Keycloak 22.0.0 released

July 11 2023

To download the release go to Keycloak downloads.

Release notes

Server Distribution

Java 11 support removed

Running the Keycloak server with Java 11 is no longer supported. Java 11 was deprecated in Keycloak 21 with the announced plan to be removed in Keycloak 22.

Upgrade to Quarkus 3.x

Keycloak upgraded to version 3.2.0.Final of the Quarkus Java framework. Quarkus 3.x continues the tradition of propelling Java development by moving fast and providing a cutting-edge user experience with the latest technologies.

Transition from Java EE to Jakarta EE

As part of upgrading to Quarkus 3.x Keycloak migrated its codebase from Java EE (Enterprise Edition) to its successor Jakarta EE, which brings various changes into Keycloak. We have upgraded all Jakarta EE specifications in order to support Jakarta EE 10.

Context and dependency injection no longer enabled to JAX-RS Resources

In order to provide a better runtime and leverage as much as possible the underlying stack, all injection points for contextual data using the javax.ws.rs.core.Context annotation were removed. The expected improvement in performance involves no longer creating proxies instances multiple times during the request lifecycle, and drastically reducing the amount of reflection code at runtime.

Upgrade to Hibernate ORM 6

Keycloak now benefits from the upgrade to Hibernate ORM 6.2, which includes improved performance, better SQL, modern JDK support, and support for modern RDBMS features.

Elytron credential store replacement

The previous and now removed WildFly distribution provided a built-in vault provider that reads secrets from a keystore-backed Elytron credential store. As this is no longer available, we have added a new implementation of the Keycloak Vault SPI called Keycloak KeyStore Vault. As the name suggests, this implementation reads secrets from a Java keystore file. Such secrets can be then used within multiple places of the Administration Console. For further details, see our guide and the latest documentation.

KeyStore Config Source added

In relation to the KeyStore Vault news, we also integrated Quarkus’s recently released feature called KeyStore Config Source. This means that among the already existing configuration sources (CLI parameters, environment variables and files), you can now configure your Keycloak server via configuration properties stored in a Java keystore file. You can learn more about this feature in the Configuration guide.

Hostname debug tool

As a number of users have had problems with configuring the hostname for the server correctly there is now a new helper tool to allow debugging the configuration.

Passthrough proxy mode changes

Installations which use Keycloak’s --proxy configuration setting with mode passthrough should review the documentation as the behavior of this mode has changed.

Export and Import perform an automatic build

In previous releases, the export and import commands required a build command to be run first. Starting with this release, the export and import commands perform an automatic rebuild of Keycloak if a build time configuration has changed.

Admin Console

Account Console v1 removal

The old Account Console (v1) is now completely removed. This version of the Account Console was marked as deprecated in Keycloak 12.

Account Console v3 promoted to preview

In version 21.1.0 of Keycloak the new Account Console (version 3) was introduced as an experimental feature. Starting this version it has been promoted to a preview feature.

Account Console template variables removed

Two of the variables exposed to the Account Console V2 and V3 templates (isEventsEnabled and isTotpConfigured) were left unused, and have been removed in this release.

It is possible that if a developer extended the Account Console theme, he or she could make use of these variables. So make sure that these variables are no longer used if you are extending the base theme.

Changes to custom Admin Console messages

The Admin Console (and soon also the new Account Console) works slightly different than the rest of Keycloak in regards to how keys for internationalized messages are parsed. This is due to the fact that it uses the i18next library for internationalization. Therefore when defining custom messages for the Admin Console under "Realm Settings" ➡ "Localization" best practices for i18next must be taken into account. Specifically, when defining a message for the Admin Console it is it important to specify a namespace in the key of your message.

For example, let’s assume we want to overwrite the welcome message shown to the user when a new realm has been created. This message is located in the dashboard namespace, same as the name of the original file that holds the messages (dashboard.json). If we wanted to overwrite this message we’ll have to use the namespace as a prefix followed by the key of the message separated by a colon, in this case it would become dashboard:welcome.

JavaScript adapter

Legacy Promise API removed

With this release, we have removed the legacy Promise API methods from the Keycloak JS adapter. This means that calling .success() and .error() on promises returned from the adapter is no longer possible.

Required to be instantiated with the `new` operator

In a previous release we started to actively log deprecation warnings when the Keycloak JS adapter is constructed without the new operator. Starting this release doing so will throw an exception instead. This is to align with the expected behavior of JavaScript classes, which will allow further refactoring of the adapter in the future.

Admin API

Renamed Admin library artifacts

After the upgrade to Jakarta EE, artifacts for Keycloak Admin clients were renamed to more descriptive names with consideration for long-term maintainability. We still provide two separate Keycloak Admin clients, one with Jakarta EE and the other with Java EE support.

Support for count users based on custom attributes

The User API now supports querying the number of users based on custom attributes. For that, a new q parameter was added to the /{realm}/users/count endpoint.

The q parameter expects the following format q=<name>:<value> <name>:<value>. Where <name> and <value> represent the attribute name and value, respectively.

Operator

k8s.keycloak.org/v2alpha1 changes

The are additional fields available in the keycloak.status to facilitate keycloak being a scalable resource. There are also additional fields that make the status easier to interpret such as observedGeneration and condition observedGeneration and lastTransitionTime fields.

The condition status field was changed from a boolean to a string for conformance with standard Kubernetes conditions. In the CRD it will temporarily be represented as accepting any content, but it will only ever be a string. Please make sure any of your usage of this field is updated to expect the values "True", "False", or "Unknown", rather than true or false.

Co-management of Operator Resources

In scenarios where advanced management is needed you may now directly update most fields on operator managed resources that have not been set by the operator directly. This can be used as an alternative to the unsupported stanza of the Keycloak spec. Like the unsupported stanza these direct modifications are not considered supported. If your modifications prevent the operator from being able to manage the resource, there Keycloak CR will show this error condition and the operator will log it.

Identity Brokering

Essential claim configuration in OpenID Connect identity providers

OpenID Connect identity providers support a new configuration to specify that the ID tokens issued by the identity provider must have a specific claim, otherwise the user can not authenticate through this broker.

The option is disabled by default; when it is enabled, you can specify the name of the JWT token claim to filter and the value to match (supports regular expression format).

Support for JWE encrypted ID Tokens and UserInfo responses in OpenID Connect providers

The OpenID Connect providers now support Json Web Encryption (JWE) for the ID Token and the UserInfo response. The providers use the realm keys defined for the selected encryption algorithm to perform the decryption.

Hardcoded group mapper

The new hardcorded group mapper allows adding a specific group to users brokered from an Identity Provider.

User session note mapper

The new user session note mapper allows mapping a claim to the user session notes.

LDAP Federation

LDAPS-only Truststore option removed

LDAP option to use truststore SPI Only for ldaps has been removed. This parameter is used to select truststore for TLS-secured LDAP connection: either internal Keycloak truststore is picked (Always), or the global JVM one (Never).

Deployments where Only for ldaps was used will automatically behave as if Always option was selected for TLS-secured LDAP connections.

Removed Openshift integration feature

The openshift-integration preview feature that allowed replacing the internal IdP in OpenShift 3.x with Keycloak was removed from Keycloak codebase into separate extension project.

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

New features

#8750 Require user to agree to 'terms and conditions' during registration keycloak
#11089 Securing credentials/passwords not possible with Quarkus distribution keycloak dist/quarkus
#11632 Enable Horizontal Pod Autoscaling for Keycloak deployed with the new Operator keycloak
#15101 Support OpenJDK 19 keycloak
#15910 Hostname debug tool keycloak dist/quarkus
#17252 Add Keycloak Keystore Vault implementation keycloak dist/quarkus
#17659 Claim to User Session Note Idp Mapper keycloak oidc
#19650 Supporting reference access/refresh tokens keycloak
#19968 Allow changing admin console logo and favicon from theme.properties keycloak
#20016 Group attribute query is missing QueryParams in java admin client keycloak admin/client-java
#20262 SSSD integration in Quarkus distribution keycloak
#20625 Add support to the Operator for setting default labels on Keycloak pods keycloak operator
#21254 Support for JWE IDToken and UserInfo tokens in OIDC brokers keycloak identity-brokering

Enhancements

#356 Update QuickStarts documentation to Quarkus distribution keycloak-quickstarts
#357 Re-enable test that where disabled when updating test for the Quarkus dist keycloak-quickstarts
#407 Nashorn dependency no longer needed in quickstarts keycloak-quickstarts
#412 Doublecheck "provider" quickstarts with quarkus3 based Keycloak distribution keycloak-quickstarts
#416 user-storage-* provider quickstarts keycloak-quickstarts
#417 Event listener sysout quickstart keycloak-quickstarts
#421 Event store mem quickstart keycloak-quickstarts
#428 Extend-account-console quickstart keycloak-quickstarts
#436 Remove keycloak-remote profile keycloak-quickstarts
#1791 Clarification on user registration and identity brokering keycloak-documentation
#8753 Reset Credentials Flow does not delete existing OTP keycloak authentication
#9075 Remove any unnecessary dependency from distribution keycloak dist/quarkus
#9434 OTP base32 decode improvements keycloak
#10285 Expose deployment errors in the status field of Keycloak CR keycloak operator
#10562 Support multiple KC instances in a single namespace keycloak operator
#10736 Use SchemaSwap instead of shell script for Realm CRD generatio keycloak operator
#10911 Use Quarkus JOSDK to generate CSV for OLM in the operator keycloak operator
#11015 Use dist Quarkus version in the operator keycloak dist/quarkus
#11561 Non ASCII characters in TOTP secret not supported in 2FA configurations keycloak authentication
#11759 Add support to indicate desired locale on init func with onLoad: 'login-required' options keycloak adapter/javascript
#12593 Add a name to the keycloak port in the service keycloak
#13074 Operator CRD status incompatible with kstatus keycloak operator
#14747 Addition of Custom User Attribute Filter to Users API Count Endpoint keycloak
#15003 Enable IPv6 dualstack support by default keycloak dist/quarkus
#15044 Clean `RealmProvider` from methods from other areas keycloak storage
#15046 Remove methods for old default roles approach keycloak storage
#15136 Back to Application link should be client specific with the UPDATE_EMAIL feature keycloak
#15434 Customize log messages for user storage LDAP configuration in KC shown in admin UI keycloak
#15454 Update migration guide with the changes that need to be done for developers using JAX-RS in their extensions keycloak
#15490 Update Datastore provider to contain full data model keycloak storage
#15789 "Failed to add user 'admin' ..." should not be an ERROR keycloak dist/quarkus
#15947 support parameters like "uri" and "matchingUri" in the UMA grant token endpoint keycloak
#16535 Group Attribute Search Erroneously returns when searching for nested group keycloak storage
#16800 Operator Support for missing leading slash and present trailing slash in `http-relative-path` keycloak operator
#16849 Add "Enable new user after creation" option for Active Directory keycloak
#16902 Refine the set of RPMs included in the keycloak container image keycloak dist/quarkus
#16967 Minimize the RPM content of the Operator container keycloak operator
#16977 CRDB optimization: Optimize selects targeting the primary key or unique keys keycloak storage
#17470 security enhancement : representation of admin events & credentials keycloak
#17484 Migrate realms if configured to use RH-SSO themes keycloak
#19792 Javascript example not printing errors keycloak docs
#19924 Allow pre-filled GitHub issue forms via links from docs keycloak docs
#19959 Add missing Spanish translations for login keycloak translations
#19965 Add `lang` attribute to HTML tag of UIs keycloak account/ui
#19990 Only add Access properties on groups, if the fine grain feature is on keycloak
#20067 Upgrading to Infinispan 14.0.8 keycloak
#20191 Conditional login through identity provider keycloak
#20200 account console v3 theme.properties customizations keycloak
#20216 Correct formatting in Server Developer guide keycloak
#20250 Adhere to HTML standard when using `ul`-element keycloak
#20263 SSSD documentation updated for quarkus distribution keycloak
#20265 SSSD testing with GH actions keycloak
#20303 UserPropertyMapper generated exceptions on mapping keycloak
#20305 Upgrade JNA library keycloak
#20386 Client executor for reject implicit grant when enabled for clients keycloak oidc
#20388 Upgrade owasp html sanitizer to newest version keycloak
#20469 Look ahead window setting in OTP policy is not accurate keycloak admin/ui
#20486 Enable `simple-cache` for `local-cache` keycloak
#20496 Move openshift client integration to separate extension keycloak core
#20497 Move http-challenge authentication flow and the related authenticators to the extension keycloak authentication
#20548 Also run Cypress tests on Firefox keycloak testsuite
#20576 Allow custom annotation in Ingress keycloak
#20582 Show warning message when overriding build options during starts keycloak
#20623 FAPI 2.0 security profile - not allow an authorization request whose parameters were not included in PAR request keycloak
#20674 Increase the length of password hash iterations password-policy input in admin ui keycloak admin/ui
#20689 Removing unnecessary message from main command help text keycloak
#20710 FAPI 2.0 security profile - not allow an authorization request whose parameters were not included in Request Object pushed to PAR request keycloak
#20773 Add Hardcoded Group mapper to Identify Provider configuration keycloak
#20783 Ability for users to view credentials without manage user permissions keycloak admin/api
#20791 Update docs (and maybe tooltips) for timeout changes keycloak docs
#20817 Improve start page on the account ui keycloak account/ui
#20994 Update securing_applications guide for latest adapter changes (community) keycloak docs
#21064 Allow any JGroups stack with --cache-stack keycloak
#21163 Support for the `locale` user attribute keycloak
#21167 Add missing Polish translations keycloak translations
#21176 Remove adapters from product documentation keycloak docs
#21272 Upgrade to Quarkus 3.2.0.Final keycloak
#21283 Add `iat` claim to JWT that is passed to CIBA HttpAuthenticationChannel keycloak
#21476 When essential claim check fails the error message should provide detailed information keycloak
#21493 Enable publishNotReadyAddresses for discovery service keycloak

Bugs

#369 Quickstarts for action-token-authenticator / action-token-required-action not working keycloak-quickstarts
#409 Legacy quickstart tests are failing since quarkus3 upgrade keycloak-quickstarts
#437 Tests does not work on OpenJDK 17 for quickstarts keycloak-quickstarts
#9299 Refresh token with offline_access scope affected by session idle/session max keycloak oidc
#9313 LDAPS Bind test fails with SSLHandshakeException while LDAP connection test works keycloak ldap
#10110 Unable to add more than 6 acceptable AAGUIDs for WebAuthn keycloak authentication/webauthn
#10195 User search with LDAP federation not consistent keycloak ldap
#11079 SLO and ACS Binding are linked with AuthnRequest Binding in SAML Identity Broker Metadata keycloak saml
#11728 SSSD Federation fails with NPE after upgrade keycloak authentication
#11990 Negative refresh token expiration (exp timestamp in the past) keycloak oidc
#12012 KEYCLOAK-17116 Copy of Browser Flow overrides an original one keycloak authentication
#12018 Trust Store hostname-verification-policy=ANY seems to be ignored keycloak docs
#12720 Clearify the use of `db-url-properties` keycloak docs
#12745 [keycloak-js] multiple init call with onload option as check-sso cause redirects keycloak adapter/javascript
#12939 importing bin/kc.[sh|bat] import --file doesn't work when using external database keycloak dist/quarkus
#13542 MigrationTest for KC 17 failures in the pipeline keycloak testsuite
#13543 RecoveryAuthnCodesAuthenticatorTest failures in the pipeline keycloak testsuite
#13922 Switching Locale after Completing an admin triggered required action yields an error keycloak authentication
#14441 Client-secret with special character (+) for authorization is failing in 19.0.2 keycloak oidc
#14617 ID token is not including roles keycloak oidc
#14851 Realm update fails when realm has many Identity Providers configured and saves rep. with Admin Events keycloak admin/api
#14854 Client session lifespan doesn't consider user session lifespan keycloak authentication
#15337 User Session Note Mapper no longer adds IMPERSONATOR_USERNAME as SAML attribute keycloak saml
#15536 Able to modify built-in flow keycloak admin/api
#15782 Unable to perform export when server was started with new storage keycloak dist/quarkus
#15845 Realm localization: Inconsistent message resolving regarding language fallbacks for different themes keycloak core
#15853 Incorrect Signature algorithms presented by Client Authenticator keycloak oidc
#15898 Keycloak Export only accept H2 datase-URL (Datasource: URL format error; must be jdbc:h2 ... but is jdbc:mariadb: ...) keycloak dist/quarkus
#16165 SSSD User Federation dissapeared in 20.0.1/20.0.2 keycloak authentication
#16166 Set OpenShift as a "Social Identity Provider" cannot work keycloak identity-brokering
#16321 Single client export bug keycloak docs
#16507 Hibernate 6 upgrade: Warning SqmDynamicInstantiation about dynamic Map instantiation keycloak storage
#16551 Quarkus 3: RealmModelTest.testRealmLocalizationTexts fails keycloak testsuite
#16577 Setting user password and entering "password confirmation" first leads to blocking of "save" keycloak admin/ui
#16613 Impossible to update a federated user credential label keycloak admin/api
#16833 Update documentation around `View all users` behavior in the new admin console keycloak docs
#16992 upgrading from v18.0.2 to 19.0.3 or 20.0.3 fails with ERROR duplicate key value violates unique constraint "constraint_3c" keycloak core
#17130 Theme & Provider folder empty in KeyCloak 20.0.3 keycloak docs
#17288 New Referrer-policy breaks cross-origin SP<->IdP (KC) keycloak saml
#17294 Make LDAP `searchForUsersStream` consistent with other storages keycloak storage
#17304 javax.net.ssl.SSLException exceptions because org.keycloak.adapters.HttpClientBuilder ignores connectionTTL setting keycloak oidc
#17312 Error updating old version (Keycloak 8) to Keycloak 20. NPE thrown due the realm.getDefaultRole() keycloak core
#17377 Error: realms.removeSession wrong generic type keycloak admin/client-js
#17388 Incorrect Url on Keycloak Health - Liveness and Readiness, no Startup Probes keycloak operator
#17581 `JpaUserProvider` count methods are inconsistent with `searchForUser`'s param filter handling keycloak storage
#19096 Memory issue with PathCache when running the traffic keycloak authorization-services
#19136 Report an issue link points to Jira instead of GHI keycloak docs
#19155 Priority not sent to server when adding new RSA key provider keycloak admin/ui
#19156 Server Deployment documentation is not updated to Quarkus keycloak docs
#19193 Slow Query Caused By Composite Indexes Order On Broker Link Table keycloak storage
#19257 User ID is ignored in partial import keycloak import-export
#19323 Hibernate 6: Entity in Key not returned when querying keycloak storage
#19368 Facebook identity provider not working keycloak identity-brokering
#19485 SignatureProvider not showing up in the Default Signature Algorithm list keycloak admin/ui
#19530 Custom ResetCredentialEmail does not work after upgrade to Keycloak 21 keycloak core
#19575 Account Console II doesn't remove TOTP from UserStorage keycloak account/api
#19596 A way to override internal SPI after KC 21 keycloak core
#19638 Custom User Storage Provider doesn't look up users after saving changes keycloak admin/ui
#19675 Gzip cache is only invalidated upon Keycloak version changes keycloak core
#19677 AlreadyLoggedIn when impersonating a user in a SAML client keycloak core
#19725 Operator restarts occasionally result in recreation of managed keycloak Statefulset Pods keycloak operator
#19746 Email settings erased after any change on realm settings keycloak admin/ui
#19763 Documentation for User Storage Spi is incorrect keycloak storage
#19777 Custom providers are not loaded properly in KC21 keycloak core
#19805 Custom SignatureProviderFactory is not working as expected after Keycloak 21 upgrade keycloak core
#19814 Testsuite must rely on IDs from Keycloak keycloak testsuite
#19818 Support for realm-less entities in login failures keycloak storage
#19844 NPE when updating a subflow in an authentication flow keycloak admin/api
#19849 Incorrect HTTP status reported when DNS resolver is not available (and DB connection unavailable due to that) keycloak core
#19852 Admin UI does not respect default values for custom authenticator configurations keycloak admin/ui
#19897 Create a Client Policy on realm with client-roles or client-scopes condition raises an expection on the Client details keycloak admin/ui
#19932 Test app is not functioning - https://www.keycloak.org/app/ keycloak docs
#19933 Account v3 - account console link redirect to master realm keycloak account/ui
#19942 New Flow created for Post Login Flow IDP not mark "Used by" at Flows keycloak admin/ui
#19950 Logout redirect URL truncated since v20 keycloak oidc
#19957 User search with more than two keywords returns empty list keycloak storage
#19982 Default Roles show all roles if "Hide inherited roles" is not checked keycloak admin/ui
#20007 Conditional user attribute authenticator does not match the joined groups keycloak oidc
#20009 authenticator javaScript Provider always failed the login, user context is lost and break the login keycloak core
#20013 Flaky test: org.keycloak.testsuite.adapter.servlet.OfflineServletsAdapterTest#testServlet keycloak ci
#20020 Cannot find @Generated annotation for ServicesLogger keycloak dependencies
#20070 Update passthrough behavior and docs keycloak dist/quarkus
#20077 Conditionally build WildFly adapters for our testsuite keycloak testsuite
#20085 Custom theme - url.resourcesCommonPath references wrong theme keycloak admin/api
#20097 FederatedUserLink always points to LDAP keycloak admin/ui
#20101 Duplicated serverPrincipal property in LDAPStorageProviderFactory keycloak storage
#20105 Unable to template emails in EventListenerProvider (No realm in provided KeycloakSession) keycloak authentication
#20119 Support for non-XA databases keycloak storage
#20182 User defined message bundles do not apply correctly to Admin Console keycloak admin/ui
#20194 Valid redirect URI & web origin input fields display when "Standard flow" is disabled keycloak admin/ui
#20202 Flaky test: org.keycloak.testsuite.model.session.OfflineSessionPersistenceTest#testLazyClientSessionStatsFetching keycloak ci
#20259 Failing ExternalLinks tests for old Keycloak JIRA Links keycloak docs
#20261 Quarkus 3 build properties break product build keycloak dist/quarkus
#20269 Flaky test: org.keycloak.testsuite.model.infinispan.CacheExpirationTest#testCacheExpiration keycloak ci
#20329 Additional Provider Info only shows at end of list not below provider keycloak admin/ui
#20331 Keycloak-js crasher: Missing null checks. Websites that have inline scripts without a src attribute as src attributes are not required. keycloak adapter/javascript
#20332 Error 500 after signin to admin console: NullPointerException keycloak core
#20349 WebAuthn test fails in the GHA keycloak testsuite
#20372 keycloak-js-admin-client and keycloak-js-adapter do not build when a maven proxy is configured keycloak
#20384 Fix User Federation tests after Q3 upgrade keycloak testsuite
#20385 Servlet tests for JBoss-based adapters with TLS are broken keycloak testsuite
#20387 Productization issue related to JNA upgrade keycloak dependencies
#20401 SAML error not shown to user keycloak admin/ui
#20426 ClientScope changes don't invalidate the realm cache keycloak storage
#20433 Administration / Keycloak Admin REST API documentation can no longer be generated keycloak docs
#20443 Avoid NPE while fetching offline sessions keycloak storage
#20459 Changing the email address has no impact at username regardless "Email as username" toggle keycloak user-profile
#20481 Fix tests related to file storage keycloak testsuite
#20489 Admin UI - unable to load user's groups when large number of groups defined for the realm keycloak admin/ui
#20498 When user federation is enabled, admin console user search doesn't show search field keycloak admin/ui
#20503 Enabled User Event Types not visible when "Save events" disabled. keycloak admin/ui
#20506 User events settings - "Save events" toggle doesn't always activate Save button. keycloak admin/ui
#20510 Ensure proper escaping for LDAP keycloak storage
#20534 For versions > 18.x.x client mapper is not able to override "name" for OpenID tokens keycloak oidc
#20536 [Declarative User Profile] Optional attributes become required keycloak admin/ui
#20540 `register-node-at-startup` in EAP Client Adapter eventually causes "java.lang.OutOfMemoryError: unable to create native thread keycloak adapter/jee
#20541 Identity providers initialization has to use models keycloak storage
#20550 Update example custom cache configuration for v>21 keycloak docs
#20564 keycloak-admin-client does not url-encode client id and secret for basic auth as defined in RFC6749 keycloak admin/client-js
#20599 Introduced additional dependencies in the testsuite keycloak testsuite
#20615 Moving a group to root loses all its members keycloak admin/ui
#20622 FAPI 2.0 security profile - Reject Implicit Grant executor does not return an appropriate error keycloak oidc
#20635 Add back examples for Kubernetes and Openshift to the quickstarts keycloak core
#20656 Reset password does not show option to sign out from other devices keycloak authentication
#20670 Could not process response from SAML identity provider because "this.text" is null keycloak identity-brokering
#20671 Userinfo endpoint doesn't accept charset keycloak oidc
#20673 Missing SAML Allow ECP Flow option keycloak admin/ui
#20694 Selecting one mapper and switch page select them all keycloak admin/ui
#20700 REST API Documentation ref wrong keycloak docs
#20703 Realm export performance heavily depends on the amount of users per file keycloak import-export
#20723 Keycloak deployed via new keycloak-operator triggers OpenShift alert `IngressWithoutClassName` keycloak operator
#20725 Denial of Service/100% CPU usage: CRLUtils in infinite loop if more than one CRL list is used from different CAs keycloak core
#20732 Keycloak erases form data on validation when `login_hint` is present keycloak account/ui
#20757 SEND_RESET_PASSWORD event is not stored keycloak admin/api
#20782 Mappers tab is not reachable on identity provider settings keycloak admin/ui
#20831 Webauthn signature algorithms are improperly encoded as strings keycloak authentication/webauthn
#20835 There is no server side pagination for sessions keycloak admin/ui
#20847 Private key JWT authentication no longer works on Keycloak 21 keycloak authentication
#20851 Empty shortVerificationUri not the same with default (null) value keycloak authentication
#20855 Session cross-reference / transaction mismatch keycloak core
#20878 Emails with non-ascii characters are not allowed since v21.0.0 keycloak user-profile
#20888 Flaky test: org.keycloak.operator.testsuite.integration.ClusteringTest#testKeycloakScaleAsExpected keycloak operator
#20895 Keycloak's default http client doesn't check HTTP response code keycloak core
#20920 keycloak-server from testsuite won't start keycloak testsuite
#20947 Partial Import is not working for resource Type in keycloak 21.1.1 keycloak import-export
#20951 Jump links render wrong on small screens keycloak admin/ui
#20954 Performance degradation when upgrading from RHSSO 7.6 to KC22 caused by TLSv1.3 processing keycloak dist/quarkus
#20974 Avoid loading classes and resources from new store if legacy is enabled keycloak storage
#20977 NPE when shutting down JPA after a failed initialization keycloak storage
#20978 processGrantRequest in TokenEndPoint uses new TokenManager instead of this.tokenMananager keycloak oidc
#21045 Custom User Storage Provider gets disabled when saved keycloak admin/ui
#21047 Role details not visible unless the user has "View Realm" enabled keycloak admin/ui
#21095 Group list isn't filtered based on permission like user lists keycloak admin/fine-grained-permissions
#21106 Service Account Impersonation fails and results in weird browser state keycloak core
#21120 Client scopes mapping not available for users with "view-clients" and "query-clients" keycloak admin/ui
#21234 custom user storage provider update in admin-ui disables it, and stores value “t” as enabled keycloak admin/ui
#21242 GroupResource POST /children cannot update existing subgroups keycloak admin/api
#21263 Broken Links / Redirects Issues in Docs - 2023-06-27 keycloak docs
#21290 UserSessionConcurrencyTest#testConcurrentNotesChange fails intermittently keycloak testsuite
#21295 UserSessionProviderModelTest#testRemoteCachesParallel sessions are not removed after the test keycloak testsuite
#21300 Keycloak Docs for Native App Redirect URI Should Recommend the IP literal keycloak docs
#21307 3rd party check in iframe not working anymore in safari and keycloak 21.1.2 keycloak oidc
#21317 [docs] External Links Errors - saml.xml.org http -> https redirect keycloak docs
#21349 List of tested database in docs doesn't match pom.xml keycloak docs
#21358 NPE in Edit Identity Provider Mapper on second Save keycloak admin/ui
#21394 SSSD users with capitals in the email cannot login to keycloak keycloak core
#21412 JavascriptAdapterTest is broken due to the multiple initialization of JS adapter keycloak testsuite
#21427 Nexus staging plugin failing after Java 11 deprecation keycloak ci
#21451 Cookie error on second browser tab keycloak core
#21456 Quarkus 3.2 changed the property for quarkus.transaction-manager.object-store-directory keycloak dist/quarkus
#21491 Wrong message for sync actions on LDAP role mapper keycloak admin/ui