fidzu : JBoss

To download the release go to . UPGRADING Before upgrading refer to for a complete list of changes. ALL RESOLVED ISSUES NEW FEATURES * Add option "Requires short state parameter" to OIDC IDP authentication ENHANCEMENTS * Run clustering compatibility tests on release/x.y branches * Improve logging for client sessions load * Upgrade to Infinispan 15.0.18.Final infinispan BUGS * Flaky test: org.keycloak.testsuite.cluster.JGroupsCertificateRotationClusterTest#testCoordinatorHasScheduleTask ci * Update MariaDB connector to 3.5.3 dist/quarkus * Flaky test: org.keycloak.testsuite.cluster.PermissionTicketInvalidationClusterTest#crudWithFailover ci * Upgrade org.postgresql:postgresql to version 42.7.7 to address CVE-2025-49146 dependencies * CVE-2025-49574 - Exposure of Resource to Wrong Sphere vulnerability in io.vertx:vertx-core dependencies * Flaky test: org.keycloak.testsuite.cluster.RealmInvalidationClusterTest#crudWithFailover ci * Default jdbc-ping cluster setup for distributed caches fails in Oracle infinispan * Loglevel recorded from build phase dist/quarkus * Can't update security-admin-console via admin UI with volatile sessions infinispan * LDAP / ModelException: At least one condition should be provided to OR query core * Flaky test: org.keycloak.testsuite.cluster.ClientInvalidationClusterTest#crudWithFailover ci * FIPS errors in CI * Multiple primary key defined when attempting to upgrade after 26.3.0 core * Service Account users now showing in the User List admin/ui * Unknown relation when removing realm role with --db-schema configured storage * Docs use em-dashes instead of double dashes for SPI options in regular text docs * UpdateTest CI failures ci * [26.3] MariaDB connector dependency is not properly overriden dist/quarkus

24 Jul 2025 12:00am GMT

These are some of the blogs I follow for high-signal content, real-world lessons, and emerging patterns. 1. The Burning Monk (Yan Cui) - Deep technical guides, real-world insights, and event-driven serverless at its best. 🔗 2. Off-by-none (Jeremy Daly) - Weekly curated newsletter filled with top serverless news, tools, and community updates. 🔗 3. A Cloud Guru Blog - Trusted training content with strong coverage of AWS, certifications, and serverless how-tos. 🔗 4. Serverless.com Blog - Official blog for the Serverless Framework team with tutorials, product updates, and ecosystem insights. 🔗 5. AWS Community Builders Blog - Real-world articles from active AWS contributors and thought leaders. 🔗 6. Serverless Transformation (Aleios) - Strategy-rich serverless insights, especially around event-driven architecture. 🔗 7. AWS Compute Blog - Deep dives into AWS Lambda, Step Functions, and compute services directly from AWS. 🔗 8. AWS Architecture Blog - High-level cloud-native architecture practices and guidance for scalable apps. 🔗 9. Lumigo Blog - Focused on observability, monitoring, and debugging in serverless environments. 🔗 10. Serverless360 Blog - Azure-first serverless content with strong focus on Azure Functions and service management. 🔗 11. Nick Tune's Blog - Sociotechnical thinking and service design strategies for microservices and serverless. 🔗 12. AWS Enterprise Strategy Blog - Executive cloud transformation strategies, ideal for leadership and enterprise architects. 🔗 13. Theodo Blog - Engineering-led content featuring serverless, migration, and rapid product delivery stories. 🔗 14. Serverless First (Paul Swail) - Practical daily tips, guides, and architecture breakdowns from an experienced consultant. 🔗 15. Serverless Land - AWS-curated library of patterns, tutorials, and EDA content for serverless professionals. 🔗 16. Lego Engineers Blog (Sheen Brisals & team) - Real enterprise-scale implementation stories from a global brand. 🔗 17. Serverless Chats Podcast - Interviews with top serverless minds - with full transcripts for every episode. 🔗 18. Serverless Guru Blog - Transformation-focused advice and engineering best practices from a consultancy team. 🔗 19. The Serverless Edge Blog - Cloud strategy, org design, and the "value flywheel effect" in serverless transformation. 🔗 20. InfoQ Serverless - Aggregated industry-wide coverage, articles, and videos on serverless and architecture. 🔗 21. Jeremy Daly's Personal Blog - Detailed architectural posts and in-depth serverless exploration beyond the newsletter. 🔗 22. Lee Gilmore's Blog - Valuable insights on enterprise serverless adoption and scaling strategies. 🔗 23. Ready, Set, Cloud (Allen Helton) - Friendly, digestible blog posts with great diagrams and tutorials. 🔗 24. Sheen Brisals's Blog - Engineering leadership perspectives with an emphasis on EDA and maturity. 🔗 25. Aiden Steele's Blog - Low-level AWS insights with rare gems on Lambda internals and advanced configurations. 🔗 26. Luc van Donkersgoed's Blog - Visual, simple explanations of complex cloud patterns and serverless tips. 🔗 27. Benjamen Pyle's Blog (Binary Heap) - Great technical content on building serverless in Rust. 🔗 28. Ben Kehoe's Blog - Deep strategic thinking on cloud operations, organizational design, and serverless ops. 🔗 29. Alex DeBrie's Blog - Author of The DynamoDB Book, Alex shares thorough serverless data modeling guides. 🔗 30. Last Week in AWS (Corey Quinn) - Hilarious, opinionated, and insightful commentary on all things AWS - including serverless. 🔗 31. AWS Fundamentals Blog - Accessible cloud concepts from community experts. 🔗 32. Vadym Kazulkin on Dev.to - Detailed explorations of Lambda SnapStart and Java serverless.🔗 33. Cloudonaut Blog (Wittig Brothers) - Production-grade AWS best practices and architectural tips. 🔗 Do you know other technical blogs on serverless or cloud? Comment below and share your favorites.

13 Jul 2025 8:59am GMT

To download the release go to . UPGRADING Before upgrading refer to for a complete list of changes. ALL RESOLVED ISSUES ENHANCEMENTS * Upgrade to Infinispan 15.0.16.Final * Update limitations of the preview feature rolling updates for patch releases infinispan BUGS * Importing a realm takes more than 1 minute when multiple others exist. dist/quarkus * NPE during loading user groups with concurrent deletion storage * Unable to configure TLS reloading in Keycloak version 26.2.0 or later account/api * Mark options for additional datasources as preview dist/quarkus * Keycloak Operator 26.3.0 fails to update to 26.3.0 operator * Docs: server_development/topics/themes.adoc docs * Keycloak 26.3.0 Regression: Failed to login if web-authn is disabled core

10 Jul 2025 12:00am GMT

UPGRADING Before upgrading refer to for a complete list of changes. ALL RESOLVED ISSUES ENHANCEMENTS * Can we create automatically GH Issue for the PR sent by ""Sync with Keycloak Server and send PR with changes" ? client * Improve documentation of keycloak-admin-client and add compatibility section client * Sync with Keycloak server release/26.3 branch client * Test with supported keycloak server versions client BUGS * Test failures in last Keycloak-client-ci client

04 Jul 2025 12:00am GMT

To download the release go to . HIGHLIGHTS This release delivers advancements to optimize your system and improve the experience of users, developers and administrators: * Account recovery with 2FA recovery codes, protecting users from lockout. * Simplified experiences for application developers with streamlined WebAuthn/Passkey registration and simplified account linking to identity providers via application initiated actions. * Broader connectivity with the ability to broker with any OAuth 2.0 compliant authorization server, and enhanced trusted email verification for OpenID Connect providers. * Asynchronous logging for higher throughput and lower latency, ensuring more efficient deployments. * For administrators, experimental rolling updates for patch releases mean minimized downtime and smoother upgrades. Read on to learn more about each new feature, and if you are upgrading from a previous release of Keycloak. RECOVERING YOUR ACCOUNT IF YOU LOSE YOUR 2FA CREDENTIALS When using for example a one-time-password (OTP) generators as a second factor for authenticating users (2FA), a user can get locked out of their account when they, for example, lose their phone that contains the OTP generator. To prepare for such a case, the recovery codes feature allows users to print a set of recovery codes as an additional second factor. If the recovery codes are then allowed as an alternative 2FA in the login flow, they can be used instead of the OTP generated passwords. With this release, the recovery codes feature is promoted from preview to a supported feature. For newly created realms, the browser flow now includes the Recovery Authentication Code Form as Disabled, and it can be switched to Alternative by admins if they want to use this feature. For more information about this 2FA method, see the chapter in the Server Administration Guide. PERFORMANCE IMPROVEMENTS TO IMPORT, EXPORT AND MIGRATION The time it takes to run imports, exports or migrations involving a large number of realms has been improved. There is no longer a cumulative performance degradation for each additional realm processed. SIMPLIFIED REGISTRATION FOR WEBAUTHN AND PASSKEYS Both WebAuthn Register actions (webauthn-register and webauthn-register-passwordless) which are also used for Passkeys now support a parameter skip_if_exists when initiated by the application (AIA). This should make it more convenient to use the AIA in scenarios where a user has already set up WebAuthn or Passkeys. The parameter allows skipping the action if the user already has a credential of that type. For more information, see the chapter in the Server Administration Guide. SIMPLIFIED LINKING OF THE USER ACCOUNT TO AN IDENTITY PROVIDER Client-initiated linking a user account to the identity provider is now based on application-initiated action (AIA) implementation. This functionality aligns configuring this functionality and simplifies the error handling the calling of the client application, making it more useful for a broader audience. The custom protocol, which was previously used for client-initiated account linking, is now deprecated. BROKERING WITH OAUTH V2 COMPLIANT AUTHORIZATION SERVERS In previous releases Keycloak already supported federation with other OpenID Connect and SAML providers, as well as with several Social Providers like GitHub and Google which are based on OAuth 2.0. The new OAuth 2.0 broker now closes the gap to federate with any OAuth 2.0 provider. This then allows you to federate, for example, with Amazon or other providers. As this is a generic provider, you will need to specify the different claims and a user info endpoint in the provider's configuration. For more information, see the chapter in the Server Administration Guide. TRUSTED EMAIL VERIFICATION WHEN BROKERING OPENID CONNECT PROVIDERS Until now, the OpenID Connect broker did not support the standard email_verified claim available from the ID Tokens issued by OpenID Connect Providers. Starting with this release, Keycloak supports this standard claim as defined by the for federation. Whenever users are federated for the first time or re-authenticating and if the Trust email setting is enabled, Sync Mode is set to FORCE and the provider sends the email_verified claim, the user account will have their email marked according to the email_verified claim. If the provider does not send the claim, it defaults to the original behavior and sets the email as verified. ASYNCHRONOUS LOGGING FOR HIGHER THROUGHPUT AND LOWER LATENCY All available log handlers now support asynchronous logging capabilities. Asynchronous logging helps deployments that require high throughput and low latency. For more details on this opt-in feature, see the . ROLLING UPDATES FOR PATCH RELEASES FOR MINIMIZED DOWNTIME (PREVIEW) In the previous release, the Keycloak Operator was enhanced to support performing rolling updates of the Keycloak image if both images contain the same version. This is useful, for example, when switching to an optimized image, changing a theme or a provider source code. In this release, we extended this to perform rolling update when the new image contains a future patch release from the same major.minor release stream as a preview feature. This can reduce the service's downtime even further, as downtime is only needed when upgrading from a different minor or major version. Read more on how to enable this feature in . PASSKEYS INTEGRATED IN THE DEFAULT USERNAME FORMS In this release Keycloak integrates Passkeys in the default authentications forms. A new switch Enable Passkeys is available in the configuration, Authentication → Policies → Webauthn Passwordless Policy, that seamlessly incorporates passkeys support to the realm. With just one click, Keycloak offers conditional and modal user interfaces in the default login forms to allow users to authenticate with a passkey. The Passkeys feature is still in preview. Follow the guide to enable it. For more information, see . UPGRADING Before upgrading refer to for a complete list of changes. ALL RESOLVED ISSUES NEW FEATURES * Configurable probes in the Operator operator * Add supported config options for additional datasources dist/quarkus * Passkeys conditional UI: integration with username/password form authentication/webauthn * Name for OTP device should be unique account/api * Possibility to log details and representation to the jboss-logging listener * make MaxAuthAge configurable for required actions authentication * Passkeys conditional UI: integration with independent username and password form authentication/webauthn * Deprecate or remove the current conditionalUI authenticator authentication/webauthn ENHANCEMENTS * Get multiple users by Ids admin/api * Support IPv6 only environments dist/quarkus * Allow Keycloak operator to parameterize the Service annotations and labels * Temporarily Locked out users change the enabled flag of the user account/api * Support Syslog async properties dist/quarkus * Admin-UI: move PKCE Code Challenge Method setting from Advanced to Settings tab * Migration progress missing * Remove CACHE_EMBEDDED_REMOTE_STORE Feature * Ensure Client Initiated Account Linking behaves like other Application Initiated Actions authentication * Change User details page drop-down filter to make it easier to find the 'admin' role admin/ui * Remove user event types from admin UI is unusable admin/ui * Add ability for Quick Theme to import theme from a jar admin/ui * Quick Theme should allow naming the jar before download admin/ui * Add more validation for proxy-headers * Auto submit the "Organization Identity-First Login" form with pre-filled username field organizations * Enhance mapping from env variables to wildcards * Add `count` endpoint for organizations organizations * Make `ThemeManagerFactory` into a proper SPI so that it can be accessed/overridden core * Create CacheRemoteConfigProvider * Create CacheEmbeddedConfigProvider * Support Asynchronous logging * Improve Dutch translation for Theme base/login and base/email translations * Key generation for client authentication is always RSA 2048 with a 10-year validity, regardless of the selected algorithm authentication * Client secret generation provides lower than expected entropy authentication * Improve migration performance core * Access Token IDs have less than 128 bits of entropy core * Add feedback when user sync process is triggered in user federation * Allow logging of slow database operations * Upgrade command rolling updates for patch releases / step 1: experimental * Upgrade command rolling updates for patch releases / step 2: preview * Clarify upgrade instructions * Allow setting locale when edit mode is `READ_ONLY` * Make recovery codes supported authentication * Change the title for Grafana dashboards guide to plural docs * Document operator `Auto` update strategy when used with `podTemplate` * Standardize introductory text in Keycloak guides * Update LDAP configuration with a hint how to enable password hashing in ApacheDS * Make distribution startup timeout configurable testsuite * Add description to groups * Ability to skip AIA for adding WebAuthn security key in case that user already has one authentication * Better tooltip for Strategy to increase wait time in brute force settings * Polishing recovery codes authentication * Use required action configuration instead of password policy for warning threshold authentication * Should we improve metadata of recovery code credential? authentication * Keycloak Operator: TTL for KeycloakRealmImport jobs docs * Message bundle hot reloading * Clarify when to use podman docs * Fix Securing Apps links to adapters docs * Email server credentials can be harvested through host/port manipulation admin/api * Fix doc link to FGAP v1 docs * Apply edits to Operators Guide docs * Change discovery in Kubernetes to `jdbc-ping` * JGroups: Switch to "per-destination" bundler for `jdbc-ping` * Protocol `openid-connect` should be selected as default for ClientScopes oid4vc * Edit Observability Guide docs * Make slow SQL and SQL comment prefix configurable * Fix callouts in Operator guide docs * Build user representations when searching based on the user profile settings user-profile * OpenTelemetry Tracing: Spans as part of the "commit" should be nested dist/quarkus * OpenTelementry Tracing: Show calls within a rest resource as nested dist/quarkus * Sessions from Infinispan should be mapped lazily for the Admin UI * Return only manage permissions when listing users via administration console * Speed up Infinispan list of all sessions be more eagerly remove old client sessions * Pass notifications in batches to remote and local ISPN cache infinispan * When logging in, all client sessions are loaded which is slow oidc * Add re-authentication when updating email via UPDATE_EMAIL feature * Redirect request from wrong version to the right version * Docs: server_admin/topics/clients/oidc/proc-using-a-service-account.adoc oidc * Revise DPoP Codes - refactor retrieveDPoPHeaderIfPresent method oidc * Document that a shell wrapper must not start replace PID 1 in containers * Revise DPoP Codes - refactor remove unused methods oidc * Revise Client Policies Codes - AbstractClientPoliciesTest oidc * Improve JGroups network bind address documetion * Identity provider with FORCE sync mode does not detect verified email change identity-brokering * Revise Client Policies Codes - ClientPoliciesAdminTest oidc * Revise Client Policies Codes - ClientPoliciesConditionTest oidc * Add missing id attributes for button elements of keycloak.v2 login theme * Create a POC of running 2 containers in the new testsuite * Create test cases for OIDC flows * Make the checkbox "Sign out from other devices" unchecked by default authentication * Revise Client Policies Codes - ClientPoliciesExecutorTest oidc * Revise Client Policies Codes - ClientPoliciesExtendedEventTest oidc * Unnecessary boxing/unboxing to parse a primitive. SAST saml * Revise Client Policies Codes - ClientPoliciesLoadUpdateTest oidc * Revise Client Policies Codes - ClientPoliciesTest oidc * Revise Client Policies Codes - SecureRedirectUrisEnforcerExecutorTest oidc * Passkeys conditional UI: integration with the organization authenticator authentication/webauthn * Upgrade webauthn4j to a newer version authentication/webauthn * Throw an exception if transport mTLS keystore or Truststore does not exist * Unrelated Types. SAST * Potential thread safety Issue with lazy init of transformerFactory at TransformerUtil. SAST * Serialization issue in SAMLEntityAttributesParser - no void constructor in superclass. SAST * Abbreviate text in PKCE method configuration label in OIDC Client configuration admin/ui * Revise Client Policies Codes - OAuth 2.1 tests oidc * Revise Client Policies Codes - FAPI1Test oidc * Revise Client Policies Codes - FAPI2Test oidc * Revise Client Policies Codes - FAPICIBATest oidc * Sign of a bad copy/paste in logging of usserSessionLimitsAuthenticator authentication * Support more i18n keys for messages_ru.properties * Refactor the key value input so that it has an override for key and value component * Upgrade to Infinispan 15.0.15 * Upgrade Aurora PostgreSQL to a supported release * Document security implications of Keycloak CR operator * Icon for default role should have a separator to the role name admin/ui * ServerInfo View in Admin-Console should show CPU information * Make `ProviderConfigurationBuilder` fail when a duplicate property is added. * Support all i18n keys for messages_ru.properties translations * Update links specs in OIDC guide docs * Add link to OIDC Discovery Spec in the documentation of the certs endpoint oidc * Add templates for release notes and migration guide docs * Review Profile makes users prone to phishing attacks authentication * add (ky )kyrgyz language support translations * Default to num_owners=2 when the persistent-user-sessions feature is disabled infinispan * Clarify OpenShift v4 Identity Provider instructions * When redirecting old resource versions, keep query parameters * Clarify FIPS instructions * Add clarifying language around jgroups failure detection ports * Synchronization of Polish language in login template translations * Add missing translations in email and account theme for Polish lang translations * Update documentation about volatile sessions * [docs] fix spelling error in hostname.adoc * Documentation for passkeys for 26.3.0 authentication * Update javadoc of java admin-client for Keycloak 26.3 admin/client-java * Make abstract class AbstractUserRoleMappingMapper public BUGS * Passkey "Avoid same authenticator registration" doesn't work authentication/webauthn * OpenAPI spec: Missing attributes in ClientPolicyConditionRepresentation and ClientPolicyExecutorRepresentation schemas admin/api * account/ui spinner use patternfly v3 classes instead of patternfly v5 classes account/ui * Amazon Identity Provider does not accept scope = openid and Keycloak always sets it identity-brokering * Double click on social provider link causes page has expired error login/ui * wrong redirect after login timeout for parallel logins authentication * [Keycloak CI] - User Federation Tests - LDAPUserProfileTest.testMultipleLDAPProviders ci * "identity-provider-redirector" does not forward LOGIN_HINT of authentication session authentication * Social login - Instagram Login test fails, API changed ci * Keycloak container incorrectly read CGroups settings on Kernel 6.12 dist/quarkus * Login UI edit profile textarea doesn't have styles applied login/ui * Localization: when the user has forgotten the password, the email is sent in default language, instead of the selected one login/ui * Client scopes evaluate function shows sub claim in access token even if "basic" client scope is not selected admin/ui * External IDP error during Step-Up Authentication does no longer route back to browser flow authentication * account-console no longer provides nonce/state parameter account/ui * [Keycloak CI] - Quarkus IT (windows-latest, win) - QuarkusPropertiesDistTest ci * Unexpected Application Initiated Actions Cause Server Errors authentication * LDAP group mapper skips configured filter and imports all groups with memberOf strategy when fetching the user's groups ldap * User Federation: Remove imported users modal has wrong text admin/ui * Linking user in different browser doesn't work if original window/tab is closed identity-brokering * Realm context uses route and can't be used in libary admin/ui * User Attribute option of SAML "User Attribute Mapper for NameID" should be required admin/ui * MSADUserAccountControlStorageMapper attempts to persist a userAccountControl value of 0 on user create, resulting in LDAP error and incomplete user provisioning ldap * User email not registered when user has not the permission to edit his email core * Upload of JKS keystore fails with a server error admin/ui * Temporary failure in name resolution with nip.io ci * Unknown error on authentication-flow delete action admin/ui * RawKeycloakDistribution exit code is always 0 testsuite * Importing a realm from a directory fail if the realm contain organizations with users. import-export * Mail settings can't be provided via environment variables testsuite * Disable user row if not allowed to delete admin/ui * [FGAP] [UI] Permission search doesn't execute correct consequent search request admin/fine-grained-permissions * SAML client certificate not persisted admin/ui * [Keycloak Operator CI] - Test remote (slow) - UpdateTest.testExplicitStrategy ci * JWK Subtypes fail when mapping JWK to PublicKey core * Keycloak fails to start on MySQL Cluster due to missing primary key in databasechangelog dist/quarkus * Fix alignment of the 'Action' selectbox with the 'Enabled' switch for User federation admin/ui * Ldap federation seems to open and keep open a new thread/connection for each ldap request ldap * Update commands trigger build checks dist/quarkus * Duplicate Key Violation When Reauthenticating After Account Deletion via Google identity-brokering * Dropdown search input is not cleared after selecting with mouse admin/ui * Test coverage for count menthods when filtering admin/fine-grained-permissions * Password Policy Changes get overwritten in the UI admin/ui * Keycloak statefulset is not mapped to any headless service if installed via operator operator * Make group required when selecting a specific group creating a premission admin/ui * `content.json`'s isVisible flags are ignored in `Root.tsx`'s `mapRoutes` function, which makes the pages still accessible account/ui * [Keycloak JS CI] Admin UI E2E tests on Firefox have failures ci * Kerberos principal attribute value "comes back" when cleared. admin/ui * Building docker image of keycloak with curl using 2 stage process hangs docs * Test failures in CI in Chrome tests ci * StatefulSet reconciliation infinitely looping operator * Changing a password with the option log out all other sessions doesn't log out offline sessions core * [Organization] Failed authentication (ModelDuplicateException) when e-mail duplicates are allowed on the realm organizations * Client Credentials tab : "Allow regex pattern comparison" toggle is always "On" on page load admin/ui * Multi-stage docker builds fail --optimized validation dist/quarkus * Bug: Hosted Domain Validation Logic Issue in Keycloak Google Identity Provider identity-brokering * Filtering of user- and admin-events by dateTo always returns empty results admin/api * [FGAP] AvailableRoleMappings do not consider all-clients permissions admin/fine-grained-permissions * IPv6 support: Broker tests failing with proxy configuration ci * Downstream docs have duplicate ID on sampling docs * Blocking issue with increasing JVM thread count after migrating from 26.0.8 to 26.1.4 infinispan * Permission details sometimes don't show the name of the client admin/fine-grained-permissions * [Docs] Broken link in ExternalLinksTest for importmap docs * Home button always redirects to master realm when permission denied admin/ui * UI: Readonly/disabled profile form input fields are visually indistinguishable from active fields account/ui * Liquibase checksum mismatch when upgrading from Keycloak ≤ 22.0.4 directly to 26.2.x storage * Missing null checks in IdentityProviderResource lead to NPE admin/api * Admin UI test "Enable user events" breaks as event metadata has changed admin/ui * [26.2.3/26.1.5] Regression: ClientList value is empty in UI for Custom UserStorageProviderFactory admin/ui * Authentication request can fail with `unknown_error` authentication * JpaRealmProvider getGroupByName return group duplicate due to change of comparison (like vs equal) ldap * Keycloak operator with update strategy to Auto: missing imagePullSecrets operator * After migrating to newer Keycloak, token refreshes using inherited offline sessions return access tokens with invalid exp value oidc * Setting batch size to 0 in LDAP provider with pagination enabled leads to NPE ldap * Keycloak 26.2.0 UI Performance Degradation admin/ui * Fine-grained-permssion v2 Display problem admin/fine-grained-permissions * UserInfo request fails by using an access token obtained in Hybrid flow with offline_access scope oidc * Keycloak 26.2.0 can't authenticate to the H2 database after the upgrade core * After import of keys an export doesn't include these values admin/ui * Missing iteration key property in SigningIn Page account/ui * Optimized startup fails from `kc.spi-connections-http-client-default-expect-continue-enabled` passed at runtime dist/quarkus * Issue with SSL and `CertificatereloadManager` in Keycloak 26.2 when using Istio infinispan * Redirects to admin endpoint 404s on hostname-admin / request scheme mismatch core * Release note 26.2.0 has broken link docs * jwks_uri endpoint returns content-type as "application/json" instead of "application/jwk+json" or "application/jwk-set+json" oidc * Evaluate client scopes can corrupt UI completely admin/ui * [Operator CI] - Test remote (slow) ci * [Keycloak CI] - FIPS UT - Run crypto tests ci * Authorization Code Flow Fails Scope Validation After Credential Definition Migration to Realm Level oid4vc * Getting Started Podman: We are sorry... HTTPS required docs * [FGAP] [UI] Searching for permissions doesn't allow to search for all group permissions admin/fine-grained-permissions * Evaluation should consider roles granted to the user admin/fine-grained-permissions * Quick theme: logo is undefined if not set admin/ui * [quarkus-next] TestEngine with ID 'junit-jupiter' failed to discover tests dist/quarkus * duplicate key value violates unique constraint "constraint_offl_cl_ses_pk3" infinispan * Uncaught server error during organization update when name already exists organizations * Groups view: Filter/search bar disappears and groups not shown after clearing empty search results admin/ui * Oracle driver problems in keycloak 26.2.1 dependencies * Account console: defaultLocale item in select locale field account/ui * Wrong UDP jgroups metric name docs * Serverinfo response grows over time admin/api * Quarkus devtools dependencies in 26.2.x dependencies * Deletion of a role is slow when when there are a lot of roles in the database core * Duplicate user entries when searching custom attributes core * Admin E2E tests ignores `RETRY_COUNT` environment variable admin/ui * Keycloak does not take into account value request parameter in the claims request for acr claim authentication * [OID4VCI] Documentation Errors docs * Avoid a NPE at org.keycloak.email.freemarker.beans.ProfileBean#getOrganizations when feature "organization" is disabled organizations * Aurora DB should not update automatically to the latest minor version ci * Inconsistent "grant_types" vs "grantTypes" Naming Causes GrantTypeCondition to Always Fail core * SLO measurement should mention a month as a period docs * Tests failing with embedded undertow due the infinispan testsuite * Ghost user entries in database from ldap causes import errors ldap * CVE-2025-3910 Two factor authentication bypass * CVE-2025-3501 Keycloak hostname verification * Aggregated policy: Cannot select policies that do not appear in the drop-down list admin/ui * Client Scope with mapper Organization Membership - claim disappears as soon as user is member of more than one Organisation organizations * Client Scope with mapper Organization Membership - organizations claim disappears when Include in token scope is off organizations * Flaky test: org.keycloak.testsuite.model.session.OfflineSessionPersistenceTest#testPersistenceMultipleNodesClientSessionsAtRandomNode ci * Non-closing HTML tag in footer example docs * quarkus runtime options are treated as buildtime options dist/quarkus * JGroups errors when running a containerized Keycloak in Strict FIPS mode and with Istio infinispan * Typos in French login and email messages templates translations * Scheduled Task cannot access realm when feature fpap:v2 is active, but realm has it not configured admin/fine-grained-permissions * Inconsistent "Forgot Password" behavior reveals user account information login/ui * Incorrect tooltip over enabled features admin/ui * Check if suspicious log about CORS is correct * [26.2.3/26.1.5] Regression: empty ClientList in UI for Custom UserStorageProvider admin/ui * UI does not show user's attributes after reentering the Attributes TAB admin/ui * Update Job Pod is listed in the keycloak discovery service operator * Refreshed tokens are not persisted for IDP token exchange token-exchange * UI does not show organization's attributes after reentering the Attributes TAB account/ui * Autocomplete in Mapper type of user federation broken admin/ui * Forms IT tests breaks with Chrome 136.0.7103.59 ci * Inconsistency in User enabled status in Rest query results. core * Enabling "HTTP-POST binding response" is not reflected in the SP metadata saml * Error when requesting token inspection for a access token requested by a offline token authorization-services * Unable to change the OTP hash algorithm admin/ui * Keycloak not using custom Infinispan config infinispan * Can't change locale on expired page login/ui * Duplicate validation message "Please specify username." shown on login form login/ui * Fetching 1250 group children much slower in v26 vs. v25 admin/api * Hide update email link in account console when email is read-only in user profile user-profile * Clicking on the jump links removes the localization of the UI admin/ui * Authorization documentation shows the wrong view authorization-services * Recreate update is not scaling down the statefulset to zero operator * Users Credentials tab crashes on orphan LDAP user admin/ui * User listing broken because of missing `is_temporary_admin` attribute admin/ui * Hibernate LazyInitializationException when deleting client with CompositeRoles core * POST realm API returns 400 on conflict instead of 409 in version 26.2.4 admin/api * ModelDuplicateException since Keycloak v26 when logging into Keycloak core * SAML certificate in UI not refreshed after keystore import account/ui * SMTP password overwritten with asterisks core * Client sessions are not cached when loaded from the database core * Documentation has outdated link to the "latest" branch of quickstarts docs * [KEYCLOAK CI] - AuroraDB IT - Create EC2 runner instance ci * Do not show warning ISPN000312: Lost data because of graceful leaver infinispan * Custom classes for checkbox are not applied on password reset form in keycloak.v2 login theme login/ui * [FGAP] Clients empty when using role based policy and roles inherited from groups admin/fine-grained-permissions * [Keycloak CI] - Several failures HTTP response code 429 - too many requests ci * MigrationModel duplicate entry on Recreate Upgrade in Cluster with 2+ nodes dist/quarkus * JS CI fails with merging playwright reports admin/ui * Missing Quarkus flag for syslog logging dist/quarkus * Missing angle bracket authentication * Searching user by attributes force an exact request even if not asked admin/ui * Liquibase update failed from KC 26.1 to KC 26.2 with PostgreSQL JDBC driver 42.7.5 storage * Admin UI key permissionPoliciesHelp possible typo admin/ui * Admin UI doesn't use conditionsHelpItem message key admin/ui * ModelDuplicateException on next login after deleting an account storage * Locale set to English even when only one Locale is enabled admin/ui * Admin UI shows message "Imported users have been removed" twice admin/ui * Operator error: desiredPullSecrets is null operator * LDAP Edit mode option is required but not marked admin/ui * [Keycloak JavaScript CI] - Admin UI E2E (firefox) ci * [Keycloak CI] - Cookies Tests - KcOidcBrokerTokenExchangeTest * Allow mapping Admin roles to server administrator only admin/fine-grained-permissions * Custom tabs implementing UiTabProvider/UiTabProviderFactory not displayed since KC26.2.0 admin/ui * Change connection settings totle to OAuth2 settings * Cache TLS is not available with protocol UDP after upgrading from 26.2.4 to 26.2.5 infinispan * Flaky test: org.keycloak.testsuite.webauthn.account.WebAuthnSigningInTest#checkAuthenticatorTimeLocale ci * Federated user IDs are not correctly evicted from cache storage * Make UPDATE_TIME unique for MIGRATION_MODEL table * Emphasize using StatefulSet instead of Deployment operator * Error creating user in Windows Active Directory over LDAP ldap * [Keycloak Operator CI] - Test OLM Installation ci * NPE during external-internal token exchange in case that user exists token-exchange * Two same tests in KcOidcBrokerTokenExchangeTest testsuite * Unable to set LoA field in auth-flow-enforcer core * Transparent filter panel in Admin > Events > Search events form admin/ui * Incorrect placeholder for "delete multiple users" title in German translation translations * Avoid unbalanced curly braces in message properties translations * Brute force detection permanent lockout flag not shown for users auto-unlocked after temporary lockout admin/ui * SQL error when logging in for first time (per user) after Keycloak upgrade core * Admin UI doesn't show client names from resource bundle admin/ui * Client Registration with fake scope oidc * Documentation of Argon2 hash-length configuration property is incorrect. authentication * `UserStorageManager.getUserById` called multiple times on `POST /realms/{realm}/protocol/{protocol}/token` storage * Setting of `type` of `Argon2PasswordHashProviderFactory` is incorrect, authentication * PasswordHashingTest#testPasswordRehashedWhenCredentialImportedWithDifferentKeySize fails to successfully log in core * Capitalize each word of the string "security admin console" * Case sensitive Organization/IDP linking on domain organizations * LDAP: error code 19 - pwdChangedTime: no user modification allowed ldap * Webauthn policy data resets to previous state after binding flow admin/ui * Account UI goBack link doesn't render when referrer query string is set account/ui * [Keycloak CI] - Windows: local maven repository error ci * Issue with Handling Negative Values in Certain Fields of Brute Force Detection authentication * [Keycloak-Operator]: Rolling Updates -- Strategy=Auto, operator error keycloak-update-job is invalid -- Strategy=Explicit, operator always replaces operator * Labeler fails to set version of parent issue ci * Outdated information in HA Keycloak deployment docs * Failing WebAuthn IT (chrome) / WebAuthnSigningInTest.passwordlessWebAuthnTest authentication/webauthn * Multiple QuarkusJpaUpdaterProvider calls during boot dist/quarkus * Missing highlighting of deprecated and disabled-by-default features admin/ui * Unable to retrieve `attributes` with organization get members endpoint admin/api * Link to dynamic client registration section is broken in docs oidc * Compilation error in AbstractWebAuthnAccountTest testsuite * WebAuthn Passwordless Policy Timeout Field Causes Syntax Error When Value Exceeds 1000 Seconds Due to Locale-Specific Number Formatting in FTL Generated JavaScript adapter/javascript * Federation unlink failure message contains double single quotes translations * Missing adjustment about offline session caches for volatile sessions infinispan * On change of language, confirmation is shown in old language account/ui * Creating a user profile attribute "displayName" does not work as expected. user-profile * Account UI e2e tests do not run in CI account/ui * Authentication flows documentation should match new GUI docs * DefaultLazyLoader is not thread safe, but is used in a shared instance of CachedRealm infinispan * Nightly build shows outdated information on the Keycloak website docs * UI Customization missing footer example admin/ui * Account console reports duplicate keys in development mode account/ui * Negative expiration for token exchange using an offline session token-exchange * Translation key missing from Greek translations. translations * Front logout channel broken in 26.2.5 for saml saml * Potential copy-paste issue in PersistentClientSessionEntity.java storage * quarkus-next: update Quarkus snapshots url dist/quarkus * Multiple resources that match same URI with different scope cause inconsistent authorization response authorization-services * Allow passkeys login when user has no password credential authentication/webauthn

03 Jul 2025 12:00am GMT

The talks and speakers have now been announced for Keycloak's Identity Summit. Save your spot today! 📍 - taking place in Amsterdam on August 28th, 2025! This year's edition of the Keycloak Identity Summit promises more content, more connections, and even more opportunities to engage with the people shaping the future of identity and access management. TALK HIGHLIGHTS Our talks highlight the broad spectrum of the Keycloak ecosystem: How to run it with confidence and securely, how extend it, and how to apply it in existing and new scenarios. See below for a short-list of topics we cover: * Human and Workload Identities: Bridging the Gap with Keycloak * AI Meets Identity: Managing Keycloak with Natural Language via MCP * Observability in Keycloak: Where Does It Hurt? * The Event Sorcerer with the Keycloak: The Battle against Dynamic Configuration * Protectors of the Realm: Breaking and Fixing Keycloak Configurations A GREAT PLACE TO NETWORK Networking lunch Our extended lunch break is designed to help you meet fellow attendees, swap ideas, and build meaningful professional connections in a relaxed setting. Meet the maintainers We will have a panel discussion with the maintainers. Ask your questions live and get a response from the experts! Business drinks Stick around after the last session for informal networking over drinks. Want to sponsor this year's Business Drink? Get in touch with us-we'd love to partner with you! GET YOUR TICKET AND JOIN US! Whether you're a developer, architect, security specialist, or product owner, KEYCONF25 is your opportunity to gain knowledge, grow your network, and contribute to the future of the Keycloak community. 📅 August 28th, 2025 📍 Amsterdam, Netherlands Tickets are now available at - secure your spot! WANT TO GET INVOLVED? Let's continue building a stronger, smarter IAM community-together. We can't wait to see you in Amsterdam!

27 Jun 2025 12:00am GMT

24 Jun 2025 12:00am GMT

19 Jun 2025 12:00am GMT

Last year's KubeCon India was a great success, and Keycloak will be part of this year's edition in Hyderabad on August 7-8. A lot of people use Keycloak and develop extensions in for Keycloak in India, so we are thrilled to connect with the community. Connect with me in to have your contributions or projects mentioned in the talk! TALKS AT KUBECON The schedule of KubeCon + CloudNativeCon India 2025 has been released, see below talks about Keycloak: * Wednesday August 6, 2025 11:37 IST Alexander Schwartz, Red Hat * Wednesday August 6, 2025 12:10 IST Alexander Schwartz & Rishabh Singh, Red Hat PROJECT PAVILLION The Keycloak project table in the Project Pavillion is the place to meet the Keycloak maintainers, contributors and the larger community. We will be there in the afternoons, while other projects will be there during the mornings. See below for the location and the times. Wednesday, August 6: 3:10 pm - 7:15 pm Thursday, August 7: 1:25 pm - 3:50 pm Meet us at Table number 3 in the Hyderabad International Convention Centre, Hall 4, solutions showcase. SEE YOU THERE! We're preparing for KubeCon India 2025 and can't wait to connect with our community. Mark your calendars and join us. Let me know in to have your contributions or projects mentioned in the talk! See you in Hyderabad!

12 Jun 2025 12:00am GMT

To download the release go to . UPGRADING Before upgrading refer to for a complete list of changes. ALL RESOLVED ISSUES ENHANCEMENTS * Fix Securing Apps links to adapters docs * Email server credentials can be harvested through host/port manipulation admin/api * Fix doc link to FGAP v1 docs * Apply edits to Operators Guide docs * Edit Observability Guide docs * Fix callouts in Operator guide docs * Sessions from Infinispan should be mapped lazily for the Admin UI * Speed up Infinispan list of all sessions be more eagerly remove old client sessions * When logging in, all client sessions are loaded which is slow oidc BUGS * Authorization Code Flow Fails Scope Validation After Credential Definition Migration to Realm Level oid4vc * [quarkus-next] TestEngine with ID 'junit-jupiter' failed to discover tests dist/quarkus * [OID4VCI] Documentation Errors docs * Aggregated policy: Cannot select policies that do not appear in the drop-down list admin/ui * quarkus runtime options are treated as buildtime options dist/quarkus * [26.2.3/26.1.5] Regression: empty ClientList in UI for Custom UserStorageProvider admin/ui * UI does not show user's attributes after reentering the Attributes TAB admin/ui * Refreshed tokens are not persisted for IDP token exchange token-exchange * UI does not show organization's attributes after reentering the Attributes TAB account/ui * Autocomplete in Mapper type of user federation broken admin/ui * Forms IT tests breaks with Chrome 136.0.7103.59 ci * Unable to change the OTP hash algorithm admin/ui * Keycloak not using custom Infinispan config infinispan * Duplicate validation message "Please specify username." shown on login form login/ui * Clicking on the jump links removes the localization of the UI admin/ui * Authorization documentation shows the wrong view authorization-services * Recreate update is not scaling down the statefulset to zero operator * Hibernate LazyInitializationException when deleting client with CompositeRoles core * POST realm API returns 400 on conflict instead of 409 in version 26.2.4 admin/api * Documentation has outdated link to the "latest" branch of quickstarts docs * [KEYCLOAK CI] - AuroraDB IT - Create EC2 runner instance ci

28 May 2025 12:00am GMT

The Token Exchange feature has been available in Keycloak for a long time, but only as a preview feature. With the release of Keycloak 26.2, we're happy to share that Standard Token Exchange is now officially supported and fully compliant with . WHAT IS TOKEN EXCHANGE? 🔄 Token Exchange is a mechanism that allows a client to exchange one token for another. In the context of Keycloak, this means a client can exchange a token originally issued for another client and receive a new token issued specifically for itself. Token Exchange is especially helpful in these scenarios: 🎯 DIFFERENT AUDIENCE When a token was issued for one service but needs to be used to access another, Token Exchange can issue a new token with the appropriate audience. 🔐 SCOPED PERMISSIONS If a client needs to access a service with more limited permissions, it can exchange its token for one with reduced or more specific scopes. WHAT'S NEW? 🆕 * ✅ Official support (no longer a preview feature) * 📘 Compliance with RFC 8693 (OAuth 2.0 Token Exchange) * 🖱️ Simple configuration via the Admin Console (just a switch in client settings) * 🛡️ Integration with Client Policies to enforce custom rules. You can restrict exchanges to specific clients, or deny exchanges based on requested scopes. HOW TO GET STARTED 🚀 If you're using Keycloak 26.2 or later, there's nothing extra to enable. Token Exchange is ready to use, just open the client settings in the admin console and enable the dedicated switch. If you're still using the preview feature of token exchange, check the and the to understand the differences and plan your migration. 📄 For full setup instructions and configuration details, refer to the . WHAT'S NEXT? 🔍 We're continuing to expand Token Exchange support with future enhancements such as: * 🔄 Exchanging tokens issued by external identity providers * 👤 Using token exchange to impersonate users Stay tuned for updates in upcoming releases. -------------------------------------------------------------------------------- We'd love to hear what you think about this feature and how we can improve it. Feedback and contributions from the community are always welcome.

26 May 2025 12:00am GMT

Hitachi Ltd. uses Keycloak to make financial grade security easier. They are providing an API management cloud service for Japanese banks. Banks can open their APIs (like accessing bank accounts) to third-party fintech companies securely by using the service. One of the biggest challenges in the development phase was authorizing APIs for financial grade security. For API authorization in the financial sector, Financial-grade API (FAPI) is specified by the OpenID Foundation and widely adopted. By using Keycloak as an authorization server of the API management cloud service, they can provide a fully FAPI conformant API authorization for their customers. Read more on their challenges and the solution in this ! We are now starting to collect all case studies at . If you want to share your case study with the Keycloak community, to sort out the details.

19 May 2025 12:00am GMT

19 May 2025 12:00am GMT

Keycloak relies on email functionality for tasks like password resets, user verifications, and notifications. A common setup is for Keycloak to authenticate to the SMTP server with a username and password. With issue , the Keycloak community raised the need for token-based authentication with XOAUTH2, as some providers deprecated the authentication for SMTP with passwords. With Keycloak 26.2, the SMTP AUTH configuration now supports XOAUTH2. As Keycloak's role is that of an application, it uses the client credentials grant to fetch the token. The SMTP AUTH configuration in Keycloak now supports all required fields to fetch such a token with client id and client secret. When implementing this functionality, I found that while it works with Microsoft Azure and Office365, it would need a different mechanism for providers like Google. So let's follow through this example, and then discuss if we need something different from SMTP altogether. CONFIGURING KEYCLOAK TO SEND EMAILS WITH XOAUTH2 The following assumes that you are working with Keycloak 26.2. In a realm, navigate to Realm Settings → Email and fill in the fields. To see the new XOAUTH2 feature, enable Authentication via the radio-button and switch the Authentication Type from Password to Token. You can find further details in the documentation on . Once you fill all the settings for gathering an access token and the username, you can test the configuration via the built-in "Test connection" button. CHALLENGES WITH REAL WORLD CLOUD PROVIDERS Testing Microsoft Azure, I found it supports fetching an XOAUTH2 token through a client credentials grant using a client secret. It needs several configuration changes in several places on Microsoft Azure to make it work, which is annoying, but eventually it all works in Keycloak 26.2. Google does not support the client credentials grant with a client secret, but requires sending a JWT token. Therefore, it does not work with Keycloak 26.2 yet, as that would need additional functionality and even more configuration options for Keycloak. Please vote on issue to add Google with SMTP and XOAUTH2 to a future Keycloak release. When analyzing the Google APIs, we found that a Google Enterprise account seems to have no possibility of restricting the sender email address. So any email address, even the CEO's email address, could be as a sender with Google and XOAUTH2 authentication, which feels wrong. Looking at the different capabilities of those two cloud providers, it raises the question of how to support scenarios for additional providers: Should Keycloak show provider-specific configuration screens, or would we need to make the UI even more generic and complex? RE-THINKING SENDING MESSAGES TO USERS While implementing XOAUTH2, I learned a lot more details on a modern cloud-provider's perspective handle sending of emails. Another big impulse came from discussions during the Hackathon. Let's break apart what happens when we talk about the current email functionality of Keycloak: * Keycloak is sending a message to an identity. This message could be any format, and building a message could be separated from the actual delivery of that message. * An identity could have all kinds of message handles and email just one of them. Also, the way to send an email in a cloud world might no longer be the Simple Mail Transfer Protocol (SMTP), but an HTTP- and JSON-based API. To me, working with SMTP and XOAUTH2 feels like working on something quite ancient. So what might be other steps for the bright future of Keycloak regarding sending messages to identities? Providers offer HTTP-based messaging APIs to send email without using SMTP. Looking at these and remembering the discussions from the Keycloak DevDay 2025 Hackathon: * Why use email addresses at all? * All kinds of handles could reach an identity. * In some parts of the planet, only mobile phones are used to reach out to somebody. * In development scenarios, even a chat-message to, for example, Slack might be enough. I started a discussion about the . Please join the discussion and let me know what you think.

18 May 2025 12:00am GMT

, a videoconferencing solution, needed a secure and scalable Identity and Access Management (IAM) solution to authenticate users across various services. Keycloak meets OpenTalk's goals for security, user sovereignty, data privacy and regulatory requirements, so they use it in their architecture. Read more on their challenges and the solution in the first ! We are now starting to collect all case studies at . If you want to share your case study with the Keycloak community, to sort out the details.

15 May 2025 12:00am GMT

15 May 2025 12:00am GMT