Keycloak 14.0.0


Client Policies and Financial-grade API (FAPI) Support

The Keycloak server has now official support for client policies and Financial-grade API (FAPI). This capability was previewed in earlier versions, but now it is more polished and properly documented. Thanks to Takashi Norimatsu, who did most of the work on this. Also thanks to Andrii Murashkin and Hryhorii Hevorkian, who did a great deal of the work on this feature as well. Finally thanks to all the members of the FAPI Special interest group for their help and feedback.

Improvements to User Profile SPI and support for declarative configuration

In this version, there were several improvements to the User Profile SPI in order to prepare the ground on how users profiles are managed in Keycloak.

One of these improvements is the support for configuring user profiles through the administration console. For more details proceed to Server Administration Guide

Thanks to the community and all the individuals involved in this effort.

Improvements to offline sessions

Offline session preloading has been improved and should be faster thanks to Peter Flintholm.

As a preview feature, offline session preloading can be skipped in favor of lazy loading thanks to Thomas Darimont's efforts. This feature has to be explicitly activated in the server configuration, see Server administration guide for details.

Other improvements

  • The support for configuring maximum number of active authentication sessions. The default value is set to 300 authentication sessions (browser tabs) per a browser’s session

Keycloak 13.0.0


Upgrade to Wildfly 23

The Keycloak server was upgraded to use Wildfly 23.0.2.Final as the underlying container.

OAuth 2.0 Device Authorization Grant (RFC 8628)

Support for OAuth 2.0 Device Authorization Grant is now available.

OpenID Connect Client Initiated Backchannel Authentication (CIBA)

Support for OpenID Connect Client Initiated Backchannel Authentication (CIBA) is now available.

Thanks to Takashi Norimatsu, Andrii Murashkin, Christophe Lannoy and members of the FAPI WG for the implementation and feedback.

SAML Artifact binding in server to client communication

Keycloak now supports communication with clients using SAML Artifact binding. A new Force Artifact Binding option was introduced in the client configuration, that forces communication with the client using artifact messages. For more details proceed to Server Administration Guide. Please note, that with this version, Keycloak SAML client adapter does NOT support Artifact binding.

Thanks to AlistairDoswald and harture.

Support PKCE for identity brokering

Keycloak can now leverage PKCE when brokering to an external OpenID Connect IdP.

Thanks to thomasdarimont.

Default roles processing improvement

Default roles are now internally stored as composite roles of a new role usually named default-roles-<realmName>. Instead of assigning both realm and all client default roles directly to newly created users or users imported through Identity Brokering, just the role is assigned to them and the rest of default roles are assigned as effective roles. This change improves performance of default roles processing, especially with larger number of clients, because it is no longer necessary to go through all clients.

Keycloak 12.0.0


Keycloak.X distribution preview

Introduction a preview of the new and upcoming Keycloak.X distribution. This distribution is powered by Quarkus, bringing significant improvements to startup time and memory consumption, as well as making it a lot easier to configure Keycloak.

New Account console is now the default

The new account console is no longer a preview feature and is now the default account console in Keycloak. The old account console will stay around for a while. For those that have a custom theme for the old account console the old console will be used by default, giving you the time to update your custom theme to the new account console.

OpenID Connect Back-Channel Logout

Support for OpenID Connect Back-Channel Logout is now available, thanks to DaSmoo and benjamin37.

Upgrade to Wildfly 21

The Keycloak server was upgraded to use Wildfly 21 as the underlying container.

Ability to request AuthnContext in SAML identity provider

Support for specification of AuthnContext section in authentication requests issued by SAML identity provider has been added.

Thanks to lscorcia

FAPI RW support and initial support to Client policies

There was lots of the work done to have support for Financial-grade API Read and Write API Security Profile (FAPI RW). This is available with the usage of Client policies and it is still in the preview state. You can expect more polishing in the next releases. Thanks to Takashi Norimatsu and all the members of the FAPI Special interest group.

Upgrade login theme to PatternFly 4

The Keycloak login theme components have been upgraded to PatternFly 4. The old PatternFly 3 runs simultaneously with the new one, so it’s possible to have PF3 components there.

There are also design changes in the login theme for better user experience. You can even define an icon for your custom Identity providers. For details, please refer to the docs.

Gatekeeper EOL

Gatekeeper reached end of life, in November 21. This means that we no longer support, or update it. The announcement is available here.

Other improvements

  • Support for OAuth2 Client Credentials grant without refresh token and without user session. Thanks to Thomas Darimont

  • Support for send access tokens to the OAuth2 Revocation endpoint

Keycloak 11.0.0


LDAPv3 password modify operation

Support for LDAPv3 password modify operation was added. Also the ability in the admin console to request metadata from the configured LDAP server to see if it supports LDAPv3 password modify operation.

Thanks to cachescrubber

Namespace support for LDAP group mapper

Namespace support for LDAP group mapper allows you to map groups from LDAP under specified branch (namespace) of the Keycloak groups tree. Previously groups from LDAP were always added as the top level groups in Keycloak.

Thanks to Torsten Juergeleit

Upgrade to WildFly 20

Keycloak server was upgraded to use WildFly 20.0.1.Final under the covers. For more details, please take a look at Upgrading Guide.

SAML POST binding is broken in the latest versions of browsers

The SameSite value None for JSESSIONID cookie is necessary for correct behavior of the Keycloak SAML adapter. Usage of a different value is causing resetting of the container’s session with each request to Keycloak, when the SAML POST binging is used. Refer to the following steps for Wildfly and Tomcat to keep the correct behavior. Notice, that this workaround should be working also with the previous versions of the adapter.

Other improvements

  • Support for client offline session lifespan. Thanks to Yoshiyuki Tabata

  • Czech translation. Thanks to Jakub Knejzlík

  • Possibility to fetch additional fields from the Facebook identity provider. Thanks to Bartosz Siemieńczuk

  • Support for AES 192 and AES 256 algorithms used for signed and encrypted ID tokens. Thanks to Takashi Norimatsu

  • Ability to specify signature algorithm in Signed JWT Client Authentication. Thanks to Takashi Norimatsu

Keycloak 10.0.0


Identity Brokering Sync Mode

With Identity Brokering Sync Mode it is now possible to control if user profiles are updated on first login, or every login from an external Identity Provider. It is also possible to override this behaviour on individual mappers.

Thanks to Martin Idel

Client Session Timeout for OpenID Connect / OAuth 2.0

Typically, an SSO session last for days if not months, while individual client sessions should ideally be a lot shorter. With the introduction of client session timeout it is now possible to configure a separate timeout for individual clients, as well as a default for all clients within a realm.

Thanks to Yoshiyuki Tabata

OAuth 2.0 Token Revocation (RFC 7009)

For applications that use Keycloak as an OAuth 2.0 Authorization Server there is now support to revoke refresh tokens through the token revocation endpoint.

Thanks to Yoshiyuki Tabata

Security Headers SPI and Response Filter

A new SPI was introduced to allow better flexibility when setting security related headers on responses. This provides a cleaner implementation within Keycloak, but also allows full customisation if needed. Security headers are now set by a response filter instead of within the code itself, which makes it less error prone, removing the chance that some response are missing headers.

Upgrade to WildFly 19

Keycloak server was upgraded to use WildFly 19 under the covers.

Other improvements

  • Support for invoking Application Initiated Actions added to Keycloak JavaScript adapter

  • Performance improvements to fetching resources and policies during evaluation

Keycloak 9.0.1


PromiseType removed from JavaScript adapter

The promiseType init option has been removed from the JavaScript adapter. Instead a promise that supports both native promise API and legacy Keycloak promise API is returned. This allows gradually migration of applications from the legacy/deprecated API to the native promise API.

Other improvements

Reverted breaking API changes to LocaleSelectorSPI

In 9.0.0 a breaking API change was introduced to LocaleSelectorSPI. With 9.0.1 the changes to this API is now reverted, and a new LocaleUpdatorSPI has been introduced.

Fixed the automatic resolution of KeycloakConfigResolver instances for Spring Boot Applications

In previous releases, Spring Boot applications had to manually implement the KeycloakConfigResolver interface or extend the built-in org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver.

This release fixes the backward compatibility issue by resolving instances automatically in case none is provided. As well as still allowing applications to provide their own configuration resolver implementations.

Keycloak 9.0.0


Drools Policy Removed

The Drools Policy was finally removed after the deprecation period. If you need more complex policies you can still use JavaScript-based policies.

Pagination support for clients

Pagination support was added to clients in the Admin Console and REST API. Thanks to saibot94.

New Elytron Credential Store Vault Provider

A new built-in vault provider that reads secrets from a keystore-backed Elytron credential store has been added as a WildFly extension. The creation and management of the credential store is handled by Elytron using either the elytron subsystem or the script.

More updates to W3C WebAuthn and Authentication flows

In this release, we did some usability improvements to the authentication flows. It should be easier for the end user to choose between available authentication mechanisms for two-factor authentication. It should be more intuitive to log in with OTP or WebAuthn considering the fact that user can have more OTP or WebAuthn credentials. There is also better support for passwordless WebAuthn authentication. Finally, we did some work on defects related to the authentication flows.

Improved handling of user locale

A number of improvements have been made to how the locale for the login page is selected, as well as when the locale is updated for a user.

See the Server Administration Guide for more details.

Other improvements

  • Authorization Header token is only considered now when type is Bearer on Gatekeeper. Thanks to HansK-p

  • More algorithms are supported for the client authentication with signed client secret JWT. Namely HS384 and HS512 algorithms were added. Thanks to tnorimat

Keycloak 8.0.2


Starting with version 80, Google Chrome will change the default value for the SameSite cookie parameter to Lax. Therefore, changes were required to several Keycloak cookies (especially those which are used within the Javascript adapter for checking the session status using the iframe) to set SameSite parameter to None. Please note that this settings also requires setting the Secure parameter, hence starting with this version, the Javascript adapter will only be fully functional when using the SSL / TLS connection on the Keycloak side.

Keycloak 8.0.1


LDAP Issue

This release fixes a critical vulnerability in LDAP introduced in Keycloak 7. If you are using Keycloak 7.0.0, 7.0.1 or 8.0.0 in production we strongly suggest that you upgrade immediately.

WildFly 18.0.1.Final

Upgrade to WildFly 18.0.1.Final which includes updates to a number of CVEs in third-party libraries.

Keycloak 8.0.0



Several configuration fields can obtain their value from a vault instead of entering the value directly: LDAP bind password, SMTP password, and identity provider secrets.

Furthermore, new vault SPI has been introduced to enable development of extensions to access secrets from custom vaults.

New Default Hostname provider

The fixed and request hostname providers have been replaced with a single new default hostname provider. This provider comes with a number of improvements, including:

  • No need to change provider to set fixed base URL

  • Support different base URL for frontend and backend requests

  • Support changing context-path in cases where Keycloak is exposed on a different context-path through a reverse proxy

Messages in theme resources

Message bundles in theme resources enables internationalization of custom providers such as authenticators. They are also shared between all theme types, making it possible to for example share messages between the login and account console. Thanks to micedre.

RoleMappingsProvider SPI for the SAML adapters

We have added a new SPI that allows for the configuration of custom role mappers that are used by the SAML adapters to map the roles extracted from the SAML assertion into roles that exist in the SP application environment. This is particularly useful when the adapters need to communicate with third party IDPs and the roles set by the IDP in the assertion do not correspond to the roles that were defined for the SP application. The provider to be used can configured in the keycloak-saml.xml file or in the keycloak-saml subsystem. An implementation that performs the role mappings based on the contents of a properties file was also provided.

Notice that when Keycloak acts as the IDP we can use the built-in role mappers to perform any necessary mappings before setting the roles into the assertion, so this SPI will probably be redundant in this case. The RoleMappingsProvider SPI was designed for situations when the IDP offer no way to map roles before adding them to the assertion.

WildFly 18 Upgrade

Keycloak server was upgraded to use WildFly 18 under the covers.

W3C Web Authentication support

In this release, we added initial support for W3C Web Authentication (WebAuthn). There are a few limitations in current implementation, however we are working on further improvements in this area. Thanks to tnorimat for the contribution. Also thanks to ynojima for the help and feedback.

Support for password-less authentication, multi-factor authentication and multiple credentials per user

With the arrival of W3C Web Authentication support, we’ve refined the authentication flow system to be able to allow a user to select which authentication method is preferred for login (for example, the choice between an OTP credential and a WebAuthn credential). The new mechanisms also allow an administrator to craft flows for password-less login, for example just using WebAuthn as an authentication method. Please note that with these changes, any custom authentication flow you have created may need to be adapted to the new flow logic.

As a result of these changes, users can now have multiple OTP devices and multiple WebAuthn devices. The same system that allows a user to select which type of device to use during login also allows that user to select which specific device to use. Thanks to the Cloudtrust team: AlistairDoswald, sispeo and Fratt for their contributions, and to harture and Laurent for their help.

Other Improvements

System properties and environment variables support in

It is now possible to use system properties and environment variables within file. Thanks to Opa-

Support more signing algorithms for client authentication with signed JWT

Thanks to tnorimat, we support more signing algorithms for client authentication with signed JWT.

Configurable client authentication method for OIDC Identity providers

In this release, possibility to authenticate OIDC providers with signed JWT or basic authentication was added. So all the client authentication methods mentioned in the OIDC specification are supported now. Thanks to madgaet and rradillen for contributions.

Support enable/disable logging into the JavaScript adapter

Thanks to jonkoops now it’s possible to enable or disable logging for the JS adapter.

Credentials support removed from the JavaScript adapter

The option to provide client credentials in the JavaScript adapter was removed. Thanks to jonkoops

Updates for Gatekeeper

  • Secure token and logout endpoint were included in Gatekeeper. Thanks to fredbi

  • There was a bug on Gatekeeper which was making cookies to be applied to subdomains. Thanks to daniel-ac-martin the issue was fixed

  • Now Gatekeeper provides support to Same-site cookies. Thanks to fiji-flo

Deploying Scripts to the Server

Please take a look at 7.0.1 Release Notes for more details on how you can now deploy and run scripts to customize specific behavior.

Keycloak 7.0.1

Deploying Scripts to the Server

Until now, administrators were allowed to upload scripts to the server through the Keycloak Administration Console as well as through the RESTful Admin API.

For now on, this capability is disabled by default and users should prefer to deploy scripts directly to the server. For more details, please take a look at JavaScript Providers.

Keycloak 7.0.0


WildFly 17 Upgrade

Keycloak server was upgraded to use WildFly 17 under the covers.

Tomcat 9 adapter support

Java adapter for Apache Tomcat 8 and Apache Tomcat 9 was unified and now it serves for both of them.

New Account Console

A lot of work has been done on the new Account Console and Account REST API. It’s not quite ready yet, but it’s getting there and hopefully will be fully done for Keycloak 8.

Signed and Encrypted ID Token Support

Keycloak can support the signed and encrypted ID token according to the Json Web Encryption (JWE) specification. Thanks to tnorimat.

Testing and release automation

The Keycloak team has spent a significant amount of time on automation around testing and releases both for Keycloak and Red Hat Single Sign-On.

Other improvements

  • PKCE support added to JavaScript adapter. Thanks to thomasdarimont

  • Oracle database support added to Keycloak container image. Thanks to nerdstep

  • Clock Skew support added to SAML adapter. Thanks to steevebtib

  • TypeScript support for Node.js adapter. Thanks to evanshortiss

  • Gatekeeper now allows to provide unencrypted token in header, while encrypting in cookie. There was also a bug on Gatekeeper when Revoke Refresh Token is enabled on the Keycloak server. The issue was fixed. Thanks to fredbi

  • New tab in the Admin console to display the list of users for client roles. Thanks to unly

Keycloak 6.0.0

WildFly 16 Upgrade

Keycloak server was upgraded to use WildFly 16 under the covers.

SmallRye Health and Metrics extensions

Keycloak now comes enabled with the SmallRye Health and Metrics extensions which provides standard health and metrics endpoints. We will add some documentation as well as Keycloak specific metrics soon.

PS256 support

Thanks to tnorimat Keycloak now has support for signing and verifying tokens with PS256.

MP-JWT Client Scope

New built-in client scope to make it easy to issue tokens following the Eclipse MicroProfile specification.

Keycloak 5.0.0

WildFly 15 Upgrade

Keycloak server was upgraded to use WildFly 15 under the covers.

Keycloak 4.8.0.Final

OpenShift Integration

It is now possible to fully secure OpenShift 3.11 with Keycloak, including the ability to automatically expose Service Accounts as OAuth clients as clients to Keycloak.

This is currently a technology preview feature.

Rules/Drools Policy Marked as a Technology Preview Feature

Until now, Drools policies were enabled by default. But now, this policy type is only available as a technology preview feature and to use it you need to enable the preview profile or the corresponding feature. Take a look at the Authorization Services Guide for more details.

Support for DB2 removed

DB2 support has been deprecated for a while. With this release we have removed all support for DB2.

Keycloak 4.7.0.Final

Enhanced Remember Me

Introduced the ability to specify different session idle and max timeouts for remember me sessions. This enables remember me sessions to live longer than regular sessions.

Pagination support for Groups

Large numbers of groups have previously caused issues in the admin console. This is now resolved by the introduction of pagination of groups.

Improve startup time with large number of offline sessions

In the past, starting the server could take a long time if there were many offline sessions. This startup time has now been significantly reduced.

Keycloak 4.6.0.Final

Upgrade to WildFly 14

The Keycloak server was upgraded to use WildFly 14 under the covers.

Keycloak Gatekeeper

Keycloak Gatekeeper provides a security proxy that can be used to secure applications and services without an adapter. It can be installed locally alongside your application or as a sidecar on OpenShift or Kubernetes.

Huge thanks to gambol99 for contributing this work to Keycloak.

Keycloak 4.5.0.Final

Signature SPI

The Signature SPI makes it possible to plug-in additional signature algorithms. This enables additional signatures and also enables changing how signatures are generated. For example, using this allows using an HSM device to sign tokens.

Thanks to tnorimat for contributing a signficant part of this work.

New Signature Algorithms

Alongside the Signature SPI there is now also support for additional signature algorithms.

Keycloak now has support for RS256, RS384, RS512, ES256, ES384, ES512, HS256, HS384 and HS512.

Elliptic Curve Digital Signature Algorithm (ES256/384/512) are very interesting as they provide similar security properties as RSA signatures, but use significantly less CPU.

HMAC (HS256/384/512) are also very useful when you do not want your application to verify the signature itself. Since these are symmetric signatures only Keycloak is able to verify the signature, which requires the application to use the token introspection endpoint to verify tokens.

Thanks to tnorimat for contributing a signficant part of this work.

Better Audience Support for OpenID Connect clients

It is now possible to specify the audiences in the tokens issued for OpenID Connect clients. There is also support for verification of audience on the adapter side.

Minor improvements

  • Added LocaleSelector SPI, which allows to change the way how the locale will be resolved for a particular request. Thanks to knutz3n

  • Added an authenticator to automatically link Identity Provider identity to an existing account after first Idp authentication. Thanks to slominskir

Keycloak 4.4.0.Final

Upgrade to WildFly 13

The Keycloak server was upgraded to use WildFly 13 under the covers. This means update of the underlying dependencies and also some changes in the configuration. We now also support WildFly 13 adapter and we upgraded the underlying JDG/Infinispan server version for the Cross-DC setup. See Upgrading Guide for more details.

Authorization Services support in Node.js

Having authorization services support in Node.js makes it very easy to do fine-grained central authorization with the Node.js adapter.

Minor improvements

  • Update design for the welcome page

  • Allow passing current locale to OAuth2 IdPs. Thanks to knutz3n

  • Support Content-Security-Policy-Report-Only security header. Thanks to knutz3n

  • Script based ProtocolMapper for SAML. Thanks to AlistairDoswald

Keycloak 4.3.0.Final

Hostname SPI

The hostname SPI introduces a more flexible way to configure the hostname for Keycloak. There are two built-in providers. The first is request, which uses the request headers to determine the hostname. The second is fixed, which allows configuring a fixed hostname. The latter makes sure that only valid hostnames can be used and also allows internal applications to invoke Keycloak through an alternative URL.

For more details refer to the threat mitigation section in the Server Administration Guide.

X509 Client Authenticator

The newly added Client Authenticator uses X509 Client Certificates and Mutual TLS to secure a connection from the client. In addition to that the Keycloak Server validates Subject DN field of the client’s certificate.

Performance improvements to Authorization Services

For this release, we improved policy evaluation performance across the board, increasing reliability and throughput. The main changes we did were related with trying to optimize the policy evaluation path by avoiding unnecessary flows and collect decisions as soon as they happen. We also introduced a policy decision cache on a per request basis, avoiding redundant decisions from policies previously evaluated.

We are also working on other layers of cache which should give a much better experience. See KEYCLOAK-7952.

Choosing the response mode when obtaining permissions from the server

In previous versions, permissions were always returned from the server using standard OAuth2 response, containing the access and refresh tokens. In this release, clients can use a response_mode parameter to specify how the server should respond to an authorization request. This parameter accepts two values:

  • decision

    Indicating that responses should only contain a flag indicating whether or not permissions were granted by the server. Otherwise a 403 HTTP status code is returned.

  • permissions

    Indicating that a response should contain every single permission granted by the server using a JSON format.

NodeJS Policy Enforcer

The keycloak-nodejs-connect, an adapter for NodeJS, now supports constructs to protect resources based on decisions taken from the server. The new construct allows users to protect their resources using fine-grained permissions as follows:

app.get('/protected/resource', keycloak.enforcer('resource:view'), function (req, res) {
  res.json({message: 'access granted'});

Support hosted domain for Google logins

Login with Google now supports the hd parameter to restrict Google logins to a specific hosted domain at Google. When this is specified in the identity provider any login from a different domain is rejected.

Thanks to brushmate for the contribution.

Escape unsafe tags in HTML output

Most HTML output is already escaped for HTML tags, but there are some places where HTML tags are permitted. These are only where admin access is needed to update the value. Even though it would require admin access to update such fields we have added an extra layer of defence and are now escaping unsafe elements like <script>.

Keycloak 4.2.0.Final

Browser tab support for Cordova

We now have support for using browser tab and universal links in the JavaScript adapter for Cordova. This enables SSO between multiple applications as well as increases security.

Thanks to gtudan for the contribution.

SAML adapter multitenancy support

The SAML adapter can support multi-tenancy now just like the built in adapter for OpenID Connect.

An option to create claims with dots (.) in them

In previous versions, it was not possible to create claims in the token using a claim name containing a dot (.) character. Now it is possible to escape the dot character in the configuration, so a claim name with the dot character can be used.

Keycloak 4.1.0.Final

Making Spring Boot 2 the default starter

Starting with release 4.1, the Spring Boot starter will be based on the Spring Boot 2 adapter. If you are using an older Spring Boot version, the keycloak-legacy-spring-boot-starter is available.

Keycloak 4.0.0.Final

Client Scopes and support for OAuth 2 scope parameter

We added support for Client Scopes, which replaces Client Templates. Client Scopes are a more flexible approach and also provides better support for the OAuth scope parameter.

There are changes related to Client Scopes to the consent screen. The list on the consent screen is now linked to client scopes instead of protocol mappers and roles.

See the documentation and migration guide for more details.

OAuth 2 Certificate Bound Access Tokens

We now have a partial implementation of the specification OAuth 2.0 Mutual TLS Client Authentication and Certificate Bound Access Tokens . More accurately we have support for the Certificate Bound Access Tokens. If your confidential client is able to use 2-way SSL, Keycloak will be able to add the hash of the client certificate into the tokens issued for the client. At this moment, it’s just the Keycloak itself, which verifies the token hashes (for example during refresh token requests). We plan to add support to adapters as well. We also plan to add support for Mutual TLS Client Authentication.

Thanks to tnorimat for the contribution.

Authorization Services

UMA 2.0 Support

UMA 2.0 is now supported for Authorization Services. Check the documentation for more details if you are coming from previous versions of Keycloak.

User-Managed Access through the Keycloak Account Service

Now end-users are able to manage their resources and the permissions associated with them through the Keycloak Account Service. From there, resource owners can now check their resources, share resources with another users as well approve requests from other users.

Asynchronous Authorization Flow

When using UMA, client applications can now choose whether or not an authorization request should start an authorization flow to ask for the resource owner approval. This functionality allows applications to ask for resource owner approval when trying to access one of his resources on behalf of another user.

User-Managed Permission API

Resource servers are now capable of associating additional policies to resources owned by a particular user. The new API provides operations to manage these permissions using different policy types such as role, group, user, client or a condition using JavaScript.

Pushed Claims

Clients applications are now able to send arbitrary claims to Keycloak along with an authorization request in order to evaluate permissions based on these claims. This is a very handy addition when access should be granted (or denied) in the scope of a specific transaction or based on information about the runtime.

Resource Attributes

It is now possible to associated attributes with resources protected by Keycloak and use these same attributes to evaluate permissions from your policies.

Policy enforcer now accepts regular access tokens

In some situations, you may want to just send regular access tokens to a resource server but still be able to enforce policies on these resources.

One of the main changes introduced by this release is that you are no longer required to exchange access tokens with RPTs in order to access resources protected by a resource server (when not using UMA). Depending on how the policy enforcer is configured on the resource server side, you can just send regular access tokens as a bearer token and permissions will still be enforced.

Policy enforcer can now load resources from the server on-demand

Until now, when deploying an application configured with a policy-enforcer, the policy enforcer would either load all protected paths from the server or just map these paths from the adapter configuration. Users can now decide to load paths on-demand from the server and avoid map these resources in the adapter configuration. Depending on how many protected resources you have this functionality can also improve the time to deploy an application.

Policy enforcer now supports configuring the resource cache

In order to avoid unnecessary hits to the server, the policy enforcer caches the mapping between protected resources and their corresponding paths in your application. Users can now configure the behaviour of the cache or even completely disable it.

Claim Information Points

The policy-enforcer definition on the adapters (keycloak.json) was also updated to support the concept of pushed claims. There you have the concept of a claim-information-point which can be set to push claims from different sources such as the HTTP request or even from an external HTTP service.

Improvements to the Evaluation API

The Evaluation API used to implement policies in Keycloak, especially JavaScript and Drools policies, provides now methods to:

  • Access information from the current realm such as check for user roles, groups and attributes

  • Push back arbitrary claims to the resource server in order to provide additional information on how a specific permissions should be enforced

Authorization Services

UMA 2.0

UMA 2.0 is now supported for Authorization Services, including support for users to manage user access through the account management console. There are also other additions and improvements to authorization services.

Pushed Claims

Clients can now push additional claims and have them used by policies when evaluating permissions.

Resource Attributes

It is now possible to define attributes on resources in order to have them used by policies when evaluating permissions.

Themes and Theme Resources

It is now possible to hot-deploy themes to Keycloak through a regular provider deployment. We have also added support for theme resources, which allows adding additional templates and resources without creating a theme. This is useful for custom authenticators that require additional pages to be added to the authentication flow.

We have also added support to override the theme for specific clients. If that is not adequate for your needs, then there is also a new Theme Selector SPI that allows you to implement custom logic to select the theme.

Instagram Identity Provider

We have added support to login with Instagram. Thanks to hguerrero for the contribution.

Search by User ID in Admin Console

To search for a user by id in the admin console you previously had to edit the URL. It is now possible to search directly in the user search field.


Spring Boot 2

We now have support for Spring Boot 2.

Fuse 7

We now have support for Fuse 7.

JavaScript - Native Promise Support

The JavaScript adapter now supports native promises. It retains support for the old style promises as well. Both can be used interchangeably.

JavaScript - Cordova Options

It is now possible to pass Cordova-specific options to login and other methods in the JavaScript adapter. Thanks to loorent for the contribution.