Keycloak - Package Updates

Package Updates

[1.0.1]

• Update keycloak to 26.1.4
• Full Changelog

Package Updates

[1.1.0]

• Add dynamic builds . Configure options in /app/data/env.sh

Package Updates

[1.1.1]

• Update keycloak to 26.1.5
• Full Changelog

Package Updates

[1.2.0]

• Update keycloak to 26.2.0
• Full Changelog
• Supported Standard Token Exchange
• Fine-grained admin permissions supported
• Guides for metrics and Grafana dashboards
• Zero-configuration secure cluster communication
• Rolling updates for optimized and customized images
• Additional query parameters in Admin Events API
• Logs support ECS format
• New cache for CRLs loaded for the X.509 authenticator
• Operator creates NetworkPolicies to restrict traffic
• Option to reload trust and key material for the management interface

Package Updates

[1.2.1]

• Update keycloak to 26.2.1
• Full Changelog
• #​38956 Clarify upgrade instructions
• #​39057 Change the title for Grafana dashboards guide to plural docs
• #​39059 Document operator Auto update strategy when used with podTemplate
• #​38458 [FGAP] [UI] Permission search doesn't execute correct consequent search request admin/fine-grained-permissions
• #​38692 Test coverage for count menthods when filtering admin/fine-grained-permissions
• #​38767 Make group required when selecting a specific group creating a premission admin/ui
• #​38913 [FGAP] AvailableRoleMappings do not consider all-clients permissions admin/fine-grained-permissions
• #​38925 Blocking issue with increasing JVM thread count after migrating from 26.0.8 to 26.1.4 infinispan
• #​38929 Permission details sometimes don't show the name of the client admin/fine-grained-permissions
• #​38937 Liquibase checksum mismatch when upgrading from Keycloak 22.0.4 directly to 26.2.x storage

Package Updates

[1.2.2]

• Update keycloak to 26.2.2
• Full Changelog
• #39142 Make distribution startup timeout configurable testsuite
• #39349 CVE-2025-3910 Two factor authentication bypass
• #39350 CVE-2025-3501 Keycloak hostname verification

Package Updates

[1.2.3]

• Update keycloak to 26.2.3
• Full Changelog
• #38985 Possibility to log details and representation to the jboss-logging listener
• #39080 Standardize introductory text in Keycloak guides
• #38145 Unknown error on authentication-flow delete action <code>admin/ui</code>
• #38482 SAML client certificate not persisted <code>admin/ui</code>
• #38660 Ldap federation seems to open and keep open a new thread/connection for each ldap request <code>ldap</code>
• #38671 Duplicate Key Violation When Reauthenticating After Account Deletion via Google <code>identity-brokering</code>
• #38703 Password Policy Changes get overwritten in the UI <code>admin/ui</code>
• #38799 Kerberos principal attribute value "comes back" when cleared. <code>admin/ui</code>
• #38873 Client Credentials tab : "Allow regex pattern comparison" toggle is always "On" on page load <code>admin/ui</code>
• #38911 Filtering of user- and admin-events by dateTo always returns empty results <code>admin/api</code>

Package Updates

[1.2.4]

• Update keycloak to 26.2.4
• Full Changelog
• #35278 Double click on social provider link causes page has expired error <code>login/ui</code>
• #39021 After migrating to newer Keycloak, token refreshes using inherited offline sessions return access tokens with invalid exp value <code>oidc</code>
• #39023 Keycloak 26.2.0 UI Performance Degradation <code>admin/ui</code>
• #39173 duplicate key value violates unique constraint "constraint_offl_cl_ses_pk3" <code>infinispan</code>
• #39454 JGroups errors when running a containerized Keycloak in Strict FIPS mode and with Istio <code>infinispan</code>
• #39500 Update Job Pod is listed in the keycloak discovery service <code>operator</code>

Package Updates

[1.2.5]

• Update keycloak to 26.2.5
• Full Changelog
• Fix Securing Apps links to adapters docs
• Email server credentials can be harvested through host/port manipulation admin/api
• Fix doc link to FGAP v1 docs
• Apply edits to Operators Guide docs
• Edit Observability Guide docs
• Fix callouts in Operator guide docs
• Sessions from Infinispan should be mapped lazily for the Admin UI
• Speed up Infinispan list of all sessions be more eagerly remove old client sessions
• When logging in, all client sessions are loaded which is slow oidc
• Authorization Code Flow Fails Scope Validation After Credential Definition Migration to Realm Level oid4vc

Package Updates

[1.3.0]

• Update keycloak to 26.3.0
• Full Changelog
• Account recovery with 2FA recovery codes, protecting users from lockout.
• Simplified experiences for application developers with streamlined WebAuthn/Passkey registration and simplified account linking to identity providers via application initiated actions.
• Broader connectivity with the ability to broker with any OAuth 2.0 compliant authorization server, and enhanced trusted email verification for OpenID Connect providers.
• Asynchronous logging for higher throughput and lower latency, ensuring more efficient deployments.
• For administrators, experimental rolling updates for patch releases mean minimized downtime and smoother upgrades.
• The custom protocol, which was previously used for client-initiated account linking, is now deprecated.
• #21995 Configurable probes in the Operator operator
• #29116 Add supported config options for additional datasources dist/quarkus
• #29596 Passkeys conditional UI: integration with username/password form authentication/webauthn
• #38465 Name for OTP device should be unique account/api
• #38985 Possibility to log details and representation to the jboss-logging listener