Releases: keycloak/keycloak
nightly
Review workflows test coverage (#45041) Closes #42694 Signed-off-by: Stefan Guilhen <[email protected]>
26.4.7
Upgrading
Before upgrading refer to the migration guide for a complete list of changes.
All resolved issues
Enhancements
- #43156 [Docs] Warn users about printing headers in HTTP access logs
docs - #43643 Upgrade to Quarkus 3.27.1
dist/quarkus
Bugs
26.4.6
Highlights
This release adds filtering of LDAP referrals by default. This change enhances security and aligns with best practices for LDAP configurations.
If you can not upgrade to this release yet, we recommend disabling LDAP referrals in all LDAP providers in all of your realms.
For detailed upgrade instructions, review the upgrading guide.
Upgrading
Before upgrading refer to the migration guide for a complete list of changes.
All resolved issues
Security fixes
- #44478 CVE-2025-13467 Deserialization of untrusted data in ldap user federation
Bugs
- #43323 Sessions not removed when user is deleted
infinispan - #43738 UPDATE_EMAIL action invalidates old email
login/ui - #43754 Flaky test: org.keycloak.testsuite.federation.ldap.LDAPProvidersIntegrationTest#updateLDAPUsernameTest
ci - #43812 Admin console sends non-JSON payload with content-type: application/json
admin/ui - #44125 Double-encoding of query parameter values (e.g. acr_values) for version 26.4
identity-brokering - #44187 [Keycloak Docs CI] Broken links
docs - #44189 [jdbc-ping] SQLIntegrityConstraintViolationException: Duplicate entry
infinispan - #44229 Unexpected FORMAT_FAILURE error when using cache-config-file with feature-disabled=persistent-user-sessions
infinispan - #44269 Admin Client creates malformed paths for requests
admin/client-js - #44287 Caching of static theme resources in dev mode is disabled
core
26.4.5
Upgrading
Before upgrading refer to the migration guide for a complete list of changes.
All resolved issues
Bugs
- #42601 Flaky test: org.keycloak.testsuite.broker.KcOidcBrokerTest#testPostBrokerLoginFlowWithOTP
ci - #43212 Document missing artifact dependency for UserStoragePrivateUtil
docs - #43564 Invalid liquibase check sum for jpa-changelog-2.5.0.xml
core - #43718 Email Not Persisted During Registration When "Email as Username" is Enabled and User Edit Permission is Disabled
user-profile - #43793 import does not seem to run db migration
import-export - #43883 Creating group policy on a client uses "manage-clients" role if FGAP V1 is disabled
authorization-services - #44010 Ordering attributes will unset the unmanaged attribute policy
user-profile - #44031 Can't build keycloak 26.4.4 with quarkus.launch.rebuild=true
dist/quarkus - #44056 Allow only normalized URLs in requests caused a regression in view authz permission details in Admin Consol
admin/ui - #44117 DockerClientTest failure
testsuite
26.4.4
Upgrading
Before upgrading refer to the migration guide for a complete list of changes.
All resolved issues
Enhancements
- #10388 Allow to hide client scopes from scopes_supported in discovery endpoint
- #43076 Add rate limiter for sending verification emails in context of update email
- #43509 Role authorization for workflows.
admin/api
Bugs
- #41270 Cannot save new attribute group
admin/ui - #41271 Changing user profile attribute results in an error everytime
admin/ui - #43082 ExternalLinksTest is broken due to missing path parameters
docs - #43091 Duplicate Email Fields on Temporarily Locked Out Sign In With Organization Identity-First Login
login/ui - #43160 Regression in DEBUG_PORT handling since 26.4.0 – host binding (*:port / 0.0.0.0:port) no longer works
dist/quarkus - #43460 FGAP/UI: `reset-password` succeeds but UI shows 403 without Users:manage
admin/fine-grained-permissions - #43505 DPoP proof replay check doesn't consider clock skew
oidc - #43516 Deleting Client is slow and fails when a lot of client sessions exist
core - #43578 "admin" client role now requires server admin user
admin/api - #43579 403 Forbidden when assigning realm-management client roles with realm-admin despite FGAP disabled (regression in 26.4.0+)
admin/fine-grained-permissions - #43596 FGAP: user can no longer open account management page, broken by `reset-password`
admin/fine-grained-permissions - #43621 Version 26.4.1 breaks existing ldap users with capital letters in username
ldap - #43682 When syncing roles, the database layer can see deadlocks
- #43698 Role Mapper is updating the user every time on login
identity-brokering - #43723 Only add the none verifier when attestation conveyance preference is none (or default)
authentication/webauthn - #43734 Refresh token allowed for offline session even the related scope is removed
- #43736 FGAP V2: reset-password scope error when viewing users with Group permissions only
core - #43744 Increased memory usage due to leaking KeycloakSession instances
admin/api - #43759 QuarkusKeycloakSession not garbage collected when running Liquibase
dist/quarkus - #43761 QuarkusKeycloakSession kept in memory for each timer
core - #43763 Normalizing of Keycloak URLs not documented
dist/quarkus - #43774 Under OLMv1 service monitor check uses wrong namespace
operator - #43785 QuarkusKeycloakSession leak in DeclarativeUserProfileProvider
user-profile - #43853 Ensure the logout endpoint removes the authentication session
oidc - #43863 JS CI failing after normalization
testsuite
26.4.2
Upgrading
Before upgrading refer to the migration guide for a complete list of changes.
All resolved issues
Enhancements
- #42991 Final review and update for UPDATE_EMAIL documentation
docs - #43351 Make pending email verification attribute removable by admin
user-profile - #43650 SPIFFE should support OIDC JWK endpoint
Bugs
- #26374 Workflow failure: Quarkus IT - FipsDistTest#testUnsupportedHttpsPkcs12KeyStoreInStrictMode
ci - #30939 Vulnerability in brute force detection settings
authentication - #43022 Incorrect Basic Auth encoding for OIDC IDentity Provider when Client ID contains colon
identity-brokering - #43191 Upgrade guide for 26.4.0 should mention new minimal PostgreSQL server version 13 requirement
docs - #43244 UI crash on admin `/users/add-user` since 26.4.0
admin/ui - #43544 Intra-document links not rendered in downstream
docs - #43561 Server does not shutdown gracefully when started with --optimized
core
26.4.1
Upgrading
Before upgrading refer to the migration guide for a complete list of changes.
All resolved issues
New features
- #43020 Secure Client-Initiated Renegotiation - disable by default
dist/quarkus
Enhancements
- #42990 Hide read-only email attribute in update profile context with update email enabled
user-profile - #43357 JDBC_PING should publish its physical address on startup
Bugs
- #40965 Group permission denies to view user
admin/fine-grained-permissions - #41292 openid-connect flow is missing response type on language change
authentication - #42565 Standard Token Exchange: chain of exchanges eventually fails
token-exchange - #42676 Security Defenses realm settings lost when switching between Headers and Brute Force Detection tabs (v25+)
admin/ui - #42907 Race condition in authorization service leads to NullPointerException when evaluating permissions during concurrent resource deletion
authorization-services - #43042 Avoid NPE in FederatedJWTClientAuthenticator when checking for supported assertion types
core - #43070 Update email page with pending verification email messages prefilled with old email
user-profile - #43096 keycloak-operator 26.4.0 missing clusterrole permissions
docs - #43104 Release notes fix for update email
docs - #43161 Restarting an user session broken for persistent sessions
infinispan - #43164 Keycloak docs state that only TLSv1.3 is used
docs - #43218 Cannot revoke access token generated by Standard Token Exchange
oidc - #43254 Make sure username and email attributes are lower cased when fetching their values from LDAP object
ldap - #43269 Keycloak 26.4 returns a different error response on a token request without Client Assertion (private_key_jwt client authentication) from Keycloak 26.3 does
oidc - #43270 Keycloak 26.4 returns a different error response on a CIBA backchannel authentication request without Client Assertion (private_key_jwt client authentication) from Keycloak 26.3 does
oidc - #43286 Broken links on DB server configuration guide
docs - #43304 SAML Client - Encrypt assertions toggle shows wrong dialog text (Client signature required)
saml - #43328 "Remember me" user sessions remain valid after "remember me" realm setting is disabled
authentication - #43335 First JDBC_PING initialization happens in the JTA transaction context
infinispan - #43349 Client session may be lost during session restart
infinispan - #43394 SPIFFE client authentication does not work when JWT SVID includes `iss` claim
- #43459 Invalid YAML in advanced Operator configurations
docs
26.4.0
Highlights
This release features new capabilities focused on security enhancements, deeper integration, and improved server administration. The highlights of this release are:
-
Passkeys for seamless, passwordless authentication of users.
-
Federated Client Authentication to use SPIFFE or Kubernetes service account tokens for client authentication.
-
Simplified deployments across multiple availability zones to boost availability.
-
FAPI 2 Final: Keycloak now supports the final specifications of FAPI 2.0 Security Profile and FAPI 2.0 Message Signing.
-
DPoP: The OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP) is now fully supported. Improvements include the ability to bind only refresh tokens for public clients, and securing all Keycloak endpoints with DPoP tokens.
Read on to learn more about each new feature. If you are upgrading from a previous release, review also the changes listed in the upgrading guide.
Security and Standards
Passkeys integration (supported)
Passkeys are now seamlessly integrated in the Keycloak login forms using both conditional and modal UIs. To activate the integration in the realm, go to Authentication, Policies, Webauthn Passwordless Policy and switch Enable Passkeys to enabled.
For more information, see Passkeys.
FAPI 2 Final (supported)
Keycloak has support for the latest versions of FAPI 2 specifications. Specifications FAPI 2.0 Security Profile and FAPI 2.0 Message Signing are already promoted to Final and Keycloak supports them. Keycloak client policies support the final versions and corresponding client profiles for FAPI 2 are passing the FAPI conformance test suite.
Apart from some very minor polishing of existing policies, Keycloak has new client profiles (fapi-2-dpop-security-profile and fapi-2-dpop-message-signing) for the clients that use DPoP and are intended to be FAPI 2 compliant.
Thank you to Takashi Norimatsu for contributing this.
For more details, see the Securing applications Guides.
DPoP (supported)
Keycloak has support for OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP), which was a preview feature since Keycloak 23. Also, the supported version includes some improvements and minor capabilities of the DPoP feature such as the following:
-
Possibility to make only refresh tokens of a public client to be DPoP bound and omit the binding of an access token.
-
All Keycloak endpoints that are secured by bearer token can now handle DPoP tokens. This includes, for example, the Admin REST API and Account REST API.
-
Possibility to require the
dpop_jktparameter in the OIDC authentication request.
Thanks to Takashi Norimatsu and Dmitry Telegin for their contributions to the DPoP feature.
For more information, see the DPoP section in the documentation.
FIPS 140-2 mode now supports EdDSA
With the upgrade to Bouncy Castle 2.1.x, the algorithm EdDSA can now be used.
Listing supported OAuth standards on one page
A new guide lists all implemented OpenID Connect related specifications. Thank you to Takashi Norimatsu for contributing this.
Integration
Federated client authentication (preview)
Identity providers are now able to federate client authentication. This allows clients to authenticate with SPIFFE JWT SVIDs, Kubernetes service account tokens, or tokens issued by an OpenID Connect identity provider.
This feature is currently preview, and expected to become supported in 26.5.
Automatic certificate management for SAML clients
The SAML clients can now be configured to automatically download the signing and encrypting certificates from the SP entity metadata descriptor endpoint. In order to use this new feature, in the client Settings tab, section Signature and Encryption, configure the Metadata descriptor URL option (the URL where the SP metadata information with the certificates is published) and activate Use metadata descriptor URL. The certificates will be automatically downloaded and cached in the public-key-storage SPI from that URL.
This also allows for seamless rotation of certificates.
For more information, see Creating a SAML client in the Server Administration Guide.
Serving as an authorization server in MCP
MCP (Model Context Protocol) is an open-source standard for connecting AI applications to external systems. Using MCP, AI applications can connect to data sources, tools and workflows enabling them to access key information and perform tasks.
To comply with MCP specification, this version provides its OAuth 2.0 Server Metadata via a well-known URI whose format complies with RFC 8414 OAuth 2.0 Authorization Server Metadata specification. Therefore, Keycloak users can now use Keycloak as an authorization server for MCP.
The latest MCP specification 2025-06-18 additionally requires support for resource indicators which are currently not implemented in Keycloak.
Administration
Update Email Workflow (supported)
Users can now update their email addresses in a more secure and consistent flow. Accounts are forced to both re-authenticate and verify their emails before any account updates.
For more information, see Update Email Workflow.
Optional email domain for organizations
In earlier versions, each organization required at least one email domain, which was a limitation for some scenarios. Starting with this release, an email domain is optional. Thank you to Alexis Rico for contributing this.
When no domain is specified, organization members will not be validated against domain restrictions during authentication and profile validation.
Hiding identity providers from the Account Console
You can now control which identity providers appear in the Account Console based on different options using
the Show in Account console setting. You can choose to show only those linked with a user or hide them completely.
For more information, see General configuration.
Enforce recovery codes setup after setting up OTP
If you have enabled OTPs and recovery codes as a second factor for authentication, you can configure the OTP required action to ask users to set up recovery codes once they set up an OTP. Thank you to Niko Köbler for contributing this.
New conditional authenticator
The Conditional - ...
Contributors
Assets 22
26.3.5
Upgrading
Before upgrading refer to the migration guide for a complete list of changes.
All resolved issues
Enhancements
- #41371 Upgrade to Quarkus 3.20.3 LTS
dist/quarkus - #41373 Remove explicit MariaDB connector dependency
dist/quarkus
Bugs
- #41418 Access to user details for restricted admin fails after enabling organizationin realm
organizations - #42405 Old hmac-generated (32bit) is recreated when order is changed in realm keys ui
core - #42491 CVE-2025-58057 - Netty BrotliDecoder / Data Amplification vulnerability
dist/quarkus - #42492 CVE-2025-58056 - Netty HTTP Request Smuggling vulnerability
dist/quarkus - #42736 Reset password in admin UI with 'not recently used' password policy leads to error 'Device already exists with the same name'
core - #42769 Missing switch "ID Token as detached signature" in the admin console client settings
oidc - #42922 Dynamic Client Registration invalidates the realm cache
core
26.3.4
Upgrading
Before upgrading refer to the migration guide for a complete list of changes.
All resolved issues
Enhancements
Bugs
- #35825 Per client session idle time capped by realm level client idle timeout
core - #40374 Random but frequent duplicate key value violates unique constraint \"constraint_offl_us_ses_pk2\" errors
authentication - #40463 Login to Account Console produces two consecutive LOGIN events
account/ui - #40857 Unbounded login_hint Parameter Can Corrupt KC_RESTART Cookie and Break Login Flow
oidc - #41427 Parallel token exchange fails if client session is expired
token-exchange - #41801 Lack of coordination in database creation in 26.3.0 causes deployment failures (Reopen)
core - #41942 Uncaught server error: org.keycloak.models.ModelException: Database operation failed : Sync LDAP Groups to Keycloak (Custom Provider)
core - #42012 Client session timestamp not updated in the database if running multiple nodes
infinispan - #42046 KeycloakRealmImport placeholder replacement provides access to sensitive environment variables.
operator - #42158 Bug in configuration keycoak via keycloak.conf
dist/quarkus - #42164 [Keycloak CI - Docs] Broken links
core - #42178 Integer validation error not shown for user profile fields
user-profile - #42182 Validation errors for required actions don't show translated messages
admin/ui - #42270 Missing double-dash in the events documentation
core - #42339 Allowed Client Scopes add openid scope in scope list
oidc - #42369 Missing client session offline settings on realm level in the admin UI
admin/ui