Keycloak - the open source identity and access management solution. Add single-sign-on and authentication to applications and secure services with minimum effort.| Keycloak
To download the release go to Keycloak downloads. Upgrading Before upgrading refer to the migration guide for a complete list of changes. All resolved issues Enhancements #41558 Ensure cache configuration has correct number of owners #41934 Infinispan 15.0.19.Final #41963 Upgrade to Quarkus 3.20.2.1 dist/quarkus Bugs #39562 Breaking template change: Unknown `locale` input field added to user-profile registration page user-profile #40984 Backchannel logout token with an unexpected signature al...| Keycloak Blog
The next edition of Keycloak DevDay expands to a 2-day event taking place again in Darmstadt, Germany on March 5th and 6th, 2026.| Keycloak
BRZ migrated the Austrian Business Service Portal with 2M+ users to Keycloak. The Austrian Business Service Portal (USP) is the central online eGovernment platform for entrepreneurs and businesses. It connects businesses with various Austrian online government services, where businesses can access all digital services and information in one place. The USP was launched in 2010 by the Austrian Federal Computing Center (BRZ, abbreviated from the German name Bundesrechenzentrum). The BRZ is the m...| Keycloak Blog
Upgrading Before upgrading refer to the migration guide for a complete list of changes. All resolved issues Enhancements #134 Can we create automatically GH Issue for the PR sent by "Sync with Keycloak Server and send PR with changes" ? client #166 Improve documentation of keycloak-admin-client and add compatibility section client #170 Sync with Keycloak server release/26.3 branch client #172 Test with supported keycloak server versions client Bugs #165 Test failures in last Keycloak-client-...| Keycloak Blog
To download the release go to Keycloak downloads. Highlights This release delivers advancements to optimize your system and improve the experience of users, developers and administrators: Account recovery with 2FA recovery codes, protecting users from lockout. Simplified experiences for application developers with streamlined WebAuthn/Passkey registration and simplified account linking to identity providers via application initiated actions. Broader connectivity with the ability to broker wit...| Keycloak Blog
The talks and speakers have now been announced for Keycloak’s Identity Summit. Save your spot today! 📍 KEYCONF25 – taking place in Amsterdam on August 28th, 2025! This year’s edition of the Keycloak Identity Summit promises more content, more connections, and even more opportunities to engage with the people shaping the future of identity and access management. Talk highlights Our talks highlight the broad spectrum of the Keycloak ecosystem: How to run it with confidence and securely...| Keycloak Blog
Keycloak will be at KubeCon India in Hyderabad! Join us for talks, and connect with maintainers and the community at the project pavilion!| Keycloak
To download the release go to Keycloak downloads. Upgrading Before upgrading refer to the migration guide for a complete list of changes. All resolved issues Enhancements #39469 Fix Securing Apps links to adapters docs #39486 Email server credentials can be harvested through host/port manipulation admin/api #39541 Fix doc link to FGAP v1 docs #39543 Apply edits to Operators Guide docs #39572 Edit Observability Guide docs #39590 Fix callouts in Operator guide docs #39638 Sessions from Infinisp...| Keycloak Blog
Keycloak 26.2 brings Token Exchange out of preview with an officially supported version compliant with OAuth 2.0 Token Exchange specification.| Keycloak
Hitachi is providing an API management cloud service for Japanese banks and used Keycloak to search the API.| Keycloak
Keycloak relies on email functionality for tasks like password resets, user verifications, and notifications. A common setup is for Keycloak to authenticate to the SMTP server with a username and password. With issue #17432, the Keycloak community raised the need for token-based authentication with XOAUTH2, as some providers deprecated the authentication for SMTP with passwords. With Keycloak 26.2, the SMTP AUTH configuration now supports XOAUTH2. As Keycloak’s role is that of an applicatio...| Keycloak Blog
OpenTalk, a videoconferencing solution, needed a secure and scalable Identity and Access Management (IAM) solution to authenticate users and chose Keycloak.| Keycloak
Notable changes| www.keycloak.org
Keycloak's latest release introduces a new supported version of the long-in-preview fine-grained admin permissions feature.| Keycloak
To download the release go to Keycloak downloads. Upgrading Before upgrading refer to the migration guide for a complete list of changes. All resolved issues Enhancements #39418 Clarify when to use podman docs Bugs #35278 Double click on social provider link causes page has expired error login/ui #38918 IPv6 support: Broker tests failing with proxy configuration ci #39021 After migrating to newer Keycloak, token refreshes using inherited offline sessions return access tokens with invalid exp ...| Keycloak Blog
To download the release go to Keycloak downloads. Upgrading Before upgrading refer to the migration guide for a complete list of changes. All resolved issues New features #38985 Possibility to log details and representation to the jboss-logging listener Enhancements #39080 Standardize introductory text in Keycloak guides Bugs #38104 Temporary failure in name resolution with nip.io ci #38145 Unknown error on authentication-flow delete action admin/ui #38482 SAML client certificate not persiste...| Keycloak Blog
To download the release go to Keycloak downloads. Upgrading Before upgrading refer to the migration guide for a complete list of changes. All resolved issues Enhancements #39142 Make distribution startup timeout configurable testsuite Bugs #39125 [Keycloak CI] - FIPS UT - Run crypto tests ci #39349 CVE-2025-3910 Two factor authentication bypass #39350 CVE-2025-3501 Keycloak hostname verification| Keycloak Blog
KeyConf24 was a fantastic success, bringing together identity and access management professionals, developers, and community members from across Europe. The day was packed with insightful talks, deep dives into Keycloak, and incredible conversations between some of the brightest minds in IAM. Now, we’re excited to take things even further. 📍 Introducing KEYCONF25 – taking place in Amsterdam on August 28th, 2025! This year’s edition of the Keycloak Identity Summit promises more conten...| Keycloak Blog
When running a central single sign on service like Keycloak in production, you need to understand how well the system performs and whether there are service degradations. Having a proper monitoring stack in place is essential for this. Moreover, when the system performance degrades, it is crucial to identify which part of the system is causing the problem to address it. In the latest Keycloak release, all the above became more straightforward and works without additional extensions. Read on t...| Keycloak Blog
To download the release go to Keycloak downloads. Upgrading Before upgrading refer to the migration guide for a complete list of changes. All resolved issues Enhancements #38956 Clarify upgrade instructions #39057 Change the title for Grafana dashboards guide to plural docs #39059 Document operator `Auto` update strategy when used with `podTemplate` Bugs #38458 [FGAP] [UI] Permission search doesn't execute correct consequent search request admin/fine-grained-permissions #38692 Test coverage f...| Keycloak Blog
Keycloak had a very active presence at this year’s KubeCon EU in London. This blog presents a few of the highlights as well as ways you can contribute to Keycloak’s CNCF journey. Project Pavilion Keycloak hosted a project pavilion stand during Wednesday, Thursday and Friday afternoon slots. Attending the booth were Keycloak contributors Takashi Norimatsu and Yoshiyuki Tabata from Hitachi, alongside Martin Bartos and Ryan Emerson from Red Hat. During these sessions, we had the opportunity ...| Keycloak Blog
Upgrading Before upgrading refer to the migration guide for a complete list of changes. All resolved issues New features #120 Add release notes so they can be pulled into the website client Enhancements #111 Close session when client is closed client #135 Testing and document keycloak-client with Java 11 client #147 Update PR-CHECKLIST client #158 Sync with Keycloak server after Keycloak 26.2 release client Bugs #150 POM contains invalid SCM URLs client| Keycloak Blog
To download the release go to Keycloak downloads. Highlights Supported Standard Token Exchange In this release, we added support for the Standard token exchange! The token exchange feature was in preview for a long time, so we are glad to finally support the standard token exchange. For now, this is limited to exchanging the Internal token to internal token compliant with the Token exchange specification. It does not yet cover use cases related to identity brokering or subject impersonation. ...| Keycloak Blog
To download the release go to Keycloak downloads. Upgrading Before upgrading refer to the migration guide for a complete list of changes. All resolved issues Enhancements #38409 Upgrade to Quarkus 3.15.4 dist/quarkus #38764 OTel: Unable to disable sampling at runtime; tracing-sampler-ratio validation prevents setting 0.0 dist/quarkus Bugs #36482 The root cause of error is suppressed in KC 26 at building dependencies #37792 Save Button Not Enabled When Switching OTP Type from "Time Based" to "...| Keycloak Blog
Keycloak runs in a lot of regions and countries. Translations help Keycloak to reach a wider audience by making the platform usable for speakers of various languages. For translations, Keycloak now integrates with Weblate to simplify the process. The community can use a web-based frontend to contribute translations, and the language maintainers get automated notifications and review the translations. Read on for more details on the process. We had an online Q&A session for AMER/EMEA and APAC ...| Keycloak Blog
This year is the first time there is a KubeCon in Japan, and the Keycloak project is excited to be part of it! Join us on June 16-17 2025 in Tokyo, Japan for this exciting event. Register today to get tickets for the standard rate. Keycloak has a powerful community in Japan, and we have received several contributions in the past. There will be two talks about Keycloak (see below). Talks at KubeCon The schedule of KubeCon + CloudNativeCon Japan 2025 has been released, see below talks about Key...| Keycloak Blog
The call for papers and the registration for KeycloakCon 2025 Japan is now open! Submit your talks to the first-ever KeycloakCon in Japan. KeycloakCon 2025 Japan is a half-day meetup in Tokyo, Japan on June 13 where the community of Keycloak gathers. It provides opportunities for technical lectures, growth, and networking with talks related to Identity and Access Management (IAM) and Single Sign On (SSO). This event is designed to share insights from developers and maintainers, as well as the la...| Keycloak Blog
To download the release go to Keycloak downloads. Upgrading Before upgrading refer to the migration guide for a complete list of changes. All resolved issues Enhancements #37433 Allow admin to disable automatic refresh of event views admin/ui #37711 Upgrade to Infinispan 15.0.14 Bugs #37320 Cannot fetch realm role that was renamed admin/api #37621 When calling the token revoke endpoint multiple times with the same token, a database REVOKED-TOKEN constraint error is reported storage #37843 Adm...| Keycloak Blog
We are thrilled to announce that Keycloak will be at KubeCon Europe, London April 1-4th 2025. Keycloak’s presence at previous KubeCons was a huge success, and we are always eager to meet Keycloak enthusiasts, users and newcomers alike. At this year’s event we will be hosting a Kiosk in the Project Pavilion, as well as presenting a talk about Evolving OpenID Connect and Observability. Keycloak community Meet & Greet at the Project Pavilion Takashi Norimatsu from Hitachi, Ryan Emerson and M...| Keycloak Blog
Join the event on March 11th to look behind the scenes of how the development of Keycloak is organized, and subscribe to the Meetup to get invitations for future events. Read on to find out about previous topics that have been recorded and upcoming events. --- It happened to me several times that I was sitting in a workshop about any topic and the term “Keycloak” was used. Not in a spectacular tone, but rather like “We have Keycloak for this and that, and it just works!” Christoph Kof...| Keycloak Blog
To download the release go to Keycloak downloads. Highlights Send Reset Email force login again for federated users after reset credentials In version 26.1.1 a new configuration option was added to the reset-credential-email (Send Reset Email) authenticator to allow changing the default behavior after the reset credentials flow. Now the option force-login (Force login after reset) is adding a third configuration value only-federated, which means that the force login is true for federated user...| Keycloak Blog
FOSDEM is a free event for software developers to meet, share ideas and collaborate. Every year, thousands of developers of free and open source software from all over the world gather at the event. Several talks regarding OpenID Connect and Keycloak have been recorded, and are now available online to re-watch. See below for the links to the videos. Meeting the Keycloak community on-site As an incubating project of the Cloud Native Computing Foundation (CNCF), we were happy to share the space...| Keycloak Blog
Highlights Today marks a significant milestone in the evolution of Keycloak JS with the release of version 26.2.0. This new version represents a shift in how the JavaScript adapter develops and evolves alongside the Keycloak ecosystem. Although this new version introduces no functional changes to the adapter, it does include several organizational changes. The most notable change is that Keycloak JS now breaks free from the main Keycloak project’s release cycle. As announced earlier this ye...| Keycloak Blog
The Keycloak homepage has an updated community extensions page! Thanks to Martin Bartoš, each extension shows off with its GitHub stars. This should provide you with a better overview which extensions are popular with the community. If an extension you use is listed there, give a star! Are you missing an extension? Create an issue in our GitHub issue tracker to let us know so we can add it. Click on image below to get the extensions page, or navigate via the Community page and choose “Exte...| Keycloak Blog
To download the release go to Keycloak downloads. Upgrading Before upgrading refer to the migration guide for a complete list of changes. All resolved issues Deprecated features #525 Drop support for end-of-life versions of Node.js nodejs-connect Enhancements #573 Convert tests to standard modules to upgrade dependencies nodejs-connect #576 Upgrade `@keycloak/keycloak-admin-client` to latest version nodejs-connect Bugs #567 Connections with an error code are not terminated nodejs-connect #571...| Keycloak Blog
To download the release go to Keycloak downloads. Highlights New option in X.509 authenticator to abort authentication if CRL is outdated The X.509 authenticator has a new option x509-cert-auth-crl-abort-if-non-updated (CRL abort if non updated in the Admin Console) to abort the login if a CRL is configured to validate the certificate and the CRL is not updated in the time specified in the next update field. The new option defaults to true in the Admin Console. For more details about the CRL ...| Keycloak Blog
Upgrading Before upgrading refer to the migration guide for a complete list of changes. All resolved issues Enhancements #113 Wrong logger class client #117 Remove JEE from the title of GH actions client #127 Sync after Keycloak server 26.1.0 release client #130 Test with keycloak server images 24.0, 26.0 and 26.1 client Bugs #115 ProviderTest failing with latest nightly build client #124 The action "Sync with Keycloak Server and send PR with changes" sends PR, which does not have DCO on the ...| Keycloak Blog
To download the release go to Keycloak downloads. Highlights Transport stack jdbc-ping as new default Keycloak now uses by default its database to discover other nodes of the same cluster, which removes the need of additional network related configurations especially for cloud providers. It is also a default that will work out-of-the-box in cloud environments. Previous versions of Keycloak used as a default UDP multicast to discover other nodes to form a cluster and to synchronize the replica...| Keycloak Blog
Keycloak Terraform Provider Releases We’re excited to announce the release of the Keycloak Terraform Provider 5.0 with support for Keycloak 24/26. You can find the repository here. Following our announcement in December 2024, we released Keycloak Terraform Provider 4.5 with a new license and dependency upgrades for Keycloak versions older than 23.0.0. If you are still using the old Keycloak Terraform Provider by mrparkers you can take a look at the migration notes to use the new Keycloak Te...| Keycloak Blog
To download the release go to Keycloak downloads. Upgrading Before upgrading refer to the migration guide for a complete list of changes. All resolved issues Enhancements #33569 Show User Events on dedicated tab on Client-/User-Details #34091 Username Form should support autocomplete login/ui Bugs #34072 The Realm Selection Dropdown Breaks After 50 Realms In Database admin/ui #34207 logout with client_id and/or post_logout_redirect_uri results in bad request on logout confirmation page oidc #...| Keycloak Blog
FOSDEM is a free event for software developers to meet, share ideas and collaborate. Every year, thousands of developers of free and open source software from all over the world gather at the event. Those staying home will be able to watch the live stream of the talks and ask questions online. Members of the Keycloak project will be on-site like last year, and there will be talks from both the Keycloak community and the Keycloak team. See below for places to meet other Keycloak enthusiasts, a...| Keycloak Blog
Keycloak 26 now uses by default the Persistent user sessions feature. In this blog post, we uncover the background on why we introduced this feature, what are the alternatives and what is the future. Session storages in Keycloak 26 cheatsheet This section provides a TLDR guidance on what sessions storages exist and when each of them should be used with Keycloak 26. The following sections provide more details on each storage type and reasoning behind introducing or dropping each of them. Numbe...| Keycloak Blog
Videos to re-watch This year, the Keycloak project was present at multiple conferences. Here are the videos to watch for the holiday break if you haven’t watched them yet: KubeCon NA, KeyConf, Keycloak DevDay, Devoxx France and KubeCon Europe. When going through the list, I found that at least two of the talks have not been published on the Keycloak blog yet. So here they are: FOSDEM in February with the talk Add user self-management, brokerage and federation to your infrastructure with Key...| Keycloak Blog
New Repository Location We’re excited to announce that the Keycloak Terraform Provider has officially moved under the Keycloak organization! You can find the new repository location here. The Journey So Far Thanks to our community survey, we confirmed that the Keycloak Terraform Provider by mrparkers is the most widely used tool for realm configuration management. The move to the Keycloak organization is a natural next step in making this essential tool a core part of the Keycloak ecosystem...| Keycloak Blog
Keycloak had a very active presence at this year’s KubeCon NA in Salt Lake City, Utah. This blog presents a few of the highlights as well as ways you can contribute to Keycloak’s CNCF journey. Project Pavilion Keycloak hosted a project pavilion stand during Wednesday, Thursday and Friday afternoon slots. Attending the booth were Keycloak contributors Yoshiyuki Tabata from Hitachi and Ryan Emerson, Martin Bartos and Kamesh Akella from Red Hat. During these sessions, we discussed all things...| Keycloak Blog
To download the release go to Keycloak downloads. Upgrading Before upgrading refer to the migration guide for a complete list of changes. All resolved issues Enhancements #34882 Edits to Authorization Services guide #34916 Addresse QE comments on Server Administration guide #34931 Upgrade to ISPN 15.0.11.Final Bugs #10233 Locale Setting for Update Password Mail admin/api #17233 the InfoPage after an ExecuteActionsEmail is not localized based on the user's locale authentication #30631 Upgrade ...| Keycloak Blog
To download the release go to Keycloak downloads. Highlights Admin events might include now additional details about the context when the event is fired In this release, admin events might hold additional details about the context when the event is fired. When upgrading you should expect the database schema being updated to add a new column DETAILS_JSON to the ADMIN_EVENT_ENTITY table. Updates to documentation of X.509 client certificate lookup via proxy Potential vulnerable configurations ha...| Keycloak Blog
Upgrading Before upgrading refer to the migration guide for a complete list of changes. All resolved issues Enhancements #90 Update MD files client #93 Move upgrading guide for keycloak-client libraries to the client documentation client #101 Setup GH action (or script), which will send PR for automatically sync with keycloak server client Bugs #105 Unnecessary `httpclient` dependency in `keycloak-client-common-synced` module client| Keycloak Blog
How It All Started The idea to replace the current test suite has been on the table for multiple years. Initially, it was meant to be only a refactoring of the current approach on how to write tests, but after a few internal discussions and refactor updates it turned out a new test suite, based on a new framework would be a better solution. It would be good to mention a few drawbacks, that stand out when working with the current test suite. First of all, is the complexity of various configura...| Keycloak Blog
KeyConf24, our 2024 Keycloak Identity Summit, happened in Vienna in September this year. We were excited to have a full room on site, and 150+ people watching online. Thanks to our event sponsor adorsys, all recorded videos are now available online at the event’s website: https://keyconf.dev/. Re-watch the talks and learn from practitioners, developers and maintainers. Thanks to all our sponsors adorsys, Banfico, Hitachi and Red Hat who made this event possible! Wallets are Key - the state ...| Keycloak Blog
To download the release go to Keycloak downloads. Highlights LDAP users are created as enabled by default when using Microsoft Active Directory If you are using Microsoft AD and creating users through the administrative interfaces, the user will be created as enabled by default. In previous versions, it was only possible to update the user status after setting a (non-temporary) password to the user. This behavior was not consistent with other built-in user storages as well as not consistent with...| Keycloak Blog
Upgrading Before upgrading refer to the migration guide for a complete list of changes. All resolved issues Enhancements #92 Setup CI during nightly build client #99 Sync with keycloak server 26.0.4 client Bugs #94 Tests failing with latest Keycloak server nightly client| Keycloak Blog
To download the release go to Keycloak downloads. Upgrading Before upgrading refer to the migration guide for a complete list of changes. All resolved issues Enhancements #34284 Keycloak-admin-client should work with the future versions of Keycloak server admin/client-java #34382 Make the organization chapter of Server Admin guide available on downstream Bugs #14562 Broken Promise implementation for AuthZ JS adapter/javascript #25917 Allow increasing wait time on each failure after the max nu...| Keycloak Blog
Keycloak DevDay 2025 is just around the corner, and we would like to invite you to a special pre-event: the Keycloak Hackathon! Hackathon: actively help shape Keycloak On the day before DevDay, on March 5, our hackathon will give you the opportunity to actively contribute to the further development of Keycloak. Whether you write code, work on the documentation, improve translations or maintain issues in the issue tracker - everyone can take part. The hackathon offers you the opportunity to pi...| Keycloak Blog
To download the release go to Keycloak downloads. Upgrading Before upgrading refer to the migration guide for a complete list of changes. All resolved issues Enhancements #32110 [Documentation] - Configuring trusted certificates - Fully specify truststore path dist/quarkus Bugs #15635 oidc - JavaScript-Adapter LocalStorage#clearExpired does not clear all possible items adapter/javascript #19101 Uncaught (in promise): QuotaExceededError adapter/javascript #20287 When using `oidcProvider` confi...| Keycloak Blog
Upgrading Before upgrading refer to the migration guide for a complete list of changes. All resolved issues Enhancements #92 Setup CI during nightly build client Bugs #89 ClientTest failing with latest Keycloak nightly client| Keycloak Blog
To download the release go to Keycloak downloads. Upgrading Before upgrading refer to the migration guide for a complete list of changes. All resolved issues Enhancements #32152 Clarify the behaviour of multiple Operator versions installed in the same cluster operator #33275 Better logging when error happens during transaction commit storage Bugs #8935 keycloak.js example from the documentation leads to error path adapter/javascript #19358 Issue with concurrent user & group delete, unable to ...| Keycloak Blog
We are thrilled to announce that Keycloak will be at KubeCon Salt Lake City, Utah in Nov 2024. There are several Keycloak specific sessions lined up during this conference, and we will be hosting a Kiosk at the Project Pavilion at KubeCon. What is KubeCon? Keycloak’s presence in the previous KubeCons was a huge success, and we continue to have a lot of fun interacting with Keycloak enthusiasts, users, newcomers alike. KubeCon is a fast-growing Cloud Native tech conference expected to have u...| Keycloak Blog
With four major releases of Keycloak every year, it can be a daunting task to keep deployments up to date, especially since the number of breaking changes has drastically increased over the last couple of years. Combined with the importance of patching deployments quickly for vulnerabilities, this can leave many deployments open to known vulnerabilities, as the time and effort required to update to the latest release is too costly. Additionally, currently Keycloak client libraries are released to...| Keycloak Blog
To download the release go to Keycloak downloads. Highlights Organizations supported Starting with Keycloak 26, the Organizations feature is fully supported. Client libraries updates Dedicated release cycle for the client libraries From this release, some of the Keycloak client libraries will have release cycle independent of the Keycloak server release cycle. The 26.0.0 release may be the last one when the client libraries are released together with the Keycloak server. But from now on, the ...| Keycloak Blog
Highlights Dedicated release cycle for the client libraries From this release, some of the Keycloak client libraries will have release cycle independent of the Keycloak server release cycle. The 26.0.0 release may be the last one when the client libraries are released together with the Keycloak server. But from now on, the client libraries may be released at a different time than the Keycloak server. The client libraries are these artifacts: Java admin client - Maven artifact org.keycloak:key...| Keycloak Blog
To download the release go to Keycloak downloads. Upgrading Before upgrading refer to the migration guide for a complete list of changes. All resolved issues Bugs #30604 Network response was not OK. saml #31165 Re-enabling a temporarily locked user (brute-force) deletes all user properties and attributes admin/ui #32100 Remember Me with External Infinispan is not works properly infinispan #32578 WebAuthn Flows Broken in login.v2 login/ui #32643 Dots are not allowed in the path in Hostname v2 ...| Keycloak Blog
Three months ago, the Keycloak project conducted a survey to gather insights on realm configuration tooling within our community. The number of responses overwhelmed us! With a total of 433 (!) submissions, it highlighted the diverse range of options our community uses for configuring realms. Thank You for your valuable feedback! Popular Tools in Use The survey revealed a variety of tools employed by the community for realm configuration, including: Terraform Provider for Keycloak Keycloak-Co...| Keycloak Blog
To download the release go to Keycloak downloads. Upgrading Before upgrading refer to the migration guide for a complete list of changes. All resolved issues Bugs #32084 SAML adapter IdMapperUpdaterSessionListener not executed when session ID changes adapter/saml #32754 CVE-2024-7341 Session fixation in the SAML adapters adapter/saml| Keycloak Blog
We’re excited to announce the release of two new npm packages designed to supercharge your Keycloak customization efforts. These React component libraries, built on top of PatternFly, provide the essential building blocks for crafting Keycloak account and admin consoles. The tool generates sample code for a custom console using our "Composable UI" technique. Essentially, this means that you can build your console out of exported Keycloak components that we intend to support in future releas...| Keycloak Blog
After an initial installation of Keycloak, users today spend a significant amount of time optimizing their installations, keeping them up to date and secure. When doing this, they follow the principles of Site Reliability Engineers, among others automation, setting service level objectives, keeping things simple and monitoring. As of today, Keycloak doesn’t provide much documentation and best practices in that area. The Keycloak project is also looking for faster feedback on changes so that...| Keycloak Blog
KeyConf24, our 2024 Keycloak Identity Summit, will happen on September 19th, which is just around the corner! This year’s event promises to be even bigger and better, with a program packed full of relevant, cutting-edge topics. This year due to high demand and limited space on-site, we’re offering for the first time a live stream, so the Keycloak community can join remotely. What to Expect at KeyConf24 The talks have been selected, and the program is now online at https://keyconf.dev/. Ex...| Keycloak Blog
To download the release go to Keycloak downloads. Upgrading Before upgrading refer to the migration guide for a complete list of changes. All resolved issues Enhancements #31963 Upgrade to Infinispan 15.0.7.Final Bugs #31299 NPM library of account-ui is unusable (@keycloak/keycloak-account-ui version 25.0.1) account/ui #31304 Hide save / update buttons in account console for READ_ONLY federated accounts account/ui #31340 Hidden options shown in help all dist/quarkus #31386 Joining group for u...| Keycloak Blog
We (Sebastian and me (Niko)) are excited to announce the next edition of Keycloak DevDay! Save the Date DevDay is taking place in Darmstadt, Germany on March 6th, 2025. The location is about 30 minutes away from Frankfurt/Main Airport by public transport, see website for details. It will be again a 1-day conference with talks, panels, discussions and an OpenSpace/Unconference format, with lots of opportunities for networking and exchange among like-minded people. Of course, there will also be...| Keycloak Blog
To download the release go to Keycloak downloads. Upgrading Before upgrading refer to the migration guide for a complete list of changes. All resolved issues Enhancements #30094 Do not inherit 'https-client-auth' property for the management interface #30537 Document how Admin REST API endpoints work with Hostname config docs #30856 Remove inclusive language foreword docs Bugs #19070 authBaseUrl error on different hostname-admin-url, hostname-url admin/ui #26042 Issue when start-dev in 23.0.1 ...| Keycloak Blog
Numerous options exist for managing Keycloak Realm configurations within the Keycloak ecosystem. We know that configuration as code is an essential topic for DevOps and that the Keycloak ecosystem needs an excellent solution to make this possible. As the Keycloak team, we want to understand better what works best for the community and how we can improve the support for Realm configuration Management tools. So that we in the Keycloak community have a representative picture of the configuration...| Keycloak Blog
Dear Keycloak community, Thanks to the collaborative work with a lot of folks from the community and Red Hat’s IT, we are delivering in Keycloak 25 the Keycloak Organizations feature. We are pleased to announce the beginning of a long journey to support Customer Identity and Access Management (CIAM) and, to some degree, also support for multi-tenancy when a realm needs to integrate with third parties such as customers and business partners. Keycloak Organizations is a feature that leverages...| Keycloak Blog
To download the release go to Keycloak downloads. Upgrading Before upgrading refer to the migration guide for a complete list of changes. All resolved issues Enhancements #19750 Use a proper FreeMarker template for the new consoles account/ui #30346 Enhance masking around config-keystore dist/quarkus Bugs #25234 front channel logout to clients are not called at Identity Proxy when using front channel logout to Identity Provider( oidc #28643 Encountering `NullPointerException` - `KeycloakIdent...| Keycloak Blog
Back in February this year, we (Sebastian and me (Niko)) hosted the very first edition of Keycloak DevDay - a one-day, community-driven conference - in Frankfurt/Main, Germany. The event was a blast and completely sold-out, plus many additional participants online in the two parallel live streams. We were able to welcome attendees from all over Europe. Thank you all for being part of this incredible event! 🙏 For all of you who couldn’t attend, we have published all the recorded and live ...| Keycloak Blog
Previous versions of Keycloak would store regular user sessions (also called online user sessions) only in memory. Due to that, all users would be logged out when you shut down or restart the Keycloak cluster. With Keycloak 25, there is a preview feature “persistent user sessions”, which stores the user sessions in its database. If a session is not found in memory, it is loaded from the database, and the user can continue to use their session without the need to re-authenticate. The previ...| Keycloak Blog
KeyConf23 was an incredible success, bringing together nearly 60 passionate members of the Keycloak community in London. The energy and collaboration were palpable as attendees delved into the latest developments in identity and access management. We witnessed thought-provoking discussions, learned from industry experts, and forged valuable connections. Building on that momentum, we’re thrilled to announce KeyConf24, our 2024 Keycloak Identity Summit! This year’s event promises to be even...| Keycloak Blog
To download the release go to Keycloak downloads. Highlights Account Console v2 theme removed The Account Console v2 theme has been removed from Keycloak. This theme was deprecated in Keycloak 24 and replaced by the Account Console v3 theme. If you are still using this theme, you should migrate to the Account Console v3 theme. Java 21 support Keycloak now supports OpenJDK 21, as we want to stick to the latest LTS OpenJDK versions. Java 17 support is deprecated OpenJDK 17 support is deprecated...| Keycloak Blog
To download the release go to Keycloak downloads. Highlights Security issue with PAR clients using client_secret_post based authentication This release contains the fix of the important security issue affecting some OIDC confidential clients using PAR (Pushed authorization request). In case you use OIDC confidential clients together with PAR and you use client authentication based on client_id and client_secret sent as parameters in the HTTP request body (method client_secret_post specified i...| Keycloak Blog
To download the release go to Keycloak downloads. Highlights Partial update to user attributes when updating users through the Admin User API is no longer supported When updating user attributes through the Admin User API, you cannot execute partial updates when updating the user attributes, including the root attributes like username, email, firstName, and lastName. For more details, see the Upgrading Guide. Upgrading Before upgrading refer to the migration guide for a complete list of chang...| Keycloak Blog
A single sign-on solution for your customers and employees shouldn’t be a single point of failure in your architecture. At Devoxx France 2024, Ryan Emerson and Alexander Schwartz presented, from an architect’s and developer’s perspective, how Keycloak approached the problem. They describe which architecture the Keycloak team chose, the challenges they faced and which tools helped along the way. The slides and the recorded video are linked below. Scroll down for additional links and details of ...| Keycloak Blog
To download the release go to Keycloak downloads. Upgrading Before upgrading refer to the migration guide for a complete list of changes. All resolved issues Enhancements #26695 Keycloak and MSAD: enabling account in MSAD does not propagate to Keycloak ldap Bugs #24201 Cannot disable LDAP-backed user if importEnabled=false ldap #28100 Failed authentication: java.lang.NullPointerException: Cannot invoke "org.keycloak.models.UserModel.getFederationLink()" because "this.delegate" is null identit...| Keycloak Blog
After a packed week of fantastic talks at KubeCon + CloudNativeCon Europe 2024 in Paris, we’re delighted to share our impressions with the rest of the Keycloak community. Keycloak and OAuth2 Token Exchange for Microservice API Security The presence of Keycloak in many presentations highlighted its importance in the cloud-native ecosystem. Notably, the talk “OAuth2 Token Exchange for Microservice API Security” by Ahmet Soormally & Letz Yaara on OAuth2 Token Exchange (RFC 8693) underscore...| Keycloak Blog
To download the release go to Keycloak downloads. Upgrading Before upgrading refer to the migration guide for a complete list of changes. All resolved issues Enhancements #25057 Inconsistent behaviour on getting user permissions using authorization authorization-services #27433 Clarify format of keys in `additionalOptions` field in the Keycloak CR docs #27481 Edit High Availability guide #27484 Edit 23.0 changes part of Upgrading Guide #27632 Integrate downstream Upgrading Guide changes into ...| Keycloak Blog
To download the release go to Keycloak downloads. Highlights Operator deploys nightly build instead of 24.0.0 Due to an issue in the release process, deploying Keycloak using the Operator installed the nightly container instead of 24.0.0. As a quick fix to the issue, the 24.0.0 container was tagged with nightly, and the nightly releases were temporarily disabled. If you installed or upgraded to 24.0.0 using the Operator before 5pm CET yesterday the database may have been updated with th...| Keycloak Blog
To download the release go to Keycloak downloads. Highlights Supported user profile and progressive profiling The user profile preview feature is promoted to be fully supported and user profile is enabled by default. In the past months, the Keycloak team spent a huge amount of effort in polishing the user profile feature to make it fully supported. In this release, we continued the effort. Lots of improvements, fixes and polishing were done based on the thorough testing and feedback from our ...| Keycloak Blog
To download the release go to Keycloak downloads. Upgrading Before upgrading refer to the migration guide for a complete list of changes. All resolved issues Enhancements #26810 Shorter lifespan for offline session cache entries in memory storage Bugs #22431 Localization: Admin UI doesn't pick up message bundles from realms other than master admin/ui #23786 Failure: FipsDistTest ci #25294 Kerberos principal attribute not found on LDAP user - even if kerberos authentication is off ldap #25883 ...| Keycloak Blog
To download the release go to Keycloak downloads. Upgrading Before upgrading refer to the migration guide for a complete list of changes. All resolved issues Bugs #26427 Operator CSV uses wrong format for `createdAt` field operator #26597 Keycloak UI meets "Internal Sever Error" after save "Refresh Token Max Reuse" number core #26665 Unable to modify access token lifespan at realm level. Keycloak stops working. core| Keycloak Blog
To download the release go to Keycloak downloads. Upgrading Before upgrading refer to the migration guide for a complete list of changes. All resolved issues New features #25733 Update Route53 HA guide to be compatible with ROSA and Openshift 4.14.x #26028 Remove conditional statements about Windows / Linux from the docs docs Enhancements #20125 Role mapping tab no longer visible when using fine grained permissions after upgrade from 20.0.3 to 21.0.2 admin/ui #26006 Clarification needed of us...| Keycloak Blog
To download the release go to Keycloak downloads. Upgrading Before upgrading refer to the migration guide for a complete list of changes. All resolved issues Bugs #9693 PubKeySignRegisterTest failures in WebAuthn tests testsuite #24508 Deadlock when pre-loading remote sessions from external Infinispan storage #24763 Remove sign out action for offline sessions admin/ui #25016 Make password visibility css classes configurable for themes login/ui #25096 Meaning of briefRepresentation query param...| Keycloak Blog
For a Customer Identity and Access Management (CIAM) system, high availability is essential as it is a single point for all systems where customers log in. For Keycloak 23, there is a new and updated High Availability guide describing multi-site setups. With detailed instructions and blueprints targeting cloud infrastructure, this is documented, tested, and ready to be tried out. Read on to find out what is new, and take a peek behind the scenes to see how this setup has been evaluated, tested and i...| Keycloak Blog
To download the release go to Keycloak downloads. Upgrading Before upgrading refer to the migration guide for a complete list of changes. All resolved issues Enhancements #25388 Enable concurrent remote operations for Infinispan storage Bugs #24718 Mapper Option "Add to access token" Toggled Off Despite Claim Added to Token admin/ui #25208 GH Actions -> Keycloak CI -> MSSQL docker images fails during startup ci #25231 CIBA and PAR are broken since 23.0.0 (NPE) when using http protocol oidc #2...| Keycloak Blog
To download the release go to Keycloak downloads. Highlights Non-blocking health check for load balancers A new health check endpoint available at /lb-check was added. The execution is running in the event loop which means this check is responsive also in overloaded situations when Keycloak needs to handle many requests waiting in request queue. This behavior is useful, for example, in multi-site deployment where we do not want to fail over to the other site under heavy load. The endpoint is ...| Keycloak Blog
Are you passionate about Keycloak and eager to dive deeper into this incredible Open Source IAM solution? Then don’t miss Keycloak Developer Day – a one-day, community-driven conference in Frankfurt/Main Germany in February 2024, dedicated to Keycloak and its vibrant community. Community Event to celebrate Keycloak Niko and I (Sebastian) have been active in the Keycloak community for years and have been using Keycloak in many customer projects. We co-organize the Java User Group Darmstadt...| Keycloak Blog
To download the release go to Keycloak downloads. Upgrading Before upgrading refer to the migration guide for a complete list of changes. All resolved issues Bugs #23841 Users page with LDAP User Storage Provider Cannot read properties of undefined admin/ui #23872 Attempt to request storage access in Firefox oidc #24261 „Unlink users“-Option greyed out in ldap federation admin/ui #24958 Error handling in admin console when update of user fails due the 400 HTTP error code admin/ui #24961 K...| Keycloak Blog
To download the release go to Keycloak downloads. Highlights OpenID Connect / OAuth 2.0 FAPI 2 drafts support Keycloak has new client profiles fapi-2-security-profile and fapi-2-message-signing, which ensure Keycloak enforces compliance with the latest FAPI 2 draft specifications when communicating with your clients. Thanks to Takashi Norimatsu for the contribution. DPoP preview support Keycloak has preview support for OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (...| Keycloak Blog
For any Open Source project, it is important that any contributions contain code that can legally be contributed to the project, and that the project has the right to distribute it under its license. There are many ways to achieve this, where two popular approaches are Developer Certificate of Origin (DCO) and Contributor License Agreement (CLA). Developer Certificate of Origin (DCO) is the most lightweight approach, which requires contributors to sign-off on individual commits that are part ...| Keycloak Blog