fix(deps): update dependency keycloak-js to v26
This MR contains the following updates:
Package | Type | Update | Change |
---|---|---|---|
keycloak-js (source) | dependencies | major | ^25.0.0 -> ^26.0.0 |
⚠️ Warning: Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
Release Notes
keycloak/keycloak (keycloak-js)
v26.0.7
Upgrading
Before upgrading refer to the migration guide for a complete list of changes.
All resolved issues
Enhancements
- #34882 Edits to Authorization Services guide
- #34916 Addresse QE comments on Server Administration guide
- #34931 Upgrade to ISPN 15.0.11.Final
Bugs
- #10233 Locale Setting for Update Password Mail `admin/api`
- #17233 the InfoPage after an ExecuteActionsEmail is not localized based on the user's locale `authentication`
- #30631 Upgrade to 25 throws: Statement violates GTID consistency `core`
- #32143 UserId too long to add Security Key WebauthN `authentication/webauthn`
- #32648 RP-Initiated logout using `POST` method fails in cross-origin setup `oidc`
- #32676 Flaky test: org.keycloak.testsuite.forms.BrowserButtonsTest#appInitiatedRegistrationWithBackButton `ci`
- #33071 RESTART_AUTHENTICATION_ERROR in Iphone devices (using safari and chrome browser) `oidc`
- #33195 Any one Client role mapping to user/group generating two events on admin events tab. `core`
- #33810 Stabilise my-resources.spec test `account/ui`
- #34233 Service accounts visible under user search in Admin console `admin/api`
- #34391 Error on "check a11y" tests on Cypress `admin/ui`
- #34560 Switching 'Email as Username' alters existing custom usernames to email addresses, causing LDAP sync issues `core`
- #34572 Text in "Choose a policy type" is not wrapping `admin/ui`
- #34590 Attributes missing in OrganizationRepresentation when using Admin REST API in Keycloak 26 `admin/api`
- #34678 [Admin UI] [Create resource-based permission] Resource input is disabled `admin/ui`
- #34858 Deprecated CLI options and new options are not stable in their sorting `dist/quarkus`
- #34864 On logout from admin console, a serverinfo call with 401 response in the logs `admin/ui`
- #34888 Authentication Link and IDP Fails with 400 Bad Request After Migrating to Version 26 and Delete Authentification `authentication`
- #34899 Upgrade 24 to 25 fails because db jpa changes drop nonexisting indexes. `core`
- #34930 Update Email doesn't update username when Email as Username and Attributes are enabled `user-profile`
- #34944 Adding "sub" claim to lightweight access token causes HTTP 403 Forbidden Error in Keycloak 26.0.5 `oidc`
- #34975 getAll() organization members only returns the first 10 members `organizations`
- #34987 KC25 Migration guide for caching options needs clarification
- #35006 Mis-formatted unordered list in the caching docs
- #35015 Flaky test: org.keycloak.testsuite.model.session.AuthenticationSessionTest#testConcurrentAuthenticationSessionsRemoval `ci`
- #35087 Flaky test: org.keycloak.testsuite.model.session.AuthenticationSessionTest#testConcurrentAuthenticationSessionsCreation `ci`
- #35229 Fix typo in v24 changelog: "longer" -> "no longer" `docs`
- #35232 reCAPTCHA v3 not working `login/ui`
- #35276 Your login attempt timed out `authentication`
- #35282 [Keycloak CI] - Test PoC failing on Keycloak 26.0 branch
- #35288 Upgrade 26.0.5 -> 26.0.6 completely breaks admin events in the admin UI `admin/ui`
- #35328 Error when creating a permission ticket when there are 2 or more Keycloak servers in a cluster `authorization-services`
v26.0.6
Highlights
Admin events might now include additional details about the context when the event is fired
In this release, admin events might hold additional details about the context when the event is fired. When upgrading, expect the database schema to be updated to add a new column `DETAILS_JSON` to the `ADMIN_EVENT_ENTITY` table.
Updates to documentation of X.509 client certificate lookup via proxy
Potentially vulnerable configurations have been identified in the X.509 client certificate lookup when using a reverse proxy. Additional configuration steps might be required depending on your current configuration. Make sure to review the updated reverse proxy guide if you have configured the client certificate lookup via a proxy header.
Upgrading
Before upgrading refer to the migration guide for a complete list of changes.
All resolved issues
Enhancements
- #34315 Update the Keycloak CPU and Memory sizing guide to reflect the new ec2 workder nodes
- #34386 Some dynamic imported functions are also statically imported making bundling them in-efficient
- #34570 Make documentation more clear that keycloak javascript adapter and node.js adapter are OIDC `docs`
- #34855 Add conditional text to Installation Locations
- #34873 Update Leveraging JaKarta EE in Server Development guide
- #34887 Apply QE edits to High Availability guide
Bugs
- #609 Workflow failure - Jakarta - SAMLServiceProviderTest.testAccessAccountManagement
- #11008 Incorrect get the members of a group imported from LDAP `ldap`
- #17593 Incorrect ldap-group-mapper chosen to sync changes to ActiveDirectory when several mappers with varying group paths used `ldap`
- #19652 Members are inhereted from LDAP group with the same name `ldap`
- #23732 JavascriptAdapterTest errors when running with strict cookies on Firefox `ci`
- #27856 Social login - Stack Overflow test fails `ci`
- #31456 Enabling/Disabling user does not work with Microsoft AD LDAP via Admin API/UI `ldap`
- #32786 Organization Domain not marked as a required field in the Admin UI `admin/ui`
- #33531 Previously entered translations should persist in the translation dialog for the attribute groups `admin/ui`
- #34013 Add More Info to Organization Events `organizations`
- #34065 Users without `view-realm` can't see user lockout state in Admin UI `admin/ui`
- #34201 OIDC IdP Unable to validate signatures using validatingPublicKey certificate `admin/ui`
- #34335 NPE in Organization(s)Resource when using Quarkus Rest Client `admin/api`
- #34401 Incorrect Content-Type Expectation for POST /admin/realms/{realm}/organizations/{id}/members in Keycloak API `admin/api`
- #34465 Missing help icons in Webauthn Policy and Webauthn Passwordless Policy missing in admin ui `admin/ui`
- #34519 Clicking on link to Keycloak documentation from Keycloak admin UI does nothing instead of opening documentation `admin/ui`
- #34549 Quarkus dev mode does not work `dist/quarkus`
- #34572 Text in "Choose a policy type" is not wrapping `admin/ui`
- #34603 NPE in InfinispanOrganizationProvider if userCache is disabled `infinispan`
- #34624 Securing apps guide breaks downstream `docs`
- #34634 Missing downstream explicit name for anchors `docs`
- #34644 KC_CACHE_EMBEDDED_MTLS_ENABLED is ignored `infinispan`
- #34671 `ClientConnection.getRemoteAddr` can return a hostname when behind a reverse proxy `core`
- #34687 New credential templates broken in KC26 `login/ui`
- #34905 [Keycloak CI] Outdated surefire artifacts names - Quarkus IT and UT `ci`
- #35213 CVE-2024-10451 Sensitive Data Exposure in Keycloak Build Process
- #35214 CVE-2024-10270 Potential Denial of Service
- #35215 CVE-2024-10492 Keycloak path trasversal
- #35216 CVE-2024-9666 Keycloak proxy header handling Denial-of-Service (DoS) vulnerability
- #35217 CVE-2024-10039 Bypassing mTLS validation
v26.0.5
Highlights
LDAP users are created as enabled by default when using Microsoft Active Directory
If you are using Microsoft AD and creating users through the administrative interfaces, the user will be created as enabled by default.
In previous versions, it was only possible to update the user status after setting a (non-temporary) password to the user. This behavior was not consistent with other built-in user storages, nor with other LDAP vendors supported by the LDAP provider.
Upgrading
Before upgrading refer to the migration guide for a complete list of changes.
All resolved issues
Bugs
- #31415 Selection list does not close after outside click `admin/ui`
- #33607 Fix v2 login layout `login/ui`
- #33618 No message for `policyGroupsHelp` `admin/ui`
- #33640 Customizable footer (Keycloak 26) not displaying in keycloak.v2 login theme `login/ui`
- #34301 Remove inaccurate statement about master realm imports `docs`
- #34450 [26.0.2] Migration from 25.0.1 Identity Provider Errors `identity-brokering`
- #34467 Do not rely on the `pwdLastSet` attribute when updating AD entries `ldap`
v26.0.4
Upgrading
Before upgrading refer to the migration guide for a complete list of changes.
All resolved issues
Enhancements
- #34284 Keycloak-admin-client should work with the future versions of Keycloak server `admin/client-java`
- #34382 Make the organization chapter of Server Admin guide available on downstream
Bugs
- #14562 Broken Promise implementation for AuthZ JS `adapter/javascript`
- #25917 Allow increasing wait time on each failure after the max number of failures is reached `authentication`
- #33627 ClassNotFoundException OracleXADataSource/OracleDataSource using IDELauncher with Keycloak 26.0.0 `dist/quarkus`
- #33731 Client Scope updates are not replicated on a distributed keycloak setup in kubernetes `admin/api`
- #33798 CVE-2021-44549 - org.eclipse.angus/angus-mail: Enabling Secure Server Identity Checks for Safer SMTPS Communication `dist/quarkus`
- #33987 keycloak.v2 registration: Password policy validation error "errorList is null" `login/ui`
- #34042 LDAP Pagination not working for role membership in GET_ROLES_FROM_USER_MEMBEROF_ATTRIBUTE strategy `ldap`
- #34050 Listing federated LDAP users is very slow with import enabled `ldap`
- #34093 java.util.ConcurrentModificationException when process user sessions update `infinispan`
- #34412 LDAP: searching users with import disabled is slower since fix for 34050 `ldap`
v26.0.2
Upgrading
Before upgrading refer to the migration guide for a complete list of changes.
All resolved issues
Enhancements
- #32110 [Documentation] - Configuring trusted certificates - Fully specify truststore path `dist/quarkus`
Bugs
- #15635 oidc - JavaScript-Adapter LocalStorage#clearExpired does not clear all possible items `adapter/javascript`
- #19101 Uncaught (in promise): QuotaExceededError `adapter/javascript`
- #20287 When using `oidcProvider` config url (.well-known) it's not possible to use `silentCheckSsoRedirectUri` `adapter/javascript`
- #28978 some GUI validation check missing `admin/ui`
- #30832 Organization API not available from OpenAPI documentation `admin/api`
- #31724 Logout not working after removing Identity Provider of user `identity-brokering`
- #33072 Passkeys: Infinite (re-)loading loop on browsers with WebAuthn Conditional UI disabled `authentication/webauthn`
- #33844 Wrong documentation link in keycloak-js readme `docs`
- #33902 Not persisted config settings prevent server start `dist/quarkus`
- #33948 [PERF] OpenTelemetry is initialized even when disabled
- #33968 Not possible to close dialog boxes when clicking buttons or the close icon `admin/ui`
- #33991 Doc CI - broken links error `docs`
- #34009 grammatical error in "Managing Organizations" documentation `docs`
- #34015 Home URL for security-admin-console is broken `admin/ui`
- #34028 Custom keycloak login theme styles.css return error 404 `login/ui`
- #34049 Org Invite: `linkExpiration` template variable represents 54 years in minutes `organizations`
- #34063 Respect the locale set to a user when redering verify email pages `user-profile`
- #34069 Do not show domain match message in the identity-first login when no login hint is provided `organizations`
- #34075 Flaky test: org.keycloak.testsuite.broker.KcOidcBrokerTest#testPostBrokerLoginFlowWithOTP_bruteForceEnabled `ci`
- #34095 Keycloak 26.0.0/26.0.1 Import Issue: Multiple Realms Not Imported, Duplicated Realm Imported Instead `import-export`
- #34151 JS password validation doesn't work as intended with uppercase and lowercase minimum requirements `login/ui`
- #34155 cli options starting or ending with ; or containing ;; mangle the cli handling `dist/quarkus`
- #34224 Deleting a user leads to ISPN marshalling exception
v26.0.1
Upgrading
Before upgrading refer to the migration guide for a complete list of changes.
All resolved issues
Enhancements
- #32152 Clarify the behaviour of multiple Operator versions installed in the same cluster `operator`
- #33275 Better logging when error happens during transaction commit `storage`
Bugs
- #8935 keycloak.js example from the documentation leads to error path `adapter/javascript`
- #19358 Issue with concurrent user & group delete, unable to cleanup resource server user-policy & group-policy `authorization-services`
- #31848 Repeated email verifications while logging in through IDP caused by email case sensitivity `authentication`
- #32266 LDAP Import: KERBEROS_PRINCIPAL not updated when UserPrincipal changes and user already exists `ldap`
- #32617 Nightly Cypress tests for the Admin Console are failing on Firefox `admin/ui`
- #32844 Login V2: Missing "dir" attributes `login/ui`
- #32847 Admin UI defaults to master realm even without permissions to it `admin/ui`
- #32962 Possible issue with unavailable CryptoIntegration when using keycloak-authz-client with private_key_jwt and ECDSA algorithm `oidc`
- #33513 Can get authorization code on a non verified user with some specific kc_action (AIA) `oidc`
- #33539 Keycloak In Docker: ERROR: Strict hostname resolution configured but no hostname setting provided `docs`
- #33549 Flaky test: org.keycloak.testsuite.broker.KcOidcBrokerTest#testPostBrokerLoginFlowWithOTP_bruteForceEnabled `ci`
- #33557 Unable to submit forms in Safari `account/ui`
- #33576 Broken links / anchors after KC26 release `docs`
- #33578 In imported realms, the ability to use environment variables has disappeared `import-export`
- #33585 Fix runaway asterisk formatting in TLS documentation `docs`
- #33638 Non-optimized start command gives erroneous warnings for runtime spi options `dist/quarkus`
- #33642 RTL not working on keycloak.v2 login template `login/ui`
- #33645 keycloak-js register broken: createRegisterUrl not awaited `adapter/javascript`
- #33699 Failure to redirect to organization IdP when the organization scope is included `organizations`
- #33735 Organizations section is shown in account console if organizations is not enabled for a realm. `account/ui`
- #33776 [Regression] 26.0.0 return empty "access: []" JWT for Docker-v2 Auth provider, resulting in "access denied" `authentication`
- #33777 Error when adding or removing a user from an organisation when there are 2 or more Keycloak servers in a cluster `organizations`
- #33780 Upgrade to 26 fails with 'ERROR: index "idx_us_sess_id_on_cl_sess" does not exist' `core`
- #33814 NPE when device representation cannot be parsed `authentication`
- #33817 NEP when Default Role is not present on CachedRealm `infinispan`
- #33874 [Keycloak CI] - AuroraDB IT - Error creating EC2 runner instance
- #33875 [Keycloak CI] - FIPS IT - Failed to fetch maven
- #33883 Auth not possible for auth session where user was enabled in the meantime `authentication`
- #33907 NPE thrown in whoami endpoint `admin/ui`
- #33967 password is a required field `admin/ui`
v26.0.0
Highlights
Organizations supported
Starting with Keycloak 26, the Organizations feature is fully supported.
Client libraries updates
Dedicated release cycle for the client libraries
From this release, some of the Keycloak client libraries will have a release cycle independent of the Keycloak server release cycle. The 26.0.0 release may be the last one in which the client libraries are released together with the Keycloak server. From now on, the client libraries may be released at a different time than the Keycloak server.
The client libraries are these artifacts:
- Java admin client - Maven artifact `org.keycloak:keycloak-admin-client`
- Java authorization client - Maven artifact `org.keycloak:keycloak-authz-client`
- Java policy enforcer - Maven artifact `org.keycloak:keycloak-policy-enforcer`
It is possible that in the future, some more libraries will be included.
The client libraries are supported with Java 8, so it is possible to use them with the client applications deployed on the older application servers.
Compatibility of the client libraries with the server
Beginning with this release, we are testing and supporting client libraries with the same server version and a few previous major server versions.
For details about supported versions of client libraries with server versions, see the Upgrading Guide.
User sessions persisted by default
Keycloak 25 introduced the feature `persistent-user-sessions`. With this feature enabled all user sessions are persisted in the database as opposed to the previous behavior where only offline sessions were persisted.
In Keycloak 26, this feature is enabled by default. This means that all user sessions are persisted in the database by default.
It is possible to revert this behavior to the previous state by disabling the feature. Follow the Volatile user sessions section in Configuring distributed caches guide for more details.
For information on how to upgrade, see the Upgrading Guide.
New default login theme
There is now a new version (`v2`) of the `keycloak` login theme, which provides an improved look and feel, including support for switching automatically to a dark theme based on user preferences.
The previous version (`v1`) is now deprecated, and will be removed in a future release.
For all new realms, `keycloak.v2` will be the default login theme. Also, any existing realm that never explicitly set a login theme will be switched to `keycloak.v2`.
Highly available multi-site deployments
Keycloak 26 introduces significant improvements to the recommended HA multi-site architecture, most notably:
- Keycloak deployments are now able to handle user requests simultaneously in both sites.
- Active monitoring of the connectivity between the sites is now required to update the replication between the sites in case of a failure.
- The loadbalancer blueprint has been updated to use the AWS Global Accelerator as this avoids prolonged fail-over times caused by DNS caching by clients.
- Persistent user sessions are now a requirement of the architecture. Consequently, user sessions will be kept on Keycloak or Infinispan upgrades.
For information on how to migrate, see the Upgrading Guide.
Admin Bootstrapping and Recovery
In the past, regaining access to a Keycloak instance when all admin users were locked out was a challenging and complex process. Recognizing these challenges and aiming to significantly enhance the user experience, Keycloak now offers several straightforward methods to bootstrap a temporary admin account and recover lost admin access.
It is now possible to run the `start` or `start-dev` commands with specific options to create a temporary admin account. Additionally, a new dedicated command has been introduced, which allows users to regain admin access without hassle.
For detailed instructions and more information on this topic, refer to the Admin Bootstrap and Recovery guide.
OpenTelemetry Tracing preview
The underlying Quarkus support for OpenTelemetry Tracing has been exposed to Keycloak and allows obtaining application traces for better observability. It helps to find performance bottlenecks, determine the cause of application failures, trace a request through the distributed system, and much more. The support is in preview mode, and we would be happy to obtain any feedback.
For more information, see the Enabling Tracing guide.
OpenID for Verifiable Credential Issuance
The OpenID for Verifiable Credential Issuance (OID4VCI) is still an experimental feature in Keycloak, but it was greatly improved in this release. You will find significant development and discussions in the Keycloak OAuth SIG. Anyone from the Keycloak community is welcome to join.
Many thanks to all members of the OAuth SIG group for their participation in the development of and discussions about this feature. Special thanks to Francis Pouatcha, Pascal Knüppel, Takashi Norimatsu, Ingrid Kamga, Stefan Wiedemann and Thomas Darimont.
DPoP improvements
The DPoP (OAuth 2.0 Demonstrating Proof-of-Possession) preview feature has improvements. DPoP is now supported for all grant types.
With previous releases, this feature was supported only for the `authorization_code` grant type. Support also exists for the DPoP token type on the UserInfo endpoint.
Many thanks to Pascal Knüppel for the contribution.
Removal of GELF logging handler
GELF support has been deprecated for a while now, and with this release it has been finally removed from Keycloak. Other log handlers are available and fully supported to be used as a replacement of GELF, for example Syslog. For details see the Logging guide.
Lightweight access tokens for Admin REST API
Lightweight access tokens can now be used on the admin REST API. The `security-admin-console` and `admin-cli` clients are now using lightweight access tokens by default, so “Always Use Lightweight Access Token” and “Full Scope Allowed” are now enabled on these two clients. However, the behavior in the admin console should effectively remain the same. Be cautious if you have made changes to these two clients and if you are using them for other purposes.
Keycloak JavaScript adapter now standalone
Keycloak JavaScript adapter is now a standalone library and is therefore no longer served statically from the Keycloak server. The goal is to de-couple the library from the Keycloak server, so that it can be refactored independently, simplifying the code and making it easier to maintain in the future. Additionally, the library is now free of third-party dependencies, which makes it more lightweight and easier to use in different environments.
For a complete breakdown of the changes consult the Upgrading Guide.
Hostname v1 feature removed
The deprecated hostname v1 feature was removed. This feature was deprecated in Keycloak 25 and replaced by hostname v2. If you are still using this feature, you must migrate to hostname v2. For more details, see the Configuring the hostname (v2) and the initial migration guide.
Automatic redirect from root to relative path
The user is automatically redirected to the path where Keycloak is hosted when the `http-relative-path` property is specified.
This means that when the relative path is set to `/auth` and the user accesses `localhost:8080/`, the page is redirected to `localhost:8080/auth`.
The same applies to the management interface when the `http-management-relative-path` or `http-relative-path` property is specified.
This improves the user experience, as users no longer need to add the relative path to the URL explicitly.
Persisting revoked access tokens across restarts
In this release, revoked access tokens are written to the database and reloaded when the cluster is restarted by default when using the embedded caches.
For information on how to migrate, see the Upgrading Guide.
Client Attribute condition in Client Policies
A condition based on the client-attribute was added to Client Policies. You can use this condition to match clients that have a specified client attribute with a specified value. It is possible to use either an AND or OR condition when evaluating this condition as mentioned in the documentation for client policies.
Many thanks to Yoshiyuki Tabata for the contribution.
Specify different log levels for log handlers
It is possible to specify log levels for all available log handlers, such as `console`, `file`, or `syslog`.
The more fine-grained approach provides the ability to control logging over the whole application and be tailored to your needs.
For more information, see the Logging guide.
Proxy option removed
The deprecated `proxy` option was removed. This option was deprecated in Keycloak 24 and replaced by the `proxy-headers` option in combination with hostname options as needed. For more details, see using a reverse proxy and the initial migration guide.
Option `proxy-trusted-addresses` added
The `proxy-trusted-addresses` option can be used when the `proxy-headers` option is set to specify an allowlist of trusted proxy addresses. If the proxy address for a given request is not trusted, then the respective proxy header values will not be used.
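The rule in the paragraph above, modelled as an added example that is not Keycloak's code: forwarded headers are honoured only when the directly connecting peer is on the allowlist. It goes one step beyond the release note by walking the `X-Forwarded-For` chain from right to left; the function names, IPv4-only parsing, lowercase header key and sample addresses are assumptions made for illustration.

```javascript
// Added example, not Keycloak code. IPv4 only; all addresses are constructed.

// Parse a dotted-quad IPv4 address into an unsigned 32-bit number, or null.
function ipv4ToInt(addr) {
  const parts = String(addr).trim().split(".");
  if (parts.length !== 4) return null;
  let value = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    value = value * 256 + Number(p);
  }
  return value;
}

// Parse a comma-separated allowlist of IPv4 addresses or CIDR ranges into
// numeric [start, end] ranges. Malformed entries are rejected, because an
// empty prefix silently read as /0 would trust every address.
function parseAllowlist(spec) {
  return spec.split(",").map((s) => s.trim()).filter(Boolean).map((entry) => {
    const pieces = entry.split("/");
    const base = ipv4ToInt(pieces[0]);
    const prefixText = pieces.length === 2 ? pieces[1] : "32";
    if (pieces.length > 2 || base === null ||
        !/^\d{1,2}$/.test(prefixText) || Number(prefixText) > 32) {
      throw new Error(`invalid allowlist entry: ${entry}`);
    }
    const size = 2 ** (32 - Number(prefixText));
    const start = Math.floor(base / size) * size;
    return { start, end: start + size - 1 };
  });
}

function isTrusted(addr, ranges) {
  const n = ipv4ToInt(addr);
  return n !== null && ranges.some((r) => n >= r.start && n <= r.end);
}

// Decide which address to treat as the client.
//  - Untrusted peer: the header is ignored and the peer address is used.
//  - Trusted peer: walk X-Forwarded-For from the right (nearest hop first),
//    skipping trusted proxies, and stop at the first untrusted hop or at a
//    malformed entry. Entries further left are client-controlled.
function resolveClientAddress(peerAddr, headers, ranges) {
  const xff = headers["x-forwarded-for"];
  if (!isTrusted(peerAddr, ranges) || typeof xff !== "string") {
    return { address: peerAddr, source: "peer" };
  }
  const hops = xff.split(",").map((h) => h.trim());
  let candidate = peerAddr;
  let source = "peer";
  for (let i = hops.length - 1; i >= 0; i--) {
    if (ipv4ToInt(hops[i]) === null) break; // malformed: stop trusting the chain
    candidate = hops[i];
    source = "x-forwarded-for";
    if (!isTrusted(candidate, ranges)) break; // first hop we cannot vouch for
  }
  return { address: candidate, source };
}

// Constructed sample requests: [peer address, X-Forwarded-For value].
const trusted = parseAllowlist("10.0.0.0/24, 192.168.1.10");
for (const [peer, xff] of [
  ["198.51.100.7", "127.0.0.1"],           // direct client forging the header
  ["10.0.0.5", "127.0.0.1, 198.51.100.7"], // forged entry, then real client
]) {
  const r = resolveClientAddress(peer, { "x-forwarded-for": xff }, trusted);
  console.log(`${peer} [${xff}] -> ${r.address} (${r.source})`);
}
```

In both sample requests the forged `127.0.0.1` entry is never selected: either the peer is untrusted and the header is dropped, or the walk stops at the first address that is not a trusted proxy.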
Option `proxy-protocol-enabled` added
The `proxy-protocol-enabled` option controls whether the server should use the HA PROXY protocol when serving requests from behind a proxy. When set to true, the remote address returned will be the one from the actual connecting client.
Option to reload trust and key material added
The `https-certificates-reload-period` option can be set to define the reloading period of key store, trust store, and certificate files referenced by https-* options. Use -1 to disable reloading. Defaults to 1h (one hour).
Options to configure cache max-count added
The `--cache-embedded-${CACHE_NAME}-max-count=` option can be set to define an upper bound on the number of cache entries in the specified cache.
The `https-trust-store-*` options have been undeprecated
Based on the community feedback, we decided to undeprecate `https-trust-store-*` options to allow better granularity in trusted certificates.
The `java-keystore` key provider supports more algorithms and vault secrets
The `java-keystore` key provider, which allows loading a realm key from an external java keystore file, has been modified to manage all Keycloak algorithms. Besides, the keystore and key secrets, needed to retrieve the actual key from the store, can be configured using the vault. Therefore a Keycloak realm can externalize any key to the encrypted file without sensitive data stored in the database.
For more information about this subject, see Configuring realm keys.
Adding support for ECDH-ES encryption key management algorithms
Now Keycloak allows configuring ECDH-ES, ECDH-ES+A128KW, ECDH-ES+A192KW or ECDH-ES+A256KW as the encryption key management algorithm for clients. The Key Agreement with Elliptic Curve Diffie-Hellman Ephemeral Static (ECDH-ES) specification introduces three new header parameters for the JWT: `epk`, `apu` and `apv`. Currently the Keycloak implementation only manages the compulsory `epk` while the other two (which are optional) are never added to the header. For more information about those algorithms please refer to the JSON Web Algorithms (JWA).
Also, a new key provider, `ecdh-generated`, is available to generate realm keys and support for ECDH algorithms is added into the Java KeyStore provider.
Many thanks to Justin Tay for the contribution.
Support for multiple instances of a social broker in a realm
It is now possible to have multiple instances of the same social broker in a realm.
Most of the time a realm does not need multiple instances of the same social broker. But due to the introduction of the `organization` feature, it should be possible to link different instances of the same social broker to different organizations.
When creating a social broker, you should now provide an `Alias` and optionally a `Display name` just like any other broker.
New generalized event types for credentials
There are now generalized events for updating (`UPDATE_CREDENTIAL`) and removing (`REMOVE_CREDENTIAL`) a credential. The credential type is described in the `credential_type` attribute of the events. The new event types are supported by the Email Event Listener.
The following event types are now deprecated and will be removed in a future version: `UPDATE_PASSWORD`, `UPDATE_PASSWORD_ERROR`, `UPDATE_TOTP`, `UPDATE_TOTP_ERROR`, `REMOVE_TOTP`, `REMOVE_TOTP_ERROR`
Customizable Footer in login Themes
The `template.ftl` file in the `base/login` and the `keycloak.v2/login` theme now allows customizing the footer of the login box. This can be used to show common links or include custom scripts at the end of the page.
The new `footer.ftl` template provides a `content` macro that is rendered at the bottom of the "login box".
Keycloak CR supports standard scheduling options
The Keycloak CR now exposes first class properties for controlling the scheduling of your Keycloak Pods.
For more details, see the Operator Advanced Configuration.
KeycloakRealmImport CR supports placeholder replacement
The KeycloakRealmImport CR now exposes `spec.placeholders` to create environment variables for placeholder replacement in the import.
For more details, see the Operator Realm Import.
Configuring the LDAP Connection Pool
In this release, the LDAP connection pool configuration relies solely on system properties.
For more details, see Configuring the connection pool.
Infinispan marshalling changes to Infinispan Protostream
Marshalling is the process of converting Java objects into bytes to send them across the network between Keycloak servers. With Keycloak 26, we changed the marshalling format from JBoss Marshalling to Infinispan Protostream.
Warning: JBoss Marshalling and Infinispan Protostream are not compatible with each other and incorrect usage may lead to data loss. Consequently, all caches are cleared when upgrading to this version.
Infinispan Protostream is based on Protocol Buffers (proto 3), which has the advantage of backwards/forwards compatibility.
Removal of OSGi metadata
Since all of the Java adapters that used OSGi metadata have been removed we have stopped generating OSGi metadata for our jars.
Group-related events no longer fired when removing a realm
With the goal of improving the scalability of groups, they are now removed directly from the database when removing a realm.
As a consequence, group-related events like the `GroupRemovedEvent` are no longer fired when removing a realm.
For information on how to migrate, see the Upgrading Guide.
Identity Providers no longer available from the realm representation
As part of the improvements around the scalability of realms and organizations when they have many identity providers, the realm representation no longer holds the list of identity providers. However, they are still available from the realm representation when exporting a realm.
For information on how to migrate, see the Upgrading Guide.
Securing Applications documentation converted into the guide format
The Securing Applications and Services documentation was converted into the new format similar to the Server Installation and Configuration documentation converted in the previous releases. The documentation is now available under Keycloak Guides.
Removal of legacy cookies
Keycloak no longer sends `_LEGACY` cookies, which were introduced as a work-around to older browsers not supporting the `SameSite` flag on cookies.
The `_LEGACY` cookies also served another purpose, which was to allow login from an insecure context. Although this is not recommended at all in production deployments of Keycloak, it is fairly frequent to access Keycloak over `http` outside of `localhost`. As an alternative to the `_LEGACY` cookies Keycloak now doesn't set the `secure` flag and sets `SameSite=Lax` instead of `SameSite=None` when it detects an insecure context is used.
Property `origin` in the `UserRepresentation` is deprecated
The `origin` property in the `UserRepresentation` is deprecated and planned to be removed in future releases.
Instead, prefer using the `federationLink` property to obtain the provider to which a user is linked.
Upgrading
Before upgrading refer to the migration guide for a complete list of changes.
All resolved issues
Deprecated features
- #600 De-couple quickstarts from statically served Keycloak JS `quickstarts`
New features
- #20342 Duplicate groups in the admin console of Keycloak `admin/ui`
- #26178 Support dark mode, at least for the login pages `login/ui`
- #29324 Bootstrapping an admin user using a dedicated command `dist/quarkus`
- #29755 Support AES and HMAC Key-Imports for the JavaKeystoreKeyProvider
- #30002 Bootstrapping an admin service account using a dedicated command `dist/quarkus`
- #30009 Warnings for temporary admin user and service account `core`
- #30011 Document admin bootstrapping and recovery `docs`
- #30682 Group assignment: Display disabled information from user `admin/ui`
- #30795 Initiate create events if ClientScopes are created
- #31421 Add Events for Organization Creation and Member Assignment `organizations`
- #31642 Include organization attributes and information in ID and access tokens `organizations`
- #31643 Implement invitation-only self-registration for realm users `organizations`
- #32030 Retry remote cache operations with back off
- #32135 Option to specify trusted proxies `dist/quarkus`
- #32553 Expose Password Policies in FreeMarker Context for Login Themes
Enhancements
-
#583 Update dependency on keycloak-client in main branch to 999.0.0-SNAPSHOT
quickstarts
-
#10114 Specific events for webauthn register
authentication/webauthn
- #10492 Support proxy_protocol
- #14073 SAML 2.0 HTTP-Artifact binding
-
#15769 update or replace base64-js and js-sha256
adapter/javascript
-
#16750 Google login - add prompt=select_account option
core
-
#19564 response_type none is oidc spec but ignored in the current implementation.
oidc
-
#19750 Use a proper FreeMarker template for the new consoles
account/ui
- #21072 Make sure identity providers are not send in realm GET requests and PUT requests used in "Realm settings"
- #21261 Identity providers: Pagination in account console (and account REST API)
-
#21342 Upgrade login theme to PatternFly 5
login/ui
-
#23179 kcadm should have a command to verify connection
admin/cli
-
#23596 Support generated ECDH realm keys
oidc
-
#23597 Support ECDH-ES JWE algorithms
oidc
-
#23771 Automatically hot reload TLS certificates when https-certificate-file or https-certificate-key-file changes on disk
dist/quarkus
- #24815 Hostname config check on welcome page
- #25391 Improve auto behavior with operator and --optimized
-
#25541 Add an option for a custom welcome page to disable bootstrapping of admin account
welcome/ui
-
#26262 Remove need to update Quarkus tests when profile features change
dist/quarkus
- #26470 Add a field to the RealmImportSpec to toggle replacing ENV variable placeholders
-
#27040 [keycloak-js] Expose didInitialize as a public method/property
adapter/javascript
-
#27298 Validate spi options wrt build / run time
dist/quarkus
-
#27432 Document how to specify CPU and memory limits/requests for the Operator
operator
-
#27884 Automatic update of bcfips versions in the docs
docs
-
#27947 Rename Dockerfile to Containerfile in the docs
docs
-
#28017 Un-friendly error message for Fail Import option in keycloak GUI
import-export
- #28140 External Infinispan as cache - Part 1
- #28311 Detect clients which refresh their access tokens too early
- #28581 Support OpenTelemetry tracing
- #28648 External Infinispan as cache - Part 2
- #28754 External Infinispan as cache - Part 3 / login failures cache
- #28755 External Infinispan as cache - Part 4 / user + client sessions online + offline
- #29200 Clarify import/export usage of options
-
#29258 Support pod affinity settings in the Keycloak Operator
operator
- #29303 Active/Active XSite fencing
- #29394 Infinispan Protostream
-
#29480 GET users endpoint is making lots of requests to the database
storage
- #29665 Please clarify in the docs that the replacement of KC_PROXY=edge is not just KC_PROXY_HEADERS, but one MUST set KC_HTTP_ENABLED=true.
-
#29698 Improve SAML2 Metadata Validation Exception messages
saml
-
#29725 VC issuance in Authz Code flow with considering “scope” parameter
oid4vc
-
#29974 Add support of RTL UI in login pages
login/ui
- #29986 private AuthzClient.createPatSupplier
-
#30003 Bootstrapping an admin user or service account at server startup
dist/quarkus
-
#30004 Bootstrapping an admin user or service account using the Operator
operator
-
#30010 Update the welcome page to create a temporary admin user
dist/quarkus
- #30094 Do not inherit 'https-client-auth' property for the management interface
- #30118 Admin UI - Fixed save buttons on the bottom at the page
-
#30165 Handle proxy related env vars in the Operator
operator
- #30243 Protobuf schema compatibility check (maven plugin)
-
#30267 Protect the disabling of the main keycloak account
admin/api
- #30286 Add missing translation for oid4vc protocol
-
#30337 Introduce packages for organization tests
organizations
-
#30338 Refactor organization tests
organizations
-
#30346 Enhance masking around config-keystore
dist/quarkus
-
#30419 Credential Issuer Metadata: Support Optional `claims` Object in `credential_configurations_supported` in `openid-credential-issuer` endpoint
oid4vc
- #30445 Batch cluster events
-
#30454 Server crash when using kc.sh with -Dkeycloak.profile=experimental
dist/quarkus
-
#30525 Enhance Verifiable Credential Signing Service Flexibility and Key Rotation
oid4vc
-
#30537 Document how Admin REST API endpoints work with Hostname config
docs
-
#30542 Use correct scope within maven-plugin
core
-
#30623 Make sure not possible to import jakarta classes in admin-client-jee
admin/client-java
-
#30629 Cleanup dependencies of keycloak-client-registration-api to not have dependency on server
admin/client-java
-
#30707 prevent removing the flow when used by client flow overrides
authentication
-
#30743 Make sure users created through a registration link are managed members
organizations
-
#30746 Allow auto-redirect existing users federated from organization broker when using the username
organizations
-
#30747 Support for members joining multiple organizations
organizations
-
#30829 Print keycloak's server response when using keycloak-admin-client
admin/client-js
- #30855 Make persistent user sessions and external Infinispan co-exist
-
#30856 Remove inclusive language foreword
docs
-
#30873 Exchange VC Format class for String constantns
oid4vc
-
#30880 Add vault support to JavaKeystoreKeyProvider
core
-
#30907 Implement advanced verification of SD-JWT in Keycloak
oid4vc
-
#30918 VerifiableCredential: Exchange java.util.Date for java.time.Instant
oid4vc
-
#30924 Keycloak Operator should use the port name and not the port number for the ingress
operator
- #30931 Enable ProtoStream encoding for External Infinispan feature
- #30934 Drop `AuthenticatedClientSessionStore` from user sessions
- #30995 Document LDAP connection pool configuration
-
#30999 Make ProofType for CredentialRequest a string instead of enum
oid4vc
- #31005 Override of begin transaction in AbstractKeycloakTransaction
-
#31006 Conditionally redirect existing users to a broker based on their credentials
organizations
- #31029 Refactor HA guide
- #31046 ConditionalRemove interface for External Infinispan feature
-
#31056 Avoid iterating and updating all group policies when removing groups
authorization-services
- #31064 Add simple cache to cache-local.xml
-
#31076 Oauth2GrantType.Context requires getter-methods
oidc
-
#31086 Manipulate redirect on OpenID redirect with custom implementation
oidc
-
#31183 Show Display Name (if available) and Realm Id on Realm Dropdown Button
admin/ui
-
#31226 Release notes for JavaKeystoreProvider updates
docs
-
#31343 Can we remove distribution/feature-packs directory?
adapter/jee
-
#31388 [Organizations] Add a count() method to the OrganizationMembersResource
core
-
#31390 Allow custom login themes to define a footer ftl fragment
login/ui
-
#31438 Support for authenticating and issuing tokens in the context of a organization
organizations
-
#31489 Remove keycloak-undertow-adapter-spi
adapter/saml
-
#31491 Add a deprecation warning when old `KEYCLOAK_ADMIN`, `KEYCLOAK_ADMIN_PASSWORD` env vars are used
dist/quarkus
-
#31513 Support lightweight access tokens for Admin REST API
oidc
- #31514 Allow Embedded Cache sizes to be configured via the CLI
-
#31547 Use correct error code in error response in token exchange
token-exchange
-
#31548 Add issued_token_type to token-exchange response
token-exchange
-
#31581 Allow optional inclusion of Issue At TIme (iat) and Not Before (nbf) claim to a verifiable credential
oid4vc
- #31625 import placeholders should be converted to an option
-
#31648 Change default name of bootstrap service account
dist/quarkus
- #31670 Make sure the storage provider ID is always available from `UserModel.getFederationLink`
-
#31676 Upgrade to Quarkus 3.13.2
dist/quarkus
-
#31681 Add x5c and jwk header to JWSBuilder
oidc
- #31699 Optimize Remote Infinispan performance on removal of entry
- #31701 Optimize CPU cycles for persistent sessions
- #31725 Revoked tokens table is missing an index
-
#31766 Client Policy - Condition : Client - Client Attribute
oidc
-
#31786 The console takes a very long time to display group members with LDAP provider
ldap
- #31807 Simplify enabling MULTI_SITE setup in KC26
-
#31816 Class CertificateUtils should support creation of EC certificates
oidc
- #31845 JavaScript build should not cache Keycloak Java artifacts and should rotate PNPM cache
- #31876 Non clustered Keycloak with External Infinispan feature
-
#31894 Redirect after cancelling a required action should contain kc_action parameter
authentication
-
#31908 Add docs for the OpenTelemetry tracing
docs
-
#31932 Upgrade to next Quarkus LTS
dist/quarkus
- #31963 Upgrade to Infinispan 15.0.7.Final
-
#32023 Add ECDH-ES encyption algorithms to the java keystore key provider
core
- #32033 References to removed artifacts and obsolete properties in root pom.xml
- #32056 OTEL: Service name isn't configurable and doesn't comply with conventions
-
#32095 OTEL: Dynamic service name for tracing in K8s environment
operator
- #32131 Remove session related caches from external Infinispan in HA guide
-
#32158 Add an endpoint to the `organizations` endpoint to return the organizations for a given user
organizations
- #32188 Quarkus IDE Debugging should set JVM options like kc.sh
- #32198 error message "Address already in use" should state which address/port in particular
-
#32231 OTEL: Profile Feature
dist/quarkus
- #32265 Enable persistent sessions by default
- #32273 Optimize Persistent Sessions SQL for session list
- #32312 Relocate Quarkus resteasy-reactive dependencies to REST
-
#32314 Syslog: add necessary options to cover the major usability
dist/quarkus
- #32328 Upgrade to Infinispan 15.0.8
- #32343 Upgrade Keycloak's sizing guide for KC26 and persistent sessions
- #32387 Documentation for persistent sessions enabled by default
- #32388 Make update IdentityProvider admin REST API more efficient.
-
#32389 Upgrade to Quarkus 3.13.3
dist/quarkus
- #32416 Skip creating sessions cache when Persistent Sessions is enabled
- #32428 Performance optimization when checking secure context
-
#32517 Upgrade to Quarkus 3.14.2
dist/quarkus
- #32525 Document Syslog app-name option
-
#32579 Set autocomplete="one-time-code" in OTP login form
login/ui
- #32582 Remove tables `user_session`, `user_session_note` and `client_session`
- #32583 Review the number indexes for offline session tables
-
#32586 Remove keycloak-core and keycloak-crypto-default from SAML galleon feature pack and upgrade them to Java 17
dependencies
- #32588 Search Identity Providers by alias or display name
- #32590 Remove `version()` projection from Ickle Queries
- #32596 Rename `remote-cache` Feature
- #32619 Possibility to separately specify log levels for log handlers
-
#32683 Optimize LogoutEndpoint.backchannelLogout endpoint
identity-brokering
-
#32717 Make it explicit which options are needed when using optimized image with the Operator
operator
- #32745 Review the RTO and RPO in the multi-site docs after the A/A failure and recovery tests
- #32746 Add organization id to the organization claim of the access token
- #32803 Update the HA guide with fencing lambda taking Infinispan caches offline
- #32804 Remove `org.keycloak.utils.ProxyClassLoader`
- #32845 Add client side password policy checks
- #32852 Prevent deadlocks on concurrent user updates
-
#32863 Redirect to relative-path from the root path
dist/quarkus
-
#32906 Reduce the cost of updating user attributes in JPA store
core
-
#32968 [OID4VCI] Show OpenID4VCI Credential Issuer Metadata link in admin ui
oid4vc
-
#32970 Upgrade to Quarkus 3.14.4
dist/quarkus
-
#33010 Bootstrap admin client should use lightweight access tokens
dist/quarkus
-
#33015 FolderThemeProvider should select theme from available themes
core
- #33040 Provide more information when there is an error to possibly debug
- #33143 Add the Troubleshooting and Health checks guide to Keycloak
- #33163 Use INFO Log Level for status in Migration Logic in DefaultMigrationManager
-
#33201 [Organizations] Allow orgs to define the redirect URI after user registers or accepts invitation link
organizations
-
#33203 Explicitly document that the Operator does not create an Ingress for Admin URL
operator
- #33325 Refactor loading resources from themes
- #33384 Document supported configurations and limitations for multi-site
- #33405 Use feature versions for admin3, account3, and login2
-
#33426 Minor tweaks in SAML documentation
adapter/saml
-
#33515 Use `crypto.randomUUID()` to generate UUIDs for Keycloak JS
adapter/javascript
Bugs
-
#555 Failures in `ExtendAdminConsoleTest`
quickstarts
-
#565 Build fails in the extension
quickstarts
-
#567 Tests in user-storage-simple quickstart are failing in main branch
quickstarts
-
#572 Action-token quickstarts don't compile with latest Keycloak
quickstarts
-
#574 Incorrect Keycloak version in the main branch of quickstarts
quickstarts
-
#595 Jakarta tests are failing with latest main
quickstarts
-
#607 Workflow failure - JavaScript
quickstarts
-
#10730 realm import: error if ldap groupmapper has a group path set
import-export
-
#13505 locale attribute not set after registration
authentication
-
#17857 New Admin UI does not send e-mails if account-client is disabled
core
-
#19070 authBaseUrl error on different hostname-admin-url, hostname-url
admin/ui
-
#20371 Double form submit in Admin UI possible leading to error mesages
admin/ui
-
#20431 Fine-grained admin permission client manage does not work
admin/ui
-
#23028 Documentation: Authorization Services documentation contains duplicated image
authorization-services
-
#23496 Rename "Realm name" field to "Realm ID" field in realm creation screen
admin/ui
-
#25234 front channel logout to clients are not called at Identity Proxy when using front channel logout to Identity Provider(
oidc
-
#25339 "Invalid Username" when "Email as Username" is used and the email contains special characters
user-profile
-
#25440 page-expired error page shown when using browser back-button on forgot-password page after invalid login attempt
authentication
-
#25794 Flaky test: org.keycloak.testsuite.model.DBLockTest#testTwoLocksCurrently
storage
-
#25837 Infinispan Cache(embedded) data is not being updated during mergeView event
infinispan
-
#26042 Issue when start-dev in 23.0.1
dist/quarkus
-
#26117 Flaky test: org.keycloak.testsuite.oidc.AuthenticationMethodReferenceTest#testAmrPastMaxAge
oidc
-
#26176 Flaky test: org.keycloak.testsuite.forms.RecoveryAuthnCodesAuthenticatorTest#test03AuthenticateRecoveryAuthnCodes
authentication
-
#26435 NullPointerException when using client scope policy for token-exchange
token-exchange
-
#26794 MULTIVALUED_LIST_TYPE not working for client mappers
admin/ui
-
#27506 Readable realm name no longer visible in logs, but realm id is used instead
core
-
#27536 "User Profile" attributes not available for Users Attribute search and Attribute selection, if no view or manage realm realm-management role added
account/ui
-
#27677 Translations missing for user events in admin ui
translations
-
#27941 Entry 999.0.0 in MIGRATION_MODEL prevents future migrations of the database
core
-
#28020 Firefox Webauthn Registration "SecurityError: The operation is insecure."
authentication/webauthn
-
#28418 SSO Session Idle: session is still active after session idle time expired
oidc
-
#28489 Missing help text on tokens tab
admin/ui
-
#28633 Client roles won't open (Forbidden) with Fine Grained Permission (without view-clients realm-management role)
account/ui
-
#28643 Encountering `NullPointerException` - `KeycloakIdentity.getUserFromToken()` when running `admin-ui` locally
admin/ui
-
#28865 NullPointerException on RealmCacheSession when upgrading Keycloak 23.0.4 to 24.0.2
infinispan
-
#28953 Flaky test: org.keycloak.testsuite.actions.RequiredActionUpdateProfileTest#updateProfileWithoutRemoveCustomAttributes
ci
-
#29098 User profile validation pattern error-message not rendered from messages_en.properties
admin/ui
-
#29211 Network error attempting to view default realm roles without permissions
admin/ui
-
#29271 TrustedHostClientRegistrationPolicyTest#testGithubDomain failing in clean checkout
testsuite
-
#29385 Restart authentication event type is not generated
authentication
-
#29407 Need refresh attributes group translations on Users > Details tab
admin/ui
-
#29413 Realm client unset protocol not preserved
admin/ui
-
#29468 realm_settings_general_tab_test.spec fails randomly
admin/ui
-
#29486 Default theme logs font related console errors on firefox
login/ui
-
#29542 The EmailEventListenerProvider throws an exception on brute force lockout events
authentication
-
#29566 User Profile attributes/groups in Admin UI are not translated using Localization for non-master realm when signed in the master realm
account/ui
-
#29615 Get effective roles for user needs more privileges than expected
admin/api
-
#29761 bug: disabling all default features no longer works
core
-
#29784 Exception while trying to run a LDAP sync with a group importer and a batch size less then the actual number of groups
ldap
-
#29866 Missing Cache-Control header when "response_type" parameter is missing in login request
authentication
-
#29878 Updating a client protocol mappers through Admi CLI (kcadm) resets the client service account roles
admin/cli
-
#29978 Admin UI slow performance loading 600+ realms
admin/ui
-
#30048 Save button is not activated at first modification on "Client scope details"
admin/ui
-
#30111 Flaky test: org.keycloak.testsuite.oauth.TokenIntrospectionTest#testUnsupportedToken
ci
-
#30115 Admin v2 theme - theme.properties Custom theme scripts not loading
admin/ui
-
#30143 User in subgroup not synchronized and still appears as not in the subgroup
account/ui
-
#30181 [DPoP] token_type on UserInfoEndpoint expects Bearer instead of DPoP
oidc
-
#30188 Flaky test: org.keycloak.testsuite.broker.KcOidcBrokerTest#testPostBrokerLoginFlowWithOTP_bruteForceEnabled
ci
-
#30201 Keycloak CI - failure in Store IT (aurora-postgres)
ci
-
#30235 Flaky test: org.keycloak.testsuite.model.user.UserModelTest#testAddRemoveUserConcurrent
ci
-
#30236 Flaky test: org.keycloak.testsuite.model.user.UserModelTest#testAddRemoveUserConcurrent
ci
-
#30240 Custom attributes are removed during UPDATE PROFILE event
core
-
#30271 Client role descriptions are not localized
admin/ui
-
#30276 The "Quarkus development mode" instructions in quarkus/README.md throw a ForkJoinPool error
dist/quarkus
-
#30284 Executor consent-required does not work for client-roles condition
oidc
-
#30300 Upgrade to Keycloak 25 - Table 'USER_CONSENT' is specified twice on MySQL/MariaDB database
core
-
#30302 Methods of SimpleHttp are after change now too much protected
core
-
#30305 Importing organizations failing if there is no broker and members in the representation
organizations
-
#30306 Upgrade to Keycloak 25 - Events bug in UI
admin/ui
-
#30308 Organization resources in keycloak-admin-client-jee have dependencies on jakarta
admin/client-java
-
#30312 Add an alias to organization
organizations
-
#30313 Expose organization to theme templates
organizations
-
#30329 Client secret rotation UI shows wrong rotated secret
admin/ui
-
#30332 Operator fails to patch ingress after update to 25.0.0
operator
-
#30334 RESTART_AUTHENTICATION_ERROR when login in in private browser window after 25.0.0 update
core
-
#30335 Google login on Social login test is failing
ci
-
#30339 Identity-first login flow should be followed by asking for the user credentials rather than allowing providing the username again
organizations
- #30351 Migration of sessions in KC25 should run only on migration, not on imports
-
#30355 New operator failing on health checks
operator
-
#30368 Documentation : label error for persistent-user-sessions feature flag
docs
-
#30380 Incorrect warning log about deprecated options hostname, hostname-debug
dist/quarkus
-
#30383 Account Console (v3) no longer highlights the current page in the nav bar
account/ui
-
#30414 Login / Admin events filter by date under realm Events return incorrect results
storage
-
#30417 Keycloak 25 db guide shows unevaluated "ifeval
docs
-
#30425 Built-in scopes are not translated in the account console "applications" tab
account/ui
-
#30432 keycloak hostname:v2 /admin used on "hostname" instead of "hostname-admin"
admin/ui
-
#30434 Improvements for ldap test authentication
ldap
-
#30436 Client Roles are not shown when clientId property is set
admin/ui
-
#30440 UI theme bug in KC 25.0.0
admin/ui
-
#30449 Migration stuck if versions incompatible
operator
-
#30460 The `start` command should automatically re-build when previous run was `start-dev`
dist/quarkus
-
#30476 All user attributes readonly in admin ui and admin API after setting edit mode of one user federation to READ_ONLY
core
-
#30485 Fix LoginFailureEntity protostream encoding
infinispan
-
#30492 partial_import_test fails randomly
admin/ui
-
#30511 Fix AuthenticatedClientSessionEntity protostream encoding
infinispan
-
#30520 Flow steps back when changing locale or refreshing page on "Try another way page"
authentication
-
#30521 "Client Offline Session Max" no longer available
admin/ui
-
#30541 Account UI resources try to load from admin path instead of frontend path
account/ui
-
#30550 [UI] group selection does not update attribute tab
admin/ui
-
#30552 After migrating from 24 to 25, the signature algorithms names do not display in drop down menu
admin/ui
-
#30582 Localization prevents update of user-profile attributes
admin/ui
-
#30591 Invalid character in spanish translation file for Identity Provider Link Template
translations
-
#30599 client-jwt authentication fails on Token Introspection Endpoint
oidc
-
#30604 Network response was not OK.
saml
-
#30614 token exchange: exchange-sequence fails with Client session for client 'client-exchanger' not present in user session
token-exchange
-
#30641 Flaky test: org.keycloak.testsuite.broker.KcSamlBrokerTest#testPostBrokerLoginFlowWithOTP_bruteForceEnabled
ci
- #30652 Default server port is used instead of the management interface port in the guide about running Keycloak in a container
-
#30662 User policy -> select user shows user id instead of user name.
admin/ui
-
#30663 A theme called `custom` is displayed as `Custom Attribute...` in the admin console
admin/ui
-
#30677 LDAP connection pool params(maxsize, initsize, prefsize) picked up from backend ComponentModel and are not visible in Keycloak admin console
ldap
-
#30678 Require SSL mode "External requests" does not work with IPv6 local addresses
dist/quarkus
-
#30683 Infinite loader on the admin console for non-admin users
admin/ui
-
#30703 Recovery codes missing from account console
docs
-
#30705 Full details of errors not shown in admin and account console
account/ui
-
#30706 Internal error occurs for the removed flow which override by the client
authentication
-
#30712 Remove of Multivalued Attribute due to - Adding translations when a new attribute is created
admin/ui
-
#30717 Broken external links
docs
-
#30730 Cannot explicitly disable KERBEROS feature
core
-
#30758 Docs: server_admin/topics/login-settings/acr-to-loa-mapping.adoc
docs
-
#30761 Protobuf deserialization has a default of an empty String
core
-
#30765 fallback to the no override flow when the flow is missing in client override
authentication
-
#30772 Rendering of granted client scopes in User Consents view broken in Admin UI
admin/ui
-
#30794 Filtering by Client ID in the "User Client Role" mapper does not work anymore
admin/ui
-
#30816 Docs: server_development/topics/themes.adoc
docs
-
#30821 Testing connection to ldap on the settings page does not work in 25.0.1
ldap
-
#30837 Cannot find requested client with clientId
ldap
-
#30840 Incorrect order when instantiate ClientRemovedEvent
infinispan
-
#30857 Check for being Offline type in refresh token flow must be done based on refresh token request parameter
oidc
-
#30866 admin-cli invalid credentials
admin/cli
-
#30874 DPoP Keycloak JS Adapter
docs
-
#30917 reCAPTCHA Enterprise v3 - Unrecognized field "accountDefenderAssessment"
core
-
#30935 Incorrect version comparison in ModelVersion
storage
-
#30941 Fix docs about User Storage SPI JPA quickstart
docs
-
#30945 Keycloak operator adds proxy by default which is depreacted
operator
-
#30947 Error when trying to edit authentication sub-flow name / description
admin/ui
-
#30967 Keycloak is not working in IBM AIX OS.
dist/quarkus
-
#30969 Brute force protection: Lockout permanently uses parameters configured under lockout temporarily
core
-
#30992 Realm cannot be deleted if there are tons of consents
storage
-
#31001 User Federation settings changing when saving
admin/ui
-
#31014 "Verify Email" may cause other Required Actions to be ignored
authentication
-
#31021 Styling of recovery codes seems wrong
login/ui
-
#31023 Keycloak 25 - protocol_mapper_config stores client_uid in usermodel.clientRoleMapping.clientId instead of client_id
admin/ui
-
#31038 Home URL for account-console / security-admin-console broken in admin-ui
admin/ui
-
#31040 Cannot reorder custom auth flow executions in admin-ui
admin/ui
-
#31045 Users cache clears after creating client scope.
infinispan
-
#31050 Caching docs should name parameter runtime parameters, not build parameters
docs
-
#31062 Updating dynamically registered client's metadata drops `preferred_username` from ID token
core
-
#31070 Search doesn't work for nested groups
admin/ui
-
#31083 Docs: server_admin/topics/admin-console-permissions/fine-grain.adoc
authorization-services
-
#31085 MULTIVALUED_STRING_TYPE not displaying 1 value while more than 1 value is working fine
admin/ui
-
#31107 Not able to remove otp credential of user
account/api
-
#31111 inputOptionLabelsI18nPrefix is take into consideration only for login-ui
account/ui
-
#31115 Review filtering of session returned from the sessions cache
core
-
#31143 KC.ORG user attribute shown - even if the organizations feature for the realm is disabled
admin/ui
-
#31144 "Can not update organization group" error when trying to create organisation from REST API
organizations
-
#31153 Cannot set unmanagedAttributePolicy without profile attributes
admin/api
-
#31161 Keycloak 25: Only first required action is executed
core
-
#31165 Re-enabling a temporarily locked user (brute-force) deletes all user properties and attributes
admin/ui
-
#31166 A lot (really!) dropdown/select fields in admin-ui remain open after selecting an action/entry.
admin/ui
-
#31167 After creating a new authentication flow and returning to the list, the "Used by" column displays "flow.undefined"
admin/ui
-
#31169 Wrong Sync Mode of newly created external IdentityProvider
admin/api
-
#31171 Single use tokens, like action tokens, has a claim `expiration`
core
-
#31182 Realm export - duplicated elements in browser flow. Organization user must click login button multiple times.
import-export
-
#31187 Recaptcha links changed in the Google Docs
docs
-
#31196 The check for userdn in test ldap should consider that AD proxy user can be in non DN format
ldap
-
#31204 Bruteforce protector does not work when using organizations
organizations
-
#31216 #kc-form-options div not wrapping its content correctly in login-password.ftl
login/ui
- #31218 Clarify if JGroups thread metrics can be shown with embedded Infinispan
-
#31219 [Docs] Broken link in Server Admin guide for JWT_Auth wiki
docs
-
#31224 Offline tokens created in Keycloak 9 will not work on Keycloak 25
oidc
-
#31228 Userprofile/Translation: user attribute cannot be saved because no translation was (even though it is present)
admin/ui
-
#31240 Can't update the user where userName contains uppercase letters
core
-
#31244 IdP redirect URL shows hostname_admin
admin/ui
-
#31246 All pubic brokers are shown during authentication rather than only those associated with the current organization
organizations
-
#31260 Download of Recovery Codes broken. File contains no Recovery Codes.
login/ui
-
#31267 multiple ldap url's not working on one realm
ldap
-
#31276 Account console won't load when using URL having a path as hostname config
account/ui
-
#31291 Incosistent casing of built-in flow descriptions
core
-
#31296 Revoke access tokens for persistent user sessions
storage
-
#31304 Hide save / update buttons in account console for READ_ONLY federated accounts
account/ui
-
#31319 keycloak.v2 broken in main
login/ui
-
#31341 Keycloak URL for Brokerage in Admin UI still suggests "/realms" in the path
admin/ui
-
#31368 logging-pattern failure in token-exchange
token-exchange
-
#31386 Joining group for user doesn't list correct number of groups
admin/ui
-
#31410 call to group-by-path does not return subGroupCount
admin/api
-
#31413 Wrong command in exposing metrics from caches section
docs
-
#31420 Seeing `Client cannot marshall the server's key media type` with external Infinispan after 25 upgrade
infinispan
-
#31444 keycloak Public Client secret are updated frequently
admin/api
-
#31466 Duplicate Key "validatingX509CertsHelp" in admin-ui messages
admin/ui
-
#31480 dynamic MultiValuedListComponent default value not stringified
admin/ui
-
#31515 Export users throws Disabled option: '--users' in v25
import-export
-
#31519 Admin API extremely slow with service account and fine-grained authorization `view-users`
admin/fine-grained-permissions
-
#31537 Creating client roles with fine grained permissions is not possible
admin/fine-grained-permissions
-
#31545 Event tables have broken aria-labels
admin/ui
-
#31558 MSSQL test container can't start
ci
-
#31563 Link existing account to SSO by email not linking since v23
login/ui
-
#31575 AdvancedClaimToGroupMapper throws Exception if no claims are configured
identity-brokering
-
#31585 Credential offer endpoint fails with 500 when bearer token has expired
oid4vc
-
#31592 Description field for roles creation could be better instead of ${} values
admin/ui
-
#31595 Misconfiguration of login settings causes login to not be possible
admin/api
-
#31598 CURL commands in build don't check the response code
ci
-
#31603 Can't delete kerberos user
storage
-
#31612 Store Model Tests (jpa+cross-dc-infinispan+persistentsessions) - org.keycloak.testsuite.model.session.SessionTimeoutsTest
infinispan
-
#31614 Endpoint /admin/users Degradation Based on Role
admin/fine-grained-permissions
-
#31633 localization not work with user attribute display name in users add
admin/ui
-
#31640 Admin Console Spins with hostname:v2 using security-admin-console Redirect URIs
docs
-
#31687 "Use metadata descriptor URL" switch is always set to "On"
admin/ui
-
#31704 ID is used as tab name instead of localized string
admin/ui
-
#31712 The OID4VCI cross-device flow should not require the device to have an access token
oid4vc
-
#31718 Documentation for `Delete Credential` action and related changes
authentication
-
#31760 Persist revoke tokens with remote cache feature
storage
-
#31780 SAML IdP configure does not parse IdP metadata.xml correctly
saml
-
#31781 Keycloak 25 SAML IdP has made Single Logout URL mandatory.
saml
-
#31818 Management Interface is turned on even though nothing is exposed on it
dist/quarkus
-
#31823 Ignoring JWK key Missing required field 'use' still happens in keycloak version 25.02
identity-brokering
-
#31828 EmbeddedInfinispanSplitBrainTest fails with "IllegalState Session not bound to a realm"
core
-
#31829 Deleted authentication sessions should not be re-surrected with an update
core
-
#31858 Custom component persist only some config keys
admin/api
-
#31864 Certificate-Generation with EC signing RSA and vice versa does not work
oidc
-
#31881 Flaky test: org.keycloak.testsuite.forms.BruteForceTest#testRaceAttackPermanentLockout
ci
-
#31882 Realm roles that do not exist are displayed in "Default roles" when "Hide inherited roles" is not checked
admin/ui
-
#31892 Client secret is visable in Admin event representation when Credentials Reset action performed for the Client.
admin/api
-
#31893 In realm role ellipsis value is null
admin/ui
-
#31918 Network error attempting to view events without permissions
admin/ui
-
#31929 Network error attempting to view user registration without permissions
admin/ui
-
#31931 Failure to generate Ed448 token
authentication
-
#31941 Cache guide does not properly print `cache-stack` values
docs
-
#31944 Filter organization brokers in the account console
organizations
-
#31947 Fix server guide cross-references for downstream docs
docs
-
#31956 Admin console not usable when instance has a 1000 realms
admin/ui
-
#31972 Unstable test ExternalInfinispanTest
testsuite
-
#32016 `My password` string in `Signing in` page not getting translated in `keycloak.v3 account` theme
account/ui
-
#32025 Not possible to import realm with newest Java admin-client against Keycloak 24
admin/client-java
-
#32059 Look around window cannot be set to 0
admin/ui
-
#32084 SAML adapter IdMapperUpdaterSessionListener not executed when session ID changes
adapter/saml
-
#32100 Remember Me with External Infinispan does not work properly
infinispan
- #32108 [Scalability of IDPs] Follow up: ensure organization aware IdentityProviderModel is used in the infinispan IDPProvider
-
#32117 Impossible to import RolePolicy with newest admin-client against Keycloak 24
admin/client-java
-
#32127 Offline session bug on 25.0.2
core
-
#32136 Missing TypeScript `populateHierarchy` param for keycloak admin client
admin/client-js
-
#32150 Session list doesn't handle non-existing client gracefully
core
-
#32153 Remote Infinispan code must not call JPA code in non-blocking thread
core
-
#32156 SingleSelect-kind readonly attribute is not disabled in account console
account/ui
-
#32176 Bootstrap options missing from help
dist/quarkus
-
#32178 Table names for persistent sessions upgrading guide is wrong
docs
- #32180 Session list not appearing: SQL Error "The incoming request has too many parameters"
-
#32182 `show-config` command outputs duplicate options
dist/quarkus
-
#32194 UserRemovedEvent does not contain all user attributes
infinispan
-
#32195 Migration to persistent sessions fails from Keycloak version <22
storage
-
#32197 Keycloak reuses AUTH_SESSION_ID of logged out sessions
login/ui
-
#32205 Endpoint configurations shows hostname_admin
admin/ui
-
#32238 Brokers associated with organization not filtered when linking brokers with an organization
organizations
-
#32256 Flaky test: org.keycloak.testsuite.forms.BruteForceTest#testRaceAttackPermanentLockout
ci
-
#32259 [Keycloak CI] - AuroraDB IT fails to start on EC2 due to lack of entropy regression
storage
-
#32305 Temporary admin account notice logged to org.keycloak.events
dist/quarkus
-
#32333 Legacy `KEYCLOAK_ADMIN` environment variable is not working
dist/quarkus
-
#32368 KeycloakRealmImport not working with Istio service mesh
operator
-
#32392 Validate organization alias for forbidden chars
organizations
-
#32402 Additional datasources do not work
dist/quarkus
-
#32415 Missing translations for required action webauthn-register
login/ui
-
#32419 Joining group with text filter does not show all results even if backend returned them
admin/ui
-
#32425 Duplicate message keys in admin messages_en.properties
admin/ui
-
#32435 Multiple Logout Confirmation Actions Trigger NullPointerExceptions
core
-
#32451 Wildcard search not working for custom user attributes
admin/api
-
#32460 When Organization feature is enabled UserAdapter.getGroupsCount() returns wrong result
organizations
- #32465 SocialLoginTest failing after switching to the new IDP Provider
-
#32468 Warning Banner for Temporary Admin User shouldn't be placed under breadcrumbs
admin/ui
-
#32473 Flaky test: org.keycloak.testsuite.webauthn.WebAuthnIdlessTest#testWebAuthnIDLessAndWebAuthnAndWebAuthnPasswordlessLogin
ci
-
#32477 Flaky test: org.keycloak.testsuite.forms.ResetPasswordTest#resetPasswordWrongSmtp
ci
-
#32478 Flaky test: org.keycloak.testsuite.forms.ResetPasswordTest#resetPasswordWithPasswordHistoryPolicy
ci
-
#32481 Drag & drop issue with the step order in the Authentication settings of the Admin Console
admin/ui
-
#32486 Identity Provider secret visible in Organization tab (API request)
organizations
-
#32492 Welcome screen logo is bigger than the one on login
welcome/ui
-
#32498 Flaky test BruteForceTest.testPermanentLockout()
core
-
#32503 Flaky test: org.keycloak.testsuite.webauthn.WebAuthnTransportsTest#internalTransport
ci
-
#32510 Login v2 username form
login/ui
-
#32512 [Keycloak CI] - BruteForceTest.testPermanentLockout failures
login/ui
-
#32513 [Keycloak CI] - OrganizationBruteForceTest.testPermanentLockout failures
login/ui
-
#32514 [Keycloak CI] - ResetPasswordTest.resetPasswordExpiredCode failures
login/ui
-
#32515 Invalid client data in /login-actions/authenticate causes an uncaught server error and a HTTP 500 response code
authentication
-
#32531 Cannot invoke "org.keycloak.authentication.RequiredActionFactory.isConfigurable()" because "factory" is null
account/ui
-
#32533 Admin UI messages sometimes miss details, and sometimes refer to details in the logs which are missing
admin/ui
-
#32541 Flaky test: org.keycloak.testsuite.forms.ResetPasswordTest#resetPasswordLinkNewTabAndProperRedirectClient
ci
-
#32542 Flaky test: org.keycloak.testsuite.forms.ResetPasswordTest#resetPasswordLinkNewBrowserSessionPreserveClient
ci
-
#32544 Multiple bugs in the experimental UiTabProvider / UiTabProviderFactory
admin/ui
-
#32546 "Include Client Audience" field is not mandatory
admin/ui
-
#32547 The set value ‘Default Admin-Initiated Action Lifespan’ has no effect on the ‘Credential Reset’ form
admin/ui
-
#32548 Flaky test: org.keycloak.testsuite.webauthn.registration.UserVerificationRegisterTest#required
ci
-
#32554 CRDs for the Operator are generated multiple times during the build
operator
-
#32605 Flaky test: org.keycloak.testsuite.webauthn.WebAuthnTransportsTest#nfcTransport
ci
-
#32606 Flaky test: org.keycloak.testsuite.webauthn.WebAuthnTransportsTest#bluetoothTransport
ci
-
#32609 Continuous loading screen instead of access denied on account info page
account/ui
-
#32615 Forms IT (chrome) ResetOtpTest fail
testsuite
-
#32622 InvalidDestination Error for IDP-initiated SSO with Keycloak behind a Reverse Proxy
saml
-
#32623 OAuth login error with custom scheme
oidc
-
#32624 "Authentication" Link in Admin Portal Fails with 400 Bad Request After Migrating to Version 25
admin/ui
-
#32641 Help text under text field
admin/ui
-
#32643 Dots are not allowed in the path in Hostname v2
dist/quarkus
-
#32678 Flaky test: org.keycloak.testsuite.forms.ResetPasswordTest#resetPasswordBeforeUserIsDisabled
ci
-
#32689 Unable to import master realm with --import-realm
dist/quarkus
-
#32698 On backchannel logout, a user ID with a dot on the broker side breaks the logout by user
core
-
#32731 KeyCloak Admin Client uses non-standard `@nocache` annotation which is an issue for Quarkus
admin/client-java
-
#32736 In the account console when I update the password the referrer disappears
account/ui
-
#32755 Leftover code in login-passkeys-conditional-authenticate.ftl
login/ui
-
#32758 Keycloak admin console interface is out of screen
admin/ui
-
#32761 The endpoint /admin/realms/{{realm}}/groups/{{group-id}}/members potentially fetch all user in database
admin/api
-
#32764 When forcing re-authentication by passing maxAge value as 0 does not work
adapter/javascript
-
#32770 Adapters backward compatibility tests are failing
ci
-
#32782 `@noble/hashes/sha256` is bundled into Keycloak JS
adapter/javascript
-
#32784 Flaky test: org.keycloak.testsuite.url.HostnameV2Test
ci
- #32789 CVE-2024-7318 - Use of a Key Past its Expiration Date in org.keycloak:keycloak-core
-
#32798 Custom theme and not existing image: error 500 (No enum constant org.keycloak.theme.Theme.Type.IMG)
login/ui
-
#32799 Realm import fails when client configures default_acr values
import-export
-
#32802 Lightweight access token is not working for bootstrap admin client
oidc
-
#32817 Error when deploying SAML application with the keys in PEM format inside keycloak-saml.xml
adapter/saml
-
#32829 Login V2 theme: Pages specify fewer tabindex entries
login/ui
-
#32830 Login v2 theme: Auto-focus on input fields no longer working and autocomplete changed
login/ui
-
#32833 TOTP QR codes broken when realm display name contains colon character
core
-
#32834 Admin UI does not display admin events expiration
admin/ui
-
#32860 Database index creation isn’t skipped on large data sets in Keycloak 24
storage
-
#32870 Increased DB activity due to changes in LDAPStorageManager.searchForUserByUserAttributeStream
ldap
-
#32880 Flaky test: org.keycloak.testsuite.forms.RegisterTest#registerExistingEmailAllowed
ci
-
#32881 Flaky test: org.keycloak.testsuite.forms.RegisterTest#registerUserNotContainsUsernamePasswordPolicy
ci
-
#32891 Exceptions on X509 authentication are logged without a stack trace
core
-
#32892 [Store Model Test] Failed test org.keycloak.testsuite.model.session.UserSessionPersisterProviderTest#testOnRealmRemoved
ci
-
#32896 Inconsistency of the access token iat after setting the time offset in the test suite
authentication
-
#32915 Administrator username changed in master realm after configuring email address for SMTP connection test for another realm with "Email as username" enabled
admin/ui
-
#32916 Device activity client name translations
account/ui
-
#32923 Flaky test: org.keycloak.testsuite.webauthn.WebAuthnTransportsTest#usbTransport
ci
-
#32930 Flaky test: org.keycloak.testsuite.forms.RegisterWithUserProfileTest#testAttributeInputTypes
ci
-
#32939 Flaky test: org.keycloak.testsuite.webauthn.WebAuthnIdlessTest#testWebAuthnIDLessWithNonResidentCredentialLogin
ci
-
#32942 Flaky test: org.keycloak.testsuite.broker.KcOidcBrokerTest#testPostBrokerLoginFlowWithOTP_bruteForceEnabled
ci
-
#32984 Application names are not taking realm overrides into account
account/ui
-
#33011 Admin bootstrap client should not have standard flow enabled
dist/quarkus
-
#33023 Documentation CI is failing on broken links
docs
-
#33037 Flaky test: org.keycloak.testsuite.webauthn.registration.UserVerificationRegisterTest#discouraged
ci
-
#33044 Next page not working for "Localization --> Realm overrides"
admin/ui
-
#33054 Identity-first login screen has broken IDP icons
admin/ui
-
#33058 Clusterless feature is not tested in Model tests
testsuite
-
#33060 Tests are showing exception while trying to import admin user after organizations were enabled by default
testsuite
-
#33064 Action expired error occurs when accessing regular registration page with Organizations enabled
organizations
-
#33095 The "Valid redirect URIs" field is not displayed when the "Standard flow" is unchecked
admin/ui
-
#33109 Infinite loop when accessing account management console
account/ui
- #33115 CVE-2024-8883 Vulnerable Redirect URI Validation Results in Open Redirect
- #33116 CVE-2024-8698 Improper Verification of SAML Responses Leading to Privilege Escalation in Keycloak
-
#33156 CVE-2024-7254 - Stack-based Buffer Overflow in com.google.protobuf:protobuf-java
dist/quarkus
-
#33172 Deprecation of https-trust-store-* weakens X509 browser authentication
authentication
-
#33207 [Organizations] Preserve org id in exported realms
core
-
#33224 [Keycloak CI] - Quarkus IT - StartCommandDistTest.testStartUsingAutoBuild
ci
-
#33231 [Keycloak CI] - User Federation Tests - LDAPSamlIdPInitiatedVaryingLetterCaseTest
ci
-
#33246 Unable to start Keycloak when metrics are enabled
dist/quarkus
-
#33296 Migrating to a FIPS environment disallows all users from logging in
authentication
-
#33300 Organization UI is overriding the alias with the org name when user navigates to another tab
admin/ui
-
#33307 XA Transaction recovery support is enabled even though transaction-xa-enabled is false
dist/quarkus
-
#33330 "somethingWentWrong" when opening Keycloak URL in unsecure context
login/ui
- #33331 Performance drop in cpuUsageForLoginsTest since 19.09.2024
-
#33336 Changing locale on passwordless or custom login flow does not work
login/ui
-
#33342 Duplicate entry "duplicate" in Admin UI message properties
admin/ui
-
#33347 Hostname v2 should enforce hostname is a full url if hostname-admin is used
dist/quarkus
-
#33351 Wrong release notes for Login v1 theme deprecation
login/ui
- #33353 Performance regression when Organisations feature is enabled
-
#33355 ID token from refresh_token flow does not contain nonce even when using Nonce backwards compatible mapper
oidc
-
#33362 Flaky test: org.keycloak.testsuite.webauthn.registration.UserVerificationRegisterTest#preferredVerificationWrong
ci
-
#33389 Banner is not wrapping properly
admin/ui
-
#33390 Creating clientAttributesCondition in some client policy breaks the login to the realm
authentication
-
#33412 User specific organisation entries shouldn't be placed in the realm cache
core
-
#33415 Organization brokers should be hidden on login pages by default
organizations
-
#33424 Organization data is cached for each user even if realm never enabled organizations
organizations
-
#33439 Avoid caching `RealmModel` in `CachedOrganization`
organizations
-
#33440 Test group_test.spec.ts Duplicate group fails repeatedly
testsuite
-
#33461 AWS Lambda description for HA setup doesn't reflect latest changes for failure policy
core
-
#33467 The "Client Secret" field does not expand to display the entire secret value
admin/ui
-
#33508 Can't load theme resources on Windows
core
-
#33517 Issue when running tests from IDE on embedded undertow ( org.jboss.threads.EnhancedQueueExecutor$Builder.setKeepAliveTime(java.time.Duration) )
testsuite
This MR has been generated by Renovate Bot.