03 Feb 2025
JBoss Blogs
WildFly in a Foundation
In the last two years we've been putting a lot of effort into improving how the WildFly project interacts with our community, including adding new communication channels like our , adding new and creating a transparent . WildFly has been a successful project for a long time now, and I believe that's largely because we are passionate about serving our community.

To help us continue on this path, we are considering moving WildFly to a vendor-neutral software foundation. Our hope is that by doing this we could further expand our community, improve our openness and transparency, refresh our governance model, and encourage more participation by contributors not affiliated with Red Hat.

IMPORTANT CONSIDERATIONS

Moving to a foundation is not a trivial task, so it's critical that the choice we make is a net benefit to our community. To help ensure this, there are a number of key factors we're looking at when evaluating what foundation would be the best fit:

* Flexibility to continue shipping third-party components using a wide array of Open Source Initiative (OSI)-approved Open Source licences.
* Maintain as much as possible our current release processes.
* Retain independence in decision making, particularly on technical matters.

SUPPORT AND ALIGNMENT WITH RED HAT VALUES

Red Hat is dedicated to participating in and supporting vendor-neutral collaboration projects, such as the Linux kernel, Kubernetes, and OpenJDK; doing so is part of the company's DNA. Red Hat business leaders are fully supportive of this move.

COMMUNITY FEEDBACK

We'd love to hear your thoughts on this. Let us know what you're thinking either on the , in the or in

Best regards,
Brian
03 Feb 2025 12:00am GMT
29 Jan 2025
Quarkus 3.18 - Micrometer for WebSockets Next, Security WebAuthn based on WebAuthn4J, Kubernetes Client 7...
Today, we released Quarkus 3.18, with two months' worth of new features and enhancements. It comes with a lot of enhancements and the following new features:

* Integrate Micrometer with WebSockets Next
* Reimplement security-webauthn on top of webauthn4j
* OIDC and OIDC Client: Support JWT bearer client authentication using client assertion loaded from filesystem
* Support for OIDC mTLS binding
* Support OidcProviderClient injection and token revocation
* Add OIDC Redis Token State Manager extension
* Allow to create static OIDC tenants programmatically
* OIDC Dev Services and UI changes
* TLS - Enable policy configuration for expired or not yet valid certificates
* Add support for encrypted PKCS#8
* Exclude uri from OpenTelemetry Tracing
* Bump kubernetes-client-bom from 6.13.4 to 7.0.1
* Introduce Report an Issue menu in DevUI
* Add a Dev UI screen for Agroal datasources
* Ability to configure extension dev mode JVM options
* Support for dev-mode-only conditional dependencies

We are already hard at work preparing 3.19 and the upcoming 3.20 LTS.

UPDATE

To update to Quarkus 3.18, we recommend updating to the latest version of the Quarkus CLI and running:

    quarkus update

Note that quarkus update can update your applications from any version of Quarkus (including 2.x) to Quarkus 3.18. For more information about the adjustments you need to make to your applications, please refer to the .

WHAT'S NEW?

WEBSOCKETS.NEXT

Our next-generation WebSockets extension continues to improve with each version. In 3.18, it comes with Micrometer integration.

SECURITY

As you have come to expect, each version brings a lot of enhancements to our security layer, offering even more flexibility. This time, it comes with the complete rewrite of our Security WebAuthn extension to leverage the WebAuthn4J library (if you are using this extension, please have a look at the as a lot of things have changed), a lot of new features for OIDC, and improvements to our TLS registry:

* Reimplement security-webauthn on top of webauthn4j
* OIDC and OIDC Client: Support JWT bearer client authentication using client assertion loaded from filesystem
* Support for OIDC mTLS binding
* Support OidcProviderClient injection and token revocation
* Add OIDC Redis Token State Manager extension
* Allow to create static OIDC tenants programmatically
* OIDC Dev Services and UI changes
* TLS - Enable policy configuration for expired or not yet valid certificates
* Add support for encrypted PKCS#8

OPENTELEMETRY TRACING

When using OpenTelemetry Tracing, it happens quite often that you don't want to collect any trace for a given URI. 3.18 comes with the quarkus.otel.traces.suppress-application-uris property, which allows you to define URIs that are going to be ignored. You can find more information about this new feature in the .

KUBERNETES CLIENT

The Kubernetes Client was upgraded to a major new version: Kubernetes Client 7. You can find more information about this upgrade in our .

DEV UI

We polished our Dev UI with two new features:

* A screen to browse the tables exposed by your datasources
* A quick link to report an issue to the Quarkus project on GitHub

PREPARING OUR NEXT LTS

We are also preparing our next LTS with various initiatives:

* A lot of extensions were migrated to the new @ConfigMapping-based configuration infrastructure (and this effort will continue in the next versions).
* We are making enhancements related to startup time and initial memory (RSS) usage.
* We are removing code that was deprecated for a long time.

Expect us to focus on polishing features and fixing issues for the upcoming 3.19 and 3.20.

PLATFORM COMPONENT UPGRADES

QUARKUS CXF

Quarkus CXF 3.18 was released and is now available in . Check the release notes for more information about what is new in this release.

CAMEL QUARKUS

Camel Quarkus has been upgraded to 3.18.0.

FULL CHANGELOG

You can get the full changelog of , , and on GitHub.

CONTRIBUTORS

The Quarkus community is growing and has now . Many many thanks to each and every one of them.

In particular for the 3.18 release, thanks to Akulov S V, Ales Justin, Alex Martel, Alexander Pankin, Alexey Loubyansky, André Pantaleão, Andy Damevin, Ankush Saini, Antonio Musarra, Auri Munoz, Bassel Rachid, Blaz Mrak, Bruno Baptista, Bruno Marvin, Chris Laprun, Christian Ivanov, Christian Pieczewski, Clement Escoffier, Cristian Burlacu, Damien Clément d'Huart, Daniel Bobbert, Daniel Strobusch, Danilo Piazzalunga, David M. Lloyd, Davide D'Alto, Eduard Wagner, Emmanuel Ferdman, Eric Deandrea, Erik Mattheis, Fary Hurtado, Foivos Zakkak, Francesco Nigro, George Gastaldi, Georgios Andrianakis, Gianmarco Frangipane, Guillaume Smet, Gurubase.io, Harald Albers, HerrDerb, Holly Cummins, Inaki Villar, Ioannis Canellos, ivan.baricic, Jakub Jedlicka, Jan Martiska, Jeremie Bresson, Jochen Schalanda, Johnathan Gilday, Jorge Pinto, Jose, Julien Ponge, Katia Aresti, Ladislav Thon, Lars Andringa, Loïc Mathieu, luneo7, Maciej Lisowski, Marc Nuri, Marco Belladelli, Marco Bungart, Marco Collovati, Marek Skacelik, mariofusco, Martin Bartoš, Martin Kouba, Martin Panzer, Matej Novotny, Matheus Cruz, Max Rydahl Andersen, Michael Edgar, Michal Maléř, Michal Vavřík, Neon, Nuno Neto, ogomezdi, Ozan Gunalp, Ozzy Osborne, Peter Skopek, Phillip Krüger, rghara, Roberto Balarezo, Roberto Cortez, Rolfe Dlugy-Hegwer, Romain QUINIO, Rostislav Svoboda, row, Scott M Stark, Sergey Beryozkin, sergioruydev, Sola-ris, Stephan Strate, Stuart Douglas, Stéphane Épardaud, Thibault Meyer, Thomas Canava, tom, Trấn Nguyễn, vkn, xstefank, Yoann Rodière, Yoshikazu Nojima, zanmagerl, and Zheng Feng.

COME JOIN US

We value your feedback a lot so please report bugs, ask for improvements… Let's build something great together!

If you are a Quarkus user or just curious, don't be shy and join our welcoming community:

* provide feedback on ;
* craft some code and ;
* discuss with us on and on the ;
* ask your questions on .
29 Jan 2025 12:00am GMT
Introducing Model Context Protocol servers project
Today, I'm excited to introduce the Model Context Protocol (MCP) servers project. Model Context Protocol is the recent approach to enable AI models to interact with your applications and services in a nice decoupled way.

The project is as far as I know the first one to provide a set of MCP servers implemented using Java and at least uniquely Quarkus. It is intended to showcase the capabilities of the Model Context Protocol and to serve as inspiration for what you can do with it, especially in Java.

THE SERVERS

At the time of writing there are three servers implemented:

JDBC
    Let your AI app introspect and interact with any JDBC-compatible database, be it PostgreSQL, MySQL, MariaDB, SQLite, Oracle, etc.

Filesystem
    Access the file system of your machine, be it your home directory, your code directory, your project directory, etc.

JavaFX
    Draw on a JavaFX canvas, get your AI to draw some art for you! Based on idea from

Each server is implemented using Quarkus and Java, and each server can easily be run using JBang. There is no need for the user to install Java, Quarkus or any other Java tool.

HOW TO USE THE SERVERS

The general setup is to install JBang, preferably using a package manager, as desktop apps are then more likely to find jbang in the PATH.

Then configure your MCP client with:

    jbang [server-name]@quarkiverse/quarkus-mcp-servers [arguments]

For example, to run the JDBC server to connect to a MariaDB database you would do:

    jbang mcp-jdbc-server@quarkiverse/quarkus-mcp-servers jdbc:mariadb://localhost:3306/test --user root --password mysecretpassword

or use a downloadable SQLite database of Netflix movies:

    jbang mcp-jdbc-server@quarkiverse/quarkus-mcp-servers jdbc:sqlite:%{https://github.com/lerocha/netflixdb/releases/download/v1.0.0/netflixdb.sqlite}

The %{} syntax is a JBang feature to download a file from a URL in the command line and use it as a local file.

Similarly, there is jbang jfx@quarkiverse/quarkus-mcp-servers to draw on a JavaFX canvas, and jbang filesystem@quarkiverse/quarkus-mcp-servers [path] to access the file system.

TESTED MCP CLIENTS

During development we tested the servers with the following clients:

*
*
*

There are more MCP clients out there, and we're sure that the servers will work with many more.

Goose is noteworthy given it is open source and available both as a desktop app (on macOS) and as a CLI tool. It was with full support for the Model Context Protocol.

Here I configured Goose to use the SQLite database from the Northwind sample database with this setup stored in ~/.config/goose/config.yaml:

    extensions:
      netflixdb:
        args:
        - jdbc@quarkiverse/quarkus-mcp-servers
        - jdbc:sqlite:%{https://github.com/lerocha/netflixdb/releases/download/v1.0.0/netflixdb.sqlite}
        cmd: jbang
        enabled: true
        envs: {}
        name: netflixdb
        type: stdio

Note: we do recommend using goose config to generate/edit the config file.

With the above config Goose will be able to use the JDBC server to connect to the SQLite database.

UNIQUE FEATURES FOR QUARKUS MCP SERVERS

All that is great, but why use Quarkus for implementing the MCP servers?

First, the programming model provided by Quarkus is very powerful, allowing you to easily focus on the business logic of your application. See for details on how to implement a server or look at the . Notice how compact it is!

Second, the vast Java ecosystem provides things like JDBC drivers, which enables us to make a single server that works with any JDBC-compatible database. We use jbang to dynamically download and then launch the Quarkus MCP server. The same is done for jfx to get the right OS-specific JavaFX dependencies.

Third, there is the ability to run the servers as a native executable. In the MCP servers project the filesystem server is you can download and gain a much faster startup time.

There are also a lot of interesting things to come around how to use Quarkus dev mode with MCP servers and testing - but that will be for another blog post.

JBANG REQUIRED OR NOT?

JBang is in general not required to run an MCP server, but it makes it much easier and makes it possible for anyone, especially non-Java developers, to use these servers.

You can of course run a simple MCP server as a normal Java application, but then you need to install the right version of Java, download the server and its dependencies, and run it like java -jar [path to server jar].

For the MCP servers project we have chosen to use JBang as we go beyond and utilize JBang to dynamically fetch drivers and OS-specific dependencies. Without JBang that would be much harder, if not impossible, to make consumable.

SKY IS THE LIMIT!

The Model Context Protocol opens up exciting possibilities for building intelligent applications using your application data with your favourite programming language and framework. With Quarkus MCP Servers, you have a powerful foundation to create your own Java-based servers that can bridge AI with any data source or system you can imagine.

Whether you want to connect to your favorite database, integrate with your company's internal systems, or build something completely new - the sky truly is the limit! The simplicity of implementing MCP servers with Quarkus means you can focus on the creative aspects rather than the plumbing.

We'd love to see what you build! Leave a comment or consider contributing your MCP servers back to the community through the . Your implementation could help others solve similar problems or inspire them to create something even more amazing.

So what are you waiting for? Grab the code, fire up your IDE, and start building your own MCP server today. The future of AI-powered applications is here, and you can be part of shaping it!

Have Fun!

p.s. Next week on Thursday February 6th we're hosting a where we will discuss the MCP server and client SDKs in the Quarkus project and how you can use them to build your own MCP servers and extend your AI-infused applications.
29 Jan 2025 12:00am GMT
Eclipse Vert.x 5 candidate 4 released!
29 Jan 2025 12:00am GMT
28 Jan 2025
Quarkus LTS - New Release Cadence Explained
Quarkus releases an LTS (Long-Term Support) version every six months. LTS is designed for users who prioritize stability over new features. These versions are maintained for one year and receive critical bug and CVE fixes. An overlap period allows a smooth upgrade to the next LTS.

Until now, LTS micro-releases (e.g., 3.8.1, and 3.8.2) have occurred regularly but without a predictable schedule. We're changing this.

TLDR: LTS releases will follow a predictable cadence, with micro-releases every two months. The section provides more details.

RELEASES, RELEASES, AND MORE RELEASES

Since its inception, Quarkus has followed a fast-paced release cycle:

* Minor releases: Once per month (e.g., 3.16, 3.17).
* Micro-releases: Weekly (e.g., 3.17.1, 3.17.2).

The development process revolves around the main branch, which serves as the cutting edge of Quarkus development. Here's how the regular release process works:

* Minor releases (3.y): A new branch is created from main, capturing all the changes from development up to that point.
* Micro-releases (3.y.z): These only include bug fixes and CVE remediations, backported from main to the minor release branch.

HOW LTS RELEASES DIFFER

LTS releases prioritize stability over the latest features, and the process reflects this. Let's look at the example of 3.19 (a minor release) and 3.20 (the next LTS):

1. A new branch for 3.19 is created from main, containing the latest development at that time.
2. Bug fixes and CVE remediations are backported to the 3.19 branch for its micro-releases.
3. When preparing the LTS release (3.20), the branch is not created from main. Instead, it is created from the 3.19 branch, ensuring no new features from main are included.

This approach improves the reliability of LTS releases by excluding potentially unstable or unproven changes.

Once we had this initial release, we did not have clear rules about the new micro-releases of the LTS (3.20.1, 3.20.2…). So, while we have a predictable release calendar for the regular micro and minor releases, LTS micro-releases were irregular.

A NEW CADENCE FOR LTS MICRO-RELEASES

Starting with 3.15 LTS, we're introducing a predictable cadence for LTS micro-releases:

* A new LTS version will be released every six months.
* For each LTS, micro-releases will occur every two months (e.g., 3.20.1, 3.20.2).

WHAT'S INCLUDED IN AN LTS MICRO-RELEASE?

LTS micro-releases are strictly limited to:

* Bug fixes considered low-risk.
* CVE fixes (moderate and critical).
* Dependency updates for CVE remediation or critical bug fixes.

Nothing else.

EMERGENCY EXCEPTIONS

In the event of a critical CVE (because we know it will happen), we'll release an emergency micro-release outside the two-month cadence. These releases may follow a separate versioning scheme (e.g., 3.20.0.1) to indicate their exceptional nature (still under discussion).

WHAT IF?

What if I want a feature in the next LTS?
To be included, the feature must be merged into main at least one month before the LTS branch is created. Don't play with the clock - having a feature merged can take time, and the CI tends to be busy just before releases.

What if I want a feature to be added to an existing LTS?
No. New features are only included in future LTS versions. For immediate access, consider using regular (non-LTS) releases.

What if a bug fix is needed in the next LTS micro-release?
We're happy to consider backporting bug fixes, provided they are low-risk. Risky fixes will require further discussion and may not be included. We will particularly consider bugs impacting features from previous LTS releases.

What if I want to know what's included in the next LTS micro-release?
We're establishing an LTS working group to improve transparency and track backports.

What if a moderate CVE is reported against an LTS?
The next LTS micro will include moderate CVE fixes every two months. Exceptional releases are only for important (where there is no mitigation) and critical CVEs.

How will the Quarkus Platform align with this cadence?
The Quarkus Platform will follow the same release schedule. If you are a platform member, we recommend subscribing to this coordination group if you have not already done so.

TWO-LINE SUMMARY

* For regular users: Monthly minor and weekly micro-releases continue as before.
* For LTS users: Expect LTS versions every 6 months, with micro-releases every 2 months.

The next LTS will be . The dates and schedule are communicated on the .
28 Jan 2025 12:00am GMT
27 Jan 2025
Testing WildFly applications on Docker with Arquillian Cube
Recently we resumed the Arquillian Cube project as a way to test on containerized environments, such as Docker, Kubernetes, and OpenShift. The last (pre)release is , and it aims at filling the gap with the 1.18.2 release, by running against more recent versions of target environments (again, Docker, Kubernetes and OpenShift).

This example provides guidance on setting up an automated integration test for a WildFly application that should be run on Docker. In order to do so, we'll start from the guide, which will be modified to show how to implement a JUnit test that will use an existing Dockerfile to automate the image build and execution.

USE CASE

The original article uses Maven archetypes to provide the reader with a ready-to-use WildFly application project. And it works great, definitely! But in the last section, the user is instructed on how to build the Docker image, and about testing it manually.

This article is all about this: using Arquillian Cube to automate the image build, and the Docker container setup and execution, while leveraging annotations and APIs at the test class level, to let the developer focus on the actual test logic.

In the following sections we'll see which steps we need to take in order to modify the original example and achieve the above.

STEP BY STEP CHANGES

As said, we need to start from the article, so make sure to go through it, then…

DOCKER COMPOSE AND DOCKERFILE RESOURCES

Let's start by creating a new docker-build directory at the project root:

    mkdir docker-build

and put the Dockerfile - i.e. the one we created in the original article - inside it. We'll need to change just one line, i.e. we should replace the path target/server with just server; we'll see why later on.

As you can see, we reused the Dockerfile which we created in the original example, which defines how the image should be built.

Then we should create a docker-compose.yml file at the project root, as well, with the following contents:

    version: '2'
    services:
      wildfly:
        build:
          context: docker-build
        ports:
          - "9991:9990"
          - "8081:8080"
        networks:
          - front-tier
    networks:
      front-tier:

Here we've defined how the Docker container should run the image created previously. Specifically, we can see that a container named wildfly will be started, building an image as per the Dockerfile which is in the docker-build sub-directory, and exposing the container 8080 and 9990 ports via the host's 8081 and 9991 ones, respectively.

That's all we need on the Docker side. Arquillian Cube will automate the docker compose build that will use the Dockerfile which was created already to build and run the WildFly application image.

In the following section we'll modify the project POM to use Arquillian Cube.

UPDATE THE EXAMPLE PROJECT POM

First off, let's add the following properties to define some required versions:

    <arquillian-cube.version>2.0.0.Alpha1</arquillian-cube.version>
    <arquillian-core.version>1.8.0.Final</arquillian-core.version>
    <junit.version>4.13.2</junit.version>
    <slf4j-api.version>2.0.16</slf4j-api.version>

Then we need to comment out, or remove, the following declaration of the JUnit 5 BOM from the dependencyManagement section, since Arquillian Cube will use JUnit 4 instrumentation by default:

and finally let's add the following dependencies to the dependencyManagement section, which are what we need to use Arquillian Cube:

    <dependency>
        <groupId>org.arquillian.cube</groupId>
        <artifactId>arquillian-cube-bom</artifactId>
        <type>pom</type>
        <scope>import</scope>
        <version>${arquillian-cube.version}</version>
    </dependency>
    <dependency>
        <groupId>org.jboss.arquillian</groupId>
        <artifactId>arquillian-bom</artifactId>
        <type>pom</type>
        <scope>import</scope>
        <version>${arquillian-core.version}</version>
    </dependency>
    <dependency>
        <groupId>junit</groupId>
        <artifactId>junit</artifactId>
        <version>${junit.version}</version>
        <scope>test</scope>
    </dependency>
    <dependency>
        <groupId>org.slf4j</groupId>
        <artifactId>slf4j-bom</artifactId>
        <version>${slf4j-api.version}</version>
        <scope>test</scope>
    </dependency>

Once this is done, we actually need to depend on Arquillian Cube and related artifacts, which we'll do by adding the following to the dependencies section:

    <dependency>
        <groupId>org.arquillian.cube</groupId>
        <artifactId>arquillian-cube-docker</artifactId>
        <scope>test</scope>
    </dependency>
    <dependency>
        <groupId>org.jboss.arquillian.junit</groupId>
        <artifactId>arquillian-junit-container</artifactId>
        <scope>test</scope>
    </dependency>
    <dependency>
        <groupId>org.jboss.arquillian.junit</groupId>
        <artifactId>arquillian-junit-standalone</artifactId>
        <scope>test</scope>
    </dependency>
    <dependency>
        <groupId>junit</groupId>
        <artifactId>junit</artifactId>
        <scope>test</scope>
    </dependency>
    <dependency>
        <groupId>org.slf4j</groupId>
        <artifactId>slf4j-api</artifactId>
        <scope>test</scope>
    </dependency>
    <dependency>
        <groupId>org.slf4j</groupId>
        <artifactId>slf4j-simple</artifactId>
        <scope>test</scope>
    </dependency>

while we'll have to remove the following ones:

As the last change to our POM, let's add the following to the wildfly-maven-plugin configuration:

    <plugin>
        <groupId>org.wildfly.plugins</groupId>
        <artifactId>wildfly-maven-plugin</artifactId>
        <version>${version.wildfly.maven.plugin}</version>
        <configuration>
            <provisioningDir>${project.basedir}/docker-build/server</provisioningDir>
            <overwriteProvisionedServer>true</overwriteProvisionedServer>
        </configuration>
    </plugin>

and let the maven-clean-plugin take care of that directory when cleaning things up, too:

    <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-clean-plugin</artifactId>
        <version>3.3.2</version>
        <configuration>
            <filesets>
                <fileset>
                    <directory>${project.basedir}/docker-build/server</directory>
                </fileset>
            </filesets>
        </configuration>
    </plugin>

That's it, we're done with the POM, let's move on and see how the arquillian.xml file should be configured.

UPDATE ARQUILLIAN.XML CONFIGURATION

This is easy: we don't need a wildfly container anymore, so let's remove it. Then we need to configure the docker extension; specifically, we'll just set the dockerContainersFile property, i.e. the path for the docker-compose.yml file:

    <extension qualifier="docker">
        <property name="dockerContainersFile">./docker-compose.yml</property>
    </extension>

With all the above in place, the only thing left is the test class.

CREATE A TEST CLASS FOR TESTING ON DOCKER

Add the following contents to a new GettingStartedDockerIT.java class:

    package org.wildfly.examples;

    import jakarta.ws.rs.client.Client;
    import jakarta.ws.rs.client.ClientBuilder;
    import jakarta.ws.rs.core.Response;
    import org.arquillian.cube.HostIp;
    import org.arquillian.cube.HostPort;
    import org.jboss.arquillian.junit.Arquillian;
    import org.junit.Assert;
    import org.junit.Test;
    import org.junit.runner.RunWith;

    import java.net.URI;

    /**
     * Run integration tests with Arquillian to be able to test CDI beans
     */
    @RunWith(Arquillian.class)
    public class GettingStartedDockerIT {

        @HostIp
        private String wildflyIp;

        @HostPort(containerName = "wildfly", value = 8080)
        int wildflyPort;

        @Test
        public void testHelloEndpoint() {
            try (Client client = ClientBuilder.newClient()) {
                final String name = "World";
                Response response = client
                        .target(URI.create("http://" + wildflyIp + ":" + wildflyPort + "/"))
                        .path("/hello/" + name)
                        .request()
                        .get();
                Assert.assertEquals(200, response.getStatus());
                Assert.assertEquals(String.format("Hello '%s'.", name), response.readEntity(String.class));
            }
        }
    }

As you can see, it's similar to the existing GettingStartedApplicationIT.java test class that the Maven archetype execution created for us in the original example, but we use a different runner, and inject the Docker container IP address and the host port which is mapping the exposed 8080 port.

At this point we can remove the two existing test classes, i.e. GettingStartedServiceIT and GettingStartedApplicationIT.java.

RUN THE TEST

That's it, we can run the Docker integration test by issuing the following command:

    mvn clean install

and we'll see how Arquillian Cube will gather the docker extension configuration, then summarize the container definition, and eventually run the test:

    [INFO] -------------------------------------------------------
    [INFO]  T E S T S
    [INFO] -------------------------------------------------------
    [INFO] Running org.wildfly.examples.GettingStartedDockerIT
    ...
    Jan 20, 2025 6:06:06 PM org.arquillian.cube.docker.impl.client.CubeDockerConfigurationResolver resolveSystemDefaultSetup
    INFO: Connected to docker (fburzigo-thinkpadp1gen3.rmtit.csb) using default settings version: 24.0.5 kernel: 6.11.4-201.fc40.x86_64
    CubeDockerConfiguration:
      serverUri = unix:///var/run/docker.sock
      tlsVerify = false
      dockerServerIp = localhost
      definitionFormat = COMPOSE
      clean = false
      removeVolumes = true
      dockerContainers = containers:
      wildfly:
        alwaysPull: false
        buildImage:
          dockerfileLocation: docker-build
          noCache: true
          remove: true
        killContainer: false
        manual: false
        networkMode: front-tier
        networks:
        - front-tier
        portBindings: !!set
          9991->9990/tcp: null
          8081->8080/tcp: null
        readonlyRootfs: false
        removeVolumes: true
    networks:
      front-tier:
        driver: bridge

    [INFO] Tests run: 1, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 16.69 s -- in org.wildfly.examples.GettingStartedDockerIT

IN CONCLUSION

Testing a WildFly application directly on Docker will make the test more similar to the actual environment where it will be run. Arquillian Cube provides an easy and effective way to test on Docker, with almost no configuration and instrumentation changes with respect to existing Arquillian-based tests.

The code for the example application which is described in this article is here:

Fabio Burzigotti
27 Jan 2025 12:00am GMT
Bilbostack Conference
This weekend, I had the honor of speaking about In-Memory Databases at in Bilbao, Spain. It was a special moment for me because Bilbao is my hometown, where I completed my Software Engineering studies 20 years ago. Public speaking is always a challenge, but presenting in my hometown came with the added pressure of not wanting to disappoint.

BilboStack is a 1000-attendee tech event featuring two tracks with four talks each in the morning, followed by networking sessions in the afternoon. This year marked its 13th edition.

WHAT DID I TALK ABOUT?

I spoke about In-Memory Databases. One of their main use cases is caching and session replication, so I explained the basics of distributed caching. I covered:

* Embedded caching with a library.
* Embedded distributed caching, which works across multiple systems.
* Using an in-memory database to keep applications stateless while managing caching through the database, making it easy to scale CPU or memory up or down.

I also highlighted use cases such as real-time statistics, fast operations, and implementing security and backups for cross-site deployments (spanning multiple data centers).

The talk was very well received, and I got great feedback. I kept the content general but also showcased how Infinispan, the open-source product I work on, fits these scenarios.

DEMO AND SLIDES

Demo and slides are available in this repository: .

QUESTIONS

I got many questions, but we did not have time to answer them during the session. Here are some of them; others will be answered in more detailed blog posts.

CAN INFINISPAN BE COMPARED TO REDIS?

Yes, Infinispan is a competitor to Redis and can even act as a drop-in replacement. This allows you to continue using your existing applications and clients while switching to Infinispan. Tristan Tarrant's video offers a detailed comparison: .

IS "CLEAR THE CACHE" THE NEW "RESTART YOUR COMPUTER"?

It often feels that way! Caches, whether browser-based or tools like Varnish, can trick us into thinking something is broken when it's not. Clearing the cache is often a quick fix.

CAN IN-MEMORY DATABASES WORK WITH OTHER LANGUAGES OR VISUALIZATION TOOLS?

Absolutely! In-memory databases support multiple programming languages via clients or APIs. These databases (e.g., Infinispan, Redis, Couchbase) also integrate with popular visualization tools and frameworks.

ON VECTOR DATABASES

Vector databases are growing in popularity for AI use cases, but in-memory databases like Infinispan have supported similar features for years. For example, Infinispan uses Hibernate Search and Lucene for full-text queries, and from Lucene 7.2, KNN/ANN searches and vector indexing are supported too. This makes it easy to integrate with tools like without needing a separate vector database. For more details, see .

FINAL WORDS

BilboStack was amazing! The conference, held in Bilbao, is all in Spanish and was very well organized. Everything ran smoothly, and the Basque culture made it extra special. There was great food, traditional dances, live music, and plenty of chances to meet people and connect. It's not just a tech event - it's an experience. The talks aren't filmed because what happens at BilboStack stays there. You really have to be there to enjoy it fully!

A huge thank you to the organizers for treating us, as speakers, so incredibly well. The effort and care they put into making us feel welcome and valued are like nowhere else. It was an honor to be part of such a well-organized and thoughtful event. Thank you for everything!

See you soon Bilbao, and see you next year Bilbostack! Next time, in San Mamés!
27 Jan 2025 12:00am GMT
23 Jan 2025
Eclipse Vert.x 4.5.12 released!
23 Jan 2025 12:00am GMT
22 Jan 2025
Quarkus 3.17.8 - Maintenance release
We released Quarkus 3.17.8, the last maintenance release for our 3.17 release train. 3.18 will be released next week.

UPDATE

To update to Quarkus 3.17, we recommend updating to the latest version of the Quarkus CLI and running:

    quarkus update

Note that quarkus update can update your applications from any version of Quarkus (including 2.x) to Quarkus 3.17. For more information about the adjustments you need to make to your applications, please refer to the .

FULL CHANGELOG

You can get the full changelog of on GitHub.

COME JOIN US

We value your feedback a lot so please report bugs, ask for improvements… Let's build something great together!

If you are a Quarkus user or just curious, don't be shy and join our welcoming community:

* provide feedback on ;
* craft some code and ;
* discuss with us on and on the ;
* ask your questions on .
22 Jan 2025 12:00am GMT
21 Jan 2025
Quarkus 3.15.3 released - LTS maintenance release
Today, we released Quarkus 3.15.3, our second (we skipped 3.15.0) maintenance release for the 3.15 LTS stream. This release contains bugfixes and documentation improvements. It should be a safe upgrade for anyone already using 3.15.

UPDATE

To update to Quarkus 3.15, we recommend updating to the latest version of the Quarkus CLI and running:

    quarkus update --stream=3.15

Note that quarkus update can update your applications from any version of Quarkus (including 2.x) to Quarkus 3.15.

FULL CHANGELOG

You can get .

COME JOIN US

We value your feedback a lot so please report bugs, ask for improvements… Let's build something great together!

If you are a Quarkus user or just curious, don't be shy and join our welcoming community:

* provide feedback on ;
* craft some code and ;
* discuss with us on and on the ;
* ask your questions on .
21 Jan 2025 12:00am GMT
17 Jan 2025
JBoss Blogs
Keycloak Client Libraries 26.0.4 released
UPGRADING

Before upgrading refer to for a complete list of changes.

ALL RESOLVED ISSUES

ENHANCEMENTS

* Wrong logger class client
* Remove JEE from the title of GH actions client
* Sync after Keycloak server 26.1.0 release client
* Test with keycloak server images 24.0, 26.0 and 26.1 client

BUGS

* ProviderTest failing with latest nightly build client
* The action "Sync with Keycloak Server and send PR with changes" sends PR, which does not have DCO on the commit client
* The action "Sync with Keycloak Server and send PR with changes" takes only client-common-synced into consideration client
17 Jan 2025 12:00am GMT
15 Jan 2025
JBoss Blogs
Quarkus 3.17.7 - Maintenance release
We released Quarkus 3.17.7, a new maintenance release for our 3.17 release train.

UPDATE

To update to Quarkus 3.17, we recommend updating to the latest version of the Quarkus CLI and running:

quarkus update

Note that quarkus update can update your applications from any version of Quarkus (including 2.x) to Quarkus 3.17. For more information about the adjustments you need to make to your applications, please refer to the .

FULL CHANGELOG

You can get the full changelog of on GitHub.

COME JOIN US

We value your feedback a lot so please report bugs, ask for improvements… Let's build something great together! If you are a Quarkus user or just curious, don't be shy and join our welcoming community:

* provide feedback on ;
* craft some code and ;
* discuss with us on and on the ;
* ask your questions on .
15 Jan 2025 12:00am GMT
Keycloak 26.1.0 released
To download the release go to .

HIGHLIGHTS

TRANSPORT STACK JDBC-PING AS NEW DEFAULT

Keycloak now uses its database by default to discover other nodes of the same cluster, which removes the need for additional network-related configuration, especially for cloud providers. It is also a default that will work out-of-the-box in cloud environments.

Previous versions of Keycloak used UDP multicast as a default to discover other nodes to form a cluster and to synchronize the replicated caches of Keycloak. This required multicast to be available and to be configured correctly, which is usually not the case in cloud environments.

Starting with this version, the default changes to the jdbc-ping configuration, which uses Keycloak's database to discover other nodes. As this removes the need for multicast network capabilities and UDP, and no longer uses dynamic ports for the TCP-based failure detection, this is a simplification and a drop-in replacement for environments which used the previous default. To enable the previous behavior, choose the transport stack udp, which is now deprecated.

The Keycloak Operator will continue to configure kubernetes as a transport stack. See the guide for more information.

VIRTUAL THREADS ENABLED FOR INFINISPAN AND JGROUPS THREAD POOLS

Starting from this release, Keycloak automatically enables the virtual thread pool support in both the embedded Infinispan and JGroups when running on OpenJDK 21. This removes the need to configure the JGroups thread pool, the need to align the JGroups thread pool with the HTTP worker thread pool, and reduces the overall memory footprint.

OPENTELEMETRY TRACING SUPPORTED

The OpenTelemetry Tracing feature was a preview in the previous release and is now fully supported. This means the opentelemetry feature is enabled by default.
Multiple improvements were made to the tracing capabilities in Keycloak, such as:

* Configuration via Keycloak CR in Keycloak Operator
* Custom spans for:
  * Incoming/outgoing HTTP requests including Identity Providers brokerage
  * Database operations and connections
  * LDAP requests
  * Time-consuming operations (passwords hashing, persistent sessions operations, …)

For more information, see the guide.

INFINISPAN DEFAULT XML CONFIGURATION LOCATION

Previous releases ignored any change to conf/cache-ispn.xml if the --cache-config-file option was not provided. Starting from this release, when --cache-config-file is not set, the default Infinispan XML configuration file is conf/cache-ispn.xml as this is both the expected behavior and the implied behavior given the docs of the current and previous releases.

INDIVIDUAL OPTIONS FOR CATEGORY-SPECIFIC LOG LEVELS

It is now possible to set category-specific log levels as individual log-level-category options. For more details, see the .

OPENID FOR VERIFIABLE CREDENTIAL ISSUANCE

The OpenID for Verifiable Credential Issuance (OID4VCI) remains an experimental feature in Keycloak, but it has great improvements in this release. This feature benefits from much polishing of the existing configuration and making the feature more dynamic and customizable.

You will find significant development and discussions in the . Anyone from the Keycloak community is welcome to join. Many thanks to all members of the OAuth SIG group for the participation in the development and discussions about this feature. Especially thanks to , , , , , and .

MINIMUM ACR VALUE FOR THE CLIENT

The option Minimum ACR value is added as a configuration option on the realm OIDC clients. This addition is an enhancement related to step-up authentication, which makes it possible to enforce a minimum ACR level when logging in to the particular client. Many thanks to for the contribution.
SUPPORT FOR PROMPT=CREATE

Support now exists for the , which allows OIDC clients to initiate the login request with the parameter prompt=create to notify Keycloak that a new user should be registered rather than an existing user authenticated. Initiating user registration was already supported in Keycloak with the use of the dedicated endpoint /realms//protocol/openid-connect/registrations. However, this endpoint is now deprecated in favor of the standard way, as it was a proprietary solution specific to Keycloak. Many thanks to for the contribution.

OPTION TO CREATE CERTIFICATES FOR GENERATED EC KEYS

A new option, Generate certificate, exists for EC-DSA and Ed-DSA key providers. When the generated key is created by a realm administrator, a certificate might be generated for this key. The certificate information is available in the Admin Console and in the JWK representation of this key, which is available from the JWKS endpoint with the realm keys. Many thanks to for the contribution.

AUTHORIZATION CODE BINDING TO A DPOP KEY

Support now exists for including support for the DPoP with Pushed Authorization Requests. Many thanks to for the contribution.

MAXIMUM COUNT AND LENGTH FOR ADDITIONAL PARAMETERS SENT TO OIDC AUTHENTICATION REQUEST

The OIDC authentication request supports a limited number of additional custom parameters, each with a maximum length. The additional parameters can be used for custom purposes (for example, adding the claims into the token with the use of the protocol mappers). In the previous versions, the maximum count of the parameters was hardcoded to 5 and the maximum length of the parameters was hardcoded to 2000. Now both values are configurable. Additionally, it is possible to configure whether additional parameters cause a request to fail or are ignored. Many thanks to and for the contribution.

NETWORK POLICY SUPPORT ADDED TO THE KEYCLOAK OPERATOR

Note: Preview feature.
To improve the security of your Kubernetes deployment, can be specified in your Keycloak CR. The Keycloak Operator accepts the ingress rules, which define where traffic is allowed to come from, and automatically creates the necessary Network Policies.

LDAP USERS ARE CREATED AS ENABLED BY DEFAULT WHEN USING MICROSOFT ACTIVE DIRECTORY

If you are using Microsoft AD and creating users through the administrative interfaces, the user will be created as enabled by default. In previous versions, it was only possible to update the user status after setting a (non-temporary) password to the user. This behavior was not consistent with other built-in user storages, nor with other LDAP vendors supported by the LDAP provider.

NEW CONDITIONAL AUTHENTICATORS CONDITION - SUB-FLOW EXECUTED AND CONDITION - CLIENT SCOPE

The Condition - sub-flow executed and Condition - client scope are new conditional authenticators in Keycloak. The condition Condition - sub-flow executed checks if a previous sub-flow was executed (or not executed) successfully during the authentication flow execution. The condition Condition - client scope checks if a configured client scope is present as a client scope of the client requesting authentication. For more details, see .

DEFINING DEPENDENCIES BETWEEN PROVIDER FACTORIES

When developing extensions for Keycloak, developers can now specify dependencies between provider factory classes by implementing the method dependsOn() in the ProviderFactory interface. See the Javadoc for a detailed description.

DARK MODE ENABLED FOR THE WELCOME THEME

We've now enabled dark mode support for all the keycloak themes. This feature was previously present in the admin console, account console and login, and is now also available on the welcome page. If a user indicates their preference through an operating system setting (e.g. light or dark mode) or a user agent setting, the theme will automatically follow these preferences.
If you are using a custom theme that extends any of the keycloak themes and are not yet ready to support dark mode, or have styling conflicts that prevent you from implementing dark mode, you can disable support by adding the following property to your theme:

darkMode=false

Alternatively, you can disable dark mode support for the built-in Keycloak themes on a per-realm basis by turning off the Dark mode setting under the Theme tab in the realm settings.

METRICS ON PASSWORD HASHING

There is a new metric available counting how many password validations were performed by Keycloak. This allows you to better assess where CPU resources are used, and can feed into your sizing calculations. See and for more details.

SIGN OUT ALL ACTIVE SESSIONS IN ADMIN CONSOLE NOW EFFECTIVELY REMOVES ALL SESSIONS

In previous versions, clicking on Sign out all active sessions in the admin console resulted in the removal of regular sessions only. Offline sessions would still be displayed despite being effectively invalidated. This has been changed. Now all sessions, regular and offline, are removed when signing out of all active sessions.

DEDICATED RELEASE CYCLE FOR THE NODE.JS ADAPTER AND JAVASCRIPT ADAPTER

From this release onwards, the Keycloak JavaScript adapter and Keycloak Node.js adapter will have a release cycle independent of the Keycloak server release cycle. The 26.1.0 release may be the last one where these adapters are released together with the Keycloak server, but from now on, these adapters may be released at a different time than the Keycloak server.

UPDATES IN QUICKSTARTS

The Keycloak quickstarts are now using main as the base branch. The latest branch, used previously, is removed. The main branch depends on the last released version of the Keycloak server, Keycloak client libraries, and adapters. As a result, contributions to the quickstarts are immediately visible to quickstart consumers with no need to wait for the next Keycloak server release.
UPDATED FORMAT OF KEYCLOAK_SESSION COOKIE AND AUTH_SESSION_ID COOKIE

The format of the KEYCLOAK_SESSION cookie was slightly updated to not contain any private data in plain text. Until now, the format of the cookie was realmName/userId/userSessionId. Now the cookie contains the user session ID, which is hashed by SHA-256 and URL encoded.

The format of the AUTH_SESSION_ID cookie was updated to include a signature of the auth session id to ensure its integrity through signature verification. The new format is base64(auth_session_id.auth_session_id_signature). With this update, the old format will no longer be accepted, meaning that old auth sessions will no longer be valid. This change has no impact on user sessions.

These changes affect you only if you implement your own providers and rely on the format of internal Keycloak cookies.

REMOVAL OF ROBOTS.TXT FILE

The robots.txt file, previously included by default, is now removed. The default robots.txt file blocked all crawling, which prevented the noindex/nofollow directives from being followed. The desired default behaviour is for Keycloak pages to not show up in search engine results, and this is accomplished by the existing X-Robots-Tag header, which is set to none by default. The value of this header can be overridden per-realm if a different behaviour is needed. If you previously added a rule in your reverse proxy configuration for this, you can now remove it.

IMPORTED KEY PROVIDERS CHECK AND PASSIVATE KEYS WITH AN EXPIRED CERTIFICATE

The key providers that allow importing externally generated keys (rsa and java-keystore factories) now check the validity of the associated certificate if present. Therefore a key with a certificate that is expired cannot be imported in Keycloak anymore. If the certificate expires at runtime, the key is converted into a passive key (enabled but not active). A passive key is not used for new tokens, but it is still valid for validating previously issued tokens.
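The cookie format changes described above under UPDATED FORMAT OF KEYCLOAK_SESSION COOKIE AND AUTH_SESSION_ID COOKIE, as an added example (not Keycloak's own code) for custom providers that used to parse these cookies. The release notes do not name the exact encodings or the signature algorithm, so unpadded base64url for the SHA-256 hash and HMAC-SHA-256 for the signature are assumptions here, and the class name, key and IDs are constructed.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Optional;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Added example, not Keycloak source. Assumptions not stated in the release notes:
//  - "hashed by SHA-256 and URL encoded" is modelled as unpadded base64url of the digest;
//  - the AUTH_SESSION_ID signature is modelled as HMAC-SHA-256 (base64url) over the ID;
//  - the key, session IDs and realm/user names below are constructed sample values.
public class CookieFormatExample {

    private static final Base64.Encoder B64URL = Base64.getUrlEncoder().withoutPadding();

    // New KEYCLOAK_SESSION value: only a hash of the user session ID, no realm or user ID.
    static String keycloakSessionValue(String userSessionId) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256")
                .digest(userSessionId.getBytes(StandardCharsets.UTF_8));
        return B64URL.encodeToString(digest);
    }

    // The old value was realmName/userId/userSessionId. The base64url alphabet has no '/',
    // so a '/' in the value marks an old-format cookie that custom code must stop parsing.
    static boolean isLegacyKeycloakSession(String value) {
        return value.indexOf('/') >= 0;
    }

    // Match a cookie against a known session by hashing the known ID, not by parsing the cookie.
    static boolean matchesSession(String cookieValue, String userSessionId) throws Exception {
        return MessageDigest.isEqual(
                cookieValue.getBytes(StandardCharsets.UTF_8),
                keycloakSessionValue(userSessionId).getBytes(StandardCharsets.UTF_8));
    }

    static String sign(String authSessionId, byte[] key) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return B64URL.encodeToString(mac.doFinal(authSessionId.getBytes(StandardCharsets.UTF_8)));
    }

    // New AUTH_SESSION_ID value: base64(auth_session_id.auth_session_id_signature).
    static String authSessionCookie(String authSessionId, byte[] key) throws Exception {
        String payload = authSessionId + "." + sign(authSessionId, key);
        return Base64.getEncoder().encodeToString(payload.getBytes(StandardCharsets.UTF_8));
    }

    // Returns the auth session ID only if the value is in the new format and the
    // signature verifies; old-format or tampered values yield Optional.empty().
    static Optional<String> verifyAuthSessionCookie(String cookieValue, byte[] key) throws Exception {
        String decoded;
        try {
            decoded = new String(Base64.getDecoder().decode(cookieValue), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException notBase64) {
            return Optional.empty();
        }
        int dot = decoded.lastIndexOf('.');
        if (dot <= 0 || dot == decoded.length() - 1) {
            return Optional.empty(); // no "id.signature" pair inside
        }
        String id = decoded.substring(0, dot);
        byte[] presented = decoded.substring(dot + 1).getBytes(StandardCharsets.UTF_8);
        byte[] expected = sign(id, key).getBytes(StandardCharsets.UTF_8);
        // Constant-time comparison of the presented and recomputed signatures.
        return MessageDigest.isEqual(expected, presented) ? Optional.of(id) : Optional.empty();
    }

    public static void main(String[] args) throws Exception {
        byte[] key = "constructed-demo-key".getBytes(StandardCharsets.UTF_8);
        String sessionId = "5f2c1a9e-constructed-user-session";
        String authSessionId = "a41b7d30-constructed-auth-session";

        String legacy = "demo-realm/constructed-user-id/" + sessionId;
        String current = keycloakSessionValue(sessionId);
        System.out.println("legacy detected:  " + isLegacyKeycloakSession(legacy));
        System.out.println("current detected: " + !isLegacyKeycloakSession(current));
        System.out.println("current matches:  " + matchesSession(current, sessionId));

        String cookie = authSessionCookie(authSessionId, key);
        System.out.println("valid cookie:     " + verifyAuthSessionCookie(cookie, key));

        // Unsigned value as before this change: it fails to decode and is rejected.
        System.out.println("old format:       " + verifyAuthSessionCookie(authSessionId, key));

        // Tampered value: a different ID paired with the original signature is rejected.
        String forged = Base64.getEncoder().encodeToString(
                ("other-constructed-id." + sign(authSessionId, key)).getBytes(StandardCharsets.UTF_8));
        System.out.println("tampered cookie:  " + verifyAuthSessionCookie(forged, key));
    }
}
```

Code that previously split KEYCLOAK_SESSION on `/` to recover the realm or user ID has nothing to recover in the new format and should look the session up through Keycloak's own APIs instead.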
The default generated key providers generate a certificate valid for 10 years (the types that have or can have an associated certificate). Because of the long validity and the recommendation to rotate keys frequently, the generated providers do not perform this check.

ADMIN EVENTS MIGHT NOW INCLUDE ADDITIONAL DETAILS ABOUT THE CONTEXT WHEN THE EVENT IS FIRED

In this release, admin events might hold additional details about the context when the event is fired. When upgrading, expect the database schema to be updated with a new column DETAILS_JSON in the ADMIN_EVENT_ENTITY table.

OPENSHIFT V3 IDENTITY BROKERING REMOVED

As OpenShift v3 reached end-of-life a while back, support for identity brokering with OpenShift v3 has been removed from Keycloak.

UPGRADING

Before upgrading refer to for a complete list of changes.

ALL RESOLVED ISSUES

NEW FEATURES

* Allow more extensive Override of BackchannelAuthenticationCallbackEndpoint core * Use optional realm attribute for authenticationrequest parameter max size/number validation configuration * Support dark mode, at least for the login pages login/ui * Operator support for setting default value of `http-pool-max-threads` operator * Used encrypted JGroups connection by default in Operator deployments operator * JDBC_PING2 as default discovery protocol * Option to specify trusted proxies dist/quarkus * Enabling authorization_details for client grant tokens until RAR is fully implemented * Provide missing user event metrics from aerogear/keycloak-metrics-spi to a keycloak micrometer event listener * Ability to specify log category levels through separate options dist/quarkus * Enhance WebAuthn registration to support custom FIDO2 origin validation * Ability to reject authentication to users without 2FA configured authentication * Allow users to specify the start page of a custom account-console theme account/ui * Authentication flow condition for client scope authentication

ENHANCEMENTS

* Align admin console for
client for backchannel and frontchannel logout oidc * AuthenticationRequest add "create" prompt for sign-up oidc * js adapter just sets error to true upon error updateToken adapter/javascript * Additional authorization request parameters shouldn't be limited to 5 and shouldn't be discarded silently oidc * Support to enforce LoA in authentication flow for a client (Step-up) authentication * Allow custom message for brute force temporary lockout authentication * H2 Database should be opt-in and well-documented storage * Prevent "lost replace" in InfinispanAuthenticationSessionProvider storage * Maximum 100 resources with same URI checked when requesting permissions by URI authorization-services * Allow to restrict ProviderConfigProperty input to int values * Generalize or remove stack trace information found in error message exception handling * Keycloak native verification of an SD-JWT based vp_token oid4vc * Run tests with original `keycloak` login theme in nightly * Allow to create certificates for provider-keys authentication * OTEL: Add Keycloak CR support for Tracing options operator * OTEL: Apache HTTP client OpenTelemetry instrumentation * [Documentation] - Configuring trusted certificates - Fully specify truststore path dist/quarkus * OTEL: Instrument parts of Keycloak with OTEL spans * Clarify the behaviour of multiple Operator versions installed in the same cluster operator * Readonly profile attribute profile has unwanted not translated placeholder account/ui * [OID4VCI] Migrate Verifiable Credential Definitions from Client Attributes to Realm Level Attributes oid4vc * Explicitly document that the Operator does not create an Ingress for Admin URL operator * Add ui to override patternfly colors and logo * Better logging when error happens during transaction commit storage * Consolidate the logic for determining a local address core * Remove retry in LoginPage.resetPassword testsuite * Add CopyToClipboardButton to UserID in Admin UI * Expose membership type 
in the Admin UI for organization members admin/ui * Add an example nginx reverse proxy configuration * Show User Events on dedicated tab on Client-/User-Details * Add a reference to http-enabled in TLS/SSL setup * Upgrade Infinispan to 15.0.10.Final * Utilise `jdbc-ping` TCP based JGroups stack as default for non-operator Keycloak deployments * Make createWebAuthnRegistrationManager protected to allow cutomizations in subclasses authentication/webauthn * Prevent Keycloak from starting with wrong `work` cache configuration * Create a new base login theme * Add switch to disable dark mode * Background SQL statements show without a connected trace dist/quarkus * Enable virtual threads in Infinispan and JGroups by default * Update KEYCLOAK_SESSION cookie to not have sessionId in plain-text authentication * Sign the AUTH_SESSION_ID cookie value authentication * Username Form should support autocomplete login/ui * Standardize error messages from client and server in login theme (keycloak.v2) login/ui * Deprecate other transport stacks (ec2, azure, google) * Add JDBC_PING2 stacks for both TCP and UDP * Keycloak-admin-client should work with the future versions of Keycloak server admin/client-java * Update the Keycloak CPU and Memory sizing guide to reflect the new ec2 workder nodes * Delete Openshift 3.x identity provider * Support for the Croatian language * Remove remaining table USERNAME_LOGIN_FAILURE from the jpa UserSessionProvider times * Make the organization chapter of Server Admin guide available on downstream * Some dynamic imported functions are also statically imported making bundling them in-efficient * Improve build time of the js module * Add ability to enable support for Verifiable Credentials per Realm account/ui * Make cache-remote-host available when feature multi-site or cache-embedded-remote-store is enabled * Make documentation more clear that keycloak javascript adapter and node.js adapter are OIDC docs * Microsoft login - add prompt param configure 
* Avoid multi-release and java16 specific sources in the core module oidc * Update certain email templates for password recovery to match English translation format * Document network ports for Keycloak clustering * [Operator] Enhance the Keycloak Operator with Network Policies operator * Allow custom OIDCIdentityProvider implementations to specfiy the supported token types identity-brokering * OTEL: Provide Tracing SPI * Disable trim_trailing_whitespace in editorconfig to reduce noise in PRs * Improving the error message when failing to query an LDAP provider ldap * Allow a request object by considering a clock skew for smooth interoperability oidc * Allow a JWT client assertion by considering a clock skew for smooth interoperability oidc * Too many exceptions created when validating user profile * Avoid throwing exceptions when issuing reflection on user model * Add conditional text to Installation Locations * Update Leveraging JaKarta EE in Server Development guide * Feature: Allow disabling XA enforcement introduced with v26 dist/quarkus * Edits to Authorization Services guide * Allow a DPoP Proof by considering a clock skew for smooth interoperability * Addresse QE comments on Server Administration guide * Upgrade to ISPN 15.0.11.Final * Authorization Code Binding to a DPoP Key and DPoP with Pushed Authorization Requests oidc * Expose templateName in attributes when rendering freemarker templates login/ui * Upgrade to Quarkus 3.15.2 dist/quarkus * Prefer usage of StandardCharsets.UTF_8 over "UTF-8" charset reference core * [LoginUI] Set HTML lang attribute to "en" when internationalization disabled account/ui * Improve test method signature and gather more info about assertions testsuite * Resolve scopes from authenticated client sessions when selecting attributes * Allow configuring retries for JavaScript tests using environment variable ci * Allow asking for additional scopes when querying the account console root URL * Add WHY issues are important for each 
PR no matter how small to CONTRIBUTING.md docs * CONTRIBUTING.md has confusing ordered list with two times point 5 * Updated tested PostgreSQL version to 17 * Updated tested MariaDB version to 11.4 * Updated tested MySQL version to 8.4 * Consistent use of log.debugf to avoid generating too much GC overhead * Add a page with an index that links to smaller pages (JVM, HTTP, Database, embedded caches, external Infinispan) - we can show example widgets from the dashboards later * OTEL: Enhance traces with spans for each RestEASY resource * OTEL: Show spans in transaction completion at the end of a request * OTEL: Group persistent session work activities in parent span or link them * Avoid creating ObjectMapper but using JsonSerialization utility class when managing event details * Add password validation to update-password * Support for multiple values of some parameters in the grant SPI oidc * Update the Enabling Keycloak Event Metrics guide with the list of possible events and errors * Update release notes for Keycloak 26.1.0 with new community additions docs * [Operator] Network Policy Rules operator * Removing unnecessary configuration from auth servers * Update the sizing guide with an indicator on which user events to use * Reduce debounce time in RealmSelector * Replace `uuid` module with `crypto.randomUUID()` * Set the LDAP connection pooling protocols by default to plain and tls * Document the performance numbers from the ARM based ROSA cluster runs * Add a test that the metrics listed in the docs are available from Keycloak (keep it simple, ignore metrics that don't show up right after the start) * Use MeterProvider as suggested by the Micrometer team to avoid GC overhead * Enable LDAP Connection pooling by default * Release note about node.js adapter and javascript adapter released independently of keycloak server docs * Update upgrading notes with the changes related to core clients docs * Rescue dutch translations from aborted Weblate PR * Update the CA 
translation translations * Tune caching guide list of stacks for the upcoming release * Align realm name placeholder in the docs docs * Add metric for number of password validations * OTEL: Add tracing for credential validation * Suggestion: Improve Regex for NPM Version Conversion in set-version.sh ci * Allow tracing packets sent to and from LDAP for troubleshooting purposes * Help texts in the admin UI should end with a dot admin/ui * OTEL: merge Operator tracing test cases * Rename `org.keycloak.test.framework` package to `org.keycloak.testframework` test-framework * Rename `org.keycloak.test` package to `org.keycloak.tests` test-framework * Make @EnableFeature to handle the case with added provider of currently non-used SPI testsuite * Prepare a new guide for Keycloak's own metrics in the observability guide BUGS * keycloak.js example from the documentation leads to error path adapter/javascript * Locale Setting for Update Password Mail admin/api * Race when creating client protocol mappers (ClientManager#enableServiceAccount) resulting in duplicate entries storage * Incorrect get the members of a group imported from LDAP ldap * IllegalArgumentException on canceled Account Linking oidc * Step-up authentication with existing cookie not working when using `Authentication Flow Overrides` per client authentication * Broken Promise implementation for AuthZ JS adapter/javascript * Backchannel Logout silently not sent, if Frontchannel Logout is enabled as well oidc * oidc - JavaScript-Adapter LocalStorage#clearExpired does not clear all possible items adapter/javascript * Documentation - Expand/Clarify Admin REST API User Search Functionality admin/api * the InfoPage after an ExecuteActionsEmail is not localized based on the user's locale authentication * robots.txt causes indexing authentication/webauthn * Incorrect ldap-group-mapper chosen to sync changes to ActiveDirectory when several mappers with varying group paths used ldap * Uncaught (in promise): 
QuotaExceededError adapter/javascript * Issue with concurrent user & group delete, unable to cleanup resource server user-policy & group-policy authorization-services * Members are inhereted from LDAP group with the same name ldap * When using `oidcProvider` config url (.well-known) it's not possible to use `silentCheckSsoRedirectUri` adapter/javascript * JavascriptAdapterTest errors when running with strict cookies on Firefox ci * Broken (read-only) database connections not getting removed from connection pool, keycloak claims to be healthy. storage * Inconsistent TypeScript definitions in the module @keycloak/keycloak-admin-client while compiling admin/client-js * Workflow error: Base IT - RefreshTokenTest#refreshTokenWithDifferentIssuer testsuite * Allow increasing wait time on each failure after the max number of failures is reached authentication * update brute force docs to reflect available lockouts modes (temporary / permanent / mixed) authentication * Social login - Stack Overflow test fails ci * NPE on External OIDC to Internal Token Exchange when Transient Users feature is enabled token-exchange * Declining terms and conditions in account-console results in error account/ui * some GUI validation check missing admin/ui * Flaky test: org.keycloak.testsuite.admin.concurrency.ConcurrencyTest#createRemoveClient ci * Flaky test: org.keycloak.testsuite.admin.concurrency.ConcurrencyTest#createClient ci * Unstable test KerberosStandaloneCrossRealmTrustTest.test03SpnegoLoginWithCorrectKerberosPrincipalRealm ci * When the Delete Credential required action is set to false an authentication application cannot be removed from the account UI core * Make sure it is not possible to run snapshot server against production DB by default core * Event type not set in reset-credential flow under some conditions resulting in an error page authentication * Upgrade to 25 throws: Statement violates GTID consistency core * Organization API not available from OpenAPI documentation 
admin/api * Workflow failure: WebAuthn IT (firefox) - WebAuthnSigningInTest:navigateBeforeTest ci * Flaky test: org.keycloak.testsuite.admin.concurrency.ConcurrencyTest#testAllConcurrently ci * token exchange: exchange-sequence still fails with `Client session for client '..' not present in user session` when starting on public client token-exchange * Offline sessions are not removed from admin console after sign out all active sessions core * Selection list does not close after outside click admin/ui * Enabling/Disabling user does not work with Microsoft AD LDAP via Admin API/UI ldap * Show account page before login core * Misleading docs and functionality around cache-ispn.xml dist/quarkus * Error when non-admin user accesses admin console admin/fine-grained-permissions * Logout not working after removing Identity Provider of user identity-brokering * KC doesn't enforce uniqueness of aliases in Authentication flows, but uses them as identifiers (in config export) authentication * Windows builds fail too often due to problems with the download of Node ci * Repeated email verifications while logging in through IDP caused by email case sensitivity authentication * UserId too long to add Security Key WebauthN authentication/webauthn * LDAP Import: KERBEROS_PRINCIPAL not updated when UserPrincipal changes and user already exists ldap * High CPU usage on logout when using remote Infinispan only setup infinispan * none of the enabled features are shown as such in the admin console docs * creating short admin password in BCFIPS approved mode gives "Internal server error" page core * "Cookie not found" in multi-step auth flows / mobile browsers core * Flaky test: org.keycloak.testsuite.forms.LoginTest#loginAgainWithoutRememberMe ci * Flaky test: org.keycloak.testsuite.forms.LoginTest#loginMissingUsername ci * addExecutionFlow endpoint does not return right ID admin/api * Nightly Cypress tests for the Admin Console are failing on Firefox admin/ui * RP-Initiated logout 
using `POST` method fails in cross-origin setup oidc
* Requesting `offline_access` without an established session results in two sessions oidc
* Authentication sessions do not handle concurrent writes core
* Flaky test: org.keycloak.testsuite.forms.BrowserButtonsTest#appInitiatedRegistrationWithBackButton ci
* Flaky test: org.keycloak.testsuite.forms.LoginTest#loginWithRememberMe ci
* Flaky test: org.keycloak.testsuite.forms.LoginTest#loginRememberMeExpiredMaxLifespan ci
* Organization Domain not marked as a required field in the Admin UI admin/ui
* Requested `grant_types` inconsistent with created `grant_types` for OpenID Connect Dynamic Client Registration oidc
* Login V2: Missing "dir" attributes login/ui
* Admin UI defaults to master realm even without permissions to it admin/ui
* Consider Replacing Monaco Editor or Bundling Resources Locally to Avoid CSP Conflicts admin/ui
* Possible issue with unavailable CryptoIntegration when using keycloak-authz-client with private_key_jwt and ECDSA algorithm oidc
* Role descriptions do not wrap in the UI admin/ui
* Incorrect Disclosure Handling in SdJwtVP.of(String) Method oid4vc
* RESTART_AUTHENTICATION_ERROR in iPhone devices (using Safari and Chrome browser) oidc
* Passkeys: Infinite (re-)loading loop on browsers with WebAuthn Conditional UI disabled authentication/webauthn
* Duplicate principals not allowed in keystore authentication
* Flaky test: org.keycloak.testsuite.forms.LoginTest#loginWithEmailUserAndRememberMe ci
* Any one Client role mapping to user/group generating two events on admin events tab. core
* 400 error logged as 500 identity-brokering
* Icons for social providers broken in login screen if the provider is created with non-default alias admin/ui
* Admin UI e is undefined if required action recreated with own alias admin/ui
* Double scroll bar due to warning banner admin/ui
* Wrong translation issues in Greek translation translations
* Permission cannot be evaluated when only role and client are provided authorization-services
* Link to existing account form: IDP Alias displayed instead of IDP Display Name login/ui
* 404 in admin console when unlinking managed user from organizations admin/ui
* Flaky test: org.keycloak.testsuite.forms.LevelOfAssuranceFlowTest#testWithOTPAndRecoveryCodesAtLevel2 ci
* Can get authorization code on a non verified user with some specific kc_action (AIA) oidc
* Previously entered translations should persist in the translation dialog for the attribute groups admin/ui
* Keycloak In Docker: ERROR: Strict hostname resolution configured but no hostname setting provided docs
* Flaky test: org.keycloak.testsuite.broker.KcOidcBrokerTest#testPostBrokerLoginFlowWithOTP_bruteForceEnabled ci
* Unable to submit forms in Safari account/ui
* Broken links / anchors after KC26 release docs
* In imported realms, the ability to use environment variables has disappeared import-export
* Fix runaway asterisk formatting in TLS documentation docs
* Cleanup how static state is set for import / export dist/quarkus
* Upgrade Selenium testsuite
* Repeated "to a" in the help text for the "User Attribute" mapper admin/ui
* Fix v2 login layout login/ui
* Client Secret Required Bug When Using "JWT Signed with Private Key" for (Keycloak/) OpenID Connect Provider admin/ui
* No message for `policyGroupsHelp` admin/ui
* ClassNotFoundException OracleXADataSource/OracleDataSource using IDELauncher with Keycloak 26.0.0 dist/quarkus
* Non-optimized start command gives erroneous warnings for runtime spi options dist/quarkus
* Customizable footer (Keycloak 26) not displaying in keycloak.v2 login theme login/ui
* RTL not working on keycloak.v2 login template login/ui
* Validation of http truststore or keystore file masks if the file exists dist/quarkus
* Test "Duplicate Group" unstable in Admin UI / job is failing admin/ui
* Failure to redirect to organization IdP when the organization scope is included organizations
* Not possible to configure custom client authenticator in Admin UI authentication
* Client Scope updates are not replicated on a distributed keycloak setup in kubernetes admin/api
* Client Policy throws "Invalid Redirect Uri" if Standard Flow is disabled oidc
* Organizations section is shown in account console if organizations is not enabled for a realm. account/ui
* Aurora IT tests failing periodically with download of node ci
* Admin client returns HTTP code `400 Bad Request` when using x509 certificate admin/client-java
* [Regression] 26.0.0 return empty "access: []" JWT for Docker-v2 Auth provider, resulting in "access denied" authentication
* Error when adding or removing a user from an organisation when there are 2 or more Keycloak servers in a cluster organizations
* Upgrade to 26 fails with 'ERROR: index "idx_us_sess_id_on_cl_sess" does not exist' core
* FOUC in Firefox on login UI login/ui
* CVE-2021-44549 - org.eclipse.angus/angus-mail: Enabling Secure Server Identity Checks for Safer SMTPS Communication dist/quarkus
* Stabilise my-resources.spec test account/ui
* NPE when device representation cannot be parsed authentication
* NEP when Default Role is not present on CachedRealm infinispan
* client-jwt ES256 error when doing CODE_TO_TOKEN oidc
* Wrong documentation link in keycloak-js readme docs
* [Keycloak CI] - AuroraDB IT - Error creating EC2 runner instance
* [Keycloak CI] - FIPS IT - Failed to fetch maven
* Auth not possible for auth session where user was enabled in the meantime authentication
* Not persisted config settings prevent server start dist/quarkus
* NPE thrown in whoami endpoint admin/ui
* Recovery authentication codes are numbered inconsistently login/ui
* ResetPasswordTest.resetPasswordExpiredCode Error -> AbstractKeycloakTest.deleteAllCookiesForRealm:297 core
* Cannot install latest version (26.0.0) of the adapter using Galleon adapter/jee
* [PERF] OpenTelemetry is initialized even when disabled
* password is a required field admin/ui
* Not possible to close dialog boxes when clicking buttons or the close icon admin/ui
* Windows kc.bat handling of several parameter types is not correct dist/quarkus
* keycloak.v2 registration: Password policy validation error "errorList is null" login/ui
* Doc CI - broken links error docs
* Handle removal of online session for the directGrant and clientCredentials
* Handle removal of online session for authorization_code when `scope=offline_access` is used oidc
* grammatical error in "Managing Organizations" documentation docs
* Add More Info to Organization Events organizations
* Home URL for security-admin-console is broken admin/ui
* [Admin UI] Broken autocomplete input on the "Create resource-based permission" form admin/ui
* Flaky Test ResetPasswordTest.resetPasswordLoggedUser:188->openResetPasswordUrlAndDoFlow:252 testsuite
* Custom keycloak login theme styles.css return error 404 login/ui
* [Windows] Wrong expansion of ${kc.home.dir} causes NoSuchFile exception dist/quarkus
* LDAP Pagination not working for role membership in GET_ROLES_FROM_USER_MEMBEROF_ATTRIBUTE strategy ldap
* Org Invite: `linkExpiration` template variable represents 54 years in minutes organizations
* Listing federated LDAP users is very slow with import enabled ldap
* Onclick focus issue in the Username field of Clients / / Client Scopes / Evaluate admin/ui
* Respect the locale set to a user when rendering verify email pages user-profile
* Users without `view-realm` can't see user lockout state in Admin UI admin/ui
* Do not show domain match message in the identity-first login when no login hint is provided organizations
* The Realm Selection Dropdown Breaks After 50 Realms In Database admin/ui
* Flaky test: org.keycloak.testsuite.broker.KcOidcBrokerTest#testPostBrokerLoginFlowWithOTP_bruteForceEnabled ci
* java.util.ConcurrentModificationException when process user sessions update infinispan
* Keycloak 26.0.0/26.0.1 Import Issue: Multiple Realms Not Imported, Duplicated Realm Imported Instead import-export
* Group select dialog: Subgroups not displayed initially due to pagination admin/ui
* JS password validation doesn't work as intended with uppercase and lowercase minimum requirements login/ui
* cli options starting or ending with ; or containing ;; mangle the cli handling dist/quarkus
* Grant type "urn:ietf:params:oauth:grant-type:uma-ticket" token service endpoint returns NullPointerException authorization-services
* OIDC IdP Unable to validate signatures using validatingPublicKey certificate admin/ui
* logout with client_id and/or post_logout_redirect_uri results in bad request on logout confirmation page oidc
* Deleting a user leads to ISPN marshalling exception
* Group search in user view doesn't work as expected for nested groups admin/ui
* Service accounts visible under user search in Admin console admin/api
* Docs: Dead link docs
* Flaky Test: BrowserFlowTest.testAlternativeNonInteractiveExecutorInSubflow() testsuite
* PEM files distributed as part of SAML adapter configs are missing -----BEGIN and -----END blocks saml
* NullPointerException in ConditionalOtpFormAuthenticator.java authentication
* Remove inaccurate statement about master realm imports docs
* Fix DB overflow for EVENT_ENTITY table and SESSION_ID column in case that incorrect data are sent core
* NPE in Organization(s)Resource when using Quarkus Rest Client admin/api
* ParEndpoint#request corrupts values added in request object oidc
* Admin UI doesn't show realms when using login through identity provider admin/fine-grained-permissions
* Incorrect Content-Type Expectation for POST /admin/realms/{realm}/organizations/{id}/members in Keycloak API admin/api
* [Keycloak 26.0.2] Getting "Forbidden, permission needed: query-clients" as temp-admin admin/ui
* LDAP: searching users with import disabled is slower since fix for 34050 ldap
* Flaky test: org.keycloak.testsuite.broker.KcSamlBrokerTest#testPostBrokerLoginFlowWithOTP_bruteForceEnabled ci
* [Trivy] - Workflow failure ci
* NullPointerException in RoleResolveUtil when admin-cli uses lightweight token admin/cli
* [26.0.2] Migration from 25.0.1 Identity Provider Errors identity-brokering
* kc.config.args exposed in show-config dist/quarkus
* Missing help icons in Webauthn Policy and Webauthn Passwordless Policy missing in admin ui admin/ui
* Do not rely on the `pwdLastSet` attribute when updating AD entries ldap
* Flaky test: org.keycloak.testsuite.broker.KcOidcBrokerTest#testPostBrokerLoginFlowWithOTP_bruteForceEnabled ci
* Username and password should be optional for multi-site deployment infinispan
* Clicking on link to Keycloak documentation from Keycloak admin UI does nothing instead of opening documentation admin/ui
* Flaky test: org.keycloak.testsuite.actions.TermsAndConditionsTest#termsDeclined ci
* Renaming realm in UI broken admin/api
* Non compliant OpenID Client Authentication when `client_secret_jwt` with PAR (Pushed Authorization Requests) oidc
* Quarkus dev mode does not work dist/quarkus
* Flaky test: org.keycloak.testsuite.forms.ResetPasswordTest#resetPasswordLinkTestAppWithoutRedirectUriParam ci
* Switching 'Email as Username' alters existing custom usernames to email addresses, causing LDAP sync issues core
* Text in "Choose a policy type" is not wrapping admin/ui
* Attributes missing in OrganizationRepresentation when using Admin REST API in Keycloak 26 admin/api
* Flaky test: org.keycloak.testsuite.broker.KcOidcBrokerTest#testPostBrokerLoginFlowWithOTP_bruteForceEnabled ci
* Rework global event listener for metrics core
* NPE in InfinispanOrganizationProvider if userCache is disabled infinispan
* Error on testsuite "group_test" on Cypress admin/ui
* AdminEventQueryTest test fails after adding global event listener core
* Remove duplicate lines in userprofile freemarker template login/ui
* Fix typo in log message account/ui
* Securing apps guide breaks downstream docs
* Missing downstream explicit name for anchors docs
* Feature in higher version takes precedence even if it has lower type order
* Client Protocol Mappers with non UUID ids cannot be edited admin/ui
* KC_CACHE_EMBEDDED_MTLS_ENABLED is ignored infinispan
* Continuous reload when KC_AUTH_SESSION_HASH expires authentication
* `ClientConnection.getRemoteAddr` can return a hostname when behind a reverse proxy core
* Keys tab showing disabled and inactive keys as active admin/ui
* [Admin UI] [Create resource-based permission] Resource input is disabled admin/ui
* New credential templates broken in KC26 login/ui
* calling openid-connect/auth with previous version valid cookies generate internal server error authorization-services
* Invalid flag for addDefaultRequiredActions infinispan
* GroupMappersTest test fails in keycloak-client core
* CVE-2024-10973 - Cleartext Transmission of Sensitive Information in org.keycloak:keycloak-quarkus-server
* AdminUI: Alphabetically sort "Event saved type" in the events listing admin/ui
* Log handler specific log levels support only lower-case levels dist/quarkus
* Liquibase outputs update summary directly to standard out dist/quarkus
* [Keycloak CI] - Base IT - KerberosLdapCrossRealmTrustTest.test03SpnegoLoginUsernamePassword ldap
* [Jenkins Keycloak CI] - Cookies Tests - KcOidcBrokerPrivateKeyJwtCustomAudienceTest ci
* [Jenkins Keycloak CI] - Cookies Tests - KcSamlBrokerTest
* [Jenkins Keycloak CI] - Cookies Tests - KcOidcBrokerLdapTest ci
* Keycloak needs to return "invalid_request" from Token Endpoint if a token or refresh request lacks DPOP proof oidc
* [Keycloak CI] - Quarkus IT - StartCommandDistTest and BuildAndStartDistTest dist/quarkus
* [Jenkins Keycloak CI] - Adapter Cookies Tests - Failures with Firefox strict cookies ci
* Deprecated CLI options and new options are not stable in their sorting dist/quarkus
* On logout from admin console, a serverinfo call with 401 response in the logs admin/ui
* Clients invalidated on each client credential grant core
* Incomplete registration form when edit email is disabled and email is set as username user-profile
* Authentication Link and IDP Fails with 400 Bad Request After Migrating to Version 26 and Delete Authentification authentication
* Upgrade 24 to 25 fails because db jpa changes drop nonexisting indexes. core
* [Keycloak CI] Outdated surefire artifacts names - Quarkus IT and UT ci
* Update Email doesn't update username when Email as Username and Attributes are enabled user-profile
* Adding "sub" claim to lightweight access token causes HTTP 403 Forbidden Error in Keycloak 26.0.5 oidc
* Unable to scroll/swipe through the main menu on macOS admin/ui
* ES256 key continue to be used to sign token even after expiry oidc
* getAll() organization members only returns the first 10 members organizations
* KC25 Migration guide for caching options needs clarification
* MySQL database migration issue core
* Mis-formatted unordered list in the caching docs
* Flaky test: org.keycloak.testsuite.model.session.AuthenticationSessionTest#testConcurrentAuthenticationSessionsRemoval ci
* PersistentSessionsWorker: retry with 0 backoff ms. core
* Filter events by user id and client not working admin/ui
* `organizationEnabled` and `verifiableCredentialsEnabled` attributes are present as attributes in an export
* Cannot request additional scopes when using the account console account/api
* Flaky test: org.keycloak.testsuite.broker.KcSamlBrokerTest#testPostBrokerLoginFlowWithOTP_bruteForceEnabled core
* Flaky test: org.keycloak.testsuite.model.session.AuthenticationSessionTest#testConcurrentAuthenticationSessionsCreation ci
* Flaky test: org.keycloak.testsuite.adapter.servlet.SAMLClockSkewAdapterTest#testTokenTimeIsValid ci
* CVE-2024-10451 Sensitive Data Exposure in Keycloak Build Process
* CVE-2024-10270 Potential Denial of Service
* CVE-2024-10492 Keycloak path traversal
* CVE-2024-9666 Keycloak proxy header handling Denial-of-Service (DoS) vulnerability
* CVE-2024-10039 Bypassing mTLS validation
* Account UI E2E / `personal-info/personal-info.spec.ts` is unstable ci
* Typo www.recatcha.net -> www.recaptcha.net in docs docs
* Fix typo in v24 changelog: "longer" -> "no longer" docs
* reCAPTCHA v3 not working login/ui
* Links to guides in Observability section are still pointing to server section docs
* Typos in `.md` and `.adoc` files, detected using codespell and manual review docs
* Edit Help Mode descriptor for Roles in policy form admin/ui
* Your login attempt timed out authentication
* Upgrade 26.0.5 -> 26.0.6 completely breaks admin events in the admin UI admin/ui
* Maven clean shouldn't be skipped by default on Windows
* Database migration fails after upgrading operator to v26.0.6 core
* Token issuer is null in executeActionsEmail and sendVerifyEmail if no clientId is passed admin/api
* Strange Random behavior - Intermittent missing organization claim in Keycloak JWT token organizations
* Error when creating a permission ticket when there are 2 or more Keycloak servers in a cluster authorization-services
* Errors in Persian and Turkish translations in account translations
* Multiselect Checkboxes in user profile don't allow to unset value user-profile
* Resolve scopes from bearer tokens when processing requests to the Account API
* log-syslog-max-length is ignored dist/quarkus
* [Keycloak CI] - Quarkus UT (windows-latest) - Keycloak Quarkus Server Deployment ci
* SAML Adapter Galleon Pack for EAP8 cannot use new metadata options for layers adapter/saml
* Capitalization in Hungarian translation needs improvement translations
* Mis-formatted definition list of hashing algorithms
* Showing LDAP error message when failing to reset password ldap
* OTEL: OTelTracingProvider should be request-scoped dist/quarkus
* access token or refresh token will be reset when another is set admin/ui
* Flaky test: org.keycloak.testsuite.model.DBLockTest.testTwoLocksCurrently ci
* Update Infinispan examples in the High Availability guide docs
* Delete user confirm title is wrong admin/ui
* Events: Wrong text for user id search admin/ui
* Event Representation is not shown for Admin Events in UI admin/ui
* When using the token revocation endpoint with refresh-token, all sessions from the user+client are terminated oidc
* [Jenkins Keycloak CI] - RH-SSO EAP adapters remote saml tests ci
* `QuarkusPropertiesDistTest` fails on Windows testsuite
* Initial keycloak bootstrap suggestion is not correct. dist/quarkus
* IPA-Tuura federation: password field shows password in plaintext core
* Upgrading guide 26.0.6 is missing in the built document docs
* JVM crash when running base testsuite test from command line using auth-server-quarkus-embedded dist/quarkus
* Invoking `BaseUpdater.markDeleted()` more than once cause the transient status to be lost infinispan
* Embedded test server fails when running from `mvn` dist/quarkus
* Code quote for http-enabled is incorrect, missing relevant option in reverse proxy documentation docs
* Fix broken Dependabot configuration
* Temporary password toggle in set password dialog is cut off in admin-console admin/ui
* Inconsistency when returning user attributes when executing a search or fetching users by ID from external user storage providers ldap
* Improve sssd note about synchronization of groups docs
* realm_test.spec fails on firefox admin/ui
* New install doesn't allow admin user creation dist/quarkus
* token exchange response expires_in inconsistent behavior token-exchange
* Support for X-Forwarded-Prefix should not be implied docs
* POST create client with id exceed 36 characters length response status 500 instead of 403 admin/api
* Missing userId in LOGIN_ERROR event for permanent lockout authentication
* GET .../organizations/{id}/members/{id} multiple ids organizations
* Event for setting up recovery codes authentication
* Fix grammar in documentation page docs
* Typo in using custom Keycloak image for Operator guide docs
* Quarkus.properties should not use -cf or --config-file flag docs
* Update to KC 26.x from core
* Keycloak incorrect usage of UserPolicy and cache. authorization-services
* Keycloak arquillian testsuite not working with the default profile testsuite
* Token revocation may not correctly revoke related access tokens
* Exact searches should be the default when querying user by attributes admin/api
* Regression Mysql 8 support as the upgrade script do not use temporary table storage
* Selected Organization not present in access_token of different client within same Realm if user belongs to multiple organization organizations
* Unused LDAP provider options are still exposed
* Selecting one role selects all admin/ui
* MapComponent UI Not Displaying Saved Values in Keycloak React Admin UI admin/ui
* Typo in username pt_BR translation in account console account/ui
* Failing since may be reported incorrectly on health probe dist/quarkus
* Map Configuration Property in Custom UserStorageProviderFactory Not Displayed in UI After Saving admin/ui
* Organization Scope mismatch organizations
* Duplicate entry in admin message properties admin/ui
* Broken links in getting-started guide pointing to quickstarts latest branch docs
* Flaky test: org.keycloak.testsuite.forms.BruteForceTest#testExceedMaxTemporaryLockouts ci
* Wrong content-type for content.json account/ui
* Unable to use custom handlers for HTTP OPTIONS method in subresources dist/quarkus
* Double submit on otp form causes error login/ui
* Translations specified in the admin console do not override the translations specified in a theme translations
* Flaky test: org.keycloak.testsuite.broker.KcOidcBrokerTokenExchangeTest#testInternalExternalTokenExchangeStoredToken ci
* IDPs can not be found anymore by "Issuer" value when exchanging tokens identity-brokering
* Unnecessary text in documentation docs
* NPE when Kerberos Server is unreachable core
* Incompatible method of admin-client in Keycloak 26.1 and missing javadoc admin/client-java
* max-count for session caches is not set by default for local Infinispan config dist/quarkus
* Issue with "403 Forbidden" Access /admin/realms/{realm}/authentication/executions/{executionId} admin/api
* Fix invalid url in keycloak.js log message adapter/javascript
* "Remove role" alert text is wrong admin/ui
* Profile attribute inputs incorrectly marked as required when minimum length is configured admin/ui
* Error when re-authenticating when organization is enabled organizations
* PasswordAgePolicy triggering NullPointerException when credential does not have createdDate core
* KeycloakServer application not working anymore testsuite
* PersistentSessionsWorker: Cannot access delegate without a transaction ldap
* Roll-back change to startup timeout operator
* [Keycloak CI] - Base IT/Store IT - IdentityProviderTest ci
* CVE-2024-11736 Unrestricted admin use of system and environment variables
* CVE-2024-11734 Denial of Service in Keycloak Server via Security Headers
* Metric `vendor_jgroups_*` is unstable and can change in upcoming releases infinispan
* When running Keycloak in testutils with Undertow, the admin UI throws NoMessageBodyWriterFoundFailure admin/ui
* Too much space around "Forgot Password" button (keycloak.v2) login/ui
15 Jan 2025 12:00am GMT
14 Jan 2025
JBoss Blogs
Quarkus Newsletter #52 - January
Explore how to combine Quarkus, a modern Java framework optimized for cloud-native applications, with Ollama, a platform for running AI models locally, in Jonathan Vila's article "Building local LLM AI-Powered Applications with Quarkus, Ollama and Testcontainers".

Long Term Support (LTS) releases are designed for users who want to keep a given version for a longer period of time instead of following our monthly release pace. Quarkus 3.20 will be our next LTS version, planned for release in late March. Read more about it in the blog post "Our next LTS will be Quarkus 3.20" from Guillaume Smet.

By customizing your test resource manager and using a unified configuration, you can eliminate conflicts between the containers used by Liquibase and your application. Learn how in "Resolving Issues with Quarkus Tests, Test Containers, and Liquibase Integration" by tempmailgenerator on Reddit.

You will also see the latest Quarkus Insights episodes, top tweets/discussions and upcoming Quarkus attended events. Check out ! Want to get newsletters in your inbox? using the on page form.
14 Jan 2025 12:00am GMT
13 Jan 2025
JBoss Blogs
Keycloak Terraform Provider Release 5
KEYCLOAK TERRAFORM PROVIDER RELEASES
We're excited to announce the release of the Keycloak Terraform Provider 5.0 with support for Keycloak 24/26. You can find the repository . Following our , we released Keycloak Terraform Provider 4.5 with a new license and dependency upgrades for Keycloak versions older than 23.0.0. If you are still using the old Keycloak Terraform Provider by you can take a look at the to use the new .

CHANGES

4.5 MAINTENANCE RELEASE
* CVE fixes
* Go upgrade
* Minor Dependency Upgrades
* License change

5.0 RELEASE
* Support for Keycloak 24
* Support for Keycloak 26
* Dependency Upgrades

PLANNED NEXT RELEASES
* 5.1 with support for managing organizations
* patch releases on demand

JOIN THE COMMUNITY
We're grateful for all contributors who've helped make the Terraform Provider what it is today. We welcome new contributions, issue reports, feature suggestions, and fixes. Let's work together to make it even better! Explore the , join , and help shape the future of the Keycloak Terraform Provider.
13 Jan 2025 12:00am GMT
Keycloak 26.0.8 released
To download the release go to .

UPGRADING
Before upgrading refer to for a complete list of changes.

ALL RESOLVED ISSUES

ENHANCEMENTS
* Show User Events on dedicated tab on Client-/User-Details
* Username Form should support autocomplete login/ui

BUGS
* The Realm Selection Dropdown Breaks After 50 Realms In Database admin/ui
* logout with client_id and/or post_logout_redirect_uri results in bad request on logout confirmation page oidc
* [Keycloak 26.0.2] Getting "Forbidden, permission needed: query-clients" as temp-admin admin/ui
* Keys tab showing disabled and inactive keys as active admin/ui
* MySQL database migration issue core
* Filter events by user id and client not working admin/ui
* `organizationEnabled` and `verifiableCredentialsEnabled` attributes are present as attributes in an export
* Edit Help Mode descriptor for Roles in policy form admin/ui
* Database migration fails after upgrading operator to v26.0.6 core
* Token issuer is null in executeActionsEmail and sendVerifyEmail if no clientId is passed admin/api
* Strange Random behavior - Intermittent missing organization claim in Keycloak JWT token organizations
* SAML Adapter Galleon Pack for EAP8 cannot use new metadata options for layers adapter/saml
* Mis-formatted definition list of hashing algorithms
* Showing LDAP error message when failing to reset password ldap
* Delete user confirm title is wrong admin/ui
* Events: Wrong text for user id search admin/ui
* [Jenkins Keycloak CI] - RH-SSO EAP adapters remote saml tests ci
* Initial keycloak bootstrap suggestion is not correct. dist/quarkus
* Upgrading guide 26.0.6 is missing in the built document docs
* Temporary password toggle in set password dialog is cut off in admin-console admin/ui
* New install doesn't allow admin user creation dist/quarkus
* Exact searches should be the default when querying user by attributes admin/api
* CVE-2024-11736 Unrestricted admin use of system and environment variables
* CVE-2024-11734 Denial of Service in Keycloak Server via Security Headers
13 Jan 2025 12:00am GMT