Skip to content

Update dependency keycloak/keycloak to v25

Renovate Bot requested to merge renovate/keycloak-keycloak-25.x into main

This MR contains the following updates:

Package Update Change
keycloak/keycloak major 21.0.1 -> 25.0.1

Release Notes

keycloak/keycloak (keycloak/keycloak)

v25.0.1

Compare Source

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Enhancements

  • #​19750 Use a proper FreeMarker template for the new consoles account/ui
  • #​30346 Enhance masking around config-keystore dist/quarkus

Bugs

  • #​25234 front channel logout to clients are not called at Identity Proxy when using front channel logout to Identity Provider( oidc
  • #​28643 Encountering `NullPointerException` - `KeycloakIdentity.getUserFromToken()` when running `admin-ui` locally admin/ui
  • #​30115 Admin v2 theme - theme.properties Custom theme scripts not loading admin/ui
  • #​30201 Keycloak CI - failure in Store IT (aurora-postgres) ci
  • #​30240 Custom attributes are removed during UPDATE PROFILE event core
  • #​30300 Upgrade to Keycloak 25 - Table 'USER_CONSENT' is specified twice on MySQL/MariaDB database core
  • #​30302 Methods of SimpleHttp are after change now too much protected core
  • #​30306 Upgrade to Keycloak 25 - Events bug in UI admin/ui
  • #​30332 Operator fails to patch ingress after update to 25.0.0 operator
  • #​30334 RESTART_AUTHENTICATION_ERROR when login in in private browser window after 25.0.0 update core
  • #​30351 Migration of sessions in KC25 should run only on migration, not on imports
  • #​30368 Documentation : label error for persistent-user-sessions feature flag docs
  • #​30417 Keycloak 25 db guide shows unevaluated "ifeval docs
  • #​30432 keycloak hostname:v2 /admin used on "hostname" instead of "hostname-admin" admin/ui
  • #​30434 Improvements for ldap test authentication ldap
  • #​30492 partial_import_test fails randomly admin/ui

v25.0.0

Compare Source

Highlights

Account Console v2 theme removed

The Account Console v2 theme has been removed from Keycloak. This theme was deprecated in Keycloak 24 and replaced by the Account Console v3 theme. If you are still using this theme, you should migrate to the Account Console v3 theme.

Java 21 support

Keycloak now supports OpenJDK 21, as we want to stick to the latest LTS OpenJDK versions.

Java 17 support is deprecated

OpenJDK 17 support is deprecated in Keycloak, and will be removed in a following release in favor of OpenJDK 21.

Most of Java adapters removed

As stated in the release notes of previous Keycloak version, the most of Java adapters are now removed from the Keycloak codebase and downloads pages.

For OAuth 2.0/OIDC, this includes removal of the Tomcat adapter, WildFly/EAP adapter, Servlet Filter adapter, KeycloakInstalled desktop adapter, the jaxrs-oauth-client adapter, JAAS login modules, Spring adapter and SpringBoot adapters. You can check our older post for the list of some alternatives.

For SAML, this includes removal of the Tomcat adapter and Servlet filter adapter. SAML adapters are still supported with WildFly and JBoss EAP.

The generic Authorization Client library is still supported, and we still plan to support it. It aims to be used in combination with any other OAuth 2.0 or OpenID Connect libraries. You can check the quickstarts for some examples where this authorization client library is used together with the 3rd party Java adapters like Elytron OIDC or SpringBoot. You can check the quickstarts also for the example of SAML adapter used with WildFly.

Upgrade to PatternFly 5

In Keycloak 24, the Welcome page is updated to use PatternFly 5, the latest version of the design system that underpins the user interface of Keycloak. In this release, the Admin Console and Account Console are also updated to use PatternFly 5. If you want to extend and customize the Admin Console and Account Console, review the changes in PatternFly 5 and update your customizations accordingly.

Argon2 password hashing

Argon2 is now the default password hashing algorithm used by Keycloak in a non-FIPS environment.

Argon2 was the winner of the 2015 password hashing competition and is the recommended hashing algorithm by OWASP.

In Keycloak 24 the default hashing iterations for PBKDF2 were increased from 27.5K to 210K, resulting in a more than 10 times increase in the amount of CPU time required to generate a password hash. With Argon2 it is possible to achieve better security, with almost the same CPU time as previous releases of Keycloak. One downside is Argon2 requires more memory, which is a requirement to be resistant against GPU attacks. The defaults for Argon2 in Keycloak requires 7MB per-hashing request. To prevent excessive memory and CPU usage, the parallel computation of hashes by Argon2 is by default limited to the number of cores available to the JVM. To support the memory intensive nature of Argon2, we have updated the default GC from ParallelGC to G1GC for a better heap utilization.

New Hostname options

In response to the complexity and lack of intuitiveness experienced with previous hostname configuration settings, we are proud to introduce Hostname v2 options.

We have listened to your feedback, tackled the tricky issues, and created a smoother experience for managing hostname configuration. Be aware that even the behavior behind these options has changed and requires your attention - if you are dealing with custom hostname settings.

Hostname v2 options are supported by default, as the old hostname options are deprecated and will be removed in the following releases. You should migrate to them as soon as possible.

New options are activated by default, so Keycloak will not recognize the old ones.

For information on how to migrate, see the Upgrading Guide.

Persistent user sessions

Previous versions of Keycloak stored only offline user and offline client sessions in the databases. The new feature persistent-user-session stores online user sessions and online client sessions not only in memory, but also in the database. This will allow a user to stay logged in even if all instances of Keycloak are restarted or upgraded.

The feature is a preview feature and disabled by default. To use it, add the following to your build command:

bin/kc.sh build --features=persistent-user-session ...

For more details see the Enabling and disabling features guide. The sizing guide contains a new paragraph describing the updated resource requirements when this feature is enabled.

For information on how to upgrade, see the Upgrading Guide.

Cookies updates

SameSite attribute set for all cookies

The following cookies did not use to set the SameSite attribute, which in recent browser versions results in them defaulting to SameSite=Lax:

  • KC_STATE_CHECKER now sets SameSite=Strict

  • KC_RESTART now sets SameSite=None

  • KEYCLOAK_LOCALE now sets SameSite=None

  • KEYCLOAK_REMEMBER_ME now sets SameSite=None

The default value SameSite=Lax causes issues with POST based bindings, mostly applicable to SAML, but also used in some OpenID Connect / OAuth 2.0 flows.

Removing KC_AUTH_STATE cookie

The cookie KC_AUTH_STATE is removed and it is no longer set by the Keycloak server as this server no longer needs this cookie.

Deprecated cookie methods removed

The following APIs for setting custom cookies have been removed:

  • ServerCookie - replaced by NewCookie.Builder

  • LocaleSelectorProvider.KEYCLOAK_LOCALE - replaced by CookieType.LOCALE

  • HttpCookie - replaced by NewCookie.Builder

  • HttpResponse.setCookieIfAbsent(HttpCookie cookie) - replaced by HttpResponse.setCookieIfAbsent(NewCookie cookie)

Addressed 'You are already logged in' for expired authentication sessions

The Keycloak 23 release provided improvements for when a user is authenticated in parallel in multiple browser tabs. However, this improvement did not address the case when an authentication session expired. Now for the case when user is already logged-in in one browser tab and an authentication session expired in other browser tabs, Keycloak is able to redirect back to the client application with an OIDC/SAML error, so the client application can immediately retry authentication, which should usually automatically log in the application because of the SSO session. For more details, see Server Administration Guide authentication sessions.

Lightweight access token to be even more lightweight

In previous releases, the support for lightweight access token was added. In this release, we managed to remove even more built-in claims from the lightweight access token. The claims are added by protocol mappers. Some of them affect even the regular access tokens or ID tokens as they were not strictly required by the OIDC specification.

  • Claims sub and auth_time are added by protocol mappers now, which are configured by default on the new client scope basic, which is added automatically to all the clients. The claims are still added to the ID token and access token as before, but not to lightweight access token.

  • Claim nonce is added only to the ID token now. It is not added to a regular access token or lightweight access token. For backwards compatibility, you can add this claim to an access token by protocol mapper, which needs to be explicitly configured.

  • Claim session_state is not added to any token now. It is still possible to add it by protocol mapper if needed. There is still the other dedicated claim sid supported by the specification, which was available in previous versions as well and which has exactly the same value.

For more details, see the Upgrading Guide..

Support for application/jwt media-type in token introspection endpoint

You can use the HTTP Header Accept: application/jwt when invoking a token introspection endpoint. When enabled for a particular client, it returns a claim jwt from the token introspection endpoint with the full JWT access token, which can be useful especially for the use-cases when the client calling introspection endpoint used lightweight access token. Thanks to Thomas Darimont for the contribution.

Password policy for check if password contains Username

Keycloak supports a new password policy that allows you to deny user passwords which contains the user username.

Required actions improvements

In the Admin Console, you can now configure some required actions in the Required actions tab of a particular realm. Currently, the Update password is the only built-in configurable required action. It supports setting Maximum Age of Authentication, which is the maximum time users can update their password by the kc_action parameter (used for instance when updating password in the Account Console) without re-authentication. The sorting of required actions is also improved. When there are multiple required actions during authentication, all actions are sorted together regardless of whether those are actions set during authentication (for instance by the kc_action parameter) or actions added to the user account manually by an administrator. Thanks to Thomas Darimont and Daniel Fesenmeyer for the contributions.

Passkeys improvements

The support for Passkeys conditional UI was added. When the Passkeys preview feature is enabled, there is a dedicated authenticator available, which means you can select from a list of available passkeys accounts and authenticate a user based on that. Thanks to Takashi Norimatsu for the contribution.

Default client profile for SAML

The default client profile to have secured SAML clients was added. When browsing through client policies of a realm in the Admin Console, you see a new client profile saml-security-profile. When it is used, there are security best practices applied for SAML clients such as signatures are enforced, SAML Redirect binding is disabled, and wildcard redirect URLs are prohibited.

Authenticator for override existing IDP link during first-broker-login

There was new authenticator Confirm override existing link added. This authenticator allows to override linked IDP username for the Keycloak user, which was already linked to different IDP identity before. More details in the Server Administration Guide. Thanks to Lex Cao for the contribution.

OpenID for Verifiable Credential Issuance - experimental support

There is work in progress on the support of OpenID for Verifiable Credential Issuance (OID4VCI). Right now, this is still work in progress, but things are being gradually added. Keycloak can act as an OID4VC Issuer with support of Pre-Authorized code flow. There is support for verifiable credentials in the JWT-VC, SD-JWT-VC and VCDM formats. Thanks to the members of the OAuth SIG groups for the contributions and feedback and especially thanks to Stefan Wiedemann, Francis Pouatcha, Takashi Norimatsu and Yutaka Obuchi.

Searching by user attribute no longer case insensitive

When searching for users by user attribute, Keycloak no longer searches for user attribute names forcing lower case comparisons. The goal of this change was to speed up searches by using Keycloak​8217;s native index on the user attribute table. If your database collation is case-insensitive, your search results will stay the same. If your database collation is case-sensitive, you might see less search results than before.

Breaking fix in authorization client library

For users of the keycloak-authz-client library, calling AuthorizationResource.getPermissions(​8230;​8203;) now correctly returns a List<Permission>.

Previously, it would return a List<Map> at runtime, even though the method declaration advertised List<Permission>.

This fix will break code that relied on casting the List or its contents to List<Map>. If you have used this method in any capacity, you are likely to have done this and be affected.

IDs are no longer set when exporting authorization settings for a client

When exporting the authorization settings for a client, the IDs for resources, scopes, and policies are no longer set. As a result, you can now import the settings from a client to another client.

Management port for metrics and health endpoints

Metrics and health checks endpoints are no longer accessible through the standard Keycloak server port. As these endpoints should be hidden from the outside world, they can be accessed on a separate default management port 9000.

It allows to not expose it to the users as standard Keycloak endpoints in Kubernetes environments. The new management interface provides a new set of options and is fully configurable.

Keycloak Operator assumes the management interface is turned on by default. For more details, see Configuring the Management Interface.

Syslog for remote logging

Keycloak now supports Syslog protocol for remote logging. It utilizes the protocol defined in RFC 5424. By default, the syslog handler is disabled, but when enabled, it sends all log events to a remote syslog server.

For more information, see the Configuring logging guide.

Change to class EnvironmentDependentProviderFactory

The method EnvironmentDependentProviderFactory.isSupported() was deprecated for several releases and has now been removed.

For more details, see the Upgrading Guide.

All cache options are runtime

It is now possible to specify the cache, cache-stack, and cache-config-file options during runtime. This eliminates the need to execute the build phase and rebuild your image due to them.

For more details, see the Upgrading Guide.

High availability guide enhanced

The high availability guide now contains a guide on how to configure an AWS Lambda to prevent an intended automatic failback from the Backup site to the Primary site.

Removing deprecated methods from AccessToken, IDToken, and JsonWebToken classes

In this release, we are finally removing deprecated methods from the following classes:

  • AccessToken

  • IDToken

  • JsonWebToken

For more details, see the Upgrading Guide.

Method getExp added to SingleUseObjectKeyModel

As a consequence of the removal of deprecated methods from AccessToken, IDToken, and JsonWebToken, the SingleUseObjectKeyModel also changed to keep consistency with the method names related to expiration values.

For more details, see the Upgrading Guide.

Support for PostgreSQL 16

The supported and tested databases now include PostgreSQL 16.

Introducing support for Customer Identity and Access Management (CIAM) and Multi-tenancy

In this release, we are delivering Keycloak Organizations as a technology preview feature.

This feature provides a realm with some core CIAM capabilities, which will serve as the baseline for more capabilities in the future to address Business-to-Business (B2B) and Business-to-Business-to-Customers (B2B2C) use cases.

In terms of functionality, the feature is completed. However, we still have work to do to make it fully supported in the next major release. This remaining work is mainly about preparing the feature for production deployments with a focus on scalability. Also, depending on the feedback we get until the next major release, we might eventually accept additional capabilities and add more value to the feature, without compromising its roadmap.

For more details, see Server Administration Guide.

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

New features

  • #​25940 Support Credentials Issuance through the OID4VCI Protocol oid4vc
  • #​25942 Issue Verifiable Credentials in the SD-JWT-VC format oid4vc
  • #​25943 Issue Verifiable Credentials in the VCDM format oid4vc
  • #​25945 Extend Account Console to support Credentials Issuance Self-Service account/ui
  • #​26201 Introduce a new Authenticator to handle duplicate IdP broker links authentication
  • #​27673 Hardcoded SAML metadata URL in admin-v2 admin/ui
  • #​27728 Reflect new hostname v2 options in Keycloak CR operator
  • #​27729 Add documentation for Hostname v2 docs
  • #​27730 Release notes and Migration guide for Hostname v2 docs
  • #​28030 Create Argon2 password hashing provider
  • #​28400 Make RequiredActions configurable
  • #​28608 Allow onboarding organization members through a registration invitation link
  • #​28750 CLI options to disable encryption and authentication to external Infinispan dist/quarkus
  • #​28938 Need inline translation assistance for user profile attribute groups.
  • #​29491 Remove Oracle JDBC driver out of the box docs
  • #​29539 Add CRUD for organizations to admin client
  • #​29627 Expose Authorization Server Metadata Endpoint under /.well-known/oauth-authorization-server to comply with rfc8414 oid4vc
  • #​29634 Expose JWT VC Issuer Metadata /.well-known/jwt-vc-issuer to comply with SD-JWT VC Specification oid4vc

Enhancements

  • #​11757 Declarative User Profile: local-date validation and html5-date clash user-profile
  • #​13113 Conditionally enable and disable CLI options dist/quarkus
  • #​16295 JsonSerialization does not load all available modules from the classpath
  • #​17530 Add Portuguese translations
  • #​19334 Support management port for health and metrics in Quarkus 3 dist/quarkus
  • #​20736 uma-ticket returns 403 even though user has access, when User Realm Role isn't present in access Token authorization-services
  • #​20792 Make it clear that `Client Offline Token Max` should not be set when `Offline Session Max Limited` is disabled for realm admin/ui
  • #​20916 DefaultHttpClientFactory should handle the encoding of the response core
  • #​21185 Protocol mapper and client scope for sub claim
  • #​21344 Upgrade account theme to PatternFly 5 account/ui
  • #​21345 Upgrade admin theme to PatternFly 5 admin/ui
  • #​21439 Allow options to support any value in addition to a list of pre-defined values. dist/quarkus
  • #​21562 Make sure admin events are not referencing sensitive data from their representation admin/api
  • #​21961 Allow to provider password to kcadm (keycloak-admin-cli) via environment variable admin/cli
  • #​22436 Query users by 'LDAP_ID' is not working ldap
  • #​22711 Enable theme caches by default in start-dev dist/quarkus
  • #​24192 Refine how ConfigSource names are being used dist/quarkus
  • #​24264 Passkeys: Supporting WebAuthn Conditional UI authentication/webauthn
  • #​24466 Look if checks in IntrospectionEndpoint can be simplified oidc
  • #​25057 Inconsistent behaviour on getting user permissions using authorization authorization-services
  • #​25114 User Profile "Input placeholder" and other annotations - Use Localization keys user-profile
  • #​26162 Optimize query batching and result fetching by tuning Hibernate parameters
  • #​26443 Show an error message when file does not exist for the `config-file` parameter dist/quarkus
  • #​26504 Localization Proposal 2 admin/ui
  • #​26654 Initial client policies integration for SAML saml
  • #​26657 Map Storage Removal: Remove deprecated model/legacy module storage
  • #​26695 Keycloak and MSAD: enabling account in MSAD does not propagate to Keycloak ldap
  • #​26713 Refactoring JavaScript code of WebAuthn's authenticators to follow the current Keycloak's JavaScript coding convention authentication/webauthn
  • #​27264 Trivy Analysis warnings should be fixed
  • #​27433 Clarify format of keys in `additionalOptions` field in the Keycloak CR docs
  • #​27442 Use browser router for Account Console account/ui
  • #​27481 Edit High Availability guide
  • #​27484 Edit 23.0 changes part of Upgrading Guide
  • #​27494 Use JDK17 functionality in the KC Operator operator
  • #​27508 Use new remote-store options in HA guides
  • #​27509 Upgrade to Aurora Postgres 15.5
  • #​27515 `ClusterProvider` should no longer be deprecated now that "legacy" is the default
  • #​27527 CS and SK localized messages need an update
  • #​27544 Expose quarkus syslog logging now GELF is being deprecated from Keycloak dist/quarkus
  • #​27545 Simplify handling of profile features in test cases
  • #​27549 Make general `cache` options runtime dist/quarkus
  • #​27574 Support for script providers when running in embedded mode testsuite
  • #​27602 Remove offline session preloading
  • #​27614 Remove additional handlers for health and metrics endpoints dist/quarkus
  • #​27632 Integrate downstream Upgrading Guide changes into upstream
  • #​27696 Upgrade to Quarkus 3.8.2 dist/quarkus
  • #​27724 Enable Infinispan metrics by default
  • #​27787 Missing API documentation for /admin/realms/{realm}/groups/{group-id}
  • #​27871 Upgrade to Infinispan 14.0.26 core
  • #​27924 Enable http metrics once Quarkus 3.8.3 is available
  • #​27953 Address feedback to Keycloak Server guide docs
  • #​27976 Persist online sessions to the database
  • #​27997 Make the Language Selector sorted and searchable
  • #​28009 Address edits to the Operator Guide
  • #​28033 Upgrade Infinispan to 14.0.27.Final
  • #​28035 update for messages_de.properties required translations
  • #​28084 Upgrade to Quarkus 3.8.3 dist/quarkus
  • #​28120 Default password hashing algorithm should be set to default password hash provider
  • #​28142 Update HA Guide now that non-XA mode is the default
  • #​28145 Align help output for Quarkus distribution across Windows and Linux dist/quarkus
  • #​28161 Use Argon2 password hashing by default
  • #​28178 Provide histograms for http server metrics
  • #​28256 Prevent duplicate form submission in Create realm dialog in admin ui admin/ui
  • #​28318 Use the same new code for persistent sessions for offline sessions core
  • #​28336 Provide a dedicated way of updating Quarkus classloading indices
  • #​28388 Handle concurrent writes to sessions more gracefullly
  • #​28429 Add details to error messages, especially around refresh tokens
  • #​28436 When LDAP groups synchronization fails, show root cause in admin UI admin/api
  • #​28448 Avoid deprecated `jboss-modules` method usage
  • #​28453 More conventional looking conditional element in authentication diagram admin/ui
  • #​28460 Polishing docs for lightweight tokens oidc
  • #​28477 The concurrency of hashing leads to increased memory usage and CPU throttling
  • #​28501 Batch updates to the database to avoid using too many IOPS
  • #​28517 Java 21 support
  • #​28567 Change user_id value for REFRESH_TOKEN and REFRESH_TOKEN_ERROR events oidc
  • #​28616 Add ui-tab context information into the onCreate
  • #​28650 Improve german translations for admin ui
  • #​28654 Refine the warning produced when a non-cli build-time property is used at runtime dist/quarkus
  • #​28672 For client-credential-grants, there shouldn't be an interaction with the authentication cache
  • #​28729 Emphasize the need for setting container limit docs
  • #​28814 Add missing german translations for user federation in admin UI
  • #​28848 Automatically fill username when authenticating to through a broker
  • #​28861 Improve the performance of the PermissionTicketStore.findGrantedResources method authorization-services
  • #​28862 Improve persistent sessions DB throughput for logins/logouts by batching
  • #​28879 Indicate whether a user is transient or not in user sessions list
  • #​28880 Upgrade to Quarkus 3.8.4 dist/quarkus
  • #​28906 ID fields in SessionWrapper should be immutable
  • #​28926 Store extended error message in events for client credential grants
  • #​28935 Ensure GroupResource.getSubGroups doesn't rely on no-arg version of GroupModel.getSubGroupsStream to avoid prematurely loading all subgroups storage
  • #​28939 OIDC: Backchannel logout token should use "typ":"logout+jwt" oidc
  • #​28974 Replace tooltip for adding a translation to an attribute with a text underneath `Display name`
  • #​29023 Support adding existing users to an organization
  • #​29068 Infinispan 15.0.3.Final
  • #​29073 Use cache.compute() method to improve the replace retry loop
  • #​29118 Conditionally run Quarkus IT in GHA based on code changes testsuite
  • #​29124 Use Java locale translations instead of manually edited translations translations
  • #​29166 Improve details for user error events in OIDC protocol endpoints oidc
  • #​29183 Minor corrections to High Availability Guide docs
  • #​29203 Revisit SessionsResource#realmSessions as it current loads all sessions into memory
  • #​29223 Complete transistion away from Resteasy core
  • #​29280 Update Create Realm in Keycloak 24 Getting Started
  • #​29319 Don't sort persistent sessions when retrieving a list
  • #​29348 Set default role mapping filter in the role mapping modal
  • #​29375 Allow migration of non-persistent sessions to persistent sessions
  • #​29392 Avoid conflicts when writing make store keys
  • #​29431 Make sure organization groups can not be managed but when managing an organization
  • #​29460 Email validation for managed members should only fail if it does not match the domain set to a broker
  • #​29489 Describe how to enable and disable persistent sessions for an installation docs
  • #​29561 Revisit rolling configuration upgrades for persistent-sessions feature
  • #​29639 Enhance documentation for REST API for X.509 Direct Grant Flow usage authentication
  • #​29724 VC issuance in Authz Code flow without considering “scope” parameter
  • #​29743 Infinispan 15.0.4.Final
  • #​29750 Require external Infinispan be of version 15 or greater
  • #​29778 Upgrade Selenium and Arquillian dependencies in testsuite testsuite
  • #​29780 Unify approach for WebAuthn tests testsuite
  • #​29787 Document Failover Lambda for Active/Passive deployments
  • #​29794 Show a message when confirming an invitation link
  • #​29813 Snyk report to identify branches impacted by a CVE ci
  • #​29818 Avoid explicit flush when handling persistent sessions
  • #​29880 Improve documentation for the case when 'basic' client scope already exists storage
  • #​29883 Upgrade old Keycloak version for DB migration tests testsuite
  • #​29919 Avoid IntelliJ to automatically create start imports
  • #​30017 Improve Client Type Integration Tests oidc
  • #​30026 Conditionally execute WebAuthn tests when Account console UI is changed testsuite
  • #​30052 Add periodic synchronisation for Weblate contents
  • #​30104 Release notes for support application/jwt response in token introspection endpoint docs
  • #​30160 Upgrade to Quarkus 3.8.5 dist/quarkus
  • #​30241 Adding ability to get realm attributes in themes

Bugs

  • #​8887 Information not displayed when a logged in user reset his password authentication
  • #​9695 Add `id_token_signed_response_alg` when realm default algorithm is not `RS256` oidc
  • #​12298 Security bug: Timing Oracle @​ Authorization Grant Request , CWE 208 authentication
  • #​12326 AccessTokens generated from RefreshTokens without scope oidc
  • #​12585 False implementation of SAML element EncryptionMethod saml
  • #​12671 Slow user query by attribute storage
  • #​13045 Duplicated user consents storage
  • #​14084 DefaultBruteForceProtector leverages a single thread to write success/failed events authentication
  • #​14122 Refresh token rotation with multiple tabs oidc
  • #​14188 "1403 Killed" after starting a fresh build docs
  • #​14501 Getting failed to initialize js message if consent is rejected by user account/ui
  • #​15403 No email send on TOTP/Authenticator app removal core
  • #​16064 RS256 signed token validation fails oidc
  • #​16345 Unable to delete realm names with invalid URL characters admin/api
  • #​16520 AuthzClient getPermissions() deserializes to List and not List authorization-services
  • #​16873 Required actions execution order (session and user required actions) authentication
  • #​16948 search users by custom attributes admin/client-js
  • #​17154 User locale in server info has language and country switched around admin/api
  • #​17483 MultiVersionClusterTest not working for Quarkus based distribution storage
  • #​17678 Stop using nested components admin/ui
  • #​19671 Refresh token have a negative exp claim because TokenManager is vulnerable to integer overflow for long lasting sessions (YEAR 2038 bug) oidc
  • #​19853 CRL Verification failing due to client certificate not being in a chain authentication
  • #​20411 Entering a single space in a regex password policy makes admin interface unusable. core
  • #​20490 SAML IDP initiated SSO getting cookie_not_found error saml
  • #​20637 Reset password flow fails with "Page has expired" error when Kerberos authentication is enabled in the browser flow authentication
  • #​20747 Keycloak admin cli creating/updating authention executions not respecting the priority value specified admin/api
  • #​21422 Flaky test: org.keycloak.testsuite.forms.ResetPasswordTest#resetPasswordLink ci
  • #​22617 kc export fails when using User Federation (LDAP) with file-based Vault enabled import-export
  • #​22644 Flaky test: org.keycloak.testsuite.forms.BrowserFlowTest#testAlternativeNonInteractiveExecutorInSubflow core
  • #​23252 Invalid redirect after logging in using Twitter (X) testsuite
  • #​23528 NullPointerException in SAML IdP Logout request with SessionIndex and without NameID identity-brokering
  • #​23701 Attribute search does not work with federated users with ldap. admin/ui
  • #​23832 New admin console doesn't support automatic logout account/ui
  • #​23833 Account console v2 doesn't support automatic logout account/ui
  • #​23900 Duplicate path in groups claim oidc
  • #​23980 Keycloak Operator fails to install realm authentication flow because "flow is null" import-export
  • #​24201 Cannot disable LDAP-backed user if importEnabled=false ldap
  • #​24414 Container labels inherited from UBI image dist/quarkus
  • #​24462 Remove non-unique `id` attributes from `webauthn-authenticate.ftl` login/ui
  • #​24568 iframe for frontend logout gets blocked if a custom CSP header is used core
  • #​24571 Parallel builds stopped working admin/ui
  • #​24795 Not proper remove for nested sub-flows from DB core
  • #​24878 NoClassDefFoundError for Apache XML and EAP8 adapter/jee-saml
  • #​24936 Negative token expiration when changing client session max lifetime oidc
  • #​25038 ServerRequestFilter / ServerResponseFilter not being picked up extensions
  • #​25219 Restrict the access to 'whoami' endpoint for tokens issued for the admin console client admin/api
  • #​25490 Partial export/import is not mentioned in Keycloak's Server Administration Guide docs
  • #​25514 Errors in Outgoing HTTP requests documentation docs
  • #​25687 A java.lang.NullPointerException occurs when sending a Multipart/form-data request to any file upload interface. admin/api
  • #​25778 Incorrect JSON format returned in case of existing user (with user federation) admin/api
  • #​25807 Space in realm name breaks initial console uris admin/api
  • #​25815 Loosing refresh token with Google Identity Provider identity-brokering
  • #​25975 Failing to import client's authorisation settings through UI authorization-services
  • #​25993 PostgreSQL deadlock causes 400 client error instead of 500 server error storage
  • #​26019 Identity provider sync mode: incorrect selection in case of null admin/ui
  • #​26100 Device verification flow does not require consent under certain circumstances oidc
  • #​26108 Realm improper input sanitization core
  • #​26109 Improper Input Validation and Sanitization Leads to persistent partial Denial of Service admin/api
  • #​26113 Revoked Token may be valid for a short time after expiring oidc
  • #​26364 Duplicate emails is On when Email as username and Login with email are On admin/ui
  • #​26396 How do you update a custom user storage provider jar that includes a version number? dist/quarkus
  • #​26438 Keycloak cannot run on windows machine in dev-mode. Because non-English systems cannot support keycloak's package's. dist/quarkus
  • #​26439 Incorrect position of nonce in OCSP request authentication
  • #​26464 "Test connection" on LDAPS URI does not test TLS handshake admin/api
  • #​26515 Wrong rendering duplicated options in guides docs
  • #​26658 `LogoutEvent` is not fired on required UpdatePassword action core
  • #​26667 Can't access hidden tabs on the left in admin UI admin/ui
  • #​26868 Login via brokerage to identity provider fails with clients having UUID with uppercase letter identity-brokering
  • #​26893 Access tokens includes nonce claim oidc
  • #​26915 Deleting sub-realm roles throw errors (even tho it succeeded) authorization-services
  • #​26981 Workflow failure Quarkus IT - StartCommandDistTest#testWarningWhenOverridingBuildOptionsDuringStart ci
  • #​27021 Workflow failure: Fuse adapter tests ci
  • #​27080 Workflow failure: Operator CI - KeycloakTruststoresTests#testTrustroreExists ci
  • #​27180 Grant type "urn:ietf:params:oauth:grant-type:uma-ticket" openid-connect/token service endpoint is returning refresh token with invalid Expiration authorization-services
  • #​27184 Editing built-in client policy profiles are silently reverted oidc
  • #​27201 Missing `exp` claim from Offline tokens when `Offline Session Max Limited` is disabled core
  • #​27228 Lowercased "terms_and_conditions" is not migrated in fed_user_required_action table core
  • #​27245 Account console does not correctly treat link / unlink account account/ui
  • #​27269 mvnw clean install -Pdistribution on Windows deletes necessary files during clean of org.keycloak:keycloak-admin-ui admin/ui
  • #​27275 Invalidating offline token is not working from client sessions tab authentication
  • #​27308 Warnings in log during normal startup dist/quarkus
  • #​27349 Google Authenticator now supports SHA256 and SHA512 authentication
  • #​27366 Social login - test failures with unexpected status code testsuite
  • #​27391 Log warning when not using scope `openid` oidc
  • #​27416 Missing feature ID for tech preview feature in docs docs
  • #​27444 type of clients.findRole() in @​keycloak/keycloak-admin-client is wrong admin/client-js
  • #​27483 Authz-client AuthorizationResource.getPermissions() ClassCastException authorization-services
  • #​27499 LdapSyncTest failures running with external Active Directory testsuite
  • #​27504 Cpu and memory sizing typo docs
  • #​27506 Readable realm name no longer visible in logs, but realm id is used instead core
  • #​27512 Getting subgroups does pagination before filtering core
  • #​27514 Uncaught server error: java.lang.IllegalArgumentException: Path parameter not provided oidc
  • #​27529 LegacyUserCredentialManager class not found storage
  • #​27538 User tab "Identity Provider Links" is not available when only "view-users" or "manage-users" realm-management role is assigned as in the v1 Keycloak theme account/ui
  • #​27540 URL change for liquibase docs docs
  • #​27548 Custom Browser Flow not working anymore admin/ui
  • #​27558 Client registration policy "Allowed Protocol Mapper Types" prevents clients from self-updating via the client registration api admin/api
  • #​27565 Admin Console tests are failing due to changes in supported authenticators testsuite
  • #​27573 Release notes from 24.0.0 miss that multi-site active-passive deployments are supported docs
  • #​27597 dropping KC_PROXY=edge causes startup error core
  • #​27604 Account console dev environment broken account/ui
  • #​27609 Mixed use of javax and jakarta in org.keycloak.admin.client adapter/jee
  • #​27611 Cannot modify realm email settings since keycloak 24 user-profile
  • #​27620 Incomplete documentation when an email about changed credentials is sent docs
  • #​27622 In the account console, the link "Back to security-admin-console" disappears after the first navigation account/ui
  • #​27628 Only allow a known refferer URI for the Account Console account/ui
  • #​27643 Password policy for not having username in the password authentication
  • #​27646 Account Console REST API for /linked-accounts Returns Multiple Access-Control-Allow-Origin Headers account/api
  • #​27653 Admin tests: Flaky realm_settings_user_profile_enabled test admin/ui
  • #​27683 Quarkus-next build failure: Could not find artifact io.quarkus:quarkus-extension-maven-plugin ci
  • #​27691 Unable to set a newly created flow in First Login Flow override for a SAML identity provider admin/ui
  • #​27701 MTLS Cache options should be runtime options, not build time options dist/quarkus
  • #​27709 Account console does not work with `--http-relative-path` account/ui
  • #​27719 Wrong Welcome page image in the documentation docs
  • #​27745 Registration template in login2 is broken login/ui
  • #​27756 SMTP email sending fails because of tls certificate verification even with tls-hostname-verifier=ANY core
  • #​27761 Snyk workflow failure ci
  • #​27779 Broken Migration "MigrateTo24_0_0" core
  • #​27780 Fixing downstream documentation build docs
  • #​27797 User profile fields cannot be set empty once they have a non-empty value (in Login Theme) user-profile
  • #​27798 Performance problem with Amazon JDBC wrapper version 2.3.4
  • #​27820 Account console confusing with WebAuthn account/ui
  • #​27824 Can't register webauthn passwordless key when RS1 signature algorithm is configured in policies authentication/webauthn
  • #​27837 Translation values not loaded for User Profile attributes admin/ui
  • #​27838 User Profile translations - value put in wrong field after search user-profile
  • #​27839 Incorrect Length Validation for Attribute admin/cli
  • #​27840 Race condition loading serverinfo in admin console admin/ui
  • #​27841 ES translation causes FreeMarker rendering issues translations
  • #​27846 Authenticator Example module compilation failure authentication
  • #​27852 VerifyUserProfile invalidates user cache on every login core
  • #​27854 Required action selection is broken admin/ui
  • #​27868 Documentation is referring to deprecated/unmaintained examples docs
  • #​27875 SAMLIdentityProvider not honoring SamlAuthenticationPreprocessor saml
  • #​27877 Get Groups in admin/cli returns all groups and not the groups that meets the condition specified in -q option admin/cli
  • #​27878 Error when executing refresh grant, with scope param, without offline_access scope specified oidc
  • #​27882 Incorrect version of bctls-fips in the docs docs
  • #​27890 Webauthn token stops working on migration to 24 authentication/webauthn
  • #​27892 Truststore handling for the Operator is not documented operator
  • #​27894 Multi datasource configuration does not work in Keycloak 24.0.1 dist/quarkus
  • #​27900 Performance impact in changed hashing measured wrong authentication
  • #​27917 User search field loses focus after first input in realms with user federation admin/ui
  • #​27925 Keycloak docs state that there are http metrics, but they are disabled docs
  • #​27941 Entry 999.0.0 in MIGRATION_MODEL prevents future migrations of the database core
  • #​27944 Admin tests: Failing realm_settings_events_test test admin/ui
  • #​27954 Hibernate Dialect detection does not work anymore for Oracle DBs storage
  • #​27962 message of groups is wrong in messages_ja.properties admin/ui
  • #​27965 Groups help message is only "Groups" admin/ui
  • #​27966 🍺 instead of dot: Attributes in account UI are not loaded user-profile
  • #​27967 ORA-01450 when updating keycloak 23 -> 24 storage
  • #​27981 User Profile: Inconsistent ordering of attributes between account and login themes user-profile
  • #​27984 Username LDAP attribute other than uid is difficult ldap
  • #​28001 MySQL connector artifact should be ignored dist/quarkus
  • #​28004 JWK key ignored due to missing required field 'use' despite matching KID oidc
  • #​28012 Keycloak CR Truststore should not have a name operator
  • #​28016 User Profile attribute translation saves wrong key to realm overrides admin/ui
  • #​28069 Token setting missing admin/ui
  • #​28079 Group search does not work in user view admin/ui
  • #​28080 Paging issue in groups via user view admin/ui
  • #​28090 kc.sh may leak credentials core
  • #​28100 Failed authentication: java.lang.NullPointerException: Cannot invoke "org.keycloak.models.UserModel.getFederationLink()" because "this.delegate" is null identity-brokering
  • #​28103 Deleting translations after attribute deletion admin/ui
  • #​28113 WebAuthN registration broken after upgrading to 24.0.1 authentication/webauthn
  • #​28143 Navigation broken on local development account/ui
  • #​28174 HA guide erroneously refers to AWS Global Accelerator docs
  • #​28187 Admin UI drag & drop in flow config seems to delete actions admin/ui
  • #​28201 Locale label missing on login page for Brazilian Portuguese, Greek and Persian translations
  • #​28207 JAVA_OPTS are not set under Windows dist/quarkus
  • #​28215 Inconsistent handling of product vs. community in HA guide table-of-contents docs
  • #​28220 Admin API: User PUT operation clears firstname, lastname email fields admin/api
  • #​28231 username contains invalid characters user-profile
  • #​28248 Update user makes User ID changes when federationLink and LDAP_ID is not set properly admin/api
  • #​28284 scroll bar is missing inn clients view keycloak admin GUI core
  • #​28303 WARN - Event object wasn't available in remote cache after event was received infinispan
  • #​28330 org.keycloak.documentation.test.ExternalLinksTest fails with incorrect status code reported back in the results docs
  • #​28335 The false option of the pkceMethod init parameter for the JavaScript adapter is ignored adapter/javascript
  • #​28341 ConditionalLoaAuthenticator documentation incorrect re: unauthenticated users. authentication
  • #​28370 PodTemplateTest assertions are ignored testsuite
  • #​28374 Syntax highlighting for log example is wrong in downsream dist/quarkus
  • #​28377 Broken lists in import/export server guide docs
  • #​28381 Password denylist Doesn't Work As Expected authentication
  • #​28389 New username-password policy check is reversed user-profile
  • #​28409 Unclosed span bracket in register.ftl login/ui
  • #​28416 Keycloak is not returning proper error message for PUT /users admin API user-profile
  • #​28431 Dedicated client scopes always show up when searching admin/ui
  • #​28443 Declarative User Profile: The use of the "select-radiobuttons" with options validation display is broken user-profile
  • #​28463 Error in refresh flow with scope parameter oidc
  • #​28465 Review cookie attributes and set SameSite for all cookies
  • #​28479 Authentication flow diagram incorrect branching in some flows admin/ui
  • #​28484 inputOptionLabels is truncating text that is not wrapped for localization account/ui
  • #​28486 Help text wrong in key provider admin/ui
  • #​28490 Missing help text for Brute Force Mode admin/ui
  • #​28495 IdP Linking: Usernames sometimes lowercase and sometimes uppercase identity-brokering
  • #​28509 Workflow failure: ManagementDistTest ci
  • #​28514 Message for searchClientRegistration is missing admin/ui
  • #​28519 Cards in IDP and User federation are not shown to be clicable admin/ui
  • #​28523 [LDAPStorageProvider] NPE if user is cached but has been deleted in ldap ldap
  • #​28531 notBefore and setToNow untranslated admin/ui
  • #​28546 LDAP provider add has 3 lines on top of screen admin/ui
  • #​28555 Collision with base testsuite dependency
  • #​28564 UserStorageSyncManager int overflow storage
  • #​28575 Flaky test: org.keycloak.testsuite.admin.IdentityProviderTest#testSamlImportWithAnyEncryptionMethod ci
  • #​28576 Flaky test: org.keycloak.testsuite.admin.IdentityProviderTest#testSamlImportWithAnyEncryptionMethod ci
  • #​28577 Flaky test: org.keycloak.testsuite.admin.IdentityProviderTest#testSamlImportWithAnyEncryptionMethod ci
  • #​28579 Brute force detection fails with read-only LDAP users authentication
  • #​28606 OrganizationTest.testAttributes fails in GHA CI testsuite
  • #​28624 Incorrect user info in the head when using lightweight access token for account-console account/ui
  • #​28628 Invalide objects comparison in Java core
  • #​28638 Missing permission to read configmaps in `keycloak-operator-role` operator
  • #​28640 Unable to see user's inherited role if user has no directly assigned roles admin/ui
  • #​28649 docker-v2 authentication fails with KC-SERVICES0097: Invalid request: java.lang.NullPointerException: Cannot invoke "org.keycloak.models.ClientModel.getClientScopes(boolean)" because "this.client" is null core
  • #​28666 Accessing a transient (lightweight) user through client session fails in admin-api/-ui admin/ui
  • #​28684 "Extend to children" button in authorization group policies is wrongly disabled admin/ui
  • #​28702 Unable to fetch realm names when contains special characters admin/ui
  • #​28704 Remove invalid "this." from keycloak-admin-client README admin/client-js
  • #​28725 Keycloak 24.0.2 - Enlisted connection used without active transaction storage
  • #​28744 Invalid label `validatingX509Certs` in new SAML identity provider screen admin/ui
  • #​28746 Translations missing for recovery codes in KC 24 account/ui
  • #​28747 ID is shown prematurely on Identity Provider Mapper after Save admin/ui
  • #​28748 Webauthn Policy timeout accepts values > 8 hours admin/ui
  • #​28798 `passwordPoliciesHelp.notContainsUsername` missing in admin console admin/ui
  • #​28801 NPE when listing sessions in UI if associated user is gone core
  • #​28818 Child groups filtering returns all groups admin/ui
  • #​28821 Failure reset time is applied to Permanent Lockout authentication
  • #​28824 Inconsistent Group Ordering in Keycloak API Responses For Client Policies Causing Drift Detection Challenges admin/fine-grained-permissions
  • #​28825 Keycloak Operator 24.x - the keycloak custom image tag is being overwritten with nightly pull operator
  • #​28881 socketTimeoutUnits and establishConnectionTimeoutUnits in HttpClientBuilder are not used core
  • #​28896 Master realm can be deleted admin/api
  • #​28911 clients_saml_test.spec.ts fails in main admin/ui
  • #​28915 Possible NPE when exporting user policy authorization-services
  • #​28947 IndexWrapper warnings when starting Keycloak dist/quarkus
  • #​28948 Auto-build shouldn't warn about unavailable runtime options dist/quarkus
  • #​28949 Conditional cache options are not evaluated correctly dist/quarkus
  • #​28964 Compilation error in latest main (conflicting MRs for oid4vc and changes for EnvironmentDependentFactory) core
  • #​28968 Grant urn:ietf:params:oauth:grant-type:pre-authorized_code enabled even if oid4vc_vci feature is disabled oid4vc
  • #​28979 MULTIVALUED_STRING_TYPE does not show in UI if empty admin/ui
  • #​28982 Flaky test: org.keycloak.testsuite.oid4vc.issuance.signing.OID4VCIssuerEndpointTest#testGetCredentialOfferUriUnsupportedCredential ci
  • #​28983 Flaky test: org.keycloak.testsuite.oid4vc.issuance.signing.OID4VCIssuerEndpointTest#testGetCredentialOfferUriInvalidToken ci
  • #​28984 Flaky test: org.keycloak.testsuite.oid4vc.issuance.signing.OID4VCIssuerEndpointTest#testRequestCredential ci
  • #​28985 Flaky test: org.keycloak.testsuite.oid4vc.issuance.signing.OID4VCIssuerEndpointTest#testGetCredentialOfferUriUnauthorized ci
  • #​28986 Flaky test: org.keycloak.testsuite.oid4vc.issuance.signing.OID4VCIssuerEndpointTest#testGetCredentialOfferUnauthorized ci
  • #​28987 Flaky test: org.keycloak.testsuite.oid4vc.issuance.signing.OID4VCIssuerEndpointTest#testRequestCredentialInvalidToken ci
  • #​28988 Flaky test: org.keycloak.testsuite.oid4vc.issuance.signing.OID4VCIssuerEndpointTest#testRequestCredentialUnauthorized ci
  • #​28989 Flaky test: org.keycloak.testsuite.oid4vc.issuance.signing.OID4VCIssuerEndpointTest#testCredentialIssuance ci
  • #​28990 Flaky test: org.keycloak.testsuite.oid4vc.issuance.signing.OID4VCIssuerEndpointTest#testGetCredentialOfferWithoutNonce ci
  • #​28991 Flaky test: org.keycloak.testsuite.oid4vc.issuance.signing.OID4VCIssuerEndpointTest#testGetCredentialOffer ci
  • #​28992 Flaky test: org.keycloak.testsuite.oid4vc.issuance.signing.OID4VCIssuerEndpointTest#testGetCredentialOfferWithABrokenNote ci
  • #​28993 Flaky test: org.keycloak.testsuite.oid4vc.issuance.signing.OID4VCIssuerEndpointTest#testGetCredentialOfferURI ci
  • #​28994 Flaky test: org.keycloak.testsuite.oid4vc.issuance.signing.OID4VCIssuerEndpointTest#testGetCredentialOfferWithoutAPreparedOffer ci
  • #​28995 Flaky test: org.keycloak.testsuite.oid4vc.issuance.signing.OID4VCIssuerEndpointTest#testRequestCredentialUnsupportedFormat ci
  • #​28996 Flaky test: org.keycloak.testsuite.oid4vc.issuance.signing.OID4VCIssuerEndpointTest#testRequestCredentialUnsupportedCredential ci
  • #​29027 Creating client-scope without protocol causes GUI bug admin/api
  • #​29033 Argon2 password hashing leads to increased Major GC's in Keycloak's JVM during load tests authentication
  • #​29035 Admin console message bundle contains duplicate keys admin/ui
  • #​29039 Preflight request with OPTIONS method for token introspection endpoint not working. authentication
  • #​29057 not able to disable declarative_ui feature
  • #​29072 Startup probe should check for existence of an Admin user before returning 200 dist/quarkus
  • #​29129 JGroups creates log messages as it switched internally to "trace" dist/quarkus
  • #​29132 Documentation cites wrong endpoint for Docker Registry v2 Authentication docs
  • #​29133 DuplicateEmailValidator causes two DB queries on every login if a user has an email address core
  • #​29141 Fix waiting for change to take effect in SessionTimeoutsTest
  • #​29142 LDAP - GroupToGroup Mapper throws "ENTRY_EXISTS" Error ldap
  • #​29147 local user login not possible after LDAP connection problem ldap
  • #​29154 Update docs to distinguish between product names and CR names docs
  • #​29190 JS Admin Client does not support q query parameter on users.count() and clients.find() methods admin/client-js
  • #​29206 LDAP user creation reports error but user is created ldap
  • #​29213 Bad formatting of permissions error in admin console admin/ui
  • #​29233 Broken link in documentation docs
  • #​29235 Tests for persistent sessions are not performed infinispan
  • #​29237 The select for a locale behaves as a multi-select in the admin and account UI when it should be single value admin/ui
  • #​29246 Flaky test: org.keycloak.testsuite.client.ClientTypesTest#testUpdateClientWithClientType ci
  • #​29247 Flaky test: org.keycloak.testsuite.oauth.ClientTokenExchangeTest#testExchangeWithDynamicScopesEnabled ci
  • #​29248 Flaky test: org.keycloak.testsuite.oauth.ClientTokenExchangeTest#testClientExchange ci
  • #​29249 Flaky test: org.keycloak.testsuite.oauth.ClientTokenExchangeTest#testIntrospectTokenAfterImpersonation ci
  • #​29250 Flaky test: org.keycloak.testsuite.oauth.ClientTokenExchangeTest#testPublicClientNotAllowed ci
  • #​29251 Flaky test: org.keycloak.testsuite.oauth.ClientTokenExchangeTest#testExchangeUsingServiceAccount ci
  • #​29252 Flaky test: org.keycloak.testsuite.oauth.ClientTokenExchangeTest#testImpersonation ci
  • #​29253 Flaky test: org.keycloak.testsuite.oauth.ClientTokenExchangeTest#testImpersonationUsingPublicClient ci
  • #​29259 `auth-server-feature` does not work for `auth-server-quarkus-embedded` testsuite
  • #​29263 Default value for MULTIVALUED_STRING_TYPE in authenticator config is ignored admin/ui
  • #​29266 Documentation Enhancements Admin Rest API Group to Client Role Mappings docs
  • #​29287 Upgraded docker to 24, now unable to browse "authentication" page in one of my realms. authentication
  • #​29294 Listing of sessions is very slow when we have tens of thousands sessions (+ not able to know the exact number of sessions) admin/ui
  • #​29309 JWSBuilder when used directly with AsymmetricSignatureSignerContext produces non compliant ECDSA signed JWT core
  • #​29311 POST /{realm}/clients-initial-access is allowing invalid data like count = -1 and expiration date-time can be set earlier than the creation date-time oidc
  • #​29314 Clicking the "save" button multiple times in the Saml IDP configuration page corrupts the value of "AuthnContext ClassRefs" admin/ui
  • #​29336 Unlocking and saving the user's temporary lock will render the user disabled. account/ui
  • #​29352 Fix user-facing typos in error messages core
  • #​29362 Custom user attributes are not shown for service account users in the Admin UI admin/ui
  • #​29376 kc export fails when using User Federation (LDAP) with SSL/TLS import-export
  • #​29385 Restart authentication event type is not generated authentication
  • #​29408 Need to show translation for attributes group on Registration form admin/ui
  • #​29426 Potential bug introduced to JavaKeystoreKeyProvider in #​26936 admin/api
  • #​29429 NPE when Organization feature enabled core
  • #​29440 clients_tests is unstable admin/ui
  • #​29458 Empty CSP header value breaks security filter authentication
  • #​29471 Cypress tests store videos even for passing tests ci
  • #​29495 Fixing realm removal when removing groups and brokers associated with an organization core
  • #​29507 realm_settings_user_profile_enabled fails randomly admin/ui
  • #​29525 Maven clean build doesn't clean admin client generated files ci
  • #​29528 Failure: SessionTimeoutsTest ci
  • #​29551 OAuth 2.0 Device Polling Interval - Setting in Realms settings/Token Plus-Minus to change value not working admin/ui
  • #​29554 Cypress failing on video recording ci
  • #​29579 Increased augmentation time after Quarkus 3.8.4 upgrade dist/quarkus
  • #​29592 Remote caches and other site's caches might get out-of-sync when persistent sessions are used core
  • #​29599 Org domain removal from IDP is not properly propagated to the DB core
  • #​29602 SNYK-JAVA-ORGBOUNCYCASTLE-6277381 - Observable Timing Discrepancy in org.bouncycastle:bcprov-jdk18on dependencies
  • #​29607 CVE-2024-30172 - Infinite loop in org.bouncycastle:bcprov-jdk18on dependencies
  • #​29608 CVE-2024-30171 - Observable Discrepancy in org.bouncycastle:bcprov-jdk18on dependencies
  • #​29609 CVE-2024-29857 - Allocation of Resources Without Limits or Throttling in org.bouncycastle:bcprov-jdk18on dependencies
  • #​29620 Wrong Media Type / Format of SD JWT VC oid4vc
  • #​29625 Database driver install examples can lead to permission errors in some circumstances docs
  • #​29630 Unable to import realms with organization feature enabled core
  • #​29640 Admin console development fail due to whoami endpoint admin/ui
  • #​29641 Admin Console uses a wrong URL type for auth server admin/ui
  • #​29644 Unmanaged Attributes drop down doesn't reflect the value admin/ui
  • #​29688 client_authorization_test fails admin/ui
  • #​29699 Snyk Report is not preventing duplicates ci
  • #​29738 Broken translations for loa-condition-level and loa-max-age admin/ui
  • #​29756 MigrateTo25_0_0 does not complete within default transaction timeout storage
  • #​29788 OpenAPI: Missing content definition for authentication flow executions GET API admin/api
  • #​29802 Flaky test: org.keycloak.testsuite.model.session.UserSessionPersisterProviderTest#testMigrateSession ci
  • #​29805 Supported Credential Type is not evaluated when applying the Protocol Mapper in OID4VCI oid4vc
  • #​29808 LDAP User federation: LDAP: error code 49 - Invalid Credentials ldap
  • #​29814 package com.google.common.hash does not exist when building keycloak-api-docs-dist docs
  • #​29816 Aggregated javadoc generation fix + missing keycloak-operator javadoc dist/quarkus
  • #​29868 Missing Text for x509 translations
  • #​29869 Kubernetes resources point to non-existing Operator image operator
  • #​29875 Upgrade supported PostgreSQL to version 16 ci
  • #​29885 Unable to create an LD-Credentials/VCDM provider for OID4VC oid4vc
  • #​29931 Cannot access the account console account/ui
  • #​29939 Increased GC overhead in the continuous performance tests after G1GC compiler change dist/quarkus
  • #​29948 Reason not logged in event for invalid SAML request saml
  • #​29968 x509 SAN UPN other name is not handled in JDK 21 authentication
  • #​29976 CI for JS not running all the tasks ci
  • #​29981 Enabling and disabling functions are not working properly in KC GUI admin/ui
  • #​29982 Revert editorconfig for properties files as trailing blanks are used ci
  • #​29984 Nightly build for API docs is broken
  • #​30018 SessionTimeoutsTest failing even after retry, probably due to insufficient cleanup testsuite
  • #​30023 Using {application.session.host} in backchannel logout url prevents from saving client admin/api
  • #​30024 Sign out button in the account console has wrong Selenium locator testsuite
  • #​30028 Typo in the upgrading guide for persistent sessions docs
  • #​30049 All roles are populated as inherited roles if a single role is added to a dedicated client scope admin/ui
  • #​30068 Update RFC reference in subject: Likely typo RFC2553 -> RFC2253, Consider RFC4514 admin/ui
  • #​30079 The OID4VC tests break automation account/ui
  • #​30086 Remove sources folder before invoking JakartaTransformer
  • #​30102 Updating client policies in JSON editor is buggy. Attempt to update global client policies should throw the error admin/ui
  • #​30120 Option `cache-remote-tls-enabled` is missing the default dist/quarkus
  • #​30126 Client scope names not shown in evaluate section in client-scopes tab admin/ui
  • #​30134 Malformed dependency version causing the build failure testsuite
  • #​30196 Test PoC does not run with Quarkus fork join worker
  • #​30201 Keycloak CI - failure in Store IT (aurora-postgres) ci
  • #​30206 Use forkjoin pool factory in testsuite for embedded Quarkus Auth Server testsuite
  • #​30218 Locale dropdowns not working account/ui
  • #​30220 Base theme contains properties without default values login/ui

v24.0.5

Compare Source

Highlights

Security issue with PAR clients using client_secret_post based authentication

This release contains the fix of the important security issue affecting some OIDC confidential clients using PAR (Pushed authorization request). In case you use OIDC confidential clients together with PAR and you use client authentication based on client_id and client_secret sent as parameters in the HTTP request body (method client_secret_post specified in the OIDC specification), it is highly encouraged to rotate the client secrets of your clients after upgrading to this version.

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Enhancements

  • #​29073 Use cache.compute() method to improve the replace retry loop
  • #​29280 Update Create Realm in Keycloak 24 Getting Started

Bugs

  • #​29129 JGroups creates log messages as it switched internally to "trace" dist/quarkus
  • #​29206 LDAP user creation reports error but user is created ldap
  • #​29314 Clicking the "save" button multiple times in the Saml IDP configuration page corrupts the value of "AuthnContext ClassRefs" admin/ui
  • #​29458 Empty CSP header value breaks security filter authentication
  • #​29471 Cypress tests store videos even for passing tests ci
  • #​29525 Maven clean build doesn't clean admin client generated files ci
  • #​29554 Cypress failing on video recording ci
  • #​29625 Database driver install examples can lead to permission errors in some circumstances docs

v24.0.4

Compare Source

Highlights

Partial update to user attributes when updating users through the Admin User API is no longer supported

When updating user attributes through the Admin User API, you cannot execute partial updates when updating the user attributes, including the root attributes like username, email, firstName, and lastName.

For more details, see the Upgrading Guide.

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Enhancements

  • #​27508 Use new remote-store options in HA guides
  • #​28429 Add details to error messages, especially around refresh tokens
  • #​28729 Emphasize the need for setting container limit docs
  • #​28880 Upgrade to Quarkus 3.8.4 dist/quarkus
  • #​29183 Minor corrections to High Availability Guide docs

Bugs

  • #​16345 Unable to delete realm names with invalid URL characters admin/api
  • #​22617 kc export fails when using User Federation (LDAP) with file-based Vault enabled import-export
  • #​24568 iframe for frontend logout gets blocked if a custom CSP header is used core
  • #​24878 NoClassDefFoundError for Apache XML and EAP8 adapter/jee-saml
  • #​27021 Workflow failure: Fuse adapter tests ci
  • #​27080 Workflow failure: Operator CI - KeycloakTruststoresTests#testTrustroreExists ci
  • #​27514 Uncaught server error: java.lang.IllegalArgumentException: Path parameter not provided oidc
  • #​28079 Group search does not work in user view admin/ui
  • #​28187 Admin UI drag & drop in flow config seems to delete actions admin/ui
  • #​28220 Admin API: User PUT operation clears firstname, lastname email fields admin/api
  • #​28303 WARN - Event object wasn't available in remote cache after event was received infinispan
  • #​28377 Broken lists in import/export server guide docs
  • #​28431 Dedicated client scopes always show up when searching admin/ui
  • #​28514 Message for searchClientRegistration is missing admin/ui
  • #​28666 Accessing a transient (lightweight) user through client session fails in admin-api/-ui admin/ui
  • #​28684 "Extend to children" button in authorization group policies is wrongly disabled admin/ui
  • #​28911 clients_saml_test.spec.ts fails in main admin/ui
  • #​29072 Startup probe should check for existence of an Admin user before returning 200 dist/quarkus
  • #​29094 Fix the client name help grammatical error admin/ui
  • #​29133 DuplicateEmailValidator causes two DB queries on every login if a user has an email address core
  • #​29147 local user login not possible after LDAP connection problem ldap
  • #​29154 Update docs to distinguish between product names and CR names docs
  • #​29233 Broken link in documentation docs

v24.0.3

Compare Source

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Enhancements

  • #​26695 Keycloak and MSAD: enabling account in MSAD does not propagate to Keycloak ldap

Bugs

  • #​24201 Cannot disable LDAP-backed user if importEnabled=false ldap
  • #​28100 Failed authentication: java.lang.NullPointerException: Cannot invoke "org.keycloak.models.UserModel.getFederationLink()" because "this.delegate" is null identity-brokering
  • #​28248 Update user makes User ID changes when federationLink and LDAP_ID is not set properly admin/api
  • #​28335 The false option of the pkceMethod init parameter for the JavaScript adapter is ignored adapter/javascript
  • #​28638 Missing permission to read configmaps in `keycloak-operator-role` operator

v24.0.2

Compare Source

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Enhancements

  • #​25057 Inconsistent behaviour on getting user permissions using authorization authorization-services
  • #​27433 Clarify format of keys in `additionalOptions` field in the Keycloak CR docs
  • #​27481 Edit High Availability guide
  • #​27484 Edit 23.0 changes part of Upgrading Guide
  • #​27632 Integrate downstream Upgrading Guide changes into upstream
  • #​27696 Upgrade to Quarkus 3.8.2 dist/quarkus
  • #​27867 Corrections to Securing Apps Guide
  • #​27871 Upgrade to Infinispan 14.0.26 core
  • #​27953 Address feedback to Keycloak Server guide docs
  • #​27955 Address term Keycloak in Server Administration Guide docs
  • #​28009 Address edits to the Operator Guide
  • #​28033 Upgrade Infinispan to 14.0.27.Final
  • #​28084 Upgrade to Quarkus 3.8.3 dist/quarkus

Bugs

  • #​14501 Getting failed to initialize js message if consent is rejected by user account/ui
  • #​15403 No email send on TOTP/Authenticator app removal core
  • #​20637 Reset password flow fails with "Page has expired" error when Kerberos authentication is enabled in the browser flow authentication
  • #​22644 Flaky test: org.keycloak.testsuite.forms.BrowserFlowTest#testAlternativeNonInteractiveExecutorInSubflow core
  • #​23701 Attribute search does not work with federated users with ldap. admin/ui
  • #​23980 Keycloak Operator fails to install realm authentication flow because "flow is null" import-export
  • #​25490 Partial export/import is not mentioned in Keycloak's Server Administration Guide docs
  • #​25687 A java.lang.NullPointerException occurs when sending a Multipart/form-data request to any file upload interface. admin/api
  • #​26396 How do you update a custom user storage provider jar that includes a version number? dist/quarkus
  • #​27117 user sessions not accessible in all cluster nodes infinispan
  • #​27180 Grant type "urn:ietf:params:oauth:grant-type:uma-ticket" openid-connect/token service endpoint is returning refresh token with invalid Expiration authorization-services
  • #​27228 Lowercased "terms_and_conditions" is not migrated in fed_user_required_action table core
  • #​27245 Account console does not correctly treat link / unlink account account/ui
  • #​27269 mvnw clean install -Pdistribution on Windows deletes necessary files during clean of org.keycloak:keycloak-admin-ui admin/ui
  • #​27275 Invalidating offline token is not working from client sessions tab authentication
  • #​27366 Social login - test failures with unexpected status code testsuite
  • #​27483 Authz-client AuthorizationResource.getPermissions() ClassCastException authorization-services
  • #​27504 Cpu and memory sizing typo docs
  • #​27529 LegacyUserCredentialManager class not found storage
  • #​27540 URL change for liquibase docs docs
  • #​27548 Custom Browser Flow not working anymore admin/ui
  • #​27573 Release notes from 24.0.0 miss that multi-site active-passive deployments are supported docs
  • #​27597 dropping KC_PROXY=edge causes startup error core
  • #​27611 Cannot modify realm email settings since keycloak 24 user-profile
  • #​27653 Admin tests: Flaky realm_settings_user_profile_enabled test admin/ui
  • #​27701 MTLS Cache options should be runtime options, not build time options dist/quarkus
  • #​27719 Wrong Welcome page image in the documentation docs
  • #​27745 Registration template in login2 is broken login/ui
  • #​27761 Snyk workflow failure ci
  • #​27779 Broken Migration "MigrateTo24_0_0" core
  • #​27780 Fixing downstream documentation build docs
  • #​27797 User profile fields cannot be set empty once they have a non-empty value (in Login Theme) user-profile
  • #​27820 Account console confusing with WebAuthn account/ui
  • #​27841 ES translation causes FreeMarker rendering issues translations
  • #​27852 VerifyUserProfile invalidates user cache on every login core
  • #​27878 Error when executing refresh grant, with scope param, without offline_access scope specified oidc
  • #​27882 Incorrect version of bctls-fips in the docs docs
  • #​27892 Truststore handling for the Operator is not documented operator
  • #​27894 Multi datasource configuration does not work in Keycloak 24.0.1 dist/quarkus
  • #​27900 Performance impact in changed hashing measured wrong authentication
  • #​27925 Keycloak docs state that there are http metrics, but they are disabled docs
  • #​27954 Hibernate Dialect detection does not work anymore for Oracle DBs storage
  • #​27966 🍺 instead of dot: Attributes in account UI are not loaded user-profile
  • #​27967 ORA-01450 when updating keycloak 23 -> 24 storage
  • #​27981 User Profile: Inconsistent ordering of attributes between account and login themes user-profile
  • #​28001 MySQL connector artifact should be ignored dist/quarkus
  • #​28012 Keycloak CR Truststore should not have a name operator
  • #​28113 WebAuthN registration broken after upgrading to 24.0.1 authentication/webauthn

v24.0.1

Compare Source

Highlights

Operator deploys nightly build instead of 24.0.0

Due to an issue in the release process when deploying Keycloak using the Operator it installed the nightly container instead of 24.0.0.

As a quick fix to the issue, the 24.0.0 container was tagged with nightly, and the nightly releases was temporarily disabled.

If you installed or upgraded to 24.0.0 using the Operator before 5pm CET yesterday the database may have been updated with the wrong versions. To check if you are affected connect to your database and run the following SQL command:

SELECT * from migration_model WHERE version = '999.0.0';

If the above returns a matching row you will need to take some actions, otherwise database migrations will not run for future releases. To resolve this run the following SQL command:

UPDATE migration_model SET version = '24.0.0' WHERE version = '999.0.0';

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

v24.0.0

Compare Source

Highlights

Supported user profile and progressive profiling

The user profile preview feature is promoted to be fully supported and user profile is enabled by default.

In the past months, the Keycloak team spent a huge amount of effort in polishing the user profile feature to make it fully supported. In this release, we continued the effort. Lots of improvements, fixes and polishing were done based on the thorough testing and feedback from our awesome community.

The following are a few highlights of this feature;

  • Fine-grained control over the attributes that users and administrators can manage so that you can prevent unexpected attributes and values from being set.

  • Ability to specify what user attributes are managed and should be displayed on the forms to regular users or administrators.

  • Dynamic forms - Previously, the forms where users created or updated their profiles, contain four basic attributes like username, email, first name and last name. The addition of any attributes (or removing some default attributes) required you to create a custom theme. Now custom themes may not be needed because users see exactly the requested attributes based on the requirement of the particular deployment.

  • Validations - Ability to specify validators for the user attributes including built-in validators that you can use to specify a maximum or minimum length, a specific regex, or limiting a particular attribute to be a URL or number.

  • Annotations - Ability to specify that particular attribute should be rendered for instance as a text area, an HTML select with specified options, or calendar or many other options. You can also bind JavaScript code to a specific field to change how an attribute is rendered and customize its behavior.

  • Progressive profiling - Ability to specify that some fields are required or available on the forms just for particular values of scope parameter. This effectively allow progressive profiling. You no longer need to ask the user for twenty attributes during registration; you can instead ask the user to fill in attributes incrementally according to the requirements of the individual client applications that are used by the user.

  • Migration from previous versions - The user profile is now always enabled, but it operates as before for those who did not use this feature. You can benefit from the user profile capabilities, but you are not required to use them. For migration instructions, see the Upgrading Guide.

The first release of the user profile as a supported feature is just the starting point and the baseline for delivering many more capabilities around identity management.

We would like to give huge thanks to the awesome Keycloak community as lots of ideas, requirements and contributions came from the community! Special thanks to:

For more details about user profile capabilities, see the Server Administration Guide.

Breaking changes to the User Profile SPI

In this release, changes to the User Profile SPI might impact existing implementations based on this SPI. For more details, see the Upgrading Guide.

Changes to Freemarker templates to render pages based on the user profile and realm

In this release, the following templates were updated to make it possible to dynamically render attributes based on the user profile configuration set to a realm:

  • login-update-profile.ftl

  • register.ftl

  • update-email.ftl

For more details, see the Upgrading Guide.

New Freemarker template for the update profile page at first login through a broker

In this release, the server renders the update profile page when the user is authenticating through a broker for the first time using the idp-review-user-profile.ftl template.

For more details, see the Upgrading Guide.

Java adapter deprecation and removal

Back in 2022 we announced the deprecation of Keycloak adapters in Keycloak 19. To give the community more time to adopt this was delayed.

With that in mind, this will be the last major release of Keycloak to include OpenID Connect and SAML adapters. As Jetty 9.x has not been supported since 2022 the Jetty adapter has been removed already in this release.

The generic Authorization Client library will continue to be supported, and aims to be used in combination with any other OAuth 2.0 or OpenID Connect libraries.

The only adapter we will continue to deliver is the SAML adapter for latest releases of WildFly and EAP 8.x. Reasoning for continuing to support this is down to the fact that the majority of the SAML codebase in Keycloak was a contribution from WildFly. As part of this contribution we agreed to maintain SAML adapters for WildFly and EAP in the long run.

Jetty adapter removed

Jetty 9.4 has not been supported in the community for a long time, and reached end-of-life in 2022. At the same time the adapter has not been updated or tested with more recent versions of Jetty. For these reasons the Jetty adapter has been removed from this release.

New Welcome Page

The 'welcome' page that appears at the first use of Keycloak is redesigned. It provides a better setup experience and conforms to the latest version of PatternFly. The simplified page layout includes only a form to register the first administrative user. After completing the registration, the user is sent directly to the Admin Console.

If you use a custom theme, you may need to update it to support the new welcome page. For details, see the Upgrading Guide.

New Account Console now the default

We introduced version 3 of the Account Console in Keycloak 22 as a preview feature. In this release, we are making it the default version, and deprecating version 2 in the process, which will be removed in a subsequent release.

This new version has built-in support for the user profile feature, which allows administrators to configure which attributes are available to users in the Account Console, and lands a user directly on their personal account page after logging in.

If you are using or extending the customization features of this theme, you may need to perform additional migrations. For more details, see the Upgrading Guide.

Keycloak JS

Using exports field in package.json

The Keycloak JS adapter now uses the exports field in its package.json. This change improves support for more modern bundlers like Webpack 5 and Vite, but comes with some unavoidable breaking changes. See the Upgrading Guide for more details.

PKCE enabled by default

The Keycloak JS adapter now sets the pkceMethod option to S256 by default. This change enables Proof Key Code Exchange (PKCE) for all applications using the adapter. If you use the adapter on a system that does not support PKCE, you can set the pkceMethod option to false to disable it.

Changes to Password Hashing

In this release, we adapted the password hashing defaults to match the OWASP recommendations for Password Storage.

As part of this change, the default password hashing provider has changed from pbkdf2-sha256 to pbkdf2-sha512. Also, the number of default hash iterations for pbkdf2 based password hashing algorithms changed. This change means better security aligned with latest recommendations, but it has impact on performance. It is possible to stick to the old behaviour by adding password policies hashAlgorithm and hashIterations to your realm. For more details, see the Upgrading Guide.

OAuth/OIDC related improvements

Lightweight access tokens support

This release contains support for Lightweight access tokens. As a result, you can have smaller access tokens for specified clients. These tokens have only a few claims, which is why they are smaller. Note that lightweight access token is still JWT signed by the realm key by default and still contains some very basic claims.

This release introduces an Add to lightweight access token flag that is available on some OIDC protocol mappers. Use this flag to specify if a particular claim should be added to a lightweight access token. It is OFF by default, which means that most claims are not added.

Also, a client policy executor exists. Use it to specify if a particular client request should use lightweight access tokens or regular access tokens. An alternative to the executor is to use an Always use lightweight access token flag on client advanced settings, which causes that client to always use lightweight access tokens. An executor can be an alternative if you need more flexibility. For instance, you may choose to use lightweight access tokens by default but use regular tokens only for the specified scope parameter.

A previous release added an Add to token introspection switch. You use it to add claims that are not present in the access token into the introspection endpoint response.

Thanks to Shigeyuki Kabano for the contribution and Thanks to Takashi Norimatsu for a help and review of this feature.

OAuth 2.1 support

This release contains optional OAuth 2.1 support. New client policy profiles were introduced in this release, which administrators can use to make sure that clients and particular client requests comply with the OAuth 2.1 specification. A dedicated client profile exists for confidential clients and a dedicated profile for public clients. Thanks to Takashi Norimatsu and Shigeyuki Kabano for the contribution.

Scope parameter supported in the refresh token flow

Starting with this release, the scope parameter in the OAuth2/OIDC endpoint for token refresh is supported. Use this parameter to request access tokens with a smaller amount of scopes than originally granted, which means you cannot increase access token scope. This scope limitation does not affect the scope of the refreshed refresh token. This function works as described in the OAuth2 specification. Thanks to Konstantinos Georgilakis for the contribution.

Client policy executor for secure redirect URIs

A new client policy executor secure-redirect-uris-enforcer is introduced. Use it to restrict which redirect URIs can be used by the clients. For instance, you can specify that client redirect URIs cannot have wildcards, should be just from specific domain, must be OAuth 2.1 compliant, and so on. Thanks to Lex Cao and Takashi Norimatsu for the contribution.

Client policy executor for enforcing DPoP

A new client policy executor dpop-bind-enforcer is introduced. You can use it to enforce DPoP for a particular client if dpop preview is enabled. Thanks to Takashi Norimatsu for the contribution.

Supporting EdDSA

You can create EdDSA realm keys and use them as signature algorithms for various clients. For instance, you can use these keys to sign tokens or for client authentication with signed JWT. This feature includes identity brokering where Keycloak itself signs client assertions that are used for private_key_jwt authentication to third party identity providers. Thanks to Takashi Norimatsu and Muhammad Zakwan Bin Mohd Zahid for the contribution.

EC Keys supported by JavaKeystore provider

The provider JavaKeystoreProvider for providing realm keys now supports EC keys in addition to previously supported RSA keys. Thanks to Stefan Wiedemann for the contribution.

Option to add X509 thumbprint to JWT when using private_key_jwt authentication for identity providers

OIDC identity providers now have the Add X.509 Headers to the JWT option for the situation when client authentication with JWT signed by private key is used. This option can be useful for interoperability with some identity providers such as Azure AD, which require the thumbprint to be present on the JWT. Thanks to MT for the contribution.

OAuth Grant Type SPI

The Keycloak codebase includes an internal update to introduce the OAuth Grant Type SPI. This update allows additional flexibility when introducing custom grant types supported by the Keycloak OAuth 2 token endpoint. Thanks to Dmitry Telegin for the contribution.

CORS improvements

The CORS related Keycloak functionality was extracted into the SPI, which can allow additional flexibility. Note that CorsSPI is internal and may change at a future release. Thanks to Dmitry Telegin for the contribution.

Truststore improvements

Keycloak introduces improved truststores configuration options. The Keycloak truststore is now used across the server, including outgoing connections, mTLS, and database drivers. You no longer need to configure separate truststores for individual areas. To configure the truststore, you can put your truststores files or certificates in the default conf/truststores, or use the new truststore-paths config option. For details refer to the relevant guide.

Versioned Features

Features now support versioning. To preserve backward compatibility, all existing features (including account2 and account3) are marked as version 1. Newly introduced features will use versioning, which means that users can select between different implementations of desired features.

For details refer to the features guide.

Keycloak CR Truststores

You may also take advantage of the new server-side handling of truststores by using the Keycloak CR, for example:

spec:
  truststores:
    mystore:
      secret:
        name: mystore-secret
    myotherstore:
      secret:
        name: myotherstore-secret

Currently only Secrets are supported.

Trust Kubernetes CA

The cert for the Kubernetes CA is added automatically to your Keycloak Pods managed by the Operator.

Automatic certificate management for SAML identity providers

The SAML identity providers can now be configured to automatically download the signing certificates from the IDP entity metadata descriptor endpoint. In order to use the new feature, configure the Metadata descriptor URL option in the provider (the URL where the IDP metadata information with the certificates is published) and set Use metadata descriptor URL to ON. The certificates are automatically downloaded and cached in the public-key-storage SPI from that URL. The certificates can also be reloaded or imported from the Admin Console, using the action combo in the provider page.

See the documentation for more details about the new options.

Non-blocking health check for load balancers

A new health check endpoint available at /lb-check was added. The execution is running in the event loop, which means this check is responsive also in overloaded situations when Keycloak needs to handle many requests waiting in request queue. This behavior is useful, for example, in multi-site deployment to avoid failing over to another site that is under heavy load. The endpoint is currently checking availability of the embedded and external Infinispan caches. Other checks may be added later.

This endpoint is not available by default. To enable it, run Keyloak with the multi-site feature. For more details, see Enabling and disabling features.

Keycloak CR Optimized Field

The Keycloak CR now includes an startOptimized field, which may be used to override the default assumption about whether to use the --optimized flag for the start command. As a result, you can use the CR to configure build time options also when a custom Keycloak image is used.

Enhanced reverse proxy settings

It is now possible to separately enable parsing of either Forwarded or X-Forwarded-* headers by using the new --proxy-headers option. For details, see the Reverse Proxy Guide. The original --proxy option is now deprecated and will be removed in a future release. For migration instructions, see the Upgrading Guide.

Changes to the user representation in both Admin API and Account contexts

In this release, we are encapsulating the root user attributes (such as username, email, firstName, lastName, and locale) by moving them to a base/abstract class in order to align how these attributes are marshalled and unmarshalled when using both Admin and Account REST APIs.

This strategy provides consistency in how attributes are managed by clients and makes sure they conform to the user profile configuration set to a realm.

For more details, see the Upgrading Guide.

Sequential loading of offline sessions and remote sessions

Starting with this release, the first member of a Keycloak cluster will load remote sessions sequentially instead of in parallel. If offline session preloading is enabled, those will be loaded sequentially as well.

For more details, see the Upgrading Guide.

Performing actions on behalf of another already authenticated user is not longer possible

In this release, you can no longer perform actions such as email verification if the user is already authenticated and the action is bound to another user. For instance, a user can not complete the verification email flow if the email link is bound to a different account.

Changes to the email verification flow

In this release, if a user tries to follow the link to verify the email and the email was previously verified, a proper message will be shown.

In addition to that, a new error (EMAIL_ALREADY_VERIFIED) event will be fired to indicate an attempt to verify an already verified email. You can use this event to track possible attempts to hijack user accounts in case the link has leaked or to alert users if they do not recognize the action.

Deprecated offline session preloading

The default behavior of Keycloak is to load offline sessions on demand. The old behavior to preload them at startup is now deprecated, as pre-loading them at startup does not scale well with a growing number of sessions, and increases Keycloak memory usage. The old behavior will be removed in a future release.

For more details, see the Upgrading Guide.

Configuration option for offline session lifespan override in memory

To reduce memory requirements, we introduced a configuration option to shorten lifespan for offline sessions imported into the Infinispan caches. Currently, the offline session lifespan override is disabled by default.

For more details, see the Server Administration Guide.

Infinispan metrics use labels for cache manager and cache names

When enabling metrics for Keycloak​8217;s embedded caches, the metrics now use labels for the cache manager and the cache names.

For more details, see the Upgrading Guide.

User attribute value length extension

As of this release, Keycloak supports storing and searching by user attribute values longer than 255 characters, which was previously a limitation.

For more details, see the Upgrading Guide.

Brute Force Protection changes

There have been a couple of enhancements to the Brute Protection:

  1. When an attempt to authenticate with an OTP or Recovery Code fails due to Brute Force Protection the active Authentication Session is invalidated. Any further attempts to authenticate with that session will fail.

  2. In previous versions of Keycloak, the administrator had to choose between disabling users temporarily or permanently due to a Brute Force attack on their accounts. The administrator can now permanently disable a user after a given number of temporary lockouts.

  3. The property failedLoginNotBefore has been added to the brute-force/users/{userId} endpoint

Authorization Policy

In previous versions of Keycloak, when the last member of a User, Group or Client policy was deleted then that policy would also be deleted. Unfortunately this could lead to an escalation of privileges if the policy was used in an aggregate policy. To avoid privilege escalation the effect policies are no longer deleted and an administrator will need to update those policies.

Keycloak CR cache-config-file option

The Keycloak CR now allows for specifying the cache-config-file option by using the cache spec configMapFile field, for example:

apiVersion: k8s.keycloak.org/v2alpha1
kind: Keycloak
metadata:
  name: example-kc
spec:
  ...
  cache:
    configMapFile:
      name: my-configmap
      key: config.xml

Keycloak CR resources options

The Keycloak CR now allows for specifying the resources options for managing compute resources for the Keycloak container. It provides the ability to request and limit resources independently for the main Keycloak deployment via the Keycloak CR, and for the realm import Job via the Realm Import CR.

When no values are specified, the default requests memory is set to 1700MiB, and the limits memory is set to 2GiB.

You can specify your custom values based on your requirements as follows:

apiVersion: k8s.keycloak.org/v2alpha1
kind: Keycloak
metadata:
  name: example-kc
spec:
  ...
  resources:
    requests:
      cpu: 1200m
      memory: 896Mi
    limits:
      cpu: 6
      memory: 3Gi

For more details, see the Operator Advanced configuration.

Temporary lockout log replaced with event

There is now a new event USER_DISABLED_BY_TEMPORARY_LOCKOUT when a user is temporarily locked out by the brute force protector. The log with ID KC-SERVICES0053 has been removed as the new event offers the information in a structured form.

For more details, see the Upgrading Guide.

Updates to cookies

Cookie handling code has been refactored and improved, including a new Cookie Provider. This provides better consistency for cookies handled by Keycloak, and the ability to introduce configuration options around cookies if needed.

SAML User Attribute Mapper For NameID now suggests only valid NameID formats

User Attribute Mapper For NameID allowed setting Name ID Format option to the following values:

  • urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName

  • urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName

  • urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos

  • urn:oasis:names:tc:SAML:2.0:nameid-format:entity

However, Keycloak does not support receiving AuthnRequest document with one of these NameIDPolicy, therefore these mappers would never be used. The supported options were updated to only include the following Name ID Formats:

  • urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

  • urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified

  • urn:oasis:names:tc:SAML:2.0:nameid-format:persistent

  • urn:oasis:names:tc:SAML:2.0:nameid-format:transient

Different JVM memory settings when running in container

Instead of specifying hardcoded values for the initial and maximum heap size, Keycloak uses relative values to the total memory of a container. The JVM options -Xms, and -Xmx were replaced by -XX:InitialRAMPercentage, and -XX:MaxRAMPercentage.

For more details, see the Running Keycloak in a container guide.

GELF log handler has been deprecated

With sunsetting of the underlying library providing integration with GELF, Keycloak will no longer support the GELF log handler out-of-the-box. This feature will be removed in a future release. If you require an external log management, consider using file log parsing.

Support for multi-site active-passive deployments

Deploying Keycloak to multiple independent sites is essential for some environments to provide high availability and a speedy recovery from failures. This release supports active-passive deployments for Keycloak.

To get started, use the High Availability Guide which also includes a comprehensive blueprint to deploy a highly available Keycloak to a cloud environment.

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

New features

  • #​15190 RestAPI endpoint "send-verify-email" sending execute actions email template. admin/api
  • #​19586 @​keycloak/keycloak-admin-client doesn't provide an ability to use optional client scope for access token admin/client-js
  • #​23539 User profile attributes should only accept a single value unless configured otherwise user-profile
  • #​25167 Implement POST logout in Keycloak JS adapter/javascript
  • #​25446 CORS SPI oidc
  • #​25676 Introduce new CLI config options for Infinispan remote store dist/quarkus
  • #​25702 Encrypt network communication in JGroups dist/quarkus
  • #​25733 Update Route53 HA guide to be compatible with ROSA and Openshift 4.14.x
  • #​25903 Create new landing page for admin console
  • #​25941 Issue Verifiable Credentials in the JWT-VC format core
  • #​26028 Remove conditional statements about Windows / Linux from the docs docs
  • #​26250 OAuth 2.0 Grant Type SPI oidc
  • #​26455 Supported option to specify maximum threads used to handle HTTP requests dist/quarkus
  • #​26456 Supported option to specify resource management for pods in Keycloak CR dist/quarkus
  • #​26458 Support custom Infinispan configuration file in Keycloak CR operator
  • #​26460 Supported option to specify site name for multi-site deployments dist/quarkus
  • #​26500 Cookie Provider
  • #​26936 Support EC Key-Imports for the JavaKeystoreKeyProvider
  • #​27186 Meta description of admin-ui and account-ui cannot be changed in theme.properties

Enhancements

  • #​9508 Rename "Resident key" to "Discoverable Credential" docs
  • #​9758 User attributes with a text more than 255 characters storage
  • #​9784 Add truststore options to Keycloak CR operator
  • #​10794 Support importing Kubernetes CA operator
  • #​12009 Support for scope parameter in the refresh flow oidc
  • #​12352 Align Operator config naming with Quarkus distribution operator
  • #​12946 Add X509 thumbprint to JWT when using private_key_jwt oidc
  • #​13250 --verbose option doesn't work in Quarkus distribution dist/quarkus
  • #​15000 Add EdDSA/Ed25519 to WebAuthn Signature algorithms authentication/webauthn
  • #​15714 Supporting EdDSA oidc
  • #​16629 Increase the default iterations for Pbdkdf2-256/512 to match the updated OWASP recommendations authentication
  • #​17574 Add failedLoginNotBefore field to existing brute force detection status API
  • #​17735 Admin-UI: Show realm display name in realm drop down instead of realm id if available admin/ui
  • #​19190 Add "amr" to already implemented "acr" support
  • #​19285 Disable Groovy Closures when bootstrapping Picocli dist/quarkus
  • #​20125 Role mapping tab no longer visible when using fine grained permissions after upgrade from 20.0.3 to 21.0.2 admin/ui
  • #​21074 Identity providers: pagination in admin console
  • #​21343 Upgrade welcome theme to PatternFly 5 welcome/ui
  • #​21559 Provide raw OpenAPI specification alongside Keycloak Admin REST API html documentation
  • #​21578 Scope parameter in Oauth 2.0 token exchange
  • #​21771 List reload button for admin panel admin/ui
  • #​22436 Query users by 'LDAP_ID' is not working ldap
  • #​22922 Use Infinispan BOM instead of direct Infinispan dependencies storage
  • #​23057 Localization tabs admin/ui
  • #​23431 Allow user to select between `Forwarded` or `X-Forwarded-*` header
  • #​23470 Docs: authorization_services/topics/service-authorization-obtaining-permission.adoc authorization-services
  • #​23854 Use upstream Quarkus functionality for non-blocking probes dist/quarkus
  • #​23878 User profile configuration scoped to user-federation provider user-profile
  • #​23896 Changes in declarative user profile should result in admin events user-profile
  • #​24094 Map Store Removal: Delete map profiles from testsuite storage
  • #​24097 Map Store Removal: Delete container providers that were added to the base testsuite storage
  • #​24102 Map Store Removal: Delete Profile.Feature.MAP_STORAGE and all its usages storage
  • #​24103 Map Store Removal: Delete GlobalLockProvider storage
  • #​24105 Map Store Removal: Rename Legacy* classes storage
  • #​24107 Map Store Removal: Revert deprecated modules in model/legacy and rename "legacy" to "storage" storage
  • #​24148 Add config property to specify a list of truststores
  • #​24202 Cache stampede after client invalidation storage
  • #​24245 Parse default UserProfile configuration in the build time
  • #​24250 Allow selecting attributes from user profile when managing token mappers user-profile
  • #​24344 Enhance error logs and error events during UserInfo endpoint and Token Introspection failure
  • #​24412 Accessibility of 2FA method selection login/ui
  • #​24422 UMA 2 not evaluating as expected when using permission tickets authorization-services
  • #​24424 Query on update the ADFS FederationMetadata.xml on the keycloak instead of delete and recreating the IDP config #​24310 saml
  • #​24567 Map Store Removal: Revert changes related to map store in test classes in base testsuite storage
  • #​24668 Features versioning
  • #​24793 Map Store Removal: Remove `LockObjectsForModification` storage
  • #​24798 Add truststores to keycloak cr
  • #​24860 Initialize Infinispan earlier in the build chain dist/quarkus
  • #​24926 Add polish translations admin/ui
  • #​24995 Avoid deprecated API usage in testsuite/integration-arquillian/tests/base core
  • #​25058 Add Polish Translations to Account UI account/ui
  • #​25074 Update Kerberos provider for user-profile user-profile
  • #​25075 Update SSSD provider for user-profile user-profile
  • #​25103 Remove product from server info admin/ui
  • #​25113 Add a test for the LoadBalancerCheck
  • #​25146 Decouple "factory" methods from the "provider" methods on UserProfileProvider implementation user-profile
  • #​25149 Replace the existing themes with the dynamic templates from user profile user-profile
  • #​25236 Documentation about Australia Consumer Data Right security profile
  • #​25238 Add missing Arabic messages
  • #​25287 Upgrade Infinispan to 14.0.21.Final
  • #​25288 Map Store Removal: Remove protostream dependency storage
  • #​25300 Deprecate offline session preloading infinispan
  • #​25308 Map Store Removal: Revert changes made to backchannelLogout storage
  • #​25309 Map Store Removal: Remove ResponseSessionTask storage
  • #​25314 Supporting OAuth 2.1 for confidential clients oidc
  • #​25315 Client policies : executor for enforcing DPoP oidc
  • #​25316 Supporting OAuth 2.1 for public clients oidc
  • #​25328 Tests for client scopes/evaluate tab are missing
  • #​25375 Extra tests for realm roles
  • #​25388 Enable concurrent remote operations for Infinispan storage
  • #​25403 Implements attributes field in KeycloakProfile interface admin/client-js
  • #​25404 Adapt incremental build for latest changes in themes module ci
  • #​25415 Describe how to use Infinispan Batch CRs for automation with the external Infinispan storage
  • #​25416 Update UserProfileProvider.setConfiguration to accept UPConfig instead of String
  • #​25487 Add extra tests for realm-settings in admin-ui
  • #​25637 Client policies: executor for validate and match a redirect URI oidc
  • #​25638 Keycloak native implementation of SD-JWT core
  • #​25666 [Admin UI] Allow to customize built-in components administration UI via ConfiguredProvider
  • #​25691 More info on UserProfileContext user-profile
  • #​25738 Tooltips improvements when configuring user profile attribute user-profile
  • #​25770 X509 client certificate login label extends out of form login/ui
  • #​25823 Ability to declare a default "First broker login flow" per Realm
  • #​25872 Make the `user` attribute available to the `idp-review-user-profile.ftl` template
  • #​25882 RealmResourceProvider is not working as expected since version 23.0.0 core
  • #​25897 Admin UI: Show realm display name on welcome page admin/ui
  • #​25908 Could not format default value for log formats dist/quarkus
  • #​25915 Make more clear in the documentation that the wait time is only increased on multiples of the max number of failures docs
  • #​25935 Create Infinispan metrics with labels instead of long metric names
  • #​25962 Missing localization of cs+sk messages
  • #​25979 User profile attribute names with strange characters docs
  • #​25985 Enable verify-profile required action by default user-profile
  • #​26068 Reduce internal unsupported options in the Keycloak HA documentation
  • #​26083 Change RHDG references to Infinispan
  • #​26092 Do not use raw parameterized PropertyMapper dist/quarkus
  • #​26146 Migration docs for https://github.com/keycloak/keycloak/issues/15190 docs
  • #​26172 Permanently lock users out after X temporary lockouts during a brute force attack authentication
  • #​26198 Comprehensive log for the LoggingDistTest and Quarkus IT testsuite
  • #​26220 Don't differentiate Windows for getting started docs
  • #​26223 Use `--http-max-queued-requests` option in Keycloak HA documentation docs
  • #​26241 Do not use general debug log level for tests testsuite
  • #​26315 Fully remove reasteasy-core
  • #​26320 Allow formating numbers when rendering attributes user-profile
  • #​26325 Remove unused HttpResponse.setWriteCookiesOnTransactionComplete
  • #​26402 Improve wording in Concepts for configuring thread pools section in documentation
  • #​26416 Remove support for old cookie path
  • #​26430 Implement stricter controls at token endpoint for PKCE verification
  • #​26457 Remove support for multiple AUTH_SESSION_ID cookies
  • #​26469 Documentation for verify-profile required action enabled by default docs
  • #​26485 Add missing Arabic translations translations
  • #​26489 Ability to have alternative default user-profile configuration user-profile
  • #​26530 Map Store Removal: Remove `RealmModel` from authorization services interfaces storage
  • #​26552 Do we need to hide "required" settings for email? user-profile
  • #​26570 Upgrade liquibase to 4.25.1
  • #​26585 Improve UX of read-only attributes user-profile
  • #​26587 Documentation for SuppressRefreshTokenRotationExecutor oidc
  • #​26589 Allow Case-Insensitive Search on Provider Info Page in Admin UI admin/ui
  • #​26598 Map Store Removal: deprecate model legacy module storage
  • #​26626 Brute force detection should issue event for temporary lockout core
  • #​26634 Documentation for default validation changes due user-profile enabled docs
  • #​26683 Remove explicitly set `lit-element` version dist/quarkus
  • #​26689 Update Maven dependency versions for docs docs
  • #​26701 Upgrade to Quarkus 3.7.1 dist/quarkus
  • #​26730 Add Multi-AZ Aurora DB to CI store-integration-tests
  • #​26776 Update documentation to use new Infinispan configuration options
  • #​26781 Update HA guide about non-blocking probes docs
  • #​26810 Shorter lifespan for offline session cache entries in memory storage
  • #​26812 Upgrade to embedded Infinispan 14.0.24 storage
  • #​26819 Use version specific tag for Keycloak images in the docs docs
  • #​26859 Upgrade to Quarkus 3.8 dist/quarkus
  • #​26898 User profile: Add regression test for select inputs
  • #​26910 Keycloak Operator should add service-ca.crt to the truststore operator
  • #​26916 Upgrade to Quarkus 3.7.2 dist/quarkus
  • #​26919 doc: add a clear mention in the documentation about the storage of the refresh and access token docs
  • #​26921 Use latest OLM version for Operator CI testsuite
  • #​26929 Ignore unrecognized truststore formats if `--truststore-paths` is a directory dist/quarkus
  • #​26967 Aurora Postgres IT: Upload flaky and surefire test reports
  • #​27036 Upgrade to Quarkus 3.7.3 dist/quarkus
  • #​27048 Add Amazon Aurora PostgreSQL to the list of tested databases
  • #​27078 Update Keycloak HA Guide new resource limit settings
  • #​27084 Remove the preview note from Keycloak's HA guide
  • #​27093 "Open ID Connect" in docs / UIs should be "OpenID Connect"
  • #​27105 Add New User Registration Option on WebAuthn Authentication UI authentication/webauthn
  • #​27121 Remove references to Quarkus docs and absolute URLs from HA Guide docs
  • #​27123 Use AWS JDBC Wrapper in CI tests
  • #​27125 Add warning about too long attribute values
  • #​27143 Distinguish user registration action label from the security key registration action's one authentication/webauthn
  • #​27147 Replace "Security Key" with "Passkey" in WebAuthn UIs and their documents authentication/webauthn
  • #​27148 Allow overriding the default validators added to attributes user-profile
  • #​27169 Tweak the default memory request and limit in the Operator operator
  • #​27190 a11y improvements on login page
  • #​27226 Upgrade to Quarkus 3.7.4 dist/quarkus
  • #​27238 Add option to clients to use lightweight access token oidc
  • #​27280 Upgrade to Infinispan 14.0.25
  • #​27281 Allow option of using client_id instead of id_token_hint with RP-initiated logout in brokered IDP config/call. identity-brokering
  • #​27315 Change docker image to container image
  • #​27324 Remove RHSSO product documentation from upgrading guide docs
  • #​27326 Edit Keycloak 24.0 release notes docs
  • #​27327 Harmonize behaviour of different CertificateUtilsProvider implementations
  • #​27440 Edit Keycloak 23.x Release Notes
  • #​27452 Edit Keycloak 24 Upgrade guide

Bugs

  • #​9871 Remove Infinispan workarounds introduced to prevent deadlocks storage
  • #​11178 Event for MISSING_REQUIRED_DESTINATION with idp brokering incorrectly says error is related to logout even for a login response saml
  • #​13080 Encoded token stored as KC_RESTART cookie uses weak algorithm- HS256 authentication
  • #​13368 Issue when using DenyAuthenticator in direct-grant flow authentication
  • #​14448 Multiple failures in OfflineServletsAdapterTest (testServlet, testServletWithConsent, testServletWithRevoke) testsuite
  • #​14581 HTTP Redirect 303 to wrong URL (in case port is not 80) when trailing slash is not added dist/quarkus
  • #​14776 Mail verification isn't working for multiple accounts in one session (only on auto login by clicking the verification mail, not by logging in with the credentials) authentication
  • #​16260 Incorrect handling of OptionParserException in kcadm admin/cli
  • #​17155 UPDATED_PASSWORD user action shouldn't be triggered when login with linked IdP user-profile
  • #​17449 Removing the Realm ID and saving causes the realm to be vanished from the list of the realms admin/api
  • #​19183 token-exchange does apply clientScopes of the origin client token-exchange
  • #​19294 Error on starting keycloak when foldername contains ")" using kc.bat. dist/quarkus
  • #​19886 Allow configuration cookies with `SameSite=Strict` for better compliance with strict regulations and standards authentication
  • #​20304 When choosing resources in scope-based permission, multiple resource can be selected but only one will be visable admin/ui
  • #​20867 Control redirect after password reset core
  • #​21127 During password reset, the baseURL is not shown on the info page after browser restart authentication
  • #​21151 Realm import stack overflow import-export
  • #​21409 Brute Force Detection is disabled when updating frontenUrl via admin client authentication
  • #​21542 Context path missing in URL on OTP page to switch between QR code and manual code core
  • #​21730 v 22.0.0 - when creating a new realm the registration flow does not have terms and conditions step core
  • #​21951 Unable to use `<` as part of a password admin/cli
  • #​22082 Flaky test: org.keycloak.testsuite.model.session.OfflineSessionPersistenceTest#testPersistenceClientSessionsMultipleNodes storage
  • #​22401 Common resources in Welcome page didn't resolve correctly welcome/ui
  • #​22431 Localization: Admin UI doesn't pick up message bundles from realms other than master admin/ui
  • #​22507 User profile attributes not localized in account console V3 user-profile
  • #​22540 Description of "Configuring sources for Keycloak" inconsistent / misleading docs
  • #​22555 Docs: server_development/topics/identity-brokering.adoc docs
  • #​22660 Implementing custom ClientAuthenticator loses access to Client Secret Input Field in the Admin UI admin/ui
  • #​22691 Flaky test: org.keycloak.testsuite.forms.RecoveryAuthnCodesAuthenticatorTest#test03AuthenticateRecoveryAuthnCodes authentication
  • #​22836 Invalid redirect uri when identity provider alias has spaces identity-brokering
  • #​22904 Flaky test: org.keycloak.testsuite.model.session.OfflineSessionPersistenceTest#testPersistenceMultipleNodesClientSessionAtSameNode ci
  • #​22958 KeycloakErrorHandler NullPointerException String.toLowe rCase() because message is null authentication
  • #​23023 Undocumented change in priority of X-Forwarded-* headers as of Quarkus distribution core
  • #​23056 Flaky test: org.keycloak.testsuite.admin.concurrency.ConcurrencyTest#testAllConcurrently storage
  • #​23217 NoSuchFileException with ${kc.home.dir} on Windows dist/quarkus
  • #​23229 Realm client update via PUT returns invalid registration_client_uri with duplicated client ID in address admin/api
  • #​23268 New Install with MySQL failing with REALM_SOCIAL_CONFIG ADD issue storage
  • #​23399 Audience is lost after refreshing a RPT authorization-services
  • #​23683 Default-Value in UI for krbPrincipalAttribute is error prone admin/ui
  • #​23699 Account v3 theme - Localization not working on account console account/ui
  • #​23786 Failure: FipsDistTest ci
  • #​23966 Group members are displayed incorrectly when using LDAP in READ_ONLY mode admin/api
  • #​24082 Selected locale is not taking into accoun in `keycloak.v3 account` theme account/ui
  • #​24141 LDAP user mapper for username: user appears twice in the GUI ldap
  • #​24144 Unable to locate entity descriptor: org.keycloak.examples.domainextension.jpa.Company core
  • #​24200 NPE in User Session Note mapper on Token Exchange token-exchange
  • #​24219 admin-fine-grained-authz + client authorization settings requires view-client role admin/ui
  • #​24323 Refresh request ignores scope parameter from refresh request oidc
  • #​24353 Keycloak operator tries to manipulate Secret which is not managed by Keycloak operator
  • #​24361 Adding scopes via registration_client_uri does not work when using Dynamic Client Registration admin/api
  • #​24369 UpdateUserLocaleAction does not trigger EventType.UPDATE_PROFILE event user-profile
  • #​24459 Keycloak fails to start when uninstalling custom provider dist/quarkus
  • #​24464 Tabbing is not working in forms inside dropdown admin/ui
  • #​24485 NullPointerException when key is not available in the database oidc
  • #​24506 Reopening 2 - CVE-2023-21971 - Update Connector/J to 8.0.33 dependencies
  • #​24508 Deadlock when pre-loading remote sessions from external Infinispan storage
  • #​24595 Leaving Single Sign Out page open for too long and then confirming logout leads to error page authentication
  • #​24626 Upgrade testsuite to use SpringBoot 2.7 ci
  • #​24651 Deleting a User or User Group might cause that all users suddenly get the permissions of the deleted user. authorization-services
  • #​24652 SAML decryption fails if keycloak.saml.deprecated.encryption flag is set saml
  • #​24718 Mapper Option "Add to access token" Toggled Off Despite Claim Added to Token admin/ui
  • #​24767 Improve LDAP Condition implementations ldap
  • #​24783 Keycloak Admin UI - Help text not localized in Realm Events Setting UI admin/ui
  • #​24923 Importing Keycloak breaks typescript in esModule adapter/javascript
  • #​24960 OpenAPI spec doesn't match the admin API admin/api
  • #​24961 Keycloak not able to handle multiple validating X509 certificates when public key are the same saml
  • #​24980 The `DefaultActionToken` serializes a JSON Object with duplicate keys oidc
  • #​24986 `getMultiPartFormParameters()` always returns `EmptyMultivaluedMap` after upgrade to Resteasy Reactive core
  • #​25001 Client redirect_uri check must be compared using exact string matching oidc
  • #​25016 Make password visibility css classes configurable for themes login/ui
  • #​25033 Typo in the balloon help of SAML Username Template Importer core
  • #​25041 Incomplete Spanish translations for Admin UI translations
  • #​25051 Unexpected Application Error when clicking "Cancel" on user creation page admin/ui
  • #​25054 Read Only Access of the realm users' "Role mapping" tab is broken for Admin Console admin/ui
  • #​25060 fix debug log string core
  • #​25078 Log Injection during WebAuthn authentication/registration authentication
  • #​25096 Meaning of briefRepresentation query parameter is inverted in GroupResource.getSubGroups admin/api
  • #​25110 User Profile attribute with "Options" shows options of another attribute if none set on it user-profile
  • #​25111 RealmAdminResource.getGroupByPathGroup does not work with space in path parameter admin/api
  • #​25173 Make sure username is lowercase when normalizing attributes user-profile
  • #​25183 NullPointerException thrown for UPConfig.getGroups() user-profile
  • #​25208 GH Actions -> Keycloak CI -> MSSQL docker images fails during startup ci
  • #​25231 CIBA and PAR are broken since 23.0.0 (NPE) when using http protocol oidc
  • #​25235 Unable to start after updating Docker container dist/quarkus
  • #​25290 Social Login Tests unable to retrieve Federated Access Token from user session testsuite
  • #​25294 Kerberos principal attribute not found on LDAP user - even if kerberos authentication is off ldap
  • #​25322 Warning "Event object wasn't available in remote cache" when using remote store
  • #​25392 Admin Console: Realm Dropdown should only show the realms the user has access to admin/ui
  • #​25417 Avoid keycloak-admin-client in UI to call admin console UI extension admin/ui
  • #​25423 Confusing error message by pr-backport.sh when not authenticated to gh ci
  • #​25433 Key provider UI issue while saving - RSA admin/ui
  • #​25449 Clean up translations for DE/EN/NL for a first test-run of Weblate translations
  • #​25451 Admin cli failing when adding roles to a 3rd group in a list admin/cli
  • #​25463 Unnecessary user profile metdata sent on user update user-profile
  • #​25475 User Profile: If required roles ("user") and reqired scopes are set, the required scopes have no effect user-profile
  • #​25502 Account v3 theme - theme.properties Custom theme scripts not loading account/ui
  • #​25515 Deleting an atribute from the UI is reseting the unmanaged attribute policy user-profile
  • #​25544 Post Logout Redirect URIs "+" behavior is inconsistent with other usages (i.e. Web Origins) oidc
  • #​25565 OpenAPI: POST for /admin/realms response is 201 admin/api
  • #​25566 Failure in SSSDUserProfileTest.test05MixedInternalDBUserProfile testsuite
  • #​25584 iss not returned as query param in redirect to app when using "prompt=none" and user is not authenticated oidc
  • #​25601 OpenAPI: POST /admin/realms/{realm}/clients response is 201 admin/api
  • #​25604 OpenAPI: Client authz endpoints without responses admin/api
  • #​25628 Translations missing in user details role mapping admin/ui
  • #​25633 Parsing of labels issue IDs doesn't work with colons and the "fixes" keyword ci
  • #​25636 "Disable realm?" displayed when disabling client admin/ui
  • #​25642 Failure in KeycloakDistConfiguratorTest's 'missingHostname' check testsuite
  • #​25649 OpenAPI: In ClientRepresentation the property oauth2DeviceAuthorizationGrantEnabled was not known by the API. admin/api
  • #​25656 OpenAPI: POST /admin/realms/{realm}/clients-initial-access response is 201 admin/api
  • #​25660 Incorrect version of the fix in release notes
  • #​25677 Removing all group attributes no longer works with keycloak-admin-client (java) admin/client-java
  • #​25679 `/admin/realms/{realm-name}/ui-ext/realms` endpoint leaks realms the user doesn't have access to see admin/ui
  • #​25699 Flaky test Job URL missing on some runs ci
  • #​25704 Custom Validator is never executed when UserProfileContext is UPDATE_EMAIL user-profile
  • #​25714 Flaky test: org.keycloak.testsuite.adapter.servlet.OfflineServletsAdapterTest#testServlet ci
  • #​25731 /admin/realms/{realm}/groups Endpoint is slow admin/api
  • #​25746 Using kcadm.sh create components result to 400 Bad Request admin/cli
  • #​25752 [CI] Store Model Tests failures - UserSessionProviderOfflineModelTest, OfflineSessionPersistenceTest, UserSessionInitializerTest storage
  • #​25753 Backchannel logout token is missing the "exp" claim oidc
  • #​25783 Since 23, start-dev command line arguments parsing is buggy dist/quarkus
  • #​25789 User events: labels overlap content admin/ui
  • #​25827 admin ui uses hyphen instead of dot as realm attribute separator admin/ui
  • #​25853 Timeouts after upgrade of download action v4 ci
  • #​25878 HTML emails in Catalan don't contain links translations
  • #​25883 ldap-group-mapper fails when empty member: attribute is present ldap
  • #​25891 Optimize handling of terms and conditions during registration core
  • #​25892 Test suite depends on artifacts built only when distribution profile is active ci
  • #​25909 Keycloak HA Guide uses token for cross-site setup that expires
  • #​25912 LDAP federation reports "Creating new LDAP Store..." on every login ldap
  • #​25927 UI crash after using breadcrumb group navigation during an active group search admin/ui
  • #​25934 On invalid submission, IdpUsernamePasswordForm sends back the user to the standard UsernamePasswordForm template authentication
  • #​25939 Declartive user profile. When multiple attributes with options validator are defined and 1 is selected on UI shown that 2 of them have values. user-profile
  • #​25951 Masthead tests fail often admin/ui
  • #​25961 Native SQL Schema names broken on MySQL storage
  • #​25977 No error message displayed when trying to add read-only attribute to some user in `Attributes` tab user-profile
  • #​25980 Force reauthentication is ignored during identity brokering when mapping between OIDC and SAML protocols saml
  • #​25981 GitHub Status check is green if the build fails ci
  • #​26021 `mvn clean` does not work in js directory account/ui
  • #​26032 Duplicate tooltip/label for refresh button on device activity page account/ui
  • #​26036 subgroups clickopen not working admin/ui
  • #​26040 Subgroups-check is incorrect, and therefore subgroups are not clickable admin/ui
  • #​26051 Name ID Format field is confusing for User Attribute Mapper For NameID saml
  • #​26052 Configure OTP Form regenerates Secret on reload authentication
  • #​26059 Attempting to update settings for realm with "dots" in the name fails due to client side validation admin/ui
  • #​26060 Various Localization tab issues
  • #​26075 Next time you start message references the wrong command dist/quarkus
  • #​26088 Rest custom JAX-RS resource in kc 23: Method not allowed core
  • #​26131 Localization: Realm overrides subtab admin/ui
  • #​26132 Localization: Effective message bundles subtab admin/ui
  • #​26148 Keycloak JavaScript CI: client_scopes_test.spec.ts ci
  • #​26156 A11y critical violation in ProviderId form field admin/ui
  • #​26168 KC_DB_DRIVER is not propagated properly admin/cli
  • #​26177 Invalidate authentication session on repeated OTP failures authentication
  • #​26180 Invalidate authentication session on repeated Recovery Code failures authentication
  • #​26228 With fine grained permissions enabled, the grouptree rights check is not working correctly admin/ui
  • #​26231 keycloak-admin-client missing recent changes to group query parameters admin/client-js
  • #​26236 Ensure community-maintained translations are not part of product build account/ui
  • #​26266 Importing Realm with declarative user profile attributes fails user-profile
  • #​26281 Incorrect example in the Keycloak operator configuration operator
  • #​26291 Workflow failure: FIPS IT - KcSamlEncryptedIdTest#testEncryptedElementIsReadableInDeprecatedMode ci
  • #​26295 Incomplete Chinese Translation for Login Page translations
  • #​26308 Error when migrating from a realm where the user profile component does not hold any entry in the configuration user-profile
  • #​26323 Reset credentials action fails when triggered from first broker login flow identity-brokering
  • #​26330 HTTP status code 413 Request Entity Too Large for large SAMLResponse since Keycloak 23 saml
  • #​26334 Resource and permission titles missing for a new client admin/ui
  • #​26335 Bind flow modal broken admin/ui
  • #​26337 Write tests to cover binding a flow testsuite
  • #​26350 Fix more A11y violations admin/ui
  • #​26358 Apparently incorrect tooltip on "type" field for a "resource" in a client admin/ui
  • #​26363 Search dialog for authorization policy is wrong? admin/ui
  • #​26374 Workflow failure: Quarkus IT - FipsDistTest#testUnsupportedHttpsPkcs12KeyStoreInStrictMode ci
  • #​26375 The role Unassign button enabled in admin console even if no roles are selected admin/ui
  • #​26383 Labels for WebAuthN missing in Account Console account/ui
  • #​26390 More A11y Violations Detected admin/ui
  • #​26400 Workflow failure: Admin UI E2E - realm_test.spec.ts ci
  • #​26407 Typo in disable dialog admin/ui
  • #​26409 Duplicate `key` for credentials on sign in page account/ui
  • #​26418 Failed to link identity broker to user with a verified email by IdP email verification flow identity-brokering
  • #​26420 Labels for WebAuthN Passwordless missing in Account Console account/ui
  • #​26427 Operator CSV uses wrong format for `createdAt` field operator
  • #​26452 Row remains selected when "cancel" clicked on deleting translation in the Localization/Realm Overrides tab admin/ui
  • #​26464 "Test connection" on LDAPS URI does not test TLS handshake admin/api
  • #​26468 SPI-truststore-file-type option appears to be invalid docs
  • #​26490 Update Keycloak sizing guide after change of default hashing configuration core
  • #​26507 Failed to link the user with an existing read-token role from the federation provider when AddReadTokenRoleOnCreate was enabled for the IdP. storage
  • #​26529 Workflow failure: Quarkus IT - FipsDistTest#testUnsupportedHttpsPkcs12KeyStoreInStrictMode ci
  • #​26549 Mysterious settings changes due to Keycloak cluster changes admin/ui
  • #​26564 Issues related to IDNHomographValidator user-profile
  • #​26584 User details locale select broken in realm specific admin console admin/ui
  • #​26588 Infinite loop during X509 authentication authentication
  • #​26597 Keycloak UI meets "Internal Sever Error" after save "Refresh Token Max Reuse" number core
  • #​26604 Arc container is null dist/quarkus
  • #​26609 allow sending realm in request without changing the kc admin object admin/client-js
  • #​26612 Wrong delete messages in Realm overrides admin/ui
  • #​26618 CLIENT_ATTRIBUTES index idx_client_att_by_name_value no longer exists since KC 20 (postgres) storage
  • #​26631 Keycloak HA guide with blank and callout docs
  • #​26635 Account UI ships too much Beer in user attributes user-profile
  • #​26636 Immediately reflect flow binding status on flow definition page in Admin UI when binding an auth flow admin/ui
  • #​26643 Replace "message bundle" text to "translation" in realm overrides admin/ui
  • #​26649 PhantomJS does not send secure cookies over http://localhost core
  • #​26651 [keycloak.js] useNonce parameter is all-or-nothing adapter/javascript
  • #​26653 Disallow removing required filters when searching for effective message bundle. admin/ui
  • #​26665 Unable to modify access token lifespan at realm level. Keycloak stops working. core
  • #​26668 Wrong help for "Create initial access token" expiration field admin/ui
  • #​26686 Not possible to build documentation after quarkus upgrade docs
  • #​26697 When creating a user federation mapper changing the type doesn't change User Roles Retrieve Strategy admin/ui
  • #​26716 User Profile Applies Validation To Service Account Users user-profile
  • #​26727 Auto layout of authenticator flow graph only applies the second time admin/ui
  • #​26747 Tooltip for attribute name in user-profile configuration is incorrect user-profile
  • #​26750 Empty error message when validation issue due the PersonNameProhibitedValidator validation user-profile
  • #​26782 Accessing userinfo fails with CORS when token is expired or session is deleted oidc
  • #​26790 Workflow failure: Operator IT on OpenShift ci
  • #​26792 User profile 'uri' validator not working user-profile
  • #​26816 Keycloak server admin docs needs change with the new hashing iteration changes docs
  • #​26818 bug in operator example yaml operator
  • #​26826 Freemarker erroneously escapes/sanitizes URL in template.ftl (&) login/ui
  • #​26830 Duplicate "Refresh" buttons present in admin-ui admin/ui
  • #​26834 Disabling "Reset OTP" in "Reset credentials" flow throws error on "forgot password" authentication
  • #​26853 Fixing anchors in security apps guide in prod profile docs
  • #​26856 Remove custom user attributes section in server developer guide user-profile
  • #​26937 Once all default client scopes are deleted from the realm we can't create a new custom role. core
  • #​26941 When loading entries from a remote store at startup, no lifespan or expiry is set core
  • #​26951 Roles admin REST API for creating roles: Composite roles are expanded admin/api
  • #​26983 Group not found in list after creation core
  • #​27002 Refresh doesn't work in Localization/Effective message bundles admin/ui
  • #​27005 Unable to approve/deny permission requests account/ui
  • #​27031 Having read-only attributes stored at a user leads to validation warning on every login user-profile
  • #​27095 Cache Keys for Group pagination and other entries cannot be invalidated and updated infinispan
  • #​27120 Microsoft social login failure testsuite
  • #​27133 Workflow failure: Keycloak CI - Store IT (aurora-postgres) ci
  • #​27137 Users with fine-grained permissions can not create a user admin/ui
  • #​27140 Locale selector is unnecessarily visible without rights to locales admin/ui
  • #​27162 Default locale is set to null when not explicitly choosing a locale admin/ui
  • #​27173 Newly created authentication subflow is always disabled admin/ui
  • #​27234 Cannot update email in account console with `update-email` feature enabled account/ui
  • #​27243 Account console not working when lightweight-access-tokens used oidc
  • #​27271 AuthorityKeyIdentifierExtension should be calculated from caCert (if it present) in generateV3Certificate, not from subjPubKeyInfo core
  • #​27284 FolderTheme does not support Locales with extensions core
  • #​27290 AWS JDBC driver throws ConcurrentModificationException storage
  • #​27297 Check for duplicated usernames and emails when Login with email option is enabled user-profile
  • #​27316 Server admin guide not building downstream due to missing IDs docs
  • #​27337 Workflow failure: Admin UI E2E - realm_settings_user_profile_enabled admin/ui
  • #​27344 Secure Redirect URI executor issues oidc
  • #​27345 Workflow failure: Keycloak CI - OAuth 2.0 Grant Type SPI ci
  • #​27406 JavaDocs generation broken after removal of resteasy-core
  • #​27409 Apply remote store workaround also for configuration via CLI options
  • #​27412 OAuth 2.1 default profile lacks oauth-2-1-compliant setting for SecureRedirectUrisEnforcerExecutor oidc

v23.0.7

Compare Source

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Enhancements

  • #​26810 Shorter lifespan for offline session cache entries in memory storage

Bugs

  • #​22431 Localization: Admin UI doesn't pick up message bundles from realms other than master admin/ui
  • #​23786 Failure: FipsDistTest ci
  • #​25294 Kerberos principal attribute not found on LDAP user - even if kerberos authentication is off ldap
  • #​25731 /admin/realms/{realm}/groups Endpoint is slow admin/api
  • #​25883 ldap-group-mapper fails when empty member: attribute is present ldap
  • #​25912 LDAP federation reports "Creating new LDAP Store..." on every login ldap
  • #​25961 Native SQL Schema names broken on MySQL storage
  • #​26374 Workflow failure: Quarkus IT - FipsDistTest#testUnsupportedHttpsPkcs12KeyStoreInStrictMode ci
  • #​26529 Workflow failure: Quarkus IT - FipsDistTest#testUnsupportedHttpsPkcs12KeyStoreInStrictMode ci
  • #​26826 Freemarker erroneously escapes/sanitizes URL in template.ftl (&) login/ui
  • #​27120 Microsoft social login failure testsuite

v23.0.6

Compare Source

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Bugs

  • #​26427 Operator CSV uses wrong format for `createdAt` field operator
  • #​26597 Keycloak UI meets "Internal Sever Error" after save "Refresh Token Max Reuse" number core
  • #​26665 Unable to modify access token lifespan at realm level. Keycloak stops working. core

v23.0.5

Compare Source

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

v23.0.4

Compare Source

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

v23.0.3

Compare Source

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

v23.0.2

Compare Source

Highlights

Non-blocking health check for load balancers

A new health check endpoint available at /lb-check was added. The execution is running in the event loop which means this check is responsive also in overloaded situations when Keycloak needs to handle many requests waiting in request queue. This behavior is useful, for example, in multi-site deployment where we do not want to fail over to the other site under heavy load. The endpoint is currently checking availability of the embedded and external Infinispan caches. Other checks may be added later.

This endpoint is not available by default. To enable it, run Keycloak with feature multi-site. Proceed to Enabling and disabling features guide for more details.

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Enhancements

  • #​25113 Add a test for the LoadBalancerCheck
  • #​25287 Upgrade Infinispan to 14.0.21.Final

Bugs

  • #​24652 SAML decryption fails if keycloak.saml.deprecated.encryption flag is set saml
  • #​24986 `getMultiPartFormParameters()` always returns `EmptyMultivaluedMap` after upgrade to Resteasy Reactive core
  • #​25001 Client redirect_uri check must be compared using exact string matching oidc
  • #​25010 Bug: KC_DB_USERNAME environment variable is causing a crash in latest version dist/quarkus
  • #​25051 Unexpected Application Error when clicking "Cancel" on user creation page admin/ui
  • #​25108 Documentation Inconsistency about Open Banking(Finance) Brasil FAPI security profile docs
  • #​25124 If a client does not have a URL the applications page in the account console links to about:blank account/ui
  • #​25173 Make sure username is lowercase when normalizing attributes user-profile
  • #​25183 NullPointerException thrown for UPConfig.getGroups() user-profile
  • #​25307 Keycloak instance `HasErrors` true after update: `More than 1 secondary resource related to primary` operator

v23.0.1

Compare Source

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Bugs

  • #​23841 Users page with LDAP User Storage Provider Cannot read properties of undefined admin/ui
  • #​23872 Attempt to request storage access in Firefox oidc
  • #​24261 „Unlink users“-Option greyed out in ldap federation admin/ui
  • #​24958 Error handling in admin console when update of user fails due the 400 HTTP error code admin/ui
  • #​24961 Keycloak not able to handle multiple validating X509 certificates when public key are the same saml
  • #​24984 Operator is missing CRDs metadata in CSV operator
  • #​25008 Group search when creating user admin/ui
  • #​25022 NPE in checkAndBindMtlsHoKToken on Token Refresh when using SuppressRefreshTokenRotationExecutor and Certificate Bound Token oidc

v23.0.0

Compare Source

Highlights

OpenID Connect / OAuth 2.0

FAPI 2 drafts support

Keycloak has new client profiles fapi-2-security-profile and fapi-2-message-signing, which ensure Keycloak enforces compliance with the latest FAPI 2 draft specifications when communicating with your clients. Thanks to Takashi Norimatsu for the contribution.

DPoP preview support

Keycloak has preview for support for OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP). Thanks to Takashi Norimatsu and Dmitry Telegin for their contributions.

More flexibility for introspection endpoint

In previous versions, introspection endpoint automatically returned most claims, which were available in the access token. Now there is new switch Add to token introspection on most of protocol mappers. This addition allows more flexibility as introspection endpoint can return different claims than access token. This is first step towards "Lightweight access tokens" support as access tokens can omit lots of the claims, which would be still returned by the introspection endpoint. When migrating from previous versions, the introspection endpoint should return same claims, which are returned from access token, so the behavior should be effectively the same by default after the migration. Thanks to Shigeyuki Kabano for the contribution.

Feature flag for OAuth 2.0 device authorization grant flow

The OAuth 2.0 device authorization grant flow now includes a feature flag, so you can easily disable this feature. This feature is still enabled by default. Thanks to Thomas Darimont for the contribution.

Authentication

Passkeys support

Keycloak has preview support for Passkeys.

Passkey registration and authentication are realized by the features of WebAuthn. Therefore, users of Keycloak can do passkey registration and authentication by existing WebAuthn registration and authentication.

Both synced passkeys and device-bound passkeys can be used for both Same-Device and Cross-Device Authentication. However, passkeys operations success depends on the user​8217;s environment. Make sure which operations can succeed in the environment. Thanks to Takashi Norimatsu for the contribution and thanks to Thomas Darimont for the help with the ideas and testing of this feature.

WebAuthn improvements

WebAuthn policy now includes a new field: Extra Origins. It provides better interoperability with non-Web platforms (for example, native mobile applications). Thanks to Charley Wu for the contribution.

You are already logged-in

There was an infamous issue that when user had login page opened in multiple browser tabs and authenticated in one of them, the attempt to authenticate in subsequent browser tabs opened the page You are already logged-in. This is improved now as other browser tabs just automatically authenticate as well after authentication of first browser tab. There are still corner cases when the behaviour is not 100% correct, like the scenario with expired authentication session, which is then restarted just in one browser tab and hence other browser tabs won​8217;t follow automatically with the login. So we still plan improvements in this area.

Password policy for specify Maximum authentication time

Keycloak supports new password policy, which allows to specify the maximum age of an authentication with which a password may be changed by user without re-authentication. When this password policy is set to 0, the user will be required to re-authenticate to change the password in the Account Console or by other means. You can also specify a lower or higher value than the default value of 5 minutes. Thanks to Thomas Darimont for the contribution.

Deployments

Preview support for multi-site active-passive deployments

Deploying Keycloak to multiple independent sites is essential for some environments to provide high availability and a speedy recovery from failures. This release adds preview-support for active-passive deployments for Keycloak.

A lot of work has gone into testing and verifying a setup which can sustain load and recover from the failure scenarios. To get started, use the high-availability guide which also includes a comprehensive blueprint to deploy a highly available Keycloak to a cloud environment.

Adapters

OpenID Connect WildFly and JBoss EAP

OpenID Connect adapter for WildFly and JBoss EAP, which was deprecated in previous versions, has been removed in this release. It is being replaced by the Elytron OIDC adapter,which is included in WildFly, and provides a seamless migration from Keycloak adapters.

SAML WildFly and JBoss EAP

The SAML adapter for WildFly and JBoss EAP is no longer distributed as a ZIP download, but rather a Galleon feature pack, making it easier and more seamless to install.

See the Securing Applications and Services Guide for the details.

Server distribution

Load Shedding support

Keycloak now features http-max-queued-requests option to allow proper rejecting of incoming requests under high load. For details refer to the production guide.

RESTEasy Reactive

Keycloak has switched to RESTEasy Reactive. Applications using quarkus-resteasy-reactive should still benefit from a better startup time, runtime performance, and memory footprint, even though not using reactive style/semantics. SPI​8217;s that depend directly on JAX-RS API should be compatible with this change. SPI​8217;s that depend on RESTEasy Classic including ResteasyClientBuilder will not be compatible and will require update, this will also be true for other implementation of the JAX-RS API like Jersey.

User profile

Declarative user profile is still a preview feature in this release, but we are working hard on promoting it to a supported feature. Feedback is welcome. If you find any issues or have any improvements in mind, you are welcome to create Github issue, ideally with the label area/user-profile. It is also recommended to check the Upgrading Guide with the migration changes for this release for some additional informations related to the migration.

Group scalability

Performance around searching of groups is improved for the use-cases with many groups and subgroups. There are improvements, which allow paginated lookup of subgroups. Thanks to Alice for the contribution.

Themes

Localization files for themes default to UTF-8 encoding

Message properties files for themes are now read in UTF-8 encoding, with an automatic fallback to ISO-8859-1 encoding.

See the migration guide for more details.

Storage

Removal of the Map Store

The Map Store has been an experimental feature in previous releases. Starting with this release, it is removed and users should continue to use the current JPA store. See the migration guide for details.

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

New features

  • #​23155 [WebAuthn] origin validation not support for non-Web platforms core

Enhancements

  • #​431 Remove Wildfly/EAP OIDC and SAML adapter downloads web
  • #​505 Quickstarts - Wildfly upgrade and README cleanup quickstarts
  • #​510 SAML quickstart - provisioning of SAML adapter via Galleon quickstarts
  • #​9318 User profile configuration API is incorrectly typed docs
  • #​10128 Improve failed test behaviour operator
  • #​10620 Internationalized Domain Names in email address user-profile
  • #​10713 Update the server to use RESTEasy Reactive
  • #​10803 Persist session in JDBC store without using external infinispan cluster storage
  • #​11668 Declarative User Profile: weird behaviour in Account Management Console user-profile
  • #​12406 Remove "You are already logged-in" during authentication authentication
  • #​14009 CreatedTimestamp on REST import not used
  • #​14165 Cannot refresh RPT tokens authorization-services
  • #​14400 Add proxy options to Keycloak CR operator
  • #​15018 Enhancements around proxy and hostname configuration
  • #​15072 Allow setting a help text to an attribute user-profile
  • #​15109 Refactor patch-sources.sh used by the Operator operator
  • #​17258 Data too long for column 'DETAILS_JSON' storage
  • #​20343 message bundles are not included in the realm export import-export
  • #​20584 FAPI 2.0 security profile - supporting RFC 9207 OAuth 2.0 Authorization Server Issuer Identification
  • #​20695 Add support for single-tenant in Microsoft Identity Provider
  • #​20794 Can we simplify TokenManager.getRefreshExpiration() and TokenManager.getOfflineExpiration()? oidc
  • #​20884 [Admin Console v2] Policy creation at Permissions screen missing admin/ui
  • #​21073 Identity providers: pagination in admin REST API
  • #​21154 Allow existing mappers for Custom Identity Providers identity-brokering
  • #​21181 Add FAPI 2.0 security profile as default profile of client policies
  • #​21182 Enhancing Pluggable Features of Token Manager
  • #​21183 More flexibility for Introspection endpoint oidc
  • #​21200 DPoP support 1st phase
  • #​21444 Set `client_id` when using `private_key_jwt` with OIDC IdP identity-brokering
  • #​21945 Release notes for FAPI 2
  • #​22034 Keycloak, javascript lib to not use the escape() function adapter/javascript
  • #​22215 DPoP verification in UserInfo endpoint oidc
  • #​22318 Allow overriding Account Console resources for full control and backwards compatibility
  • #​22372 Expand Group providers to allow for paginated lookup of subgroups storage
  • #​22725 Do not initialize barrier build items for deployment dist/quarkus
  • #​22868 Clarification on the tooltip of option "Validate Password Policy" of LDAP provider admin/ui
  • #​23194 Add regex support in 'Condition - User attribute' execution authentication
  • #​23340 Implement load shedding for RESTEasy reactive
  • #​23527 Better usability when disabling user profile and loosing the previous cofiguration user-profile
  • #​23891 Add feature flag for OAuth 2.0 device authorization grant flow oidc
  • #​24024 User profile tweaks in registration forms user-profile
  • #​24072 Lots of parameters related to identity brokering uses `providerId` when they expect `providerAlias` identity-brokering
  • #​24273 Add a property to the User Profile Email Validator for max length of the local part user-profile
  • #​24278 Transient users: documentation core
  • #​24387 Move some UserProfile and Validation classes into keycloak-server-spi user-profile
  • #​24494 Transient users: Consents core
  • #​24535 Moving UPConfig and related classes from keycloak-services user-profile
  • #​24844 Add High Availability Guide to Keycloak's main repository
  • #​24912 Add Galleon layer metadata to the SAML Galleon feature-pack adapter/jee-saml

Bugs

  • #​468 Cant build it quickstarts
  • #​503 Automate Keycloak version replacement quickstarts
  • #​508 set-version script does not update package(-lock).json files in js and nodejs quickstarts quickstarts
  • #​515 [Keycloak Quickstarts CI failure] loginToAdminConsole method fails in ArquillianSysoutEventListenerProviderTest.testEventListenerOutput due to Unable to locate element: {"method":"css selector","selector":"#username"} exception quickstarts
  • #​8939 PAR fails to authenticate for public client oidc
  • #​9004 Access Token claims not imported using OpenID Connect v1.0 Identity Provider Attribute Importer Mappers oidc
  • #​10710 Rollup.js complains about the use of eval in one of keycloak.js's dependencies adapter/javascript
  • #​11699 Under heavy load, DefaultBruteForceProtector blocks the whole system authentication
  • #​12062 Declarative User Profile export user-profile
  • #​12171 Inconsistent authorization behavior when exporting data from a realm authorization-services
  • #​14134 [keycloak 18] cannot import users with correct ID in partial import admin/api
  • #​16379 Inconsistent handling of parenthesis in auth flow name admin/api
  • #​16526 Token introspection response does not follow RFC6479 "scope" parameter format oidc
  • #​19093 The create new user page requires the admin user to be given the "Manage-Realm" role in order to see the user profile attributes in the create new user page admin/api
  • #​19125 kcadm do not update defaultGroups docs
  • #​19154 Non working API docs link docs
  • #​19555 When update-email feature is enabled, changing emails two times in a row causes unintuitive behaviour authentication
  • #​20135 Searching for multiple types in the Events section gives an error admin/client-js
  • #​20218 Role mappers must return a single value when they are not multivalued oidc
  • #​20316 Email pattern is not compliant account/api
  • #​20453 Admin UI incredibly slow with 300 realms admin/api
  • #​20537 [Declarative User Profile] OIDCAttributeMapperHelper throws NumberFormatException for optional user attributes user-profile
  • #​20763 Flaky test: org.keycloak.testsuite.admin.authentication.FlowTest#testAddRemoveFlow ci
  • #​20830 Token-exchange is not working for OpenID Connect v1.0 provider in KC 21.1.1 token-exchange
  • #​20852 [Declarative User Profile] Attributes are created as required by default but switch is set to "not required" user-profile
  • #​20885 Key length is limited to 4000 characters storage
  • #​21010 Cannot display 'Authentication Flows' screen when a realm contains more than ~4000 clients storage
  • #​21123 NPE in getDefaultRequiredActionCaseInsensitively admin/api
  • #​21236 Keycloak Event clientId is null when ever a logout event is fired. core
  • #​21555 Listing realms due to realm drop-down admin/ui
  • #​21660 Wrong convert timestamp to date account/ui
  • #​21779 Flaky test: org.keycloak.testsuite.script.DeployedScriptAuthenticatorTest#loginShouldWorkWithScriptAuthenticator authentication
  • #​21780 Flaky test: org.keycloak.testsuite.script.DeployedScriptAuthenticatorTest#loginShouldFailWithScriptAuthenticator authentication
  • #​21797 DN with RDN that contains trailing backslash is imported incorrectly into Keycloak ldap
  • #​21805 Missing labels account console account/ui
  • #​21818 DN with RDN that contains trailing space is imported incorrectly into Keycloak ldap
  • #​21830 Operator doesn't pass on system property 'jgroups.dns.query' to Keycloak but an env variable, leading to a warning in the log operator
  • #​22143 WatchedSecretsTest.testSecretChangesArePropagated error in OCP ci
  • #​22177 Missing client_id validation match when authenticating client with JWT
  • #​22191 Verification of iss at refresh token request oidc
  • #​22332 Selecting resource on resource based permission gives error admin/ui
  • #​22337 kc.sh errors if using characters like semicolon inside the arguments docs
  • #​22375 Possible NullPointerException core
  • #​22395 Email sending fails when SPI truststore is configured and hostnameVerification set to 'ANY' core
  • #​22432 inputOptionLabels is not used by Admin UI admin/ui
  • #​22583 Fine grained permissions not rendering account/ui
  • #​22638 SAML AdvancedAttributeToRoleMapper does not allow predicate evaluation on same Array Attribute saml
  • #​22814 user search with "q" parameter ignores keys of length 1 and returns all users admin/api
  • #​22818 inputOptionLabels is not used by Account UI v3 account/ui
  • #​22890 Keycloak 22.0.1: NPE in Edit Identity Provider Mapper on second Save admin/api
  • #​22937 ProviderConfigProperty.MULTIVALUED_LIST_TYPE not working in FormAction admin/ui
  • #​22988 Cache stampede after realm cache invalidation infinispan
  • #​23044 Docs: server_admin/topics/sessions/transient.adoc authentication
  • #​23128 Regex defect in federation script federation-sssd-setup.sh dist/quarkus
  • #​23173 crypto/elytron package has several bugs core
  • #​23180 TypeError in user profile admin-ui admin/ui
  • #​23253 CLI args not recognized when running Quarkus dev mode dist/quarkus
  • #​23255 Several help text messages missing in saml identity provider admin/ui
  • #​23404 Cannot assign client roles to a user when a realm contains more than ~4000 clients storage
  • #​23444 After the recent switch to resteasy-reactive we are unable to use resteasy-classic or jersey jax-rs clients. dependencies
  • #​23582 Join group screen does not show child groups without filters admin/ui
  • #​23616 invalid tag in .ftl file user-profile
  • #​23692 Genetated access token exception then $ sign in client name core
  • #​23733 OpenAPI spec doesn't match the admin API admin/api
  • #​23753 Insufficient guard against path traversal GzipResourceEncodingProvider core
  • #​23789 Can not create attribute group before setting/removing an annotation user-profile
  • #​23795 Spelling errors in TokenManager.java oidc
  • #​23970 Keycloak does not export/import userprofile data when exporting the realm user-profile
  • #​24032 Group attributes are not saved if there are two attributes with the same key admin/ui
  • #​24035 Admin UI: Group details page is not updated by group list dropdown actions admin/ui
  • #​24067 Duplicate attribute groups show in list in UserProfile in admin ui admin/ui
  • #​24077 Internal server error when no firstName and lastName added on the user with User Profile Disabled and Verify Profile Enabled user-profile
  • #​24096 Document or avoid breaking change in UserSessionModel core
  • #​24160 HTTP/2 - Last parameter of POST form data contains 0x00 byte in some configurations. core
  • #​24183 Username now shown when creating a user and edit username is not allowed user-profile
  • #​24187 Admin UI group view shows attributes of previously viewed group admin/ui
  • #​24293 b.map is not a function error when LDAP server is offline core
  • #​24420 User profile behaves different in keycloak 22.0.5 user-profile
  • #​24453 Email-verified checkbox not visible anymore when user profile is enabled admin/ui
  • #​24455 NPE when logging in with TransientUser storage
  • #​24458 Unfriendly error message when user-storage provider not available admin/ui
  • #​24487 show/hide password in clear text button visible for hiden field in "forgot password" flow login/ui
  • #​24547 DPoP advertised on OIDC Well Known Endpoint even though DPoP feature is not enabled (preview feature) oidc
  • #​24551 the `./kc.sh tools completion` command cannot be recognized correctly admin/cli
  • #​24672 Basic auth is not RFC 2617 compliant authentication
  • #​24697 User cannot update profile when some invalid attribute invisible to him is present on his profile user-profile
  • #​24766 non-functioning session persistence when using JDBC over Infinispan infinispan
  • #​24792 Invalid redirect_uri if it contains uppercase letters authentication
  • #​24970 `jwt-decode` is being bundled into Keycloak JS admin/client-js

v22.0.5

Compare Source

v22.0.4

Compare Source

v22.0.3

Compare Source

v22.0.2

Compare Source

v22.0.1

Compare Source

v22.0.0

Compare Source

v21.1.2

Compare Source

v21.1.1

Compare Source

v21.1.0

Compare Source

v21.0.2

Compare Source


Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this MR and you won't be reminded about this update again.


  • If you want to rebase/retry this MR, check this box

This MR has been generated by Renovate Bot.

Edited by Renovate Bot

Merge request reports