Source: https://github.com/keycloak/keycloak/releases/tag/26.4.0
keycloak/keycloak 26.4.0 Release Notes
Published at: 2025-09-30T11:49:13Z
Highlights
This release features new capabilities focused on security enhancements, deeper integration, and improved server administration. The highlights of this release are:
Passkeys for seamless, passwordless authentication of users.
Federated Client Authentication to use SPIFFE or Kubernetes service account tokens for client authentication.
Simplified deployments across multiple availability zones to boost availability.
FAPI 2 Final: Keycloak now supports the final specifications of FAPI 2.0 Security Profile and FAPI 2.0 Message Signing.
DPoP: The OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP) is now fully supported. Improvements include the ability to bind only refresh tokens for public clients, and securing all Keycloak endpoints with DPoP tokens.
Read on to learn more about each new feature. If you are upgrading from a previous release, review also the changes listed in the upgrading guide.
Security and Standards
Passkeys integration (supported)
Passkeys are now seamlessly integrated in the Keycloak login forms using both conditional and modal UIs. To activate the integration in the realm, go to Authentication, Policies, Webauthn Passwordless Policy and switch Enable Passkeys to enabled.
For more information, see Passkeys.
FAPI 2 Final (supported)
Keycloak has support for the latest versions of FAPI 2 specifications. Specifications FAPI 2.0 Security Profile and FAPI 2.0 Message Signing are already promoted to Final and Keycloak supports them. Keycloak client policies support the final versions and corresponding client profiles for FAPI 2 are passing the FAPI conformance test suite.
Apart from some very minor polishing of existing policies, Keycloak has new client profiles (fapi-2-dpop-security-profile and fapi-2-dpop-message-signing) for the clients that use DPoP and are intended to be FAPI 2 compliant.
Thank you to Takashi Norimatsu for contributing this.
For more details, see the Securing applications Guides.
DPoP (supported)
Keycloak has support for OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP), which had been a preview feature since Keycloak 23. The supported version also includes the following improvements and smaller capabilities of the DPoP feature:
Possibility to DPoP-bind only the refresh tokens of a public client and leave the access token unbound.
All Keycloak endpoints that are secured by bearer token can now handle DPoP tokens. This includes, for example, the Admin REST API and Account REST API.
Possibility to require the dpop_jkt parameter in the OIDC authentication request.
Thanks to Takashi Norimatsu and Dmitry Telegin for their contributions to the DPoP feature.
For more information, see the DPoP section in the documentation.
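As an added illustration of the binding that DPoP provides (example code, not Keycloak's own), the Python below performs the check a resource server or token endpoint makes: recompute the RFC 7638 thumbprint of the public key carried in the DPoP proof header and compare it with the token's cnf.jkt claim, or with the dpop_jkt value announced in the authorization request. The sample key and all function names are assumptions; proof signature, htm/htu and jti validation are separate steps not shown here.

```python
"""Resource-server and token-endpoint DPoP key-binding checks (RFC 9449) via RFC 7638 thumbprints.

Keycloak places the thumbprint of the client's DPoP key in the token's cnf.jkt claim, and the
dpop_jkt authorization-request parameter carries the same thumbprint. Both are verified by
recomputing the thumbprint of the public JWK in the DPoP proof header. Illustrative names only.
"""
import base64
import hashlib
import hmac
import json

# Members RFC 7638 hashes for each key type; every other member (kid, use, alg, ...) is dropped.
_THUMBPRINT_MEMBERS = {
    "EC": ("crv", "kty", "x", "y"),
    "RSA": ("e", "kty", "n"),
    "OKP": ("crv", "kty", "x"),  # EdDSA keys, which this release also accepts for DPoP
}


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required members, lexicographically ordered, no whitespace."""
    kty = jwk.get("kty")
    if kty not in _THUMBPRINT_MEMBERS:
        raise ValueError(f"unsupported kty {kty!r}")
    try:
        canonical = {name: jwk[name] for name in _THUMBPRINT_MEMBERS[kty]}
    except KeyError as missing:
        raise ValueError(f"JWK lacks required member {missing}") from None
    # sort_keys plus compact separators reproduce the exact octet string the RFC specifies.
    octets = json.dumps(canonical, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return _b64url(hashlib.sha256(octets).digest())


def key_matches_thumbprint(jwk, expected_jkt) -> bool:
    """True when the public JWK from a DPoP proof is the key a jkt value was computed from."""
    if not isinstance(jwk, dict) or not isinstance(expected_jkt, str) or not expected_jkt:
        return False
    if "d" in jwk:  # private-key material in a proof header is always rejected (RFC 9449 4.2)
        return False
    try:
        computed = jwk_thumbprint(jwk)
    except ValueError:
        return False
    return hmac.compare_digest(computed.encode("ascii"), expected_jkt.encode("utf-8"))


def token_bound_to_proof(proof_header: dict, token_claims: dict) -> bool:
    """Resource-server check: the presented token's cnf.jkt must match the proof's jwk.

    With refresh-token-only binding a public client's access token carries no cnf.jkt; such a
    token is a plain Bearer token and this check does not apply to it (it returns False here).
    """
    if proof_header.get("typ") != "dpop+jwt":
        return False
    cnf = token_claims.get("cnf")
    jkt = cnf.get("jkt") if isinstance(cnf, dict) else None
    return key_matches_thumbprint(proof_header.get("jwk"), jkt)


def authorization_code_bound(dpop_jkt_from_authz_request: str, token_request_proof: dict) -> bool:
    """Token-endpoint check behind dpop_jkt: the code may only be redeemed with the key that
    was announced in the authorization request."""
    return key_matches_thumbprint(token_request_proof.get("jwk"), dpop_jkt_from_authz_request)


# Constructed sample key: P-256 coordinates are placeholders, not a real key pair.
SAMPLE_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4",
    "y": "4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM",
    "kid": "client-key-1",  # ignored by the thumbprint
}

if __name__ == "__main__":
    jkt = jwk_thumbprint(SAMPLE_JWK)
    proof = {"typ": "dpop+jwt", "alg": "ES256", "jwk": SAMPLE_JWK}
    print("jkt:", jkt)
    print("bound token accepted:", token_bound_to_proof(proof, {"cnf": {"jkt": jkt}}))
    print("foreign token rejected:", not token_bound_to_proof(proof, {"cnf": {"jkt": "A" * 43}}))
```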
FIPS 140-2 mode now supports EdDSA
With the upgrade to Bouncy Castle 2.1.x, the algorithm EdDSA can now be used.
Listing supported OAuth standards on one page
A new guide lists all implemented OpenID Connect related specifications. Thank you to Takashi Norimatsu for contributing this.
Integration
Federated client authentication (preview)
Identity providers are now able to federate client authentication. This allows clients to authenticate with SPIFFE JWT SVIDs, Kubernetes service account tokens, or tokens issued by an OpenID Connect identity provider.
This feature is currently preview, and expected to become supported in 26.5.
Automatic certificate management for SAML clients
The SAML clients can now be configured to automatically download the signing and encrypting certificates from the SP entity metadata descriptor endpoint. In order to use this new feature, in the client Settings tab, section Signature and Encryption, configure the Metadata descriptor URL option (the URL where the SP metadata information with the certificates is published) and activate Use metadata descriptor URL. The certificates will be automatically downloaded and cached in the public-key-storage SPI from that URL.
This also allows for seamless rotation of certificates.
For more information, see Creating a SAML client in the Server Administration Guide.
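To show what the metadata-driven certificate download described above has to extract, here is an added Python example (not Keycloak's public-key-storage SPI) that parses a constructed SP EntityDescriptor, ties it to the expected entityID and collects the signing and encryption certificates, keeping every published certificate so that a rotation window works. The entityID, URLs and certificate bodies are placeholders.

```python
"""Pull an SP's signing and encryption certificates out of its SAML metadata descriptor.

Illustrative code, not Keycloak's; the metadata document is a constructed sample whose
certificate bodies are placeholders rather than real base64 DER.
"""
import xml.etree.ElementTree as ET  # parse untrusted metadata with defusedxml in production

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

SAMPLE_SP_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.test/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        SIGNING-CERT-PLACEHOLDER
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>ENCRYPTION-CERT-PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <!-- no 'use' attribute: the key serves both purposes, typical while a new certificate is rolled out -->
    <md:KeyDescriptor>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>ROTATED-CERT-PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def sp_certificates(metadata_xml: str, expected_entity_id: str) -> dict:
    """Return {'signing': [...], 'encryption': [...]} with certificate bodies in document order.

    Keeping every listed certificate is what makes rotation seamless: while the SP publishes
    both the old and the new certificate, signatures made with either one still verify.
    """
    root = ET.fromstring(metadata_xml)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("document is not a SAML EntityDescriptor")
    # Tie the fetched document to the client being configured, so a misconfigured (or hijacked)
    # descriptor URL cannot install some other entity's keys for this client.
    if root.get("entityID") != expected_entity_id:
        raise ValueError(f"entityID {root.get('entityID')!r} does not match {expected_entity_id!r}")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor in metadata")
    certs = {"signing": [], "encryption": []}
    for descriptor in sp.findall("md:KeyDescriptor", NS):
        use = descriptor.get("use")
        uses = [use] if use in certs else list(certs)  # absent 'use' means both
        for cert in descriptor.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            body = "".join((cert.text or "").split())  # strip PEM line breaks and indentation
            if body:
                for u in uses:
                    certs[u].append(body)
    return certs


if __name__ == "__main__":
    for use, bodies in sp_certificates(SAMPLE_SP_METADATA, "https://sp.example.test/saml").items():
        print(use, bodies)
```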
Serving as an authorization server in MCP
MCP (Model Context Protocol) is an open-source standard for connecting AI applications to external systems. Using MCP, AI applications can connect to data sources, tools and workflows enabling them to access key information and perform tasks.
To comply with MCP specification, this version provides its OAuth 2.0 Server Metadata via a well-known URI whose format complies with RFC 8414 OAuth 2.0 Authorization Server Metadata specification. Therefore, Keycloak users can now use Keycloak as an authorization server for MCP.
The latest MCP specification 2025-06-18 additionally requires support for resource indicators which are currently not implemented in Keycloak.
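As an added example (not from Keycloak or the MCP project), the Python below builds the RFC 8414 well-known URL for a realm issuer and runs the checks an MCP client should apply to the returned metadata, including the issuer match that RFC 8414 requires. The issuer and the metadata document are constructed samples; the endpoint paths follow Keycloak's /protocol/openid-connect layout.

```python
"""Discover and sanity-check Keycloak's RFC 8414 authorization server metadata, as an MCP client would.

Illustrative code, not part of Keycloak; the issuer and metadata document are constructed samples.
"""
import json
from urllib.parse import urlsplit, urlunsplit

WELL_KNOWN = "/.well-known/oauth-authorization-server"

# Members an MCP client needs to drive the authorization code flow.
REQUIRED_MEMBERS = ("issuer", "authorization_endpoint", "token_endpoint", "response_types_supported")


def metadata_url(issuer: str) -> str:
    """RFC 8414 section 3.1: for a path-bearing issuer such as https://host/realms/{realm}, the
    well-known segment goes between host and path, which is where Keycloak serves it
    (/.well-known/oauth-authorization-server/realms/{realm})."""
    parts = urlsplit(issuer)
    if parts.scheme != "https" or not parts.netloc or parts.query or parts.fragment:
        raise ValueError("issuer must be an https URL without query or fragment")
    path = parts.path.rstrip("/")
    return urlunsplit(("https", parts.netloc, WELL_KNOWN + path, "", ""))


def metadata_problems(expected_issuer: str, body: str) -> list:
    """Return the reasons to reject a metadata document; an empty list means it is usable."""
    problems = []
    try:
        meta = json.loads(body)
    except ValueError:
        return ["metadata is not valid JSON"]
    for name in REQUIRED_MEMBERS:
        if name not in meta:
            problems.append(f"missing required member {name}")
    if problems:
        return problems
    # RFC 8414 section 3.3: the issuer inside the document must be identical to the issuer the
    # client started from; otherwise a host that answers for the wrong issuer could steer the
    # client to endpoints it controls (mix-up attack).
    if meta["issuer"] != expected_issuer:
        problems.append(f"issuer mismatch: {meta['issuer']!r} != {expected_issuer!r}")
    for endpoint in ("authorization_endpoint", "token_endpoint"):
        if not str(meta[endpoint]).startswith("https://"):
            problems.append(f"{endpoint} is not https")
    if "code" not in meta["response_types_supported"]:
        problems.append("authorization code flow not supported")
    # MCP clients use PKCE; S256 is the method to require.
    if "S256" not in meta.get("code_challenge_methods_supported", []):
        problems.append("S256 PKCE not advertised")
    return problems


# Constructed sample of what the well-known endpoint returns (shape only; values are not real).
SAMPLE_ISSUER = "https://kc.example.test/realms/mcp"
SAMPLE_METADATA = json.dumps({
    "issuer": SAMPLE_ISSUER,
    "authorization_endpoint": SAMPLE_ISSUER + "/protocol/openid-connect/auth",
    "token_endpoint": SAMPLE_ISSUER + "/protocol/openid-connect/token",
    "response_types_supported": ["code"],
    "code_challenge_methods_supported": ["S256"],
})

if __name__ == "__main__":
    print(metadata_url(SAMPLE_ISSUER))
    print(metadata_problems(SAMPLE_ISSUER, SAMPLE_METADATA))
```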
Administration
Update Email Workflow (supported)
Users can now update their email addresses in a more secure and consistent flow. Users are required to both re-authenticate and verify their email before any account update is applied.
For more information, see Update Email Workflow.
Optional email domain for organizations
In earlier versions, each organization required at least one email domain, which was a limitation for some scenarios. Starting with this release, an email domain is optional. Thank you to Alexis Rico for contributing this.
When no domain is specified, organization members will not be validated against domain restrictions during authentication and profile validation.
Hiding identity providers from the Account Console
You can now control which identity providers appear in the Account Console based on different options using the Show in Account console setting. You can choose to show only those linked with a user or hide them completely.
For more information, see General configuration.
Enforce recovery codes setup after setting up OTP
If you have enabled OTPs and recovery codes as a second factor for authentication, you can configure the OTP required action to ask users to set up recovery codes once they set up an OTP. Thank you to Niko Köbler for contributing this.
New conditional authenticator
The Conditional - credential is a new authenticator that checks if a specific credential type has been used (or not used) during the authentication process. This condition is related to the Passkeys feature. It is added by Keycloak to the default browser flow to skip 2FA in case a passkey was used to log in as the primary credential.
For more information about conditional flows, see Conditions in conditional flows.
Translations managed by Weblate
The Keycloak distribution now includes 35 community translations, with Kazakh, Azerbaijani and Slovenian added in this release. Community volunteers now maintain some of the translations in Weblate to keep them up to date.
If you want to volunteer to maintain an existing or a new translation via Weblate, you can find the necessary steps in the translation guidelines.
Configuring and Running
Enhancements for single-cluster and multi-cluster setups
This release renamed multi-site to multi-cluster. The updated documentation describes how Keycloak clusters can optionally be distributed across multiple availability zones within a region for increased availability. The Keycloak Operator now deploys Keycloak across multiple availability zones within a Kubernetes cluster by default. Keycloak also detects split-brains within a cluster.
This change should provide better availability for users who are running Keycloak in Kubernetes clusters that span multiple availability zones.
Support for additional databases and versions
With this release, we added support for the following new database vendors:
EnterpriseDB (EDB) Advanced 17.6
Azure SQL Database and Azure SQL Managed Instance
Where the previous documentation listed only the tested database versions, it now lists all supported database versions as well.
Expose management interface via HTTP
Previous versions exposed the management endpoint only via HTTPS when the main interface was using HTTPS.
Set the new option http-management-scheme to http to have the management interface use HTTP rather than inheriting the HTTPS settings of the main interface.
This allows monitoring those endpoints in environments where no TLS client is available.
Expose health endpoints on the main HTTP(S) port
With health-enabled set to true, you may set http-management-health-enabled to false to indicate that health endpoints should be exposed on the main HTTP(S) port instead of the management port. When this option is false you should block unwanted external traffic to /health at your proxy.
This allows using the health endpoints in environments where the load balancer might need access to those ports to direct traffic to the correct nodes.
Specify a tlsSecret on the Keycloak CR ingress spec
To support basic TLS termination (edge) deployments by the operator, you may now set the Keycloak CR spec.ingress.tlsSecret field to a TLS Secret name in the namespace.
Additional datasources configuration (supported)
Some Keycloak use cases like User Federation might require connecting to additional databases. This was possible only through specifying unsupported raw Quarkus properties in previous Keycloak versions. In this release, there are now dedicated server options for additional datasources. This allows users to leverage additional databases in their extensions in a supported and user-friendly way.
Read more about it in the Configure multiple datasources guide.
Observability
Operator creates a ServiceMonitor automatically
The Operator now provisions a ServiceMonitor for the management endpoint if metrics are enabled and the monitoring.coreos.com/v1:ServiceMonitor Custom Resource Definition is present on the Kubernetes cluster. The specification of the ServiceMonitor takes into account the various management endpoint configurations, to ensure that metrics can be scraped without any additional configuration. If you do not want a ServiceMonitor to be created, you can disable this by setting spec.serviceMonitor.enabled: false. For more details, see the Operator Guide.
HTTP access logging of incoming HTTP requests
Keycloak supports HTTP access logging to record details of incoming HTTP requests. While access logs are often used for debugging and traffic analysis, they are also important for security auditing and compliance monitoring.
For more information, see Configuring logging.
Showing context information in log messages (preview)
You can now add context information via the mapped diagnostic context (MDC) to each log message, such as the realm or the client that initiated the request. This helps you to track down a warning or error message in the log to a specific caller or environment. Thank you to Björn Eickvonder for contributing this.
For more details on this opt-in feature, see Configuring logging.
Upgrading
Before upgrading refer to the migration guide for a complete list of changes.
All resolved issues
New features
- #19732 "linked-accounts" endpoint displays all Identity providers (account/api)
- #40237 Add option "Requires short state parameter" to OIDC IDP (authentication)
- #40696 Wrap deprecated passkeys authenticator behind the feature (authentication/webauthn)
- #41316 Test suites config for the new test framework (test-framework)
- #41357 Disable tests for specific databases and servers in test framework (test-framework)
- #42313 Experimental SPIFFE identity provider
- #42742 Supported EnterpriseDB Advanced 17
- #42743 Supported Azure SQL
Enhancements
- #10063 Display transport media for WebAuthn authenticators in Account console (account/ui)
- #14644 External IDP tokens are not refreshed automatically for OAuth2 & OIDC IDPs when retrieving the external token (identity-brokering)
- #17028 SAML: Adapter SP seamless certificate rotation (saml)
- #19213 Allow enabling debug and verbose via environment variables (dist/quarkus)
- #21816 Expose Keycloak config errors in the Keycloak CR status field (operator)
- #22730 REST API returns different amount of users (admin/api)
- #23972 Improve handling config options in scripts preventing re-augmentation
- #25668 Remove duplication of MP config initialization (dist/quarkus)
- #26277 DPoP: Allow to only DPoP-bind refresh tokens and still issue access tokens of type Bearer (oidc)
- #26995 Bad performance when requesting events of a user
- #27025 Move import/export validation to the Property Mappers (dist/quarkus)
- #28846 Allow the target attribute on in the kcSanitize (core)
- #29295 Exact match in users/count
- #30095 High Availability guides should make distinction between single-site and multi-site deployments (docs)
- #31285 Make domains for organisations optional
- #32129 Automatically create external caches for MULTI_SITE deployments
- #32569 Verify email when using UPDATE_EMAIL action without depending on realm wide setting
- #33942 Make sure Keycloak endpoints have DPoP validation (oidc)
- #34114 Operator: Support ConfigMaps for `Keycloak.spec.truststores`
- #34206 Move to single approach for setting `Robots` specifications: prefer `X-Robots-Tag` header to `` tags (core)
- #34244 Enable branding without code changes
- #34777 [Operator] Use TLS secret for Ingress (operator)
- #35441 Add FAPI 2.0 + DPoP security profile as default profile of client policies (oidc)
- #36160 Default values for User attributes.
- #36268 Configuration is not available outside of quarkus modules
- #37363 Allow custom labels on Operator Ingress (operator)
- #37600 Experimental support for authenticating clients with Kubernetes Service Accounts
- #38126 Improve documentation for the HEALTHCHECK Dockerfile directive (docs)
- #38897 Add WASM support to the MimeTypeUtil
- #39293 [OID4VCI] Update credential format identifier of SD-JWT VCs from `vc+sd-jwt` to `dc+sd-jwt` (oid4vc)
- #39299 Improve docs, and possibly defaults, around ldap pooling
- #39342 Description for using too many threads / connections is incomplete (core)
- #39658 OpenTelemetry Tracing: Visualize JGroups communication (infinispan)
- #39812 Add filter to include/fill MDC with request specific data for json logging
- #40061 Redundant null-checks. SAST
- #40067 Always null field in KeySelectorUtilizingKeyNameHint. SAST
- #40069 Possible dereference of Null
- #40226 Review and update the documentation regarding the UPDATE EMAIL feature
- #40227 Make UPDATE_EMAIL a supported feature
- #40231 Improve javadoc for admin-client methods with injecting own resteasyClient (admin/client-java)
- #40296 Update docs how to verify that a cluster has formed
- #40377 Allow to expose IDP custom config values to Keycloak themes
- #40388 Write documentation for additional datasources (docs)
- #40406 Create ServiceMonitor via KC Operator
- #40464 Improve extensibility of custom AccountConsole endpoint handling (account/ui)
- #40481 Provide CLI Parameters for jgroups.* options (infinispan)
- #40592 Upgrade to the Quarkus 3.24.2 version (dist/quarkus)
- #40619 When editing protocol mappers, shows required properties (admin/ui)
- #40629 Signs of fall-through behavior. SAST
- #40630 Double check when working with multithreading. SAST
- #40659 Possible Dereference of Null. SAST
- #40660 Resources leak. SAST
- #40677 Redundant null checks - operator new. SAST
- #40683 Remove workaround for handling Syslog counting framing
- #40687 Remove workaround for PostgreSQL and Liquibase
- #40739 Avoid floating promises in UI code (account/ui)
- #40761 Change naming for disabling additional datasource
- #40792 Changing default passwordless webauthn policy to follow recommended values in the documentation (authentication/webauthn)
- #40851 Upgrade to Infinispan 15.0.16.Final
- #40855 External-internal token exchange independent from FGAP v1 (token-exchange/federated)
- #40858 Check cluster is correctly formed in ClusteredKeycloakServer (test-framework)
- #40874 Update code and documentation for import of a new realm
- #40875 Improve memory footprint of single file realm import
- #40923 Compliant with RFC8414, return server metadata at /.well-known/oauth-authorization-server/realms/{realm} (core)
- #40926 More secure call of Facebook debug token (token-exchange/federated)
- #40933 Allow configure encryption details for SAML clients (saml)
- #40962 Update limitations of the preview feature rolling updates for patch releases (infinispan)
- #40970 Run clustering compatibility tests on release/x.y branches
- #41014 Operator auto update hash (operator)
- #41022 Allow Features to declare that they support Rolling upgrades
- #41034 Improve logging for client sessions load
- #41045 Update email feature only enabled if the required action is enabled at the realm
- #41074 Import client sessions into Infinispan concurrently for persistent sessions
- #41119 FAPI 2.0 Security Profile Final - only accept its issuer identifier value as a string in the aud claim received in client authentication assertions (oidc)
- #41120 FAPI 2.0 Security Profile Final - Add FAPI 2.0 Final security profile as default profile of client policies (oidc)
- #41121 FAPI 2.0 Security Profile Final - Documentation (oidc)
- #41138 Implement CompatibilityMetadataProvider for Cache CLI args
- #41151 Update Traditional Chinese locale to latest version
- #41161 Require setting DB kind for additional datasources (dist/quarkus)
- #41172 Upgrade to Quarkus 3.24.3
- #41176 Document supported OIDC/OAuth2 standards (oidc)
- #41186 Upgrade to Quarkus 3.25.0 (dist/quarkus)
- #41192 Improve handling of datasource name specified in `persistence.xml` files (dist/quarkus)
- #41208 MDC logging should contain the authentication session and user session ID
- #41214 Document configuration changes that prevent rolling updates
- #41219 Document spi-user-sessions--infinispan--use-batches
- #41222 Provide DB SQL options support for additional datasources (dist/quarkus)
- #41229 Remove obsolete code for the Liquibase LogHistoryService (core)
- #41239 Migrate to zh-Hans / zh-Hant for simplified and traditional Chinese (translations)
- #41246 Upgrade to Quarkus 3.24.4 (dist/quarkus)
- #41257 Upgrade to Infinispan 15.0.18.Final (infinispan)
- #41259 Passkeys support in IdpUsernamePasswordForm (authentication/webauthn)
- #41283 Update ua-parser to 1.6.1
- #41293 Remove obsolete Liquibase FK snapshot generator (storage)
- #41297 Implement CompatibilityMetadataProvider for DB options
- #41303 Allow for health check on main interface
- #41312 FAPI 2.0 Message Signing Final - Add FAPI 2.0 Final message signing as default profile of client policies (oidc)
- #41313 FAPI 2.0 Message Signing Final - Documentation (oidc)
- #41328 Utilise table to display Features
- #41335 Kerberos "Server Principal" value should automatically trim leading/trailing whitespace
- #41352 Provide simple HTTP access logs (dist/quarkus)
- #41354 Avoid OTP when logging in with passkey
- #41374 Upgrade to Quarkus 3.24.5 (dist/quarkus)
- #41405 Add log details about client assertion for client authentication with Client-JWT
- #41455 Adds TiDB into the database test matrix
- #41459 Query parameter "claims" not forwarded to external provider (identity-brokering)
- #41551 Support for key size 3072 in rsa-generated key providers
- #41556 Switch passkeys to supported (authentication/webauthn)
- #41557 Update passkeys documentation after they are supported (docs)
- #41558 Ensure cache configuration has correct number of owners
- #41559 Simplify Cache Configuration file by removing built-in cache configurations
- #41561 Detect and handle KC split brain clusters
- #41585 Refactor high-availability guide to include both single and multi cluster architectures
- #41613 Ability to display 'authenticator provider' of the WebAuthn credential (authentication/webauthn)
- #41625 Login[v2]: "Update email" screen is not polished (login/ui)
- #41666 Default to stretched clusters on Kubernetes when possible
- #41670 Allow forwarding the `claims` parameter from the initial authorization request to brokered OPs
- #41717 Upgrade to Quarkus 3.25.2 (dist/quarkus)
- #41729 Define default topologySpreadConstraints
- #41765 Add Azerbaijani translations (translations)
- #41766 Add the ability to set arbitrary environment variables in Keycloak CR
- #41820 Add a warning about provider jars
- #41831 Improve autocomplete on mobile for OTP field
- #41836 Add config option to Configure OTP action to automatically add RecoveryCodes action upon OTP creation.
- #41837 Remove OIDCLoginProtocolService.certsHead() (oidc)
- #41870 Kazakh (kk) locale support with translations (translations)
- #41898 Clarify the documentation on automatic database schema downgrades (core)
- #41901 FGAP v2: RESET_PASSWORD capability for USERS
- #41933 Configure topology information in Infinispan
- #41934 Infinispan 15.0.19.Final
- #41950 Log applied cache configurations as part of debug logs
- #42016 More flexible handling of params, headers and entities for SimpleHTTP
- #42030 Could the list of supported DPoP algorithms be dynamically retrieved? (oidc)
- #42031 Minor enhancements in the DPoP related codebase (oidc)
- #42032 Switch DPoP feature to supported (oidc)
- #42047 Skip configuring `jdbc-ping` stack in local mode
- #42094 keycloak oob (out-of-band) copy button (login/ui)
- #42096 Concurrently update the remote caches
- #42180 Cache UserAgent parsing result
- #42186 Document network latency requirements for stretched clusters
- #42191 Document mtls considerations for probes
- #42203 Upgrade to Quarkus 3.27 LTS
- #42269 Some 409 API responses are missing from the OpenAPI spec (core)
- #42274 Session IDs and auth codes have less than 128 bits of entropy
- #42283 More efficient secure ID generator
- #42286 Support EdDSA for DPoP (oidc)
- #42293 Set Liquibase DB type based on the `db` option (storage)
- #42300 Validate wait_timeout parameter on MySQL and MariaDB
- #42304 Document tested and supported configurations for single-cluster deployments
- #42305 Document that single-cluster deployments expect all Keycloak instances to serve traffic
- #42308 Support Aurora PostgreSQL 17.5 in Keycloak's nightly run
- #42342 Upgrade to Quarkus 3.26.2 (dist/quarkus)
- #42356 Support MariaDB 11.8 LTS
- #42358 Remove usage of the term "stretched" from single-cluster HA guides
- #42374 Concurrent update embedded caches and database
- #42381 [RLM] - Validate actions that support aggregating actions
- #42382 [RLM] - Immediate policies should not allow setting a time to their actions
- #42384 [RLM] Allow adding and removing actions to existing policies
- #42385 [RLM] Scheduled time of actions should be based on the previous action
- #42389 [RLM] Review the available event names to make more explicit the resource type and the operation they are related to
- #42392 Link to quay IO website for the Keycloak image in upstream (docs)
- #42409 Wrong form to enter username and password for an unknown user (organizations)
- #42499 Follow-up: FAPI 2.0 Message Signing final version support - updating the link to the final spec (oidc)
- #42525 Catch specific exception and add logging when there is no active request context
- #42532 Edit Keycloak 26.4 release notes
- #42547 Replace UUID with composite key for client session cache (infinispan)
- #42564 Edit Keycloak 26.4 Upgrading Guide
- #42628 Lazy load client sessions
- #42697 [RLM] - Improve the Workflow JSON schema
- #42705 Document Caffeine cache metrics
- #42728 DPoP: documentation update (oidc)
- #42733 Test JDK 25 in CI (ci)
- #42740 Possibility to enforce authorization code binding to DPoP (oidc)
- #42746 Polishing of client switch on DPoP (oidc)
- #42751 Allow EdDSA keys in the JWTClientCredentialsProvider to authenticate clients (core)
- #42755 [OID4VCI] Filter supported_enc_algorithms to only include asymmetric algorithms (oid4vc)
- #42756 Add missing Swedish translation for login theme
- #42888 [RLM] - Allow defining steps in a workflow that can run immediate or scheduled
- #42916 [RLM] - Do not allow updates to workflow properties that impact the scheduled steps (workflows)
- #42927 Update OID4VCI documentation with new .well-known URL format (oid4vc)
- #42955 Use JDK 25 Temurin in GHA CI (ci)
- #43017 OID4VCI in the release notes for 26.4.0 (docs)
- #43035 Allow setting max age to the update email action
Bugs
- #26972 NginxProxySslClientCertificateLookupFactory unable to work with custom trust stores (core)
- #35825 Per client session idle time capped by realm level client idle timeout (core)
- #35932 Importing a realm takes more than 1 minute when multiple others exist. (dist/quarkus)
- #36716 invalid_request when authenticating using PAR (Pushed Authorization Request) while Kerberos is enabled (authentication)
- #38016 User session limit exceeded for both realm and client removes the wrong session (core)
- #38556 Consistent behaviour for User API getUsers and count (admin/api)
- #38924 `--debug` does not work with docker container version of Keycloak (core)
- #38928 Can't install Keycloak Operator on OpenShift via OperatorHub on ARM (operator)
- #39079 AuthenticationFlowException when a user tries a password grant using a service account (authentication)
- #39091 Flaky test: org.keycloak.testsuite.cluster.JGroupsCertificateRotationClusterTest#testCoordinatorHasScheduleTask (ci)
- #39122 Export fails with an unexpected error if the realm does not exist (core)
- #39608 Getting Keycloak exception with request 500 status code on /account with semicolon in URL (dist/quarkus)
- #39609 Users searchAttributes broken for empty value (admin/client-java)
- #39766 [Keycloak Operator CI] - Test local apiserver - Kube API Server did not start properly (ci)
- #39854 Flaky test: org.keycloak.testsuite.cluster.PermissionTicketInvalidationClusterTest#crudWithFailover (ci)
- #39864 IdP redirect fails when user belongs to multiple organizations with organization:* scope (organizations)
- #40160 Action Tokens Copy Nonce Into JTI (core)
- #40192 REST Admin API - ClientsResource response with 200 OK even needed roles are missing (admin/api)
- #40368 NPE during loading user groups with concurrent deletion (storage)
- #40374 Random but frequent duplicate key value violates unique constraint "constraint_offl_us_ses_pk2" errors (authentication)
- #40383 KC should connect to a writer instance of PostgreSQL automatically (dist/quarkus)
- #40398 ModelDuplicateException on next login after deleting an account and back-channel logout (authentication)
- #40463 Login to Account Console produces two consecutive LOGIN events (account/ui)
- #40557 Uploading JSON import in UI causes extreme lag or entirely unresponsive page since 26.1 (admin/ui)
- #40680 Inconsistency between UserModel.isMemberOf and RoleUtils.isMember (with LDAP involved) (authentication)
- #40713 Unable to configure TLS reloading in Keycloak version 26.2.0 or later (account/api)
- #40754 UserSession Offline removed from DB if not in cache (infinispan)
- #40782 Flaky test: org.keycloak.testsuite.cluster.RealmInvalidationClusterTest#crudWithFailover (ci)
- #40784 Default jdbc-ping cluster setup for distributed caches fails in Oracle (infinispan)
- #40786 Typo in Consent Scope Representation (account/api)
- #40788 Custom scope display name not shown in Account UI (account/ui)
- #40818 Identity provider links list is limited to 100 entries for a user in the admin UI (admin/ui)
- #40838 Mark options for additional datasources as preview (dist/quarkus)
- #40857 Unbounded login_hint Parameter Can Corrupt KC_RESTART Cookie and Break Login Flow (oidc)
- #40890 Keycloak Operator 26.3.0 fails to update to 26.3.0 (operator)
- #40903 Proxy detection needs tweaked for insecure context warning (dist/quarkus)
- #40930 Docs: server_development/topics/themes.adoc (docs)
- #40932 [Operator] UpdateTest.testImageChange throws TimeoutException (operator)
- #40935 NPE thrown when encoding a token without having a client set in the session (oidc)
- #40945 Unclear documentation for setting management server as http when main server is https (dist/quarkus)
- #40954 Keycloak 26.3.0 Regression: Failed to login if web-authn is disabled (core)
- #40959 Update "Enabling and disabling features" documentation (docs)
- #40975 Make passkeys feature dependent on web_authn (authentication/webauthn)
- #40977 Loglevel recorded from build phase (dist/quarkus)
- #40980 Can't update security-admin-console via admin UI with volatile sessions (infinispan)
- #40984 Backchannel logout token with an unexpected signature algorithm key (oidc)
- #40995 LDAP / ModelException: At least one condition should be provided to OR query (core)
- #40997 Wildcard mappers should be implicitly handled and value propagated (dist/quarkus)
- #41008 Missing signin with passkeys feature when FORCED_REAUTHENTICATION = true (authentication/webauthn)
- #41018 Flaky test: org.keycloak.testsuite.cluster.ClientInvalidationClusterTest#crudWithFailover (ci)
- #41023 Can't send e-mails to international e-mail addresses: bad UTF-8 syntax (core)
- #41029 DOC: 'Running Keycloak in a Container' inconsistent (docs)
- #41035 Skip update email required action if email attribute is not writable
- #41037 WebAuthN Setup: OperationError: A request is already pending. (authentication/webauthn)
- #41038 FIPS errors in CI
- #41041 Able to create a client without entering Client ID (admin/ui)
- #41044 Federated users incorrectly listed on first load due to uninitialized userProfileProvidersEnabled (admin/ui)
- #41080 Permission evaluation for resource type Clients broken (admin/fine-grained-permissions)
- #41082 Multiple primary key defined when attempting to upgrade after 26.3.0 (core)
- #41098 Locked out after upgrade to 26.3.1 due to missing sub in lightweight access token (core)
- #41103 Service Account users now showing in the User List (admin/ui)
- #41105 Unknown relation when removing realm role with --db-schema configured (storage)
- #41117 NUL byte characters are sent from query parameters to the database causing SQL exception (core)
- #41140 Blank Tab in Client Registration Access Policies (admin/ui)
- #41148 org.keycloak.authentication.forms.RegistrationPassword#validate -> java.lang.UnsupportedOperationException (authentication)
- #41152 Docs use em-dashes instead of double dashes for SPI options in regular text (docs)
- #41170 'exp' and 'iat' missing from claims_supported entry in OpenID Endpoint Configuration (oidc)
- #41181 FAPI 2.0 Message Signing Final - PAR endpoint does not return an appropriate error regarding a request object (oidc)
- #41184 CVE-2025-48924 - Uncontrolled Recursion vulnerability in Apache Commons Lang
- #41188 UserResources.addFederatedIdentity is missing OpenApi @Consumes annotation (admin/api)
- #41204 UpdateTest CI failures (ci)
- #41228 [quarkus-next] Migration tests failed for MySQL-based DB drivers (dist/quarkus)
- #41235 Group imports performance (import-export)
- #41242 Re-authentication with passkeys not easily possible (authentication/webauthn)
- #41268 `--optimized` flag and providers jar are incompatible when used with tools changing `last-modify-date` (dist/quarkus)
- #41287 Failing test in account console (account/ui)
- #41289 Account test failing (account/ui)
- #41290 Concurrent starts with JDBC_PING lead to a split cluster (infinispan)
- #41295 Avoid additional execution of Liquibase changelog lock table statement (storage)
- #41299 [quarkus-next] Missing comment generated by Liquibase executor in the custom script (storage)
- #41331 Prevent sending massive amount of emails if a user clicks multiple times to get a new verify email link (core)
- #41339 Add and delete bundle test failing (admin/ui)
- #41388 Welcome page creates a temporary user (core)
- #41390 JDBC_PING2 doesn't merge split clusters after a while (infinispan)
- #41418 Access to user details for restricted admin fails after enabling organization in realm (organizations)
- #41421 Broken link securing-cache-communication in caching docs (docs)
- #41423 Duplicate IDs in generated all configuration docs (docs)
- #41427 Parallel token exchange fails if client session is expired (token-exchange)
- #41466 [quarkus-next] @QuarkusTest fetches JARs again when executed (dist/quarkus)
- #41468 [quarkus-next] [windows] ClassNotFoundException: JvmOptionsBuilder (dist/quarkus)
- #41469 Uncaught exception causes unclosed spans in tracing (dist/quarkus)
- #41474 File choosing tests fail on Windows (admin/ui)
- #41488 Synchronize Maven surefire plugin with Quarkus (dist/quarkus)
- #41491 ExternalLinks are broken in documentation (docs)
- #41520 LDAP Import: KERBEROS_PRINCIPAL not updated when UserPrincipal changes and KERBEROS_PRINCIPAL was null on creation (ldap)
- #41532 LDAP Sync all users takes unexpectedly long in 26.3 (> 30 min) (ldap)
- #41537 Getting error 405 "Method Not Allowed" when calling the "certs" endpoint with HEAD method (oidc)
- #41598 Kerberos playwright test flaky (admin/ui)
- #41609 RejectImplicitGrantExecutor does not return an error when a PAR request includes Implicit or Hybrid response type (oidc)
- #41620 Typos and AsciiDoc formatting in token exchange (docs)
- #41624 Duplicate fields in RealmRepresentation in OpenAPI JSON file (docs)
- #41641 Cannot use `dev-file` for additional datasources (storage)
- #41643 Test SMTP connection fails when no port is specified (admin/api)
- #41648 Flaky user profile test (admin/ui)
- #41653 Flaky test: org.keycloak.testsuite.oid4vc.issuance.signing.OID4VCIssuerWellKnownProviderTest#testMetaDataEndpointIsCorrectlySetup (ci)
- #41662 TiDB Many WAITING threads during high load scenario (core)
- #41663 Typo in the caching doc (docs)
- #41669 Keycloak SAML Adapter subsystem does not work in WildFly 37 (adapter/saml)
- #41677 Provider default regression (dist/quarkus)
- #41683 SAML test is flaky (admin/ui)
- #41701 The same text shows up twice on the e-mail validity confirmation screen (account/ui)
- #41711 Another flaky SAML test (admin/ui)
- #41728 Node.js v22.18.0 causes JavaScript CI to fail
- #41744 Weblate does not show zh_hant for the admin UI (translations)
- #41752 Flaky Organization test (admin/ui)
- #41755 Forwarded `claims` parameter from the initial authorization request to brokered OPs is not URL encoded (identity-brokering)
- #41792 docs: Non interactive logout options missing documentation (oidc)
- #41799 Authorization filtering causes NullPointerException with "Null keys are not supported!" in searchForUserStream (26.3.1+)
account/api - #41801 Lack of coordination in database creation in 26.3.0 causes deployment failures (Reopen)
core - #41804 OIDC identity provider token refresh fails with JsonMapperException
identity-brokering - #41808 CVE-2025-7962 In Jakarta Mail 2.0.2 it is possible to preform a SMTP Injection by utilizing the \r and \n UTF-8 characters to separate different messages
core - #41821 Fix Jandex version collision to allow running tests using auth-server-quarkus-embedded
testsuite - #41823 Test flaky due to dual certificates
admin/ui - #41834 Clicking email confirmation links in Outlook results in a "stale link" error
core - #41842 memberOf attribute empty or values with a DN that does not match the role base DN fetches all roles
ldap - #41854 KeycloakSession javadoc references keycloak-server.json
core - #41860 Unbalanced HTML in login form templates
login/ui - #41897 Hibernate 7.1 breaks TiDB support
ci - #41903 [Operator CI] - Test local apiserver - Could not load class with name KeycloakDistConfiguratorTest
ci - #41906 Backwards incompatible changes to 26.3.0 cause NullPointerException when requesting /certificates/jwt.credential/generate-and-download
authentication - #41909 Admin console provider info shows "Add providers"
admin/ui - #41913 [Store IT] - UserSessionRefreshTimePolicyTest unstable
ci - #41914 Role mapping `account.manage-account-links` not sufficient for Client initiated account linking
authentication - #41937 Display name for requireAction.idp_link, requireAction.delete_credential and requireAction.update_user_locale not mapping correctly
admin/ui - #41942 Uncaught server error: org.keycloak.models.ModelException: Database operation failed : Sync LDAP Groups to Keycloak (Custom Provider)
core - #41945 After upgrade to 26.3: Not possible to use Credentials having not-unique label
login/ui - #41994 Check for non-ascii local part on emails depending on SMTP configuration
core - #42006 Fix flaky tests for personal info in account console
account/ui - #42012 Client session timestamp not updated in the database if running multiple nodes
infinispan - #42018 Realm overrides test is flaky
admin/ui - #42033 [RLM] NPE during user authentication
core - #42044 Dynamic client authentication configuration uses wrong config
admin/ui - #42046 KeycloakRealmImport placeholder replacement provides access to sensitive environment variables.
operator - #42050 Recovery Codes are shown as "another way" even if not configured
login/ui - #42052 User Profile attribute annotation "inputType" yields in not savable attribute
user-profile - #42057 [Operator] Update job incorrectly inherits podTemplate configuration from unsupported.podTemplate
operator - #42069 Fix common failures when running the admin console tests on Firefox
- #42114 "Session/EntityManager is closed" during application startup "singleFile" users import
testsuite - #42139 Backwards compatibility awareness
identity-brokering - #42142 Dedicated client scope mappers missing
oidc - #42158 Bug in configuration keycoak via keycloak.conf
dist/quarkus - #42159 Docs: authorization_services/topics/permission-typed-resource-permission.adoc
authorization-services - #42164 [Keycloak CI - Docs] Broken links
core - #42165 [Keycloak CI - Admin UI, Account UI, Account E2E UI] Installing PNMP Error
ci - #42178 Integer validation error not shown for user profile fields
user-profile - #42182 Validation errors for required actions don't show translated messages
admin/ui - #42201 Local access required if KC_BOOTSTRAP_ADMIN_CLIENT_ID is set but not KC_BOOTSTRAP_ADMIN_USERNAME
login/ui - #42208 Audience mapper not honored when requesting organization scope
authentication - #42213 Importing SAML IdP metadata sets Validate Signatures to false even if signing certificate is provided
saml - #42263 Quarkus config (quarkus.properties) not picked up after 26.3.0
dist/quarkus - #42270 Missing double-dash in the events documentation
core - #42276 Admin UI hides local users when LDAP provider fails (generic error shown; forces workaround)
admin/ui - #42278 Flaky test: org.keycloak.testsuite.model.session.UserSessionConcurrencyTest#testConcurrentNotesChange
ci - #42334 Experimental features enabled warning shown multiple times
dist/quarkus - #42335 Colored output is lost during startup
dist/quarkus - #42339 Allowed Client Scopes add openid scope in scope list
oidc - #42360 LDAP mapper test is flaky
admin/ui - #42369 Missing client session offline settings on realm level in the admin UI
admin/ui - #42375 Client to be included cannot be configured for the OID4VCITargetRoleMapper anymore
oid4vc - #42390 OIDC fails if doens't have email mapper if a LDAP exists
ldap - #42403 ui-shared: Accessibility of Switch control
admin/ui - #42405 Old hmac-generated (32bit) is recreated when order is changed in realm keys ui
core - #42408 Organization without email domain shows an error when trying to link an Identity Provider
organizations - #42419 Client authenticators executed multiple times
oidc - #42426 Guides contain broken ha links
docs - #42496 Compilation error in RolePolicyConditionProvider
core - #42575 Locale selector displays incorrect label for Chinese
translations - #42650 Failing device-activitiy test in account-ui tests
oidc - #42652 NullPointerException when persisting a client session
infinispan - #42678 Operator ClusterRoleBinding contains hardcoded namespace
operator - #42706 Incorrect scheme in the WWW-Authenticate when Authorization: DPoP used
oidc - #42716 The core class EdECUtilsImpl is not present in the sources jar
core - #42726 Update of sssd should add IFP section to the configuration
core - #42736 Reset password in admin UI with 'not recently used' password policy leads to error 'Device already exists with the same name'
core - #42737 The new email is mandatory error for update profile action with enabled update email
user-profile - #42752 Keycloak build broken
ci - #42765 Can't log in to admin and account console due to Web Crypto API not being available
account/ui - #42769 Missing switch "ID Token as detached signature" in the admin console client settings
oidc - #42770 Introduce pending email verification message for UPDATE_EMAIL
core - #42786 Inconsistent spelling auth WebAuthn
core - #42792 IDX_EVENT_ENTITY_USER_ID_TYPE missing column EVENT_TIME
core - #42828 Remove environment information from the server-info
admin/api - #42833 Add validation of workflow steps also when adding single step to workflow
workflows - #42837 Identify-First form should disallow empty entry
organizations - #42856 Broken external link in documentation for npm.js.com
docs - #42867 LOGIN event without a user session
oidc - #42877 Valid scope parameter in access token request is rejected with invalid_scope error
oidc - #42887 SPIFFE IdP added to login screen when created via browser
identity-brokering - #42918 Typo in the latest documentation
docs - #42922 Dynamic Client Registration invalidates the realm cache
core - #42949 Username containing a '#' is truncated in Admin Console when hiding inherited roles
user-profile - #42958 Upgrade bc-fips dependencies
dependencies - #43002 Delete workflow has wrong messages.
admin/ui