keycloak · ahus1 · Jul 16, 2025 · Jul 14, 2025 · Jul 14, 2025
@@ -51,7 +51,7 @@ Supported password hashing algorithms are shown in the following table.
 It is highly recommended to use Argon2 when possible as it has significantly less CPU requirements compared to PBKDF2, while
 at the same time being more secure.
 
-The default password hashing algorithm for the server can be configured with `--spi-password-hashing--provider-default=<algorithm>`.
+The default password hashing algorithm for the server can be configured with `+--spi-password-hashing--provider-default=<algorithm>+`.
 
 To prevent excessive memory and CPU usage, the parallel computation of hashes by Argon2 is by default limited to the number of cores available to the JVM.
 To configure the Argon2 hashing provider, use its provider options.
@@ -141,14 +141,14 @@ Password must not be in a blacklist file.
 * The value of the blacklist file must be the name of the blacklist file, for example, `100k_passwords.txt`.
 * Blacklist files resolve against `+${kc.home.dir}/data/password-blacklists/+` by default. Customize this path using:
 ** The `keycloak.password.blacklists.path` system property.
-** The `blacklistsPath` property of the `passwordBlacklist` policy SPI configuration. To configure the blacklist folder using the CLI, use `--spi-password-policy--password-blacklist--blacklists-path=/path/to/blacklistsFolder`.
+** The `blacklistsPath` property of the `passwordBlacklist` policy SPI configuration. To configure the blacklist folder using the CLI, use `+--spi-password-policy--password-blacklist--blacklists-path=/path/to/blacklistsFolder+`.
 
 .A note about False Positives
 
 The current implementation uses a BloomFilter for fast and memory efficient containment checks, such as whether a given password is contained in a blacklist, with the possibility for false positives.
 
 * By default a false positive probability of `0.01%` is used.
-* To change the false positive probability by CLI configuration, use `--spi-password-policy--password-blacklist--false-positive-probability=0.00001`.
+* To change the false positive probability by CLI configuration, use `+--spi-password-policy--password-blacklist--false-positive-probability=0.00001+`.
 
 [[maximum-authentication-age]]
 ===== Maximum Authentication Age

@@ -1,4 +1,4 @@
- 
+
 === Auditing admin events
 
 You can record all actions that are performed by an administrator in the Admin Console. The Admin Console performs administrative actions by invoking the {project_name} REST interface and {project_name} audits these REST invocations. You can view the resulting events in the Admin Console.
@@ -35,9 +35,9 @@ You can now view admin events.
 .Admin events
 image:images/admin-events.png[Admin events]
 
-When the `Include Representation` switch is ON, it can lead to storing a lot of information in the database. You can set a maximum length of the representation by using the `--spi-events-store--jpa--max-field-length` argument. This setting is useful if you want to adhere to the underlying storage limitation. For example:
+When the `Include Representation` switch is ON, it can lead to storing a lot of information in the database. You can set a maximum length of the representation by using the `+--spi-events-store--jpa--max-field-length+` argument. This setting is useful if you want to adhere to the underlying storage limitation. For example:
 
 [source,bash]
 ----
 kc.[sh|bat] --spi-events-store--jpa--max-field-length=2500
-----
+----
@@ -226,7 +226,7 @@ To enable the Email Listener:
 .Event listeners
 image:images/event-listeners.png[Event listeners]
 
-You can exclude events by using the `--spi-events-listener--email--exclude-events` argument. For example:
+You can exclude events by using the `+--spi-events-listener--email--exclude-events+` argument. For example:
 
 [source,bash]
 ----

@@ -14,14 +14,14 @@ If you have a parent group and a child group, and a user that belongs only to th
 
 The hierarchy of a group is sometimes represented using the group path. The path is the complete list of names that represents the hierarchy of a specific group, from top to bottom and separated by slashes `/` (similar to files in a File System). For example a path can be `/top/level1/level2` which means that `top` is a top level group and is parent of `level1`, which in turn is parent of `level2`. This path represents unambiguously the hierarchy for the group `level2`.
 
-Because of historical reasons {project_name}, does not escape slashes in the group name itself. Therefore a group named `level1/group` under `top` uses the path `/top/level1/group`, which is misleading. {project_name} can be started with the option `--spi-group--jpa--escape-slashes-in-group-path` to `true` and then the slashes in the name are escaped with the character `~`. The escape char marks that the slash is part of the name and has no hierarchical meaning. The previous path example would be `/top/level1~/group` when escaped.
+Because of historical reasons {project_name}, does not escape slashes in the group name itself. Therefore a group named `level1/group` under `top` uses the path `/top/level1/group`, which is misleading. {project_name} can be started with the option `+--spi-group--jpa--escape-slashes-in-group-path+` to `true` and then the slashes in the name are escaped with the character `~`. The escape char marks that the slash is part of the name and has no hierarchical meaning. The previous path example would be `/top/level1~/group` when escaped.
 
 [source,bash]
 ----
 bin/kc.[sh|bat] start --spi-group--jpa--escape-slashes-in-group-path=true
 ----
 
-The following example includes a top-level *Sales* group and a child *North America* subgroup.  
+The following example includes a top-level *Sales* group and a child *North America* subgroup.
 
 To add a group:
 

@@ -129,7 +129,7 @@ To resolve this ambiguity, and any potential ambiguity involving SPI and provide
 
 An SPI property ending in `-enabled`, `-provider-default`, or `-provider` should use the new format or else a warning will be emitted. For example `spi-<spi-name>--<provider-name>--enabled` will be recognized as a build-time option without a warning.
 
-For instance, the correct way to reference your custom email template is: `--spi-email-template--mycustomprovider--enabled` (not `--spi-email-template-mycustomprovider-enabled`).
+For instance, the correct way to reference your custom email template is: `+--spi-email-template--mycustomprovider--enabled+` (not `+--spi-email-template-mycustomprovider-enabled+`).
 
 Options using the legacy format and ending in `-enabled`, `-provider-default`, or `-provider` will still be treated as a build-time option, but may not be in future releases.
 

@@ -61,7 +61,7 @@ The Typescript code `ConsentScopeRepresentation` for the Account Console already
 
 === Lifetime of offline session caches
 
-The options `--spi-user-sessions--infinispan--offline-session-cache-entry-lifespan-override` and `spi-user-sessions--infinispan--offline-client-session-cache-entry-lifespan-override` are now deprecated for removal.
+The options `+--spi-user-sessions--infinispan--offline-session-cache-entry-lifespan-override+` and `+--spi-user-sessions--infinispan--offline-client-session-cache-entry-lifespan-override+` are now deprecated for removal.
 
 Instead use the options `cache-embedded-offline-sessions-max-count` and `cache-embedded-offline-client-sessions-max-count` to limit the memory usage if the default of 10000 cache offline user and client sessions does not work in your scenario.