To download the release go to Keycloak downloads. Upgrading Before upgrading refer to the migration guide for a complete list of changes. All resolved issues Enhancements #41558 Ensure cache configuration has correct number of owners #41934 Infinispan 15.0.19.Final #41963 Upgrade to Quarkus 3.20.2.1 dist/quarkus Bugs #39562 Breaking template change: Unknown `locale` input field added to user-profile registration page user-profile #40984 Backchannel logout token with an unexpected signature al...| Keycloak Blog
Keycloak - the open source identity and access management solution. Add single-sign-on and authentication to applications and secure services with minimum effort.| Keycloak
To download the release go to Keycloak downloads. Highlights This release delivers advancements to optimize your system and improve the experience of users, developers and administrators: Account recovery with 2FA recovery codes, protecting users from lockout. Simplified experiences for application developers with streamlined WebAuthn/Passkey registration and simplified account linking to identity providers via application initiated actions. Broader connectivity with the ability to broker wit...| Keycloak Blog
To download the release go to Keycloak downloads. Upgrading Before upgrading refer to the migration guide for a complete list of changes. All resolved issues Enhancements #39469 Fix Securing Apps links to adapters docs #39486 Email server credentials can be harvested through host/port manipulation admin/api #39541 Fix doc link to FGAP v1 docs #39543 Apply edits to Operators Guide docs #39572 Edit Observability Guide docs #39590 Fix callouts in Operator guide docs #39638 Sessions from Infinisp...| Keycloak Blog
To download the release go to Keycloak downloads. Upgrading Before upgrading refer to the migration guide for a complete list of changes. All resolved issues Enhancements #39418 Clarify when to use podman docs Bugs #35278 Double click on social provider link causes page has expired error login/ui #38918 IPv6 support: Broker tests failing with proxy configuration ci #39021 After migrating to newer Keycloak, token refreshes using inherited offline sessions return access tokens with invalid exp ...| Keycloak Blog
To download the release go to Keycloak downloads. Upgrading Before upgrading refer to the migration guide for a complete list of changes. All resolved issues New features #38985 Possibility to log details and representation to the jboss-logging listener Enhancements #39080 Standardize introductory text in Keycloak guides Bugs #38104 Temporary failure in name resolution with nip.io ci #38145 Unknown error on authentication-flow delete action admin/ui #38482 SAML client certificate not persiste...| Keycloak Blog
To download the release go to Keycloak downloads. Upgrading Before upgrading refer to the migration guide for a complete list of changes. All resolved issues Enhancements #39142 Make distribution startup timeout configurable testsuite Bugs #39125 [Keycloak CI] - FIPS UT - Run crypto tests ci #39349 CVE-2025-3910 Two factor authentication bypass #39350 CVE-2025-3501 Keycloak hostname verification| Keycloak Blog
To download the release go to Keycloak downloads. Upgrading Before upgrading refer to the migration guide for a complete list of changes. All resolved issues Enhancements #38956 Clarify upgrade instructions #39057 Change the title for Grafana dashboards guide to plural docs #39059 Document operator `Auto` update strategy when used with `podTemplate` Bugs #38458 [FGAP] [UI] Permission search doesn't execute correct consequent search request admin/fine-grained-permissions #38692 Test coverage f...| Keycloak Blog
To download the release go to Keycloak downloads. Highlights Supported Standard Token Exchange In this release, we added support for the Standard token exchange! The token exchange feature was in preview for a long time, so we are glad to finally support the standard token exchange. For now, this is limited to exchanging the Internal token to internal token compliant with the Token exchange specification. It does not yet cover use cases related to identity brokering or subject impersonation. ...| Keycloak Blog
To download the release go to Keycloak downloads. Upgrading Before upgrading refer to the migration guide for a complete list of changes. All resolved issues Enhancements #38409 Upgrade to Quarkus 3.15.4 dist/quarkus #38764 OTel: Unable to disable sampling at runtime; tracing-sampler-ratio validation prevents setting 0.0 dist/quarkus Bugs #36482 The root cause of error is suppressed in KC 26 at building dependencies #37792 Save Button Not Enabled When Switching OTP Type from "Time Based" to "...| Keycloak Blog
To download the release go to Keycloak downloads. Upgrading Before upgrading refer to the migration guide for a complete list of changes. All resolved issues Enhancements #37433 Allow admin to disable automatic refresh of event views admin/ui #37711 Upgrade to Infinispan 15.0.14 Bugs #37320 Cannot fetch realm role that was renamed admin/api #37621 When calling the token revoke endpoint multiple times with the same token, a database REVOKED-TOKEN constraint error is reported storage #37843 Adm...| Keycloak Blog
To download the release go to Keycloak downloads. Highlights Send Reset Email force login again for federated users after reset credentials In version 26.1.1 a new configuration option was added to the reset-credential-email (Send Reset Email) authenticator to allow changing the default behavior after the reset credentials flow. Now the option force-login (Force login after reset) is adding a third configuration value only-federated, which means that the force login is true for federated user...| Keycloak Blog
To download the release go to Keycloak downloads. Upgrading Before upgrading refer to the migration guide for a complete list of changes. All resolved issues Deprecated features #525 Drop support for end-of-life versions of Node.js nodejs-connect Enhancements #573 Convert tests to standard modules to upgrade dependencies nodejs-connect #576 Upgrade `@keycloak/keycloak-admin-client` to latest version nodejs-connect Bugs #567 Connections with an error code are not terminated nodejs-connect #571...| Keycloak Blog
To download the release go to Keycloak downloads. Highlights New option in X.509 authenticator to abort authentication if CRL is outdated The X.509 authenticator has a new option x509-cert-auth-crl-abort-if-non-updated (CRL abort if non updated in the Admin Console) to abort the login if a CRL is configured to validate the certificate and the CRL is not updated in the time specified in the next update field. The new option defaults to true in the Admin Console. For more details about the CRL ...| Keycloak Blog
To download the release go to Keycloak downloads. Highlights Transport stack jdbc-ping as new default Keycloak now uses by default its database to discover other nodes of the same cluster, which removes the need of additional network related configurations especially for cloud providers. It is also a default that will work out-of-the-box in cloud environments. Previous versions of Keycloak used as a default UDP multicast to discover other nodes to form a cluster and to synchronize the replica...| Keycloak Blog
To download the release go to Keycloak downloads. Upgrading Before upgrading refer to the migration guide for a complete list of changes. All resolved issues Enhancements #33569 Show User Events on dedicated tab on Client-/User-Details #34091 Username Form should support autocomplete login/ui Bugs #34072 The Realm Selection Dropdown Breaks After 50 Realms In Database admin/ui #34207 logout with client_id and/or post_logout_redirect_uri results in bad request on logout confirmation page oidc #...| Keycloak Blog
To download the release go to Keycloak downloads. Upgrading Before upgrading refer to the migration guide for a complete list of changes. All resolved issues Enhancements #34882 Edits to Authorization Services guide #34916 Addresse QE comments on Server Administration guide #34931 Upgrade to ISPN 15.0.11.Final Bugs #10233 Locale Setting for Update Password Mail admin/api #17233 the InfoPage after an ExecuteActionsEmail is not localized based on the user's locale authentication #30631 Upgrade ...| Keycloak Blog
To download the release go to Keycloak downloads. Highlights Admin events might include now additional details about the context when the event is fired In this release, admin events might hold additional details about the context when the event is fired. When upgrading you should expect the database schema being updated to add a new column DETAILS_JSON to the ADMIN_EVENT_ENTITY table. Updates to documentation of X.509 client certificate lookup via proxy Potential vulnerable configurations ha...| Keycloak Blog
To download the release go to Keycloak downloads. Highlights LDAP users are created as enabled by default when using Microsoft Active Directory If you are using Microsoft AD and creating users through the administrative interfaces, the user will be created as enabled by default. In previous versions, it was only possible to update the user status after setting a (non-temporary) password to the user. This behavior was not consistent with other built-in user storages as well as not consistent with...| Keycloak Blog
To download the release go to Keycloak downloads. Upgrading Before upgrading refer to the migration guide for a complete list of changes. All resolved issues Enhancements #34284 Keycloak-admin-client should work with the future versions of Keycloak server admin/client-java #34382 Make the organization chapter of Server Admin guide available on downstream Bugs #14562 Broken Promise implementation for AuthZ JS adapter/javascript #25917 Allow increasing wait time on each failure after the max nu...| Keycloak Blog
To download the release go to Keycloak downloads. Upgrading Before upgrading refer to the migration guide for a complete list of changes. All resolved issues Enhancements #32110 [Documentation] - Configuring trusted certificates - Fully specify truststore path dist/quarkus Bugs #15635 oidc - JavaScript-Adapter LocalStorage#clearExpired does not clear all possible items adapter/javascript #19101 Uncaught (in promise): QuotaExceededError adapter/javascript #20287 When using `oidcProvider` confi...| Keycloak Blog
To download the release go to Keycloak downloads. Upgrading Before upgrading refer to the migration guide for a complete list of changes. All resolved issues Enhancements #32152 Clarify the behaviour of multiple Operator versions installed in the same cluster operator #33275 Better logging when error happens during transaction commit storage Bugs #8935 keycloak.js example from the documentation leads to error path adapter/javascript #19358 Issue with concurrent user & group delete, unable to ...| Keycloak Blog
To download the release go to Keycloak downloads. Highlights Organizations supported Starting with Keycloak 26, the Organizations feature is fully supported. Client libraries updates Dedicated release cycle for the client libraries From this release, some of the Keycloak client libraries will have release cycle independent of the Keycloak server release cycle. The 26.0.0 release may be the last one when the client libraries are released together with the Keycloak server. But from now on, the ...| Keycloak Blog
To download the release go to Keycloak downloads. Upgrading Before upgrading refer to the migration guide for a complete list of changes. All resolved issues Bugs #30604 Network response was not OK. saml #31165 Re-enabling a temporarily locked user (brute-force) deletes all user properties and attributes admin/ui #32100 Remember Me with External Infinispan is not works properly infinispan #32578 WebAuthn Flows Broken in login.v2 login/ui #32643 Dots are not allowed in the path in Hostname v2 ...| Keycloak Blog
To download the release go to Keycloak downloads. Upgrading Before upgrading refer to the migration guide for a complete list of changes. All resolved issues Bugs #32084 SAML adapter IdMapperUpdaterSessionListener not executed when session ID changes adapter/saml #32754 CVE-2024-7341 Session fixation in the SAML adapters adapter/saml| Keycloak Blog
To download the release go to Keycloak downloads. Upgrading Before upgrading refer to the migration guide for a complete list of changes. All resolved issues Enhancements #31963 Upgrade to Infinispan 15.0.7.Final Bugs #31299 NPM library of account-ui is unusable (@keycloak/keycloak-account-ui version 25.0.1) account/ui #31304 Hide save / update buttons in account console for READ_ONLY federated accounts account/ui #31340 Hidden options shown in help all dist/quarkus #31386 Joining group for u...| Keycloak Blog
To download the release go to Keycloak downloads. Upgrading Before upgrading refer to the migration guide for a complete list of changes. All resolved issues Enhancements #30094 Do not inherit 'https-client-auth' property for the management interface #30537 Document how Admin REST API endpoints work with Hostname config docs #30856 Remove inclusive language foreword docs Bugs #19070 authBaseUrl error on different hostname-admin-url, hostname-url admin/ui #26042 Issue when start-dev in 23.0.1 ...| Keycloak Blog
To download the release go to Keycloak downloads. Upgrading Before upgrading refer to the migration guide for a complete list of changes. All resolved issues Enhancements #19750 Use a proper FreeMarker template for the new consoles account/ui #30346 Enhance masking around config-keystore dist/quarkus Bugs #25234 front channel logout to clients are not called at Identity Proxy when using front channel logout to Identity Provider( oidc #28643 Encountering `NullPointerException` - `KeycloakIdent...| Keycloak Blog
To download the release go to Keycloak downloads. Highlights Account Console v2 theme removed The Account Console v2 theme has been removed from Keycloak. This theme was deprecated in Keycloak 24 and replaced by the Account Console v3 theme. If you are still using this theme, you should migrate to the Account Console v3 theme. Java 21 support Keycloak now supports OpenJDK 21, as we want to stick to the latest LTS OpenJDK versions. Java 17 support is deprecated OpenJDK 17 support is deprecated...| Keycloak Blog
To download the release go to Keycloak downloads. Highlights Security issue with PAR clients using client_secret_post based authentication This release contains the fix of the important security issue affecting some OIDC confidential clients using PAR (Pushed authorization request). In case you use OIDC confidential clients together with PAR and you use client authentication based on client_id and client_secret sent as parameters in the HTTP request body (method client_secret_post specified i...| Keycloak Blog
To download the release go to Keycloak downloads. Highlights Partial update to user attributes when updating users through the Admin User API is no longer supported When updating user attributes through the Admin User API, you cannot execute partial updates when updating the user attributes, including the root attributes like username, email, firstName, and lastName. For more details, see the Upgrading Guide. Upgrading Before upgrading refer to the migration guide for a complete list of chang...| Keycloak Blog
To download the release go to Keycloak downloads. Upgrading Before upgrading refer to the migration guide for a complete list of changes. All resolved issues Enhancements #26695 Keycloak and MSAD: enabling account in MSAD does not propagate to Keycloak ldap Bugs #24201 Cannot disable LDAP-backed user if importEnabled=false ldap #28100 Failed authentication: java.lang.NullPointerException: Cannot invoke "org.keycloak.models.UserModel.getFederationLink()" because "this.delegate" is null identit...| Keycloak Blog
To download the release go to Keycloak downloads. Upgrading Before upgrading refer to the migration guide for a complete list of changes. All resolved issues Enhancements #25057 Inconsistent behaviour on getting user permissions using authorization authorization-services #27433 Clarify format of keys in `additionalOptions` field in the Keycloak CR docs #27481 Edit High Availability guide #27484 Edit 23.0 changes part of Upgrading Guide #27632 Integrate downstream Upgrading Guide changes into ...| Keycloak Blog
To download the release go to Keycloak downloads. Highlights Operator deploys nightly build instead of 24.0.0 Due to an issue in the release process when deploying Keycloak using the Operator it installed the nightly container instead of 24.0.0. As a quick fix to the issue, the 24.0.0 container was tagged with nightly, and the nightly releases were temporarily disabled. If you installed or upgraded to 24.0.0 using the Operator before 5pm CET yesterday the database may have been updated with th...| Keycloak Blog
To download the release go to Keycloak downloads. Highlights Supported user profile and progressive profiling The user profile preview feature is promoted to be fully supported and user profile is enabled by default. In the past months, the Keycloak team spent a huge amount of effort in polishing the user profile feature to make it fully supported. In this release, we continued the effort. Lots of improvements, fixes and polishing were done based on the thorough testing and feedback from our ...| Keycloak Blog
To download the release go to Keycloak downloads. Upgrading Before upgrading refer to the migration guide for a complete list of changes. All resolved issues Enhancements #26810 Shorter lifespan for offline session cache entries in memory storage Bugs #22431 Localization: Admin UI doesn't pick up message bundles from realms other than master admin/ui #23786 Failure: FipsDistTest ci #25294 Kerberos principal attribute not found on LDAP user - even if kerberos authentication is off ldap #25883 ...| Keycloak Blog
To download the release go to Keycloak downloads. Upgrading Before upgrading refer to the migration guide for a complete list of changes. All resolved issues Bugs #26427 Operator CSV uses wrong format for `createdAt` field operator #26597 Keycloak UI meets "Internal Sever Error" after save "Refresh Token Max Reuse" number core #26665 Unable to modify access token lifespan at realm level. Keycloak stops working. core| Keycloak Blog
To download the release go to Keycloak downloads. Upgrading Before upgrading refer to the migration guide for a complete list of changes. All resolved issues New features #25733 Update Route53 HA guide to be compatible with ROSA and Openshift 4.14.x #26028 Remove conditional statements about Windows / Linux from the docs docs Enhancements #20125 Role mapping tab no longer visible when using fine grained permissions after upgrade from 20.0.3 to 21.0.2 admin/ui #26006 Clarification needed of us...| Keycloak Blog
To download the release go to Keycloak downloads. Upgrading Before upgrading refer to the migration guide for a complete list of changes. All resolved issues Bugs #9693 PubKeySignRegisterTest failures in WebAuthn tests testsuite #24508 Deadlock when pre-loading remote sessions from external Infinispan storage #24763 Remove sign out action for offline sessions admin/ui #25016 Make password visibility css classes configurable for themes login/ui #25096 Meaning of briefRepresentation query param...| Keycloak Blog
To download the release go to Keycloak downloads. Upgrading Before upgrading refer to the migration guide for a complete list of changes. All resolved issues Enhancements #25388 Enable concurrent remote operations for Infinispan storage Bugs #24718 Mapper Option "Add to access token" Toggled Off Despite Claim Added to Token admin/ui #25208 GH Actions -> Keycloak CI -> MSSQL docker images fails during startup ci #25231 CIBA and PAR are broken since 23.0.0 (NPE) when using http protocol oidc #2...| Keycloak Blog
To download the release go to Keycloak downloads. Highlights Non-blocking health check for load balancers A new health check endpoint available at /lb-check was added. The execution is running in the event loop which means this check is responsive also in overloaded situations when Keycloak needs to handle many requests waiting in request queue. This behavior is useful, for example, in multi-site deployment where we do not want to fail over to the other site under heavy load. The endpoint is ...| Keycloak Blog
To download the release go to Keycloak downloads. Upgrading Before upgrading refer to the migration guide for a complete list of changes. All resolved issues Bugs #23841 Users page with LDAP User Storage Provider Cannot read properties of undefined admin/ui #23872 Attempt to request storage access in Firefox oidc #24261 „Unlink users“-Option greyed out in ldap federation admin/ui #24958 Error handling in admin console when update of user fails due the 400 HTTP error code admin/ui #24961 K...| Keycloak Blog
To download the release go to Keycloak downloads. Highlights OpenID Connect / OAuth 2.0 FAPI 2 drafts support Keycloak has new client profiles fapi-2-security-profile and fapi-2-message-signing, which ensure Keycloak enforces compliance with the latest FAPI 2 draft specifications when communicating with your clients. Thanks to Takashi Norimatsu for the contribution. DPoP preview support Keycloak has preview support for OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (...| Keycloak Blog
To download the release go to Keycloak downloads. Upgrading Before upgrading refer to the migration guide for a complete list of changes. All resolved issues Enhancements #14820 Calling getTopLevelGroups is slow inside GroupLDAPStorageMapper#getLDAPGroupMappingsConverted keycloak storage #19348 Sort subgroups keycloak storage #22109 Add non-blocking liveness and readiness checks to Keycloak keycloak dist/quarkus #22200 External Link check for documentation logs warning and exception: WARN Fil...| Keycloak Blog