Enabling and disabling features

Enabling features

Some supported features, and all preview features, are disabled by default. To enable a feature, enter this command:

bin/kc.[sh|bat] build --features="<name>[,<name>]"

For example, to enable docker and token-exchange, enter this command:

bin/kc.[sh|bat] build --features="docker,token-exchange"

To enable all preview features, enter this command:

bin/kc.[sh|bat] build --features="preview"

Enabled feature may be versioned, or unversioned. If you use a versioned feature name, e.g. feature:v1, that exact feature version will be enabled as long as it still exists in the runtime. If you instead use an unversioned name, e.g. just feature, the selection of the particular supported feature version may change from release to release according to the following precedence:

The highest default supported version
The highest non-default supported version
The highest deprecated version
The highest preview version
The highest experimental version

Disabling features

To disable a feature that is enabled by default, enter this command:

bin/kc.[sh|bat] build --features-disabled="<name>[,<name>]"

For example to disable impersonation, enter this command:

bin/kc.[sh|bat] build --features-disabled="impersonation"

You can disable all default features by entering this command:

bin/kc.[sh|bat] build --features-disabled="default"

This command can be used in combination with features to explicitly set what features should be available. It is not allowed to have a feature in both the features-disabled list and the features list.

When a feature is disabled all versions of that feature are disabled.

Supported features

The following list contains supported features that are enabled by default, and can be disabled if not needed.

account-api: Account Management REST API
account3: Account Console version 3
admin-api: Admin API
admin2: New Admin Console
authorization: Authorization Service
ciba: OpenID Connect Client Initiated Backchannel Authentication (CIBA)
client-policies: Client configuration policies
device-flow: OAuth 2.0 Device Authorization Grant
hostname-v1: Hostname Options V1
impersonation: Ability for admins to impersonate users
js-adapter: Host keycloak.js and keycloak-authz.js through the Keycloak server
kerberos: Kerberos
par: OAuth 2.0 Pushed Authorization Requests (PAR)
step-up-authentication: Step-up Authentication
web-authn: W3C Web Authentication (WebAuthn)

Disabled by default

The following list contains supported features that are disabled by default, and can be enabled if needed.

docker: Docker Registry protocol
fips: FIPS 140-2 mode
multi-site: Multi-site support

Preview features

Preview features are disabled by default and are not recommended for use in production. These features may change or be removed at a future release.

admin-fine-grained-authz: Fine-Grained Admin Permissions
client-secret-rotation: Client Secret Rotation
dpop: OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer
recovery-codes: Recovery codes
scripts: Write custom authenticators using JavaScript
token-exchange: Token Exchange Service
update-email: Update Email Action

Relevant options

Value

	Value
`features` Enables a set of one or more features. CLI: `--features` Env: `KC_FEATURES`	`account-api[:v1]`, `account2[:v1]`, `account3[:v1]`, `admin-api[:v1]`, `admin-fine-grained-authz[:v1]`, `admin2[:v1]`, `authorization[:v1]`, `ciba[:v1]`, `client-policies[:v1]`, `client-secret-rotation[:v1]`, `client-types[:v1]`, `declarative-ui[:v1]`, `device-flow[:v1]`, `docker[:v1]`, `dpop[:v1]`, `dynamic-scopes[:v1]`, `fips[:v1]`, `hostname[:v1]`, `impersonation[:v1]`, `js-adapter[:v1]`, `kerberos[:v1]`, `linkedin-oauth[:v1]`, `login2[:v1]`, `multi-site[:v1]`, `offline-session-preloading[:v1]`, `oid4vc-vci[:v1]`, `par[:v1]`, `preview`, `recovery-codes[:v1]`, `scripts[:v1]`, `step-up-authentication[:v1]`, `token-exchange[:v1]`, `transient-users[:v1]`, `update-email[:v1]`, `web-authn[:v1]`
`features-disabled` Disables a set of one or more features. CLI: `--features-disabled` Env: `KC_FEATURES_DISABLED`	`account-api`, `account2`, `account3`, `admin-api`, `admin-fine-grained-authz`, `admin2`, `authorization`, `ciba`, `client-policies`, `client-secret-rotation`, `client-types`, `declarative-ui`, `device-flow`, `docker`, `dpop`, `dynamic-scopes`, `fips`, `impersonation`, `js-adapter`, `kerberos`, `linkedin-oauth`, `login2`, `multi-site`, `offline-session-preloading`, `oid4vc-vci`, `par`, `preview`, `recovery-codes`, `scripts`, `step-up-authentication`, `token-exchange`, `transient-users`, `update-email`, `web-authn`

features

Enables a set of one or more features.

CLI: --features
Env: KC_FEATURES

account-api[:v1], account2[:v1], account3[:v1], admin-api[:v1], admin-fine-grained-authz[:v1], admin2[:v1], authorization[:v1], ciba[:v1], client-policies[:v1], client-secret-rotation[:v1], client-types[:v1], declarative-ui[:v1], device-flow[:v1], docker[:v1], dpop[:v1], dynamic-scopes[:v1], fips[:v1], hostname[:v1], impersonation[:v1], js-adapter[:v1], kerberos[:v1], linkedin-oauth[:v1], login2[:v1], multi-site[:v1], offline-session-preloading[:v1], oid4vc-vci[:v1], par[:v1], preview, recovery-codes[:v1], scripts[:v1], step-up-authentication[:v1], token-exchange[:v1], transient-users[:v1], update-email[:v1], web-authn[:v1]

features-disabled

Disables a set of one or more features.

CLI: --features-disabled
Env: KC_FEATURES_DISABLED

account-api, account2, account3, admin-api, admin-fine-grained-authz, admin2, authorization, ciba, client-policies, client-secret-rotation, client-types, declarative-ui, device-flow, docker, dpop, dynamic-scopes, fips, impersonation, js-adapter, kerberos, linkedin-oauth, login2, multi-site, offline-session-preloading, oid4vc-vci, par, preview, recovery-codes, scripts, step-up-authentication, token-exchange, transient-users, update-email, web-authn