Releases: keycloak/keycloak
nightly
Run account console resource tests in parallel (#43316) Closes #43315 Signed-off-by: Jon Koops <jonkoops@gmail.com>
26.4.0
Highlights
This release features new capabilities focused on security enhancements, deeper integration, and improved server administration. The highlights of this release are:
- Passkeys for seamless, passwordless authentication of users.
- Federated Client Authentication to use SPIFFE or Kubernetes service account tokens for client authentication.
- Simplified deployments across multiple availability zones to boost availability.
- FAPI 2 Final: Keycloak now supports the final specifications of FAPI 2.0 Security Profile and FAPI 2.0 Message Signing.
- DPoP: The OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP) is now fully supported. Improvements include the ability to bind only refresh tokens for public clients, and securing all Keycloak endpoints with DPoP tokens.
Read on to learn more about each new feature. If you are upgrading from a previous release, review also the changes listed in the upgrading guide.
Security and Standards
Passkeys integration (supported)
Passkeys are now seamlessly integrated in the Keycloak login forms using both conditional and modal UIs. To activate the integration in the realm, go to Authentication, Policies, Webauthn Passwordless Policy and switch Enable Passkeys to enabled.
For more information, see Passkeys.
FAPI 2 Final (supported)
Keycloak has support for the latest versions of FAPI 2 specifications. Specifications FAPI 2.0 Security Profile and FAPI 2.0 Message Signing are already promoted to Final and Keycloak supports them. Keycloak client policies support the final versions and corresponding client profiles for FAPI 2 are passing the FAPI conformance test suite.
Apart from some very minor polishing of existing policies, Keycloak has new client profiles (`fapi-2-dpop-security-profile` and `fapi-2-dpop-message-signing`) for the clients that use DPoP and are intended to be FAPI 2 compliant.
Thank you to Takashi Norimatsu for contributing this.
For more details, see the Securing applications Guides.
DPoP (supported)
Keycloak now fully supports OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP), which had been a preview feature since Keycloak 23. The supported version also includes the following improvements and minor capabilities:
- Possibility to make only the refresh tokens of a public client DPoP bound and omit the binding of the access token.
- All Keycloak endpoints that are secured by a bearer token can now handle DPoP tokens. This includes, for example, the Admin REST API and Account REST API.
- Possibility to require the `dpop_jkt` parameter in the OIDC authentication request.
Thanks to Takashi Norimatsu and Dmitry Telegin for their contributions to the DPoP feature.
For more information, see the DPoP section in the documentation.
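What it means for an endpoint to "handle DPoP tokens" is easy to get wrong, so the following added example (not Keycloak's code) walks through the binding checks a resource server performs after the DPoP proof's JWS signature has been verified with the embedded `jwk`: the `typ`, `htm`, `htu`, `iat`, `jti` and `ath` checks from RFC 9449, and the comparison of the proof key's RFC 7638 thumbprint with the token's `cnf.jkt`. The same thumbprint is what a client sends as `dpop_jkt` in the authorization request so the token endpoint can tie the code to the key. The JWK coordinates, access token, URLs and acceptance window are constructed assumptions; signature verification is left to a JOSE library and is not shown.

```python
"""Binding checks for DPoP (RFC 9449) at a resource server, plus dpop_jkt.

Added example; this is not Keycloak's implementation. Assumes the proof's
JWS signature was already verified with header["jwk"] by a JOSE library.
JWK coordinates, token and URLs below are constructed, not real.
"""
import base64
import hashlib
import json
import time

DPOP_MAX_AGE_S = 300   # assumed acceptance window for `iat`; RFC 9449 leaves this to the server


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 of the required members only, lexically sorted, no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n"), "OKP": ("crv", "kty", "x")}
    canonical = json.dumps({k: jwk[k] for k in required[jwk["kty"]]}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def access_token_hash(access_token: str) -> str:
    """`ath` claim: base64url(SHA-256(ASCII(access token)))."""
    return b64url(hashlib.sha256(access_token.encode("ascii")).digest())


def strip_query_fragment(url: str) -> str:
    return url.split("?", 1)[0].split("#", 1)[0]


def verify_dpop_binding(header, claims, method, url, access_token, cnf_jkt, seen_jti, now=None):
    """Return (ok, reason). Precondition: JWS signature already verified with header["jwk"]."""
    now = time.time() if now is None else now
    if header.get("typ") != "dpop+jwt":
        return False, "typ must be dpop+jwt"
    jwk = header.get("jwk")
    if not isinstance(jwk, dict) or "d" in jwk:          # embedded key must be public only
        return False, "missing or private jwk"
    if claims.get("htm") != method:
        return False, "htm mismatch"
    if claims.get("htu") != strip_query_fragment(url):   # htu carries no query or fragment
        return False, "htu mismatch"
    iat = claims.get("iat")
    if not isinstance(iat, (int, float)) or abs(now - iat) > DPOP_MAX_AGE_S:
        return False, "iat outside acceptance window"
    jti = claims.get("jti")
    if not jti or jti in seen_jti:
        return False, "missing or replayed jti"
    if claims.get("ath") != access_token_hash(access_token):
        return False, "ath does not match presented access token"
    if jwk_thumbprint(jwk) != cnf_jkt:
        return False, "proof key does not match token cnf.jkt"
    seen_jti.add(jti)                                    # record only after every check passed
    return True, "ok"


def token_request_matches_dpop_jkt(authz_dpop_jkt: str, proof_header: dict) -> bool:
    """Token-endpoint check when the authorization request carried dpop_jkt."""
    return jwk_thumbprint(proof_header["jwk"]) == authz_dpop_jkt


# Constructed sample data: x/y are not a real curve point, the token is a placeholder.
CLIENT_JWK = {"kty": "EC", "crv": "P-256", "x": b64url(bytes(range(32))), "y": b64url(bytes(range(32, 64)))}
OTHER_JWK = {"kty": "EC", "crv": "P-256", "x": b64url(bytes(range(64, 96))), "y": b64url(bytes(range(96, 128)))}
ACCESS_TOKEN = "constructed.access.token"
RESOURCE_URL = "https://kc.example.com/admin/realms/demo/users?first=0&max=20"
NOW = 1_700_000_000


def sample_proof(jwk=CLIENT_JWK, jti="jti-0001", iat=NOW, htm="GET"):
    header = {"typ": "dpop+jwt", "alg": "ES256", "jwk": jwk}
    claims = {"jti": jti, "htm": htm, "htu": strip_query_fragment(RESOURCE_URL), "iat": iat,
              "ath": access_token_hash(ACCESS_TOKEN)}
    return header, claims


def demo():
    cnf_jkt = jwk_thumbprint(CLIENT_JWK)        # value the token endpoint put into cnf.jkt
    seen = set()
    checks = {}
    h, c = sample_proof()
    checks["valid"] = verify_dpop_binding(h, c, "GET", RESOURCE_URL, ACCESS_TOKEN, cnf_jkt, seen, NOW + 5)
    checks["replay"] = verify_dpop_binding(h, c, "GET", RESOURCE_URL, ACCESS_TOKEN, cnf_jkt, seen, NOW + 6)
    h, c = sample_proof(jti="jti-0002", htm="POST")
    checks["wrong_method"] = verify_dpop_binding(h, c, "GET", RESOURCE_URL, ACCESS_TOKEN, cnf_jkt, seen, NOW + 7)
    h, c = sample_proof(jti="jti-0003", iat=NOW - 3600)
    checks["stale"] = verify_dpop_binding(h, c, "GET", RESOURCE_URL, ACCESS_TOKEN, cnf_jkt, seen, NOW)
    h, c = sample_proof(jwk=OTHER_JWK, jti="jti-0004")   # stolen token presented with the attacker's key
    checks["wrong_key"] = verify_dpop_binding(h, c, "GET", RESOURCE_URL, ACCESS_TOKEN, cnf_jkt, seen, NOW)
    return checks


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:12s} ok={ok} reason={reason}")
```

The `wrong_key` case is the one DPoP exists for: a leaked DPoP-bound access token is useless without the private key, because the resource server compares the proof key's thumbprint with `cnf.jkt` rather than trusting the bearer string alone. Note that the `jti` replay set is recorded only after all checks pass and must be shared across nodes (or scoped by `iat` window) in a clustered deployment.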
FIPS 140-2 mode now supports EdDSA
With the upgrade to Bouncy Castle 2.1.x, the algorithm EdDSA can now be used.
Listing supported OAuth standards on one page
A new guide lists all implemented OpenID Connect related specifications. Thank you to Takashi Norimatsu for contributing this.
Integration
Federated client authentication (preview)
Identity providers are now able to federate client authentication. This allows clients to authenticate with SPIFFE JWT SVIDs, Kubernetes service account tokens, or tokens issued by an OpenID Connect identity provider.
This feature is currently preview, and expected to become supported in 26.5.
Automatic certificate management for SAML clients
SAML clients can now be configured to automatically download the signing and encryption certificates from the SP entity metadata descriptor endpoint. To use this new feature, in the client Settings tab, section Signature and Encryption, configure the Metadata descriptor URL option (the URL where the SP metadata with the certificates is published) and activate Use metadata descriptor URL. The certificates are automatically downloaded from that URL and cached in the `public-key-storage` SPI.
This also allows for seamless rotation of certificates.
For more information, see Creating a SAML client in the Server Administration Guide.
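The following added example (not Keycloak's `public-key-storage` SPI code) shows the task behind this feature: parse an SP `EntityDescriptor`, collect the `KeyDescriptor` certificates by `use`, and cache them with a refresh-on-miss rule so that a rotation (a second signing certificate appearing in the metadata) is trusted without an admin re-uploading keys. The metadata document, entity ID and certificate blobs are constructed placeholders, not real X.509 data; the fetch function is injected so the code runs offline.

```python
"""Extract SP signing/encryption certificates from SAML 2.0 metadata and cache them.

Added example, not Keycloak code. The metadata document and certificate
blobs are constructed placeholders, not real X.509 certificates.
"""
import base64
import time
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def parse_sp_certificates(metadata_xml: str, entity_id: str) -> dict:
    """Return {"signing": [...], "encryption": [...]} as base64 DER strings.

    A KeyDescriptor without a `use` attribute is valid for both purposes.
    The entityID is checked so a metadata URL that serves a different SP is rejected.
    """
    root = ET.fromstring(metadata_xml)
    entity = None
    if root.tag == f"{{{NS['md']}}}EntityDescriptor":
        entity = root
    else:  # EntitiesDescriptor wrapping several entities
        for ed in root.iter(f"{{{NS['md']}}}EntityDescriptor"):
            if ed.get("entityID") == entity_id:
                entity = ed
                break
    if entity is None or entity.get("entityID") != entity_id:
        raise ValueError("metadata does not describe the expected entityID")
    sp = entity.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor in metadata")
    certs = {"signing": [], "encryption": []}
    for kd in sp.findall("md:KeyDescriptor", NS):
        use = kd.get("use")
        uses = [use] if use in ("signing", "encryption") else ["signing", "encryption"]
        for cert_el in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            der_b64 = "".join(cert_el.text.split())      # drop PEM-style line breaks
            base64.b64decode(der_b64, validate=True)     # reject garbage early
            for u in uses:
                if der_b64 not in certs[u]:
                    certs[u].append(der_b64)
    return certs


class MetadataCertCache:
    """Cache with TTL plus refresh-on-miss: an unknown signing key triggers one re-fetch."""

    def __init__(self, fetch, entity_id, ttl_s=3600, clock=time.time):
        self._fetch, self._entity_id, self._ttl, self._clock = fetch, entity_id, ttl_s, clock
        self._certs, self._loaded_at = None, 0.0

    def certificates(self, force=False):
        if force or self._certs is None or self._clock() - self._loaded_at > self._ttl:
            self._certs = parse_sp_certificates(self._fetch(), self._entity_id)
            self._loaded_at = self._clock()
        return self._certs

    def is_trusted_signing_cert(self, der_b64: str) -> bool:
        if der_b64 in self.certificates()["signing"]:
            return True
        return der_b64 in self.certificates(force=True)["signing"]   # SP may have rotated


# Constructed sample data (not real certificates).
def _fake_cert(label: bytes) -> str:
    return base64.b64encode(b"CONSTRUCTED-NOT-X509:" + label).decode("ascii")


OLD_SIGNING, NEW_SIGNING, ENC = _fake_cert(b"sign-2024"), _fake_cert(b"sign-2025"), _fake_cert(b"enc")
SP_ENTITY_ID = "https://sp.example.com/saml/metadata"   # assumed entityID


def metadata_document(signing_certs) -> str:
    kds = "".join(
        f'<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
        f'<ds:X509Certificate>{c}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>'
        for c in signing_certs)
    return f'''<md:EntityDescriptor xmlns:md="{NS["md"]}" xmlns:ds="{NS["ds"]}" entityID="{SP_ENTITY_ID}">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    {kds}
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{ENC}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>'''


def rotation_demo():
    """SP publishes a new signing cert; the cache picks it up on the first miss."""
    published = {"xml": metadata_document([OLD_SIGNING])}
    cache = MetadataCertCache(lambda: published["xml"], SP_ENTITY_ID)
    before = cache.is_trusted_signing_cert(NEW_SIGNING)               # not published yet
    published["xml"] = metadata_document([OLD_SIGNING, NEW_SIGNING])  # SP rotates, old still listed
    after = cache.is_trusted_signing_cert(NEW_SIGNING)                # miss forces a re-fetch
    return before, after
```

Whoever controls the metadata URL controls which keys the IdP trusts, so the URL must be HTTPS with certificate validation (or the metadata itself signed and verified), and the SP should publish both the old and the new signing certificate during the overlap period, as the demo does.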
Serving as an authorization server in MCP
MCP (Model Context Protocol) is an open-source standard for connecting AI applications to external systems. Using MCP, AI applications can connect to data sources, tools and workflows enabling them to access key information and perform tasks.
To comply with the MCP specification, this version publishes its OAuth 2.0 Authorization Server Metadata at a well-known URI in the format defined by RFC 8414 (OAuth 2.0 Authorization Server Metadata). Keycloak can therefore be used as an authorization server for MCP.
The latest MCP specification (2025-06-18) additionally requires support for resource indicators (RFC 8707), which Keycloak does not implement yet.
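As an added example (not Keycloak or MCP SDK code), the following shows the client side of this: deriving the RFC 8414 well-known URL from a Keycloak realm issuer, which has a path component that RFC 8414 requires to be appended after `/.well-known/oauth-authorization-server`, and the checks a client should make on the returned document before using its endpoints (issuer match, HTTPS endpoints, authorization code flow and PKCE `S256` advertised). The host name, realm and the metadata JSON are constructed; the fetch function is injected so the code runs offline.

```python
"""RFC 8414 discovery and validation for an MCP client using Keycloak as AS.

Added example, not Keycloak or MCP SDK code. Host, realm and metadata JSON are
constructed samples; endpoint paths follow Keycloak's /protocol/openid-connect/* layout.
"""
import json
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/oauth-authorization-server"
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "response_types_supported")


def realm_issuer(base_url: str, realm: str) -> str:
    """Keycloak issues tokens with iss = <base>/realms/<realm>."""
    return f"{base_url.rstrip('/')}/realms/{realm}"


def metadata_url(issuer: str) -> str:
    """RFC 8414 section 3.1: the issuer's path is inserted after the well-known suffix."""
    parts = urlsplit(issuer)
    if parts.scheme != "https" or parts.query or parts.fragment:
        raise ValueError("issuer must be an https URL without query or fragment")
    return f"{parts.scheme}://{parts.netloc}{WELL_KNOWN}{parts.path.rstrip('/')}"


def validate_metadata(doc: dict, expected_issuer: str) -> dict:
    """Return the document if safe to use, otherwise raise ValueError."""
    missing = [k for k in REQUIRED if k not in doc]
    if missing:
        raise ValueError(f"missing required metadata: {missing}")
    if doc["issuer"] != expected_issuer:      # RFC 8414 section 3.3: MUST match the issuer queried
        raise ValueError("issuer mismatch")
    for key, value in doc.items():
        if key.endswith("_endpoint") and isinstance(value, str) and not value.startswith("https://"):
            raise ValueError(f"{key} is not https")
    if "code" not in doc["response_types_supported"]:
        raise ValueError("authorization code flow not offered")
    if "S256" not in doc.get("code_challenge_methods_supported", []):
        raise ValueError("PKCE S256 not advertised")   # MCP clients are required to use PKCE
    return doc


def discover(issuer: str, fetch) -> dict:
    """fetch(url) -> response body; injected so the example runs without network access."""
    return validate_metadata(json.loads(fetch(metadata_url(issuer))), issuer)


# Constructed sample: a realm named mcp-demo on an assumed host.
ISSUER = realm_issuer("https://kc.example.com", "mcp-demo")
SAMPLE_METADATA = json.dumps({
    "issuer": ISSUER,
    "authorization_endpoint": ISSUER + "/protocol/openid-connect/auth",
    "token_endpoint": ISSUER + "/protocol/openid-connect/token",
    "jwks_uri": ISSUER + "/protocol/openid-connect/certs",
    "response_types_supported": ["code"],
    "grant_types_supported": ["authorization_code", "refresh_token"],
    "code_challenge_methods_supported": ["S256"],
    "dpop_signing_alg_values_supported": ["ES256"],
})

if __name__ == "__main__":
    print(metadata_url(ISSUER))
    print(discover(ISSUER, lambda url: SAMPLE_METADATA)["token_endpoint"])
```

The issuer comparison is the check that matters most: a document fetched from one host that names a different `issuer` is exactly the substitution that mix-up attacks rely on, and RFC 8414 says to reject it. Discovery tells the client nothing about RFC 8707 resource indicators, so the limitation stated above has to be known out of band.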
Administration
Update Email Workflow (supported)
Users can now update their email addresses in a more secure and consistent flow. They must both re-authenticate and verify the new email address before the account is updated.
For more information, see Update Email Workflow.
Optional email domain for organizations
In earlier versions, each organization required at least one email domain, which was a limitation for some scenarios. Starting with this release, an email domain is optional. Thank you to Alexis Rico for contributing this.
When no domain is specified, organization members will not be validated against domain restrictions during authentication and profile validation.
Hiding identity providers from the Account Console
You can now control which identity providers appear in the Account Console using the Show in Account console setting. You can choose to show only those linked with a user or hide them completely.
For more information, see General configuration.
Enforce recovery codes setup after setting up OTP
If you have enabled OTPs and recovery codes as a second factor for authentication, you can configure the OTP required action to ask users to set up recovery codes once they set up an OTP. Thank you to Niko Köbler for contributing this.
New conditional authenticator
The Conditional - ...
26.3.5
Upgrading
Before upgrading refer to the migration guide for a complete list of changes.
All resolved issues
Enhancements
- #41371 Upgrade to Quarkus 3.20.3 LTS
dist/quarkus
- #41373 Remove explicit MariaDB connector dependency
dist/quarkus
Bugs
- #41418 Access to user details for restricted admin fails after enabling organization in realm
organizations
- #42405 Old hmac-generated (32bit) is recreated when order is changed in realm keys ui
core
- #42491 CVE-2025-58057 - Netty BrotliDecoder / Data Amplification vulnerability
dist/quarkus
- #42492 CVE-2025-58056 - Netty HTTP Request Smuggling vulnerability
dist/quarkus
- #42736 Reset password in admin UI with 'not recently used' password policy leads to error 'Device already exists with the same name'
core
- #42769 Missing switch "ID Token as detached signature" in the admin console client settings
oidc
- #42922 Dynamic Client Registration invalidates the realm cache
core
26.3.4
Upgrading
Before upgrading refer to the migration guide for a complete list of changes.
All resolved issues
Enhancements
Bugs
- #35825 Per client session idle time capped by realm level client idle timeout
core
- #40374 Random but frequent duplicate key value violates unique constraint "constraint_offl_us_ses_pk2" errors
authentication
- #40463 Login to Account Console produces two consecutive LOGIN events
account/ui
- #40857 Unbounded login_hint Parameter Can Corrupt KC_RESTART Cookie and Break Login Flow
oidc
- #41427 Parallel token exchange fails if client session is expired
token-exchange
- #41801 Lack of coordination in database creation in 26.3.0 causes deployment failures (Reopen)
core
- #41942 Uncaught server error: org.keycloak.models.ModelException: Database operation failed : Sync LDAP Groups to Keycloak (Custom Provider)
core
- #42012 Client session timestamp not updated in the database if running multiple nodes
infinispan
- #42046 KeycloakRealmImport placeholder replacement provides access to sensitive environment variables.
operator
- #42158 Bug in configuration Keycloak via keycloak.conf
dist/quarkus
- #42164 [Keycloak CI - Docs] Broken links
core
- #42178 Integer validation error not shown for user profile fields
user-profile
- #42182 Validation errors for required actions don't show translated messages
admin/ui
- #42270 Missing double-dash in the events documentation
core
- #42339 Allowed Client Scopes add openid scope in scope list
oidc
- #42369 Missing client session offline settings on realm level in the admin UI
admin/ui
26.3.3
Upgrading
Before upgrading refer to the migration guide for a complete list of changes.
All resolved issues
Enhancements
- #41558 Ensure cache configuration has correct number of owners
- #41934 Infinispan 15.0.19.Final
- #41963 Upgrade to Quarkus 3.20.2.1
dist/quarkus
Bugs
- #39562 Breaking template change: Unknown `locale` input field added to user-profile registration page
user-profile
- #40984 Backchannel logout token with an unexpected signature algorithm key
oidc
- #41023 Can't send e-mails to international e-mail addresses: bad UTF-8 syntax
core
- #41098 Locked out after upgrade to 26.3.1 due to missing sub in lightweight access token
core
- #41268 `--optimized` flag and providers jar are incompatible when used with tools changing `last-modify-date`
dist/quarkus
- #41290 Concurrent starts with JDBC_PING lead to a split cluster
infinispan
- #41390 JDBC_PING2 doesn't merge split clusters after a while
infinispan
- #41421 Broken link securing-cache-communication in caching docs
docs
- #41423 Duplicate IDs in generated all configuration docs
docs
- #41469 Uncaught exception cases unclosed spans in tracing
dist/quarkus
- #41488 Synchronize Maven surefire plugin with Quarkus
dist/quarkus
- #41491 ExternalLinks are broken in documentation
docs
- #41520 LDAP Import: KERBEROS_PRINCIPAL not updated when UserPrincipal changes and KERBEROS_PRINCIPAL was null on creation
ldap
- #41532 LDAP Sync all users takes unexpectedly long in 26.3 (> 30 min)
ldap
- #41537 Getting error 405 "Method Not Allowed" when calling the "certs" endpoint with HEAD method
oidc
- #41643 Test SMTP connection fails when no port is specified
admin/api
- #41663 Typo in the caching doc
docs
- #41677 Provider default regression
dist/quarkus
- #41808 CVE-2025-7962 In Jakarta Mail 2.0.2 it is possible to perform an SMTP Injection by utilizing the \r and \n UTF-8 characters to separate different messages
core
- #41842 memberOf attribute empty or values with a DN that does not match the role base DN fetches all roles
ldap
- #41906 Backwards incompatible changes to 26.3.0 cause NullPointerException when requesting /certificates/jwt.credential/generate-and-download
authentication
- #41945 After upgrade to 26.3: Not possible to use Credentials having not-unique label
login/ui
26.3.2
Upgrading
Before upgrading refer to the migration guide for a complete list of changes.
All resolved issues
New features
- #40237 Add option "Requires short state parameter" to OIDC IDP
authentication
Enhancements
- #40970 Run clustering compatibility tests on release/x.y branches
- #41034 Improve logging for client sessions load
- #41257 Upgrade to Infinispan 15.0.18.Final
infinispan
Bugs
- #39091 Flaky test: org.keycloak.testsuite.cluster.JGroupsCertificateRotationClusterTest#testCoordinatorHasScheduleTask
ci
- #39634 Update MariaDB connector to 3.5.3
dist/quarkus
- #39854 Flaky test: org.keycloak.testsuite.cluster.PermissionTicketInvalidationClusterTest#crudWithFailover
ci
- #40553 Upgrade org.postgresql:postgresql to version 42.7.7 to address CVE-2025-49146
dependencies
- #40736 CVE-2025-49574 - Exposure of Resource to Wrong Sphere vulnerability in io.vertx:vertx-core
dependencies
- #40782 Flaky test: org.keycloak.testsuite.cluster.RealmInvalidationClusterTest#crudWithFailover
ci
- #40784 Default jdbc-ping cluster setup for distributed caches fails in Oracle
infinispan
- #40977 Loglevel recorded from build phase
dist/quarkus
- #40980 Can't update security-admin-console via admin UI with volatile sessions
infinispan
- #40995 LDAP / ModelException: At least one condition should be provided to OR query
core
- #41018 Flaky test: org.keycloak.testsuite.cluster.ClientInvalidationClusterTest#crudWithFailover
ci
- #41038 FIPS errors in CI
- #41082 Multiple primary key defined when attempting to upgrade after 26.3.0
core
- #41103 Service Account users now showing in the User List
admin/ui
- #41105 Unknown relation when removing realm role with --db-schema configured
storage
- #41152 Docs use em-dashes instead of double dashes for SPI options in regular text
docs
- #41204 UpdateTest CI failures
ci
- #41370 [26.3] MariaDB connector dependency is not properly overriden
dist/quarkus
26.3.1
Upgrading
Before upgrading refer to the migration guide for a complete list of changes.
All resolved issues
Enhancements
- #40851 Upgrade to Infinispan 15.0.16.Final
- #40962 Update limitations of the preview feature rolling updates for patch releases
infinispan
Bugs
- #35932 Importing a realm takes more than 1 minute when multiple others exist.
dist/quarkus
- #40368 NPE during loading user groups with concurrent deletion
storage
- #40713 Unable to configure TLS reloading in Keycloak version 26.2.0 or later
account/api
- #40838 Mark options for additional datasources as preview
dist/quarkus
- #40890 Keycloak Operator 26.3.0 fails to update to 26.3.0
operator
- #40930 Docs: server_development/topics/themes.adoc
docs
- #40954 Keycloak 26.3.0 Regression: Failed to login if web-authn is disabled
core
26.3.0
Highlights
This release delivers advancements to optimize your system and improve the experience of users, developers and administrators:
- Account recovery with 2FA recovery codes, protecting users from lockout.
- Simplified experiences for application developers with streamlined WebAuthn/Passkey registration and simplified account linking to identity providers via application initiated actions.
- Broader connectivity with the ability to broker with any OAuth 2.0 compliant authorization server, and enhanced trusted email verification for OpenID Connect providers.
- Asynchronous logging for higher throughput and lower latency, ensuring more efficient deployments.
- For administrators, experimental rolling updates for patch releases mean minimized downtime and smoother upgrades.
Read on to learn more about each new feature, and find additional details in the upgrading guide if you are upgrading from a previous release of Keycloak.
Recovering your account if you lose your 2FA credentials
When using, for example, a one-time-password (OTP) generator as a second factor for authenticating users (2FA), a user can get locked out of their account if they lose the phone that contains the OTP generator. To prepare for such a case, the recovery codes feature allows users to print a set of recovery codes as an additional second factor. If recovery codes are allowed as an alternative 2FA in the login flow, they can be used instead of the OTP-generated passwords.
With this release, the recovery codes feature is promoted from preview to a supported feature. For newly created realms, the browser flow now includes the Recovery Authentication Code Form as Disabled, and it can be switched to Alternative by admins if they want to use this feature.
For more information about this 2FA method, see the Recovery Codes chapter in the Server Administration Guide.
Performance improvements to import, export and migration
The time it takes to run imports, exports or migrations involving a large number of realms has been improved. There is no longer a cumulative performance degradation for each additional realm processed.
Simplified registration for WebAuthn and Passkeys
Both WebAuthn Register actions (`webauthn-register` and `webauthn-register-passwordless`), which are also used for Passkeys, now support a `skip_if_exists` parameter when initiated by the application (AIA).
This should make it more convenient to use the AIA in scenarios where a user has already set up WebAuthn or Passkeys. The parameter allows skipping the action if the user already has a credential of that type.
For more information, see the Registering WebAuthn credentials using AIA chapter in the Server Administration Guide.
Simplified linking of the user account to an identity provider
Client-initiated linking of a user account to an identity provider is now based on the application-initiated action (AIA) implementation. This aligns the configuration of the feature with other AIAs and simplifies both the error handling and the invocation from the client application, making it useful for a broader audience.
The custom protocol, which was previously used for client-initiated account linking, is now deprecated.
Brokering with OAuth v2 compliant authorization servers
In previous releases Keycloak already supported federation with other OpenID Connect and SAML providers, as well as with several Social Providers like GitHub and Google which are based on OAuth 2.0.
The new OAuth 2.0 broker now closes the gap to federate with any OAuth 2.0 provider. This then allows you to federate, for example, with Amazon or other providers. As this is a generic provider, you will need to specify the different claims and a user info endpoint in the provider’s configuration.
For more information, see the OAuth v2 identity providers chapter in the Server Administration Guide.
Trusted email verification when brokering OpenID Connect Providers
Until now, the OpenID Connect broker did not support the standard `email_verified` claim available from the ID Tokens issued by OpenID Connect Providers.
Starting with this release, Keycloak supports this standard claim as defined by the OpenID Connect Core Specification for federation.
Whenever users are federated for the first time or are re-authenticating, and if the Trust email setting is enabled, Sync Mode is set to `FORCE`, and the provider sends the `email_verified` claim, the user account will have its email marked according to the `email_verified` claim.
If the provider does not send the claim, it defaults to the original behavior and sets the email as verified.
Asynchronous logging for higher throughput and lower latency
All available log handlers now support asynchronous logging capabilities. Asynchronous logging helps deployments that require high throughput and low latency.
For more details on this opt-in feature, see the Logging guide.
Rolling updates for patch releases for minimized downtime (preview)
In the previous release, the Keycloak Operator was enhanced to support performing rolling updates of the Keycloak image if both images contain the same version. This is useful, for example, when switching to an optimized image, changing a theme or a provider source code.
In this release, we extended this to perform a rolling update when the new image contains a future patch release from the same `major.minor` release stream, as a preview feature.
This can reduce the service’s downtime even further, as downtime is only needed when upgrading from a different minor or major version.
Read more on how to enable this feature in update compatibility command.
Passkeys integrated in the default username forms
In this release Keycloak integrates Passkeys in the default authentications forms. A new switch Enable Passkeys is available in the configuration, Authentication → Policies → Webauthn Passwordless Policy, that seamlessly incorporates passkeys support to the realm. With just one click, Keycloak offers conditional and modal user interfaces in the default login forms to allow users to authenticate with a passkey.
The Passkeys feature is still in preview. Follow the Enabling and disabling features guide to enable it.
For more information, see Passkeys section in the Server Administration Guide.
Upgrading
Before upgrading refer to the migration guide for a complete list of changes.
All resolved issues
New features
26.2.5
Upgrading
Before upgrading refer to the migration guide for a complete list of changes.
All resolved issues
Enhancements
- #39469 Fix Securing Apps links to adapters
docs
- #39486 Email server credentials can be harvested through host/port manipulation
admin/api
- #39541 Fix doc link to FGAP v1
docs
- #39543 Apply edits to Operators Guide
docs
- #39572 Edit Observability Guide
docs
- #39590 Fix callouts in Operator guide
docs
- #39638 Sessions from Infinispan should be mapped lazily for the Admin UI
- #39651 Speed up Infinispan list of all sessions be more eagerly remove old client sessions
- #39665 When logging in, all client sessions are loaded which is slow
oidc
Bugs
- #39130 Authorization Code Flow Fails Scope Validation After Credential Definition Migration to Realm Level
oid4vc
- #39157 [quarkus-next] TestEngine with ID 'junit-jupiter' failed to discover tests
dist/quarkus
- #39264 [OID4VCI] Documentation Errors
docs
- #39358 Aggregated policy: Cannot select policies that do not appear in the drop-down list
admin/ui
- #39450 quarkus runtime options are treated as buildtime options
dist/quarkus
- #39496 [26.2.3/26.1.5] Regression: empty ClientList in UI for Custom UserStorageProvider
admin/ui
- #39499 UI does not show user's attributes after reentering the Attributes TAB
admin/ui
- #39502 Refreshed tokens are not persisted for IDP token exchange
token-exchange
- #39509 UI does not show organization's attributes after reentering the Attributes TAB
account/ui
- #39538 Autocomplete in Mapper type of user federation broken
admin/ui
- #39540 Forms IT tests breaks with Chrome 136.0.7103.59
ci
- #39612 Unable to change the OTP hash algorithm
admin/ui
- #39614 Keycloak not using custom Infinispan config
infinispan
- #39663 Duplicate validation message “Please specify username.” shown on login form
login/ui
- #39693 Clicking on the jump links removes the localization of the UI
admin/ui
- #39697 Authorization documentation shows the wrong view
authorization-services
- #39710 Recreate update is not scaling down the statefulset to zero
operator
- #39724 Hibernate LazyInitializationException when deleting client with CompositeRoles
core
- #39753 POST realm API returns 400 on conflict instead of 409 in version 26.2.4
admin/api
- #39798 Documentation has outdated link to the "latest" branch of quickstarts
docs
- #39800 [KEYCLOAK CI] - AuroraDB IT - Create EC2 runner instance
ci
26.2.4
Upgrading
Before upgrading refer to the migration guide for a complete list of changes.
All resolved issues
Enhancements
- #39418 Clarify when to use podman
docs
Bugs
- #35278 Double click on social provider link causes page has expired error
login/ui
- #38918 IPv6 support: Broker tests failing with proxy configuration
ci
- #39021 After migrating to newer Keycloak, token refreshes using inherited offline sessions return access tokens with invalid exp value
oidc
- #39023 Keycloak 26.2.0 UI Performance Degradation
admin/ui
- #39173 duplicate key value violates unique constraint "constraint_offl_cl_ses_pk3"
infinispan
- #39454 JGroups errors when running a containerized Keycloak in Strict FIPS mode and with Istio
infinispan
- #39500 Update Job Pod is listed in the keycloak discovery service
operator