Draft: Update All Maven dependencies to v26 (major) (!19) · Merge requests · public-projects / Folio / Keycloak

Renovate Bot requested to merge renovate/major-all-maven-dependencies into main Oct 05, 2024

This MR contains the following updates:

Package	Type	Update	Change
org.keycloak:keycloak-services (source)	provided	major	`25.0.6` -> `26.2.2`
org.keycloak:keycloak-server-spi-private (source)	provided	major	`25.0.6` -> `26.2.2`
org.keycloak:keycloak-core (source)	provided	major	`25.0.6` -> `26.2.2`
org.keycloak:keycloak-server-spi (source)	provided	major	`25.0.6` -> `26.2.2`

Release Notes

keycloak/keycloak (org.keycloak:keycloak-services)

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Enhancements

#39142 Make distribution startup timeout configurable testsuite

Bugs

#39125 [Keycloak CI] - FIPS UT - Run crypto tests ci
#39349 CVE-2025-3910 Two factor authentication bypass
#39350 CVE-2025-3501 Keycloak hostname verification

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Enhancements

#38956 Clarify upgrade instructions
#39057 Change the title for Grafana dashboards guide to plural docs
#39059 Document operator `Auto` update strategy when used with `podTemplate`

Bugs

#38458 [FGAP] [UI] Permission search doesn't execute correct consequent search request admin/fine-grained-permissions
#38692 Test coverage for count menthods when filtering admin/fine-grained-permissions
#38767 Make group required when selecting a specific group creating a premission admin/ui
#38812 Test failures in CI in Chrome tests ci
#38846 StatefulSet reconciliation infinitely looping operator
#38913 [FGAP] AvailableRoleMappings do not consider all-clients permissions admin/fine-grained-permissions
#38920 Downstream docs have duplicate ID on sampling docs
#38925 Blocking issue with increasing JVM thread count after migrating from 26.0.8 to 26.1.4 infinispan
#38929 Permission details sometimes don't show the name of the client admin/fine-grained-permissions
#38930 [Docs] Broken link in ExternalLinksTest for importmap docs
#38937 Liquibase checksum mismatch when upgrading from Keycloak ≤ 22.0.4 directly to 26.2.x storage
#38982 JpaRealmProvider getGroupByName return group duplicate due to change of comparison (like vs equal) ldap
#39015 Keycloak operator with update strategy to Auto: missing imagePullSecrets operator
#39096 Release note 26.2.0 has broken link docs

Highlights

Supported Standard Token Exchange

In this release, we added support for the Standard token exchange! The token exchange feature was in preview for a long time, so we are glad to finally support the standard token exchange. For now, this is limited to exchanging the Internal token to internal token compliant with the Token exchange specification. It does not yet cover use cases related to identity brokering or subject impersonation. We hope to support even more token exchange use cases in subsequent releases.

For more details, see the Standard token exchange.

For information on how to upgrade from the legacy token exchange used in previous Keycloak versions, see the Upgrading Guide.

Fine-grained admin permissions supported

This release introduces support for a new version of fine-grained admin permissions. Version 2 (V2) provides enhanced flexibility and control over administrative access within realms. With this feature, administrators can define permissions for administering users, groups, clients, and roles without relying on broad administrative roles. V2 offers the same level of access control over realm resources as the previous version, with plans to extend its capabilities in future versions. Some key points follow:

Centralized Admin Console Management - New Permissions section was introduced to allow management from a single place without having to navigate to different places in the Admin Console.
Improved manageability - Administrators can more easily search and evaluate permissions when building a permission model for realm resources.
Resource-Specific and Global Permissions – Permissions can be defined for individual resources (such as specific users or groups), or entire resource types (such as all users or all groups).
Explicit Operation Scoping – Permissions are now independent, removing hidden dependencies between operations. Administrators must assign each scope explicitly, making it easier to see what is granted without needing prior knowledge of implicit relationships.
Per-Realm Enablement – Fine-Grained Admin Permissions can be enabled on a per-realm basis, allowing greater control over adoption and configuration.

For more details, see fine-grained admin permissions.

For more information about migration, see the Upgrading Guide.

Guides for metrics and Grafana dashboards

In addition to the list of useful metric names the Observability guides category now also contains a guide on how to display these metrics in Grafana. The guide contains two dashboards.

Keycloak troubleshooting dashboard - showing metrics related to service level indicators and troubleshooting.
Keycloak capacity planning dashboard - showing metrics related to estimating the load handled by Keycloak.

Zero-configuration secure cluster communication

For clustering multiple nodes, Keycloak uses distributed caches. Starting with this release for all TCP-based transport stacks, the communication between the nodes is encrypted with TLS and secured with automatically generated ephemeral keys and certificates.

This strengthens a secure-by-default setup and minimizes the configuration steps of new setups.

For more information, check the Securing Transport Stacks in the distributed caches guide.

Rolling updates for optimized and customized images

When using an optimized or customized image, the Keycloak Operator can now perform a rolling update for a new image if the old and the new image contain the same version of Keycloak. This is helpful when you want to roll out, for example, an updated theme or provider without downtime.

To use the functionality in the Operator, enable the Auto update strategy and the Keycloak Operator will on image change briefly start up the old and the new image to determine if a rolling update without downtime is possible. Read the section Managing Rolling Updates in the Keycloak Operator Advanced Configuration guide for more details on this functionality.

The checks to determine if a rolling update is possible are also available on the Keycloak command line so you can use them in your deployment pipeline. Continue reading in the Update Compatibility Tool guide for more information about the functionality available on the command line.

Additional query parameters in Admin Events API

The Admin Events API now supports filtering for events based on Epoc timestamps in addition to the previous yyyy-MM-dd format. This provides more fine-grained control of the window of events to retrieve.

A direction query parameter was also added, allowing controlling the order of returned items as asc or desc. In the past the events where always returned in desc order (most recent events first).

Finally, the returned event representations now also include the id, which provides a unique identifier for an event.

Logs support ECS format

All available log handlers now support ECS (Elastic Common Schema) JSON format. It helps to improve Keycloak8217;s observability story and centralized logging.

For more details, see the Logging guide.

New cache for CRLs loaded for the X.509 authenticator

Now the Certificate Revocation Lists (CRL), that are used to validate certificates in the X.509 authenticator, are cached inside a new infinispan cache called crl. Caching improves the validation performance and decreases the memory consumption because just one CRL is maintained per source.

Check the crl-storage section in the All provider configuration guide to know the options for the new cache provider.

Operator creates NetworkPolicies to restrict traffic

The Keycloak Operator now creates by default a NetworkPolicy to restrict traffic to internal ports used for Keycloak8217;s distributed caches.

This strengthens a secure-by-default setup and minimizes the configuration steps of new setups.

You can restrict the access to the management and HTTP endpoints further using the Kubernetes NetworkPolicies rule syntax.

Read more about this in the Operator Advanced configuration.

Option to reload trust and key material for the management interface

The https-management-certificates-reload-period option can be set to define the reloading period of key store, trust store, and certificate files referenced by https-management-* options for the management interface. Use -1 to disable reloading. Defaults to https-certificates-reload-period, which defaults to 1h (one hour).

For more information, check the Configuring the Management Interface guide.

Dynamic Authentication Flow selection using Client Policies

Introduced the ability to dynamically select authentication flows based on conditions such as requested scopes, ACR (Authentication Context Class Reference) and others. This can be achieved using Client Policies by combining the new AuthenticationFlowSelectorExecutor with conditions like the new ACRCondition. For more details, see the Server Administration Guide.

JWT Client authentication aligned with the latest OIDC specification

The latest version of the OpenID Connect Core Specification tightened the rules for audience validation in JWT client assertions for the Client Authentication methods private_key_jwt and client_secret_jwt . Keycloak now enforces by default that there is single audience in the JWT token used for client authentication.

For information on the changed audience validation in JWT Client authentication Keycloak versions, see the Upgrading Guide.

Many thanks to Thomas Darimont for the contribution.

Federated credentials are available now when fetching user credentials

Until now, querying user credentials using the User API will not return credentials managed by user storage providers and, as a consequence, prevent fetching additional metadata associated with federated credentials like the last time a credential was updated.

In this release, we are adding a new method getCredentials(RealmModel, UserModel) to the org.keycloak.credential.CredentialInputUpdater interface so that user storage providers can return the credentials they manage for a specific user in a realm. By doing this, user storage providers can indicate whether the credential is linked to it as well as provide additional metadata so that additional information can be shown when managing users through the administration console.

For LDAP, it should be possible now to see the last time the password was updated based on the standard pwdChangedTime attribute or, if using Microsoft AD, based on the pwdLastSet attribute.

In order to check if a credential is local - managed by Keycloak - or federated, you can check the federationLink property available from both CredentialRepresentation and CredentialModel types. If set, the federationLink property holds the UUID of the component model associated with a given user storage provider.

Token based authentication for SMTP (XOAUTH2)

The Keycloak outgoing SMTP mail configuration now supports token authentication (XOAUTH2). Many service providers (Microsoft, Google) are moving towards SMTP OAuth authentication and end the support for basic authentication. The token is gathered using Client Credentials Grant.

Many thanks to Sebastian Rose for the contribution.

New client configuration for access token header type

A new admin setting has been added: Clients 8594; Advanced 8594; Fine grain OpenID Connect configuration 8594; Use "at+jwt" as access token header type

If enabled, access tokens will get header type at+jwt in compliance with rfc9068#section-2.1. Otherwise, the access token header type will be JWT.

This setting is turned off by default.

Many thanks to Laurids Møller Jepsen for the contribution.

OpenID for Verifiable Credential Issuance documentation

The OpenID for Verifiable Credential Issuance (OID4VCI) remains an experimental feature in Keycloak, but it received further improvements and especially the The documentation, with the steps how to try this feature.

You will find significant development and discussions in the Keycloak OAuth SIG. Anyone from the Keycloak community is welcome to join and provide the feedback.

Many thanks to all members of the OAuth SIG group for the participation in the development and discussions about this feature. Especially thanks to Awambeng Rodrick and Ingrid Kamga.

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

New features

#10438 Release process for OperatorHub operator
#17171 Traefik SPI Provider
#35507 Token exchange - permissions token-exchange
#36306 New CLI command: update-compatibility
#36520 New operator spec: upgrade strategy
#36696 Support token type "at+jwt" for OAuth 2 access tokens oidc
#36750 Create CA certificate for JGroups encryption
#38523 Expose OTP Policy in FreeMarker Context for Login Themes login/ui

Enhancements

#17432 Add support for SMTP OAuth 2.0 authentication for outgoing email core
#19127 Improve docs about audience docs
#19148 Token Exchange in "Securing Applications and Services" should mention admin_fine_grained_authz token-exchange
#21728 Removal of X-XSS-Protection header core
#23144 Review and document how refresh tokens are issued when executing token exchanges token-exchange
#24297 Add authentication flow mapping to existing ACR implementation authentication
#25154 `VERIFY_EMAIL` is not supported as an Application Initiated Action
#26473 The way CRLs are currently loaded is slow and uses large amounts of memory authentication
#27734 Use separate OLM channels for each major Keycloak release operator
#28569 Ability to set DN for new users/groups seperate to DN used for search
#30226 Admin-UI: disable Direct Access Grant by default when creating a new client
#31797 Improved consent handling in token exchange (OIDC to OIDC Client) token-exchange
#33357 Create some mechanism to catch duplicate keys in .properties file translations
#33804 Support multiple mail domains for linked IDPs per organization organizations
#33833 Replace `RTL_LANGUAGE_CODE` with Intl request
#33946 Keycloak Admin Client: Close Session when Client is Closed
#34132 Signed SAML metadata saml
#34202 Improve useability of authentication flow UI admin/ui
#34275 Organizations: Allow Organization Selection organizations
#34343 CreatedResponseUtil.getCreatedId should expose the actual error message from the server admin/client-java
#34720 Include broker session ID in IDENTITY_PROVIDER_LOGIN events
#34764 Do not remove users in LDAP when queries return an empty result ldap
#34922 IPv6 support: OLM tests not passing operator
#34971 Extend InfiniSpan ProtoSchema with custom types
#34989 Not email password policy provider: case insensitive comparison
#35505 Support for multiple values of audience token-exchange
#35861 Make client cert lookup honor the `proxy-trusted-addresses` option dist/quarkus
#35901 Document how Keycloak is upgraded when Operator is upgraded via OLM docs
#35995 Review usages of `ref` in `Inject` annotations as they not always translate to the identifier of the object being injected test-framework
#36036 Make Network policy supported
#36126 Add OpenSSF Scorecard badge to README
#36262 Introduce guide for metrics provided by Keycloak docs
#36266 Make user events feature supported
#36440 Remove Node.js adapter documentation from main repo docs
#36456 Clarify IPv6 JGroups requirements in Keycloak documenation
#36501 Upgrade to Quarkus 3.17.x dist/quarkus
#36557 Polishing of CreatedResponseUtil.getCreatedId admin/client-java
#36600 Extend REST API for login and admin events to support sync scenarios
#36671 Translation guide should show a more detailed translation status translations
#36691 Upstream KC main docs to ROSA 4.17 in the sizing guide docs
#36748 Operator: automatic upgrade strategy
#36775 Add option to enable debugging for distribution server mode test-framework
#36786 SPI for compatibility metadata
#36794 Upgrade to Quarkus 3.20 LTS
#36798 Add detail on dependencyManagement section for POM files
#36840 Update Compatibility CLI: add feature flag
#36854 Enable QUARKUS_LOG_JSON_LOG_FORMAT = ecs when logging in Keycloak dist/quarkus
#36885 Improve UX of realm selector
#36904 Add APIResponse annotations to User resources
#36905 Add APIResponse annotations to Role resources
#36906 Add APIResponse annotations to Client Scope resources
#36907 Add APIResponse annotations to Realm resources
#36908 Add APIResponse annotations to Organization resources
#36941 Organization membership for federated users organizations
#36996 Updated translation for "noAccount" in messages_ko.properties
#37005 Login[v2]: Worsen appearance of list of Identity Providers login/ui
#37011 Missing language: Slovenian translations
#37014 Improve readability of relevant options in guides docs
#37034 Remove redundant information from cache entries
#37056 Upgrade to Quarkus 3.18.2 dist/quarkus
#37062 Slow query when checking if a realm has brokers and brokering is enabled identity-brokering
#37079 Improve docs about JPA provider configuration for DB migration strategy core
#37083 Update screens for new realm selector
#37087 Test logs for Quarkus IT are huge and cannot be viewed testsuite
#37089 Stabilize `QuarkusPropertiesDistTest` for Windows in Quarkus IT testsuite
#37093 Avoid sending JSON for user and client sessions to the database
#37129 Create new guide for Keycloak Grafana dashboards
#37145 Simplify translations by removing leading blanks in strings translations
#37220 Operator: new CR status condition for upgrades
#37225 Refactor OAuthClient used for testing test-framework
#37306 Add full Keycloak CR HPA example to docs
#37316 JGroups certificate rotation
#37389 Make event metrics supported
#37416 Operator: Implement an explicit update stategy
#37428 Add a HTML sanitizer for translated message resources translations
#37433 Allow admin to disable automatic refresh of event views admin/ui
#37436 Quarkus 3.19.x upgrade
#37458 Prevent proxy-protocol-enabled=true from being used proxy-headers set
#37535 Add CLOMonitor Badge to the README
#37582 Check surplus blanks in source strings translations
#37584 Support RTL in HTML generated for emails translations
#37624 Suppress info message about mapper config synchronizer core
#37645 Changes needed for new realm selector admin/ui
#37696 Document default key length (2048 bits) and key type (RSA) and make JGroups encryption enabled by default
#37711 Upgrade to Infinispan 15.0.14
#37850 Upgrade to Quarkus 3.19.2 dist/quarkus
#37998 Improve Documentation for Email Event Listner
#38107 Upgrade to Quarkus 3.20.0.CR1
#38168 Make make the rolling updates feature supported versioned and supported
#38212 Improve message when evaluating permission results admin/fine-grained-permissions
#38263 Login[v2]: Use SVG Keycloak logo
#38273 Support partial evaluation for the group resource type admin/fine-grained-permissions
#38355 Add Italian and Romanian language to translations.md
#38366 Polish the events thrown by client policies oidc
#38398 Update javadoc of java admin-client for Keycloak 26.2 admin/client-java
#38415 Login[v2]: WebAuthn/Passkeys screens are not polished
#38426 New realm creation should validate the name uniqueness before hitting the DB
#38445 Not possible to delegate creating or deleting RecoveryKeys credential to userStorage authentication
#38459 Docker image creation simplification
#38490 Support decoding EC private keys and PEM bundles in PEM/DER utilities
#38540 Validate placeholder usage in frontend and backend messages
#38568 Clear persistent user sessions cache on Keycloak cluster merge
#38583 Rework titles in the observability guide
#38596 Prevent NPE in `CryptoIntegration.setProvider(null)`
#38644 Do not allow delete the FGAP client admin/fine-grained-permissions
#38688 Adding a guide on how to use and enable exemplars
#38732 Improvements to partial evaluation admin/fine-grained-permissions
#38764 OTel: Unable to disable sampling at runtime; tracing-sampler-ratio validation prevents setting 0.0 dist/quarkus
#38792 Add Janher to Dutch translation
#38798 Update FGAP documentation admin/fine-grained-permissions
#38819 Make sure that there is single audience allowed by default in JWT tokens sent to client authentication oidc
#38837 Cache resource names associated to policies to improve partial evaluation admin/fine-grained-permissions

Bugs

#26104 Improper Input Validation for Recovery Codes Setup authentication
#26105 Users Can Change Recovery Codes Generation Timestamp authentication
#26106 Recovery Code Validation Race Possible authentication
#29585 Passkeys conditional UI authenticator: NullPointerException when filling some random username authentication/webauthn
#29586 Passkeys conditional UI authenticator: NullPointerException when authenticated as removed user authentication/webauthn
#32262 SAML Frontchannel Logout missing via Redirect or Post Binding is missing signature if login happened via artifact binding saml
#32535 Invalid migration export for empty database core
#32766 Translation error in messages_fr.properties translations
#32921 Update realm erases browser security header fields admin/api
#33332 External token (not issued by Keycloak) cannot be validated in token exchange flow in case user info check is disabled token-exchange
#33432 UI Build complains about Typescript issue (TS2742) admin/ui
#33475 quarkus-next: SunCertPathBuilderException: unable to find valid certification path to requested target ci
#33477 LDAP groups not showing members in Groups when using memberOf attribute ldap
#33524 Social login - several tests failing constantly ci
#33743 Linked accounts displayed when there are no providers available account/ui
#34364 User import gets exponentially slow import-export
#34396 com.google.code.findbugs:jsr305 is old and no longer under active maintenance dependencies
#34454 quarkus-next: StackOverflowError causes build failure dist/quarkus
#34512 Keycloak OpenAPI specification doesn't match actual API implementation admin/api
#34868 [Jenkins Operator CI] - Test remote - ClusteringTest on OpenShift ci
#35020 Pasword creation date from active directory is wrong ldap
#35261 liveness probe /health/live not UP while DB migrations initialization core
#35580 AvailableRoleMappingResource.listAvailableUserRoleMappings returns the wrong roles when using fine grained permissions admin/fine-grained-permissions
#35700 Very uncommon new german Weblate translation 'Berechtigungsnachweis' for login data /account credential translations
#35833 Install on oracle database with custom schema fails on clean install storage
#36103 Translation resolution bug in keycloak-admin-ui admin/ui
#36159 Realm not found while exists and works if entered directly in the URL admin/ui
#36195 CVE-2024-12397 - HTTP Request Smuggling in io.quarkus.http:quarkus-http-core dist/quarkus
#36284 Fail to import realm during the startup with specific name file import-export
#36285 Permission editor shows resource IDs instead of names admin/ui
#36338 Scrollbar missing so I can't scroll to the last menu item on the left admin/ui
#36345 [Keycloak CI] - Cookies tests - KcOidcBrokerTokenExchangeTest ci
#36383 Operator tests failing on IPV6 environment operator
#36405 Redirect after linking account account/ui
#36409 Verify email required action shows presents message that email was sent even on errors core
#36413 Empty state in new events tabs admin/ui
#36447 ClientProtocolCondition.getProviderId() typo authentication
#36460 Deployment artifacts for Quarkus extensions are not in deployment dir dist/quarkus
#36464 Remove a duplicate code block
#36475 DPoP: Refresh token created with DPoP can be refreshed without proof oidc
#36476 DPoP: User Info Endpoint authorization type mismatch oidc
#36478 Spelling and grammar mistakes in admin UI messages admin/ui
#36482 The root cause of error is suppressed in KC 26 at building dependencies
#36483 Wrong link for tracing in 26.1.0 release notes docs
#36486 ExternalLinksTest is broken after Keycloak 26.1.0 release docs
#36498 Duplicated code due to typo in DefaultHttpClientFactory core
#36514 The organization claim does not appear if the Organization Membership Mapper is added through a custom client scope organizations
#36517 Custom ClientAuthenticatorFactory with ProviderConfigProperty broken admin/ui
#36518 Duplicate groups needs fine grained authorisation admin/ui
#36527 Viewing user events requires `view-realm`-role admin/ui
#36531 WebAuthN and dark mode: device icons are hardly readable login/ui
#36535 Duplicate message keys for FA email template translations
#36541 Unable to build from source using instructions core
#36559 keycloak.v2 forms are too small for mobile view login/ui
#36560 Policy enforcer do not handle suppressed server resources authorization-services
#36569 Organization invite link leads to non-defined page, when clicked second time organizations
#36585 Keycloak user attribute key broken in Keycloak 26.1.0 admin/ui
#36596 Client session list doesn't show all sessions (again..) admin/ui
#36598 Duplicated warning banner for temporary admin admin/ui
#36611 TimeOffsetSupplier for new test framework doesn't reset time offset test-framework
#36615 Unable to regenerate secret after changing client authenticator admin/ui
#36621 Multi-valued control in user attributes doesn't sort entries and doesn't support autocomplete admin/ui
#36629 All IDPs shown when reloading login page login/ui
#36633 JGroups warning on startup infinispan
#36649 When organizations feature is turned on, login_hint doesn't prefill identity-first login's page email field organizations
#36669 --spi-connections-liquibase-default-index-creation-threshold does not work core
#36675 Links error for https://jwt.io in documentation docs
#36679 FIPS docs is incorrect docs
#36697 kc.bat script doesn't allow multiple log level entries dist/quarkus
#36703 When linking IDP to an organization hide on login sets as off admin/ui
#36708 After importing SAML client certificate the client is broken and can't be saved admin/ui
#36709 SAML2 Client Signing Keys Config does not accept PEM import admin/ui
#36725 IPA-Tuura federation README needs a few fixes core
#36728 Logging errors on DB transaction retries core
#36732 External (IDP) token-exchange is possible even for clients needing user consents token-exchange
#36745 Conflict when Keycloak uses an OpenShift cluster ingress certificate operator
#36752 Addition of crl cache is a breaking change infinispan
#36781 Flaky test: org.keycloak.testsuite.webauthn.account.WebAuthnTransportLocaleTest#localizationTransportInternal ci
#36782 Flaky test: org.keycloak.testsuite.webauthn.account.WebAuthnSigningInTest#multipleSecurityKeys ci
#36789 Seaching users in the user selector will not show the username for users already selected admin/ui
#36811 OAuth 2.0 Device Authorization Grant Issues: Token Issued After Authorization Denial and Browser Back oidc
#36826 NullPointerException when registering a oid4vc CredentialBuilder provider component oid4vc
#36834 Documentation about ImportSynchronization mentions wrong interface UserStorageProvider storage
#36837 Remove resources from permissions when updating the associated resources admin/fine-grained-permissions
#36838 Update FGAP v2 to not grant permissions of all users when permission is granted only for a single user admin/fine-grained-permissions
#36842 Comboxes do not display selected option after reset admin/ui
#36843 Login with x-forwarded-for: IP address in user login event is null admin/cli
#36844 Provide an option to force login after reset credentials authentication
#36858 JDBC Ping with Docker infinispan
#36861 AuthenticationFlowContext.getRefreshUrl(true) - adds auth_session_id query param in an old non-supported format core
#36865 Error pulling from docker.io in DockerClientTest ci
#36872 Duplicate admin UI message keys admin/ui
#36874 Unrecognized configuration key "quarkus.smallrye-health.extensions.enabled" was provided dist/quarkus
#36887 Outdated documentation about how to use reCAPTCHA in development with localhost docs
#36902 Flaky test: org.keycloak.testsuite.webauthn.account.WebAuthnErrorTest#errorPageWithTimeout ci
#36916 [FGAP] User can see itself even though he has negative permission to view itself
#36919 Latency issue after Keycloak version upgrade core
#36926 Invoking dynamic client registration with lightweight access token results in a 404 oidc
#36927 MeterFilter is configured after a Meter has been registered dist/quarkus
#36945 Bad escape apostrophe character in messages_fr.properties login/ui
#36965 CVE-2025-0736 Error during JGroups channel creation may reveal secure information
#36985 Admin console: unable to edit user profile attribute either on the form or the JSON editor. admin/ui
#36988 Typos in English email message templates translations
#36998 UI tests failing admin/ui
#37002 RawKeycloakDistribution creates empty directory when copying provider testsuite
#37039 Certificate reloading dosen't work for management interface related certificate dist/quarkus
#37066 Error on import of a public key (pem) authentication
#37072 AccountRestService.supportedLocales is missing @Produces account/api
#37073 Account console not working on embedded Keycloak server account/ui
#37081 Review how all resource type permissions are evaluated admin/fine-grained-permissions
#37127 Organization invitation flow -> changing locale / language does not work organizations
#37128 Customized quarkus.properties for MySQL cause "Unable to find the JDBC driver (org.h2.Driver)"，The server fails to start. storage
#37136 Password Setting modal box title is "Reset Password..." admin/ui
#37162 Pods become unresponsive after upgrade to 26.1.0 infinispan
#37169 Wrong organization claim assignment in JWT access token organizations
#37207 Change default value for force-login option in reset-credential-email authentication
#37229 Login form can be used to determine which email addresses / usernames are in the system login/ui
#37268 Problems changing pre-defined user profile attributes admin/ui
#37285 Upgrade to latest JGroups patch version
#37298 Main is broken because of the OAuthClient changes testsuite
#37320 Cannot fetch realm role that was renamed admin/api
#37337 Make sure resources are properly managed when updating permissions admin/fine-grained-permissions
#37360 CVE-2024-47072 - XStream is vulnerable to a Denial of Service attack due to stack overflow from a manipulated binary input stream
#37392 [Jenkins Operator CI] - UpgradeTest#testImageChange ci
#37393 Organizations: Adding LDAP federated user to org leads to org group being pushed to LDAP core
#37415 Typo in English text for admin UI key resourceAttributeHelp translations
#37431 Password policies like NoUsername consider case-sensitivity authentication
#37434 External Link Test failing docs
#37449 'Registration Flow' forms on organization invites should have the 'token' query parameter added to forms 'url.loginAction' organizations
#37508 Allow refresh of session list in admin ui even if list is corrently empty admin/ui
#37530 Missing translation for INVITE_ORG event in admin console admin/ui
#37544 INVALID_REQUEST error code returned but not INVALID_SCOPE authentication
#37546 new warnings with simple start-dev dist/quarkus
#37552 The token exchange grant type not available in well-known endpoint when token-exchange-standard feature enabled oidc
#37560 Flaky test OrganizationInvitationLinkTest testsuite
#37570 Requested locale applied on first login page but not on following pages admin/ui
#37571 Flaky test: org.keycloak.testsuite.actions.RequiredActionPriorityTest#executeRequiredActionWithCustomPriorityAppliesSamePriorityToSessionAndUserActions ci
#37577 Property Name Casing Mismatch in ProtocolMapperUtils saml
#37621 When calling the token revoke endpoint multiple times with the same token, a database REVOKED-TOKEN constraint error is reported storage
#37656 [Keycloak Integration CI] - Extension - Start keycloak failed ci
#37673 `ClientPolicyProvider` doesn't check for deleted Clients - throws NPE authorization-services
#37675 Keycloak Fails to Load HTTPS Key Material (Incorrect Path Resolution) dist/quarkus
#37690 [Operator] Test UpgradeTest is unstable ci
#37694 Session type incorrectly set in access-token context when token created with scope=offline_access oidc
#37710 Code editor is not displaying when viewing a policy from Clients → Authorization → Policies admin/ui
#37715 Quick Theme needs icon support admin/ui
#37744 Group search of nested groups does not work as expected core
#37749 "remember me" session are reset as standard session after browser restart authentication
#37766 API docs don't build after adding new ISPN compile time annotations ci
#37772 Configuring log levels for package names with underscores dist/quarkus
#37780 keycloak.conf allows for some quarkus. properties dist/quarkus
#37781 Config expression may use the wrong value dist/quarkus
#37792 Save Button Not Enabled When Switching OTP Type from "Time Based" to "Counter Based" admin/ui
#37802 Add User to Organisation documentation wrong admin/api
#37816 Compilation failure: KeycloakModelSchema cannot find symbol KeycloakModelSchemaImpl infinispan
#37817 internal options are settable in non-cli config sources dist/quarkus
#37824 Organization - Identity-First Flow automatic redirect only works with domain in login name organizations
#37834 URI template for paths shouldn't allow nested braces core
#37839 OIDC Backchannel Logout does not honour pairwise subject identifier oidc
#37842 webauthn-authenticate.ftl broken login/ui
#37843 Admin events: resource type filter does not work admin/ui
#37869 ConditionalOtpFormAuthenticator fails to set CONFIGURE_TOTP required action for LDAP read-only users
#37890 Add search filter to Organizations page admin/ui
#37898 [Keycloak CI] - SSSD tests ci
#37911 Unwanted placeholder texts in user profile fields admin/ui
#37920 When testing/evaluating permissions UMA resources are not resolved properly authorization-services
#37922 KeycloakModelUtils.findUserByNameOrEmail() returns null for email as "username" (realm setting: login with email disabled) core
#37928 Custom Authenticator SPI MAP_TYPE default value ignored in Admin UI admin/ui
#37930 Inconsistent use of single quotes in message resources translations
#37941 Repeated info logs running an import infinispan
#37944 KC_HTTPS_TRUST_STORE_TYPE not working dist/quarkus
#37988 For external-to-internal token exchange when using the userinfo endpoint, information from access or ID token can't be extracted token-exchange
#37992 Id of user federations not respecting UUID format, consequently warning logs "The given key is not a valid key per specification, future migration might fail" are raised core
#38006 Polynomial regex in KeycloakUriBuilder core
#38020 [FGAP] [UI] Remove the requirement for mandatory fields in admin console when creating policies
#38029 User created with undefined locale except when they explicitely select their language login/ui
#38030 Need a better 403 page for admin console admin/ui
#38038 The default setting of the client request object parameter is empty admin/ui
#38041 [Keycloak CI] - WebAuthn tests ci
#38061 Selecting an indvidual Client Policy selects all client policies admin/ui
#38063 Issue in clearing offline sessions internally using ClearExpiredUserSessions Scheduled task
#38065 Login with admin-cli not possible with password starting with "@@" admin/cli
#38078 Custom UI Tab Incorrectly Displayed Under Multiple Tabs admin/ui
#38112 Worse UX with new realm selector admin/ui
#38117 Login[v2]: Worsen UI design for login screens core
#38119 Login[v2]: Keycloak logo is not fully visible core
#38120 Login[v2]: Missing info section for screens core
#38121 Login[v2]: Worsen login screen layout core
#38127 Profile Custom Attribute Group: Click on attribute group changes URL, breaking the navigation in AdminUI admin/ui
#38137 Cannot authenticate to "admin-cli" client due to Java null pointer exception admin/cli
#38141 Account UI doesn't show max length validation for user profile account/ui
#38143 Message format must not be used for UI messages account/ui
#38152 Broken guides link on reverseproxy page docs
#38162 Missing Space in Role Attribute View After Refresh admin/ui
#38180 Unstable test TimeOffsetTest testsuite
#38190 [Documentation CI] - External links check docs
#38193 Managed resource not injected if a dependency is incompatible testsuite
#38195 Injected HttpClient is always re-created testsuite
#38208 Attribute added to managed test client with rollback is not removed testsuite
#38240 [FGAP] [UI] Searching for permissions doesn't clear `Resource` field upon changing `Resource type` admin/fine-grained-permissions
#38243 Updating a client with rollback in a test doesn't reset all values testsuite
#38247 Keycloak rotate certificate without delay when rotation time is less then 100s infinispan
#38249 Unable to activate user-event-metrics with optimized container image using the operator dist/quarkus
#38250 Unexpected transformation of user labels in the Account UI account/ui
#38253 ERROR Hostname v1 options [hostname-strict-https] are still in use on startup dist/quarkus
#38257 Can not set user email to blank organizations
#38260 File upload in realm settings is not working admin/ui
#38269 Fine-Grain Admin Permissions: Difference in Policy Evaluation in v1 vs v2 admin/fine-grained-permissions
#38281 [Keycloak CI] - AuroraDB IT - Error deleting AuroraDB ci
#38282 [Keycloak JavaScript CI] - Admin UI E2E (chrome) - Upload Playwright report error ci
#38284 `PartialEvaluator` ignores `view-*` and `manage-*` roles admin/fine-grained-permissions
#38298 Fix leaking 5s rotation period to other tests
#38304 Filtering not working when using view-member permission with a permission that denies access to a resource admin/fine-grained-permissions
#38319 Authorization Settings (ResourceServerRepresentation) Import doesn't reflected into all keycloak functionalities without server restart authorization-services
#38320 Locale RTL does not work properly login/ui
#38323 Regression in the "client selector" UI component admin/ui
#38331 Not Recently Used (In Days) "user" is null on registration core
#38333 When calling the user info endpoint, the DPoP is not bound to the access token core
#38353 Keycloak email message ID contains the local host name or IP address core
#38369 [FGAP] User not visible when permission with different scope exists admin/fine-grained-permissions
#38381 Recovery Codes messages in account console are not displayed / API change account/ui
#38394 JWKSUtils.computeThumbprint(..) broken for ECPublicKeys oidc
#38417 Cookie “KC_AUTH_SESSION_HASH” has been rejected because it is in a cross-site context and its “SameSite” is “Lax” or “Strict” authentication
#38454 Keycloak account console is missing the Keycloak logo account/ui
#38463 Frontend endpoint redirects to admin endpoint core
#38467 PersistenceExceptionConverter#convert NPE if SQLState is null storage
#38500 Impossible to update client settings after previously updated client in tab "Advanced" admin/ui
#38501 Disabled switch for "Allow refresh token for token exchange" after client is created admin/ui
#38517 [Keycloak CI] - Quarkus IT - ProxyHostnameV2DistTest.testForwardedProxyHeaders ci
#38550 Cluster is not correctly formed with JDBC_PING2 infinispan
#38572 Missing explicit target for cross-reference 2FA in server admin guide docs
#38576 Define a max expiration window for Signed JWT client authentication oidc
#38591 Persistent User Sessions doesn't track staleness of client sessions core
#38607 Recaptcha secret key configuration lost when migrating from 24.0.5 to 26.1.4 authentication
#38617 Set the correct revision number in stateful set operator
#38648 Can not delete users using the administration consle admin/ui
#38677 [FGAP] Documentation contains redundant sentense admin/fine-grained-permissions
#38695 Export failing if the realm has FGAP enabled admin/fine-grained-permissions
#38712 Can not add or remove groups when updating a group resource type permission admin/fine-grained-permissions
#38721 Obsolete pinned guides and wrong ordering in downstream docs
#38740 OTelHttpClientFactory not configured properly when tracing enabled dist/quarkus
#38760 POST /admin/realms/{realm}/organizations/{id}/members in Keycloak API not working with some REST clients admin/api
#38765 Client 'admin-permissions' doesn't have protocol set. admin/fine-grained-permissions

`v26.1.5`

Compare Source

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Enhancements

#38409 Upgrade to Quarkus 3.15.4 dist/quarkus
#38764 OTel: Unable to disable sampling at runtime; tracing-sampler-ratio validation prevents setting 0.0 dist/quarkus

Bugs

#36482 The root cause of error is suppressed in KC 26 at building dependencies
#37792 Save Button Not Enabled When Switching OTP Type from "Time Based" to "Counter Based" admin/ui
#37869 ConditionalOtpFormAuthenticator fails to set CONFIGURE_TOTP required action for LDAP read-only users
#38041 [Keycloak CI] - WebAuthn tests ci
#38063 Issue in clearing offline sessions internally using ClearExpiredUserSessions Scheduled task
#38152 Broken guides link on reverseproxy page docs
#38353 Keycloak email message ID contains the local host name or IP address core
#38454 Keycloak account console is missing the Keycloak logo account/ui
#38576 Define a max expiration window for Signed JWT client authentication oidc
#38607 Recaptcha secret key configuration lost when migrating from 24.0.5 to 26.1.4 authentication
#38740 OTelHttpClientFactory not configured properly when tracing enabled dist/quarkus

`v26.1.4`

Compare Source

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Enhancements

#37433 Allow admin to disable automatic refresh of event views admin/ui
#37711 Upgrade to Infinispan 15.0.14

Bugs

#37320 Cannot fetch realm role that was renamed admin/api
#37621 When calling the token revoke endpoint multiple times with the same token, a database REVOKED-TOKEN constraint error is reported storage
#37843 Admin events: resource type filter does not work admin/ui
#37911 Unwanted placeholder texts in user profile fields admin/ui
#37944 KC_HTTPS_TRUST_STORE_TYPE not working dist/quarkus
#38038 The default setting of the client request object parameter is empty admin/ui

`v26.1.3`

Compare Source

Highlights

Send Reset Email force login again for federated users after reset credentials

In version 26.1.1 a new configuration option was added to the reset-credential-email (Send Reset Email) authenticator to allow changing the default behavior after the reset credentials flow. Now the option force-login (Force login after reset) is adding a third configuration value only-federated, which means that the force login is true for federated users and false for the internal database users. The new behavior is now the default. This way all users managed by user federation providers, whose implementation can be not so tightly integrated with Keycloak, are forced to login again after the reset credentials flow to avoid any issue. This change in behavior is due to the secure by default policy.

For more information, see Enable forgot password.

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Bugs

#32535 Invalid migration export for empty database core
#36405 Redirect after linking account account/ui
#36527 Viewing user events requires `view-realm`-role admin/ui
#36585 Keycloak user attribute key broken in Keycloak 26.1.0 admin/ui
#36703 When linking IDP to an organization hide on login sets as off admin/ui
#36709 SAML2 Client Signing Keys Config does not accept PEM import admin/ui
#36842 Comboxes do not display selected option after reset admin/ui
#36927 MeterFilter is configured after a Meter has been registered dist/quarkus
#36965 CVE-2025-0736 Error during JGroups channel creation may reveal secure information
#36985 Admin console: unable to edit user profile attribute either on the form or the JSON editor. admin/ui
#37029 CI fails with "Problem creating zip: Execution exception: Java heap space" ci
#37066 Error on import of a public key (pem) authentication
#37128 Customized quarkus.properties for MySQL cause "Unable to find the JDBC driver (org.h2.Driver)"，The server fails to start. storage
#37169 Wrong organization claim assignment in JWT access token organizations
#37207 Change default value for force-login option in reset-credential-email authentication
#37229 Login form can be used to determine which email addresses / usernames are in the system login/ui
#37268 Problems changing pre-defined user profile attributes admin/ui
#37285 Upgrade to latest JGroups patch version
#37360 CVE-2024-47072 - XStream is vulnerable to a Denial of Service attack due to stack overflow from a manipulated binary input stream
#37431 Password policies like NoUsername consider case-sensitivity authentication
#37434 External Link Test failing docs
#37577 Property Name Casing Mismatch in ProtocolMapperUtils saml

`v26.1.2`

Compare Source

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Deprecated features

#525 Drop support for end-of-life versions of Node.js

Enhancements

#573 Convert tests to standard modules to upgrade dependencies
#576 Upgrade `@keycloak/keycloak-admin-client` to latest version dependencies

Bugs

#567 Connections with an error code are not terminated
#571 CI status badge in README is incorrect
#36858 JDBC Ping with Docker infinispan
#36919 Latency issue after Keycloak version upgrade core
#36926 Invoking dynamic client registration with lightweight access token results in a 404 oidc
#37162 Pods become unresponsive after upgrade to 26.1.0 infinispan

`v26.1.1`

Compare Source

Highlights

New option in X.509 authenticator to abort authentication if CRL is outdated

The X.509 authenticator has a new option x509-cert-auth-crl-abort-if-non-updated (CRL abort if non updated in the Admin Console) to abort the login if a CRL is configured to validate the certificate and the CRL is not updated in the time specified in the next update field. The new option defaults to true in the Admin Console. For more details about the CRL next update field, see RFC5280, Section-5.1.2.5.

The value false is maintained for compatibility with the previous behavior. Note that existing configurations will not have the new option and will act as if this option was set to false, but the Admin Console will add the default value true on edit.

New option in Send Reset Email to force a login after reset credentials

The reset-credential-email (Send Reset Email) is the authenticator used in the reset credentials flow (forgot password feature) for sending the email to the user with the reset credentials token link. This authenticator now has a new option force-login (Force login after reset). When this option is set to true, the authenticator terminates the session and forces a new login.

For more details about this new option, see Enable forgot password.

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Enhancements

#552 Clean up old release code from Node.js adapter repo
#34275 Organizations: Allow Organization Selection organizations
#34343 CreatedResponseUtil.getCreatedId should expose the actual error message from the server admin/client-java
#36440 Remove Node.js adapter documentation from main repo docs
#36456 Clarify IPv6 JGroups requirements in Keycloak documenation
#36798 Add detail on dependencyManagement section for POM files

Bugs

#558 The draft nightly untagged release is created by "Release nightly" GH action
#562 Incorrectly resolved {project_versionNpm} expression in the documentation
#32766 Translation error in messages_fr.properties translations
#33477 LDAP groups not showing members in Groups when using memberOf attribute ldap
#36159 Realm not found while exists and works if entered directly in the URL admin/ui
#36460 Deployment artifacts for Quarkus extensions are not in deployment dir dist/quarkus
#36483 Wrong link for tracing in 26.1.0 release notes docs
#36514 The organization claim does not appear if the Organization Membership Mapper is added through a custom client scope organizations
#36531 WebAuthN and dark mode: device icons are hardly readable login/ui
#36559 keycloak.v2 forms are too small for mobile view login/ui
#36629 All IDPs shown when reloading login page login/ui
#36649 When organizations feature is turned on, login_hint doesn't prefill identity-first login's page email field organizations
#36669 --spi-connections-liquibase-default-index-creation-threshold does not work core
#36675 Links error for https://jwt.io in documentation docs
#36728 Logging errors on DB transaction retries core
#36745 Conflict when Keycloak uses an OpenShift cluster ingress certificate operator
#36781 Flaky test: org.keycloak.testsuite.webauthn.account.WebAuthnTransportLocaleTest#localizationTransportInternal ci
#36782 Flaky test: org.keycloak.testsuite.webauthn.account.WebAuthnSigningInTest#multipleSecurityKeys ci
#36844 Provide an option to force login after reset credentials authentication
#36887 Outdated documentation about how to use reCAPTCHA in development with localhost docs
#36902 Flaky test: org.keycloak.testsuite.webauthn.account.WebAuthnErrorTest#errorPageWithTimeout ci
#36945 Bad escape apostrophe character in messages_fr.properties login/ui
#36988 Typos in English email message templates translations
#36998 UI tests failing admin/ui

`v26.1.0`

Compare Source

Highlights

Transport stack `jdbc-ping` as new default

Keycloak now uses by default its database to discover other nodes of the same cluster, which removes the need of additional network related configurations especially for cloud providers. It is also a default that will work out-of-the-box in cloud environments.

Previous versions of Keycloak used as a default UDP multicast to discover other nodes to form a cluster and to synchronize the replicated caches of Keycloak. This required multicast to be available and to be configured correctly, which is usually not the case in cloud environments.

Starting with this version, the default changes to the jdbc-ping configuration which uses Keycloak8217;s database to discover other nodes. As this removes the need for multicast network capabilities and UDP and no longer using dynamic ports for the TCP-based failure detection, this is a simplification and a drop-in replacement for environments which used the previous default. To enable the previous behavior, choose the transport stack udp which is now deprecated.

The Keycloak Operator will continue to configure kubernetes as a transport stack.

See the Configuring distributed caches guide for more information.

Virtual Threads enabled for Infinispan and JGroups thread pools

Starting from this release, Keycloak automatically enables the virtual thread pool support in both the embedded Infinispan and JGroups when running on OpenJDK 21. This removes the need to configure the JGroups thread pool, the need to align the JGroups thread pool with the HTTP worker thread pool, and reduces the overall memory footprint.

OpenTelemetry Tracing supported

In the previous release, the OpenTelemetry Tracing feature was preview and is fully supported now. It means the opentelemetry feature is enabled by default.

There were made multiple improvements to the tracing capabilities in Keycloak such as:

Configuration via Keycloak CR in Keycloak Operator
Custom spans for:
- Incoming/outgoing HTTP requests including Identity Providers brokerage
- Database operations and connections
- LDAP requests
- Time-consuming operations (passwords hashing, persistent sessions operations, 8230;8203;)

For more information, see the Enabling Tracing guide.

Infinispan default XML configuration location

Previous releases ignored any change to conf/cache-ispn.xml if the --cache-config-file option was not provided.

Starting from this release, when --cache-config-file is not set, the default Infinispan XML configuration file is conf/cache-ispn.xml as this is both the expected behavior and the implied behavior given the docs of the current and previous releases.

Individual options for category-specific log levels

It is now possible to set category-specific log levels as individual log-level-category options.

For more details, see the Logging guide.

OpenID for Verifiable Credential Issuance

The OpenID for Verifiable Credential Issuance (OID4VCI) remains an experimental feature in Keycloak, but it has great improvements in this release. This feature benefits from much polishing of the existing configuration and making the feature more dynamic and customizable.

You will find significant development and discussions in the Keycloak OAuth SIG. Anyone from the Keycloak community is welcome to join.

Many thanks to all members of the OAuth SIG group for the participation in the development and discussions about this feature. Especially thanks to Francis Pouatcha, Ingrid Kamga, Pascal Knüppel, Thomas Darimont, Ogen Bertrand, Awambeng Rodrick and Takashi Norimatsu.

Minimum ACR Value for the client

The option Minimum ACR value is added as a configuration option on the realm OIDC clients. This addition is an enhancement related to step-up authentication, which makes it possible to enforce minimum ACR level when logging in to the particular client.

Many thanks to Simon Levermann for the contribution.

Support for prompt=create

Support now exists for the Initiating user registration standard, which allows OIDC clients to initiate the login request with the parameter prompt=create to notify Keycloak that a new user should be registered rather than an existing user authenticated. Initiating user registration was already supported in Keycloak with the use of dedicated endpoint /realms/<realm>/protocol/openid-connect/registrations. However, this endpoint is now deprecated in favor of the standard way as it was a proprietary solution specific to Keycloak.

Many thanks to Thomas Darimont for the contribution.

Option to create certificates for generated EC keys

A new option, Generate certificate, exists for EC-DSA and Ed-DSA key providers. When the generated key is created by a realm administrator, a certificate might be generated for this key. The certificate information is available in the Admin Console and in the JWK representation of this key, which is available from JWKS endpoint with the realm keys.

Many thanks to Pascal Knüppel for the contribution.

Authorization Code Binding to a DPoP Key

Support now exists for Authorization Code Binding to a DPoP Key including support for the DPoP with Pushed Authorization Requests.

Many thanks to Takashi Norimatsu for the contribution.

Maximum count and length for additional parameters sent to OIDC authentication request

The OIDC authentication request supports a limited number of additional custom parameters of maximum length. The additional parameters can be used for custom purposes (for example, adding the claims into the token with the use of the protocol mappers). In the previous versions, the maximum count of the parameters was hardcoded to 5 and the maximum length of the parameters was hardcoded to 2000. Now both values are configurable. Additionally it can be possible to configure if additional parameters cause a request to fail or if parameters are ignored.

Many thanks to Manuel Schallar and Patrick Weiner for the contribution.

Network Policy support added to the Keycloak Operator

Note	Preview feature.

To improve the security of your Kubernetes deployment, Network Policies can be specified in your Keycloak CR. The Keycloak Operator accepts the ingress rules, which define from where the traffic is allowed to come from, and automatically creates the necessary Network Policies.

LDAP users are created as enabled by default when using Microsoft Active Directory

If you are using Microsoft AD and creating users through the administrative interfaces, the user will be created as enabled by default.

In previous versions, it was only possible to update the user status after setting a (non-temporary) password to the user. This behavior was not consistent with other built-in user storages as well as not consistent with other LDAP vendors supported by the LDAP provider.

New conditional authenticators `Condition - sub-flow executed` and `Condition - client scope`

The Condition - sub-flow executed and Condition - client scope are new conditional authenticators in Keycloak. The condition Condition - sub-flow executed checks if a previous sub-flow was executed (or not executed) successfully during the authentication flow execution. The condition Condition - client scope checks if a configured client scope is present as a client scope of the client requesting authentication. For more details, see Conditions in conditional flows.

Defining dependencies between provider factories

When developing extensions for Keycloak, developers can now specify dependencies between provider factories classes by implementing the method dependsOn() in the ProviderFactory interface. See the Javadoc for a detailed description.

Dark mode enabled for the welcome theme

We8217;ve now enabled dark mode support for all the keycloak themes. This feature was previously present in the admin console, account console and login, and is now also available on the welcome page. If a user indicates their preference through an operating system setting (e.g. light or dark mode) or a user agent setting, the theme will automatically follow these preferences.

If you are using a custom theme that extends any of the keycloak themes and are not yet ready to support dark mode, or have styling conflicts that prevent you from implementing dark mode, you can disable support by adding the following property to your theme:

darkMode=false

Alternatively, you can disable dark mode support for the built-in Keycloak themes on a per-realm basis by turning off the Dark mode setting under the Theme tab in the realm settings.

Metrics on password hashing

There is a new metric available counting how many password validations were performed by Keycloak. This allows you to better assess where CPU resources are used, and can feed into your sizing calculations.

See Keycloak metrics and Concepts for sizing CPU and memory resources for more details.

Sign out all active sessions in admin console now effectively removes all sessions

In previous versions, clicking on Sign out all active sessions in the admin console resulted in the removal of regular sessions only. Offline sessions would still be displayed despite being effectively invalidated.

This has been changed. Now all sessions, regular and offline, are removed when signing out of all active sessions.

Dedicated release cycle for the Node.js adapter and JavaScript adapter

From this release onwards, the Keycloak JavaScript adapter and Keycloak Node.js adapter will have a release cycle independent of the Keycloak server release cycle. The 26.1.0 release may be the last one where these adapters are released together with the Keycloak server, but from now on, these adapters may be released at a different time than the Keycloak server.

Updates in quickstarts

The Keycloak quickstarts are now using main as the base branch. The latest branch, used previously, is removed. The main branch depends on the last released version of the Keycloak server, Keycloak client libraries, and adapters. As a result, contributions to the quickstarts are immediately visible to quickstart consumers with no need to wait for the next Keycloak server release.

Updated format of KEYCLOAK_SESSION cookie and AUTH_SESSION_ID cookie

The format of KEYCLOAK_SESSION cookie was slightly updated to not contain any private data in plain text. Until now, the format of the cookie was realmName/userId/userSessionId. Now the cookie contains user session ID, which is hashed by SHA-256 and URL encoded.

The format of AUTH_SESSION_ID cookie was updated to include a signature of the auth session id to ensure its integrity through signature verification. The new format is base64(auth_session_id.auth_session_id_signature). With this update, the old format will no longer be accepted, meaning that old auth sessions will no longer be valid. This change has no impact on user sessions.

These changes can affect you just in case when implementing your own providers and relying on the format of internal Keycloak cookies.

Removal of robots.txt file

The robots.txt file, previously included by default, is now removed. The default robots.txt file blocked all crawling, which prevented the noindex/nofollow directives from being followed. The desired default behaviour is for Keycloak pages to not show up in search engine results and this is accomplished by the existing X-Robots-Tag header, which is set to none by default. The value of this header can be overridden per-realm if a different behaviour is needed.

If you previously added a rule in your reverse proxy configuration for this, you can now remove it.

Imported key providers check and passivate keys with an expired cetificate

The key providers that allow to import externally generated keys (rsa and java-keystore factories) now check the validity of the associated certificate if present. Therefore a key with a certificate that is expired cannot be imported in Keycloak anymore. If the certificate expires at runtime, the key is converted into a passive key (enabled but not active). A passive key is not used for new tokens, but it is still valid for validating previous issued tokens.

The default generated key providers generate a certificate valid for 10 years (the types that have or can have an associated certificate). Because of the long validity and the recommendation to rotate keys frequently, the generated providers do not perform this check.

Admin events might include now additional details about the context when the event is fired

In this release, admin events might hold additional details about the context when the event is fired. When upgrading you should expect the database schema being updated to add a new column DETAILS_JSON to the ADMIN_EVENT_ENTITY table.

OpenShift v3 identity brokering removed

As OpenShift v3 reached end-of-life a while back, support for identity brokering with OpenShift v3 has been removed from Keycloak.

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

New features

#24992 Allow more extensive Override of BackchannelAuthenticationCallbackEndpoint core
#25006 Use optional realm attribute for authenticationrequest parameter max size/number validation configuration
#26178 Support dark mode, at least for the login pages login/ui
#26466 Operator support for setting default value of `http-pool-max-threads` operator
#27736 Used encrypted JGroups connection by default in Operator deployments operator
#29399 JDBC_PING2 as default discovery protocol
#32135 Option to specify trusted proxies dist/quarkus
#32488 Enabling authorization_details for client grant tokens until RAR is fully implemented
#33043 Provide missing user event metrics from aerogear/keycloak-metrics-spi to a keycloak mircometer event listener
#34957 Ability to specify log category levels through separate options dist/quarkus
#35110 Enhance WebAuthn registration to support custom FIDO2 origin validation
#35231 Ability to reject authentication to users without 2FA configured authentication
#35639 Allow users to specify the start page of a custom account-console theme account/ui
#36081 Authentication flow condition for client scope authentication

Enhancements

#10138 Align admin console for client for backchannel and frontchannel logout oidc
#10701 AuthenticationRequest add "create" prompt for sign-up oidc
#13852 js adapter just sets error to true upon error updateToken adapter/javascript
#16545 Additional authorization request parameters shouldn't be limited to 5 and shouldn't be discarded silently oidc
#16884 Support to enforce LoA in authentication flow for a client (Step-up) authentication
#17014 Allow custom message for brute force temporary lockout authentication
#23805 H2 Database should be opt-in and well-documented storage
#23881 Prevent "lost replace" in InfinispanAuthenticationSessionProvider storage
#26780 Maximum 100 resources with same URI checked when requesting permissions by URI authorization-services
#29511 Allow to restrict ProviderConfigProperty input to int values
#29570 Generalize or remove stack trace information found in error message exception handling
#29859 Keycloak native verification of an SD-JWT based vp_token oid4vc
#31764 Run tests with original `keycloak` login theme in nightly
#31842 Allow to create certificates for provider-keys authentication
#32092 OTEL: Add Keycloak CR support for Tracing options operator
#32094 OTEL: Apache HTTP client OpenTelemetry instrumentation
#32110 [Documentation] - Configuring trusted certificates - Fully specify truststore path dist/quarkus
#32114 OTEL: Instrument parts of Keycloak with OTEL spans
#32152 Clarify the behaviour of multiple Operator versions installed in the same cluster operator
#32657 Readonly profile attribute profile has unwanted not translated placeholder account/ui
#32773 [OID4VCI] Migrate Verifiable Credential Definitions from Client Attributes to Realm Level Attributes oid4vc
#33203 Explicitly document that the Operator does not create an Ingress for Admin URL operator
#33233 Add ui to override patternfly colors and logo
#33275 Better logging when error happens during transaction commit storage
#33484 Consolidate the logic for determining a local address core
#33492 Remove retry in LoginPage.resetPassword testsuite
#33496 Add CopyToClipboardButton to UserID in Admin UI
#33498 Expose membership type in the Admin UI for organization members admin/ui
#33559 Add an example nginx reverse proxy configuration
#33569 Show User Events on dedicated tab on Client-/User-Details
#33605 Add a reference to http-enabled in TLS/SSL setup
#33646 Upgrade Infinispan to 15.0.10.Final
#33651 Utilise `jdbc-ping` TCP based JGroups stack as default for non-operator Keycloak deployments
#33678 Make createWebAuthnRegistrationManager protected to allow cutomizations in subclasses authentication/webauthn
#33702 Prevent Keycloak from starting with wrong `work` cache configuration
#33717 Create a new base login theme
#33821 Add switch to disable dark mode
#33932 Background SQL statements show without a connected trace dist/quarkus
#33939 Enable virtual threads in Infinispan and JGroups by default
#34026 Update KEYCLOAK_SESSION cookie to not have sessionId in plain-text authentication
#34027 Sign the AUTH_SESSION_ID cookie value authentication
#34091 Username Form should support autocomplete login/ui
#34137 Standardize error messages from client and server in login theme (keycloak.v2) login/ui
#34253 Deprecate other transport stacks (ec2, azure, google)
#34265 Add JDBC_PING2 stacks for both TCP and UDP
#34284 Keycloak-admin-client should work with the future versions of Keycloak server admin/client-java
#34315 Update the Keycloak CPU and Memory sizing guide to reflect the new ec2 workder nodes
#34330 Delete Openshift 3.x identity provider
#34351 Support for the Croatian language
#34380 Remove remaining table USERNAME_LOGIN_FAILURE from the jpa UserSessionProvider times
#34382 Make the organization chapter of Server Admin guide available on downstream
#34386 Some dynamic imported functions are also statically imported making bundling them in-efficient
#34393 Improve build time of the js module
#34524 Add ability to enable support for Verifiable Credentials per Realm account/ui
#34536 Make cache-remote-host available when feature multi-site or cache-embedded-remote-store is enabled
#34570 Make documentation more clear that keycloak javascript adapter and node.js adapter are OIDC docs
#34583 Microsoft login - add prompt param configure
#34630 Avoid multi-release and java16 specific sources in the core module oidc
#34640 Update certain email templates for password recovery to match English translation format
#34658 Document network ports for Keycloak clustering
#34659 [Operator] Enhance the Keycloak Operator with Network Policies operator
#34695 Allow custom OIDCIdentityProvider implementations to specfiy the supported token types identity-brokering
#34711 OTEL: Provide Tracing SPI
#34755 Disable trim_trailing_whitespace in editorconfig to reduce noise in MRs
#34760 Improving the error message when failing to query an LDAP provider ldap
#34804 Allow a request object by considering a clock skew for smooth interoperability oidc
#34805 Allow a JWT client assertion by considering a clock skew for smooth interoperability oidc
#34848 Too many exceptions created when validating user profile
#34850 Avoid throwing exceptions when issuing reflection on user model
#34855 Add conditional text to Installation Locations
#34873 Update Leveraging JaKarta EE in Server Development guide
#34880 Feature: Allow disabling XA enforcement introduced with v26 dist/quarkus
#34882 Edits to Authorization Services guide
#34894 Allow a DPoP Proof by considering a clock skew for smooth interoperability
#34916 Addresse QE comments on Server Administration guide
#34931 Upgrade to ISPN 15.0.11.Final
#34990 Authorization Code Binding to a DPoP Key and DPoP with Pushed Authorization Requests oidc
#35003 Expose templateName in attributes when rendering freemarker templates login/ui
#35077 Upgrade to Quarkus 3.15.2 dist/quarkus
#35080 Prefer usage of StandardCharsets.UTF_8 over "UTF-8" charset reference core
#35103 [LoginUI] Set HTML lang attribute to "en" when internationalization disabled account/ui
#35180 Improve test method signature and gather more info about assertions testsuite
#35192 Resolve scopes from authenticated client sessions when selecting attributes
#35225 Allow configuring retries for JavaScript tests using environment variable ci
#35243 Allow asking for additional scopes when querying the account console root URL
#35252 Add WHY issues are important for each MR no matter how small to CONTRIBUTING.md docs
#35254 CONTRIBUTING.md has confusing ordered list with two times point 5
#35331 Updated tested PostgreSQL version to 17
#35333 Updated tested MariaDB version to 11.4
#35335 Updated tested MySQL version to 8.4
#35402 Consistent use of log.debugf to avoid generating too much GC overhead
#35415 Add a page with an index that links to smaller pages (JVM, HTTP, Database, embedded caches, external Infinispan) - we can show example widgets from the dashboards later
#35419 OTEL: Enhance traces with spans for each RestEASY resource
#35425 OTEL: Show spans in transaction completion at the end of a request
#35430 OTEL: Group persistent session work activities in parent span or link them
#35457 Avoid creating ObjectMapper but using JsonSerialization utility class when managing event details
#35478 Add password validation to update-password
#35506 Support for multiple values of some parameters in the grant SPI oidc
#35573 Update the Enabling Keycloak Event Metrics guide with the list of possible events and errors
#35588 Update release notes for Keycloak 26.1.0 with new community additions docs
#35598 [Operator] Network Policy Rules operator
#35604 Removing unnecessary configuration from auth servers
#35640 Update the sizing guide with an indicator on which user events to use
#35676 Reduce debounce time in RealmSelector
#35714 Replace `uuid` module with `crypto.randomUUID()`
#35758 Set the LDAP connection pooling protocols by default to plain and tls
#35775 Document the performance numbers from the ARM based ROSA cluster runs
#35807 Add a test that the metrics listed in the docs are available from Keycloak (keep it simple, ignore metrics that don't show up right after the start)
#35834 Use MeterProvider as suggested by the Micrometer team to avoid GC overhead
#35852 Enable LDAP Connection pooling by default
#35856 Release note about node.js adapter and javascript adapter released independently of keycloak server docs
#35859 Update upgrading notes with the changes related to core clients docs
#35939 Rescue dutch translations from aborted Weblate MR
#36015 Update the CA translation translations
#36039 Tune caching guide list of stacks for the upcoming release
#36047 Align realm name placeholder in the docs docs
#36048 Add metric for number of password validations
#36059 OTEL: Add tracing for credential validation
#36079 Suggestion: Improve Regex for NPM Version Conversion in set-version.sh ci
#36087 Allow tracing packets sent to and from LDAP for troubleshooting purposes
#36211 Help texts in the admin UI should end with a dot admin/ui
#36263 OTEL: merge Operator tracing test cases
#36388 Rename `org.keycloak.test.framework` package to `org.keycloak.testframework` test-framework
#36389 Rename `org.keycloak.test` package to `org.keycloak.tests` test-framework
#36425 Make @EnableFeature to handle the case with added provider of currently non-used SPI testsuite
#36442 Prepare a new guide for Keycloak's own metrics in the observability guide

Bugs

#8935 keycloak.js example from the documentation leads to error path adapter/javascript
#10233 Locale Setting for Update Password Mail admin/api
#10417 Race when creating client protocol mappers (ClientManager#enableServiceAccount) resulting in duplicate entries storage
#11008 Incorrect get the members of a group imported from LDAP ldap
#12309 IllegalArgumentException on canceled Account Linking oidc
#12919 Step-up authentication with existing cookie not working when using `Authentication Flow Overrides` per client authentication
#14562 Broken Promise implementation for AuthZ JS adapter/javascript
#15058 Backchannel Logout silently not sent, if Frontchannel Logout is enabled as well oidc
#15635 oidc - JavaScript-Adapter LocalStorage#clearExpired does not clear all possible items adapter/javascript
#16451 Documentation - Expand/Clarify Admin REST API User Search Functionality admin/api
#17233 the InfoPage after an ExecuteActionsEmail is not localized based on the user's locale authentication
#17433 robots.txt causes indexing authentication/webauthn
#17593 Incorrect ldap-group-mapper chosen to sync changes to ActiveDirectory when several mappers with varying group paths used ldap
#19101 Uncaught (in promise): QuotaExceededError adapter/javascript
#19358 Issue with concurrent user & group delete, unable to cleanup resource server user-policy & group-policy authorization-services
#19652 Members are inhereted from LDAP group with the same name ldap
#20287 When using `oidcProvider` config url (.well-known) it's not possible to use `silentCheckSsoRedirectUri` adapter/javascript
#23732 JavascriptAdapterTest errors when running with strict cookies on Firefox ci
#24493 Broken (read-only) database connections not getting removed from connection pool, keycloak claims to be healthy. storage
#25085 Inconsistent TypeScript definitions in the module @keycloak/keycloak-admin-client while compiling admin/client-js
#25675 Workflow error: Base IT - RefreshTokenTest#refreshTokenWithDifferentIssuer testsuite
#25917 Allow increasing wait time on each failure after the max number of failures is reached authentication
#27378 update brute force docs to reflect available lockouts modes (temporary / permanent / mixed) authentication
#27856 Social login - Stack Overflow test fails ci
#28241 NPE on External OIDC to Internal Token Exchange when Transient Users feature is enabled token-exchange
#28328 Declining terms and conditions in account-console results in error account/ui
#28978 some GUI validation check missing admin/ui
#29289 Flaky test: org.keycloak.testsuite.admin.concurrency.ConcurrencyTest#createRemoveClient ci
#29290 Flaky test: org.keycloak.testsuite.admin.concurrency.ConcurrencyTest#createClient ci
#30037 Unstable test KerberosStandaloneCrossRealmTrustTest.test03SpnegoLoginWithCorrectKerberosPrincipalRealm ci
#30204 When the Delete Credential required action is set to false an authentication application cannot be removed from the account UI core
#30364 Make sure it is not possible to run snapshot server against production DB by default core
#30453 Event type not set in reset-credential flow under some conditions resulting in an error page authentication
#30631 Upgrade to 25 throws: Statement violates GTID consistency core
#30832 Organization API not available from OpenAPI documentation admin/api
#30994 Workflow failure: WebAuthn IT (firefox) - WebAuthnSigningInTest:navigateBeforeTest ci
#31091 Flaky test: org.keycloak.testsuite.admin.concurrency.ConcurrencyTest#testAllConcurrently ci
#31180 token exchange: exchange-sequence still fails with `Client session for client '..' not present in user session` when starting on public client token-exchange
#31359 Offline sessions are not removed from admin console after sign out all active sessions core
#31415 Selection list does not close after outside click admin/ui
#31456 Enabling/Disabling user does not work with Microsoft AD LDAP via Admin API/UI ldap
#31469 Show account page before login core
#31492 Misleading docs and functionality around cache-ispn.xml dist/quarkus
#31638 Error when non-admin user accesses admin console admin/fine-grained-permissions
#31724 Logout not working after removing Identity Provider of user identity-brokering
#31727 KC doesn’t enforce uniqueness of aliases in Authentication flows, but uses them as identifiers (in config export) authentication
#31835 Windows builds fail too often due to problems with the download of Node ci
#31848 Repeated email verifications while logging in through IDP caused by email case sensitivity authentication
#32143 UserId too long to add Security Key WebauthN authentication/webauthn
#32266 LDAP Import: KERBEROS_PRINCIPAL not updated when UserPrincipal changes and user already exists ldap
#32270 High CPU usage on logout when using remote Infinispan only setup infinispan
#32348 none of the enabled features are shown as such in the admin console docs
#32356 creating short admin password in BCFIPS approved mode gives "Internal server error" page core
#32462 "Cookie not found" in multi-step auth flows / mobile browsers core
#32476 Flaky test: org.keycloak.testsuite.forms.LoginTest#loginAgainWithoutRememberMe ci
#32550 Flaky test: org.keycloak.testsuite.forms.LoginTest#loginMissingUsername ci
#32610 addExecutionFlow endpoint does not return right ID admin/api
#32617 Nightly Cypress tests for the Admin Console are failing on Firefox admin/ui
#32648 RP-Initiated logout using `POST` method fails in cross-origin setup oidc
#32650 Requesting `offline_access` without an established session results in two sessions oidc
#32658 Authentication sessions do not handle concurrent writes core
#32676 Flaky test: org.keycloak.testsuite.forms.BrowserButtonsTest#appInitiatedRegistrationWithBackButton ci
#32677 Flaky test: org.keycloak.testsuite.forms.LoginTest#loginWithRememberMe ci
#32767 Flaky test: org.keycloak.testsuite.forms.LoginTest#loginRememberMeExpiredMaxLifespan ci
#32786 Organization Domain not marked as a required field in the Admin UI admin/ui
#32801 Requested `grant_types` inconsistent with created `grant_types` for OpenID Connect Dynamic Client Registration oidc
#32844 Login V2: Missing "dir" attributes login/ui
#32847 Admin UI defaults to master realm even without permissions to it admin/ui
#32901 Consider Replacing Monaco Editor or Bundling Resources Locally to Avoid CSP Conflicts admin/ui
#32962 Possible issue with unavailable CryptoIntegration when using keycloak-authz-client with private_key_jwt and ECDSA algorithm oidc
#32992 Role descriptions do not wrap in the UI admin/ui
#33020 Incorrect Disclosure Handling in SdJwtVP.of(String) Method oid4vc
#33071 RESTART_AUTHENTICATION_ERROR in Iphone devices (using safari and chrome browser) oidc
#33072 Passkeys: Infinite (re-)loading loop on browsers with WebAuthn Conditional UI disabled authentication/webauthn
#33125 Duplicate principals not allowed in keystore authentication
#33132 Flaky test: org.keycloak.testsuite.forms.LoginTest#loginWithEmailUserAndRememberMe ci
#33195 Any one Client role mapping to user/group generating two events on admin events tab. core
#33232 400 error logged as 500 identity-brokering
#33282 Icons for social providers broken in login screen if the provider is created with non-default alias admin/ui
#33309 Admin UI e is undefined if required action recreated with own alias admin/ui
#33349 Double scroll bar due to warning banner admin/ui
#33352 Wrong translation issues in greek translation translations
#33404 Permission cannot be evaluated when only role and client are provided authorization-services
#33408 Link to existing account form: IDP Alias displayed instead of IDP Display Name login/ui
#33435 404 in admin console when unlinking managed user from organizations admin/ui
#33505 Flaky test: org.keycloak.testsuite.forms.LevelOfAssuranceFlowTest#testWithOTPAndRecoveryCodesAtLevel2 ci
#33513 Can get authorization code on a non verified user with some specific kc_action (AIA) oidc
#33531 Previously entered translations should persist in the translation dialog for the attribute groups admin/ui
#33539 Keycloak In Docker: ERROR: Strict hostname resolution configured but no hostname setting provided docs
#33549 Flaky test: org.keycloak.testsuite.broker.KcOidcBrokerTest#testPostBrokerLoginFlowWithOTP_bruteForceEnabled ci
#33557 Unable to submit forms in Safari account/ui
#33576 Broken links / anchors after KC26 release docs
#33578 In imported realms, the ability to use environment variables has disappeared import-export
#33585 Fix runaway asterisk formatting in TLS documentation docs
#33596 Cleanup how static state is set for import / export dist/quarkus
#33599 Upgrade Selenium testsuite
#33603 Repeated "to a" in the help text for the "User Attribute" mapper admin/ui
#33607 Fix v2 login layout login/ui
#33614 Client Secret Required Bug When Using "JWT Signed with Private Key" for (Keycloak/) OpenID Connect Provider admin/ui
#33618 No message for `policyGroupsHelp` admin/ui
#33627 ClassNotFoundException OracleXADataSource/OracleDataSource using IDELauncher with Keycloak 26.0.0 dist/quarkus
#33638 Non-optimized start command gives erroneous warnings for runtime spi options dist/quarkus
#33640 Customizable footer (Keycloak 26) not displaying in keycloak.v2 login theme login/ui
#33642 RTL not working on keycloak.v2 login template login/ui
#33649 Validation of http truststore or keystore file masks if the file exists dist/quarkus
#33653 Test "Duplicate Group" unstable in Admin UI / job is failing admin/ui
#33699 Failure to redirect to organization IdP when the organization scope is included organizations
#33729 Not possible to configure custom client authenticator in Admin UI authentication
#33731 Client Scope updates are not replicated on a distributed keycloak setup in kubernetes admin/api
#33734 Client Policy throws "Invalid Redirect Uri" if Standard Flow is disabled oidc
#33735 Organizations section is shown in account console if organizations is not enabled for a realm. account/ui
#33767 Aurora IT tests failing periodically with download of node ci
#33775 Admin client returns HTTP code `400 Bad Request` when using x509 certificate admin/client-java
#33776 [Regression] 26.0.0 return empty "access: []" JWT for Docker-v2 Auth provider, resulting in "access denied" authentication
#33777 Error when adding or removing a user from an organisation when there are 2 or more Keycloak servers in a cluster organizations
#33780 Upgrade to 26 fails with 'ERROR: index "idx_us_sess_id_on_cl_sess" does not exist' core
#33793 FOUC in Firefox on login UI login/ui
#33798 CVE-2021-44549 - org.eclipse.angus/angus-mail: Enabling Secure Server Identity Checks for Safer SMTPS Communication dist/quarkus
#33810 Stabilise my-resources.spec test account/ui
#33814 NPE when device representation cannot be parsed authentication
#33817 NEP when Default Role is not present on CachedRealm infinispan
#33820 client-jwt ES256 error when doing CODE_TO_TOKEN oidc
#33844 Wrong documentation link in keycloak-js readme docs
#33874 [Keycloak CI] - AuroraDB IT - Error creating EC2 runner instance
#33875 [Keycloak CI] - FIPS IT - Failed to fetch maven
#33883 Auth not possible for auth session where user was enabled in the meantime authentication
#33902 Not persisted config settings prevent server start dist/quarkus
#33907 NPE thrown in whoami endpoint admin/ui
#33933 Recovery authentication codes are numbered inconsistently login/ui
#33940 ResetPasswordTest.resetPasswordExpiredCode Error -> AbstractKeycloakTest.deleteAllCookiesForRealm:297 core
#33941 Cannot install latest version (26.0.0) of the adapter using Galleon adapter/jee
#33948 [PERF] OpenTelemetry is initialized even when disabled
#33967 password is a required field admin/ui
#33968 Not possible to close dialog boxes when clicking buttons or the close icon admin/ui
#33970 Windows kc.bat handling of serveral parameter types is not correct dist/quarkus
#33987 keycloak.v2 registration: Password policy validation error "errorList is null" login/ui
#33991 Doc CI - broken links error docs
#34000 Handle removal of online session for the directGrant and clientCredentials
#34001 Handle removal of online session for authorization_code when `scope=offline_access`is used oidc
#34009 grammatical error in "Managing Organizations" documentation docs
#34013 Add More Info to Organization Events organizations
#34015 Home URL for security-admin-console is broken admin/ui
#34017 [Admin UI] Broken autocomplete input on the "Create resource-based permission" form admin/ui
#34023 Flaky Test ResetPasswordTest.resetPasswordLoggedUser:188->openResetPasswordUrlAndDoFlow:252 testsuite
#34028 Custom keycloak login theme styles.css return error 404 login/ui
#34041 [Windows] Wrong expansion of ${kc.home.dir} causes NoSuchFile exception dist/quarkus
#34042 LDAP Pagination not working for role membership in GET_ROLES_FROM_USER_MEMBEROF_ATTRIBUTE strategy ldap
#34049 Org Invite: `linkExpiration` template variable represents 54 years in minutes organizations
#34050 Listing federated LDAP users is very slow with import enabled ldap
#34054 Onclick focus issue in the Username field of Clients / / Client Scopes / Evaluate admin/ui
#34063 Respect the locale set to a user when redering verify email pages user-profile
#34065 Users without `view-realm` can't see user lockout state in Admin UI admin/ui
#34069 Do not show domain match message in the identity-first login when no login hint is provided organizations
#34072 The Realm Selection Dropdown Breaks After 50 Realms In Database admin/ui
#34075 Flaky test: org.keycloak.testsuite.broker.KcOidcBrokerTest#testPostBrokerLoginFlowWithOTP_bruteForceEnabled ci
#34093 java.util.ConcurrentModificationException when process user sessions update infinispan
#34095 Keycloak 26.0.0/26.0.1 Import Issue: Multiple Realms Not Imported, Duplicated Realm Imported Instead import-export
#34149 Group select dialog: Subgroups not displayed initially due to pagination admin/ui
#34151 JS password validation doesn't work as intended with uppercase and lowercase minimum requirements login/ui
#34155 cli options starting or ending with ; or containing ;; mangle the cli handling dist/quarkus
#34176 Grant type "urn:ietf:params:oauth:grant-type:uma-ticket" token service endpoint returns NullPointerException authorization-services
#34201 OIDC IdP Unable to validate signatures using validatingPublicKey certificate admin/ui
#34207 logout with client_id and/or post_logout_redirect_uri results in bad request on logout confirmation page oidc
#34224 Deleting a user leads to ISPN marshalling exception
#34229 Group search in user view doesn't work as expected for nested groups admin/ui
#34233 Service accounts visible under user search in Admin console admin/api
#34257 Docs: Dead link docs
#34273 Flaky Test: BrowserFlowTest.testAlternativeNonInteractiveExecutorInSubflow() testsuite
#34276 PEM files distributed as part of SAML adapter configs are missing -----BEGIN and -----END blocks saml
#34298 NullPointerException in ConditionalOtpFormAuthenticator.java authentication
#34301 Remove inaccurate statement about master realm imports docs
#34304 Fix DB overflow for EVENT_ENTITY table and SESSION_ID column in case that incorrect data are sent core
#34335 NPE in Organization(s)Resource when using Quarkus Rest Client admin/api
#34352 ParEndpoint#request corrupts values added in request object oidc
#34356 Admin UI doesn't show realms when using login through identity provider admin/fine-grained-permissions
#34401 Incorrect Content-Type Expectation for POST /admin/realms/{realm}/organizations/{id}/members in Keycloak API admin/api
#34402 [Keycloak 26.0.2] Getting "Forbidden, permission needed: query-clients" as temp-admin admin/ui
#34412 LDAP: searching users with import disabled is slower since fix for 34050 ldap
#34432 Flaky test: org.keycloak.testsuite.broker.KcSamlBrokerTest#testPostBrokerLoginFlowWithOTP_bruteForceEnabled ci
#34440 [Trivy] - Workflow failure ci
#34444 NullPointerException in RoleResolveUtil when admin-cli uses lightweight token admin/cli
#34450 [26.0.2] Migration from 25.0.1 Identity Provider Errors identity-brokering
#34460 kc.config.args exposed in show-config dist/quarkus
#34465 Missing help icons in Webauthn Policy and Webauthn Passwordless Policy missing in admin ui admin/ui
#34467 Do not rely on the `pwdLastSet` attribute when updating AD entries ldap
#34474 Flaky test: org.keycloak.testsuite.broker.KcOidcBrokerTest#testPostBrokerLoginFlowWithOTP_bruteForceEnabled ci
#34508 Username and password should be optional for multi-site deployment infinispan
#34519 Clicking on link to Keycloak documentation from Keycloak admin UI does nothing instead of opening documentation admin/ui
#34530 Flaky test: org.keycloak.testsuite.actions.TermsAndConditionsTest#termsDeclined ci
#34540 Renaming realm in UI broken admin/api
#34547 Non compliant OpenID Client Authentication when `client_secret_jwt` with PAR (Pushed Authorization Requests) oidc
#34549 Quarkus dev mode does not work dist/quarkus
#34558 Flaky test: org.keycloak.testsuite.forms.ResetPasswordTest#resetPasswordLinkTestAppWithoutRedirectUriParam ci
#34560 Switching 'Email as Username' alters existing custom usernames to email addresses, causing LDAP sync issues core
#34572 Text in "Choose a policy type" is not wrapping admin/ui
#34590 Attributes missing in OrganizationRepresentation when using Admin REST API in Keycloak 26 admin/api
#34592 Flaky test: org.keycloak.testsuite.broker.KcOidcBrokerTest#testPostBrokerLoginFlowWithOTP_bruteForceEnabled ci
#34602 Rework global event listener for metrics core
#34603 NPE in InfinispanOrganizationProvider if userCache is disabled infinispan
#34605 Error on testsuite "group_test" on Cypress admin/ui
#34611 AdminEventQueryTest test fails after adding global event listener core
#34614 Remove duplicate lines in userprofile freemarker template login/ui
#34616 Fix typo in log message account/ui
#34624 Securing apps guide breaks downstream docs
#34634 Missing downstream explicit name for anchors docs
#34635 Feature in higher version takes precedence even if it has lower type order
#34636 Client Protocol Mappers with non UUID ids cannot be edited admin/ui
#34644 KC_CACHE_EMBEDDED_MTLS_ENABLED is ignored infinispan
#34652 Continuous reload when KC_AUTH_SESSION_HASH expires authentication
#34671 `ClientConnection.getRemoteAddr` can return a hostname when behind a reverse proxy core
#34675 Keys tab showing disabled and inactive keys as active admin/ui
#34678 [Admin UI] [Create resource-based permission] Resource input is disabled admin/ui
#34687 New credential templates broken in KC26 login/ui
#34750 calling openid-connect/auth with previous version valid cookies generate internal server error authorization-services
#34769 Invalid flag for addDefaultRequiredActions infinispan
#34776 GroupMappersTest test fails in keycloak-client core
#34794 CVE-2024-10973 - Cleartext Transmission of Sensitive Information in org.keycloak:keycloak-quarkus-server
#34811 AdminUI: Alphabetically sort "Event saved type" in the events listing admin/ui
#34817 Log handler specific log levels support only lower-case levels dist/quarkus
#34818 Liquibase outputs update summary directly to standard out dist/quarkus
#34824 [Keycloak CI] - Base IT - KerberosLdapCrossRealmTrustTest.test03SpnegoLoginUsernamePassword ldap
#34832 [Jenkins Keycloak CI] - Cookies Tests - KcOidcBrokerPrivateKeyJwtCustomAudienceTest ci
#34834 [Jenkins Keycloak CI] - Cookies Tests - KcSamlBrokerTest
#34835 [Jenkins Keycloak CI] - Cookies Tests - KcOidcBrokerLdapTest ci
#34842 Keycloak needs to return "invalid_request" from Token Endpoint if a token or refresh request lacks DPOP proof oidc
#34844 [Keycloak CI] - Quarkus IT - StartCommandDistTest and BuildAndStartDistTest dist/quarkus
#34853 [Jenkins Keycloak CI] - Adapter Cookies Tests - Failures with Firefox strict cookies ci
#34858 Deprecated CLI options and new options are not stable in their sorting dist/quarkus
#34864 On logout from admin console, a serverinfo call with 401 response in the logs admin/ui
#34875 Clients invalidated on each client credential grant core
#34876 Incomplete registration form when edit email is disabled and email is set as username user-profile
#34888 Authentication Link and IDP Fails with 400 Bad Request After Migrating to Version 26 and Delete Authentification authentication
#34899 Upgrade 24 to 25 fails because db jpa changes drop nonexisting indexes. core
#34905 [Keycloak CI] Outdated surefire artifacts names - Quarkus IT and UT ci
#34930 Update Email doesn't update username when Email as Username and Attributes are enabled user-profile
#34944 Adding "sub" claim to lightweight access token causes HTTP 403 Forbidden Error in Keycloak 26.0.5 oidc
#34968 Unable to scroll/swipe through the main menu on macOS admin/ui
#34973 ES256 key continue to be used to sign token even after expiry oidc
#34975 getAll() organization members only returns the first 10 members organizations
#34987 KC25 Migration guide for caching options needs clarification
#34995 MySQL database migration issue core
#35006 Mis-formatted unordered list in the caching docs
#35015 Flaky test: org.keycloak.testsuite.model.session.AuthenticationSessionTest#testConcurrentAuthenticationSessionsRemoval ci
#35047 PersistentSessionsWorker: retry with 0 backoff ms. core
#35048 Filter events by user id and client not working admin/ui
#35052 `organizationEnabled` and `verifiableCredentialsEnabled` attributes are present as attributes in an export
#35060 Cannot request additional scopes when using the account console account/api
#35068 Flaky test: org.keycloak.testsuite.broker.KcSamlBrokerTest#testPostBrokerLoginFlowWithOTP_bruteForceEnabled core
#35087 Flaky test: org.keycloak.testsuite.model.session.AuthenticationSessionTest#testConcurrentAuthenticationSessionsCreation ci
#35088 Flaky test: org.keycloak.testsuite.adapter.servlet.SAMLClockSkewAdapterTest#testTokenTimeIsValid ci
#35213 CVE-2024-10451 Sensitive Data Exposure in Keycloak Build Process
#35214 CVE-2024-10270 Potential Denial of Service
#35215 CVE-2024-10492 Keycloak path trasversal
#35216 CVE-2024-9666 Keycloak proxy header handling Denial-of-Service (DoS) vulnerability
#35217 CVE-2024-10039 Bypassing mTLS validation
#35219 Account UI E2E / `personal-info/personal-info.spec.ts` is unstable ci
#35226 Typo www.recatcha.net -> www.recaptcha.net in docs docs
#35229 Fix typo in v24 changelog: "longer" -> "no longer" docs
#35232 reCAPTCHA v3 not working login/ui
#35240 Links to guides in Observability section are still pointing to server section docs
#35256 Typos in `.md` and `.adoc` files, detected using codespell and manual review docs
#35273 Edit Help Mode descriptor for Roles in policy form admin/ui
#35276 Your login attempt timed out authentication
#35288 Upgrade 26.0.5 -> 26.0.6 completely breaks admin events in the admin UI admin/ui
#35289 Maven clean shouldn't be skipped by default on Windows
#35290 Database migration fails after upgrading operator to v26.0.6 core
#35317 Token issuer is null in executeActionsEmail and sendVerifyEmail if no clientId is passed admin/api
#35324 Strange Random behavior - Intermittent missing organization claim in Keycloak JWT token organizations
#35328 Error when creating a permission ticket when there are 2 or more Keycloak servers in a cluster authorization-services
#35340 Errors in persian and tukish translations in account translations
#35352 Multiselect Checkboxes in user profile don't allow to unset value user-profile
#35357 Resolve scopes from bearer tokens when processing requests to the Account API
#35386 log-syslog-max-length is ignored dist/quarkus
#35405 [Keycloak CI] - Quarkus UT (windows-latest) - Keycloak Quarkus Server Deployment ci
#35410 SAML Adapter Galleon Pack for EAP8 cannot use new metadata options for layers adapter/saml
#35414 Capitalization in Hungarian translation needs improvement translations
#35416 Mis-formatted definition list of hashing algorithms
#35421 Showing LDAP error message when failing to reset password ldap
#35427 OTEL: OTelTracingProvider should be request-scoped dist/quarkus
#35429 access token or refresh token will be reset when another is set admin/ui
#35448 Flaky test: org.keycloak.testsuite.model.DBLockTest.testTwoLocksCurrently ci
#35451 Update Infinispan examples in the High Availability guide docs
#35475 Delete user confirm title is wrong admin/ui
#35481 Events: Wrong text for user id search admin/ui
#35483 Event Representation is not shown for Admin Events in UI admin/ui
#35486 When using the token revocation endpoint with refresh-token, all sessions from the user+client are terminated oidc
#35488 [Jekins Keycloak CI] - RH-SSO EAP adapters remote saml tests ci
#35496 `QuarkusPropertiesDistTest` fails on Windows testsuite
#35526 Initial keycloak bootstrap suggestion is not correct. dist/quarkus
#35529 IPA-Tuura federation: password field shows password in plaintext core
#35544 Upgrading guide 26.0.6 is missing in the built document docs
#35550 JVM crash when running base testsuite test from command line using auth-server-quarkus-embedded dist/quarkus
#35570 Invoking `BaseUpdater.markDeleted()` more than once cause the transient status to be lost infinispan
#35591 Embedded test server fails when running from `mvn` dist/quarkus
#35611 Code quote for http-enabled is incorrect, missing relevant option in reverse proxy documentation docs
#35612 Fix broken Dependabot configuration
#35634 Temporary password toggle in set password dialog is cut off in admin-console admin/ui
#35637 Inconsistency when returning user attributes when executing a seach or fetching users by ID from external user storage providers ldap
#35643 Improve sssd note about synchronization of groups docs
#35664 realm_test.spec fails on firefox admin/ui
#35675 New install doesn't allow admin user creation dist/quarkus
#35704 token exchange response expires_in inconsistent behavior token-exchange
#35706 Support for X-Forwarded-Prefix should not be implied docs
#35723 POST create client with id exceed 36 characters length response status 500 instead of 403 admin/api
#35732 Missing userId in LOGIN_ERROR event for permanent lockout authentication
#35745 GET .../organizations/{id}/members/{id} multiple ids organizations
#35760 Event for setting up recovery codes authentication
#35766 Fix grammar in documentation page docs
#35767 Typo in using custom Keycloak image for Operator guide docs
#35770 Quarkus.properties should not use -cf or --config-file flag docs
#35793 Update to KC 26.x from <26 fails if admin-cli client deleted core
#35796 Keycloak incorrect usage of UserPolicy and cache. authorization-services
#35802 Keycloak arquillian testsuite not working with the default profile testsuite
#35813 Token revocation may not correctly revoke related access tokens
#35822 Exact searches should be the default when querying user by attributes admin/api
#35827 Regression Mysql 8 support as the upgrade script do not use temporary table storage
#35830 Selected Organization not present in access_token of different client within same Realm if user belongs to multiple organization organizations
#35854 Unused LDAP provider options are still exposed
#35863 Selecting one role selects all admin/ui
#35874 MapComponent UI Not Displaying Saved Values in Keycloak React Admin UI admin/ui
#35876 Typo in username pt_BR translation in account console account/ui
#35904 Failing since may be reported incorrectly on health probe dist/quarkus
#35914 Map Configuration Property in Custom UserStorageProviderFactory Not Displayed in UI After Saving admin/ui
#35935 Organization Scope mismatch organizations
#35937 Duplicate entry in admin message properties admin/ui
#35947 Broken links in getting-started guide pointing to quickstarts latest branch docs
#35964 Flaky test: org.keycloak.testsuite.forms.BruteForceTest#testExceedMaxTemporaryLockouts ci
#35971 Wrong content-type for content.json account/ui
#36009 Unable to use custom handlers for HTTP OPTIONS method in subresources dist/quarkus
#36012 Double submit on otp form causes error login/ui
#36037 Translations specified in the admin console do not override the translations specified in a theme translations
#36038 Flaky test: org.keycloak.testsuite.broker.KcOidcBrokerTokenExchangeTest#testInternalExternalTokenExchangeStoredToken ci
#36053 IDPs can not be found anymore by "Issuer" value when exchanging tokens identity-brokering
#36055 Unnecessary text in documentation docs
#36061 NPE when Kerberos Server is unreachable core
#36090 Incompatible method of admin-client in Keycloak 26.1 and missing javadoc admin/client-java
#36117 max-count for session caches is not set by default for local Infinispan config dist/quarkus
#36121 Issue with "403 Forbidden" Access /admin/realms/{realm}/authentication/executions/{executionId} admin/api
#36168 Fix invalid url in keycloak.js log message adapter/javascript
#36172 "Remove role" alert text is wrong admin/ui
#36241 Profile attribute inputs incorrectly marked as required when minimum length is configured admin/ui
#36249 Error when re-authenticating when organization is enabled organizations
#36297 PasswordAgePolicy triggering NullPointerException when credentail does not have createdDate core
#36301 KeycloakServer application not working anymore testsuite
#36332 PersistentSessionsWorker: Cannot access delegate without a transaction ldap
#36347 Roll-back change to startup timeout operator
#36375 [Keycloak CI] - Bse IT/Store IT - IdentityProviderTest ci
#36394 CVE-2024-11736 Unrestricted admin use of system and environment variables
#36395 CVE-2024-11734 Denial of Service in Keycloak Server via Security Headers
#36401 Metric `vendor_jgroups_*` is unstable and can change in upcoming releases infinispan
#36410 When running Keycloak in testutils with Undertow, the admin UI thows NoMessageBodyWriterFoundFailure admin/ui
#36432 Too much space around "Forgot Password" button (keycloak.v2) login/ui

`v26.0.8`

Compare Source

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Enhancements

#33569 Show User Events on dedicated tab on Client-/User-Details
#34091 Username Form should support autocomplete login/ui

Bugs

#34072 The Realm Selection Dropdown Breaks After 50 Realms In Database admin/ui
#34207 logout with client_id and/or post_logout_redirect_uri results in bad request on logout confirmation page oidc
#34402 [Keycloak 26.0.2] Getting "Forbidden, permission needed: query-clients" as temp-admin admin/ui
#34675 Keys tab showing disabled and inactive keys as active admin/ui
#34995 MySQL database migration issue core
#35048 Filter events by user id and client not working admin/ui
#35052 `organizationEnabled` and `verifiableCredentialsEnabled` attributes are present as attributes in an export
#35273 Edit Help Mode descriptor for Roles in policy form admin/ui
#35290 Database migration fails after upgrading operator to v26.0.6 core
#35317 Token issuer is null in executeActionsEmail and sendVerifyEmail if no clientId is passed admin/api
#35324 Strange Random behavior - Intermittent missing organization claim in Keycloak JWT token organizations
#35410 SAML Adapter Galleon Pack for EAP8 cannot use new metadata options for layers adapter/saml
#35416 Mis-formatted definition list of hashing algorithms
#35421 Showing LDAP error message when failing to reset password ldap
#35475 Delete user confirm title is wrong admin/ui
#35481 Events: Wrong text for user id search admin/ui
#35488 [Jekins Keycloak CI] - RH-SSO EAP adapters remote saml tests ci
#35526 Initial keycloak bootstrap suggestion is not correct. dist/quarkus
#35544 Upgrading guide 26.0.6 is missing in the built document docs
#35634 Temporary password toggle in set password dialog is cut off in admin-console admin/ui
#35675 New install doesn't allow admin user creation dist/quarkus
#35822 Exact searches should be the default when querying user by attributes admin/api
#36394 CVE-2024-11736 Unrestricted admin use of system and environment variables
#36395 CVE-2024-11734 Denial of Service in Keycloak Server via Security Headers

`v26.0.7`

Compare Source

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Enhancements

#34882 Edits to Authorization Services guide
#34916 Addresse QE comments on Server Administration guide
#34931 Upgrade to ISPN 15.0.11.Final

Bugs

#10233 Locale Setting for Update Password Mail admin/api
#17233 the InfoPage after an ExecuteActionsEmail is not localized based on the user's locale authentication
#30631 Upgrade to 25 throws: Statement violates GTID consistency core
#32143 UserId too long to add Security Key WebauthN authentication/webauthn
#32648 RP-Initiated logout using `POST` method fails in cross-origin setup oidc
#32676 Flaky test: org.keycloak.testsuite.forms.BrowserButtonsTest#appInitiatedRegistrationWithBackButton ci
#33071 RESTART_AUTHENTICATION_ERROR in Iphone devices (using safari and chrome browser) oidc
#33195 Any one Client role mapping to user/group generating two events on admin events tab. core
#33810 Stabilise my-resources.spec test account/ui
#34233 Service accounts visible under user search in Admin console admin/api
#34391 Error on "check a11y" tests on Cypress admin/ui
#34560 Switching 'Email as Username' alters existing custom usernames to email addresses, causing LDAP sync issues core
#34572 Text in "Choose a policy type" is not wrapping admin/ui
#34590 Attributes missing in OrganizationRepresentation when using Admin REST API in Keycloak 26 admin/api
#34678 [Admin UI] [Create resource-based permission] Resource input is disabled admin/ui
#34858 Deprecated CLI options and new options are not stable in their sorting dist/quarkus
#34864 On logout from admin console, a serverinfo call with 401 response in the logs admin/ui
#34888 Authentication Link and IDP Fails with 400 Bad Request After Migrating to Version 26 and Delete Authentification authentication
#34899 Upgrade 24 to 25 fails because db jpa changes drop nonexisting indexes. core
#34930 Update Email doesn't update username when Email as Username and Attributes are enabled user-profile
#34944 Adding "sub" claim to lightweight access token causes HTTP 403 Forbidden Error in Keycloak 26.0.5 oidc
#34975 getAll() organization members only returns the first 10 members organizations
#34987 KC25 Migration guide for caching options needs clarification
#35006 Mis-formatted unordered list in the caching docs
#35015 Flaky test: org.keycloak.testsuite.model.session.AuthenticationSessionTest#testConcurrentAuthenticationSessionsRemoval ci
#35087 Flaky test: org.keycloak.testsuite.model.session.AuthenticationSessionTest#testConcurrentAuthenticationSessionsCreation ci
#35229 Fix typo in v24 changelog: "longer" -> "no longer" docs
#35232 reCAPTCHA v3 not working login/ui
#35276 Your login attempt timed out authentication
#35282 [Keycloak CI] - Test PoC failing on Keycloak 26.0 branch
#35288 Upgrade 26.0.5 -> 26.0.6 completely breaks admin events in the admin UI admin/ui
#35328 Error when creating a permission ticket when there are 2 or more Keycloak servers in a cluster authorization-services

`v26.0.6`

Compare Source

Highlights

Admin events might include now additional details about the context when the event is fired

Updates to documentation of X.509 client certificate lookup via proxy

Potential vulnerable configurations have been identified in the X.509 client certificate lookup when using a reverse proxy. Additional configuration steps might be required depending on your current configuration. Make sure to review the updated reverse proxy guide if you have configured the client certificate lookup via a proxy header.

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Enhancements

#34315 Update the Keycloak CPU and Memory sizing guide to reflect the new ec2 workder nodes
#34386 Some dynamic imported functions are also statically imported making bundling them in-efficient
#34570 Make documentation more clear that keycloak javascript adapter and node.js adapter are OIDC docs
#34855 Add conditional text to Installation Locations
#34873 Update Leveraging JaKarta EE in Server Development guide
#34887 Apply QE edits to High Availability guide

Bugs

#609 Workflow failure - Jakarta - SAMLServiceProviderTest.testAccessAccountManagement
#11008 Incorrect get the members of a group imported from LDAP ldap
#17593 Incorrect ldap-group-mapper chosen to sync changes to ActiveDirectory when several mappers with varying group paths used ldap
#19652 Members are inhereted from LDAP group with the same name ldap
#23732 JavascriptAdapterTest errors when running with strict cookies on Firefox ci
#27856 Social login - Stack Overflow test fails ci
#31456 Enabling/Disabling user does not work with Microsoft AD LDAP via Admin API/UI ldap
#32786 Organization Domain not marked as a required field in the Admin UI admin/ui
#33531 Previously entered translations should persist in the translation dialog for the attribute groups admin/ui
#34013 Add More Info to Organization Events organizations
#34065 Users without `view-realm` can't see user lockout state in Admin UI admin/ui
#34201 OIDC IdP Unable to validate signatures using validatingPublicKey certificate admin/ui
#34335 NPE in Organization(s)Resource when using Quarkus Rest Client admin/api
#34401 Incorrect Content-Type Expectation for POST /admin/realms/{realm}/organizations/{id}/members in Keycloak API admin/api
#34465 Missing help icons in Webauthn Policy and Webauthn Passwordless Policy missing in admin ui admin/ui
#34519 Clicking on link to Keycloak documentation from Keycloak admin UI does nothing instead of opening documentation admin/ui
#34549 Quarkus dev mode does not work dist/quarkus
#34572 Text in "Choose a policy type" is not wrapping admin/ui
#34603 NPE in InfinispanOrganizationProvider if userCache is disabled infinispan
#34624 Securing apps guide breaks downstream docs
#34634 Missing downstream explicit name for anchors docs
#34644 KC_CACHE_EMBEDDED_MTLS_ENABLED is ignored infinispan
#34671 `ClientConnection.getRemoteAddr` can return a hostname when behind a reverse proxy core
#34687 New credential templates broken in KC26 login/ui
#34905 [Keycloak CI] Outdated surefire artifacts names - Quarkus IT and UT ci
#35213 CVE-2024-10451 Sensitive Data Exposure in Keycloak Build Process
#35214 CVE-2024-10270 Potential Denial of Service
#35215 CVE-2024-10492 Keycloak path trasversal
#35216 CVE-2024-9666 Keycloak proxy header handling Denial-of-Service (DoS) vulnerability
#35217 CVE-2024-10039 Bypassing mTLS validation

`v26.0.5`

Compare Source

Highlights

LDAP users are created as enabled by default when using Microsoft Active Directory

If you are using Microsoft AD and creating users through the administrative interfaces, the user will created as enabled by default.

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Bugs

#31415 Selection list does not close after outside click admin/ui
#33607 Fix v2 login layout login/ui
#33618 No message for `policyGroupsHelp` admin/ui
#33640 Customizable footer (Keycloak 26) not displaying in keycloak.v2 login theme login/ui
#34301 Remove inaccurate statement about master realm imports docs
#34450 [26.0.2] Migration from 25.0.1 Identity Provider Errors identity-brokering
#34467 Do not rely on the `pwdLastSet` attribute when updating AD entries ldap

`v26.0.4`

Compare Source

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Enhancements

#34284 Keycloak-admin-client should work with the future versions of Keycloak server admin/client-java
#34382 Make the organization chapter of Server Admin guide available on downstream

Bugs

#14562 Broken Promise implementation for AuthZ JS adapter/javascript
#25917 Allow increasing wait time on each failure after the max number of failures is reached authentication
#33627 ClassNotFoundException OracleXADataSource/OracleDataSource using IDELauncher with Keycloak 26.0.0 dist/quarkus
#33731 Client Scope updates are not replicated on a distributed keycloak setup in kubernetes admin/api
#33798 CVE-2021-44549 - org.eclipse.angus/angus-mail: Enabling Secure Server Identity Checks for Safer SMTPS Communication dist/quarkus
#33987 keycloak.v2 registration: Password policy validation error "errorList is null" login/ui
#34042 LDAP Pagination not working for role membership in GET_ROLES_FROM_USER_MEMBEROF_ATTRIBUTE strategy ldap
#34050 Listing federated LDAP users is very slow with import enabled ldap
#34093 java.util.ConcurrentModificationException when process user sessions update infinispan
#34412 LDAP: searching users with import disabled is slower since fix for 34050 ldap

`v26.0.3`

Compare Source

`v26.0.2`

Compare Source

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Enhancements

#32110 [Documentation] - Configuring trusted certificates - Fully specify truststore path dist/quarkus

Bugs

#15635 oidc - JavaScript-Adapter LocalStorage#clearExpired does not clear all possible items adapter/javascript
#19101 Uncaught (in promise): QuotaExceededError adapter/javascript
#20287 When using `oidcProvider` config url (.well-known) it's not possible to use `silentCheckSsoRedirectUri` adapter/javascript
#28978 some GUI validation check missing admin/ui
#30832 Organization API not available from OpenAPI documentation admin/api
#31724 Logout not working after removing Identity Provider of user identity-brokering
#33072 Passkeys: Infinite (re-)loading loop on browsers with WebAuthn Conditional UI disabled authentication/webauthn
#33844 Wrong documentation link in keycloak-js readme docs
#33902 Not persisted config settings prevent server start dist/quarkus
#33948 [PERF] OpenTelemetry is initialized even when disabled
#33968 Not possible to close dialog boxes when clicking buttons or the close icon admin/ui
#33991 Doc CI - broken links error docs
#34009 grammatical error in "Managing Organizations" documentation docs
#34015 Home URL for security-admin-console is broken admin/ui
#34028 Custom keycloak login theme styles.css return error 404 login/ui
#34049 Org Invite: `linkExpiration` template variable represents 54 years in minutes organizations
#34063 Respect the locale set to a user when redering verify email pages user-profile
#34069 Do not show domain match message in the identity-first login when no login hint is provided organizations
#34075 Flaky test: org.keycloak.testsuite.broker.KcOidcBrokerTest#testPostBrokerLoginFlowWithOTP_bruteForceEnabled ci
#34095 Keycloak 26.0.0/26.0.1 Import Issue: Multiple Realms Not Imported, Duplicated Realm Imported Instead import-export
#34151 JS password validation doesn't work as intended with uppercase and lowercase minimum requirements login/ui
#34155 cli options starting or ending with ; or containing ;; mangle the cli handling dist/quarkus
#34224 Deleting a user leads to ISPN marshalling exception

`v26.0.1`

Compare Source

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Enhancements

#32152 Clarify the behaviour of multiple Operator versions installed in the same cluster operator
#33275 Better logging when error happens during transaction commit storage

Bugs

#8935 keycloak.js example from the documentation leads to error path adapter/javascript
#19358 Issue with concurrent user & group delete, unable to cleanup resource server user-policy & group-policy authorization-services
#31848 Repeated email verifications while logging in through IDP caused by email case sensitivity authentication
#32266 LDAP Import: KERBEROS_PRINCIPAL not updated when UserPrincipal changes and user already exists ldap
#32617 Nightly Cypress tests for the Admin Console are failing on Firefox admin/ui
#32844 Login V2: Missing "dir" attributes login/ui
#32847 Admin UI defaults to master realm even without permissions to it admin/ui
#32962 Possible issue with unavailable CryptoIntegration when using keycloak-authz-client with private_key_jwt and ECDSA algorithm oidc
#33513 Can get authorization code on a non verified user with some specific kc_action (AIA) oidc
#33539 Keycloak In Docker: ERROR: Strict hostname resolution configured but no hostname setting provided docs
#33549 Flaky test: org.keycloak.testsuite.broker.KcOidcBrokerTest#testPostBrokerLoginFlowWithOTP_bruteForceEnabled ci
#33557 Unable to submit forms in Safari account/ui
#33576 Broken links / anchors after KC26 release docs
#33578 In imported realms, the ability to use environment variables has disappeared import-export
#33585 Fix runaway asterisk formatting in TLS documentation docs
#33638 Non-optimized start command gives erroneous warnings for runtime spi options dist/quarkus
#33642 RTL not working on keycloak.v2 login template login/ui
#33645 keycloak-js register broken: createRegisterUrl not awaited adapter/javascript
#33699 Failure to redirect to organization IdP when the organization scope is included organizations
#33735 Organizations section is shown in account console if organizations is not enabled for a realm. account/ui
#33776 [Regression] 26.0.0 return empty "access: []" JWT for Docker-v2 Auth provider, resulting in "access denied" authentication
#33777 Error when adding or removing a user from an organisation when there are 2 or more Keycloak servers in a cluster organizations
#33780 Upgrade to 26 fails with 'ERROR: index "idx_us_sess_id_on_cl_sess" does not exist' core
#33814 NPE when device representation cannot be parsed authentication
#33817 NEP when Default Role is not present on CachedRealm infinispan
#33874 [Keycloak CI] - AuroraDB IT - Error creating EC2 runner instance
#33875 [Keycloak CI] - FIPS IT - Failed to fetch maven
#33883 Auth not possible for auth session where user was enabled in the meantime authentication
#33907 NPE thrown in whoami endpoint admin/ui
#33967 password is a required field admin/ui

`v26.0.0`

Compare Source

Highlights

Organizations supported

Starting with Keycloak 26, the Organizations feature is fully supported.

Client libraries updates

Dedicated release cycle for the client libraries

From this release, some of the Keycloak client libraries will have release cycle independent of the Keycloak server release cycle. The 26.0.0 release may be the last one when the client libraries are released together with the Keycloak server. But from now on, the client libraries may be released at a different time than the Keycloak server.

The client libraries are these artifacts:

Java admin client - Maven artifact org.keycloak:keycloak-admin-client
Java authorization client - Maven artifact org.keycloak:keycloak-authz-client
Java policy enforcer - Maven artifact org.keycloak:keycloak-policy-enforcer

It is possible that in the future, some more libraries will be included.

The client libraries are supported with Java 8, so it is possible to use them with the client applications deployed on the older application servers.

Compatibility of the client libraries with the server

Beginning with this release, we are testing and supporting client libraries with the same server version and a few previous major server versions.

For details about supported versions of client libraries with server versions, see the Upgrading Guide.

User sessions persisted by default

Keycloak 25 introduced the feature persistent-user-sessions. With this feature enabled all user sessions are persisted in the database as opposed to the previous behavior where only offline sessions were persisted. In Keycloak 26, this feature is enabled by default. This means that all user sessions are persisted in the database by default.

It is possible to revert this behavior to the previous state by disabling the feature. Follow the Volatile user sessions section in Configuring distributed caches guide for more details.

For information on how to upgrade, see the Upgrading Guide.

New default login theme

There is now a new version (v2) of the keycloak login theme, which provides an improved look and feel, including support for switching automatically to a dark theme based on user preferences.

The previous version (v1) is now deprecated, and will be removed in a future release.

For all new realms, keycloak.v2 will be the default login theme. Also, any existing realm that never explicitly set a login theme will be switched to keycloak.v2.

Highly available multi-site deployments

Keycloak 26 introduces significant improvements to the recommended HA multi-site architecture, most notably:

Keycloak deployments are now able to handle user requests simultaneously in both sites.
Active monitoring of the connectivity between the sites is now required to update the replication between the sites in case of a failure.
The loadbalancer blueprint has been updated to use the AWS Global Accelerator as this avoids prolonged fail-over times caused by DNS caching by clients.
Persistent user sessions are now a requirement of the architecture. Consequently, user sessions will be kept on Keycloak or Infinispan upgrades.

For information on how to migrate, see the Upgrading Guide.

Admin Bootstrapping and Recovery

In the past, regaining access to a Keycloak instance when all admin users were locked out was a challenging and complex process. Recognizing these challenges and aiming to significantly enhance the user experience, Keycloak now offers several straightforward methods to bootstrap a temporary admin account and recover lost admin access.

It is now possible to run the start or start-dev commands with specific options to create a temporary admin account. Additionally, a new dedicated command has been introduced, which allows users to regain admin access without hassle.

For detailed instructions and more information on this topic, refer to the Admin Bootstrap and Recovery guide.

OpenTelemetry Tracing preview

The underlying Quarkus support for OpenTelemetry Tracing has been exposed to Keycloak and allows obtaining application traces for better observability. It helps to find performance bottlenecks, determine the cause of application failures, trace a request through the distributed system, and much more. The support is in preview mode, and we would be happy to obtain any feedback.

For more information, see the Enabling Tracing guide.

OpenID for Verifiable Credential Issuance

The OpenID for Verifiable Credential Issuance (OID4VCI) is still an experimental feature in Keycloak, but it was greatly improved in this release. You will find significant development and discussions in the Keycloak OAuth SIG. Anyone from the Keycloak community is welcome to join.

Many thanks to all members of the OAuth SIG group for the participation on the development and discussions about this feature. Especially thanks to the Francis Pouatcha, Pascal Knüppel, Takashi Norimatsu, Ingrid Kamga, Stefan Wiedemann and Thomas Darimont

DPoP improvements

The DPoP (OAuth 2.0 Demonstrating Proof-of-Possession) preview feature has improvements. The DPoP is now supported for all grant types. With previous releases, this feature was supported only for the authorization_code grant type. Support also exists for the DPoP token type on the UserInfo endpoint.

Many thanks to Pascal Knüppel for the contribution.

Removal of GELF logging handler

GELF support has been deprecated for a while now, and with this release it has been finally removed from Keycloak. Other log handlers are available and fully supported to be used as a replacement of GELF, for example Syslog. For details see the Logging guide.

Lightweight access tokens for Admin REST API

Lightweight access tokens can now be used on the admin REST API. The security-admin-console and admin-cli clients are now using lightweight access tokens by default, so “Always Use Lightweight Access Token” and “Full Scope Allowed” are now enabled on these two clients. However, the behavior in the admin console should effectively remain the same. Be cautious if you have made changes to these two clients and if you are using them for other purposes.

Keycloak JavaScript adapter now standalone

Keycloak JavaScript adapter is now a standalone library and is therefore no longer served statically from the Keycloak server. The goal is to de-couple the library from the Keycloak server, so that it can be refactored independently, simplifying the code and making it easier to maintain in the future. Additionally, the library is now free of third-party dependencies, which makes it more lightweight and easier to use in different environments.

For a complete breakdown of the changes consult the Upgrading Guide.

Hostname v1 feature removed

The deprecated hostname v1 feature was removed. This feature was deprecated in Keycloak 25 and replaced by hostname v2. If you are still using this feature, you must migrate to hostname v2. For more details, see the Configuring the hostname (v2) and the initial migration guide.

Automatic redirect from root to relative path

User is automatically redirected to the path where Keycloak is hosted when the http-relative-path property is specified. It means when the relative path is set to /auth, and the user access localhost:8080/, the page is redirected to localhost:8080/auth.

The same applies to the management interface when the http-management-relative-path or http-relative-path property is specified.

It improves user experience as users no longer need to set the relative path to the URL explicitly.

Persisting revoked access tokens across restarts

In this release, revoked access tokens are written to the database and reloaded when the cluster is restarted by default when using the embedded caches.

For information on how to migrate, see the Upgrading Guide.

Client Attribute condition in Client Policies

The condition based on the client-attribute was added into Client Policies. You can use condition to specify for the clients with the specified client attribute having a specified value. It is possible to use either an AND or OR condition when evaluating this condition as mentioned in the documentation for client policies.

Many thanks to Yoshiyuki Tabata for the contribution.

Specify different log levels for log handlers

It is possible to specify log levels for all available log handlers, such as console, file, or syslog. The more fine-grained approach provides the ability to control logging over the whole application and be tailored to your needs.

For more information, see the Logging guide.

Proxy option removed

The deprecated proxy option was removed. This option was deprecated in Keycloak 24 and replaced by the proxy-headers option in combination with hostname options as needed. For more details, see using a reverse proxy and the initial migration guide.

Option `proxy-trusted-addresses` added

The proxy-trusted-addresses can be used when the proxy-headers option is set to specify a allowlist of trusted proxy addresses. If the proxy address for a given request is not trusted, then the respective proxy header values will not be used.

Option `proxy-protocol-enabled` added

The proxy-protocol-enabled option controls whether the server should use the HA PROXY protocol when serving requests from behind a proxy. When set to true, the remote address returned will be the one from the actual connecting client.

Option to reload trust and key material added

The https-certificates-reload-period option can be set to define the reloading period of key store, trust store, and certificate files referenced by https-* options. Use -1 to disable reloading. Defaults to 1h (one hour).

Options to configure cache max-count added

The --cache-embedded-${CACHE_NAME}-max-count= can be set to define an upper bound on the number of cache entries in the specified cache.

The `https-trust-store-*` options have been undeprecated

Based on the community feedback, we decided to undeprecate https-trust-store-* options to allow better granularity in trusted certificates.

The `java-keystore` key provider supports more algorithms and vault secrets

The java-keystore key provider, which allows loading a realm key from an external java keystore file, has been modified to manage all Keycloak algorithms. Besides, the keystore and key secrets, needed to retrieve the actual key from the store, can be configured using the vault. Therefore a Keycloak realm can externalize any key to the encrypted file without sensitive data stored in the database.

For more information about this subject, see Configuring realm keys.

Adding support for ECDH-ES encryption key management algorithms

Now Keycloak allows configuring ECDH-ES, ECDH-ES+A128KW, ECDH-ES+A192KW or ECDH-ES+A256KW as the encryption key management algorithm for clients. The Key Agreement with Elliptic Curve Diffie-Hellman Ephemeral Static (ECDH-ES) specification introduces three new header parameters for the JWT: epk, apu and apv. Currently Keycloak implementation only manages the compulsory epk while the other two (which are optional) are never added to the header. For more information about those algorithms please refer to the JSON Web Algorithms (JWA).

Also, a new key provider, ecdh-generated, is available to generate realm keys and support for ECDH algorithms is added into the Java KeyStore provider.

Many thanks to Justin Tay for the contribution.

Support for multiple instances of a social broker in a realm

It is now possible to have multiple instances of the same social broker in a realm.

Most of the time a realm does not need multiple instances of the same social broker. But due to the introduction of the organization feature, it should be possible to link different instances of the same social broker to different organizations.

When creating a social broker, you should now provide an Alias and optionally a Display name just like any other broker.

New generalized event types for credentials

There are now generalized events for updating (UPDATE_CREDENTIAL) and removing (REMOVE_CREDENTIAL) a credential. The credential type is described in the credential_type attribute of the events. The new event types are supported by the Email Event Listener.

The following event types are now deprecated and will be removed in a future version: UPDATE_PASSWORD, UPDATE_PASSWORD_ERROR, UPDATE_TOTP, UPDATE_TOTP_ERROR, REMOVE_TOTP, REMOVE_TOTP_ERROR

Customizable Footer in login Themes

The template.ftl file in the base/login and the keycloak.v2/login theme now allows to customize the footer of the login box. This can be used to show common links or include custom scripts at the end of the page.

The new footer.ftl template provides a content macro that is rendered at the bottom of the "login box".

Keycloak CR supports standard scheduling options

The Keycloak CR now exposes first class properties for controlling the scheduling of your Keycloak Pods.

For more details, see the Operator Advanced Configuration.

KeycloakRealmImport CR supports placeholder replacement

The KeycloakRealmImport CR now exposes spec.placeholders to create environment variables for placeholder replacement in the import.

For more details, see the Operator Realm Import.

Configuring the LDAP Connection Pool

In this release, the LDAP connection pool configuration relies solely on system properties.

For more details, see Configuring the connection pool.

Infinispan marshalling changes to Infinispan Protostream

Marshalling is the process of converting Java objects into bytes to send them across the network between Keycloak servers. With Keycloak 26, we changed the marshalling format from JBoss Marshalling to Infinispan Protostream.

Warning

JBoss Marshalling and Infinispan Protostream are not compatible with each other and incorrect usage may lead to data loss. Consequently, all caches are cleared when upgrading to this version.

Infinispan Protostream is based on Protocol Buffers (proto 3), which has the advantage of backwards/forwards compatibility.

Removal of OSGi metadata

Since all of the Java adapters that used OSGi metadata have been removed we have stopped generating OSGi metadata for our jars.

Group-related events no longer fired when removing a realm

With the goal of improving the scalability of groups, they are now removed directly from the database when removing a realm. As a consequence, group-related events like the GroupRemovedEvent are no longer fired when removing a realm.

For information on how to migrate, see the Upgrading Guide.

Identity Providers no longer available from the realm representation

As part of the improvements around the scalability of realms and organizations when they have many identity providers, the realm representation no longer holds the list of identity providers. However, they are still available from the realm representation when exporting a realm.

For information on how to migrate, see the Upgrading Guide.

Securing Applications documentation converted into the guide format

The Securing Applications and Services documentation was converted into the new format similar to the Server Installation and Configuration documentation converted in the previous releases. The documentation is now available under Keycloak Guides.

Removal of legacy cookies

Keycloak no longer sends _LEGACY cookies, which where introduced as a work-around to older browsers not supporting the SameSite flag on cookies.

The _LEGACY cookies also served another purpose, which was to allow login from an insecure context. Although, this is not recommended at all in production deployments of Keycloak, it is fairly frequent to access Keycloak over http outside of localhost. As an alternative to the _LEGACY cookies Keycloak now doesn8217;t set the secure flag and sets SameSite=Lax instead of SameSite=None when it detects an insecure context is used.

Property `origin` in the `UserRepresentation` is deprecated

The origin property in the UserRepresentation is deprecated and planned to be removed in future releases.

Instead, prefer using the federationLink property to obtain the provider to which a user is linked with.

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Deprecated features

#600 De-couple quickstarts from statically served Keycloak JS quickstarts

New features

#20342 Duplicate groups in the admin console of Keycloak admin/ui
#26178 Support dark mode, at least for the login pages login/ui
#29324 Bootstrapping an admin user using a dedicated command dist/quarkus
#29755 Support AES and HMAC Key-Imports for the JavaKeystoreKeyProvider
#30002 Bootstrapping an admin service account using a dedicated command dist/quarkus
#30009 Warnings for temporary admin user and service account core
#30011 Document admin bootstrapping and recovery docs
#30682 Group assignment: Display disabled information from user admin/ui
#30795 Initiate create events if ClientScopes are created
#31421 Add Events for Organization Creation and Member Assignment organizations
#31642 Include organization attributes and information in ID and access tokens organizations
#31643 Implement invitation-only self-registration for realm users organizations
#32030 Retry remote cache operations with back off
#32135 Option to specify trusted proxies dist/quarkus
#32553 Expose Password Policies in FreeMarker Context for Login Themes

Enhancements

#583 Update dependency on keycloak-client in main branch to 999.0.0-SNAPSHOT quickstarts
#10114 Specific events for webauthn register authentication/webauthn
#10492 Support proxy_protocol
#14073 SAML 2.0 HTTP-Artifact binding
#15769 update or replace base64-js and js-sha256 adapter/javascript
#16750 Google login - add prompt=select_account option core
#19564 response_type none is oidc spec but ignored in the current implementation. oidc
#19750 Use a proper FreeMarker template for the new consoles account/ui
#21072 Make sure identity providers are not send in realm GET requests and PUT requests used in "Realm settings"
#21261 Identity providers: Pagination in account console (and account REST API)
#21342 Upgrade login theme to PatternFly 5 login/ui
#23179 kcadm should have a command to verify connection admin/cli
#23596 Support generated ECDH realm keys oidc
#23597 Support ECDH-ES JWE algorithms oidc
#23771 Automatically hot reload TLS certificates when https-certificate-file or https-certificate-key-file changes on disk dist/quarkus
#24815 Hostname config check on welcome page
#25391 Improve auto behavior with operator and --optimized
#25541 Add an option for a custom welcome page to disable bootstrapping of admin account welcome/ui
#26262 Remove need to update Quarkus tests when profile features change dist/quarkus
#26470 Add a field to the RealmImportSpec to toggle replacing ENV variable placeholders
#27040 [keycloak-js] Expose didInitialize as a public method/property adapter/javascript
#27298 Validate spi options wrt build / run time dist/quarkus
#27432 Document how to specify CPU and memory limits/requests for the Operator operator
#27884 Automatic update of bcfips versions in the docs docs
#27947 Rename Dockerfile to Containerfile in the docs docs
#28017 Un-friendly error message for Fail Import option in keycloak GUI import-export
#28140 External Infinispan as cache - Part 1
#28311 Detect clients which refresh their access tokens too early
#28581 Support OpenTelemetry tracing
#28648 External Infinispan as cache - Part 2
#28754 External Infinispan as cache - Part 3 / login failures cache
#28755 External Infinispan as cache - Part 4 / user + client sessions online + offline
#29200 Clarify import/export usage of options
#29258 Support pod affinity settings in the Keycloak Operator operator
#29303 Active/Active XSite fencing
#29394 Infinispan Protostream
#29480 GET users endpoint is making lots of requests to the database storage
#29665 Please clarify in the docs that the replacement of KC_PROXY=edge is not just KC_PROXY_HEADERS, but one MUST set KC_HTTP_ENABLED=true.
#29698 Improve SAML2 Metadata Validation Exception messages saml
#29725 VC issuance in Authz Code flow with considering “scope” parameter oid4vc
#29974 Add support of RTL UI in login pages login/ui
#29986 private AuthzClient.createPatSupplier
#30003 Bootstrapping an admin user or service account at server startup dist/quarkus
#30004 Bootstrapping an admin user or service account using the Operator operator
#30010 Update the welcome page to create a temporary admin user dist/quarkus
#30094 Do not inherit 'https-client-auth' property for the management interface
#30118 Admin UI - Fixed save buttons on the bottom at the page
#30165 Handle proxy related env vars in the Operator operator
#30243 Protobuf schema compatibility check (maven plugin)
#30267 Protect the disabling of the main keycloak account admin/api
#30286 Add missing translation for oid4vc protocol
#30337 Introduce packages for organization tests organizations
#30338 Refactor organization tests organizations
#30346 Enhance masking around config-keystore dist/quarkus
#30419 Credential Issuer Metadata: Support Optional ```claims``` Object in ```credential_configurations_supported``` in ```openid-credential-issuer``` endpoint oid4vc
#30445 Batch cluster events
#30454 Server crash when using kc.sh with -Dkeycloak.profile=experimental dist/quarkus
#30525 Enhance Verifiable Credential Signing Service Flexibility and Key Rotation oid4vc
#30537 Document how Admin REST API endpoints work with Hostname config docs
#30542 Use correct scope within maven-plugin core
#30623 Make sure not possible to import jakarta classes in admin-client-jee admin/client-java
#30629 Cleanup dependencies of keycloak-client-registration-api to not have dependency on server admin/client-java
#30707 prevent removing the flow when used by client flow overrides authentication
#30743 Make sure users created through a registration link are managed members organizations
#30746 Allow auto-redirect existing users federated from organization broker when using the username organizations
#30747 Support for members joining multiple organizations organizations
#30829 Print keycloak's server response when using keycloak-admin-client admin/client-js
#30855 Make persistent user sessions and external Infinispan co-exist
#30856 Remove inclusive language foreword docs
#30873 Exchange VC Format class for String constantns oid4vc
#30880 Add vault support to JavaKeystoreKeyProvider core
#30907 Implement advanced verification of SD-JWT in Keycloak oid4vc
#30918 VerifiableCredential: Exchange java.util.Date for java.time.Instant oid4vc
#30924 Keycloak Operator should use the port name and not the port number for the ingress operator
#30931 Enable ProtoStream encoding for External Infinispan feature
#30934 Drop `AuthenticatedClientSessionStore` from user sessions
#30995 Document LDAP connection pool configuration
#30999 Make ProofType for CredentialRequest a string instead of enum oid4vc
#31005 Override of begin transaction in AbstractKeycloakTransaction
#31006 Conditionally redirect existing users to a broker based on their credentials organizations
#31029 Refactor HA guide
#31046 ConditionalRemove interface for External Infinispan feature
#31056 Avoid iterating and updating all group policies when removing groups authorization-services
#31064 Add simple cache to cache-local.xml
#31076 Oauth2GrantType.Context requires getter-methods oidc
#31086 Manipulate redirect on OpenID redirect with custom implementation oidc
#31183 Show Display Name (if available) and Realm Id on Realm Dropdown Button admin/ui
#31226 Release notes for JavaKeystoreProvider updates docs
#31343 Can we remove distribution/feature-packs directory? adapter/jee
#31388 [Organizations] Add a count() method to the OrganizationMembersResource core
#31390 Allow custom login themes to define a footer ftl fragment login/ui
#31438 Support for authenticating and issuing tokens in the context of a organization organizations
#31489 Remove keycloak-undertow-adapter-spi adapter/saml
#31491 Add a deprecation warning when old `KEYCLOAK_ADMIN`, `KEYCLOAK_ADMIN_PASSWORD` env vars are used dist/quarkus
#31513 Support lightweight access tokens for Admin REST API oidc
#31514 Allow Embedded Cache sizes to be configured via the CLI
#31547 Use correct error code in error response in token exchange token-exchange
#31548 Add issued_token_type to token-exchange response token-exchange
#31581 Allow optional inclusion of Issue At TIme (iat) and Not Before (nbf) claim to a verifiable credential oid4vc
#31625 import placeholders should be converted to an option
#31648 Change default name of bootstrap service account dist/quarkus
#31670 Make sure the storage provider ID is always available from `UserModel.getFederationLink`
#31676 Upgrade to Quarkus 3.13.2 dist/quarkus
#31681 Add x5c and jwk header to JWSBuilder oidc
#31699 Optimize Remote Infinispan performance on removal of entry
#31701 Optimize CPU cycles for persistent sessions
#31725 Revoked tokens table is missing an index
#31766 Client Policy - Condition : Client - Client Attribute oidc
#31786 The console takes a very long time to display group members with LDAP provider ldap
#31807 Simplify enabling MULTI_SITE setup in KC26
#31816 Class CertificateUtils should support creation of EC certificates oidc
#31845 JavaScript build should not cache Keycloak Java artifacts and should rotate PNPM cache
#31876 Non clustered Keycloak with External Infinispan feature
#31894 Redirect after cancelling a required action should contain kc_action parameter authentication
#31908 Add docs for the OpenTelemetry tracing docs
#31932 Upgrade to next Quarkus LTS dist/quarkus
#31963 Upgrade to Infinispan 15.0.7.Final
#32023 Add ECDH-ES encyption algorithms to the java keystore key provider core
#32033 References to removed artifacts and obsolete properties in root pom.xml
#32056 OTEL: Service name isn't configurable and doesn't comply with conventions
#32095 OTEL: Dynamic service name for tracing in K8s environment operator
#32131 Remove session related caches from external Infinispan in HA guide
#32158 Add an endpoint to the `organizations` endpoint to return the organizations for a given user organizations
#32188 Quarkus IDE Debugging should set JVM options like kc.sh
#32198 error message "Address already in use" should state which address/port in particular
#32231 OTEL: Profile Feature dist/quarkus
#32265 Enable persistent sessions by default
#32273 Optimize Persistent Sessions SQL for session list
#32312 Relocate Quarkus resteasy-reactive dependencies to REST
#32314 Syslog: add necessary options to cover the major usability dist/quarkus
#32328 Upgrade to Infinispan 15.0.8
#32343 Upgrade Keycloak's sizing guide for KC26 and persistent sessions
#32387 Documentation for persistent sessions enabled by default
#32388 Make update IdentityProvider admin REST API more efficient.
#32389 Upgrade to Quarkus 3.13.3 dist/quarkus
#32416 Skip creating sessions cache when Persistent Sessions is enabled
#32428 Performance optimization when checking secure context
#32517 Upgrade to Quarkus 3.14.2 dist/quarkus
#32525 Document Syslog app-name option
#32579 Set autocomplete="one-time-code" in OTP login form login/ui
#32582 Remove tables `user_session`, `user_session_note` and `client_session`
#32583 Review the number indexes for offline session tables
#32586 Remove keycloak-core and keycloak-crypto-default from SAML galleon feature pack and upgrade them to Java 17 dependencies
#32588 Search Identity Providers by alias or display name
#32590 Remove `version()` projection from Ickle Queries
#32596 Rename `remote-cache` Feature
#32619 Possibility to separately specify log levels for log handlers
#32683 Optimize LogoutEndpoint.backchannelLogout endpoint identity-brokering
#32717 Make it explicit which options are needed when using optimized image with the Operator operator
#32745 Review the RTO and RPO in the multi-site docs after the A/A failure and recovery tests
#32746 Add organization id to the organization claim of the access token
#32803 Update the HA guide with fencing lambda taking Infinispan caches offline
#32804 Remove `org.keycloak.utils.ProxyClassLoader`
#32845 Add client side password policy checks
#32852 Prevent deadlocks on concurrent user updates
#32863 Redirect to relative-path from the root path dist/quarkus
#32906 Reduce the cost of updating user attributes in JPA store core
#32968 [OID4VCI] Show OpenID4VCI Credential Issuer Metadata link in admin ui oid4vc
#32970 Upgrade to Quarkus 3.14.4 dist/quarkus
#33010 Bootstrap admin client should use lightweight access tokens dist/quarkus
#33015 FolderThemeProvider should select theme from available themes core
#33040 Provide more information when there is an error to possibly debug
#33143 Add the Troubleshooting and Health checks guide to Keycloak
#33163 Use INFO Log Level for status in Migration Logic in DefaultMigrationManager
#33201 [Organizations] Allow orgs to define the redirect URI after user registers or accepts invitation link organizations
#33203 Explicitly document that the Operator does not create an Ingress for Admin URL operator
#33325 Refactor loading resources from themes
#33384 Document supported configurations and limitations for multi-site
#33405 Use feature versions for admin3, account3, and login2
#33426 Minor tweaks in SAML documentation adapter/saml
#33515 Use `crypto.randomUUID()` to generate UUIDs for Keycloak JS adapter/javascript

Bugs

#555 Failures in `ExtendAdminConsoleTest` quickstarts
#565 Build fails in the extension quickstarts
#567 Tests in user-storage-simple quickstart are failing in main branch quickstarts
#572 Action-token quickstarts don't compile with latest Keycloak quickstarts
#574 Incorrect Keycloak version in the main branch of quickstarts quickstarts
#595 Jakarta tests are failing with latest main quickstarts
#607 Workflow failure - JavaScript quickstarts
#10730 realm import: error if ldap groupmapper has a group path set import-export
#13505 locale attribute not set after registration authentication
#17857 New Admin UI does not send e-mails if account-client is disabled core
#19070 authBaseUrl error on different hostname-admin-url, hostname-url admin/ui
#20371 Double form submit in Admin UI possible leading to error mesages admin/ui
#20431 Fine-grained admin permission client manage does not work admin/ui
#23028 Documentation: Authorization Services documentation contains duplicated image authorization-services
#23496 Rename "Realm name" field to "Realm ID" field in realm creation screen admin/ui
#25234 front channel logout to clients are not called at Identity Proxy when using front channel logout to Identity Provider( oidc
#25339 "Invalid Username" when "Email as Username" is used and the email contains special characters user-profile
#25440 page-expired error page shown when using browser back-button on forgot-password page after invalid login attempt authentication
#25794 Flaky test: org.keycloak.testsuite.model.DBLockTest#testTwoLocksCurrently storage
#25837 Infinispan Cache(embedded) data is not being updated during mergeView event infinispan
#26042 Issue when start-dev in 23.0.1 dist/quarkus
#26117 Flaky test: org.keycloak.testsuite.oidc.AuthenticationMethodReferenceTest#testAmrPastMaxAge oidc
#26176 Flaky test: org.keycloak.testsuite.forms.RecoveryAuthnCodesAuthenticatorTest#test03AuthenticateRecoveryAuthnCodes authentication
#26435 NullPointerException when using client scope policy for token-exchange token-exchange
#26794 MULTIVALUED_LIST_TYPE not working for client mappers admin/ui
#27506 Readable realm name no longer visible in logs, but realm id is used instead core
#27536 "User Profile" attributes not available for Users Attribute search and Attribute selection, if no view or manage realm realm-management role added account/ui
#27677 Translations missing for user events in admin ui translations
#27941 Entry 999.0.0 in MIGRATION_MODEL prevents future migrations of the database core
#28020 Firefox Webauthn Registration "SecurityError: The operation is insecure." authentication/webauthn
#28418 SSO Session Idle: session is still active after session idle time expired oidc
#28489 Missing help text on tokens tab admin/ui
#28633 Client roles won't open (Forbidden) with Fine Grained Permission (without view-clients realm-management role) account/ui
#28643 Encountering `NullPointerException` - `KeycloakIdentity.getUserFromToken()` when running `admin-ui` locally admin/ui
#28865 NullPointerException on RealmCacheSession when upgrading Keycloak 23.0.4 to 24.0.2 infinispan
#28953 Flaky test: org.keycloak.testsuite.actions.RequiredActionUpdateProfileTest#updateProfileWithoutRemoveCustomAttributes ci
#29098 User profile validation pattern error-message not rendered from messages_en.properties admin/ui
#29211 Network error attempting to view default realm roles without permissions admin/ui
#29271 TrustedHostClientRegistrationPolicyTest#testGithubDomain failing in clean checkout testsuite
#29385 Restart authentication event type is not generated authentication
#29407 Need refresh attributes group translations on Users > Details tab admin/ui
#29413 Realm client unset protocol not preserved admin/ui
#29468 realm_settings_general_tab_test.spec fails randomly admin/ui
#29486 Default theme logs font related console errors on firefox login/ui
#29542 The EmailEventListenerProvider throws an exception on brute force lockout events authentication
#29566 User Profile attributes/groups in Admin UI are not translated using Localization for non-master realm when signed in the master realm account/ui
#29615 Get effective roles for user needs more privileges than expected admin/api
#29761 bug: disabling all default features no longer works core
#29784 Exception while trying to run a LDAP sync with a group importer and a batch size less then the actual number of groups ldap
#29866 Missing Cache-Control header when "response_type" parameter is missing in login request authentication
#29878 Updating a client protocol mappers through Admi CLI (kcadm) resets the client service account roles admin/cli
#29978 Admin UI slow performance loading 600+ realms admin/ui
#30048 Save button is not activated at first modification on "Client scope details" admin/ui
#30111 Flaky test: org.keycloak.testsuite.oauth.TokenIntrospectionTest#testUnsupportedToken ci
#30115 Admin v2 theme - theme.properties Custom theme scripts not loading admin/ui
#30143 User in subgroup not synchronized and still appears as not in the subgroup account/ui
#30181 [DPoP] token_type on UserInfoEndpoint expects Bearer instead of DPoP oidc
#30188 Flaky test: org.keycloak.testsuite.broker.KcOidcBrokerTest#testPostBrokerLoginFlowWithOTP_bruteForceEnabled ci
#30201 Keycloak CI - failure in Store IT (aurora-postgres) ci
#30235 Flaky test: org.keycloak.testsuite.model.user.UserModelTest#testAddRemoveUserConcurrent ci
#30236 Flaky test: org.keycloak.testsuite.model.user.UserModelTest#testAddRemoveUserConcurrent ci
#30240 Custom attributes are removed during UPDATE PROFILE event core
#30271 Client role descriptions are not localized admin/ui
#30276 The "Quarkus development mode" instructions in quarkus/README.md throw a ForkJoinPool error dist/quarkus
#30284 Executor consent-required does not work for client-roles condition oidc
#30300 Upgrade to Keycloak 25 - Table 'USER_CONSENT' is specified twice on MySQL/MariaDB database core
#30302 Methods of SimpleHttp are after change now too much protected core
#30305 Importing organizations failing if there is no broker and members in the representation organizations
#30306 Upgrade to Keycloak 25 - Events bug in UI admin/ui
#30308 Organization resources in keycloak-admin-client-jee have dependencies on jakarta admin/client-java
#30312 Add an alias to organization organizations
#30313 Expose organization to theme templates organizations
#30329 Client secret rotation UI shows wrong rotated secret admin/ui
#30332 Operator fails to patch ingress after update to 25.0.0 operator
#30334 RESTART_AUTHENTICATION_ERROR when login in in private browser window after 25.0.0 update core
#30335 Google login on Social login test is failing ci
#30339 Identity-first login flow should be followed by asking for the user credentials rather than allowing providing the username again organizations
#30351 Migration of sessions in KC25 should run only on migration, not on imports
#30355 New operator failing on health checks operator
#30368 Documentation : label error for persistent-user-sessions feature flag docs
#30380 Incorrect warning log about deprecated options hostname, hostname-debug dist/quarkus
#30383 Account Console (v3) no longer highlights the current page in the nav bar account/ui
#30414 Login / Admin events filter by date under realm Events return incorrect results storage
#30417 Keycloak 25 db guide shows unevaluated "ifeval docs
#30425 Built-in scopes are not translated in the account console "applications" tab account/ui
#30432 keycloak hostname:v2 /admin used on "hostname" instead of "hostname-admin" admin/ui
#30434 Improvements for ldap test authentication ldap
#30436 Client Roles are not shown when clientId property is set admin/ui
#30440 UI theme bug in KC 25.0.0 admin/ui
#30449 Migration stuck if versions incompatible operator
#30460 The `start` command should automatically re-build when previous run was `start-dev` dist/quarkus
#30476 All user attributes readonly in admin ui and admin API after setting edit mode of one user federation to READ_ONLY core
#30485 Fix LoginFailureEntity protostream encoding infinispan
#30492 partial_import_test fails randomly admin/ui
#30511 Fix AuthenticatedClientSessionEntity protostream encoding infinispan
#30520 Flow steps back when changing locale or refreshing page on "Try another way page" authentication
#30521 "Client Offline Session Max" no longer available admin/ui
#30541 Account UI resources try to load from admin path instead of frontend path account/ui
#30550 [UI] group selection does not update attribute tab admin/ui
#30552 After migrating from 24 to 25, the signature algorithms names do not display in drop down menu admin/ui
#30582 Localization prevents update of user-profile attributes admin/ui
#30591 Invalid character in spanish translation file for Identity Provider Link Template translations
#30599 client-jwt authentication fails on Token Introspection Endpoint oidc
#30604 Network response was not OK. saml
#30614 token exchange: exchange-sequence fails with Client session for client 'client-exchanger' not present in user session token-exchange
#30641 Flaky test: org.keycloak.testsuite.broker.KcSamlBrokerTest#testPostBrokerLoginFlowWithOTP_bruteForceEnabled ci
#30652 Default server port is used instead of the management interface port in the guide about running Keycloak in a container
#30662 User policy -> select user shows user id instead of user name. admin/ui
#30663 A theme called `custom` is displayed as `Custom Attribute...` in the admin console admin/ui
#30677 LDAP connection pool params(maxsize, initsize, prefsize) picked up from backend ComponentModel and are not visible in Keycloak admin console ldap
#30678 Require SSL mode "External requests" does not work with IPv6 local addresses dist/quarkus
#30683 Infinite loader on the admin console for non-admin users admin/ui
#30703 Recovery codes missing from account console docs
#30705 Full details of errors not shown in admin and account console account/ui
#30706 Internal error occurs for the removed flow which override by the client authentication
#30712 Remove of Multivalued Attribute due to - Adding translations when a new attribute is created admin/ui
#30717 Broken external links docs
#30730 Cannot explicitly disable KERBEROS feature core
#30758 Docs: server_admin/topics/login-settings/acr-to-loa-mapping.adoc docs
#30761 Protobuf deserialization has a default of an empty String core
#30765 fallback to the no override flow when the flow is missing in client override authentication
#30772 Rendering of granted client scopes in User Consents view broken in Admin UI admin/ui
#30794 Filtering by Client ID in the "User Client Role" mapper does not work anymore admin/ui
#30816 Docs: server_development/topics/themes.adoc docs
#30821 Testing connection to ldap on the settings page does not work in 25.0.1 ldap
#30837 Cannot find requested client with clientId ldap
#30840 Incorrect order when instantiate ClientRemovedEvent infinispan
#30857 Check for being Offline type in refresh token flow must be done based on refresh token request parameter oidc
#30866 admin-cli invalid credentials admin/cli
#30874 DPoP Keycloak JS Adapter docs
#30917 reCAPTCHA Enterprise v3 - Unrecognized field "accountDefenderAssessment" core
#30935 Incorrect version comparison in ModelVersion storage
#30941 Fix docs about User Storage SPI JPA quickstart docs
#30945 Keycloak operator adds proxy by default which is depreacted operator
#30947 Error when trying to edit authentication sub-flow name / description admin/ui
#30967 Keycloak is not working in IBM AIX OS. dist/quarkus
#30969 Brute force protection: Lockout permanently uses parameters configured under lockout temporarily core
#30992 Realm cannot be deleted if there are tons of consents storage
#31001 User Federation settings changing when saving admin/ui
#31014 "Verify Email" may cause other Required Actions to be ignored authentication
#31021 Styling of recovery codes seems wrong login/ui
#31023 Keycloak 25 - protocol_mapper_config stores client_uid in usermodel.clientRoleMapping.clientId instead of client_id admin/ui
#31038 Home URL for account-console / security-admin-console broken in admin-ui admin/ui
#31040 Cannot reorder custom auth flow executions in admin-ui admin/ui
#31045 Users cache clears after creating client scope. infinispan
#31050 Caching docs should name parameter runtime parameters, not build parameters docs
#31062 Updating dynamically registered client's metadata drops `preferred_username` from ID token core
#31070 Search doesn't work for nested groups admin/ui
#31083 Docs: server_admin/topics/admin-console-permissions/fine-grain.adoc authorization-services
#31085 MULTIVALUED_STRING_TYPE not displaying 1 value while more than 1 value is working fine admin/ui
#31107 Not able to remove otp credential of user account/api
#31111 inputOptionLabelsI18nPrefix is take into consideration only for login-ui account/ui
#31115 Review filtering of session returned from the sessions cache core
#31143 KC.ORG user attribute shown - even if the organizations feature for the realm is disabled admin/ui
#31144 "Can not update organization group" error when trying to create organisation from REST API organizations
#31153 Cannot set unmanagedAttributePolicy without profile attributes admin/api
#31161 Keycloak 25: Only first required action is executed core
#31165 Re-enabling a temporarily locked user (brute-force) deletes all user properties and attributes admin/ui
#31166 A lot (really!) dropdown/select fields in admin-ui remain open after selecting an action/entry. admin/ui
#31167 After creating a new authentication flow and returning to the list, the "Used by" column displays "flow.undefined" admin/ui
#31169 Wrong Sync Mode of newly created external IdentityProvider admin/api
#31171 Single use tokens, like action tokens, has a claim `expiration` core
#31182 Realm export - duplicated elements in browser flow. Organization user must click login button multiple times. import-export
#31187 Recaptcha links changed in the Google Docs docs
#31196 The check for userdn in test ldap should consider that AD proxy user can be in non DN format ldap
#31204 Bruteforce protector does not work when using organizations organizations
#31216 #kc-form-options div not wrapping its content correctly in login-password.ftl login/ui
#31218 Clarify if JGroups thread metrics can be shown with embedded Infinispan
#31219 [Docs] Broken link in Server Admin guide for JWT_Auth wiki docs
#31224 Offline tokens created in Keycloak 9 will not work on Keycloak 25 oidc
#31228 Userprofile/Translation: user attribute cannot be saved because no translation was (even though it is present) admin/ui
#31240 Can't update the user where userName contains uppercase letters core
#31244 IdP redirect URL shows hostname_admin admin/ui
#31246 All pubic brokers are shown during authentication rather than only those associated with the current organization organizations
#31260 Download of Recovery Codes broken. File contains no Recovery Codes. login/ui
#31267 multiple ldap url's not working on one realm ldap
#31276 Account console won't load when using URL having a path as hostname config account/ui
#31291 Incosistent casing of built-in flow descriptions core
#31296 Revoke access tokens for persistent user sessions storage
#31304 Hide save / update buttons in account console for READ_ONLY federated accounts account/ui
#31319 keycloak.v2 broken in main login/ui
#31341 Keycloak URL for Brokerage in Admin UI still suggests "/realms" in the path admin/ui
#31368 logging-pattern failure in token-exchange token-exchange
#31386 Joining group for user doesn't list correct number of groups admin/ui
#31410 call to group-by-path does not return subGroupCount admin/api
#31413 Wrong command in exposing metrics from caches section docs
#31420 Seeing `Client cannot marshall the server's key media type` with external Infinispan after 25 upgrade infinispan
#31444 keycloak Public Client secret are updated frequently admin/api
#31466 Duplicate Key "validatingX509CertsHelp" in admin-ui messages admin/ui
#31480 dynamic MultiValuedListComponent default value not stringified admin/ui
#31515 Export users throws Disabled option: '--users' in v25 import-export
#31519 Admin API extremely slow with service account and fine-grained authorization `view-users` admin/fine-grained-permissions
#31537 Creating client roles with fine grained permissions is not possible admin/fine-grained-permissions
#31545 Event tables have broken aria-labels admin/ui
#31558 MSSQL test container can't start ci
#31563 Link existing account to SSO by email not linking since v23 login/ui
#31575 AdvancedClaimToGroupMapper throws Exception if no claims are configured identity-brokering
#31585 Credential offer endpoint fails with 500 when bearer token has expired oid4vc
#31592 Description field for roles creation could be better instead of ${} values admin/ui
#31595 Misconfiguration of login settings causes login to not be possible admin/api
#31598 CURL commands in build don't check the response code ci
#31603 Can't delete kerberos user storage
#31612 Store Model Tests (jpa+cross-dc-infinispan+persistentsessions) - org.keycloak.testsuite.model.session.SessionTimeoutsTest infinispan
#31614 Endpoint /admin/users Degradation Based on Role admin/fine-grained-permissions
#31633 localization not work with user attribute display name in users add admin/ui
#31640 Admin Console Spins with hostname:v2 using security-admin-console Redirect URIs docs
#31687 "Use metadata descriptor URL" switch is always set to "On" admin/ui
#31704 ID is used as tab name instead of localized string admin/ui
#31712 The OID4VCI cross-device flow should not require the device to have an access token oid4vc
#31718 Documentation for `Delete Credential` action and related changes authentication
#31760 Persist revoke tokens with remote cache feature storage
#31780 SAML IdP configure does not parse IdP metadata.xml correctly saml
#31781 Keycloak 25 SAML IdP has made Single Logout URL mandatory. saml
#31818 Management Interface is turned on even though nothing is exposed on it dist/quarkus
#31823 Ignoring JWK key Missing required field 'use' still happens in keycloak version 25.02 identity-brokering
#31828 EmbeddedInfinispanSplitBrainTest fails with "IllegalState Session not bound to a realm" core
#31829 Deleted authentication sessions should not be re-surrected with an update core
#31858 Custom component persist only some config keys admin/api
#31864 Certificate-Generation with EC signing RSA and vice versa does not work oidc
#31881 Flaky test: org.keycloak.testsuite.forms.BruteForceTest#testRaceAttackPermanentLockout ci
#31882 Realm roles that do not exist are displayed in "Default roles" when "Hide inherited roles" is not checked admin/ui
#31892 Client secret is visable in Admin event representation when Credentials Reset action performed for the Client. admin/api
#31893 In realm role ellipsis value is null admin/ui
#31918 Network error attempting to view events without permissions admin/ui
#31929 Network error attempting to view user registeration without permissions admin/ui
#31931 Failure to generate Ed448 token authentication
#31941 Cache guide does not properly print `cache-stack` values docs
#31944 Filter organization brokers in the account console organizations
#31947 Fix server guide cross-references for downstream docs docs
#31956 Admin console not usable when instance has a 1000 realms admin/ui
#31972 Unstable test ExternalInfinispanTest testsuite
#32016 `My password` string in `Signing in` page not getting translated in `keycloak.v3 account` theme account/ui
#32025 Not possible to import realm with newest Java admin-client against Keycloak 24 admin/client-java
#32059 Look around window cannot be set to 0 admin/ui
#32084 SAML adapter IdMapperUpdaterSessionListener not executed when session ID changes adapter/saml
#32100 Remember Me with External Infinispan is not works properly infinispan
#32108 [Scalability of IDPs] Follow up: ensure organization aware IdentityProviderModel is used in the infinispan IDPProvider
#32117 Impossible to import RolePolicy with newest admin-client against Keycloak 24 admin/client-java
#32127 Offline session bug on 25.0.2 core
#32136 Missing TypeScript `populateHierarchy` param for keycloak admin client admin/client-js
#32150 Session list doesn't handle non-existing client gracefully core
#32153 Remote Infinispan code must not call JPA code in non-blocking thread core
#32156 SingleSelect-kind readonly attribute is not disabled in account console account/ui
#32176 Bootstrap options missing from help dist/quarkus
#32178 Table names for persistent sessions upgrading guide is wrong docs
#32180 Session list not appearing: SQL Error "The incoming request has too many parameters"
#32182 `show-config` command outputs duplicate options dist/quarkus
#32194 UserRemovedEvent does not contain all user attributes infinispan
#32195 Migration to persistent sessions fails from Keycloak version <22 storage
#32197 Keycloak reuses AUTH_SESSION_ID of logged out sessions login/ui
#32205 Endpoint configurations shows hostname_admin admin/ui
#32238 Brokers associated with organization not filtered when linking brokers with an organization organizations
#32256 Flaky test: org.keycloak.testsuite.forms.BruteForceTest#testRaceAttackPermanentLockout ci
#32259 [Keycloak CI] - AuroraDB IT fails to start on EC2 due to lack of entropy regression storage
#32305 Temporary admin account notice logged to org.keycloak.events dist/quarkus
#32333 Legacy `KEYCLOAK_ADMIN` environment variable is not working dist/quarkus
#32368 KeycloakRealmImport not working with Istio service mesh operator
#32392 Validate organization alias for forbidden chars organizations
#32402 Additional datasources do not work dist/quarkus
#32415 Missing translations for required action webauthn-register login/ui
#32419 Joining group with text filter does not show all results even if backend returned them admin/ui
#32425 Duplicate message keys in admin messages_en.properties admin/ui
#32435 Multiple Logout Confirmation Actions Trigger NullPointerExceptions core
#32451 Wildcard search not working for custom user attributes admin/api
#32460 When Organization feature is enabled UserAdapter.getGroupsCount() returns wrong result organizations
#32465 SocialLoginTest failing after switching to the new IDP Provider
#32468 Warning Banner for Temporary Admin User shouldn't be placed under breadcrumbs admin/ui
#32473 Flaky test: org.keycloak.testsuite.webauthn.WebAuthnIdlessTest#testWebAuthnIDLessAndWebAuthnAndWebAuthnPasswordlessLogin ci
#32477 Flaky test: org.keycloak.testsuite.forms.ResetPasswordTest#resetPasswordWrongSmtp ci
#32478 Flaky test: org.keycloak.testsuite.forms.ResetPasswordTest#resetPasswordWithPasswordHistoryPolicy ci
#32481 Drag & drop issue with the step order in the Authentication settings of the Admin Console admin/ui
#32486 Identity Provider secret visible in Organization tab (API request) organizations
#32492 Welcome screen logo is bigger then the one on login welcome/ui
#32498 Flaky test BruteForceTest.testPermanentLockout() core
#32503 Flaky test: org.keycloak.testsuite.webauthn.WebAuthnTransportsTest#internalTransport ci
#32510 Login v2 username form login/ui
#32512 [Keycloak CI] - BruteForceTest.testPermanentLockout failures login/ui
#32513 [Keycloak CI] - OrganizationBruteForceTest.testPermanentLockout failures login/ui
#32514 [Keycloak CI] - ResetPasswordTest.resetPasswordExpiredCode failures login/ui
#32515 Invalid client data in /login-actions/authenticate causes an uncaught server error and a HTTP 500 response code authentication
#32531 Cannot invoke "org.keycloak.authentication.RequiredActionFactory.isConfigurable()" because "factory" is null account/ui
#32533 Admin UI messages sometimes miss details, and sometimes refer to details in the logs which are missing admin/ui
#32541 Flaky test: org.keycloak.testsuite.forms.ResetPasswordTest#resetPasswordLinkNewTabAndProperRedirectClient ci
#32542 Flaky test: org.keycloak.testsuite.forms.ResetPasswordTest#resetPasswordLinkNewBrowserSessionPreserveClient ci
#32544 Multiple bugs in the experimental UiTabProvider / UiTabProviderFactory admin/ui
#32546 "Include Client Audience" field is not mandatory admin/ui
#32547 The set value ‘Default Admin-Initiated Action Lifespan’ has no effect on the ‘Credential Reset’ form admin/ui
#32548 Flaky test: org.keycloak.testsuite.webauthn.registration.UserVerificationRegisterTest#required ci
#32554 CRDs for the Operator are generated multiple times during the build operator
#32605 Flaky test: org.keycloak.testsuite.webauthn.WebAuthnTransportsTest#nfcTransport ci
#32606 Flaky test: org.keycloak.testsuite.webauthn.WebAuthnTransportsTest#bluetoothTransport ci
#32609 Continuous loading screen instead of access denied on account info page account/ui
#32615 Forms IT (chrome) ResetOtpTest fail testsuite
#32622 InvalidDestination Error for IDP-initiated SSO with Keycloak behind a Reverse Proxy saml
#32623 OAuth login error with custom scheme oidc
#32624 "Authentication" Link in Admin Portal Fails with 400 Bad Request After Migrating to Version 25 admin/ui
#32641 Help text under text field admin/ui
#32643 Dots are not allowed in the path in Hostname v2 dist/quarkus
#32678 Flaky test: org.keycloak.testsuite.forms.ResetPasswordTest#resetPasswordBeforeUserIsDisabled ci
#32689 Unable to import master realm with --import-realm dist/quarkus
#32698 On backchannel logout, a user ID with a dot on the broker side breaks the logout by user core
#32731 KeyCloak Admin Client uses non-standard `@NoCache` annotation which is an issue for Quarkus admin/client-java
#32736 In the account console when I update the password the referrer dissapears account/ui
#32755 Leftover code in login-passkeys-conditional-authenticate.ftl login/ui
#32758 Keycloak admin console interface is out of screen admin/ui
#32761 The endpoint /admin/realms/{{realm}}/groups/{{group-id}}/members potentially fetch all user in database admin/api
#32764 When forcing re-authentication by passing maxAge value as 0 does not work adapter/javascript
#32770 Adapters backward compatibility tests are failing ci
#32782 `@noble/hashes/sha256` is bundled into Keycloak JS adapter/javascript
#32784 Flaky test: org.keycloak.testsuite.url.HostnameV2Test ci
#32789 CVE-2024-7318 - Use of a Key Past its Expiration Date in org.keycloak:keycloak-core
#32798 Custom theme and not existing image: error 500 (No enum constant org.keycloak.theme.Theme.Type.IMG) login/ui
#32799 Realm import fails when client configures default_acr values import-export
#32802 Lightweight access token is not working for bootstrap admin client oidc
#32817 Error when deploying SAML application with the keys in PEM format inside keycloak-saml.xml adapter/saml
#32829 Login V2 theme: Pages specify fewer tabindex entries login/ui
#32830 Login v2 theme: Auto-focus on input fields no longer working and autocomplete changed login/ui
#32833 TOTP QR codes broken when realm display name contains colon character core
#32834 Admin UI does not display admin events expiration admin/ui
#32860 Database index creation isn’t skipped on large data sets in Keycloak 24 storage
#32870 Increased DB activity due to changes in LDAPStorageManager.searchForUserByUserAttributeStream ldap
#32880 Flaky test: org.keycloak.testsuite.forms.RegisterTest#registerExistingEmailAllowed ci
#32881 Flaky test: org.keycloak.testsuite.forms.RegisterTest#registerUserNotContainsUsernamePasswordPolicy ci
#32891 Exceptions on X509 authentication are logged without a stack trace core
#32892 [Store Model Test] Failed test org.keycloak.testsuite.model.session.UserSessionPersisterProviderTest#testOnRealmRemoved ci
#32896 Inconsistency of the access token iat after setting the time offset in the test suite authentication
#32915 Administrator username changed in master realm after configuring email address for SMTP connection test for another realm with "Email as username" enabled admin/ui
#32916 Device activity client name translations account/ui
#32923 Flaky test: org.keycloak.testsuite.webauthn.WebAuthnTransportsTest#usbTransport ci
#32930 Flaky test: org.keycloak.testsuite.forms.RegisterWithUserProfileTest#testAttributeInputTypes ci
#32939 Flaky test: org.keycloak.testsuite.webauthn.WebAuthnIdlessTest#testWebAuthnIDLessWithNonResidentCredentialLogin ci
#32942 Flaky test: org.keycloak.testsuite.broker.KcOidcBrokerTest#testPostBrokerLoginFlowWithOTP_bruteForceEnabled ci
#32984 Application names are not taking realm overrides into account account/ui
#33011 Admin bootstrap client should not have standard flow enabled dist/quarkus
#33023 Documentation CI is failing on broken links docs
#33037 Flaky test: org.keycloak.testsuite.webauthn.registration.UserVerificationRegisterTest#discouraged ci
#33044 Next page not working for "Localization --> Realm overrides" admin/ui
#33054 Identity-first login screen has broken IDP icons admin/ui
#33058 Clusterless feature is not tested in Model tests testsuite
#33060 Tests are showing exception while trying to import admin user after organizations were enabled by default testsuite
#33064 Action expired error occurs when accessing regular registration page with Organizations enabled organizations
#33095 The "Valid redirect URIs" field is not displayed when the "Standard flow" is unchecked admin/ui
#33109 Infinite loop when accessing account management console account/ui
#33115 CVE-2024-8883 Vulnerable Redirect URI Validation Results in Open Redirect
#33116 CVE-2024-8698 Improper Verification of SAML Responses Leading to Privilege Escalation in Keycloak
#33156 CVE-2024-7254 - Stack-based Buffer Overflow in com.google.protobuf:protobuf-java dist/quarkus
#33172 Deprecation of https-trust-store-* weakens X509 browser authentication authentication
#33207 [Organizations] Preserve org id in exported realms core
#33224 [Keycloak CI] - Quarkus IT - StartCommandDistTest.testStartUsingAutoBuild ci
#33231 [Keycloak CI] - User Federation Tests - LDAPSamlIdPInitiatedVaryingLetterCaseTest ci
#33246 Unable to start Keycloak when metrics are enabled dist/quarkus
#33296 Migrating to a FIPS environment disallows all users from logging in authentication
#33300 Organization UI is overriding the alias with the org name when user navigates to another tab admin/ui
#33307 XA Transaction recovery support is enabled even thoug transaction-xa-enabled is false dist/quarkus
#33330 "somethingWentWrong" when opening Keycloak URL in unsecure context login/ui
#33331 Performance drop in cpuUsageForLoginsTest since 19.09.2024
#33336 Changing locale on passwordless or custom login flow does not work login/ui
#33342 Duplicate entry "duplicate" in Admin UI message properties admin/ui
#33347 Hostname v2 should enforce hostname is a full url if hostname-admin is used dist/quarkus
#33351 Wrong release notes for Login v1 theme deprecation login/ui
#33353 Performance regression when Organisations feature is enabled
#33355 ID token from refresh_token flow does not contain nonce even when using Nonce backwards compatible mapper oidc
#33362 Flaky test: org.keycloak.testsuite.webauthn.registration.UserVerificationRegisterTest#preferredVerificationWrong ci
#33389 Banner is not wrapping properly admin/ui
#33390 Creating clientAttributesCondition in some client policy breaks the login to the realm authentication
#33412 User specific organisation entries shouldn't be placed in the realm cache core
#33415 Organization brokers should be hidden on login pages by default organizations
#33424 Organization data is cached for each user even if realm never enabled organizations organizations
#33439 Avoid caching `RealmModel` in `CachedOrganization` organizations
#33440 Test group_test.spec.ts Duplicate group fails repeatedly testsuite
#33461 AWS Lambda description for HA setup doesn't reflect latest changes for failure policy core
#33467 The "Client Secret" field does not expand to display the entire secret value admin/ui
#33508 Can't load theme resources on Windows core
#33517 Issue when running tests from IDE on embedded undertow ( org.jboss.threads.EnhancedQueueExecutor$Builder.setKeepAliveTime(java.time.Duration) ) testsuite

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻️ Rebasing: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this MR and you won't be reminded about these updates again.

If you want to rebase/retry this MR, check this box

This MR has been generated by Renovate Bot.

Edited May 01, 2025 by Renovate Bot

Draft: Update All Maven dependencies to v26 (major)

Release Notes

Upgrading

All resolved issues

Enhancements

Bugs

Upgrading

All resolved issues

Enhancements

Bugs

Highlights

Supported Standard Token Exchange

Fine-grained admin permissions supported

Guides for metrics and Grafana dashboards

Zero-configuration secure cluster communication

Rolling updates for optimized and customized images

Additional query parameters in Admin Events API

Logs support ECS format

New cache for CRLs loaded for the X.509 authenticator

Operator creates NetworkPolicies to restrict traffic

Option to reload trust and key material for the management interface

Dynamic Authentication Flow selection using Client Policies

JWT Client authentication aligned with the latest OIDC specification

Federated credentials are available now when fetching user credentials

Token based authentication for SMTP (XOAUTH2)

New client configuration for access token header type

OpenID for Verifiable Credential Issuance documentation

Upgrading

All resolved issues

New features

Enhancements

Bugs

Upgrading

All resolved issues

Enhancements

Bugs

Upgrading

All resolved issues

Enhancements

Bugs

Highlights

Send Reset Email force login again for federated users after reset credentials

Upgrading

All resolved issues

Bugs

Upgrading

All resolved issues

Deprecated features

Enhancements

Bugs

Highlights

New option in X.509 authenticator to abort authentication if CRL is outdated

New option in Send Reset Email to force a login after reset credentials

Upgrading

All resolved issues

Enhancements

Bugs

Highlights

Transport stack jdbc-ping as new default

Virtual Threads enabled for Infinispan and JGroups thread pools

OpenTelemetry Tracing supported

Infinispan default XML configuration location

Individual options for category-specific log levels

OpenID for Verifiable Credential Issuance

Minimum ACR Value for the client

Support for prompt=create

Option to create certificates for generated EC keys

Authorization Code Binding to a DPoP Key

Maximum count and length for additional parameters sent to OIDC authentication request

Network Policy support added to the Keycloak Operator

LDAP users are created as enabled by default when using Microsoft Active Directory

New conditional authenticators Condition - sub-flow executed and Condition - client scope

Defining dependencies between provider factories

Dark mode enabled for the welcome theme

Metrics on password hashing

Sign out all active sessions in admin console now effectively removes all sessions

Dedicated release cycle for the Node.js adapter and JavaScript adapter

Updates in quickstarts

Updated format of KEYCLOAK_SESSION cookie and AUTH_SESSION_ID cookie

Removal of robots.txt file

Transport stack `jdbc-ping` as new default

New conditional authenticators `Condition - sub-flow executed` and `Condition - client scope`