Highlights
This release delivers advancements to optimize your system and improve the experience of users, developers and administrators:
- Account recovery with 2FA recovery codes, protecting users from lockout.
- Simplified experiences for application developers with streamlined WebAuthn/Passkey registration and simplified account linking to identity providers via application initiated actions.
- Broader connectivity with the ability to broker with any OAuth 2.0 compliant authorization server, and enhanced trusted email verification for OpenID Connect providers.
- Asynchronous logging for higher throughput and lower latency, ensuring more efficient deployments.
- For administrators, experimental rolling updates for patch releases mean minimized downtime and smoother upgrades.
Read on to learn more about each new feature, and find additional details in the upgrading guide if you are upgrading from a previous release of Keycloak.
Recovering your account if you lose your 2FA credentials
When using, for example, a one-time password (OTP) generator as a second factor for authenticating users (2FA), a user can get locked out of their account when they, for example, lose the phone that contains the OTP generator. To prepare for such a case, the recovery codes feature allows users to print a set of recovery codes as an additional second factor. If the recovery codes are then allowed as an alternative 2FA in the login flow, they can be used instead of the OTP-generated passwords.
With this release, the recovery codes feature is promoted from preview to a supported feature. For newly created realms, the browser flow now includes the Recovery Authentication Code Form as Disabled, and it can be switched to Alternative by admins if they want to use this feature.
For more information about this 2FA method, see the Recovery Codes chapter in the Server Administration Guide.
Performance improvements to import, export and migration
The time it takes to run imports, exports or migrations involving a large number of realms has been improved. There is no longer a cumulative performance degradation for each additional realm processed.
Simplified registration for WebAuthn and Passkeys
Both WebAuthn Register actions (`webauthn-register` and `webauthn-register-passwordless`), which are also used for Passkeys, now support a parameter `skip_if_exists` when initiated by the application (AIA).
This should make it more convenient to use the AIA in scenarios where a user has already set up WebAuthn or Passkeys. The parameter allows skipping the action if the user already has a credential of that type.
For more information, see the Registering WebAuthn credentials using AIA chapter in the Server Administration Guide.
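An added example, not taken from Keycloak or its documentation: building the authorization request that starts one of these actions with `skip_if_exists`, and reading the redirect that comes back. The `kc_action` and `kc_action_status` parameter names and the `action:skip_if_exists` form are assumed from Keycloak's AIA conventions; host, realm, client and redirect URI are placeholders.

```javascript
// Added example (not Keycloak code). Assumptions: AIA is requested with the
// kc_action query parameter, a parameter is appended as "action:parameter",
// and the result comes back in kc_action_status.

const WEBAUTHN_ACTIONS = new Set(['webauthn-register', 'webauthn-register-passwordless']);

// Unguessable state value; needs Web Crypto (browsers, recent Node.js).
function newState() {
  const bytes = new Uint8Array(16);
  globalThis.crypto.getRandomValues(bytes);
  return Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
}

// Build the authorization request that asks Keycloak to run the action.
function buildAiaUrl({ baseUrl, realm, clientId, redirectUri, action, skipIfExists, state }) {
  if (!WEBAUTHN_ACTIONS.has(action)) throw new Error(`unsupported action: ${action}`);
  if (!state) throw new Error('state is required');
  const url = new URL(
    `${baseUrl.replace(/\/+$/, '')}/realms/${encodeURIComponent(realm)}/protocol/openid-connect/auth`
  );
  url.search = new URLSearchParams({
    client_id: clientId,
    redirect_uri: redirectUri,
    response_type: 'code',
    scope: 'openid',
    state,
    kc_action: skipIfExists ? `${action}:skip_if_exists` : action,
  }).toString();
  return url.toString();
}

// Interpret the redirect back to the application. The state check comes first
// so that a response not tied to this browser session is never acted on.
function readAiaResult(callbackUrl, expectedState) {
  const params = new URL(callbackUrl).searchParams;
  if (!expectedState || params.get('state') !== expectedState) {
    return { ok: false, reason: 'state-mismatch' };
  }
  if (params.has('error')) {
    return { ok: false, reason: `oauth-error:${params.get('error')}` };
  }
  const status = params.get('kc_action_status');
  if (status !== 'success') {
    return { ok: false, reason: `action-${status || 'status-missing'}` };
  }
  return { ok: true, code: params.get('code') };
}
```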
Simplified linking of the user account to an identity provider
Client-initiated linking of a user account to an identity provider is now based on the application-initiated action (AIA) implementation. This aligns the configuration of this functionality and simplifies error handling in the calling client application, making it more useful for a broader audience.
The custom protocol, which was previously used for client-initiated account linking, is now deprecated.
Brokering with OAuth v2 compliant authorization servers
In previous releases Keycloak already supported federation with other OpenID Connect and SAML providers, as well as with several Social Providers like GitHub and Google which are based on OAuth 2.0.
The new OAuth 2.0 broker now closes the gap to federate with any OAuth 2.0 provider. This then allows you to federate, for example, with Amazon or other providers. As this is a generic provider, you will need to specify the different claims and a user info endpoint in the provider’s configuration.
For more information, see the OAuth v2 identity providers chapter in the Server Administration Guide.
Trusted email verification when brokering OpenID Connect Providers
Until now, the OpenID Connect broker did not support the standard `email_verified` claim available from the ID Tokens issued by OpenID Connect Providers.
Starting with this release, Keycloak supports this standard claim as defined by the OpenID Connect Core Specification for federation.
Whenever users are federated for the first time or re-authenticating and if the Trust email setting is enabled, Sync Mode is set to `FORCE` and the provider sends the `email_verified` claim, the user account will have their email marked according to the `email_verified` claim.
If the provider does not send the claim, it defaults to the original behavior and sets the email as verified.
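An added example, not Keycloak code: it applies the conditions stated above to the identity providers in a realm export and to one sample ID token payload per provider, and flags brokers where the email would be marked verified without the provider asserting it. The export field names (`identityProviders`, `providerId`, `trustEmail`, `config.syncMode`) and all sample data are assumptions made for illustration.

```javascript
// Added example (not Keycloak code). Assumed realm-export fields:
// identityProviders[].alias, .providerId, .enabled, .trustEmail, .config.syncMode.

// Outcome for one broker, following the conditions stated in the release notes.
function emailVerifiedOutcome(idp, claims) {
  const trustEmail = idp.trustEmail === true;
  const forceSync = (idp.config || {}).syncMode === 'FORCE';
  if (!trustEmail || !forceSync) {
    // Outside the combination the release notes describe.
    return { applies: false, emailVerified: null, source: 'not-applicable' };
  }
  if (claims == null) {
    // No sample token captured for this provider, so nothing can be concluded.
    return { applies: true, emailVerified: null, source: 'no-sample' };
  }
  const claim = claims.email_verified;
  if (claim === undefined) {
    // Claim not sent: original behaviour, the email is marked verified.
    return { applies: true, emailVerified: true, source: 'default' };
  }
  if (typeof claim !== 'boolean') {
    // OpenID Connect Core defines the claim as a boolean; anything else is
    // not covered by the release notes and is left for manual review.
    return { applies: true, emailVerified: null, source: 'non-boolean-claim' };
  }
  return { applies: true, emailVerified: claim, source: 'claim' };
}

// Walk every enabled generic OIDC broker and flag the ones to look at.
function auditBrokers(realmExport, sampleClaimsByAlias) {
  return (realmExport.identityProviders || [])
    .filter((idp) => idp.providerId === 'oidc' && idp.enabled !== false)
    .map((idp) => {
      const outcome = emailVerifiedOutcome(idp, sampleClaimsByAlias[idp.alias]);
      const review = ['default', 'non-boolean-claim', 'no-sample'].includes(outcome.source);
      return { alias: idp.alias, ...outcome, review };
    });
}

// Constructed sample data: a trimmed realm export and decoded ID token payloads.
const SAMPLE_REALM = {
  realm: 'demo',
  identityProviders: [
    { alias: 'corp-oidc', providerId: 'oidc', enabled: true, trustEmail: true, config: { syncMode: 'FORCE' } },
    { alias: 'partner-oidc', providerId: 'oidc', enabled: true, trustEmail: true, config: { syncMode: 'FORCE' } },
    { alias: 'legacy-oidc', providerId: 'oidc', enabled: true, trustEmail: true, config: { syncMode: 'IMPORT' } },
    { alias: 'github', providerId: 'github', enabled: true, trustEmail: false, config: {} },
  ],
};
const SAMPLE_CLAIMS = {
  'corp-oidc': { sub: 'u-1', email: 'a@corp.example', email_verified: false },
  'partner-oidc': { sub: 'u-2', email: 'b@partner.example' }, // claim not sent
  'legacy-oidc': { sub: 'u-3', email: 'c@legacy.example', email_verified: true },
};

for (const row of auditBrokers(SAMPLE_REALM, SAMPLE_CLAIMS)) {
  console.log(`${row.alias}: source=${row.source} emailVerified=${row.emailVerified} review=${row.review}`);
}
```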
Asynchronous logging for higher throughput and lower latency
All available log handlers now support asynchronous logging capabilities. Asynchronous logging helps deployments that require high throughput and low latency.
For more details on this opt-in feature, see the Logging guide.
Rolling updates for patch releases for minimized downtime (preview)
In the previous release, the Keycloak Operator was enhanced to support performing rolling updates of the Keycloak image if both images contain the same version. This is useful, for example, when switching to an optimized image, changing a theme or a provider source code.
In this release, we extended this to perform a rolling update when the new image contains a future patch release from the same `major.minor` release stream, as a preview feature.
This can reduce the service’s downtime even further, as downtime is only needed when upgrading from a different minor or major version.
Read more on how to enable this feature in update compatibility command.
Passkeys integrated in the default username forms
In this release, Keycloak integrates Passkeys in the default authentication forms. A new switch, Enable Passkeys, is available in the configuration under Authentication → Policies → Webauthn Passwordless Policy, and seamlessly incorporates passkeys support into the realm. With just one click, Keycloak offers conditional and modal user interfaces in the default login forms to allow users to authenticate with a passkey.
The Passkeys feature is still in preview. Follow the Enabling and disabling features guide to enable it.
For more information, see the Passkeys section in the Server Administration Guide.
Upgrading
Before upgrading, refer to the migration guide for a complete list of changes.
All resolved issues
New features
- [#21995](https://github.com/keycloak/keycloak/issues/21995) Configurable probes in the Operator
operator
- [#29116](https://github.com/keycloak/keycloak/issues/29116) Add supported config options for additional datasources
dist/quarkus
- [#29596](https://github.com/keycloak/keycloak/issues/29596) Passkeys conditional UI: integration with username/password form
authentication/webauthn
- [#38465](https://github.com/keycloak/keycloak/issues/38465) Name for OTP device should be unique
account/api
- [#38985](https://github.com/keycloak/keycloak/issues/38985) Possibility to log details and representation to the jboss-logging listener
- [#39408](https://github.com/keycloak/keycloak/issues/39408) make MaxAuthAge configurable for required actions
authentication
- [#40021](https://github.com/keycloak/keycloak/issues/40021) Passkeys conditional UI: integration with independent username and password form
authentication/webauthn
- [#40033](https://github.com/keycloak/keycloak/issues/40033) Deprecate or remove the current conditionalUI authenticator
authentication/webauthn
Enhancements
- [#12025](https://github.com/keycloak/keycloak/issues/12025) Get multiple users by Ids
admin/api
- [#21277](https://github.com/keycloak/keycloak/issues/21277) Support IPv6 only environments
dist/quarkus
- [#23283](https://github.com/keycloak/keycloak/issues/23283) Allow Keycloak operator to parameterize the Service annotations and labels
- [#28713](https://github.com/keycloak/keycloak/issues/28713) Temporarily Locked out users change the enabled flag of the user
account/api
- [#28851](https://github.com/keycloak/keycloak/issues/28851) Support Syslog async properties
dist/quarkus
- [#30227](https://github.com/keycloak/keycloak/issues/30227) Admin-UI: move PKCE Code Challenge Method setting from Advanced to Settings tab
- [#33978](https://github.com/keycloak/keycloak/issues/33978) Migration progress missing
- [#34160](https://github.com/keycloak/keycloak/issues/34160) Remove CACHE_EMBEDDED_REMOTE_STORE Feature
- [#35446](https://github.com/keycloak/keycloak/issues/35446) Ensure Client Initiated Account Linking behaves like other Application Initiated Actions
authentication
- [#36635](https://github.com/keycloak/keycloak/issues/36635) Change User details page drop-down filter to make it easier to find the 'admin' role
admin/ui
- [#37532](https://github.com/keycloak/keycloak/issues/37532) Remove user event types from admin UI is unusable
admin/ui
- [#37716](https://github.com/keycloak/keycloak/issues/37716) Add ability for Quick Theme to import theme from a jar
admin/ui
- [#37717](https://github.com/keycloak/keycloak/issues/37717) Quick Theme should allow naming the jar before download
admin/ui
- [#38091](https://github.com/keycloak/keycloak/issues/38091) Add more validation for proxy-headers
- [#38228](https://github.com/keycloak/keycloak/issues/38228) Auto submit the "Organization Identity-First Login" form with pre-filled username field
organizations
- [#38259](https://github.com/keycloak/keycloak/issues/38259) Enhance mapping from env variables to wildcards
- [#38262](https://github.com/keycloak/keycloak/issues/38262) Add `count` endpoint for organizations
organizations
- [#38433](https://github.com/keycloak/keycloak/issues/38433) Make `ThemeManagerFactory` into a proper SPI so that it can be accessed/overridden
core
- [#38496](https://github.com/keycloak/keycloak/issues/38496) Create CacheRemoteConfigProvider
- [#38497](https://github.com/keycloak/keycloak/issues/38497) Create CacheEmbeddedConfigProvider
- [#38578](https://github.com/keycloak/keycloak/issues/38578) Support Asynchronous logging
- [#38614](https://github.com/keycloak/keycloak/issues/38614) Improve Dutch translation for Theme base/login and base/email
translations
- [#38620](https://github.com/keycloak/keycloak/issues/38620) Key generation for client authentication is always RSA 2048 with a 10-year validity, regardless of the selected algorithm
authentication
- [#38621](https://github.com/keycloak/keycloak/issues/38621) Client secret generation provides lower than expected entropy
authentication
- [#38649](https://github.com/keycloak/keycloak/issues/38649) Improve migration performance
core
- [#38663](https://github.com/keycloak/keycloak/issues/38663) Access Token IDs have less than 128 bits of entropy
core
- [#38714](https://github.com/keycloak/keycloak/issues/38714) Add feedback when user sync process is triggered in user federation
- [#38863](https://github.com/keycloak/keycloak/issues/38863) Allow logging of slow database operations
- [#38882](https://github.com/keycloak/keycloak/issues/38882) Upgrade command rolling updates for patch releases / step 1: experimental
- [#38883](https://github.com/keycloak/keycloak/issues/38883) Upgrade command rolling updates for patch releases / step 2: preview
- [#38956](https://github.com/keycloak/keycloak/issues/38956) Clarify upgrade instructions
- [#38981](https://github.com/keycloak/keycloak/issues/38981) Allow setting locale when edit mode is `READ_ONLY`
- [#38994](https://github.com/keycloak/keycloak/issues/38994) Make recovery codes supported
authentication
- [#39057](https://github.com/keycloak/keycloak/issues/39057) Change the title for Grafana dashboards guide to plural
docs
- [#39059](https://github.com/keycloak/keycloak/issues/39059) Document operator `Auto` update strategy when used with `podTemplate`
- [#39080](https://github.com/keycloak/keycloak/issues/39080) Standardize introductory text in Keycloak guides
- [#39136](https://github.com/keycloak/keycloak/issues/39136) Update LDAP configuration with a hint how to enable password hashing in ApacheDS
- [#39142](https://github.com/keycloak/keycloak/issues/39142) Make distribution startup timeout configurable
testsuite
- [#39172](https://github.com/keycloak/keycloak/issues/39172) Add description to groups
- [#39191](https://github.com/keycloak/keycloak/issues/39191) Ability to skip AIA for adding WebAuthn security key in case that user already has one
authentication
- [#39198](https://github.com/keycloak/keycloak/issues/39198) Better tooltip for Strategy to increase wait time in brute force settings
- [#39213](https://github.com/keycloak/keycloak/issues/39213) Polishing recovery codes
authentication
- [#39214](https://github.com/keycloak/keycloak/issues/39214) Use required action configuration instead of password policy for warning threshold
authentication
- [#39243](https://github.com/keycloak/keycloak/issues/39243) Should we improve metadata of recovery code credential?
authentication
- [#39338](https://github.com/keycloak/keycloak/issues/39338) Keycloak Operator: TTL for KeycloakRealmImport jobs
docs
- [#39405](https://github.com/keycloak/keycloak/issues/39405) Message bundle hot reloading
- [#39418](https://github.com/keycloak/keycloak/issues/39418) Clarify when to use podman
docs
- [#39469](https://github.com/keycloak/keycloak/issues/39469) Fix Securing Apps links to adapters
docs
- [#39486](https://github.com/keycloak/keycloak/issues/39486) Email server credentials can be harvested through host/port manipulation
admin/api
- [#39541](https://github.com/keycloak/keycloak/issues/39541) Fix doc link to FGAP v1
docs
- [#39543](https://github.com/keycloak/keycloak/issues/39543) Apply edits to Operators Guide
docs
- [#39544](https://github.com/keycloak/keycloak/issues/39544) Change discovery in Kubernetes to `jdbc-ping`
- [#39545](https://github.com/keycloak/keycloak/issues/39545) JGroups: Switch to "per-destination" bundler for `jdbc-ping`
- [#39563](https://github.com/keycloak/keycloak/issues/39563) Protocol `openid-connect` should be selected as default for ClientScopes
oid4vc
- [#39572](https://github.com/keycloak/keycloak/issues/39572) Edit Observability Guide
docs
- [#39587](https://github.com/keycloak/keycloak/issues/39587) Make slow SQL and SQL comment prefix configurable
- [#39590](https://github.com/keycloak/keycloak/issues/39590) Fix callouts in Operator guide
docs
- [#39595](https://github.com/keycloak/keycloak/issues/39595) Build user representations when searching based on the user profile settings
user-profile
- [#39617](https://github.com/keycloak/keycloak/issues/39617) OpenTelemetry Tracing: Spans as part of the "commit" should be nested
dist/quarkus
- [#39619](https://github.com/keycloak/keycloak/issues/39619) OpenTelementry Tracing: Show calls within a rest resource as nested
dist/quarkus
- [#39638](https://github.com/keycloak/keycloak/issues/39638) Sessions from Infinispan should be mapped lazily for the Admin UI
- [#39641](https://github.com/keycloak/keycloak/issues/39641) Return only manage permissions when listing users via administration console
- [#39651](https://github.com/keycloak/keycloak/issues/39651) Speed up Infinispan list of all sessions be more eagerly remove old client sessions
- [#39653](https://github.com/keycloak/keycloak/issues/39653) Pass notifications in batches to remote and local ISPN cache
infinispan
- [#39665](https://github.com/keycloak/keycloak/issues/39665) When logging in, all client sessions are loaded which is slow
oidc
- [#39670](https://github.com/keycloak/keycloak/issues/39670) Add re-authentication when updating email via UPDATE_EMAIL feature
- [#39723](https://github.com/keycloak/keycloak/issues/39723) Redirect request from wrong version to the right version
- [#39748](https://github.com/keycloak/keycloak/issues/39748) Docs: server_admin/topics/clients/oidc/proc-using-a-service-account.adoc
oidc
- [#39761](https://github.com/keycloak/keycloak/issues/39761) Revise DPoP Codes - refactor retrieveDPoPHeaderIfPresent method
oidc
- [#39817](https://github.com/keycloak/keycloak/issues/39817) Document that a shell wrapper must not start replace PID 1 in containers
- [#39826](https://github.com/keycloak/keycloak/issues/39826) Revise DPoP Codes - refactor remove unused methods
oidc
- [#39855](https://github.com/keycloak/keycloak/issues/39855) Revise Client Policies Codes - AbstractClientPoliciesTest
oidc
- [#39872](https://github.com/keycloak/keycloak/issues/39872) Improve JGroups network bind address documetion
- [#39885](https://github.com/keycloak/keycloak/issues/39885) Identity provider with FORCE sync mode does not detect verified email change
identity-brokering
- [#39889](https://github.com/keycloak/keycloak/issues/39889) Revise Client Policies Codes - ClientPoliciesAdminTest
oidc
- [#39891](https://github.com/keycloak/keycloak/issues/39891) Revise Client Policies Codes - ClientPoliciesConditionTest
oidc
- [#39909](https://github.com/keycloak/keycloak/issues/39909) Add missing id attributes for button elements of keycloak.v2 login theme
- [#39962](https://github.com/keycloak/keycloak/issues/39962) Create a POC of running 2 containers in the new testsuite
- [#39965](https://github.com/keycloak/keycloak/issues/39965) Create test cases for OIDC flows
- [#39975](https://github.com/keycloak/keycloak/issues/39975) Make the checkbox "Sign out from other devices" unchecked by default
authentication
- [#39980](https://github.com/keycloak/keycloak/issues/39980) Revise Client Policies Codes - ClientPoliciesExecutorTest
oidc
- [#39982](https://github.com/keycloak/keycloak/issues/39982) Revise Client Policies Codes - ClientPoliciesExtendedEventTest
oidc
- [#39987](https://github.com/keycloak/keycloak/issues/39987) Unnecessary boxing/unboxing to parse a primitive. SAST
saml
- [#40012](https://github.com/keycloak/keycloak/issues/40012) Revise Client Policies Codes - ClientPoliciesLoadUpdateTest
oidc
- [#40014](https://github.com/keycloak/keycloak/issues/40014) Revise Client Policies Codes - ClientPoliciesTest
oidc
- [#40016](https://github.com/keycloak/keycloak/issues/40016) Revise Client Policies Codes - SecureRedirectUrisEnforcerExecutorTest
oidc
- [#40022](https://github.com/keycloak/keycloak/issues/40022) Passkeys conditional UI: integration with the organization authenticator
authentication/webauthn
- [#40023](https://github.com/keycloak/keycloak/issues/40023) Upgrade webauthn4j to a newer version
authentication/webauthn
- [#40024](https://github.com/keycloak/keycloak/issues/40024) Throw an exception if transport mTLS keystore or Truststore does not exist
- [#40027](https://github.com/keycloak/keycloak/issues/40027) Unrelated Types. SAST
- [#40030](https://github.com/keycloak/keycloak/issues/40030) Potential thread safety Issue with lazy init of transformerFactory at TransformerUtil. SAST
- [#40034](https://github.com/keycloak/keycloak/issues/40034) Serialization issue in SAMLEntityAttributesParser - no void constructor in superclass. SAST
- [#40039](https://github.com/keycloak/keycloak/issues/40039) Abbreviate text in PKCE method configuration label in OIDC Client configuration
admin/ui
- [#40050](https://github.com/keycloak/keycloak/issues/40050) Revise Client Policies Codes - OAuth 2.1 tests
oidc
- [#40052](https://github.com/keycloak/keycloak/issues/40052) Revise Client Policies Codes - FAPI1Test
oidc
- [#40054](https://github.com/keycloak/keycloak/issues/40054) Revise Client Policies Codes - FAPI2Test
oidc
- [#40056](https://github.com/keycloak/keycloak/issues/40056) Revise Client Policies Codes - FAPICIBATest
oidc
- [#40060](https://github.com/keycloak/keycloak/issues/40060) Sign of a bad copy/paste in logging of usserSessionLimitsAuthenticator
authentication
- [#40108](https://github.com/keycloak/keycloak/issues/40108) Support more i18n keys for messages_ru.properties
- [#40129](https://github.com/keycloak/keycloak/issues/40129) Refactor the key value input so that it has an override for key and value component
- [#40165](https://github.com/keycloak/keycloak/issues/40165) Upgrade to Infinispan 15.0.15
- [#40166](https://github.com/keycloak/keycloak/issues/40166) Upgrade Aurora PostgreSQL to a supported release
- [#40188](https://github.com/keycloak/keycloak/issues/40188) Document security implications of Keycloak CR
operator
- [#40191](https://github.com/keycloak/keycloak/issues/40191) Icon for default role should have a separator to the role name
admin/ui
- [#40208](https://github.com/keycloak/keycloak/issues/40208) ServerInfo View in Admin-Console should show CPU information
- [#40233](https://github.com/keycloak/keycloak/issues/40233) Make `ProviderConfigurationBuilder` fail when a duplicate property is added.
- [#40336](https://github.com/keycloak/keycloak/issues/40336) Support all i18n keys for messages_ru.properties
translations
- [#40419](https://github.com/keycloak/keycloak/issues/40419) Update links specs in OIDC guide
docs
- [#40440](https://github.com/keycloak/keycloak/issues/40440) Add link to OIDC Discovery Spec in the documentation of the certs endpoint
oidc
- [#40441](https://github.com/keycloak/keycloak/issues/40441) Add templates for release notes and migration guide
docs
- [#40446](https://github.com/keycloak/keycloak/issues/40446) Review Profile makes users prone to phishing attacks
authentication
- [#40448](https://github.com/keycloak/keycloak/issues/40448) add (ky )kyrgyz language support
translations
- [#40472](https://github.com/keycloak/keycloak/issues/40472) Default to num_owners=2 when the persistent-user-sessions feature is disabled
infinispan
- [#40487](https://github.com/keycloak/keycloak/issues/40487) Clarify OpenShift v4 Identity Provider instructions
- [#40489](https://github.com/keycloak/keycloak/issues/40489) When redirecting old resource versions, keep query parameters
- [#40533](https://github.com/keycloak/keycloak/issues/40533) Clarify FIPS instructions
- [#40564](https://github.com/keycloak/keycloak/issues/40564) Add clarifying language around jgroups failure detection ports
- [#40566](https://github.com/keycloak/keycloak/issues/40566) Synchronization of Polish language in login template
translations
- [#40579](https://github.com/keycloak/keycloak/issues/40579) Add missing translations in email and account theme for Polish lang
translations
- [#40639](https://github.com/keycloak/keycloak/issues/40639) Update documentation about volatile sessions
- [#40641](https://github.com/keycloak/keycloak/issues/40641) [docs] fix spelling error in hostname.adoc
- [#40705](https://github.com/keycloak/keycloak/issues/40705) Documentation for passkeys for 26.3.0
authentication
- [#40709](https://github.com/keycloak/keycloak/issues/40709) Update javadoc of java admin-client for Keycloak 26.3
admin/client-java
- [#40765](https://github.com/keycloak/keycloak/issues/40765) Make abstract class AbstractUserRoleMappingMapper public
Bugs
- [#27945](https://github.com/keycloak/keycloak/issues/27945) Passkey "Avoid same authenticator registration" doesn't work
authentication/webauthn
- [#32600](https://github.com/keycloak/keycloak/issues/32600) OpenAPI spec: Missing attributes in ClientPolicyConditionRepresentation and ClientPolicyExecutorRepresentation schemas
admin/api
- [#33078](https://github.com/keycloak/keycloak/issues/33078) account/ui spinner use patternfly v3 classes instead of patternfly v5 classes
account/ui
- [#35266](https://github.com/keycloak/keycloak/issues/35266) Amazon Identity Provider does not accept scope = openid and Keycloak always sets it
identity-brokering
- [#35278](https://github.com/keycloak/keycloak/issues/35278) Double click on social provider link causes page has expired error
login/ui
- [#36150](https://github.com/keycloak/keycloak/issues/36150) wrong redirect after login timeout for parallel logins
authentication
- [#36320](https://github.com/keycloak/keycloak/issues/36320) [Keycloak CI] - User Federation Tests - LDAPUserProfileTest.testMultipleLDAPProviders
ci
- [#36396](https://github.com/keycloak/keycloak/issues/36396) "identity-provider-redirector" does not forward LOGIN_HINT of authentication session
authentication
- [#36562](https://github.com/keycloak/keycloak/issues/36562) Social login - Instagram Login test fails, API changed
ci
- [#36609](https://github.com/keycloak/keycloak/issues/36609) Keycloak container incorrectly read CGroups settings on Kernel 6.12
dist/quarkus
- [#36622](https://github.com/keycloak/keycloak/issues/36622) Login UI edit profile textarea doesn't have styles applied
login/ui
- [#36986](https://github.com/keycloak/keycloak/issues/36986) Localization: when the user has forgotten the password, the email is sent in default language, instead of the selected one
login/ui
- [#37202](https://github.com/keycloak/keycloak/issues/37202) Client scopes evaluate function shows sub claim in access token even if "basic" client scope is not selected
admin/ui
- [#37269](https://github.com/keycloak/keycloak/issues/37269) External IDP error during Step-Up Authentication does no longer route back to browser flow
authentication
- [#37447](https://github.com/keycloak/keycloak/issues/37447) account-console no longer provides nonce/state parameter
account/ui
- [#37490](https://github.com/keycloak/keycloak/issues/37490) [Keycloak CI] - Quarkus IT (windows-latest, win) - QuarkusPropertiesDistTest
ci
- #37526](https://github.com/href="https://github.com/keycloak/keycloak/issues/37526">/issues/37526) Unexpected Application Initiated Actions Cause Server Errors
authentication
- #37537](https://github.com/href="https://github.com/keycloak/keycloak/issues/37537">/issues/37537) LDAP group mapper skips configured filter and imports all groups with memberOf strategy when fetching the user's groups
ldap
- #37555](https://github.com/href="https://github.com/keycloak/keycloak/issues/37555">/issues/37555) User Federation: Remove imported users modal has wrong text
admin/ui
- #37559](https://github.com/href="https://github.com/keycloak/keycloak/issues/37559">/issues/37559) Linking user in different browser doesn't work if original window/tab is closed
identity-brokering
- #37598](https://github.com/href="https://github.com/keycloak/keycloak/issues/37598">/issues/37598) Realm context uses route and can't be used in libary
admin/ui
- #37648](https://github.com/href="https://github.com/keycloak/keycloak/issues/37648">/issues/37648) User Attribute option of SAML "User Attribute Mapper for NameID" should be required
admin/ui
- [#37720](https://github.com/keycloak/keycloak/issues/37720) MSADUserAccountControlStorageMapper attempts to persist a userAccountControl value of 0 on user create, resulting in LDAP error and incomplete user provisioning
ldap
- [#37899](https://github.com/keycloak/keycloak/issues/37899) User email not registered when user has not the permission to edit his email
core
- [#38049](https://github.com/keycloak/keycloak/issues/38049) Upload of JKS keystore fails with a server error
admin/ui
- [#38104](https://github.com/keycloak/keycloak/issues/38104) Temporary failure in name resolution with nip.io
ci
- [#38145](https://github.com/keycloak/keycloak/issues/38145) Unknown error on authentication-flow delete action
admin/ui
- [#38161](https://github.com/keycloak/keycloak/issues/38161) RawKeycloakDistribution exit code is always 0
testsuite
- [#38251](https://github.com/keycloak/keycloak/issues/38251) Importing a realm from a directory fail if the realm contain organizations with users.
import-export
- [#38351](https://github.com/keycloak/keycloak/issues/38351) Mail settings can't be provided via environment variables
testsuite
- [#38382](https://github.com/keycloak/keycloak/issues/38382) Disable user row if not allowed to delete
admin/ui
- [#38458](https://github.com/keycloak/keycloak/issues/38458) [FGAP] [UI] Permission search doesn't execute correct consequent search request
admin/fine-grained-permissions
- [#38482](https://github.com/keycloak/keycloak/issues/38482) SAML client certificate not persisted
admin/ui
- [#38487](https://github.com/keycloak/keycloak/issues/38487) [Keycloak Operator CI] - Test remote (slow) - UpdateTest.testExplicitStrategy
ci
- [#38542](https://github.com/keycloak/keycloak/issues/38542) JWK Subtypes fail when mapping JWK to PublicKey
core
- [#38602](https://github.com/keycloak/keycloak/issues/38602) Keycloak fails to start on MySQL Cluster due to missing primary key in databasechangelog
dist/quarkus
- [#38616](https://github.com/keycloak/keycloak/issues/38616) Fix alignment of the 'Action' selectbox with the 'Enabled' switch for User federation
admin/ui
- [#38660](https://github.com/keycloak/keycloak/issues/38660) Ldap federation seems to open and keep open a new thread/connection for each ldap request
ldap
- [#38662](https://github.com/keycloak/keycloak/issues/38662) Update commands trigger build checks
dist/quarkus
- [#38671](https://github.com/keycloak/keycloak/issues/38671) Duplicate Key Violation When Reauthenticating After Account Deletion via Google
identity-brokering
- [#38676](https://github.com/keycloak/keycloak/issues/38676) Dropdown search input is not cleared after selecting with mouse
admin/ui
- [#38692](https://github.com/keycloak/keycloak/issues/38692) Test coverage for count methods when filtering
admin/fine-grained-permissions
- [#38703](https://github.com/keycloak/keycloak/issues/38703) Password Policy Changes get overwritten in the UI
admin/ui
- [#38757](https://github.com/keycloak/keycloak/issues/38757) Keycloak statefulset is not mapped to any headless service if installed via operator
operator
- [#38767](https://github.com/keycloak/keycloak/issues/38767) Make group required when selecting a specific group creating a permission
admin/ui
- [#38783](https://github.com/keycloak/keycloak/issues/38783) `content.json`'s isVisible flags are ignored in `Root.tsx`'s `mapRoutes` function, which makes the pages still accessible
account/ui
- [#38789](https://github.com/keycloak/keycloak/issues/38789) [Keycloak JS CI] Admin UI E2E tests on Firefox have failures
ci
- [#38799](https://github.com/keycloak/keycloak/issues/38799) Kerberos principal attribute value "comes back" when cleared.
admin/ui
- [#38801](https://github.com/keycloak/keycloak/issues/38801) Building docker image of keycloak with curl using 2 stage process hangs
docs
- [#38812](https://github.com/keycloak/keycloak/issues/38812) Test failures in CI in Chrome tests
ci
- [#38846](https://github.com/keycloak/keycloak/issues/38846) StatefulSet reconciliation infinitely looping
operator
- [#38850](https://github.com/keycloak/keycloak/issues/38850) Changing a password with the option log out all other sessions doesn't log out offline sessions
core
- [#38852](https://github.com/keycloak/keycloak/issues/38852) [Organization] Failed authentication (ModelDuplicateException) when e-mail duplicates are allowed on the realm
organizations
- [#38873](https://github.com/keycloak/keycloak/issues/38873) Client Credentials tab : "Allow regex pattern comparison" toggle is always "On" on page load
admin/ui
- [#38893](https://github.com/keycloak/keycloak/issues/38893) Multi-stage docker builds fail --optimized validation
dist/quarkus
- [#38910](https://github.com/keycloak/keycloak/issues/38910) Bug: Hosted Domain Validation Logic Issue in Keycloak Google Identity Provider
identity-brokering
- [#38911](https://github.com/keycloak/keycloak/issues/38911) Filtering of user- and admin-events by dateTo always returns empty results
admin/api
- [#38913](https://github.com/keycloak/keycloak/issues/38913) [FGAP] AvailableRoleMappings do not consider all-clients permissions
admin/fine-grained-permissions
- [#38918](https://github.com/keycloak/keycloak/issues/38918) IPv6 support: Broker tests failing with proxy configuration
ci
- [#38920](https://github.com/keycloak/keycloak/issues/38920) Downstream docs have duplicate ID on sampling
docs
- [#38925](https://github.com/keycloak/keycloak/issues/38925) Blocking issue with increasing JVM thread count after migrating from 26.0.8 to 26.1.4
infinispan
- [#38929](https://github.com/keycloak/keycloak/issues/38929) Permission details sometimes don't show the name of the client
admin/fine-grained-permissions
- [#38930](https://github.com/keycloak/keycloak/issues/38930) [Docs] Broken link in ExternalLinksTest for importmap
docs
- [#38932](https://github.com/keycloak/keycloak/issues/38932) Home button always redirects to master realm when permission denied
admin/ui
- [#38934](https://github.com/keycloak/keycloak/issues/38934) UI: Readonly/disabled profile form input fields are visually indistinguishable from active fields
account/ui
- [#38937](https://github.com/keycloak/keycloak/issues/38937) Liquibase checksum mismatch when upgrading from Keycloak ≤ 22.0.4 directly to 26.2.x
storage
- [#38938](https://github.com/keycloak/keycloak/issues/38938) Missing null checks in IdentityProviderResource lead to NPE
admin/api
- [#38944](https://github.com/keycloak/keycloak/issues/38944) Admin UI test "Enable user events" breaks as event metadata has changed
admin/ui
- [#38964](https://github.com/keycloak/keycloak/issues/38964) [26.2.3/26.1.5] Regression: ClientList value is empty in UI for Custom UserStorageProviderFactory
admin/ui
- [#38970](https://github.com/keycloak/keycloak/issues/38970) Authentication request can fail with `unknown_error`
authentication
- [#38982](https://github.com/keycloak/keycloak/issues/38982) JpaRealmProvider getGroupByName return group duplicate due to change of comparison (like vs equal)
ldap
- [#39015](https://github.com/keycloak/keycloak/issues/39015) Keycloak operator with update strategy to Auto: missing imagePullSecrets
operator
- [#39021](https://github.com/keycloak/keycloak/issues/39021) After migrating to newer Keycloak, token refreshes using inherited offline sessions return access tokens with invalid exp value
oidc
- [#39022](https://github.com/keycloak/keycloak/issues/39022) Setting batch size to 0 in LDAP provider with pagination enabled leads to NPE
ldap
- [#39023](https://github.com/keycloak/keycloak/issues/39023) Keycloak 26.2.0 UI Performance Degradation
admin/ui
- [#39026](https://github.com/keycloak/keycloak/issues/39026) Fine-grained-permission v2 Display problem
admin/fine-grained-permissions
- [#39037](https://github.com/keycloak/keycloak/issues/39037) UserInfo request fails by using an access token obtained in Hybrid flow with offline_access scope
oidc
- [#39046](https://github.com/keycloak/keycloak/issues/39046) Keycloak 26.2.0 can't authenticate to the H2 database after the upgrade
core
- [#39055](https://github.com/keycloak/keycloak/issues/39055) After import of keys an export doesn't include these values
admin/ui
- [#39061](https://github.com/keycloak/keycloak/issues/39061) Missing iteration key property in SigningIn Page
account/ui
- [#39063](https://github.com/keycloak/keycloak/issues/39063) Optimized startup fails from `kc.spi-connections-http-client-default-expect-continue-enabled` passed at runtime
dist/quarkus
- [#39065](https://github.com/keycloak/keycloak/issues/39065) Issue with SSL and `CertificatereloadManager` in Keycloak 26.2 when using Istio
infinispan
- [#39085](https://github.com/keycloak/keycloak/issues/39085) Redirects to admin endpoint 404s on hostname-admin / request scheme mismatch
core
- [#39096](https://github.com/keycloak/keycloak/issues/39096) Release note 26.2.0 has broken link
docs
- [#39110](https://github.com/keycloak/keycloak/issues/39110) jwks_uri endpoint returns content-type as "application/json" instead of "application/jwk+json" or "application/jwk-set+json"
oidc
- [#39119](https://github.com/keycloak/keycloak/issues/39119) Evaluate client scopes can corrupt UI completely
admin/ui
- [#39124](https://github.com/keycloak/keycloak/issues/39124) [Operator CI] - Test remote (slow)
ci
- [#39125](https://github.com/keycloak/keycloak/issues/39125) [Keycloak CI] - FIPS UT - Run crypto tests
ci
- [#39130](https://github.com/keycloak/keycloak/issues/39130) Authorization Code Flow Fails Scope Validation After Credential Definition Migration to Realm Level
oid4vc
- [#39144](https://github.com/keycloak/keycloak/issues/39144) Getting Started Podman: We are sorry... HTTPS required
docs
- [#39146](https://github.com/keycloak/keycloak/issues/39146) [FGAP] [UI] Searching for permissions doesn't allow to search for all group permissions
admin/fine-grained-permissions
- [#39150](https://github.com/keycloak/keycloak/issues/39150) Evaluation should consider roles granted to the user
admin/fine-grained-permissions
- [#39156](https://github.com/keycloak/keycloak/issues/39156) Quick theme: logo is undefined if not set
admin/ui
- [#39157](https://github.com/keycloak/keycloak/issues/39157) [quarkus-next] TestEngine with ID 'junit-jupiter' failed to discover tests
dist/quarkus
- [#39173](https://github.com/keycloak/keycloak/issues/39173) duplicate key value violates unique constraint "constraint_offl_cl_ses_pk3"
infinispan
- [#39179](https://github.com/keycloak/keycloak/issues/39179) Uncaught server error during organization update when name already exists
organizations
- [#39180](https://github.com/keycloak/keycloak/issues/39180) Groups view: Filter/search bar disappears and groups not shown after clearing empty search results
admin/ui
- [#39182](https://github.com/keycloak/keycloak/issues/39182) Oracle driver problems in keycloak 26.2.1
dependencies
- [#39187](https://github.com/keycloak/keycloak/issues/39187) Account console: defaultLocale item in select locale field
account/ui
- [#39206](https://github.com/keycloak/keycloak/issues/39206) Wrong UDP jgroups metric name
docs
- [#39219](https://github.com/keycloak/keycloak/issues/39219) Serverinfo response grows over time
admin/api
- [#39227](https://github.com/keycloak/keycloak/issues/39227) Quarkus devtools dependencies in 26.2.x
dependencies
- [#39237](https://github.com/keycloak/keycloak/issues/39237) Deletion of a role is slow when there are a lot of roles in the database
core
- [#39246](https://github.com/keycloak/keycloak/issues/39246) Duplicate user entries when searching custom attributes
core
- [#39259](https://github.com/keycloak/keycloak/issues/39259) Admin E2E tests ignores `RETRY_COUNT` environment variable
admin/ui
- [#39262](https://github.com/keycloak/keycloak/issues/39262) Keycloak does not take into account value request parameter in the claims request for acr claim
authentication
- [#39264](https://github.com/keycloak/keycloak/issues/39264) [OID4VCI] Documentation Errors
docs
- [#39267](https://github.com/keycloak/keycloak/issues/39267) Avoid a NPE at org.keycloak.email.freemarker.beans.ProfileBean#getOrganizations when feature "organization" is disabled
organizations
- [#39274](https://github.com/keycloak/keycloak/issues/39274) Aurora DB should not update automatically to the latest minor version
ci
- [#39296](https://github.com/keycloak/keycloak/issues/39296) Inconsistent "grant_types" vs "grantTypes" Naming Causes GrantTypeCondition to Always Fail
core
- [#39312](https://github.com/keycloak/keycloak/issues/39312) SLO measurement should mention a month as a period
docs
- [#39336](https://github.com/keycloak/keycloak/issues/39336) Tests failing with embedded undertow due the infinispan
testsuite
- [#39345](https://github.com/keycloak/keycloak/issues/39345) Ghost user entries in database from ldap causes import errors
ldap
- [#39349](https://github.com/keycloak/keycloak/issues/39349) CVE-2025-3910 Two factor authentication bypass
- [#39350](https://github.com/keycloak/keycloak/issues/39350) CVE-2025-3501 Keycloak hostname verification
- [#39358](https://github.com/keycloak/keycloak/issues/39358) Aggregated policy: Cannot select policies that do not appear in the drop-down list
admin/ui
- [#39402](https://github.com/keycloak/keycloak/issues/39402) Client Scope with mapper Organization Membership - claim disappears as soon as user is member of more than one Organisation
organizations
- [#39403](https://github.com/keycloak/keycloak/issues/39403) Client Scope with mapper Organization Membership - organizations claim disappears when Include in token scope is off
organizations
- [#39429](https://github.com/keycloak/keycloak/issues/39429) Flaky test: org.keycloak.testsuite.model.session.OfflineSessionPersistenceTest#testPersistenceMultipleNodesClientSessionsAtRandomNode
ci
- [#39442](https://github.com/keycloak/keycloak/issues/39442) Non-closing HTML tag in footer example
docs
- [#39450](https://github.com/keycloak/keycloak/issues/39450) quarkus runtime options are treated as buildtime options
dist/quarkus
- [#39454](https://github.com/keycloak/keycloak/issues/39454) JGroups errors when running a containerized Keycloak in Strict FIPS mode and with Istio
infinispan
- [#39457](https://github.com/keycloak/keycloak/issues/39457) Typos in French login and email messages templates
translations
- [#39465](https://github.com/keycloak/keycloak/issues/39465) Scheduled Task cannot access realm when feature fpap:v2 is active, but realm has it not configured
admin/fine-grained-permissions
- [#39485](https://github.com/keycloak/keycloak/issues/39485) Inconsistent "Forgot Password" behavior reveals user account information
login/ui
- [#39487](https://github.com/keycloak/keycloak/issues/39487) Incorrect tooltip over enabled features
admin/ui
- [#39492](https://github.com/keycloak/keycloak/issues/39492) Check if suspicious log about CORS is correct
- [#39496](https://github.com/keycloak/keycloak/issues/39496) [26.2.3/26.1.5] Regression: empty ClientList in UI for Custom UserStorageProvider
admin/ui
- [#39499](https://github.com/keycloak/keycloak/issues/39499) UI does not show user's attributes after reentering the Attributes TAB
admin/ui
- [#39500](https://github.com/keycloak/keycloak/issues/39500) Update Job Pod is listed in the keycloak discovery service
operator
- [#39502](https://github.com/keycloak/keycloak/issues/39502) Refreshed tokens are not persisted for IDP token exchange
token-exchange
- [#39509](https://github.com/keycloak/keycloak/issues/39509) UI does not show organization's attributes after reentering the Attributes TAB
account/ui
- [#39538](https://github.com/keycloak/keycloak/issues/39538) Autocomplete in Mapper type of user federation broken
admin/ui
- [#39540](https://github.com/keycloak/keycloak/issues/39540) Forms IT tests breaks with Chrome 136.0.7103.59
ci
- [#39549](https://github.com/keycloak/keycloak/issues/39549) Inconsistency in User enabled status in Rest query results.
core
- [#39596](https://github.com/keycloak/keycloak/issues/39596) Enabling "HTTP-POST binding response" is not reflected in the SP metadata
saml
- [#39599](https://github.com/keycloak/keycloak/issues/39599) Error when requesting token inspection for a access token requested by a offline token
authorization-services
- [#39612](https://github.com/keycloak/keycloak/issues/39612) Unable to change the OTP hash algorithm
admin/ui
- [#39614](https://github.com/keycloak/keycloak/issues/39614) Keycloak not using custom Infinispan config
infinispan
- [#39643](https://github.com/keycloak/keycloak/issues/39643) Can't change locale on expired page
login/ui
- [#39663](https://github.com/keycloak/keycloak/issues/39663) Duplicate validation message “Please specify username.” shown on login form
login/ui
- [#39668](https://github.com/keycloak/keycloak/issues/39668) Fetching 1250 group children much slower in v26 vs. v25
admin/api
- [#39669](https://github.com/keycloak/keycloak/issues/39669) Hide update email link in account console when email is read-only in user profile
user-profile
- [#39693](https://github.com/keycloak/keycloak/issues/39693) Clicking on the jump links removes the localization of the UI
admin/ui
- [#39697](https://github.com/keycloak/keycloak/issues/39697) Authorization documentation shows the wrong view
authorization-services
- [#39710](https://github.com/keycloak/keycloak/issues/39710) Recreate update is not scaling down the statefulset to zero
operator
- [#39715](https://github.com/keycloak/keycloak/issues/39715) Users Credentials tab crashes on orphan LDAP user
admin/ui
- [#39720](https://github.com/keycloak/keycloak/issues/39720) User listing broken because of missing `is_temporary_admin` attribute
admin/ui
- [#39724](https://github.com/keycloak/keycloak/issues/39724) Hibernate LazyInitializationException when deleting client with CompositeRoles
core
- [#39753](https://github.com/keycloak/keycloak/issues/39753) POST realm API returns 400 on conflict instead of 409 in version 26.2.4
admin/api
- [#39759](https://github.com/keycloak/keycloak/issues/39759) ModelDuplicateException since Keycloak v26 when logging into Keycloak
core
- [#39765](https://github.com/keycloak/keycloak/issues/39765) SAML certificate in UI not refreshed after keystore import
account/ui
- [#39781](https://github.com/keycloak/keycloak/issues/39781) SMTP password overwritten with asterisks
core
- [#39785](https://github.com/keycloak/keycloak/issues/39785) Client sessions are not cached when loaded from the database
core
- [#39798](https://github.com/keycloak/keycloak/issues/39798) Documentation has outdated link to the "latest" branch of quickstarts
docs
- [#39800](https://github.com/keycloak/keycloak/issues/39800) [KEYCLOAK CI] - AuroraDB IT - Create EC2 runner instance
ci
- [#39816](https://github.com/keycloak/keycloak/issues/39816) Do not show warning ISPN000312: Lost data because of graceful leaver
infinispan
- [#39843](https://github.com/keycloak/keycloak/issues/39843) Custom classes for checkbox are not applied on password reset form in keycloak.v2 login theme
login/ui
- [#39850](https://github.com/keycloak/keycloak/issues/39850) [FGAP] Clients empty when using role based policy and roles inherited from groups
admin/fine-grained-permissions
- [#39861](https://github.com/keycloak/keycloak/issues/39861) [Keycloak CI] - Several failures HTTP response code 429 - too many requests
ci
- [#39866](https://github.com/keycloak/keycloak/issues/39866) MigrationModel duplicate entry on Recreate Upgrade in Cluster with 2+ nodes
dist/quarkus
- [#39876](https://github.com/keycloak/keycloak/issues/39876) JS CI fails with merging playwright reports
admin/ui
- [#39893](https://github.com/keycloak/keycloak/issues/39893) Missing Quarkus flag for syslog logging
dist/quarkus
- [#39904](https://github.com/keycloak/keycloak/issues/39904) Missing angle bracket
authentication
- [#39915](https://github.com/keycloak/keycloak/issues/39915) Searching user by attributes force an exact request even if not asked
admin/ui
- [#39917](https://github.com/keycloak/keycloak/issues/39917) Liquibase update failed from KC 26.1 to KC 26.2 with PostgreSQL JDBC driver 42.7.5
storage
- [#39918](https://github.com/keycloak/keycloak/issues/39918) Admin UI key permissionPoliciesHelp possible typo
admin/ui
- [#39920](https://github.com/keycloak/keycloak/issues/39920) Admin UI doesn't use conditionsHelpItem message key
admin/ui
- [#39923](https://github.com/keycloak/keycloak/issues/39923) ModelDuplicateException on next login after deleting an account
storage
- [#39934](https://github.com/keycloak/keycloak/issues/39934) Locale set to English even when only one Locale is enabled
admin/ui
- [#39937](https://github.com/keycloak/keycloak/issues/39937) Admin UI shows message "Imported users have been removed" twice
admin/ui
- [#39939](https://github.com/keycloak/keycloak/issues/39939) Operator error: desiredPullSecrets is null
operator
- [#39942](https://github.com/keycloak/keycloak/issues/39942) LDAP Edit mode option is required but not marked
admin/ui
- [#39949](https://github.com/keycloak/keycloak/issues/39949) [Keycloak JavaScript CI] - Admin UI E2E (firefox)
ci
- [#39950](https://github.com/keycloak/keycloak/issues/39950) [Keycloak CI] - Cookies Tests - KcOidcBrokerTokenExchangeTest
- [#39956](https://github.com/keycloak/keycloak/issues/39956) Allow mapping Admin roles to server administrator only
admin/fine-grained-permissions
- [#39971](https://github.com/keycloak/keycloak/issues/39971) Custom tabs implementing UiTabProvider/UiTabProviderFactory not displayed since KC26.2.0
admin/ui
- [#40003](https://github.com/keycloak/keycloak/issues/40003) Change connection settings title to OAuth2 settings
- [#40046](https://github.com/keycloak/keycloak/issues/40046) Cache TLS is not available with protocol UDP after upgrading from 26.2.4 to 26.2.5
infinispan
- [#40049](https://github.com/keycloak/keycloak/issues/40049) Flaky test: org.keycloak.testsuite.webauthn.account.WebAuthnSigningInTest#checkAuthenticatorTimeLocale
ci
- [#40085](https://github.com/keycloak/keycloak/issues/40085) Federated user IDs are not correctly evicted from cache
storage
- [#40088](https://github.com/keycloak/keycloak/issues/40088) Make UPDATE_TIME unique for MIGRATION_MODEL table
- [#40090](https://github.com/keycloak/keycloak/issues/40090) Emphasize using StatefulSet instead of Deployment
operator
- [#40096](https://github.com/keycloak/keycloak/issues/40096) Error creating user in Windows Active Directory over LDAP
ldap
- [#40099](https://github.com/keycloak/keycloak/issues/40099) [Keycloak Operator CI] - Test OLM Installation
ci
- [#40104](https://github.com/keycloak/keycloak/issues/40104) NPE during external-internal token exchange in case that user exists
token-exchange
- [#40106](https://github.com/keycloak/keycloak/issues/40106) Two same tests in KcOidcBrokerTokenExchangeTest
testsuite
- [#40128](https://github.com/keycloak/keycloak/issues/40128) Unable to set LoA field in auth-flow-enforcer
core
- [#40135](https://github.com/keycloak/keycloak/issues/40135) Transparent filter panel in Admin > Events > Search events form
admin/ui
- [#40139](https://github.com/keycloak/keycloak/issues/40139) Incorrect placeholder for "delete multiple users" title in German translation
translations
- [#40151](https://github.com/keycloak/keycloak/issues/40151) Avoid unbalanced curly braces in message properties
translations
- [#40159](https://github.com/keycloak/keycloak/issues/40159) Brute force detection permanent lockout flag not shown for users auto-unlocked after temporary lockout
admin/ui
- [#40171](https://github.com/keycloak/keycloak/issues/40171) SQL error when logging in for first time (per user) after Keycloak upgrade
core
- [#40180](https://github.com/keycloak/keycloak/issues/40180) Admin UI doesn't show client names from resource bundle
admin/ui
- [#40187](https://github.com/keycloak/keycloak/issues/40187) Client Registration with fake scope
oidc
- [#40195](https://github.com/keycloak/keycloak/issues/40195) Documentation of Argon2 hash-length configuration property is incorrect.
authentication
- [#40213](https://github.com/keycloak/keycloak/issues/40213) `UserStorageManager.getUserById` called multiple times on `POST /realms/{realm}/protocol/{protocol}/token`
storage
- [#40232](https://github.com/keycloak/keycloak/issues/40232) Setting of `type` of `Argon2PasswordHashProviderFactory` is incorrect,
authentication
- [#40235](https://github.com/keycloak/keycloak/issues/40235) PasswordHashingTest#testPasswordRehashedWhenCredentialImportedWithDifferentKeySize fails to successfully log in
core
- [#40240](https://github.com/keycloak/keycloak/issues/40240) Capitalize each word of the string "security admin console"
- [#40253](https://github.com/keycloak/keycloak/issues/40253) Case sensitive Organization/IDP linking on domain
organizations
- [#40270](https://github.com/keycloak/keycloak/issues/40270) LDAP: error code 19 - pwdChangedTime: no user modification allowed
ldap
- #40284](https://github.com/href="https://github.com/keycloak/keycloak/issues/40284">/issues/40284) Webauthn policy data resets to previous state after binding flow
admin/ui
- #40303](https://github.com/href="https://github.com/keycloak/keycloak/issues/40303">/issues/40303) Account UI goBack link doesn't render when referrer query string is set
account/ui
- #40339](https://github.com/href="https://github.com/keycloak/keycloak/issues/40339">/issues/40339) [Keycloak CI] - Windows: local maven repository error
ci
- #40353](https://github.com/href="https://github.com/keycloak/keycloak/issues/40353">/issues/40353) Issue with Handling Negative Values in Certain Fields of Brute Force Detection
authentication
- #40360](https://github.com/href="https://github.com/keycloak/keycloak/issues/40360">/issues/40360) [Keycloak-Operator]: Rolling Updates -- Strategy=Auto, operator error keycloak-update-job is invalid -- Strategy=Explicit, operator always replaces
operator
- #40365](https://github.com/href="https://github.com/keycloak/keycloak/issues/40365">/issues/40365) Labeler fails to set version of parent issue
ci
- #40375](https://github.com/href="https://github.com/keycloak/keycloak/issues/40375">/issues/40375) Outdated information in HA Keycloak deployment
docs
- #40402](https://github.com/href="https://github.com/keycloak/keycloak/issues/40402">/issues/40402) Failing WebAuthn IT (chrome) / WebAuthnSigningInTest.passwordlessWebAuthnTest
authentication/webauthn
- #40408](https://github.com/href="https://github.com/keycloak/keycloak/issues/40408">/issues/40408) Multiple QuarkusJpaUpdaterProvider calls during boot
dist/quarkus
- #40423](https://github.com/href="https://github.com/keycloak/keycloak/issues/40423">/issues/40423) Missing highlighting of deprecated and disabled-by-default features
admin/ui
- [#40438](https://github.com/keycloak/keycloak/issues/40438) Unable to retrieve `attributes` with organization get members endpoint
admin/api
- [#40444](https://github.com/keycloak/keycloak/issues/40444) Link to dynamic client registration section is broken in docs
oidc
- [#40451](https://github.com/keycloak/keycloak/issues/40451) Compilation error in AbstractWebAuthnAccountTest
testsuite
- [#40474](https://github.com/keycloak/keycloak/issues/40474) WebAuthn Passwordless Policy Timeout Field Causes Syntax Error When Value Exceeds 1000 Seconds Due to Locale-Specific Number Formatting in FTL Generated JavaScript
adapter/javascript
- [#40479](https://github.com/keycloak/keycloak/issues/40479) Federation unlink failure message contains double single quotes
translations
- [#40483](https://github.com/keycloak/keycloak/issues/40483) Missing adjustment about offline session caches for volatile sessions
infinispan
- [#40494](https://github.com/keycloak/keycloak/issues/40494) On change of language, confirmation is shown in old language
account/ui
- [#40497](https://github.com/keycloak/keycloak/issues/40497) Creating a user profile attribute "displayName" does not work as expected.
user-profile
- [#40498](https://github.com/keycloak/keycloak/issues/40498) Account UI e2e tests do not run in CI
account/ui
- [#40514](https://github.com/keycloak/keycloak/issues/40514) Authentication flows documentation should match new GUI
docs
- [#40531](https://github.com/keycloak/keycloak/issues/40531) DefaultLazyLoader is not thread safe, but is used in a shared instance of CachedRealm
infinispan
- [#40542](https://github.com/keycloak/keycloak/issues/40542) Nightly build shows outdated information on the Keycloak website
docs
- [#40596](https://github.com/keycloak/keycloak/issues/40596) UI Customization missing footer example
admin/ui
- [#40598](https://github.com/keycloak/keycloak/issues/40598) Account console reports duplicate keys in development mode
account/ui
- [#40611](https://github.com/keycloak/keycloak/issues/40611) Negative expiration for token exchange using an offline session
token-exchange
- [#40632](https://github.com/keycloak/keycloak/issues/40632) Translation key missing from Greek translations.
translations
- [#40637](https://github.com/keycloak/keycloak/issues/40637) Front logout channel broken in 26.2.5 for saml
saml
- [#40663](https://github.com/keycloak/keycloak/issues/40663) Potential copy-paste issue in PersistentClientSessionEntity.java
storage
- [#40694](https://github.com/keycloak/keycloak/issues/40694) quarkus-next: update Quarkus snapshots url
dist/quarkus
- [#40695](https://github.com/keycloak/keycloak/issues/40695) Multiple resources that match same URI with different scope cause inconsistent authorization response
authorization-services
- [#40717](https://github.com/keycloak/keycloak/issues/40717) Allow passkeys login when user has no password credential
authentication/webauthn