Highlights
This release features new capabilities focused on security enhancements, deeper integration, and improved server administration. The highlights of this release are:
- Passkeys for seamless, passwordless authentication of users.
- Federated Client Authentication to use SPIFFE or Kubernetes service account tokens for client authentication.
- Simplified deployments across multiple availability zones to boost availability.
- FAPI 2 Final: Keycloak now supports the final specifications of FAPI 2.0 Security Profile and FAPI 2.0 Message Signing.
- DPoP: The OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP) is now fully supported. Improvements include the ability to bind only refresh tokens for public clients, and securing all Keycloak endpoints with DPoP tokens.
Read on to learn more about each new feature. If you are upgrading from a previous release, review also the changes listed in the upgrading guide.
Security and Standards
Passkeys integration (supported)
Passkeys are now seamlessly integrated in the Keycloak login forms using both conditional and modal UIs. To activate the integration in the realm, go to Authentication, Policies, Webauthn Passwordless Policy and switch Enable Passkeys to enabled.
For more information, see Passkeys.
FAPI 2 Final (supported)
Keycloak has support for the latest versions of FAPI 2 specifications. Specifications FAPI 2.0 Security Profile and FAPI 2.0 Message Signing are already promoted to Final and Keycloak supports them. Keycloak client policies support the final versions and corresponding client profiles for FAPI 2 are passing the FAPI conformance test suite.
Apart from some very minor polishing of existing policies, Keycloak has new client profiles (`fapi-2-dpop-security-profile` and `fapi-2-dpop-message-signing`) for the clients that use DPoP and are intended to be FAPI 2 compliant.
Thank you to Takashi Norimatsu for contributing this.
For more details, see the Securing applications Guides.
DPoP (supported)
Keycloak has support for OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP), which had been a preview feature since Keycloak 23. The supported version also includes the following improvements and additional capabilities of the DPoP feature:
- Possibility to DPoP-bind only the refresh tokens of a public client and omit the binding of the access token.
- All Keycloak endpoints that are secured by bearer token can now handle DPoP tokens. This includes, for example, the Admin REST API and Account REST API.
- Possibility to require the `dpop_jkt` parameter in the OIDC authentication request.
Thanks to Takashi Norimatsu and Dmitry Telegin for their contributions to the DPoP feature.
For more information, see the DPoP section in the documentation.
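As an added illustration of what DPoP validation on a bearer-secured endpoint involves (example code written for this page, not Keycloak's implementation), the following Python performs the binding checks of RFC 9449 after a JWT library has already verified the signatures of both the access token and the proof. The JWK coordinates, token string, URL and timestamps are constructed placeholders.

```python
"""DPoP proof-to-token binding checks for a protected endpoint (added example)."""
import base64
import hashlib
import json
import time


class DPoPError(Exception):
    """Raised when the DPoP proof does not bind to the presented access token."""


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 JWK thumbprint: SHA-256 over the lexically ordered required members."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n"), "OKP": ("crv", "kty", "x")}
    members = required[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members}, separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def strip_query_fragment(url: str) -> str:
    """htu is compared without query string and fragment (RFC 9449 section 4.3)."""
    return url.split("#", 1)[0].split("?", 1)[0]


def check_dpop_binding(access_claims, proof_header, proof_claims, access_token,
                       method, url, seen_jti, now=None, max_age=60):
    """Validate a DPoP proof against a DPoP-bound access token.

    Both JWT signatures are assumed to have been verified already. seen_jti is the
    caller's replay cache of proof identifiers accepted within the max_age window.
    """
    now = time.time() if now is None else now
    if proof_header.get("typ") != "dpop+jwt":
        raise DPoPError("proof typ must be dpop+jwt")
    jwk = proof_header.get("jwk")
    if not isinstance(jwk, dict) or "d" in jwk:
        raise DPoPError("proof must carry a public JWK (no private members)")
    if proof_claims.get("htm") != method.upper():
        raise DPoPError("htm does not match the request method")
    if proof_claims.get("htu") != strip_query_fragment(url):
        raise DPoPError("htu does not match the request URI")
    iat = proof_claims.get("iat")
    if not isinstance(iat, (int, float)) or abs(now - iat) > max_age:
        raise DPoPError("proof iat outside the acceptance window")
    jti = proof_claims.get("jti")
    if not jti or jti in seen_jti:
        raise DPoPError("missing or replayed jti")
    # ath ties the proof to this exact access token, not just to the key.
    expected_ath = b64url(hashlib.sha256(access_token.encode("ascii")).digest())
    if proof_claims.get("ath") != expected_ath:
        raise DPoPError("ath does not hash the presented access token")
    jkt = (access_claims.get("cnf") or {}).get("jkt")
    if jkt is None:
        raise DPoPError("access token is not DPoP-bound (no cnf.jkt)")
    if jkt != jwk_thumbprint(jwk):
        raise DPoPError("proof key does not match cnf.jkt of the access token")
    seen_jti.add(jti)
    return True


# Constructed sample data: the JWK coordinates are placeholders, not a real curve
# point, and the access token string stands in for the compact JWS an issuer returns.
CLIENT_JWK = {"kty": "EC", "crv": "P-256", "x": "c29tZS14LWNvb3JkaW5hdGU", "y": "c29tZS15LWNvb3JkaW5hdGU"}
OTHER_JWK = {"kty": "EC", "crv": "P-256", "x": "YW5vdGhlci14", "y": "YW5vdGhlci15"}
ACCESS_TOKEN = "eyJhbGciOiJFUzI1NiJ9.constructed-payload.constructed-signature"
ACCESS_CLAIMS = {"sub": "admin", "cnf": {"jkt": jwk_thumbprint(CLIENT_JWK)}}
NOW = 1_700_000_000
URL = "https://kc.example.test/admin/realms/master/users?first=0"


def make_proof(jwk, jti="proof-1", url=URL, now=NOW):
    """Build the decoded header and claims of a DPoP proof for a GET on url."""
    header = {"typ": "dpop+jwt", "alg": "ES256", "jwk": jwk}
    claims = {"jti": jti, "htm": "GET", "htu": strip_query_fragment(url), "iat": now,
              "ath": b64url(hashlib.sha256(ACCESS_TOKEN.encode("ascii")).digest())}
    return header, claims


def outcome(header, claims, seen, method="GET", url=URL, now=NOW):
    try:
        return check_dpop_binding(ACCESS_CLAIMS, header, claims, ACCESS_TOKEN, method, url, seen, now)
    except DPoPError as exc:
        return str(exc)


def run_checks():
    """Accept one valid proof, then reject replay, key mismatch, wrong method and stale proof."""
    seen = set()
    good = make_proof(CLIENT_JWK)
    return {
        "valid": outcome(*good, seen),
        "replay": outcome(*good, seen),
        "wrong_key": outcome(*make_proof(OTHER_JWK, jti="proof-2"), seen),
        "wrong_method": outcome(*make_proof(CLIENT_JWK, jti="proof-3"), seen, method="DELETE"),
        "stale": outcome(*make_proof(CLIENT_JWK, jti="proof-4", now=NOW - 600), seen),
    }
```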
FIPS 140-2 mode now supports EdDSA
With the upgrade to Bouncy Castle 2.1.x, the algorithm EdDSA can now be used.
Listing supported OAuth standards on one page
A new guide lists all implemented OpenID Connect related specifications. Thank you to Takashi Norimatsu for contributing this.
Integration
Federated client authentication (preview)
Identity providers are now able to federate client authentication. This allows clients to authenticate with SPIFFE JWT SVIDs, Kubernetes service account tokens, or tokens issued by an OpenID Connect identity provider.
Automatic certificate management for SAML clients
SAML clients can now be configured to automatically download the signing and encryption certificates from the SP entity metadata descriptor endpoint. To use this new feature, in the client Settings tab, section Signature and Encryption, configure the Metadata descriptor URL option (the URL where the SP metadata with the certificates is published) and activate Use metadata descriptor URL. The certificates are then automatically downloaded from that URL and cached in the `public-key-storage` SPI.
This also allows for seamless rotation of certificates.
For more information, see Creating a SAML client in the Server Administration Guide.
Serving as an authorization server in MCP
MCP (Model Context Protocol) is an open-source standard for connecting AI applications to external systems. Using MCP, AI applications can connect to data sources, tools and workflows enabling them to access key information and perform tasks.
To comply with the MCP specification, this version provides its OAuth 2.0 Server Metadata via a well-known URI whose format complies with the RFC 8414 OAuth 2.0 Authorization Server Metadata specification. Therefore, Keycloak users can now use Keycloak as an authorization server for MCP.
The latest MCP specification 2025-06-18 additionally requires support for resource indicators which are currently not implemented in Keycloak.
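As an added example (not Keycloak's or the MCP project's code), the following Python shows how an MCP client derives the RFC 8414 well-known URL for a Keycloak realm issuer and validates the returned metadata before trusting it, including the issuer-consistency check the RFC requires. The hostname, realm and metadata document are constructed samples.

```python
"""Discovery and validation of RFC 8414 authorization server metadata (added example)."""
import json
from urllib.parse import urlsplit

# Members required by RFC 8414 section 2, which an MCP client also needs for the
# authorization code flow.
REQUIRED_MEMBERS = ("issuer", "authorization_endpoint", "token_endpoint",
                    "response_types_supported")


def metadata_url(issuer: str) -> str:
    """RFC 8414 section 3: for an issuer with a path component (a Keycloak realm),
    the well-known segment is inserted between the host and that path."""
    parts = urlsplit(issuer)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("issuer must be an absolute https URL")
    path = parts.path.rstrip("/")
    return f"https://{parts.netloc}/.well-known/oauth-authorization-server{path}"


def validate_metadata(doc: dict, expected_issuer: str) -> list:
    """Return the problems found in the metadata; an empty list means it is usable."""
    problems = []
    for key in REQUIRED_MEMBERS:
        if key not in doc:
            problems.append(f"missing required member: {key}")
    # RFC 8414 section 3.3: the issuer value MUST equal the issuer identifier the
    # metadata was fetched for; otherwise a client could be steered to another
    # server's endpoints.
    if doc.get("issuer") != expected_issuer:
        problems.append("issuer does not match the issuer used for discovery")
    for key in ("authorization_endpoint", "token_endpoint"):
        if not str(doc.get(key, "")).startswith("https://"):
            problems.append(f"{key} is not an https URL")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow is not advertised")
    if "S256" not in doc.get("code_challenge_methods_supported", []):
        problems.append("PKCE with S256 is not advertised")
    return problems


# Constructed sample: the metadata a realm named "mcp" on a placeholder host would
# publish at /.well-known/oauth-authorization-server/realms/mcp.
ISSUER = "https://kc.example.test/realms/mcp"
SAMPLE_METADATA = json.loads("""{
  "issuer": "https://kc.example.test/realms/mcp",
  "authorization_endpoint": "https://kc.example.test/realms/mcp/protocol/openid-connect/auth",
  "token_endpoint": "https://kc.example.test/realms/mcp/protocol/openid-connect/token",
  "response_types_supported": ["code", "none", "id_token", "token"],
  "code_challenge_methods_supported": ["plain", "S256"]
}""")


def run_discovery_checks():
    """Validate the good document and one whose issuer was substituted."""
    substituted = dict(SAMPLE_METADATA, issuer="https://other.example.test/realms/mcp")
    return {
        "url": metadata_url(ISSUER),
        "good": validate_metadata(SAMPLE_METADATA, ISSUER),
        "substituted": validate_metadata(substituted, ISSUER),
    }
```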
Administration
Update Email Workflow (supported)
Users can now update their email addresses in a more secure and consistent flow. Accounts are forced to both re-authenticate and verify their emails before any account updates.
For more information, see Update Email Workflow.
This feature is currently preview, and expected to become supported in 26.5.
Optional email domain for organizations
In earlier versions, each organization required at least one email domain, which was a limitation for some scenarios. Starting with this release, an email domain is optional. Thank you to Alexis Rico for contributing this.
When no domain is specified, organization members will not be validated against domain restrictions during authentication and profile validation.
Hiding identity providers from the Account Console
You can now control which identity providers appear in the Account Console using the Show in Account console setting. You can choose to show only those linked with a user or hide them completely.
For more information, see General configuration.
Enforce recovery codes setup after setting up OTP
If you have enabled OTPs and recovery codes as a second factor for authentication, you can configure the OTP required action to ask users to set up recovery codes once they set up an OTP. Thank you to Niko Köbler for contributing this.
New conditional authenticator
The Conditional - credential is a new authenticator that checks if a specific credential type has been used (or not used) during the authentication process. This condition is related to the Passkeys feature. It is added by Keycloak to the default browser flow to skip 2FA in case a passkey was used to log in as the primary credential.
For more information about conditional flows, see Conditions in conditional flows.
Translations managed by Weblate
The Keycloak distribution now includes 35 community translations, with Kazakh, Azerbaijani and Slovenian added in this release. Community volunteers now maintain some of the translations in Weblate to keep them up to date.
If you want to volunteer to maintain an existing or a new translation via Weblate, you can find the necessary steps in the translation guidelines.
Configuring and Running
Enhancements for single-cluster and multi-cluster setups
This release renamed multi-site to multi-cluster. The updated documentation describes how Keycloak clusters can optionally be distributed across multiple availability zones within a region for increased availability. The Keycloak Operator now deploys Keycloak across multiple availability zones within a Kubernetes cluster by default. Keycloak also detects split-brain situations within a cluster.
This change should provide better availability for users who are running Keycloak in Kubernetes clusters that span multiple availability zones.
Support for additional databases and versions
With this release, we added support for the following new database vendors:
- EnterpriseDB (EDB) Advanced 17.6
- Azure SQL Database and Azure SQL Managed Instance
Where the previous documentation listed only the tested database versions, it now lists all the supported database versions as well.
Expose management interface via HTTP
Previous versions exposed the management endpoint only via HTTPS when the main interface was using HTTPS.
Set the new option `http-management-scheme` to `http` to have the management interface use HTTP rather than inheriting the HTTPS settings of the main interface.
This allows monitoring those endpoints in environments where no TLS client is available.
Expose health endpoints on the main HTTP(S) port
With `health-enabled` set to `true`, you may set `http-management-health-enabled` to `false` to indicate that health endpoints should be exposed on the main HTTP(S) port instead of the management port. When this option is `false`, you should block unwanted external traffic to `/health` at your proxy.
This allows using the health endpoints in environments where the load balancer might need access to those ports to direct traffic to the correct nodes.
Specify a `tlsSecret` on the Keycloak CR ingress spec
To support basic TLS termination (edge) deployments by the operator, you may now set the Keycloak CR `spec.ingress.tlsSecret` field to the name of a TLS Secret in the namespace.
Additional datasources configuration (supported)
Some Keycloak use cases like User Federation might require connecting to additional databases. This was possible only through specifying unsupported raw Quarkus properties in previous Keycloak versions. In this release, there are now dedicated server options for additional datasources. This allows users to leverage additional databases in their extensions in a supported and user-friendly way.
Read more about it in the Configure multiple datasources guide.
Observability
Operator creates a ServiceMonitor automatically
The Operator now provisions a `ServiceMonitor` for the management endpoint if metrics are enabled and the `monitoring.coreos.com/v1:ServiceMonitor` Custom Resource Definition is present on the Kubernetes cluster. The specification of the `ServiceMonitor` takes into account the various management endpoint configurations, to ensure that metrics can be scraped without any additional configuration. If you do not want a `ServiceMonitor` to be created, you can disable this by setting `spec.serviceMonitor.enabled: false`. For more details, see the Operator Guide.
HTTP access logging of incoming HTTP requests
Keycloak supports HTTP access logging to record details of incoming HTTP requests. While access logs are often used for debugging and traffic analysis, they are also important for security auditing and compliance monitoring.
For more information, see Configuring logging.
Showing context information in log messages (preview)
You can now add context information, such as the realm or the client that initiated the request, to each log message via the mapped diagnostic context (MDC). This helps you track down a warning or error message in the log to a specific caller or environment. Thank you to Björn Eickvonder for contributing this.
For more details on this opt-in feature, see Configuring logging.
Upgrading
Before upgrading, refer to the migration guide for a complete list of changes.
All resolved issues
New features
- [#19732](https://github.com/keycloak/keycloak/issues/19732) "linked-accounts" endpoint displays all Identity providers (account/api)
- [#40237](https://github.com/keycloak/keycloak/issues/40237) Add option "Requires short state parameter" to OIDC IDP (authentication)
- [#40696](https://github.com/keycloak/keycloak/issues/40696) Wrap deprecated passkeys authenticator behind the feature (authentication/webauthn)
- [#41316](https://github.com/keycloak/keycloak/issues/41316) Test suites config for the new test framework (test-framework)
- [#41357](https://github.com/keycloak/keycloak/issues/41357) Disable tests for specific databases and servers in test framework (test-framework)
- [#42313](https://github.com/keycloak/keycloak/issues/42313) Experimental SPIFFE identity provider
- [#42742](https://github.com/keycloak/keycloak/issues/42742) Supported EnterpriseDB Advanced 17
- [#42743](https://github.com/keycloak/keycloak/issues/42743) Supported Azure SQL
Enhancements
- [#10063](https://github.com/keycloak/keycloak/issues/10063) Display transport media for WebAuthn authenticators in Account console (account/ui)
- [#14644](https://github.com/keycloak/keycloak/issues/14644) External IDP tokens are not refreshed automatically for OAuth2 & OIDC IDPs when retrieving the external token (identity-brokering)
- [#17028](https://github.com/keycloak/keycloak/issues/17028) SAML: Adapter SP seamless certificate rotation (saml)
- [#19213](https://github.com/keycloak/keycloak/issues/19213) Allow enabling debug and verbose via environment variables (dist/quarkus)
- [#21816](https://github.com/keycloak/keycloak/issues/21816) Expose Keycloak config errors in the Keycloak CR status field (operator)
- [#22730](https://github.com/keycloak/keycloak/issues/22730) REST API returns different amount of users (admin/api)
- [#23972](https://github.com/keycloak/keycloak/issues/23972) Improve handling config options in scripts preventing re-augmentation
- [#25668](https://github.com/keycloak/keycloak/issues/25668) Remove duplication of MP config initialization (dist/quarkus)
- [#26277](https://github.com/keycloak/keycloak/issues/26277) DPoP: Allow to only DPoP-bind refresh tokens and still issue access tokens of type Bearer (oidc)
- [#26995](https://github.com/keycloak/keycloak/issues/26995) Bad performance when requesting events of a user
- [#27025](https://github.com/keycloak/keycloak/issues/27025) Move import/export validation to the Property Mappers (dist/quarkus)
- [#28846](https://github.com/keycloak/keycloak/issues/28846) Allow the target attribute on in the kcSanitize (core)
- [#29295](https://github.com/keycloak/keycloak/issues/29295) Exact match in users/count
- [#30095](https://github.com/keycloak/keycloak/issues/30095) High Availability guides should make distinction between single-site and multi-site deployments (docs)
- [#31285](https://github.com/keycloak/keycloak/issues/31285) Make domains for organisations optional
- [#32129](https://github.com/keycloak/keycloak/issues/32129) Automatically create external caches for MULTI_SITE deployments
- [#32569](https://github.com/keycloak/keycloak/issues/32569) Verify email when using UPDATE_EMAIL action without depending on realm wide setting
- [#33942](https://github.com/keycloak/keycloak/issues/33942) Make sure Keycloak endpoints have DPoP validation (oidc)
- [#34114](https://github.com/keycloak/keycloak/issues/34114) Operator: Support ConfigMaps for `Keycloak.spec.truststores`
- [#34206](https://github.com/keycloak/keycloak/issues/34206) Move to single approach for setting `Robots` specifications: prefer `X-Robots-Tag` header to `<meta>` tags (core)
- [#34244](https://github.com/keycloak/keycloak/issues/34244) Enable branding without code changes
- [#34777](https://github.com/keycloak/keycloak/issues/34777) [Operator] Use TLS secret for Ingress (operator)
- [#35441](https://github.com/keycloak/keycloak/issues/35441) Add FAPI 2.0 + DPoP security profile as default profile of client policies (oidc)
- [#36160](https://github.com/keycloak/keycloak/issues/36160) Default values for User attributes.
- [#36268](https://github.com/keycloak/keycloak/issues/36268) Configuration is not available outside of quarkus modules
- [#37363](https://github.com/keycloak/keycloak/issues/37363) Allow custom labels on Operator Ingress (operator)
- [#37600](https://github.com/keycloak/keycloak/issues/37600) Experimental support for authenticating clients with Kubernetes Service Accounts
- [#38126](https://github.com/keycloak/keycloak/issues/38126) Improve documentation for the HEALTHCHECK Dockerfile directive (docs)
- [#38897](https://github.com/keycloak/keycloak/issues/38897) Add WASM support to the MimeTypeUtil
- [#39293](https://github.com/keycloak/keycloak/issues/39293) [OID4VCI] Update credential format identifier of SD-JWT VCs from `vc+sd-jwt` to `dc+sd-jwt` (oid4vc)
- [#39299](https://github.com/keycloak/keycloak/issues/39299) Improve docs, and possibly defaults, around ldap pooling
- [#39342](https://github.com/keycloak/keycloak/issues/39342) Description for using too many threads / connections is incomplete (core)
- [#39658](https://github.com/keycloak/keycloak/issues/39658) OpenTelemetry Tracing: Visualize JGroups communication (infinispan)
- [#39812](https://github.com/keycloak/keycloak/issues/39812) Add filter to include/fill MDC with request specific data for json logging
- [#40061](https://github.com/keycloak/keycloak/issues/40061) Redundant null-checks. SAST
- [#40067](https://github.com/keycloak/keycloak/issues/40067) Always null field in KeySelectorUtilizingKeyNameHint. SAST
- [#40069](https://github.com/keycloak/keycloak/issues/40069) Possible dereference of Null
- [#40226](https://github.com/keycloak/keycloak/issues/40226) Review and update the documentation regarding the UPDATE EMAIL feature
- [#40227](https://github.com/keycloak/keycloak/issues/40227) Make UPDATE_EMAIL a supported feature
- [#40231](https://github.com/keycloak/keycloak/issues/40231) Improve javadoc for admin-client methods with injecting own resteasyClient (admin/client-java)
- [#40296](https://github.com/keycloak/keycloak/issues/40296) Update docs how to verify that a cluster has formed
- [#40377](https://github.com/keycloak/keycloak/issues/40377) Allow to expose IDP custom config values to Keycloak themes
- [#40388](https://github.com/keycloak/keycloak/issues/40388) Write documentation for additional datasources (docs)
- [#40406](https://github.com/keycloak/keycloak/issues/40406) Create ServiceMonitor via KC Operator
- [#40464](https://github.com/keycloak/keycloak/issues/40464) Improve extensibility of custom AccountConsole endpoint handling (account/ui)
- [#40481](https://github.com/keycloak/keycloak/issues/40481) Provide CLI Parameters for jgroups.* options (infinispan)
- [#40592](https://github.com/keycloak/keycloak/issues/40592) Upgrade to the Quarkus 3.24.2 version (dist/quarkus)
- [#40619](https://github.com/keycloak/keycloak/issues/40619) When editing protocol mappers, shows required properties (admin/ui)
- [#40629](https://github.com/keycloak/keycloak/issues/40629) Signs of fall-through behavior. SAST
- [#40630](https://github.com/keycloak/keycloak/issues/40630) Double check when working with multithreading. SAST
- [#40659](https://github.com/keycloak/keycloak/issues/40659) Possible Dereference of Null. SAST
- [#40660](https://github.com/keycloak/keycloak/issues/40660) Resources leak. SAST
- [#40677](https://github.com/keycloak/keycloak/issues/40677) Redundant null checks - operator new. SAST
- [#40683](https://github.com/keycloak/keycloak/issues/40683) Remove workaround for handling Syslog counting framing
- [#40687](https://github.com/keycloak/keycloak/issues/40687) Remove workaround for PostgreSQL and Liquibase
- [#40739](https://github.com/keycloak/keycloak/issues/40739) Avoid floating promises in UI code (account/ui)
- [#40761](https://github.com/keycloak/keycloak/issues/40761) Change naming for disabling additional datasource
- [#40792](https://github.com/keycloak/keycloak/issues/40792) Changing default passwordless webauthn policy to follow recommended values in the documentation (authentication/webauthn)
- [#40851](https://github.com/keycloak/keycloak/issues/40851) Upgrade to Infinispan 15.0.16.Final
- [#40855](https://github.com/keycloak/keycloak/issues/40855) External-internal token exchange independent from FGAP v1 (token-exchange/federated)
- [#40858](https://github.com/keycloak/keycloak/issues/40858) Check cluster is correctly formed in ClusteredKeycloakServer (test-framework)
- [#40874](https://github.com/keycloak/keycloak/issues/40874) Update code and documentation for import of a new realm
- [#40875](https://github.com/keycloak/keycloak/issues/40875) Improve memory footprint of single file realm import
- [#40923](https://github.com/keycloak/keycloak/issues/40923) Compliant with RFC8414, return server metadata at /.well-known/oauth-authorization-server/realms/{realm} (core)
- [#40926](https://github.com/keycloak/keycloak/issues/40926) More secure call of Facebook debug token (token-exchange/federated)
- [#40933](https://github.com/keycloak/keycloak/issues/40933) Allow configure encryption details for SAML clients (saml)
- [#40962](https://github.com/keycloak/keycloak/issues/40962) Update limitations of the preview feature rolling updates for patch releases (infinispan)
- [#40970](https://github.com/keycloak/keycloak/issues/40970) Run clustering compatibility tests on release/x.y branches
- [#41014](https://github.com/keycloak/keycloak/issues/41014) Operator auto update hash (operator)
- [#41022](https://github.com/keycloak/keycloak/issues/41022) Allow Features to declare that they support Rolling upgrades
- [#41034](https://github.com/keycloak/keycloak/issues/41034) Improve logging for client sessions load
- [#41045](https://github.com/keycloak/keycloak/issues/41045) Update email feature only enabled if the required action is enabled at the realm
- [#41074](https://github.com/keycloak/keycloak/issues/41074) Import client sessions into Infinispan concurrently for persistent sessions
- [#41119](https://github.com/keycloak/keycloak/issues/41119) FAPI 2.0 Security Profile Final - only accept its issuer identifier value as a string in the aud claim received in client authentication assertions (oidc)
- [#41120](https://github.com/keycloak/keycloak/issues/41120) FAPI 2.0 Security Profile Final - Add FAPI 2.0 Final security profile as default profile of client policies (oidc)
- [#41121](https://github.com/keycloak/keycloak/issues/41121) FAPI 2.0 Security Profile Final - Documentation (oidc)
- [#41138](https://github.com/keycloak/keycloak/issues/41138) Implement CompatibilityMetadataProvider for Cache CLI args
- [#41151](https://github.com/keycloak/keycloak/issues/41151) Update Traditional Chinese locale to latest version
- [#41161](https://github.com/keycloak/keycloak/issues/41161) Require setting DB kind for additional datasources (dist/quarkus)
- [#41172](https://github.com/keycloak/keycloak/issues/41172) Upgrade to Quarkus 3.24.3
- [#41176](https://github.com/keycloak/keycloak/issues/41176) Document supported OIDC/OAuth2 standards (oidc)
- [#41186](https://github.com/keycloak/keycloak/issues/41186) Upgrade to Quarkus 3.25.0 (dist/quarkus)
- [#41192](https://github.com/keycloak/keycloak/issues/41192) Improve handling of datasource name specified in `persistence.xml` files (dist/quarkus)
- [#41208](https://github.com/keycloak/keycloak/issues/41208) MDC logging should contain the authentication session and user session ID
- [#41214](https://github.com/keycloak/keycloak/issues/41214) Document configuration changes that prevent rolling updates
- [#41219](https://github.com/keycloak/keycloak/issues/41219) Document spi-user-sessions--infinispan--use-batches
- [#41222](https://github.com/keycloak/keycloak/issues/41222) Provide DB SQL options support for additional datasources (dist/quarkus)
- [#41229](https://github.com/keycloak/keycloak/issues/41229) Remove obsolete code for the Liquibase LogHistoryService (core)
- [#41239](https://github.com/keycloak/keycloak/issues/41239) Migrate to zh-Hans / zh-Hant for simplified and traditional Chinese (translations)
- [#41246](https://github.com/keycloak/keycloak/issues/41246) Upgrade to Quarkus 3.24.4 (dist/quarkus)
- [#41257](https://github.com/keycloak/keycloak/issues/41257) Upgrade to Infinispan 15.0.18.Final (infinispan)
- [#41259](https://github.com/keycloak/keycloak/issues/41259) Passkeys support in IdpUsernamePasswordForm (authentication/webauthn)
- [#41283](https://github.com/keycloak/keycloak/issues/41283) Update ua-parser to 1.6.1
- [#41293](https://github.com/keycloak/keycloak/issues/41293) Remove obsolete Liquibase FK snapshot generator (storage)
- [#41297](https://github.com/keycloak/keycloak/issues/41297) Implement CompatibilityMetadataProvider for DB options
- [#41303](https://github.com/keycloak/keycloak/issues/41303) Allow for health check on main interface
- [#41312](https://github.com/keycloak/keycloak/issues/41312) FAPI 2.0 Message Signing Final - Add FAPI 2.0 Final message signing as default profile of client policies (oidc)
- [#41313](https://github.com/keycloak/keycloak/issues/41313) FAPI 2.0 Message Signing Final - Documentation (oidc)
- [#41328](https://github.com/keycloak/keycloak/issues/41328) Utilise table to display Features
- [#41335](https://github.com/keycloak/keycloak/issues/41335) Kerberos "Server Principal" value should automatically trim leading/trailing whitespace
- [#41352](https://github.com/keycloak/keycloak/issues/41352) Provide simple HTTP access logs (dist/quarkus)
- [#41354](https://github.com/keycloak/keycloak/issues/41354) Avoid OTP when logging in with passkey
- [#41374](https://github.com/keycloak/keycloak/issues/41374) Upgrade to Quarkus 3.24.5 (dist/quarkus)
- [#41405](https://github.com/keycloak/keycloak/issues/41405) Add log details about client assertion for client authentication with Client-JWT
- [#41455](https://github.com/keycloak/keycloak/issues/41455) Adds TiDB into the database test matrix
- [#41459](https://github.com/keycloak/keycloak/issues/41459) Query parameter "claims" not forwarded to external provider (identity-brokering)
- [#41551](https://github.com/keycloak/keycloak/issues/41551) Support for key size 3072 in rsa-generated key providers
- [#41556](https://github.com/keycloak/keycloak/issues/41556) Switch passkeys to supported (authentication/webauthn)
- [#41557](https://github.com/keycloak/keycloak/issues/41557) Update passkeys documentation after they are supported (docs)
- [#41558](https://github.com/keycloak/keycloak/issues/41558) Ensure cache configuration has correct number of owners
- [#41559](https://github.com/keycloak/keycloak/issues/41559) Simplify Cache Configuration file by removing built-in cache configurations
- [#41561](https://github.com/keycloak/keycloak/issues/41561) Detect and handle KC split brain clusters
- [#41585](https://github.com/keycloak/keycloak/issues/41585) Refactor high-availability guide to include both single and multi cluster architectures
- [#41613](https://github.com/keycloak/keycloak/issues/41613) Ability to display 'authenticator provider' of the WebAuthn credential (authentication/webauthn)
- [#41625](https://github.com/keycloak/keycloak/issues/41625) Login[v2]: "Update email" screen is not polished (login/ui)
- [#41666](https://github.com/keycloak/keycloak/issues/41666) Default to stretched clusters on Kubernetes when possible
- [#41670](https://github.com/keycloak/keycloak/issues/41670) Allow forwarding the `claims` parameter from the initial authorization request to brokered OPs
- [#41717](https://github.com/keycloak/keycloak/issues/41717) Upgrade to Quarkus 3.25.2 (dist/quarkus)
- [#41729](https://github.com/keycloak/keycloak/issues/41729) Define default topologySpreadConstraints
- [#41765](https://github.com/keycloak/keycloak/issues/41765) Add Azerbaijani translations (translations)
- [#41766](https://github.com/keycloak/keycloak/issues/41766) Add the ability to set arbitrary environment variables in Keycloak CR
- [#41820](https://github.com/keycloak/keycloak/issues/41820) Add a warning about provider jars
- [#41831](https://github.com/keycloak/keycloak/issues/41831) Improve autocomplete on mobile for OTP field
- [#41836](https://github.com/keycloak/keycloak/issues/41836) Add config option to Configure OTP action to automatically add RecoveryCodes action upon OTP creation.
- [#41837](https://github.com/keycloak/keycloak/issues/41837) Remove OIDCLoginProtocolService.certsHead() (oidc)
- [#41870](https://github.com/keycloak/keycloak/issues/41870) Kazakh (kk) locale support with translations (translations)
- [#41898](https://github.com/keycloak/keycloak/issues/41898) Clarify the documentation on automatic database schema downgrades (core)
- [#41901](https://github.com/keycloak/keycloak/issues/41901) FGAP v2: RESET_PASSWORD capability for USERS
- [#41933](https://github.com/keycloak/keycloak/issues/41933) Configure topology information in Infinispan
- [#41934](https://github.com/keycloak/keycloak/issues/41934) Infinispan 15.0.19.Final
- [#41950](https://github.com/keycloak/keycloak/issues/41950) Log applied cache configurations as part of debug logs
- [#42016](https://github.com/keycloak/keycloak/issues/42016) More flexible handling of params, headers and entities for SimpleHTTP
- [#42030](https://github.com/keycloak/keycloak/issues/42030) Could the list of supported DPoP algorithms be dynamically retrieved? (oidc)
- [#42031](https://github.com/keycloak/keycloak/issues/42031) Minor enhancements in the DPoP related codebase
oidc
- #42032](https://github.com/href="https://github.com/keycloak/keycloak/issues/42032">/issues/42032) Switch DPoP feature to supported
oidc
- #42047](https://github.com/href="https://github.com/keycloak/keycloak/issues/42047">/issues/42047) Skip configuring `jdbc-ping` stack in local mode
- #42094](https://github.com/href="https://github.com/keycloak/keycloak/issues/42094">/issues/42094) keycloak oob (out-of-band) copy button
login/ui
- #42096](https://github.com/href="https://github.com/keycloak/keycloak/issues/42096">/issues/42096) Concurrently update the remote caches
- #42180](https://github.com/href="https://github.com/keycloak/keycloak/issues/42180">/issues/42180) Cache UserAgent parsing result
- #42186](https://github.com/href="https://github.com/keycloak/keycloak/issues/42186">/issues/42186) Document network latency requirements for stretched clusters
- #42191](https://github.com/href="https://github.com/keycloak/keycloak/issues/42191">/issues/42191) Document mtls considerations for probes
- #42203](https://github.com/href="https://github.com/keycloak/keycloak/issues/42203">/issues/42203) Upgrade to Quarkus 3.27 LTS
- #42269](https://github.com/href="https://github.com/keycloak/keycloak/issues/42269">/issues/42269) Some 409 API responses are missing from the OpenAPI spec
core
- #42274](https://github.com/href="https://github.com/keycloak/keycloak/issues/42274">/issues/42274) Session IDs and auth codes have less than 128 bits of entropy
- #42283](https://github.com/href="https://github.com/keycloak/keycloak/issues/42283">/issues/42283) More efficient secure ID generator
- #42286](https://github.com/href="https://github.com/keycloak/keycloak/issues/42286">/issues/42286) Support EdDSA for DPoP
oidc
- #42293](https://github.com/href="https://github.com/keycloak/keycloak/issues/42293">/issues/42293) Set Liquibase DB type based on the `db` option
storage
- #42300](https://github.com/href="https://github.com/keycloak/keycloak/issues/42300">/issues/42300) Validate wait_timeout parameter on MySQL and MariaDB
- #42304](https://github.com/href="https://github.com/keycloak/keycloak/issues/42304">/issues/42304) Document tested and supported configurations for single-cluster deployments
- #42305](https://github.com/href="https://github.com/keycloak/keycloak/issues/42305">/issues/42305) Document that single-cluster deployments expect all Keycloak instances to serve traffic
- #42308](https://github.com/href="https://github.com/keycloak/keycloak/issues/42308">/issues/42308) Support Aurora PostgreSQL 17.5 in Keycloak's nightly run
- #42342](https://github.com/href="https://github.com/keycloak/keycloak/issues/42342">/issues/42342) Upgrade to Quarkus 3.26.2
dist/quarkus
- #42356](https://github.com/href="https://github.com/keycloak/keycloak/issues/42356">/issues/42356) Support MariaDB 11.8 LTS
- #42358](https://github.com/href="https://github.com/keycloak/keycloak/issues/42358">/issues/42358) Remove usage of the term "stretched" from single-cluster HA guides
- #42374](https://github.com/href="https://github.com/keycloak/keycloak/issues/42374">/issues/42374) Concurrent update embedded caches and database
- #42381](https://github.com/href="https://github.com/keycloak/keycloak/issues/42381">/issues/42381) [RLM] - Validate actions that support aggregating actions
- #42382](https://github.com/href="https://github.com/keycloak/keycloak/issues/42382">/issues/42382) [RLM] - Immediate policies should not allow setting a time to their actions
- #42384](https://github.com/href="https://github.com/keycloak/keycloak/issues/42384">/issues/42384) [RLM] Allow adding and removing actions to existing policies
- #42385](https://github.com/href="https://github.com/keycloak/keycloak/issues/42385">/issues/42385) [RLM] Scheduled time of actions should be based on the previous action
- #42389](https://github.com/href="https://github.com/keycloak/keycloak/issues/42389">/issues/42389) [RLM] Review the available event names to makre more explicit the resource type and the operation they are related to
- #42392](https://github.com/href="https://github.com/keycloak/keycloak/issues/42392">/issues/42392) Link to quay IO website for the Keycloak image in upstream
docs
- #42409](https://github.com/href="https://github.com/keycloak/keycloak/issues/42409">/issues/42409) Wrong form to enter username and password for an unknown user
organizations
- #42499](https://github.com/href="https://github.com/keycloak/keycloak/issues/42499">/issues/42499) Follow-up: FAPI 2.0 Message Signing final version support - updating the link to the final spec
oidc
- #42525](https://github.com/href="https://github.com/keycloak/keycloak/issues/42525">/issues/42525) Catch specific expeception and add logging when there is no active request context
- #42532](https://github.com/href="https://github.com/keycloak/keycloak/issues/42532">/issues/42532) Edit Keycloak 26.4 release notes
- #42547](https://github.com/href="https://github.com/keycloak/keycloak/issues/42547">/issues/42547) Replace UUID with composite key for client session cache
infinispan
- #42564](https://github.com/href="https://github.com/keycloak/keycloak/issues/42564">/issues/42564) Edit Keycloak 26.4 Upgrading Guide
- #42628](https://github.com/href="https://github.com/keycloak/keycloak/issues/42628">/issues/42628) Lazy load client sessions
- #42697](https://github.com/href="https://github.com/keycloak/keycloak/issues/42697">/issues/42697) [RLM] - Improve the Workflow JSON schema
- #42705](https://github.com/href="https://github.com/keycloak/keycloak/issues/42705">/issues/42705) Document Caffeine cache metrics
- #42728](https://github.com/href="https://github.com/keycloak/keycloak/issues/42728">/issues/42728) DPoP: documentation update
oidc
- #42733](https://github.com/href="https://github.com/keycloak/keycloak/issues/42733">/issues/42733) Test JDK 25 in CI
ci
- #42740](https://github.com/href="https://github.com/keycloak/keycloak/issues/42740">/issues/42740) Possibility to enforce authorization code binding to DPoP
oidc
- #42746](https://github.com/href="https://github.com/keycloak/keycloak/issues/42746">/issues/42746) Polishing of client switch on DPoP
oidc
- #42751](https://github.com/href="https://github.com/keycloak/keycloak/issues/42751">/issues/42751) Allow EdDSA keys in the JWTClientCredentialsProvider to authenticate clients
core
- #42755](https://github.com/href="https://github.com/keycloak/keycloak/issues/42755">/issues/42755) [OID4VCI] Filter supported_enc_algorithms to only include asymmetric algorithms
oid4vc
- #42756](https://github.com/href="https://github.com/keycloak/keycloak/issues/42756">/issues/42756) Add missing Swedish translation for login theme
- #42888](https://github.com/href="https://github.com/keycloak/keycloak/issues/42888">/issues/42888) [RLM] - Allow defining steps in a workflow that can run immediate or scheduled
- #42916](https://github.com/href="https://github.com/keycloak/keycloak/issues/42916">/issues/42916) [RLM] - Dot not allow updates to workflow properties that impact the scheduled steps
workflows
- #42927](https://github.com/href="https://github.com/keycloak/keycloak/issues/42927">/issues/42927) Update OID4VCI documentation with new .well-known URL format
oid4vc
- #42955](https://github.com/href="https://github.com/keycloak/keycloak/issues/42955">/issues/42955) Use JDK 25 Temurin in GHA CI
ci
- #43017](https://github.com/href="https://github.com/keycloak/keycloak/issues/43017">/issues/43017) OID4VCI in the release notes for 26.4.0
docs
- #43035](https://github.com/href="https://github.com/keycloak/keycloak/issues/43035">/issues/43035) Allow setting max age to the update email action
Bugs
- [#26972](https://github.com/keycloak/keycloak/issues/26972) NginxProxySslClientCertificateLookupFactory unable to work with custom trust stores
core
- [#35825](https://github.com/keycloak/keycloak/issues/35825) Per client session idle time capped by realm level client idle timeout
core
- [#35932](https://github.com/keycloak/keycloak/issues/35932) Importing a realm takes more than 1 minute when multiple others exist.
dist/quarkus
- [#36716](https://github.com/keycloak/keycloak/issues/36716) invalid_request when authenticating using PAR (Pushed Authorization Request) while Kerberos is enabled
authentication
- [#38016](https://github.com/keycloak/keycloak/issues/38016) User session limit exceeded for both realm and client removes the wrong session
core
- [#38556](https://github.com/keycloak/keycloak/issues/38556) Consistent behaviour for User API getUsers and count
admin/api
- [#38924](https://github.com/keycloak/keycloak/issues/38924) `--debug` does not work with docker container version of Keycloak
core
- [#38928](https://github.com/keycloak/keycloak/issues/38928) Can't install Keycloak Operator on OpenShift via OperatorHub on ARM
operator
- [#39079](https://github.com/keycloak/keycloak/issues/39079) AuthenticationFlowException when a user tries a password grant using a service account
authentication
- [#39091](https://github.com/keycloak/keycloak/issues/39091) Flaky test: org.keycloak.testsuite.cluster.JGroupsCertificateRotationClusterTest#testCoordinatorHasScheduleTask
ci
- [#39122](https://github.com/keycloak/keycloak/issues/39122) Export fails with an unexpected error if the realm does not exist
core
- [#39608](https://github.com/keycloak/keycloak/issues/39608) Getting Keycloak exception with request 500 status code on /account with semicolon in URL
dist/quarkus
- [#39609](https://github.com/keycloak/keycloak/issues/39609) Users searchAttributes broken for empty value
admin/client-java
- [#39766](https://github.com/keycloak/keycloak/issues/39766) [Keycloak Operator CI] - Test local apiserver - Kube API Server did not start properly
ci
- [#39854](https://github.com/keycloak/keycloak/issues/39854) Flaky test: org.keycloak.testsuite.cluster.PermissionTicketInvalidationClusterTest#crudWithFailover
ci
- [#39864](https://github.com/keycloak/keycloak/issues/39864) IdP redirect fails when user belongs to multiple organizations with organization:* scope
organizations
- [#40160](https://github.com/keycloak/keycloak/issues/40160) Action Tokens Copy Nonce Into JTI
core
- [#40192](https://github.com/keycloak/keycloak/issues/40192) REST Admin API - ClientsResource responds with 200 OK even when needed roles are missing
admin/api
- [#40368](https://github.com/keycloak/keycloak/issues/40368) NPE during loading user groups with concurrent deletion
storage
- [#40374](https://github.com/keycloak/keycloak/issues/40374) Random but frequent duplicate key value violates unique constraint "constraint_offl_us_ses_pk2" errors
authentication
- [#40383](https://github.com/keycloak/keycloak/issues/40383) KC should connect to a writer instance of PostgreSQL automatically
dist/quarkus
- [#40398](https://github.com/keycloak/keycloak/issues/40398) ModelDuplicateException on next login after deleting an account and back-channel logout
authentication
- [#40463](https://github.com/keycloak/keycloak/issues/40463) Login to Account Console produces two consecutive LOGIN events
account/ui
- [#40557](https://github.com/keycloak/keycloak/issues/40557) Uploading JSON import in UI causes extreme lag or entirely unresponsive page since 26.1
admin/ui
- [#40680](https://github.com/keycloak/keycloak/issues/40680) Inconsistency between UserModel.isMemberOf and RoleUtils.isMember (with LDAP involved)
authentication
- [#40713](https://github.com/keycloak/keycloak/issues/40713) Unable to configure TLS reloading in Keycloak version 26.2.0 or later
account/api
- [#40754](https://github.com/keycloak/keycloak/issues/40754) UserSession Offline removed from DB if not in cache
infinispan
- [#40782](https://github.com/keycloak/keycloak/issues/40782) Flaky test: org.keycloak.testsuite.cluster.RealmInvalidationClusterTest#crudWithFailover
ci
- [#40784](https://github.com/keycloak/keycloak/issues/40784) Default jdbc-ping cluster setup for distributed caches fails in Oracle
infinispan
- [#40786](https://github.com/keycloak/keycloak/issues/40786) Typo in Consent Scope Representation
account/api
- [#40788](https://github.com/keycloak/keycloak/issues/40788) Custom scope display name not shown in Account UI
account/ui
- [#40818](https://github.com/keycloak/keycloak/issues/40818) Identity provider links list is limited to 100 entries for a user in the admin UI
admin/ui
- [#40838](https://github.com/keycloak/keycloak/issues/40838) Mark options for additional datasources as preview
dist/quarkus
- [#40857](https://github.com/keycloak/keycloak/issues/40857) Unbounded login_hint Parameter Can Corrupt KC_RESTART Cookie and Break Login Flow
oidc
- [#40890](https://github.com/keycloak/keycloak/issues/40890) Keycloak Operator 26.3.0 fails to update to 26.3.0
operator
- [#40903](https://github.com/keycloak/keycloak/issues/40903) Proxy detection needs tweaking for insecure context warning
dist/quarkus
- [#40930](https://github.com/keycloak/keycloak/issues/40930) Docs: server_development/topics/themes.adoc
docs
- [#40932](https://github.com/keycloak/keycloak/issues/40932) [Operator] UpdateTest.testImageChange throws TimeoutException
operator
- [#40935](https://github.com/keycloak/keycloak/issues/40935) NPE thrown when encoding a token without having a client set in the session
oidc
- [#40945](https://github.com/keycloak/keycloak/issues/40945) Unclear documentation for setting management server as http when main server is https
dist/quarkus
- [#40954](https://github.com/keycloak/keycloak/issues/40954) Keycloak 26.3.0 Regression: Failed to login if web-authn is disabled
core
- [#40959](https://github.com/keycloak/keycloak/issues/40959) Update "Enabling and disabling features" documentation
docs
- [#40975](https://github.com/keycloak/keycloak/issues/40975) Make passkeys feature dependent on web_authn
authentication/webauthn
- [#40977](https://github.com/keycloak/keycloak/issues/40977) Loglevel recorded from build phase
dist/quarkus
- [#40980](https://github.com/keycloak/keycloak/issues/40980) Can't update security-admin-console via admin UI with volatile sessions
infinispan
- [#40984](https://github.com/keycloak/keycloak/issues/40984) Backchannel logout token with an unexpected signature algorithm key
oidc
- [#40995](https://github.com/keycloak/keycloak/issues/40995) LDAP / ModelException: At least one condition should be provided to OR query
core
- [#40997](https://github.com/keycloak/keycloak/issues/40997) Wildcard mappers should be implicitly handled and value propagated
dist/quarkus
- [#41008](https://github.com/keycloak/keycloak/issues/41008) Missing signin with passkeys feature when FORCED_REAUTHENTICATION = true
authentication/webauthn
- [#41018](https://github.com/keycloak/keycloak/issues/41018) Flaky test: org.keycloak.testsuite.cluster.ClientInvalidationClusterTest#crudWithFailover
ci
- [#41023](https://github.com/keycloak/keycloak/issues/41023) Can't send e-mails to international e-mail addresses: bad UTF-8 syntax
core
- [#41029](https://github.com/keycloak/keycloak/issues/41029) DOC: 'Running Keycloak in a Container' inconsistent
docs
- [#41035](https://github.com/keycloak/keycloak/issues/41035) Skip update email required action if email attribute is not writable
- [#41037](https://github.com/keycloak/keycloak/issues/41037) WebAuthN Setup: OperationError: A request is already pending.
authentication/webauthn
- [#41038](https://github.com/keycloak/keycloak/issues/41038) FIPS errors in CI
- [#41041](https://github.com/keycloak/keycloak/issues/41041) Able to create a client without entering Client ID
admin/ui
- [#41044](https://github.com/keycloak/keycloak/issues/41044) Federated users incorrectly listed on first load due to uninitialized userProfileProvidersEnabled
admin/ui
- [#41080](https://github.com/keycloak/keycloak/issues/41080) Permission evaluation for resource type Clients broken
admin/fine-grained-permissions
- [#41082](https://github.com/keycloak/keycloak/issues/41082) Multiple primary key defined when attempting to upgrade after 26.3.0
core
- [#41098](https://github.com/keycloak/keycloak/issues/41098) Locked out after upgrade to 26.3.1 due to missing sub in lightweight access token
core
- [#41103](https://github.com/keycloak/keycloak/issues/41103) Service Account users now showing in the User List
admin/ui
- [#41105](https://github.com/keycloak/keycloak/issues/41105) Unknown relation when removing realm role with --db-schema configured
storage
- [#41117](https://github.com/keycloak/keycloak/issues/41117) NUL byte characters are sent from query parameters to the database causing SQL exception
core
- [#41140](https://github.com/keycloak/keycloak/issues/41140) Blank Tab in Client Registration Access Policies
admin/ui
- [#41148](https://github.com/keycloak/keycloak/issues/41148) org.keycloak.authentication.forms.RegistrationPassword#validate -> java.lang.UnsupportedOperationException
authentication
- [#41152](https://github.com/keycloak/keycloak/issues/41152) Docs use em-dashes instead of double dashes for SPI options in regular text
docs
- [#41170](https://github.com/keycloak/keycloak/issues/41170) 'exp' and 'iat' missing from claims_supported entry in OpenID Endpoint Configuration
oidc
- [#41181](https://github.com/keycloak/keycloak/issues/41181) FAPI 2.0 Message Signing Final - PAR endpoint does not return an appropriate error regarding a request object
oidc
- [#41184](https://github.com/keycloak/keycloak/issues/41184) CVE-2025-48924 - Uncontrolled Recursion vulnerability in Apache Commons Lang
- [#41188](https://github.com/keycloak/keycloak/issues/41188) UserResources.addFederatedIdentity is missing OpenApi @Consumes annotation
admin/api
- [#41204](https://github.com/keycloak/keycloak/issues/41204) UpdateTest CI failures
ci
- [#41228](https://github.com/keycloak/keycloak/issues/41228) [quarkus-next] Migration tests failed for MySQL-based DB drivers
dist/quarkus
- [#41235](https://github.com/keycloak/keycloak/issues/41235) Group imports performance
import-export
- [#41242](https://github.com/keycloak/keycloak/issues/41242) Re-authentication with passkeys not easily possible
authentication/webauthn
- [#41268](https://github.com/keycloak/keycloak/issues/41268) `--optimized` flag and providers jar are incompatible when used with tools changing `last-modify-date`
dist/quarkus
- [#41287](https://github.com/keycloak/keycloak/issues/41287) Failing test in account console
account/ui
- [#41289](https://github.com/keycloak/keycloak/issues/41289) Account test failing
account/ui
- [#41290](https://github.com/keycloak/keycloak/issues/41290) Concurrent starts with JDBC_PING lead to a split cluster
infinispan
- [#41295](https://github.com/keycloak/keycloak/issues/41295) Avoid additional execution of Liquibase changelog lock table statement
storage
- [#41299](https://github.com/keycloak/keycloak/issues/41299) [quarkus-next] Missing comment generated by Liquibase executor in the custom script
storage
- [#41331](https://github.com/keycloak/keycloak/issues/41331) Prevent sending massive amount of emails if a user clicks multiple times to get a new verify email link
core
- [#41339](https://github.com/keycloak/keycloak/issues/41339) Add and delete bundle test failing
admin/ui
- [#41388](https://github.com/keycloak/keycloak/issues/41388) Welcome page creates a temporary user
core
- [#41390](https://github.com/keycloak/keycloak/issues/41390) JDBC_PING2 doesn't merge split clusters after a while
infinispan
- [#41418](https://github.com/keycloak/keycloak/issues/41418) Access to user details for restricted admin fails after enabling organization in realm
organizations
- [#41421](https://github.com/keycloak/keycloak/issues/41421) Broken link securing-cache-communication in caching docs
docs
- [#41423](https://github.com/keycloak/keycloak/issues/41423) Duplicate IDs in generated all configuration docs
docs
- [#41427](https://github.com/keycloak/keycloak/issues/41427) Parallel token exchange fails if client session is expired
token-exchange
- [#41466](https://github.com/keycloak/keycloak/issues/41466) [quarkus-next] @QuarkusTest fetches JARs again when executed
dist/quarkus
- [#41468](https://github.com/keycloak/keycloak/issues/41468) [quarkus-next] [windows] ClassNotFoundException: JvmOptionsBuilder
dist/quarkus
- [#41469](https://github.com/keycloak/keycloak/issues/41469) Uncaught exception causes unclosed spans in tracing
dist/quarkus
- [#41474](https://github.com/keycloak/keycloak/issues/41474) File choosing tests fail on Windows
admin/ui
- [#41488](https://github.com/keycloak/keycloak/issues/41488) Synchronize Maven surefire plugin with Quarkus
dist/quarkus
- [#41491](https://github.com/keycloak/keycloak/issues/41491) ExternalLinks are broken in documentation
docs
- [#41520](https://github.com/keycloak/keycloak/issues/41520) LDAP Import: KERBEROS_PRINCIPAL not updated when UserPrincipal changes and KERBEROS_PRINCIPAL was null on creation
ldap
- [#41532](https://github.com/keycloak/keycloak/issues/41532) LDAP Sync all users takes unexpectedly long in 26.3 (> 30 min)
ldap
- [#41537](https://github.com/keycloak/keycloak/issues/41537) Getting error 405 "Method Not Allowed" when calling the "certs" endpoint with HEAD method
oidc
- [#41598](https://github.com/keycloak/keycloak/issues/41598) Kerberos playwright test flaky
admin/ui
- [#41609](https://github.com/keycloak/keycloak/issues/41609) RejectImplicitGrantExecutor does not return an error when a PAR request includes Implicit or Hybrid response type
oidc
- [#41620](https://github.com/keycloak/keycloak/issues/41620) Typos and AsciiDoc formatting in token exchange
docs
- [#41624](https://github.com/keycloak/keycloak/issues/41624) Duplicate fields in RealmRepresentation in OpenAPI JSON file
docs
- [#41641](https://github.com/keycloak/keycloak/issues/41641) Cannot use `dev-file` for additional datasources
storage
- [#41643](https://github.com/keycloak/keycloak/issues/41643) Test SMTP connection fails when no port is specified
admin/api
- [#41648](https://github.com/keycloak/keycloak/issues/41648) Flaky user profile test
admin/ui
- [#41653](https://github.com/keycloak/keycloak/issues/41653) Flaky test: org.keycloak.testsuite.oid4vc.issuance.signing.OID4VCIssuerWellKnownProviderTest#testMetaDataEndpointIsCorrectlySetup
ci
- [#41662](https://github.com/keycloak/keycloak/issues/41662) TiDB: many WAITING threads during high-load scenario
core
- [#41663](https://github.com/keycloak/keycloak/issues/41663) Typo in the caching doc
docs
- [#41669](https://github.com/keycloak/keycloak/issues/41669) Keycloak SAML Adapter subsystem does not work in WildFly 37
adapter/saml
- [#41677](https://github.com/keycloak/keycloak/issues/41677) Provider default regression
dist/quarkus
- [#41683](https://github.com/keycloak/keycloak/issues/41683) SAML test is flaky
admin/ui
- [#41701](https://github.com/keycloak/keycloak/issues/41701) The same text shows up twice on the e-mail validity confirmation screen
account/ui
- [#41711](https://github.com/keycloak/keycloak/issues/41711) Another flaky SAML test
admin/ui
- [#41728](https://github.com/keycloak/keycloak/issues/41728) Node.js v22.18.0 causes JavaScript CI to fail
- [#41744](https://github.com/keycloak/keycloak/issues/41744) Weblate does not show zh_hant for the admin UI
translations
- [#41752](https://github.com/keycloak/keycloak/issues/41752) Flaky Organization test
admin/ui
- [#41755](https://github.com/keycloak/keycloak/issues/41755) Forwarded `claims` parameter from the initial authorization request to brokered OPs is not URL encoded
identity-brokering
- [#41792](https://github.com/keycloak/keycloak/issues/41792) docs: Non interactive logout options missing documentation
oidc
- [#41799](https://github.com/keycloak/keycloak/issues/41799) Authorization filtering causes NullPointerException with "Null keys are not supported!" in searchForUserStream (26.3.1+)
account/api
- [#41801](https://github.com/keycloak/keycloak/issues/41801) Lack of coordination in database creation in 26.3.0 causes deployment failures (Reopen)
core
- [#41804](https://github.com/keycloak/keycloak/issues/41804) OIDC identity provider token refresh fails with JsonMapperException
identity-brokering
- [#41808](https://github.com/keycloak/keycloak/issues/41808) CVE-2025-7962 In Jakarta Mail 2.0.2 it is possible to perform an SMTP Injection by utilizing the \r and \n UTF-8 characters to separate different messages
core
- [#41821](https://github.com/keycloak/keycloak/issues/41821) Fix Jandex version collision to allow running tests using auth-server-quarkus-embedded
testsuite
- [#41823](https://github.com/keycloak/keycloak/issues/41823) Test flaky due to dual certificates
admin/ui
- [#41834](https://github.com/keycloak/keycloak/issues/41834) Clicking email confirmation links in Outlook results in a "stale link" error
core
- [#41842](https://github.com/keycloak/keycloak/issues/41842) Empty memberOf attribute, or values whose DN does not match the role base DN, fetches all roles
ldap
- [#41854](https://github.com/keycloak/keycloak/issues/41854) KeycloakSession javadoc references keycloak-server.json
core
- [#41860](https://github.com/keycloak/keycloak/issues/41860) Unbalanced HTML in login form templates
login/ui
- [#41897](https://github.com/keycloak/keycloak/issues/41897) Hibernate 7.1 breaks TiDB support
ci
- [#41903](https://github.com/keycloak/keycloak/issues/41903) [Operator CI] - Test local apiserver - Could not load class with name KeycloakDistConfiguratorTest
ci
- [#41906](https://github.com/keycloak/keycloak/issues/41906) Backwards incompatible changes to 26.3.0 cause NullPointerException when requesting /certificates/jwt.credential/generate-and-download
authentication
- [#41909](https://github.com/keycloak/keycloak/issues/41909) Admin console provider info shows "Add providers"
admin/ui
- [#41913](https://github.com/keycloak/keycloak/issues/41913) [Store IT] - UserSessionRefreshTimePolicyTest unstable
ci
- [#41914](https://github.com/keycloak/keycloak/issues/41914) Role mapping `account.manage-account-links` not sufficient for Client initiated account linking
authentication
- [#41937](https://github.com/keycloak/keycloak/issues/41937) Display name for requireAction.idp_link, requireAction.delete_credential and requireAction.update_user_locale not mapping correctly
admin/ui
- [#41942](https://github.com/keycloak/keycloak/issues/41942) Uncaught server error: org.keycloak.models.ModelException: Database operation failed : Sync LDAP Groups to Keycloak (Custom Provider)
core
- [#41945](https://github.com/keycloak/keycloak/issues/41945) After upgrade to 26.3: Not possible to use Credentials having non-unique label
login/ui
- [#41994](https://github.com/keycloak/keycloak/issues/41994) Check for non-ascii local part on emails depending on SMTP configuration
core
- #42006](https://github.com/href="https://github.com/keycloak/keycloak/issues/42006">/issues/42006) Fix flaky tests for personal info in account console
account/ui
- #42012](https://github.com/href="https://github.com/keycloak/keycloak/issues/42012">/issues/42012) Client session timestamp not updated in the database if running multiple nodes
infinispan
- #42018](https://github.com/href="https://github.com/keycloak/keycloak/issues/42018">/issues/42018) Realm overrides test is flaky
admin/ui
- #42033](https://github.com/href="https://github.com/keycloak/keycloak/issues/42033">/issues/42033) [RLM] NPE during user authentication
core
- #42044](https://github.com/href="https://github.com/keycloak/keycloak/issues/42044">/issues/42044) Dynamic client authentication configuration uses wrong config
admin/ui
- #42046](https://github.com/href="https://github.com/keycloak/keycloak/issues/42046">/issues/42046) KeycloakRealmImport placeholder replacement provides access to sensitive environment variables.
operator
- #42050](https://github.com/href="https://github.com/keycloak/keycloak/issues/42050">/issues/42050) Recovery Codes are shown as "another way" even if not configured
login/ui
- #42052](https://github.com/href="https://github.com/keycloak/keycloak/issues/42052">/issues/42052) User Profile attribute annotation "inputType" yields in not savable attribute
user-profile
- #42057](https://github.com/href="https://github.com/keycloak/keycloak/issues/42057">/issues/42057) [Operator] Update job incorrectly inherits podTemplate configuration from unsupported.podTemplate
operator
- #42069](https://github.com/href="https://github.com/keycloak/keycloak/issues/42069">/issues/42069) Fix common failures when running the admin console tests on Firefox
- #42114](https://github.com/href="https://github.com/keycloak/keycloak/issues/42114">/issues/42114) "Session/EntityManager is closed" during application startup "singleFile" users import
testsuite
- #42139](https://github.com/href="https://github.com/keycloak/keycloak/issues/42139">/issues/42139) Backwards compatibility awareness
identity-brokering
- #42142](https://github.com/href="https://github.com/keycloak/keycloak/issues/42142">/issues/42142) Dedicated client scope mappers missing
oidc
- #42158](https://github.com/href="https://github.com/keycloak/keycloak/issues/42158">/issues/42158) Bug in configuration keycoak via keycloak.conf
dist/quarkus
- #42159](https://github.com/href="https://github.com/keycloak/keycloak/issues/42159">/issues/42159) Docs: authorization_services/topics/permission-typed-resource-permission.adoc
authorization-services
- #42164](https://github.com/href="https://github.com/keycloak/keycloak/issues/42164">/issues/42164) [Keycloak CI - Docs] Broken links
core
- #42165](https://github.com/href="https://github.com/keycloak/keycloak/issues/42165">/issues/42165) [Keycloak CI - Admin UI, Account UI, Account E2E UI] Installing PNMP Error
ci
- #42178](https://github.com/href="https://github.com/keycloak/keycloak/issues/42178">/issues/42178) Integer validation error not shown for user profile fields
user-profile
- #42182](https://github.com/href="https://github.com/keycloak/keycloak/issues/42182">/issues/42182) Validation errors for required actions don't show translated messages
admin/ui
- #42201](https://github.com/href="https://github.com/keycloak/keycloak/issues/42201">/issues/42201) Local access required if KC_BOOTSTRAP_ADMIN_CLIENT_ID is set but not KC_BOOTSTRAP_ADMIN_USERNAME
login/ui
- #42208](https://github.com/href="https://github.com/keycloak/keycloak/issues/42208">/issues/42208) Audience mapper not honored when requesting organization scope
authentication
- #42213](https://github.com/href="https://github.com/keycloak/keycloak/issues/42213">/issues/42213) Importing SAML IdP metadata sets Validate Signatures to false even if signing certificate is provided
saml
- #42263](https://github.com/href="https://github.com/keycloak/keycloak/issues/42263">/issues/42263) Quarkus config (quarkus.properties) not picked up after 26.3.0
dist/quarkus
- #42270](https://github.com/href="https://github.com/keycloak/keycloak/issues/42270">/issues/42270) Missing double-dash in the events documentation
core
- #42276](https://github.com/href="https://github.com/keycloak/keycloak/issues/42276">/issues/42276) Admin UI hides local users when LDAP provider fails (generic error shown; forces workaround)
admin/ui
- #42278](https://github.com/href="https://github.com/keycloak/keycloak/issues/42278">/issues/42278) Flaky test: org.keycloak.testsuite.model.session.UserSessionConcurrencyTest#testConcurrentNotesChange
ci
- #42334](https://github.com/href="https://github.com/keycloak/keycloak/issues/42334">/issues/42334) Experimental features enabled warning shown multiple times
dist/quarkus
- #42335](https://github.com/href="https://github.com/keycloak/keycloak/issues/42335">/issues/42335) Colored output is lost during startup
dist/quarkus
- #42339](https://github.com/href="https://github.com/keycloak/keycloak/issues/42339">/issues/42339) Allowed Client Scopes add openid scope in scope list
oidc
- #42360](https://github.com/href="https://github.com/keycloak/keycloak/issues/42360">/issues/42360) LDAP mapper test is flaky
admin/ui
- #42369](https://github.com/href="https://github.com/keycloak/keycloak/issues/42369">/issues/42369) Missing client session offline settings on realm level in the admin UI
admin/ui
- #42375](https://github.com/href="https://github.com/keycloak/keycloak/issues/42375">/issues/42375) Client to be included cannot be configured for the OID4VCITargetRoleMapper anymore
oid4vc
- #42390](https://github.com/href="https://github.com/keycloak/keycloak/issues/42390">/issues/42390) OIDC fails if doens't have email mapper if a LDAP exists
ldap
- #42403](https://github.com/href="https://github.com/keycloak/keycloak/issues/42403">/issues/42403) ui-shared: Accessibility of Switch control
admin/ui
- #42405](https://github.com/href="https://github.com/keycloak/keycloak/issues/42405">/issues/42405) Old hmac-generated (32bit) is recreated when order is changed in realm keys ui
core
- #42408](https://github.com/href="https://github.com/keycloak/keycloak/issues/42408">/issues/42408) Organization without email domain shows an error when trying to link an Identity Provider
organizations
- #42419](https://github.com/href="https://github.com/keycloak/keycloak/issues/42419">/issues/42419) Client authenticators executed multiple times
oidc
- #42426](https://github.com/href="https://github.com/keycloak/keycloak/issues/42426">/issues/42426) Guides contain broken ha links
docs
- #42496](https://github.com/href="https://github.com/keycloak/keycloak/issues/42496">/issues/42496) Compilation error in RolePolicyConditionProvider
core
- #42575](https://github.com/href="https://github.com/keycloak/keycloak/issues/42575">/issues/42575) Locale selector displays incorrect label for Chinese
translations
- #42650](https://github.com/href="https://github.com/keycloak/keycloak/issues/42650">/issues/42650) Failing device-activitiy test in account-ui tests
oidc
- #42652](https://github.com/href="https://github.com/keycloak/keycloak/issues/42652">/issues/42652) NullPointerException when persisting a client session
infinispan
- #42678](https://github.com/href="https://github.com/keycloak/keycloak/issues/42678">/issues/42678) Operator ClusterRoleBinding contains hardcoded namespace
operator
- #42706](https://github.com/href="https://github.com/keycloak/keycloak/issues/42706">/issues/42706) Incorrect scheme in the WWW-Authenticate when Authorization: DPoP used
oidc
- #42716](https://github.com/href="https://github.com/keycloak/keycloak/issues/42716">/issues/42716) The core class EdECUtilsImpl is not present in the sources jar
core
- #42726](https://github.com/href="https://github.com/keycloak/keycloak/issues/42726">/issues/42726) Update of sssd should add IFP section to the configuration
core
- #42736](https://github.com/href="https://github.com/keycloak/keycloak/issues/42736">/issues/42736) Reset password in admin UI with 'not recently used' password policy leads to error 'Device already exists with the same name'
core
- #42737](https://github.com/href="https://github.com/keycloak/keycloak/issues/42737">/issues/42737) The new email is mandatory error for update profile action with enabled update email
user-profile
- #42752](https://github.com/href="https://github.com/keycloak/keycloak/issues/42752">/issues/42752) Keycloak build broken
ci
- #42765](https://github.com/href="https://github.com/keycloak/keycloak/issues/42765">/issues/42765) Can't log in to admin and account console due to Web Crypto API not being available
account/ui
- #42769](https://github.com/href="https://github.com/keycloak/keycloak/issues/42769">/issues/42769) Missing switch "ID Token as detached signature" in the admin console client settings
oidc
- #42770](https://github.com/href="https://github.com/keycloak/keycloak/issues/42770">/issues/42770) Introduce pending email verification message for UPDATE_EMAIL
core
- #42786](https://github.com/href="https://github.com/keycloak/keycloak/issues/42786">/issues/42786) Inconsistent spelling auth WebAuthn
core
- #42792](https://github.com/href="https://github.com/keycloak/keycloak/issues/42792">/issues/42792) IDX_EVENT_ENTITY_USER_ID_TYPE missing column EVENT_TIME
core
- #42828](https://github.com/href="https://github.com/keycloak/keycloak/issues/42828">/issues/42828) Remove environment information from the server-info
admin/api
- #42833](https://github.com/href="https://github.com/keycloak/keycloak/issues/42833">/issues/42833) Add validation of workflow steps also when adding single step to workflow
workflows
- #42837](https://github.com/href="https://github.com/keycloak/keycloak/issues/42837">/issues/42837) Identify-First form should disallow empty entry
organizations
- #42856](https://github.com/href="https://github.com/keycloak/keycloak/issues/42856">/issues/42856) Broken external link in documentation for npm.js.com
docs
- #42867](https://github.com/href="https://github.com/keycloak/keycloak/issues/42867">/issues/42867) LOGIN event without a user session
oidc
- #42877](https://github.com/href="https://github.com/keycloak/keycloak/issues/42877">/issues/42877) Valid scope parameter in access token request is rejected with invalid_scope error
oidc
- #42887](https://github.com/href="https://github.com/keycloak/keycloak/issues/42887">/issues/42887) SPIFFE IdP added to login screen when created via browser
identity-brokering
- #42918](https://github.com/href="https://github.com/keycloak/keycloak/issues/42918">/issues/42918) Typo in the latest documentation
docs
- #42922](https://github.com/href="https://github.com/keycloak/keycloak/issues/42922">/issues/42922) Dynamic Client Registration invalidates the realm cache
core
- #42949](https://github.com/href="https://github.com/keycloak/keycloak/issues/42949">/issues/42949) Username containing a '#' is truncated in Admin Console when hiding inherited roles
user-profile
- #42958](https://github.com/href="https://github.com/keycloak/keycloak/issues/42958">/issues/42958) Upgrade bc-fips dependencies
dependencies
- #43002](https://github.com/href="https://github.com/keycloak/keycloak/issues/43002">/issues/43002) Delete workflow has wrong messages.
admin/ui