+Highlights
+
+
+Supported user profile and progressive profiling
+
+
+The user profile preview feature is promoted to be fully supported and user profile is enabled by default.
+
+
+In the past months, the Keycloak team spent a huge amount of effort in polishing the user +profile feature to make it fully supported. In this release, we continued the effort. Lots of improvements, fixes and +polishing were done based on the thorough testing and feedback from our awesome community.
+
+
+The following are a few highlights of this feature;
+
+
+-
+
-
+
Fine-grained control over the attributes that users and administrators can manage so that you can prevent unexpected attributes and values from being set.
+
+ -
+
Ability to specify what user attributes are managed and should be displayed on the forms to regular users or administrators.
+
+ -
+
Dynamic forms - Previously, the forms where users created or updated their profiles, contain four basic attributes like username, email, first name and last name. The addition of any +attributes (or removing some default attributes) required you to create a custom theme. Now custom themes may not be needed because users see exactly the requested attributes based on the requirement of the particular deployment.
+
+ -
+
Validations - Ability to specify validators for the user attributes including built-in validators that you can use to specify a maximum or minimum length, a specific regex, or limiting a +particular attribute to be a URL or number.
+
+ -
+
Annotations - Ability to specify that particular attribute should be rendered for instance as a text area, an HTML select with specified options, or calendar or many other options. You can also bind JavaScript code to a specific field to change how an attribute is rendered and customize its behavior.
+
+ -
+
Progressive profiling - Ability to specify that some fields are required or available on the forms just for particular values of
+scopeparameter. This effectively allow progressive +profiling. You no longer need to ask the user for twenty attributes during registration; you can instead ask the user to fill in attributes incrementally according to the requirements of the individual client +applications that are used by the user.
+ -
+
Migration from previous versions - The user profile is now always enabled, but it operates as before for those who did not use this feature. You can +benefit from the user profile capabilities, but you are not required to use them. For migration instructions, see the Upgrading Guide.
+
+
+
+The first release of the user profile as a supported feature is just the starting point and the baseline for delivering many more capabilities around identity management.
+
+
+We would like to give huge thanks to the awesome Keycloak community as lots of ideas, requirements and contributions came from the community! Special thanks to:
+
+
+-
+
- + + +
- + + +
- + + +
- + + +
- + + +
- + + +
- + + +
- + + +
+
+For more details about user profile capabilities, see the Server Administration Guide.
+
+
+Breaking changes to the User Profile SPI
+
+
+In this release, changes to the User Profile SPI might impact existing implementations based on this SPI. For more details, see the +Upgrading Guide.
+
+
+Changes to Freemarker templates to render pages based on the user profile and realm
+
+
+In this release, the following templates were updated to make it possible to dynamically render attributes based +on the user profile configuration set to a realm:
+
+
+-
+
-
+
+login-update-profile.ftl
+ -
+
+register.ftl
+ -
+
+update-email.ftl
+
+
+For more details, see the Upgrading Guide.
+
+
+New Freemarker template for the update profile page at first login through a broker
+
+
+In this release, the server renders the update profile page when the user is authenticating through a broker for the
+first time using the idp-review-user-profile.ftl template.
+
+For more details, see the Upgrading Guide.
+
+
+Java adapter deprecation and removal
+
+
+Back in 2022 we announced the deprecation of Keycloak adapters in Keycloak 19. +To give the community more time to adopt this was delayed.
+
+
+With that in mind, this will be the last major release of Keycloak to include OpenID Connect and SAML adapters. +As Jetty 9.x has not been supported since 2022 the Jetty adapter has been removed already in this release.
+
+
+The generic Authorization Client library will continue to be supported, and aims to be used in combination with any +other OAuth 2.0 or OpenID Connect libraries.
+
+
+The only adapter we will continue to deliver is the SAML adapter for latest releases of WildFly and EAP 8.x. Reasoning +for continuing to support this is down to the fact that the majority of the SAML codebase in Keycloak was a contribution +from WildFly. As part of this contribution we agreed to maintain SAML adapters for WildFly and EAP in the long run.
+
+
+Jetty adapter removed
+
+
+Jetty 9.4 has not been supported in the community for a long time, and reached end-of-life in 2022. At the same time the +adapter has not been updated or tested with more recent versions of Jetty. For these reasons the Jetty adapter has been +removed from this release.
+
+
+New Welcome Page
+
+
+The 'welcome' page that appears at the first use of Keycloak is redesigned. It provides a better setup experience and conforms to the latest version of PatternFly. The simplified page layout includes only a form to register the first administrative user. After completing the registration, the user is sent directly to the Admin Console.
+
+
+
+
+
+
+Figure 1. New welcome page with a simplified layout and registration form
+
+
+If you use a custom theme, you may need to update it to support the new welcome page. For details, see the Upgrading Guide.
+
+
+New Account Console now the default
+
+
+We introduced version 3 of the Account Console in Keycloak 22 as a preview feature. In this release, we are making it the default version, and deprecating version 2 in the process, which will be removed in a subsequent release.
+
+
+This new version has built-in support for the user profile feature, which allows administrators to configure which attributes are available to users in the Account Console, and lands a user directly on their personal account page after logging in.
+
+
+
+
+
+
+Figure 2. New Account Console with custom attributes
+
+
+If you are using or extending the customization features of this theme, you may need to perform additional migrations. For more details, see the Upgrading Guide.
+
+
+Keycloak JS
+
+Using
+
+Using exports field in package.json
+
+
+The Keycloak JS adapter now uses the exports field in its package.json. This change improves support for more modern bundlers like Webpack 5 and Vite, but comes with some unavoidable breaking changes. See the Upgrading Guide for more details.
+
+PKCE enabled by default
+
+
+The Keycloak JS adapter now sets the pkceMethod option to S256 by default. This change enables Proof Key Code Exchange (PKCE) for all applications using the adapter. If you use the adapter on a system that does not support PKCE, you can set the pkceMethod option to false to disable it.
+
+Changes to Password Hashing
+
+
+In this release, we adapted the password hashing defaults to match the OWASP recommendations for Password Storage.
+
+
+As part of this change, the default password hashing provider has changed from pbkdf2-sha256 to pbkdf2-sha512.
+Also, the number of default hash iterations for pbkdf2 based password hashing algorithms changed. This change means better security aligned with latest recommendations, but
+it has impact on performance. It is possible to stick to the old behaviour by adding password policies hashAlgorithm and hashIterations to your realm. For more details, see the Upgrading Guide.
+
+OAuth/OIDC related improvements
+
+
+Lightweight access tokens support
+
+
+This release contains support for Lightweight access tokens. As a result, you can have smaller access tokens for specified clients. These tokens have only a few +claims, which is why they are smaller. Note that lightweight access token is still JWT signed by the realm key by default and still contains some very basic claims.
+
+
+This release introduces an Add to lightweight access token flag that is available on some OIDC protocol mappers. Use this flag to specify if a particular claim should be added to a lightweight +access token. It is OFF by default, which means that most claims are not added.
+
+
+Also, a client policy executor exists. Use it to specify if a particular client request +should use lightweight access tokens or regular access tokens. An alternative to the executor is to use an Always use lightweight access token flag on client advanced +settings, which causes that client to always use lightweight access tokens. An executor can be an alternative if you need +more flexibility. For instance, you may choose to use lightweight access tokens by default but use regular tokens only for the specified scope parameter.
+
+
+A previous release added an Add to token introspection switch. You use it to add +claims that are not present in the access token into the introspection endpoint response.
+
+
+Thanks to Shigeyuki Kabano for the contribution and Thanks to +Takashi Norimatsu for a help and review of this feature.
+
+
+OAuth 2.1 support
+
+
+This release contains optional OAuth 2.1 support. New client policy profiles were introduced in this release, which administrators can use to make sure that clients and particular client requests comply with the OAuth 2.1 specification. A dedicated client profile exists for confidential clients and a dedicated profile for public clients. +Thanks to Takashi Norimatsu and Shigeyuki Kabano for the contribution.
+
+
+Scope parameter supported in the refresh token flow
+
+
+Starting with this release, the scope parameter in the OAuth2/OIDC endpoint for token refresh is supported. Use this parameter to request access tokens with a smaller amount +of scopes than originally granted, which means you cannot increase access token scope. This scope limitation does not affect the scope of the refreshed refresh token. This function works as +described in the OAuth2 specification. +Thanks to Konstantinos Georgilakis for the contribution.
+
+
+Client policy executor for secure redirect URIs
+
+
+A new client policy executor secure-redirect-uris-enforcer is introduced. Use it to restrict which redirect URIs can be used by the clients. For instance,
+you can specify that client redirect URIs cannot have wildcards, should be just from specific domain, must be OAuth 2.1 compliant, and so on.
+Thanks to Lex Cao and Takashi Norimatsu for the contribution.
+
+Client policy executor for enforcing DPoP
+
+
+A new client policy executor dpop-bind-enforcer is introduced. You can use it to enforce DPoP for a particular client if dpop preview
+ is enabled.
+Thanks to Takashi Norimatsu for the contribution.
+
+Supporting EdDSA
+
+
+You can create EdDSA realm keys and use them as signature algorithms for various clients. For instance, you can use these keys to sign tokens or for client authentication with signed JWT.
+This feature includes identity brokering where Keycloak itself signs client assertions that are used for private_key_jwt authentication to third party identity providers.
+Thanks to
+Takashi Norimatsu and Muhammad Zakwan Bin Mohd Zahid for the contribution.
+
+EC Keys supported by JavaKeystore provider
+
+
+The provider JavaKeystoreProvider for providing realm keys now supports EC keys in addition to previously supported RSA keys.
+Thanks to Stefan Wiedemann for the contribution.
+
+Option to add X509 thumbprint to JWT when using private_key_jwt authentication for identity providers
+
+
+OIDC identity providers now have the Add X.509 Headers to the JWT option for the situation when client authentication with JWT signed by private key is used. This option can be useful +for interoperability with some identity providers such as Azure AD, which require the thumbprint to be present on the JWT. +Thanks to MT for the contribution.
+
+
+OAuth Grant Type SPI
+
+
+The Keycloak codebase includes an internal update to introduce the OAuth Grant Type SPI. This update allows additional flexibility when introducing custom grant types +supported by the Keycloak OAuth 2 token endpoint. +Thanks to Dmitry Telegin for the contribution.
+
+
+CORS improvements
+
+
+The CORS related Keycloak functionality was extracted into the SPI, which can allow additional flexibility. Note that CorsSPI is internal and may change at a future release.
+Thanks to Dmitry Telegin for the contribution.
+
+Truststore improvements
+
+
+Keycloak introduces improved truststores configuration options. The Keycloak truststore is now used across the server, including outgoing connections, mTLS, and database drivers. You no longer need to configure separate truststores for individual areas. To configure the truststore, you can put your truststores files or certificates in the default conf/truststores, or use the new truststore-paths config option. For details refer to the relevant guide.
+
+Versioned Features
+
+
+Features now support versioning. To preserve backward compatibility, all existing features (including account2 and account3) are marked as version 1. Newly introduced features will use versioning, which means that users can select between different implementations of desired features.
+
+For details refer to the features guide.
+
+
+Keycloak CR Truststores
+
+
+You may also take advantage of the new server-side handling of truststores by using the Keycloak CR, for example:
+
+
+
+
+spec:
+ truststores:
+ mystore:
+ secret:
+ name: mystore-secret
+ myotherstore:
+ secret:
+ name: myotherstore-secret
+
+Currently only Secrets are supported.
+
+
+Trust Kubernetes CA
+
+
+The cert for the Kubernetes CA is added automatically to your Keycloak Pods managed by the Operator.
+
+
+Automatic certificate management for SAML identity providers
+
+
+The SAML identity providers can now be configured to automatically download the signing certificates from the IDP entity metadata descriptor endpoint. In order to use the new feature, configure the Metadata descriptor URL option in the provider (the URL where the IDP metadata information with the certificates is published) and set Use metadata descriptor URL to ON. The certificates are automatically downloaded and cached in the public-key-storage SPI from that URL. The certificates can also be reloaded or imported from the Admin Console, using the action combo in the provider page.
+
+See the documentation for more details about the new options.
+
+
+Non-blocking health check for load balancers
+
+
+A new health check endpoint available at /lb-check was added.
+The execution is running in the event loop, which means this check is responsive also in overloaded situations when Keycloak needs to handle many requests waiting in request queue.
+This behavior is useful, for example, in multi-site deployment to avoid failing over to another site that is under heavy load.
+The endpoint is currently checking availability of the embedded and external Infinispan caches. Other checks may be added later.
+
+This endpoint is not available by default.
+To enable it, run Keyloak with the multi-site feature.
+For more details, see Enabling and disabling features.
+
+Keycloak CR Optimized Field
+
+
+The Keycloak CR now includes an startOptimized field, which may be used to override the default assumption about whether to use the --optimized flag for the start command.
+As a result, you can use the CR to configure build time options also when a custom Keycloak image is used.
+
+Enhanced reverse proxy settings
+
+
+It is now possible to separately enable parsing of either Forwarded or X-Forwarded-* headers by using the new --proxy-headers option.
+For details, see the Reverse Proxy Guide.
+The original --proxy option is now deprecated and will be removed in a future release. For migration instructions, see the Upgrading Guide.
+
+Changes to the user representation in both Admin API and Account contexts
+
+
+In this release, we are encapsulating the root user attributes (such as username, email, firstName, lastName, and locale) by moving them to a base/abstract class in order to align how these attributes
+are marshalled and unmarshalled when using both Admin and Account REST APIs.
+
+This strategy provides consistency in how attributes are managed by clients and makes sure they conform to the user profile +configuration set to a realm.
+
+
+For more details, see the Upgrading Guide.
+
+
+Sequential loading of offline sessions and remote sessions
+
+
+Starting with this release, the first member of a Keycloak cluster will load remote sessions sequentially instead of in parallel. +If offline session preloading is enabled, those will be loaded sequentially as well.
+
+
+For more details, see the Upgrading Guide.
+
+
+Performing actions on behalf of another already authenticated user is not longer possible
+
+
+In this release, you can no longer perform actions such as email verification if the user is already authenticated +and the action is bound to another user. For instance, a user can not complete the verification email flow if the email link +is bound to a different account.
+
+
+Changes to the email verification flow
+
+
+In this release, if a user tries to follow the link to verify the email and the email was previously verified, a proper message +will be shown.
+
+
+In addition to that, a new error (EMAIL_ALREADY_VERIFIED) event will be fired to indicate an attempt to verify an already verified email. You can
+use this event to track possible attempts to hijack user accounts in case the link has leaked or to alert users if they do not recognize the action.
+
+Deprecated offline session preloading
+
+
+The default behavior of Keycloak is to load offline sessions on demand. +The old behavior to preload them at startup is now deprecated, as pre-loading them at startup does not scale well with a growing number of sessions, and increases Keycloak memory usage. The old behavior will be removed in a future release.
+
+
+For more details, see the +Upgrading Guide.
+
+
+Configuration option for offline session lifespan override in memory
+
+
+To reduce memory requirements, we introduced a configuration option to shorten lifespan for offline sessions imported into the Infinispan caches. Currently, the offline session lifespan override is disabled by default.
+
+
+For more details, see the +Server Administration Guide.
+
+
+Infinispan metrics use labels for cache manager and cache names
+
+
+When enabling metrics for Keycloak’s embedded caches, the metrics now use labels for the cache manager and the cache names.
+
+
+For more details, see the +Upgrading Guide.
+
+
+User attribute value length extension
+
+
+As of this release, Keycloak supports storing and searching by user attribute values longer than 255 characters, which was previously a limitation.
+
+
+For more details, see the +Upgrading Guide.
+
+
+Brute Force Protection changes
+
+
+There have been a couple of enhancements to the Brute Protection:
+
+
+-
+
-
+
When an attempt to authenticate with an OTP or Recovery Code fails due to Brute Force Protection the active Authentication Session is invalidated. Any further attempts to authenticate with that session will fail.
+
+ -
+
In previous versions of Keycloak, the administrator had to choose between disabling users temporarily or permanently due to a Brute Force attack on their accounts. The administrator can now permanently disable a user after a given number of temporary lockouts.
+
+ -
+
The property
+failedLoginNotBeforehas been added to thebrute-force/users/{userId}endpoint
+
+
+Authorization Policy
+
+
+In previous versions of Keycloak, when the last member of a User, Group or Client policy was deleted then that policy would also be deleted. Unfortunately this could lead to an escalation of privileges if the policy was used in an aggregate policy. To avoid privilege escalation the effect policies are no longer deleted and an administrator will need to update those policies.
+
+
+Keycloak CR cache-config-file option
+
+
+The Keycloak CR now allows for specifying the cache-config-file option by using the cache spec configMapFile field, for example:
+
+
+
+apiVersion: k8s.keycloak.org/v2alpha1
+kind: Keycloak
+metadata:
+ name: example-kc
+spec:
+ ...
+ cache:
+ configMapFile:
+ name: my-configmap
+ key: config.xml
+
+Keycloak CR resources options
+
+
+The Keycloak CR now allows for specifying the resources options for managing compute resources for the Keycloak container.
+It provides the ability to request and limit resources independently for the main Keycloak deployment via the Keycloak CR, and for the realm import Job via the Realm Import CR.
+
+When no values are specified, the default requests memory is set to 1700MiB, and the limits memory is set to 2GiB.
+
+You can specify your custom values based on your requirements as follows:
+
+
+
+
+apiVersion: k8s.keycloak.org/v2alpha1
+kind: Keycloak
+metadata:
+ name: example-kc
+spec:
+ ...
+ resources:
+ requests:
+ cpu: 1200m
+ memory: 896Mi
+ limits:
+ cpu: 6
+ memory: 3Gi
+
+For more details, see the +Operator Advanced configuration.
+
+
+Temporary lockout log replaced with event
+
+
+There is now a new event USER_DISABLED_BY_TEMPORARY_LOCKOUT when a user is temporarily locked out by the brute force protector.
+The log with ID KC-SERVICES0053 has been removed as the new event offers the information in a structured form.
+
+For more details, see the +Upgrading Guide.
+
+
+Updates to cookies
+
+
+Cookie handling code has been refactored and improved, including a new Cookie Provider. This provides better consistency +for cookies handled by Keycloak, and the ability to introduce configuration options around cookies if needed.
+
+
+SAML User Attribute Mapper For NameID now suggests only valid NameID formats
+
+
+User Attribute Mapper For NameID allowed setting Name ID Format option to the following values:
+
+-
+
-
+
+urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName
+ -
+
+urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName
+ -
+
+urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos
+ -
+
+urn:oasis:names:tc:SAML:2.0:nameid-format:entity
+
+
+However, Keycloak does not support receiving AuthnRequest document with one of these NameIDPolicy, therefore these
+mappers would never be used. The supported options were updated to only include the following Name ID Formats:
+
+-
+
-
+
+urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
+ -
+
+urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
+ -
+
+urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
+ -
+
+urn:oasis:names:tc:SAML:2.0:nameid-format:transient
+
+
+Different JVM memory settings when running in container
+
+
+Instead of specifying hardcoded values for the initial and maximum heap size, Keycloak uses relative values to the total memory of a container.
+The JVM options -Xms, and -Xmx were replaced by -XX:InitialRAMPercentage, and -XX:MaxRAMPercentage.
+
+For more details, see the +Running Keycloak in a container guide.
+
+
+GELF log handler has been deprecated
+
+
+With sunsetting of the underlying library providing integration +with GELF, Keycloak will no longer support the GELF log handler out-of-the-box. This feature will be removed in a future +release. If you require an external log management, consider using file log parsing.
+Upgrading
+Before upgrading refer to the migration guide for a complete list of changes.
+ +All resolved issues
+ + +New features
+-
+
- #15190 RestAPI endpoint "send-verify-email" sending execute actions email template.
admin/api
+ - #19586 @keycloak/keycloak-admin-client doesn't provide an ability to use optional client scope for access token
admin/client-js
+ - #23539 User profile attributes should only accept a single value unless configured otherwise
user-profile
+ - #25167 Implement POST logout in Keycloak JS
adapter/javascript
+ - #25446 CORS SPI
oidc
+ - #25676 Introduce new CLI config options for Infinispan remote store
dist/quarkus
+ - #25702 Encrypt network communication in JGroups
dist/quarkus
+ - #25733 Update Route53 HA guide to be compatible with ROSA and Openshift 4.14.x +
- #25903 Create new landing page for admin console +
- #25941 Issue Verifiable Credentials in the JWT-VC format
core
+ - #26028 Remove conditional statements about Windows / Linux from the docs
docs
+ - #26250 OAuth 2.0 Grant Type SPI
oidc
+ - #26455 Supported option to specify maximum threads used to handle HTTP requests
dist/quarkus
+ - #26456 Supported option to specify resource management for pods in Keycloak CR
dist/quarkus
+ - #26458 Support custom Infinispan configuration file in Keycloak CR
operator
+ - #26460 Supported option to specify site name for multi-site deployments
dist/quarkus
+ - #26500 Cookie Provider +
- #26936 Support EC Key-Imports for the JavaKeystoreKeyProvider +
- #27186 Meta description of admin-ui and account-ui cannot be changed in theme.properties +
Enhancements
+-
+
- #9508 Rename "Resident key" to "Discoverable Credential"
docs
+ - #9758 User attributes with a text more than 255 characters
storage
+ - #9784 Add truststore options to Keycloak CR
operator
+ - #10794 Support importing Kubernetes CA
operator
+ - #12009 Support for scope parameter in the refresh flow
oidc
+ - #12352 Align Operator config naming with Quarkus distribution
operator
+ - #12946 Add X509 thumbprint to JWT when using private_key_jwt
oidc
+ - #13250 --verbose option doesn't work in Quarkus distribution
dist/quarkus
+ - #15000 Add EdDSA/Ed25519 to WebAuthn Signature algorithms
authentication/webauthn
+ - #15714 Supporting EdDSA
oidc
+ - #16629 Increase the default iterations for Pbdkdf2-256/512 to match the updated OWASP recommendations
authentication
+ - #17574 Add failedLoginNotBefore field to existing brute force detection status API +
- #17735 Admin-UI: Show realm display name in realm drop down instead of realm id if available
admin/ui
+ - #19190 Add "amr" to already implemented "acr" support +
- #19285 Disable Groovy Closures when bootstrapping Picocli
dist/quarkus
+ - #20125 Role mapping tab no longer visible when using fine grained permissions after upgrade from 20.0.3 to 21.0.2
admin/ui
+ - #21074 Identity providers: pagination in admin console +
- #21343 Upgrade welcome theme to PatternFly 5
welcome/ui
+ - #21559 Provide raw OpenAPI specification alongside Keycloak Admin REST API html documentation +
- #21578 Scope parameter in Oauth 2.0 token exchange +
- #21771 List reload button for admin panel
admin/ui
+ - #22436 Query users by 'LDAP_ID' is not working
ldap
+ - #22922 Use Infinispan BOM instead of direct Infinispan dependencies
storage
+ - #23057 Localization tabs
admin/ui
+ - #23431 Allow user to select between `Forwarded` or `X-Forwarded-*` header +
- #23470 Docs: authorization_services/topics/service-authorization-obtaining-permission.adoc
authorization-services
+ - #23854 Use upstream Quarkus functionality for non-blocking probes
dist/quarkus
+ - #23878 User profile configuration scoped to user-federation provider
user-profile
+ - #23896 Changes in declarative user profile should result in admin events
user-profile
+ - #24094 Map Store Removal: Delete map profiles from testsuite
storage
+ - #24097 Map Store Removal: Delete container providers that were added to the base testsuite
storage
+ - #24102 Map Store Removal: Delete Profile.Feature.MAP_STORAGE and all its usages
storage
+ - #24103 Map Store Removal: Delete GlobalLockProvider
storage
+ - #24105 Map Store Removal: Rename Legacy* classes
storage
+ - #24107 Map Store Removal: Revert deprecated modules in model/legacy and rename "legacy" to "storage"
storage
+ - #24148 Add config property to specify a list of truststores +
- #24202 Cache stampede after client invalidation
storage
+ - #24245 Parse default UserProfile configuration in the build time +
- #24250 Allow selecting attributes from user profile when managing token mappers
user-profile
+ - #24344 Enhance error logs and error events during UserInfo endpoint and Token Introspection failure +
- #24412 Accessibility of 2FA method selection
login/ui
+ - #24422 UMA 2 not evaluating as expected when using permission tickets
authorization-services
+ - #24424 Query on update the ADFS FederationMetadata.xml on the keycloak instead of delete and recreating the IDP config #24310
saml
+ - #24567 Map Store Removal: Revert changes related to map store in test classes in base testsuite
storage
+ - #24668 Features versioning +
- #24793 Map Store Removal: Remove `LockObjectsForModification`
storage
+ - #24798 Add truststores to keycloak cr +
- #24860 Initialize Infinispan earlier in the build chain
dist/quarkus
+ - #24926 Add polish translations
admin/ui
+ - #24995 Avoid deprecated API usage in testsuite/integration-arquillian/tests/base
core
+ - #25058 Add Polish Translations to Account UI
account/ui
+ - #25074 Update Kerberos provider for user-profile
user-profile
+ - #25075 Update SSSD provider for user-profile
user-profile
+ - #25103 Remove product from server info
admin/ui
+ - #25113 Add a test for the LoadBalancerCheck +
- #25146 Decouple "factory" methods from the "provider" methods on UserProfileProvider implementation
user-profile
+ - #25149 Replace the existing themes with the dynamic templates from user profile
user-profile
+ - #25236 Documentation about Australia Consumer Data Right security profile +
- #25238 Add missing Arabic messages +
- #25287 Upgrade Infinispan to 14.0.21.Final +
- #25288 Map Store Removal: Remove protostream dependency
storage
+ - #25300 Deprecate offline session preloading
infinispan
+ - #25308 Map Store Removal: Revert changes made to backchannelLogout
storage
+ - #25309 Map Store Removal: Remove ResponseSessionTask
storage
+ - #25314 Supporting OAuth 2.1 for confidential clients
oidc
+ - #25315 Client policies : executor for enforcing DPoP
oidc
+ - #25316 Supporting OAuth 2.1 for public clients
oidc
+ - #25328 Tests for client scopes/evaluate tab are missing +
- #25375 Extra tests for realm roles +
- #25388 Enable concurrent remote operations for Infinispan
storage
+ - #25403 Implements attributes field in KeycloakProfile interface
admin/client-js
+ - #25404 Adapt incremental build for latest changes in themes module
ci
+ - #25415 Describe how to use Infinispan Batch CRs for automation with the external Infinispan
storage
+ - #25416 Update UserProfileProvider.setConfiguration to accept UPConfig instead of String +
- #25487 Add extra tests for realm-settings in admin-ui +
- #25637 Client policies: executor for validate and match a redirect URI
oidc
+ - #25638 Keycloak native implementation of SD-JWT
core
+ - #25666 [Admin UI] Allow to customize built-in components administration UI via ConfiguredProvider +
- #25691 More info on UserProfileContext
user-profile
+ - #25738 Tooltips improvements when configuring user profile attribute
user-profile
+ - #25770 X509 client certificate login label extends out of form
login/ui
+ - #25823 Ability to declare a default "First broker login flow" per Realm +
- #25872 Make the `user` attribute available to the `idp-review-user-profile.ftl` template +
- #25882 RealmResourceProvider is not working as expected since version 23.0.0
core
+ - #25897 Admin UI: Show realm display name on welcome page
admin/ui
+ - #25908 Could not format default value for log formats
dist/quarkus
+ - #25915 Make more clear in the documentation that the wait time is only increased on multiples of the max number of failures
docs
+ - #25935 Create Infinispan metrics with labels instead of long metric names +
- #25962 Missing localization of cs+sk messages +
- #25979 User profile attribute names with strange characters
docs
+ - #25985 Enable verify-profile required action by default
user-profile
+ - #26068 Reduce internal unsupported options in the Keycloak HA documentation +
- #26083 Change RHDG references to Infinispan +
- #26092 Do not use raw parameterized PropertyMapper
dist/quarkus
+ - #26146 Migration docs for https://github.com/keycloak/keycloak/issues/15190
docs
+ - #26172 Permanently lock users out after X temporary lockouts during a brute force attack
authentication
+ - #26198 Comprehensive log for the LoggingDistTest and Quarkus IT
testsuite
+ - #26220 Don't differentiate Windows for getting started
docs
+ - #26223 Use `--http-max-queued-requests` option in Keycloak HA documentation
docs
+ - #26241 Do not use general debug log level for tests
testsuite
+ - #26315 Fully remove reasteasy-core +
- #26320 Allow formating numbers when rendering attributes
user-profile
+ - #26325 Remove unused HttpResponse.setWriteCookiesOnTransactionComplete +
- #26402 Improve wording in Concepts for configuring thread pools section in documentation +
- #26416 Remove support for old cookie path +
- #26430 Implement stricter controls at token endpoint for PKCE verification +
- #26457 Remove support for multiple AUTH_SESSION_ID cookies +
- #26469 Documentation for verify-profile required action enabled by default
docs
+ - #26485 Add missing Arabic translations
translations
+ - #26489 Ability to have alternative default user-profile configuration
user-profile
+ - #26530 Map Store Removal: Remove `RealmModel` from authorization services interfaces
storage
+ - #26552 Do we need to hide "required" settings for email?
user-profile
+ - #26570 Upgrade liquibase to 4.25.1 +
- #26585 Improve UX of read-only attributes
user-profile
+ - #26587 Documentation for SuppressRefreshTokenRotationExecutor
oidc
+ - #26589 Allow Case-Insensitive Search on Provider Info Page in Admin UI
admin/ui
+ - #26598 Map Store Removal: deprecate model legacy module
storage
+ - #26626 Brute force detection should issue event for temporary lockout
core
+ - #26634 Documentation for default validation changes due user-profile enabled
docs
+ - #26683 Remove explicitly set `lit-element` version
dist/quarkus
+ - #26689 Update Maven dependency versions for docs
docs
+ - #26701 Upgrade to Quarkus 3.7.1
dist/quarkus
+ - #26730 Add Multi-AZ Aurora DB to CI store-integration-tests +
- #26776 Update documentation to use new Infinispan configuration options +
- #26781 Update HA guide about non-blocking probes
docs
+ - #26810 Shorter lifespan for offline session cache entries in memory
storage
+ - #26812 Upgrade to embedded Infinispan 14.0.24
storage
+ - #26819 Use version specific tag for Keycloak images in the docs
docs
+ - #26859 Upgrade to Quarkus 3.8
dist/quarkus
+ - #26898 User profile: Add regression test for select inputs +
- #26910 Keycloak Operator should add service-ca.crt to the truststore
operator
+ - #26916 Upgrade to Quarkus 3.7.2
dist/quarkus
+ - #26919 doc: add a clear mention in the documentation about the storage of the refresh and access token
docs
+ - #26921 Use latest OLM version for Operator CI
testsuite
+ - #26929 Ignore unrecognized truststore formats if `--truststore-paths` is a directory
dist/quarkus
+ - #26967 Aurora Postgres IT: Upload flaky and surefire test reports +
- #27036 Upgrade to Quarkus 3.7.3
dist/quarkus
+ - #27048 Add Amazon Aurora PostgreSQL to the list of tested databases +
- #27078 Update Keycloak HA Guide new resource limit settings +
- #27084 Remove the preview note from Keycloak's HA guide +
- #27093 "Open ID Connect" in docs / UIs should be "OpenID Connect" +
- #27105 Add New User Registration Option on WebAuthn Authentication UI
authentication/webauthn
+ - #27121 Remove references to Quarkus docs and absolute URLs from HA Guide docs +
- #27123 Use AWS JDBC Wrapper in CI tests +
- #27125 Add warning about too long attribute values +
- #27143 Distinguish user registration action label from the security key registration action's one
authentication/webauthn
+ - #27147 Replace "Security Key" with "Passkey" in WebAuthn UIs and their documents
authentication/webauthn
+ - #27148 Allow overriding the default validators added to attributes
user-profile
+ - #27169 Tweak the default memory request and limit in the Operator
operator
+ - #27190 a11y improvements on login page +
- #27226 Upgrade to Quarkus 3.7.4
dist/quarkus
+ - #27238 Add option to clients to use lightweight access token
oidc
+ - #27280 Upgrade to Infinispan 14.0.25 +
- #27281 Allow option of using client_id instead of id_token_hint with RP-initiated logout in brokered IDP config/call.
identity-brokering
+ - #27315 Change docker image to container image +
- #27324 Remove RHSSO product documentation from upgrading guide
docs
+ - #27326 Edit Keycloak 24.0 release notes
docs
+ - #27327 Harmonize behaviour of different CertificateUtilsProvider implementations +
- #27440 Edit Keycloak 23.x Release Notes +
- #27452 Edit Keycloak 24 Upgrade guide +
Bugs
+-
+
- #9871 Remove Infinispan workarounds introduced to prevent deadlocks
storage
+ - #11178 Event for MISSING_REQUIRED_DESTINATION with idp brokering incorrectly says error is related to logout even for a login response
saml
+ - #13080 Encoded token stored as KC_RESTART cookie uses weak algorithm- HS256
authentication
+ - #13368 Issue when using DenyAuthenticator in direct-grant flow
authentication
+ - #14448 Multiple failures in OfflineServletsAdapterTest (testServlet, testServletWithConsent, testServletWithRevoke)
testsuite
+ - #14581 HTTP Redirect 303 to wrong URL (in case port is not 80) when trailing slash is not added
dist/quarkus
+ - #14776 Mail verification isn't working for multiple accounts in one session (only on auto login by clicking the verification mail, not by logging in with the credentials)
authentication
+ - #16260 Incorrect handling of OptionParserException in kcadm
admin/cli
+ - #17155 UPDATED_PASSWORD user action shouldn't be triggered when login with linked IdP
user-profile
+ - #17449 Removing the Realm ID and saving causes the realm to be vanished from the list of the realms
admin/api
+ - #19183 token-exchange does apply clientScopes of the origin client
token-exchange
+ - #19294 Error on starting keycloak when foldername contains ")" using kc.bat.
dist/quarkus
+ - #19886 Allow configuration cookies with `SameSite=Strict` for better compliance with strict regulations and standards
authentication
+ - #20304 When choosing resources in scope-based permission, multiple resource can be selected but only one will be visable
admin/ui
+ - #20867 Control redirect after password reset
core
+ - #21127 During password reset, the baseURL is not shown on the info page after browser restart
authentication
+ - #21151 Realm import stack overflow
import-export
+ - #21409 Brute Force Detection is disabled when updating frontenUrl via admin client
authentication
+ - #21542 Context path missing in URL on OTP page to switch between QR code and manual code
core
+ - #21730 v 22.0.0 - when creating a new realm the registration flow does not have terms and conditions step
core
+ - #21951 Unable to use `<` as part of a password
admin/cli
+ - #22082 Flaky test: org.keycloak.testsuite.model.session.OfflineSessionPersistenceTest#testPersistenceClientSessionsMultipleNodes
storage
+ - #22401 Common resources in Welcome page didn't resolve correctly
welcome/ui
+ - #22431 Localization: Admin UI doesn't pick up message bundles from realms other than master
admin/ui
+ - #22507 User profile attributes not localized in account console V3
user-profile
+ - #22540 Description of "Configuring sources for Keycloak" inconsistent / misleading
docs
+ - #22555 Docs: server_development/topics/identity-brokering.adoc
docs
+ - #22660 Implementing custom ClientAuthenticator loses access to Client Secret Input Field in the Admin UI
admin/ui
+ - #22691 Flaky test: org.keycloak.testsuite.forms.RecoveryAuthnCodesAuthenticatorTest#test03AuthenticateRecoveryAuthnCodes
authentication
+ - #22836 Invalid redirect uri when identity provider alias has spaces
identity-brokering
+ - #22904 Flaky test: org.keycloak.testsuite.model.session.OfflineSessionPersistenceTest#testPersistenceMultipleNodesClientSessionAtSameNode
ci
+ - #22958 KeycloakErrorHandler NullPointerException String.toLowe rCase() because message is null
authentication
+ - #23023 Undocumented change in priority of X-Forwarded-* headers as of Quarkus distribution
core
+ - #23056 Flaky test: org.keycloak.testsuite.admin.concurrency.ConcurrencyTest#testAllConcurrently
storage
+ - #23217 NoSuchFileException with ${kc.home.dir} on Windows
dist/quarkus
+ - #23229 Realm client update via PUT returns invalid registration_client_uri with duplicated client ID in address
admin/api
+ - #23268 New Install with MySQL failing with REALM_SOCIAL_CONFIG ADD issue
storage
+ - #23399 Audience is lost after refreshing a RPT
authorization-services
+ - #23683 Default-Value in UI for krbPrincipalAttribute is error prone
admin/ui
+ - #23699 Account v3 theme - Localization not working on account console
account/ui
+ - #23786 Failure: FipsDistTest
ci
+ - #23966 Group members are displayed incorrectly when using LDAP in READ_ONLY mode
admin/api
+ - #24082 Selected locale is not taking into accoun in `keycloak.v3 account` theme
account/ui
+ - #24141 LDAP user mapper for username: user appears twice in the GUI
ldap
+ - #24144 Unable to locate entity descriptor: org.keycloak.examples.domainextension.jpa.Company
core
+ - #24200 NPE in User Session Note mapper on Token Exchange
token-exchange
+ - #24219 admin-fine-grained-authz + client authorization settings requires view-client role
admin/ui
+ - #24323 Refresh request ignores scope parameter from refresh request
oidc
+ - #24353 Keycloak operator tries to manipulate Secret which is not managed by Keycloak
operator
+ - #24361 Adding scopes via registration_client_uri does not work when using Dynamic Client Registration
admin/api
+ - #24369 UpdateUserLocaleAction does not trigger EventType.UPDATE_PROFILE event
user-profile
+ - #24459 Keycloak fails to start when uninstalling custom provider
dist/quarkus
+ - #24464 Tabbing is not working in forms inside dropdown
admin/ui
+ - #24485 NullPointerException when key is not available in the database
oidc
+ - #24506 Reopening 2 - CVE-2023-21971 - Update Connector/J to 8.0.33
dependencies
+ - #24508 Deadlock when pre-loading remote sessions from external Infinispan
storage
+ - #24595 Leaving Single Sign Out page open for too long and then confirming logout leads to error page
authentication
+ - #24626 Upgrade testsuite to use SpringBoot 2.7
ci
+ - #24651 Deleting a User or User Group might cause that all users suddenly get the permissions of the deleted user.
authorization-services
+ - #24652 SAML decryption fails if keycloak.saml.deprecated.encryption flag is set
saml
+ - #24718 Mapper Option "Add to access token" Toggled Off Despite Claim Added to Token
admin/ui
+ - #24767 Improve LDAP Condition implementations
ldap
+ - #24783 Keycloak Admin UI - Help text not localized in Realm Events Setting UI
admin/ui
+ - #24923 Importing Keycloak breaks typescript in esModule
adapter/javascript
+ - #24960 OpenAPI spec doesn't match the admin API
admin/api
+ - #24961 Keycloak not able to handle multiple validating X509 certificates when public key are the same
saml
+ - #24980 The `DefaultActionToken` serializes a JSON Object with duplicate keys
oidc
+ - #24986 `getMultiPartFormParameters()` always returns `EmptyMultivaluedMap` after upgrade to Resteasy Reactive
core
+ - #25001 Client redirect_uri check must be compared using exact string matching
oidc
+ - #25016 Make password visibility css classes configurable for themes
login/ui
+ - #25033 Typo in the balloon help of SAML Username Template Importer
core
+ - #25041 Incomplete Spanish translations for Admin UI
translations
+ - #25051 Unexpected Application Error when clicking "Cancel" on user creation page
admin/ui
+ - #25054 Read Only Access of the realm users' "Role mapping" tab is broken for Admin Console
admin/ui
+ - #25060 fix debug log string
core
+ - #25078 Log Injection during WebAuthn authentication/registration
authentication
+ - #25096 Meaning of briefRepresentation query parameter is inverted in GroupResource.getSubGroups
admin/api
+ - #25110 User Profile attribute with "Options" shows options of another attribute if none set on it
user-profile
+ - #25111 RealmAdminResource.getGroupByPathGroup does not work with space in path parameter
admin/api
+ - #25173 Make sure username is lowercase when normalizing attributes
user-profile
+ - #25183 NullPointerException thrown for UPConfig.getGroups()
user-profile
+ - #25208 GH Actions -> Keycloak CI -> MSSQL docker images fails during startup
ci
+ - #25231 CIBA and PAR are broken since 23.0.0 (NPE) when using http protocol
oidc
+ - #25235 Unable to start after updating Docker container
dist/quarkus
+ - #25290 Social Login Tests unable to retrieve Federated Access Token from user session
testsuite
+ - #25294 Kerberos principal attribute not found on LDAP user - even if kerberos authentication is off
ldap
+ - #25322 Warning "Event object wasn't available in remote cache" when using remote store +
- #25392 Admin Console: Realm Dropdown should only show the realms the user has access to
admin/ui
+ - #25417 Avoid keycloak-admin-client in UI to call admin console UI extension
admin/ui
+ - #25423 Confusing error message by pr-backport.sh when not authenticated to gh
ci
+ - #25433 Key provider UI issue while saving - RSA
admin/ui
+ - #25449 Clean up translations for DE/EN/NL for a first test-run of Weblate
translations
+ - #25451 Admin cli failing when adding roles to a 3rd group in a list
admin/cli
+ - #25463 Unnecessary user profile metdata sent on user update
user-profile
+ - #25475 User Profile: If required roles ("user") and reqired scopes are set, the required scopes have no effect
user-profile
+ - #25502 Account v3 theme - theme.properties Custom theme scripts not loading
account/ui
+ - #25515 Deleting an atribute from the UI is reseting the unmanaged attribute policy
user-profile
+ - #25544 Post Logout Redirect URIs "+" behavior is inconsistent with other usages (i.e. Web Origins)
oidc
+ - #25565 OpenAPI: POST for /admin/realms response is 201
admin/api
+ - #25566 Failure in SSSDUserProfileTest.test05MixedInternalDBUserProfile
testsuite
+ - #25584 iss not returned as query param in redirect to app when using "prompt=none" and user is not authenticated
oidc
+ - #25601 OpenAPI: POST /admin/realms/{realm}/clients response is 201
admin/api
+ - #25604 OpenAPI: Client authz endpoints without responses
admin/api
+ - #25628 Translations missing in user details role mapping
admin/ui
+ - #25633 Parsing of labels issue IDs doesn't work with colons and the "fixes" keyword
ci
+ - #25636 "Disable realm?" displayed when disabling client
admin/ui
+ - #25642 Failure in KeycloakDistConfiguratorTest's 'missingHostname' check
testsuite
+ - #25649 OpenAPI: In ClientRepresentation the property oauth2DeviceAuthorizationGrantEnabled was not known by the API.
admin/api
+ - #25656 OpenAPI: POST /admin/realms/{realm}/clients-initial-access response is 201
admin/api
+ - #25660 Incorrect version of the fix in release notes +
- #25677 Removing all group attributes no longer works with keycloak-admin-client (java)
admin/client-java
+ - #25679 `/admin/realms/{realm-name}/ui-ext/realms` endpoint leaks realms the user doesn't have access to see
admin/ui
+ - #25699 Flaky test Job URL missing on some runs
ci
+ - #25704 Custom Validator is never executed when UserProfileContext is UPDATE_EMAIL
user-profile
+ - #25714 Flaky test: org.keycloak.testsuite.adapter.servlet.OfflineServletsAdapterTest#testServlet
ci
+ - #25731 /admin/realms/{realm}/groups Endpoint is slow
admin/api
+ - #25746 Using kcadm.sh create components result to 400 Bad Request
admin/cli
+ - #25752 [CI] Store Model Tests failures - UserSessionProviderOfflineModelTest, OfflineSessionPersistenceTest, UserSessionInitializerTest
storage
+ - #25753 Backchannel logout token is missing the "exp" claim
oidc
+ - #25783 Since 23, start-dev command line arguments parsing is buggy
dist/quarkus
+ - #25789 User events: labels overlap content
admin/ui
+ - #25827 admin ui uses hyphen instead of dot as realm attribute separator
admin/ui
+ - #25853 Timeouts after upgrade of download action v4
ci
+ - #25878 HTML emails in Catalan don't contain links
translations
+ - #25883 ldap-group-mapper fails when empty member: attribute is present
ldap
+ - #25891 Optimize handling of terms and conditions during registration
core
+ - #25892 Test suite depends on artifacts built only when distribution profile is active
ci
+ - #25909 Keycloak HA Guide uses token for cross-site setup that expires +
- #25912 LDAP federation reports "Creating new LDAP Store..." on every login
ldap
+ - #25927 UI crash after using breadcrumb group navigation during an active group search
admin/ui
+ - #25934 On invalid submission, IdpUsernamePasswordForm sends back the user to the standard UsernamePasswordForm template
authentication
+ - #25939 Declartive user profile. When multiple attributes with options validator are defined and 1 is selected on UI shown that 2 of them have values.
user-profile
+ - #25951 Masthead tests fail often
admin/ui
+ - #25961 Native SQL Schema names broken on MySQL
storage
+ - #25977 No error message displayed when trying to add read-only attribute to some user in `Attributes` tab
user-profile
+ - #25980 Force reauthentication is ignored during identity brokering when mapping between OIDC and SAML protocols
saml
+ - #25981 GitHub Status check is green if the build fails
ci
+ - #26021 `mvn clean` does not work in js directory
account/ui
+ - #26032 Duplicate tooltip/label for refresh button on device activity page
account/ui
+ - #26036 subgroups clickopen not working
admin/ui
+ - #26040 Subgroups-check is incorrect, and therefore subgroups are not clickable
admin/ui
+ - #26051 Name ID Format field is confusing for User Attribute Mapper For NameID
saml
+ - #26052 Configure OTP Form regenerates Secret on reload
authentication
+ - #26059 Attempting to update settings for realm with "dots" in the name fails due to client side validation
admin/ui
+ - #26060 Various Localization tab issues +
- #26075 Next time you start message references the wrong command
dist/quarkus
+ - #26088 Rest custom JAX-RS resource in kc 23: Method not allowed
core
+ - #26131 Localization: Realm overrides subtab
admin/ui
+ - #26132 Localization: Effective message bundles subtab
admin/ui
+ - #26148 Keycloak JavaScript CI: client_scopes_test.spec.ts
ci
+ - #26156 A11y critical violation in ProviderId form field
admin/ui
+ - #26168 KC_DB_DRIVER is not propagated properly
admin/cli
+ - #26177 Invalidate authentication session on repeated OTP failures
authentication
+ - #26180 Invalidate authentication session on repeated Recovery Code failures
authentication
+ - #26228 With fine grained permissions enabled, the grouptree rights check is not working correctly
admin/ui
+ - #26231 keycloak-admin-client missing recent changes to group query parameters
admin/client-js
+ - #26236 Ensure community-maintained translations are not part of product build
account/ui
+ - #26266 Importing Realm with declarative user profile attributes fails
user-profile
+ - #26281 Incorrect example in the Keycloak operator configuration
operator
+ - #26291 Workflow failure: FIPS IT - KcSamlEncryptedIdTest#testEncryptedElementIsReadableInDeprecatedMode
ci
+ - #26295 Incomplete Chinese Translation for Login Page
translations
+ - #26308 Error when migrating from a realm where the user profile component does not hold any entry in the configuration
user-profile
+ - #26323 Reset credentials action fails when triggered from first broker login flow
identity-brokering
+ - #26330 HTTP status code 413 Request Entity Too Large for large SAMLResponse since Keycloak 23
saml
+ - #26334 Resource and permission titles missing for a new client
admin/ui
+ - #26335 Bind flow modal broken
admin/ui
+ - #26337 Write tests to cover binding a flow
testsuite
+ - #26350 Fix more A11y violations
admin/ui
+ - #26358 Apparently incorrect tooltip on "type" field for a "resource" in a client
admin/ui
+ - #26363 Search dialog for authorization policy is wrong?
admin/ui
+ - #26374 Workflow failure: Quarkus IT - FipsDistTest#testUnsupportedHttpsPkcs12KeyStoreInStrictMode
ci
+ - #26375 The role Unassign button enabled in admin console even if no roles are selected
admin/ui
+ - #26383 Labels for WebAuthN missing in Account Console
account/ui
+ - #26390 More A11y Violations Detected
admin/ui
+ - #26400 Workflow failure: Admin UI E2E - realm_test.spec.ts
ci
+ - #26407 Typo in disable dialog
admin/ui
+ - #26409 Duplicate `key` for credentials on sign in page
account/ui
+ - #26418 Failed to link identity broker to user with a verified email by IdP email verification flow
identity-brokering
+ - #26420 Labels for WebAuthN Passwordless missing in Account Console
account/ui
+ - #26427 Operator CSV uses wrong format for `createdAt` field
operator
+ - #26452 Row remains selected when "cancel" clicked on deleting translation in the Localization/Realm Overrides tab
admin/ui
+ - #26464 "Test connection" on LDAPS URI does not test TLS handshake
admin/api
+ - #26468 SPI-truststore-file-type option appears to be invalid
docs
+ - #26490 Update Keycloak sizing guide after change of default hashing configuration
core
+ - #26507 Failed to link the user with an existing read-token role from the federation provider when AddReadTokenRoleOnCreate was enabled for the IdP.
storage
+ - #26529 Workflow failure: Quarkus IT - FipsDistTest#testUnsupportedHttpsPkcs12KeyStoreInStrictMode
ci
+ - #26549 Mysterious settings changes due to Keycloak cluster changes
admin/ui
+ - #26564 Issues related to IDNHomographValidator
user-profile
+ - #26584 User details locale select broken in realm specific admin console
admin/ui
+ - #26588 Infinite loop during X509 authentication
authentication
+ - #26597 Keycloak UI meets "Internal Sever Error" after save "Refresh Token Max Reuse" number
core
+ - #26604 Arc container is null
dist/quarkus
+ - #26609 allow sending realm in request without changing the kc admin object
admin/client-js
+ - #26612 Wrong delete messages in Realm overrides
admin/ui
+ - #26618 CLIENT_ATTRIBUTES index idx_client_att_by_name_value no longer exists since KC 20 (postgres)
storage
+ - #26631 Keycloak HA guide with blank and callout
docs
+ - #26635 Account UI ships too much Beer in user attributes
user-profile
+ - #26636 Immediately reflect flow binding status on flow definition page in Admin UI when binding an auth flow
admin/ui
+ - #26643 Replace "message bundle" text to "translation" in realm overrides
admin/ui
+ - #26649 PhantomJS does not send secure cookies over http://localhost
core
+ - #26651 [keycloak.js] useNonce parameter is all-or-nothing
adapter/javascript
+ - #26653 Disallow removing required filters when searching for effective message bundle.
admin/ui
+ - #26665 Unable to modify access token lifespan at realm level. Keycloak stops working.
core
+ - #26668 Wrong help for "Create initial access token" expiration field
admin/ui
+ - #26686 Not possible to build documentation after quarkus upgrade
docs
+ - #26697 When creating a user federation mapper changing the type doesn't change User Roles Retrieve Strategy
admin/ui
+ - #26716 User Profile Applies Validation To Service Account Users
user-profile
+ - #26727 Auto layout of authenticator flow graph only applies the second time
admin/ui
+ - #26747 Tooltip for attribute name in user-profile configuration is incorrect
user-profile
+ - #26750 Empty error message when validation issue due the PersonNameProhibitedValidator validation
user-profile
+ - #26782 Accessing userinfo fails with CORS when token is expired or session is deleted
oidc
+ - #26790 Workflow failure: Operator IT on OpenShift
ci
+ - #26792 User profile 'uri' validator not working
user-profile
+ - #26816 Keycloak server admin docs needs change with the new hashing iteration changes
docs
+ - #26818 bug in operator example yaml
operator
+ - #26826 Freemarker erroneously escapes/sanitizes URL in template.ftl (&)
login/ui
+ - #26830 Duplicate "Refresh" buttons present in admin-ui
admin/ui
+ - #26834 Disabling "Reset OTP" in "Reset credentials" flow throws error on "forgot password"
authentication
+ - #26853 Fixing anchors in security apps guide in prod profile
docs
+ - #26856 Remove custom user attributes section in server developer guide
user-profile
+ - #26937 Once all default client scopes are deleted from the realm we can't create a new custom role.
core
+ - #26941 When loading entries from a remote store at startup, no lifespan or expiry is set
core
+ - #26951 Roles admin REST API for creating roles: Composite roles are expanded
admin/api
+ - #26983 Group not found in list after creation
core
+ - #27002 Refresh doesn't work in Localization/Effective message bundles
admin/ui
+ - #27005 Unable to approve/deny permission requests
account/ui
+ - #27031 Having read-only attributes stored at a user leads to validation warning on every login
user-profile
+ - #27095 Cache Keys for Group pagination and other entries cannot be invalidated and updated
infinispan
+ - #27120 Microsoft social login failure
testsuite
+ - #27133 Workflow failure: Keycloak CI - Store IT (aurora-postgres)
ci
+ - #27137 Users with fine-grained permissions can not create a user
admin/ui
+ - #27140 Locale selector is unnecessarily visible without rights to locales
admin/ui
+ - #27162 Default locale is set to null when not explicitly choosing a locale
admin/ui
+ - #27173 Newly created authentication subflow is always disabled
admin/ui
+ - #27234 Cannot update email in account console with `update-email` feature enabled
account/ui
+ - #27243 Account console not working when lightweight-access-tokens used
oidc
+ - #27271 AuthorityKeyIdentifierExtension should be calculated from caCert (if it present) in generateV3Certificate, not from subjPubKeyInfo
core
+ - #27284 FolderTheme does not support Locales with extensions
core
+ - #27290 AWS JDBC driver throws ConcurrentModificationException
storage
+ - #27297 Check for duplicated usernames and emails when Login with email option is enabled
user-profile
+ - #27316 Server admin guide not building downstream due to missing IDs
docs
+ - #27337 Workflow failure: Admin UI E2E - realm_settings_user_profile_enabled
admin/ui
+ - #27344 Secure Redirect URI executor issues
oidc
+ - #27345 Workflow failure: Keycloak CI - OAuth 2.0 Grant Type SPI
ci
+ - #27406 JavaDocs generation broken after removal of resteasy-core +
- #27409 Apply remote store workaround also for configuration via CLI options +
- #27412 OAuth 2.1 default profile lacks oauth-2-1-compliant setting for SecureRedirectUrisEnforcerExecutor
oidc
+