositories:

Having multiple repositories introduced a lot of complexity and toil. For example frequently multiple pull requests had to be sent to different repositories for a single change.

To simplify things we have now migrated everything into the main repository.

FIPS 140-2 support

FIPS 140-2 support in Keycloak, which was preview in the previous release, is now promoted to be officially supported.

Experimental Account Console version 3

The Account Console version 3 is now available as an experimental feature in Keycloak. This version supports custom fields created with the 'User Profile' feature. If you are looking to try it out and provide us with some early feedback you can enable it as follows:

bin/kc.sh start-dev --features=account3

Changes to Keycloak Authorization Services support in Keycloak Java-based Adapters

As part of the removal of the deprecated adapters, the Keycloak Policy Enforcer was extracted from the adapters code base into a separate dependency:

<dependency>
    <groupId>org.keycloak</groupId>
    <artifactId>keycloak-policy-enforcer</artifactId>
    <version>21.1.0</version>
</dependency>

By providing this dependency, we expect making it possible to integrate the policy enforcer with the Java stack of your preference.

It also provides built-in support for enabling the policy enforcer to Jakarta applications protected with Wildfly Elytron.

For now, this dependency is not yet GA as we are still working on the quickstarts and documentation.

This work should not impact existing applications using the deprecated adapters.

Javascript engine available by default

In the previous version, when Keycloak was used on Java 17 with Javascript providers it was needed to add the Nashorn javascript engine to the distribution. This is no longer needed as Nashorn javascript engine is available in Keycloak server by default.

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

New features

#10733 Keycloak to fire an event upon realm creation/deletion keycloak
#12363 Provide a Galleon feature pack to install the Keycloak Elytron SAML adapter keycloak
#19524 Build Account Console v3 as Maven artifact and include it as a theme keycloak account/ui

Enhancements

#391 Update javascript quickstarts to not copy nashorn keycloak-quickstarts
#11580 Proxy EDGE is not being reflected in the post_logout_redirect_uri - Admin Console Logut button keycloak oidc
#15251 Add mapping UserSessionNoteMapper into UserInfo claims keycloak oidc
#16573 Avoid resolving expressions twice but rely on MP config expression support keycloak dist/quarkus
#17139 Try to use SimpleHttp to execute SOAP calls instead default HttpURLConnection keycloak saml
#17353 Decouple the policy enforcer from adapters and provide a separate library keycloak
#19540 Policy Enforcer built-in support for Elytron and Jakarta keycloak authorization-services
#19560 Switch to quarkus-extension-maven-plugin keycloak dist/quarkus

Bugs

#8849 service-account leaking in get users API with "exact" query parameter set keycloak admin/api
#9564 Authentication Flow ID not imported keycloak core
#9896 Override of SSO Session Max for client does not work keycloak oidc
#9959 Unexpected invalid_grant error on offline session refresh when maximum number of offline sessions is configured keycloak storage
#10164 id_token_hint for external IDP not sent after token expiry keycloak oidc
#10412 Token contains old DB values with "Always Read Value From LDAP" mapper setting keycloak ldap
#11330 Theme can auto-select rememberMe even if disabled in a realm keycloak authentication
#11340 authentication checks cause 'Cookie not found' error keycloak authentication
#11517 POST /{realm}/users/{id}/role-mappings/realm is returning 500 keycloak core
#11730 LDAP user attribute is not updated in local database keycloak ldap
#12048 Items in dropdown menu for sharing resources are not visible keycloak account/ui
#12738 Revoking consent breaks for certain client IDs keycloak account/ui
#13835 Remove `ClearExpiredUserSessions` from services module keycloak storage
#14280 Subject's common name user identity extractor doesn't work with some certificate with RDN multi-valued keycloak authentication
#14613 414 Request-URI Too Long keycloak dist/quarkus
#14650 ciba authentication policy not found in keycloak 19 keycloak oidc
#14932 Default 'first broker login' default first login flow for identity providers ignores realm user registration settings keycloak docs
#14933 jwks endpoint for X/Y coordinates in EC keypair can return less bytes than expected keycloak oidc
#15098 IDENTITY_PROVIDER_FIRST_LOGIN is never triggered keycloak identity-brokering
#15476 NPE on welcome page if setting spi-theme-default and not providing theme keycloak core
#15624 UserInfo: Role name mapper is not respected for user info endpoint keycloak core
#16329 Service Accounts Client must create the Client ID mapper with Token Claim Name as client_id keycloak oidc
#16448 Failed to obtain JDBC connection with built-in H2 in start-dev keycloak storage
#16484 When hitting the account client with the referrer parameter ,the AccountConsole doesn't support the relative Client URLs keycloak account/api
#16587 Regression related to redirect url with port 80 keycloak oidc
#16844 Get UserInfo return 401 Unauthorized keycloak oidc
#16848 New user from identity provider not having attribute mapped to user federation (LDAP) keycloak ldap
#16851 v20.0.2 attempts to URL decode same string up to 5 times for unclear reasons keycloak core
#16888 Getting notification with unknown error when trying to create duplicated sub group. keycloak admin/api
#16965 direct naked impersonation documentation is wrong keycloak token-exchange
#17187 Docker auth: IllegalArgumentException on multiple resource scopes keycloak authentication
#17242 Typo in Outgoing HTTP requests documentation keycloak docs
#17253 Container image from FIPS docs doesn't work keycloak core
#17322 Disabling features with disabled dependencies fails "Feature account2 depends on disabled feature account-api" keycloak core
#17359 Connection string for ldap user federation with multiple hosts no longer supported keycloak core
#17374 User session limit make account console crash and logout the user keycloak authentication
#17403 Keycloak 21.0.1 - Paging and filtering not working in "Assign roles" popup" keycloak admin/ui
#17439 [User Profile Enabled] Email/Password fields disappear from registration when Email as Username is on keycloak user-profile
#17441 Redirect loop with authentication success but access denied at default identity provider keycloak identity-brokering
#17456 Bug in SAML Redirect Binding with 2 validating certificates keycloak saml
#17539 Stepup issue on "remember_me" authentication : alreadyLoggedIn keycloak authentication
#17549 SAML Signature metadata loses certificate info keycloak saml
#17561 group don't have any clickable link even though it have the access right permission on UI keycloak admin/ui
#17569 Theme resource common path is always /keycloak/common keycloak core
#17587 User with "view-clients" role cannot view credentials in Admin Console, but can still use the API to fetch them. keycloak admin/ui
#17588 admin-ui: authz unable to access child group when using fine grained auth keycloak admin/ui
#17591 Username field when creating user when email is set as username keycloak admin/ui
#17592 Admin console doesn't work in case realm name changed to name with space keycloak admin/ui
#17620 /users/count endpoint with search field has different behavior than /users query endpoint keycloak storage
#17635 Error creating realm keycloak admin/ui
#17671 docker image 21.0.1 lacks a Javascript engine keycloak core
#17686 Invalid Frontend URL leads to NullPointerException in OIDC Endpoints keycloak oidc
#17808 "SAML signature key name" attribute is not well forged keycloak admin/ui
#17811 Identity Provider hard coded role mapper does not allow selection of all roles keycloak admin/ui
#17850 New Admin Console does not import X509 Certificate from metadata keycloak admin/ui
#17933 Error! Failed to send email, and Error 400 API keycloak admin/ui
#19057 Experimental configuration options included in the documentation keycloak docs
#19083 [Keycloak 21.0.1] Identity provider JWKS public key is not editable via UI keycloak admin/ui
#19094 Unable to use SAML entity descriptor with transient NameIDFormat keycloak admin/ui
#19122 Read Only Attributes - Outdated configuration guide keycloak docs
#19126 Authentication flows first paragraph seems incomplete keycloak docs
#19128 UserFederationMapperFactory does not seem to exist anymore keycloak docs
#19134 client credentials tab not visible with "view-clients" role keycloak docs
#19145 Cannot produce an access token for the admin console keycloak docs
#19162 Entity collections in Hibernate 6 can't be replaced keycloak storage
#19254 Admin-UI does not show all custom attributes of Authorization Resource keycloak admin/ui
#19261 Flaky test: PhotozExampleLazyLoadPathsAdapterTest keycloak authorization-services
#19273 Adapters tests are failing for EAP and wildfly keycloak testsuite
#19321 Hibernate 6: UnsupportedOperationException: compare() not implemented for EntityType keycloak storage
#19324 Profile is created twice when resolving ignored artifacts keycloak core
#19335 Custom implemention of OIDC Login Protocol doesn't get executed keycloak oidc
#19346 Sending 'application/jwt' Accept header to GET userinfo endpoint returns a 406 error keycloak oidc
#19363 Incorrect documentation around password policies keycloak docs
#19396 memory leak when using ldap user federations keycloak ldap
#19397 Fix SSSDTest keycloak testsuite
#19404 Inconsistent use of Enum storage in legacy store keycloak storage
#19444 Client policies tab crashes in admin console. keycloak admin/ui
#19515 Remove access not working in new account v2 app keycloak account/ui
#19662 Invalid parameter redirect_uri when using an invalid client_id keycloak oidc

Keycloak 21.0.2 released

Thu, 30 Mar 2023 00:00:00 GMT

To download the release go to Keycloak downloads.

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Bugs

#17161 Acquisition timeout while waiting for new connection keycloak storage
#17273 adding package using microdnf no longer works since keycloak version 21 keycloak docs
#17277 Can't accept terms and conditions after upgrade from 20.0.3 to 21.0.0 keycloak authentication
#17281 Avoid recording raw UUIDs URIs in metrics like http_server_requests_seconds collected via micrometer keycloak dist/quarkus
#17337 `testReleaseAllLocksMethod` test is intermittently timing out with HotRod store keycloak storage
#17417 Build on Windows fails keycloak docs
#17427 OutOfMemoryError when running Model Tests in CI keycloak storage
#17790 Unable to use client tls certificate bound access token with the new admin UI keycloak
#17803 Accessibility/Identity Providers: Critical Issues keycloak admin/ui
#17804 Accessibility/Realm Settings: Critical Issues keycloak admin/ui
#17805 Accessibility/Groups: Critical Issues keycloak admin/ui
#17806 Accessibility/Users: Critical Issues keycloak admin/ui
#17807 Accessibility/Clients List: Critical Issues keycloak admin/ui
#17810 Missing visual error information for "Error while evaluating permissions" keycloak admin/ui
#17813 With KC21: Authentication flows "used by" shows the name of the flow, not of the bind keycloak admin/ui
#17814 Wrong role required for Client Settings > Advanced > OpenID Connect Compatibility Modes keycloak admin/ui
#17815 Inconsistent SAML configuration generated for clients with forceNameId keycloak admin/ui
#17816 admin-ui: authz permissions tab not updated when switching between groups keycloak admin/ui
#17817 Alerts don't show in Keycloak nightly, also disrupting user feedback on actions keycloak admin/ui
#17846 In Authorization --> Evaluate, Users and Roles should not both be requred keycloak admin/ui

Update on deprecation of Keycloak adapters

Stian Thorgersen — Wed, 29 Mar 2023 00:00:00 GMT

In 2022 we announced the deprecation of deprecating Keycloak adapters, with a plan to stop delivering most adapters in Keycloak 19.

As we have not been able to make sufficient progress on finding alternatives and work on supporting material to help migrating away from Keycloak adapters we are extending the life of the Keycloak adapters.

The plan is still to eventually stop delivering bespoke Keycloak adapters in the future, but we will do this in a more gradual process than previous laid out.

We still strongly belive that the community as a whole are better served in the long run by us focusing more on the Keycloak server with full compliance and support for specifications such as OAuth 2.0 and OpenID Connect, and adding support for additional relevant extensions to the specifications.

We also believe by leaving the integration for various programming languages and frameworks to the relevant communities, the end result will be more extensive support, with more features and abilities, and last but not least better integrations and easy of use.

OAuth 2.0 and OpenID Connect adapters

Java

For Java applications there is now more than ever wide-spread support for OpenID Connect, where some examples include:

Jakarta Security 3.0 - OpenID Connect support in Jakarta EE 10
Elytron OIDC - OpenID Connect support in WildFly
Quarkus OIDC - OpenID Connect support for Quarkus applications
Spring Security - OAuth and OpenID Connect support in Spring
Pac4j - The Java security framework to protect all your web applications and web services

Neither of these have support for Keycloak Authorization Services though, which is why we are planning to introduce a generic Java client libraries for Authorization Services that can be leveraged with other OpenID Connect client libraries. Expect this to be delivered in Keycloak 22.

The Keycloak Java adapters will remain for a while though, at least towards the end of the year, but likely not be removed until early 2024. At the same time don’t expect the adapters to be updated in terms of adding new features, enhancements, or supporting newer versions of Tomcat, Jetty, WildFly, or Spring.

Node.js

We are still investigating alternatives for Node.js, so plan is available for those one just yet. Expect more information to come later in the year. Regardless of the alternative we will deliver support for Keycloak Authorization Services to Node.js.

The Keycloak Node.js adapter will remain, at least towards the end of the year, but likely not be removed until early 2024.

Client-side JavaScript

For now the Keycloak client-side JavaScript adapter remains, but we are looking into alternatives as well as the potential of completely overhauling our current adapter and continue maintaining and delivering this adapter.

SAML 2.0

We are planning to continue supporting SAML 2.0 for WildFly and JBoss EAP in the long run, but support for Tomcat and Jetty are likely to be removed relatively soon.

Keycloak 21.0.1 released

Wed, 1 Mar 2023 00:00:00 GMT

To download the release go to Keycloak downloads.

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Bugs

#17192 Duplicated set-cookie headers sent causing issues with proxies keycloak authentication
#17248 MigrateT021_0_0 fails with NPE if adminTheme is not configured explictly keycloak core
#17313 When upgrading from v20.0.2 to v21.0.0 I get a NPE on Theme keycloak core

Keycloak 21.0.0 released

Thu, 23 Feb 2023 00:00:00 GMT

To download the release go to Keycloak downloads.

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

New features

#11698 Add an option allowing to disable client registration access token rotation keycloak
#15271 Add support for Microsoft Authenticator keycloak
#16107 Short verification_uri for Device Authorization Request keycloak
#16787 support multi hosted-domain in `GoogleIdentityProvider` keycloak
#17037 Allow configuring of redirectUri for the cordova adapter keycloak adapter/javascript

Enhancements

#1738 Deprecate SHA1 based algorithms for SAML signatures keycloak-documentation
#1743 Documentation of some options of SAML IDP is not up-to-date keycloak-documentation
#8820 Official Support for Microsoft mobile authenticator app keycloak
#8982 Blacklist false positive rate could be set a lot lower. keycloak
#9008 Update client with registration access token gained by client registration keycloak authorization-services
#9017 Pre-authorization hook for client policies keycloak
#9144 Remove Hashicorp Support keycloak dist/quarkus
#9388 Global lock interface keycloak storage
#9420 Use bulk deletes in HotRod store keycloak storage
#9699 Include list of possible option values in help messages. keycloak dist/quarkus
#10018 JPA Map Storage: leverage function-based indexes (Postgresql) keycloak storage
#10090 Remove workaround in HotRodUtils#paginateQuery keycloak storage
#10376 Add MapKeycloakTransaction.exists(id) method keycloak storage
#10988 Remove doubled field from HotRod entities keycloak storage
#11744 Remove `session.area().getById(id)` from Map provider methods keycloak storage
#12067 Investigate a way to update indexes in no-downtime way for HotRod store keycloak storage
#12068 Leverage Infinispan lifespan for ExpirableEntities in HotRod storage keycloak storage
#12950 Implement "advanced claim to group" mapping for SAML keycloak
#13219 Followup: JPA Map store wants to use `hibernate.integrator_provider` in Quarkus keycloak
#13222 Followup: Revisit JTA vs. RESOURCE_LOCAL for JPA map storage for Quarkus and other Setups keycloak storage
#13346 Cannot save profile on User Management Console while CJK characters in username keycloak user-profile
#13544 Quarkus testsuite should use storage=chm by default where it makes sense keycloak testsuite
#13606 Keycloak uses incorrect encryption keys as SAML identity brokers in SPSSODescriptor keycloak
#13632 File map storage: Basic storage keycloak storage
#13725 Make GHA Map-JPA base testsuite running with Quarkus keycloak storage
#14503 Allow to configure firstname and lastname to be optional during registration keycloak user-profile
#14504 Ability to add fields in job template for KeycloakRealmImport CR keycloak
#14583 Provide partial import of realms for the map storage, ideally without needing a representation keycloak storage
#14686 Add missing german translation for emailInstructionUsername keycloak
#14739 Improve readability and manageability of deployment configuration for operator keycloak operator
#14915 Cleanup setting of Hibernate version twice in root pom and Quarkus pom keycloak dist/quarkus
#15026 Declarative user profile should allow to mark the email attribute as non required keycloak
#15053 Remove deprecated methods from `login-failure` area from `user-session` interface keycloak storage
#15223 Make sure the KeycloakSession is not closed more than once keycloak core
#15234 Switch to micrometer metrics keycloak
#15256 Expose attribute metadata from the User API keycloak user-profile
#15374 Remove dependencies on Resteasy API and rely on JAX-RS API as much as possible keycloak
#15450 Remove unnecessary injection points from JAX-RS (sub)resources keycloak
#15507 JPA Map Storage: leverage function-based indexes (CockroachDB) keycloak storage
#15525 Remove unnecessary injection points from our JAX-RS resources keycloak
#15576 Enable Oracle DB drivers for KeycloakServer in the testsuite utils keycloak
#15602 Remove injection points for Resteasy contextual data and use the Keycloak context instead keycloak
#15603 Keycloak distribution contains testing libraries keycloak dist/quarkus
#15605 Avoid creating proxies at runtime for Rest-based SPIs keycloak
#15612 Client registration service must not check client protocol for Bearer token keycloak
#15644 Review `set-quarkus-version.sh` keycloak dist/quarkus
#15666 Update to latest version of Keycloak Actionbot keycloak
#15677 Enumerate fields in autogenerated class descriptor keycloak storage
#15706 Create model-map-file module with empty implementations keycloak storage
#15740 ./kc.sh does not pickups conf/quarkus.properties keycloak docs
#15749 Add logging to KeycloakModelUtils.runJobInRetriableTransaction keycloak storage
#15810 Remove dependency on Resteasy Multipart Provider keycloak
#15811 Make sure JAX-RS resource methods are advertizing the media type they support keycloak
#15812 ConcurrentModificationException in DeclarativeUserProfileProvider keycloak user-profile
#15846 Support autogeneration of camel case field names keycloak storage
#15885 Add write ability to file store keycloak storage
#15890 Introduce tests for pessimistic locking usecases keycloak storage
#15901 Enable Infinispan Metrics keycloak
#15946 User Attribute Policy keycloak
#15977 Upgrade to Infinispan 14.0.4.Final keycloak storage
#16008 Update to JBoss Parent 39 keycloak
#16020 Adding CRDB into GHA for the new store keycloak storage
#16089 Normalize memory usage in tests and OOM behavior keycloak storage
#16091 Cache Maven Wrapper JAR in GitHub actions keycloak ci
#16139 The search does not work if only partial information is entered keycloak
#16220 Clarify using of `--optimized` flag with DBs keycloak docs
#16224 Incrementally cache consents on a per client basis keycloak infinispan
#16248 Keycloak operator. Add labels to keycloak PODs keycloak
#16281 Keep consistency when importing realms at startup when they are exported via the `export` command keycloak
#16308 Compatibility with Maven4 build cache and parallel builds keycloak ci
#16320 Single client export bug keycloak
#16373 Remove invalid property from Operator properties keycloak dist/quarkus
#16420 Support runnning tests using an embedded distribution keycloak
#16529 Move Admin UI custom REST endpoints to main repository keycloak
#16616 Make lockTimeout better configurable in JpaMapStorageProviderFactory keycloak storage
#16676 Create basic read-only file store keycloak storage
#16690 Make LockAcquiringTimeoutException a runtime exception keycloak storage
#16751 Do not enable caching metrics by default and provide a guide keycloak
#16807 KeycloakIngress (controller) should configure edge TLS when back-end protocol is HTTP keycloak operator
#16892 Update proxy guide with information about session stickness keycloak docs
#16921 Recovery codes input error not displayed in the standardized way keycloak
#16962 Make it possible to run the embedded distribution in FIPS mode keycloak
#17133 Apply documentation standards to Getting Started Guides keycloak
#17134 Create an SPI for DeviceActivityManager keycloak
#17865 Add "Encryption algorithm" option of SAML IDP keycloak admin/ui
#17935 Update message for 'Valid Post Logout Redirect URIs' client option keycloak admin/ui
#18080 Testing running on release branches keycloak admin/ui

Bugs

#8833 Performing an external-to-internal token exchange with an ID token with provider mappers enabled results in `unknown_error`. keycloak token-exchange
#8958 NullPointerException when editing a sub flow without a description keycloak authentication
#9003 Documentation Error: User Storage SPI: CredentialInputValidator keycloak core
#9345 Can't join a node under certain conditions keycloak admin/api
#9771 Hard-coded signature algorithm in token verification keycloak oidc
#9991 required action terms_and_conditions is not imported keycloak import-export
#10668 Kerberos User Federation creates a user that does not exist keycloak ldap
#10672 Kerberos User Federation creates a user that does not exist when username including "//" keycloak ldap
#10755 Replace operation set wrong lifespan in remote infinispan database and leads to session eviction keycloak storage
#10958 Client ID in LDAP Mappers User Federation doesn't align with Rename Client ID keycloak ldap
#11608 Realm password policy regex does not work keycloak authentication
#11627 New cluster joiners hang while trying to preload remote sessions (not offline) keycloak storage
#11726 Conflicting data returned for /users/id and /users endpoints when user is temporarily locked keycloak admin/api
#11783 Timeout when waiting for 3rd party check iframe message. keycloak adapter/javascript
#12039 Account console doesn't show the currently logged in user keycloak account/ui
#12053 [SAML Broker] BadPaddingException because Keycloak uses signing key pair for decryption keycloak saml
#12523 DELETE user api uses inefficient SQL queries while deleting data from OFFLINE_CLIENT_SESSION keycloak storage
#12567 SQLGrammarException would occur if a user doesn't belong to any groups keycloak storage
#12618 Role name containing ";"(semicolon) leads "Resource not found..." error in the admin console keycloak admin/api
#12649 GET /{realm}/users/{id}/groups ignores 'search' query parameter keycloak admin/api
#12819 Inconsistent behavior of group attribute caching keycloak storage
#12913 Keycloak 18.0.2 mixed content issue. keycloak dist/quarkus
#12970 Public URL autodetection from request does not work when using reverse proxy on non standard ports keycloak dist/quarkus
#12979 Admin console infinite redirect loop before password prompt keycloak dist/quarkus
#13063 Setting hostname-admin=localhost redirects to keycloak.example.com keycloak dist/quarkus
#13089 Infinispan/TCPPING does not span the cluster over all specified nodes keycloak dist/quarkus
#13114 Reencrypt proxy ignored with new operator keycloak operator
#13122 Deleting Users in Keycloak Cluster with 3 or more Nodes is not possible keycloak dist/quarkus
#13148 keycloak(behind nginx) .well-known/openid-configuration path not return correct token or jwt url（custom port loss） keycloak dist/quarkus
#13157 Response_mode not setup on request when using keycloak Java client keycloak authorization-services
#13210 JPA Map Storage with CRDB: ConcurrentLoginTest failures keycloak storage
#13236 Username is removed when updating service account with empty/null email when declarative user profile and registrationEmailAsUsername is enabled keycloak user-profile
#13340 Performance Issues with many offline sessions keycloak storage
#13354 LDAP integration doesn't map emails keycloak ldap
#13656 I get these [com.arjuna.ats.arjuna] warnings and right after the readiness probe dies keycloak storage
#13988 19 - update-email feature - email change does not affect the username when "Email as username" option is checked keycloak authentication
#14035 User/User Profile API inconsistent behaviour : partial PUT clear all user fields when user profile enabled keycloak user-profile
#14071 Keycloak docker container default theme environment variable not working keycloak dist/quarkus
#14173 IDP Provider is hidden from the login form after the back button is pressed keycloak authentication
#14197 Configurable session limits bug on chrome & edge keycloak authentication
#14234 SigningInPage has wrong icon keycloak account/ui
#14323 Unexpected error when authenticating client: java.lang.RuntimeException: Illegal base64url string! keycloak oidc
#14433 customized ingress resource is deleted as soon as a Keycloak pod is killed keycloak operator
#14537 400 for /token endpoint for Multiple Keycloak Servers keycloak dist/quarkus
#14610 Default Build Failing Due to Test Failures keycloak core
#14638 Keycloak 19.0.1 can not atrt with mariaDB 10.8.4 keycloak dist/quarkus
#14657 Keycloak 18.0.0 - Upgrade to 19.0.2 - ISPN Cache error keycloak dist/quarkus
#14689 User Session Count Limiter not working for some users keycloak authentication
#14703 Email field that is not required still renders with an asterisk in registration form keycloak authentication
#14772 Paging for "Users in role" is not guaranteed to work with JPA keycloak storage
#14794 Error when using similar keys with different algorithms in a jwks for identity provider signature validation keycloak oidc
#14843 User password is visible on admin events tab keycloak authentication
#14884 Weird export/re-import behaviour regarding `post.logout.redirect.uris` keycloak oidc
#15008 Configure custom user provider results in RuntimeException: Failed to find provider map for user keycloak dist/quarkus
#15021 Unable to create idp role mapper (oidc / saml) with old admin UI keycloak admin/ui
#15060 Transaction deadlock with Microsoft SQL if "sendStringParametersAsUnicode=false" not set in db url properties keycloak storage
#15083 Status 500 when trying to retrieve non-existing external IDP token keycloak oidc
#15093 JPA Map Storage: JpaRootAuthenticationSessionEntity constructor missing version parameter keycloak storage
#15116 Old admin console theme still visible for selection even though the corresponding feature is disabled keycloak admin/ui
#15118 Build Timeouts on integration tests keycloak ci
#15231 Groups beyond first 10 are not accessible keycloak admin/ui
#15236 Cannot convert undefined or null to object keycloak admin/ui
#15252 Conditional Authentication flow - Deny Access Error Message - custom property not loaded keycloak authentication
#15269 User Profile removes all user attributes keycloak admin/api
#15278 KeycloakErrorHandler throws NPE if session is missing keycloak core
#15295 AdminV2 not loading through reverse proxy (reencrypt) keycloak admin/ui
#15324 KC_HTTP_RELATIVE_PATH --http-relative-path ingress or nginx not work keycloak admin/ui
#15326 Multipod (kubernetes) upgrade from v19 to v20 fails keycloak infinispan
#15346 Error when loading public keys keycloak oidc
#15361 user_info not working after upgrading from 19.0.3 to 20.0.0 keycloak oidc
#15394 Admin account user name is forcibly changed keycloak dist/quarkus
#15412 All configurations documentation lists database vendor as a build configuration keycloak docs
#15422 Keycloak User Federation Provider LDAP connection with Azure Active Directory connection is unsuccessful. keycloak ldap
#15429 NPE in userinfo endpoint keycloak oidc
#15431 User Profile Attributes not showing up in Admincp User view and User account management view keycloak
#15432 Startup Fails with NullPointerException in Kubernetes with Keycloakx Helm chart keycloak core
#15449 Not able to create user with non english character in Keycloak 14 environment keycloak admin/ui
#15482 User Federation: getReadable() can throw a NPR for a federated user if the user has no attributes keycloak storage
#15485 12.0.4 - User names fields accept special characters keycloak admin/ui
#15487 Flaky test: Model Tests DBLockTest keycloak testsuite
#15493 make nginx certificate-lookup thread safe keycloak authentication
#15497 Unknown bind DN using LDAP anonymous bind aka bind type none keycloak ldap
#15503 Flaky tests: Connection timed out to repo.maven keycloak testsuite
#15538 Custom admin theme not working keycloak admin/ui
#15539 Invalid redirect uri / keycloak authentication
#15558 UserSessionProviderTest#testOnClientRemoved fails on CockroachDB keycloak storage
#15564 Flaky test: RequiredActionTotpSetupTest.setupTotpExistingReusableCodeDisabled keycloak testsuite
#15566 Failed to generate javadoc keycloak
#15571 Keycloak 20.0 - Build Configurations not applied? KC_FEATURES=token-exchange keycloak
#15607 JDK 17 InaccessibleObjectException with infinispan keycloak storage
#15608 Keycloak wrongly assumes that the default datasource is the first one keycloak dist/quarkus
#15614 Fix update of group mappers on certain changes of the group path keycloak
#15656 Password change sometimes triggers error keycloak core
#15668 User Profile: Editing the username attribute adds empty permissions keycloak user-profile
#15685 Search by group attributes might break on OracleDB keycloak storage
#15687 IdentityProviderModel from third party packages are ignored keycloak identity-brokering
#15699 Unique constraints should use attribute value hash instead of the value itself keycloak storage
#15701 Unable to run map-storage-jpa tests with custom Postgres image keycloak testsuite
#15712 Keycloak won't start due to Unsupported database file version or invalid file header in file "/var/lib/keycloak/data/h2/keycloakdb.mv.db" [90048-214] keycloak core
#15718 Flaky test: RefreshTokenTest.tokenRefreshRequest_ClientES512_RealmRS256 keycloak testsuite
#15738 ERROR: Failed to start server in (production) mode after update from 19.0.3 quarkus to 20.0.1 keycloak core
#15739 Device Authorization Grant fails with valid S256 code challenge keycloak core
#15744 CORS error from token endpoint keycloak authentication
#15761 Flaky test: JavascriptAdapterTest.implicitFlowOnTokenExpireTest keycloak testsuite
#15767 Make KeycloakDeploymentBuilder initialize CryptoIntegration keycloak core
#15777 Can't change 'Restart login' keycloak account/ui
#15781 kc 19.0.3 with oracle 11g: realm export with users leads SQL Error: 1000, SQLState: 72000 (maximum open cursors exceeded) keycloak storage
#15801 Multiple failures in Model Tests keycloak testsuite
#15803 Keycloak upgrade fails: relation databasechangeloglock already exists keycloak core
#15806 Console not login since Keycloak 19+ keycloak authentication
#15807 fix typo in kcWebAuthnKeyIcon keycloak account/api
#15817 Get opentid token server error keycloak account/api
#15823 Overriding email template provider according to guide fails keycloak core
#15824 Failed to find Liquibase implementation when using Postgres DB keycloak core
#15849 JPA Map Storage: Add transaction retry logic to LoginActionsService.authenticate keycloak storage
#15869 Upload Script error keycloak account/api
#15886 After changing URL, admin console load old URL keycloak admin/ui
#15889 Keycloak 20.0.1 on Oracle Database - ORA-00932: inconsistent datatypes: expected - got NCLOB keycloak core
#15894 Sign in to your account with SAML integration resulting in "Unexpected error when authenticating with identity provider" and no error found on logs. keycloak saml
#15904 Flaky test: HostnameDistTest keycloak testsuite
#15916 Java 17 support not given keycloak dist/quarkus
#15921 Can not set Context path on Keycloak 20 keycloak dist/quarkus
#15925 JAVA_OPTS_APPEND does not allow overriding the ipv4/ipv6 setting keycloak dist/quarkus
#15944 API call to get user profile config should allow any admin role. keycloak admin/api
#15952 export client saml key JKS from realm ui admin theme keycloakv2 give invalid JKS keycloak admin/ui
#16002 Health Check failure when KC_HTTP_RELATIVE_PATH set on 20.0.0 keycloak core
#16030 Better error handling on startup keycloak dist/quarkus
#16046 GHA are not running HotRod tests because of config error keycloak storage
#16047 NPE while trying to access the list of users in the admin console keycloak admin/api
#16048 Flaky test: OfflineServletsAdapterTest keycloak ci
#16053 `FieldsGenerator` doesn't generate `getMapKeyClass()` and `getMapValueClass()` for `Map config` fields keycloak storage
#16067 Title/header of Admin REST API page incorrectly shows placeholder keycloak docs
#16069 Stuck at Loading the admin console keycloak admin/cli
#16078 Flaky test: UserSessionConcurrencyTest.testConcurrentNotesChange keycloak storage
#16079 Flaky test: UserSessionExpirationTest>KeycloakModelTest.createEnvironment keycloak storage
#16099 Keycloak admin page is not loading keycloak dist/quarkus
#16108 Flaky test: org.keycloak.testsuite.federation.kerberos.KerberosLdapTest#spnegoLoginTest keycloak ci
#16109 Flaky test: org.keycloak.testsuite.federation.kerberos.KerberosLdapTest#validatePasswordPolicyTest keycloak ci
#16110 Flaky test: org.keycloak.testsuite.federation.kerberos.KerberosLdapTest#testClientOverrideFlowUsingBrowserHttpChallenge keycloak ci
#16111 Flaky test: org.keycloak.testsuite.federation.kerberos.KerberosLdapTest#writableEditModeTest keycloak ci
#16112 Flaky test: org.keycloak.testsuite.federation.kerberos.KerberosLdapTest#spnegoCaseInsensitiveTest keycloak ci
#16113 Flaky test: org.keycloak.testsuite.federation.kerberos.KerberosLdapTest#usernamePasswordLoginTest keycloak ci
#16114 Flaky test: org.keycloak.testsuite.federation.kerberos.KerberosLdapTest#credentialDelegationTest keycloak ci
#16115 Flaky test: org.keycloak.testsuite.federation.kerberos.KerberosLdapTest#spnegoLoginWithRequiredKerberosAuthExecutionTest keycloak ci
#16116 Flaky test: org.keycloak.testsuite.federation.kerberos.KerberosLdapTest#spnegoNotAvailableTest keycloak ci
#16117 Flaky test: org.keycloak.testsuite.federation.kerberos.KerberosLdapTest#spnegoWithInvalidTokenTest keycloak ci
#16125 Warning printed in Keycloak CI jobs keycloak ci
#16130 Flaky test: org.keycloak.testsuite.cookies.CookiesPathTest#testOldCookieWithNodeInValue keycloak ci
#16131 Flaky test: org.keycloak.testsuite.cookies.CookiesPathTest#testMultipleCookies keycloak ci
#16132 Flaky test: org.keycloak.testsuite.cookies.CookiesPathTest#testOldCookieWithWrongPath keycloak ci
#16133 Flaky test: org.keycloak.testsuite.cookies.CookiesPathTest#testCookiesPath keycloak ci
#16143 Flaky test: org.keycloak.testsuite.forms.LoginTest#loginWithoutForcePasswordChangePolicy keycloak ci
#16174 Username is not updated if email was changed keycloak user-profile
#16191 Keycloak 20.0.1 quarkus Distro is failing with MSSqlServer on second time restart keycloak core
#16202 LinkageError for FipsMode during startup keycloak core
#16211 AccountConsole leaks translated messages into cached theme keycloak account/ui
#16216 Some authorization adapter test failing on Java 17 keycloak testsuite
#16222 operator doesn't watch other namespaces keycloak operator
#16232 Flaky test: org.keycloak.testsuite.admin.UserTest.sendResetPasswordEmailWithCustomLifespan keycloak ci
#16240 SAMLServletAdapterTest and SAMLFilterServletAdapterTest failing on Java 17 keycloak testsuite
#16255 Field generator: `getCollectionElementClass` method not generated when no addElement method is present in interface keycloak storage
#16261 io.quarkus.builder.BuildException caused by java.lang.OutOfMemoryError: unable to create native thread keycloak dist/quarkus
#16263 Do not show username field when updating profile if UPDATE_EMAIL feature is enabled and email as username is enabled keycloak user-profile
#16274 Read-only user attributes error from Keycloak Admin API keycloak admin/api
#16283 No data stored in external database (MariaDB) keycloak storage
#16290 Migrating from keycloak 15 to keycloak 20.0.1: If we pass wrong username then getting Internal Server Error keycloak core
#16297 NPE if user not exists in PolicyEvaluationRequest keycloak admin/api
#16306 Role/Group based authentication not working for users authenticated by External IdPs (Azure AD, GitHub etc) keycloak authorization-services
#16313 In CI, new-store-integration-tests for CRDB is sometimes cancelled after 70 minutes keycloak storage
#16317 EntityField `mapPut` and `collectionAdd` default methods doesn't insert an element when `get(e)` returns `null` keycloak storage
#16330 Hibernate 6 upgrade: native query registration keycloak storage
#16332 Hibernate 6 upgrade: unable to extract query parameter name in QueryCacheKey keycloak storage
#16333 Email theme is not working after update to 20.0.2 keycloak translations
#16334 Hibernate 6 upgrade: API changes in JpaAutoFlushListener keycloak storage
#16335 Hibernate 6 upgrade: valueType in `JsonbType` is no longer set keycloak storage
#16336 Hibernate 6 upgrade: JSON functions need to be registered using new APIs keycloak storage
#16337 Hibernate 6 upgrade: Entity -> id mapping no longer automatically done keycloak storage
#16347 Priority order of protocol mappers keycloak oidc
#16401 Clients secret with % for clients (access type : confidential) have to be encoded keycloak authorization-services
#16403 Keycloak - Missing data in the userinfo response keycloak core
#16443 Keycloak 19.0.1 search from UI bug keycloak admin/ui
#16465 ElytronSessionTokenStore#logoutHttpSessions() does not work as expected due to UNDERTOW-2159 keycloak adapter/jee
#16467 The user could not be deleted unknown_error keycloak account/api
#16502 Hibernate 6 upgrade: Warning about missing Bean Validation provider keycloak storage
#16513 Wrong property for events in map-storage-hot-rod on Undertow keycloak storage
#16514 Flaky tests: DateTimeParse failures in New Account Console tests keycloak ci
#16538 Quarkus 3: Model tests fail to finish keycloak testsuite
#16552 JpaClientModelCriteriaBuilder doesn't work correctly with H6 keycloak storage
#16584 Userinfo Endpoint Gives 500 (nullpointerexception) on POST request keycloak account/api
#16586 Upgrading from keycloak 20.0.1-20.0.2+ breaks app logout keycloak oidc
#16592 Memory leak when running the embedded server keycloak core
#16605 http-relative-path is not working keycloak core
#16622 Snyk workflow failing when running the checks against the Operator keycloak ci
#16634 Hibernate Error performing load command with JDK 17 keycloak storage
#16642 Database migrations are not transactional keycloak storage
#16649 Fixing OfflineSessionPersistenceTest in Quarkus3 branch keycloak storage
#16657 Flaky test: org.keycloak.common.ProfileTest#enablePreviewWithPropertiesFile & #configWithPropertiesFile keycloak ci
#16658 Label for "Review Profile config" modal is not displayed properly in new admin console keycloak admin/api
#16669 Flaky test: org.keycloak.testsuite.ui.account2.WelcomeScreenTest#resourcesTest keycloak ci
#16679 Update Email Action does not properly update username if username=email is active keycloak authentication
#16684 cannot open admin console after upgrade to 20.0.3 keycloak admin/ui
#16693 Hibernate 6 referencing m:n association from both entities with both `joinColumns` and `inverseJoinColumns` causes interference keycloak storage
#16705 Snyk Workflow failing due to the usage of the same category on multiple sections keycloak ci
#16711 SAML tests in quarkus3 branch failing due to missing SAAJ factory keycloak testsuite
#16721 Failing tests due to outdated X509Certificate request attribute name keycloak testsuite
#16727 Keycloak 20.0.3 container does not support Java 17 keycloak dist/quarkus
#16743 ArtifactBindingTest fails on quarkus 3 branch with ClassNotFoundException keycloak testsuite
#16745 ISPN000559: Cannot marshall 'class org.infinispan.marshall.protostream.impl.MarshallableUserObject': java.io.NotSerializableException: org.keycloak.models.cache.infinispan.entities.NonExistentItem keycloak dist/quarkus
#16775 Operator ignores DB vendor when using custom image. Forces h2 instead of chosen vendor. keycloak operator
#16797 Make sure PBKDF2 providers are using the expect size for derived keys keycloak authentication
#16801 Log message about leaked statement in JPA map storage keycloak storage
#16804 Connection Refused on Quarkus Tests keycloak dist/quarkus
#16818 Any tests using PhantomJS failing in some newer linux environments keycloak testsuite
#16857 Fix `Overwriting value of clientRole field` log message keycloak storage
#16880 Keycloak LDAPS does not find valid certification path to requested target in Production keycloak ldap
#16899 [typing] user.listGroups typing seems incorrect keycloak admin/client-js
#16901 Can't update user groups keycloak admin/client-js
#16974 Trivy Workflow failing with context deadline exceeded keycloak ci
#16988 application/x-unknown-content-type when loading admin console JS and CSS keycloak admin/ui
#17010 Changing realm id will not update relative URLs in `account-console` client keycloak account/ui
#17022 lastSync value into COMPONENT_CONFIG is always updated keycloak core
#17029 File store path traversal keycloak storage
#17141 Exception in log: Response already committed, can't be changed keycloak storage
#17162 build failed with pom can not import keycloak ci
#17197 Discovery document is missing mandatory fields keycloak account/api
#17216 Link "Sign out" incorrectly hardcoded to localhost in the authz example applications keycloak testsuite
#17833 Paging doesn't work on filtered tables keycloak admin/ui
#17870 User profile - Button email verified doesn't appear keycloak admin/ui
#17874 Client assertion signature configuration of identity broker is missing on new security admin console keycloak admin/ui
#17887 User profile - Validation Options not working keycloak admin/ui
#17914 Client Advanced Settings: Access Token Lifespan displayed as "Never expires" when realm value is used (default 1h) keycloak admin/ui
#17919 Federation Link no longer visible for Users keycloak admin/ui
#17920 User profile - firstName not showing keycloak admin/ui
#17921 [Keycloak 20.0.1 ] JWKS url can't be configured keycloak admin/ui
#17925 New admin console missing action that allows synchronizing LDAP groups to Keycloak keycloak admin/ui
#17937 Custom User Provider SPI: MULTIVALUED_STRING_TYPE setting not being shown on ui (but saved and retrieved) keycloak admin/ui
#17968 Azure AD Error: AADSTS90023: Unsupported 'prompt' value keycloak admin/ui
#17974 Align user profile UI with the behavior from the old admin console keycloak user-profile

FIPS 140-2 experimental support

Marek Posolda — Wed, 16 Nov 2022 00:00:00 GMT

We are glad to announce that latest Keycloak 20 release contains experimental support for FIPS 140-2!

The FIPS 140-2 standard is a set of requirements for cryptography modules, which needs to be met for the software used by U.S. governments and related parties. The FIPS compliant software should use only secure cryptography algorithms allowed by the FIPS specification and must use them in a secured way. Keycloak does not directly implement any cryptography algorithms, however it internally needs to use lots of cryptography functionalities. For this purpose, Keycloak mostly relies on the Java cryptography SPI and 3rd party libraries for implementing cryptography related functionality - especially the BouncyCastle library.

FIPS support is usually enabled at the OS level. For example, during installation of RHEL 8.6 , you can enable kernel flag during OS installation to make sure that your OS is FIPS compliant. When FIPS is enabled at the OS level, it means that various packages including OpenJDK are also set to be FIPS compliant and are pre-configured to rely on FIPS approved functions. For example java.security configuration file is pre-configured to contain only FIPS compliant security providers.

The FIPS support in Keycloak means that the Keycloak server can run on the FIPS compliant OS with FIPS compliant Java. It also means that the Keycloak server is FIPS compliant and can be used by parties, which strictly require FIPS 140-2 support. Even if you do not use the FIPS enabled OS, you can still try the FIPS enabled Keycloak server by using custom java.security file with only BouncyCastle-FIPS security providers configured as described in the instructions below in the step 4.

Thanks to David Anderson, who contributed parts of this feature. Also, thanks to Sudeep Das and Isaac Jensen for their initial prototype effort, which was used as an inspiration.

Instructions

Instructions for how to try FIPS support in Keycloak are here.

Conclusion

We will be happy for you to try Keycloak FIPS integration and share your feedback! Also you can report any bugs.

The known limitation in the BCFIPS non-approved mode include:

Possible issues when using SAML clients and SAML Identity providers
Kerberos/SPNEGO authenticator does not work
X.509 client certificate authentication may not work for both users and clients

In BCFIPS approved mode (more strict mode), more limitations exist such as:

User passwords must be at least 14 characters long. You should set a password policy for your realm to be 14 characters to avoid issues during registration/authentication of users
Keystore/truststore must be of type bcfks because neither jks and pkcs12 work. This is a restriction of BCFIPS approved mode
Some warnings in the server.log at startup

New Keycloak maintainer: Michal Hajas

Stian Thorgersen — Fri, 16 Sep 2022 00:00:00 GMT

We are pleased to welcome Michal Hajas as an official maintainer of Keycloak.

Michal has been with the Keycloak project since September 2015, and since that period has contributed to almost every component of Keycloak - core server, authorization services, adapters, javascript, code auto-generation, legacy operator - either by review or code contribution.

Since his first involvement, he has steadily contributed code, currently ranked as #8 highest contributor. Lately, he has designed and co-developed Hot Rod storage and has been instrumental in overall establishing the new map storage.

He reviews community contributions and offers help to finalize PRs, as well as participates in community discussions and issue triaging. He understands and respects the code of conduct, and in reviews helps maintaining it.

The future of Keycloak Operator CRs

Václav Muzikář — Fri, 2 Sep 2022 00:00:00 GMT

A while back, we have announced a new Operator rewritten from scratch to provide the best experience for the Quarkus distribution. While the legacy Operator is now deprecated and will reach EOL with Keycloak 20, the new one is already available as a preview, see the installation guide.

One of the most common concerns around the new Operator is the current lack of the CRDs for managing Keycloak resources, such as realm, users and clients, in a cloud-native way. One of the key aspects of the new Operator will be redesign of managing these Keycloak resources via CRs and git-ops. This new approach will leverage the new storage architecture and future immutability options, making the CRs the declarative single source of truth. In comparison to the legacy Operator, this will bring high robustness, reliability, and predictability to the whole solution.

Before we would consider operator ready for leveraging CRs, we expect completing several features including but not limited to:

File store (expected in Keycloak 20) to persist data in a file instead of DB.
Read-only possibilities for administration REST API, UI Console and other interfaces. This is required for the new immutability concept which will be used to ensure any data coming from the CRs (and subsequently from the file store) are read-only from all interfaces.

All of this is critical to proper CRs implementation, hence the new Operator is currently missing the CRDs for managing Keycloak resources. The missing CRDs will be added once Keycloak has the necessary support for it, which is currently expected in Keycloak 21.

We have prepared a few options to alleviate the situation with missing CRDs in this repository.

New Keycloak maintainer: Václav Muzikář

Bruno Oliveira — Thu, 4 Aug 2022 00:00:00 GMT

We are pleased to welcome Václav Muzikář as an official maintainer of Keycloak.

Vašek has consistently collaborated to the success of Keycloak since 2015 when he joined Red Hat. He is known for his various contributions to our test suite, the Quickstarts, integration tests for the Node.js Adapter, improvements in the new Account Console, security auditing of our REST Account API, enhancement to our pipelines and also the maintenance and development of Keycloak Operator. Now he is coordinating the efforts on Cloud-Native development which includes the new Quarkus distribution and the new Operator.

He has shown his commitment to the Keycloak community collaborating on design discussions, participating in GitHub discussions, reviewing pull-requests, answering questions on the Keycloak mailing lists, contributing to new features, bug fixes and triaging GitHub issues.

The Keycloak team is very excited to welcome Vašek as our new maintainer and long-time contributor.

New storage in Keycloak

Hynek Mlnařík — Wed, 27 Jul 2022 00:00:00 GMT

The current store in Keycloak has some known limitations. For small deployments, it takes too long to initialize the database and start Keycloak. There is no native support for cloud-native deployment. Upgrading to a new Keycloak version often means a requirement for stop-the-world updates with little chance for no downtime upon upgrade.

Keycloak 19 brings in an early preview of the future Keycloak store supporting no-downtime upgrades, per-realm storage, and cloud-nativity from its very inception. This so called map storage stays focused at delivering optimal experience and thus limits its support to Postgres and CockroachDB databases, and Infinispan datastore. The early preview is available in the Quarkus distribution.

This early preview lacks several features necessary for optimal performance and is thus not yet production ready; still we have a plan to deliver those:

In Keycloak 20, expect improved support especially for CockroachDB; and also a file-based store. Together with another anticipated feature
- tree store - it would be possible to combine several storage mechanisms and have e.g. several static client declarations in static files managed in a versioning system like Git, combined with dynamic clients stored in a database.
- Per-request object caching is on radar for Keycloak 20 too and should result in significantly better performance.
In Keycloak 21, expect LDAP support, and an offline tool for migrating data from legacy store to new one, and further optimizations and garbage collection

Note that the store used in previous versions (now called legacy store) does not go away soon! Since the new store is not yet production ready, it remains the default store in Keycloak 19. Also other databases (MySQL, MariaDB, MS SQL Server, Oracle) are not supported by the new store, these are only supported by the legacy. We do consider second-level support for these databases, based on results of a community survey.

For development and testing purposes, we offer a fast in-memory store called chm. This store is intentionally not capable of zero-downtime upgrade as that is not needed for development. As such, it also offers a quick Keycloak-without-database deployment.

We will be glad to hear your feedback in GitHub Discussions.

Try it out

The following section contains examples of how to configure Keycloak 19 with the new store.

The experimental command line options starting with --storage might change without prior warning, based on the feedback from the community and project needs.

See what Keycloak can do without a database

After downloading, you can try Keycloak in a single-node deployment as simply as running

bin/kc.sh start-dev --storage=chm

This starts a Keycloak instance with a simple testing in-memory store which is saved to the local file system across Keycloak restarts but has no support for zero-downtime upgrades or clustering.

Next step: Persist data in a relational database

Requirements: Postgres 14 or CockroachDB 22.1 (or newer)

To keep the data in a database, run the following command:

bin/kc.sh start-dev --storage=jpa --db-url=<jdbc-url> --db-username=<username> --db-password=<password>

Reference to Q&A live document.

This feature has known issues in CockroachDB, see this tracker for list.

Alternative next step: Persist data in external Infinispan

Requirements: Infinispan 12.1

If you have a Infinispan up and running, you can use it for storing the data as well. You can achieve it by running the following command:

bin/kc.sh start-dev --storage=hotrod --storage-hotrod-host=<host> --storage-hotrod-port=11222 --storage-hotrod-username=<username> --storage-hotrod-password=<password>

Keycloak creates the needed caches in Infinispan upon first start if the caches do not exist already. You are free to create and configure the caches yourself if you prefer to fine-tune those or e.g. want to set up persistence. Refer to Infinispan documentation for available options for cache configuration.

Reference to Q&A live document.

Next step: Store data in separate storages

Eventually it turns out that some of the data should be stored in files or a database, other (e.g. session) data should be stored in Infinispan. Can this be achieved?

Yes! Keycloak storage is divided into the following storage areas: Realms, clients, users, groups, roles, client scopes, authorization services, events, authentication sessions, user/client sessions, login failures, action tokens, and single-use tokens (last two areas to be merged in Keycloak 20).

For more details on this division, please see architecture specification.

Each area maintains its own storage for storing the data, and each area is independent of others. In other words, realms can be served by a database and users by Infinispan.

To have all the session data stored in an external Infinispan, and realm / client / user / group / role / … data stored in a relational database, you can issue the following command:

bin/kc.sh start-dev --storage=jpa \
  --db-url=<jdbc-url> --db-username=<username> --db-password=<password> \
  --storage-hotrod-host=<host> --storage-hotrod-port=<port> \
  --storage-hotrod-username=<username> --storage-hotrod-password=<password> \
  --storage-area-action-token=hotrod \
  --storage-area-auth-session=hotrod \
  --storage-area-single-use-object=hotrod \
  --storage-area-user-session=hotrod

This starts a Keycloak server with all areas being handled by the relational database (--storage=jpa) but those listed in specific --storage-area-… options which are set to use external Infinispan protocol. This setup is similar to the legacy store where all the session data are stored in Infinispan, with the exception that Infinispan is not embedded within Keycloak.

Conclusion

We will be happy for you to try the new store and share your feedback!

FAPI-SIG - a Keycloak's community

Takashi Norimatsu — Fri, 1 Jul 2022 00:00:00 GMT

Hello everybody, I am Takashi Norimatsu, a keycloak maintainer. In this article, I would like to introduce you FAPI-SIG, a Keycloak’s community. We welcome everyone to join FAPI-SIG.

What is FAPI-SIG?

The Financial-grade API Special Interest Group (FAPI-SIG) is a Keycloak’s community whose aim is to support security features called Financial-grade API (FAPI) security profiles to Keycloak. FAPI-SIG was established in Aug 2020.

FAPI security profiles are the open security specifications for secure API access using OAuth 2.0. They are standardized by OpenID Foundation (OID-F), the standardization organization about digital identity. For example, it standardized OpenID Connect.

FAPI security profiles are for accessing an API that requires high security level. As its name suggests (Financial), they are originally intended to be used for securely accessing an API providing financial services (e.g., retrieving the balance of a user’s bank account, initiating payment). However, also as its name suggests (Financial-grade), these can be used for other types of an API that requires the same security level (e.g., in healthcare industries, retrieving a user’s medical records).

By supporting FAPI security profiles, Keycloak can be applied in a wide range of use cases that requires high security level about API access (e.g., open banking).

FAPI-SIG not only aim to support FAPI security profiles to Keycloak but confirm that Keycloak conforms to FAPI security profiles by using the conformance suite of FAPI security profiles officially provided by OID-F.

FAPI-SIG has created the environment for automatically running FAPI security conformance tests. Whenever a new version of Keycloak is released, FAPI-SIG checks if it still complies with FAPI security profiles by using the environment. Therefore, FAPI-SIG contributes to keeping every version of Keycloak compliant to FAPI security profiles.

FAPI-SIG start working on supporting security standards defined by OID-F other than FAPI security profiles. For example, FAPI-SIG has created the environment for automatically running conformance tests for OpenID Connect 1.0 and OpenID Connect for Logout Profile, which contributed of getting the certifications of OpenID Connect 1.0 and OpenID Connect for Logout Profile.

As described in the blog post, Keycloak has achieved several certifications: FAPI 1.0 Advanced, FAPI-CIBA, Australia CDR, Open Banking Brazil FAPI 1.0, OpenID Connect, and OpenID Connect for Logout Profiles. FAPI-SIG has contributed to these achievements.

FAPI-SIG is an open community. All activities of FAPI-SIG are voluntary-based. All outputs of FAPI-SIG’s activities are disclosed in FAPI-SIG’s github repository. For example, the environment for automatically running FAPI security conformance tests is in the repository whose license is Apache License 2.0 so everyone can user the environment.

How do FAPI-SIG’s activities proceed?

FAPI-SIG holds monthly web meetings. In the meetings, we report the situation of the activity going on, propose and discuss what activity we work on. The minutes of the meetings are disclosed in FAPI-SIG’s github repository.

FAPI-SIG’s activity is not only writing codes and sending a pull request, but reviewing other contributor’s pull requests, proposing and discussing an working item, and so on.

Not only FAPI-SIG member but others can communicate with each other by the following ways.

Mail : Google Group keycloak developer mailing list Meeting : Web meeting on a regular basis

What has FAPI-SIG achieved?

FAPI-SIG mainly contributed the implementation of the following specifications:

OAuth2/OIDC related specifications:
- OpenID Connect Client Initiated Backchannel Authentication (CIBA)
- RFC 9126 OAuth 2.0 Pushed Authorization Requests (PAR)
FAPI security profiles:
Specifications based on FAPI security profiles for open banking use cases:
- Australia Consumer Data Right (CDR)

FAPI-SIG secondarily helped the other contributor’s implementation of the following specifications:

FAPI security profiles:
- FAPI JWT Secured Authorization Response Mode for OAuth 2.0 (JARM)
Specifications based on FAPI security profiles for open banking use cases:
- Open Banking Brasil FAPI 1.0 Security Profile

FAPI-SIG has created the environment for automatically running FAPI security conformance tests:

FAPI security profiles:
- FAPI 1.0 Advanced Security Profile
- FAPI Client Initiated Backchannel Authentication Profile (FAPI-CIBA)
Specifications based on FAPI security profiles for open banking use cases:
- Australia Consumer Data Right (CDR)
- Open Banking Brasil FAPI 1.0 Security Profile
OpenID Specifications:
- OpenID Connect 1.0
- OpenID Connect for Logout Profiles

What activities are going on in FAPI-SIG?

FAPI-SIG are working on the following working items:

FAPI 2.0 Baseline Security Profile
FAPI 2.0 Grant Management for OAuth 2.0
OAuth 2.0 Rich Authorization Requests (RAR)
OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP)

Where do I know FAPI-SIG’s activities in detail?

Please refer to the front page of FAPI-SIG’s github repository and meeting minutes.

How do I participate FAPI-SIG’s activities?

Please feel free to contact us in communication channels shown above.

New Keycloak certifications

Marek Posolda — Mon, 30 May 2022 00:00:00 GMT

We are glad to announce new certifications for Keycloak related to the OpenID Connect and FAPI! In the previous post, we announced certification of Keycloak 15.0.2 with the FAPI and Brazil Open Banking. This is a follow-up of this post with the announcement of the additional certifications. Here are the details:

Keycloak 18.0.0 is re-certified as OpenID Connect Provider. We already obtained certification for the OpenID Connect protocol a long time ago with the Keycloak 2.3.0. We now re-certified all the existing configurations (Basic, Implicit, Hybrid, Config, Dynamic) with latest Keycloak 18.0.0 and added certification as a Form Post OP. See the OpenID Connect certifications page for the details.
Keycloak 18.0.0 is certified as OpenID Connect Logout Provider with all logout profiles (RP-Initiated OP, Session OP, Front-Channel OP, Backchannel OP). See the OpenID Connect certifications page (logout section) for the details.
Keycloak 15.0.2 is certified as Australia CDR, which is the extension based on existing FAPI 1 Advanced Final certification, which Keycloak already obtained before. See the FAPI certifications page for the details.

This milestone was achieved due the hard work of the awesome Keycloak community, who contributed lots of features related to OpenID Connect Protocol, OpenID Connect Logout and FAPI. The special Thanks go to the FAPI-SIG, who helped a lot with the FAPI and OpenID Connect related features and especially to Takashi Norimatsu, who is doing an awesome job for the Keycloak project.

Keycloak release plans for 2022

Stian Thorgersen — Thu, 24 Mar 2022 00:00:00 GMT

December last year was a bit on the crazy side with 3 feature releases of Keycloak (15.1, 16.0, and 16.1). This was down to balancing WildFly upgrades with introduction of the Quarkus dist preview.

This year we are planning to bring more predictability to Keycloak releases and are aiming for a quarterly release, with more frequent patch releases in-between.

One thing worth highlighting is we have decided to extend the support of the WildFly distribution until September to give everyone more time to migrate.

Subject to change: this is a provisional plan, which may change throughout the year.

Keycloak 18 - March/April

Highlights

Enhancements and polishing for the Quarkus distribution
Preview of the new Kubernetes Operator for the Quarkus distribution
Preview of the new Admin Console
Upgrade to Quarkus 2.8.0
Upgrade to WildFly 26.1.0

End of life

Ability to upload custom JavaScript providers through REST APIs will be removed

Keycloak 19 - June/July

Highlights

Preview of the new Store
New Admin Console is graduated to the default console, while the old Admin Console is deprecated

End of life

Old Account Console will be removed, but the new Account Console will remain of course
Text-based login flows and authenticators will be removed
Some OpenID Connect adapters will be removed (adapter deprecation blog post), including:
- JBoss AS 7 and EAP 6
- Fuse 6 and 7
- Jetty 9.2 and 9.3
- WildFly legacy
- WildFly Galleon feature pack
Some SAML adapters will be removed, including:
- JBoss AS 7 and EAP 6
- Jetty 9.2 and 9.3
- WildFly legacy

Keycloak 20 - September/October

Highlights

New store is graduated to the new default store for PostgreSQL and CockroachDB. We will come back with more details on what happens with the old store and support for other database vendors, but rest assured we will give everyone plenty of heads up, and at the minimum the old store will be supported at least until the middle of 2023.

End of life

WildFly distribution will be removed
Legacy Kubernetes Operator will be removed

Keycloak 21 - December/January

Highlights

With the new Quarkus distribution, new Operator, and new Store we are aiming to shift our focus onto production deployments of Keycloak. Keycloak 21 is the release where we’re aiming all this effort to really come together to make it as easy as possible to install and manage Keycloak at any scale.

End of life

Old Admin Console will be removed

Keycloak 22 - March/April 2023

End of life

Remaining deprecated OpenID Connect adapters will be removed (adapter deprecation blog post), including:
- Java (Jetty, Tomcat, Servlet Filter, Spring, Servlet Filter, etc.)
- Node.js
Remaining deprecated SAML adapters will be removed, including:
- Jetty
- Tomcat

Supported databases for the new Keycloak store

Stian Thorgersen — Thu, 24 Feb 2022 00:00:00 GMT

Maintaining a broad selection of relational database support is expensive, and also more importantly limits how well the databases can be supported.

With that in mind we are looking at supporting databases at different levels; first class, second class, and community.

Please fill in this survey as we’d like to gather as much feedback as we can.

First class databases

The aim of first class databases is to offer better levels of tuning and testing, better defaults, and better documentation. We will also be considering testing with different versions and variants of the selected first class databases, such as cloud services.

First class databases will be the solutions we are looking towards when scaling and tuning database to accommodate large scale deployments with high-availability, including multi-region deployments.

As first class databases we aim to support one traditional relational database, and a cloud native database. With this in mind we have selected PostgreSQL and CockroachDB as the best candidates.

PostgreSQL is a high quality fully open source database, with many supported offerings such as:

Azure Database for PostgreSQL
Amazon RDS for PostgreSQL
BigAnimal
Cloud SQL for PostgreSQL
Cruncy Bridge
Cruncy PostgreSQL for Kubernetes
EnterpriseDB

CockroachDB is an cloud native open source database, with PostgreSQL compatibility. By cloud native it means that it can scale horizontally, including spanning multiple-regions. There are some competitive solutions, but not as mature, and with less streamlined PostgreSQL compatibility. There are obviously also NoSQL and other non-relational database that could in theory be a good fit for Keycloak, but would be a lot of additional effort to support.

It is also worth mentioning that we are still looking towards Infinispan as our cache layer, but are also aiming to support running Keycloak without Infinspan for smaller deployments with PostgreSQL and larger deployments with CockroachDB.

Second class databases

The aim for second class databases are to offer mostly the same support as we offer for any database in Keycloak today. We will only test one version, there will be no database vendor specific documentation, or any additional tuning on our end.

We do hope that the majority of the Keycloak community are able to migrate to first class databases, and that this will in the end be a better solution for everyone. As such we are not currently planning on offering any second class databases long term, and rather phase out support for MySQL, MariaDB, SQL Server, and Oracle over time.

Community supported databases

If there is interest from the community to support additional databases, including non-relational database, we would like to discuss and figure out how this could look like. Including making it easy to install community maintained databases, as well as continuously testing of the integration.

Deprecation of Keycloak adapters

Stian Thorgersen — Fri, 4 Feb 2022 00:00:00 GMT

Way back in 2013 when we started work on the Keycloak project there was a lack of client libraries that would help developers secure their applications with Keycloak. Fast forward to today and this situation has changed drastically with wide-spread availability of OAuth 2.0 and OpenID Connect libraries.

In addition, Keycloak adapters has not received the love and attention they require, and are now significantly lagging behind the server on what features they supported. While Keycloak can be used to secure any application no matter the programming language and frameworks, we’ve only had adapters for a limited set of Java developers.

Rather than continue to spreading ourselves thin we are going to deprecate the adapters, and focus more on the Keycloak server. In addition we are aiming to provide help and guidance on how to secure various applications with getting started guides, and advocating what we believe are better alternative options to Keycloak adapters.

What is being deprecated:

OpenID Connect Java adapters
OpenID Connect Node.js adapters
SAML Tomcat and Jetty adapters

What is not being deprecated:

OpenID Connect client-side JavaScript adapter
SAML WildFly and servlet filter

Alternatives

WildFly

WildFly 25 introduced native support for OpenID Connect with all the features from the Keycloak adapter and more. Migration to the WildFly native OpenID Connect is very easy as the WildFly team has taken great care to make this as simple as a move as possible.

Check out this great blog post from Farah Juma for more details.

Spring

Spring Security has for a long time provided great support for OAuth 2.0 and OpenID Connect. We appreciate that migrating from the Keycloak adapters to Spring Security is not trivial, but in the exchange you get more features, a better maintained library, and better integration with Spring.

Check out this great blog post from Ger Roza for more details.

Quarkus

Although not a direct replacement for existing Keycloak adapters it is worth highlighting that Quarkus has very extensive built-in support for OpenID Connect and Keycloak, with a lot of additional benefit on top.

Check out Quarkus security guides for more details.

Node.js

We are still looking around for the best candidate for Node.js applications, but it looks like openid-client is a good alternative, that is a lot more feature rich than the Keycloak adapter.

Timeline

February 2022: Adapters deprecated
September 2022: No more major/minor releases of adapters
December 2022: No more micro releases of adapters

Discussions

If you have questions, concerns, or suggestions, please join us to discuss this topic through GitHub Discussions.

Community

If anyone from the community would like to step-up and continue to maintain the deprecated Keycloak adapters get in touch with us through the developer mailing list.

We would also love suggestions and help in finding the best alternatives for everyone, as well as providing getting started guides, migration guides, etc. To help us in this regard please join the discussions on GitHub Discussions.

Extended support

If you are not able to migrate away from Keycloak adapters by the end of 2022 an alternative option to consider is getting support from Red Hat.

Red Hat offers supported adapters through Red Hat Single Sign-On 7.x, which is currently in support until 30 June 2024.

The adapters supported by Red Hat Single Sign-On includes:

JBoss EAP
Node.js
Java Servlet Filter
JBoss Fuse
Spring Boot

Keycloak certified as FAPI and Brazil Open Banking provider

Marek Posolda — Thu, 6 Jan 2022 00:00:00 GMT

We are glad to announce that Keycloak 15.0.2 was officially certified as FAPI OpenID Provider! FAPI is a shortcut for Financial-grade API and the FAPI compliance means that Keycloak is now officially able to be used in the highly confidential financial based deployments.

Firstly, Keycloak is now certified as FAPI 1 Advanced Final (Generic) provider. For this generic profile, Keycloak is compliant with all the matrix combinations. This means that Keycloak clients are allowed to use PAR, JARM, and client authentication based on Mutual-TLS or JSON Web Token signed by Private Key.

Keycloak is also certified as Brazil Open Banking provider. For this profile, Keycloak is also compliant with all the matrix combinations. We just did not obtain certification for the DCR, which requires more complicated setup including registration with official Brazil institutions. However some Brazil banks, which are customers of Keycloak based product RH-SSO 7.5, were able to obtain DCR certification. So technically, the certification with DCR for any institution using Keycloak or RH-SSO is completely fine.

You can see the Official OpenID Page with the details about the certification. For more details about FAPI support, you can check the Keycloak documentation with the details to setup your own Keycloak deployment to be FAPI compliant.

Keycloak 15.0.2 is also compliant with FAPI CIBA and we are working to officially obtain the certification for this. Moreover, We plan to re-certify Keycloak 15.0.2 with OpenID Connect Core, which Keycloak certified back in 2016.

The FAPI certification was possible just due the awesome work of the FAPI Working Group. Members of this group contributed many features related to FAPI, like Client Policies, CIBA, PAR, JARM and others. I hope that year 2022 will be at least as successful as 2021 and there will be even more contributions related to the FAPI as there are more standards being made and more certifications to be obtained. If you are interested in contributing to the Keycloak FAPI support, you are welcome to join FAPI Working Group. It is community working group and it is opened for anyone to join.

Important security vulnerability discovered

Stian Thorgersen — Thu, 23 Dec 2021 00:00:00 GMT

A flaw (CVE-2021-4133) was found in Keycloak version from 12.0.0 and before 15.1.1 which allows an attacker with any existing user account to create new default user accounts via the administrative REST API even when new user registration is disabled.

In most situations the newly created user is the equivalent of a self-registered user, and does not have the ability to receive any additional roles or groups. However, there are some vectors that are harder to reproduce, but may result in additional privileges.

We highly recommend everyone upgrade to Keycloak 15.1.1 or 16.1.0 as soon as possible. Keycloak 16.0.0 also includes the fix, but if you are not already running this version we recommend going straight to 16.1.0.

If you are unable to upgrade we recommend mitigate the issue by blocking access to the user creation REST endpoint in the interim.

This can be achieved with the following CLI commands:

bin/jboss-cli.sh --connect
/subsystem=undertow/configuration=filter/expression-filter=keycloakPathOverrideUsersCreateEndpoint:add( \
  expression="(regex('^/auth/admin/realms/(.*)/users$') and method(POST))-> response-code(400)" \
)
/subsystem=undertow/server=default-server/host=default-host/filter-ref=keycloakPathOverrideUsersCreateEndpoint:add()

This will block both valid and invalid attempts at creating new users, including requests from the Keycloak admin console.

Alternatively, the path /auth/admin/realms/.*/users and method POST, or /auth/admin completely, can be blocked with a firewall.

For more information about the flaw please view CVE-2021-4133 and GHSA-83x4-9cwr-5487.

How to Integrate Keycloak for Authentication with Apache APISIX

Xinxin Zhu & Yilin Zeng — Tue, 21 Dec 2021 00:00:00 GMT

This article shows you how to use OpenID-Connect protocol and Keycloak for identity authentication in Apache APISIX through detailed steps.

Keycloak is an open source identity and access management solution for modern applications and services. Keycloak supports Single-Sign On, which enables services to interface with Keycloak through protocols such as OpenID Connect, OAuth 2.0, etc. Keycloak also supports integrations with different authentication services, such as Github, Google and Facebook.

In addition, Keycloak also supports user federation, and can import users through LDAP and Kerberos. For more information about Keycloak, please refer to the official documentation.

Apache APISIX is a dynamic, real-time, high-performance API gateway, providing rich traffic management. The project offers load balancing, dynamic upstream, canary release, circuit breaking, authentication, observability, and many useful plugins. In addition, the gateway supports dynamic plugin changes along with hot update. The OpenID Connect plugin for Apache APISIX allows users to replace traditional authentication mode with centralized identity authentication mode via OpenID Connect.

How to use

Install Apache APISIX

Install dependencies

The Apache APISIX runtime environment requires dependencies on NGINX and etcd.

Before installing Apache APISIX, please install dependencies according to the operating system you are using. We provide the dependencies installation instructions for CentOS7, Fedora 31 and 32, Ubuntu 16.04 and 18.04, Debian 9 and 10, and macOS. Please refer to Install Dependencies for more details.

Installation via RPM Package (CentOS 7)

This installation method is suitable for CentOS 7; please run the following command to install Apache APISIX.

sudo yum install -y https://github.com/apache/apisix/releases/download/2.7/apisix-2.7-0.x86_64.rpm

Installation via Docker

Please refer to Installing Apache APISIX with Docker.

Installation via Helm Chart

Please refer to Installing Apache APISIX with Helm Chart.

Initializing Dependencies

Run the following command to initialize the NGINX configuration file and etcd.

make init

Start Apache APISIX

Run the following command to start Apache APISIX.

apisix start

Start Keycloak

Here we use docker to start Keycloak.

docker run -p 8080:8080 -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=password -e DB_VENDOR=h2  -d jboss/keycloak:9.0.2

After execution, you need to verify that Keycloak have started successfully.

docker ps

Configure Keycloak

After Keycloak is started, use your browser to access "http://127.0.0.1:8080/auth/admin/" and type the admin/password account password to log in to the administrator console.

Create a realm

First, you need to create a realm named apisix_test_realm. In Keycloak, a realm is a workspace dedicated to managing projects, and the resources of different realms are isolated from each other.

The realm in Keycloak is divided into two categories: one is the master realm, which is created when Keycloak is first started and used to manage the admin account and create other realm. the second is the other realm, which is created by the admin in the master realm and can be used to create, manage and use users and applications in this realm. The second category is the other realm, created by admin in the master realm, where users and applications can be created, managed and used. For more details, please refer to the realm and users section in Keycloak.

Create a Client

The next step is to create the OpenID Connect Client. In Keycloak, Client means a client that is allowed to initiate authentication to Keycloak.

In this example scenario, Apache APISIX is equivalent to a client that is responsible for initiating authentication requests to Keycloak, so we create a Client with the name apisix. More details about the Client can be found in Keycloak OIDC Clients.

Configure the client

After the Client is created, you need to configure the Apache APISIX access type for the Client.

In Keycloak, there are three types of Access Type:

Confidential: which is used for applications that need to perform browser login, and the client will get the access token through client secret, mostly used in web systems rendered by the server.
Public: for applications that need to perform browser login, mostly used in front-end projects implemented using vue and react.
Bearer-only: for applications that don’t need to perform browser login, only allow access with bearer token, mostly used in RESTful API scenarios.

For more details about Client settings, please refer to Keycloak OIDC Clients Advanced Settings.

Since we are using Apache APISIX as the Client on the server side, we can choose either "Confidential" Access Type or "Bearer-only" Access Type. For the demonstration below, we are using "Confidential" Access Type as an example.

Create Users

Keycloak supports interfacing with other third-party user systems, such as Google and Facebook, or importing or manually creating users using LDAP . Here we will use "manually creating users" to demonstrate.

Then set the user’s password in the Credentials page.

Create Routes

After Keycloak is configured, you need to create a route and open the Openid-Connect plugin . For details on the configuration of this plugin, please refer to the Apache APISIX OpenID-Connect plugin.

Get client_id and client_secret

In the above configuration.

client_id is the name used when creating the Client before, i.e. apisix
client_secret should be obtained from Clients-apisix-Credentials, for example: d5c42c50-3e71-4bbbe-aa9e-31083ab29da4.

Get the discovery configuration

Go to Realm Settings-General-Endpoints, select the OpenID Endpoint Configuration link and copy the address that the link points to, for example:`http://127.0.0.1:8080/auth/realms/apisix_test_realm/.well-known/openid-configuration`.

Create a route and enable the plug-in

Use the following command to access the Apache APISIX Admin interface to create a route, set the upstream to httpbin.org, and enable the plug-in OpenID Connect for authentication.

Note: If you select bearer-only as the Access Type when creating a Client, you need to set bearer_only to true when configuring the route, so that access to Apache APISIX will not jump to the Keycloak login screen.

curl  -XPOST 127.0.0.1:9080/apisix/admin/routes -H "X-Api-Key: edd1c9f034335f136f87ad84b625c8f1" -d '{
    "uri":"/*",
    "plugins":{
        "openid-connect":{
            "client_id":"apisix",
            "client_secret":"d5c42c50-3e71-4bbe-aa9e-31083ab29da4",
            "discovery":"http://127.0.0.1:8080/auth/realms/apisix_test_realm/.well-known/openid-configuration",
            "scope":"openid profile",
            "bearer_only":false,
            "realm":"apisix_test_realm",
            "introspection_endpoint_auth_method":"client_secret_post",
            "redirect_uri":"http://127.0.0.1:9080/"
        }
    },
    "upstream":{
        "type":"roundrobin",
        "nodes":{
            "httpbin.org:80":1
        }
    }
}'

Access Testing

Once the above configuration is complete, we are ready to perform the relevant access tests in Apache APISIX.

Access Apache APISIX

Use your browser to access http://127.0.0.1:9080/image/png.

Since the OpenID-Connect plugin is enabled and bearer-only is set to false, when you access this path for the first time, Apache APISIX will redirect to the login screen configured in apisix_test_realm in Keycloak and make a user login request.

Enter the User peter created during the Keycloak configuration to complete user login.

Successful access

After a successful login, the browser will again redirect the link to http://127.0.0.1:9080/image/png and will successfully access the image content. The content is identical to that of the upstream http://httpbin.org/image/png.

Logout

After the test, use your browser to access http:/127.0.0.1:9080/logout to logout your account.

Note: The logout path can be specified by logout_path in the OpenID-Connect plug-in configuration, the default is logout.

Summary

This article shows the procedure of using OpenID-Connect protocol and Keycloak for authentication in Apache APISIX. By integrating with Keycloak, Apache APISIX can be configured to authenticate and authenticate users and application services, which greatly reduces the development work involved.

For more information about the implementation of authentication in Apache APISIX, see Apache APISIX Blog.

Keycloak.X Update

Stian Thorgersen — Thu, 28 Oct 2021 00:00:00 GMT

It’s been quite some time since we announced the plans around Keycloak.X, two years in fact. Due to other priorities we’ve been a bit distracted, but now it’s finally full speed ahead.

Keycloak.X will be lighter, faster, easier, more scalable, more cloud native, and a bunch of other things. Expect greatness coming your way!

As part of Keycloak.X we’re not only making code changes, but there will also be a cultural shift where the team behind Keycloak will focus a lot more on user experience and the delivery of a manageable solution over simply pieces of code.

There will be some disruptive changes coming, but we will strive to make the transition as easy as possible for everyone. For breaking changes such as moving from WildFly to Quarkus we plan to provide 6 months to do the migration.

If that is not enough there is Red Hat Single Sign-On, which is a supported build of Keycloak by Red Hat. Red Hat Single Sign-On 7, which is based on current Keycloak architecture, has support until June 2024 (currently says 2023, but will soon be extended to 2024).

We will follow-up to this blog post with more details in the future, but for now let’s look at some of the highlights coming to Keycloak.X.

Highlights

Experiences

As mentioned previously a lot more attention will be put on your experience with Keycloak. With this in mind we have identified a few experiences that we believe cover a wide range of different use-cases:

App developer Developers that are integrating Keycloak with applications and services
Customizer Developers that are extending Keycloak or integrating with other systems
Bridge Using Keycloak as a bridge between applications and other identity solutions
Regular A typical small to medium-sized deployment of Keycloak
Super-sized Elastic and highly available deployment of Keycloak for very large use-cases
SaaS A extension to super-sized where Keycloak enables identities for SaaS, CIAM, and B2C scenarios

Quarkus

We’re switching to Quarkus as the platform to build Keycloak. Compared to WildFly this gives faster startup-time and lower memory footprint. It also provides a much simpler approach to configuring Keycloak, with command-line arguments and environment variables instead of complicated XML files. Another great aspect of Quarkus is that it gives us a lot more control over what external libraries are included in the distribution, including faster upgrades of dependencies, which should significantly improve on situation around CVEs.

Storage re-architecture

We’re doing a significant re-architecture of the storage layer as part of Keycloak.X to address a number of shortcomings that where discovered in the current architecture. Zero downtime upgrade, scalability, and availability will be key topics of this new architecture, as well as making it a lot easier to support additional storage types in the long run.

Operator and Containers

With the current approach to configuration in Keycloak creating a good experience around a container is problematic as the container has to convert from environment variables to complicated XML configuration files. With the work we’re doing around Quarkus configuring Keycloak with environment variables becomes a native thing, making it a lot simpler to provide a great container experience.

Similarly, the Operator can also be made simpler as it will be easier to configure Keycloak, as well as having better opinionated configuration from the base distribution, which trickles through from the Zip distribution, to the container, and finally to the Operator. To align the codebase more we’re also re-writing the Operator from scratch using the Java SDK and Quarkus.

Observability

Metrics, tracing, logging, and health-checks are all important aspect of a cloud native application. These are all important capabilities to manage and debug Keycloak in production, especially when running on Kubernetes or OpenShift.

GitOps friendly configuration

In a GitOps or CI/CD environment it can be problematic to manage the runtime configuration within Keycloak. As all configuration such as realms and clients live in the database and can only be managed through REST APIs it is hard to reliably manage as part of a GitOps process.

Along with the storage re-architecture comes a very powerful capability that can federate configuration from multiple sources, and we plan to take advantage of this with a file-based store, where Keycloak can read more static/immutable configuration from the file-system (YAML of course), and combine this with dynamic/mutable configuration from the DB.

Further, this enables checking in your static configuration in a Git repository, and deploy it to your development, stage and production environments as needed.

External integrations

Keycloak has a large number of extension points today, called SPIs. With Java (and in some cases JavaScript) it is possible to customize Keycloak with custom providers for these SPIs. Although, highly powerful and flexible, this is not ideal in a modern Kuberetes centric architecture. As the extensions are co-located with Keycloak it is harder to deploy, upgrade, and scale extensions. Extensions can also not be written in any language or framework making it more costly for non-Java developers to extend Keycloak.

With this in mind we are planning more focus on the ability to extend and integrate with Keycloak through remote extensions, and are looking at REST, gRPC, Knative, Kafka, etc. as vehicles to achieve this. In addition we would also like to get to a point where we can have a "headless" Keycloak allowing a frontend to be built in any way you want, which would bring a great addition to the current themes approach to customising the UI.

Decomposing

Last, but not least. We are also planning on ability to decompose Keycloak as well as bring better isolation on Keycloak’s code base and capabilities. We’re not planning to go full micro-service architecture here, but rather a sensible compromise allowing everything to run as a single process, with the ability to separate some parts of Keycloak into external services.

Roadmap

As you can imagine all of what we have planned in Keycloak.X is a large amount of work, and won’t happen overnight. We’re focusing first on the breaking changes such as moving to Quarkus and re-architecture of the storage layer.

Everything is not planned fully at this point, but we do have some idea of when we believe the various components of Keycloak.X will be delivered.

ASAP: Keycloak 16 will be the last preview of the Quarkus distribution, so we welcome everyone to try it out, and provide us with feedback.
December 2021: In Keycloak 17 we will make the Quarkus distribution fully supported, and deprecate the WildFly distribution.
March 2022: In Keycloak 18 we are aiming to include the new Operator, and preview the new store. We’re also planning on removing WildFly support from the code-base at this point.
June 2022: First release with only the Quarkus distribution. We’re also hoping to make the new store a fully supported option at this point.

The dates above are subject to change!

Feedback

We would love your feedback on our plans around Keycloak.X, so please join us on GitHub Discussions to discuss the future of Keycloak!

New Keycloak maintainer: Takashi Norimatsu

Stian Thorgersen — Mon, 18 Oct 2021 00:00:00 GMT

We are extremely pleased to welcome Takashi Norimatsu as an official maintainer of Keycloak.

Takashi has contributed to Keycloak since 2017, with a focus on security features of OAuth 2.0 and OpenID Connect, such as PKCE, strong signature algorithms, and Certificate Bound Access Tokens. More recently, he has been leading development related to Financial-grade API (FAPI) in the FAPI special interest group. In addition he has been helping other developers in the area of API authorization, including giving presentations at multiple conferences.

Takashi will continue leading development of OAuth 2.0 and OpenID Connect security related features, with an initial focus on features needed to provide higher level of API security for enterprise scenarios.

Takashi works for Hitachi, Ltd. in Japan, which sees the real value of Keycloak especially in the API management area, allowing him to invest a significant portion of his time to the Keycloak project.

The Keycloak team is very exited about having Takashi join us as a maintainer, and we are looking forward to working more closely with Takashi going forward.

New Keycloak maintainer: Thomas Darimont

Stian Thorgersen — Fri, 17 Sep 2021 00:00:00 GMT

We are extremely pleased to welcome Thomas Darimont as an official maintainer of Keycloak.

Thomas has contributed to Keycloak since 2015, and is well known and respected by the current maintainers, as well as the Keycloak community. He has enriched the community through practical examples, valuable discussions on mailing lists, and presenting at conferences. In addition, he has also helped with design discussions, contributed bug fixes, as well as new features.

Thomas will start by helping us with our Keycloak.X effort, with first focusing on an excellent observability story for a true cloud native experience. In addition he will help review and sponsor community contributions, engage with the community, and join in discussions around new features and capabilities.

We’re seeing more and more people getting involved in the Keycloak community, and a lot of continued commitment and contributions from large organizations to Keycloak. Thomas works for codecentric AG in Germany, which sees the real value of Keycloak allowing him to invest a significant portion of his time to the Keycloak project.

The Keycloak team is very exited about having Thomas join us as a maintainer, and we are looking forward to working more closely with Thomas going forward.

Book on Keycloak

Stian Thorgersen — Fri, 18 Jun 2021 00:00:00 GMT

The first ever book dedicated to Keycloak was recently launched, and is available on Amazon now.

The book introduces you to Keycloak, giving a good fundamental of everything you need to know to get started with Keycloak. From installing, securing applications, and deploying to production.

If you are new to Keycloak, or even if you have been using Keycloak for a while, you should consider getting yourself a copy.

Introducing Keycloak.X Distribution

Keycloak Team — Wed, 16 Dec 2020 00:00:00 GMT

The world is changing fast and IT has been an important part of the engine. As companies start moving their infrastructure to the cloud, security becomes a key factor to make this journey a success.

We are proud to announce that Keycloak is now running on top of Quarkus, a Kubernetes and Cloud native Stack using the best of breed Java libraries and standards, to give to our users a cloud-friendly distribution with a strong focus on usability, scalability, and optimized for running in the hybrid cloud.

Also known as Keycloak.X, this new distribution format provides:

Reduced startup time
Lower memory footprint
Container-First Approach
Better Developer Experience
Focus on Usability

Why Quarkus ?

Keycloak is basically a Java application, currently running on top of the Wildfly (JEE) Application Server. So far, that is how we have been releasing the Keycloak Server for general use.

While Wildfly is probably the most optimized, easy-to-use, and best performing JEE Application Server, the requirements we have now for running in a more cloud-native fashion push us forward, where Quarkus, being a Java and Container-First stack, provides the more natural path for bringing to Keycloak all the capabilities that make Quarkus the perfect fit for running in the hybrid cloud with a focus on platforms like Kubernetes and Openshift.

For more information on Quarkus, check their web site at https://quarkus.io/.

Focus on Usabillity

On Quarkus, Keycloak is a regular Java application with a much simpler stack if compared to the Wildfly distribution.

With the new distribution users should expect a better experience when configuring and starting the server as well as when performing other common operations.

The introduction of a rich Command-Line Interface makes it a lot easier to install and use Keycloak.

Smaller

The distribution is simpler with only a few directories, and the total size of the distribution is almost half the size of the current WildFly based distribution.

By leveraging Quarkus, Keycloak has significantly reduced server startup time, memory footprint (low RSS), as well as better runtime performance through Vert.x.

All these aspects are important when deploying in the hybrid cloud where resource usage should be optimized to provide the optimal runtime environment as well as reduced costs.

Container-First and Cloud-Native Distribution

In conjunction with the Keycloak Operator, deploying Keycloak to the hybrid cloud should be easier.

The same goes for spinning up a simple container.

Developer Experience

Quarkus provides a rich ecosystem for developers with an impressive number of integrations to different libraries.

Flexibility is probably one of the main characteristics of Keycloak and with Quarkus we expect to provide a much better experience for developers.

Installation

Download and extract the Keycloak.X distribution zip or tar.gz file from https://www.keycloak.org/downloads.

Directory Structure

The bin directory is where all binaries are located, basically the new Keycloak CLI and a few other utilities.

The conf directory, as the name suggests, is where configuration files are located. You may be using the keycloak.properties file within this directory to configure the server or not. More on that you’ll see later when we talk about configuration in more detail.

The providers directory is where you should deploy your JAR files with your custom providers or themes jar.

Command-Line Interface

One of the main requirements we have is to improve user experience when using the server for the very first time as well as in the long run when the server is running in production.

Common operations that people usually perform on the server are easier to perform and configuration should be simpler by providing good defaults and requiring the minimal set of options to have a running server.

The Keycloak CLI is a tool that you should now use to start and change configuration of the server. As any other CLI, it is self-descriptive with good documentation around its usage.

By running:

kc.sh --help

You are now able to look at the different actions you can perform, such as starting the server or exporting a realm, as well as go through the different configuration options you can set for each supported command.

We’re always looking for improvements in the CLI. Please, feel free to contact us with any suggestion you think that might help.

Starting the Server

As previously mentioned, the default configuration imposes some conditions on how the server can be started.

One of the main conditions to successfully start the server is to configure HTTPS.

However, for development purposes Keycloak can be started in development mode.

For now, this mode is basically a configuration profile that allows you to run the server without HTTPS using local caches.

kc.sh start-dev

After executing the command above, the server should be available at http://localhost:8080/.

In the future, this mode will also lax on some configuration policies for realms that otherwise would not be allowed when running in production. For instance, using wildcards as valid redirect URIs for your clients.

Configuring the Server

Considering how critical an IAM solution is and the impact of misconfiguration on the overall security of the deployment, Keycloak is now distributed with the minimal configuration possible with a secure by default policy in mind.

The idea is to provide the bare minimum configuration options to run the server while imposing some key constraints on how the configuration should be set before running in production.

This is one of the main areas we are improving, and constantly trying to improve, where boilerplate configuration should be avoided through a small set of configuration options or with good defaults.

The different configuration options can now be set using a properties file, environment variables or as arguments through the Keycloak CLI.

You can easily check the available configuration options by running the help command.

For more details about the configuration, check the Configuration Design document.

Configuration Categories

Configuration options are organized in two categories:

Those that can be set at runtime when starting the server
Those that can only be set when configuring the server through the config command

As an example, if you want to change the HTTP port to 8180, you may use:

kc.sh --http-port=8180

However, for changing the database, you would need to first run the config command before starting the server:

kc.sh config --db=postgres --db-username=******* --db-password=*******
Kc.sh # then start the server

Basically, any configuration option you can set when configuring the server can also be set when starting the server, but the other way around is not true, and the database configuration is an example of that.

Check the help option to check which properties can be set for each available command.

HTTPS

In the real world, you would configure a valid key pair and certificate, but you can use the command below to generate a self-signed certificate to understand how to setup HTTPS.

Just make sure to execute the following command at the root directory of the distribution:

keytool -genkeypair -storepass password -storetype PKCS12 -keyalg RSA -keysize 2048 -dname "CN=server" -alias server -ext "SAN:c=DNS:localhost,IP:127.0.0.1" -keystore conf/server.keystore

The command above should create a server.keystore file inside the conf directory. By default, Keycloak will load the keys and certificates from this keystore if none was set.

After that, you can run the server as follows:

kc.sh

Database

Database configuration is much simpler. You are able to change the database with only a few simple command-line arguments:

kc.sh config --db=postgres && kc.sh --db-username=**** --db-password=****

For each database we provide good defaults for JDBC URL, driver, database name, and dialect. So you don’t need to provide these options if you are happy with the defaults.

In the example above, the server connects to a PostgreSQL service running on localhost where the database name is keycloak.

Of course, when running in production you usually need to customize the JDBC URL and other parameters , so you can start the server as follows:

kc.sh --db-url=jdbc:postgresql://<host>/<database> \
      --db-username=****** \
      --db-password=******

Or still rely on the default JDBC URL and set both host and database as follows:

kc.sh -Dkc.db.url.host=<host> \
      -Dkc.db.url.database=<database>
      --db-username=******
      --db-password=******

Clustering

For the time being we are still using Infinispan and JGroups for clustering and HA deployments.

However, the configuration is now using Infinispan’s native configuration as opposed to using an abstraction as in the Wildfly Infinispan Subsystem. That should give much more flexibility in terms of configuration, support, as well as documentation.

The configuration is also simplified and you should get good defaults for the different platforms where the server is being deployed.

By default, clustering is enabled and you are ready to build a Keycloak cluster using the default configuration.

The default configuration is located in the conf directory, the file name is cluster-default.xml.

In the same directory, you also have a cluster-local.xml file which configures all caches as local, no clustering. To use this configuration you run the following command:

kc.sh --cluster=local

You can define your own cache configuration by just creating a file in the conf directory with the cluster- prefix, just like cluster-local.xml and cluster-default files that we ship with the distribution.

We also provide some good defaults for specific platforms such as Kubernetes and EC2. For instance, to run a cluster in Kubernetes you could run the following command:

kc.sh -Djgroups.dns.query=<jgroups-ping-service>.<namespace>.<cluster-domain-suffix> --cluster-stack=kubernetes

The default configuration for these platforms is based on the defaults provided by Infinispan.

In the example above, the default configuration for Kubernetes is going to be based on UDP for node communication and DNS_PING for node discovery. Any parameter you can use to customize the default configuration can be obtained from Infinispan documentation.

Custom Providers and Themes

The JAR files for custom providers and themes should be placed in the providers directory.

However, in order to benefit from optimizations when installing custom providers, you should first run the config command before starting the server:

kc.sh config
kc.sh # then start the server

Basically, SPI implementations are resolved when configuring the server hence saving startup time and memory during startup. Once you run the config command to install your custom providers, they would be statically linked into the server.

Running in a Container

To run Keycloak using Docker, you can use the following command:

docker run --name keycloak -p 8080:8080  \
    -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=change_me \
    quay.io/keycloak/keycloak-x \
    start-dev

As expected, the container will run in development mode.

You can run the server in the same manner as when using the Keycloak.X distribution by passing any command-line argument.

To configure the container with any additional configuration that you want to persist into the server image, you can use the --auto-config option as follows:

docker run --name keycloak -p 8080:8080 \
    -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=change_me \
    quay.io/keycloak/keycloak-x \
    --auto-config \
    --db=postgres -Dkc.db.url.host=$DB_HOST --db-username=keycloak --db-password=change_me --http-enabled=true

The command above should be enough to run a server using a PostgreSQL database listening on a given DB_HOST. Once the container is created, subsequent restarts will never go through the configuration phase again but just start the server with the configuration previously defined.

The recommendation, however, is to always create your own image based on this image. By doing that, you are able to perform more customizations, such as deploying custom providers or themes, as well as improve the startup time by eliminating the configuration step.

For more details and examples, see https://github.com/keycloak/keycloak-containers/tree/master/server-x.

Benchmarking

Here are a few numbers for a very simple comparison between Keycloak running on Quarkus and Wildfly.

Both distributions are running using OpenJDK 11, a PostgreSQL Database, and numbers are the average of 10 consecutive runs for each distribution.

The test scenario involves running the server for the very first time as well as when the database is already initialized.

Distribution

Startup Time(s)

Memory Footprint(RSS/MB)

First

Second+

First

Second+

Wildfly

12.1

8.1

646

512

Quarkus

7.6

3.1

428

320

The numbers should speak by themselves and people should expect these numbers improving on each Keycloak.X release.

However, it is not only about cutting down MBs but how to optimize memory usage. By running both servers using a 64MB heap, you should notice that when running on Wildfly you have a lot of garbage collection that eventually may cause the server to fail to start. While with Keycloak.X using the same heap size you are able to have a running server. Of course, using this heap size is not realistic depending on your use case but it gives a good idea on what you should expect from now on.

Regarding performance, in this first release our main focus was startup time and memory consumption. Runtime performance is a WIP and the results are promising due to the fact that Keycloak.X runs on top of Vert.X.

In general, we are still just on the beginning of the journey. Once Keycloak has the native distribution on Quarkus, we can expect even faster startup times, smaller memory consumption and overaly better performance with less resources.

Roadmap

This is only the beginning of our journey to provide a more cloud friendly experience for those using Keycloak.

Keycloak.X is a preview distribution and we are constantly improving it with the help of our community until it becomes our main distribution. We appreciate any feedback during this journey.

There are a lot of important work being done that complements Keycloak.X distribution such as:

Zero-Downtime Upgrade
Native Image Support
Improve Developer Experience
More documentation

We would like to ask for your support and feedback to keep improving your experience on using Keycloak.

Thanks to the Community

This was a result of a combined effort by the community and as such we would like to highlight and thank for all contributions we had.

A special thanks to:

Quarkus Team
- Stuart Douglas
- Sanne Grinovero
- Guillaume Smet
Backbase
- Dmitry Telegin (https://github.com/dteleguin)
- Matthew Conners (https://github.com/bb-matthewc)

And everybody that helped with the Configuration Design Document.

References

New Account Console

Stan Silvert — Fri, 4 Sep 2020 00:00:00 GMT

The Keycloak team is excited that our new Account Console is finally final! The old account console is still available for those who need it, but the new version is the default from now on.

This new console is written as a Single Page Application with React and PatternFly 4.

In addition to the modern look and feel, we make it really easy for organizations to personalize the console with custom themes and even custom pages that can have unlimited functionality.

Screen shots of New Account Management Console

Theming

PatternFly 4 makes it really easy to theme the new account console using its system of CSS variables. All you have to do is tweak a few variables, add your own logo, and the console is perfectly skinned.

body {
  --pf-global--FontFamily--sans-serif: Comic Sans MS;
  --pf-global--FontFamily--heading--sans-serif: Comic Sans MS;
  --pf-global--BackgroundColor--dark-100: #2B9AF3;
  --pf-global--Color--100: #004080;
}

Create your own sub-pages

You may have noticed the "Keycloak Man" section above. The new console includes one of our most requested features. That is the ability to add and remove sub-pages. So we’ve made it very easy to develop and plug in your own React component and add it to the Account Console.

It’s even possible to build new pages with nothing but an editor. No build step is required unless you want to use more advanced tools like JSX and Typescript.

Of course, this "Keycloak Man" theme is available online as a Keycloak Quick Start so you can check out all the source.

The Home for New Keycloak Features

New Account Console is the home for user configuration of new Keycloak features like WebAuthn support. So look for new features to start showing up in the New Account Console instead of the old one.

Sunsetting Louketo Project

Bruno Oliveira — Fri, 21 Aug 2020 00:00:00 GMT

After careful consideration, we have decided to pull the plug on Louketo and start the EOL procedure. The plan is during the next 3 months to fix only critical bugs and security issues. Everyone interested in capabilities provided by Louketo Proxy should look at OAuth2 Proxy project which is providing a similar set of capabilities and has a healthy and active community.

A few months ago, the Keycloak team started Louketo — a joint effort to build a generic OAuth2 Proxy and possibly also begin an umbrella project for a set of OIDC related integration libraries. The initial set of goals has not worked out. Keycloak Gatekeeper and OAuth2 Proxy projects hoped to merge and join efforts but for various reasons, this has not worked out.

With Louketo and OAuth2 proxy providing similar features, OAuth Proxy being a more popular project with a bigger community we reached a conclusion there’s no reason to put more effort into Louketo, when we can just contribute there.

What does it mean in practice?

FAQ

Will Louketo Proxy be no longer maintained? Will there be no new releases?

Critical bug fixes will be merged and micro releases provided for the next 3 months. It is up to community members to step up and take over maintaining and driving this project further if they wish to do so. Please comment on the GitHub issue or contact the Keycloak team on the mailing list.

Are there any alternatives I should use instead?

OAuth2 Proxy is very close in a set of capabilities to Louketo Proxy and we highly suggest you investigate it as a replacement.

How do I migrate to OAuth2 Proxy?

We’ll provide high-level guidance on how to migrate. Although unfortunately there is no comprehensive guide nor magical script. Some corner cases, specific configurations, and capabilities may not be fully covered or addressed in exactly the same way.

Why are you abandoning Louketo Proxy as a project?

Initial goals failed. Which were merging with OAuth2 Proxy and creating a wider set of OAuth2/OIDC integration libraries. Some individuals originally interested in collaboration took a step back. The end result is the Louketo project duplicating efforts and capabilities of other much more popular projects - OAuth2 Proxy. As we believe in OpenSource we just don’t want to follow NIH syndrome :)

I would like to keep maintaining Louketo - what should I do?

Please comment on the GitHub issue so others can join the discussion. We’ll take it from there :)

What happens if nobody will step up to maintain Louketo?

After 3 months Louketo repository will be archived and made read-only.

New Keycloak Admin Console Design

Stian Thorgersen — Thu, 16 Apr 2020 00:00:00 GMT

We are planning to completely re-vamp the Keycloak Admin Console, and have been lucky enough to get awesome help from UXD professionals.

The designs are a work-in-progress, but some sections of the console are already ready. We would love to get feedback from users of Keycloak in order to make the new admin console as good as it can be.

In order to make it as easy as possible for everyone to view the designs and provide feedback we have created a dedicate website.

Introducing Keycloak.X

Stian Thorgersen — Fri, 11 Oct 2019 00:00:00 GMT

What are we trying to improve?

The first stable release of Keycloak was way back in 2014. As always when building software there are things that could have been done better.

With Keycloak.X we are aiming to introduce some bigger changes to make Keycloak leaner, easier and more future-proof.

A few goals with Keycloak.X are:

Make it easier to configure
Make it easier to scale, including multi-site support
Make it easier to extend
Reduce startup time and memory footprint
Support zero-downtime upgrades
Support continuous delivery

This work will be broken into several parts:

A new and improved storage layer
A new distribution powered by Quarkus
A new approach to custom providers

Distribution

Building a new distribution powered by Quarkus will allow us to significantly reduce startup time and memory footprint.

We will be able to create a leaner distribution in terms of size and dependencies as well. Reducing dependencies will further reduce the number of CVEs in third-party libraries.

We are also planning to introduce a proper Keycloak configuration file, where we will document directly how to configure everything related to Keycloak. In the current WildFly based distribution the configuration file is very complex as it contains everything to configure the underlying application server, and more often than not it is required to refer to WildFly documentation to figure out how to configure things properly.

Storage

The current storage layer is complex, especially when deployed to multiple-sites. It has a number of scalability issues like the number of realms and clients. Sessions are only kept in-memory, which can be good for performance, but not so great for scaling when you consider a large portion of sessions are idle and unused most of the time.

Exactly what the new storage layer will look like is still to be decided, but we know for sure that we want to:

Reduce complexity with regards to configuring, SPIs and schema
Support zero downtime upgrades
Make sure we can scale to large number of realms and clients
Make sure we can scale to millions of sessions, including support for persisting and passivation

Providers

Providers today have some issues that we would like to address. Including:

Deprecation and versioned approach to SPIs - breaking changes to APIs are horrible in a continuous delivery world
Polyglot - not everyone is a JavaEE developer, let's embrace that and allow more options when it comes to extending Keycloak
Sand-boxing - allow safe customizations in a SaaS world

Continuous Delivery

We are aiming to make it easier to use Keycloak in a continuous delivery world. This should consider Keycloak upgrades, custom providers as well as configuration.

Keycloak upgrades should be seamless and there should not be any breaking changes, rather deprecation periods.

It should be possible to more easily manage and reproduce the config of Keycloak, including realm config, in different environments. A developer should be able to try some config changes in a dev environment, push to a test environment, before finally making the changes live in a production environment.

Contributing

We would love help from the community on Keycloak.X. You can contribute with code, with discussions or simply just trying it out and giving us feedback.

Migration to Keycloak.X

There will be a migration required to Keycloak.X. In fact there will be multiple migrations required as everything mentioned earlier will not be ready in one go.

It is an aim to make this migration as simple and painless as possible though.

Timing

We are staring with the Quarkus powered distribution. The aim is to have a fully functional stable distribution by the end of 2019, but we already have a prototype you can try out and contribute to.

In 2020 we are aiming to work on both the storage layer and providers. Hopefully, by the end of 2020 we will have most if not everything sorted out.

We will continue to support the current Keycloak version in parallel with Keycloak.X and will give everyone plenty of time to do the migration before we eventually will pull the plug on the old.

What's Coming To Keycloak

Stian Thorgersen — Tue, 3 Sep 2019 00:00:00 GMT

New Account Console and Account REST API

The current account console is getting dated. It is also having issues around usability and being hard to extend. For this reason we had the UXD team at Red Hat develop wireframes for a new account console. The new console is being implemented with React.js providing a better user experience as well as making it easier to extend and customise.

WebAuthn

We are working towards adding WebAuthn support both for two factor authentication and passwordless experience. This task is not as simple as adding an authenticator for WebAuth, but will also require work on improving authentication flows and the account console.

Operator

Operators are becoming an important way to manage software running on Kubernetes and we are working on an operator for Keycloak. The aim is to have an operator published on OperatorHub.io soon which provides basic install and seamless upgrade capabilities. This will be based on the awesome work done by the Red Hat Integreatly team.

Vault

At the moment to keep credentials such as LDAP bind credentials more secure it is required to encrypt the whole database. This can be complex and can also have a performance overhead.

We are working towards enabling loading credentials, such as LDAP bind credential and SMTP password, from an external vault. We're providing a built-in integration with Kubernetes secrets as well as an SPI allowing integrating with any vault provider.

In the future we will also provide the option to encrypt other more dynamic credentials at rest in the database.

JIRA - Vault

JIRA - Encryption at rest

User Profile

Currently there's no single place to define user profiles for a realm. To resolve this we are planning to introduce the Profile SPI, which will make it possible to define a user profile for a realm. It will be possible to define mandatory as well as optional attributes and also add validation to the attributes.

The built-in Profile SPI provider will make it possible to declaratively define the user profile for a realm and we also aim to have an editor in the admin console.

JIRA

Observerability

Keycloak already comes with basic support for metrics and health endpoints provided by the underlying WildFly container. We plan to document how to enable this as well as extend with Keycloak specific metrics and health checks. If you would like to try this out today check the WildFly documentation.

JIRA

Continuous Delivery

Over the last few months the team has invested a significant amount of time into automated testing and builds. This will pay of in the long run as we will need to spend less time on releases and will also make sure Keycloak is always release ready. In fact we're taking this as far as not allowing maintainers to manually merge PRs anymore, but rather have created a bot called the Merge Monster that will merge PRs automatically after they have been both manually reviewed and all tests have passed.

Keycloak.X

It's 5 years since the first Keycloak release so high time for some rearchitecting. More details coming soon!

Kanban Planning Board

For more insight and details into what we are working on and our backlog, check out our Kanban Planning Board.

Keycloak Community Newsletter #2

Sébastien Blanc — Mon, 6 May 2019 00:00:00 GMT

We have a lot of news to share in this second edition, so fasten your seatbelt and let's go!

News from the community

First of all, we would like to thank the whole community, which has contributed to this edition by sharing their links, tips, and so on.

An increasing number of API Management/Gateway solutions can now be integrated with Keycloak. Recently, Ambassador, an Open Source Kubernetes-Native API Gateway built on the Envoy Proxy, has added support for Keycloak; it has also published a quickstart to show how Keycloak can be used to add Github as Identity provider.

We have some good news for Python users. Akhil Lawrence has created a Python Keycloak Adapter Client. Be sure to check out the really nice documentation that comes with many usage examples.

Like any other project, setting up clustering can be somehow complex. Liqiang has shared with us his setup and configuration tips. Thanks again for sharing your knowledge with the community!

The existing Keycloak Helm Chart has now been deprecated and is now replaced by the one managed by CodeCentric.

Dmitry Telegin has created a really nice example on how you can dynamically brand your login theme for Keycloak. Check out the repository here.

Hayri Cicek has written a nice introductory article on how to use Keycloak and MicroProfile. It even shows the usage of the brand new Client Scope "microprofile-jwt," which has been added in Keycloak 6.0.0.

News from the project

Keycloak 6.0.1 has been released. We know that some people were a bit confused by our new versioning schema. We hope that this blog post will clear it up.

We started the proposal process for Keycloak to be accepted into the Cloud Native Computing Foundation (CNCF). We hope that this effort will significantly boost our community adoption with our ultimate goal of becoming the de facto solution for OAuth2/OpenID Connect within Open Source and Cloud Native. You can watch the presentation to the CNCF TOC (Technical Oversight Committee) here and the slides are also available here.

As mentioned in the previous newsletter, we will now discuss larger features openly on Github. It's community-focused and we have currently two open Pull Requests:

Conferences / Webinars

W-Jax has just posted a YouTube talk in German Secure Spring Applications with Keycloak delivered by Thomas Darimont.

In May, Sébastien Blanc will deliver a full-day workshop about Keycloak during VoxxedDays Minsk

Contributing to Keycloak

We always welcome contributions to Keycloak. If you would like to contribute and have a great idea, tell us about it on the developer mailing list. If you are unsure about what to work on, let us know and we can help!

As a first time contributor, you may have a simpler idea to start, such as contributing a bug fix. This type of contribution will allow you to get to know the code base, the test suite, and the mechanics of creating a pull request. You can find a list of open bugs here.

We also have a list of open issues that are awaiting contributions. Not all issues are properly reviewed, so we recommend that you start by sending an email to the developer mailing list before you begin.

For each newsletter, we will also highlight a few features for which we would especially like contributions. These features include:

Allow user to delete account - In light of GDPR and the right to be forgotten a very useful feature is to allow users to delete their own accounts.
OpenID Connect Backchannel Logout - Add support for OpenID Connect Back-Channel logout specification to Keycloak.

Keycloak Releases and Versioning

Stian Thorgersen — Wed, 24 Apr 2019 00:00:00 GMT

We are aiming to achieve a continuous delivery model with Keycloak. By that we mean it should be seamless to upgrade between Keycloak releases and to keep up to date with the latest release.

This requires no breaking changes, but rather deprecating old APIs allowing time to migrate to new APIs.

Traditional semantic versioning does not fit very well with this model. By following the mantra of continuous delivery we would forever be stuck on a major version and only update the minor version, and you could argue whether or not it would be correct to update the major version when an API that has been deprecated for a long period of time is removed.

With this in mind, we have made some slight changes to our release cadence and versioning schema.

For now, we will have a new feature release roughly 4 times each year. Each release will bump the major version number. That doesn't mean there are breaking changes, but until we perfect our continuous delivery model there may be some, so always refer to the migration guide prior to upgrading!

We have also decided to drop the Final suffix from releases. That is simply because it is not needed as we have not done any beta or release candidates for a long time. In the spirit of continuous delivery, we will have individual features marked as preview rather than whole releases.

As a final note, with the reduced release cadence we are planning to do more micro releases. This will be focused on critical bugs and security vulnerabilities. However, we may accept contributions to less critical bugs given the fix is well tested and has low risk of regressions.

Keycloak Community Newsletter #1

Sébastien Blanc — Mon, 1 Apr 2019 00:00:00 GMT

This is the very first "Keycloak Community Newsletter." The goal of this newsletter is to share news about the Keycloak project.

News from the community

Since the beginning of the year, the community has been really active. Each week several blog posts about Keycloak are published. Here is a short selection.

Let's start with Philip Riecks who explains in this article how you can use Microprofile JWT Authentication with Keycloak and React.

Ramandeep Singh has been blogging about Keycloak and NodeJS.

Joshua Alfred Erney explains in this blog series how to integrate Keycloak and Kong, a popular API management platform.

With Mohamed Aboullaite's blog post, you will learn how to secure your Kibana dashboards using Keycloak.

Finally in this three-part article, the process of installing Keycloak on Kubernetes will become very clear.

News from the project

Keycloak 5.0.0 has been released and 6.0.0 is around the corner.

From now on, new larger Keycloak's features will be openly discussed. For each new feature, a design document will be created and pushed to our Github repository as a simple MarkDown file. This strategy makes it easy for everyone to comment as well as contribute to the designs by opening Github issues and providing pull requests. We have already three documents open for discussion:

News from the Identity Management World

The big announcement, two weeks ago, was that WebAuthn became an official W3C Standard. This event is a milestone in the world of authentication and Identity Management. The goal of WebAuthn, according to Wikipedia is to: standardize an interface for public-key authentication of users to web-based applications and services. The Keycloak community is naturally really interested in this new standard. A design document is available and the community has even started to work on a prototype.

Conferences / Webinars

In March, the Javaland conference was held in Germany. The conference had two talks about Keycloak. Sébastien blanc gave a talk about Securing your Microservices with Keycloak. A Github repository contains the demo. Thomas Darimont also gave an introductory talk in German about Keycloak.

In April, at Devoxx France, Guillaume Gillon will talk in French about how to combine Keycloak and Gravitee.io.

Contributing to Keycloak

For each newsletter, we will also highlight a few features for which we would especially like contributions. These features include:

Support for large number of realms - Keycloak is not designed to handle large amount of realms. When over 50 realms exist, you start to experience issues.
Support different URLs for front and back channel requests in adapters - When adapters are located alongside Keycloak, it's not always recommended to use the public URL of Keycloak; this issue concerns allowing adapters to use one URL for back-channel requests and a different URL for redirects.
OpenID Connect Front-Channel Logout - Add support for OpenID Connect Front-Channel logout specification to Keycloak.
SCIM 2 - Add support for the SCIM 2 specification to Keycloak, which provides a standards-based interface for user management.

W3C Web Authentication (WebAuthn)

Stian Thorgersen — Wed, 6 Mar 2019 00:00:00 GMT

W3C Web Authentication (WebAuthn) was recently made an official web standard. This is a great step towards making a safer and simpler authentication experience for users.

Where traditional authentication, such as password and OTP, rely on having shared secrets between the user and the web application, this is not the case with WebAuthn. WebAuthn uses public key-based credentials resulting in the web application not having access to the users secrets anymore. The keys are also unique per web application which eliminates the risk of phishing attacks.

WebAuthn provides a standard protocol for web applications to authenticate via a number of devices through a relatively simple challenge/response. All major browser vendors now have support for WebAuthn and FIDO2, where FIDO2 is the specification that enables the browser to communicate with different hardware devices.

WebAuthn can be used both as a two factor mechanism as well as enable passwordless authentication. There are already an healthy amount of devices that can be used together with WebAuthn. There are a number of security keys like YubiKey, ThinC and Titan. A lot of new laptops also come with built-in fingerprint scanners, and it Android also recently made it possible to use the fingerprint scanners on Android 7+ devices with WebAuthn.

We are of course planning on bringing WebAuthn support to Keycloak in the near future. The team behind webauthn4j has been hard at work greating a quality Java library for WebAuthn and will hopefully soon have an extension to Keycloak ready.

We will first focus on two-factor authentication with WebAuth and as part of this we will bring a number of improvements to Keycloak around two-factor authentication. For more details check the design document.

Later, we will also bring the passwordless experience to Keycloak. This will also introduce Keycloak to the identity first login flows. By asking for the users identity first Keycloak can provide smarter decisions on how to authenticate a user based on the users preferences. For example requesting the user to press the button on their security key instead of asking for a password.

Resources:

Keycloak on Kubernetes

Stian Thorgersen — Wed, 27 Jun 2018 00:00:00 GMT

If you'd like to get started with using Keycloak on Kubernetes check out this screencast. If you'd rather try it out yourself check out this GitHub repository that contains the instructions as well as all the bits you'll need to reproduce what is shown in the screencast.

Keycloak Cordova Browser Tabs support

Stian Thorgersen — Thu, 21 Jun 2018 00:00:00 GMT

Thanks to gtudan we finally have support for browser tabs for Cordova in our JavaScript adapter. This enables using a system browser tab to do the login flows to Keycloak, which brings better security and also single sign-on and single sign-out to mobile applications secured with Keycloak.

This will be included in Keycloak 4.1.0.Final which will be released soon. In the meantime check this screen-cast to see this in action!

Red Hat Single Sign-On in Keynote demo on Red Hat Summit!

Marek Posolda — Sun, 17 Jun 2018 00:00:00 GMT

Red Hat Summit is one of the most important events during the year. Many geeks, Red Hat employees and customers have great opportunity to meet, learn new things and attend lots of interesting presentations and trainings. During the summit this year, there were few breakout sessions, which were solely about Keycloak and Red Hat SSO. You can take a look at this blogpost for more details.

One of the most important parts of Red Hat Summit are Keynote demos, which show the main bullet points and strategies going forward. Typically they also contain the demos of the most interesting technologies, which Red Hat uses.

On the Thursday morning keynote, there was this demo to show the Hybrid Cloud with 3 clouds (Azure, Amazon, Private) in action! There were many technologies and interesting projects involved. Among others, let's name Red Hat JBoss Data Grid (JDG), OpenWhisk or Gluster FS. The RH-SSO (Red Hat product based on Keycloak project) had a honor to be used as well.

Red Hat SSO setup details

The frontend of the demo was the simple mobile game. RH-SSO was used at the very first stage to authenticate users to the mobile game. Each attendee had an opportunity to try it by yourself. In total, we had 1200 players of the game.

There was loadbalancer up-front and every user was automatically forwarded to one of the 3 clouds. The mobile application used RH-SSO Javascript adapter (keycloak.js) to communicate with RH-SSO.

With Javascript application, whole OpenID Connect login flow happens within browser and hence can rely on sticky session. So since Javascript adapter is used, you may think that we can do just "easy" setup and let the RH-SSO instances across all 3 clouds to be independent of each other and have each of them to use separate RDBMS and infinispan caches. See the image below for what such a setup would look like:

With this setup, every cloud is aware just about the users and sessions created on itself. This is fine with sticky session, but it won’t work for failover scenarios in case if one of the 3 clouds is broken/removed. There are also other issues with it - for example that admins and users see just sessions created on particular cloud. There are also potential security issues. For example when admin disables user on one cloud, user would still be enabled on other clouds as changes to user won’t be propagated to other clouds.

So we rather want to show more proper setup aware of the replication. Also because one part of the demo was showing failover in action. One of the 3 clouds (Amazon) was killed and users, who were previously logged in Amazon, were redirected to one of the remaining 2 clouds. The point was that the end user won't be able to recognize any change. Hence users previously logged in Amazon must be still able to refresh their tokens in Azure or Private cloud. This in turn meant that the data (both users, user sessions and caches) need to be aware of all 3 clouds.

In Keycloak 3.X, we added support for Cross-datacenter (Cross-site) setup with usage of external JDG servers to replicate data among datacenters (tech preview in RH-SSO 7.2). The demo was using exactly this setup. Each site had JDG server and all 3 sites communicate with each other through those JDG servers. This is standard JDG Cross-DC setup. See the picture below for what the demo looked like:

The JDG servers were not used during the demo just for the purpose of the RH-SSO, but also for the purpose of other parts of the demo. The details are described in the JDG setup blog by Sebastian Łaskawiec. The JDG servers were setup with ASYNC backups, which was more effective and was completely fine for the purpose of the demo due the fact that mobile application was using keycloak.js adapter. See RH-SSO docs for more details.

Red Hat SSO customizations

The RH-SSO was using standard RH-SSO openshift image . For Cross-DC setup, we needed to do configuration changes as described in the RHSSO documentation . Also few other customizations were done.

JDG User Storage

RH-SSO Cross-DC setup currently requires both replicated RDBMS and replicated JDG server. When preparing to demo, we figured that using the clustered RDBMS in OpenShift replicated across all 3 clouds, is not very straightforward thing to setup.

Fortunately RH-SSO is highly customizable platform and among other things, it provides supported User Storage SPI , which allows customers to plug their own storage for RH-SSO users. So instead of setup of replicated RDBMS, we created custom JDG User Storage. So users of the example realm were saved inside JDG instead of the RDBMS Database.

Lessons learned is, that we want to make the Keycloak/RH-SSO Cross-DC setup simpler for administrators. Hence we're considering removing the need for replicated RDBMS entirely and instead store all realms and users metadata within JDG. So just replicated JDG would be a requirement for Cross-DC setup.

Other customizations

For the purpose of the demo, we did custom login theme. We also did Email-Only authenticator, which allows to register user just by providing their email address. This is obviously not very secure, but it's pretty neat for the example purpose. Keynote users were also able to login with Google Identity Provider or Red Hat Developers OpenID Connect Identity Provider, which was useful for users, who already had an account in those services.

If you want to try all these things in action, you can try to checkout our Demo Project on Github and deploy it to your own openshift cluster! If you have 3 clouds, even better! You can try the full setup including JDG to try exactly the setup we used during keynote demo.

Keycloak on OpenShift

Stian Thorgersen — Thu, 31 May 2018 00:00:00 GMT

In this post you'll see how to deploy Keycloak on OpenShift. You'll also learn how to deploy a Node.js based REST service and an HTML5 application to OpenShift and secure these with Keycloak.

There is also a screencast showing this example at https://youtu.be/9zUWqbK3BqI.

If you don't already have OpenShift available a good place to start is by using MiniShift.

Deploying Keycloak

First of all create a new project in OpenShift with oc by running:

oc new-project keycloak

The next thing to do is to import the Keycloak template into OpenShift, by running:

oc replace --force -f "https://raw.githubusercontent.com/jboss-dockerfiles/keycloak"\
"/master/openshift-examples/keycloak-https.json"

Now open the OpenShift console and open the keycloak project.

Click on Add to Project and Browse Catalog. In the catalog you should find Keycloak. Click on it.

Click next on the information. Under configuration set a username and password that you can remember in the Keycloak Administrator Username and Keycloak Administrator Password fields. Then click on create. Click on Continue to project overview.

Wait for the deployment to complete then click on the link to the application. Your browser will complain about the certificate as it is a self-signed certificate. Ignore this and proceed. Click on Administration Console, then login with the username and password you entered previously. Keep this tab open as you will need it later.

You have now deployed Keycloak onto OpenShift.

Configure Clients in Keycloak

We need to create clients for the service and the application we will secure.

Open the tab with the Keycloak admin console. Click on Clients and Create. For Client ID enter service and click Save. Under Access Type select bearer-only and click on Save.

Click on Clients then Create again. For Client ID enter app and click Save. For Valid Redirect URIs and Web Origins enter *. In production environment it is very important that you enter the correct URL for your application, but since this is a demonstration we will simply allow all URLs for simplicity. You can easily update these to the correct URLs for the application after it has been deployed.

Keep the Keycloak admin console tab open as again you will need it later.

Deploy the Service

Go back to the tab with the OpenShift console and click on Add to Project and Browse Catalog again. This time click on Node.js. Click next on Information, then click on advanced options under Configuration.

Make the following changes:

Name: service
Git Repository URL: https://github.com/stianst/misc.git
Context Dir: openshift/service
Secure route: enable
TLS Termination: Edge
Insecure Traffic: Redirect
Deployment Config
- KEYCLOAK_URL=https://secure-keycloak-keycloak.192.168.42.52.nip.io/auth

Replace the value for KEYCLOAK_URL with the URL for Keycloak. You can find this by going back to the tab with the Keycloak admin console (copy the URL up to and including "/auth").

Click on Create then Continue to the project overview. Wait for the build and deployment to complete then click on the link to the application. You should see "Not found!". Add "/service/public" to the url and you should see "message: public" in JSON.

You have now deployed and secured the service. Keep this tab open as well as you need it later.

Deploy the Application

Go back to the tab with the OpenShift console and click on Add to Project and Browse Catalog again. This time click on PHP. Click next on Information, then click on advanced options under Configuration.

Make the following changes:

Name: app
Git Repository URL: https://github.com/stianst/misc.git
Context Dir: openshift/app
Secure route: enable
TLS Termination: Edge
Insecure Traffic: Redirect
Deployment Config
- KEYCLOAK_URL=https://secure-keycloak-keycloak.192.168.42.52.nip.io/auth
- SERVICE_URL=https://service-keycloak.192.168.42.240.nip.io/service

Replace the value for KEYCLOAK_URL with the URL for Keycloak. You can find this by going back to the tab with the Keycloak admin console (copy the URL up to and including "/auth"). Also, replace the value for SERVICE_URL with the URL for the Service. You can find this by going back to the tab with the service (copy the URL up to and including "/service").

Click on Create then Continue to the project overview. Wait for the build and deployment to complete then click on the link to the application. You should already be logged-in. You can now invoke the service by clicking on Invoke Public to invoke the unsecured endpoint or Invoke Admin to invoke the endpoint secured with the admin role. If you click on Invoke Secured it will fail as the admin user you are logged in with does not have the user role. To be able to invoke this endpoint as well go back to the Keycloak admin console. Create a realm role named user. Then go to users find your admin user and under role mappings add the user role to the user.

You have now deployed and secured the application as well as seen how the application can securely invoke the service you deployed previously.

Red Hat Single Sign-On @ Red Hat Summit

Stian Thorgersen — Wed, 2 May 2018 00:00:00 GMT

At Red Hat Summit this year there are no less than 4 sessions about Red Hat Single Sign-On! If you are going to Summit make sure to join us.

OpenShift + single sign-on = Happy security teams and happy users

Dustin Minnich, Joshua Cain, Jared Blashka, Brian Atkisson. Tuesday 4 PM.

One username and password to rule them all.

In this lab, we'll discuss and demonstrate single sign-on technologies and how to implement them using Red Hat products. We'll take you through bringing up an OpenShift cluster in a development environment, installing Red Hat single sign-on on top of it, and then integrating that with a variety of example applications.

Securing service mesh, microservices, and modern applications with JSON Web Token (JWT)

Stian Thorgersen, Sébastien Blanc. Wednesday 10:30 AM.

Sharing identity and authorization information between applications and services should be done with an open industry standard to ensure interoperability in heterogeneous environments. Javascript Object Signing and Encryption (JOSE) is a framework for securely sharing such information between heterogeneous applications and services.

In this session, we’ll cover the specifications of the JOSE framework, focusing especially on JSON Web Token (JWT). We’ll discuss practical applications of the JOSE framework, including relevant specifications, such as OpenID Connect. After this session, you’ll have an understanding of the specifications and how to easily adopt them using Red Hat single sign-on or another OpenID Connect provider.

Red Hat single sign-on: Present and future

Boleslaw Dawidowicz, John Doyle. Wednesday 3:30 PM.

Red Hat single sign-on (SSO) provides web SSO with modern, token-based protocols, such as OAuth and OpenID Connect. This session will highlight the features of the latest release and show the future direction of the technology within the Red Hat portfolio.

Securing apps and services with Red Hat single sign-on

Sébastien Blanc, Stian Thorgersen. Thursday 1:00 PM.

If you have a number of applications and services, the applications may be HTML5, server-side, or mobile, while the services may be monolithic or microservices, deployed on-premise or to the cloud. You may have started looking at using a service mesh. Now, you need to easily secure all these applications and services.

Securing applications and services is no longer just about assigning a username and password. You need to manage identities. You need two-factor authentication. You need to integrate with legacy and external authentication systems. Your list of other requirements may be long. But you don’t want to develop all of this yourself—nor should you.

In this session, we’ll demonstrate how to easily secure all your applications and services—regardless of how they're implemented and hosted—with Red Hat single sign-on. After this session, you'll know how to secure your HTML5 application or service, deployed to a service mesh and everything in between. Once your applications and services are secured with Red Hat single sign-on, you'll know how to easily adopt single sign-on, two-factor authentication, social login, and other security capabilities.

Keycloak Questionnaire

Stian Thorgersen — Thu, 19 Apr 2018 00:00:00 GMT

Are you using Keycloak? If so we would greatly appreciate it if you can take some time and answer some questions at https://goo.gl/forms/TRSmCCU6eX25prhH2.

Keycloak and Istio

Sébastien Blanc — Mon, 26 Feb 2018 00:00:00 GMT

This short blog post is to share the first trials of combining Keycloak with Istio.

What is Istio?

Istio is an platform that provides a common way to manage your service mesh. You may wonder what a service mesh is, well, it's an infrastructure layer dedicated to connect, secure and make reliable your different services.

Istio, in the end, will be replacing all of our circuit-breakers, intelligent load balancing or metrics librairies, but also the way how two services will communicate in a secure way. And this is of course the interesting part for Keycloak.

As you know Keycloak uses adapters for each of the application or service that it secures. These adapters make sure to perform the redirect if needed, to retrieve the public keys, to verify the JWT signature etc ...

There are a lot of different adapters depending on the type of application or technology that is used : there are Java EE adapters, JavaScript adapters and we even have a NodeJS adapter.

The end of the adapters?

Following the Istio philosophy, these adapters would not be needed in the end because the Istio infrastructure will take care of the tasks the adapters were doing (signature verification etc ...). We are not yet there for now but in this post we will see what can already be done with Istio and how much it already can replace the role of the Adapters.

The Envoy Sidecar

We won't dive into the details on how Istio works but there is one main concept to understand around which Istio is articulated : the Envoy Sidecar. Envoy is a high performance proxy deployed alongside with each deployed service and this is the reason we call it a "sidecar".

Envoy captures all incoming and outgoing traffic of its "companion" service, it can then apply some basic operations and also collect data and send it to a central point of decision, called the "mixer" in Istio. The conifugration of Envoy itself happens through the "pilot" an other Istio component.

Envoy Filters

To make it easier to add new functionnality to the Envoy Proxy, there is the concept of filters that you can stack up. Again, these filters can be congifured by the Pilot and they can gather information for the Mixer:

The JWT-Auth Filter

The Istio team has been developping a filter that interest us : the jwt-auth filter. As the name suggests, this filter is capable of performing checks on a JWT token that the Envoy Proxy will extract from the HTTP Request's headers.

The details about this filters can be found here.

The Keycloak-Istio Demo

Now that you have the big picture in mind let's take a look at the demo that has been developed by Kamesh Sampath (@kamesh_sampath) From the Red Hat Developer Experience Team to show how Keycloak and Istio can be combined:

The demo will be running inside a Minishift instance, Minishift is a tool that helps to run OpenShift locally. Minishift has really nice support for Istio, as it takes only a few commands to install the Istio layer inside a Minishift instance.

So inside our Minishift instance we will have:

A Keycloak Pod : a pod containing a Keycloak Server.
A Web App Pod (Cars Web): this pod contains the Web App that will perform the authentification through the Keycloak login in order to obtain a JWT token
Then we have the Istio related components :

The Pilot to configure the Envoy proxies
The Mixer to handle the attributes returned by Envoy

The API Service (Cars API) : this pod will have two containers :

The API service itself, in this case a simple Spring Boot Application
The Envoy Side-Car container

The demo repository provides the Istio script to delpoy the Envoy Sidecar alongside the Spring Boot Api Service.

Thi is how the Cars API Pod looks like after it is deployed:

Now, the Envoy Sidecar needs to be configured:

We indicate what needs to be configured, the kind of policy and implicitly the correct filter (in our case the jwt-auth filter) will be configured.
It needs to know where to retrieve Keycloak's Public key in order to verify the JWT signature.
The issuer : who has generated the token ? In this case it's also the Keycloak Server.

Now each incoming request to the API Service will be checked by the Envoy Sidecar to see if the JWT token contained in the header is valid or not. If it's valid the request be authorized otherwise an error message will be returned.

The full instructions of the demo (including setting up Minishift with Istio) can be found hereand again thanks to the awesome Kamesh for the work he delivered for this demo.

Keycloak and Angular CLI

Stan Silvert — Fri, 9 Feb 2018 00:00:00 GMT

So I made a schematic that installs and configures Keycloak in any Angular CLI application.

If you want to try it out, do this from the command line:

npm install -g @ssilvert/keycloak-schematic
ng new myApp
cd myApp
ng generate keycloak --collection @ssilvert/keycloak-schematic --clientId=myApp

Now Keycloak is integrated into your app. Of course, you can do this with any existing Angular CLI application. It doesn't have to be a new one.

Then, go to the Keycloak Admin console (master realm) and go to Clients --> Add Client --> Select File.

Select the client-import.json file that the "ng generate keycloak" command created in /myApp.

Assuming your Keycloak server is running on localhost:8080, you are ready to go. Start your application:

ng serve

Go to your browser to start the app and see this:

Oh joy! myApp is protected with Keycloak!

The keycloak-schematic installs a KeycloakService and a KeycloakGuard. So you can easily:

Add login/logout buttons
Access user self service (account management)
Guard protected routes instead of the whole app
Work with roles
Lots more

Click here for a comprehensive getting started guide, full documentation, and sample code.

Note that this stuff is early alpha right now. And it will move from @ssilvert to @keycloak before long. In the mean time, I'd love to get feedback. There is a lot to do to make Keycloak/Angular integration even better, but I think the keycloak-schematic is a big step forward.

So long, and thanks for all the fish.

Keycloak, Apache and OpenID Connect

Stian Thorgersen — Thu, 4 Jan 2018 00:00:00 GMT

mod_auth_openidc makes it easy to secure your applications running in Apache or when Apache is used as a reverse proxy. It can be used both for enabling SSO to web applications as well as to secure RESTful services. For more details check out our documentation as well as the guides from mod_auth_openidc.

X.509 and Smartcard Authentication with Keycloak

Stian Thorgersen — Wed, 4 Oct 2017 00:00:00 GMT

If you want to do X.509 and Smartcard authentication with Keycloak check out this blog post from Stephen Higgs. It walks you through how to setup X.509 authentication with Keycloak and a Yubikey Neo device.

Easily secure your Spring Boot applications with Keycloak

Sébastien Blanc — Mon, 29 May 2017 00:00:00 GMT

What is Keycloak?

Although security is a crucial aspect of any application, its implementation can be difficult. Worse, it is often neglected, poorly implemented and intrusive in the code. But lately, security servers have appeared which allow for outsourcing and delegating all the authentication and authorization aspects. Of these servers, one of the most promising is Keycloak, open-source, flexible, and agnostic of any technology, it is easily deployable/adaptable in its own infrastructure. Moreover, Keycloak is more than just an authentication server, it also provides a complete Identity Management system, user federation for third parties like LDAP and a lot more ... Check it out on here. The project can also be found on Github

Spring Boot and Keycloak

Keycloak provides adapters for an application that needs to interact with a Keycloak instance. There are adapters for WildFly/EAP, NodeJS, Javascript and of course for Spring Boot.

Setting up a Keycloak server

You have different options to set up a Keycloak server but the easiest one is probably to grab a standalone distribution, unzip it and voila! Open a terminal and go to your unzipped Keycloak server and from the bin directory simply run:

./standalone.sh(bat)

Then open a browser and go to http://localhost:8080/auth. Since it's the first time that the server runs you will have to create an admin user, so let's create an admin user with admin as username and admin for the password:

Now you can log in into your administration console and start configuring Keycloak.

Creating a new Realm

Keycloak defines the concept of a realm in which you will define your clients, which in Keycloak terminology means an application that will be secured by Keycloak, it can be a Web App, a Java EE backend, a Spring Boot etc. So let's create a new realm by simply clicking the "Add realm" button:

Let's call it "SpringBoot".

Creating the client, the role, and the user

Now we need to define a client, which will be our Spring Boot app. Go to the "Clients" section and click the "create" button. We will call our client "product-app":

On the next screen, we can keep the defaults settings but just need to enter a valid redirect URL that Keycloak will use once the user is authenticated. Put as value: "http://localhost:8081/*"

Don't forget to Save! Now, we will define a role that will be assigned to our users, let's create a simple role called "user":

And at last but not least let's create a user, only the username property is needed, let's call him "testuser":

And finally, we need to set his credentials, so go to the credentials tab of your user and choose a password, I will be using "password" for the rest of this article, make sure to turn off the "Temporary" flag unless you want the user to have to change his password the first time he authenticates. Now proceed to the "Role Mappings" tab and assign the role "user":

We are done for now with the Keycloak server configuration and we can start building our Spring Boot App!

Creating a simple app

Let's create a simple Spring Boot application, you might want to use the Spring Initializr and choose the following options:

Web
Freemarker
Keycloak

Name your app "product-app" and download the generated project:

Import the application in your favorite IDE, I will be using IntelliJ. Our app will be simple and will contain only 2 pages:

An index.html which will be the landing page containing just a link to the product page.
Products.ftl which will be our product page template and will be only accessible for authenticated user.

Let's start by creating in simple index.html file in "/src/resources/static":

<html>
<head>
    <title>My awesome landing page</title>
</head>
 <body>
   <h2>Landing page</h2>
   <a href="/products">My products</a>
 </body>
</html>

Now we need a controller:

@Controller
class ProductController {

   @Autowired ProductService productService;

   @GetMapping(path = "/products")
   public String getProducts(Model model){
      model.addAttribute("products", productService.getProducts());
      return "products";
   }

   @GetMapping(path = "/logout")
   public String logout(HttpServletRequest request) throws ServletException {
      request.logout();
      return "/";
   }
}

As you can see, it's simple; we define a mapping for the product page and one for the logout action. You will also notice that we are calling a "ProductService" that will return a list of strings that will put in our Spring MVC Model object, so let's create that service:

@Component
class ProductService {
   public List<String> getProducts() {
      return Arrays.asList("iPad","iPod","iPhone");
   }
}

We also need to create the product.ftl template, create this file in "src/resources/templates":

<#import "/spring.ftl" as spring>
<html>
<h2>My products</h2>
<ul>
<#list products as product>
    <li>$amp{product}</li>
</#list>
</ul>
<p>
    <a href="/logout">Logout</a>
</p>
</html>

Here we simply iterate through the list of products that are in our Spring MVC Model object and we add a link to log out from our application. All that is the left is adding some keycloak properties in our application.properties.

Defining Keycloak's configuration

Some properties are mandatory:

keycloak.auth-server-url=http://localhost:8080/auth
keycloak.realm=springboot
keycloak.public-client=true
keycloak.resource=product-app

Then we need to define some Security constraints as you will do with a Java EE app in your web.xml:

keycloak.security-constraints[0].authRoles[0]=user
keycloak.security-constraints[0].securityCollections[0].patterns[0]=/products/*

Here, we simply define that every request to /products/* should be done with an authenticated user and that this user should have the role "user". One last property is to make sure our application will be running on port 8081:

server.port=8081

We are all set and we can run our app! You have several options to run your Spring Boot application, with Maven you can simply do:

mvn clean spring-boot:run

Now browse to "http://localhost:8080" and you should see the landing page, click the "products" links and you will be redirected to the Keycloak login page:

Login with our user "testuser/password" and should be redirected back to your product page:

Congratulations! You have secured your first Spring Boot app with Keycloak. Now Log out and go back to the Keycloak administration console and discover how you can "tune" your login page. For instance, you can activate the "Remember Me", the "User Registration", hit the save button and go back to your login screen, you will see that these features have been added.

Introducing Spring Security support

If you're a Spring user and have been playing around security, there is a big chance that you have been using Spring Security. Well, I have some good news: we also have a Keycloak Spring Security Adapter and it's already included in our Spring Boot Keycloak Starter. Let's see how we can leverage Spring Security together with Keycloak.

Adding Spring Security Starter

First, we need the Spring Security libraries, the easiest way to do that is to add the spring-boot-starter-security artifact in your pom.xml:

<dependency>
   <groupId>org.springframework.boot</groupId>
   <artifactId>spring-boot-starter-security</artifactId>
</dependency>

Creating a SecurityConfig class

Like any other project that is secured with Spring Security, a configuration class extending WebSecurityConfigurerAdapter is needed. Keycloak provides its own subclass that you can again subclass:

@Configuration
@EnableWebSecurity
@ComponentScan(basePackageClasses = KeycloakSecurityComponents.class)
 class SecurityConfig extends KeycloakWebSecurityConfigurerAdapter
{
   /**
    * Registers the KeycloakAuthenticationProvider with the authentication manager.
    */
   @Autowired
   public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
      KeycloakAuthenticationProvider keycloakAuthenticationProvider = keycloakAuthenticationProvider();
      keycloakAuthenticationProvider.setGrantedAuthoritiesMapper(new SimpleAuthorityMapper());
      auth.authenticationProvider(keycloakAuthenticationProvider);
   }

   @Bean
   public KeycloakConfigResolver KeycloakConfigResolver() {
      return new KeycloakSpringBootConfigResolver();
   }

   /**
    * Defines the session authentication strategy.
    */
   @Bean
   @Override
   protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
      return new RegisterSessionAuthenticationStrategy(new SessionRegistryImpl());
   }

   @Override
   protected void configure(HttpSecurity http) throws Exception
   {
      super.configure(http);
      http
            .authorizeRequests()
            .antMatchers("/products*").hasRole("user")
            .anyRequest().permitAll();
   }
}

Let's have a closer look at the most important methods:

configureGlobal: Here we change the Granted Authority Mapper, by default in Spring Security, roles are prefixed with ROLE_, we could change that in our Realm configuration but it could be confusing for other applications that do not know this convention, so here we assign a SimpleAuthorityMapper that will make sure no prefix is added.
keycloakConfigResolver: By default, the Keycloak Spring Security Adapter will look up for a file named keycloak.json present on your classpath. But here we want to leverage the Spring Boot properties file support.
configure: Here is where we define our security constraints, pretty simple to understand we secure the path "/products" with role "user"

Now we can remove the security constraints that we had defined previously in our application.properties file and let's add another property to map the Principal name with our Keycloak username:

keycloak.principal-attribute=preferred_username

Now we can even inject the principal in our controller method and put the username in the Spring MVC model:

@GetMapping(path = "/products")
public String getProducts(Principal principal, Model model){
   model.addAttribute("principal",principal);
   model.addAttribute("products", productService.getProducts());
   return "products";
}

Finally, we update the product.ftl template to print out the username:

<#import "/spring.ftl" as spring>
<html>
<h2>Hello $amp{principal.getName()}</h2>
<ul>
<#list products as product>
    <li>$amp{product}</li>
</#list>
</ul>
<p>
    <a href="/logout">Logout</a>
</p>
</html>

Restart your app, authenticate again, it should still work and you should also able to see your username printed on the product page:

Conclusion

We saw in this article how to deploy and configure a Keycloak Server and then secure a Spring Boot app, first by using Java EE security constraints and then by integrating Spring Security. In the next article, we will decompose this monolith application, which will give us the opportunity to:

See how to secure a microservice.
How microservices can securely "talk" to each other.
How a Pure Web App build with AngularJS can be secured with Keycloak and call secured microservices.

Screencast

This article is also available in "screencast" format :

https://www.youtube.com/watch?v=UUWyu1kG6YI (Part 1)
https://www.youtube.com/watch?v=Yc5Qe5C3Xn4 (Part 2)

Resources

Criticial vulnerability fixed in Keycloak Node.js adapters

Stian Thorgersen — Thu, 11 May 2017 00:00:00 GMT

A criticial vulnerability was discovered in Keycloak Node.js adapters. We highly recommend everyone upgrades to version 3.1.0 of the adapter immediately. This adapter will work with Keycloak 2 and upwards.

For more details see CVE-2017-7474.

How to Setup MS AD FS 3.0 as Brokered Identity Provider in Keycloak

Hynek Mlnařík — Thu, 23 Mar 2017 00:00:00 GMT

This document guides you through initial setup of Microsoft Active Directory Federation Services 3.0 as a brokered identity provider Keycloak.

Prerequisites

Two server hosts:

Microsoft Windows Server 2012 with Active Directory Federation Services (AD FS) installed. The AD domain will be named DOMAIN.NAME in this post.
Keycloak server. This can be generally placed anywhere but here it is expected to be running on separate host

DNS setup:

The Windows host name will be fs.domain.name in this post
The Keycloak host name will be kc.domain.name in this post

Setup Keycloak Server

Keycloak server has configured for SSL/TLS transport - this is mandatory for AD FS to communicate with it. This comprises two steps:

Setup keycloak for incoming HTTPS connections - steps are provided in Server Installation guide.
Export AD FS certificate into a Java truststore to enable outgoing HTTPS connections:

In the AD FS management console, go to Service → Certificates node in the tree and export the Service communications certificate.
Import the certificate into a Java truststore (JKS format) using Java keytool utility.
Setup the truststore in Keycloak as described in Server Installation guide.

Setup Identity Provider in Keycloak

Setup Basic Properties of Brokered Identity Provider

In the Identity Providers, create a new SAML v2.0 identity provider. In this post, the identity provider will be known under alias adfs-idp-alias.

Now scroll to the bottom and enter the AD FS descriptor URL into Import from URL field. For AD FS 3.0, this URL is https://fs.domain.name/FederationMetadata/2007-06/FederationMetadata.xml. Once you click “Import”, check the settings. Usually, you would at least enable Validate signature option.

If the authentication requests sent to the AD FS instance are expected to be signed, which is also usually the case, you have to enable Want AuthnRequests Signed option. Importantly, then the SAML Signature Key Name field that shows after enabling the Want AuthnRequests Signed option has to be set to CERT_SUBJECT as AD FS expects the signing key name hint to be the subject of the signing certificate.

The AD FS will be set up in the next step to respond with name ID in Windows Domain Qualified Name format, hence set the NameID Policy Format field accordingly.

Setup Mappers

In the steps setting AD FS below, AD FS will be set up to send email and group information in SAML assertion. To transform these details from SAML document issued by AD FS to Keycloak user store, we’ll need to set up two corresponding mappers in the Mappers tab of Identity Provider:

Mapper named Group: managers will be of type SAML Attribute to Role, and will map attribute named http://schemas.xmlsoap.org/claims/Group, if that has attribute value managers, to role manager.

Mapper named Attribute: email will be of type Attribute Importer, and will map attribute named http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress into user attribute named email.

Obtain information for the AD FS configuration

Now we determine SAML service provider descriptor URI that will be used in AD FS setup from the Redirect URI field in the identity provider detail by adding “/descriptor” to the URI in this field. The URI will be similar to https://kc.domain.name:8443/auth/realms/master/broker/adfs-idp-alias/endpoint/descriptor. You can check whether you got the URI right by entering the URI into the browser - you should receive a SAML service provider XML descriptor.

Setup Relying Party Trust in AD FS

Setup Relying Party

In AD FS Management console, right-click Trust relationships → Relying Party Trusts and select Add Relying Party Trust from the menu:

At the beginning of the wizard, enter the SAML descriptor URL obtained in the previous step into the Federation metadata address field, and let AD FS import the settings. Proceed with the wizard, and adjust the settings where appropriate. Here we use only the default settings. Note that you will need to edit the claim rules so when asked to do so at the last page of the wizard, you can leave the checkbox checked on.

Setup Claim Mapping

Now the SAML protocol would proceed correctly, AD FS would be able to correctly authenticate the users according to requests from Keycloak, but the requested name ID format is not yet recognized and SAML response would not contain any additional information like e-mail. It is hence necessary to map claims from AD user details into SAML document.

We will set up three rules: one for mapping user ID, second for mapping standard user attributes, and third for a user group. All start by clicking the Add Rule button in the Edit Claim Rules for kc.domain.name window:

The first rule will map user ID in Windows Qualified Domain name to the SAML response. In the Add Transform Claim Rule window, select Transform an incoming claim rule type:

The example above targets windows account name ID format. Other name ID formats are supported but out of scope of this post. See e.g. this blog on how to setup name IDs for persistent and transient formats.

The second rule will map user e-mail to the SAML response. In the Add Transform Claim Rule window, select Send LDAP attributes as Claims rule type. You can add other attributes as needed:

The third rule would send a group name if the user is member of a named group. Start again in the Add Transform Claim Rule window, and select Send Group Membership as a Claim rule type. Then enter the requested values in the field:

This setup would send an attribute named Group in the SAML assertion with value managers if the authenticated user is member of the DOMAIN\Managers group.

Troubleshooting

As a first-hand tool, you should check SAML messages sent back and forth between Keycloak and AD FS in your browser. The SAML decoders are available as browser extensions (e.g. SAML Tracer for Firefox, SAML Chrome Panel for Chrome). From the captured communication, you might see error status codes as well as the actual attribute names and values in SAML assertion necessary for setting up mappers. For example, if name ID format is not recognized, AD FS would return a SAML response containing urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy status code.

As a second resort, check the logs. For AD FS, the logs are available in the Event viewer under Applications and Services Logs → AD FS → Admin. In Keycloak, you can enable tracing of the SAML processing by connecting to the running Keycloak instance via jboss-cli.sh and entering the following commands:

/subsystem=logging/logger=org.keycloak.saml:add(level=DEBUG)

/subsystem=logging/logger=org.keycloak.broker.saml:add(level=DEBUG)

Then you will be able to find the SAML messages and broker-related SAML processing messages in the Keycloak server log.

Common issues

Q: I cannot log out! When I click logout in my app, it seems I’m logged out from Keycloak but when I return to the app, AD FS login form never displays and I’m redirected back authenticated as the same user as previously!

A: Don’t panic. This is not a Keycloak issue, rather AD FS settings of authentication policy. Try disabling Windows Authentication before reporting an issue.

Q: While using AD FS in Windows 2016, the following error appeared in Keycloak log after importing the descriptor from URL: RESTEASY002010: Failed to execute: javax.ws.rs.NotFoundException: RESTEASY003210: Could not find resource for full path: https://kc.domain.name/auth/realms/master/broker/adfs-idp-alias/endpoint/descriptor/FederationMetadata/2007-06/FederationMetadata.xml. Does it cause any harm?
A: It is harmless. It seems that Windows 2016 version first checks for AD FS-like descriptor URL by adding FederationMetadata/2007-06/FederationMetadata.xml to the entered URL. Such resource does not exist in Keycloak, so it reports error. AD FS however seems to import using the entered URL when this happens. Please see also the original email discussion on this issue.

Conclusion

If you get stuck, do not hesitate to write a question to Keycloak user forum mailing list.

As there is always room for improvement, if you find any issue or have any suggestion on this text, feel free to leave a comment!

Keycloak Blog

Organization Groups: Structure Your Organizations with Hierarchical Group Management

Why Organization Groups?

Creating a Group Hierarchy

Automatic Group Assignment via Identity Providers

Groups in Tokens

OIDC

SAML

Viewing a Member’s Group Memberships

How Organization Groups Differ from Realm Groups

REST API

Getting Started

Keycloak JS 26.2.4 released

Highlights

Bug Fixes

Cordova adapter no longer triggers duplicate authentication requests

Cordova in-app browser now closes before awaiting token exchange

Upgrading

Keycloak Client Libraries 26.0.9 released

Upgrading

All resolved issues

Enhancements

Keycloak 26.6.1 released

Upgrading

All resolved issues

Security fixes

Enhancements

Bugs

SCIM Realm API as an Experimental Feature

How to try it out?

Connecting a SCIM client

Understanding SCIM Permissions

Accessing the SCIM Realm API

Mapping User Attributes to SCIM Attributes

Mapping Group Attributes to SCIM Attributes

What is being delivered?

How does it map to other features?

We want to hear from you!

Keycloak 26.6.0 released

Highlights

Security and Standards

JWT Authorization Grant (supported)

Federated client authentication (supported)

New guide about Demonstrating Proof-of-Possession (DPoP)

Identity Brokering APIs V2 (preview)

Step-up authentication for SAML (preview)

OAuth Client ID Metadata Document (experimental)

Administration

Workflows (supported)

Organization groups

New Groups scope for user membership changes

Looking up client secrets via the Vault SPI

Forcing password change for LDAP users

Configuring and Running

Java 25 support

Zero-downtime patch releases (supported)

Installation instructions for CloudNativePG

Simplified database operations

Graceful shutdown of HTTP stack

New KCRAW_ prefix for environment variables to preserve literal values

Automatic reload of lists with disallowed passwords

Automatic truststore initialization on Kubernetes and OpenShift

Client certificate lookup providers for Traefik and Envoy

Configurable Kubernetes Service name and port in the Keycloak Operator

Sensitive information is not displayed in the HTTP Access log

Configurable log file rotation

HTTP access logs in a dedicated file

Customizable service fields in JSON log output

New and updated translations

Right-to-left language support in the Account UI

Observability

Telemetry configuration via the Keycloak CR

Custom request headers for OpenTelemetry

Service Monitor annotations and labels via the Keycloak CR

Extension Development

Keycloak Test Framework (supported)

Upgrading

All resolved issues

Deprecated features

New features

New `KCRAW_` prefix for environment variables to preserve literal values