Update dependency keycloak/keycloak to v24 (!38) · Merge requests · FSI Ansible / keycloak

Renovate Bot requested to merge renovate/keycloak-keycloak-24.x into main Mar 04, 2024

This MR contains the following updates:

Package	Update	Change
keycloak/keycloak	major	`21.0.1` -> `24.0.3`

Release Notes

keycloak/keycloak (keycloak/keycloak)

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Enhancements

#26695 Keycloak and MSAD: enabling account in MSAD does not propagate to Keycloak ldap

Bugs

#24201 Cannot disable LDAP-backed user if importEnabled=false ldap
#28100 Failed authentication: java.lang.NullPointerException: Cannot invoke "org.keycloak.models.UserModel.getFederationLink()" because "this.delegate" is null identity-brokering
#28248 Update user makes User ID changes when federationLink and LDAP_ID is not set properly admin/api
#28335 The false option of the pkceMethod init parameter for the JavaScript adapter is ignored adapter/javascript
#28638 Missing permission to read configmaps in `keycloak-operator-role` operator

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Enhancements

#25057 Inconsistent behaviour on getting user permissions using authorization authorization-services
#27433 Clarify format of keys in `additionalOptions` field in the Keycloak CR docs
#27481 Edit High Availability guide
#27484 Edit 23.0 changes part of Upgrading Guide
#27632 Integrate downstream Upgrading Guide changes into upstream
#27696 Upgrade to Quarkus 3.8.2 dist/quarkus
#27867 Corrections to Securing Apps Guide
#27871 Upgrade to Infinispan 14.0.26 core
#27953 Address feedback to Keycloak Server guide docs
#27955 Address term Keycloak in Server Administration Guide docs
#28009 Address edits to the Operator Guide
#28033 Upgrade Infinispan to 14.0.27.Final
#28084 Upgrade to Quarkus 3.8.3 dist/quarkus

Bugs

#14501 Getting failed to initialize js message if consent is rejected by user account/ui
#15403 No email send on TOTP/Authenticator app removal core
#20637 Reset password flow fails with "Page has expired" error when Kerberos authentication is enabled in the browser flow authentication
#22644 Flaky test: org.keycloak.testsuite.forms.BrowserFlowTest#testAlternativeNonInteractiveExecutorInSubflow core
#23701 Attribute search does not work with federated users with ldap. admin/ui
#23980 Keycloak Operator fails to install realm authentication flow because "flow is null" import-export
#25490 Partial export/import is not mentioned in Keycloak's Server Administration Guide docs
#25687 A java.lang.NullPointerException occurs when sending a Multipart/form-data request to any file upload interface. admin/api
#26396 How do you update a custom user storage provider jar that includes a version number? dist/quarkus
#27117 user sessions not accessible in all cluster nodes infinispan
#27180 Grant type "urn:ietf:params:oauth:grant-type:uma-ticket" openid-connect/token service endpoint is returning refresh token with invalid Expiration authorization-services
#27228 Lowercased "terms_and_conditions" is not migrated in fed_user_required_action table core
#27245 Account console does not correctly treat link / unlink account account/ui
#27269 mvnw clean install -Pdistribution on Windows deletes necessary files during clean of org.keycloak:keycloak-admin-ui admin/ui
#27275 Invalidating offline token is not working from client sessions tab authentication
#27366 Social login - test failures with unexpected status code testsuite
#27483 Authz-client AuthorizationResource.getPermissions() ClassCastException authorization-services
#27504 Cpu and memory sizing typo docs
#27529 LegacyUserCredentialManager class not found storage
#27540 URL change for liquibase docs docs
#27548 Custom Browser Flow not working anymore admin/ui
#27573 Release notes from 24.0.0 miss that multi-site active-passive deployments are supported docs
#27597 dropping KC_PROXY=edge causes startup error core
#27611 Cannot modify realm email settings since keycloak 24 user-profile
#27653 Admin tests: Flaky realm_settings_user_profile_enabled test admin/ui
#27701 MTLS Cache options should be runtime options, not build time options dist/quarkus
#27719 Wrong Welcome page image in the documentation docs
#27745 Registration template in login2 is broken login/ui
#27761 Snyk workflow failure ci
#27779 Broken Migration "MigrateTo24_0_0" core
#27780 Fixing downstream documentation build docs
#27797 User profile fields cannot be set empty once they have a non-empty value (in Login Theme) user-profile
#27820 Account console confusing with WebAuthn account/ui
#27841 ES translation causes FreeMarker rendering issues translations
#27852 VerifyUserProfile invalidates user cache on every login core
#27878 Error when executing refresh grant, with scope param, without offline_access scope specified oidc
#27882 Incorrect version of bctls-fips in the docs docs
#27892 Truststore handling for the Operator is not documented operator
#27894 Multi datasource configuration does not work in Keycloak 24.0.1 dist/quarkus
#27900 Performance impact in changed hashing measured wrong authentication
#27925 Keycloak docs state that there are http metrics, but they are disabled docs
#27954 Hibernate Dialect detection does not work anymore for Oracle DBs storage
#27966 🍺 instead of dot: Attributes in account UI are not loaded user-profile
#27967 ORA-01450 when updating keycloak 23 -> 24 storage
#27981 User Profile: Inconsistent ordering of attributes between account and login themes user-profile
#28001 MySQL connector artifact should be ignored dist/quarkus
#28012 Keycloak CR Truststore should not have a name operator
#28113 WebAuthN registration broken after upgrading to 24.0.1 authentication/webauthn

Highlights

Operator deploys nightly build instead of 24.0.0

Due to an issue in the release process when deploying Keycloak using the Operator it installed the nightly container instead of 24.0.0.

As a quick fix to the issue, the 24.0.0 container was tagged with nightly, and the nightly releases was temporarily disabled.

If you installed or upgraded to 24.0.0 using the Operator before 5pm CET yesterday the database may have been updated with the wrong versions. To check if you are affected connect to your database and run the following SQL command:

SELECT * from migration_model WHERE version = '999.0.0';

If the above returns a matching row you will need to take some actions, otherwise database migrations will not run for future releases. To resolve this run the following SQL command:

UPDATE migration_model SET version = '24.0.0' WHERE version = '999.0.0';

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

`v24.0.0`

Compare Source

Highlights

Supported user profile and progressive profiling

The user profile preview feature is promoted to be fully supported and user profile is enabled by default.

In the past months, the Keycloak team spent a huge amount of effort in polishing the user profile feature to make it fully supported. In this release, we continued the effort. Lots of improvements, fixes and polishing were done based on the thorough testing and feedback from our awesome community.

The following are a few highlights of this feature;

Fine-grained control over the attributes that users and administrators can manage so that you can prevent unexpected attributes and values from being set.
Ability to specify what user attributes are managed and should be displayed on the forms to regular users or administrators.
Dynamic forms - Previously, the forms where users created or updated their profiles, contain four basic attributes like username, email, first name and last name. The addition of any attributes (or removing some default attributes) required you to create a custom theme. Now custom themes may not be needed because users see exactly the requested attributes based on the requirement of the particular deployment.
Validations - Ability to specify validators for the user attributes including built-in validators that you can use to specify a maximum or minimum length, a specific regex, or limiting a particular attribute to be a URL or number.
Annotations - Ability to specify that particular attribute should be rendered for instance as a text area, an HTML select with specified options, or calendar or many other options. You can also bind JavaScript code to a specific field to change how an attribute is rendered and customize its behavior.
Progressive profiling - Ability to specify that some fields are required or available on the forms just for particular values of scope parameter. This effectively allow progressive profiling. You no longer need to ask the user for twenty attributes during registration; you can instead ask the user to fill in attributes incrementally according to the requirements of the individual client applications that are used by the user.
Migration from previous versions - The user profile is now always enabled, but it operates as before for those who did not use this feature. You can benefit from the user profile capabilities, but you are not required to use them. For migration instructions, see the Upgrading Guide.

The first release of the user profile as a supported feature is just the starting point and the baseline for delivering many more capabilities around identity management.

We would like to give huge thanks to the awesome Keycloak community as lots of ideas, requirements and contributions came from the community! Special thanks to:

For more details about user profile capabilities, see the Server Administration Guide.

Breaking changes to the User Profile SPI

In this release, changes to the User Profile SPI might impact existing implementations based on this SPI. For more details, see the Upgrading Guide.

Changes to Freemarker templates to render pages based on the user profile and realm

In this release, the following templates were updated to make it possible to dynamically render attributes based on the user profile configuration set to a realm:

login-update-profile.ftl
register.ftl
update-email.ftl

For more details, see the Upgrading Guide.

New Freemarker template for the update profile page at first login through a broker

In this release, the server renders the update profile page when the user is authenticating through a broker for the first time using the idp-review-user-profile.ftl template.

For more details, see the Upgrading Guide.

Java adapter deprecation and removal

Back in 2022 we announced the deprecation of Keycloak adapters in Keycloak 19. To give the community more time to adopt this was delayed.

With that in mind, this will be the last major release of Keycloak to include OpenID Connect and SAML adapters. As Jetty 9.x has not been supported since 2022 the Jetty adapter has been removed already in this release.

The generic Authorization Client library will continue to be supported, and aims to be used in combination with any other OAuth 2.0 or OpenID Connect libraries.

The only adapter we will continue to deliver is the SAML adapter for latest releases of WildFly and EAP 8.x. Reasoning for continuing to support this is down to the fact that the majority of the SAML codebase in Keycloak was a contribution from WildFly. As part of this contribution we agreed to maintain SAML adapters for WildFly and EAP in the long run.

Jetty adapter removed

Jetty 9.4 has not been supported in the community for a long time, and reached end-of-life in 2022. At the same time the adapter has not been updated or tested with more recent versions of Jetty. For these reasons the Jetty adapter has been removed from this release.

New Welcome Page

The 'welcome' page that appears at the first use of Keycloak is redesigned. It provides a better setup experience and conforms to the latest version of PatternFly. The simplified page layout includes only a form to register the first administrative user. After completing the registration, the user is sent directly to the Admin Console.

If you use a custom theme, you may need to update it to support the new welcome page. For details, see the Upgrading Guide.

New Account Console now the default

We introduced version 3 of the Account Console in Keycloak 22 as a preview feature. In this release, we are making it the default version, and deprecating version 2 in the process, which will be removed in a subsequent release.

This new version has built-in support for the user profile feature, which allows administrators to configure which attributes are available to users in the Account Console, and lands a user directly on their personal account page after logging in.

If you are using or extending the customization features of this theme, you may need to perform additional migrations. For more details, see the Upgrading Guide.

Keycloak JS

Using `exports` field in `package.json`

The Keycloak JS adapter now uses the exports field in its package.json. This change improves support for more modern bundlers like Webpack 5 and Vite, but comes with some unavoidable breaking changes. See the Upgrading Guide for more details.

PKCE enabled by default

The Keycloak JS adapter now sets the pkceMethod option to S256 by default. This change enables Proof Key Code Exchange (PKCE) for all applications using the adapter. If you use the adapter on a system that does not support PKCE, you can set the pkceMethod option to false to disable it.

Changes to Password Hashing

In this release, we adapted the password hashing defaults to match the OWASP recommendations for Password Storage.

As part of this change, the default password hashing provider has changed from pbkdf2-sha256 to pbkdf2-sha512. Also, the number of default hash iterations for pbkdf2 based password hashing algorithms changed. This change means better security aligned with latest recommendations, but it has impact on performance. It is possible to stick to the old behaviour by adding password policies hashAlgorithm and hashIterations to your realm. For more details, see the Upgrading Guide.

OAuth/OIDC related improvements

Lightweight access tokens support

This release contains support for Lightweight access tokens. As a result, you can have smaller access tokens for specified clients. These tokens have only a few claims, which is why they are smaller. Note that lightweight access token is still JWT signed by the realm key by default and still contains some very basic claims.

This release introduces an Add to lightweight access token flag that is available on some OIDC protocol mappers. Use this flag to specify if a particular claim should be added to a lightweight access token. It is OFF by default, which means that most claims are not added.

Also, a client policy executor exists. Use it to specify if a particular client request should use lightweight access tokens or regular access tokens. An alternative to the executor is to use an Always use lightweight access token flag on client advanced settings, which causes that client to always use lightweight access tokens. An executor can be an alternative if you need more flexibility. For instance, you may choose to use lightweight access tokens by default but use regular tokens only for the specified scope parameter.

A previous release added an Add to token introspection switch. You use it to add claims that are not present in the access token into the introspection endpoint response.

Thanks to Shigeyuki Kabano for the contribution and Thanks to Takashi Norimatsu for a help and review of this feature.

OAuth 2.1 support

This release contains optional OAuth 2.1 support. New client policy profiles were introduced in this release, which administrators can use to make sure that clients and particular client requests comply with the OAuth 2.1 specification. A dedicated client profile exists for confidential clients and a dedicated profile for public clients. Thanks to Takashi Norimatsu and Shigeyuki Kabano for the contribution.

Scope parameter supported in the refresh token flow

Starting with this release, the scope parameter in the OAuth2/OIDC endpoint for token refresh is supported. Use this parameter to request access tokens with a smaller amount of scopes than originally granted, which means you cannot increase access token scope. This scope limitation does not affect the scope of the refreshed refresh token. This function works as described in the OAuth2 specification. Thanks to Konstantinos Georgilakis for the contribution.

Client policy executor for secure redirect URIs

A new client policy executor secure-redirect-uris-enforcer is introduced. Use it to restrict which redirect URIs can be used by the clients. For instance, you can specify that client redirect URIs cannot have wildcards, should be just from specific domain, must be OAuth 2.1 compliant, and so on. Thanks to Lex Cao and Takashi Norimatsu for the contribution.

Client policy executor for enforcing DPoP

A new client policy executor dpop-bind-enforcer is introduced. You can use it to enforce DPoP for a particular client if dpop preview is enabled. Thanks to Takashi Norimatsu for the contribution.

Supporting EdDSA

You can create EdDSA realm keys and use them as signature algorithms for various clients. For instance, you can use these keys to sign tokens or for client authentication with signed JWT. This feature includes identity brokering where Keycloak itself signs client assertions that are used for private_key_jwt authentication to third party identity providers. Thanks to Takashi Norimatsu and Muhammad Zakwan Bin Mohd Zahid for the contribution.

EC Keys supported by JavaKeystore provider

The provider JavaKeystoreProvider for providing realm keys now supports EC keys in addition to previously supported RSA keys. Thanks to Stefan Wiedemann for the contribution.

Option to add X509 thumbprint to JWT when using private_key_jwt authentication for identity providers

OIDC identity providers now have the Add X.509 Headers to the JWT option for the situation when client authentication with JWT signed by private key is used. This option can be useful for interoperability with some identity providers such as Azure AD, which require the thumbprint to be present on the JWT. Thanks to MT for the contribution.

OAuth Grant Type SPI

The Keycloak codebase includes an internal update to introduce the OAuth Grant Type SPI. This update allows additional flexibility when introducing custom grant types supported by the Keycloak OAuth 2 token endpoint. Thanks to Dmitry Telegin for the contribution.

CORS improvements

The CORS related Keycloak functionality was extracted into the SPI, which can allow additional flexibility. Note that CorsSPI is internal and may change at a future release. Thanks to Dmitry Telegin for the contribution.

Truststore improvements

Keycloak introduces improved truststores configuration options. The Keycloak truststore is now used across the server, including outgoing connections, mTLS, and database drivers. You no longer need to configure separate truststores for individual areas. To configure the truststore, you can put your truststores files or certificates in the default conf/truststores, or use the new truststore-paths config option. For details refer to the relevant guide.

Versioned Features

Features now support versioning. To preserve backward compatibility, all existing features (including account2 and account3) are marked as version 1. Newly introduced features will use versioning, which means that users can select between different implementations of desired features.

For details refer to the features guide.

Keycloak CR Truststores

You may also take advantage of the new server-side handling of truststores by using the Keycloak CR, for example:

spec:
  truststores:
    mystore:
      secret:
        name: mystore-secret
    myotherstore:
      secret:
        name: myotherstore-secret

Currently only Secrets are supported.

Trust Kubernetes CA

The cert for the Kubernetes CA is added automatically to your Keycloak Pods managed by the Operator.

Automatic certificate management for SAML identity providers

The SAML identity providers can now be configured to automatically download the signing certificates from the IDP entity metadata descriptor endpoint. In order to use the new feature, configure the Metadata descriptor URL option in the provider (the URL where the IDP metadata information with the certificates is published) and set Use metadata descriptor URL to ON. The certificates are automatically downloaded and cached in the public-key-storage SPI from that URL. The certificates can also be reloaded or imported from the Admin Console, using the action combo in the provider page.

See the documentation for more details about the new options.

Non-blocking health check for load balancers

A new health check endpoint available at /lb-check was added. The execution is running in the event loop, which means this check is responsive also in overloaded situations when Keycloak needs to handle many requests waiting in request queue. This behavior is useful, for example, in multi-site deployment to avoid failing over to another site that is under heavy load. The endpoint is currently checking availability of the embedded and external Infinispan caches. Other checks may be added later.

This endpoint is not available by default. To enable it, run Keyloak with the multi-site feature. For more details, see Enabling and disabling features.

Keycloak CR Optimized Field

The Keycloak CR now includes an startOptimized field, which may be used to override the default assumption about whether to use the --optimized flag for the start command. As a result, you can use the CR to configure build time options also when a custom Keycloak image is used.

Enhanced reverse proxy settings

It is now possible to separately enable parsing of either Forwarded or X-Forwarded-* headers by using the new --proxy-headers option. For details, see the Reverse Proxy Guide. The original --proxy option is now deprecated and will be removed in a future release. For migration instructions, see the Upgrading Guide.

Changes to the user representation in both Admin API and Account contexts

In this release, we are encapsulating the root user attributes (such as username, email, firstName, lastName, and locale) by moving them to a base/abstract class in order to align how these attributes are marshalled and unmarshalled when using both Admin and Account REST APIs.

This strategy provides consistency in how attributes are managed by clients and makes sure they conform to the user profile configuration set to a realm.

For more details, see the Upgrading Guide.

Sequential loading of offline sessions and remote sessions

Starting with this release, the first member of a Keycloak cluster will load remote sessions sequentially instead of in parallel. If offline session preloading is enabled, those will be loaded sequentially as well.

For more details, see the Upgrading Guide.

Performing actions on behalf of another already authenticated user is not longer possible

In this release, you can no longer perform actions such as email verification if the user is already authenticated and the action is bound to another user. For instance, a user can not complete the verification email flow if the email link is bound to a different account.

Changes to the email verification flow

In this release, if a user tries to follow the link to verify the email and the email was previously verified, a proper message will be shown.

In addition to that, a new error (EMAIL_ALREADY_VERIFIED) event will be fired to indicate an attempt to verify an already verified email. You can use this event to track possible attempts to hijack user accounts in case the link has leaked or to alert users if they do not recognize the action.

Deprecated offline session preloading

The default behavior of Keycloak is to load offline sessions on demand. The old behavior to preload them at startup is now deprecated, as pre-loading them at startup does not scale well with a growing number of sessions, and increases Keycloak memory usage. The old behavior will be removed in a future release.

For more details, see the Upgrading Guide.

Configuration option for offline session lifespan override in memory

To reduce memory requirements, we introduced a configuration option to shorten lifespan for offline sessions imported into the Infinispan caches. Currently, the offline session lifespan override is disabled by default.

For more details, see the Server Administration Guide.

Infinispan metrics use labels for cache manager and cache names

When enabling metrics for Keycloak8217;s embedded caches, the metrics now use labels for the cache manager and the cache names.

For more details, see the Upgrading Guide.

User attribute value length extension

As of this release, Keycloak supports storing and searching by user attribute values longer than 255 characters, which was previously a limitation.

For more details, see the Upgrading Guide.

Brute Force Protection changes

There have been a couple of enhancements to the Brute Protection:

When an attempt to authenticate with an OTP or Recovery Code fails due to Brute Force Protection the active Authentication Session is invalidated. Any further attempts to authenticate with that session will fail.
In previous versions of Keycloak, the administrator had to choose between disabling users temporarily or permanently due to a Brute Force attack on their accounts. The administrator can now permanently disable a user after a given number of temporary lockouts.
The property failedLoginNotBefore has been added to the brute-force/users/{userId} endpoint

Authorization Policy

In previous versions of Keycloak, when the last member of a User, Group or Client policy was deleted then that policy would also be deleted. Unfortunately this could lead to an escalation of privileges if the policy was used in an aggregate policy. To avoid privilege escalation the effect policies are no longer deleted and an administrator will need to update those policies.

Keycloak CR cache-config-file option

The Keycloak CR now allows for specifying the cache-config-file option by using the cache spec configMapFile field, for example:

apiVersion: k8s.keycloak.org/v2alpha1
kind: Keycloak
metadata:
  name: example-kc
spec:
  ...
  cache:
    configMapFile:
      name: my-configmap
      key: config.xml

Keycloak CR resources options

The Keycloak CR now allows for specifying the resources options for managing compute resources for the Keycloak container. It provides the ability to request and limit resources independently for the main Keycloak deployment via the Keycloak CR, and for the realm import Job via the Realm Import CR.

When no values are specified, the default requests memory is set to 1700MiB, and the limits memory is set to 2GiB.

You can specify your custom values based on your requirements as follows:

apiVersion: k8s.keycloak.org/v2alpha1
kind: Keycloak
metadata:
  name: example-kc
spec:
  ...
  resources:
    requests:
      cpu: 1200m
      memory: 896Mi
    limits:
      cpu: 6
      memory: 3Gi

For more details, see the Operator Advanced configuration.

Temporary lockout log replaced with event

There is now a new event USER_DISABLED_BY_TEMPORARY_LOCKOUT when a user is temporarily locked out by the brute force protector. The log with ID KC-SERVICES0053 has been removed as the new event offers the information in a structured form.

For more details, see the Upgrading Guide.

Updates to cookies

Cookie handling code has been refactored and improved, including a new Cookie Provider. This provides better consistency for cookies handled by Keycloak, and the ability to introduce configuration options around cookies if needed.

SAML User Attribute Mapper For NameID now suggests only valid NameID formats

User Attribute Mapper For NameID allowed setting Name ID Format option to the following values:

urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName
urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName
urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos
urn:oasis:names:tc:SAML:2.0:nameid-format:entity

However, Keycloak does not support receiving AuthnRequest document with one of these NameIDPolicy, therefore these mappers would never be used. The supported options were updated to only include the following Name ID Formats:

urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
urn:oasis:names:tc:SAML:2.0:nameid-format:transient

Different JVM memory settings when running in container

Instead of specifying hardcoded values for the initial and maximum heap size, Keycloak uses relative values to the total memory of a container. The JVM options -Xms, and -Xmx were replaced by -XX:InitialRAMPercentage, and -XX:MaxRAMPercentage.

For more details, see the Running Keycloak in a container guide.

GELF log handler has been deprecated

With sunsetting of the underlying library providing integration with GELF, Keycloak will no longer support the GELF log handler out-of-the-box. This feature will be removed in a future release. If you require an external log management, consider using file log parsing.

Support for multi-site active-passive deployments

Deploying Keycloak to multiple independent sites is essential for some environments to provide high availability and a speedy recovery from failures. This release supports active-passive deployments for Keycloak.

To get started, use the High Availability Guide which also includes a comprehensive blueprint to deploy a highly available Keycloak to a cloud environment.

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

New features

#15190 RestAPI endpoint "send-verify-email" sending execute actions email template. admin/api
#19586 @keycloak/keycloak-admin-client doesn't provide an ability to use optional client scope for access token admin/client-js
#23539 User profile attributes should only accept a single value unless configured otherwise user-profile
#25167 Implement POST logout in Keycloak JS adapter/javascript
#25446 CORS SPI oidc
#25676 Introduce new CLI config options for Infinispan remote store dist/quarkus
#25702 Encrypt network communication in JGroups dist/quarkus
#25733 Update Route53 HA guide to be compatible with ROSA and Openshift 4.14.x
#25903 Create new landing page for admin console
#25941 Issue Verifiable Credentials in the JWT-VC format core
#26028 Remove conditional statements about Windows / Linux from the docs docs
#26250 OAuth 2.0 Grant Type SPI oidc
#26455 Supported option to specify maximum threads used to handle HTTP requests dist/quarkus
#26456 Supported option to specify resource management for pods in Keycloak CR dist/quarkus
#26458 Support custom Infinispan configuration file in Keycloak CR operator
#26460 Supported option to specify site name for multi-site deployments dist/quarkus
#26500 Cookie Provider
#26936 Support EC Key-Imports for the JavaKeystoreKeyProvider
#27186 Meta description of admin-ui and account-ui cannot be changed in theme.properties

Enhancements

#9508 Rename "Resident key" to "Discoverable Credential" docs
#9758 User attributes with a text more than 255 characters storage
#9784 Add truststore options to Keycloak CR operator
#10794 Support importing Kubernetes CA operator
#12009 Support for scope parameter in the refresh flow oidc
#12352 Align Operator config naming with Quarkus distribution operator
#12946 Add X509 thumbprint to JWT when using private_key_jwt oidc
#13250 --verbose option doesn't work in Quarkus distribution dist/quarkus
#15000 Add EdDSA/Ed25519 to WebAuthn Signature algorithms authentication/webauthn
#15714 Supporting EdDSA oidc
#16629 Increase the default iterations for Pbdkdf2-256/512 to match the updated OWASP recommendations authentication
#17574 Add failedLoginNotBefore field to existing brute force detection status API
#17735 Admin-UI: Show realm display name in realm drop down instead of realm id if available admin/ui
#19190 Add "amr" to already implemented "acr" support
#19285 Disable Groovy Closures when bootstrapping Picocli dist/quarkus
#20125 Role mapping tab no longer visible when using fine grained permissions after upgrade from 20.0.3 to 21.0.2 admin/ui
#21074 Identity providers: pagination in admin console
#21343 Upgrade welcome theme to PatternFly 5 welcome/ui
#21559 Provide raw OpenAPI specification alongside Keycloak Admin REST API html documentation
#21578 Scope parameter in Oauth 2.0 token exchange
#21771 List reload button for admin panel admin/ui
#22436 Query users by 'LDAP_ID' is not working ldap
#22922 Use Infinispan BOM instead of direct Infinispan dependencies storage
#23057 Localization tabs admin/ui
#23431 Allow user to select between `Forwarded` or `X-Forwarded-*` header
#23470 Docs: authorization_services/topics/service-authorization-obtaining-permission.adoc authorization-services
#23854 Use upstream Quarkus functionality for non-blocking probes dist/quarkus
#23878 User profile configuration scoped to user-federation provider user-profile
#23896 Changes in declarative user profile should result in admin events user-profile
#24094 Map Store Removal: Delete map profiles from testsuite storage
#24097 Map Store Removal: Delete container providers that were added to the base testsuite storage
#24102 Map Store Removal: Delete Profile.Feature.MAP_STORAGE and all its usages storage
#24103 Map Store Removal: Delete GlobalLockProvider storage
#24105 Map Store Removal: Rename Legacy* classes storage
#24107 Map Store Removal: Revert deprecated modules in model/legacy and rename "legacy" to "storage" storage
#24148 Add config property to specify a list of truststores
#24202 Cache stampede after client invalidation storage
#24245 Parse default UserProfile configuration in the build time
#24250 Allow selecting attributes from user profile when managing token mappers user-profile
#24344 Enhance error logs and error events during UserInfo endpoint and Token Introspection failure
#24412 Accessibility of 2FA method selection login/ui
#24422 UMA 2 not evaluating as expected when using permission tickets authorization-services
#24424 Query on update the ADFS FederationMetadata.xml on the keycloak instead of delete and recreating the IDP config #24310 saml
#24567 Map Store Removal: Revert changes related to map store in test classes in base testsuite storage
#24668 Features versioning
#24793 Map Store Removal: Remove `LockObjectsForModification` storage
#24798 Add truststores to keycloak cr
#24860 Initialize Infinispan earlier in the build chain dist/quarkus
#24926 Add polish translations admin/ui
#24995 Avoid deprecated API usage in testsuite/integration-arquillian/tests/base core
#25058 Add Polish Translations to Account UI account/ui
#25074 Update Kerberos provider for user-profile user-profile
#25075 Update SSSD provider for user-profile user-profile
#25103 Remove product from server info admin/ui
#25113 Add a test for the LoadBalancerCheck
#25146 Decouple "factory" methods from the "provider" methods on UserProfileProvider implementation user-profile
#25149 Replace the existing themes with the dynamic templates from user profile user-profile
#25236 Documentation about Australia Consumer Data Right security profile
#25238 Add missing Arabic messages
#25287 Upgrade Infinispan to 14.0.21.Final
#25288 Map Store Removal: Remove protostream dependency storage
#25300 Deprecate offline session preloading infinispan
#25308 Map Store Removal: Revert changes made to backchannelLogout storage
#25309 Map Store Removal: Remove ResponseSessionTask storage
#25314 Supporting OAuth 2.1 for confidential clients oidc
#25315 Client policies : executor for enforcing DPoP oidc
#25316 Supporting OAuth 2.1 for public clients oidc
#25328 Tests for client scopes/evaluate tab are missing
#25375 Extra tests for realm roles
#25388 Enable concurrent remote operations for Infinispan storage
#25403 Implements attributes field in KeycloakProfile interface admin/client-js
#25404 Adapt incremental build for latest changes in themes module ci
#25415 Describe how to use Infinispan Batch CRs for automation with the external Infinispan storage
#25416 Update UserProfileProvider.setConfiguration to accept UPConfig instead of String
#25487 Add extra tests for realm-settings in admin-ui
#25637 Client policies: executor for validate and match a redirect URI oidc
#25638 Keycloak native implementation of SD-JWT core
#25666 [Admin UI] Allow to customize built-in components administration UI via ConfiguredProvider
#25691 More info on UserProfileContext user-profile
#25738 Tooltips improvements when configuring user profile attribute user-profile
#25770 X509 client certificate login label extends out of form login/ui
#25823 Ability to declare a default "First broker login flow" per Realm
#25872 Make the `user` attribute available to the `idp-review-user-profile.ftl` template
#25882 RealmResourceProvider is not working as expected since version 23.0.0 core
#25897 Admin UI: Show realm display name on welcome page admin/ui
#25908 Could not format default value for log formats dist/quarkus
#25915 Make more clear in the documentation that the wait time is only increased on multiples of the max number of failures docs
#25935 Create Infinispan metrics with labels instead of long metric names
#25962 Missing localization of cs+sk messages
#25979 User profile attribute names with strange characters docs
#25985 Enable verify-profile required action by default user-profile
#26068 Reduce internal unsupported options in the Keycloak HA documentation
#26083 Change RHDG references to Infinispan
#26092 Do not use raw parameterized PropertyMapper dist/quarkus
#26146 Migration docs for https://github.com/keycloak/keycloak/issues/15190 docs
#26172 Permanently lock users out after X temporary lockouts during a brute force attack authentication
#26198 Comprehensive log for the LoggingDistTest and Quarkus IT testsuite
#26220 Don't differentiate Windows for getting started docs
#26223 Use `--http-max-queued-requests` option in Keycloak HA documentation docs
#26241 Do not use general debug log level for tests testsuite
#26315 Fully remove reasteasy-core
#26320 Allow formating numbers when rendering attributes user-profile
#26325 Remove unused HttpResponse.setWriteCookiesOnTransactionComplete
#26402 Improve wording in Concepts for configuring thread pools section in documentation
#26416 Remove support for old cookie path
#26430 Implement stricter controls at token endpoint for PKCE verification
#26457 Remove support for multiple AUTH_SESSION_ID cookies
#26469 Documentation for verify-profile required action enabled by default docs
#26485 Add missing Arabic translations translations
#26489 Ability to have alternative default user-profile configuration user-profile
#26530 Map Store Removal: Remove `RealmModel` from authorization services interfaces storage
#26552 Do we need to hide "required" settings for email? user-profile
#26570 Upgrade liquibase to 4.25.1
#26585 Improve UX of read-only attributes user-profile
#26587 Documentation for SuppressRefreshTokenRotationExecutor oidc
#26589 Allow Case-Insensitive Search on Provider Info Page in Admin UI admin/ui
#26598 Map Store Removal: deprecate model legacy module storage
#26626 Brute force detection should issue event for temporary lockout core
#26634 Documentation for default validation changes due user-profile enabled docs
#26683 Remove explicitly set `lit-element` version dist/quarkus
#26689 Update Maven dependency versions for docs docs
#26701 Upgrade to Quarkus 3.7.1 dist/quarkus
#26730 Add Multi-AZ Aurora DB to CI store-integration-tests
#26776 Update documentation to use new Infinispan configuration options
#26781 Update HA guide about non-blocking probes docs
#26810 Shorter lifespan for offline session cache entries in memory storage
#26812 Upgrade to embedded Infinispan 14.0.24 storage
#26819 Use version specific tag for Keycloak images in the docs docs
#26859 Upgrade to Quarkus 3.8 dist/quarkus
#26898 User profile: Add regression test for select inputs
#26910 Keycloak Operator should add service-ca.crt to the truststore operator
#26916 Upgrade to Quarkus 3.7.2 dist/quarkus
#26919 doc: add a clear mention in the documentation about the storage of the refresh and access token docs
#26921 Use latest OLM version for Operator CI testsuite
#26929 Ignore unrecognized truststore formats if `--truststore-paths` is a directory dist/quarkus
#26967 Aurora Postgres IT: Upload flaky and surefire test reports
#27036 Upgrade to Quarkus 3.7.3 dist/quarkus
#27048 Add Amazon Aurora PostgreSQL to the list of tested databases
#27078 Update Keycloak HA Guide new resource limit settings
#27084 Remove the preview note from Keycloak's HA guide
#27093 "Open ID Connect" in docs / UIs should be "OpenID Connect"
#27105 Add New User Registration Option on WebAuthn Authentication UI authentication/webauthn
#27121 Remove references to Quarkus docs and absolute URLs from HA Guide docs
#27123 Use AWS JDBC Wrapper in CI tests
#27125 Add warning about too long attribute values
#27143 Distinguish user registration action label from the security key registration action's one authentication/webauthn
#27147 Replace "Security Key" with "Passkey" in WebAuthn UIs and their documents authentication/webauthn
#27148 Allow overriding the default validators added to attributes user-profile
#27169 Tweak the default memory request and limit in the Operator operator
#27190 a11y improvements on login page
#27226 Upgrade to Quarkus 3.7.4 dist/quarkus
#27238 Add option to clients to use lightweight access token oidc
#27280 Upgrade to Infinispan 14.0.25
#27281 Allow option of using client_id instead of id_token_hint with RP-initiated logout in brokered IDP config/call. identity-brokering
#27315 Change docker image to container image
#27324 Remove RHSSO product documentation from upgrading guide docs
#27326 Edit Keycloak 24.0 release notes docs
#27327 Harmonize behaviour of different CertificateUtilsProvider implementations
#27440 Edit Keycloak 23.x Release Notes
#27452 Edit Keycloak 24 Upgrade guide

Bugs

#9871 Remove Infinispan workarounds introduced to prevent deadlocks storage
#11178 Event for MISSING_REQUIRED_DESTINATION with idp brokering incorrectly says error is related to logout even for a login response saml
#13080 Encoded token stored as KC_RESTART cookie uses weak algorithm- HS256 authentication
#13368 Issue when using DenyAuthenticator in direct-grant flow authentication
#14448 Multiple failures in OfflineServletsAdapterTest (testServlet, testServletWithConsent, testServletWithRevoke) testsuite
#14581 HTTP Redirect 303 to wrong URL (in case port is not 80) when trailing slash is not added dist/quarkus
#14776 Mail verification isn't working for multiple accounts in one session (only on auto login by clicking the verification mail, not by logging in with the credentials) authentication
#16260 Incorrect handling of OptionParserException in kcadm admin/cli
#17155 UPDATED_PASSWORD user action shouldn't be triggered when login with linked IdP user-profile
#17449 Removing the Realm ID and saving causes the realm to be vanished from the list of the realms admin/api
#19183 token-exchange does apply clientScopes of the origin client token-exchange
#19294 Error on starting keycloak when foldername contains ")" using kc.bat. dist/quarkus
#19886 Allow configuration cookies with `SameSite=Strict` for better compliance with strict regulations and standards authentication
#20304 When choosing resources in scope-based permission, multiple resource can be selected but only one will be visable admin/ui
#20867 Control redirect after password reset core
#21127 During password reset, the baseURL is not shown on the info page after browser restart authentication
#21151 Realm import stack overflow import-export
#21409 Brute Force Detection is disabled when updating frontenUrl via admin client authentication
#21542 Context path missing in URL on OTP page to switch between QR code and manual code core
#21730 v 22.0.0 - when creating a new realm the registration flow does not have terms and conditions step core
#21951 Unable to use `<` as part of a password admin/cli
#22082 Flaky test: org.keycloak.testsuite.model.session.OfflineSessionPersistenceTest#testPersistenceClientSessionsMultipleNodes storage
#22401 Common resources in Welcome page didn't resolve correctly welcome/ui
#22431 Localization: Admin UI doesn't pick up message bundles from realms other than master admin/ui
#22507 User profile attributes not localized in account console V3 user-profile
#22540 Description of "Configuring sources for Keycloak" inconsistent / misleading docs
#22555 Docs: server_development/topics/identity-brokering.adoc docs
#22660 Implementing custom ClientAuthenticator loses access to Client Secret Input Field in the Admin UI admin/ui
#22691 Flaky test: org.keycloak.testsuite.forms.RecoveryAuthnCodesAuthenticatorTest#test03AuthenticateRecoveryAuthnCodes authentication
#22836 Invalid redirect uri when identity provider alias has spaces identity-brokering
#22904 Flaky test: org.keycloak.testsuite.model.session.OfflineSessionPersistenceTest#testPersistenceMultipleNodesClientSessionAtSameNode ci
#22958 KeycloakErrorHandler NullPointerException String.toLowe rCase() because message is null authentication
#23023 Undocumented change in priority of X-Forwarded-* headers as of Quarkus distribution core
#23056 Flaky test: org.keycloak.testsuite.admin.concurrency.ConcurrencyTest#testAllConcurrently storage
#23217 NoSuchFileException with ${kc.home.dir} on Windows dist/quarkus
#23229 Realm client update via PUT returns invalid registration_client_uri with duplicated client ID in address admin/api
#23268 New Install with MySQL failing with REALM_SOCIAL_CONFIG ADD issue storage
#23399 Audience is lost after refreshing a RPT authorization-services
#23683 Default-Value in UI for krbPrincipalAttribute is error prone admin/ui
#23699 Account v3 theme - Localization not working on account console account/ui
#23786 Failure: FipsDistTest ci
#23966 Group members are displayed incorrectly when using LDAP in READ_ONLY mode admin/api
#24082 Selected locale is not taking into accoun in `keycloak.v3 account` theme account/ui
#24141 LDAP user mapper for username: user appears twice in the GUI ldap
#24144 Unable to locate entity descriptor: org.keycloak.examples.domainextension.jpa.Company core
#24200 NPE in User Session Note mapper on Token Exchange token-exchange
#24219 admin-fine-grained-authz + client authorization settings requires view-client role admin/ui
#24323 Refresh request ignores scope parameter from refresh request oidc
#24353 Keycloak operator tries to manipulate Secret which is not managed by Keycloak operator
#24361 Adding scopes via registration_client_uri does not work when using Dynamic Client Registration admin/api
#24369 UpdateUserLocaleAction does not trigger EventType.UPDATE_PROFILE event user-profile
#24459 Keycloak fails to start when uninstalling custom provider dist/quarkus
#24464 Tabbing is not working in forms inside dropdown admin/ui
#24485 NullPointerException when key is not available in the database oidc
#24506 Reopening 2 - CVE-2023-21971 - Update Connector/J to 8.0.33 dependencies
#24508 Deadlock when pre-loading remote sessions from external Infinispan storage
#24595 Leaving Single Sign Out page open for too long and then confirming logout leads to error page authentication
#24626 Upgrade testsuite to use SpringBoot 2.7 ci
#24651 Deleting a User or User Group might cause that all users suddenly get the permissions of the deleted user. authorization-services
#24652 SAML decryption fails if keycloak.saml.deprecated.encryption flag is set saml
#24718 Mapper Option "Add to access token" Toggled Off Despite Claim Added to Token admin/ui
#24767 Improve LDAP Condition implementations ldap
#24783 Keycloak Admin UI - Help text not localized in Realm Events Setting UI admin/ui
#24923 Importing Keycloak breaks typescript in esModule adapter/javascript
#24960 OpenAPI spec doesn't match the admin API admin/api
#24961 Keycloak not able to handle multiple validating X509 certificates when public key are the same saml
#24980 The `DefaultActionToken` serializes a JSON Object with duplicate keys oidc
#24986 `getMultiPartFormParameters()` always returns `EmptyMultivaluedMap` after upgrade to Resteasy Reactive core
#25001 Client redirect_uri check must be compared using exact string matching oidc
#25016 Make password visibility css classes configurable for themes login/ui
#25033 Typo in the balloon help of SAML Username Template Importer core
#25041 Incomplete Spanish translations for Admin UI translations
#25051 Unexpected Application Error when clicking "Cancel" on user creation page admin/ui
#25054 Read Only Access of the realm users' "Role mapping" tab is broken for Admin Console admin/ui
#25060 fix debug log string core
#25078 Log Injection during WebAuthn authentication/registration authentication
#25096 Meaning of briefRepresentation query parameter is inverted in GroupResource.getSubGroups admin/api
#25110 User Profile attribute with "Options" shows options of another attribute if none set on it user-profile
#25111 RealmAdminResource.getGroupByPathGroup does not work with space in path parameter admin/api
#25173 Make sure username is lowercase when normalizing attributes user-profile
#25183 NullPointerException thrown for UPConfig.getGroups() user-profile
#25208 GH Actions -> Keycloak CI -> MSSQL docker images fails during startup ci
#25231 CIBA and PAR are broken since 23.0.0 (NPE) when using http protocol oidc
#25235 Unable to start after updating Docker container dist/quarkus
#25290 Social Login Tests unable to retrieve Federated Access Token from user session testsuite
#25294 Kerberos principal attribute not found on LDAP user - even if kerberos authentication is off ldap
#25322 Warning "Event object wasn't available in remote cache" when using remote store
#25392 Admin Console: Realm Dropdown should only show the realms the user has access to admin/ui
#25417 Avoid keycloak-admin-client in UI to call admin console UI extension admin/ui
#25423 Confusing error message by pr-backport.sh when not authenticated to gh ci
#25433 Key provider UI issue while saving - RSA admin/ui
#25449 Clean up translations for DE/EN/NL for a first test-run of Weblate translations
#25451 Admin cli failing when adding roles to a 3rd group in a list admin/cli
#25463 Unnecessary user profile metdata sent on user update user-profile
#25475 User Profile: If required roles ("user") and reqired scopes are set, the required scopes have no effect user-profile
#25502 Account v3 theme - theme.properties Custom theme scripts not loading account/ui
#25515 Deleting an atribute from the UI is reseting the unmanaged attribute policy user-profile
#25544 Post Logout Redirect URIs "+" behavior is inconsistent with other usages (i.e. Web Origins) oidc
#25565 OpenAPI: POST for /admin/realms response is 201 admin/api
#25566 Failure in SSSDUserProfileTest.test05MixedInternalDBUserProfile testsuite
#25584 iss not returned as query param in redirect to app when using "prompt=none" and user is not authenticated oidc
#25601 OpenAPI: POST /admin/realms/{realm}/clients response is 201 admin/api
#25604 OpenAPI: Client authz endpoints without responses admin/api
#25628 Translations missing in user details role mapping admin/ui
#25633 Parsing of labels issue IDs doesn't work with colons and the "fixes" keyword ci
#25636 "Disable realm?" displayed when disabling client admin/ui
#25642 Failure in KeycloakDistConfiguratorTest's 'missingHostname' check testsuite
#25649 OpenAPI: In ClientRepresentation the property oauth2DeviceAuthorizationGrantEnabled was not known by the API. admin/api
#25656 OpenAPI: POST /admin/realms/{realm}/clients-initial-access response is 201 admin/api
#25660 Incorrect version of the fix in release notes
#25677 Removing all group attributes no longer works with keycloak-admin-client (java) admin/client-java
#25679 `/admin/realms/{realm-name}/ui-ext/realms` endpoint leaks realms the user doesn't have access to see admin/ui
#25699 Flaky test Job URL missing on some runs ci
#25704 Custom Validator is never executed when UserProfileContext is UPDATE_EMAIL user-profile
#25714 Flaky test: org.keycloak.testsuite.adapter.servlet.OfflineServletsAdapterTest#testServlet ci
#25731 /admin/realms/{realm}/groups Endpoint is slow admin/api
#25746 Using kcadm.sh create components result to 400 Bad Request admin/cli
#25752 [CI] Store Model Tests failures - UserSessionProviderOfflineModelTest, OfflineSessionPersistenceTest, UserSessionInitializerTest storage
#25753 Backchannel logout token is missing the "exp" claim oidc
#25783 Since 23, start-dev command line arguments parsing is buggy dist/quarkus
#25789 User events: labels overlap content admin/ui
#25827 admin ui uses hyphen instead of dot as realm attribute separator admin/ui
#25853 Timeouts after upgrade of download action v4 ci
#25878 HTML emails in Catalan don't contain links translations
#25883 ldap-group-mapper fails when empty member: attribute is present ldap
#25891 Optimize handling of terms and conditions during registration core
#25892 Test suite depends on artifacts built only when distribution profile is active ci
#25909 Keycloak HA Guide uses token for cross-site setup that expires
#25912 LDAP federation reports "Creating new LDAP Store..." on every login ldap
#25927 UI crash after using breadcrumb group navigation during an active group search admin/ui
#25934 On invalid submission, IdpUsernamePasswordForm sends back the user to the standard UsernamePasswordForm template authentication
#25939 Declartive user profile. When multiple attributes with options validator are defined and 1 is selected on UI shown that 2 of them have values. user-profile
#25951 Masthead tests fail often admin/ui
#25961 Native SQL Schema names broken on MySQL storage
#25977 No error message displayed when trying to add read-only attribute to some user in `Attributes` tab user-profile
#25980 Force reauthentication is ignored during identity brokering when mapping between OIDC and SAML protocols saml
#25981 GitHub Status check is green if the build fails ci
#26021 `mvn clean` does not work in js directory account/ui
#26032 Duplicate tooltip/label for refresh button on device activity page account/ui
#26036 subgroups clickopen not working admin/ui
#26040 Subgroups-check is incorrect, and therefore subgroups are not clickable admin/ui
#26051 Name ID Format field is confusing for User Attribute Mapper For NameID saml
#26052 Configure OTP Form regenerates Secret on reload authentication
#26059 Attempting to update settings for realm with "dots" in the name fails due to client side validation admin/ui
#26060 Various Localization tab issues
#26075 Next time you start message references the wrong command dist/quarkus
#26088 Rest custom JAX-RS resource in kc 23: Method not allowed core
#26131 Localization: Realm overrides subtab admin/ui
#26132 Localization: Effective message bundles subtab admin/ui
#26148 Keycloak JavaScript CI: client_scopes_test.spec.ts ci
#26156 A11y critical violation in ProviderId form field admin/ui
#26168 KC_DB_DRIVER is not propagated properly admin/cli
#26177 Invalidate authentication session on repeated OTP failures authentication
#26180 Invalidate authentication session on repeated Recovery Code failures authentication
#26228 With fine grained permissions enabled, the grouptree rights check is not working correctly admin/ui
#26231 keycloak-admin-client missing recent changes to group query parameters admin/client-js
#26236 Ensure community-maintained translations are not part of product build account/ui
#26266 Importing Realm with declarative user profile attributes fails user-profile
#26281 Incorrect example in the Keycloak operator configuration operator
#26291 Workflow failure: FIPS IT - KcSamlEncryptedIdTest#testEncryptedElementIsReadableInDeprecatedMode ci
#26295 Incomplete Chinese Translation for Login Page translations
#26308 Error when migrating from a realm where the user profile component does not hold any entry in the configuration user-profile
#26323 Reset credentials action fails when triggered from first broker login flow identity-brokering
#26330 HTTP status code 413 Request Entity Too Large for large SAMLResponse since Keycloak 23 saml
#26334 Resource and permission titles missing for a new client admin/ui
#26335 Bind flow modal broken admin/ui
#26337 Write tests to cover binding a flow testsuite
#26350 Fix more A11y violations admin/ui
#26358 Apparently incorrect tooltip on "type" field for a "resource" in a client admin/ui
#26363 Search dialog for authorization policy is wrong? admin/ui
#26374 Workflow failure: Quarkus IT - FipsDistTest#testUnsupportedHttpsPkcs12KeyStoreInStrictMode ci
#26375 The role Unassign button enabled in admin console even if no roles are selected admin/ui
#26383 Labels for WebAuthN missing in Account Console account/ui
#26390 More A11y Violations Detected admin/ui
#26400 Workflow failure: Admin UI E2E - realm_test.spec.ts ci
#26407 Typo in disable dialog admin/ui
#26409 Duplicate `key` for credentials on sign in page account/ui
#26418 Failed to link identity broker to user with a verified email by IdP email verification flow identity-brokering
#26420 Labels for WebAuthN Passwordless missing in Account Console account/ui
#26427 Operator CSV uses wrong format for `createdAt` field operator
#26452 Row remains selected when "cancel" clicked on deleting translation in the Localization/Realm Overrides tab admin/ui
#26464 "Test connection" on LDAPS URI does not test TLS handshake admin/api
#26468 SPI-truststore-file-type option appears to be invalid docs
#26490 Update Keycloak sizing guide after change of default hashing configuration core
#26507 Failed to link the user with an existing read-token role from the federation provider when AddReadTokenRoleOnCreate was enabled for the IdP. storage
#26529 Workflow failure: Quarkus IT - FipsDistTest#testUnsupportedHttpsPkcs12KeyStoreInStrictMode ci
#26549 Mysterious settings changes due to Keycloak cluster changes admin/ui
#26564 Issues related to IDNHomographValidator user-profile
#26584 User details locale select broken in realm specific admin console admin/ui
#26588 Infinite loop during X509 authentication authentication
#26597 Keycloak UI meets "Internal Sever Error" after save "Refresh Token Max Reuse" number core
#26604 Arc container is null dist/quarkus
#26609 allow sending realm in request without changing the kc admin object admin/client-js
#26612 Wrong delete messages in Realm overrides admin/ui
#26618 CLIENT_ATTRIBUTES index idx_client_att_by_name_value no longer exists since KC 20 (postgres) storage
#26631 Keycloak HA guide with blank and callout docs
#26635 Account UI ships too much Beer in user attributes user-profile
#26636 Immediately reflect flow binding status on flow definition page in Admin UI when binding an auth flow admin/ui
#26643 Replace "message bundle" text to "translation" in realm overrides admin/ui
#26649 PhantomJS does not send secure cookies over http://localhost core
#26651 [keycloak.js] useNonce parameter is all-or-nothing adapter/javascript
#26653 Disallow removing required filters when searching for effective message bundle. admin/ui
#26665 Unable to modify access token lifespan at realm level. Keycloak stops working. core
#26668 Wrong help for "Create initial access token" expiration field admin/ui
#26686 Not possible to build documentation after quarkus upgrade docs
#26697 When creating a user federation mapper changing the type doesn't change User Roles Retrieve Strategy admin/ui
#26716 User Profile Applies Validation To Service Account Users user-profile
#26727 Auto layout of authenticator flow graph only applies the second time admin/ui
#26747 Tooltip for attribute name in user-profile configuration is incorrect user-profile
#26750 Empty error message when validation issue due the PersonNameProhibitedValidator validation user-profile
#26782 Accessing userinfo fails with CORS when token is expired or session is deleted oidc
#26790 Workflow failure: Operator IT on OpenShift ci
#26792 User profile 'uri' validator not working user-profile
#26816 Keycloak server admin docs needs change with the new hashing iteration changes docs
#26818 bug in operator example yaml operator
#26826 Freemarker erroneously escapes/sanitizes URL in template.ftl (&) login/ui
#26830 Duplicate "Refresh" buttons present in admin-ui admin/ui
#26834 Disabling "Reset OTP" in "Reset credentials" flow throws error on "forgot password" authentication
#26853 Fixing anchors in security apps guide in prod profile docs
#26856 Remove custom user attributes section in server developer guide user-profile
#26937 Once all default client scopes are deleted from the realm we can't create a new custom role. core
#26941 When loading entries from a remote store at startup, no lifespan or expiry is set core
#26951 Roles admin REST API for creating roles: Composite roles are expanded admin/api
#26983 Group not found in list after creation core
#27002 Refresh doesn't work in Localization/Effective message bundles admin/ui
#27005 Unable to approve/deny permission requests account/ui
#27031 Having read-only attributes stored at a user leads to validation warning on every login user-profile
#27095 Cache Keys for Group pagination and other entries cannot be invalidated and updated infinispan
#27120 Microsoft social login failure testsuite
#27133 Workflow failure: Keycloak CI - Store IT (aurora-postgres) ci
#27137 Users with fine-grained permissions can not create a user admin/ui
#27140 Locale selector is unnecessarily visible without rights to locales admin/ui
#27162 Default locale is set to null when not explicitly choosing a locale admin/ui
#27173 Newly created authentication subflow is always disabled admin/ui
#27234 Cannot update email in account console with `update-email` feature enabled account/ui
#27243 Account console not working when lightweight-access-tokens used oidc
#27271 AuthorityKeyIdentifierExtension should be calculated from caCert (if it present) in generateV3Certificate, not from subjPubKeyInfo core
#27284 FolderTheme does not support Locales with extensions core
#27290 AWS JDBC driver throws ConcurrentModificationException storage
#27297 Check for duplicated usernames and emails when Login with email option is enabled user-profile
#27316 Server admin guide not building downstream due to missing IDs docs
#27337 Workflow failure: Admin UI E2E - realm_settings_user_profile_enabled admin/ui
#27344 Secure Redirect URI executor issues oidc
#27345 Workflow failure: Keycloak CI - OAuth 2.0 Grant Type SPI ci
#27406 JavaDocs generation broken after removal of resteasy-core
#27409 Apply remote store workaround also for configuration via CLI options
#27412 OAuth 2.1 default profile lacks oauth-2-1-compliant setting for SecureRedirectUrisEnforcerExecutor oidc

`v23.0.7`

Compare Source

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Enhancements

#26810 Shorter lifespan for offline session cache entries in memory storage

Bugs

#22431 Localization: Admin UI doesn't pick up message bundles from realms other than master admin/ui
#23786 Failure: FipsDistTest ci
#25294 Kerberos principal attribute not found on LDAP user - even if kerberos authentication is off ldap
#25731 /admin/realms/{realm}/groups Endpoint is slow admin/api
#25883 ldap-group-mapper fails when empty member: attribute is present ldap
#25912 LDAP federation reports "Creating new LDAP Store..." on every login ldap
#25961 Native SQL Schema names broken on MySQL storage
#26374 Workflow failure: Quarkus IT - FipsDistTest#testUnsupportedHttpsPkcs12KeyStoreInStrictMode ci
#26529 Workflow failure: Quarkus IT - FipsDistTest#testUnsupportedHttpsPkcs12KeyStoreInStrictMode ci
#26826 Freemarker erroneously escapes/sanitizes URL in template.ftl (&) login/ui
#27120 Microsoft social login failure testsuite

`v23.0.6`

Compare Source

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Bugs

#26427 Operator CSV uses wrong format for `createdAt` field operator
#26597 Keycloak UI meets "Internal Sever Error" after save "Refresh Token Max Reuse" number core
#26665 Unable to modify access token lifespan at realm level. Keycloak stops working. core

`v23.0.5`

Compare Source

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

`v23.0.4`

Compare Source

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

`v23.0.3`

Compare Source

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

`v23.0.2`

Compare Source

Highlights

Non-blocking health check for load balancers

A new health check endpoint available at /lb-check was added. The execution is running in the event loop which means this check is responsive also in overloaded situations when Keycloak needs to handle many requests waiting in request queue. This behavior is useful, for example, in multi-site deployment where we do not want to fail over to the other site under heavy load. The endpoint is currently checking availability of the embedded and external Infinispan caches. Other checks may be added later.

This endpoint is not available by default. To enable it, run Keycloak with feature multi-site. Proceed to Enabling and disabling features guide for more details.

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Enhancements

#25113 Add a test for the LoadBalancerCheck
#25287 Upgrade Infinispan to 14.0.21.Final

Bugs

#24652 SAML decryption fails if keycloak.saml.deprecated.encryption flag is set saml
#24986 `getMultiPartFormParameters()` always returns `EmptyMultivaluedMap` after upgrade to Resteasy Reactive core
#25001 Client redirect_uri check must be compared using exact string matching oidc
#25010 Bug: KC_DB_USERNAME environment variable is causing a crash in latest version dist/quarkus
#25051 Unexpected Application Error when clicking "Cancel" on user creation page admin/ui
#25108 Documentation Inconsistency about Open Banking(Finance) Brasil FAPI security profile docs
#25124 If a client does not have a URL the applications page in the account console links to about:blank account/ui
#25173 Make sure username is lowercase when normalizing attributes user-profile
#25183 NullPointerException thrown for UPConfig.getGroups() user-profile
#25307 Keycloak instance `HasErrors` true after update: `More than 1 secondary resource related to primary` operator

`v23.0.1`

Compare Source

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Bugs

#23841 Users page with LDAP User Storage Provider Cannot read properties of undefined admin/ui
#23872 Attempt to request storage access in Firefox oidc
#24261 „Unlink users“-Option greyed out in ldap federation admin/ui
#24958 Error handling in admin console when update of user fails due the 400 HTTP error code admin/ui
#24961 Keycloak not able to handle multiple validating X509 certificates when public key are the same saml
#24984 Operator is missing CRDs metadata in CSV operator
#25008 Group search when creating user admin/ui
#25022 NPE in checkAndBindMtlsHoKToken on Token Refresh when using SuppressRefreshTokenRotationExecutor and Certificate Bound Token oidc

`v23.0.0`

Compare Source

Highlights

OpenID Connect / OAuth 2.0

FAPI 2 drafts support

Keycloak has new client profiles fapi-2-security-profile and fapi-2-message-signing, which ensure Keycloak enforces compliance with the latest FAPI 2 draft specifications when communicating with your clients. Thanks to Takashi Norimatsu for the contribution.

DPoP preview support

Keycloak has preview for support for OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP). Thanks to Takashi Norimatsu and Dmitry Telegin for their contributions.

More flexibility for introspection endpoint

In previous versions, introspection endpoint automatically returned most claims, which were available in the access token. Now there is new switch Add to token introspection on most of protocol mappers. This addition allows more flexibility as introspection endpoint can return different claims than access token. This is first step towards "Lightweight access tokens" support as access tokens can omit lots of the claims, which would be still returned by the introspection endpoint. When migrating from previous versions, the introspection endpoint should return same claims, which are returned from access token, so the behavior should be effectively the same by default after the migration. Thanks to Shigeyuki Kabano for the contribution.

Feature flag for OAuth 2.0 device authorization grant flow

The OAuth 2.0 device authorization grant flow now includes a feature flag, so you can easily disable this feature. This feature is still enabled by default. Thanks to Thomas Darimont for the contribution.

Authentication

Passkeys support

Keycloak has preview support for Passkeys.

Passkey registration and authentication are realized by the features of WebAuthn. Therefore, users of Keycloak can do passkey registration and authentication by existing WebAuthn registration and authentication.

Both synced passkeys and device-bound passkeys can be used for both Same-Device and Cross-Device Authentication. However, passkeys operations success depends on the user8217;s environment. Make sure which operations can succeed in the environment. Thanks to Takashi Norimatsu for the contribution and thanks to Thomas Darimont for the help with the ideas and testing of this feature.

WebAuthn improvements

WebAuthn policy now includes a new field: Extra Origins. It provides better interoperability with non-Web platforms (for example, native mobile applications). Thanks to Charley Wu for the contribution.

You are already logged-in

There was an infamous issue that when user had login page opened in multiple browser tabs and authenticated in one of them, the attempt to authenticate in subsequent browser tabs opened the page You are already logged-in. This is improved now as other browser tabs just automatically authenticate as well after authentication of first browser tab. There are still corner cases when the behaviour is not 100% correct, like the scenario with expired authentication session, which is then restarted just in one browser tab and hence other browser tabs won8217;t follow automatically with the login. So we still plan improvements in this area.

Password policy for specify Maximum authentication time

Keycloak supports new password policy, which allows to specify the maximum age of an authentication with which a password may be changed by user without re-authentication. When this password policy is set to 0, the user will be required to re-authenticate to change the password in the Account Console or by other means. You can also specify a lower or higher value than the default value of 5 minutes. Thanks to Thomas Darimont for the contribution.

Deployments

Preview support for multi-site active-passive deployments

Deploying Keycloak to multiple independent sites is essential for some environments to provide high availability and a speedy recovery from failures. This release adds preview-support for active-passive deployments for Keycloak.

A lot of work has gone into testing and verifying a setup which can sustain load and recover from the failure scenarios. To get started, use the high-availability guide which also includes a comprehensive blueprint to deploy a highly available Keycloak to a cloud environment.

Adapters

OpenID Connect WildFly and JBoss EAP

OpenID Connect adapter for WildFly and JBoss EAP, which was deprecated in previous versions, has been removed in this release. It is being replaced by the Elytron OIDC adapter,which is included in WildFly, and provides a seamless migration from Keycloak adapters.

SAML WildFly and JBoss EAP

The SAML adapter for WildFly and JBoss EAP is no longer distributed as a ZIP download, but rather a Galleon feature pack, making it easier and more seamless to install.

See the Securing Applications and Services Guide for the details.

Server distribution

Load Shedding support

Keycloak now features http-max-queued-requests option to allow proper rejecting of incoming requests under high load. For details refer to the production guide.

RESTEasy Reactive

Keycloak has switched to RESTEasy Reactive. Applications using quarkus-resteasy-reactive should still benefit from a better startup time, runtime performance, and memory footprint, even though not using reactive style/semantics. SPI8217;s that depend directly on JAX-RS API should be compatible with this change. SPI8217;s that depend on RESTEasy Classic including ResteasyClientBuilder will not be compatible and will require update, this will also be true for other implementation of the JAX-RS API like Jersey.

User profile

Declarative user profile is still a preview feature in this release, but we are working hard on promoting it to a supported feature. Feedback is welcome. If you find any issues or have any improvements in mind, you are welcome to create Github issue, ideally with the label area/user-profile. It is also recommended to check the Upgrading Guide with the migration changes for this release for some additional informations related to the migration.

Group scalability

Performance around searching of groups is improved for the use-cases with many groups and subgroups. There are improvements, which allow paginated lookup of subgroups. Thanks to Alice for the contribution.

Themes

Localization files for themes default to UTF-8 encoding

Message properties files for themes are now read in UTF-8 encoding, with an automatic fallback to ISO-8859-1 encoding.

See the migration guide for more details.

Storage

Removal of the Map Store

The Map Store has been an experimental feature in previous releases. Starting with this release, it is removed and users should continue to use the current JPA store. See the migration guide for details.

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

New features

#23155 [WebAuthn] origin validation not support for non-Web platforms core

Enhancements

#431 Remove Wildfly/EAP OIDC and SAML adapter downloads web
#505 Quickstarts - Wildfly upgrade and README cleanup quickstarts
#510 SAML quickstart - provisioning of SAML adapter via Galleon quickstarts
#9318 User profile configuration API is incorrectly typed docs
#10128 Improve failed test behaviour operator
#10620 Internationalized Domain Names in email address user-profile
#10713 Update the server to use RESTEasy Reactive
#10803 Persist session in JDBC store without using external infinispan cluster storage
#11668 Declarative User Profile: weird behaviour in Account Management Console user-profile
#12406 Remove "You are already logged-in" during authentication authentication
#14009 CreatedTimestamp on REST import not used
#14165 Cannot refresh RPT tokens authorization-services
#14400 Add proxy options to Keycloak CR operator
#15018 Enhancements around proxy and hostname configuration
#15072 Allow setting a help text to an attribute user-profile
#15109 Refactor patch-sources.sh used by the Operator operator
#17258 Data too long for column 'DETAILS_JSON' storage
#20343 message bundles are not included in the realm export import-export
#20584 FAPI 2.0 security profile - supporting RFC 9207 OAuth 2.0 Authorization Server Issuer Identification
#20695 Add support for single-tenant in Microsoft Identity Provider
#20794 Can we simplify TokenManager.getRefreshExpiration() and TokenManager.getOfflineExpiration()? oidc
#20884 [Admin Console v2] Policy creation at Permissions screen missing admin/ui
#21073 Identity providers: pagination in admin REST API
#21154 Allow existing mappers for Custom Identity Providers identity-brokering
#21181 Add FAPI 2.0 security profile as default profile of client policies
#21182 Enhancing Pluggable Features of Token Manager
#21183 More flexibility for Introspection endpoint oidc
#21200 DPoP support 1st phase
#21444 Set `client_id` when using `private_key_jwt` with OIDC IdP identity-brokering
#21945 Release notes for FAPI 2
#22034 Keycloak, javascript lib to not use the escape() function adapter/javascript
#22215 DPoP verification in UserInfo endpoint oidc
#22318 Allow overriding Account Console resources for full control and backwards compatibility
#22372 Expand Group providers to allow for paginated lookup of subgroups storage
#22725 Do not initialize barrier build items for deployment dist/quarkus
#22868 Clarification on the tooltip of option "Validate Password Policy" of LDAP provider admin/ui
#23194 Add regex support in 'Condition - User attribute' execution authentication
#23340 Implement load shedding for RESTEasy reactive
#23527 Better usability when disabling user profile and loosing the previous cofiguration user-profile
#23891 Add feature flag for OAuth 2.0 device authorization grant flow oidc
#24024 User profile tweaks in registration forms user-profile
#24072 Lots of parameters related to identity brokering uses `providerId` when they expect `providerAlias` identity-brokering
#24273 Add a property to the User Profile Email Validator for max length of the local part user-profile
#24278 Transient users: documentation core
#24387 Move some UserProfile and Validation classes into keycloak-server-spi user-profile
#24494 Transient users: Consents core
#24535 Moving UPConfig and related classes from keycloak-services user-profile
#24844 Add High Availability Guide to Keycloak's main repository
#24912 Add Galleon layer metadata to the SAML Galleon feature-pack adapter/jee-saml

Bugs

#468 Cant build it quickstarts
#503 Automate Keycloak version replacement quickstarts
#508 set-version script does not update package(-lock).json files in js and nodejs quickstarts quickstarts
#515 [Keycloak Quickstarts CI failure] loginToAdminConsole method fails in ArquillianSysoutEventListenerProviderTest.testEventListenerOutput due to Unable to locate element: {"method":"css selector","selector":"#username"} exception quickstarts
#8939 PAR fails to authenticate for public client oidc
#9004 Access Token claims not imported using OpenID Connect v1.0 Identity Provider Attribute Importer Mappers oidc
#10710 Rollup.js complains about the use of eval in one of keycloak.js's dependencies adapter/javascript
#11699 Under heavy load, DefaultBruteForceProtector blocks the whole system authentication
#12062 Declarative User Profile export user-profile
#12171 Inconsistent authorization behavior when exporting data from a realm authorization-services
#14134 [keycloak 18] cannot import users with correct ID in partial import admin/api
#16379 Inconsistent handling of parenthesis in auth flow name admin/api
#16526 Token introspection response does not follow RFC6479 "scope" parameter format oidc
#19093 The create new user page requires the admin user to be given the "Manage-Realm" role in order to see the user profile attributes in the create new user page admin/api
#19125 kcadm do not update defaultGroups docs
#19154 Non working API docs link docs
#19555 When update-email feature is enabled, changing emails two times in a row causes unintuitive behaviour authentication
#20135 Searching for multiple types in the Events section gives an error admin/client-js
#20218 Role mappers must return a single value when they are not multivalued oidc
#20316 Email pattern is not compliant account/api
#20453 Admin UI incredibly slow with 300 realms admin/api
#20537 [Declarative User Profile] OIDCAttributeMapperHelper throws NumberFormatException for optional user attributes user-profile
#20763 Flaky test: org.keycloak.testsuite.admin.authentication.FlowTest#testAddRemoveFlow ci
#20830 Token-exchange is not working for OpenID Connect v1.0 provider in KC 21.1.1 token-exchange
#20852 [Declarative User Profile] Attributes are created as required by default but switch is set to "not required" user-profile
#20885 Key length is limited to 4000 characters storage
#21010 Cannot display 'Authentication Flows' screen when a realm contains more than ~4000 clients storage
#21123 NPE in getDefaultRequiredActionCaseInsensitively admin/api
#21236 Keycloak Event clientId is null when ever a logout event is fired. core
#21555 Listing realms due to realm drop-down admin/ui
#21660 Wrong convert timestamp to date account/ui
#21779 Flaky test: org.keycloak.testsuite.script.DeployedScriptAuthenticatorTest#loginShouldWorkWithScriptAuthenticator authentication
#21780 Flaky test: org.keycloak.testsuite.script.DeployedScriptAuthenticatorTest#loginShouldFailWithScriptAuthenticator authentication
#21797 DN with RDN that contains trailing backslash is imported incorrectly into Keycloak ldap
#21805 Missing labels account console account/ui
#21818 DN with RDN that contains trailing space is imported incorrectly into Keycloak ldap
#21830 Operator doesn't pass on system property 'jgroups.dns.query' to Keycloak but an env variable, leading to a warning in the log operator
#22143 WatchedSecretsTest.testSecretChangesArePropagated error in OCP ci
#22177 Missing client_id validation match when authenticating client with JWT
#22191 Verification of iss at refresh token request oidc
#22332 Selecting resource on resource based permission gives error admin/ui
#22337 kc.sh errors if using characters like semicolon inside the arguments docs
#22375 Possible NullPointerException core
#22395 Email sending fails when SPI truststore is configured and hostnameVerification set to 'ANY' core
#22432 inputOptionLabels is not used by Admin UI admin/ui
#22583 Fine grained permissions not rendering account/ui
#22638 SAML AdvancedAttributeToRoleMapper does not allow predicate evaluation on same Array Attribute saml
#22814 user search with "q" parameter ignores keys of length 1 and returns all users admin/api
#22818 inputOptionLabels is not used by Account UI v3 account/ui
#22890 Keycloak 22.0.1: NPE in Edit Identity Provider Mapper on second Save admin/api
#22937 ProviderConfigProperty.MULTIVALUED_LIST_TYPE not working in FormAction admin/ui
#22988 Cache stampede after realm cache invalidation infinispan
#23044 Docs: server_admin/topics/sessions/transient.adoc authentication
#23128 Regex defect in federation script federation-sssd-setup.sh dist/quarkus
#23173 crypto/elytron package has several bugs core
#23180 TypeError in user profile admin-ui admin/ui
#23253 CLI args not recognized when running Quarkus dev mode dist/quarkus
#23255 Several help text messages missing in saml identity provider admin/ui
#23404 Cannot assign client roles to a user when a realm contains more than ~4000 clients storage
#23444 After the recent switch to resteasy-reactive we are unable to use resteasy-classic or jersey jax-rs clients. dependencies
#23582 Join group screen does not show child groups without filters admin/ui
#23616 invalid tag in .ftl file user-profile
#23692 Genetated access token exception then $ sign in client name core
#23733 OpenAPI spec doesn't match the admin API admin/api
#23753 Insufficient guard against path traversal GzipResourceEncodingProvider core
#23789 Can not create attribute group before setting/removing an annotation user-profile
#23795 Spelling errors in TokenManager.java oidc
#23970 Keycloak does not export/import userprofile data when exporting the realm user-profile
#24032 Group attributes are not saved if there are two attributes with the same key admin/ui
#24035 Admin UI: Group details page is not updated by group list dropdown actions admin/ui
#24067 Duplicate attribute groups show in list in UserProfile in admin ui admin/ui
#24077 Internal server error when no firstName and lastName added on the user with User Profile Disabled and Verify Profile Enabled user-profile
#24096 Document or avoid breaking change in UserSessionModel core
#24160 HTTP/2 - Last parameter of POST form data contains 0x00 byte in some configurations. core
#24183 Username now shown when creating a user and edit username is not allowed user-profile
#24187 Admin UI group view shows attributes of previously viewed group admin/ui
#24293 b.map is not a function error when LDAP server is offline core
#24420 User profile behaves different in keycloak 22.0.5 user-profile
#24453 Email-verified checkbox not visible anymore when user profile is enabled admin/ui
#24455 NPE when logging in with TransientUser storage
#24458 Unfriendly error message when user-storage provider not available admin/ui
#24487 show/hide password in clear text button visible for hiden field in "forgot password" flow login/ui
#24547 DPoP advertised on OIDC Well Known Endpoint even though DPoP feature is not enabled (preview feature) oidc
#24551 the `./kc.sh tools completion` command cannot be recognized correctly admin/cli
#24672 Basic auth is not RFC 2617 compliant authentication
#24697 User cannot update profile when some invalid attribute invisible to him is present on his profile user-profile
#24766 non-functioning session persistence when using JDBC over Infinispan infinispan
#24792 Invalid redirect_uri if it contains uppercase letters authentication
#24970 `jwt-decode` is being bundled into Keycloak JS admin/client-js

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this MR and you won't be reminded about this update again.

If you want to rebase/retry this MR, check this box

This MR has been generated by Renovate Bot.

Edited Apr 19, 2024 by Renovate Bot

Update dependency keycloak/keycloak to v24

Release Notes

Upgrading

All resolved issues

Enhancements

Bugs

Upgrading

All resolved issues

Enhancements

Bugs

Highlights

Operator deploys nightly build instead of 24.0.0

Upgrading

Highlights

Supported user profile and progressive profiling

Breaking changes to the User Profile SPI

Changes to Freemarker templates to render pages based on the user profile and realm

New Freemarker template for the update profile page at first login through a broker

Java adapter deprecation and removal

Jetty adapter removed

New Welcome Page

New Account Console now the default

Keycloak JS

Using exports field in package.json

PKCE enabled by default

Changes to Password Hashing

OAuth/OIDC related improvements

Lightweight access tokens support

OAuth 2.1 support

Scope parameter supported in the refresh token flow

Client policy executor for secure redirect URIs

Client policy executor for enforcing DPoP

Supporting EdDSA

EC Keys supported by JavaKeystore provider

Option to add X509 thumbprint to JWT when using private_key_jwt authentication for identity providers

OAuth Grant Type SPI

CORS improvements

Truststore improvements

Versioned Features

Keycloak CR Truststores

Trust Kubernetes CA

Automatic certificate management for SAML identity providers

Non-blocking health check for load balancers

Keycloak CR Optimized Field

Enhanced reverse proxy settings

Changes to the user representation in both Admin API and Account contexts

Sequential loading of offline sessions and remote sessions

Performing actions on behalf of another already authenticated user is not longer possible

Changes to the email verification flow

Deprecated offline session preloading

Configuration option for offline session lifespan override in memory

Infinispan metrics use labels for cache manager and cache names

User attribute value length extension

Brute Force Protection changes

Authorization Policy

Keycloak CR cache-config-file option

Keycloak CR resources options

Temporary lockout log replaced with event

Updates to cookies

SAML User Attribute Mapper For NameID now suggests only valid NameID formats

Different JVM memory settings when running in container

GELF log handler has been deprecated

Support for multi-site active-passive deployments

Upgrading

All resolved issues

New features

Enhancements

Bugs

Upgrading

All resolved issues

Enhancements

Bugs

Upgrading

All resolved issues

Bugs

Upgrading

Upgrading

Upgrading

Highlights

Non-blocking health check for load balancers

Using `exports` field in `package.json`