Highlights
This release features new capabilities for users and administrators of Keycloak. The highlights of this release are:
-
Automate user provisioning with the SCIM API (preview)
-
Simplified multi-cluster high availability without external caches (preview)
-
Enhanced reverse proxy guides with blueprints for HAProxy and Traefik
-
Step-up authentication for SAML clients
Read on to learn more about each new feature. If you are upgrading from a previous release, also review the changes listed in the upgrading guide.
Security and Standards
Stronger security for the Identity Brokering API
The Identity Brokering API allows applications to retrieve tokens obtained from external identity providers during federated login. Version 2 of this API replaces the legacy V1 with a more secure and standards-compliant design:
-
Client-level authorization — access to external tokens is controlled per client using dedicated settings (Allow retrieve external tokens and an identity provider allow list) instead of assigning broker roles to individual users.
-
Confidential clients only — public clients are rejected, ensuring that only authenticated clients can retrieve external tokens.
-
OAuth 2.0 compliant — the endpoint uses
POSTand returns standard JSON responses withaccess_token,error, anderror_descriptionfields. -
Session-based token storage — a new Store token in session option keeps tokens in the user session for faster access, with automatic cleanup on session expiry. Database storage remains available for persistence across sessions.
V2 is now supported but disabled by default. V1 is deprecated but still enabled by default for backward compatibility. In a future release, V1 will be removed and V2 will become the default.
For more information, see the Identity Brokering APIs chapter in the Server Developer Guide.
Progress on Verifiable Credentials (OID4VCI) (experimental)
Verifiable Credentials (OID4VCI) allow organizations to issue tamper-proof, cryptographically signed credentials — such as employee badges, academic diplomas, or professional certifications — that users can store in a digital wallet and present to third parties without involving the issuer.
OID4VCI remains an experimental feature in Keycloak, but this release brings substantial improvements from both the core team and the community:
-
Polishing of existing functionality and improving configuration. Everything is now configurable in the admin UI in addition to the admin REST API.
-
Lots of bugs fixed. Improved specification compliance.
-
Conformance with the OpenID4VC High Assurance Interoperability Profile (HAIP). This work involves the introduction of the dedicated Keycloak experimental feature
client-auth-abcafor Attestation based client authentication (ABCA). -
Management of verifiable credentials for individual users. This involves the ability for an administrator to create a verifiable credential for a user to indicate that this user can retrieve a verifiable credential, as well as the ability for users to start issuance of a verifiable credential from the Keycloak account console.
-
Pre-authorized code grant support is still experimental and was moved to the dedicated experimental feature
oid4vc-vci-preauth-code -
Support for credential refresh interval. Administrators can now configure a separate refresh interval (
vc.refresh_interval_in_seconds) in the client scope settings that controls how often wallets must refresh the credential, independent of the credential lifetime. When not explicitly set, defaults to 7 days or the credential lifetime, whichever is smaller. This enables regular credential rotation for enhanced security while maintaining user convenience through automatic refresh using the refresh token. For more information, see the Create Client Scopes with Mappers section in the OID4VCI configuration guide. -
Documentation updated and improved
Many community members were involved in the development. Many thanks to Awambeng, Pascal Knüppel, Dominik Schlosser, forkimenjeckayang, Ingrid Kamga, Keshav Deshpande, Naman Jain, Asish Kumar, Ogen Bertrand, Oluwatobi Mustapha, Hugo Hakim Damer, rameshkumarkoyya, Thomas Diesler and Palpable for the contributions!
Cross-domain token exchange with Identity Assertion JWT Grant (experimental)
When two organizations each run their own authorization server, users often need to re-authenticate when crossing between them — even though their identity was already verified. The Identity Assertion JWT Authorization Grant (ID-JAG) solves this by allowing one authorization server to present a signed identity assertion to another, which then issues an access token without requiring the user to log in again.
Keycloak provides partial experimental support for the Identity Assertion JWT Authorization Grant. It currently implements only the receiving authorization server role, accepting ID-JAG assertions at the token endpoint and issuing access tokens in return. Other parts of the ID-JAG specification are not yet implemented, so the complete flow is not currently supported.
To try it out, start Keycloak with the feature identity-assertion-jwt enabled.
Many thanks to Yutaka Obuchi for the contribution of this feature!
Automate user provisioning with the SCIM API (preview)
SCIM (System for Cross-domain Identity Management) is a standard protocol for reading and writing identity resources such as users and groups across multiple systems. It enables organizations to automate user provisioning and deprovisioning using widely available tooling — for example, integrating with identity governance platforms, HR systems, or other identity providers.
Keycloak has SCIM APIs for managing users and groups within a realm. The implementation covers full CRUD and PATCH operations, filtering and pagination, schema extensions including the Enterprise User extension, and schema discovery endpoints.
In this release, the SCIM API is being promoted to a preview feature. In the default profile it is disabled by default; to try it out, enable the scim-api feature.
For more details, see the Managing users and groups through SCIM documentation.
Real-time security signals to downstream applications (experimental)
When a user logs out, changes credentials, or gets disabled in Keycloak, downstream applications typically don’t learn about it until the next token refresh — leaving a window where stale sessions remain active. The OpenID Shared Signals Framework (SSF) closes this gap by letting identity providers push security events to relying parties in near real time.
Keycloak can now act as an SSF Transmitter, delivering signed Security Event Tokens (SETs) to registered receivers. It supports CAEP 1.0 and RISC 1.0 event profiles with both push (RFC 8935) and poll (RFC 8936) delivery methods. Events are persisted to a durable outbox so that no signal is lost across restarts, and a cluster-aware background drainer handles retries and exponential backoff. Each realm can opt in individually, and streams, subjects, and event types are managed through the admin console and REST API.
To enable SSF, start Keycloak with the feature ssf enabled.
For more details, see the Shared Signals Framework guide.
Standardized authorization decisions with AuthZen (experimental)
Applications that need fine-grained authorization typically call Keycloak’s proprietary authorization API, coupling them to its internal model. The OpenID AuthZEN Authorization API 1.0 defines a vendor-neutral protocol between Policy Decision Points (PDPs) and Policy Enforcement Points (PEPs), enabling applications to request authorization decisions through a standard interface.
Keycloak now implements the AuthZEN Evaluation API as a PDP. Applications send evaluation requests describing a subject, resource, and action, and Keycloak returns a permit or deny decision based on its configured authorization policies. Both single and batch evaluation endpoints are available.
To enable AuthZen, start Keycloak with the feature authzen enabled.
For more details, see the AuthZen Authorization guide.
Authorize AI tools and MCP servers
The Model Context Protocol (MCP) is becoming the standard way for AI applications to connect to external tools and data sources. As MCP adoption grows, securing these connections with proper OAuth 2.0 authorization is critical.
Keycloak continues to improve its MCP authorization server capabilities. This release adds integration documentation for Claude Code as an MCP client, alongside the existing Visual Studio Code integration. Both use OAuth Client ID Metadata Document (CIMD) for dynamic client registration with PKCE-secured public client flows and localhost callbacks.
For setup instructions, see the Integrating with Model Context Protocol (MCP) guide.
Delegate access across services with Token Exchange Delegation (experimental)
In multi-service architectures, a backend service sometimes needs to act on behalf of a user at another service — for example, when a gateway delegates work to a downstream API. Standard Token Exchange handles client-to-client token swaps, but verifying that the requester is authorized to impersonate a specific user requires additional checks.
Keycloak introduces token exchange delegation as an experimental feature. It adds a new delegation parameterized scope type that validates whether the requesting user is authorized to act on behalf of the target user before the exchange is granted. The delegation scope requires user consent and is automatically reassessed on token refresh, so revoked impersonation rights take effect immediately.
To enable token exchange delegation, start Keycloak with the feature token-exchange-delegation enabled.
Step-up authentication for SAML clients
Step-up authentication allows applications to require a stronger level of authentication for sensitive operations. Previously, this capability was only available for OpenID Connect clients.
Keycloak now extends step-up authentication to the SAML protocol, enabling SAML service providers to request a specific authentication context class in their authentication requests. The feature step-up-authentication-saml has been promoted from preview to supported in this release.
For more information, see the Server Administration Guide.
Administration
Declarative client management with Admin API v2 (experimental)
Keycloak introduces a new REST API for managing OIDC and SAML clients. The new API provides strict validation, support for declarative configuration, and an accurate OpenAPI specification that enables reliable client generation. This addresses long-standing limitations of the original Admin REST API. This is the first resource in the Admin API v2, with additional resources to follow in future releases.
The API can be consumed through a Java client, an auto-generated JavaScript client, and a CLI.
The Keycloak Operator uses it to manage clients declaratively via KeycloakOIDCClient and KeycloakSAMLClient custom resources.
Enabling this feature also enables the OpenAPI specification endpoint on the management interface, which the CLI uses to adapt its commands to the connected server version.
To try it out, enable the client-admin-api:v2 feature.
For more details, see the Admin API v2 guide and the Managing Keycloak Clients operator guide. Feedback is welcome in the Client Admin API v2 GitHub Discussion.
Thanks to Robin Meese for contributing the OpenAPI endpoint on the management interface and the Java admin client, and to Sebastian Schuster for his participation in the Admin API working group and the Go client analysis.
Fine-grained delegation for organization administration
Managing organizations in Keycloak previously required the manage-realm role — a high-privilege role that grants far more access than most organization administrators need. This release introduces dedicated admin roles and Fine-Grained Admin Permissions for organizations, allowing administrators to delegate organization management without over-provisioning access.
New realm admin roles provide coarse-grained delegation:
-
manage-organizations— grants full read and write access to organizations, including creating, updating, and deleting organizations and their members. -
view-organizations— grants read-only access to organizations and their members (also requiresview-usersor Fine-Grained Admin Permissions for user visibility). -
query-organizations— grants the ability to search and list organizations without full view access, consistent with thequery-users/query-clients/query-groupspattern.
The manage-realm role continues to implicitly grant full organization management access for backward compatibility.
For per-organization granularity, organizations are now a first-class resource type in Fine-Grained Admin Permissions. Administrators can create permissions to control which specific organizations a delegated administrator can view or manage — for example, granting access to manage one organization without giving access to all organizations in the realm. When Fine-Grained Admin Permissions is enabled, organization member queries also respect user-level permissions, returning only members the administrator is permitted to view.
Automatic role inheritance through organization groups
Assigning roles to individual organization members does not scale well when an organization has hundreds of users who all need the same permissions. Organization groups now support realm and client role assignments, so administrators can assign a role once to the organization group and have it automatically appear in realm_access and resource_access token claims for all group members.
Additionally, the Organization Group Membership protocol mapper (OIDC and SAML) can include these roles within the organization claim, organized per organization, by enabling the Add group role mappings configuration option.
For more details, see the Managing organization groups guide.
Better passkey compatibility with new WebAuthn policy options
Passkeys let users sign in with biometrics or a security key instead of a password. To work correctly, the server must tell the browser whether it prefers a discoverable credential (a passkey stored on the device) or not — and the previous Yes/No option could not express the increasingly common preferred value.
The WebAuthn Policy and WebAuthn Passwordless Policy now provide a Discoverable credential option that follows the current WebAuthn specification, supporting required, preferred, and discouraged values. This improves compatibility with passkey providers such as iCloud Keychain, Google Password Manager, and 1Password. The previous Require Discoverable Credential option is now deprecated and planned for removal in a future release.
Easier realm discovery by display name search
Administrators often give realms short technical names (like acme-prod) but set a human-readable display name (like Acme Corporation). Previously, the admin console search only matched against the technical realm name, making it harder to find realms in large multi-tenant deployments.
Realm search now matches against the display name in addition to the realm name, so administrators can find realms by whichever name they remember.
Type-safe validation for parameterized scopes (experimental)
Parameterized scopes allow OAuth clients to request context-specific access — for example, project:12345 to request access to a particular project, or account:savings to scope a token to a specific bank account. Previously, the parameter value was validated only by an optional regex, making it easy to pass invalid or unexpected values.
Parameterized scopes can now define a parameter type that validates the captured value at request time. Built-in types include string, integer, boolean, username, and custom (validated against an admin-defined regex). The type is required when creating parameterized scopes with the feature enabled, ensuring that tokens always carry well-formed scope parameters.
For more details, see the Upgrading Guide.
Additional datasources may be excluded from health checks
When using multiple datasources, a failing non-critical datasource can cause the health check endpoint to report the entire deployment as unhealthy. Individual datasources can now be excluded from health checks, so optional or secondary datasources do not trigger unnecessary alerts or affect load balancer routing.
Read more about it in the Configure multiple datasources guide.
Configuring and Running
Enhanced reverse proxy guides with blueprints for HAProxy and Traefik
Running Keycloak in production requires a reverse proxy, but configuring TLS termination, certificate forwarding, and admin API security correctly across different proxies is error-prone.
The reverse proxy documentation has been significantly expanded with dedicated step-by-step guides for HAProxy and Traefik covering both TLS passthrough and re-encrypt modes, and also explain the concepts so they can be applied for other proxies as well.
For more details, see the Using a reverse proxy guide.
Simplified multi-cluster high availability without external caches (experimental)
The existing multi-cluster setup for Keycloak requires deploying and managing an external Infinispan cluster for cross-site session replication, along with vendor-specific fencing infrastructure for automated failover. This adds significant operational complexity and limits deployments to specific environments.
Multi-cluster v2 removes the external Infinispan requirement entirely. Keycloak instances connect directly to each other using embedded Infinispan caches and rely on the synchronously replicated database as the single source of truth. Cache invalidation across sites is handled through a database-backed outbox pattern. The load balancer can detect the downtime of a site without requiring external fencing infrastructure.
To enable this setup, start Keycloak with the feature stateless. For architecture details and a deployment blueprint, see the Multi-cluster deployments (v2) guide.
Keycloak Operator kustomize installation
Installing the Keycloak Operator on vanilla Kubernetes clusters previously required downloading and applying individual manifest files, making upgrades and customization harder to manage. The Operator can now be installed using kustomize, providing a declarative and reproducible installation method.
For installation instructions, see the Operator Guide.
Cluster-wide install mode for the Keycloak Operator (preview)
Organizations running multiple Keycloak instances across different Kubernetes namespaces previously needed to install a separate Operator in each namespace. The Keycloak Operator now exposes AllNamespaces as a supported OLM install mode, allowing a single Operator instance to reconcile Keycloak custom resources across all namespaces in the cluster. For non-OLM installations, cluster-wide deployment is available through the cluster-wide kustomization overlay.
Cluster-wide installation is in preview. For installation instructions and limitations, see the Operator Guide.
Upgrading
Before upgrading refer to the migration guide for a complete list of changes.
All resolved issues
Security fixes
- #49427 [CVE-2026-9796] Admin role rename TOCTOU bypasses checkAdminRoles — realm-wide escalation from manage-clients
admin/rbac - #49430 [CVE-2026-9689] HTTP Parameter Pollution in OIDC redirect URI allows response parameter duplication
oidc - #49432 [CVE-2026-9798] CIBA authentication flow bypasses brute-force account lockout
oidc - #49766 [CVE-2026-11986] FGAP v1 allows unassigning any role
admin/fine-grained-permissions
Weaknesses
- #48717 SAML Identity Provider settings in the Admin UI are not asking for signatures by default
identity-brokering - #49137 Welcome page admin bootstrap bypasses local-only check when behind a same-host proxy without forwarding headers
admin/api - #49215 JWT Authorization Grant: namespace jti cache keys and reorder signature verification
oidc - #49312 Organization group members endpoint does not check Users permission
organizations - #49605 Member's organizations endpoint missing per-org FGAP filtering
organizations - #49660 OID4VCI: Missing disabled-client check in PreAuthorizedCodeGrantType
oid4vc - #49838 SD-JWT: Array index shifting in SdJwtVerificationContext leaves undisclosed placeholders in verified payload
oid4vc - #49920 WebAuthn: sign counter updated to stored+1 instead of assertion value
authentication/webauthn - #49921 WebAuthn: challenge not consumed after assertion validation
authentication/webauthn - #49922 FreeMarker: deprecated no-arg Configuration constructor pins engine to legacy 2.3.0 defaults
admin/ui - #49961 Themes: FolderTheme.getTemplate() missing path-containment check
account/ui - #50074 SSF admin endpoint: missing client-level authorization check exposes push delivery secret
ssf - #50316 Use constant-time comparison when validating OTP codes
authentication - #50460 SSF push URL allow-list bypass via authority-attached wildcard
ssf - #50464 SAML Step-Up: Over-achieved LoA collapses AuthnContextClassRef to AC_UNSPECIFIED on SSO re-entry
saml - #50466 SAML Step-Up: Three robustness issues in LoA mapping and classRef selection
saml - #50481 Cacheless: JpaSingleUseObjectProvider.putIfAbsent() missing lifespan validation present in put()
- #50482 Cacheless: Root authentication session lookup uses assert-only realm check — no-op in production
- #50483 Cacheless: LoginFailureExpirationAction compares milliseconds vs seconds — rows never reaped
- #50488 HAProxy guide: Missing unconditional del-header for Client-Cert before conditional set-header
- #50491 Client API v2: Operator secretRef resolves arbitrary Secrets without ownership validation
admin/api-v2 - #50494 Client API v2: Operator prefers HTTP over HTTPS when both are enabled
admin/api-v2 - #50534 Identity Broker v2: Internal exception message reflected in /token error response
oidc
Removed features
- #44013 Deprecate the Twitter IDP implementation due to old twitter4j library
identity-brokering - #48104 Remove support for token-exchange-external-internal:v2
token-exchange/federated - #49270 Remove the batching option for the persistent sessions
New features
- #9686 Store the Dynamic Scope parameter to avoid showing the Consent Screen every time there's an authentication
- #20128 Add support for `reencrypt` OpenShift Routes to the Operator
operator - #22042 More flexible imports in custom theme (i.e. CSS media queries)
account/ui - #35650 Compatibility profiles
- #44317 [OID4VCI] Add a client policy to require a credential offer
- #46543 Step-up authentication for SAML - supported
authentication - #48623 Make the admin client, from the admin-ui more easy to use
Enhancements
- #9915 Make the consent screen text for dynamic scopes customizable with a reference to the dynamic scope parameter
- #10696 Improve WebAuthn tests documentation
testsuite - #12223 Dynamic scopes: requested scopes get mixed up between token requests
oidc - #17758 [UX Review] Optimize the number box in the Time-policy creation page of client Authorization
admin/ui - #17762 [UX Review] Optimize the initial page of Keys in OIDC client
admin/ui - #17770 Remove unnecessary conditions from code
admin/ui - #17771 Caught errors should have the correct type associated with them
admin/ui - #22229 UI should prevent admins from defining a dynamic client scope with type Default
oidc - #24436 Account API - "/applications/{clientId}/consent" : Provide option to get enhanced ConsentScopeRepresentation
account/api - #24823 Adding client_id as prefix in client roles mapper
core - #26602 Allow user search by direct lookup via username and email
- #26699 Nested group members from Active Directory are not showing in Keycloak groups
ldap - #29558 Best practices for detecting support for Passkeys - support for isUserVerifyingPlatformAuthenticatorAvailable()
authentication/webauthn - #30328 Add ability to inspect generated SAML response for SAML Clients with client scope mappings
saml - #31641 Implement organization-specific admin roles with limited permissions
organizations - #32527 Provide default krb5.conf in Docker image or extend migration docs
docs - #34104 Improve robustness of backchannel logout with client sessions
- #38632 README.md Other Keycloak Projects
- #40026 Support subdomain matching for Organizations in IdP redirect logic
- #41164 Redirection Endpoint should be validated not to include a hash in the URL
oidc - #42513 Set residentKey instead of requireResidentKey in Webauthn creation request
authentication/webauthn - #42883 FIX multiple LDAP failover & document the possibility of having multiple LDAP URLs in LDAP provider
- #43955 Cluster-wide Operator MVP
- #45104 Add native "Remember Me" support to WebAuthn/Passkey Authentication Flows
login/ui - #45292 Search realms by "Display name" in the "Manage realms" view
admin/ui - #45295 Improve client authentication flows
authentication - #45497 Introduce granular roles for Organization management (manage-organizations, view-organizations)
organizations - #45866 Customize SAML service provider metadata
- #45900 Support multiple organization scopes in OIDC token requests
organizations - #46435 Good database instructions for a production ready Keycloak setup
- #46740 Prevent ASCII control characters in query parameters
- #46903 A User belonging to multiple organization should be allowed to change his organization choice during login
organizations - #46959 Enhance WebAuthn Conditional UI to auto-trigger passkey modal on page load
authentication/webauthn - #46981 Support experimental cluster-wide operator installation by using kubectl
operator - #47174 MySQL/TiDB: Configure DB socket timeouts on the fly during connection creation phase
dist/quarkus - #47284 Introduce ORGANIZATIONS resource type in Fine-Grained Admin Permissions
admin/fine-grained-permissions - #47314 Token Exchange with sender constrained tokens missing cnf claim
oidc - #47327 Support mapping existing Realm and Client roles to Organization Groups
organizations - #47330 Document provided ProtocolMapper implementations
docs - #47356 Enhancement: Improve the performance of loading large password blacklists
- #47383 Add example for health check when using HTTPS
- #47431 Organization feature will only show linked IDPs if the user has already one linked
organizations - #47542 Use client-side Streaming for admin api v2 in the Java client
- #47762 Enhance quick-theme .jar generation.
admin/ui - #47851 OrganizationGroupMembershipMapper should support configurable token claim name
organizations - #47951 Add Vietnamese (vi) as a translation
translations - #47960 Add CLI options for mTLS database connections
- #47963 Update tested configurations for single- and multi-cluster to the recent OpenShift version
- #48053 Allow db-connect-timeout to be used for all datasources
dist/quarkus - #48059 Safeguard against wrong PID in containers
dist/quarkus - #48088 When a group is granted a role, it should not read all existing role mappings from the database
core - #48098 Expose hidden management options
- #48338 Add details to AdminEvent in UserResource.removeCredential
core - #48393 [CIMD] Document the existing query-string defense on the MCP Authorization Server docs page
- #48420 Upgrade `webauthn4j` to 0.30.3
authentication/webauthn - #48445 Enable passkeys configuration does not follow best UX
authentication/webauthn - #48539 Update WebAuthn Metadata service data
authentication/webauthn - #48540 Support icons for Passkeys credentials
authentication/webauthn - #48557 Show Groups tab in the account console when user is part of any group
account/ui - #48588 Fine Grained Authorization v2 : does not work PUT https://i/admin/realms//admin-permissions/groups/
admin/fine-grained-permissions - #48730 DB documentation doesn't state on how to check the transaction isolation for MSSQL
- #48755 User deletion latency grows with Infinispan session-cache fill level / size
infinispan - #48863 Include kid in details of CLIENT_LOGIN event of Signed JWT Client Authentication
- #48892 SSF: Track if stream was created by Keycloak or ssfReceiver
ssf - #48893 SSF: Remove "audience" field from create stream form
ssf - #48962 Add suggestions when features are incorrectly specified
dist/quarkus - #49037 Expose multi-namespace install modes
- #49040 Make `AbstractJWTClientValidator` / `FederatedJWTClientValidator` methods `protected` for extensibility
- #49177 Remove explicit --shutdown-timeouts configuration from proxy example configurations
- #49235 SSF: Move Push timeout settings to SSF Receiver tab
ssf - #49248 Consider additional datasources in health checks
- #49348 Ensure proper management of thread-bound resources.
- #49372 Unify buttons in horizontal layout for Login UI
login/ui - #49378 Login page title should use full width when locale selector is hidden
login/ui - #49424 Include subject to email template attributes
- #49453 Persistent sessions should be written as part of the original main transaction where possible
infinispan - #49469 Stateless mode: store volatile session data in the database
- #49491 Full user representation when querying organization members
organizations - #49573 Attribute for clients scopes to always require consent
token-exchange/subject-impersonation - #49608 Correct themes README
- #49645 Organization member read endpoints should document parent-gated org-level authorization contract
organizations - #49711 [Login UI] Improve credential selector layout
login/ui - #49757 Reverse proxy docs: should not proxy master realm
docs - #49873 How to thread dump with and without virtual threads
observability - #49947 Add OIDF conformance tests to CI
oidc - #49988 Docs should describe on how to detect if a graceful shutdown was successful
docs - #50050 SSF: Handle disabled SSF Receiver client
ssf - #50087 Generate queryable fields documentation from code
docs - #50134 Refresh client data after invalidating rotated secret in Credentials tab
- #50261 MCP Documentation for 26.7
- #50327 Improve OAuth Identity and Authorization Chaining Across Domains guide
- #50369 Composite-role expansion does an N+1 of `getChildRoles` queries (each with an auto-flush) that dominates Keycloak CPU on the cache-miss path
core - #50467 Prevent DoS when using complex filter conditions
workflows - #50476 Retarget quarkus-next to Quarkus 3.x branch after main switched to 4.0
Bugs
- #12142 IdP backchannel logout does not work with session id in logout
oidc - #20649 "Not username" and "Not email" options when creating/changing a password, should ignore letter case when comparing password to email or to username
authentication - #27431 New clients have a JavaScript default policy configured which causes problems on export/import
authorization-services - #32124 Backchannel logout notification client for Update_Password AIA is not having all the session ids
authentication - #33204 Identity Providers are missing from the login page if I request a reset password for an existing user
login/ui - #35104 Timestamp overflow in client secret rotation feature leads to next refresh time being set to the past
core - #37355 Web Crypto API not available in `login-status-iframe.html` when using admin console from insecure context
oidc - #38124 High values for client secret expiration result in expiration dates in the past
core - #40603 Account UI reports "Something went wrong" if user doesn't have permissions to view applications
account/ui - #44591 Terms and Conditions Accepted Timestamp
user-profile - #44620 Possible data loss when scaling Keycloak StatefulSet down (on Kubernetes)
infinispan - #44741 Device activity does not recognize iOS 26 correct
account/ui - #45420 [OID4VCI] Wrong typ value for SD-JWT VC
oid4vc - #45494 ScrollForm navigation does not update active section on click or scroll
admin/ui - #45568 Pending auth flow waiting for email verification succeeds even after password reset - providing room for pre-account takeover attacks
authentication - #45716 Problem with Standard Token Exchange with Dynamic Scopes feature enabled (Wrong default scopes)
token-exchange - #46083 "Full scope allowed" toggle reverts to previous state when switching between Scope and Mappers tabs in Dedicated scopes
admin/ui - #46088 Newly created resource appears on both current and next page in Authorization Resources tab
authorization-services - #46132 profile scope causes NumberFormatException
oidc - #46172 Issues when deleting several realms at the same time
admin/api - #46463 Input field for device user code is badly formatted
login/ui - #46634 Brute force detection counter does not work properly
authentication - #46742 Keycloak makes network requests to addresses in login certificates before verifying them
authentication - #46926 PAR endpoint enforces “Request Object Required” and expects request_uri
oidc - #46954 ClearExpiredEvents job crashes app and locks DB when EVENT_ENTITY Table has large amount of records
admin/ui - #46978 Document / validate .conf extension is required for --config-file option
dist/quarkus - #47017 Remember me does not work when organization scope is enabled on login session.
authentication - #47046 [OID4VCI] Credential definition type should include VerifiableCredential
oid4vc - #47061 Duplicated flows can have illegal characters in step name
authentication - #47202 DefaultLocaleUpdaterProvider: KEYCLOAK_LOCALE cookie not set for READ_ONLY federated users
ldap - #47274 [OID4VCI] Option 'Pre-Authorized code lifespan' should be renamed
oid4vc - #47294 Use SecureRandom instead of Random for D-Bus cookie generation in SSSD federation
authentication - #47341 Updating client scope fails if it was saved while the dynamic scopes feature was active in the past
oidc - #47386 [OID4VCI] TokenResponse requires credential_identifiers in authorization_details
- #47421 Flaky test: org.keycloak.testsuite.model.session.OfflineSessionPersistenceTest#testPersistenceMultipleNodesClientSessionAtSameNode
ci - #47432 The cancel button in the custom UiTabProvider encounters an issue where it redirects to an incorrect URL and triggers an error.
admin/ui - #47477 Flaky test: org.keycloak.testsuite.forms.AuthenticatorSubflowsTest2#testSubflow2
ci - #47499 Maven windows wrapper trips over whitespace in pathname for setup
dependencies - #47500 Build Quarkus snapshots in quarkus-next workflow
ci - #47513 Review JwtProofValidator
oid4vc - #47523 The name "master" seems to be hard-coded in places and thus breaks KC_SPI_ADMIN_REALM
admin/ui - #47545 Keycloak ships source maps for Admin UI and Account UI
account/ui - #47560 Missing default value for max parameter in the Admin REST APIs docs
docs - #47659 SRCFG01008 warning in source Quarkus dev mode when kc.log-console-output=default (not reproducible via packaged kc.sh)
dist/quarkus - #47681 Log Injection and Audit Forgery in OIDC Authorization Endpoint (client_id parameter)
oidc - #47700 Duplicate entries created in Role Attributes during concurrent setSingleAttribute calls
storage - #47710 updated popover when there is no change
admin/ui - #47733 Able to update Identity Provider alias via admin console and API
admin/api - #47750 cache-embedded-mtls-enabled maps to a build time property, but is a runtime option
dist/quarkus - #47832 Flaky test: org.keycloak.testsuite.model.session.OfflineSessionPersistenceTest#testPersistenceClientSessionsMultipleNodes
ci - #47833 Flaky test: org.keycloak.testsuite.model.session.UserSessionPersisterProviderTest#testUserRemoved
ci - #47834 Flaky test: org.keycloak.testsuite.model.session.UserSessionPersisterProviderTest#testExpirationDistribution
ci - #47835 Flaky test: org.keycloak.testsuite.model.session.UserSessionProviderOfflineModelTest#testOfflineSessionLazyLoadingPropagationBetweenNodes
ci - #47898 [OID4VCI] Default client scopes not configured correctly
- #47914 Declarative UI: Avoid silent failure to add path params
admin/ui - #47923 account-console client can be deleted despite being a built-in internal client
admin/api - #47925 Flaky test: org.keycloak.testsuite.model.session.AuthenticationSessionTest#testConcurrentAuthenticationSessionsRemoval
ci - #47958 Admin UI Test is logging to the console
admin/ui - #47966 Client admin v2 API: service account role management fails for client roles
dist/quarkus - #47967 Generated openapi.yaml drifts on incremental builds
dist/quarkus - #47970 JDBC_PING2 will stall when in a two-node-split-brain one node dies
infinispan - #47978 Flaky test: org.keycloak.testsuite.model.session.UserSessionInitializerTest#testUserSessionPropagationBetweenSites
ci - #47979 Flaky test: org.keycloak.testsuite.model.session.UserSessionProviderOfflineModelTest#testOfflineSessionLazyLoading
ci - #47990 Flaky test: org.keycloak.testsuite.model.session.AuthenticationSessionTest#testConcurrentAuthenticationSessionsCreation
ci - #47993 Docs: directory of keycloak-database-update.sql file
import-export - #48014 [OID4VCI] credential_offer_uri can only be consumed once
- #48024 Relax Client ID validation for the Signed JWT - Federated (Kubernetes Service Accounts)
oidc - #48035 [OID4VCI] Self-Signed x5c Bypasses Key Attestation Validation
oid4vc - #48044 OID4VC QR Code Unbounded Dimensions DoS
oid4vc - #48084 Admin console localizate realm name
admin/ui - #48119 Flaky test: org.keycloak.testsuite.broker.KcOidcBrokerTest#loginWithExistingUserWithBruteForceEnabled
ci - #48120 Flaky test: org.keycloak.testsuite.model.session.UserSessionProviderModelTest#testCreateUserSessionsParallel
ci - #48121 Flaky test: org.keycloak.testsuite.model.session.UserSessionProviderModelTest#testStreamsMarshalling
ci - #48129 Stabilize Operator CI in quarkus-next
ci - #48137 Unhandled NullPointerException on Keycloak Server via GET parameter "key" with unsigned JWT
oidc - #48173 Maven cache is never extracted on Azure/Aurora VMs
ci - #48206 Registration with email verification - corner case scenario for pre-account takeover
authentication - #48230 Flaky test: org.keycloak.testsuite.model.session.OfflineSessionPersistenceTest#testPersistenceMultipleNodesClientSessionsAtRandomNode
ci - #48284 UiPageProvider components not refreshed on page change
admin/ui - #48357 Restore Quarkus snapshot cache in unit-test-setup for quarkus-next
ci - #48366 OpenAPI spec key reordering on incremental builds
dist/quarkus - #48392 Migration fails for organization admin roles with LazyInitializationException
organizations - #48412 Add option to specify the CA Subject DN in the Client X.509 Authenticator
authentication - #48428 Keycloak issues tokens via implicit and hybrid flow when DPoP is enforced for the client
oidc - #48441 Flaky test: org.keycloak.testsuite.model.singleUseObject.SingleUseObjectModelTest#testCluster
ci - #48442 Flaky test: org.keycloak.testsuite.model.user.UserModelTest#testAddRemoveUserConcurrent
ci - #48443 Flaky test: org.keycloak.testsuite.model.session.AuthenticationSessionTest#testAuthSessions
ci - #48446 Flaky test: org.keycloak.testsuite.authz.PolicyEvaluationTest#
ci - #48456 Account Console v3: Cannot revoke consent for clients with URL-based or special character clientIds (Regression of #19515)
account/ui - #48458 Read-only multivalued user profile attributes are not grayed out in the account console
user-profile - #48459 Role update failes when no name is set
admin/api - #48487 Improper Authentication for required actions allows front-channel token issuance for disabled user in implicit/hybrid flow
oidc - #48514 Permission issue prevents user with manage-identity-provider role to access "realm roles" list when adding hardcoded role mapper
admin/ui - #48559 [quarkus-next] Model tests fail due to ByteBuddy removal from Hibernate runtime classpath
dist/quarkus - #48561 Quarkus UT (windows-latest) cancelled when ubuntu variant fails
ci - #48566 Admin console assets 404 in 26.6.x: quay.io/keycloak/keycloak:26.6 ships /opt/keycloak/data/tmp as root:root 0755, blocking gzip cache creation
dist/quarkus - #48589 Test framework startup timeout is ignored in DockerKeycloakDistribution
testsuite - #48592 Keycloak does an LDAP query with service account UUID when a token from a service account is used for obtaining a Requesting Party Token from a client with Authorization services
authorization-services - #48593 Management endpoint doesn't pick up HTTPS truststore
dist/quarkus - #48594 [quarkus-next] Aurora CI fails with missing quarkus-bom:999-SNAPSHOT on remote EC2 VM
storage - #48598 HttpDistTest.maxQueuedRequestsTest fails on runners with limited vCPUs
ci - #48610 Neither `INVITE_ORG` nor `REGISTER` event is triggered when a new user is invited to an organization
organizations - #48611 Docs: server_admin/topics/overview/how.adoc SAML 2.0 link is broken
saml - #48634 Verify Email gets added to all the users in the realm and blocks getting a REST Token
authentication - #48645 `ORGANIZATION_MEMBERSHIP` event with `ACTION` operation is missing `representation` and `detail` fields
admin/api - #48647 Flaky test: org.keycloak.testsuite.forms.RPInitiatedFrontChannelLogoutTest#testFrontChannelLogoutWithoutSessionRequired
ci - #48654 OrganizationProvider.count() used for existence checks causes severe database lag with large realms
organizations - #48666 User Storage Task sync event can lead to deadlocks and outdated information
storage - #48680 Realm display name localization placeholder is not expanded when resolving OTP issuer name
authentication - #48721 Introspect endpoint returns "invalid_request" instead of "invalid_client" on client authentication failure (RFC 7662)
oidc - #48749 Prevent setting different than default decisionStrategy for FGAP
admin/fine-grained-permissions - #48771 Identity Provider detail settings allow saving without changes
admin/ui - #48812 AutoUpdate force recreate
operator - #48834 NPE in `OrganizationGroupMembershipMapper` when no `organization` scope is requested
organizations - #48862 Flaky test: org.keycloak.testsuite.broker.OidcAdvancedClaimToGroupMapperTest#mapperStillWorksWhenTopLevelGroupIsConvertedToSubGroup
ci - #48868 OIDC bearer-only legacy clients lose client secret after updating basic attributes (name/description) on Keycloak 23
oidc - #48882 Save button on "Create organization" page is not enabled when name is pasted from clipboard
admin/ui - #48903 Regression: forced organization validation in 26.6 even without taking Organizations feature into use
organizations - #48917 Missing locale keys in Organization Membership protocol mapper
admin/ui - #48920 Test framework startup timeout is hardcoded to 5 minutes
testsuite - #48949 JS CI is failing in the Admin UI lint check
admin/ui - #49026 Admin UI: Enter key does not trigger search in Organization Members, Invitations, and User Organizations
admin/ui - #49057 Migration-strategy=manual bypasses DBA workflow for custom providers (re-opening #36525)
dist/quarkus - #49063 Authorization Evaluate results page hides the last resource behind the action bar
authorization-services - #49069 Missing and incorrect permission checks on organization invitation endpoints
organizations - #49083 Error while removing expired entries from database
storage - #49139 Starting FIPS mode in 26.6.1 fails with NoSuchAlgorithmException
core - #49146 Quick theme login style broken
admin/ui - #49176 SCIM: Incorrect location URL
scim - #49180 Unable to easily provide full certificate chain with HaProxySslClientCertificateLookup
authentication - #49185 HttpResponse.setStatus is not generally usable
- #49189 LDAP: objectGUID binary attribute not converting to Base64/String in version 26.6.1 and 26.6.2
ldap - #49192 Compilation error because of setSystemPropertyOnServer
testsuite - #49249 Deprecate KeycloakContext.getRequestHeaders
- #49250 SSF: auto-notify-on-login fails with ReadOnlyException for users from a read-only LDAP federation
ssf - #49255 PAR authorization request with prompt=create does not open registration page
oidc - #49256 Oracle database ignores db-url-properties
dist/quarkus - #49257 Identity provider broker callback returns HTTP 502 for client-side input validation failures (missing state, missing code)
identity-brokering - #49267 JPA exception mapper swallows some intermediate exceptions
dist/quarkus - #49272 ReadOnlyAttributeUnchangedValidator.isUnchanged() does not handle omitted read-only attributes
user-profile - #49310 Backoff retry does not honor the timeout
core - #49342 Client secret rotation feature. Client Secret and Secret Rotated are always the same
oidc - #49388 Dynamic scopes do not work with CIBA
oidc - #49441 mutual-tls guide references wrong option
docs - #49451 UI allows invalid role-ldap-mapper configuration when "Use Realm Roles Mapping" is enabled together with Client ID selection.
admin/ui - #49452 Admin UI: Workflows menu link visible to users without sufficient permissions to use it
admin/ui - #49456 [CIMD] secure-redirect-uris-enforcer is not enforced for CIMD public clients during authorization requests
oidc - #49457 [CIMD] Client policy executor auto-configuration is not applied when a public client is created through CIMD
oidc - #49481 admin-client: TokenResponse.expiresIn typed as string but Keycloak returns a number
admin/client-js - #49490 [SAST] Dead local stores (Batch 2)
core - #49495 [SAST] Unchecked negative value in `readInteger()`
authorization-services - #49517 French translation for credentials related events are incorrect
translations - #49550 MySQL migration fail due to group replication enforcing PK for `CREATE TABLE ... AS SELECT`
storage - #49571 FilterUtils.unescapeJsonString() incorrectly decodes escaped backslash sequences
scim - #49575 [OID4VCI] Account console "Issue to Wallet" does not work when scope-name different than credential-config-id
account/ui - #49577 Azure/Aurora "Upload flaky tests" fails with 409 Conflict on duplicate artifact name
ci - #49612 keycloak-admin-client logs errors to the console in fetchWithError
admin/client-js - #49644 ExportImportTest is unstable in the windows tests
testsuite - #49674 Deleting admin-permissions client via v1 Admin API returns unknown_error instead of descriptive validation error
admin/fine-grained-permissions - #49702 UserSelect component limits the search results during autocompletion lookup
authorization-services - #49718 FreeMarkerLoginFormsProvider: handleThemeResources called twice per request due to getMessage() in createCommonAttributes
login/ui - #49720 Organization managed users should not be allowed to link other idps from the account console
identity-brokering - #49723 FIPS tests are broken in CI
testsuite - #49730 `--features=cimd` should add `none` to token_endpoint_auth_methods_supported
oidc - #49732 26.6.2 upgrade: `Cannot invoke "org.keycloak.authorization.model.Resource.getScopes()" because "resourceTypeResource" is null`
dist/quarkus - #49742 Simplified/ Traditional Chinese is displayed twice in locale selector
translations - #49762 NPE in MgmtPermissions.isRealmAdmin() when using AdminPermissions.evaluator() with FGAP V2 enabled
admin/fine-grained-permissions - #49793 OIDC: Client secret generation should ensure sufficient entropy for all configured HMAC signature algorithms
oidc - #49830 26.6.x upgrade runs unbounded OFFLINE_CLIENT_SESSION REALM_ID backfill, blocking startup on large data sets
storage - #49841 SCIM: ServiceProviderConfig endpoint returns filter.maxResults: 0 instead of 100
- #49847 SCIM endpoint returns 500 instead of 404 for unknown resource types
scim - #49869 Fix KcAdmV2EditCLITest.testEditNonExistentResource assertion when client is not found
admin/cli - #49908 Admin Console sessions page fails with unknown_error when federated user is deleted while an active session still exists
storage - #49909 Invalid token at openid connection client registration results in 500 instead of 401
authentication - #49952 TokenManager.isValidScope overload ignores provided AuthorizationRequestContext (incomplete #49388 refactor)
token-exchange - #49960 Brute-force detection: Authenticated session token refresh resets lockout counter
authentication - #49969 UserInfoEndpoint throws NullPointerException (HTTP 500) for JWTs with null or missing alg header
oidc - #49972 SSF Stream empty state shows extra text and refresh button
admin/ui - #49973 SCIM endpoint returns 500 instead of 401 for unauthenticated requests
scim - #49978 Kubernetes identity provider does not use documented default issuer
- #50014 Binding authentication flow leads to "flow.undefined" showing in admin ui
authentication - #50039 Creating a client with empty `redirectUris` or `webOrigins` causes ORA-01400 (NULL insert) on Oracle database
core - #50054 Warning of deprecated feature enabled
dist/quarkus - #50063 Unable to invite user to organization when their email is a substring of an already-invited email
organizations - #50092 Events search type filters don't filter while typing
admin/ui - #50128 kcw: line 109: cd: /home/myuser/Downloads: No such file or directory
- #50136 StackOverflowError when trying to reset Password of OrganizationUser with FGAP
authorization-services - #50139 Client Secret Rotation docs incorrectly mark feature as experimental instead of preview
docs - #50175 `KcAdmV2ClientCLITest#testListClientsWithFieldsProjection` is failing as query param cannot be exploded anymore
admin/cli - #50177 SAML client creation fails with "Error creating X509v1Certificate" when Client ID contains URL query string characters
saml - #50191 Admin UI dynamic Group provider config crashes without GroupsResourceContext in 26.6.3
admin/ui - #50195 Admin UI E2E realm-settings/general.spec.ts "realm enable/disable switch" failure
testsuite - #50201 LDAP user federation re-binds the service account on every operation since 26.6.0 (connection pool not reused)
ldap - #50268 `TokenManager#invokeTokenPostProcessors` doesn't respect `ProviderFactory#order`
oidc - #50286 ConcurrentModificationException reading client-registration policy config under parallel client registration
oidc - #50291 PathMatcher.buildUriFromTemplate throws StringIndexOutOfBoundsException for a template with an unclosed brace
authorization-services - #50300 TimeSelector clears input and switches units when value is 0 in Admin Console
authentication - #50308 NumberFormatException for PAR request URI lifespan
admin/api - #50353 Broken reference in rolling updates guide
docs - #50380 Workflow state removeAll() deletes records across all realms on realm removal
workflows - #50439 Base2 testsuite (new) often fails with timeout
ci - #50484 [quarkus-next] Config interceptors create SmallRyeConfig during test bootstrap causing ServiceConfigurationError
dist/quarkus - #50500 User Attribute mapper clears the value when custom attribute is selected
admin/ui - #50515 Kotlin jars are included unnecessarily in the server assembly
dist/quarkus - #50582 Keycloak 26.x Operator Fails to import a realm if the maxSecondaryAuthFailures field is present
- #50633 web-crypto-shim does not work after upgrade to uuid 14
authentication - #50712 Source and javadoc jars not generated
core