Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Enhancements

• #34284 Keycloak-admin-client should work with the future versions of Keycloak server admin/client-java
• #34382 Make the organization chapter of Server Admin guide available on downstream

Bugs

• #14562 Broken Promise implementation for AuthZ JS adapter/javascript
• #25917 Allow increasing wait time on each failure after the max number of failures is reached authentication
• #33627 ClassNotFoundException OracleXADataSource/OracleDataSource using IDELauncher with Keycloak 26.0.0 dist/quarkus
• #33731 Client Scope updates are not replicated on a distributed keycloak setup in kubernetes admin/api
• #33798 CVE-2021-44549 - org.eclipse.angus/angus-mail: Enabling Secure Server Identity Checks for Safer SMTPS Communication dist/quarkus
• #33987 keycloak.v2 registration: Password policy validation error "errorList is null" login/ui
• #34042 LDAP Pagination not working for role membership in GET_ROLES_FROM_USER_MEMBEROF_ATTRIBUTE strategy ldap
• #34050 Listing federated LDAP users is very slow with import enabled ldap
• #34093 java.util.ConcurrentModificationException when process user sessions update infinispan
• #34412 LDAP: searching users with import disabled is slower since fix for 34050 ldap

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Enhancements

• #32110 [Documentation] - Configuring trusted certificates - Fully specify truststore path dist/quarkus

Bugs

• #15635 oidc - JavaScript-Adapter LocalStorage#clearExpired does not clear all possible items adapter/javascript
• #19101 Uncaught (in promise): QuotaExceededError adapter/javascript
• #20287 When using `oidcProvider` config url (.well-known) it's not possible to use `silentCheckSsoRedirectUri` adapter/javascript
• #28978 some GUI validation check missing admin/ui
• #30832 Organization API not available from OpenAPI documentation admin/api
• #31724 Logout not working after removing Identity Provider of user identity-brokering
• #33072 Passkeys: Infinite (re-)loading loop on browsers with WebAuthn Conditional UI disabled authentication/webauthn
• #33844 Wrong documentation link in keycloak-js readme docs
• #33902 Not persisted config settings prevent server start dist/quarkus
• #33948 [PERF] OpenTelemetry is initialized even when disabled
• #33968 Not possible to close dialog boxes when clicking buttons or the close icon admin/ui
• #33991 Doc CI - broken links error docs
• #34009 grammatical error in "Managing Organizations" documentation docs
• #34015 Home URL for security-admin-console is broken admin/ui
• #34028 Custom keycloak login theme styles.css return error 404 login/ui
• #34049 Org Invite: `linkExpiration` template variable represents 54 years in minutes organizations
• #34063 Respect the locale set to a user when redering verify email pages user-profile
• #34069 Do not show domain match message in the identity-first login when no login hint is provided organizations
• #34075 Flaky test: org.keycloak.testsuite.broker.KcOidcBrokerTest#testPostBrokerLoginFlowWithOTP_bruteForceEnabled ci
• #34095 Keycloak 26.0.0/26.0.1 Import Issue: Multiple Realms Not Imported, Duplicated Realm Imported Instead import-export
• #34151 JS password validation doesn't work as intended with uppercase and lowercase minimum requirements login/ui
• #34155 cli options starting or ending with ; or containing ;; mangle the cli handling dist/quarkus
• #34224 Deleting a user leads to ISPN marshalling exception

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Enhancements

• #32152 Clarify the behaviour of multiple Operator versions installed in the same cluster operator
• #33275 Better logging when error happens during transaction commit storage

Bugs

• #8935 keycloak.js example from the documentation leads to error path adapter/javascript
• #19358 Issue with concurrent user & group delete, unable to cleanup resource server user-policy & group-policy authorization-services
• #31848 Repeated email verifications while logging in through IDP caused by email case sensitivity authentication
• #32266 LDAP Import: KERBEROS_PRINCIPAL not updated when UserPrincipal changes and user already exists ldap
• #32617 Nightly Cypress tests for the Admin Console are failing on Firefox admin/ui
• #32844 Login V2: Missing "dir" attributes login/ui
• #32847 Admin UI defaults to master realm even without permissions to it admin/ui
• #32962 Possible issue with unavailable CryptoIntegration when using keycloak-authz-client with private_key_jwt and ECDSA algorithm oidc
• #33513 Can get authorization code on a non verified user with some specific kc_action (AIA) oidc
• #33539 Keycloak In Docker: ERROR: Strict hostname resolution configured but no hostname setting provided docs
• #33549 Flaky test: org.keycloak.testsuite.broker.KcOidcBrokerTest#testPostBrokerLoginFlowWithOTP_bruteForceEnabled ci
• #33557 Unable to submit forms in Safari account/ui
• #33576 Broken links / anchors after KC26 release docs
• #33578 In imported realms, the ability to use environment variables has disappeared import-export
• #33585 Fix runaway asterisk formatting in TLS documentation docs
• #33638 Non-optimized start command gives erroneous warnings for runtime spi options dist/quarkus
• #33642 RTL not working on keycloak.v2 login template login/ui
• #33645 keycloak-js register broken: createRegisterUrl not awaited adapter/javascript
• #33699 Failure to redirect to organization IdP when the organization scope is included organizations
• #33735 Organizations section is shown in account console if organizations is not enabled for a realm. account/ui
• #33776 [Regression] 26.0.0 return empty "access: []" JWT for Docker-v2 Auth provider, resulting in "access denied" authentication
• #33777 Error when adding or removing a user from an organisation when there are 2 or more Keycloak servers in a cluster organizations
• #33780 Upgrade to 26 fails with 'ERROR: index "idx_us_sess_id_on_cl_sess" does not exist' core
• #33814 NPE when device representation cannot be parsed authentication
• #33817 NEP when Default Role is not present on CachedRealm infinispan
• #33874 [Keycloak CI] - AuroraDB IT - Error creating EC2 runner instance
• #33875 [Keycloak CI] - FIPS IT - Failed to fetch maven
• #33883 Auth not possible for auth session where user was enabled in the meantime authentication
• #33907 NPE thrown in whoami endpoint admin/ui
• #33967 password is a required field admin/ui

Highlights

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Bugs

• #30604 Network response was not OK. saml
• #31165 Re-enabling a temporarily locked user (brute-force) deletes all user properties and attributes admin/ui
• #32100 Remember Me with External Infinispan is not works properly infinispan
• #32578 WebAuthn Flows Broken in login.v2 login/ui
• #32643 Dots are not allowed in the path in Hostname v2 dist/quarkus
• #32731 KeyCloak Admin Client uses non-standard `@NoCache` annotation which is an issue for Quarkus admin/client-java
• #32799 Realm import fails when client configures default_acr values import-export
• #32870 Increased DB activity due to changes in LDAPStorageManager.searchForUserByUserAttributeStream ldap
• #33115 CVE-2024-8883 Vulnerable Redirect URI Validation Results in Open Redirect
• #33116 CVE-2024-8698 Improper Verification of SAML Responses Leading to Privilege Escalation in Keycloak

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Bugs

• #32084 SAML adapter IdMapperUpdaterSessionListener not executed when session ID changes adapter/saml
• #32754 CVE-2024-7341 Session fixation in the SAML adapters adapter/saml

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Enhancements

• #31963 Upgrade to Infinispan 15.0.7.Final

Bugs

• #31299 NPM library of account-ui is unusable (@keycloak/keycloak-account-ui version 25.0.1) account/ui
• #31304 Hide save / update buttons in account console for READ_ONLY federated accounts account/ui
• #31340 Hidden options shown in help all dist/quarkus
• #31386 Joining group for user doesn't list correct number of groups admin/ui
• #31466 Duplicate Key "validatingX509CertsHelp" in admin-ui messages admin/ui
• #31519 Admin API extremely slow with service account and fine-grained authorization `view-users` admin/fine-grained-permissions
• #31545 Event tables have broken aria-labels admin/ui
• #31558 MSSQL test container can't start ci
• #31598 CURL commands in build don't check the response code ci
• #31633 localization not work with user attribute display name in users add admin/ui
• #31687 "Use metadata descriptor URL" switch is always set to "On" admin/ui
• #31718 Documentation for `Delete Credential` action and related changes authentication
• #31781 Keycloak 25 SAML IdP has made Single Logout URL mandatory. saml
• #31835 Windows builds fail too often due to problems with the download of Node ci
• #31918 Network error attempting to view events without permissions admin/ui
• #31929 Network error attempting to view user registeration without permissions admin/ui
• #32059 Look around window cannot be set to 0 admin/ui
• #32127 Offline session bug on 25.0.2 core
• #32150 Session list doesn't handle non-existing client gracefully core
• #32178 Table names for persistent sessions upgrading guide is wrong docs
• #32180 Session list not appearing: SQL Error "The incoming request has too many parameters"
• #32195 Migration to persistent sessions fails from Keycloak version <22 storage

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Enhancements

• #30094 Do not inherit 'https-client-auth' property for the management interface
• #30537 Document how Admin REST API endpoints work with Hostname config docs
• #30856 Remove inclusive language foreword docs

Bugs

• #19070 authBaseUrl error on different hostname-admin-url, hostname-url admin/ui
• #26042 Issue when start-dev in 23.0.1 dist/quarkus
• #28489 Missing help text on tokens tab admin/ui
• #29407 Need refresh attributes group translations on Users > Details tab admin/ui
• #29566 User Profile attributes/groups in Admin UI are not translated using Localization for non-master realm when signed in the master realm account/ui
• #29761 bug: disabling all default features no longer works core
• #29784 Exception while trying to run a LDAP sync with a group importer and a batch size less then the actual number of groups ldap
• #30329 Client secret rotation UI shows wrong rotated secret admin/ui
• #30355 New operator failing on health checks operator
• #30383 Account Console (v3) no longer highlights the current page in the nav bar account/ui
• #30436 Client Roles are not shown when clientId property is set admin/ui
• #30440 UI theme bug in KC 25.0.0 admin/ui
• #30444 Failed to evaluate permissions when fetchRoles is enabled on role policies authorization-services
• #30449 Migration stuck if versions incompatible operator
• #30521 "Client Offline Session Max" no longer available admin/ui
• #30541 Account UI resources try to load from admin path instead of frontend path account/ui
• #30552 After migrating from 24 to 25, the signature algorithms names do not display in drop down menu admin/ui
• #30591 Invalid character in spanish translation file for Identity Provider Link Template translations
• #30652 Default server port is used instead of the management interface port in the guide about running Keycloak in a container
• #30662 User policy -> select user shows user id instead of user name. admin/ui
• #30712 Remove of Multivalued Attribute due to - Adding translations when a new attribute is created admin/ui
• #30717 Broken external links docs
• #30821 Testing connection to ldap on the settings page does not work in 25.0.1 ldap
• #30837 Cannot find requested client with clientId ldap
• #30866 admin-cli invalid credentials admin/cli
• #30917 reCAPTCHA Enterprise v3 - Unrecognized field "accountDefenderAssessment" core
• #30947 Error when trying to edit authentication sub-flow name / description admin/ui
• #30992 Realm cannot be deleted if there are tons of consents storage
• #31014 "Verify Email" may cause other Required Actions to be ignored authentication
• #31050 Caching docs should name parameter runtime parameters, not build parameters docs
• #31146 IDP SAML Certificate should be text-area not text admin/ui
• #31167 After creating a new authentication flow and returning to the list, the "Used by" column displays "flow.undefined" admin/ui
• #31171 Single use tokens, like action tokens, has a claim `expiration` core
• #31187 Recaptcha links changed in the Google Docs docs
• #31196 The check for userdn in test ldap should consider that AD proxy user can be in non DN format ldap
• #31218 Clarify if JGroups thread metrics can be shown with embedded Infinispan
• #31219 [Docs] Broken link in Server Admin guide for JWT_Auth wiki docs
• #31224 Offline tokens created in Keycloak 9 will not work on Keycloak 25 oidc
• #31244 IdP redirect URL shows hostname_admin admin/ui
• #31267 multiple ldap url's not working on one realm ldap

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Enhancements

• #19750 Use a proper FreeMarker template for the new consoles account/ui
• #30346 Enhance masking around config-keystore dist/quarkus

Bugs

• #25234 front channel logout to clients are not called at Identity Proxy when using front channel logout to Identity Provider( oidc
• #28643 Encountering `NullPointerException` - `KeycloakIdentity.getUserFromToken()` when running `admin-ui` locally admin/ui
• #30115 Admin v2 theme - theme.properties Custom theme scripts not loading admin/ui
• #30201 Keycloak CI - failure in Store IT (aurora-postgres) ci
• #30240 Custom attributes are removed during UPDATE PROFILE event core
• #30300 Upgrade to Keycloak 25 - Table 'USER_CONSENT' is specified twice on MySQL/MariaDB database core
• #30302 Methods of SimpleHttp are after change now too much protected core
• #30306 Upgrade to Keycloak 25 - Events bug in UI admin/ui
• #30332 Operator fails to patch ingress after update to 25.0.0 operator
• #30334 RESTART_AUTHENTICATION_ERROR when login in in private browser window after 25.0.0 update core
• #30351 Migration of sessions in KC25 should run only on migration, not on imports
• #30368 Documentation : label error for persistent-user-sessions feature flag docs
• #30417 Keycloak 25 db guide shows unevaluated "ifeval docs
• #30432 keycloak hostname:v2 /admin used on "hostname" instead of "hostname-admin" admin/ui
• #30434 Improvements for ldap test authentication ldap
• #30492 partial_import_test fails randomly admin/ui

Highlights

bin/kc.sh build --features=persistent-user-session ...