Update dependency keycloak/keycloak to v25
This MR contains the following updates:
Package | Update | Change |
---|---|---|
keycloak/keycloak | major | 21.0.1 -> 25.0.2 |
Release Notes
keycloak/keycloak (keycloak/keycloak)
v25.0.2
Upgrading
Before upgrading refer to the migration guide for a complete list of changes.
All resolved issues
Enhancements
- #30094 Do not inherit 'https-client-auth' property for the management interface
- #30537 Document how Admin REST API endpoints work with Hostname config (docs)
- #30856 Remove inclusive language foreword (docs)
Bugs
- #19070 authBaseUrl error on different hostname-admin-url, hostname-url (admin/ui)
- #26042 Issue when start-dev in 23.0.1 (dist/quarkus)
- #28489 Missing help text on tokens tab (admin/ui)
- #29407 Need refresh attributes group translations on Users > Details tab (admin/ui)
- #29566 User Profile attributes/groups in Admin UI are not translated using Localization for non-master realm when signed in the master realm (account/ui)
- #29761 bug: disabling all default features no longer works (core)
- #29784 Exception while trying to run a LDAP sync with a group importer and a batch size less then the actual number of groups (ldap)
- #30329 Client secret rotation UI shows wrong rotated secret (admin/ui)
- #30355 New operator failing on health checks (operator)
- #30383 Account Console (v3) no longer highlights the current page in the nav bar (account/ui)
- #30436 Client Roles are not shown when clientId property is set (admin/ui)
- #30440 UI theme bug in KC 25.0.0 (admin/ui)
- #30444 Failed to evaluate permissions when fetchRoles is enabled on role policies (authorization-services)
- #30449 Migration stuck if versions incompatible (operator)
- #30521 "Client Offline Session Max" no longer available (admin/ui)
- #30541 Account UI resources try to load from admin path instead of frontend path (account/ui)
- #30552 After migrating from 24 to 25, the signature algorithms names do not display in drop down menu (admin/ui)
- #30591 Invalid character in spanish translation file for Identity Provider Link Template (translations)
- #30652 Default server port is used instead of the management interface port in the guide about running Keycloak in a container
- #30662 User policy -> select user shows user id instead of user name. (admin/ui)
- #30712 Remove of Multivalued Attribute due to - Adding translations when a new attribute is created (admin/ui)
- #30717 Broken external links (docs)
- #30821 Testing connection to ldap on the settings page does not work in 25.0.1 (ldap)
- #30837 Cannot find requested client with clientId (ldap)
- #30866 admin-cli invalid credentials (admin/cli)
- #30917 reCAPTCHA Enterprise v3 - Unrecognized field "accountDefenderAssessment" (core)
- #30947 Error when trying to edit authentication sub-flow name / description (admin/ui)
- #30992 Realm cannot be deleted if there are tons of consents (storage)
- #31014 "Verify Email" may cause other Required Actions to be ignored (authentication)
- #31050 Caching docs should name parameter runtime parameters, not build parameters (docs)
- #31146 IDP SAML Certificate should be text-area not text (admin/ui)
- #31167 After creating a new authentication flow and returning to the list, the "Used by" column displays "flow.undefined" (admin/ui)
- #31171 Single use tokens, like action tokens, has a claim `expiration` (core)
- #31187 Recaptcha links changed in the Google Docs (docs)
- #31196 The check for userdn in test ldap should consider that AD proxy user can be in non DN format (ldap)
- #31218 Clarify if JGroups thread metrics can be shown with embedded Infinispan
- #31219 [Docs] Broken link in Server Admin guide for JWT_Auth wiki (docs)
- #31224 Offline tokens created in Keycloak 9 will not work on Keycloak 25 (oidc)
- #31244 IdP redirect URL shows hostname_admin (admin/ui)
- #31267 multiple ldap url's not working on one realm (ldap)
v25.0.1
Upgrading
Before upgrading refer to the migration guide for a complete list of changes.
All resolved issues
Enhancements
- #19750 Use a proper FreeMarker template for the new consoles (account/ui)
- #30346 Enhance masking around config-keystore (dist/quarkus)
Bugs
- #25234 front channel logout to clients are not called at Identity Proxy when using front channel logout to Identity Provider( (oidc)
- #28643 Encountering `NullPointerException` - `KeycloakIdentity.getUserFromToken()` when running `admin-ui` locally (admin/ui)
- #30115 Admin v2 theme - theme.properties Custom theme scripts not loading (admin/ui)
- #30201 Keycloak CI - failure in Store IT (aurora-postgres) (ci)
- #30240 Custom attributes are removed during UPDATE PROFILE event (core)
- #30300 Upgrade to Keycloak 25 - Table 'USER_CONSENT' is specified twice on MySQL/MariaDB database (core)
- #30302 Methods of SimpleHttp are after change now too much protected (core)
- #30306 Upgrade to Keycloak 25 - Events bug in UI (admin/ui)
- #30332 Operator fails to patch ingress after update to 25.0.0 (operator)
- #30334 RESTART_AUTHENTICATION_ERROR when login in in private browser window after 25.0.0 update (core)
- #30351 Migration of sessions in KC25 should run only on migration, not on imports
- #30368 Documentation : label error for persistent-user-sessions feature flag (docs)
- #30417 Keycloak 25 db guide shows unevaluated "ifeval (docs)
- #30432 keycloak hostname:v2 /admin used on "hostname" instead of "hostname-admin" (admin/ui)
- #30434 Improvements for ldap test authentication (ldap)
- #30492 partial_import_test fails randomly (admin/ui)
v25.0.0
Highlights
Account Console v2 theme removed
The Account Console v2 theme has been removed from Keycloak. This theme was deprecated in Keycloak 24 and replaced by the Account Console v3 theme. If you are still using this theme, you should migrate to the Account Console v3 theme.
Java 21 support
Keycloak now supports OpenJDK 21, as we want to stick to the latest LTS OpenJDK versions.
Java 17 support is deprecated
OpenJDK 17 support is deprecated in Keycloak, and will be removed in a following release in favor of OpenJDK 21.
Most of Java adapters removed
As stated in the release notes of the previous Keycloak version, most of the Java adapters are now removed from the Keycloak codebase and download pages.
For OAuth 2.0/OIDC, this includes removal of the Tomcat adapter, WildFly/EAP adapter, Servlet Filter adapter, KeycloakInstalled desktop adapter, the jaxrs-oauth-client adapter, JAAS login modules, Spring adapter and SpringBoot adapters.
You can check our older post for the list of some alternatives.
For SAML, this includes removal of the Tomcat adapter and Servlet filter adapter. SAML adapters are still supported with WildFly and JBoss EAP.
The generic Authorization Client library is still supported, and we still plan to support it. It aims to be used in combination with any other OAuth 2.0 or OpenID Connect libraries. You can check the quickstarts for some examples where this authorization client library is used together with the 3rd party Java adapters like Elytron OIDC or SpringBoot. You can check the quickstarts also for the example of SAML adapter used with WildFly.
Upgrade to PatternFly 5
In Keycloak 24, the Welcome page is updated to use PatternFly 5, the latest version of the design system that underpins the user interface of Keycloak. In this release, the Admin Console and Account Console are also updated to use PatternFly 5. If you want to extend and customize the Admin Console and Account Console, review the changes in PatternFly 5 and update your customizations accordingly.
Argon2 password hashing
Argon2 is now the default password hashing algorithm used by Keycloak in a non-FIPS environment.
Argon2 was the winner of the 2015 password hashing competition and is the recommended hashing algorithm by OWASP.
In Keycloak 24 the default hashing iterations for PBKDF2 were increased from 27.5K to 210K, resulting in a more than 10 times increase in the amount of CPU time required to generate a password hash. With Argon2 it is possible to achieve better security with almost the same CPU time as previous releases of Keycloak. One downside is that Argon2 requires more memory, which is precisely what makes it resistant against GPU attacks. The defaults for Argon2 in Keycloak require 7MB per hashing request. To prevent excessive memory and CPU usage, the parallel computation of hashes by Argon2 is by default limited to the number of cores available to the JVM. To support the memory-intensive nature of Argon2, we have updated the default GC from ParallelGC to G1GC for better heap utilization.
New Hostname options
In response to the complexity and lack of intuitiveness experienced with previous hostname configuration settings, we are proud to introduce Hostname v2 options.
We have listened to your feedback, tackled the tricky issues, and created a smoother experience for managing hostname configuration. Be aware that the behavior behind these options has also changed and needs your attention if you use custom hostname settings.
Hostname v2 options are supported by default, as the old hostname options are deprecated and will be removed in the following releases. You should migrate to them as soon as possible.
New options are activated by default, so Keycloak will not recognize the old ones.
For information on how to migrate, see the Upgrading Guide.
Persistent user sessions
Previous versions of Keycloak stored only offline user and offline client sessions in the databases.
The new feature persistent-user-session stores online user sessions and online client sessions not only in memory, but also in the database.
This will allow a user to stay logged in even if all instances of Keycloak are restarted or upgraded.
The feature is a preview feature and disabled by default. To use it, add the following to your build command:
`bin/kc.sh build --features=persistent-user-session ...`
For more details see the Enabling and disabling features guide. The sizing guide contains a new paragraph describing the updated resource requirements when this feature is enabled.
For information on how to upgrade, see the Upgrading Guide.
Cookies updates
SameSite attribute set for all cookies
The following cookies did not use to set the SameSite attribute, which in recent browser versions results in them defaulting to SameSite=Lax:
- KC_STATE_CHECKER now sets SameSite=Strict
- KC_RESTART now sets SameSite=None
- KEYCLOAK_LOCALE now sets SameSite=None
- KEYCLOAK_REMEMBER_ME now sets SameSite=None
The default value SameSite=Lax causes issues with POST based bindings, mostly applicable to SAML, but also used in some OpenID Connect / OAuth 2.0 flows.
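As an added example (not Keycloak's own code), the following Python audit parses Set-Cookie headers from a login response and flags cookies whose SameSite attribute does not match what this release sets, including the "no attribute at all" case that older releases produced and that browsers treat as Lax; the sample headers are constructed, with made-up values and paths.

```python
# Audit Set-Cookie headers against the SameSite values Keycloak 25
# documents for its cookies. Added example; sample headers are constructed.

# SameSite value the Keycloak 25 release notes document for each cookie.
EXPECTED_SAMESITE = {
    "KC_STATE_CHECKER": "Strict",
    "KC_RESTART": "None",
    "KEYCLOAK_LOCALE": "None",
    "KEYCLOAK_REMEMBER_ME": "None",
}

# Constructed sample: three cookies as Keycloak 25 sets them, plus one
# the way an older release set it (no SameSite attribute). Values are fake.
SAMPLE_SET_COOKIE_HEADERS = [
    "KC_STATE_CHECKER=abc123; Path=/realms/demo/; HttpOnly; Secure; SameSite=Strict",
    "KC_RESTART=eyJhbGciOi...; Path=/realms/demo/; HttpOnly; Secure; SameSite=None",
    "KEYCLOAK_LOCALE=en; Path=/realms/demo/; HttpOnly; Secure; SameSite=None",
    "KEYCLOAK_REMEMBER_ME=username:alice; Path=/realms/demo/; Max-Age=2592000; HttpOnly; Secure",
]


def parse_set_cookie(header):
    """Return (name, value, attrs) for one Set-Cookie header.

    attrs maps lower-cased attribute names to their value, or True for
    flag attributes such as HttpOnly and Secure.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs


def audit_cookie(header):
    """Return (cookie name, list of findings) for one Set-Cookie header.

    Cookies the release notes do not mention produce no findings.
    """
    name, _, attrs = parse_set_cookie(header)
    findings = []
    expected = EXPECTED_SAMESITE.get(name)
    if expected is None:
        return name, findings
    samesite = attrs.get("samesite")
    if samesite is None:
        # Missing attribute: recent browsers default to Lax, which breaks
        # POST-based bindings (SAML, some OIDC flows).
        findings.append(
            f"no SameSite attribute: browser defaults to Lax, expected {expected}"
        )
    elif samesite.lower() != expected.lower():
        findings.append(f"SameSite={samesite}, expected {expected}")
    # Browsers only accept SameSite=None on cookies that are also Secure.
    if (samesite or "").lower() == "none" and "secure" not in attrs:
        findings.append("SameSite=None without Secure: browser rejects the cookie")
    return name, findings


def audit(headers):
    """Map cookie name -> findings for every header that has a finding."""
    return {name: f for name, f in (audit_cookie(h) for h in headers) if f}


if __name__ == "__main__":
    for cookie, problems in audit(SAMPLE_SET_COOKIE_HEADERS).items():
        print(cookie, "->", "; ".join(problems))
```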
Removing KC_AUTH_STATE cookie
The cookie KC_AUTH_STATE is removed and it is no longer set by the Keycloak server, as the server no longer needs this cookie.
Deprecated cookie methods removed
The following APIs for setting custom cookies have been removed:
- ServerCookie - replaced by NewCookie.Builder
- LocaleSelectorProvider.KEYCLOAK_LOCALE - replaced by CookieType.LOCALE
- HttpCookie - replaced by NewCookie.Builder
- HttpResponse.setCookieIfAbsent(HttpCookie cookie) - replaced by HttpResponse.setCookieIfAbsent(NewCookie cookie)
Addressed 'You are already logged in' for expired authentication sessions
The Keycloak 23 release provided improvements for when a user is authenticated in parallel in multiple browser tabs. However, this improvement did not address the case when an authentication session expired. Now, when the user is already logged in in one browser tab and an authentication session expired in other browser tabs, Keycloak is able to redirect back to the client application with an OIDC/SAML error, so the client application can immediately retry authentication, which should usually log in the application automatically because of the SSO session. For more details, see Server Administration Guide authentication sessions.
Lightweight access token to be even more lightweight
In previous releases, the support for lightweight access token was added. In this release, we managed to remove even more built-in claims from the lightweight access token. The claims are added by protocol mappers. Some of them affect even the regular access tokens or ID tokens as they were not strictly required by the OIDC specification.
- Claims sub and auth_time are added by protocol mappers now, which are configured by default on the new client scope basic, which is added automatically to all the clients. The claims are still added to the ID token and access token as before, but not to the lightweight access token.
- Claim nonce is added only to the ID token now. It is not added to a regular access token or lightweight access token. For backwards compatibility, you can add this claim to an access token by a protocol mapper, which needs to be explicitly configured.
- Claim session_state is not added to any token now. It is still possible to add it by protocol mapper if needed. There is still the other dedicated claim sid supported by the specification, which was available in previous versions as well and which has exactly the same value.
For more details, see the Upgrading Guide.
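As an added example (not Keycloak code), this Python helper decodes a pre-25 token and reports which of the claims a client actually reads will no longer be emitted by default for that token type after the upgrade, pointing at sid as the documented replacement for session_state; the token is constructed and unsigned, and the decoder deliberately does not verify signatures because it is an inspection aid only.

```python
# Report which claims a client depends on disappear after the Keycloak 25
# upgrade, per the lightweight-token changes in the release notes.
# Added example; the sample token is constructed, not a real Keycloak token.
import base64
import json

# Claims Keycloak 25 no longer emits by default, per token type
# (from the "Lightweight access token" section of the release notes).
REMOVED_BY_DEFAULT = {
    "id_token": {"session_state"},
    "access_token": {"nonce", "session_state"},
    "lightweight_access_token": {"sub", "auth_time", "nonce", "session_state"},
}
# session_state has a standard replacement carrying the same value; the
# others only come back through an explicitly configured protocol mapper.
REPLACEMENT = {"session_state": "sid"}


def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def jwt_payload(token):
    """Return the payload claims of a compact JWT.

    Inspection only: the signature is NOT verified, so never use this
    function to make an authorization decision.
    """
    segments = token.split(".")
    if len(segments) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(segments[1]))


def claims_lost_after_upgrade(token, token_type, claims_read_by_client):
    """Map each claim the client reads that Keycloak 25 stops emitting for
    token_type to its replacement claim (None when there is none)."""
    payload = jwt_payload(token)
    removed = REMOVED_BY_DEFAULT[token_type]
    return {
        claim: REPLACEMENT.get(claim)
        for claim in sorted(claims_read_by_client)
        if claim in payload and claim in removed
    }


def constructed_pre25_token():
    """A fake, unsigned access token populated the way Keycloak < 25 did
    (all values made up; "sig" stands in for a signature)."""
    header = {"alg": "none", "typ": "JWT"}
    payload = {
        "iss": "https://sso.example.test/realms/demo",
        "sub": "4c7f1b0e-0000-4000-8000-000000000001",
        "auth_time": 1700000000,
        "nonce": "n-0S6_WzA2Mj",
        "session_state": "5e8b0a12-0000-4000-8000-000000000002",
        "sid": "5e8b0a12-0000-4000-8000-000000000002",
        "exp": 1700000300,
    }
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(payload).encode()),
        "sig",
    ])


if __name__ == "__main__":
    token = constructed_pre25_token()
    # A client that reads sub and session_state from a lightweight token
    # loses both; session_state can be swapped for sid.
    print(claims_lost_after_upgrade(
        token, "lightweight_access_token", {"sub", "exp", "session_state"}))
```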
Support for application/jwt media-type in token introspection endpoint
You can use the HTTP header Accept: application/jwt when invoking a token introspection endpoint. When enabled for a particular client, it returns a claim jwt from the token introspection endpoint with the full JWT access token, which can be useful especially for the use cases when the client calling the introspection endpoint used a lightweight access token. Thanks to Thomas Darimont for the contribution.
Password policy for check if password contains Username
Keycloak supports a new password policy that allows you to deny user passwords that contain the user's username.
Required actions improvements
In the Admin Console, you can now configure some required actions in the Required actions tab of a particular realm. Currently, Update password is the only built-in configurable required action. It supports setting Maximum Age of Authentication, which is the maximum time users can update their password by the kc_action parameter (used for instance when updating the password in the Account Console) without re-authentication. The sorting of required actions is also improved. When there are multiple required actions during authentication, all actions are sorted together regardless of whether those are actions set during authentication (for instance by the kc_action parameter) or actions added to the user account manually by an administrator.
Thanks to Thomas Darimont and Daniel Fesenmeyer for the contributions.
Passkeys improvements
The support for Passkeys conditional UI was added. When the Passkeys preview feature is enabled, there is a dedicated authenticator available, which means you can select from a list of available passkeys accounts and authenticate a user based on that. Thanks to Takashi Norimatsu for the contribution.
Default client profile for SAML
The default client profile to have secured SAML clients was added. When browsing through client policies of a realm in the Admin Console, you see a new client profile saml-security-profile. When it is used, security best practices are applied for SAML clients: signatures are enforced, the SAML Redirect binding is disabled, and wildcard redirect URLs are prohibited.
Authenticator for override existing IDP link during first-broker-login
A new authenticator, Confirm override existing link, was added. This authenticator allows overriding the linked IDP username for a Keycloak user that was already linked to a different IDP identity before. More details are in the Server Administration Guide. Thanks to Lex Cao for the contribution.
OpenID for Verifiable Credential Issuance - experimental support
There is work in progress on the support of OpenID for Verifiable Credential Issuance (OID4VCI). Right now, this is still work in progress, but things are being gradually added. Keycloak can act as an OID4VC Issuer with support of Pre-Authorized code flow. There is support for verifiable credentials in the JWT-VC, SD-JWT-VC and VCDM formats. Thanks to the members of the OAuth SIG groups for the contributions and feedback and especially thanks to Stefan Wiedemann, Francis Pouatcha, Takashi Norimatsu and Yutaka Obuchi.
Searching by user attribute no longer case insensitive
When searching for users by user attribute, Keycloak no longer searches for user attribute names forcing lower case comparisons. The goal of this change was to speed up searches by using Keycloak's native index on the user attribute table. If your database collation is case-insensitive, your search results will stay the same. If your database collation is case-sensitive, you might see fewer search results than before.
Breaking fix in authorization client library
For users of the keycloak-authz-client library, calling AuthorizationResource.getPermissions(…) now correctly returns a List<Permission>.
Previously, it would return a List<Map> at runtime, even though the method declaration advertised List<Permission>.
This fix will break code that relied on casting the List or its contents to List<Map>. If you have used this method in any capacity, you are likely to have done this and be affected.
IDs are no longer set when exporting authorization settings for a client
When exporting the authorization settings for a client, the IDs for resources, scopes, and policies are no longer set. As a result, you can now import the settings from a client to another client.
Management port for metrics and health endpoints
Metrics and health checks endpoints are no longer accessible through the standard Keycloak server port.
As these endpoints should be hidden from the outside world, they can be accessed on a separate default management port 9000.
This avoids exposing them to users as standard Keycloak endpoints in Kubernetes environments. The new management interface provides a new set of options and is fully configurable.
Keycloak Operator assumes the management interface is turned on by default. For more details, see Configuring the Management Interface.
Syslog for remote logging
Keycloak now supports Syslog protocol for remote logging. It utilizes the protocol defined in RFC 5424. By default, the syslog handler is disabled, but when enabled, it sends all log events to a remote syslog server.
For more information, see the Configuring logging guide.
Change to class EnvironmentDependentProviderFactory
The method EnvironmentDependentProviderFactory.isSupported() was deprecated for several releases and has now been removed.
For more details, see the Upgrading Guide.
All cache options are runtime
It is now possible to specify the cache, cache-stack, and cache-config-file options during runtime.
This eliminates the need to execute the build phase and rebuild your image due to them.
For more details, see the Upgrading Guide.
High availability guide enhanced
The high availability guide now contains a guide on how to configure an AWS Lambda to prevent an intended automatic failback from the Backup site to the Primary site.
Removing deprecated methods from AccessToken, IDToken, and JsonWebToken classes
In this release, we are finally removing deprecated methods from the following classes:
- AccessToken
- IDToken
- JsonWebToken
For more details, see the Upgrading Guide.
Method getExp added to SingleUseObjectKeyModel
As a consequence of the removal of deprecated methods from AccessToken, IDToken, and JsonWebToken, the SingleUseObjectKeyModel also changed to keep consistency with the method names related to expiration values.
For more details, see the Upgrading Guide.
Support for PostgreSQL 16
The supported and tested databases now include PostgreSQL 16.
Introducing support for Customer Identity and Access Management (CIAM) and Multi-tenancy
In this release, we are delivering Keycloak Organizations as a technology preview feature.
This feature provides a realm with some core CIAM capabilities, which will serve as the baseline for more capabilities in the future to address Business-to-Business (B2B) and Business-to-Business-to-Customers (B2B2C) use cases.
In terms of functionality, the feature is complete. However, we still have work to do to make it fully supported in the next major release. This remaining work is mainly about preparing the feature for production deployments with a focus on scalability. Also, depending on the feedback we get until the next major release, we might eventually accept additional capabilities and add more value to the feature, without compromising its roadmap.
For more details, see Server Administration Guide.
Upgrading
Before upgrading refer to the migration guide for a complete list of changes.
All resolved issues
New features
- #25940 Support Credentials Issuance through the OID4VCI Protocol (oid4vc)
- #25942 Issue Verifiable Credentials in the SD-JWT-VC format (oid4vc)
- #25943 Issue Verifiable Credentials in the VCDM format (oid4vc)
- #25945 Extend Account Console to support Credentials Issuance Self-Service (account/ui)
- #26201 Introduce a new Authenticator to handle duplicate IdP broker links (authentication)
- #27673 Hardcoded SAML metadata URL in admin-v2 (admin/ui)
- #27728 Reflect new hostname v2 options in Keycloak CR (operator)
- #27729 Add documentation for Hostname v2 (docs)
- #27730 Release notes and Migration guide for Hostname v2 (docs)
- #28030 Create Argon2 password hashing provider
- #28400 Make RequiredActions configurable
- #28608 Allow onboarding organization members through a registration invitation link
- #28750 CLI options to disable encryption and authentication to external Infinispan (dist/quarkus)
- #28938 Need inline translation assistance for user profile attribute groups.
- #29491 Remove Oracle JDBC driver out of the box (docs)
- #29539 Add CRUD for organizations to admin client
- #29627 Expose Authorization Server Metadata Endpoint under /.well-known/oauth-authorization-server to comply with rfc8414 (oid4vc)
- #29634 Expose JWT VC Issuer Metadata /.well-known/jwt-vc-issuer to comply with SD-JWT VC Specification (oid4vc)
Enhancements
- #11757 Declarative User Profile: local-date validation and html5-date clash (user-profile)
- #13113 Conditionally enable and disable CLI options (dist/quarkus)
- #16295 JsonSerialization does not load all available modules from the classpath
- #17530 Add Portuguese translations
- #19334 Support management port for health and metrics in Quarkus 3 (dist/quarkus)
- #20736 uma-ticket returns 403 even though user has access, when User Realm Role isn't present in access Token (authorization-services)
- #20792 Make it clear that `Client Offline Token Max` should not be set when `Offline Session Max Limited` is disabled for realm (admin/ui)
- #20916 DefaultHttpClientFactory should handle the encoding of the response (core)
- #21185 Protocol mapper and client scope for sub claim
- #21344 Upgrade account theme to PatternFly 5 (account/ui)
- #21345 Upgrade admin theme to PatternFly 5 (admin/ui)
- #21439 Allow options to support any value in addition to a list of pre-defined values. (dist/quarkus)
- #21562 Make sure admin events are not referencing sensitive data from their representation (admin/api)
- #21961 Allow to provider password to kcadm (keycloak-admin-cli) via environment variable (admin/cli)
- #22436 Query users by 'LDAP_ID' is not working (ldap)
- #22711 Enable theme caches by default in start-dev (dist/quarkus)
- #24192 Refine how ConfigSource names are being used (dist/quarkus)
- #24264 Passkeys: Supporting WebAuthn Conditional UI (authentication/webauthn)
- #24466 Look if checks in IntrospectionEndpoint can be simplified (oidc)
- #25057 Inconsistent behaviour on getting user permissions using authorization (authorization-services)
- #25114 User Profile "Input placeholder" and other annotations - Use Localization keys (user-profile)
- #26162 Optimize query batching and result fetching by tuning Hibernate parameters
- #26443 Show an error message when file does not exist for the `config-file` parameter (dist/quarkus)
- #26504 Localization Proposal 2 (admin/ui)
- #26654 Initial client policies integration for SAML (saml)
- #26657 Map Storage Removal: Remove deprecated model/legacy module (storage)
- #26695 Keycloak and MSAD: enabling account in MSAD does not propagate to Keycloak (ldap)
- #26713 Refactoring JavaScript code of WebAuthn's authenticators to follow the current Keycloak's JavaScript coding convention (authentication/webauthn)
- #27264 Trivy Analysis warnings should be fixed
- #27433 Clarify format of keys in `additionalOptions` field in the Keycloak CR (docs)
- #27442 Use browser router for Account Console (account/ui)
- #27481 Edit High Availability guide
- #27484 Edit 23.0 changes part of Upgrading Guide
- #27494 Use JDK17 functionality in the KC Operator (operator)
- #27508 Use new remote-store options in HA guides
- #27509 Upgrade to Aurora Postgres 15.5
- #27515 `ClusterProvider` should no longer be deprecated now that "legacy" is the default
- #27527 CS and SK localized messages need an update
- #27544 Expose quarkus syslog logging now GELF is being deprecated from Keycloak (dist/quarkus)
- #27545 Simplify handling of profile features in test cases
- #27549 Make general `cache` options runtime (dist/quarkus)
- #27574 Support for script providers when running in embedded mode (testsuite)
- #27602 Remove offline session preloading
- #27614 Remove additional handlers for health and metrics endpoints (dist/quarkus)
- #27632 Integrate downstream Upgrading Guide changes into upstream
- #27696 Upgrade to Quarkus 3.8.2 (dist/quarkus)
- #27724 Enable Infinispan metrics by default
- #27787 Missing API documentation for /admin/realms/{realm}/groups/{group-id}
- #27871 Upgrade to Infinispan 14.0.26 (core)
- #27924 Enable http metrics once Quarkus 3.8.3 is available
- #27953 Address feedback to Keycloak Server guide (docs)
- #27976 Persist online sessions to the database
- #27997 Make the Language Selector sorted and searchable
- #28009 Address edits to the Operator Guide
- #28033 Upgrade Infinispan to 14.0.27.Final
- #28035 update for messages_de.properties required (translations)
- #28084 Upgrade to Quarkus 3.8.3 (dist/quarkus)
- #28120 Default password hashing algorithm should be set to default password hash provider
- #28142 Update HA Guide now that non-XA mode is the default
- #28145 Align help output for Quarkus distribution across Windows and Linux (dist/quarkus)
- #28161 Use Argon2 password hashing by default
- #28178 Provide histograms for http server metrics
- #28256 Prevent duplicate form submission in Create realm dialog in admin ui (admin/ui)
- #28318 Use the same new code for persistent sessions for offline sessions (core)
- #28336 Provide a dedicated way of updating Quarkus classloading indices
- #28388 Handle concurrent writes to sessions more gracefullly
- #28429 Add details to error messages, especially around refresh tokens
- #28436 When LDAP groups synchronization fails, show root cause in admin UI (admin/api)
- #28448 Avoid deprecated `jboss-modules` method usage
- #28453 More conventional looking conditional element in authentication diagram (admin/ui)
- #28460 Polishing docs for lightweight tokens (oidc)
- #28477 The concurrency of hashing leads to increased memory usage and CPU throttling
- #28501 Batch updates to the database to avoid using too many IOPS
- #28517 Java 21 support
- #28567 Change user_id value for REFRESH_TOKEN and REFRESH_TOKEN_ERROR events (oidc)
- #28616 Add ui-tab context information into the onCreate
- #28650 Improve german translations for admin ui
- #28654 Refine the warning produced when a non-cli build-time property is used at runtime (dist/quarkus)
- #28672 For client-credential-grants, there shouldn't be an interaction with the authentication cache
- #28729 Emphasize the need for setting container limit (docs)
- #28814 Add missing german translations for user federation in admin UI
- #28848 Automatically fill username when authenticating to through a broker
- #28861 Improve the performance of the PermissionTicketStore.findGrantedResources method (authorization-services)
- #28862 Improve persistent sessions DB throughput for logins/logouts by batching
- #28879 Indicate whether a user is transient or not in user sessions list
- #28880 Upgrade to Quarkus 3.8.4 (dist/quarkus)
- #28906 ID fields in SessionWrapper should be immutable
- #28926 Store extended error message in events for client credential grants
- #28935 Ensure GroupResource.getSubGroups doesn't rely on no-arg version of GroupModel.getSubGroupsStream to avoid prematurely loading all subgroups (storage)
- #28939 OIDC: Backchannel logout token should use "typ":"logout+jwt" (oidc)
- #28974 Replace tooltip for adding a translation to an attribute with a text underneath `Display name`
- #29023 Support adding existing users to an organization
- #29068 Infinispan 15.0.3.Final
- #29073 Use cache.compute() method to improve the replace retry loop
- #29118 Conditionally run Quarkus IT in GHA based on code changes (testsuite)
- #29124 Use Java locale translations instead of manually edited translations (translations)
- #29166 Improve details for user error events in OIDC protocol endpoints (oidc)
- #29183 Minor corrections to High Availability Guide (docs)
- #29203 Revisit SessionsResource#realmSessions as it current loads all sessions into memory
- #29223 Complete transistion away from Resteasy core
- #29280 Update Create Realm in Keycloak 24 Getting Started
- #29319 Don't sort persistent sessions when retrieving a list
- #29348 Set default role mapping filter in the role mapping modal
- #29375 Allow migration of non-persistent sessions to persistent sessions
- #29392 Avoid conflicts when writing make store keys
- #29431 Make sure organization groups can not be managed but when managing an organization
- #29460 Email validation for managed members should only fail if it does not match the domain set to a broker
- #29489 Describe how to enable and disable persistent sessions for an installation (docs)
- #29561 Revisit rolling configuration upgrades for persistent-sessions feature
- #29639 Enhance documentation for REST API for X.509 Direct Grant Flow usage (authentication)
- #29724 VC issuance in Authz Code flow without considering “scope” parameter
- #29743 Infinispan 15.0.4.Final
- #29750 Require external Infinispan be of version 15 or greater
- #29778 Upgrade Selenium and Arquillian dependencies in testsuite (testsuite)
- #29780 Unify approach for WebAuthn tests (testsuite)
- #29787 Document Failover Lambda for Active/Passive deployments
- #29794 Show a message when confirming an invitation link
- #29813 Snyk report to identify branches impacted by a CVE (ci)
- #29818 Avoid explicit flush when handling persistent sessions
- #29880 Improve documentation for the case when 'basic' client scope already exists (storage)
- #29883 Upgrade old Keycloak version for DB migration tests (testsuite)
- #29919 Avoid IntelliJ to automatically create start imports
- #30017 Improve Client Type Integration Tests (oidc)
- #30026 Conditionally execute WebAuthn tests when Account console UI is changed (testsuite)
- #30052 Add periodic synchronisation for Weblate contents
- #30104 Release notes for support application/jwt response in token introspection endpoint (docs)
- #30160 Upgrade to Quarkus 3.8.5 (dist/quarkus)
- #30241 Adding ability to get realm attributes in themes
Bugs
- #8887 Information not displayed when a logged in user reset his password (authentication)
- #9695 Add `id_token_signed_response_alg` when realm default algorithm is not `RS256` (oidc)
- #12298 Security bug: Timing Oracle @ Authorization Grant Request , CWE 208 (authentication)
- #12326 AccessTokens generated from RefreshTokens without scope (oidc)
- #12585 False implementation of SAML element EncryptionMethod (saml)
- #12671 Slow user query by attribute (storage)
- #13045 Duplicated user consents (storage)
- #14084 DefaultBruteForceProtector leverages a single thread to write success/failed events (authentication)
- #14122 Refresh token rotation with multiple tabs (oidc)
- #14188 "1403 Killed" after starting a fresh build (docs)
- #14501 Getting failed to initialize js message if consent is rejected by user (account/ui)
- #15403 No email send on TOTP/Authenticator app removal (core)
- #16064 RS256 signed token validation fails (oidc)
- #16345 Unable to delete realm names with invalid URL characters (admin/api)
- #16520 AuthzClient getPermissions() deserializes to List and not List (authorization-services)
- #16873 Required actions execution order (session and user required actions) (authentication)
- #16948 search users by custom attributes (admin/client-js)
- #17154 User locale in server info has language and country switched around (admin/api)
- #17483 MultiVersionClusterTest not working for Quarkus based distribution (storage)
- #17678 Stop using nested components (admin/ui)
- #19671 Refresh token have a negative exp claim because TokenManager is vulnerable to integer overflow for long lasting sessions (YEAR 2038 bug) (oidc)
- #19853 CRL Verification failing due to client certificate not being in a chain (authentication)
- #20411 Entering a single space in a regex password policy makes admin interface unusable. (core)
- #20490 SAML IDP initiated SSO getting cookie_not_found error (saml)
- #20637 Reset password flow fails with "Page has expired" error when Kerberos authentication is enabled in the browser flow (authentication)
- #20747 Keycloak admin cli creating/updating authention executions not respecting the priority value specified (admin/api)
- #21422 Flaky test: org.keycloak.testsuite.forms.ResetPasswordTest#resetPasswordLink (ci)
- #22617 kc export fails when using User Federation (LDAP) with file-based Vault enabled (import-export)
- #22644 Flaky test: org.keycloak.testsuite.forms.BrowserFlowTest#testAlternativeNonInteractiveExecutorInSubflow (core)
- #23252 Invalid redirect after logging in using Twitter (X) (testsuite)
- #23528 NullPointerException in SAML IdP Logout request with SessionIndex and without NameID (identity-brokering)
- #23701 Attribute search does not work with federated users with ldap. (admin/ui)
#23832 New admin console doesn't support automatic logout
account/ui
-
#23833 Account console v2 doesn't support automatic logout
account/ui
-
#23900 Duplicate path in groups claim
oidc
-
#23980 Keycloak Operator fails to install realm authentication flow because "flow is null"
import-export
-
#24201 Cannot disable LDAP-backed user if importEnabled=false
ldap
-
#24414 Container labels inherited from UBI image
dist/quarkus
-
#24462 Remove non-unique `id` attributes from `webauthn-authenticate.ftl`
login/ui
-
#24568 iframe for frontend logout gets blocked if a custom CSP header is used
core
-
#24571 Parallel builds stopped working
admin/ui
-
#24795 Not proper remove for nested sub-flows from DB
core
-
#24878 NoClassDefFoundError for Apache XML and EAP8
adapter/jee-saml
-
#24936 Negative token expiration when changing client session max lifetime
oidc
-
#25038 ServerRequestFilter / ServerResponseFilter not being picked up
extensions
-
#25219 Restrict the access to 'whoami' endpoint for tokens issued for the admin console client
admin/api
-
#25490 Partial export/import is not mentioned in Keycloak's Server Administration Guide
docs
-
#25514 Errors in Outgoing HTTP requests documentation
docs
-
#25687 A java.lang.NullPointerException occurs when sending a Multipart/form-data request to any file upload interface.
admin/api
-
#25778 Incorrect JSON format returned in case of existing user (with user federation)
admin/api
-
#25807 Space in realm name breaks initial console uris
admin/api
-
#25815 Loosing refresh token with Google Identity Provider
identity-brokering
-
#25975 Failing to import client's authorisation settings through UI
authorization-services
-
#25993 PostgreSQL deadlock causes 400 client error instead of 500 server error
storage
-
#26019 Identity provider sync mode: incorrect selection in case of null
admin/ui
-
#26100 Device verification flow does not require consent under certain circumstances
oidc
-
#26108 Realm improper input sanitization
core
-
#26109 Improper Input Validation and Sanitization Leads to persistent partial Denial of Service
admin/api
-
#26113 Revoked Token may be valid for a short time after expiring
oidc
-
#26364 Duplicate emails is On when Email as username and Login with email are On
admin/ui
-
#26396 How do you update a custom user storage provider jar that includes a version number?
dist/quarkus
-
#26438 Keycloak cannot run on windows machine in dev-mode. Because non-English systems cannot support keycloak's package's.
dist/quarkus
-
#26439 Incorrect position of nonce in OCSP request
authentication
-
#26464 "Test connection" on LDAPS URI does not test TLS handshake
admin/api
-
#26515 Wrong rendering duplicated options in guides
docs
-
#26658 `LogoutEvent` is not fired on required UpdatePassword action
core
-
#26667 Can't access hidden tabs on the left in admin UI
admin/ui
-
#26868 Login via brokerage to identity provider fails with clients having UUID with uppercase letter
identity-brokering
-
#26893 Access tokens includes nonce claim
oidc
-
#26915 Deleting sub-realm roles throw errors (even tho it succeeded)
authorization-services
-
#26981 Workflow failure Quarkus IT - StartCommandDistTest#testWarningWhenOverridingBuildOptionsDuringStart
ci
-
#27021 Workflow failure: Fuse adapter tests
ci
-
#27080 Workflow failure: Operator CI - KeycloakTruststoresTests#testTrustroreExists
ci
-
#27180 Grant type "urn:ietf:params:oauth:grant-type:uma-ticket" openid-connect/token service endpoint is returning refresh token with invalid Expiration
authorization-services
-
#27184 Editing built-in client policy profiles are silently reverted
oidc
-
#27201 Missing `exp` claim from Offline tokens when `Offline Session Max Limited` is disabled
core
-
#27228 Lowercased "terms_and_conditions" is not migrated in fed_user_required_action table
core
-
#27245 Account console does not correctly treat link / unlink account
account/ui
-
#27269 mvnw clean install -Pdistribution on Windows deletes necessary files during clean of org.keycloak:keycloak-admin-ui
admin/ui
-
#27275 Invalidating offline token is not working from client sessions tab
authentication
-
#27308 Warnings in log during normal startup
dist/quarkus
-
#27349 Google Authenticator now supports SHA256 and SHA512
authentication
-
#27366 Social login - test failures with unexpected status code
testsuite
-
#27391 Log warning when not using scope `openid`
oidc
-
#27416 Missing feature ID for tech preview feature in docs
docs
-
#27444 type of clients.findRole() in @keycloak/keycloak-admin-client is wrong
admin/client-js
-
#27483 Authz-client AuthorizationResource.getPermissions() ClassCastException
authorization-services
-
#27499 LdapSyncTest failures running with external Active Directory
testsuite
-
#27504 Cpu and memory sizing typo
docs
-
#27506 Readable realm name no longer visible in logs, but realm id is used instead
core
-
#27512 Getting subgroups does pagination before filtering
core
-
#27514 Uncaught server error: java.lang.IllegalArgumentException: Path parameter not provided
oidc
-
#27529 LegacyUserCredentialManager class not found
storage
-
#27538 User tab "Identity Provider Links" is not available when only "view-users" or "manage-users" realm-management role is assigned as in the v1 Keycloak theme
account/ui
-
#27540 URL change for liquibase docs
docs
-
#27548 Custom Browser Flow not working anymore
admin/ui
-
#27558 Client registration policy "Allowed Protocol Mapper Types" prevents clients from self-updating via the client registration api
admin/api
-
#27565 Admin Console tests are failing due to changes in supported authenticators
testsuite
-
#27573 Release notes from 24.0.0 miss that multi-site active-passive deployments are supported
docs
-
#27597 dropping KC_PROXY=edge causes startup error
core
-
#27604 Account console dev environment broken
account/ui
-
#27609 Mixed use of javax and jakarta in org.keycloak.admin.client
adapter/jee
-
#27611 Cannot modify realm email settings since keycloak 24
user-profile
-
#27620 Incomplete documentation when an email about changed credentials is sent
docs
-
#27622 In the account console, the link "Back to security-admin-console" disappears after the first navigation
account/ui
-
#27628 Only allow a known refferer URI for the Account Console
account/ui
-
#27643 Password policy for not having username in the password
authentication
-
#27646 Account Console REST API for /linked-accounts Returns Multiple Access-Control-Allow-Origin Headers
account/api
-
#27653 Admin tests: Flaky realm_settings_user_profile_enabled test
admin/ui
-
#27683 Quarkus-next build failure: Could not find artifact io.quarkus:quarkus-extension-maven-plugin
ci
-
#27691 Unable to set a newly created flow in First Login Flow override for a SAML identity provider
admin/ui
-
#27701 MTLS Cache options should be runtime options, not build time options
dist/quarkus
-
#27709 Account console does not work with `--http-relative-path`
account/ui
-
#27719 Wrong Welcome page image in the documentation
docs
-
#27745 Registration template in login2 is broken
login/ui
-
#27756 SMTP email sending fails because of tls certificate verification even with tls-hostname-verifier=ANY
core
-
#27761 Snyk workflow failure
ci
-
#27779 Broken Migration "MigrateTo24_0_0"
core
-
#27780 Fixing downstream documentation build
docs
-
#27797 User profile fields cannot be set empty once they have a non-empty value (in Login Theme)
user-profile
- #27798 Performance problem with Amazon JDBC wrapper version 2.3.4
-
#27820 Account console confusing with WebAuthn
account/ui
-
#27824 Can't register webauthn passwordless key when RS1 signature algorithm is configured in policies
authentication/webauthn
-
#27837 Translation values not loaded for User Profile attributes
admin/ui
-
#27838 User Profile translations - value put in wrong field after search
user-profile
-
#27839 Incorrect Length Validation for Attribute
admin/cli
-
#27840 Race condition loading serverinfo in admin console
admin/ui
-
#27841 ES translation causes FreeMarker rendering issues
translations
-
#27846 Authenticator Example module compilation failure
authentication
-
#27852 VerifyUserProfile invalidates user cache on every login
core
-
#27854 Required action selection is broken
admin/ui
-
#27868 Documentation is referring to deprecated/unmaintained examples
docs
-
#27875 SAMLIdentityProvider not honoring SamlAuthenticationPreprocessor
saml
-
#27877 Get Groups in admin/cli returns all groups and not the groups that meets the condition specified in -q option
admin/cli
-
#27878 Error when executing refresh grant, with scope param, without offline_access scope specified
oidc
-
#27882 Incorrect version of bctls-fips in the docs
docs
-
#27890 Webauthn token stops working on migration to 24
authentication/webauthn
-
#27892 Truststore handling for the Operator is not documented
operator
-
#27894 Multi datasource configuration does not work in Keycloak 24.0.1
dist/quarkus
-
#27900 Performance impact in changed hashing measured wrong
authentication
-
#27917 User search field loses focus after first input in realms with user federation
admin/ui
-
#27925 Keycloak docs state that there are http metrics, but they are disabled
docs
-
#27941 Entry 999.0.0 in MIGRATION_MODEL prevents future migrations of the database
core
-
#27944 Admin tests: Failing realm_settings_events_test test
admin/ui
-
#27954 Hibernate Dialect detection does not work anymore for Oracle DBs
storage
-
#27962 message of groups is wrong in messages_ja.properties
admin/ui
-
#27965 Groups help message is only "Groups"
admin/ui
-
#27966 🍺 instead of dot: Attributes in account UI are not loaded
user-profile
-
#27967 ORA-01450 when updating keycloak 23 -> 24
storage
-
#27981 User Profile: Inconsistent ordering of attributes between account and login themes
user-profile
-
#27984 Username LDAP attribute other than uid is difficult
ldap
-
#28001 MySQL connector artifact should be ignored
dist/quarkus
-
#28004 JWK key ignored due to missing required field 'use' despite matching KID
oidc
-
#28012 Keycloak CR Truststore should not have a name
operator
-
#28016 User Profile attribute translation saves wrong key to realm overrides
admin/ui
-
#28069 Token setting missing
admin/ui
-
#28079 Group search does not work in user view
admin/ui
-
#28080 Paging issue in groups via user view
admin/ui
-
#28090 kc.sh may leak credentials
core
-
#28100 Failed authentication: java.lang.NullPointerException: Cannot invoke "org.keycloak.models.UserModel.getFederationLink()" because "this.delegate" is null
identity-brokering
-
#28103 Deleting translations after attribute deletion
admin/ui
-
#28113 WebAuthN registration broken after upgrading to 24.0.1
authentication/webauthn
-
#28143 Navigation broken on local development
account/ui
-
#28174 HA guide erroneously refers to AWS Global Accelerator
docs
-
#28187 Admin UI drag & drop in flow config seems to delete actions
admin/ui
-
#28201 Locale label missing on login page for Brazilian Portuguese, Greek and Persian
translations
-
#28207 JAVA_OPTS are not set under Windows
dist/quarkus
-
#28215 Inconsistent handling of product vs. community in HA guide table-of-contents
docs
-
#28220 Admin API: User PUT operation clears firstname, lastname email fields
admin/api
-
#28231 username contains invalid characters
user-profile
-
#28248 Update user makes User ID changes when federationLink and LDAP_ID is not set properly
admin/api
-
#28284 scroll bar is missing inn clients view keycloak admin GUI
core
-
#28303 WARN - Event object wasn't available in remote cache after event was received
infinispan
-
#28330 org.keycloak.documentation.test.ExternalLinksTest fails with incorrect status code reported back in the results
docs
-
#28335 The false option of the pkceMethod init parameter for the JavaScript adapter is ignored
adapter/javascript
-
#28341 ConditionalLoaAuthenticator documentation incorrect re: unauthenticated users.
authentication
-
#28370 PodTemplateTest assertions are ignored
testsuite
-
#28374 Syntax highlighting for log example is wrong in downsream
dist/quarkus
-
#28377 Broken lists in import/export server guide
docs
-
#28381 Password denylist Doesn't Work As Expected
authentication
-
#28389 New username-password policy check is reversed
user-profile
-
#28409 Unclosed span bracket in register.ftl
login/ui
-
#28416 Keycloak is not returning proper error message for PUT /users admin API
user-profile
-
#28431 Dedicated client scopes always show up when searching
admin/ui
-
#28443 Declarative User Profile: The use of the "select-radiobuttons" with options validation display is broken
user-profile
-
#28463 Error in refresh flow with scope parameter
oidc
- #28465 Review cookie attributes and set SameSite for all cookies
-
#28479 Authentication flow diagram incorrect branching in some flows
admin/ui
-
#28484 inputOptionLabels is truncating text that is not wrapped for localization
account/ui
-
#28486 Help text wrong in key provider
admin/ui
-
#28490 Missing help text for Brute Force Mode
admin/ui
-
#28495 IdP Linking: Usernames sometimes lowercase and sometimes uppercase
identity-brokering
-
#28509 Workflow failure: ManagementDistTest
ci
-
#28514 Message for searchClientRegistration is missing
admin/ui
-
#28519 Cards in IDP and User federation are not shown to be clicable
admin/ui
-
#28523 [LDAPStorageProvider] NPE if user is cached but has been deleted in ldap
ldap
-
#28531 notBefore and setToNow untranslated
admin/ui
-
#28546 LDAP provider add has 3 lines on top of screen
admin/ui
- #28555 Collision with base testsuite dependency
-
#28564 UserStorageSyncManager int overflow
storage
-
#28575 Flaky test: org.keycloak.testsuite.admin.IdentityProviderTest#testSamlImportWithAnyEncryptionMethod
ci
-
#28576 Flaky test: org.keycloak.testsuite.admin.IdentityProviderTest#testSamlImportWithAnyEncryptionMethod
ci
-
#28577 Flaky test: org.keycloak.testsuite.admin.IdentityProviderTest#testSamlImportWithAnyEncryptionMethod
ci
-
#28579 Brute force detection fails with read-only LDAP users
authentication
-
#28606 OrganizationTest.testAttributes fails in GHA CI
testsuite
-
#28624 Incorrect user info in the head when using lightweight access token for account-console
account/ui
-
#28628 Invalide objects comparison in Java
core
-
#28638 Missing permission to read configmaps in `keycloak-operator-role`
operator
-
#28640 Unable to see user's inherited role if user has no directly assigned roles
admin/ui
-
#28649 docker-v2 authentication fails with KC-SERVICES0097: Invalid request: java.lang.NullPointerException: Cannot invoke "org.keycloak.models.ClientModel.getClientScopes(boolean)" because "this.client" is null
core
-
#28666 Accessing a transient (lightweight) user through client session fails in admin-api/-ui
admin/ui
-
#28684 "Extend to children" button in authorization group policies is wrongly disabled
admin/ui
-
#28702 Unable to fetch realm names when contains special characters
admin/ui
-
#28704 Remove invalid "this." from keycloak-admin-client README
admin/client-js
-
#28725 Keycloak 24.0.2 - Enlisted connection used without active transaction
storage
-
#28744 Invalid label `validatingX509Certs` in new SAML identity provider screen
admin/ui
-
#28746 Translations missing for recovery codes in KC 24
account/ui
-
#28747 ID is shown prematurely on Identity Provider Mapper after Save
admin/ui
-
#28748 Webauthn Policy timeout accepts values > 8 hours
admin/ui
-
#28798 `passwordPoliciesHelp.notContainsUsername` missing in admin console
admin/ui
-
#28801 NPE when listing sessions in UI if associated user is gone
core
-
#28818 Child groups filtering returns all groups
admin/ui
-
#28821 Failure reset time is applied to Permanent Lockout
authentication
-
#28824 Inconsistent Group Ordering in Keycloak API Responses For Client Policies Causing Drift Detection Challenges
admin/fine-grained-permissions
-
#28825 Keycloak Operator 24.x - the keycloak custom image tag is being overwritten with nightly pull
operator
-
#28881 socketTimeoutUnits and establishConnectionTimeoutUnits in HttpClientBuilder are not used
core
-
#28896 Master realm can be deleted
admin/api
-
#28911 clients_saml_test.spec.ts fails in main
admin/ui
-
#28915 Possible NPE when exporting user policy
authorization-services
-
#28947 IndexWrapper warnings when starting Keycloak
dist/quarkus
-
#28948 Auto-build shouldn't warn about unavailable runtime options
dist/quarkus
-
#28949 Conditional cache options are not evaluated correctly
dist/quarkus
-
#28964 Compilation error in latest main (conflicting MRs for oid4vc and changes for EnvironmentDependentFactory)
core
-
#28968 Grant urn:ietf:params:oauth:grant-type:pre-authorized_code enabled even if oid4vc_vci feature is disabled
oid4vc
-
#28979 MULTIVALUED_STRING_TYPE does not show in UI if empty
admin/ui
-
#28982 Flaky test: org.keycloak.testsuite.oid4vc.issuance.signing.OID4VCIssuerEndpointTest#testGetCredentialOfferUriUnsupportedCredential
ci
-
#28983 Flaky test: org.keycloak.testsuite.oid4vc.issuance.signing.OID4VCIssuerEndpointTest#testGetCredentialOfferUriInvalidToken
ci
-
#28984 Flaky test: org.keycloak.testsuite.oid4vc.issuance.signing.OID4VCIssuerEndpointTest#testRequestCredential
ci
-
#28985 Flaky test: org.keycloak.testsuite.oid4vc.issuance.signing.OID4VCIssuerEndpointTest#testGetCredentialOfferUriUnauthorized
ci
-
#28986 Flaky test: org.keycloak.testsuite.oid4vc.issuance.signing.OID4VCIssuerEndpointTest#testGetCredentialOfferUnauthorized
ci
-
#28987 Flaky test: org.keycloak.testsuite.oid4vc.issuance.signing.OID4VCIssuerEndpointTest#testRequestCredentialInvalidToken
ci
-
#28988 Flaky test: org.keycloak.testsuite.oid4vc.issuance.signing.OID4VCIssuerEndpointTest#testRequestCredentialUnauthorized
ci
-
#28989 Flaky test: org.keycloak.testsuite.oid4vc.issuance.signing.OID4VCIssuerEndpointTest#testCredentialIssuance
ci
-
#28990 Flaky test: org.keycloak.testsuite.oid4vc.issuance.signing.OID4VCIssuerEndpointTest#testGetCredentialOfferWithoutNonce
ci
-
#28991 Flaky test: org.keycloak.testsuite.oid4vc.issuance.signing.OID4VCIssuerEndpointTest#testGetCredentialOffer
ci
-
#28992 Flaky test: org.keycloak.testsuite.oid4vc.issuance.signing.OID4VCIssuerEndpointTest#testGetCredentialOfferWithABrokenNote
ci
-
#28993 Flaky test: org.keycloak.testsuite.oid4vc.issuance.signing.OID4VCIssuerEndpointTest#testGetCredentialOfferURI
ci
-
#28994 Flaky test: org.keycloak.testsuite.oid4vc.issuance.signing.OID4VCIssuerEndpointTest#testGetCredentialOfferWithoutAPreparedOffer
ci
-
#28995 Flaky test: org.keycloak.testsuite.oid4vc.issuance.signing.OID4VCIssuerEndpointTest#testRequestCredentialUnsupportedFormat
ci
-
#28996 Flaky test: org.keycloak.testsuite.oid4vc.issuance.signing.OID4VCIssuerEndpointTest#testRequestCredentialUnsupportedCredential
ci
-
#29027 Creating client-scope without protocol causes GUI bug
admin/api
-
#29033 Argon2 password hashing leads to increased Major GC's in Keycloak's JVM during load tests
authentication
-
#29035 Admin console message bundle contains duplicate keys
admin/ui
-
#29039 Preflight request with OPTIONS method for token introspection endpoint not working.
authentication
- #29057 not able to disable declarative_ui feature
-
#29072 Startup probe should check for existence of an Admin user before returning 200
dist/quarkus
-
#29129 JGroups creates log messages as it switched internally to "trace"
dist/quarkus
-
#29132 Documentation cites wrong endpoint for Docker Registry v2 Authentication
docs
-
#29133 DuplicateEmailValidator causes two DB queries on every login if a user has an email address
core
- #29141 Fix waiting for change to take effect in SessionTimeoutsTest
-
#29142 LDAP - GroupToGroup Mapper throws "ENTRY_EXISTS" Error
ldap
-
#29147 local user login not possible after LDAP connection problem
ldap
-
#29154 Update docs to distinguish between product names and CR names
docs
-
#29190 JS Admin Client does not support q query parameter on users.count() and clients.find() methods
admin/client-js
-
#29206 LDAP user creation reports error but user is created
ldap
-
#29213 Bad formatting of permissions error in admin console
admin/ui
-
#29233 Broken link in documentation
docs
-
#29235 Tests for persistent sessions are not performed
infinispan
-
#29237 The select for a locale behaves as a multi-select in the admin and account UI when it should be single value
admin/ui
-
#29246 Flaky test: org.keycloak.testsuite.client.ClientTypesTest#testUpdateClientWithClientType
ci
-
#29247 Flaky test: org.keycloak.testsuite.oauth.ClientTokenExchangeTest#testExchangeWithDynamicScopesEnabled
ci
-
#29248 Flaky test: org.keycloak.testsuite.oauth.ClientTokenExchangeTest#testClientExchange
ci
-
#29249 Flaky test: org.keycloak.testsuite.oauth.ClientTokenExchangeTest#testIntrospectTokenAfterImpersonation
ci
-
#29250 Flaky test: org.keycloak.testsuite.oauth.ClientTokenExchangeTest#testPublicClientNotAllowed
ci
-
#29251 Flaky test: org.keycloak.testsuite.oauth.ClientTokenExchangeTest#testExchangeUsingServiceAccount
ci
-
#29252 Flaky test: org.keycloak.testsuite.oauth.ClientTokenExchangeTest#testImpersonation
ci
-
#29253 Flaky test: org.keycloak.testsuite.oauth.ClientTokenExchangeTest#testImpersonationUsingPublicClient
ci
-
#29259 `auth-server-feature` does not work for `auth-server-quarkus-embedded`
testsuite
-
#29263 Default value for MULTIVALUED_STRING_TYPE in authenticator config is ignored
admin/ui
-
#29266 Documentation Enhancements Admin Rest API Group to Client Role Mappings
docs
-
#29287 Upgraded docker to 24, now unable to browse "authentication" page in one of my realms.
authentication
-
#29294 Listing of sessions is very slow when we have tens of thousands sessions (+ not able to know the exact number of sessions)
admin/ui
-
#29309 JWSBuilder when used directly with AsymmetricSignatureSignerContext produces non compliant ECDSA signed JWT
core
-
#29311 POST /{realm}/clients-initial-access is allowing invalid data like count = -1 and expiration date-time can be set earlier than the creation date-time
oidc
-
#29314 Clicking the "save" button multiple times in the Saml IDP configuration page corrupts the value of "AuthnContext ClassRefs"
admin/ui
-
#29336 Unlocking and saving the user's temporary lock will render the user disabled.
account/ui
-
#29352 Fix user-facing typos in error messages
core
-
#29362 Custom user attributes are not shown for service account users in the Admin UI
admin/ui
-
#29376 kc export fails when using User Federation (LDAP) with SSL/TLS
import-export
-
#29385 Restart authentication event type is not generated
authentication
-
#29408 Need to show translation for attributes group on Registration form
admin/ui
-
#29426 Potential bug introduced to JavaKeystoreKeyProvider in #26936
admin/api
-
#29429 NPE when Organization feature enabled
core
-
#29440 clients_tests is unstable
admin/ui
-
#29458 Empty CSP header value breaks security filter
authentication
-
#29471 Cypress tests store videos even for passing tests
ci
-
#29495 Fixing realm removal when removing groups and brokers associated with an organization
core
-
#29507 realm_settings_user_profile_enabled fails randomly
admin/ui
-
#29525 Maven clean build doesn't clean admin client generated files
ci
-
#29528 Failure: SessionTimeoutsTest
ci
-
#29551 OAuth 2.0 Device Polling Interval - Setting in Realms settings/Token Plus-Minus to change value not working
admin/ui
-
#29554 Cypress failing on video recording
ci
-
#29579 Increased augmentation time after Quarkus 3.8.4 upgrade
dist/quarkus
-
#29592 Remote caches and other site's caches might get out-of-sync when persistent sessions are used
core
-
#29599 Org domain removal from IDP is not properly propagated to the DB
core
-
#29602 SNYK-JAVA-ORGBOUNCYCASTLE-6277381 - Observable Timing Discrepancy in org.bouncycastle:bcprov-jdk18on
dependencies
-
#29607 CVE-2024-30172 - Infinite loop in org.bouncycastle:bcprov-jdk18on
dependencies
-
#29608 CVE-2024-30171 - Observable Discrepancy in org.bouncycastle:bcprov-jdk18on
dependencies
-
#29609 CVE-2024-29857 - Allocation of Resources Without Limits or Throttling in org.bouncycastle:bcprov-jdk18on
dependencies
-
#29620 Wrong Media Type / Format of SD JWT VC
oid4vc
-
#29625 Database driver install examples can lead to permission errors in some circumstances
docs
-
#29630 Unable to import realms with organization feature enabled
core
-
#29640 Admin console development fail due to whoami endpoint
admin/ui
-
#29641 Admin Console uses a wrong URL type for auth server
admin/ui
-
#29644 Unmanaged Attributes drop down doesn't reflect the value
admin/ui
-
#29688 client_authorization_test fails
admin/ui
-
#29699 Snyk Report is not preventing duplicates
ci
-
#29738 Broken translations for loa-condition-level and loa-max-age
admin/ui
-
#29756 MigrateTo25_0_0 does not complete within default transaction timeout
storage
-
#29788 OpenAPI: Missing content definition for authentication flow executions GET API
admin/api
-
#29802 Flaky test: org.keycloak.testsuite.model.session.UserSessionPersisterProviderTest#testMigrateSession
ci
-
#29805 Supported Credential Type is not evaluated when applying the Protocol Mapper in OID4VCI
oid4vc
-
#29808 LDAP User federation: LDAP: error code 49 - Invalid Credentials
ldap
-
#29814 package com.google.common.hash does not exist when building keycloak-api-docs-dist
docs
-
#29816 Aggregated javadoc generation fix + missing keycloak-operator javadoc
dist/quarkus
-
#29868 Missing Text for x509
translations
-
#29869 Kubernetes resources point to non-existing Operator image
operator
-
#29875 Upgrade supported PostgreSQL to version 16
ci
-
#29885 Unable to create an LD-Credentials/VCDM provider for OID4VC
oid4vc
-
#29931 Cannot access the account console
account/ui
-
#29939 Increased GC overhead in the continuous performance tests after G1GC compiler change
dist/quarkus
-
#29948 Reason not logged in event for invalid SAML request
saml
-
#29968 x509 SAN UPN other name is not handled in JDK 21
authentication
-
#29976 CI for JS not running all the tasks
ci
-
#29981 Enabling and disabling functions are not working properly in KC GUI
admin/ui
-
#29982 Revert editorconfig for properties files as trailing blanks are used
ci
- #29984 Nightly build for API docs is broken
-
#30018 SessionTimeoutsTest failing even after retry, probably due to insufficient cleanup
testsuite
-
#30023 Using {application.session.host} in backchannel logout url prevents from saving client
admin/api
-
#30024 Sign out button in the account console has wrong Selenium locator
testsuite
-
#30028 Typo in the upgrading guide for persistent sessions
docs
-
#30049 All roles are populated as inherited roles if a single role is added to a dedicated client scope
admin/ui
-
#30068 Update RFC reference in subject: Likely typo RFC2553 -> RFC2253, Consider RFC4514
admin/ui
-
#30079 The OID4VC tests break automation
account/ui
- #30086 Remove sources folder before invoking JakartaTransformer
-
#30102 Updating client policies in JSON editor is buggy. Attempt to update global client policies should throw the error
admin/ui
-
#30120 Option `cache-remote-tls-enabled` is missing the default
dist/quarkus
-
#30126 Client scope names not shown in evaluate section in client-scopes tab
admin/ui
-
#30134 Malformed dependency version causing the build failure
testsuite
- #30196 Test PoC does not run with Quarkus fork join worker
-
#30201 Keycloak CI - failure in Store IT (aurora-postgres)
ci
-
#30206 Use forkjoin pool factory in testsuite for embedded Quarkus Auth Server
testsuite
-
#30218 Locale dropdowns not working
account/ui
-
#30220 Base theme contains properties without default values
login/ui
v24.0.5
Highlights
Security issue with PAR clients using client_secret_post based authentication
This release contains the fix for an important security issue affecting some OIDC confidential clients that use PAR (Pushed Authorization Requests). If you use OIDC confidential clients together with PAR, and those clients authenticate with a client_id and client_secret sent as parameters in the HTTP request body (the client_secret_post method of the OIDC specification), it is highly encouraged to rotate the client secrets of those clients after upgrading to this version.
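The rotation advised above is easy to do by hand for one client and tedious for a realm with many. The script below is an added example for this changelog entry, not Keycloak's own code: it selects the clients that match the affected profile and issues the secret-regeneration call for each through the Admin REST API. The endpoint paths (GET /admin/realms/{realm}/clients, POST /admin/realms/{realm}/clients/{id}/client-secret) and the client attribute key "require.pushed.authorization.requests" are assumptions taken from the Admin REST API and client configuration, not from this page. Note that Keycloak's "client-secret" authenticator accepts both client_secret_basic and client_secret_post and does not record which one a client used, so the safe default is to rotate every confidential client that authenticates with a shared secret, optionally narrowing to those whose configuration forces PAR.

```python
"""Select confidential clients whose secret should be rotated after the
v24.0.5 PAR fix, and regenerate each secret through the Admin REST API.

Added example for this changelog entry; not Keycloak's own code.
Assumed (not stated on the page): the Admin REST API endpoints
  GET  /admin/realms/{realm}/clients
  POST /admin/realms/{realm}/clients/{id}/client-secret
and the client attribute key "require.pushed.authorization.requests".
"""
from __future__ import annotations

import json
import urllib.request
from typing import Callable, Iterable

# The "client-secret" authenticator covers both client_secret_basic and
# client_secret_post; the server does not record which form a client used,
# so every confidential client using it is a rotation candidate.
SECRET_AUTHENTICATOR = "client-secret"
PAR_REQUIRED_ATTR = "require.pushed.authorization.requests"  # assumed key


def needs_rotation(client: dict, only_par_required: bool = False) -> bool:
    """True for a confidential client authenticated by a shared secret.

    With only_par_required=True, restrict to clients whose configuration
    forces PAR. A client may send PAR without that flag, so the default
    is to rotate every secret-authenticated confidential client.
    """
    if client.get("publicClient", False) or client.get("bearerOnly", False):
        return False
    if client.get("clientAuthenticatorType") != SECRET_AUTHENTICATOR:
        return False
    if only_par_required:
        attrs = client.get("attributes") or {}
        return str(attrs.get(PAR_REQUIRED_ATTR, "false")).lower() == "true"
    return True


def select_clients(clients: Iterable[dict], only_par_required: bool = False) -> list[str]:
    """Return the sorted clientIds that should have their secret rotated."""
    return sorted(c["clientId"] for c in clients if needs_rotation(c, only_par_required))


def rotate_secrets(base_url: str, realm: str, token: str, clients: Iterable[dict],
                   http: Callable[[urllib.request.Request], dict] | None = None) -> dict[str, str]:
    """POST .../client-secret for each selected client; returns clientId -> new secret.

    `http` lets the caller inject the transport (used to run this offline).
    """
    http = http or _send
    rotated: dict[str, str] = {}
    for c in clients:
        if not needs_rotation(c):
            continue
        url = f"{base_url}/admin/realms/{realm}/clients/{c['id']}/client-secret"
        req = urllib.request.Request(url, method="POST",
                                     headers={"Authorization": f"Bearer {token}"})
        rotated[c["clientId"]] = http(req)["value"]
    return rotated


def _send(req: urllib.request.Request) -> dict:
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


# Constructed sample client representations (not real data).
SAMPLE_CLIENTS = [
    {"id": "1", "clientId": "web-app", "publicClient": False,
     "clientAuthenticatorType": "client-secret",
     "attributes": {"require.pushed.authorization.requests": "true"}},
    {"id": "2", "clientId": "backend-jwt", "publicClient": False,
     "clientAuthenticatorType": "client-jwt", "attributes": {}},
    {"id": "3", "clientId": "spa", "publicClient": True,
     "clientAuthenticatorType": "client-secret", "attributes": {}},
    {"id": "4", "clientId": "legacy-api", "publicClient": False,
     "clientAuthenticatorType": "client-secret", "attributes": {}},
]

if __name__ == "__main__":
    print("rotate (all secret-authenticated clients):", select_clients(SAMPLE_CLIENTS))
    print("rotate (PAR required only):", select_clients(SAMPLE_CLIENTS, True))
```

In practice, fetch the client list with a GET on the clients endpoint using an admin token, pass it to rotate_secrets, and push the returned secrets to the applications before the old ones stop working; the regeneration is immediate, so schedule it with the client owners.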
Upgrading
Before upgrading refer to the migration guide for a complete list of changes.
All resolved issues
Enhancements
- #29073 Use cache.compute() method to improve the replace retry loop
- #29280 Update Create Realm in Keycloak 24 Getting Started
Bugs
-
#29129 JGroups creates log messages as it switched internally to "trace"
dist/quarkus
-
#29206 LDAP user creation reports error but user is created
ldap
-
#29314 Clicking the "save" button multiple times in the Saml IDP configuration page corrupts the value of "AuthnContext ClassRefs"
admin/ui
-
#29458 Empty CSP header value breaks security filter
authentication
-
#29471 Cypress tests store videos even for passing tests
ci
-
#29525 Maven clean build doesn't clean admin client generated files
ci
-
#29554 Cypress failing on video recording
ci
-
#29625 Database driver install examples can lead to permission errors in some circumstances
docs
v24.0.4
Highlights
Partial update to user attributes when updating users through the Admin User API is no longer supported
When updating user attributes through the Admin User API, you can no longer execute partial updates: the representation you send must carry the complete set of user attributes, including the root attributes username, email, firstName, and lastName.
For more details, see the Upgrading Guide.
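Because partial updates are no longer merged, the practical pattern for the user PUT is read-modify-write: GET the current representation, change what you need, and send the whole thing back. The code below is an added example for this note, not Keycloak's own code; the endpoint path /admin/realms/{realm}/users/{id} is an assumption taken from the Admin REST API, and the sample user is constructed. It also shows the guard a script should run before sending: a body that would blank a root attribute the stored user already has is the failure mode this change exposes (compare #28220 in the bug list above).

```python
"""Update a user through the Admin User API without losing attributes.

Added example for the v24.0.4 note above; not Keycloak's own code.
Assumed (not stated on the page): the endpoint
  GET/PUT /admin/realms/{realm}/users/{id}
Since 24.0.4 the PUT body is not merged into the stored user, so the
body must be the full representation. Pattern: read, modify, write.
"""
from __future__ import annotations

import copy
import json
import urllib.request
from typing import Callable

ROOT_FIELDS = ("username", "email", "firstName", "lastName")


def merged_user(current: dict, changes: dict) -> dict:
    """Return the full representation to PUT: `current` with `changes` applied.

    Custom attributes are merged key by key (a value of None deletes the
    key); every other field in `changes` overwrites the current one. Root
    fields not mentioned in `changes` are carried over unchanged.
    """
    updated = copy.deepcopy(current)
    new_attrs = dict(updated.get("attributes") or {})
    for key, value in (changes.get("attributes") or {}).items():
        if value is None:
            new_attrs.pop(key, None)
        else:
            # Keycloak stores every custom attribute as a list of strings.
            new_attrs[key] = value if isinstance(value, list) else [str(value)]
    updated["attributes"] = new_attrs
    for key, value in changes.items():
        if key != "attributes":
            updated[key] = value
    return updated


def root_fields_cleared(current: dict, body: dict) -> list[str]:
    """Root attributes set on the stored user that `body` would blank."""
    return [f for f in ROOT_FIELDS if current.get(f) and not body.get(f)]


def update_user(base_url: str, realm: str, user_id: str, token: str, changes: dict,
                http: Callable[[urllib.request.Request], dict | None] | None = None) -> dict:
    """GET the user, merge, PUT the whole representation; returns what was sent.

    `http` lets the caller inject the transport (used to run this offline).
    """
    http = http or _send
    url = f"{base_url}/admin/realms/{realm}/users/{user_id}"
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    current = http(urllib.request.Request(url, headers=headers))
    body = merged_user(current, changes)
    cleared = root_fields_cleared(current, body)
    if cleared:
        raise ValueError(f"refusing PUT that would clear root attributes: {cleared}")
    http(urllib.request.Request(url, data=json.dumps(body).encode(),
                                headers=headers, method="PUT"))
    return body


def _send(req: urllib.request.Request) -> dict | None:
    with urllib.request.urlopen(req, timeout=10) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else None


# Constructed sample user representation (not real data).
SAMPLE_USER = {
    "id": "u-1", "username": "alice", "email": "alice@example.test",
    "firstName": "Alice", "lastName": "Liddell", "enabled": True,
    "attributes": {"department": ["sales"], "locale": ["en"]},
}

if __name__ == "__main__":
    partial = {"attributes": {"department": ["support"]}}
    print("partial body would clear:", root_fields_cleared(SAMPLE_USER, partial))
    print("full body:", json.dumps(merged_user(SAMPLE_USER, partial)))
```

The guard matters most for scripts written against older releases that sent {"attributes": {...}} alone; against 24.0.4 and later such a body is exactly what root_fields_cleared flags.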
Upgrading
Before upgrading refer to the migration guide for a complete list of changes.
All resolved issues
Enhancements
- #27508 Use new remote-store options in HA guides
- #28429 Add details to error messages, especially around refresh tokens
-
#28729 Emphasize the need for setting container limit
docs
-
#28880 Upgrade to Quarkus 3.8.4
dist/quarkus
-
#29183 Minor corrections to High Availability Guide
docs
Bugs
- #16345 Unable to delete realm names with invalid URL characters (admin/api)
- #22617 kc export fails when using User Federation (LDAP) with file-based Vault enabled (import-export)
- #24568 iframe for frontend logout gets blocked if a custom CSP header is used (core)
- #24878 NoClassDefFoundError for Apache XML and EAP8 (adapter/jee-saml)
- #27021 Workflow failure: Fuse adapter tests (ci)
- #27080 Workflow failure: Operator CI - KeycloakTruststoresTests#testTrustroreExists (ci)
- #27514 Uncaught server error: java.lang.IllegalArgumentException: Path parameter not provided (oidc)
- #28079 Group search does not work in user view (admin/ui)
- #28187 Admin UI drag & drop in flow config seems to delete actions (admin/ui)
- #28220 Admin API: User PUT operation clears firstname, lastname email fields (admin/api)
- #28303 WARN - Event object wasn't available in remote cache after event was received (infinispan)
- #28377 Broken lists in import/export server guide (docs)
- #28431 Dedicated client scopes always show up when searching (admin/ui)
- #28514 Message for searchClientRegistration is missing (admin/ui)
- #28666 Accessing a transient (lightweight) user through client session fails in admin-api/-ui (admin/ui)
- #28684 "Extend to children" button in authorization group policies is wrongly disabled (admin/ui)
- #28911 clients_saml_test.spec.ts fails in main (admin/ui)
- #29072 Startup probe should check for existence of an Admin user before returning 200 (dist/quarkus)
- #29094 Fix the client name help grammatical error (admin/ui)
- #29133 DuplicateEmailValidator causes two DB queries on every login if a user has an email address (core)
- #29147 local user login not possible after LDAP connection problem (ldap)
- #29154 Update docs to distinguish between product names and CR names (docs)
- #29233 Broken link in documentation (docs)
v24.0.3
Upgrading
Before upgrading refer to the migration guide for a complete list of changes.
All resolved issues
Enhancements
- #26695 Keycloak and MSAD: enabling account in MSAD does not propagate to Keycloak (ldap)
Bugs
- #24201 Cannot disable LDAP-backed user if importEnabled=false (ldap)
- #28100 Failed authentication: java.lang.NullPointerException: Cannot invoke "org.keycloak.models.UserModel.getFederationLink()" because "this.delegate" is null (identity-brokering)
- #28248 Update user makes User ID changes when federationLink and LDAP_ID is not set properly (admin/api)
- #28335 The false option of the pkceMethod init parameter for the JavaScript adapter is ignored (adapter/javascript)
- #28638 Missing permission to read configmaps in `keycloak-operator-role` (operator)
v24.0.2
Upgrading
Before upgrading refer to the migration guide for a complete list of changes.
All resolved issues
Enhancements
- #25057 Inconsistent behaviour on getting user permissions using authorization (authorization-services)
- #27433 Clarify format of keys in `additionalOptions` field in the Keycloak CR (docs)
- #27481 Edit High Availability guide
- #27484 Edit 23.0 changes part of Upgrading Guide
- #27632 Integrate downstream Upgrading Guide changes into upstream
- #27696 Upgrade to Quarkus 3.8.2 (dist/quarkus)
- #27867 Corrections to Securing Apps Guide
- #27871 Upgrade to Infinispan 14.0.26 (core)
- #27953 Address feedback to Keycloak Server guide (docs)
- #27955 Address term Keycloak in Server Administration Guide (docs)
- #28009 Address edits to the Operator Guide
- #28033 Upgrade Infinispan to 14.0.27.Final
- #28084 Upgrade to Quarkus 3.8.3 (dist/quarkus)
Bugs
- #14501 Getting failed to initialize js message if consent is rejected by user (account/ui)
- #15403 No email send on TOTP/Authenticator app removal (core)
- #20637 Reset password flow fails with "Page has expired" error when Kerberos authentication is enabled in the browser flow (authentication)
- #22644 Flaky test: org.keycloak.testsuite.forms.BrowserFlowTest#testAlternativeNonInteractiveExecutorInSubflow (core)
- #23701 Attribute search does not work with federated users with ldap. (admin/ui)
- #23980 Keycloak Operator fails to install realm authentication flow because "flow is null" (import-export)
- #25490 Partial export/import is not mentioned in Keycloak's Server Administration Guide (docs)
- #25687 A java.lang.NullPointerException occurs when sending a Multipart/form-data request to any file upload interface. (admin/api)
- #26396 How do you update a custom user storage provider jar that includes a version number? (dist/quarkus)
- #27117 user sessions not accessible in all cluster nodes (infinispan)
- #27180 Grant type "urn:ietf:params:oauth:grant-type:uma-ticket" openid-connect/token service endpoint is returning refresh token with invalid Expiration (authorization-services)
- #27228 Lowercased "terms_and_conditions" is not migrated in fed_user_required_action table (core)
- #27245 Account console does not correctly treat link / unlink account (account/ui)
- #27269 mvnw clean install -Pdistribution on Windows deletes necessary files during clean of org.keycloak:keycloak-admin-ui (admin/ui)
- #27275 Invalidating offline token is not working from client sessions tab (authentication)
- #27366 Social login - test failures with unexpected status code (testsuite)
- #27483 Authz-client AuthorizationResource.getPermissions() ClassCastException (authorization-services)
- #27504 Cpu and memory sizing typo (docs)
- #27529 LegacyUserCredentialManager class not found (storage)
- #27540 URL change for liquibase docs (docs)
- #27548 Custom Browser Flow not working anymore (admin/ui)
- #27573 Release notes from 24.0.0 miss that multi-site active-passive deployments are supported (docs)
- #27597 dropping KC_PROXY=edge causes startup error (core)
- #27611 Cannot modify realm email settings since keycloak 24 (user-profile)
- #27653 Admin tests: Flaky realm_settings_user_profile_enabled test (admin/ui)
- #27701 MTLS Cache options should be runtime options, not build time options (dist/quarkus)
- #27719 Wrong Welcome page image in the documentation (docs)
- #27745 Registration template in login2 is broken (login/ui)
- #27761 Snyk workflow failure (ci)
- #27779 Broken Migration "MigrateTo24_0_0" (core)
- #27780 Fixing downstream documentation build (docs)
- #27797 User profile fields cannot be set empty once they have a non-empty value (in Login Theme) (user-profile)
- #27820 Account console confusing with WebAuthn (account/ui)
- #27841 ES translation causes FreeMarker rendering issues (translations)
- #27852 VerifyUserProfile invalidates user cache on every login (core)
- #27878 Error when executing refresh grant, with scope param, without offline_access scope specified (oidc)
- #27882 Incorrect version of bctls-fips in the docs (docs)
- #27892 Truststore handling for the Operator is not documented (operator)
- #27894 Multi datasource configuration does not work in Keycloak 24.0.1 (dist/quarkus)
- #27900 Performance impact in changed hashing measured wrong (authentication)
- #27925 Keycloak docs state that there are http metrics, but they are disabled (docs)
- #27954 Hibernate Dialect detection does not work anymore for Oracle DBs (storage)
- #27966 🍺 instead of dot: Attributes in account UI are not loaded (user-profile)
- #27967 ORA-01450 when updating keycloak 23 -> 24 (storage)
- #27981 User Profile: Inconsistent ordering of attributes between account and login themes (user-profile)
- #28001 MySQL connector artifact should be ignored (dist/quarkus)
- #28012 Keycloak CR Truststore should not have a name (operator)
- #28113 WebAuthN registration broken after upgrading to 24.0.1 (authentication/webauthn)
v24.0.1
Highlights
Operator deploys nightly build instead of 24.0.0
Due to an issue in the release process, when deploying Keycloak using the Operator it installed the `nightly` container instead of `24.0.0`.
As a quick fix to the issue, the `24.0.0` container was tagged with `nightly`, and the `nightly` releases were temporarily disabled.
If you installed or upgraded to `24.0.0` using the Operator before 5pm CET yesterday, the database may have been updated with the wrong versions. To check if you are affected, connect to your database and run the following SQL command:
```sql
SELECT * from migration_model WHERE version = '999.0.0';
```
If the above returns a matching row you will need to take some actions, otherwise database migrations will not run for future releases. To resolve this, run the following SQL command:
```sql
UPDATE migration_model SET version = '24.0.0' WHERE version = '999.0.0';
```
Upgrading
Before upgrading refer to the migration guide for a complete list of changes.
v24.0.0
Highlights
Supported user profile and progressive profiling
The user profile preview feature is promoted to be fully supported and user profile is enabled by default.
In the past months, the Keycloak team spent a huge amount of effort in polishing the user profile feature to make it fully supported. In this release, we continued the effort. Lots of improvements, fixes and polishing were done based on the thorough testing and feedback from our awesome community.
The following are a few highlights of this feature:
- Fine-grained control over the attributes that users and administrators can manage so that you can prevent unexpected attributes and values from being set.
- Ability to specify what user attributes are managed and should be displayed on the forms to regular users or administrators.
- Dynamic forms - Previously, the forms where users created or updated their profiles contained four basic attributes: username, email, first name and last name. Adding any attributes (or removing some default attributes) required you to create a custom theme. Now custom themes may not be needed because users see exactly the requested attributes based on the requirements of the particular deployment.
- Validations - Ability to specify validators for the user attributes, including built-in validators that you can use to specify a maximum or minimum length, a specific regex, or limiting a particular attribute to be a URL or number.
- Annotations - Ability to specify that a particular attribute should be rendered for instance as a text area, an HTML select with specified options, a calendar or many other options. You can also bind JavaScript code to a specific field to change how an attribute is rendered and customize its behavior.
- Progressive profiling - Ability to specify that some fields are required or available on the forms just for particular values of the `scope` parameter. This effectively allows progressive profiling. You no longer need to ask the user for twenty attributes during registration; you can instead ask the user to fill in attributes incrementally according to the requirements of the individual client applications that are used by the user.
- Migration from previous versions - The user profile is now always enabled, but it operates as before for those who did not use this feature. You can benefit from the user profile capabilities, but you are not required to use them. For migration instructions, see the Upgrading Guide.
The first release of the user profile as a supported feature is just the starting point and the baseline for delivering many more capabilities around identity management.
We would like to give huge thanks to the awesome Keycloak community as lots of ideas, requirements and contributions came from the community! Special thanks to:
For more details about user profile capabilities, see the Server Administration Guide.
Breaking changes to the User Profile SPI
In this release, changes to the User Profile SPI might impact existing implementations based on this SPI. For more details, see the Upgrading Guide.
Changes to Freemarker templates to render pages based on the user profile and realm
In this release, the following templates were updated to make it possible to dynamically render attributes based on the user profile configuration set to a realm:
- `login-update-profile.ftl`
- `register.ftl`
- `update-email.ftl`
For more details, see the Upgrading Guide.
New Freemarker template for the update profile page at first login through a broker
In this release, the server renders the update profile page when the user is authenticating through a broker for the first time using the `idp-review-user-profile.ftl` template.
For more details, see the Upgrading Guide.
Java adapter deprecation and removal
Back in 2022 we announced the deprecation of Keycloak adapters in Keycloak 19. To give the community more time to adopt, this was delayed.
With that in mind, this will be the last major release of Keycloak to include OpenID Connect and SAML adapters. As Jetty 9.x has not been supported since 2022 the Jetty adapter has been removed already in this release.
The generic Authorization Client library will continue to be supported, and aims to be used in combination with any other OAuth 2.0 or OpenID Connect libraries.
The only adapter we will continue to deliver is the SAML adapter for latest releases of WildFly and EAP 8.x. Reasoning for continuing to support this is down to the fact that the majority of the SAML codebase in Keycloak was a contribution from WildFly. As part of this contribution we agreed to maintain SAML adapters for WildFly and EAP in the long run.
Jetty adapter removed
Jetty 9.4 has not been supported in the community for a long time, and reached end-of-life in 2022. At the same time the adapter has not been updated or tested with more recent versions of Jetty. For these reasons the Jetty adapter has been removed from this release.
New Welcome Page
The 'welcome' page that appears at the first use of Keycloak is redesigned. It provides a better setup experience and conforms to the latest version of PatternFly. The simplified page layout includes only a form to register the first administrative user. After completing the registration, the user is sent directly to the Admin Console.
If you use a custom theme, you may need to update it to support the new welcome page. For details, see the Upgrading Guide.
New Account Console now the default
We introduced version 3 of the Account Console in Keycloak 22 as a preview feature. In this release, we are making it the default version, and deprecating version 2 in the process, which will be removed in a subsequent release.
This new version has built-in support for the user profile feature, which allows administrators to configure which attributes are available to users in the Account Console, and lands a user directly on their personal account page after logging in.
If you are using or extending the customization features of this theme, you may need to perform additional migrations. For more details, see the Upgrading Guide.
Keycloak JS
Using `exports` field in `package.json`
The Keycloak JS adapter now uses the `exports` field in its `package.json`. This change improves support for more modern bundlers like Webpack 5 and Vite, but comes with some unavoidable breaking changes. See the Upgrading Guide for more details.
PKCE enabled by default
The Keycloak JS adapter now sets the `pkceMethod` option to `S256` by default. This change enables Proof Key for Code Exchange (PKCE) for all applications using the adapter. If you use the adapter on a system that does not support PKCE, you can set the `pkceMethod` option to `false` to disable it.
Changes to Password Hashing
In this release, we adapted the password hashing defaults to match the OWASP recommendations for Password Storage.
As part of this change, the default password hashing provider has changed from `pbkdf2-sha256` to `pbkdf2-sha512`.
Also, the number of default hash iterations for `pbkdf2` based password hashing algorithms changed. This change means better security aligned with the latest recommendations, but it has an impact on performance. It is possible to stick to the old behaviour by adding the password policies `hashAlgorithm` and `hashIterations` to your realm. For more details, see the Upgrading Guide.
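As an added illustration, not Keycloak's own code, the following Python models how a `pbkdf2-sha256` or `pbkdf2-sha512` credential is derived and verified, and how a login path can notice that a stored hash no longer matches the realm's `hashAlgorithm`/`hashIterations` policy and re-hash it while the cleartext is available. The derived-key sizes, iteration counts and the credentialData/secretData JSON layout are assumptions taken from Keycloak's documented defaults, not values stated on this page.

```python
import base64
import hashlib
import hmac
import json
import os
from typing import Optional

# Assumed defaults, modelled on Keycloak's documented hashing providers (not stated on this page):
# algorithm name -> (hashlib digest, derived key length in bytes, default iterations)
ALGORITHMS = {
    "pbkdf2-sha256": ("sha256", 32, 600_000),
    "pbkdf2-sha512": ("sha512", 64, 210_000),
}


def derive(password: str, algorithm: str, iterations: int, salt: bytes) -> bytes:
    """PBKDF2 over the UTF-8 password, with the HMAC digest the algorithm name implies."""
    digest, dklen, _ = ALGORITHMS[algorithm]
    return hashlib.pbkdf2_hmac(digest, password.encode("utf-8"), salt, iterations, dklen)


def make_credential(password: str, algorithm: str = "pbkdf2-sha512",
                    iterations: Optional[int] = None, salt: Optional[bytes] = None) -> dict:
    """Build a password credential in the two-part layout assumed here:
    credentialData holds the public parameters, secretData the salt and the hash."""
    if algorithm not in ALGORITHMS:
        raise ValueError(f"unsupported algorithm {algorithm!r}")
    iterations = iterations or ALGORITHMS[algorithm][2]
    salt = salt or os.urandom(16)
    value = derive(password, algorithm, iterations, salt)
    return {
        "type": "password",
        "credentialData": json.dumps({"hashIterations": iterations, "algorithm": algorithm}),
        "secretData": json.dumps({
            "value": base64.b64encode(value).decode("ascii"),
            "salt": base64.b64encode(salt).decode("ascii"),
        }),
    }


def credential_params(credential: dict) -> dict:
    """The algorithm and iteration count a stored credential was produced with."""
    return json.loads(credential["credentialData"])


def verify_password(password: str, credential: dict) -> bool:
    """Recompute the hash with the stored parameters and compare in constant time."""
    params = credential_params(credential)
    secret = json.loads(credential["secretData"])
    expected = base64.b64decode(secret["value"])
    actual = derive(password, params["algorithm"], params["hashIterations"],
                    base64.b64decode(secret["salt"]))
    return hmac.compare_digest(expected, actual)


def needs_rehash(credential: dict, policy_algorithm: str, policy_iterations: int) -> bool:
    """True when the stored hash uses another algorithm, or fewer iterations, than the
    realm's current hashAlgorithm / hashIterations password policies demand."""
    params = credential_params(credential)
    return (params["algorithm"] != policy_algorithm
            or params["hashIterations"] < policy_iterations)


def login(password: str, credential: dict, policy_algorithm: str, policy_iterations: int) -> dict:
    """Verify the password, then upgrade the stored hash to the current policy while the
    cleartext is available. Returns the (possibly re-hashed) credential."""
    if not verify_password(password, credential):
        raise PermissionError("invalid credentials")
    if needs_rehash(credential, policy_algorithm, policy_iterations):
        return make_credential(password, policy_algorithm, policy_iterations)
    return credential


if __name__ == "__main__":
    # A credential created under the previous default (pbkdf2-sha256). The iteration
    # count is lowered so the demo runs quickly; real credentials use the defaults above.
    old = make_credential("correct horse battery staple", "pbkdf2-sha256", iterations=1000)
    print("stored:", credential_params(old))
    # A successful login under the new default policy re-hashes to pbkdf2-sha512.
    new = login("correct horse battery staple", old, "pbkdf2-sha512", 1000)
    print("after login:", credential_params(new))
```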
OAuth/OIDC related improvements
Lightweight access tokens support
This release contains support for lightweight access tokens. As a result, you can have smaller access tokens for specified clients. These tokens have only a few claims, which is why they are smaller. Note that a lightweight access token is still a JWT signed by the realm key by default and still contains some very basic claims.
This release introduces an Add to lightweight access token flag that is available on some OIDC protocol mappers. Use this flag to specify if a particular claim should be added to a lightweight access token. It is OFF by default, which means that most claims are not added.
Also, a client policy executor exists. Use it to specify if a particular client request should use lightweight access tokens or regular access tokens. An alternative to the executor is to use an Always use lightweight access token flag on client advanced settings, which causes that client to always use lightweight access tokens. An executor can be an alternative if you need more flexibility. For instance, you may choose to use lightweight access tokens by default but use regular tokens only for the specified scope parameter.
A previous release added an Add to token introspection switch. You use it to add claims that are not present in the access token into the introspection endpoint response.
Thanks to Shigeyuki Kabano for the contribution and thanks to Takashi Norimatsu for help with and review of this feature.
OAuth 2.1 support
This release contains optional OAuth 2.1 support. New client policy profiles were introduced in this release, which administrators can use to make sure that clients and particular client requests comply with the OAuth 2.1 specification. A dedicated client profile exists for confidential clients and a dedicated profile for public clients. Thanks to Takashi Norimatsu and Shigeyuki Kabano for the contribution.
Scope parameter supported in the refresh token flow
Starting with this release, the scope parameter in the OAuth2/OIDC endpoint for token refresh is supported. Use this parameter to request access tokens with a smaller amount of scopes than originally granted, which means you cannot increase access token scope. This scope limitation does not affect the scope of the refreshed refresh token. This function works as described in the OAuth2 specification. Thanks to Konstantinos Georgilakis for the contribution.
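As an added example (not Keycloak code), this Python sketch of a token endpoint's refresh logic shows the narrowing rule from the paragraph above: the new access token carries the requested subset, a request for any scope outside the original grant is rejected with `invalid_scope`, and the rotated refresh token keeps its original scope. Token identifiers are constructed.

```python
import secrets
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple


class InvalidScope(ValueError):
    """Raised when a refresh asks for scope outside the original grant
    (the token endpoint would answer with error=invalid_scope)."""


@dataclass(frozen=True)
class RefreshToken:
    token_id: str                   # constructed identifier, not a real Keycloak token
    granted_scope: FrozenSet[str]   # what the user originally consented to


@dataclass(frozen=True)
class AccessToken:
    token_id: str
    scope: FrozenSet[str]


def refresh(refresh_token: RefreshToken,
            requested_scope: Optional[str]) -> Tuple[AccessToken, RefreshToken]:
    """Apply the refresh-flow scope rule: the access token may be narrowed to the
    requested subset, never widened; the rotated refresh token keeps the full grant."""
    granted = refresh_token.granted_scope
    if requested_scope is None or not requested_scope.split():
        access_scope = granted                    # no scope parameter: full original grant
    else:
        wanted = frozenset(requested_scope.split())
        extra = wanted - granted
        if extra:
            raise InvalidScope("not in original grant: " + " ".join(sorted(extra)))
        access_scope = wanted
    new_access = AccessToken(secrets.token_hex(8), access_scope)
    new_refresh = RefreshToken(secrets.token_hex(8), granted)   # unchanged by narrowing
    return new_access, new_refresh


if __name__ == "__main__":
    rt = RefreshToken("rt-initial", frozenset({"openid", "profile", "email"}))
    at, rt = refresh(rt, "openid email")        # narrowed access token
    print(sorted(at.scope), sorted(rt.granted_scope))
    at, rt = refresh(rt, None)                  # later refresh may use the full grant again
    print(sorted(at.scope))
```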
Client policy executor for secure redirect URIs
A new client policy executor `secure-redirect-uris-enforcer` is introduced. Use it to restrict which redirect URIs can be used by the clients. For instance, you can specify that client redirect URIs cannot have wildcards, must come from a specific domain, must be OAuth 2.1 compliant, and so on.
Thanks to Lex Cao and Takashi Norimatsu for the contribution.
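An added example, not the executor's implementation: a Python checker modelled on the rules described above, with the three restrictions (no wildcards, permitted domains, OAuth 2.1 compliance) as plain constructor arguments. The field names and the OAuth 2.1 interpretation used here (https, or http only to loopback IP literals; exact string matching; no fragment; private-use schemes must contain a dot) are this example's assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple
from urllib.parse import urlsplit


@dataclass(frozen=True)
class RedirectUriPolicy:
    """Registration-time rules for a client's redirect URIs. Illustrative; the field
    names are this example's, not the executor's configuration keys."""
    allow_wildcards: bool = False             # otherwise any '*' in the URI is rejected
    permitted_domains: Tuple[str, ...] = ()   # empty: any host; else host must be one of these or a subdomain
    oauth21: bool = True                      # https (http only to loopback), absolute, no fragment
    allow_private_use_scheme: bool = True     # reverse-DNS schemes such as com.example.app:/callback


def _host_permitted(host: str, domains: Tuple[str, ...]) -> bool:
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in (x.lower() for x in domains))


def _is_loopback(host: str) -> bool:
    # Only IP literals count (127.0.0.1, ::1); a name such as "localhost" could resolve anywhere.
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def violations(uri: str, policy: RedirectUriPolicy) -> List[str]:
    """Every rule the redirect URI breaks; an empty list means it may be registered."""
    problems: List[str] = []
    if "*" in uri and not policy.allow_wildcards:
        problems.append("wildcard not allowed")
    parts = urlsplit(uri)
    scheme, host = parts.scheme.lower(), (parts.hostname or "")
    if not scheme:
        problems.append("must be an absolute URI")
        return problems
    web = scheme in ("http", "https")
    if policy.permitted_domains and web and not _host_permitted(host, policy.permitted_domains):
        problems.append(f"host {host!r} not in permitted domains")
    if policy.oauth21:
        if parts.fragment:
            problems.append("fragment component not allowed")
        if scheme == "http" and not _is_loopback(host):
            problems.append("http only allowed for loopback addresses")
        if not web and not (policy.allow_private_use_scheme and "." in scheme):
            problems.append(f"scheme {scheme!r} is neither https nor a private-use scheme")
    return problems


def matches_registered(requested: str, registered: List[str], policy: RedirectUriPolicy) -> bool:
    """Authorization-time comparison. Under OAuth 2.1 only exact string equality counts;
    otherwise a registered trailing '/*' wildcard also matches any sub-path."""
    for reg in registered:
        if requested == reg:
            return True
        if not policy.oauth21 and policy.allow_wildcards and reg.endswith("/*"):
            if requested.startswith(reg[:-1]) and "#" not in requested:
                return True
    return False


if __name__ == "__main__":
    strict = RedirectUriPolicy(permitted_domains=("example.com",))
    for candidate in ("https://app.example.com/cb", "https://app.example.com/*",
                      "http://app.example.com/cb", "http://127.0.0.1:8080/cb"):
        print(candidate, "->", violations(candidate, strict) or "ok")
```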
Client policy executor for enforcing DPoP
A new client policy executor `dpop-bind-enforcer` is introduced. You can use it to enforce DPoP for a particular client if the `dpop` preview feature is enabled.
Thanks to Takashi Norimatsu for the contribution.
Supporting EdDSA
You can create EdDSA realm keys and use them as signature algorithms for various clients. For instance, you can use these keys to sign tokens or for client authentication with signed JWT.
This feature includes identity brokering where Keycloak itself signs client assertions that are used for `private_key_jwt` authentication to third party identity providers.
Thanks to Takashi Norimatsu and Muhammad Zakwan Bin Mohd Zahid for the contribution.
EC Keys supported by JavaKeystore provider
The provider `JavaKeystoreProvider` for providing realm keys now supports EC keys in addition to previously supported RSA keys.
Thanks to Stefan Wiedemann for the contribution.
Option to add X509 thumbprint to JWT when using private_key_jwt authentication for identity providers
OIDC identity providers now have the Add X.509 Headers to the JWT option for the situation when client authentication with JWT signed by private key is used. This option can be useful for interoperability with some identity providers such as Azure AD, which require the thumbprint to be present on the JWT. Thanks to MT for the contribution.
OAuth Grant Type SPI
The Keycloak codebase includes an internal update to introduce the OAuth Grant Type SPI. This update allows additional flexibility when introducing custom grant types supported by the Keycloak OAuth 2 token endpoint. Thanks to Dmitry Telegin for the contribution.
CORS improvements
The CORS related Keycloak functionality was extracted into the SPI, which can allow additional flexibility. Note that `CorsSPI` is internal and may change in a future release.
Thanks to Dmitry Telegin for the contribution.
Truststore improvements
Keycloak introduces improved truststore configuration options. The Keycloak truststore is now used across the server, including outgoing connections, mTLS, and database drivers. You no longer need to configure separate truststores for individual areas. To configure the truststore, you can put your truststore files or certificates in the default `conf/truststores` directory, or use the new `truststore-paths` config option. For details refer to the relevant guide.
Versioned Features
Features now support versioning. To preserve backward compatibility, all existing features (including `account2` and `account3`) are marked as version 1. Newly introduced features will use versioning, which means that users can select between different implementations of desired features.
For details refer to the features guide.
Keycloak CR Truststores
You may also take advantage of the new server-side handling of truststores by using the Keycloak CR, for example:
```yaml
spec:
  truststores:
    mystore:
      secret:
        name: mystore-secret
    myotherstore:
      secret:
        name: myotherstore-secret
```
Currently only Secrets are supported.
Trust Kubernetes CA
The cert for the Kubernetes CA is added automatically to your Keycloak Pods managed by the Operator.
Automatic certificate management for SAML identity providers
The SAML identity providers can now be configured to automatically download the signing certificates from the IDP entity metadata descriptor endpoint. In order to use the new feature, configure the Metadata descriptor URL option in the provider (the URL where the IDP metadata information with the certificates is published) and set Use metadata descriptor URL to ON. The certificates are automatically downloaded and cached in the `public-key-storage` SPI from that URL. The certificates can also be reloaded or imported from the Admin Console, using the action combo in the provider page.
See the documentation for more details about the new options.
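As an added example (not the `public-key-storage` SPI's code), the Python below extracts the signing certificates from an IdP metadata descriptor, treating `KeyDescriptor` elements without a `use` attribute as signing-capable per the SAML metadata specification and skipping encryption-only keys, then caches them with a time-based refresh plus the explicit reload the text mentions. The metadata document and certificate bodies are constructed placeholders, not real certificates.

```python
import base64
import hashlib
import re
import time
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Callable, List

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}


def _b64(text: str) -> str:
    return base64.b64encode(text.encode("ascii")).decode("ascii")


# Constructed sample descriptor. The X509Certificate bodies are base64 of short labels,
# NOT real certificates, so the example runs offline; the structure follows SAML 2.0 metadata.
SAMPLE_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}" entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {_b64("constructed-signing-cert-1")}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{_b64("constructed-dual-use-cert")}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{_b64("constructed-encryption-cert")}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


@dataclass(frozen=True)
class SigningCert:
    der: bytes          # decoded certificate bytes
    fingerprint: str    # SHA-256 over those bytes, lowercase hex


def fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()


def signing_certificates(metadata_xml: str) -> List[SigningCert]:
    """Certificates the IdP may sign with: KeyDescriptor use="signing", or no use attribute
    (which per the metadata spec means the key serves both purposes). Encryption-only
    keys are skipped so they can never be mistaken for signature trust anchors."""
    # Metadata fetched from a configured URL is still remote input: parse with
    # defusedxml.ElementTree instead when the source is not fully trusted.
    root = ET.fromstring(metadata_xml)
    certs: List[SigningCert] = []
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue
        for node in kd.iterfind(".//ds:X509Certificate", NS):
            b64 = re.sub(r"\s+", "", node.text or "")
            if b64:
                der = base64.b64decode(b64, validate=True)
                certs.append(SigningCert(der, fingerprint(der)))
    return certs


class MetadataCertCache:
    """Holds the signing certs from a metadata URL, refreshing after ttl seconds
    or on an explicit reload (the manual action available in the console)."""

    def __init__(self, fetch: Callable[[], str], ttl_seconds: float = 3600,
                 clock: Callable[[], float] = time.time):
        self._fetch, self._ttl, self._clock = fetch, ttl_seconds, clock
        self._certs: List[SigningCert] = []
        self._expires = 0.0

    def reload(self) -> List[SigningCert]:
        self._certs = signing_certificates(self._fetch())
        self._expires = self._clock() + self._ttl
        return self._certs

    def get(self) -> List[SigningCert]:
        if self._clock() >= self._expires:
            return self.reload()
        return self._certs

    def trusted(self, fp: str) -> bool:
        """Whether a signature by the certificate with this fingerprint should be accepted."""
        return any(c.fingerprint == fp for c in self.get())


if __name__ == "__main__":
    for cert in signing_certificates(SAMPLE_METADATA):
        print(cert.der.decode("ascii"), cert.fingerprint[:16])
```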
Non-blocking health check for load balancers
A new health check endpoint available at `/lb-check` was added.
The execution is running in the event loop, which means this check is responsive also in overloaded situations when Keycloak needs to handle many requests waiting in the request queue.
This behavior is useful, for example, in multi-site deployment to avoid failing over to another site that is under heavy load.
The endpoint is currently checking availability of the embedded and external Infinispan caches. Other checks may be added later.
This endpoint is not available by default.
To enable it, run Keycloak with the `multi-site` feature.
For more details, see Enabling and disabling features.
Keycloak CR Optimized Field
The Keycloak CR now includes a `startOptimized` field, which may be used to override the default assumption about whether to use the `--optimized` flag for the start command.
As a result, you can use the CR to configure build time options also when a custom Keycloak image is used.
Enhanced reverse proxy settings
It is now possible to separately enable parsing of either `Forwarded` or `X-Forwarded-*` headers by using the new `--proxy-headers` option.
For details, see the Reverse Proxy Guide.
The original `--proxy` option is now deprecated and will be removed in a future release. For migration instructions, see the Upgrading Guide.
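An added example, not Keycloak's or Quarkus' parser: a Python function that derives the client address, protocol and host from either the `Forwarded` header family or the `X-Forwarded-*` family, never both, according to a mode value shaped like the option above, so that a value placed in the unselected family is ignored. Taking the rightmost `X-Forwarded-For` entry assumes exactly one trusted proxy in front of the server.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class ClientInfo:
    client_ip: str
    proto: Optional[str]
    host: Optional[str]
    source: Optional[str]   # header family the values came from; None = socket peer only


def parse_forwarded(value: str) -> Dict[str, str]:
    """RFC 7239 Forwarded: comma-separated elements, one per proxy hop, each a
    semicolon-separated list of key=value pairs (values may be quoted). Returns the
    pairs of the last element, i.e. the hop closest to this server."""
    last: Dict[str, str] = {}
    for element in value.split(","):
        pairs: Dict[str, str] = {}
        for pair in element.split(";"):
            if "=" not in pair:
                continue
            key, val = pair.split("=", 1)
            val = val.strip()
            if len(val) >= 2 and val[0] == val[-1] == '"':
                val = val[1:-1]
            pairs[key.strip().lower()] = val
        if pairs:
            last = pairs
    return last


def client_info(peer_ip: str, headers: Dict[str, str], mode: Optional[str]) -> ClientInfo:
    """Derive client address/proto/host from exactly one header family.
    mode 'forwarded' reads only Forwarded, 'xforwarded' reads only X-Forwarded-*;
    anything else trusts neither and reports the TCP peer. The family that is not
    selected is ignored even when present."""
    h = {k.lower(): v for k, v in headers.items()}
    if mode == "forwarded" and "forwarded" in h:
        p = parse_forwarded(h["forwarded"])
        return ClientInfo(p.get("for", peer_ip), p.get("proto"), p.get("host"), "Forwarded")
    if mode == "xforwarded" and any(k.startswith("x-forwarded-") for k in h):
        chain = [x.strip() for x in h.get("x-forwarded-for", "").split(",") if x.strip()]
        # The rightmost entry was appended by the proxy directly in front of us;
        # earlier entries were supplied by whoever connected to that proxy.
        ip = chain[-1] if chain else peer_ip
        return ClientInfo(ip, h.get("x-forwarded-proto"), h.get("x-forwarded-host"), "X-Forwarded-*")
    return ClientInfo(peer_ip, None, None, None)


if __name__ == "__main__":
    hdrs = {"Forwarded": "for=198.51.100.17;proto=https;host=id.example.test",
            "X-Forwarded-For": "203.0.113.9, 10.0.0.2", "X-Forwarded-Proto": "http"}
    for mode in ("forwarded", "xforwarded", None):
        print(mode, client_info("10.0.0.1", hdrs, mode))
```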
Changes to the user representation in both Admin API and Account contexts
In this release, we are encapsulating the root user attributes (such as `username`, `email`, `firstName`, `lastName`, and `locale`) by moving them to a base/abstract class in order to align how these attributes are marshalled and unmarshalled when using both Admin and Account REST APIs.
This strategy provides consistency in how attributes are managed by clients and makes sure they conform to the user profile configuration set to a realm.
For more details, see the Upgrading Guide.
Sequential loading of offline sessions and remote sessions
Starting with this release, the first member of a Keycloak cluster will load remote sessions sequentially instead of in parallel. If offline session preloading is enabled, those will be loaded sequentially as well.
For more details, see the Upgrading Guide.
Performing actions on behalf of another already authenticated user is no longer possible
In this release, you can no longer perform actions such as email verification if the user is already authenticated and the action is bound to another user. For instance, a user cannot complete the verification email flow if the email link is bound to a different account.
Changes to the email verification flow
In this release, if a user tries to follow the link to verify the email and the email was previously verified, a proper message will be shown.
In addition to that, a new error (`EMAIL_ALREADY_VERIFIED`) event will be fired to indicate an attempt to verify an already verified email. You can use this event to track possible attempts to hijack user accounts in case the link has leaked, or to alert users if they do not recognize the action.
Deprecated offline session preloading
The default behavior of Keycloak is to load offline sessions on demand. The old behavior to preload them at startup is now deprecated, as pre-loading them at startup does not scale well with a growing number of sessions, and increases Keycloak memory usage. The old behavior will be removed in a future release.
For more details, see the Upgrading Guide.
Configuration option for offline session lifespan override in memory
To reduce memory requirements, we introduced a configuration option to shorten lifespan for offline sessions imported into the Infinispan caches. Currently, the offline session lifespan override is disabled by default.
For more details, see the Server Administration Guide.
Infinispan metrics use labels for cache manager and cache names
When enabling metrics for Keycloak's embedded caches, the metrics now use labels for the cache manager and the cache names.
For more details, see the Upgrading Guide.
User attribute value length extension
As of this release, Keycloak supports storing and searching by user attribute values longer than 255 characters, which was previously a limitation.
For more details, see the Upgrading Guide.
Brute Force Protection changes
There have been a couple of enhancements to the Brute Force Protection:
- When an attempt to authenticate with an OTP or Recovery Code fails due to Brute Force Protection, the active Authentication Session is invalidated. Any further attempts to authenticate with that session will fail.
- In previous versions of Keycloak, the administrator had to choose between disabling users temporarily or permanently due to a Brute Force attack on their accounts. The administrator can now permanently disable a user after a given number of temporary lockouts.
- The property `failedLoginNotBefore` has been added to the `brute-force/users/{userId}` endpoint.
Authorization Policy
In previous versions of Keycloak, when the last member of a User, Group or Client policy was deleted, that policy would also be deleted. Unfortunately, this could lead to an escalation of privileges if the policy was used in an aggregate policy. To avoid privilege escalation, the affected policies are no longer deleted, and an administrator will need to update those policies.
Keycloak CR cache-config-file option
The Keycloak CR now allows for specifying the `cache-config-file` option by using the `cache` spec `configMapFile` field, for example:
```yaml
apiVersion: k8s.keycloak.org/v2alpha1
kind: Keycloak
metadata:
  name: example-kc
spec:
  ...
  cache:
    configMapFile:
      name: my-configmap
      key: config.xml
```
Keycloak CR resources options
The Keycloak CR now allows for specifying the `resources` options for managing compute resources for the Keycloak container.
It provides the ability to request and limit resources independently for the main Keycloak deployment via the Keycloak CR, and for the realm import Job via the Realm Import CR.
When no values are specified, the default `requests` memory is set to `1700MiB`, and the `limits` memory is set to `2GiB`.
You can specify your custom values based on your requirements as follows:
```yaml
apiVersion: k8s.keycloak.org/v2alpha1
kind: Keycloak
metadata:
  name: example-kc
spec:
  ...
  resources:
    requests:
      cpu: 1200m
      memory: 896Mi
    limits:
      cpu: 6
      memory: 3Gi
```
For more details, see the Operator Advanced configuration.
Temporary lockout log replaced with event
There is now a new event `USER_DISABLED_BY_TEMPORARY_LOCKOUT` when a user is temporarily locked out by the brute force protector.
The log with ID `KC-SERVICES0053` has been removed, as the new event offers the information in a structured form.
For more details, see the Upgrading Guide.
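As an added detection example (not Keycloak code) serving both this event and the `EMAIL_ALREADY_VERIFIED` error event described earlier, the Python below runs over constructed event lines, shaped like the jboss-logging event listener's `key=value` output, and raises alerts for `USER_DISABLED_BY_TEMPORARY_LOCKOUT` events and for repeated use of an already-verified email link, escalating when the attempts come from more than one address or from an address that also caused a lockout. The exact line layout and the placement of `email_already_verified` in the `error` field are assumptions.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional

# Constructed sample lines, shaped like the jboss-logging event listener's key=value output.
# Field names and their order are approximations, not copied from a real Keycloak log.
SAMPLE_LOG = """\
2024-03-04T10:15:01Z WARN [org.keycloak.events] type=VERIFY_EMAIL_ERROR, realmId=demo, clientId=account, userId=u-1001, ipAddress=198.51.100.7, error=email_already_verified
2024-03-04T10:15:40Z WARN [org.keycloak.events] type=VERIFY_EMAIL_ERROR, realmId=demo, clientId=account, userId=u-1001, ipAddress=203.0.113.44, error=email_already_verified
2024-03-04T10:16:02Z INFO [org.keycloak.events] type=LOGIN, realmId=demo, clientId=account, userId=u-2002, ipAddress=192.0.2.10
2024-03-04T10:17:30Z WARN [org.keycloak.events] type=LOGIN_ERROR, realmId=demo, clientId=account, userId=u-3003, ipAddress=203.0.113.44, error=invalid_user_credentials
2024-03-04T10:17:31Z WARN [org.keycloak.events] type=USER_DISABLED_BY_TEMPORARY_LOCKOUT, realmId=demo, userId=u-3003, ipAddress=203.0.113.44
"""

EVENT_START = re.compile(r"\btype=")


def parse_event(line: str) -> Optional[Dict[str, str]]:
    """Split one event line into its key=value fields; None if the line is not an event."""
    m = EV_START = EVENT_START.search(line)
    if not m:
        return None
    fields = {"timestamp": line.split(" ", 1)[0]}
    for pair in line[m.start():].split(", "):
        if "=" in pair:
            key, val = pair.split("=", 1)
            fields[key.strip()] = val.strip()
    return fields


def analyse(lines: Iterable[str]) -> List[dict]:
    """Two rules over the event stream:
    - every USER_DISABLED_BY_TEMPORARY_LOCKOUT becomes an alert (it replaced the old log line);
    - every user with an email_already_verified error is reported, high severity when the
      attempts came from more than one address (what a leaked link would look like) or
      from an address that also triggered a lockout."""
    alerts: List[dict] = []
    verify_sources: Dict[str, set] = defaultdict(set)
    lockout_ips: set = set()
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        if ev.get("type") == "USER_DISABLED_BY_TEMPORARY_LOCKOUT":
            lockout_ips.add(ev.get("ipAddress"))
            alerts.append({"rule": "temporary_lockout", "userId": ev.get("userId"),
                           "ipAddress": ev.get("ipAddress"), "timestamp": ev["timestamp"]})
        if ev.get("error", "").lower() == "email_already_verified":
            verify_sources[ev.get("userId", "?")].add(ev.get("ipAddress", "?"))
    for user, ips in verify_sources.items():
        overlap = sorted(ips & lockout_ips)
        alerts.append({"rule": "verified_link_reused", "userId": user, "sources": sorted(ips),
                       "severity": "high" if len(ips) > 1 or overlap else "low",
                       "also_locked_out_from": overlap})
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG.splitlines()):
        print(alert)
```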
Updates to cookies
Cookie handling code has been refactored and improved, including a new Cookie Provider. This provides better consistency for cookies handled by Keycloak, and the ability to introduce configuration options around cookies if needed.
SAML User Attribute Mapper For NameID now suggests only valid NameID formats
User Attribute Mapper For NameID allowed setting the Name ID Format option to the following values:
- urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName
- urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName
- urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos
- urn:oasis:names:tc:SAML:2.0:nameid-format:entity
However, Keycloak does not support receiving an `AuthnRequest` document with one of these `NameIDPolicy` values; therefore these mappers would never be used. The supported options were updated to only include the following Name ID Formats:
- urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
- urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
- urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
- urn:oasis:names:tc:SAML:2.0:nameid-format:transient
Different JVM memory settings when running in container
Instead of specifying hardcoded values for the initial and maximum heap size, Keycloak uses values relative to the total memory of a container.
The JVM options `-Xms` and `-Xmx` were replaced by `-XX:InitialRAMPercentage` and `-XX:MaxRAMPercentage`.
For more details, see the Running Keycloak in a container guide.
GELF log handler has been deprecated
With the sunsetting of the underlying library providing integration with GELF, Keycloak will no longer support the GELF log handler out-of-the-box. This feature will be removed in a future release. If you require external log management, consider using file log parsing.
Support for multi-site active-passive deployments
Deploying Keycloak to multiple independent sites is essential for some environments to provide high availability and a speedy recovery from failures. This release supports active-passive deployments for Keycloak.
To get started, use the High Availability Guide which also includes a comprehensive blueprint to deploy a highly available Keycloak to a cloud environment.
Upgrading
Before upgrading refer to the migration guide for a complete list of changes.
All resolved issues
New features
- #15190 RestAPI endpoint "send-verify-email" sending execute actions email template. (admin/api)
- #19586 @keycloak/keycloak-admin-client doesn't provide an ability to use optional client scope for access token (admin/client-js)
- #23539 User profile attributes should only accept a single value unless configured otherwise (user-profile)
- #25167 Implement POST logout in Keycloak JS (adapter/javascript)
- #25446 CORS SPI (oidc)
- #25676 Introduce new CLI config options for Infinispan remote store (dist/quarkus)
- #25702 Encrypt network communication in JGroups (dist/quarkus)
- #25733 Update Route53 HA guide to be compatible with ROSA and Openshift 4.14.x
- #25903 Create new landing page for admin console
- #25941 Issue Verifiable Credentials in the JWT-VC format (core)
- #26028 Remove conditional statements about Windows / Linux from the docs (docs)
- #26250 OAuth 2.0 Grant Type SPI (oidc)
- #26455 Supported option to specify maximum threads used to handle HTTP requests (dist/quarkus)
- #26456 Supported option to specify resource management for pods in Keycloak CR (dist/quarkus)
- #26458 Support custom Infinispan configuration file in Keycloak CR (operator)
- #26460 Supported option to specify site name for multi-site deployments (dist/quarkus)
- #26500 Cookie Provider
- #26936 Support EC Key-Imports for the JavaKeystoreKeyProvider
- #27186 Meta description of admin-ui and account-ui cannot be changed in theme.properties
Enhancements
- #9508 Rename "Resident key" to "Discoverable Credential" (docs)
- #9758 User attributes with a text more than 255 characters (storage)
- #9784 Add truststore options to Keycloak CR (operator)
- #10794 Support importing Kubernetes CA (operator)
- #12009 Support for scope parameter in the refresh flow (oidc)
- #12352 Align Operator config naming with Quarkus distribution (operator)
- #12946 Add X509 thumbprint to JWT when using private_key_jwt (oidc)
- #13250 --verbose option doesn't work in Quarkus distribution (dist/quarkus)
- #15000 Add EdDSA/Ed25519 to WebAuthn Signature algorithms (authentication/webauthn)
- #15714 Supporting EdDSA (oidc)
- #16629 Increase the default iterations for Pbdkdf2-256/512 to match the updated OWASP recommendations (authentication)
- #17574 Add failedLoginNotBefore field to existing brute force detection status API
- #17735 Admin-UI: Show realm display name in realm drop down instead of realm id if available (admin/ui)
- #19190 Add "amr" to already implemented "acr" support
- #19285 Disable Groovy Closures when bootstrapping Picocli (dist/quarkus)
- #20125 Role mapping tab no longer visible when using fine grained permissions after upgrade from 20.0.3 to 21.0.2 (admin/ui)
- #21074 Identity providers: pagination in admin console
- #21343 Upgrade welcome theme to PatternFly 5 (welcome/ui)
- #21559 Provide raw OpenAPI specification alongside Keycloak Admin REST API html documentation
- #21578 Scope parameter in Oauth 2.0 token exchange
- #21771 List reload button for admin panel (admin/ui)
- #22436 Query users by 'LDAP_ID' is not working (ldap)
- #22922 Use Infinispan BOM instead of direct Infinispan dependencies (storage)
- #23057 Localization tabs (admin/ui)
- #23431 Allow user to select between `Forwarded` or `X-Forwarded-*` header
- #23470 Docs: authorization_services/topics/service-authorization-obtaining-permission.adoc (authorization-services)
- #23854 Use upstream Quarkus functionality for non-blocking probes (dist/quarkus)
- #23878 User profile configuration scoped to user-federation provider (user-profile)
- #23896 Changes in declarative user profile should result in admin events (user-profile)
- #24094 Map Store Removal: Delete map profiles from testsuite (storage)
- #24097 Map Store Removal: Delete container providers that were added to the base testsuite (storage)
- #24102 Map Store Removal: Delete Profile.Feature.MAP_STORAGE and all its usages (storage)
- #24103 Map Store Removal: Delete GlobalLockProvider (storage)
- #24105 Map Store Removal: Rename Legacy* classes (storage)
- #24107 Map Store Removal: Revert deprecated modules in model/legacy and rename "legacy" to "storage" (storage)
- #24148 Add config property to specify a list of truststores
- #24202 Cache stampede after client invalidation (storage)
- #24245 Parse default UserProfile configuration in the build time
- #24250 Allow selecting attributes from user profile when managing token mappers (user-profile)
- #24344 Enhance error logs and error events during UserInfo endpoint and Token Introspection failure
- #24412 Accessibility of 2FA method selection (login/ui)
- #24422 UMA 2 not evaluating as expected when using permission tickets (authorization-services)
- #24424 Query on update the ADFS FederationMetadata.xml on the keycloak instead of delete and recreating the IDP config #24310 (saml)
- #24567 Map Store Removal: Revert changes related to map store in test classes in base testsuite (storage)
- #24668 Features versioning
- #24793 Map Store Removal: Remove `LockObjectsForModification` (storage)
- #24798 Add truststores to keycloak cr
- #24860 Initialize Infinispan earlier in the build chain (dist/quarkus)
- #24926 Add polish translations (admin/ui)
- #24995 Avoid deprecated API usage in testsuite/integration-arquillian/tests/base (core)
- #25058 Add Polish Translations to Account UI (account/ui)
- #25074 Update Kerberos provider for user-profile (user-profile)
- #25075 Update SSSD provider for user-profile (user-profile)
- #25103 Remove product from server info (admin/ui)
- #25113 Add a test for the LoadBalancerCheck
- #25146 Decouple "factory" methods from the "provider" methods on UserProfileProvider implementation (user-profile)
- #25149 Replace the existing themes with the dynamic templates from user profile (user-profile)
- #25236 Documentation about Australia Consumer Data Right security profile
- #25238 Add missing Arabic messages
- #25287 Upgrade Infinispan to 14.0.21.Final
- #25288 Map Store Removal: Remove protostream dependency (storage)
- #25300 Deprecate offline session preloading (infinispan)
- #25308 Map Store Removal: Revert changes made to backchannelLogout (storage)
- #25309 Map Store Removal: Remove ResponseSessionTask (storage)
- #25314 Supporting OAuth 2.1 for confidential clients (oidc)
- #25315 Client policies : executor for enforcing DPoP (oidc)
- #25316 Supporting OAuth 2.1 for public clients (oidc)
- #25328 Tests for client scopes/evaluate tab are missing
- #25375 Extra tests for realm roles
- #25388 Enable concurrent remote operations for Infinispan (storage)
- #25403 Implements attributes field in KeycloakProfile interface (admin/client-js)
- #25404 Adapt incremental build for latest changes in themes module (ci)
- #25415 Describe how to use Infinispan Batch CRs for automation with the external Infinispan (storage)
- #25416 Update UserProfileProvider.setConfiguration to accept UPConfig instead of String
- #25487 Add extra tests for realm-settings in admin-ui
- #25637 Client policies: executor for validate and match a redirect URI (oidc)
- #25638 Keycloak native implementation of SD-JWT (core)
- #25666 [Admin UI] Allow to customize built-in components administration UI via ConfiguredProvider
- #25691 More info on UserProfileContext (user-profile)
- #25738 Tooltips improvements when configuring user profile attribute (user-profile)
- #25770 X509 client certificate login label extends out of form (login/ui)
- #25823 Ability to declare a default "First broker login flow" per Realm
- #25872 Make the `user` attribute available to the `idp-review-user-profile.ftl` template
- #25882 RealmResourceProvider is not working as expected since version 23.0.0 (core)
- #25897 Admin UI: Show realm display name on welcome page (admin/ui)
- #25908 Could not format default value for log formats (dist/quarkus)
- #25915 Make more clear in the documentation that the wait time is only increased on multiples of the max number of failures (docs)
- #25935 Create Infinispan metrics with labels instead of long metric names
- #25962 Missing localization of cs+sk messages
- #25979 User profile attribute names with strange characters (docs)
- #25985 Enable verify-profile required action by default (user-profile)
- #26068 Reduce internal unsupported options in the Keycloak HA documentation
- #26083 Change RHDG references to Infinispan
- #26092 Do not use raw parameterized PropertyMapper (dist/quarkus)
- #26146 Migration docs for https://github.com/keycloak/keycloak/issues/15190 (docs)
- #26172 Permanently lock users out after X temporary lockouts during a brute force attack (authentication)
- #26198 Comprehensive log for the LoggingDistTest and Quarkus IT (testsuite)
- #26220 Don't differentiate Windows for getting started (docs)
- #26223 Use `--http-max-queued-requests` option in Keycloak HA documentation (docs)
- #26241 Do not use general debug log level for tests (testsuite)
- #26315 Fully remove reasteasy-core
- #26320 Allow formating numbers when rendering attributes (user-profile)
- #26325 Remove unused HttpResponse.setWriteCookiesOnTransactionComplete
- #26402 Improve wording in Concepts for configuring thread pools section in documentation
- #26416 Remove support for old cookie path
- #26430 Implement stricter controls at token endpoint for PKCE verification
- #26457 Remove support for multiple AUTH_SESSION_ID cookies
- #26469 Documentation for verify-profile required action enabled by default (docs)
- #26485 Add missing Arabic translations (translations)
- #26489 Ability to have alternative default user-profile configuration (user-profile)
- #26530 Map Store Removal: Remove `RealmModel` from authorization services interfaces (storage)
- #26552 Do we need to hide "required" settings for email? (user-profile)
- #26570 Upgrade liquibase to 4.25.1
- #26585 Improve UX of read-only attributes (user-profile)
- #26587 Documentation for SuppressRefreshTokenRotationExecutor (oidc)
- #26589 Allow Case-Insensitive Search on Provider Info Page in Admin UI (admin/ui)
- #26598 Map Store Removal: deprecate model legacy module (storage)
- #26626 Brute force detection should issue event for temporary lockout (core)
- #26634 Documentation for default validation changes due user-profile enabled (docs)
- #26683 Remove explicitly set `lit-element` version (dist/quarkus)
- #26689 Update Maven dependency versions for docs (docs)
- #26701 Upgrade to Quarkus 3.7.1 (dist/quarkus)
- #26730 Add Multi-AZ Aurora DB to CI store-integration-tests
- #26776 Update documentation to use new Infinispan configuration options
- #26781 Update HA guide about non-blocking probes (docs)
- #26810 Shorter lifespan for offline session cache entries in memory (storage)
- #26812 Upgrade to embedded Infinispan 14.0.24 (storage)
- #26819 Use version specific tag for Keycloak images in the docs (docs)
- #26859 Upgrade to Quarkus 3.8 (dist/quarkus)
- #26898 User profile: Add regression test for select inputs
- #26910 Keycloak Operator should add service-ca.crt to the truststore (operator)
- #26916 Upgrade to Quarkus 3.7.2 (dist/quarkus)
- #26919 doc: add a clear mention in the documentation about the storage of the refresh and access token (docs)
- #26921 Use latest OLM version for Operator CI (testsuite)
- #26929 Ignore unrecognized truststore formats if `--truststore-paths` is a directory (dist/quarkus)
- #26967 Aurora Postgres IT: Upload flaky and surefire test reports
- #27036 Upgrade to Quarkus 3.7.3 (dist/quarkus)
- #27048 Add Amazon Aurora PostgreSQL to the list of tested databases
- #27078 Update Keycloak HA Guide new resource limit settings
- #27084 Remove the preview note from Keycloak's HA guide
- #27093 "Open ID Connect" in docs / UIs should be "OpenID Connect"
- #27105 Add New User Registration Option on WebAuthn Authentication UI (authentication/webauthn)
- #27121 Remove references to Quarkus docs and absolute URLs from HA Guide docs
- #27123 Use AWS JDBC Wrapper in CI tests
- #27125 Add warning about too long attribute values
- #27143 Distinguish user registration action label from the security key registration action's one (authentication/webauthn)
- #27147 Replace "Security Key" with "Passkey" in WebAuthn UIs and their documents (authentication/webauthn)
- #27148 Allow overriding the default validators added to attributes (user-profile)
- #27169 Tweak the default memory request and limit in the Operator (operator)
- #27190 a11y improvements on login page
- #27226 Upgrade to Quarkus 3.7.4 (dist/quarkus)
- #27238 Add option to clients to use lightweight access token (oidc)
- #27280 Upgrade to Infinispan 14.0.25
- #27281 Allow option of using client_id instead of id_token_hint with RP-initiated logout in brokered IDP config/call. (identity-brokering)
- #27315 Change docker image to container image
- #27324 Remove RHSSO product documentation from upgrading guide (docs)
- #27326 Edit Keycloak 24.0 release notes (docs)
- #27327 Harmonize behaviour of different CertificateUtilsProvider implementations
- #27440 Edit Keycloak 23.x Release Notes
- #27452 Edit Keycloak 24 Upgrade guide
Bugs
- #9871 Remove Infinispan workarounds introduced to prevent deadlocks (storage)
- #11178 Event for MISSING_REQUIRED_DESTINATION with idp brokering incorrectly says error is related to logout even for a login response (saml)
- #13080 Encoded token stored as KC_RESTART cookie uses weak algorithm- HS256 (authentication)
- #13368 Issue when using DenyAuthenticator in direct-grant flow (authentication)
- #14448 Multiple failures in OfflineServletsAdapterTest (testServlet, testServletWithConsent, testServletWithRevoke) (testsuite)
- #14581 HTTP Redirect 303 to wrong URL (in case port is not 80) when trailing slash is not added (dist/quarkus)
- #14776 Mail verification isn't working for multiple accounts in one session (only on auto login by clicking the verification mail, not by logging in with the credentials) (authentication)
- #16260 Incorrect handling of OptionParserException in kcadm (admin/cli)
- #17155 UPDATED_PASSWORD user action shouldn't be triggered when login with linked IdP (user-profile)
- #17449 Removing the Realm ID and saving causes the realm to be vanished from the list of the realms (admin/api)
- #19183 token-exchange does apply clientScopes of the origin client (token-exchange)
- #19294 Error on starting keycloak when foldername contains ")" using kc.bat. (dist/quarkus)
- #19886 Allow configuration cookies with `SameSite=Strict` for better compliance with strict regulations and standards (authentication)
- #20304 When choosing resources in scope-based permission, multiple resource can be selected but only one will be visable (admin/ui)
- #20867 Control redirect after password reset (core)
- #21127 During password reset, the baseURL is not shown on the info page after browser restart (authentication)
- #21151 Realm import stack overflow (import-export)
- #21409 Brute Force Detection is disabled when updating frontenUrl via admin client (authentication)
- #21542 Context path missing in URL on OTP page to switch between QR code and manual code (core)
- #21730 v 22.0.0 - when creating a new realm the registration flow does not have terms and conditions step (core)
- #21951 Unable to use `<` as part of a password (admin/cli)
- #22082 Flaky test: org.keycloak.testsuite.model.session.OfflineSessionPersistenceTest#testPersistenceClientSessionsMultipleNodes (storage)
- #22401 Common resources in Welcome page didn't resolve correctly (welcome/ui)
- #22431 Localization: Admin UI doesn't pick up message bundles from realms other than master (admin/ui)
- #22507 User profile attributes not localized in account console V3 (user-profile)
- #22540 Description of "Configuring sources for Keycloak" inconsistent / misleading (docs)
- #22555 Docs: server_development/topics/identity-brokering.adoc (docs)
- #22660 Implementing custom ClientAuthenticator loses access to Client Secret Input Field in the Admin UI (admin/ui)
- #22691 Flaky test: org.keycloak.testsuite.forms.RecoveryAuthnCodesAuthenticatorTest#test03AuthenticateRecoveryAuthnCodes (authentication)
- #22836 Invalid redirect uri when identity provider alias has spaces (identity-brokering)
- #22904 Flaky test: org.keycloak.testsuite.model.session.OfflineSessionPersistenceTest#testPersistenceMultipleNodesClientSessionAtSameNode (ci)
- #22958 KeycloakErrorHandler NullPointerException String.toLowe rCase() because message is null (authentication)
- #23023 Undocumented change in priority of X-Forwarded-* headers as of Quarkus distribution (core)
- #23056 Flaky test: org.keycloak.testsuite.admin.concurrency.ConcurrencyTest#testAllConcurrently (storage)
- #23217 NoSuchFileException with ${kc.home.dir} on Windows (dist/quarkus)
- #23229 Realm client update via PUT returns invalid registration_client_uri with duplicated client ID in address (admin/api)
- #23268 New Install with MySQL failing with REALM_SOCIAL_CONFIG ADD issue (storage)
- #23399 Audience is lost after refreshing a RPT (authorization-services)
- #23683 Default-Value in UI for krbPrincipalAttribute is error prone (admin/ui)
- #23699 Account v3 theme - Localization not working on account console (account/ui)
- #23786 Failure: FipsDistTest (ci)
- #23966 Group members are displayed incorrectly when using LDAP in READ_ONLY mode (admin/api)
- #24082 Selected locale is not taking into accoun in `keycloak.v3 account` theme (account/ui)
- #24141 LDAP user mapper for username: user appears twice in the GUI (ldap)
- #24144 Unable to locate entity descriptor: org.keycloak.examples.domainextension.jpa.Company (core)
- #24200 NPE in User Session Note mapper on Token Exchange (token-exchange)
- #24219 admin-fine-grained-authz + client authorization settings requires view-client role (admin/ui)
- #24323 Refresh request ignores scope parameter from refresh request (oidc)
- #24353 Keycloak operator tries to manipulate Secret which is not managed by Keycloak (operator)
- #24361 Adding scopes via registration_client_uri does not work when using Dynamic Client Registration (admin/api)
- #24369 UpdateUserLocaleAction does not trigger EventType.UPDATE_PROFILE event (user-profile)
- #24459 Keycloak fails to start when uninstalling custom provider (dist/quarkus)
- #24464 Tabbing is not working in forms inside dropdown (admin/ui)
- #24485 NullPointerException when key is not available in the database (oidc)
- #24506 Reopening 2 - CVE-2023-21971 - Update Connector/J to 8.0.33 (dependencies)
- #24508 Deadlock when pre-loading remote sessions from external Infinispan (storage)
- #24595 Leaving Single Sign Out page open for too long and then confirming logout leads to error page (authentication)
- #24626 Upgrade testsuite to use SpringBoot 2.7 (ci)
- #24651 Deleting a User or User Group might cause that all users suddenly get the permissions of the deleted user. (authorization-services)
- #24652 SAML decryption fails if keycloak.saml.deprecated.encryption flag is set (saml)
- #24718 Mapper Option "Add to access token" Toggled Off Despite Claim Added to Token (admin/ui)
- #24767 Improve LDAP Condition implementations (ldap)
- #24783 Keycloak Admin UI - Help text not localized in Realm Events Setting UI (admin/ui)
- #24923 Importing Keycloak breaks typescript in esModule (adapter/javascript)
- #24960 OpenAPI spec doesn't match the admin API (admin/api)
- #24961 Keycloak not able to handle multiple validating X509 certificates when public key are the same (saml)
- #24980 The `DefaultActionToken` serializes a JSON Object with duplicate keys (oidc)
- #24986 `getMultiPartFormParameters()` always returns `EmptyMultivaluedMap` after upgrade to Resteasy Reactive (core)
- #25001 Client redirect_uri check must be compared using exact string matching (oidc)
- #25016 Make password visibility css classes configurable for themes (login/ui)
- #25033 Typo in the balloon help of SAML Username Template Importer (core)
- #25041 Incomplete Spanish translations for Admin UI (translations)
- #25051 Unexpected Application Error when clicking "Cancel" on user creation page (admin/ui)
- #25054 Read Only Access of the realm users' "Role mapping" tab is broken for Admin Console (admin/ui)
- #25060 fix debug log string (core)
- #25078 Log Injection during WebAuthn authentication/registration (authentication)
- #25096 Meaning of briefRepresentation query parameter is inverted in GroupResource.getSubGroups (admin/api)
- #25110 User Profile attribute with "Options" shows options of another attribute if none set on it (user-profile)
- #25111 RealmAdminResource.getGroupByPathGroup does not work with space in path parameter (admin/api)
- #25173 Make sure username is lowercase when normalizing attributes (user-profile)
- #25183 NullPointerException thrown for UPConfig.getGroups() (user-profile)
- #25208 GH Actions -> Keycloak CI -> MSSQL docker images fails during startup (ci)
- #25231 CIBA and PAR are broken since 23.0.0 (NPE) when using http protocol (oidc)
- #25235 Unable to start after updating Docker container (dist/quarkus)
- #25290 Social Login Tests unable to retrieve Federated Access Token from user session (testsuite)
- #25294 Kerberos principal attribute not found on LDAP user - even if kerberos authentication is off (ldap)
- #25322 Warning "Event object wasn't available in remote cache" when using remote store
- #25392 Admin Console: Realm Dropdown should only show the realms the user has access to (admin/ui)
- #25417 Avoid keycloak-admin-client in UI to call admin console UI extension (admin/ui)
- #25423 Confusing error message by pr-backport.sh when not authenticated to gh (ci)
- #25433 Key provider UI issue while saving - RSA (admin/ui)
- #25449 Clean up translations for DE/EN/NL for a first test-run of Weblate (translations)
- #25451 Admin cli failing when adding roles to a 3rd group in a list (admin/cli)
- #25463 Unnecessary user profile metdata sent on user update (user-profile)
- #25475 User Profile: If required roles ("user") and reqired scopes are set, the required scopes have no effect (user-profile)
- #25502 Account v3 theme - theme.properties Custom theme scripts not loading (account/ui)
- #25515 Deleting an atribute from the UI is reseting the unmanaged attribute policy (user-profile)
- #25544 Post Logout Redirect URIs "+" behavior is inconsistent with other usages (i.e. Web Origins) (oidc)
- #25565 OpenAPI: POST for /admin/realms response is 201 (admin/api)
- #25566 Failure in SSSDUserProfileTest.test05MixedInternalDBUserProfile (testsuite)
- #25584 iss not returned as query param in redirect to app when using "prompt=none" and user is not authenticated (oidc)
- #25601 OpenAPI: POST /admin/realms/{realm}/clients response is 201 (admin/api)
- #25604 OpenAPI: Client authz endpoints without responses (admin/api)
- #25628 Translations missing in user details role mapping (admin/ui)
- #25633 Parsing of labels issue IDs doesn't work with colons and the "fixes" keyword (ci)
- #25636 "Disable realm?" displayed when disabling client (admin/ui)
- #25642 Failure in KeycloakDistConfiguratorTest's 'missingHostname' check (testsuite)
- #25649 OpenAPI: In ClientRepresentation the property oauth2DeviceAuthorizationGrantEnabled was not known by the API. (admin/api)
- #25656 OpenAPI: POST /admin/realms/{realm}/clients-initial-access response is 201 (admin/api)
- #25660 Incorrect version of the fix in release notes
- #25677 Removing all group attributes no longer works with keycloak-admin-client (java) (admin/client-java)
- #25679 `/admin/realms/{realm-name}/ui-ext/realms` endpoint leaks realms the user doesn't have access to see (admin/ui)
- #25699 Flaky test Job URL missing on some runs (ci)
- #25704 Custom Validator is never executed when UserProfileContext is UPDATE_EMAIL (user-profile)
- #25714 Flaky test: org.keycloak.testsuite.adapter.servlet.OfflineServletsAdapterTest#testServlet (ci)
- #25731 /admin/realms/{realm}/groups Endpoint is slow (admin/api)
- #25746 Using kcadm.sh create components result to 400 Bad Request (admin/cli)
- #25752 [CI] Store Model Tests failures - UserSessionProviderOfflineModelTest, OfflineSessionPersistenceTest, UserSessionInitializerTest (storage)
- #25753 Backchannel logout token is missing the "exp" claim (oidc)
- #25783 Since 23, start-dev command line arguments parsing is buggy (dist/quarkus)
- #25789 User events: labels overlap content (admin/ui)
- #25827 admin ui uses hyphen instead of dot as realm attribute separator (admin/ui)
- #25853 Timeouts after upgrade of download action v4 (ci)
- #25878 HTML emails in Catalan don't contain links (translations)
- #25883 ldap-group-mapper fails when empty member: attribute is present (ldap)
- #25891 Optimize handling of terms and conditions during registration (core)
- #25892 Test suite depends on artifacts built only when distribution profile is active (ci)
- #25909 Keycloak HA Guide uses token for cross-site setup that expires
- #25912 LDAP federation reports "Creating new LDAP Store..." on every login (ldap)
- #25927 UI crash after using breadcrumb group navigation during an active group search (admin/ui)
- #25934 On invalid submission, IdpUsernamePasswordForm sends back the user to the standard UsernamePasswordForm template (authentication)
- #25939 Declartive user profile. When multiple attributes with options validator are defined and 1 is selected on UI shown that 2 of them have values. (user-profile)
- #25951 Masthead tests fail often (admin/ui)
- #25961 Native SQL Schema names broken on MySQL (storage)
- #25977 No error message displayed when trying to add read-only attribute to some user in `Attributes` tab (user-profile)
- #25980 Force reauthentication is ignored during identity brokering when mapping between OIDC and SAML protocols (saml)
- #25981 GitHub Status check is green if the build fails (ci)
- #26021 `mvn clean` does not work in js directory (account/ui)
- #26032 Duplicate tooltip/label for refresh button on device activity page (account/ui)
- #26036 subgroups clickopen not working (admin/ui)
- #26040 Subgroups-check is incorrect, and therefore subgroups are not clickable (admin/ui)
- #26051 Name ID Format field is confusing for User Attribute Mapper For NameID (saml)
- #26052 Configure OTP Form regenerates Secret on reload (authentication)
- #26059 Attempting to update settings for realm with "dots" in the name fails due to client side validation (admin/ui)
- #26060 Various Localization tab issues
- #26075 Next time you start message references the wrong command (dist/quarkus)
- #26088 Rest custom JAX-RS resource in kc 23: Method not allowed (core)
- #26131 Localization: Realm overrides subtab (admin/ui)
- #26132 Localization: Effective message bundles subtab (admin/ui)
- #26148 Keycloak JavaScript CI: client_scopes_test.spec.ts (ci)
- #26156 A11y critical violation in ProviderId form field (admin/ui)
- #26168 KC_DB_DRIVER is not propagated properly (admin/cli)
- #26177 Invalidate authentication session on repeated OTP failures (authentication)
- #26180 Invalidate authentication session on repeated Recovery Code failures (authentication)
- #26228 With fine grained permissions enabled, the grouptree rights check is not working correctly (admin/ui)
- #26231 keycloak-admin-client missing recent changes to group query parameters (admin/client-js)
- #26236 Ensure community-maintained translations are not part of product build (account/ui)
- #26266 Importing Realm with declarative user profile attributes fails (user-profile)
- #26281 Incorrect example in the Keycloak operator configuration (operator)
- #26291 Workflow failure: FIPS IT - KcSamlEncryptedIdTest#testEncryptedElementIsReadableInDeprecatedMode (ci)
- #26295 Incomplete Chinese Translation for Login Page (translations)
- #26308 Error when migrating from a realm where the user profile component does not hold any entry in the configuration (user-profile)
- #26323 Reset credentials action fails when triggered from first broker login flow (identity-brokering)
- #26330 HTTP status code 413 Request Entity Too Large for large SAMLResponse since Keycloak 23 (saml)
- #26334 Resource and permission titles missing for a new client (admin/ui)
- #26335 Bind flow modal broken (admin/ui)
- #26337 Write tests to cover binding a flow (testsuite)
- #26350 Fix more A11y violations (admin/ui)
- #26358 Apparently incorrect tooltip on "type" field for a "resource" in a client (admin/ui)
- #26363 Search dialog for authorization policy is wrong? (admin/ui)
- #26374 Workflow failure: Quarkus IT - FipsDistTest#testUnsupportedHttpsPkcs12KeyStoreInStrictMode (ci)
- #26375 The role Unassign button enabled in admin console even if no roles are selected (admin/ui)
- #26383 Labels for WebAuthN missing in Account Console (account/ui)
- #26390 More A11y Violations Detected (admin/ui)
- #26400 Workflow failure: Admin UI E2E - realm_test.spec.ts (ci)
- #26407 Typo in disable dialog (admin/ui)
- #26409 Duplicate `key` for credentials on sign in page (account/ui)
- #26418 Failed to link identity broker to user with a verified email by IdP email verification flow (identity-brokering)
- #26420 Labels for WebAuthN Passwordless missing in Account Console (account/ui)
- #26427 Operator CSV uses wrong format for `createdAt` field (operator)
- #26452 Row remains selected when "cancel" clicked on deleting translation in the Localization/Realm Overrides tab (admin/ui)
- #26464 "Test connection" on LDAPS URI does not test TLS handshake (admin/api)
- #26468 SPI-truststore-file-type option appears to be invalid (docs)
- #26490 Update Keycloak sizing guide after change of default hashing configuration (core)
- #26507 Failed to link the user with an existing read-token role from the federation provider when AddReadTokenRoleOnCreate was enabled for the IdP. (storage)
- #26529 Workflow failure: Quarkus IT - FipsDistTest#testUnsupportedHttpsPkcs12KeyStoreInStrictMode (ci)
- #26549 Mysterious settings changes due to Keycloak cluster changes (admin/ui)
- #26564 Issues related to IDNHomographValidator (user-profile)
- #26584 User details locale select broken in realm specific admin console (admin/ui)
- #26588 Infinite loop during X509 authentication (authentication)
- #26597 Keycloak UI meets "Internal Sever Error" after save "Refresh Token Max Reuse" number (core)
- #26604 Arc container is null (dist/quarkus)
- #26609 allow sending realm in request without changing the kc admin object (admin/client-js)
- #26612 Wrong delete messages in Realm overrides (admin/ui)
- #26618 CLIENT_ATTRIBUTES index idx_client_att_by_name_value no longer exists since KC 20 (postgres) (storage)
- #26631 Keycloak HA guide with blank and callout (docs)
- #26635 Account UI ships too much Beer in user attributes (user-profile)
- #26636 Immediately reflect flow binding status on flow definition page in Admin UI when binding an auth flow (admin/ui)
- #26643 Replace "message bundle" text to "translation" in realm overrides (admin/ui)
- #26649 PhantomJS does not send secure cookies over http://localhost (core)
- #26651 [keycloak.js] useNonce parameter is all-or-nothing (adapter/javascript)
- #26653 Disallow removing required filters when searching for effective message bundle. (admin/ui)
- #26665 Unable to modify access token lifespan at realm level. Keycloak stops working. (core)
- #26668 Wrong help for "Create initial access token" expiration field (admin/ui)
- #26686 Not possible to build documentation after quarkus upgrade (docs)
- #26697 When creating a user federation mapper changing the type doesn't change User Roles Retrieve Strategy (admin/ui)
- #26716 User Profile Applies Validation To Service Account Users (user-profile)
- #26727 Auto layout of authenticator flow graph only applies the second time (admin/ui)
- #26747 Tooltip for attribute name in user-profile configuration is incorrect (user-profile)
- #26750 Empty error message when validation issue due the PersonNameProhibitedValidator validation (user-profile)
- #26782 Accessing userinfo fails with CORS when token is expired or session is deleted (oidc)
- #26790 Workflow failure: Operator IT on OpenShift (ci)
- #26792 User profile 'uri' validator not working (user-profile)
- #26816 Keycloak server admin docs needs change with the new hashing iteration changes (docs)
- #26818 bug in operator example yaml (operator)
- #26826 Freemarker erroneously escapes/sanitizes URL in template.ftl (&) (login/ui)
- #26830 Duplicate "Refresh" buttons present in admin-ui (admin/ui)
- #26834 Disabling "Reset OTP" in "Reset credentials" flow throws error on "forgot password" (authentication)
- #26853 Fixing anchors in security apps guide in prod profile (docs)
- #26856 Remove custom user attributes section in server developer guide (user-profile)
- #26937 Once all default client scopes are deleted from the realm we can't create a new custom role. (core)
- #26941 When loading entries from a remote store at startup, no lifespan or expiry is set (core)
- #26951 Roles admin REST API for creating roles: Composite roles are expanded (admin/api)
- #26983 Group not found in list after creation (core)
- #27002 Refresh doesn't work in Localization/Effective message bundles (admin/ui)
- #27005 Unable to approve/deny permission requests (account/ui)
- #27031 Having read-only attributes stored at a user leads to validation warning on every login (user-profile)
- #27095 Cache Keys for Group pagination and other entries cannot be invalidated and updated (infinispan)
- #27120 Microsoft social login failure (testsuite)
- #27133 Workflow failure: Keycloak CI - Store IT (aurora-postgres) (ci)
- #27137 Users with fine-grained permissions can not create a user (admin/ui)
- #27140 Locale selector is unnecessarily visible without rights to locales (admin/ui)
- #27162 Default locale is set to null when not explicitly choosing a locale (admin/ui)
- #27173 Newly created authentication subflow is always disabled (admin/ui)
- #27234 Cannot update email in account console with `update-email` feature enabled (account/ui)
- #27243 Account console not working when lightweight-access-tokens used (oidc)
- #27271 AuthorityKeyIdentifierExtension should be calculated from caCert (if it present) in generateV3Certificate, not from subjPubKeyInfo (core)
- #27284 FolderTheme does not support Locales with extensions (core)
- #27290 AWS JDBC driver throws ConcurrentModificationException (storage)
- #27297 Check for duplicated usernames and emails when Login with email option is enabled (user-profile)
- #27316 Server admin guide not building downstream due to missing IDs (docs)
- #27337 Workflow failure: Admin UI E2E - realm_settings_user_profile_enabled (admin/ui)
- #27344 Secure Redirect URI executor issues (oidc)
- #27345 Workflow failure: Keycloak CI - OAuth 2.0 Grant Type SPI (ci)
- #27406 JavaDocs generation broken after removal of resteasy-core
- #27409 Apply remote store workaround also for configuration via CLI options
- #27412 OAuth 2.1 default profile lacks oauth-2-1-compliant setting for SecureRedirectUrisEnforcerExecutor (oidc)
v23.0.7
Upgrading
Before upgrading refer to the migration guide for a complete list of changes.
All resolved issues
Enhancements
- #26810 Shorter lifespan for offline session cache entries in memory (storage)
Bugs
- #22431 Localization: Admin UI doesn't pick up message bundles from realms other than master (admin/ui)
- #23786 Failure: FipsDistTest (ci)
- #25294 Kerberos principal attribute not found on LDAP user - even if kerberos authentication is off (ldap)
- #25731 /admin/realms/{realm}/groups Endpoint is slow (admin/api)
- #25883 ldap-group-mapper fails when empty member: attribute is present (ldap)
- #25912 LDAP federation reports "Creating new LDAP Store..." on every login (ldap)
- #25961 Native SQL Schema names broken on MySQL (storage)
- #26374 Workflow failure: Quarkus IT - FipsDistTest#testUnsupportedHttpsPkcs12KeyStoreInStrictMode (ci)
- #26529 Workflow failure: Quarkus IT - FipsDistTest#testUnsupportedHttpsPkcs12KeyStoreInStrictMode (ci)
- #26826 Freemarker erroneously escapes/sanitizes URL in template.ftl (&) (login/ui)
- #27120 Microsoft social login failure (testsuite)
v23.0.6
Upgrading
Before upgrading refer to the migration guide for a complete list of changes.
All resolved issues
Bugs
v23.0.5
Upgrading
Before upgrading refer to the migration guide for a complete list of changes.
v23.0.4
Upgrading
Before upgrading refer to the migration guide for a complete list of changes.
v23.0.3
Upgrading
Before upgrading refer to the migration guide for a complete list of changes.
v23.0.2
Highlights
Non-blocking health check for load balancers
A new health check endpoint, available at /lb-check, was added.
The check runs in the event loop, which means it stays responsive even in overloaded situations when Keycloak has many requests waiting in the request queue.
This behavior is useful, for example, in a multi-site deployment where you do not want to fail over to the other site under heavy load.
The endpoint currently checks the availability of the embedded and external Infinispan caches. Other checks may be added later.
This endpoint is not available by default.
To enable it, run Keycloak with the feature multi-site.
Proceed to the Enabling and disabling features guide for more details.
Upgrading
Before upgrading refer to the migration guide for a complete list of changes.
All resolved issues
Enhancements
Bugs
- #24652 SAML decryption fails if keycloak.saml.deprecated.encryption flag is set (saml)
- #24986 `getMultiPartFormParameters()` always returns `EmptyMultivaluedMap` after upgrade to Resteasy Reactive (core)
- #25001 Client redirect_uri check must be compared using exact string matching (oidc)
- #25010 Bug: KC_DB_USERNAME environment variable is causing a crash in latest version (dist/quarkus)
- #25051 Unexpected Application Error when clicking "Cancel" on user creation page (admin/ui)
- #25108 Documentation Inconsistency about Open Banking(Finance) Brasil FAPI security profile (docs)
- #25124 If a client does not have a URL the applications page in the account console links to about:blank (account/ui)
- #25173 Make sure username is lowercase when normalizing attributes (user-profile)
- #25183 NullPointerException thrown for UPConfig.getGroups() (user-profile)
- #25307 Keycloak instance `HasErrors` true after update: `More than 1 secondary resource related to primary` (operator)
v23.0.1
Upgrading
Before upgrading refer to the migration guide for a complete list of changes.
All resolved issues
Bugs
- #23841 Users page with LDAP User Storage Provider Cannot read properties of undefined (admin/ui)
- #23872 Attempt to request storage access in Firefox (oidc)
- #24261 „Unlink users“-Option greyed out in ldap federation (admin/ui)
- #24958 Error handling in admin console when update of user fails due the 400 HTTP error code (admin/ui)
- #24961 Keycloak not able to handle multiple validating X509 certificates when public key are the same (saml)
- #24984 Operator is missing CRDs metadata in CSV (operator)
- #25008 Group search when creating user (admin/ui)
- #25022 NPE in checkAndBindMtlsHoKToken on Token Refresh when using SuppressRefreshTokenRotationExecutor and Certificate Bound Token (oidc)
v23.0.0
Highlights
OpenID Connect / OAuth 2.0
FAPI 2 drafts support
Keycloak has new client profiles fapi-2-security-profile and fapi-2-message-signing, which ensure Keycloak enforces compliance with the latest FAPI 2 draft specifications when communicating with your clients. Thanks to Takashi Norimatsu for the contribution.
DPoP preview support
Keycloak has preview support for OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP). Thanks to Takashi Norimatsu and Dmitry Telegin for their contributions.
More flexibility for introspection endpoint
In previous versions, the introspection endpoint automatically returned most of the claims that were available in the access token. There is now a new switch, Add to token introspection, on most protocol mappers. This addition allows more flexibility, as the introspection endpoint can return different claims than the access token. This is the first step towards "Lightweight access tokens" support, as access tokens can omit many of the claims that would still be returned by the introspection endpoint. When migrating from previous versions, the introspection endpoint should return the same claims that are returned in the access token, so the behavior should be effectively the same by default after the migration. Thanks to Shigeyuki Kabano for the contribution.
Feature flag for OAuth 2.0 device authorization grant flow
The OAuth 2.0 device authorization grant flow now includes a feature flag, so you can easily disable this feature. This feature is still enabled by default. Thanks to Thomas Darimont for the contribution.
Authentication
Passkeys support
Keycloak has preview support for Passkeys.
Passkey registration and authentication are realized by the features of WebAuthn. Therefore, Keycloak users can register and authenticate with passkeys through the existing WebAuthn registration and authentication flows.
Both synced passkeys and device-bound passkeys can be used for both Same-Device and Cross-Device Authentication. However, the success of passkey operations depends on the user's environment. Make sure which operations can succeed in the environment. Thanks to Takashi Norimatsu for the contribution and thanks to Thomas Darimont for the help with the ideas and testing of this feature.
WebAuthn improvements
WebAuthn policy now includes a new field: Extra Origins. It provides better interoperability with non-Web platforms (for example, native mobile applications). Thanks to Charley Wu for the contribution.
You are already logged-in
There was an infamous issue where, when a user had the login page opened in multiple browser tabs and authenticated in one of them, the attempt to authenticate in the subsequent browser tabs opened the page You are already logged-in. This is improved now: the other browser tabs simply authenticate automatically as well after the first browser tab has authenticated. There are still corner cases where the behaviour is not 100% correct, such as the scenario with an expired authentication session that is then restarted in just one browser tab, so the other browser tabs won't automatically follow with the login. So we still plan improvements in this area.
Password policy to specify maximum authentication time
Keycloak supports a new password policy, which allows specifying the maximum age of an authentication with which a password may be changed by the user without re-authentication. When this password policy is set to 0, the user will be required to re-authenticate to change the password in the Account Console or by other means. You can also specify a lower or higher value than the default value of 5 minutes. Thanks to Thomas Darimont for the contribution.
Deployments
Preview support for multi-site active-passive deployments
Deploying Keycloak to multiple independent sites is essential for some environments to provide high availability and a speedy recovery from failures. This release adds preview-support for active-passive deployments for Keycloak.
A lot of work has gone into testing and verifying a setup which can sustain load and recover from the failure scenarios. To get started, use the high-availability guide which also includes a comprehensive blueprint to deploy a highly available Keycloak to a cloud environment.
Adapters
OpenID Connect WildFly and JBoss EAP
The OpenID Connect adapter for WildFly and JBoss EAP, which was deprecated in previous versions, has been removed in this release. It is replaced by the Elytron OIDC adapter, which is included in WildFly and provides a seamless migration from Keycloak adapters.
SAML WildFly and JBoss EAP
The SAML adapter for WildFly and JBoss EAP is no longer distributed as a ZIP download, but rather as a Galleon feature pack, making it easier and more seamless to install.
See the Securing Applications and Services Guide for the details.
Server distribution
Load Shedding support
Keycloak now features the http-max-queued-requests option to allow proper rejection of incoming requests under high load. For details refer to the production guide.
RESTEasy Reactive
Keycloak has switched to RESTEasy Reactive. Applications using quarkus-resteasy-reactive should still benefit from better startup time, runtime performance, and memory footprint, even though they do not use reactive style/semantics. SPIs that depend directly on the JAX-RS API should be compatible with this change. SPIs that depend on RESTEasy Classic, including ResteasyClientBuilder, will not be compatible and will require an update; this is also true for other implementations of the JAX-RS API such as Jersey.
User profile
Declarative user profile is still a preview feature in this release, but we are working hard on promoting it to a supported feature. Feedback is welcome.
If you find any issues or have any improvements in mind, you are welcome to create a GitHub issue, ideally with the label area/user-profile. It is also recommended to check the Upgrading Guide with the migration changes for this release for some additional information related to the migration.
Group scalability
Performance of group search is improved for use-cases with many groups and subgroups. The improvements include paginated lookup of subgroups. Thanks to Alice for the contribution.
Themes
Localization files for themes default to UTF-8 encoding
Message properties files for themes are now read in UTF-8 encoding, with an automatic fallback to ISO-8859-1 encoding.
See the migration guide for more details.
Storage
Removal of the Map Store
The Map Store has been an experimental feature in previous releases. Starting with this release, it is removed and users should continue to use the current JPA store. See the migration guide for details.
Upgrading
Before upgrading refer to the migration guide for a complete list of changes.
All resolved issues
New features
- #23155 [WebAuthn] origin validation not support for non-Web platforms (core)
Enhancements
- #431 Remove Wildfly/EAP OIDC and SAML adapter downloads (web)
- #505 Quickstarts - Wildfly upgrade and README cleanup (quickstarts)
- #510 SAML quickstart - provisioning of SAML adapter via Galleon (quickstarts)
- #9318 User profile configuration API is incorrectly typed (docs)
- #10128 Improve failed test behaviour (operator)
- #10620 Internationalized Domain Names in email address (user-profile)
- #10713 Update the server to use RESTEasy Reactive
- #10803 Persist session in JDBC store without using external infinispan cluster (storage)
- #11668 Declarative User Profile: weird behaviour in Account Management Console (user-profile)
- #12406 Remove "You are already logged-in" during authentication (authentication)
- #14009 CreatedTimestamp on REST import not used
- #14165 Cannot refresh RPT tokens (authorization-services)
- #14400 Add proxy options to Keycloak CR (operator)
- #15018 Enhancements around proxy and hostname configuration
- #15072 Allow setting a help text to an attribute (user-profile)
- #15109 Refactor patch-sources.sh used by the Operator (operator)
- #17258 Data too long for column 'DETAILS_JSON' (storage)
- #20343 message bundles are not included in the realm export (import-export)
- #20584 FAPI 2.0 security profile - supporting RFC 9207 OAuth 2.0 Authorization Server Issuer Identification
- #20695 Add support for single-tenant in Microsoft Identity Provider
- #20794 Can we simplify TokenManager.getRefreshExpiration() and TokenManager.getOfflineExpiration()? (oidc)
- #20884 [Admin Console v2] Policy creation at Permissions screen missing (admin/ui)
- #21073 Identity providers: pagination in admin REST API
- #21154 Allow existing mappers for Custom Identity Providers (identity-brokering)
- #21181 Add FAPI 2.0 security profile as default profile of client policies
- #21182 Enhancing Pluggable Features of Token Manager
- #21183 More flexibility for Introspection endpoint (oidc)
- #21200 DPoP support 1st phase
- #21444 Set `client_id` when using `private_key_jwt` with OIDC IdP (identity-brokering)
- #21945 Release notes for FAPI 2
- #22034 Keycloak, javascript lib to not use the escape() function (adapter/javascript)
- #22215 DPoP verification in UserInfo endpoint (oidc)
- #22318 Allow overriding Account Console resources for full control and backwards compatibility
- #22372 Expand Group providers to allow for paginated lookup of subgroups (storage)
- #22725 Do not initialize barrier build items for deployment (dist/quarkus)
- #22868 Clarification on the tooltip of option "Validate Password Policy" of LDAP provider (admin/ui)
- #23194 Add regex support in 'Condition - User attribute' execution (authentication)
- #23340 Implement load shedding for RESTEasy reactive
- #23527 Better usability when disabling user profile and loosing the previous cofiguration (user-profile)
- #23891 Add feature flag for OAuth 2.0 device authorization grant flow (oidc)
- #24024 User profile tweaks in registration forms (user-profile)
- #24072 Lots of parameters related to identity brokering uses `providerId` when they expect `providerAlias` (identity-brokering)
- #24273 Add a property to the User Profile Email Validator for max length of the local part (user-profile)
- #24278 Transient users: documentation (core)
- #24387 Move some UserProfile and Validation classes into keycloak-server-spi (user-profile)
- #24494 Transient users: Consents (core)
- #24535 Moving UPConfig and related classes from keycloak-services (user-profile)
- #24844 Add High Availability Guide to Keycloak's main repository
- #24912 Add Galleon layer metadata to the SAML Galleon feature-pack (adapter/jee-saml)
Bugs
- #468 Cant build it (quickstarts)
- #503 Automate Keycloak version replacement (quickstarts)
- #508 set-version script does not update package(-lock).json files in js and nodejs quickstarts (quickstarts)
- #515 [Keycloak Quickstarts CI failure] loginToAdminConsole method fails in ArquillianSysoutEventListenerProviderTest.testEventListenerOutput due to Unable to locate element: {"method":"css selector","selector":"#username"} exception (quickstarts)
- #8939 PAR fails to authenticate for public client (oidc)
- #9004 Access Token claims not imported using OpenID Connect v1.0 Identity Provider Attribute Importer Mappers (oidc)
- #10710 Rollup.js complains about the use of eval in one of keycloak.js's dependencies (adapter/javascript)
- #11699 Under heavy load, DefaultBruteForceProtector blocks the whole system (authentication)
- #12062 Declarative User Profile export (user-profile)
- #12171 Inconsistent authorization behavior when exporting data from a realm (authorization-services)
- #14134 [keycloak 18] cannot import users with correct ID in partial import (admin/api)
- #16379 Inconsistent handling of parenthesis in auth flow name (admin/api)
- #16526 Token introspection response does not follow RFC6479 "scope" parameter format (oidc)
- #19093 The create new user page requires the admin user to be given the "Manage-Realm" role in order to see the user profile attributes in the create new user page (admin/api)
- #19125 kcadm do not update defaultGroups (docs)
- #19154 Non working API docs link (docs)
- #19555 When update-email feature is enabled, changing emails two times in a row causes unintuitive behaviour (authentication)
- #20135 Searching for multiple types in the Events section gives an error (admin/client-js)
- #20218 Role mappers must return a single value when they are not multivalued (oidc)
- #20316 Email pattern is not compliant (account/api)
- #20453 Admin UI incredibly slow with 300 realms (admin/api)
- #20537 [Declarative User Profile] OIDCAttributeMapperHelper throws NumberFormatException for optional user attributes (user-profile)
- #20763 Flaky test: org.keycloak.testsuite.admin.authentication.FlowTest#testAddRemoveFlow (ci)
- #20830 Token-exchange is not working for OpenID Connect v1.0 provider in KC 21.1.1 (token-exchange)
- #20852 [Declarative User Profile] Attributes are created as required by default but switch is set to "not required" (user-profile)
- #20885 Key length is limited to 4000 characters (storage)
- #21010 Cannot display 'Authentication Flows' screen when a realm contains more than ~4000 clients (storage)
- #21123 NPE in getDefaultRequiredActionCaseInsensitively (admin/api)
- #21236 Keycloak Event clientId is null when ever a logout event is fired. (core)
- #21555 Listing realms due to realm drop-down (admin/ui)
- #21660 Wrong convert timestamp to date (account/ui)
- #21779 Flaky test: org.keycloak.testsuite.script.DeployedScriptAuthenticatorTest#loginShouldWorkWithScriptAuthenticator (authentication)
- #21780 Flaky test: org.keycloak.testsuite.script.DeployedScriptAuthenticatorTest#loginShouldFailWithScriptAuthenticator (authentication)
- #21797 DN with RDN that contains trailing backslash is imported incorrectly into Keycloak (ldap)
- #21805 Missing labels account console (account/ui)
- #21818 DN with RDN that contains trailing space is imported incorrectly into Keycloak (ldap)
- #21830 Operator doesn't pass on system property 'jgroups.dns.query' to Keycloak but an env variable, leading to a warning in the log (operator)
- #22143 WatchedSecretsTest.testSecretChangesArePropagated error in OCP (ci)
- #22177 Missing client_id validation match when authenticating client with JWT
- #22191 Verification of iss at refresh token request (oidc)
- #22332 Selecting resource on resource based permission gives error (admin/ui)
- #22337 kc.sh errors if using characters like semicolon inside the arguments (docs)
- #22375 Possible NullPointerException (core)
- #22395 Email sending fails when SPI truststore is configured and hostnameVerification set to 'ANY' (core)
- #22432 inputOptionLabels is not used by Admin UI (admin/ui)
- #22583 Fine grained permissions not rendering (account/ui)
- #22638 SAML AdvancedAttributeToRoleMapper does not allow predicate evaluation on same Array Attribute (saml)
- #22814 user search with "q" parameter ignores keys of length 1 and returns all users (admin/api)
- #22818 inputOptionLabels is not used by Account UI v3 (account/ui)
- #22890 Keycloak 22.0.1: NPE in Edit Identity Provider Mapper on second Save (admin/api)
- #22937 ProviderConfigProperty.MULTIVALUED_LIST_TYPE not working in FormAction (admin/ui)
- #22988 Cache stampede after realm cache invalidation (infinispan)
- #23044 Docs: server_admin/topics/sessions/transient.adoc (authentication)
- #23128 Regex defect in federation script federation-sssd-setup.sh (dist/quarkus)
- #23173 crypto/elytron package has several bugs (core)
- #23180 TypeError in user profile admin-ui (admin/ui)
- #23253 CLI args not recognized when running Quarkus dev mode (dist/quarkus)
- #23255 Several help text messages missing in saml identity provider (admin/ui)
- #23404 Cannot assign client roles to a user when a realm contains more than ~4000 clients (storage)
- #23444 After the recent switch to resteasy-reactive we are unable to use resteasy-classic or jersey jax-rs clients. (dependencies)
- #23582 Join group screen does not show child groups without filters (admin/ui)
- #23616 invalid tag in .ftl file (user-profile)
- #23692 Genetated access token exception then $ sign in client name (core)
- #23733 OpenAPI spec doesn't match the admin API (admin/api)
- #23753 Insufficient guard against path traversal GzipResourceEncodingProvider (core)
- #23789 Can not create attribute group before setting/removing an annotation (user-profile)
- #23795 Spelling errors in TokenManager.java (oidc)
- #23970 Keycloak does not export/import userprofile data when exporting the realm (user-profile)
- #24032 Group attributes are not saved if there are two attributes with the same key (admin/ui)
- #24035 Admin UI: Group details page is not updated by group list dropdown actions (admin/ui)
- #24067 Duplicate attribute groups show in list in UserProfile in admin ui (admin/ui)
- #24077 Internal server error when no firstName and lastName added on the user with User Profile Disabled and Verify Profile Enabled (user-profile)
- #24096 Document or avoid breaking change in UserSessionModel (core)
- #24160 HTTP/2 - Last parameter of POST form data contains 0x00 byte in some configurations. (core)
- #24183 Username now shown when creating a user and edit username is not allowed (user-profile)
- #24187 Admin UI group view shows attributes of previously viewed group (admin/ui)
- #24293 b.map is not a function error when LDAP server is offline (core)
- #24420 User profile behaves different in keycloak 22.0.5 (user-profile)
- #24453 Email-verified checkbox not visible anymore when user profile is enabled (admin/ui)
- #24455 NPE when logging in with TransientUser (storage)
- #24458 Unfriendly error message when user-storage provider not available (admin/ui)
- #24487 show/hide password in clear text button visible for hiden field in "forgot password" flow (login/ui)
- #24547 DPoP advertised on OIDC Well Known Endpoint even though DPoP feature is not enabled (preview feature) (oidc)
- #24551 the `./kc.sh tools completion` command cannot be recognized correctly (admin/cli)
- #24672 Basic auth is not RFC 2617 compliant (authentication)
- #24697 User cannot update profile when some invalid attribute invisible to him is present on his profile (user-profile)
- #24766 non-functioning session persistence when using JDBC over Infinispan (infinispan)
- #24792 Invalid redirect_uri if it contains uppercase letters (authentication)
- #24970 `jwt-decode` is being bundled into Keycloak JS (admin/client-js)
v22.0.5
v22.0.4
v22.0.3
v22.0.2
v22.0.1
v22.0.0
v21.1.2
v21.1.1
v21.1.0
v21.0.2
This MR has been generated by Renovate Bot.