Keycloak 23.0.0 released

November 23 2023

To download the release go to Keycloak downloads.

Highlights

OpenID Connect / OAuth 2.0

FAPI 2 drafts support

Keycloak has new client profiles fapi-2-security-profile and fapi-2-message-signing, which ensure Keycloak enforces compliance with the latest FAPI 2 draft specifications when communicating with your clients. Thanks to Takashi Norimatsu for the contribution.

DPoP preview support

Keycloak has preview for support for OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP). Thanks to Takashi Norimatsu and Dmitry Telegin for their contributions.

More flexibility for introspection endpoint

In previous versions, introspection endpoint automatically returned most claims, which were available in the access token. Now there is new switch Add to token introspection on most of protocol mappers. This addition allows more flexibility as introspection endpoint can return different claims than access token. This is first step towards "Lightweight access tokens" support as access tokens can omit lots of the claims, which would be still returned by the introspection endpoint. When migrating from previous versions, the introspection endpoint should return same claims, which are returned from access token, so the behavior should be effectively the same by default after the migration. Thanks to Shigeyuki Kabano for the contribution.

Feature flag for OAuth 2.0 device authorization grant flow

The OAuth 2.0 device authorization grant flow now includes a feature flag, so you can easily disable this feature. This feature is still enabled by default. Thanks to Thomas Darimont for the contribution.

Authentication

Passkeys support

Keycloak has preview support for Passkeys.

Passkey registration and authentication are realized by the features of WebAuthn. Therefore, users of Keycloak can do passkey registration and authentication by existing WebAuthn registration and authentication.

Both synced passkeys and device-bound passkeys can be used for both Same-Device and Cross-Device Authentication. However, passkeys operations success depends on the user’s environment. Make sure which operations can succeed in the environment. Thanks to Takashi Norimatsu for the contribution and thanks to Thomas Darimont for the help with the ideas and testing of this feature.

WebAuthn improvements

WebAuthn policy now includes a new field: Extra Origins. It provides better interoperability with non-Web platforms (for example, native mobile applications). Thanks to Charley Wu for the contribution.

You are already logged-in

There was an infamous issue that when user had login page opened in multiple browser tabs and authenticated in one of them, the attempt to authenticate in subsequent browser tabs opened the page You are already logged-in. This is improved now as other browser tabs just automatically authenticate as well after authentication of first browser tab. There are still corner cases when the behaviour is not 100% correct, like the scenario with expired authentication session, which is then restarted just in one browser tab and hence other browser tabs won’t follow automatically with the login. So we still plan improvements in this area.

Password policy for specify Maximum authentication time

Keycloak supports new password policy, which allows to specify the maximum age of an authentication with which a password may be changed by user without re-authentication. When this password policy is set to 0, the user will be required to re-authenticate to change the password in the Account Console or by other means. You can also specify a lower or higher value than the default value of 5 minutes. Thanks to Thomas Darimont for the contribution.

Deployments

Preview support for multi-site active-passive deployments

Deploying Keycloak to multiple independent sites is essential for some environments to provide high availability and a speedy recovery from failures. This release adds preview-support for active-passive deployments for Keycloak.

A lot of work has gone into testing and verifying a setup which can sustain load and recover from the failure scenarios. To get started, use the high-availability guide which also includes a comprehensive blueprint to deploy a highly available Keycloak to a cloud environment.

Adapters

OpenID Connect WildFly and JBoss EAP

OpenID Connect adapter for WildFly and JBoss EAP, which was deprecated in previous versions, has been removed in this release. It is being replaced by the Elytron OIDC adapter,which is included in WildFly, and provides a seamless migration from Keycloak adapters.

SAML WildFly and JBoss EAP

The SAML adapter for WildFly and JBoss EAP is no longer distributed as a ZIP download, but rather a Galleon feature pack, making it easier and more seamless to install.

See the Securing Applications and Services Guide for the details.

Server distribution

Load Shedding support

Keycloak now features http-max-queued-requests option to allow proper rejecting of incoming requests under high load. For details refer to the production guide.

RESTEasy Reactive

Keycloak has switched to RESTEasy Reactive. Applications using quarkus-resteasy-reactive should still benefit from a better startup time, runtime performance, and memory footprint, even though not using reactive style/semantics. SPI’s that depend directly on JAX-RS API should be compatible with this change. SPI’s that depend on RESTEasy Classic including ResteasyClientBuilder will not be compatible and will require update, this will also be true for other implementation of the JAX-RS API like Jersey.

User profile

Declarative user profile is still a preview feature in this release, but we are working hard on promoting it to a supported feature. Feedback is welcome. If you find any issues or have any improvements in mind, you are welcome to create Github issue, ideally with the label area/user-profile. It is also recommended to check the Upgrading Guide with the migration changes for this release for some additional informations related to the migration.

Group scalability

Performance around searching of groups is improved for the use-cases with many groups and subgroups. There are improvements, which allow paginated lookup of subgroups. Thanks to Alice for the contribution.

Themes

Localization files for themes default to UTF-8 encoding

Message properties files for themes are now read in UTF-8 encoding, with an automatic fallback to ISO-8859-1 encoding.

See the migration guide for more details.

Storage

Removal of the Map Store

The Map Store has been an experimental feature in previous releases. Starting with this release, it is removed and users should continue to use the current JPA store. See the migration guide for details.

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

New features

#23155 [WebAuthn] origin validation not support for non-Web platforms core

Enhancements

#431 Remove Wildfly/EAP OIDC and SAML adapter downloads web
#505 Quickstarts - Wildfly upgrade and README cleanup quickstarts
#510 SAML quickstart - provisioning of SAML adapter via Galleon quickstarts
#9318 User profile configuration API is incorrectly typed docs
#10128 Improve failed test behaviour operator
#10620 Internationalized Domain Names in email address user-profile
#10713 Update the server to use RESTEasy Reactive
#10803 Persist session in JDBC store without using external infinispan cluster storage
#11668 Declarative User Profile: weird behaviour in Account Management Console user-profile
#12406 Remove "You are already logged-in" during authentication authentication
#14009 CreatedTimestamp on REST import not used
#14165 Cannot refresh RPT tokens authorization-services
#14400 Add proxy options to Keycloak CR operator
#15018 Enhancements around proxy and hostname configuration
#15072 Allow setting a help text to an attribute user-profile
#15109 Refactor patch-sources.sh used by the Operator operator
#17258 Data too long for column 'DETAILS_JSON' storage
#20343 message bundles are not included in the realm export import-export
#20584 FAPI 2.0 security profile - supporting RFC 9207 OAuth 2.0 Authorization Server Issuer Identification
#20695 Add support for single-tenant in Microsoft Identity Provider
#20794 Can we simplify TokenManager.getRefreshExpiration() and TokenManager.getOfflineExpiration()? oidc
#20884 [Admin Console v2] Policy creation at Permissions screen missing admin/ui
#21073 Identity providers: pagination in admin REST API
#21154 Allow existing mappers for Custom Identity Providers identity-brokering
#21181 Add FAPI 2.0 security profile as default profile of client policies
#21182 Enhancing Pluggable Features of Token Manager
#21183 More flexibility for Introspection endpoint oidc
#21200 DPoP support 1st phase
#21444 Set `client_id` when using `private_key_jwt` with OIDC IdP identity-brokering
#21945 Release notes for FAPI 2
#22034 Keycloak, javascript lib to not use the escape() function adapter/javascript
#22215 DPoP verification in UserInfo endpoint oidc
#22318 Allow overriding Account Console resources for full control and backwards compatibility
#22372 Expand Group providers to allow for paginated lookup of subgroups storage
#22725 Do not initialize barrier build items for deployment dist/quarkus
#22868 Clarification on the tooltip of option "Validate Password Policy" of LDAP provider admin/ui
#23194 Add regex support in 'Condition - User attribute' execution authentication
#23340 Implement load shedding for RESTEasy reactive
#23527 Better usability when disabling user profile and loosing the previous cofiguration user-profile
#23891 Add feature flag for OAuth 2.0 device authorization grant flow oidc
#24024 User profile tweaks in registration forms user-profile
#24072 Lots of parameters related to identity brokering uses `providerId` when they expect `providerAlias` identity-brokering
#24273 Add a property to the User Profile Email Validator for max length of the local part user-profile
#24278 Transient users: documentation core
#24387 Move some UserProfile and Validation classes into keycloak-server-spi user-profile
#24494 Transient users: Consents core
#24535 Moving UPConfig and related classes from keycloak-services user-profile
#24844 Add High Availability Guide to Keycloak's main repository
#24912 Add Galleon layer metadata to the SAML Galleon feature-pack adapter/jee-saml

Bugs

#468 Cant build it quickstarts
#503 Automate Keycloak version replacement quickstarts
#508 set-version script does not update package(-lock).json files in js and nodejs quickstarts quickstarts
#515 [Keycloak Quickstarts CI failure] loginToAdminConsole method fails in ArquillianSysoutEventListenerProviderTest.testEventListenerOutput due to Unable to locate element: {"method":"css selector","selector":"#username"} exception quickstarts
#8939 PAR fails to authenticate for public client oidc
#9004 Access Token claims not imported using OpenID Connect v1.0 Identity Provider Attribute Importer Mappers oidc
#10710 Rollup.js complains about the use of eval in one of keycloak.js's dependencies adapter/javascript
#11699 Under heavy load, DefaultBruteForceProtector blocks the whole system authentication
#12062 Declarative User Profile export user-profile
#12171 Inconsistent authorization behavior when exporting data from a realm authorization-services
#14134 [keycloak 18] cannot import users with correct ID in partial import admin/api
#16379 Inconsistent handling of parenthesis in auth flow name admin/api
#16526 Token introspection response does not follow RFC6479 "scope" parameter format oidc
#19093 The create new user page requires the admin user to be given the "Manage-Realm" role in order to see the user profile attributes in the create new user page admin/api
#19125 kcadm do not update defaultGroups docs
#19154 Non working API docs link docs
#19555 When update-email feature is enabled, changing emails two times in a row causes unintuitive behaviour authentication
#20135 Searching for multiple types in the Events section gives an error admin/client-js
#20218 Role mappers must return a single value when they are not multivalued oidc
#20316 Email pattern is not compliant account/api
#20453 Admin UI incredibly slow with 300 realms admin/api
#20537 [Declarative User Profile] OIDCAttributeMapperHelper throws NumberFormatException for optional user attributes user-profile
#20763 Flaky test: org.keycloak.testsuite.admin.authentication.FlowTest#testAddRemoveFlow ci
#20830 Token-exchange is not working for OpenID Connect v1.0 provider in KC 21.1.1 token-exchange
#20852 [Declarative User Profile] Attributes are created as required by default but switch is set to "not required" user-profile
#20885 Key length is limited to 4000 characters storage
#21010 Cannot display 'Authentication Flows' screen when a realm contains more than ~4000 clients storage
#21123 NPE in getDefaultRequiredActionCaseInsensitively admin/api
#21236 Keycloak Event clientId is null when ever a logout event is fired. core
#21555 Listing realms due to realm drop-down admin/ui
#21660 Wrong convert timestamp to date account/ui
#21779 Flaky test: org.keycloak.testsuite.script.DeployedScriptAuthenticatorTest#loginShouldWorkWithScriptAuthenticator authentication
#21780 Flaky test: org.keycloak.testsuite.script.DeployedScriptAuthenticatorTest#loginShouldFailWithScriptAuthenticator authentication
#21797 DN with RDN that contains trailing backslash is imported incorrectly into Keycloak ldap
#21805 Missing labels account console account/ui
#21818 DN with RDN that contains trailing space is imported incorrectly into Keycloak ldap
#21830 Operator doesn't pass on system property 'jgroups.dns.query' to Keycloak but an env variable, leading to a warning in the log operator
#22143 WatchedSecretsTest.testSecretChangesArePropagated error in OCP ci
#22177 Missing client_id validation match when authenticating client with JWT
#22191 Verification of iss at refresh token request oidc
#22332 Selecting resource on resource based permission gives error admin/ui
#22337 kc.sh errors if using characters like semicolon inside the arguments docs
#22375 Possible NullPointerException core
#22395 Email sending fails when SPI truststore is configured and hostnameVerification set to 'ANY' core
#22432 inputOptionLabels is not used by Admin UI admin/ui
#22583 Fine grained permissions not rendering account/ui
#22638 SAML AdvancedAttributeToRoleMapper does not allow predicate evaluation on same Array Attribute saml
#22814 user search with "q" parameter ignores keys of length 1 and returns all users admin/api
#22818 inputOptionLabels is not used by Account UI v3 account/ui
#22890 Keycloak 22.0.1: NPE in Edit Identity Provider Mapper on second Save admin/api
#22937 ProviderConfigProperty.MULTIVALUED_LIST_TYPE not working in FormAction admin/ui
#22988 Cache stampede after realm cache invalidation infinispan
#23044 Docs: server_admin/topics/sessions/transient.adoc authentication
#23128 Regex defect in federation script federation-sssd-setup.sh dist/quarkus
#23173 crypto/elytron package has several bugs core
#23180 TypeError in user profile admin-ui admin/ui
#23253 CLI args not recognized when running Quarkus dev mode dist/quarkus
#23255 Several help text messages missing in saml identity provider admin/ui
#23404 Cannot assign client roles to a user when a realm contains more than ~4000 clients storage
#23444 After the recent switch to resteasy-reactive we are unable to use resteasy-classic or jersey jax-rs clients. dependencies
#23582 Join group screen does not show child groups without filters admin/ui
#23616 invalid tag in .ftl file user-profile
#23692 Genetated access token exception then $ sign in client name core
#23733 OpenAPI spec doesn't match the admin API admin/api
#23753 Insufficient guard against path traversal GzipResourceEncodingProvider core
#23789 Can not create attribute group before setting/removing an annotation user-profile
#23795 Spelling errors in TokenManager.java oidc
#23970 Keycloak does not export/import userprofile data when exporting the realm user-profile
#24032 Group attributes are not saved if there are two attributes with the same key admin/ui
#24035 Admin UI: Group details page is not updated by group list dropdown actions admin/ui
#24067 Duplicate attribute groups show in list in UserProfile in admin ui admin/ui
#24077 Internal server error when no firstName and lastName added on the user with User Profile Disabled and Verify Profile Enabled user-profile
#24096 Document or avoid breaking change in UserSessionModel core
#24160 HTTP/2 - Last parameter of POST form data contains 0x00 byte in some configurations. core
#24183 Username now shown when creating a user and edit username is not allowed user-profile
#24187 Admin UI group view shows attributes of previously viewed group admin/ui
#24293 b.map is not a function error when LDAP server is offline core
#24420 User profile behaves different in keycloak 22.0.5 user-profile
#24453 Email-verified checkbox not visible anymore when user profile is enabled admin/ui
#24455 NPE when logging in with TransientUser storage
#24458 Unfriendly error message when user-storage provider not available admin/ui
#24487 show/hide password in clear text button visible for hiden field in "forgot password" flow login/ui
#24547 DPoP advertised on OIDC Well Known Endpoint even though DPoP feature is not enabled (preview feature) oidc
#24551 the `./kc.sh tools completion` command cannot be recognized correctly admin/cli
#24672 Basic auth is not RFC 2617 compliant authentication
#24697 User cannot update profile when some invalid attribute invisible to him is present on his profile user-profile
#24766 non-functioning session persistence when using JDBC over Infinispan infinispan
#24792 Invalid redirect_uri if it contains uppercase letters authentication
#24970 `jwt-decode` is being bundled into Keycloak JS admin/client-js