Keycloak 26.5.0 released

Highlights

This release features new capabilities for users and administrators of Keycloak. The highlights of this release are:

Workflows to automate administrative tasks and process within a realm.
JWT Authorization Grants, our recommended alternative to external to internal token exchange.
Guide for using Keycloak as an authorization server for Model Context Protocol (MCP) servers.
Authenticating clients with Kubernetes service account tokens to avoid static client secrets.
OpenTelemetry support for metrics and logging, combining all observability information in this popular standard.

Read on to learn more about each new feature. If you are upgrading from a previous release, review also the changes listed in the upgrading guide.

Security and Standards

JWT Authorization Grant (preview)

Keycloak 26.5 introduces a new feature called JWT Authorization Grant, which adds support for RFC 7523 to use external signed JWT assertions to request OAuth 2.0 access tokens.

To accept signed JWT assertions, a trust relationship must be established between the external provider and Keycloak. This trust relationship can be configured through an identity provider in a dedicated section of the OpenID Connect v1.0 identity provider, or through the new JWT Authorization Grant identity provider.

JWT Authorization Grant is recommended as an alternative to External to internal token exchange V1. This feature is in preview, and additional details are available in the dedicated documentation.

Using Keycloak as an authorization server for Model Context Protocol (MCP) servers

Using Keycloak as an authorization server for Model Context Protocol (MCP) servers is becoming popular, so this release ships additional documentation on how to do this.

See Integrating with Model Context Protocol (MCP) for the new guide.

Many thanks to Takashi Norimatsu for the contribution.

CORS enhancements

CORS (Cross Origin Resource Sharing) is a browser security feature that controls how web pages on one domain can request resources from a different domain.

For the OpenID Connect Dynamic Client Registration, you can now specify which CORS headers are allowed via the client registration access policies.

For the overall CORS configuration, you can now allow environment specific headers to be allowed using the SPI option spi-cors--default--allowed-headers.

Logout confirmation page

The client logout configuration now includes an option to show a logout confirmation page. When enabled, users will see a “You are logged out” confirmation page upon successful logout.

Many thanks to Sebastian Łaskawiec for the contribution.

Hiding OpenID Connect scopes from the discovery endpoint

Previously, all scopes of an OpenID Connect client were advertised in the discovery endpoint.

In some situation you might want to avoid it, as the calling client, for example, an MCP server might not support it, or you might want to hide some scopes for preventing their discovery via public APIs.

You can now prevent this by disabling Include in OpenID Provider Metadata.

Administration

Workflows (preview)

Keycloak introduces a new preview feature called Workflows, which allows administrators to automate administrative tasks and process within a realm, introducing a key capability for Identity Governance and Administration (IGA).

For more details, see the Server Administration Guide.

Federated client authentication (preview)

Federated client authentication remains preview due to receiving a number of enhancements and fixes.

There is now preview support to use Kubernetes service accounts tokens as credentials for clients, which avoids static secrets for OpenID Connect clients.

See Kubernetes identity providers in the Server Administration Guide for details.

Organization invitation management

Organization administrators can now manage organization invitations through both the Admin Console and REST API:

View all sent invitations with their current status (Pending, Expired)
Resend pending invitations to recipients
Delete invitation records from the system
Filter invitations by status for easier management

All invitations are now persistently stored in the database, providing better tracking and management capabilities.

The invitation management features are available in the Invitations tab when managing an organization in the Admin Console, and through the Organizations REST API endpoints under /admin/realms/{realm}/orgs/{orgId}/invitations.

New event `USER_SESSION_DELETED`

For each expired user session there is a new user event USER_SESSION_DELETED fired. This event is published approximately 3-10 minutes after the session has expired depending on job scheduling and load on the system. By default, this event is not persisted.

Configuring and Running

Containers for PowerPC 64-bit Little Endian architecture

The containers for both the Keycloak and its operator are not available as well for the PowerPC 64-bit Little Endian (ppc64le) architecture. This is in addition to the existing amd64 and arm64.

We expect this to allow users to optimize their usage of open hardware and power consumption.

Improved server response times

Authentication, user, and client sessions are now created on the respective Keycloak node and avoid extra remote calls to neighbors when reading or writing them to the embedded caches. When you have sticky sessions enabled in your loadbalancer, you will benefit from this feature automatically, and you should see reduced response times when authenticating users.

Expired user sessions are now deleted from the database in small batches, instead of issuing a delete statements that affects the whole table. This should allow for better response times when there are a lot of sessions in the table.

Enhanced HTTP performance (preview)

You can now enable a more efficient way to handle JSON data in the HTTP layer. This change increases throughput by ~5%, stabilizes response times, and reduces system resource usage.

In order to apply it, you need to explicitly enable the feature http-optimized-serializers.

Note	This feature is preview. We gather more feedback about potential issues in this discussion. We appreciate any feedback.

For more details, see the Configuring Keycloak for production guide.

Configure retry behavior for outgoing HTTP requests

Keycloak has now more flexibility how to configure retrying of outgoing HTTP requests. This is useful for handling transient network errors or temporary unavailability of the service where Keycloak needs to send HTTP request. Retry behavior is disabled by default and must be explicitly enabled. More details are available in the Outgoing HTTP requests documentation.

Many thanks to Chance Coleman for the contribution.

Enable/disable features via a single option

You can now enable or disable individual features using the feature-<name> option (like feature-spiffe=enabled).

This provides a more fine-grained way to manage features and eliminates the need to maintain long lists of enabled or disabled features.

The feature-<name> option takes precedence over both features and features-disabled.

For more details, see the Enabling and disabling features guide.

Client certificate lookup compliant with RFC 9440

You can now use a new client certificate lookup provider that is compliant with RFC 9440. This enables native support e.g. for Caddy and other reverse proxies that follow the RFC. For details, navigate to Enabling Client Certificate Lookup section of the documentation.

Running Keycloak as a Windows service

Keycloak can now be installed and run as a Windows service using Apache Commons Daemon (Procrun). The new tools windows-service CLI subcommand simplifies service installation and uninstallation.

The service runs kc.bat start as an external process, ensuring all environment variables and configuration files are respected. This provides seamless integration with the Windows Services management console and enables automatic startup on system boot without requiring a user to be logged on.

For more information, see the Running Keycloak as a Windows Service guide.

Observability

OpenTelemetry enhancements

OpenTelemetry Logs (preview)

Keycloak now supports exporting logs to OpenTelemetry collectors, enabling centralized log management. This preview feature allows you to export Keycloak logs to any OpenTelemetry-compatible backend and use the same OpenTelemetry collector for logs, metrics and traces.

For more details, see the Centralize your observability stack with OpenTelemetry guide.

OpenTelemetry Metrics (experimental)

Keycloak now provides the experimental support for exporting metrics to OpenTelemetry collectors by using the Micrometer-to-OpenTelemetry bridge. This experimental feature allows you to export Keycloak metrics to any OpenTelemetry-compatible backend and use the same OpenTelemetry collector for logs, metrics and traces.

For more details, see the Centralize your observability stack with OpenTelemetry guide.

Export traces with custom request headers

It is now possible to set request headers for exporting traces via OpenTelemetry Protocol (OTLP). It is mainly useful for providing tokens in the request.

You can specify these headers via the tracing-header-<header> wildcard option, accepting any custom header name.

For more details, see the Root cause analysis with tracing guide.

MDC Logging feature (supported)

The log-mdc:v1 feature has been promoted from a preview feature to a supported feature.

MDC enables Keycloak to enrich log entries with contextual information such as realm, client, user ID and IP address, significantly improving debugging and observability.

For more details, see the Adding context for log messages guide.

All resolved issues

Deprecated features

#44121 Deprecate Fine-Grained Admin Permissions v1 admin/fine-grained-permissions

Removed features

#42905 Remove PostgreSQL 13.x support

New features

#20761 Support Caddy as a Reverse Proxy Provider for Client Certificate Authentication core

#37704 Support for running Keycloak as a Windows Service

#38809 Feature Request: Track Pending Organization Invitations in Keycloak Admin Console

#39221 Admin API v2: Blueprint

#41261 OpenTelemetry Support observability

#42482 Possibility to backchannel logout the clients belonging to a specific user session

#42912 Containers for ppc64le

#43020 Secure Client-Initiated Renegotiation - disable by default dist/quarkus

#43106 Expose scheduled tasks and start time

#44312 Add support to use `kcw` with remote test server test-framework

#44458 Expose a configuration option to always display a logout confirmation screen

Enhancements

#8863 Add CORS support to OIDC dynamic client registration endpoints

#10388 Allow to hide client scopes from scopes_supported in discovery endpoint

#12682 Allow CORS Access-Control-Allow-Headers customization core

#14509 Allow configuration for SMTP timeouts via configuration

#15502 Ability to remove offline_access tokens from the Account Management client and/or Admin interface core

#17268 [KC 20+] Obsolete/wrong documentation about service accounts?

#22938 Fine-grained admin permission client manage does not work for an Authorization enabled client admin/fine-grained-permissions

#33009 Delete Client and role's admin event doesn't have representation while other delete entities have the representation admin/ui

#33146 Prevent users configuring max-count=-1 for caches with a default upper-bound infinispan

#35836 SMTP Timeout Override

#38843 Set `automountServiceAccountToken: false` on Keycloak pods operator

#39881 Picture of the token-exchange flow in the documentation docs

#40799 Provide a way to add custom labels to Realm Import job of Keycloak operator

#41006 [OTel] Micrometer to OpenTelemetry bridge support for metrics observability

#41007 Including OTLP headers for authorization

#41019 Validate client session session timeout and lifetime settings on edit authentication

#41205 Make MDC logging supported

#41263 [OTel] Provide general options for telemetry settings observability

#41264 [OTel] Introduce preview support for OpenTelemetry Logs observability

#41425 Add more fields to the Welcome Page

#42124 Add operation to cancel a workflow execution for a resource

#42223 Create a LocalCacheProvider SPI

#42386 [RLM] Review the action execution thread model

#42401 Add configurable retry logic for OCSP certificate validation checks core

#42445 Default to log color enabled

#42446 Make picocli auto color match the quarkus logic

#42618 [RLM] - Allow updating workflow conditions

#42644 No longer able to set a Keycloak Admin Client timeout admin/client-js

#42687 [RLM] - Ability to define workflows with YAML

#42694 Workflows: review test coverage workflows

#42695 Workflows: Add OpenAPI annotations to all API methods

#42696 [RLM] Review implemented conditions and add toPredicate implementation

#42704 SELECT COUNT(*) FROM called multiple times for an index creation core

#42715 incorrect flow with login_hint specified for user in org email domain organizations

#42776 Session cache affinity

#42835 Make API endpoint linkable in documentation docs

#42910 [RLM] - Restarting a workflow for a resource based on the step chain workflows

#42911 [RLM] - Canceling workflows for a given resources when a new event is triggered

#42913 [RLM] - Allow using time-based tokens when setting fields that expect a period or time

#42917 Chore: Add missing translations for Korean (ko)

#42945 [PERF] Jackson reflection-free serialization/deserialization dist/quarkus

#42961 [RLM] - Cache expressions using as a component note

#42990 Hide read-only email attribute in update profile context with update email enabled user-profile

#42991 Final review and update for UPDATE_EMAIL documentation docs

#43015 Log FIPS provider using info debug level

#43076 Add rate limiter for sending verification emails in context of update email

#43125 Divide logging guide to sub-guides for every log handler observability

#43137 [RLM] Review naming of events to be in the past tense workflows

#43156 [Docs] Warn users about printing headers in HTTP access logs docs

#43183 Relax CORS policy on credential offer endpoint

#43214 [OID4VC] Ensure authorization_details from PAR requests are properly returned in token responses for conformace tests oid4vc

#43256 Expiry event for user sessions and timely DB removal of sessions

#43351 Make pending email verification attribute removable by admin user-profile

#43357 JDBC_PING should publish its physical address on startup

#43360 Add the user session in the session context when it is validated or created

#43362 Reduce the number entity manager flushes when creating a realm

#43365 When reading events for the database, read them read-only

#43421 All config formatting for list options could be improved

#43450 Workflows UI needs to implement authorization admin/ui

#43456 Run time comparisons in SD-JWT and SD-JWT VP verification with account of possible clock skew

#43466 Picocli refinements

#43509 Role authorization for workflows. admin/api

#43512 Export default routes from npm UI packages

#43536 Remove need to specify workflow condition parameter in double quotes workflows

#43537 Fix inconsistencies in workflow condition evaluation workflows

#43538 Ensure delete-user step doesn't trigger removal of federated user from federation provider workflows

#43541 Ability to enable/disable feature via single property

#43559 Add validation for Workflwow, Condition and Steps fields workflows

#43604 Warn or error on duplicate options dist/quarkus

#43611 Allow non-optimized start to run without a separate vm launch

#43643 Upgrade to Quarkus 3.27.1 dist/quarkus

#43650 SPIFFE should support OIDC JWK endpoint

#43660 Add operation to retrieve the workflows that are currently active for a resource workflows

#43661 Allow groups to be referenced by path in workflow conditions workflows

#43665 Workflows UI must allow for definition of workflows using YAML admin/ui

#43666 Admin client should be able to handle YAML payloads for workflows workflows

#43694 Avoid using UserCredentialManager from user storage extensions

#43715 Provide a way to evaluate event properties when matching events to workflows workflows

#43777 Add missing secret warning status

#43801 [OID4VCI] Handling KeyAttestationRequired properly oid4vc

#43802 Add autofocus property to "Sign in with passkey" button in keycloak.v2 login theme.

#43843 [Login UI v2] Configurable Password Visibility-Toggle Icons

#43912 Store workflows YAML definition as a blob workflows

#43931 Downscoping for standard token exchange token-exchange/standard

#44005 Improve error message for the HTTPS material loading observability

#44164 Add pagination and search by name capabilities to the workflows endpoint workflows

#44183 Allow UI to retrieve Workflow definitions without their ids workflows

#44266 Provide additional benchmarks for more than 100k users

#44274 Keycloak compatibility with PostgreSQL 18

#44296 Avoid un-escaped strings in the login templates for HTML entities login/ui

#44396 Ignore null values when serializing workflows using YAML workflows

#44494 Support EDB 18

#44500 HttpClient provider should allow connectionRequestTimeout to be settable

#44518 Disable state transfer for session caches when persistent sessions are enabled

#44548 Add MariaDB to MySQL description and specify SQL to support UTF-8

#44571 MCP Documentation for 26.5

#44611 Document recommended transaction isolation level for MS SQL in guides and warn if wrong level is detected on startup

#44621 [OID4VCI] Realign naming of attribute configuring algorithms for credential signing oid4vc

#44634 Enhance health check docs

#44645 Improve workflow concurrency settings to allow cancelling a workflow based on an event workflows

#44708 Improvements to the notify step workflows

#44736 Fix OID4VCI Wallet Interoperability Issues (Draft 15 Compatibility & Metadata Compliance) oid4vc

#44753 Avoid using HTML in backend messages in the login theme

#44787 Avoid flushing user information in batch mode

#44789 Allow restarting the step chain at a specific position workflows

#44801 Infinispan: LoginFailures entries should expire

#44842 Publish an event for logging out a single session or all sessions or all sessions via the Account Console events

#44843 Publish an event when the UserSessionLImitsAuthenticator terminates an older session events

#44865 Allow running scheduled workflows workflows

#44890 Update the Quarkus README for better clarity

#44910 Validate client session timeout and lifetime settings on realm settings edit

#44915 Add Basque (eu) translation support for Keycloak UI

#44936 Support running test methods on the server side

#45070 ServiceMonitor is not created by keycloak operator docs

Bugs

#26374 Workflow failure: Quarkus IT - FipsDistTest#testUnsupportedHttpsPkcs12KeyStoreInStrictMode ci

#30939 Vulnerability in brute force detection settings authentication

#31401 Kcadm.sh: (Better) Error messages on 302 redirect responses

#34868 [Jenkins Operator CI] - Test remote - ClusteringTest on OpenShift ci

#38438 Avoid 'duplicated mappers' Quarkus message for kc.dir dist/quarkus

#38506 keycloak-test-framework-bom manages more dependencies than intended test-framework

#38991 [Test framework] Embedded server -> dependency download error when no version is specified test-framework

#39660 Failed shouldPreventPathFileSeparatorInVaultSecretId test on Windows testsuite

#40058 [FGAP] Make additional rest endpoints respect permissions admin/fine-grained-permissions

#40712 Authorization -> Evaluate: always returns "No search results" authorization-services

#40756 Wrong dependency registering in the testsuite testsuite

#40965 Group permission denies to view user admin/fine-grained-permissions

#40990 Fallback to English translations for unknown locale despite German being the realm default translations

#41270 Cannot save new attribute group admin/ui

#41271 Changing user profile attribute results in an error everytime admin/ui

#41292 openid-connect flow is missing response type on language change authentication

#42000 Incorrect logic of getArray() in ComponentModelScope core

#42166 [Keycloak CI - Store MSSQL] GroupTest.createMultiDeleteMultiReadMulti:157 testsuite

#42225 Slow initial GET /admin/realms/{realm}/users with cache enabled and large max parameter admin/api

#42470 UserStorageProviderModel parameter in ImportSynchronization.sync() method contains stale configuration data core

#42541 Searching by non-searchable attributes returns all clients core

#42552 Missing license field and miscellaneous fields in NPM packages admin/ui

#42565 Standard Token Exchange: chain of exchanges eventually fails token-exchange

#42588 Key Type is not EC: ECDSA oidc

#42601 Flaky test: org.keycloak.testsuite.broker.KcOidcBrokerTest#testPostBrokerLoginFlowWithOTP ci

#42676 Security Defenses realm settings lost when switching between Headers and Brute Force Detection tabs (v25+) admin/ui

#42794 [Windows] Make TrustedHostClientRegistrationPolicyTest Robust to Canonical Hostname localhost testsuite

#42795 [Windows] Stabilize ResourceLoaderTest testsuite

#42851 Group description missing on partial import import-export

#42907 Race condition in authorization service leads to NullPointerException when evaluating permissions during concurrent resource deletion authorization-services

#42914 Make sure TestEventsListenerProvider does not reuse the events in memory testsuite

#42960 KC_VERBOSE is not honored for a fast start dist/quarkus

#42971 create clients without required value admin/ui

#43022 Incorrect Basic Auth encoding for OIDC IDentity Provider when Client ID contains colon identity-brokering

#43034 Saving Client “Advanced” sets Request Object signature/encryption attributes to “any” even when not changed oidc

#43042 Avoid NPE in FederatedJWTClientAuthenticator when checking for supported assertion types core

#43061 Option description stuck with link admin/ui

#43070 Update email page with pending verification email messages prefilled with old email user-profile

#43080 Fix punctuation for deleteConfirmGroup_one message admin/ui

#43082 ExternalLinksTest is broken due to missing path parameters docs

#43084 Fix anchors in the documentation docs

#43087 "Service accounts roles" should be "Service account roles" translations

#43091 Duplicate Email Fields on Temporarily Locked Out Sign In With Organization Identity-First Login login/ui

#43096 keycloak-operator 26.4.0 missing clusterrole permissions docs

#43104 Release notes fix for update email docs

#43160 Regression in DEBUG_PORT handling since 26.4.0 – host binding (*:port / 0.0.0.0:port) no longer works dist/quarkus

#43161 Restarting an user session broken for persistent sessions infinispan

#43164 Keycloak docs state that only TLSv1.3 is used docs

#43166 Backend url misses the path with reverse proxy admin/api

#43191 Upgrade guide for 26.4.0 should mention new minimal PostgreSQL server version 13 requirement docs

#43195 Field "Created at" shows "Invalid Date" when created through KeycloakRealmImport

#43202 IntComponent doesn't show if a field is required admin/ui

#43212 Document missing artifact dependency for UserStoragePrivateUtil docs

#43218 Cannot revoke access token generated by Standard Token Exchange oidc

#43244 UI crash on admin `/users/add-user` since 26.4.0 admin/ui

#43254 Make sure username and email attributes are lower cased when fetching their values from LDAP object ldap

#43262 XPathAttributeMapperTest fails on Ubuntu with OpenJDK 17 saml

#43263 FIPS1402JWKTest and FIPS1402SecureRandomTest fails on Ubuntu with OpenJDK 25 oidc

#43264 SdJwtTest and UndisclosedClaimTest fails on Windows with OpenJDK 17

#43269 Keycloak 26.4 returns a different error response on a token request without Client Assertion (private_key_jwt client authentication) from Keycloak 26.3 does oidc

#43270 Keycloak 26.4 returns a different error response on a CIBA backchannel authentication request without Client Assertion (private_key_jwt client authentication) from Keycloak 26.3 does oidc

#43286 Broken links on DB server configuration guide docs

#43304 SAML Client - Encrypt assertions toggle shows wrong dialog text (Client signature required) saml

#43323 Sessions not removed when user is deleted infinispan

#43328 "Remember me" user sessions remain valid after "remember me" realm setting is disabled authentication

#43331 NullPointerException when disabling Admin Permissions (FGAP) in Realm - GET /users returns 500 admin/fine-grained-permissions

#43335 First JDBC_PING initialization happens in the JTA transaction context infinispan

#43349 Client session may be lost during session restart infinispan

#43394 SPIFFE client authentication does not work when JWT SVID includes `iss` claim

#43417 Spotless fails on `main` ci

#43447 [quarkus-next] DatasourcesConfigurationTest fails dist/quarkus

#43459 Invalid YAML in advanced Operator configurations docs

#43460 FGAP/UI: `reset-password` succeeds but UI shows 403 without Users:manage admin/fine-grained-permissions

#43477 Flaky test: org.keycloak.testsuite.webauthn.account.WebAuthnSigningInTest#setUpLinksTest ci

#43505 DPoP proof replay check doesn't consider clock skew oidc

#43515 Social provider icons not displayed when alias differs from provider type login/ui

#43516 Deleting Client is slow and fails when a lot of client sessions exist core

#43523 [Keycloak JavaScript CI] - Admin UI E2E (chromium) ci

#43532 kcadm.ssh config credentials fails when there is a % in the client secret admin/cli

#43544 Intra-document links not rendered in downstream docs

#43547 Unrecognized field "kty" (class org.keycloak.jose.jwk.JSONWebKeySet), not marked as ignorable (one known property: "keys"]) oidc

#43561 Server does not shutdown gracefully when started with --optimized core

#43564 Invalid liquibase check sum for jpa-changelog-2.5.0.xml core

#43578 "admin" client role now requires server admin user admin/api

#43579 403 Forbidden when assigning realm-management client roles with realm-admin despite FGAP disabled (regression in 26.4.0+) admin/fine-grained-permissions

#43596 FGAP: user can no longer open account management page, broken by `reset-password` admin/fine-grained-permissions

#43621 Version 26.4.1 breaks existing ldap users with capital letters in username ldap

#43637 Flaky test: org.keycloak.testsuite.broker.KcOidcBrokerTest#loginWithExistingUserWithBruteForceEnabled ci

#43639 Local user can't login when ldap error ldap

#43674 Setting "Backchannel logout session required" displayed incorrectly admin/ui

#43682 When syncing roles, the database layer can see deadlocks

#43687 H2 database URL augmentation does not consider db-url-properties dist/quarkus

#43698 Role Mapper is updating the user every time on login identity-brokering

#43713 Flaky test: org.keycloak.testsuite.oauth.ClientAuthSignedJWTTest#testClientWithGeneratedKeysJKS ci

#43717 Unused message properties for the LDAP mappers admin/ui

#43718 Email Not Persisted During Registration When "Email as Username" is Enabled and User Edit Permission is Disabled user-profile

#43720 Wrongly spelled LDAP edit mode in the docs ldap

#43723 Only add the none verifier when attestation conveyance preference is none (or default) authentication/webauthn

#43734 Refresh token allowed for offline session even the related scope is removed

#43736 FGAP V2: reset-password scope error when viewing users with Group permissions only core

#43738 UPDATE_EMAIL action invalidates old email login/ui

#43744 Increased memory usage due to leaking KeycloakSession instances admin/api

#43752 LDAP synchronization happens too often in a cluster and always clears the cache ldap

#43754 Flaky test: org.keycloak.testsuite.federation.ldap.LDAPProvidersIntegrationTest#updateLDAPUsernameTest ci

#43755 Flaky test: org.keycloak.testsuite.account.AccountRestServiceTest#listApplicationsWithoutPermission ci

#43759 QuarkusKeycloakSession not garbage collected when running Liquibase dist/quarkus

#43761 QuarkusKeycloakSession kept in memory for each timer core

#43763 Normalizing of Keycloak URLs not documented dist/quarkus

#43774 Under OLMv1 service monitor check uses wrong namespace operator

#43785 QuarkusKeycloakSession leak in DeclarativeUserProfileProvider user-profile

#43793 import does not seem to run db migration import-export

#43812 Admin console sends non-JSON payload with content-type: application/json admin/ui

#43818 typos in Docs: server_admin/topics/sso-protocols/con-oidc-auth-flows.adoc oidc

#43819 partial import fails to overwrite existing groups import-export

#43832 Cannot issue vc of type oid4vc_natural_person oid4vc

#43835 useHash hook does not correctly extract hash from pushState URL admin/ui

#43845 [quarkus-next] Removed exception escaped OTel attribute dist/quarkus

#43853 Ensure the logout endpoint removes the authentication session oidc

#43863 JS CI failing after normalization testsuite

#43867 JS Policy is used in the "Default Policy" for Authorization authorization-services

#43883 Creating group policy on a client uses "manage-clients" role if FGAP V1 is disabled authorization-services

#43886 Flaky test: org.keycloak.testsuite.model.session.UserSessionProviderOfflineModelTest#testLoadUserSessionsWithNotDeletedOfflineClientSessions ci

#43933 AUTH_SESSION_ID cookie has the incorrect route core

#43948 Adding a client mapper stays on creation screen, with error on second save admin/ui

#43973 Flaky test: org.keycloak.testsuite.broker.KcOidcBrokerTest#testPostBrokerLoginFlowWithOTP ci

#43993 MessageFormatterMethod does not detect/map SimpleNumber causing IllegalArgumentException login/ui

#44010 Ordering attributes will unset the unmanaged attribute policy user-profile

#44031 Can't build keycloak 26.4.4 with quarkus.launch.rebuild=true dist/quarkus

#44056 Allow only normalized URLs in requests caused a regression in view authz permission details in Admin Consol admin/ui

#44057 Retrieving row count to evaluate index creation takes a long time on PostgreSQL and big tables core

#44113 Missing message properties when redenring pages for organization invites organizations

#44116 [OID4VCI] Credential Offer must be created by Issuer not Holder oid4vc

#44117 DockerClientTest failure testsuite

#44125 Double-encoding of query parameter values (e.g. acr_values) for version 26.4 identity-brokering

#44127 [Test Framework] Distribution server - logger output exception test-framework

#44156 [BUG] 'master' realm lockout due to NullPointerException when "Conditional 2FA" is moved before "Username Password Form" authentication/webauthn

#44163 Disabling/enabling workflows result in validation errors and the name is missing from representation core

#44179 Test failure in operator KeycloakIngressTest.testIngressTLSTermination operator

#44187 [Keycloak Docs CI] Broken links docs

#44189 [jdbc-ping] SQLIntegrityConstraintViolationException: Duplicate entry infinispan

#44217 OIDC identity provider should allow to setup JWKS URL (or hardcoded keys) when JWT authorization grant enabled identity-brokering

#44229 Unexpected FORMAT_FAILURE error when using cache-config-file with feature-disabled=persistent-user-sessions infinispan

#44246 Inconsistent formatting or RFC references docs

#44256 [OID4VCI] JWT VC Issuer Metadata well-known endpoint should be available at /.well-known/jwt-vc-issuer/realms/{realm} oid4vc

#44257 OIDC Dynamic Client Registration update problem when Service Account was enabled/ disabled oidc

#44268 Tests for Admin Client fail testsuite

#44269 Admin Client creates malformed paths for requests admin/client-js

#44278 Stack trace in browser console when updating password admin/ui

#44280 Unsupported Pod template can cause AUTO logic to keep StatefulSet at 0 replicas operator

#44287 Caching of static theme resources in dev mode is disabled core

#44289 Failure when decrypting SAML Assertions with HSM provided key saml

#44329 View-Group Permission shows Users in User-List admin/fine-grained-permissions

#44341 Grammar error in LDAP federation group mapper ldap

#44342 Logical error in Danish email verification message - tells users to ignore if they DID create account translations

#44349 Upgrade with Mysql and migration-strategy=manual when db user has non alter table permissions core

#44377 Unlocalized date format in (email messages) translations

#44387 Description of Passkey is not escaped on the login screen login/ui

#44398 Delete user step in workflows is not removing other scheduled steps the user might have workflows

#44399 Workflows are restarting on any event instead of the one that activates it workflows

#44400 Removing a user's group is not activating workflows that use the user-group-membership-removed event workflows

#44419 Compilation failure in OID4VCTimeNormalizationSdJwtTest

#44430 NPE when importing SAML EntityDescriptor without SPSSODescriptor saml

#44438 Intermittent ConcurrentModificationException during SAML initialization causing status code 400 for clients saml

#44455 ClassCastException on mixing AddressMapper with ClaimMapper oidc

#44480 Wrong persistent group permissions when multiple group membership changes happen in the same request core

#44522 The existence of an organization attribute called “id” is not validated organizations

#44540 [admin-api-v2] Create client does not return 201 status code admin/api

#44543 Missing Romanian locale from Supported locales translations

#44552 Manual sync not executed because of the last sync time ldap

#44558 LDAP group mapper executed multiple times in the same request ldap

#44577 Remote Infinispan should return count per client only for the current realm infinispan

#44586 [admin-api-v2] Incorrect DTO/DAO mapping admin/api

#44606 Unhandled error caused by unknown SAML tag during XML parsing saml

#44626 Compilation failure in JWTAuthorizationGrantJWTClaimsClientPoliciesTest authentication

#44642 Credential offer endpoint has parameter user_id, but expects username oid4vc

#44661 Moved link in developer.mozilla.org docs

#44700 ModelTests are broken after consolidating config logic testsuite

#44702 Alias in JWT Authorization Grant idp should not be editable token-exchange

#44712 Keycloak throws a 500 when invalid Accept header dist/quarkus

#44725 Typo: missing '>' on closing in keycloak.v2 link-idp-action.ftl login/ui

#44735 No "Sign in with Passkey" on first step with organization: scope authentication/webauthn

#44742 OID4VCIssuerEndpoint.getCredentialOfferPreflight uses incorrect name of the parameter oid4vc

#44776 Chrome and Firefox broken with new test framework on GtiHub Actions

#44779 OID4VC metadata endpoint returns deferred_credential_endpoint even if not supported oid4vc

#44791 Workflows look up entries from the database on each event

#44793 CredentialRequest with credentialIdentifier does not work when credential-offer was created by OAuth2 authorization_code grant oid4vc

#44796 Claims configued by OID4VCI protocol mappers as mandatory are not enforced to be mandatory oid4vc

#44802 Notification_id returned from the credential response oid4vc

#44908 Run on server with remote uses old classes testsuite

#44918 Workflow tests failing in CI testsuite

#44940 JWTClientSecretAuthenticator throws NPE if client assertion is not set oidc

#44947 Test framework supplier dependencies broken test-framework

#44956 Remove unused azure-credentials input from azure-create-database action ci

#44966 Missing message keys for USER_SESSION_DELETED admin/ui

#44971 DefaultCryptoSdJwsTest.shouldValidateAgeSinceIssued_IfJwtIsTooOld() sometimes fails in CI ci

#44990 Cannot run arquillian testsuite with quarkus-embedded due to dependency conflict testsuite

#45001 Workflows documentation references wrong events core

#45020 ${kc.org} Organisation Confirm Membership Title in messages_de.properties should be ${kc.org.name} translations

#45023 [Docs CI] ExternalLinksTest.checkExternalLinks:41 Broken links (1) in guide 'server_admin' docs

#45040 Docs: upgrading/topics/changes/changes-26_4_6.adoc docs

#45052 Default redirect URI for an organization should be the Home URL of the account client organizations

#45077 Workflows documentation has non-working workflow examples core

#45085 Missing repeatHelp translation key in Time policy admin/ui

#45108 Admin UI: User attribute filter reset does not refresh user list admin/ui

#45114 AdminEvent.getResourcePath() returns paths with duplicated slashes (//) after upgrading Keycloak (26.4.1 → 26.4.7) admin/client-java

#45133 AdminUI test Sessions › Add session data is broken admin/ui