Keycloak - Package Updates

Package Updates

[1.1.0]

• Add dynamic builds . Configure options in /app/data/env.sh

Package Updates

[1.1.1]

• Update keycloak to 26.1.5
• Full Changelog

Package Updates

[1.2.0]

• Update keycloak to 26.2.0
• Full Changelog
• Supported Standard Token Exchange
• Fine-grained admin permissions supported
• Guides for metrics and Grafana dashboards
• Zero-configuration secure cluster communication
• Rolling updates for optimized and customized images
• Additional query parameters in Admin Events API
• Logs support ECS format
• New cache for CRLs loaded for the X.509 authenticator
• Operator creates NetworkPolicies to restrict traffic
• Option to reload trust and key material for the management interface

Package Updates

[1.2.1]

• Update keycloak to 26.2.1
• Full Changelog
• #​38956 Clarify upgrade instructions
• #​39057 Change the title for Grafana dashboards guide to plural docs
• #​39059 Document operator Auto update strategy when used with podTemplate
• #​38458 [FGAP] [UI] Permission search doesn't execute correct consequent search request admin/fine-grained-permissions
• #​38692 Test coverage for count menthods when filtering admin/fine-grained-permissions
• #​38767 Make group required when selecting a specific group creating a premission admin/ui
• #​38913 [FGAP] AvailableRoleMappings do not consider all-clients permissions admin/fine-grained-permissions
• #​38925 Blocking issue with increasing JVM thread count after migrating from 26.0.8 to 26.1.4 infinispan
• #​38929 Permission details sometimes don't show the name of the client admin/fine-grained-permissions
• #​38937 Liquibase checksum mismatch when upgrading from Keycloak 22.0.4 directly to 26.2.x storage

Package Updates

[1.2.2]

• Update keycloak to 26.2.2
• Full Changelog
• #39142 Make distribution startup timeout configurable testsuite
• #39349 CVE-2025-3910 Two factor authentication bypass
• #39350 CVE-2025-3501 Keycloak hostname verification

Package Updates

[1.2.3]

• Update keycloak to 26.2.3
• Full Changelog
• #38985 Possibility to log details and representation to the jboss-logging listener
• #39080 Standardize introductory text in Keycloak guides
• #38145 Unknown error on authentication-flow delete action <code>admin/ui</code>
• #38482 SAML client certificate not persisted <code>admin/ui</code>
• #38660 Ldap federation seems to open and keep open a new thread/connection for each ldap request <code>ldap</code>
• #38671 Duplicate Key Violation When Reauthenticating After Account Deletion via Google <code>identity-brokering</code>
• #38703 Password Policy Changes get overwritten in the UI <code>admin/ui</code>
• #38799 Kerberos principal attribute value "comes back" when cleared. <code>admin/ui</code>
• #38873 Client Credentials tab : "Allow regex pattern comparison" toggle is always "On" on page load <code>admin/ui</code>
• #38911 Filtering of user- and admin-events by dateTo always returns empty results <code>admin/api</code>

Package Updates

[1.2.4]

• Update keycloak to 26.2.4
• Full Changelog
• #35278 Double click on social provider link causes page has expired error <code>login/ui</code>
• #39021 After migrating to newer Keycloak, token refreshes using inherited offline sessions return access tokens with invalid exp value <code>oidc</code>
• #39023 Keycloak 26.2.0 UI Performance Degradation <code>admin/ui</code>
• #39173 duplicate key value violates unique constraint "constraint_offl_cl_ses_pk3" <code>infinispan</code>
• #39454 JGroups errors when running a containerized Keycloak in Strict FIPS mode and with Istio <code>infinispan</code>
• #39500 Update Job Pod is listed in the keycloak discovery service <code>operator</code>

Package Updates

[1.2.5]

• Update keycloak to 26.2.5
• Full Changelog
• Fix Securing Apps links to adapters docs
• Email server credentials can be harvested through host/port manipulation admin/api
• Fix doc link to FGAP v1 docs
• Apply edits to Operators Guide docs
• Edit Observability Guide docs
• Fix callouts in Operator guide docs
• Sessions from Infinispan should be mapped lazily for the Admin UI
• Speed up Infinispan list of all sessions be more eagerly remove old client sessions
• When logging in, all client sessions are loaded which is slow oidc
• Authorization Code Flow Fails Scope Validation After Credential Definition Migration to Realm Level oid4vc

Package Updates

[1.3.0]

• Update keycloak to 26.3.0
• Full Changelog
• Account recovery with 2FA recovery codes, protecting users from lockout.
• Simplified experiences for application developers with streamlined WebAuthn/Passkey registration and simplified account linking to identity providers via application initiated actions.
• Broader connectivity with the ability to broker with any OAuth 2.0 compliant authorization server, and enhanced trusted email verification for OpenID Connect providers.
• Asynchronous logging for higher throughput and lower latency, ensuring more efficient deployments.
• For administrators, experimental rolling updates for patch releases mean minimized downtime and smoother upgrades.
• The custom protocol, which was previously used for client-initiated account linking, is now deprecated.
• #21995 Configurable probes in the Operator operator
• #29116 Add supported config options for additional datasources dist/quarkus
• #29596 Passkeys conditional UI: integration with username/password form authentication/webauthn
• #38465 Name for OTP device should be unique account/api
• #38985 Possibility to log details and representation to the jboss-logging listener

Package Updates

[1.3.1]

• Update keycloak to 26.3.1
• Full Changelog

Package Updates

[1.3.2]

• Update keycloak to 26.3.2
• Full Changelog
• #40237 Add option "Requires short state parameter" to OIDC IDP authentication
• #40970 Run clustering compatibility tests on release/x.y branches
• #41034 Improve logging for client sessions load
• #41257 Upgrade to Infinispan 15.0.18.Final infinispan
• #39634 Update MariaDB connector to 3.5.3 dist/quarkus
• #40553 Upgrade org.postgresql:postgresql to version 42.7.7 to address CVE-2025-49146 dependencies
• #40736 CVE-2025-49574 - Exposure of Resource to Wrong Sphere vulnerability in io.vertx:vertx-core dependencies
• #40784 Default jdbc-ping cluster setup for distributed caches fails in Oracle infinispan
• #40980 Can't update security-admin-console via admin UI with volatile sessions infinispan
• #40995 LDAP / ModelException: At least one condition should be provided to OR query core

Package Updates

[1.3.3]

• Update keycloak to 26.3.3
• Full Changelog
• #​39562 Breaking template change: Unknown locale input field added to user-profile registration page <code>user-profile</code>
• #​40984 Backchannel logout token with an unexpected signature algorithm key <code>oidc</code>
• #​41023 Can't send e-mails to international e-mail addresses: bad UTF-8 syntax <code>core</code>
• #​41098 Locked out after upgrade to 26.3.1 due to missing sub in lightweight access token <code>core</code>
• #​41268 --optimized flag and providers jar are incompatible when used with tools changing last-modify-date <code>dist/quarkus</code>
• #​41290 Concurrent starts with JDBC_PING lead to a split cluster <code>infinispan</code>
• #​41390 JDBC_PING2 doesn't merge split clusters after a while <code>infinispan</code>
• #​41421 Broken link securing-cache-communication in caching docs <code>docs</code>
• #​41423 Duplicate IDs in generated all configuration docs <code>docs</code>
• #​41469 Uncaught exception cases unclosed spans in tracing <code>dist/quarkus</code>

Package Updates

[1.3.4]

• Update keycloak to 26.3.4
• Full Changelog
• #​40630 Double check when working with multithreading. SAST
• #​42245 Upgrade to Quarkus 3.20.2.2
• #​35825 Per client session idle time capped by realm level client idle timeout core
• #​40374 Random but frequent duplicate key value violates unique constraint "constraint_offl_us_ses_pk2" errors authentication
• #​40463 Login to Account Console produces two consecutive LOGIN events account/ui
• #​40857 Unbounded login_hint Parameter Can Corrupt KC_RESTART Cookie and Break Login Flow oidc
• #​41427 Parallel token exchange fails if client session is expired token-exchange
• #​41801 Lack of coordination in database creation in 26.3.0 causes deployment failures (Reopen) core
• #​41942 Uncaught server error: org.keycloak.models.ModelException: Database operation failed : Sync LDAP Groups to Keycloak (Custom Provider) core
• #​42012 Client session timestamp not updated in the database if running multiple nodes infinispan

Package Updates

[1.3.5]

• Update keycloak to 26.3.5
• Full Changelog

Package Updates

[1.4.0]

• Update keycloak to 26.4.0
• Full Changelog
• Passkeys for seamless, passwordless authentication of users.
• Federated Client Authentication to use SPIFFE or Kubernetes service account tokens for client authentication.
• Simplified deployments across multiple availability zones to boost availability.
• FAPI 2 Final: Keycloak now supports the final specifications of FAPI 2.0 Security Profile and FAPI 2.0 Message Signing.
• DPoP: The OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP) is now fully supported. Improvements include the ability to bind only refresh tokens for public clients, and securing all Keycloak endpoints with DPoP tokens.
• FIPS 140-2 mode now supports EdDSA
• Listing supported OAuth standards on one page
• Automatic certificate management for SAML clients
• Update Email Workflow (supported)
• Optional email domain for organizations

Package Updates

[1.4.1]

• Update keycloak to 26.4.1
• Full Changelog
• #​43020 Secure Client-Initiated Renegotiation - disable by default dist/quarkus
• #​42990 Hide read-only email attribute in update profile context with update email enabled user-profile
• #​43357 JDBC_PING should publish its physical address on startup
• #​40965 Group permission denies to view user admin/fine-grained-permissions
• #​41292 openid-connect flow is missing response type on language change authentication
• #​42565 Standard Token Exchange: chain of exchanges eventually fails token-exchange
• #​42676 Security Defenses realm settings lost when switching between Headers and Brute Force Detection tabs (v25+) admin/ui
• #​42907 Race condition in authorization service leads to NullPointerException when evaluating permissions during concurrent resource deletion authorization-services
• #​43042 Avoid NPE in FederatedJWTClientAuthenticator when checking for supported assertion types core
• #​43070 Update email page with pending verification email messages prefilled with old email user-profile

Package Updates

[1.4.2]

• Update keycloak to 26.4.2
• Full Changelog
• #43351 Make pending email verification attribute removable by admin user-profile
• #43650 SPIFFE should support OIDC JWK endpoint
• #30939 Vulnerability in brute force detection settings authentication
• #43022 Incorrect Basic Auth encoding for OIDC IDentity Provider when Client ID contains colon identity-brokering
• #43244 UI crash on admin /users/add-user since 26.4.0 admin/ui
• #43561 Server does not shutdown gracefully when started with --optimized core

Package Updates

[1.4.3]

• Update keycloak to 26.4.4
• Full Changelog
• #10388 Allow to hide client scopes from scopes_supported in discovery endpoint
• #43076 Add rate limiter for sending verification emails in context of update email
• #43509 Role authorization for workflows. admin/api
• #41270 Cannot save new attribute group admin/ui
• #41271 Changing user profile attribute results in an error everytime admin/ui
• #43082 ExternalLinksTest is broken due to missing path parameters docs
• #43091 Duplicate Email Fields on Temporarily Locked Out Sign In With Organization Identity-First Login login/ui
• #43160 Regression in DEBUG_PORT handling since 26.4.0 host binding (*:port / 0.0.0.0:port) no longer works dist/quarkus
• #43460 FGAP/UI: reset-password succeeds but UI shows 403 without Users:manage admin/fine-grained-permissions
• #43505 DPoP proof replay check doesn't consider clock skew oidc

Package Updates

[1.4.4]

• Update keycloak to 26.4.5
• Full Changelog
• #​43564 Invalid liquibase check sum for jpa-changelog-2.5.0.xml <code>core</code>
• #​43718 Email Not Persisted During Registration When "Email as Username" is Enabled and User Edit Permission is Disabled <code>user-profile</code>
• #​43793 import does not seem to run db migration <code>import-export</code>
• #​43883 Creating group policy on a client uses "manage-clients" role if FGAP V1 is disabled <code>authorization-services</code>
• #​44010 Ordering attributes will unset the unmanaged attribute policy <code>user-profile</code>
• #​44031 Can't build keycloak 26.4.4 with quarkus.launch.rebuild=true <code>dist/quarkus</code>
• #​44056 Allow only normalized URLs in requests caused a regression in view authz permission details in Admin Consol <code>admin/ui</code>

Package Updates

[1.4.5]

• Update keycloak to 26.4.6
• Full Changelog
• This release adds filtering of LDAP referrals by default.
• #43323 Sessions not removed when user is deleted infinispan
• #43738 UPDATE_EMAIL action invalidates old email login/ui
• #43812 Admin console sends non-JSON payload with content-type: application/json admin/ui
• #44125 Double-encoding of query parameter values (e.g. acr_values) for version 26.4 identity-brokering
• #44189 [jdbc-ping] SQLIntegrityConstraintViolationException: Duplicate entry infinispan
• #44229 Unexpected FORMAT_FAILURE error when using cache-config-file with feature-disabled=persistent-user-sessions infinispan
• #44269 Admin Client creates malformed paths for requests admin/client-js
• #44287 Caching of static theme resources in dev mode is disabled core