Releases: keycloak/keycloak

26.4.5

12 Nov 15:24

Upgrading

Before upgrading, refer to the migration guide for a complete list of changes.

All resolved issues

Bugs

  • #42601 Flaky test: org.keycloak.testsuite.broker.KcOidcBrokerTest#testPostBrokerLoginFlowWithOTP (ci)
  • #43212 Document missing artifact dependency for UserStoragePrivateUtil (docs)
  • #43564 Invalid liquibase check sum for jpa-changelog-2.5.0.xml (core)
  • #43718 Email Not Persisted During Registration When "Email as Username" is Enabled and User Edit Permission is Disabled (user-profile)
  • #43793 import does not seem to run db migration (import-export)
  • #43883 Creating group policy on a client uses "manage-clients" role if FGAP V1 is disabled (authorization-services)
  • #44010 Ordering attributes will unset the unmanaged attribute policy (user-profile)
  • #44031 Can't build keycloak 26.4.4 with quarkus.launch.rebuild=true (dist/quarkus)
  • #44056 Allow only normalized URLs in requests caused a regression in view authz permission details in Admin Console (admin/ui)
  • #44117 DockerClientTest failure (testsuite)

26.4.4

07 Nov 08:55

Upgrading

Before upgrading, refer to the migration guide for a complete list of changes.

All resolved issues

Enhancements

  • #10388 Allow to hide client scopes from scopes_supported in discovery endpoint
  • #43076 Add rate limiter for sending verification emails in context of update email
  • #43509 Role authorization for workflows (admin/api)

Bugs

  • #41270 Cannot save new attribute group (admin/ui)
  • #41271 Changing user profile attribute results in an error every time (admin/ui)
  • #43082 ExternalLinksTest is broken due to missing path parameters (docs)
  • #43091 Duplicate Email Fields on Temporarily Locked Out Sign In With Organization Identity-First Login (login/ui)
  • #43160 Regression in DEBUG_PORT handling since 26.4.0 – host binding (*:port / 0.0.0.0:port) no longer works (dist/quarkus)
  • #43460 FGAP/UI: `reset-password` succeeds but UI shows 403 without Users:manage (admin/fine-grained-permissions)
  • #43505 DPoP proof replay check doesn't consider clock skew (oidc)
  • #43516 Deleting Client is slow and fails when a lot of client sessions exist (core)
  • #43578 "admin" client role now requires server admin user (admin/api)
  • #43579 403 Forbidden when assigning realm-management client roles with realm-admin despite FGAP disabled (regression in 26.4.0+) (admin/fine-grained-permissions)
  • #43596 FGAP: user can no longer open account management page, broken by `reset-password` (admin/fine-grained-permissions)
  • #43621 Version 26.4.1 breaks existing ldap users with capital letters in username (ldap)
  • #43682 When syncing roles, the database layer can see deadlocks
  • #43698 Role Mapper is updating the user every time on login (identity-brokering)
  • #43723 Only add the none verifier when attestation conveyance preference is none (or default) (authentication/webauthn)
  • #43734 Refresh token allowed for offline session even if the related scope is removed
  • #43736 FGAP V2: reset-password scope error when viewing users with Group permissions only (core)
  • #43744 Increased memory usage due to leaking KeycloakSession instances (admin/api)
  • #43759 QuarkusKeycloakSession not garbage collected when running Liquibase (dist/quarkus)
  • #43761 QuarkusKeycloakSession kept in memory for each timer (core)
  • #43763 Normalizing of Keycloak URLs not documented (dist/quarkus)
  • #43774 Under OLMv1 service monitor check uses wrong namespace (operator)
  • #43785 QuarkusKeycloakSession leak in DeclarativeUserProfileProvider (user-profile)
  • #43853 Ensure the logout endpoint removes the authentication session (oidc)
  • #43863 JS CI failing after normalization (testsuite)

26.4.2

23 Oct 06:59

Upgrading

Before upgrading, refer to the migration guide for a complete list of changes.

All resolved issues

Enhancements

  • #42991 Final review and update for UPDATE_EMAIL documentation (docs)
  • #43351 Make pending email verification attribute removable by admin (user-profile)
  • #43650 SPIFFE should support OIDC JWK endpoint

Bugs

  • #26374 Workflow failure: Quarkus IT - FipsDistTest#testUnsupportedHttpsPkcs12KeyStoreInStrictMode (ci)
  • #30939 Vulnerability in brute force detection settings (authentication)
  • #43022 Incorrect Basic Auth encoding for OIDC Identity Provider when Client ID contains colon (identity-brokering)
  • #43191 Upgrade guide for 26.4.0 should mention new minimal PostgreSQL server version 13 requirement (docs)
  • #43244 UI crash on admin `/users/add-user` since 26.4.0 (admin/ui)
  • #43544 Intra-document links not rendered in downstream docs
  • #43561 Server does not shut down gracefully when started with --optimized (core)

26.4.1

16 Oct 07:21

Upgrading

Before upgrading, refer to the migration guide for a complete list of changes.

All resolved issues

New features

  • #43020 Secure Client-Initiated Renegotiation - disable by default (dist/quarkus)

Enhancements

  • #42990 Hide read-only email attribute in update profile context with update email enabled (user-profile)
  • #43357 JDBC_PING should publish its physical address on startup

Bugs

  • #40965 Group permission denies viewing a user (admin/fine-grained-permissions)
  • #41292 openid-connect flow is missing response type on language change (authentication)
  • #42565 Standard Token Exchange: chain of exchanges eventually fails (token-exchange)
  • #42676 Security Defenses realm settings lost when switching between Headers and Brute Force Detection tabs (v25+) (admin/ui)
  • #42907 Race condition in authorization service leads to NullPointerException when evaluating permissions during concurrent resource deletion (authorization-services)
  • #43042 Avoid NPE in FederatedJWTClientAuthenticator when checking for supported assertion types (core)
  • #43070 Update email page with pending verification email messages prefilled with old email (user-profile)
  • #43096 keycloak-operator 26.4.0 missing clusterrole permissions (docs)
  • #43104 Release notes fix for update email (docs)
  • #43161 Restarting a user session broken for persistent sessions (infinispan)
  • #43164 Keycloak docs state that only TLSv1.3 is used (docs)
  • #43218 Cannot revoke access token generated by Standard Token Exchange (oidc)
  • #43254 Make sure username and email attributes are lower cased when fetching their values from LDAP object (ldap)
  • #43269 Keycloak 26.4 returns a different error response on a token request without Client Assertion (private_key_jwt client authentication) than Keycloak 26.3 does (oidc)
  • #43270 Keycloak 26.4 returns a different error response on a CIBA backchannel authentication request without Client Assertion (private_key_jwt client authentication) than Keycloak 26.3 does (oidc)
  • #43286 Broken links on DB server configuration guide (docs)
  • #43304 SAML Client - Encrypt assertions toggle shows wrong dialog text (Client signature required) (saml)
  • #43328 "Remember me" user sessions remain valid after "remember me" realm setting is disabled (authentication)
  • #43335 First JDBC_PING initialization happens in the JTA transaction context (infinispan)
  • #43349 Client session may be lost during session restart (infinispan)
  • #43394 SPIFFE client authentication does not work when JWT SVID includes `iss` claim
  • #43459 Invalid YAML in advanced Operator configurations (docs)

26.4.0

30 Sep 11:49

Highlights

This release features new capabilities focused on security enhancements, deeper integration, and improved server administration. The highlights of this release are:

  • Passkeys for seamless, passwordless authentication of users.

  • Federated Client Authentication to use SPIFFE or Kubernetes service account tokens for client authentication.

  • Simplified deployments across multiple availability zones to boost availability.

  • FAPI 2 Final: Keycloak now supports the final specifications of FAPI 2.0 Security Profile and FAPI 2.0 Message Signing.

  • DPoP: The OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP) is now fully supported. Improvements include the ability to bind only refresh tokens for public clients, and securing all Keycloak endpoints with DPoP tokens.

Read on to learn more about each new feature. If you are upgrading from a previous release, review also the changes listed in the upgrading guide.

Security and Standards

Passkeys integration (supported)

Passkeys are now seamlessly integrated into the Keycloak login forms using both conditional and modal UIs. To activate the integration in a realm, go to Authentication, Policies, Webauthn Passwordless Policy and switch Enable Passkeys to enabled.

For more information, see Passkeys.

FAPI 2 Final (supported)

Keycloak supports the latest versions of the FAPI 2 specifications. FAPI 2.0 Security Profile and FAPI 2.0 Message Signing have been promoted to Final, and Keycloak supports both. Keycloak client policies support the final versions, and the corresponding FAPI 2 client profiles pass the FAPI conformance test suite.

Apart from some very minor polishing of existing policies, Keycloak has new client profiles (fapi-2-dpop-security-profile and fapi-2-dpop-message-signing) for the clients that use DPoP and are intended to be FAPI 2 compliant.

Thank you to Takashi Norimatsu for contributing this.

For more details, see the Securing applications Guides.

DPoP (supported)

Keycloak now supports OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP), which had been a preview feature since Keycloak 23. The supported version also adds improvements and capabilities such as the following:

  • The option to DPoP-bind only the refresh tokens of a public client and leave its access tokens unbound.

  • All Keycloak endpoints that are secured by bearer token can now handle DPoP tokens. This includes, for example, the Admin REST API and Account REST API.

  • Possibility to require the dpop_jkt parameter in the OIDC authentication request.

Thanks to Takashi Norimatsu and Dmitry Telegin for their contributions to the DPoP feature.

For more information, see the DPoP section in the documentation.

FIPS 140-2 mode now supports EdDSA

With the upgrade to Bouncy Castle 2.1.x, the EdDSA algorithm can now be used in FIPS 140-2 mode.

Listing supported OAuth standards on one page

A new guide lists all implemented OpenID Connect related specifications. Thank you to Takashi Norimatsu for contributing this.

Integration

Federated client authentication (preview)

Identity providers are now able to federate client authentication. This allows clients to authenticate with SPIFFE JWT SVIDs, Kubernetes service account tokens, or tokens issued by an OpenID Connect identity provider.

This feature is currently in preview and is expected to become supported in 26.5.

Automatic certificate management for SAML clients

SAML clients can now be configured to automatically download their signing and encryption certificates from the SP entity metadata descriptor endpoint. To use this feature, open the client's Settings tab, section Signature and Encryption, set the Metadata descriptor URL option (the URL where the SP metadata containing the certificates is published) and activate Use metadata descriptor URL. The certificates are then downloaded from that URL and cached in the public-key-storage SPI, which also allows seamless certificate rotation.

For more information, see Creating a SAML client in the Server Administration Guide.

Serving as an authorization server in MCP

MCP (Model Context Protocol) is an open-source standard for connecting AI applications to external systems. Using MCP, AI applications can connect to data sources, tools and workflows enabling them to access key information and perform tasks.

To comply with the MCP specification, this version publishes its OAuth 2.0 Authorization Server Metadata at a well-known URI in the format defined by RFC 8414 (OAuth 2.0 Authorization Server Metadata). Keycloak can therefore be used as an authorization server for MCP.

The latest MCP specification (2025-06-18) additionally requires support for resource indicators, which Keycloak does not currently implement.

Administration

Update Email Workflow (supported)

Users can now update their email addresses in a more secure and consistent flow. Users must both re-authenticate and verify their email address before any account update is applied.

For more information, see Update Email Workflow.

Optional email domain for organizations

In earlier versions, each organization required at least one email domain, which was a limitation for some scenarios. Starting with this release, an email domain is optional. Thank you to Alexis Rico for contributing this.

When no domain is specified, organization members will not be validated against domain restrictions during authentication and profile validation.

Hiding identity providers from the Account Console

You can now control which identity providers appear in the Account Console using the Show in Account console setting. You can choose to show only those linked to the user, or to hide them completely.

For more information, see General configuration.

Enforce recovery codes setup after setting up OTP

If you have enabled OTPs and recovery codes as a second factor for authentication, you can configure the OTP required action to ask users to set up recovery codes once they set up an OTP. Thank you to Niko Köbler for contributing this.

New conditional authenticator

The Conditional - ...

26.3.5

25 Sep 06:23

Upgrading

Before upgrading, refer to the migration guide for a complete list of changes.

All resolved issues

Enhancements

  • #41371 Upgrade to Quarkus 3.20.3 LTS (dist/quarkus)
  • #41373 Remove explicit MariaDB connector dependency (dist/quarkus)

Bugs

  • #41418 Access to user details for restricted admin fails after enabling organization in realm (organizations)
  • #42405 Old hmac-generated (32bit) is recreated when order is changed in realm keys ui (core)
  • #42491 CVE-2025-58057 - Netty BrotliDecoder / Data Amplification vulnerability (dist/quarkus)
  • #42492 CVE-2025-58056 - Netty HTTP Request Smuggling vulnerability (dist/quarkus)
  • #42736 Reset password in admin UI with 'not recently used' password policy leads to error 'Device already exists with the same name' (core)
  • #42769 Missing switch "ID Token as detached signature" in the admin console client settings (oidc)
  • #42922 Dynamic Client Registration invalidates the realm cache (core)

26.3.4

12 Sep 13:28

Upgrading

Before upgrading, refer to the migration guide for a complete list of changes.

All resolved issues

Enhancements

  • #40630 Double check when working with multithreading (SAST)
  • #42245 Upgrade to Quarkus 3.20.2.2

Bugs

  • #35825 Per client session idle time capped by realm level client idle timeout (core)
  • #40374 Random but frequent "duplicate key value violates unique constraint "constraint_offl_us_ses_pk2"" errors (authentication)
  • #40463 Login to Account Console produces two consecutive LOGIN events (account/ui)
  • #40857 Unbounded login_hint Parameter Can Corrupt KC_RESTART Cookie and Break Login Flow (oidc)
  • #41427 Parallel token exchange fails if client session is expired (token-exchange)
  • #41801 Lack of coordination in database creation in 26.3.0 causes deployment failures (Reopen) (core)
  • #41942 Uncaught server error: org.keycloak.models.ModelException: Database operation failed: Sync LDAP Groups to Keycloak (Custom Provider) (core)
  • #42012 Client session timestamp not updated in the database if running multiple nodes (infinispan)
  • #42046 KeycloakRealmImport placeholder replacement provides access to sensitive environment variables (operator)
  • #42158 Bug in configuring keycloak via keycloak.conf (dist/quarkus)
  • #42164 [Keycloak CI - Docs] Broken links (core)
  • #42178 Integer validation error not shown for user profile fields (user-profile)
  • #42182 Validation errors for required actions don't show translated messages (admin/ui)
  • #42270 Missing double-dash in the events documentation (core)
  • #42339 Allowed Client Scopes add openid scope in scope list (oidc)
  • #42369 Missing client session offline settings on realm level in the admin UI (admin/ui)

26.3.3

20 Aug 10:12

Upgrading

Before upgrading, refer to the migration guide for a complete list of changes.

All resolved issues

Enhancements

  • #41558 Ensure cache configuration has correct number of owners
  • #41934 Infinispan 15.0.19.Final
  • #41963 Upgrade to Quarkus 3.20.2.1 (dist/quarkus)

Bugs

  • #39562 Breaking template change: Unknown `locale` input field added to user-profile registration page (user-profile)
  • #40984 Backchannel logout token with an unexpected signature algorithm key (oidc)
  • #41023 Can't send e-mails to international e-mail addresses: bad UTF-8 syntax (core)
  • #41098 Locked out after upgrade to 26.3.1 due to missing sub in lightweight access token (core)
  • #41268 `--optimized` flag and providers jar are incompatible when used with tools changing `last-modify-date` (dist/quarkus)
  • #41290 Concurrent starts with JDBC_PING lead to a split cluster (infinispan)
  • #41390 JDBC_PING2 doesn't merge split clusters after a while (infinispan)
  • #41421 Broken link securing-cache-communication in caching docs (docs)
  • #41423 Duplicate IDs in generated all configuration docs (docs)
  • #41469 Uncaught exception causes unclosed spans in tracing (dist/quarkus)
  • #41488 Synchronize Maven surefire plugin with Quarkus (dist/quarkus)
  • #41491 ExternalLinks are broken in documentation (docs)
  • #41520 LDAP Import: KERBEROS_PRINCIPAL not updated when UserPrincipal changes and KERBEROS_PRINCIPAL was null on creation (ldap)
  • #41532 LDAP Sync all users takes unexpectedly long in 26.3 (> 30 min) (ldap)
  • #41537 Getting error 405 "Method Not Allowed" when calling the "certs" endpoint with HEAD method (oidc)
  • #41643 Test SMTP connection fails when no port is specified (admin/api)
  • #41663 Typo in the caching doc (docs)
  • #41677 Provider default regression (dist/quarkus)
  • #41808 CVE-2025-7962 In Jakarta Mail 2.0.2 it is possible to perform an SMTP injection by utilizing the \r and \n UTF-8 characters to separate different messages (core)
  • #41842 memberOf attribute empty or values with a DN that does not match the role base DN fetches all roles (ldap)
  • #41906 Backwards incompatible changes to 26.3.0 cause NullPointerException when requesting /certificates/jwt.credential/generate-and-download (authentication)
  • #41945 After upgrade to 26.3: Not possible to use Credentials having non-unique label (login/ui)

26.3.2

24 Jul 10:14

Upgrading

Before upgrading, refer to the migration guide for a complete list of changes.

All resolved issues

New features

  • #40237 Add option "Requires short state parameter" to OIDC IDP (authentication)

Enhancements

  • #40970 Run clustering compatibility tests on release/x.y branches
  • #41034 Improve logging for client sessions load
  • #41257 Upgrade to Infinispan 15.0.18.Final (infinispan)

Bugs

  • #39091 Flaky test: org.keycloak.testsuite.cluster.JGroupsCertificateRotationClusterTest#testCoordinatorHasScheduleTask (ci)
  • #39634 Update MariaDB connector to 3.5.3 (dist/quarkus)
  • #39854 Flaky test: org.keycloak.testsuite.cluster.PermissionTicketInvalidationClusterTest#crudWithFailover (ci)
  • #40553 Upgrade org.postgresql:postgresql to version 42.7.7 to address CVE-2025-49146 (dependencies)
  • #40736 CVE-2025-49574 - Exposure of Resource to Wrong Sphere vulnerability in io.vertx:vertx-core (dependencies)
  • #40782 Flaky test: org.keycloak.testsuite.cluster.RealmInvalidationClusterTest#crudWithFailover (ci)
  • #40784 Default jdbc-ping cluster setup for distributed caches fails in Oracle (infinispan)
  • #40977 Loglevel recorded from build phase (dist/quarkus)
  • #40980 Can't update security-admin-console via admin UI with volatile sessions (infinispan)
  • #40995 LDAP / ModelException: At least one condition should be provided to OR query (core)
  • #41018 Flaky test: org.keycloak.testsuite.cluster.ClientInvalidationClusterTest#crudWithFailover (ci)
  • #41038 FIPS errors in CI
  • #41082 Multiple primary key defined when attempting to upgrade after 26.3.0 (core)
  • #41103 Service Account users now showing in the User List (admin/ui)
  • #41105 Unknown relation when removing realm role with --db-schema configured (storage)
  • #41152 Docs use em-dashes instead of double dashes for SPI options in regular text (docs)
  • #41204 UpdateTest CI failures (ci)
  • #41370 [26.3] MariaDB connector dependency is not properly overridden (dist/quarkus)

26.3.1

09 Jul 15:41

Upgrading

Before upgrading, refer to the migration guide for a complete list of changes.

All resolved issues

Enhancements

  • #40851 Upgrade to Infinispan 15.0.16.Final
  • #40962 Update limitations of the preview feature rolling updates for patch releases (infinispan)

Bugs

  • #35932 Importing a realm takes more than 1 minute when multiple others exist (dist/quarkus)
  • #40368 NPE during loading user groups with concurrent deletion (storage)
  • #40713 Unable to configure TLS reloading in Keycloak version 26.2.0 or later (account/api)
  • #40838 Mark options for additional datasources as preview (dist/quarkus)
  • #40890 Keycloak Operator 26.3.0 fails to update to 26.3.0 (operator)
  • #40930 Docs: server_development/topics/themes.adoc (docs)
  • #40954 Keycloak 26.3.0 Regression: Failed to login if web-authn is disabled (core)