Keycloak - Package Updates
-
[1.3.1]
- Update keycloak to 26.3.1
- Full Changelog
-
[1.3.2]
- Update keycloak to 26.3.2
- Full Changelog
- #40237 Add option "Requires short state parameter" to OIDC IDP authentication
- #40970 Run clustering compatibility tests on release/x.y branches
- #41034 Improve logging for client sessions load
- #41257 Upgrade to Infinispan 15.0.18.Final infinispan
- #39634 Update MariaDB connector to 3.5.3 dist/quarkus
- #40553 Upgrade org.postgresql:postgresql to version 42.7.7 to address CVE-2025-49146 dependencies
- #40736 CVE-2025-49574 - Exposure of Resource to Wrong Sphere vulnerability in io.vertx:vertx-core dependencies
- #40784 Default jdbc-ping cluster setup for distributed caches fails in Oracle infinispan
- #40980 Can't update security-admin-console via admin UI with volatile sessions infinispan
- #40995 LDAP / ModelException: At least one condition should be provided to OR query core
-
[1.3.3]
- Update keycloak to 26.3.3
- Full Changelog
- #39562 Breaking template change: Unknown
localeinput field added to user-profile registration page <code>user-profile</code> - #40984 Backchannel logout token with an unexpected signature algorithm key <code>oidc</code>
- #41023 Can't send e-mails to international e-mail addresses: bad UTF-8 syntax <code>core</code>
- #41098 Locked out after upgrade to 26.3.1 due to missing sub in lightweight access token <code>core</code>
- #41268
--optimizedflag and providers jar are incompatible when used with tools changinglast-modify-date<code>dist/quarkus</code> - #41290 Concurrent starts with JDBC_PING lead to a split cluster <code>infinispan</code>
- #41390 JDBC_PING2 doesn't merge split clusters after a while <code>infinispan</code>
- #41421 Broken link securing-cache-communication in caching docs <code>docs</code>
- #41423 Duplicate IDs in generated all configuration docs <code>docs</code>
- #41469 Uncaught exception cases unclosed spans in tracing <code>dist/quarkus</code>
-
[1.3.4]
- Update keycloak to 26.3.4
- Full Changelog
- #40630 Double check when working with multithreading. SAST
- #42245 Upgrade to Quarkus 3.20.2.2
- #35825 Per client session idle time capped by realm level client idle timeout core
- #40374 Random but frequent duplicate key value violates unique constraint "constraint_offl_us_ses_pk2" errors authentication
- #40463 Login to Account Console produces two consecutive LOGIN events account/ui
- #40857 Unbounded login_hint Parameter Can Corrupt KC_RESTART Cookie and Break Login Flow oidc
- #41427 Parallel token exchange fails if client session is expired token-exchange
- #41801 Lack of coordination in database creation in 26.3.0 causes deployment failures (Reopen) core
- #41942 Uncaught server error: org.keycloak.models.ModelException: Database operation failed : Sync LDAP Groups to Keycloak (Custom Provider) core
- #42012 Client session timestamp not updated in the database if running multiple nodes infinispan
-
[1.3.5]
- Update keycloak to 26.3.5
- Full Changelog
-
[1.4.0]
- Update keycloak to 26.4.0
- Full Changelog
- Passkeys for seamless, passwordless authentication of users.
- Federated Client Authentication to use SPIFFE or Kubernetes service account tokens for client authentication.
- Simplified deployments across multiple availability zones to boost availability.
- FAPI 2 Final: Keycloak now supports the final specifications of FAPI 2.0 Security Profile and FAPI 2.0 Message Signing.
- DPoP: The OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP) is now fully supported. Improvements include the ability to bind only refresh tokens for public clients, and securing all Keycloak endpoints with DPoP tokens.
- FIPS 140-2 mode now supports EdDSA
- Listing supported OAuth standards on one page
- Automatic certificate management for SAML clients
- Update Email Workflow (supported)
- Optional email domain for organizations
-
[1.4.1]
- Update keycloak to 26.4.1
- Full Changelog
- #43020 Secure Client-Initiated Renegotiation - disable by default
dist/quarkus - #42990 Hide read-only email attribute in update profile context with update email enabled
user-profile - #43357 JDBC_PING should publish its physical address on startup
- #40965 Group permission denies to view user
admin/fine-grained-permissions - #41292 openid-connect flow is missing response type on language change
authentication - #42565 Standard Token Exchange: chain of exchanges eventually fails
token-exchange - #42676 Security Defenses realm settings lost when switching between Headers and Brute Force Detection tabs (v25+)
admin/ui - #42907 Race condition in authorization service leads to NullPointerException when evaluating permissions during concurrent resource deletion
authorization-services - #43042 Avoid NPE in FederatedJWTClientAuthenticator when checking for supported assertion types
core - #43070 Update email page with pending verification email messages prefilled with old email
user-profile
-
[1.4.2]
- Update keycloak to 26.4.2
- Full Changelog
- #43351 Make pending email verification attribute removable by admin user-profile
- #43650 SPIFFE should support OIDC JWK endpoint
- #30939 Vulnerability in brute force detection settings authentication
- #43022 Incorrect Basic Auth encoding for OIDC IDentity Provider when Client ID contains colon identity-brokering
- #43244 UI crash on admin
/users/add-usersince 26.4.0 admin/ui - #43561 Server does not shutdown gracefully when started with --optimized core
-
[1.4.3]
- Update keycloak to 26.4.4
- Full Changelog
- #10388 Allow to hide client scopes from scopes_supported in discovery endpoint
- #43076 Add rate limiter for sending verification emails in context of update email
- #43509 Role authorization for workflows.
admin/api - #41270 Cannot save new attribute group
admin/ui - #41271 Changing user profile attribute results in an error everytime
admin/ui - #43082 ExternalLinksTest is broken due to missing path parameters
docs - #43091 Duplicate Email Fields on Temporarily Locked Out Sign In With Organization Identity-First Login
login/ui - #43160 Regression in DEBUG_PORT handling since 26.4.0 host binding (*:port / 0.0.0.0:port) no longer works
dist/quarkus - #43460 FGAP/UI:
reset-passwordsucceeds but UI shows 403 without Users:manageadmin/fine-grained-permissions - #43505 DPoP proof replay check doesn't consider clock skew
oidc
-
[1.4.4]
- Update keycloak to 26.4.5
- Full Changelog
- #43564 Invalid liquibase check sum for jpa-changelog-2.5.0.xml <code>core</code>
- #43718 Email Not Persisted During Registration When "Email as Username" is Enabled and User Edit Permission is Disabled <code>user-profile</code>
- #43793 import does not seem to run db migration <code>import-export</code>
- #43883 Creating group policy on a client uses "manage-clients" role if FGAP V1 is disabled <code>authorization-services</code>
- #44010 Ordering attributes will unset the unmanaged attribute policy <code>user-profile</code>
- #44031 Can't build keycloak 26.4.4 with quarkus.launch.rebuild=true <code>dist/quarkus</code>
- #44056 Allow only normalized URLs in requests caused a regression in view authz permission details in Admin Consol <code>admin/ui</code>
