keycloak-js 26.1.0

on Node.js Yarn

Highlights

darkMode=false

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

New features

• #24992 Allow more extensive Override of BackchannelAuthenticationCallbackEndpoint core
• #25006 Use optional realm attribute for authenticationrequest parameter max size/number validation configuration
• #26178 Support dark mode, at least for the login pages login/ui
• #26466 Operator support for setting default value of `http-pool-max-threads` operator
• #27736 Used encrypted JGroups connection by default in Operator deployments operator
• #29399 JDBC_PING2 as default discovery protocol
• #32135 Option to specify trusted proxies dist/quarkus
• #32488 Enabling authorization_details for client grant tokens until RAR is fully implemented
• #33043 Provide missing user event metrics from aerogear/keycloak-metrics-spi to a keycloak mircometer event listener
• #34957 Ability to specify log category levels through separate options dist/quarkus
• #35110 Enhance WebAuthn registration to support custom FIDO2 origin validation
• #35231 Ability to reject authentication to users without 2FA configured authentication
• #35639 Allow users to specify the start page of a custom account-console theme account/ui
• #36081 Authentication flow condition for client scope authentication

Enhancements

• #10138 Align admin console for client for backchannel and frontchannel logout oidc
• #10701 AuthenticationRequest add "create" prompt for sign-up oidc
• #13852 js adapter just sets error to true upon error updateToken adapter/javascript
• #16545 Additional authorization request parameters shouldn't be limited to 5 and shouldn't be discarded silently oidc
• #16884 Support to enforce LoA in authentication flow for a client (Step-up) authentication
• #17014 Allow custom message for brute force temporary lockout authentication
• #23805 H2 Database should be opt-in and well-documented storage
• #23881 Prevent "lost replace" in InfinispanAuthenticationSessionProvider storage
• #26780 Maximum 100 resources with same URI checked when requesting permissions by URI authorization-services
• #29511 Allow to restrict ProviderConfigProperty input to int values
• #29570 Generalize or remove stack trace information found in error message exception handling
• #29859 Keycloak native verification of an SD-JWT based vp_token oid4vc
• #31764 Run tests with original `keycloak` login theme in nightly
• #31842 Allow to create certificates for provider-keys authentication
• #32092 OTEL: Add Keycloak CR support for Tracing options operator
• #32094 OTEL: Apache HTTP client OpenTelemetry instrumentation
• #32110 [Documentation] - Configuring trusted certificates - Fully specify truststore path dist/quarkus
• #32114 OTEL: Instrument parts of Keycloak with OTEL spans
• #32152 Clarify the behaviour of multiple Operator versions installed in the same cluster operator
• #32657 Readonly profile attribute profile has unwanted not translated placeholder account/ui
• #32773 [OID4VCI] Migrate Verifiable Credential Definitions from Client Attributes to Realm Level Attributes oid4vc
• #33203 Explicitly document that the Operator does not create an Ingress for Admin URL operator
• #33233 Add ui to override patternfly colors and logo
• #33275 Better logging when error happens during transaction commit storage
• #33484 Consolidate the logic for determining a local address core
• #33492 Remove retry in LoginPage.resetPassword testsuite
• #33496 Add CopyToClipboardButton to UserID in Admin UI
• #33498 Expose membership type in the Admin UI for organization members admin/ui
• #33559 Add an example nginx reverse proxy configuration
• #33569 Show User Events on dedicated tab on Client-/User-Details
• #33605 Add a reference to http-enabled in TLS/SSL setup
• #33646 Upgrade Infinispan to 15.0.10.Final
• #33651 Utilise `jdbc-ping` TCP based JGroups stack as default for non-operator Keycloak deployments
• #33678 Make createWebAuthnRegistrationManager protected to allow cutomizations in subclasses authentication/webauthn
• #33702 Prevent Keycloak from starting with wrong `work` cache configuration
• #33717 Create a new base login theme
• #33821 Add switch to disable dark mode
• #33932 Background SQL statements show without a connected trace dist/quarkus
• #33939 Enable virtual threads in Infinispan and JGroups by default
• #34026 Update KEYCLOAK_SESSION cookie to not have sessionId in plain-text authentication
• #34027 Sign the AUTH_SESSION_ID cookie value authentication
• #34091 Username Form should support autocomplete login/ui
• #34137 Standardize error messages from client and server in login theme (keycloak.v2) login/ui
• #34253 Deprecate other transport stacks (ec2, azure, google)
• #34265 Add JDBC_PING2 stacks for both TCP and UDP
• #34284 Keycloak-admin-client should work with the future versions of Keycloak server admin/client-java
• #34315 Update the Keycloak CPU and Memory sizing guide to reflect the new ec2 workder nodes
• #34330 Delete Openshift 3.x identity provider
• #34351 Support for the Croatian language
• #34380 Remove remaining table USERNAME_LOGIN_FAILURE from the jpa UserSessionProvider times
• #34382 Make the organization chapter of Server Admin guide available on downstream
• #34386 Some dynamic imported functions are also statically imported making bundling them in-efficient
• #34393 Improve build time of the js module
• #34524 Add ability to enable support for Verifiable Credentials per Realm account/ui
• #34536 Make cache-remote-host available when feature multi-site or cache-embedded-remote-store is enabled
• #34570 Make documentation more clear that keycloak javascript adapter and node.js adapter are OIDC docs
• #34583 Microsoft login - add prompt param configure
• #34630 Avoid multi-release and java16 specific sources in the core module oidc
• #34640 Update certain email templates for password recovery to match English translation format
• #34658 Document network ports for Keycloak clustering
• #34659 [Operator] Enhance the Keycloak Operator with Network Policies operator
• #34695 Allow custom OIDCIdentityProvider implementations to specfiy the supported token types identity-brokering
• #34711 OTEL: Provide Tracing SPI
• #34755 Disable trim_trailing_whitespace in editorconfig to reduce noise in PRs
• #34760 Improving the error message when failing to query an LDAP provider ldap
• #34804 Allow a request object by considering a clock skew for smooth interoperability oidc
• #34805 Allow a JWT client assertion by considering a clock skew for smooth interoperability oidc
• #34848 Too many exceptions created when validating user profile
• #34850 Avoid throwing exceptions when issuing reflection on user model
• #34855 Add conditional text to Installation Locations
• #34873 Update Leveraging JaKarta EE in Server Development guide
• #34880 Feature: Allow disabling XA enforcement introduced with v26 dist/quarkus
• #34882 Edits to Authorization Services guide
• #34894 Allow a DPoP Proof by considering a clock skew for smooth interoperability
• #34916 Addresse QE comments on Server Administration guide
• #34931 Upgrade to ISPN 15.0.11.Final
• #34990 Authorization Code Binding to a DPoP Key and DPoP with Pushed Authorization Requests oidc
• #35003 Expose templateName in attributes when rendering freemarker templates login/ui
• #35077 Upgrade to Quarkus 3.15.2 dist/quarkus
• #35080 Prefer usage of StandardCharsets.UTF_8 over "UTF-8" charset reference core
• #35103 [LoginUI] Set HTML lang attribute to "en" when internationalization disabled account/ui
• #35180 Improve test method signature and gather more info about assertions testsuite
• #35192 Resolve scopes from authenticated client sessions when selecting attributes
• #35225 Allow configuring retries for JavaScript tests using environment variable ci
• #35243 Allow asking for additional scopes when querying the account console root URL
• #35252 Add WHY issues are important for each PR no matter how small to CONTRIBUTING.md docs
• #35254 CONTRIBUTING.md has confusing ordered list with two times point 5
• #35331 Updated tested PostgreSQL version to 17
• #35333 Updated tested MariaDB version to 11.4
• #35335 Updated tested MySQL version to 8.4
• #35402 Consistent use of log.debugf to avoid generating too much GC overhead
• #35415 Add a page with an index that links to smaller pages (JVM, HTTP, Database, embedded caches, external Infinispan) - we can show example widgets from the dashboards later
• #35419 OTEL: Enhance traces with spans for each RestEASY resource
• #35425 OTEL: Show spans in transaction completion at the end of a request
• #35430 OTEL: Group persistent session work activities in parent span or link them
• #35457 Avoid creating ObjectMapper but using JsonSerialization utility class when managing event details
• #35478 Add password validation to update-password
• #35506 Support for multiple values of some parameters in the grant SPI oidc
• #35573 Update the Enabling Keycloak Event Metrics guide with the list of possible events and errors
• #35588 Update release notes for Keycloak 26.1.0 with new community additions docs
• #35598 [Operator] Network Policy Rules operator
• #35604 Removing unnecessary configuration from auth servers
• #35640 Update the sizing guide with an indicator on which user events to use
• #35676 Reduce debounce time in RealmSelector
• #35714 Replace `uuid` module with `crypto.randomUUID()`
• #35758 Set the LDAP connection pooling protocols by default to plain and tls
• #35775 Document the performance numbers from the ARM based ROSA cluster runs
• #35807 Add a test that the metrics listed in the docs are available from Keycloak (keep it simple, ignore metrics that don't show up right after the start)
• #35834 Use MeterProvider as suggested by the Micrometer team to avoid GC overhead
• #35852 Enable LDAP Connection pooling by default
• #35856 Release note about node.js adapter and javascript adapter released independently of keycloak server docs
• #35859 Update upgrading notes with the changes related to core clients docs
• #35939 Rescue dutch translations from aborted Weblate PR
• #36015 Update the CA translation translations
• #36039 Tune caching guide list of stacks for the upcoming release
• #36047 Align realm name placeholder in the docs docs
• #36048 Add metric for number of password validations
• #36059 OTEL: Add tracing for credential validation
• #36079 Suggestion: Improve Regex for NPM Version Conversion in set-version.sh ci
• #36087 Allow tracing packets sent to and from LDAP for troubleshooting purposes
• #36211 Help texts in the admin UI should end with a dot admin/ui
• #36263 OTEL: merge Operator tracing test cases
• #36388 Rename `org.keycloak.test.framework` package to `org.keycloak.testframework` test-framework
• #36389 Rename `org.keycloak.test` package to `org.keycloak.tests` test-framework
• #36425 Make @EnableFeature to handle the case with added provider of currently non-used SPI testsuite
• #36442 Prepare a new guide for Keycloak's own metrics in the observability guide

Bugs

• #8935 keycloak.js example from the documentation leads to error path adapter/javascript
• #10233 Locale Setting for Update Password Mail admin/api
• #10417 Race when creating client protocol mappers (ClientManager#enableServiceAccount) resulting in duplicate entries storage
• #11008 Incorrect get the members of a group imported from LDAP ldap
• #12309 IllegalArgumentException on canceled Account Linking oidc
• #12919 Step-up authentication with existing cookie not working when using `Authentication Flow Overrides` per client authentication
• #14562 Broken Promise implementation for AuthZ JS adapter/javascript
• #15058 Backchannel Logout silently not sent, if Frontchannel Logout is enabled as well oidc
• #15635 oidc - JavaScript-Adapter LocalStorage#clearExpired does not clear all possible items adapter/javascript
• #16451 Documentation - Expand/Clarify Admin REST API User Search Functionality admin/api
• #17233 the InfoPage after an ExecuteActionsEmail is not localized based on the user's locale authentication
• #17433 robots.txt causes indexing authentication/webauthn
• #17593 Incorrect ldap-group-mapper chosen to sync changes to ActiveDirectory when several mappers with varying group paths used ldap
• #19101 Uncaught (in promise): QuotaExceededError adapter/javascript
• #19358 Issue with concurrent user & group delete, unable to cleanup resource server user-policy & group-policy authorization-services
• #19652 Members are inhereted from LDAP group with the same name ldap
• #20287 When using `oidcProvider` config url (.well-known) it's not possible to use `silentCheckSsoRedirectUri` adapter/javascript
• #23732 JavascriptAdapterTest errors when running with strict cookies on Firefox ci
• #24493 Broken (read-only) database connections not getting removed from connection pool, keycloak claims to be healthy. storage
• #25085 Inconsistent TypeScript definitions in the module @keycloak/keycloak-admin-client while compiling admin/client-js
• #25675 Workflow error: Base IT - RefreshTokenTest#refreshTokenWithDifferentIssuer testsuite
• #25917 Allow increasing wait time on each failure after the max number of failures is reached authentication
• #27378 update brute force docs to reflect available lockouts modes (temporary / permanent / mixed) authentication
• #27856 Social login - Stack Overflow test fails ci
• #28241 NPE on External OIDC to Internal Token Exchange when Transient Users feature is enabled token-exchange
• #28328 Declining terms and conditions in account-console results in error account/ui
• #28978 some GUI validation check missing admin/ui
• #29289 Flaky test: org.keycloak.testsuite.admin.concurrency.ConcurrencyTest#createRemoveClient ci
• #29290 Flaky test: org.keycloak.testsuite.admin.concurrency.ConcurrencyTest#createClient ci
• #30037 Unstable test KerberosStandaloneCrossRealmTrustTest.test03SpnegoLoginWithCorrectKerberosPrincipalRealm ci
• #30204 When the Delete Credential required action is set to false an authentication application cannot be removed from the account UI core
• #30364 Make sure it is not possible to run snapshot server against production DB by default core
• #30453 Event type not set in reset-credential flow under some conditions resulting in an error page authentication
• #30631 Upgrade to 25 throws: Statement violates GTID consistency core
• #30832 Organization API not available from OpenAPI documentation admin/api
• #30994 Workflow failure: WebAuthn IT (firefox) - WebAuthnSigningInTest:navigateBeforeTest ci
• #31091 Flaky test: org.keycloak.testsuite.admin.concurrency.ConcurrencyTest#testAllConcurrently ci
• #31180 token exchange: exchange-sequence still fails with `Client session for client '..' not present in user session` when starting on public client token-exchange
• #31359 Offline sessions are not removed from admin console after sign out all active sessions core
• #31415 Selection list does not close after outside click admin/ui
• #31456 Enabling/Disabling user does not work with Microsoft AD LDAP via Admin API/UI ldap
• #31469 Show account page before login core
• #31492 Misleading docs and functionality around cache-ispn.xml dist/quarkus
• #31638 Error when non-admin user accesses admin console admin/fine-grained-permissions
• #31724 Logout not working after removing Identity Provider of user identity-brokering
• #31727 KC doesn’t enforce uniqueness of aliases in Authentication flows, but uses them as identifiers (in config export) authentication
• #31835 Windows builds fail too often due to problems with the download of Node ci
• #31848 Repeated email verifications while logging in through IDP caused by email case sensitivity authentication
• #32143 UserId too long to add Security Key WebauthN authentication/webauthn
• #32266 LDAP Import: KERBEROS_PRINCIPAL not updated when UserPrincipal changes and user already exists ldap
• #32270 High CPU usage on logout when using remote Infinispan only setup infinispan
• #32348 none of the enabled features are shown as such in the admin console docs
• #32356 creating short admin password in BCFIPS approved mode gives "Internal server error" page core
• #32462 "Cookie not found" in multi-step auth flows / mobile browsers core
• #32476 Flaky test: org.keycloak.testsuite.forms.LoginTest#loginAgainWithoutRememberMe ci
• #32550 Flaky test: org.keycloak.testsuite.forms.LoginTest#loginMissingUsername ci
• #32610 addExecutionFlow endpoint does not return right ID admin/api
• #32617 Nightly Cypress tests for the Admin Console are failing on Firefox admin/ui
• #32648 RP-Initiated logout using `POST` method fails in cross-origin setup oidc
• #32650 Requesting `offline_access` without an established session results in two sessions oidc
• #32658 Authentication sessions do not handle concurrent writes core
• #32676 Flaky test: org.keycloak.testsuite.forms.BrowserButtonsTest#appInitiatedRegistrationWithBackButton ci
• #32677 Flaky test: org.keycloak.testsuite.forms.LoginTest#loginWithRememberMe ci
• #32767 Flaky test: org.keycloak.testsuite.forms.LoginTest#loginRememberMeExpiredMaxLifespan ci
• #32786 Organization Domain not marked as a required field in the Admin UI admin/ui
• #32801 Requested `grant_types` inconsistent with created `grant_types` for OpenID Connect Dynamic Client Registration oidc
• #32844 Login V2: Missing "dir" attributes login/ui
• #32847 Admin UI defaults to master realm even without permissions to it admin/ui
• #32901 Consider Replacing Monaco Editor or Bundling Resources Locally to Avoid CSP Conflicts admin/ui
• #32962 Possible issue with unavailable CryptoIntegration when using keycloak-authz-client with private_key_jwt and ECDSA algorithm oidc
• #32992 Role descriptions do not wrap in the UI admin/ui
• #33020 Incorrect Disclosure Handling in SdJwtVP.of(String) Method oid4vc
• #33071 RESTART_AUTHENTICATION_ERROR in Iphone devices (using safari and chrome browser) oidc
• #33072 Passkeys: Infinite (re-)loading loop on browsers with WebAuthn Conditional UI disabled authentication/webauthn
• #33125 Duplicate principals not allowed in keystore authentication
• #33132 Flaky test: org.keycloak.testsuite.forms.LoginTest#loginWithEmailUserAndRememberMe ci
• #33195 Any one Client role mapping to user/group generating two events on admin events tab. core
• #33232 400 error logged as 500 identity-brokering
• #33282 Icons for social providers broken in login screen if the provider is created with non-default alias admin/ui
• #33309 Admin UI e is undefined if required action recreated with own alias admin/ui
• #33349 Double scroll bar due to warning banner admin/ui
• #33352 Wrong translation issues in greek translation translations
• #33404 Permission cannot be evaluated when only role and client are provided authorization-services
• #33408 Link to existing account form: IDP Alias displayed instead of IDP Display Name login/ui
• #33435 404 in admin console when unlinking managed user from organizations admin/ui
• #33505 Flaky test: org.keycloak.testsuite.forms.LevelOfAssuranceFlowTest#testWithOTPAndRecoveryCodesAtLevel2 ci
• #33513 Can get authorization code on a non verified user with some specific kc_action (AIA) oidc
• #33531 Previously entered translations should persist in the translation dialog for the attribute groups admin/ui
• #33539 Keycloak In Docker: ERROR: Strict hostname resolution configured but no hostname setting provided docs
• #33549 Flaky test: org.keycloak.testsuite.broker.KcOidcBrokerTest#testPostBrokerLoginFlowWithOTP_bruteForceEnabled ci
• #33557 Unable to submit forms in Safari account/ui
• #33576 Broken links / anchors after KC26 release docs
• #33578 In imported realms, the ability to use environment variables has disappeared import-export
• #33585 Fix runaway asterisk formatting in TLS documentation docs
• #33596 Cleanup how static state is set for import / export dist/quarkus
• #33599 Upgrade Selenium testsuite
• #33603 Repeated "to a" in the help text for the "User Attribute" mapper admin/ui
• #33607 Fix v2 login layout login/ui
• #33614 Client Secret Required Bug When Using "JWT Signed with Private Key" for (Keycloak/) OpenID Connect Provider admin/ui
• #33618 No message for `policyGroupsHelp` admin/ui
• #33627 ClassNotFoundException OracleXADataSource/OracleDataSource using IDELauncher with Keycloak 26.0.0 dist/quarkus
• #33638 Non-optimized start command gives erroneous warnings for runtime spi options dist/quarkus
• #33640 Customizable footer (Keycloak 26) not displaying in keycloak.v2 login theme login/ui
• #33642 RTL not working on keycloak.v2 login template login/ui
• #33649 Validation of http truststore or keystore file masks if the file exists dist/quarkus
• #33653 Test "Duplicate Group" unstable in Admin UI / job is failing admin/ui
• #33699 Failure to redirect to organization IdP when the organization scope is included organizations
• #33729 Not possible to configure custom client authenticator in Admin UI authentication
• #33731 Client Scope updates are not replicated on a distributed keycloak setup in kubernetes admin/api
• #33734 Client Policy throws "Invalid Redirect Uri" if Standard Flow is disabled oidc
• #33735 Organizations section is shown in account console if organizations is not enabled for a realm. account/ui
• #33767 Aurora IT tests failing periodically with download of node ci
• #33775 Admin client returns HTTP code `400 Bad Request` when using x509 certificate admin/client-java
• #33776 [Regression] 26.0.0 return empty "access: []" JWT for Docker-v2 Auth provider, resulting in "access denied" authentication
• #33777 Error when adding or removing a user from an organisation when there are 2 or more Keycloak servers in a cluster organizations
• #33780 Upgrade to 26 fails with 'ERROR: index "idx_us_sess_id_on_cl_sess" does not exist' core
• #33793 FOUC in Firefox on login UI login/ui
• #33798 CVE-2021-44549 - org.eclipse.angus/angus-mail: Enabling Secure Server Identity Checks for Safer SMTPS Communication dist/quarkus
• #33810 Stabilise my-resources.spec test account/ui
• #33814 NPE when device representation cannot be parsed authentication
• #33817 NEP when Default Role is not present on CachedRealm infinispan
• #33820 client-jwt ES256 error when doing CODE_TO_TOKEN oidc
• #33844 Wrong documentation link in keycloak-js readme docs
• #33874 [Keycloak CI] - AuroraDB IT - Error creating EC2 runner instance
• #33875 [Keycloak CI] - FIPS IT - Failed to fetch maven
• #33883 Auth not possible for auth session where user was enabled in the meantime authentication
• #33902 Not persisted config settings prevent server start dist/quarkus
• #33907 NPE thrown in whoami endpoint admin/ui
• #33933 Recovery authentication codes are numbered inconsistently login/ui
• #33940 ResetPasswordTest.resetPasswordExpiredCode Error -> AbstractKeycloakTest.deleteAllCookiesForRealm:297 core
• #33941 Cannot install latest version (26.0.0) of the adapter using Galleon adapter/jee
• #33948 [PERF] OpenTelemetry is initialized even when disabled
• #33967 password is a required field admin/ui
• #33968 Not possible to close dialog boxes when clicking buttons or the close icon admin/ui
• #33970 Windows kc.bat handling of serveral parameter types is not correct dist/quarkus
• #33987 keycloak.v2 registration: Password policy validation error "errorList is null" login/ui
• #33991 Doc CI - broken links error docs
• #34000 Handle removal of online session for the directGrant and clientCredentials
• #34001 Handle removal of online session for authorization_code when `scope=offline_access`is used oidc
• #34009 grammatical error in "Managing Organizations" documentation docs
• #34013 Add More Info to Organization Events organizations
• #34015 Home URL for security-admin-console is broken admin/ui
• #34017 [Admin UI] Broken autocomplete input on the "Create resource-based permission" form admin/ui
• #34023 Flaky Test ResetPasswordTest.resetPasswordLoggedUser:188->openResetPasswordUrlAndDoFlow:252 testsuite
• #34028 Custom keycloak login theme styles.css return error 404 login/ui
• #34041 [Windows] Wrong expansion of ${kc.home.dir} causes NoSuchFile exception dist/quarkus
• #34042 LDAP Pagination not working for role membership in GET_ROLES_FROM_USER_MEMBEROF_ATTRIBUTE strategy ldap
• #34049 Org Invite: `linkExpiration` template variable represents 54 years in minutes organizations
• #34050 Listing federated LDAP users is very slow with import enabled ldap
• #34054 Onclick focus issue in the Username field of Clients / / Client Scopes / Evaluate admin/ui
• #34063 Respect the locale set to a user when redering verify email pages user-profile
• #34065 Users without `view-realm` can't see user lockout state in Admin UI admin/ui
• #34069 Do not show domain match message in the identity-first login when no login hint is provided organizations
• #34072 The Realm Selection Dropdown Breaks After 50 Realms In Database admin/ui
• #34075 Flaky test: org.keycloak.testsuite.broker.KcOidcBrokerTest#testPostBrokerLoginFlowWithOTP_bruteForceEnabled ci
• #34093 java.util.ConcurrentModificationException when process user sessions update infinispan
• #34095 Keycloak 26.0.0/26.0.1 Import Issue: Multiple Realms Not Imported, Duplicated Realm Imported Instead import-export
• #34149 Group select dialog: Subgroups not displayed initially due to pagination admin/ui
• #34151 JS password validation doesn't work as intended with uppercase and lowercase minimum requirements login/ui
• #34155 cli options starting or ending with ; or containing ;; mangle the cli handling dist/quarkus
• #34176 Grant type "urn:ietf:params:oauth:grant-type:uma-ticket" token service endpoint returns NullPointerException authorization-services
• #34201 OIDC IdP Unable to validate signatures using validatingPublicKey certificate admin/ui
• #34207 logout with client_id and/or post_logout_redirect_uri results in bad request on logout confirmation page oidc
• #34224 Deleting a user leads to ISPN marshalling exception
• #34229 Group search in user view doesn't work as expected for nested groups admin/ui
• #34233 Service accounts visible under user search in Admin console admin/api
• #34257 Docs: Dead link docs
• #34273 Flaky Test: BrowserFlowTest.testAlternativeNonInteractiveExecutorInSubflow() testsuite
• #34276 PEM files distributed as part of SAML adapter configs are missing -----BEGIN and -----END blocks saml
• #34298 NullPointerException in ConditionalOtpFormAuthenticator.java authentication
• #34301 Remove inaccurate statement about master realm imports docs
• #34304 Fix DB overflow for EVENT_ENTITY table and SESSION_ID column in case that incorrect data are sent core
• #34335 NPE in Organization(s)Resource when using Quarkus Rest Client admin/api
• #34352 ParEndpoint#request corrupts values added in request object oidc
• #34356 Admin UI doesn't show realms when using login through identity provider admin/fine-grained-permissions
• #34401 Incorrect Content-Type Expectation for POST /admin/realms/{realm}/organizations/{id}/members in Keycloak API admin/api
• #34402 [Keycloak 26.0.2] Getting "Forbidden, permission needed: query-clients" as temp-admin admin/ui
• #34412 LDAP: searching users with import disabled is slower since fix for 34050 ldap
• #34432 Flaky test: org.keycloak.testsuite.broker.KcSamlBrokerTest#testPostBrokerLoginFlowWithOTP_bruteForceEnabled ci
• #34440 [Trivy] - Workflow failure ci
• #34444 NullPointerException in RoleResolveUtil when admin-cli uses lightweight token admin/cli
• #34450 [26.0.2] Migration from 25.0.1 Identity Provider Errors identity-brokering
• #34460 kc.config.args exposed in show-config dist/quarkus
• #34465 Missing help icons in Webauthn Policy and Webauthn Passwordless Policy missing in admin ui admin/ui
• #34467 Do not rely on the `pwdLastSet` attribute when updating AD entries ldap
• #34474 Flaky test: org.keycloak.testsuite.broker.KcOidcBrokerTest#testPostBrokerLoginFlowWithOTP_bruteForceEnabled ci
• #34508 Username and password should be optional for multi-site deployment infinispan
• #34519 Clicking on link to Keycloak documentation from Keycloak admin UI does nothing instead of opening documentation admin/ui
• #34530 Flaky test: org.keycloak.testsuite.actions.TermsAndConditionsTest#termsDeclined ci
• #34540 Renaming realm in UI broken admin/api
• #34547 Non compliant OpenID Client Authentication when `client_secret_jwt` with PAR (Pushed Authorization Requests) oidc
• #34549 Quarkus dev mode does not work dist/quarkus
• #34558 Flaky test: org.keycloak.testsuite.forms.ResetPasswordTest#resetPasswordLinkTestAppWithoutRedirectUriParam ci
• #34560 Switching 'Email as Username' alters existing custom usernames to email addresses, causing LDAP sync issues core
• #34572 Text in "Choose a policy type" is not wrapping admin/ui
• #34590 Attributes missing in OrganizationRepresentation when using Admin REST API in Keycloak 26 admin/api
• #34592 Flaky test: org.keycloak.testsuite.broker.KcOidcBrokerTest#testPostBrokerLoginFlowWithOTP_bruteForceEnabled ci
• #34602 Rework global event listener for metrics core
• #34603 NPE in InfinispanOrganizationProvider if userCache is disabled infinispan
• #34605 Error on testsuite "group_test" on Cypress admin/ui
• #34611 AdminEventQueryTest test fails after adding global event listener core
• #34614 Remove duplicate lines in userprofile freemarker template login/ui
• #34616 Fix typo in log message account/ui
• #34624 Securing apps guide breaks downstream docs
• #34634 Missing downstream explicit name for anchors docs
• #34635 Feature in higher version takes precedence even if it has lower type order
• #34636 Client Protocol Mappers with non UUID ids cannot be edited admin/ui
• #34644 KC_CACHE_EMBEDDED_MTLS_ENABLED is ignored infinispan
• #34652 Continuous reload when KC_AUTH_SESSION_HASH expires authentication
• #34671 `ClientConnection.getRemoteAddr` can return a hostname when behind a reverse proxy core
• #34675 Keys tab showing disabled and inactive keys as active admin/ui
• #34678 [Admin UI] [Create resource-based permission] Resource input is disabled admin/ui
• #34687 New credential templates broken in KC26 login/ui
• #34750 calling openid-connect/auth with previous version valid cookies generate internal server error authorization-services
• #34769 Invalid flag for addDefaultRequiredActions infinispan
• #34776 GroupMappersTest test fails in keycloak-client core
• #34794 CVE-2024-10973 - Cleartext Transmission of Sensitive Information in org.keycloak:keycloak-quarkus-server
• #34811 AdminUI: Alphabetically sort "Event saved type" in the events listing admin/ui
• #34817 Log handler specific log levels support only lower-case levels dist/quarkus
• #34818 Liquibase outputs update summary directly to standard out dist/quarkus
• #34824 [Keycloak CI] - Base IT - KerberosLdapCrossRealmTrustTest.test03SpnegoLoginUsernamePassword ldap
• #34832 [Jenkins Keycloak CI] - Cookies Tests - KcOidcBrokerPrivateKeyJwtCustomAudienceTest ci
• #34834 [Jenkins Keycloak CI] - Cookies Tests - KcSamlBrokerTest
• #34835 [Jenkins Keycloak CI] - Cookies Tests - KcOidcBrokerLdapTest ci
• #34842 Keycloak needs to return "invalid_request" from Token Endpoint if a token or refresh request lacks DPOP proof oidc
• #34844 [Keycloak CI] - Quarkus IT - StartCommandDistTest and BuildAndStartDistTest dist/quarkus
• #34853 [Jenkins Keycloak CI] - Adapter Cookies Tests - Failures with Firefox strict cookies ci
• #34858 Deprecated CLI options and new options are not stable in their sorting dist/quarkus
• #34864 On logout from admin console, a serverinfo call with 401 response in the logs admin/ui
• #34875 Clients invalidated on each client credential grant core
• #34876 Incomplete registration form when edit email is disabled and email is set as username user-profile
• #34888 Authentication Link and IDP Fails with 400 Bad Request After Migrating to Version 26 and Delete Authentification authentication
• #34899 Upgrade 24 to 25 fails because db jpa changes drop nonexisting indexes. core
• #34905 [Keycloak CI] Outdated surefire artifacts names - Quarkus IT and UT ci
• #34930 Update Email doesn't update username when Email as Username and Attributes are enabled user-profile
• #34944 Adding "sub" claim to lightweight access token causes HTTP 403 Forbidden Error in Keycloak 26.0.5 oidc
• #34968 Unable to scroll/swipe through the main menu on macOS admin/ui
• #34973 ES256 key continue to be used to sign token even after expiry oidc
• #34975 getAll() organization members only returns the first 10 members organizations
• #34987 KC25 Migration guide for caching options needs clarification
• #34995 MySQL database migration issue core
• #35006 Mis-formatted unordered list in the caching docs
• #35015 Flaky test: org.keycloak.testsuite.model.session.AuthenticationSessionTest#testConcurrentAuthenticationSessionsRemoval ci
• #35047 PersistentSessionsWorker: retry with 0 backoff ms. core
• #35048 Filter events by user id and client not working admin/ui
• #35052 `organizationEnabled` and `verifiableCredentialsEnabled` attributes are present as attributes in an export
• #35060 Cannot request additional scopes when using the account console account/api
• #35068 Flaky test: org.keycloak.testsuite.broker.KcSamlBrokerTest#testPostBrokerLoginFlowWithOTP_bruteForceEnabled core
• #35087 Flaky test: org.keycloak.testsuite.model.session.AuthenticationSessionTest#testConcurrentAuthenticationSessionsCreation ci
• #35088 Flaky test: org.keycloak.testsuite.adapter.servlet.SAMLClockSkewAdapterTest#testTokenTimeIsValid ci
• #35213 CVE-2024-10451 Sensitive Data Exposure in Keycloak Build Process
• #35214 CVE-2024-10270 Potential Denial of Service
• #35215 CVE-2024-10492 Keycloak path trasversal
• #35216 CVE-2024-9666 Keycloak proxy header handling Denial-of-Service (DoS) vulnerability
• #35217 CVE-2024-10039 Bypassing mTLS validation
• #35219 Account UI E2E / `personal-info/personal-info.spec.ts` is unstable ci
• #35226 Typo www.recatcha.net -> www.recaptcha.net in docs docs
• #35229 Fix typo in v24 changelog: "longer" -> "no longer" docs
• #35232 reCAPTCHA v3 not working login/ui
• #35240 Links to guides in Observability section are still pointing to server section docs
• #35256 Typos in `.md` and `.adoc` files, detected using codespell and manual review docs
• #35273 Edit Help Mode descriptor for Roles in policy form admin/ui
• #35276 Your login attempt timed out authentication
• #35288 Upgrade 26.0.5 -> 26.0.6 completely breaks admin events in the admin UI admin/ui
• #35289 Maven clean shouldn't be skipped by default on Windows
• #35290 Database migration fails after upgrading operator to v26.0.6 core
• #35317 Token issuer is null in executeActionsEmail and sendVerifyEmail if no clientId is passed admin/api
• #35324 Strange Random behavior - Intermittent missing organization claim in Keycloak JWT token organizations
• #35328 Error when creating a permission ticket when there are 2 or more Keycloak servers in a cluster authorization-services
• #35340 Errors in persian and tukish translations in account translations
• #35352 Multiselect Checkboxes in user profile don't allow to unset value user-profile
• #35357 Resolve scopes from bearer tokens when processing requests to the Account API
• #35386 log-syslog-max-length is ignored dist/quarkus
• #35405 [Keycloak CI] - Quarkus UT (windows-latest) - Keycloak Quarkus Server Deployment ci
• #35410 SAML Adapter Galleon Pack for EAP8 cannot use new metadata options for layers adapter/saml
• #35414 Capitalization in Hungarian translation needs improvement translations
• #35416 Mis-formatted definition list of hashing algorithms
• #35421 Showing LDAP error message when failing to reset password ldap
• #35427 OTEL: OTelTracingProvider should be request-scoped dist/quarkus
• #35429 access token or refresh token will be reset when another is set admin/ui
• #35448 Flaky test: org.keycloak.testsuite.model.DBLockTest.testTwoLocksCurrently ci
• #35451 Update Infinispan examples in the High Availability guide docs
• #35475 Delete user confirm title is wrong admin/ui
• #35481 Events: Wrong text for user id search admin/ui
• #35483 Event Representation is not shown for Admin Events in UI admin/ui
• #35486 When using the token revocation endpoint with refresh-token, all sessions from the user+client are terminated oidc
• #35488 [Jekins Keycloak CI] - RH-SSO EAP adapters remote saml tests ci
• #35496 `QuarkusPropertiesDistTest` fails on Windows testsuite
• #35526 Initial keycloak bootstrap suggestion is not correct. dist/quarkus
• #35529 IPA-Tuura federation: password field shows password in plaintext core
• #35544 Upgrading guide 26.0.6 is missing in the built document docs
• #35550 JVM crash when running base testsuite test from command line using auth-server-quarkus-embedded dist/quarkus
• #35570 Invoking `BaseUpdater.markDeleted()` more than once cause the transient status to be lost infinispan
• #35591 Embedded test server fails when running from `mvn` dist/quarkus
• #35611 Code quote for http-enabled is incorrect, missing relevant option in reverse proxy documentation docs
• #35612 Fix broken Dependabot configuration
• #35634 Temporary password toggle in set password dialog is cut off in admin-console admin/ui
• #35637 Inconsistency when returning user attributes when executing a seach or fetching users by ID from external user storage providers ldap
• #35643 Improve sssd note about synchronization of groups docs
• #35664 realm_test.spec fails on firefox admin/ui
• #35675 New install doesn't allow admin user creation dist/quarkus
• #35704 token exchange response expires_in inconsistent behavior token-exchange
• #35706 Support for X-Forwarded-Prefix should not be implied docs
• #35723 POST create client with id exceed 36 characters length response status 500 instead of 403 admin/api
• #35732 Missing userId in LOGIN_ERROR event for permanent lockout authentication
• #35745 GET .../organizations/{id}/members/{id} multiple ids organizations
• #35760 Event for setting up recovery codes authentication
• #35766 Fix grammar in documentation page docs
• #35767 Typo in using custom Keycloak image for Operator guide docs
• #35770 Quarkus.properties should not use -cf or --config-file flag docs
• #35793 Update to KC 26.x from <26 fails if admin-cli client deleted core
• #35796 Keycloak incorrect usage of UserPolicy and cache. authorization-services
• #35802 Keycloak arquillian testsuite not working with the default profile testsuite
• #35813 Token revocation may not correctly revoke related access tokens
• #35822 Exact searches should be the default when querying user by attributes admin/api
• #35827 Regression Mysql 8 support as the upgrade script do not use temporary table storage
• #35830 Selected Organization not present in access_token of different client within same Realm if user belongs to multiple organization organizations
• #35854 Unused LDAP provider options are still exposed
• #35863 Selecting one role selects all admin/ui
• #35874 MapComponent UI Not Displaying Saved Values in Keycloak React Admin UI admin/ui
• #35876 Typo in username pt_BR translation in account console account/ui
• #35904 Failing since may be reported incorrectly on health probe dist/quarkus
• #35914 Map Configuration Property in Custom UserStorageProviderFactory Not Displayed in UI After Saving admin/ui
• #35935 Organization Scope mismatch organizations
• #35937 Duplicate entry in admin message properties admin/ui
• #35947 Broken links in getting-started guide pointing to quickstarts latest branch docs
• #35964 Flaky test: org.keycloak.testsuite.forms.BruteForceTest#testExceedMaxTemporaryLockouts ci
• #35971 Wrong content-type for content.json account/ui
• #36009 Unable to use custom handlers for HTTP OPTIONS method in subresources dist/quarkus
• #36012 Double submit on otp form causes error login/ui
• #36037 Translations specified in the admin console do not override the translations specified in a theme translations
• #36038 Flaky test: org.keycloak.testsuite.broker.KcOidcBrokerTokenExchangeTest#testInternalExternalTokenExchangeStoredToken ci
• #36053 IDPs can not be found anymore by "Issuer" value when exchanging tokens identity-brokering
• #36055 Unnecessary text in documentation docs
• #36061 NPE when Kerberos Server is unreachable core
• #36090 Incompatible method of admin-client in Keycloak 26.1 and missing javadoc admin/client-java
• #36117 max-count for session caches is not set by default for local Infinispan config dist/quarkus
• #36121 Issue with "403 Forbidden" Access /admin/realms/{realm}/authentication/executions/{executionId} admin/api
• #36168 Fix invalid url in keycloak.js log message adapter/javascript
• #36172 "Remove role" alert text is wrong admin/ui
• #36241 Profile attribute inputs incorrectly marked as required when minimum length is configured admin/ui
• #36249 Error when re-authenticating when organization is enabled organizations
• #36297 PasswordAgePolicy triggering NullPointerException when credentail does not have createdDate core
• #36301 KeycloakServer application not working anymore testsuite
• #36332 PersistentSessionsWorker: Cannot access delegate without a transaction ldap
• #36347 Roll-back change to startup timeout operator
• #36375 [Keycloak CI] - Bse IT/Store IT - IdentityProviderTest ci
• #36394 CVE-2024-11736 Unrestricted admin use of system and environment variables
• #36395 CVE-2024-11734 Denial of Service in Keycloak Server via Security Headers
• #36401 Metric `vendor_jgroups_*` is unstable and can change in upcoming releases infinispan
• #36410 When running Keycloak in testutils with Undertow, the admin UI thows NoMessageBodyWriterFoundFailure admin/ui
• #36432 Too much space around "Forgot Password" button (keycloak.v2) login/ui