github keycloak/keycloak 26.6.0
on GitHub

7 hours ago

Highlights

This release features new capabilities for users and administrators of Keycloak. The highlights of this release are:

  • JWT Authorization Grant, enabling external-to-internal token exchange using externally signed JWT assertions.

  • Federated client authentication, eliminating the need to manage individual client secrets in Keycloak.

  • Workflows, enabling administrators to automate realm administrative tasks such as user and client lifecycle management.

  • Zero-downtime patch releases, allowing rolling updates within a minor release stream without service downtime.

  • The Keycloak Test Framework, replacing the previous Arquillian-based solution.

All of these features are now fully supported and no longer in preview. Read on to learn more about each new feature. If you are upgrading from a previous release, also review the changes listed in the upgrading guide.

Security and Standards

JWT Authorization Grant (supported)

JWT Authorization Grant (RFC 7523) is designed to implement external-to-internal token exchange use cases. This grant allows using externally signed JWT assertions to request OAuth 2.0 access tokens.

In this release, JWT Authorization Grant is promoted from preview to supported. See the JWT Authorization Grant guide for additional details.

Federated client authentication (supported)

Federated client authentication allows clients to leverage existing credentials once a trust relationship with another issuer exists. It eliminates the need to assign and manage individual secrets for each client in Keycloak.

Federated client authentication is now promoted to supported, including support for client assertions issued by external OpenID Connect identity providers and Kubernetes Service Accounts.

Since the OAuth SPIFFE Client Authentication specification is still in draft status, this feature remains a preview feature in Keycloak.

New guide about Demonstrating Proof-of-Possession (DPoP)

A new guide for OAuth 2.0 Demonstrating Proof-of-Possession (DPoP) in the Securing applications Guides provides information on how to mitigate the risk of stolen tokens by making tokens sender-constrained.

See Securing applications with DPoP for more details.

Identity Brokering APIs V2 (preview)

A new preview version 2 for the Identity Brokering APIs is introduced in this release. When brokering is used during the authentication process, Keycloak allows you to store tokens and responses issued by the external Identity Provider. Applications can call a specific endpoint to retrieve those tokens, which, in turn, can be used to get extra user information or invoke endpoints in the external trust domain. The new version improves the token retrieval endpoint to substitute the internal to external Token Exchange (use case for the legacy Token Exchange V1).

For more information, see the chapter Identity Brokering APIs in the Server Developer Guide.

Step-up authentication for SAML (preview)

The feature step-up-authentication-saml extends the step-up authentication to include the SAML protocol and clients. This feature is in preview mode. Additional information is available in the Server Administration Guide.

OAuth Client ID Metadata Document (experimental)

OAuth Client ID Metadata Document (CIMD) is an emerging standard that defines a JSON document format for describing OAuth 2.0 client metadata. Since version 2025-11-25, the Model Context Protocol (MCP) requires an authorization server to comply with CIMD. Keycloak now includes experimental support for CIMD, allowing it to serve as an authorization server for MCP version 2025-11-25 or later.

See Integrating with Model Context Protocol (MCP) for the updated guide including CIMD.

Many thanks to Takashi Norimatsu for the contribution.

Administration

Workflows (supported)

Workflows allow administrators to automate and orchestrate realm administrative tasks, bringing key capabilities of Identity Governance and Administration (IGA) to Keycloak. By defining workflows in YAML format, you can automate the lifecycle of realm resources such as users and clients based on events, conditions, and schedules.

In this release, Workflows is promoted from preview to supported. This release also includes new built-in steps, a troubleshooting guide, and various improvements to the workflow engine.

For more details, see the Managing workflows chapter in the Server Administration Guide.

Organization groups

Organizations now support isolated group hierarchies, allowing each organization to manage its own teams and departments without naming conflicts across the realm. This update includes Identity Provider mappers to automatically assign federated users to organization groups based on external claims. Group membership is automatically included in OIDC tokens and SAML assertions when an organization context is requested.

For more details, see the Managing organization groups guide.

New Groups scope for user membership changes

Fine-Grained Admin Permissions (FGAP) now includes a new Groups scope: manage-membership-of-members.

This scope is now used as the group-side bridge for evaluating user-side manage-group-membership permissions based on a user’s current group memberships. The existing manage-membership scope keeps its current behavior for target group membership management operations.

Looking up client secrets via the Vault SPI

Secrets for clients can now be managed and looked up by the Vault SPI.

Thank you to Tero Saarni for contributing this change.

Forcing password change for LDAP users

There is now initial support for LDAP password policy control. The support is limited to prompting users to update their password when the LDAP server indicates that the password must be changed. Previously, Keycloak let the user in and ignored the mandatory password reset. There is a new optional setting “Enable LDAP password policy” in the LDAP advanced settings to enable this.

Thank you to Tero Saarni for contributing this change.

Configuring and Running

Java 25 support

Keycloak now supports running with OpenJDK 25. The server container image continues to use OpenJDK 21 for now to support FIPS mode. For details, see the note in the FIPS guide.

Zero-downtime patch releases (supported)

Zero-downtime patch releases allow you to perform rolling updates when upgrading to a newer patch version within the same major.minor release stream without service downtime.

In this release, zero-downtime patch releases are promoted to supported and enabled by default. When using the Keycloak Operator, set the update strategy to Auto to benefit from this functionality.

For more details on the Operator configuration, see the Avoiding downtime with rolling updates guide.

Installation instructions for CloudNativePG

For those running Keycloak on Kubernetes, there is now a guide on how to deploy a PostgreSQL database on Kubernetes by leveraging the CloudNativePG Operator and how to connect Keycloak to the database.

See Deploying CloudNativePG in multiple availability zones in the High Availability Guide for details.

Simplified database operations

Several new command line options simplify the database operations for Keycloak and remove the need to use raw JDBC connection options:

  • Configure TLS for the database connection.

  • Database connection timeouts.

  • Transaction timeouts with production-ready defaults.

It also verifies the correct UTF-8 character encoding of the database at startup and prints a warning if this is not the case.

When running on orchestrators like Kubernetes, the startup and liveness probes return UP during database migrations, simplifying upgrades by removing the need to adjust the probes during upgrades.

See the migration guide for additional details on each aspect.

Graceful shutdown of HTTP stack

To allow rolling updates for configuration changes or version updates, a graceful shutdown of Keycloak nodes prevents users from seeing error responses when logging in or refreshing their tokens when nodes shut down.

Starting with this version, Keycloak supports a graceful shutdown of the HTTP stack. This includes delaying a shutdown after receiving a termination signal, connection draining for HTTP/1.1 and HTTP/2 connections during that period, and a shutdown timeout to finish ongoing requests.

The defaults are a shutdown delay and a shutdown timeout of one second each. This should be a good fit for setups where the reverse proxy is using TLS edge termination or re-encryption and the reverse proxy is notified about the Keycloak node shutting down at the same time as the Keycloak node. This is a common setup, for example, in Kubernetes environments.

Users should adjust those values depending on their proxy setup. See the section Graceful HTTP shutdown in the reverse proxy guide for more information.

New KCRAW_ prefix for environment variables to preserve literal values

Keycloak now supports a KCRAW_ prefix for environment variables to preserve values containing $ characters exactly as written, without expression evaluation.

When using the standard KC_ prefix, Keycloak (via SmallRye Config) evaluates expressions in values (for example, ${some_key} is resolved and $$ is collapsed to $). This can silently modify passwords or secrets injected by a secrets manager or orchestration tool where manual escaping is not feasible.

Setting KCRAW_<KEY> instead of KC_<KEY> preserves the value exactly as provided.

See the Preserving literal values with the KCRAW_ prefix section in the Server Configuration guide for details.

Automatic reload of lists with disallowed passwords

When a list of disallowed passwords (also known as blacklist) changes, it is automatically reloaded. This avoids the need for a server restart when the list changes.

Thank you to Tero Saarni for contributing this change.

Automatic truststore initialization on Kubernetes and OpenShift

Keycloak now automatically discovers and trusts cluster certificate authorities when running on Kubernetes or OpenShift, without requiring the Operator to preconfigure the truststore.

If present in the container filesystem, the following certificates are added to the system truststore at startup:

  • /var/run/secrets/kubernetes.io/serviceaccount/ca.crt (Kubernetes service account CA)

  • /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt (OpenShift service CA)

This behavior is enabled by default and can be controlled with the server option --truststore-kubernetes-enabled=true|false (default: true).

Most deployments do not require any action. If you relied on the Operator to manage these truststore entries previously, the server now performs the same function directly.

Client certificate lookup providers for Traefik and Envoy

You can now use new client certificate lookup providers for Traefik and Envoy proxies. For details, see the Enabling Client Certificate Lookup section of the documentation.

Configurable Kubernetes Service name and port in the Keycloak Operator

The Keycloak Operator now supports overriding the name and port of the Kubernetes Service it creates for a Keycloak deployment.

Previously, the Service name was always derived as <cr-name>-service and the Service port always matched the container port. You can now use the spec.http.serviceName, spec.http.serviceHttpsPort, and spec.http.serviceHttpPort fields to configure these independently.

For more details, see the Advanced configuration guide.

Sensitive information is not displayed in the HTTP Access log

If you are using the HTTP Access logging capability, sensitive information is omitted. This means that tokens in the 'Authorization' HTTP header and specific sensitive cookies are not shown.

For more information, see Configuring HTTP access logging.

Configurable log file rotation

It is now possible to configure log file rotation when using Keycloak’s built-in file logging handler. This includes a simple option to fully disable log rotation, which is useful when using an external log rotation solution such as logrotate.

To disable log file rotation: 

bin/kc.sh start --log="console,file" --log-file-rotation-enabled=false

For more information, see the File logging guide.

HTTP access logs in a dedicated file

HTTP access logs can now be written to a dedicated file, separate from the server logs. This makes it easier to process and archive access logs independently for security auditing and compliance monitoring.

For more information, see Configuring HTTP access logging.

Customizable service fields in JSON log output

Keycloak now provides native options to customize the service.name and service.environment fields in JSON log output across all log handlers (console, file, and syslog).

Previously, when using the ECS format, service.name and service.environment could not be overridden through Keycloak configuration. This made it difficult to align JSON log fields with OpenTelemetry resource attributes.

You can now set these fields using log-service-name and log-service-environment.

For more information, see the Configuring logging guide.

New and updated translations

New translations for Indonesian and Armenian were added. A warm welcome to the new language maintainers for these languages! There are also new language maintainers for the Swedish translation, who translated all remaining message keys. Thank you so much!

Follow the translation progress on the translation status page, help translate, and read the translation guide on how to add additional languages.

Right-to-left language support in the Account UI

Support for right-to-left (RTL) languages was added to the Login UI, Admin UI, and email templates several releases ago. This release adds initial RTL support to the Account UI, which completes this effort.

Observability

Telemetry configuration via the Keycloak CR

Keycloak now supports configuring the OpenTelemetry properties via the Keycloak CR when using the Operator. These properties are shared among the available OpenTelemetry components - logs, metrics, and traces.

Custom request headers for OpenTelemetry

It is now possible to set request headers for exporting telemetry via OpenTelemetry Protocol (OTLP). This is mainly useful for providing tokens in the request.

You can specify these headers via the telemetry-header-<header> wildcard option, which accepts any custom header name. Alternatively, use telemetry-logs-header-<header> for OpenTelemetry Logs or telemetry-metrics-header-<header> for OpenTelemetry Metrics.

Service Monitor annotations and labels via the Keycloak CR

It is now possible to configure service monitor labels and annotations via the Keycloak CR when using the Operator.

For more details, see the Advanced Configuration Operator guide.

Extension Development

Keycloak Test Framework (supported)

The Keycloak Test Framework, based on JUnit 6, is now fully supported.

It replaces the previous solution built on top of Arquillian and JUnit 4. Behind the scenes, the framework handles the lifecycle of Keycloak, the database, and any injected resources such as realms and clients.

Tests simply declare what they want, including specific configuration, and the framework takes care of the rest.

For more information, see Keycloak Test Framework.

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Deprecated features

  • #45156 Deprecate Token Exchange v1

New features

  • #10155 Step-up authentication for SAML clients authentication
  • #13102 Add support for specifying `client.secret` using vault core
  • #39888 Workflows
  • #42634 Federated client authentication
  • #43144 OAuth Identity and Authorization Chaining Across Domains
  • #43146 New test framework
  • #43152 Authorization Grants
  • #43252 Zero-downtime upgrades between patch releases of Keycloak
  • #43257 Support a Kubernetes Native Database
  • #43507 Add support for Organization-specific Groups
  • #43576 Authorization grant for social providers token-exchange/federated
  • #44833 [OID4VCI] Make natural_person configuration available in all formats oid4vc
  • #45106 OAuth Client ID Metadata Document
  • #45284 CIMD - Persistent CIMD oidc
  • #46633 keycloak operator: add support for different port and name for the kubernetes service definition in the keycloak CRD
  • #47011 Add debug helper utility to the test framework test-framework

Enhancements

  • #10618 Enhancements to logging config dist/quarkus
  • #14523 Add support for enforced password change with LDAP federation ldap
  • #17904 Support RTL UI account/ui
  • #19374 Allow absolute path for cache-config-file? dist/quarkus
  • #19453 The default database transaction timeout should not be applied to Liquibase or data migrations dist/quarkus
  • #20618 Support enabling access logs dist/quarkus
  • #27986 Remove Liquibase dependency version from Keycloak root pom
  • #33160 Add support for X509 client certificate lookup for Envoy
  • #33198 Introduce `resourcesCommonUrl` for E-Mail templates core
  • #33818 Request for Enhancement: Make x509cert-lookup SPI public
  • #34435 OTEL: Add tracing ID to user facing error message observability
  • #35298 Reverse proxy provided context path not working despite setting X-Forwarded-Prefix header dist/quarkus
  • #36226 Provide a read only view of Identity Provider Mappers configuration screen to the Keycloak Admin UI
  • #36710 Have a first-class CLI option to change Keycloak's transaction timeout dist/quarkus
  • #38884 Upgrade command rolling updates for patch releases / step 3: Infinispan/JGroups support
  • #38888 Avoid breaking DB changes during patch releases
  • #40902 More fully document operator upgrade scenarios, in particular with custom images docs
  • #41330 Improve logging of JpaUserSessionPersisterProvider#expire
  • #41353 Provide HTTP access logs written to file with rotation dist/quarkus
  • #41629 Remove Tracing workaround in Infinispan/JGroups classes
  • #42256 DB Connection Pool acquisition timeout errors on database failover core
  • #42626 Provide a way to add custom labels to generated ServiceMonitor
  • #42747 Make DPoP docs more detailed oidc
  • #42876 dev mode should bind only to localhost if possible
  • #42900 Move the logic of scanning Kubernetes CA to Keycloak dist/quarkus
  • #43589 Gracefully shutting down HTTP stack
  • #43701 Improve SimpleHttp API core
  • #43829 Add createdTimestamp filter (before/after) to /admin/realms/{realm}/users
  • #44090 ErrorId for error screens and logging
  • #44101 Allow re-using server when running tests with the new framework
  • #44364 Improve client creation with PKCE in admin console core
  • #44424 findClientSessionsClientIds performance issue storage
  • #44459 Adding the log to the required action to show the cause of syntax violation of the LDAP policy ldap
  • #44846 [OID4VCI]: Ensure OID4VCI optional fields are saved cleanly and use defaults oid4vc
  • #44849 [OID4VCI] Add UI support for `vc.credential_signing_alg` in OID4VCI client scopes oid4vc
  • #44973 Hide Remember Me session settings when Remember Me is disabled in realm login settings
  • #45006 [OID4VCI] Add support for user did as subject id oid4vc
  • #45188 Upgrade to quarkus 3.30.5
  • #45220 OTEL: Ability to specify headers for exporters observability
  • #45231 [OID4VCI] Generate pre-authorized codes using the JWT format oid4vc
  • #45254 Admin UI javascript bundle should have source mapping
  • #45278 Upgrade to Quarkus 3.33.x LTS
  • #45281 Add missing Swedish translations for admin theme messages translations
  • #45322 Linking user with idp fails with generic message if user is already linked identity-brokering
  • #45337 Upgrade to Quarkus 3.31
  • #45348 OTEL: Add Telemetry options to Keycloak CR observability
  • #45360 Document that the the HA architectures are tested with Openshift 4.18
  • #45467 Management interface endpoint lists available endpoints dist/quarkus
  • #45620 Change default not-before validation to 10 second instead of 0 oidc
  • #45623 Avoid unnecessary warning logs during the operator tests execution testsuite
  • #45629 HTTP access log written to file should be in a separate directory dist/quarkus
  • #45689 When a user joins a role or group, it should not read all existing roles and groups from the database
  • #45704 Invite existing users from Admin UI organizations
  • #45718 Improve error message when organization name cannot be used as alias
  • #45795 Promote Keycloak and KeycloakRealmImport CRDs to v2beta1
  • #45841 Add revert button to client credentials page
  • #45880 SAMLEndpoint - increase extensibility by increasing accessibility of some private fields/methods
  • #45882 Use GroupResource context in Groups so that Group components can be reused
  • #45884 Testframework core has dependency on testcontainers
  • #45898 Supported Configurations guide
  • #45909 Add theme clarification blurb to Realm Settings admin/ui
  • #45941 Do not use deprecated test containers in tests testsuite
  • #45944 OTEL: Use suggested 'code.function.name' for span attributes observability
  • #45965 [OID4VCI] Revisit and fix OAuthClient.credentialRequest() oid4vc
  • #45992 Clarify operator instructions involving Wildcard certificates and OpenShift
  • #45996 Enforce `LF` line endings on `*.tsx` files with `.gitattributes`
  • #45999 [OID4VCI] Revisit and fix OAuthClient.credentialOfferUriRequest() oid4vc
  • #46001 [OID4VCI] Revisit and fix OAuthClient.credentialOfferRequest() oid4vc
  • #46043 Upgrade to Quarkus 3.31.2 dist/quarkus
  • #46055 [OID4VCI] Confine test realm setup to TestCase.configureTestRealm()
  • #46156 Add node count and next-node selection to LoadBalancer API
  • #46164 Separate password and OTP brute force protection to prevent OTP bypass attacks by default
  • #46255 Upgrade to Quarkus 3.32.0.CR1 dist/quarkus
  • #46292 Allow to expose WellKnown provider via ServerMetadataResource
  • #46304 SPIFFE Identity Provider default TTL too low
  • #46355 [OID4VCI] Add support for CredentialScopeRepresentation oid4vc
  • #46395 X509 Certificates passed from Traefik PassTlsClientCert middleware broken since 26.5.0 authentication
  • #46421 Revisit Infinispan session idle and lifetime settings
  • #46429 Add username to BrokeredIdentityContext created from JWTBearer Grant token-exchange/federated
  • #46471 Aggregate client-id field for improved Infinispan query
  • #46494 Allow customizing federated identity lookup in JWTAuthorizationGrantType
  • #46531 Consider exposing UUID for admin api v2 resources
  • #46556 For MSSQL Server, set `sendStringParametersAsUnicode` to `false` by default storage
  • #46557 Keycloak should check the Unicode setup of the database on startup
  • #46603 Add Database CLI options for TLS encryption for databases
  • #46617 MCP Documentation for 26.6
  • #46626 Allow to configure Client Assertion max expiration for Kubernetes Identity Provider
  • #46627 Allow to configure Client Assertion max expiration for OIDC Identity Provider
  • #46657 Passwords containing `$$` or `${` patterns are mangled when set via environment variables (SmallRye expression evaluation) dist/quarkus
  • #46671 Allow custom timeouts in DBLockProvider
  • #46689 Remove user input reflection in Token Introspection error responses oidc
  • #46693 Group-level deny policies do not block `manage-group-membership` on group members admin/fine-grained-permissions
  • #46699 CIMD - Performance: Avoid repeated convertContentFilledList() in verifyUri()
  • #46701 CIMD - Performance: Single-pass HTTP Cache-Control header lookup
  • #46703 CIMD - Performance: Eliminate double URI parsing in ClientIdUriSchemeCondition.applyPolicy()
  • #46708 CIMD - Performance: Avoid streaming the directive list multipul times
  • #46711 Upgrade to Quarkus 3.32.1 dist/quarkus
  • #46728 Use quarkus properties ahead of keycloak defaults or map from values
  • #46757 Upgrade to jackson-core 2.21.1
  • #46765 Adding missing question mark
  • #46781 IdP alias is not clickable in organization's Identity Providers tab admin/ui
  • #46796 Document that export is not a backup
  • #46809 Set a default connection timeout for all databases types
  • #46872 Be more explicit on how to enable OTel Logs and Metrics in Operator observability
  • #46874 Be more explicit in using the OTel Logs level observability
  • #46890 Upgrade to Quarkus 3.32.2 dist/quarkus
  • #46936 Reduce tightly coupling between client policy contexts and conditions/executors oidc
  • #46964 Adding more Hungarian translations
  • #46972 Clarify credentials field availability in GET /admin/realms/{realm}/users documentation
  • #47038 Translation support for UI theme descriptions translations
  • #47081 Upgrade to Quarkus 3.32.3 dist/quarkus
  • #47130 Upgrade to Quarkus 3.33.0.CR1 dist/quarkus
  • #47140 Add CLI option for database connection timeout and provide it into quarkus.datasource.jdbc.login-timeout
  • #47146 Keycloak: no native option to customize JSON log service.name and service.environment fields observability
  • #47163 Enhancement: Password denylist file changes should not require server restart
  • #47187 Asynchronous server initialization
  • #47229 Identity Provider redirection via kc_idp_hint in Pushed Authorization Request oidc
  • #47416 Async startup doesn't be enabled when the health check is not enabled
  • #47535 Polishing CNPG installation docs
  • #47667 Update release-notes for CIMD

Bugs

  • #22569 Provide descriptions for default realm-management roles admin/ui
  • #26946 Multiple protocolMappers with the same name. admin/api
  • #28970 Documention about the default db-schema is ambiguous docs
  • #36593 Built-in authentication flows are not updated for KC 26 organizations
  • #37231 Set New Password Multiple Times via Password Reset Function login/ui
  • #38991 [Test framework] Embedded server -> dependency download error when no version is specified test-framework
  • #39127 Incorrect return code with JWT algorithm set to none authentication
  • #40510 Organization flow do not redirect when credentials exist organizations
  • #40753 Resource leak: FileInputStream in Util.readProperties(File) is never closed .SAST core
  • #40921 Reject invalid resource IDs in permission creation
  • #41165 Feishu login has been continuously failing as an identity provider identity-brokering
  • #41630 Warning log message SRCFG01008: The value default has been converted by a Boolean Converter to "false" dist/quarkus
  • #41924 Internal server error after changing Admin UI theme to "base" - An old, persisted problem admin/ui
  • #42222 Federation Cache Policy details not shown when editing provider in Keycloak 26.3+ admin/ui
  • #42836 Organization selection changes after token refresh organizations
  • #42839 UserInfo endpoint returns incorrect organization claim organizations
  • #43198 Operator status patching of keycloak failed operator
  • #43201 entity mappings not working on 26.4 core
  • #43356 Keycloak tests framework - issue to identify distribution directory inside ZIP file when version string uses suffix test-framework
  • #43613 case insensitive match on organization identity provider domain - In case 'ANY' option is chosen organizations
  • #43726 Slow evaluation of client roles with dots for role mapper and others identity-brokering
  • #43757 Code Examples in Authentication SPI Documentation Don't Match Quickstarts Repository authentication
  • #43854 OID4VCI credentials have invalid subject id value oid4vc
  • #43949 MultivaluedString in mappers is not saved to backend with shown default value admin/ui
  • #43991 Keycloak operator - Reconciliation failure operator
  • #44099 Out of memory after 3-4 restarts of embedded server testsuite
  • #44100 Issue with starting server results in connection refused exception in test testsuite
  • #44132 Bug -> Keycloak preview feature "scripts" is enabled by default authentication
  • #44283 Flaky test: org.keycloak.testsuite.federation.ldap.LDAPGroupMapperTest#test06_addingUserToNewKeycloakGroup ci
  • #44403 DCR endpoint ignores client's requested token_endpoint_auth_method oidc
  • #44425 [Keycloak JS CI] Admin UI E2E Firefox failure ci
  • #44498 [quick-theme] Logo and Favicon problem login/ui
  • #44574 Unable to find contextual data of type: org.keycloak.models.KeycloakSession testsuite
  • #44598 SAML user created with null username when mapped attribute missing saml
  • #44622 OID4VCI functionality should be disabled for the realm when "Verified Credentials" switch is disabled oid4vc
  • #44637 Fail to import the realm with OID4VCI enabled import-export
  • #44670 CredentialEndpoint can be invoked with incorrect access token oid4vc
  • #44678 Inconsistent search when using wildcards admin/api
  • #44699 Not able to find key for credential signature if client scope was saved from admin console admin/ui
  • #44737 CredentialRequest requires that client scope is assigned as 'Optional' oid4vc
  • #44784 link to reset-credentials ignores default locale AND ui_locales login/ui
  • #44803 Unhandled IllegalArgumentException in SAMLRequestParser saml
  • #44807 [OID4VCI] Default values are not set for ClientScope core
  • #44819 Missing validation error label on UI when editing a user user-profile
  • #44824 Keycloak retains mapped firstName value and does not nullify it when upstream identity provider stops sending the claim identity-brokering
  • #44875 [OID4VCI] CredentialSignerException: Proof Type null is not supported for format ldp_vc oid4vc
  • #44905 Email is not updated based on upstream IdP email identity-brokering
  • #44961 Authorization_details added to token-response even when should not be oid4vc
  • #45005 [OID4VCI] Revisit and fix /credential_offer_uri endpoint oid4vc
  • #45058 Base theme: "user properties" and "register" required mark is missing the required class login/ui
  • #45069 Base theme: `login-config-totp`, `label`s have hardcoded `control-label` instead of `${properties.kcLabelClass!}` login/ui
  • #45160 NullPointer when using JwsHeader.builder().withx5c(certificate) oidc
  • #45162 Missing icons in v2 keycloak login theme login/ui
  • #45163 Guide refers to no longer existing Docker Registry oidc
  • #45164 Base theme: `login-config-totp`, buttons are not wrapped in a `kcFormGroupClass` login/ui
  • #45209 [OID4VCI] Issuer metadata contains unwanted 'id' for credential_configurations_supported oid4vc
  • #45219 User REST Admin API - count and search returns different amount of users account/api
  • #45227 Accessibility: Improve authenticator selector for screen readers and keyboard navigation login/ui
  • #45252 `.env.test` overrides values from environment testsuite
  • #45272 EventOptionsTest failing due to missing verifiable_credential options testsuite
  • #45324 Affirmative Aggregated Policies do not evaluate correctly for admin console admin/fine-grained-permissions
  • #45385 [OID4VCI] No key for id ... and algorithm ... available oid4vc
  • #45406 SearchDropdown clear button doesn't reset form fields, URI search broken authorization-services
  • #45422 Organizations login leaks IdP aliases when no Organization is resolved (IdP/tenant enumeration) organizations
  • #45425 OpenApiDistTest fails in CI ci
  • #45428 Admin UI: Wrong redirect for permissions accessed via resource details authorization-services
  • #45446 [OID4VCI] Default value for vc.credential_build_config.hash_algorithm causes _sd_alg to be invalid due to case sensitivity oid4vc
  • #45485 [OID4VCI] Inconsistencies in well-known OID4VC metadata (Same metadata for all formats) oid4vc
  • #45488 Filename not being displayed during imports admin/ui
  • #45501 ConcurrentModificationException in KeycloakProcessor#configureProfile dist/quarkus
  • #45519 User profile Attribute multiselect inputType not working since 26.4.0 user-profile
  • #45522 LoggingDistTest.httpAccessLogNotNamedPattern is not stable dist/quarkus
  • #45539 Avoid using some blacklist/whitelist wording in UI and docs admin/ui
  • #45561 NPE in Authorization Evaluation when parentPolicy is null during concurrent authz deletes authorization-services
  • #45564 Wrong nesting of semaphore release handling in Argon2 hashing core
  • #45586 Missing help text in Admin UI for adding client policy conditions admin/ui
  • #45587 SecureClientUrisExecutor doesn't allow for "+" weborigin oidc
  • #45606 Document back channel request limitations docs
  • #45669 Unable to resolve current project as a dependency to test framework server config testsuite
  • #45694 Unvalidated URL Construction in ResourceAdminManager via Matrix Parameter Injection core
  • #45724 [OID4VCI] Inconsistencies in OID4VCI metadata related to cryptographic bindings and proofs oid4vc
  • #45727 Refactor `SessionsResource` for better memory usage and performance infinispan
  • #45733 Admin UI theme logo not displaying from theme properties admin/ui
  • #45738 clients-registrations/default GET endpoint does not rotate Registration Access Token as documented oidc
  • #45740 `client-access-type` condition in Client Policy does not trigger for token request events core
  • #45747 Confusing admin behavior when multiple IDPs in a realm have the same issuer URL core
  • #45748 [OID4VCI] OpenID4VCI User Attribute Mapper does not support nested claims oid4vc
  • #45750 Test framework doesn't stop running Keycloak instance if reuse is turned off testsuite
  • #45760 Disabled organisation should not execute invitations organizations
  • #45812 ROPC: invalid_grant Error Response not RFC Compliant oidc
  • #45818 There is no save button on the TokenTab admin/ui
  • #45829 Useless warning logged when querying credentials for a user in a realm with password history enabled authentication
  • #45859 [OID4VCI] Duplicate processing of authorization_details from AuthorizationDetailsProcessorManager oid4vc
  • #45875 Workflows execution bypasses admin permission boundaries (manage-realm -> realm-admin) workflows
  • #45877 UiPageProvider components not filtered by implementation in the Admin UI admin/api
  • #45881 Flaky test: org.keycloak.testsuite.oauth.OfflineTokenTest#offlineTokenBrowserFlow ci
  • #45888 ServiceMonitor is not created due to missing fields docs
  • #45917 LDAP mapper of type "group-ldap-mapper" does not expose "objectGUID" for group in GUID format ldap
  • #45921 `Config should not be initialized until profile is determined` throw from Maven using embedded Keycloak dist/quarkus
  • #45922 Flaky test: org.keycloak.testsuite.forms.LevelOfAssuranceFlowTest#optionalClaimNotReachedSucceeds ci
  • #45924 Make sure disabled organization is ignored when re-authenticating organizations
  • #45947 Selecting condition type when creating a client policy is too wide core
  • #45971 Paths with spaces are not decoded when trying to discover providers JAR file dist/quarkus
  • #45986 [KEYCLOAK CI] - AuroraDB IT - Run Aurora new database tests on EC2 ci
  • #45993 [quarkus-next] Fix build failure due to missing build step ordering constraints dist/quarkus
  • #46006 JpaOrganizationProvider.searchGroupsByName ignores search parameter organizations
  • #46009 Client sessions pagination does not work admin/ui
  • #46010 Missing anti-ID phishing check for getting client admin/api
  • #46015 Duplicate `{client-uuid}` path parameter in OpenAPI spec admin/api
  • #46040 Assign realm users to organization organizations
  • #46050 AuthorizationServices should prevent org group ids for group policies organizations
  • #46051 [OIDC4VCI] - Types in JWT_VC oid4vc
  • #46075 [quarkus-next] Tests fail due to missing build step ordering constraint on disableHealthCheckBean dist/quarkus
  • #46081 [Keycloak JS CI] `fetchWithError` throwing `NetworkError` ci
  • #46084 [quarkus-next] DatasourcesDistTest fails due to Quarkus stdout/stderr capture changes dist/quarkus
  • #46089 Deleting a resource on page 2 shows "No resources found" empty state while resources still exist in Authorization Resources tab authorization-services
  • #46095 [quarkus-next] configureResteasy() missing Quarkus build step dependency dist/quarkus
  • #46110 Distribution server sometimes uses wrong pid for started Keycloak server test-framework
  • #46121 Unable to initialize 'jakarta.el.ExpressionFactory' when starting the server in Quarkus' development mode dist/quarkus
  • #46159 Docs: authorization_services/topics/resource-server-default-config.adoc authorization-services
  • #46160 Keycloak from `quarkus/tests/junit5` doesn't throw exception when there's a startup failure dist/quarkus
  • #46175 AdminClient in MANAGED_REALM mode has bugs test-framework
  • #46187 [quarkus-next] Update error message for invalid duration in certificate reload test dist/quarkus
  • #46192 Checking non-converted FROM address when sending emails core
  • #46193 [UI Bug] Microsoft/OIDC IdP "Prompt" dropdown saves human-readable label instead of technical value admin/ui
  • #46235 Welcome screen URL is not correct with hostname set to url admin/ui
  • #46297 [OID4VCI] Attribute did should be added to user profile just if OID4VCI is enabled for the realm
  • #46314 Bundle issue in account-ui account/ui
  • #46321 [Keycloak CI] Azure and Aurora Migration tests failing ci
  • #46322 [Keycloak CI] New database tests fail on Aurora and Azure ci
  • #46350 The RestartLoginCookie does not allow for key rotation as it always uses the active key for verification login/ui
  • #46366 Missing `parentId` in the GroupRepresentation of @keycloak/keycloak-admin-client admin/client-js
  • #46374 [quick-theme] Background is not hot redeployed admin/ui
  • #46384 Resource selection not displayed in scope-based permission creation when resource is not in initial results admin/ui
  • #46403 Caching or role parsing should be realm specific infinispan
  • #46413 [Admin UI] User's organizations list is delayed/empty until an N+1 cascade of API calls completes admin/ui
  • #46445 Org Groups API does not return subGroupCount organizations
  • #46454 Organization groups not included in user's groups query. organizations
  • #46455 REST API doesn't allow moving org group to root organizations
  • #46493 show-config contains log related entries with null values dist/quarkus
  • #46503 Flaky test: org.keycloak.testsuite.webauthn.account.WebAuthnTransportLocaleTest#localizationTransportUSB ci
  • #46512 Identity provider display names are not localized in Account Console account/ui
  • #46517 Inconsistent authentication error ordering core
  • #46542 Update dynamic client scope timeout admin/api
  • #46571 NPE when finding an org group by path when Organization feature disabled organizations
  • #46579 The PR not including arquillian integration tests does not pass GHA Testsuite Deprecation Check testsuite
  • #46606 Admin Console Admin associated roles is not usable for a large number of realms admin/ui
  • #46614 Base theme template uses inline styles in delete-account-confirm.ftl login/ui
  • #46628 When renaming the ClientPolicy, added conditions and profiles shouldn't disappear. oidc
  • #46639 [OID4VCI] Broken issuance due to errnoeous credential_identifier check oid4vc
  • #46644 Kiota fails silently when generation fails admin/client-js
  • #46647 Rfc9440 cert lookup should not treat exceeding the cert length as an error core
  • #46658 SCIM PUT endpoint allows resource modification via body ID override (IDOR) core
  • #46667 IntegrationTest sub class @testsetup called before super class testsuite
  • #46673 Raise minimum maximum number of `poolMaxSize` as value 3 shown in Keycloak example leads to acquisition timeout after switch to JDBC Ping docs
  • #46695 CIMD - Config Description Corrections: wildcard instead of regex oidc
  • #46697 CIMD - typos in comment lines oidc
  • #46716 UMA permission grant accepts expired ID token claim_token and issues RPT core
  • #46717 UMA permission grant accepts ID token issued to a different client core
  • #46718 UnsupportedOperationException in V1 Token Exchange Audience Validation (FGAPv2 Incompatibility) token-exchange
  • #46738 NullPointerException Crash in SessionCodeChecks When Client is Disabled During Authentication Flow authentication
  • #46745 Enhance network validation for SAML metadata descriptor URLs saml
  • #46750 OIDC error responses do not have no-cache headers set (at least not for the userinfo endpoint) oidc
  • #46774 Drawer splitter does not extend full page height in organization groups admin/ui
  • #46775 "Duplicate" function does not work correctly for organization groups admin/ui
  • #46776 Cannot select a group from search results in "Move to" dialog admin/ui
  • #46777 Organization group tree does not show expand toggles for groups with children admin/ui
  • #46778 Stale search results persist after clearing search in organization group tree admin/ui
  • #46780 Organization group tree search returns flat results instead of hierarchy organizations
  • #46792 Delete operation does not fire admin event v2 admin/api
  • #46808 Mute noisy "Unable to decode token, payload not found." log adapter/javascript
  • #46819 ArrayIndexOutOfBoundsException in ArtifactBindingUtils when SAMLart parameter is too short
  • #46848 NullPointerException in DPoPUtil oidc
  • #46857 Identity Provider mapper edit form loses ID and Name field values on save admin/ui
  • #46860 Cannot run /testsuite anymore - value of org.keycloak.common.Profile.getInstance() is null testsuite
  • #46861 Metadata check: cacheEmbedded.configFile always incompatible because of path infinispan
  • #46883 Flaky test: org.keycloak.testsuite.model.infinispan.EmbeddedInfinispanSplitBrainTest#testLocalCacheClearedOnMergeEvent ci
  • #46933 Client-scopes client policy condition not triggered during resource-owner-password-credentials grant request oidc
  • #46969 Authentication Failure with Mixed-Case Email Domain in Organizations organizations
  • #46997 Privilege Escalation via silent group resolution fallback in Identity Provider mappers when linked to Organizations organizations
  • #47002 [quarkus-next] Prometheus rejects user event metrics with inconsistent tag keys dist/quarkus
  • #47025 createCurlContainer method implicitly depends on DockerHub testsuite
  • #47043 Searching for organization groups with `populateHierarchy=true` exposes internal org group organizations
  • #47045 [OID4VCI] Credential definition must not contain `@context` when not using JSON-LD oid4vc
  • #47047 Unused message keys from console based logins login/ui
  • #47051 Search for organization group membership ignores search param organizations
  • #47055 `Include sub-group users` button does not work for org groups organizations
  • #47063 NPE when regenerating client secret when client policy with client-updater-context exists oidc
  • #47080 Do not allow managing invitations if not an invitation of the current organization organizations
  • #47084 Missing output encoding for organization name in login error messages organizations
  • #47085 Pin actions/checkout by commit SHA in translation-notify.yml ci
  • #47108 Org Groups children API does not return subGroupCount organizations
  • #47110 LDAP federation configuratation vendor dependent default values not visible in form ldap
  • #47114 ImmutableAttributeValidator doesn't lowercase emails when checking for changes ldap
  • #47137 Ensure org group membership checks the org the user is member of organizations
  • #47139 Performance regression when editing authentication flows after cherry-picking #46654 (realm invalidation triggers expensive role reload) core
  • #47157 Composite client role mappings endpoint is slow and degrades under concurrency with many client roles admin/api
  • #47162 Impersonation via Token Exchange fails after upgrade to KC 26.5 (form 26.3): java.lang.UnsupportedOperationException: Not supported in V2 at org.keycloak.services.resources.admin.fgap.ClientPermissionsV2.canExchangeTo( token-exchange
  • #47164 New test framework DisabledForServers annotation does not work testsuite
  • #47201 Env var default gets cut of at {} replacement login/ui
  • #47203 [OID4VCI] Small inconsistencies in some events oid4vc
  • #47221 Kiota generate client in calls github admin/client-js
  • #47251 [OID4VCI] Reduce log volume in CredentialScopeModelUtils oid4vc
  • #47271 Use of java.util.Random / Math.random() in OID4VC Nonce and Time Claim Generation oid4vc
  • #47321 [KEYCLOAK CI] - Account UI - unknown_error thrown by NetworkError account/ui
  • #47332 Missing release notes entry for OpenTelemetry span attributes location change observability
  • #47379 RetryConfig is ignored core
  • #47398 When adding a ClientProfile the Save button functionality is inconsistent admin/ui
  • #47412 Typos in docs: OpenTelementry docs
  • #47418 Agroal: Login timeout should be smaller than acquisition timeout dist/quarkus
  • #47427 New link error in documentation to facebook docs
  • #47444 Inaccuracies in client federation documentation and tooltips oidc
  • #47452 Deployed Javascript policy description not displayed in the Keycloak console authorization-services
  • #47454 Workflows editor uses proportional font instead of monospace admin/ui
  • #47473 [quarkus-next] Fix operator controller stalling after JOSDK 5.3.0 event filtering upgrade operator
  • #47495 JavaKeystoreKeyProvider generates a new random KID for symmetric keys (HMAC) on every restart or config change authorization-services
  • #47536 SCIM Authorization Bypass in User Group Management core
  • #47544 NullPointerException in OID4VCMapper when mapper configuration is missing or empty oid4vc
  • #47572 Possible NPE in DefaultKeycloakSession.getComponentProvider() core
  • #47587 [Operator CI] - Test remote - Waiting for more replicas timeout
  • #47646 Both Clusterless and Volatile-Session suites contains reference to removed test file. testsuite
  • #47675 LDAP Federation: time of the password change is not being read correctly for "389 DS/RHDS" ldap backend ldap
  • #47685 NPE when using HttpClient and enabled tracing observability
  • #47708 Failing test testNoConfigNoServerShowsV2Hint on Windows admin/api
  • #47720 Release nightly build for API docs is broken ci
  • #47753 Decorating LDAP user profile throws NPE preventing login ldap
Check out latest releases or
releases around keycloak/keycloak 26.6.0

Don't miss a new keycloak release

NewReleases is sending notifications on new releases.

Get notifications