Highlights
This release features new capabilities for users and administrators of Keycloak. The highlights of this release are:
- JWT Authorization Grant, enabling external-to-internal token exchange using externally signed JWT assertions.
- Federated client authentication, eliminating the need to manage individual client secrets in Keycloak.
- Workflows, enabling administrators to automate realm administrative tasks such as user and client lifecycle management.
- Zero-downtime patch releases, allowing rolling updates within a minor release stream without service downtime.
- The Keycloak Test Framework, replacing the previous Arquillian-based solution.
All of these features are now fully supported and no longer in preview. Read on to learn more about each new feature. If you are upgrading from a previous release, also review the changes listed in the upgrading guide.
Security and Standards
JWT Authorization Grant (supported)
JWT Authorization Grant (RFC 7523) is designed to implement external-to-internal token exchange use cases. This grant allows using externally signed JWT assertions to request OAuth 2.0 access tokens.
In this release, JWT Authorization Grant is promoted from preview to supported. See the JWT Authorization Grant guide for additional details.
Federated client authentication (supported)
Federated client authentication allows clients to leverage existing credentials once a trust relationship with another issuer exists. It eliminates the need to assign and manage individual secrets for each client in Keycloak.
Federated client authentication is now promoted to supported, including support for client assertions issued by external OpenID Connect identity providers and Kubernetes Service Accounts.
Since the OAuth SPIFFE Client Authentication specification is still in draft status, SPIFFE-based client authentication remains a preview feature in Keycloak.
New guide about Demonstrating Proof-of-Possession (DPoP)
A new guide for OAuth 2.0 Demonstrating Proof-of-Possession (DPoP) in the Securing applications Guides provides information on how to mitigate the risk of stolen tokens by making tokens sender-constrained.
See Securing applications with DPoP for more details.
Identity Brokering APIs V2 (preview)
This release introduces a new preview version 2 of the Identity Brokering APIs. When brokering is used during the authentication process, Keycloak allows you to store tokens and responses issued by the external Identity Provider. Applications can call a specific endpoint to retrieve those tokens, which, in turn, can be used to get extra user information or invoke endpoints in the external trust domain. The new version improves the token retrieval endpoint so that it can replace internal-to-external Token Exchange, a use case of the legacy Token Exchange V1.
For more information, see the chapter Identity Brokering APIs in the Server Developer Guide.
Step-up authentication for SAML (preview)
The feature step-up-authentication-saml extends the step-up authentication to include the SAML protocol and clients. This feature is in preview mode. Additional information is available in the Server Administration Guide.
OAuth Client ID Metadata Document (experimental)
OAuth Client ID Metadata Document (CIMD) is an emerging standard that defines a JSON document format for describing OAuth 2.0 client metadata. Since version 2025-11-25, the Model Context Protocol (MCP) requires an authorization server to comply with CIMD. Keycloak now includes experimental support for CIMD, allowing it to serve as an authorization server for MCP version 2025-11-25 or later.
See Integrating with Model Context Protocol (MCP) for the updated guide including CIMD.
Many thanks to Takashi Norimatsu for the contribution.
Administration
Workflows (supported)
Workflows allow administrators to automate and orchestrate realm administrative tasks, bringing key capabilities of Identity Governance and Administration (IGA) to Keycloak. By defining workflows in YAML format, you can automate the lifecycle of realm resources such as users and clients based on events, conditions, and schedules.
In this release, Workflows is promoted from preview to supported. This release also includes new built-in steps, a troubleshooting guide, and various improvements to the workflow engine.
For more details, see the Managing workflows chapter in the Server Administration Guide.
Organization groups
Organizations now support isolated group hierarchies, allowing each organization to manage its own teams and departments without naming conflicts across the realm. This update includes Identity Provider mappers to automatically assign federated users to organization groups based on external claims. Group membership is automatically included in OIDC tokens and SAML assertions when an organization context is requested.
For more details, see the Managing organization groups guide.
New Groups scope for user membership changes
Fine-Grained Admin Permissions (FGAP) now includes a new Groups scope: manage-membership-of-members.
This scope is now used as the group-side bridge for evaluating user-side manage-group-membership permissions based on a user’s current group memberships.
The existing manage-membership scope keeps its current behavior for target group membership management operations.
Looking up client secrets via the Vault SPI
Secrets for clients can now be managed and looked up by the Vault SPI.
Thank you to Tero Saarni for contributing this change.
Forcing password change for LDAP users
There is now initial support for LDAP password policy control. The support is limited to prompting users to update their password when the LDAP server indicates that the password must be changed. Previously, Keycloak let the user in and ignored the mandatory password reset. There is a new optional setting “Enable LDAP password policy” in the LDAP advanced settings to enable this.
Thank you to Tero Saarni for contributing this change.
Configuring and Running
Java 25 support
Keycloak now supports running with OpenJDK 25. The server container image continues to use OpenJDK 21 for now to support FIPS mode. For details, see the note in the FIPS guide.
Zero-downtime patch releases (supported)
Zero-downtime patch releases allow you to perform rolling updates when upgrading to a newer patch version within the same major.minor release stream without service downtime.
In this release, zero-downtime patch releases are promoted to supported and enabled by default.
When using the Keycloak Operator, set the update strategy to Auto to benefit from this functionality.
For more details on the Operator configuration, see the Avoiding downtime with rolling updates guide.
Installation instructions for CloudNativePG
For those running Keycloak on Kubernetes, there is now a guide on how to deploy a PostgreSQL database on Kubernetes by leveraging the CloudNativePG Operator and how to connect Keycloak to the database.
See Deploying CloudNativePG in multiple availability zones in the High Availability Guide for details.
Simplified database operations
Several new command line options simplify the database operations for Keycloak and remove the need to use raw JDBC connection options:
- Configure TLS for the database connection.
- Database connection timeouts.
- Transaction timeouts with production-ready defaults.
Keycloak also verifies at startup that the database uses UTF-8 character encoding and prints a warning if it does not.
When running on orchestrators like Kubernetes, the startup and liveness probes return UP during database migrations, simplifying upgrades by removing the need to adjust the probes during upgrades.
See the migration guide for additional details on each aspect.
Graceful shutdown of HTTP stack
To allow rolling updates for configuration changes or version updates, a graceful shutdown of Keycloak nodes prevents users from seeing error responses when logging in or refreshing their tokens when nodes shut down.
Starting with this version, Keycloak supports a graceful shutdown of the HTTP stack. This includes delaying a shutdown after receiving a termination signal, connection draining for HTTP/1.1 and HTTP/2 connections during that period, and a shutdown timeout to finish ongoing requests.
The defaults are a shutdown delay and a shutdown timeout of one second each. This should be a good fit for setups where the reverse proxy is using TLS edge termination or re-encryption and the reverse proxy is notified about the Keycloak node shutting down at the same time as the Keycloak node. This is a common setup, for example, in Kubernetes environments.
Users should adjust those values depending on their proxy setup. See the section Graceful HTTP shutdown in the reverse proxy guide for more information.
New KCRAW_ prefix for environment variables to preserve literal values
Keycloak now supports a KCRAW_ prefix for environment variables to preserve values containing $ characters exactly as written, without expression evaluation.
When using the standard KC_ prefix, Keycloak (via SmallRye Config) evaluates expressions in values (for example, ${some_key} is resolved and $$ is collapsed to $).
This can silently modify passwords or secrets injected by a secrets manager or orchestration tool where manual escaping is not feasible.
Setting KCRAW_<KEY> instead of KC_<KEY> preserves the value exactly as provided.
See the Preserving literal values with the KCRAW_ prefix section in the Server Configuration guide for details.
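The check below is an added example, not code from Keycloak or its documentation. It audits an environment for KC_ variables whose values contain the two sequences named above (`${` and `$$`) and names the KCRAW_ variable to set instead. The function names and the sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Keycloak code. Reads NAME=VALUE lines on stdin and reports
# KC_* variables whose values contain the sequences the release notes say are
# rewritten by expression evaluation: "${" (expression) and "$$" (collapsed to "$").
# Only variable names are printed, never values, so the report is safe to log.
kc_env_expression_audit() {
    while IFS= read -r line; do
        case $line in
            KC_*=*) ;;          # evaluated prefix: inspect the value
            *) continue ;;      # KCRAW_*, unrelated variables, continuation lines
        esac
        name=${line%%=*}
        value=${line#*=}
        hits=
        case $value in
            *'${'*) hits='${' ;;
        esac
        case $value in
            *'$$'*) hits="${hits:+$hits and }"'$$' ;;
        esac
        [ -n "$hits" ] || continue
        printf '%s: value contains %s; set KCRAW_%s instead\n' \
            "$name" "$hits" "${name#KC_}"
    done
}

# Constructed sample environment (all values are made up for this example).
kc_env_audit_sample() {
    kc_env_expression_audit <<'EOF'
KC_DB_PASSWORD=pa$$word
KC_HOSTNAME=auth.example.test
KCRAW_DB_PASSWORD=pa$$word
KC_BOOTSTRAP_ADMIN_PASSWORD=s3cr${et}x
PATH=/usr/bin
EOF
}

# Stand-alone run: print the findings for the constructed sample.
kc_env_audit_sample
```

To audit a running container, pipe its environment in with `env | kc_env_expression_audit`; values that span several lines are not parsed by this line-based reader.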
Automatic reload of lists with disallowed passwords
When a list of disallowed passwords (also known as blacklist) changes, it is automatically reloaded. This avoids the need for a server restart when the list changes.
Thank you to Tero Saarni for contributing this change.
Automatic truststore initialization on Kubernetes and OpenShift
Keycloak now automatically discovers and trusts cluster certificate authorities when running on Kubernetes or OpenShift, without requiring the Operator to preconfigure the truststore.
If present in the container filesystem, the following certificates are added to the system truststore at startup:
- /var/run/secrets/kubernetes.io/serviceaccount/ca.crt (Kubernetes service account CA)
- /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt (OpenShift service CA)
This behavior is enabled by default and can be controlled with the server option --truststore-kubernetes-enabled=true|false (default: true).
Most deployments do not require any action. If you relied on the Operator to manage these truststore entries previously, the server now performs the same function directly.
Client certificate lookup providers for Traefik and Envoy
You can now use new client certificate lookup providers for Traefik and Envoy proxies. For details, see the Enabling Client Certificate Lookup section of the documentation.
Configurable Kubernetes Service name and port in the Keycloak Operator
The Keycloak Operator now supports overriding the name and port of the Kubernetes Service it creates for a Keycloak deployment.
Previously, the Service name was always derived as <cr-name>-service and the Service port always matched the container port.
You can now use the spec.http.serviceName, spec.http.serviceHttpsPort, and spec.http.serviceHttpPort fields to configure these independently.
For more details, see the Advanced configuration guide.
Sensitive information is not displayed in the HTTP Access log
If you are using the HTTP Access logging capability, sensitive information is omitted. This means that tokens in the 'Authorization' HTTP header and specific sensitive cookies are not shown.
For more information, see Configuring HTTP access logging.
Configurable log file rotation
It is now possible to configure log file rotation when using Keycloak’s built-in file logging handler.
This includes a simple option to fully disable log rotation, which is useful when using an external log rotation solution such as logrotate.
To disable log file rotation:
bin/kc.sh start --log="console,file" --log-file-rotation-enabled=false
For more information, see the File logging guide.
HTTP access logs in a dedicated file
HTTP access logs can now be written to a dedicated file, separate from the server logs. This makes it easier to process and archive access logs independently for security auditing and compliance monitoring.
For more information, see Configuring HTTP access logging.
Customizable service fields in JSON log output
Keycloak now provides native options to customize the service.name and service.environment fields in JSON log output across all log handlers (console, file, and syslog).
Previously, when using the ECS format, service.name and service.environment could not be overridden through Keycloak configuration.
This made it difficult to align JSON log fields with OpenTelemetry resource attributes.
You can now set these fields using log-service-name and log-service-environment.
For more information, see the Configuring logging guide.
New and updated translations
New translations for Indonesian and Armenian were added. A warm welcome to the new language maintainers for these languages! There are also new language maintainers for the Swedish translation, who translated all remaining message keys. Thank you so much!
Follow the translation progress on the translation status page, help translate, and read the translation guide on how to add additional languages.
Right-to-left language support in the Account UI
Support for right-to-left (RTL) languages was added to the Login UI, Admin UI, and email templates several releases ago. This release adds initial RTL support to the Account UI, which completes this effort.
Observability
Telemetry configuration via the Keycloak CR
Keycloak now supports configuring the OpenTelemetry properties via the Keycloak CR when using the Operator. These properties are shared among the available OpenTelemetry components - logs, metrics, and traces.
For more details, see the Centralize your observability stack with OpenTelemetry guide.
Custom request headers for OpenTelemetry
It is now possible to set request headers for exporting telemetry via OpenTelemetry Protocol (OTLP). This is mainly useful for providing tokens in the request.
You can specify these headers via the telemetry-header-<header> wildcard option, which accepts any custom header name.
Alternatively, use telemetry-logs-header-<header> for OpenTelemetry Logs or telemetry-metrics-header-<header> for OpenTelemetry Metrics.
For more details, see the Centralize your observability stack with OpenTelemetry guide.
Service Monitor annotations and labels via the Keycloak CR
It is now possible to configure service monitor labels and annotations via the Keycloak CR when using the Operator.
For more details, see the Advanced Configuration Operator guide.
Extension Development
Keycloak Test Framework (supported)
The Keycloak Test Framework, based on JUnit 6, is now fully supported.
It replaces the previous solution built on top of Arquillian and JUnit 4. Behind the scenes, the framework handles the lifecycle of Keycloak, the database, and any injected resources such as realms and clients.
Tests simply declare what they want, including specific configuration, and the framework takes care of the rest.
For more information, see Keycloak Test Framework.
Upgrading
Before upgrading, refer to the migration guide for a complete list of changes.
All resolved issues
Deprecated features
- [#45156](https://github.com/keycloak/keycloak/issues/45156) Deprecate Token Exchange v1
New features
- [#10155](https://github.com/keycloak/keycloak/issues/10155) Step-up authentication for SAML clients `authentication`
- [#13102](https://github.com/keycloak/keycloak/issues/13102) Add support for specifying `client.secret` using vault `core`
- [#39888](https://github.com/keycloak/keycloak/issues/39888) Workflows
- [#42634](https://github.com/keycloak/keycloak/issues/42634) Federated client authentication
- [#43144](https://github.com/keycloak/keycloak/issues/43144) OAuth Identity and Authorization Chaining Across Domains
- [#43146](https://github.com/keycloak/keycloak/issues/43146) New test framework
- [#43152](https://github.com/keycloak/keycloak/issues/43152) Authorization Grants
- [#43252](https://github.com/keycloak/keycloak/issues/43252) Zero-downtime upgrades between patch releases of Keycloak
- [#43257](https://github.com/keycloak/keycloak/issues/43257) Support a Kubernetes Native Database
- [#43507](https://github.com/keycloak/keycloak/issues/43507) Add support for Organization-specific Groups
- [#43576](https://github.com/keycloak/keycloak/issues/43576) Authorization grant for social providers `token-exchange/federated`
- [#44833](https://github.com/keycloak/keycloak/issues/44833) [OID4VCI] Make natural_person configuration available in all formats `oid4vc`
- [#45106](https://github.com/keycloak/keycloak/issues/45106) OAuth Client ID Metadata Document
- [#45284](https://github.com/keycloak/keycloak/issues/45284) CIMD - Persistent CIMD `oidc`
- [#46633](https://github.com/keycloak/keycloak/issues/46633) keycloak operator: add support for different port and name for the kubernetes service definition in the keycloak CRD
- [#47011](https://github.com/keycloak/keycloak/issues/47011) Add debug helper utility to the test framework `test-framework`
Enhancements
- #10618](https://github.com/href="https://github.com/keycloak/keycloak/issues/10618">/issues/10618) Enhancements to logging config
dist/quarkus - #14523](https://github.com/href="https://github.com/keycloak/keycloak/issues/14523">/issues/14523) Add support for enforced password change with LDAP federation
ldap - #17904](https://github.com/href="https://github.com/keycloak/keycloak/issues/17904">/issues/17904) Support RTL UI
account/ui - #19374](https://github.com/href="https://github.com/keycloak/keycloak/issues/19374">/issues/19374) Allow absolute path for cache-config-file?
dist/quarkus - #19453](https://github.com/href="https://github.com/keycloak/keycloak/issues/19453">/issues/19453) The default database transaction timeout should not be applied to Liquibase or data migrations
dist/quarkus - #20618](https://github.com/href="https://github.com/keycloak/keycloak/issues/20618">/issues/20618) Support enabling access logs
dist/quarkus - #27986](https://github.com/href="https://github.com/keycloak/keycloak/issues/27986">/issues/27986) Remove Liquibase dependency version from Keycloak root pom
- #33160](https://github.com/href="https://github.com/keycloak/keycloak/issues/33160">/issues/33160) Add support for X509 client certificate lookup for Envoy
- #33198](https://github.com/href="https://github.com/keycloak/keycloak/issues/33198">/issues/33198) Introduce `resourcesCommonUrl` for E-Mail templates
core - #33818](https://github.com/href="https://github.com/keycloak/keycloak/issues/33818">/issues/33818) Request for Enhancement: Make x509cert-lookup SPI public
- #34435](https://github.com/href="https://github.com/keycloak/keycloak/issues/34435">/issues/34435) OTEL: Add tracing ID to user facing error message
observability - #35298](https://github.com/href="https://github.com/keycloak/keycloak/issues/35298">/issues/35298) Reverse proxy provided context path not working despite setting X-Forwarded-Prefix header
dist/quarkus - #36226](https://github.com/href="https://github.com/keycloak/keycloak/issues/36226">/issues/36226) Provide a read only view of Identity Provider Mappers configuration screen to the Keycloak Admin UI
- #36710](https://github.com/href="https://github.com/keycloak/keycloak/issues/36710">/issues/36710) Have a first-class CLI option to change Keycloak's transaction timeout
dist/quarkus - #38884](https://github.com/href="https://github.com/keycloak/keycloak/issues/38884">/issues/38884) Upgrade command rolling updates for patch releases / step 3: Infinispan/JGroups support
- #38888](https://github.com/href="https://github.com/keycloak/keycloak/issues/38888">/issues/38888) Avoid breaking DB changes during patch releases
- #40902](https://github.com/href="https://github.com/keycloak/keycloak/issues/40902">/issues/40902) More fully document operator upgrade scenarios, in particular with custom images
docs - #41330](https://github.com/href="https://github.com/keycloak/keycloak/issues/41330">/issues/41330) Improve logging of JpaUserSessionPersisterProvider#expire
- #41353](https://github.com/href="https://github.com/keycloak/keycloak/issues/41353">/issues/41353) Provide HTTP access logs written to file with rotation
dist/quarkus - #41629](https://github.com/href="https://github.com/keycloak/keycloak/issues/41629">/issues/41629) Remove Tracing workaround in Infinispan/JGroups classes
- #42256](https://github.com/href="https://github.com/keycloak/keycloak/issues/42256">/issues/42256) DB Connection Pool acquisition timeout errors on database failover
core - #42626](https://github.com/href="https://github.com/keycloak/keycloak/issues/42626">/issues/42626) Provide a way to add custom labels to generated ServiceMonitor
- #42747](https://github.com/href="https://github.com/keycloak/keycloak/issues/42747">/issues/42747) Make DPoP docs more detailed
oidc - #42876](https://github.com/href="https://github.com/keycloak/keycloak/issues/42876">/issues/42876) dev mode should bind only to localhost if possible
- #42900](https://github.com/href="https://github.com/keycloak/keycloak/issues/42900">/issues/42900) Move the logic of scanning Kubernetes CA to Keycloak
dist/quarkus - #43589](https://github.com/href="https://github.com/keycloak/keycloak/issues/43589">/issues/43589) Gracefully shutting down HTTP stack
- #43701](https://github.com/href="https://github.com/keycloak/keycloak/issues/43701">/issues/43701) Improve SimpleHttp API
core - #43829](https://github.com/href="https://github.com/keycloak/keycloak/issues/43829">/issues/43829) Add createdTimestamp filter (before/after) to /admin/realms/{realm}/users
- #44090](https://github.com/href="https://github.com/keycloak/keycloak/issues/44090">/issues/44090) ErrorId for error screens and logging
- #44101](https://github.com/href="https://github.com/keycloak/keycloak/issues/44101">/issues/44101) Allow re-using server when running tests with the new framework
- #44364](https://github.com/href="https://github.com/keycloak/keycloak/issues/44364">/issues/44364) Improve client creation with PKCE in admin console
core - #44424](https://github.com/href="https://github.com/keycloak/keycloak/issues/44424">/issues/44424) findClientSessionsClientIds performance issue
storage - #44459](https://github.com/href="https://github.com/keycloak/keycloak/issues/44459">/issues/44459) Adding the log to the required action to show the cause of syntax violation of the LDAP policy
ldap - #44846](https://github.com/href="https://github.com/keycloak/keycloak/issues/44846">/issues/44846) [OID4VCI]: Ensure OID4VCI optional fields are saved cleanly and use defaults
oid4vc - #44849](https://github.com/href="https://github.com/keycloak/keycloak/issues/44849">/issues/44849) [OID4VCI] Add UI support for `vc.credential_signing_alg` in OID4VCI client scopes
oid4vc - #44973](https://github.com/href="https://github.com/keycloak/keycloak/issues/44973">/issues/44973) Hide Remember Me session settings when Remember Me is disabled in realm login settings
- #45006](https://github.com/href="https://github.com/keycloak/keycloak/issues/45006">/issues/45006) [OID4VCI] Add support for user did as subject id
oid4vc - #45188](https://github.com/href="https://github.com/keycloak/keycloak/issues/45188">/issues/45188) Upgrade to quarkus 3.30.5
- #45220](https://github.com/href="https://github.com/keycloak/keycloak/issues/45220">/issues/45220) OTEL: Ability to specify headers for exporters
observability - #45231](https://github.com/href="https://github.com/keycloak/keycloak/issues/45231">/issues/45231) [OID4VCI] Generate pre-authorized codes using the JWT format
oid4vc - #45254](https://github.com/href="https://github.com/keycloak/keycloak/issues/45254">/issues/45254) Admin UI javascript bundle should have source mapping
- #45278](https://github.com/href="https://github.com/keycloak/keycloak/issues/45278">/issues/45278) Upgrade to Quarkus 3.33.x LTS
- #45281](https://github.com/href="https://github.com/keycloak/keycloak/issues/45281">/issues/45281) Add missing Swedish translations for admin theme messages
translations - #45322](https://github.com/href="https://github.com/keycloak/keycloak/issues/45322">/issues/45322) Linking user with idp fails with generic message if user is already linked
identity-brokering - #45337](https://github.com/href="https://github.com/keycloak/keycloak/issues/45337">/issues/45337) Upgrade to Quarkus 3.31
- #45348](https://github.com/href="https://github.com/keycloak/keycloak/issues/45348">/issues/45348) OTEL: Add Telemetry options to Keycloak CR
observability - #45360](https://github.com/href="https://github.com/keycloak/keycloak/issues/45360">/issues/45360) Document that the the HA architectures are tested with Openshift 4.18
- #45467](https://github.com/href="https://github.com/keycloak/keycloak/issues/45467">/issues/45467) Management interface endpoint lists available endpoints
dist/quarkus - #45620](https://github.com/href="https://github.com/keycloak/keycloak/issues/45620">/issues/45620) Change default not-before validation to 10 second instead of 0
oidc - #45623](https://github.com/href="https://github.com/keycloak/keycloak/issues/45623">/issues/45623) Avoid unnecessary warning logs during the operator tests execution
testsuite - #45629](https://github.com/href="https://github.com/keycloak/keycloak/issues/45629">/issues/45629) HTTP access log written to file should be in a separate directory
dist/quarkus - #45689](https://github.com/href="https://github.com/keycloak/keycloak/issues/45689">/issues/45689) When a user joins a role or group, it should not read all existing roles and groups from the database
- #45704](https://github.com/href="https://github.com/keycloak/keycloak/issues/45704">/issues/45704) Invite existing users from Admin UI
organizations - #45718](https://github.com/href="https://github.com/keycloak/keycloak/issues/45718">/issues/45718) Improve error message when organization name cannot be used as alias
- #45795](https://github.com/href="https://github.com/keycloak/keycloak/issues/45795">/issues/45795) Promote Keycloak and KeycloakRealmImport CRDs to v2beta1
- #45841](https://github.com/href="https://github.com/keycloak/keycloak/issues/45841">/issues/45841) Add revert button to client credentials page
- #45880](https://github.com/href="https://github.com/keycloak/keycloak/issues/45880">/issues/45880) SAMLEndpoint - increase extensibility by increasing accessibility of some private fields/methods
- #45882](https://github.com/href="https://github.com/keycloak/keycloak/issues/45882">/issues/45882) Use GroupResource context in Groups so that Group components can be reused
- #45884](https://github.com/href="https://github.com/keycloak/keycloak/issues/45884">/issues/45884) Testframework core has dependency on testcontainers
- #45898](https://github.com/href="https://github.com/keycloak/keycloak/issues/45898">/issues/45898) Supported Configurations guide
- #45909](https://github.com/href="https://github.com/keycloak/keycloak/issues/45909">/issues/45909) Add theme clarification blurb to Realm Settings
admin/ui - #45941](https://github.com/href="https://github.com/keycloak/keycloak/issues/45941">/issues/45941) Do not use deprecated test containers in tests
testsuite - #45944](https://github.com/href="https://github.com/keycloak/keycloak/issues/45944">/issues/45944) OTEL: Use suggested 'code.function.name' for span attributes
observability - #45965](https://github.com/href="https://github.com/keycloak/keycloak/issues/45965">/issues/45965) [OID4VCI] Revisit and fix OAuthClient.credentialRequest()
oid4vc - #45992](https://github.com/href="https://github.com/keycloak/keycloak/issues/45992">/issues/45992) Clarify operator instructions involving Wildcard certificates and OpenShift
- #45996](https://github.com/href="https://github.com/keycloak/keycloak/issues/45996">/issues/45996) Enforce `LF` line endings on `*.tsx` files with `.gitattributes`
- #45999](https://github.com/href="https://github.com/keycloak/keycloak/issues/45999">/issues/45999) [OID4VCI] Revisit and fix OAuthClient.credentialOfferUriRequest()
oid4vc - #46001](https://github.com/href="https://github.com/keycloak/keycloak/issues/46001">/issues/46001) [OID4VCI] Revisit and fix OAuthClient.credentialOfferRequest()
oid4vc - #46043](https://github.com/href="https://github.com/keycloak/keycloak/issues/46043">/issues/46043) Upgrade to Quarkus 3.31.2
dist/quarkus - #46055](https://github.com/href="https://github.com/keycloak/keycloak/issues/46055">/issues/46055) [OID4VCI] Confine test realm setup to TestCase.configureTestRealm()
- #46156](https://github.com/href="https://github.com/keycloak/keycloak/issues/46156">/issues/46156) Add node count and next-node selection to LoadBalancer API
- #46164](https://github.com/href="https://github.com/keycloak/keycloak/issues/46164">/issues/46164) Separate password and OTP brute force protection to prevent OTP bypass attacks by default
- #46255](https://github.com/href="https://github.com/keycloak/keycloak/issues/46255">/issues/46255) Upgrade to Quarkus 3.32.0.CR1
dist/quarkus - #46292](https://github.com/href="https://github.com/keycloak/keycloak/issues/46292">/issues/46292) Allow to expose WellKnown provider via ServerMetadataResource
- [#46304](https://github.com/keycloak/keycloak/issues/46304) SPIFFE Identity Provider default TTL too low
- [#46355](https://github.com/keycloak/keycloak/issues/46355) [OID4VCI] Add support for CredentialScopeRepresentation `oid4vc`
- [#46395](https://github.com/keycloak/keycloak/issues/46395) X509 Certificates passed from Traefik PassTlsClientCert middleware broken since 26.5.0 `authentication`
- [#46421](https://github.com/keycloak/keycloak/issues/46421) Revisit Infinispan session idle and lifetime settings
- [#46429](https://github.com/keycloak/keycloak/issues/46429) Add username to BrokeredIdentityContext created from JWTBearer Grant `token-exchange/federated`
- [#46471](https://github.com/keycloak/keycloak/issues/46471) Aggregate client-id field for improved Infinispan query
- [#46494](https://github.com/keycloak/keycloak/issues/46494) Allow customizing federated identity lookup in JWTAuthorizationGrantType
- [#46531](https://github.com/keycloak/keycloak/issues/46531) Consider exposing UUID for admin api v2 resources
- [#46556](https://github.com/keycloak/keycloak/issues/46556) For MSSQL Server, set `sendStringParametersAsUnicode` to `false` by default `storage`
- [#46557](https://github.com/keycloak/keycloak/issues/46557) Keycloak should check the Unicode setup of the database on startup
- [#46603](https://github.com/keycloak/keycloak/issues/46603) Add Database CLI options for TLS encryption for databases
- [#46617](https://github.com/keycloak/keycloak/issues/46617) MCP Documentation for 26.6
- [#46626](https://github.com/keycloak/keycloak/issues/46626) Allow to configure Client Assertion max expiration for Kubernetes Identity Provider
- [#46627](https://github.com/keycloak/keycloak/issues/46627) Allow to configure Client Assertion max expiration for OIDC Identity Provider
- [#46657](https://github.com/keycloak/keycloak/issues/46657) Passwords containing `$$` or `${` patterns are mangled when set via environment variables (SmallRye expression evaluation) `dist/quarkus`
- [#46671](https://github.com/keycloak/keycloak/issues/46671) Allow custom timeouts in DBLockProvider
- [#46689](https://github.com/keycloak/keycloak/issues/46689) Remove user input reflection in Token Introspection error responses `oidc`
- [#46693](https://github.com/keycloak/keycloak/issues/46693) Group-level deny policies do not block `manage-group-membership` on group members `admin/fine-grained-permissions`
- [#46699](https://github.com/keycloak/keycloak/issues/46699) CIMD - Performance: Avoid repeated convertContentFilledList() in verifyUri()
- [#46701](https://github.com/keycloak/keycloak/issues/46701) CIMD - Performance: Single-pass HTTP Cache-Control header lookup
- [#46703](https://github.com/keycloak/keycloak/issues/46703) CIMD - Performance: Eliminate double URI parsing in ClientIdUriSchemeCondition.applyPolicy()
- [#46708](https://github.com/keycloak/keycloak/issues/46708) CIMD - Performance: Avoid streaming the directive list multiple times
- [#46711](https://github.com/keycloak/keycloak/issues/46711) Upgrade to Quarkus 3.32.1 `dist/quarkus`
- [#46728](https://github.com/keycloak/keycloak/issues/46728) Use quarkus properties ahead of keycloak defaults or map from values
- [#46757](https://github.com/keycloak/keycloak/issues/46757) Upgrade to jackson-core 2.21.1
- [#46765](https://github.com/keycloak/keycloak/issues/46765) Adding missing question mark
- [#46781](https://github.com/keycloak/keycloak/issues/46781) IdP alias is not clickable in organization's Identity Providers tab `admin/ui`
- [#46796](https://github.com/keycloak/keycloak/issues/46796) Document that export is not a backup
- [#46809](https://github.com/keycloak/keycloak/issues/46809) Set a default connection timeout for all database types
- [#46872](https://github.com/keycloak/keycloak/issues/46872) Be more explicit on how to enable OTel Logs and Metrics in Operator `observability`
- [#46874](https://github.com/keycloak/keycloak/issues/46874) Be more explicit in using the OTel Logs level `observability`
- [#46890](https://github.com/keycloak/keycloak/issues/46890) Upgrade to Quarkus 3.32.2 `dist/quarkus`
- [#46936](https://github.com/keycloak/keycloak/issues/46936) Reduce tight coupling between client policy contexts and conditions/executors `oidc`
- [#46964](https://github.com/keycloak/keycloak/issues/46964) Adding more Hungarian translations
- [#46972](https://github.com/keycloak/keycloak/issues/46972) Clarify credentials field availability in GET /admin/realms/{realm}/users documentation
- [#47038](https://github.com/keycloak/keycloak/issues/47038) Translation support for UI theme descriptions `translations`
- [#47081](https://github.com/keycloak/keycloak/issues/47081) Upgrade to Quarkus 3.32.3 `dist/quarkus`
- [#47130](https://github.com/keycloak/keycloak/issues/47130) Upgrade to Quarkus 3.33.0.CR1 `dist/quarkus`
- [#47140](https://github.com/keycloak/keycloak/issues/47140) Add CLI option for database connection timeout and provide it into quarkus.datasource.jdbc.login-timeout
- [#47146](https://github.com/keycloak/keycloak/issues/47146) Keycloak: no native option to customize JSON log service.name and service.environment fields `observability`
- [#47163](https://github.com/keycloak/keycloak/issues/47163) Enhancement: Password denylist file changes should not require server restart
- [#47187](https://github.com/keycloak/keycloak/issues/47187) Asynchronous server initialization
- [#47229](https://github.com/keycloak/keycloak/issues/47229) Identity Provider redirection via kc_idp_hint in Pushed Authorization Request `oidc`
- [#47416](https://github.com/keycloak/keycloak/issues/47416) Async startup isn't enabled when the health check is not enabled
- [#47535](https://github.com/keycloak/keycloak/issues/47535) Polishing CNPG installation docs
- [#47667](https://github.com/keycloak/keycloak/issues/47667) Update release-notes for CIMD
Bugs
- [#22569](https://github.com/keycloak/keycloak/issues/22569) Provide descriptions for default realm-management roles `admin/ui`
- [#26946](https://github.com/keycloak/keycloak/issues/26946) Multiple protocolMappers with the same name. `admin/api`
- [#28970](https://github.com/keycloak/keycloak/issues/28970) Documentation about the default db-schema is ambiguous `docs`
- [#36593](https://github.com/keycloak/keycloak/issues/36593) Built-in authentication flows are not updated for KC 26 `organizations`
- [#37231](https://github.com/keycloak/keycloak/issues/37231) Set New Password Multiple Times via Password Reset Function `login/ui`
- [#38991](https://github.com/keycloak/keycloak/issues/38991) [Test framework] Embedded server -> dependency download error when no version is specified `test-framework`
- [#39127](https://github.com/keycloak/keycloak/issues/39127) Incorrect return code with JWT algorithm set to none `authentication`
- [#40510](https://github.com/keycloak/keycloak/issues/40510) Organization flow does not redirect when credentials exist `organizations`
- [#40753](https://github.com/keycloak/keycloak/issues/40753) Resource leak: FileInputStream in Util.readProperties(File) is never closed .SAST `core`
- [#40921](https://github.com/keycloak/keycloak/issues/40921) Reject invalid resource IDs in permission creation
- [#41165](https://github.com/keycloak/keycloak/issues/41165) Feishu login has been continuously failing as an identity provider `identity-brokering`
- [#41630](https://github.com/keycloak/keycloak/issues/41630) Warning log message SRCFG01008: The value default has been converted by a Boolean Converter to "false" `dist/quarkus`
- [#41924](https://github.com/keycloak/keycloak/issues/41924) Internal server error after changing Admin UI theme to "base" - An old, persisted problem `admin/ui`
- [#42222](https://github.com/keycloak/keycloak/issues/42222) Federation Cache Policy details not shown when editing provider in Keycloak 26.3+ `admin/ui`
- [#42836](https://github.com/keycloak/keycloak/issues/42836) Organization selection changes after token refresh `organizations`
- [#42839](https://github.com/keycloak/keycloak/issues/42839) UserInfo endpoint returns incorrect organization claim `organizations`
- [#43198](https://github.com/keycloak/keycloak/issues/43198) Operator status patching of keycloak failed `operator`
- [#43201](https://github.com/keycloak/keycloak/issues/43201) entity mappings not working on 26.4 `core`
- [#43356](https://github.com/keycloak/keycloak/issues/43356) Keycloak tests framework - issue to identify distribution directory inside ZIP file when version string uses suffix `test-framework`
- [#43613](https://github.com/keycloak/keycloak/issues/43613) case insensitive match on organization identity provider domain - In case 'ANY' option is chosen `organizations`
- [#43726](https://github.com/keycloak/keycloak/issues/43726) Slow evaluation of client roles with dots for role mapper and others `identity-brokering`
- [#43757](https://github.com/keycloak/keycloak/issues/43757) Code Examples in Authentication SPI Documentation Don't Match Quickstarts Repository `authentication`
- [#43854](https://github.com/keycloak/keycloak/issues/43854) OID4VCI credentials have invalid subject id value `oid4vc`
- [#43949](https://github.com/keycloak/keycloak/issues/43949) MultivaluedString in mappers is not saved to backend with shown default value `admin/ui`
- [#43991](https://github.com/keycloak/keycloak/issues/43991) Keycloak operator - Reconciliation failure `operator`
- [#44099](https://github.com/keycloak/keycloak/issues/44099) Out of memory after 3-4 restarts of embedded server `testsuite`
- [#44100](https://github.com/keycloak/keycloak/issues/44100) Issue with starting server results in connection refused exception in test `testsuite`
- [#44132](https://github.com/keycloak/keycloak/issues/44132) Bug -> Keycloak preview feature "scripts" is enabled by default `authentication`
- [#44283](https://github.com/keycloak/keycloak/issues/44283) Flaky test: org.keycloak.testsuite.federation.ldap.LDAPGroupMapperTest#test06_addingUserToNewKeycloakGroup `ci`
- [#44403](https://github.com/keycloak/keycloak/issues/44403) DCR endpoint ignores client's requested token_endpoint_auth_method `oidc`
- [#44425](https://github.com/keycloak/keycloak/issues/44425) [Keycloak JS CI] Admin UI E2E Firefox failure `ci`
- [#44498](https://github.com/keycloak/keycloak/issues/44498) [quick-theme] Logo and Favicon problem `login/ui`
- [#44574](https://github.com/keycloak/keycloak/issues/44574) Unable to find contextual data of type: org.keycloak.models.KeycloakSession `testsuite`
- [#44598](https://github.com/keycloak/keycloak/issues/44598) SAML user created with null username when mapped attribute missing `saml`
- [#44622](https://github.com/keycloak/keycloak/issues/44622) OID4VCI functionality should be disabled for the realm when "Verified Credentials" switch is disabled `oid4vc`
- [#44637](https://github.com/keycloak/keycloak/issues/44637) Fail to import the realm with OID4VCI enabled `import-export`
- [#44670](https://github.com/keycloak/keycloak/issues/44670) CredentialEndpoint can be invoked with incorrect access token `oid4vc`
- [#44678](https://github.com/keycloak/keycloak/issues/44678) Inconsistent search when using wildcards `admin/api`
- [#44699](https://github.com/keycloak/keycloak/issues/44699) Not able to find key for credential signature if client scope was saved from admin console `admin/ui`
- [#44737](https://github.com/keycloak/keycloak/issues/44737) CredentialRequest requires that client scope is assigned as 'Optional' `oid4vc`
- [#44784](https://github.com/keycloak/keycloak/issues/44784) link to reset-credentials ignores default locale AND ui_locales `login/ui`
- [#44803](https://github.com/keycloak/keycloak/issues/44803) Unhandled IllegalArgumentException in SAMLRequestParser `saml`
- [#44807](https://github.com/keycloak/keycloak/issues/44807) [OID4VCI] Default values are not set for ClientScope `core`
- [#44819](https://github.com/keycloak/keycloak/issues/44819) Missing validation error label on UI when editing a user `user-profile`
- [#44824](https://github.com/keycloak/keycloak/issues/44824) Keycloak retains mapped firstName value and does not nullify it when upstream identity provider stops sending the claim `identity-brokering`
- [#44875](https://github.com/keycloak/keycloak/issues/44875) [OID4VCI] CredentialSignerException: Proof Type null is not supported for format ldp_vc `oid4vc`
- [#44905](https://github.com/keycloak/keycloak/issues/44905) Email is not updated based on upstream IdP email `identity-brokering`
- [#44961](https://github.com/keycloak/keycloak/issues/44961) Authorization_details added to token-response even when should not be `oid4vc`
- [#45005](https://github.com/keycloak/keycloak/issues/45005) [OID4VCI] Revisit and fix /credential_offer_uri endpoint `oid4vc`
- [#45058](https://github.com/keycloak/keycloak/issues/45058) Base theme: "user properties" and "register" required mark is missing the required class `login/ui`
- [#45069](https://github.com/keycloak/keycloak/issues/45069) Base theme: `login-config-totp`, `label`s have hardcoded `control-label` instead of `${properties.kcLabelClass!}` `login/ui`
- [#45160](https://github.com/keycloak/keycloak/issues/45160) NullPointer when using JwsHeader.builder().withx5c(certificate) `oidc`
- [#45162](https://github.com/keycloak/keycloak/issues/45162) Missing icons in v2 keycloak login theme `login/ui`
- [#45163](https://github.com/keycloak/keycloak/issues/45163) Guide refers to no longer existing Docker Registry `oidc`
- [#45164](https://github.com/keycloak/keycloak/issues/45164) Base theme: `login-config-totp`, buttons are not wrapped in a `kcFormGroupClass` `login/ui`
- [#45209](https://github.com/keycloak/keycloak/issues/45209) [OID4VCI] Issuer metadata contains unwanted 'id' for credential_configurations_supported `oid4vc`
- [#45219](https://github.com/keycloak/keycloak/issues/45219) User REST Admin API - count and search returns different amount of users `account/api`
- [#45227](https://github.com/keycloak/keycloak/issues/45227) Accessibility: Improve authenticator selector for screen readers and keyboard navigation `login/ui`
- [#45252](https://github.com/keycloak/keycloak/issues/45252) `.env.test` overrides values from environment `testsuite`
- [#45272](https://github.com/keycloak/keycloak/issues/45272) EventOptionsTest failing due to missing verifiable_credential options `testsuite`
- [#45324](https://github.com/keycloak/keycloak/issues/45324) Affirmative Aggregated Policies do not evaluate correctly for admin console `admin/fine-grained-permissions`
- [#45385](https://github.com/keycloak/keycloak/issues/45385) [OID4VCI] No key for id ... and algorithm ... available `oid4vc`
- [#45406](https://github.com/keycloak/keycloak/issues/45406) SearchDropdown clear button doesn't reset form fields, URI search broken `authorization-services`
- [#45422](https://github.com/keycloak/keycloak/issues/45422) Organizations login leaks IdP aliases when no Organization is resolved (IdP/tenant enumeration) `organizations`
- [#45425](https://github.com/keycloak/keycloak/issues/45425) OpenApiDistTest fails in CI `ci`
- [#45428](https://github.com/keycloak/keycloak/issues/45428) Admin UI: Wrong redirect for permissions accessed via resource details `authorization-services`
- [#45446](https://github.com/keycloak/keycloak/issues/45446) [OID4VCI] Default value for vc.credential_build_config.hash_algorithm causes _sd_alg to be invalid due to case sensitivity `oid4vc`
- [#45485](https://github.com/keycloak/keycloak/issues/45485) [OID4VCI] Inconsistencies in well-known OID4VC metadata (Same metadata for all formats) `oid4vc`
- [#45488](https://github.com/keycloak/keycloak/issues/45488) Filename not being displayed during imports `admin/ui`
- [#45501](https://github.com/keycloak/keycloak/issues/45501) ConcurrentModificationException in KeycloakProcessor#configureProfile `dist/quarkus`
- [#45519](https://github.com/keycloak/keycloak/issues/45519) User profile Attribute multiselect inputType not working since 26.4.0 `user-profile`
- [#45522](https://github.com/keycloak/keycloak/issues/45522) LoggingDistTest.httpAccessLogNotNamedPattern is not stable `dist/quarkus`
- [#45539](https://github.com/keycloak/keycloak/issues/45539) Avoid using some blacklist/whitelist wording in UI and docs `admin/ui`
- [#45561](https://github.com/keycloak/keycloak/issues/45561) NPE in Authorization Evaluation when parentPolicy is null during concurrent authz deletes `authorization-services`
- [#45564](https://github.com/keycloak/keycloak/issues/45564) Wrong nesting of semaphore release handling in Argon2 hashing `core`
- [#45586](https://github.com/keycloak/keycloak/issues/45586) Missing help text in Admin UI for adding client policy conditions `admin/ui`
- [#45587](https://github.com/keycloak/keycloak/issues/45587) SecureClientUrisExecutor doesn't allow for "+" weborigin `oidc`
- [#45606](https://github.com/keycloak/keycloak/issues/45606) Document back channel request limitations `docs`
- [#45669](https://github.com/keycloak/keycloak/issues/45669) Unable to resolve current project as a dependency to test framework server config `testsuite`
- [#45694](https://github.com/keycloak/keycloak/issues/45694) Unvalidated URL Construction in ResourceAdminManager via Matrix Parameter Injection `core`
- [#45724](https://github.com/keycloak/keycloak/issues/45724) [OID4VCI] Inconsistencies in OID4VCI metadata related to cryptographic bindings and proofs `oid4vc`
- [#45727](https://github.com/keycloak/keycloak/issues/45727) Refactor `SessionsResource` for better memory usage and performance `infinispan`
- [#45733](https://github.com/keycloak/keycloak/issues/45733) Admin UI theme logo not displaying from theme properties `admin/ui`
- [#45738](https://github.com/keycloak/keycloak/issues/45738) clients-registrations/default GET endpoint does not rotate Registration Access Token as documented `oidc`
- [#45740](https://github.com/keycloak/keycloak/issues/45740) `client-access-type` condition in Client Policy does not trigger for token request events `core`
- [#45747](https://github.com/keycloak/keycloak/issues/45747) Confusing admin behavior when multiple IDPs in a realm have the same issuer URL `core`
- [#45748](https://github.com/keycloak/keycloak/issues/45748) [OID4VCI] OpenID4VCI User Attribute Mapper does not support nested claims `oid4vc`
- [#45750](https://github.com/keycloak/keycloak/issues/45750) Test framework doesn't stop running Keycloak instance if reuse is turned off `testsuite`
- [#45760](https://github.com/keycloak/keycloak/issues/45760) Disabled organisation should not execute invitations `organizations`
- [#45812](https://github.com/keycloak/keycloak/issues/45812) ROPC: invalid_grant Error Response not RFC Compliant `oidc`
- [#45818](https://github.com/keycloak/keycloak/issues/45818) There is no save button on the TokenTab `admin/ui`
- [#45829](https://github.com/keycloak/keycloak/issues/45829) Useless warning logged when querying credentials for a user in a realm with password history enabled `authentication`
- [#45859](https://github.com/keycloak/keycloak/issues/45859) [OID4VCI] Duplicate processing of authorization_details from AuthorizationDetailsProcessorManager `oid4vc`
- [#45875](https://github.com/keycloak/keycloak/issues/45875) Workflows execution bypasses admin permission boundaries (manage-realm -> realm-admin) `workflows`
- [#45877](https://github.com/keycloak/keycloak/issues/45877) UiPageProvider components not filtered by implementation in the Admin UI `admin/api`
- [#45881](https://github.com/keycloak/keycloak/issues/45881) Flaky test: org.keycloak.testsuite.oauth.OfflineTokenTest#offlineTokenBrowserFlow `ci`
- [#45888](https://github.com/keycloak/keycloak/issues/45888) ServiceMonitor is not created due to missing fields `docs`
- [#45917](https://github.com/keycloak/keycloak/issues/45917) LDAP mapper of type "group-ldap-mapper" does not expose "objectGUID" for group in GUID format `ldap`
- [#45921](https://github.com/keycloak/keycloak/issues/45921) `Config should not be initialized until profile is determined` throw from Maven using embedded Keycloak `dist/quarkus`
- [#45922](https://github.com/keycloak/keycloak/issues/45922) Flaky test: org.keycloak.testsuite.forms.LevelOfAssuranceFlowTest#optionalClaimNotReachedSucceeds `ci`
- [#45924](https://github.com/keycloak/keycloak/issues/45924) Make sure disabled organization is ignored when re-authenticating `organizations`
- [#45947](https://github.com/keycloak/keycloak/issues/45947) Selecting condition type when creating a client policy is too wide `core`
- [#45971](https://github.com/keycloak/keycloak/issues/45971) Paths with spaces are not decoded when trying to discover providers JAR file `dist/quarkus`
- [#45986](https://github.com/keycloak/keycloak/issues/45986) [KEYCLOAK CI] - AuroraDB IT - Run Aurora new database tests on EC2 `ci`
- [#45993](https://github.com/keycloak/keycloak/issues/45993) [quarkus-next] Fix build failure due to missing build step ordering constraints `dist/quarkus`
- [#46006](https://github.com/keycloak/keycloak/issues/46006) JpaOrganizationProvider.searchGroupsByName ignores search parameter `organizations`
- [#46009](https://github.com/keycloak/keycloak/issues/46009) Client sessions pagination does not work `admin/ui`
- [#46010](https://github.com/keycloak/keycloak/issues/46010) Missing anti-ID phishing check for getting client `admin/api`
- [#46015](https://github.com/keycloak/keycloak/issues/46015) Duplicate `{client-uuid}` path parameter in OpenAPI spec `admin/api`
- [#46040](https://github.com/keycloak/keycloak/issues/46040) Assign realm users to organization `organizations`
- [#46050](https://github.com/keycloak/keycloak/issues/46050) AuthorizationServices should prevent org group ids for group policies `organizations`
- [#46051](https://github.com/keycloak/keycloak/issues/46051) [OIDC4VCI] - Types in JWT_VC `oid4vc`
- [#46075](https://github.com/keycloak/keycloak/issues/46075) [quarkus-next] Tests fail due to missing build step ordering constraint on disableHealthCheckBean `dist/quarkus`
- [#46081](https://github.com/keycloak/keycloak/issues/46081) [Keycloak JS CI] `fetchWithError` throwing `NetworkError` `ci`
- [#46084](https://github.com/keycloak/keycloak/issues/46084) [quarkus-next] DatasourcesDistTest fails due to Quarkus stdout/stderr capture changes `dist/quarkus`
- [#46089](https://github.com/keycloak/keycloak/issues/46089) Deleting a resource on page 2 shows "No resources found" empty state while resources still exist in Authorization Resources tab `authorization-services`
- [#46095](https://github.com/keycloak/keycloak/issues/46095) [quarkus-next] configureResteasy() missing Quarkus build step dependency `dist/quarkus`
- [#46110](https://github.com/keycloak/keycloak/issues/46110) Distribution server sometimes uses wrong pid for started Keycloak server `test-framework`
- [#46121](https://github.com/keycloak/keycloak/issues/46121) Unable to initialize 'jakarta.el.ExpressionFactory' when starting the server in Quarkus' development mode `dist/quarkus`
- [#46159](https://github.com/keycloak/keycloak/issues/46159) Docs: authorization_services/topics/resource-server-default-config.adoc `authorization-services`
- [#46160](https://github.com/keycloak/keycloak/issues/46160) Keycloak from `quarkus/tests/junit5` doesn't throw exception when there's a startup failure `dist/quarkus`
- [#46175](https://github.com/keycloak/keycloak/issues/46175) AdminClient in MANAGED_REALM mode has bugs `test-framework`
- [#46187](https://github.com/keycloak/keycloak/issues/46187) [quarkus-next] Update error message for invalid duration in certificate reload test `dist/quarkus`
- [#46192](https://github.com/keycloak/keycloak/issues/46192) Checking non-converted FROM address when sending emails `core`
- [#46193](https://github.com/keycloak/keycloak/issues/46193) [UI Bug] Microsoft/OIDC IdP "Prompt" dropdown saves human-readable label instead of technical value `admin/ui`
- [#46235](https://github.com/keycloak/keycloak/issues/46235) Welcome screen URL is not correct with hostname set to url `admin/ui`
- [#46297](https://github.com/keycloak/keycloak/issues/46297) [OID4VCI] Attribute did should be added to user profile just if OID4VCI is enabled for the realm
- [#46314](https://github.com/keycloak/keycloak/issues/46314) Bundle issue in account-ui `account/ui`
- [#46321](https://github.com/keycloak/keycloak/issues/46321) [Keycloak CI] Azure and Aurora Migration tests failing `ci`
- [#46322](https://github.com/keycloak/keycloak/issues/46322) [Keycloak CI] New database tests fail on Aurora and Azure `ci`
- [#46350](https://github.com/keycloak/keycloak/issues/46350) The RestartLoginCookie does not allow for key rotation as it always uses the active key for verification `login/ui`
- [#46366](https://github.com/keycloak/keycloak/issues/46366) Missing `parentId` in the GroupRepresentation of @keycloak/keycloak-admin-client `admin/client-js`
- [#46374](https://github.com/keycloak/keycloak/issues/46374) [quick-theme] Background is not hot redeployed `admin/ui`
- [#46384](https://github.com/keycloak/keycloak/issues/46384) Resource selection not displayed in scope-based permission creation when resource is not in initial results `admin/ui`
- [#46403](https://github.com/keycloak/keycloak/issues/46403) Caching or role parsing should be realm specific `infinispan`
- [#46413](https://github.com/keycloak/keycloak/issues/46413) [Admin UI] User's organizations list is delayed/empty until an N+1 cascade of API calls completes `admin/ui`
- [#46445](https://github.com/keycloak/keycloak/issues/46445) Org Groups API does not return subGroupCount `organizations`
- [#46454](https://github.com/keycloak/keycloak/issues/46454) Organization groups not included in user's groups query. `organizations`
- [#46455](https://github.com/keycloak/keycloak/issues/46455) REST API doesn't allow moving org group to root `organizations`
- [#46493](https://github.com/keycloak/keycloak/issues/46493) show-config contains log related entries with null values `dist/quarkus`
- [#46503](https://github.com/keycloak/keycloak/issues/46503) Flaky test: org.keycloak.testsuite.webauthn.account.WebAuthnTransportLocaleTest#localizationTransportUSB `ci`
- [#46512](https://github.com/keycloak/keycloak/issues/46512) Identity provider display names are not localized in Account Console `account/ui`
- [#46517](https://github.com/keycloak/keycloak/issues/46517) Inconsistent authentication error ordering `core`
- [#46542](https://github.com/keycloak/keycloak/issues/46542) Update dynamic client scope timeout `admin/api`
- [#46571](https://github.com/keycloak/keycloak/issues/46571) NPE when finding an org group by path when Organization feature disabled `organizations`
- [#46579](https://github.com/keycloak/keycloak/issues/46579) The PR not including arquillian integration tests does not pass GHA Testsuite Deprecation Check `testsuite`
- [#46606](https://github.com/keycloak/keycloak/issues/46606) Admin Console Admin associated roles is not usable for a large number of realms `admin/ui`
- [#46614](https://github.com/keycloak/keycloak/issues/46614) Base theme template uses inline styles in delete-account-confirm.ftl `login/ui`
- [#46628](https://github.com/keycloak/keycloak/issues/46628) When renaming the ClientPolicy, added conditions and profiles shouldn't disappear. `oidc`
- [#46639](https://github.com/keycloak/keycloak/issues/46639) [OID4VCI] Broken issuance due to erroneous credential_identifier check `oid4vc`
- [#46644](https://github.com/keycloak/keycloak/issues/46644) Kiota fails silently when generation fails `admin/client-js`
- [#46647](https://github.com/keycloak/keycloak/issues/46647) Rfc9440 cert lookup should not treat exceeding the cert length as an error `core`
- [#46658](https://github.com/keycloak/keycloak/issues/46658) SCIM PUT endpoint allows resource modification via body ID override (IDOR) `core`
- [#46667](https://github.com/keycloak/keycloak/issues/46667) IntegrationTest sub class @TestSetup called before super class `testsuite`
- [#46673](https://github.com/keycloak/keycloak/issues/46673) Raise minimum maximum number of `poolMaxSize` as value 3 shown in Keycloak example leads to acquisition timeout after switch to JDBC Ping `docs`
- [#46695](https://github.com/keycloak/keycloak/issues/46695) CIMD - Config Description Corrections: wildcard instead of regex
oidc - #46697](https://github.com/href="https://github.com/keycloak/keycloak/issues/46697">/issues/46697) CIMD - typos in comment lines
oidc - #46716](https://github.com/href="https://github.com/keycloak/keycloak/issues/46716">/issues/46716) UMA permission grant accepts expired ID token claim_token and issues RPT
core - #46717](https://github.com/href="https://github.com/keycloak/keycloak/issues/46717">/issues/46717) UMA permission grant accepts ID token issued to a different client
core - #46718](https://github.com/href="https://github.com/keycloak/keycloak/issues/46718">/issues/46718) UnsupportedOperationException in V1 Token Exchange Audience Validation (FGAPv2 Incompatibility)
token-exchange - #46738](https://github.com/href="https://github.com/keycloak/keycloak/issues/46738">/issues/46738) NullPointerException Crash in SessionCodeChecks When Client is Disabled During Authentication Flow
authentication - #46745](https://github.com/href="https://github.com/keycloak/keycloak/issues/46745">/issues/46745) Enhance network validation for SAML metadata descriptor URLs
saml - #46750](https://github.com/href="https://github.com/keycloak/keycloak/issues/46750">/issues/46750) OIDC error responses do not have no-cache headers set (at least not for the userinfo endpoint)
oidc - #46774](https://github.com/href="https://github.com/keycloak/keycloak/issues/46774">/issues/46774) Drawer splitter does not extend full page height in organization groups
admin/ui - #46775](https://github.com/href="https://github.com/keycloak/keycloak/issues/46775">/issues/46775) "Duplicate" function does not work correctly for organization groups
admin/ui - #46776](https://github.com/href="https://github.com/keycloak/keycloak/issues/46776">/issues/46776) Cannot select a group from search results in "Move to" dialog
admin/ui - #46777](https://github.com/href="https://github.com/keycloak/keycloak/issues/46777">/issues/46777) Organization group tree does not show expand toggles for groups with children
admin/ui - #46778](https://github.com/href="https://github.com/keycloak/keycloak/issues/46778">/issues/46778) Stale search results persist after clearing search in organization group tree
admin/ui - #46780](https://github.com/href="https://github.com/keycloak/keycloak/issues/46780">/issues/46780) Organization group tree search returns flat results instead of hierarchy
organizations - #46792](https://github.com/href="https://github.com/keycloak/keycloak/issues/46792">/issues/46792) Delete operation does not fire admin event v2
admin/api - #46808](https://github.com/href="https://github.com/keycloak/keycloak/issues/46808">/issues/46808) Mute noisy "Unable to decode token, payload not found." log
adapter/javascript - #46819](https://github.com/href="https://github.com/keycloak/keycloak/issues/46819">/issues/46819) ArrayIndexOutOfBoundsException in ArtifactBindingUtils when SAMLart parameter is too short
- #46848](https://github.com/href="https://github.com/keycloak/keycloak/issues/46848">/issues/46848) NullPointerException in DPoPUtil
oidc - #46857](https://github.com/href="https://github.com/keycloak/keycloak/issues/46857">/issues/46857) Identity Provider mapper edit form loses ID and Name field values on save
admin/ui - #46860](https://github.com/href="https://github.com/keycloak/keycloak/issues/46860">/issues/46860) Cannot run /testsuite anymore - value of org.keycloak.common.Profile.getInstance() is null
testsuite - #46861](https://github.com/href="https://github.com/keycloak/keycloak/issues/46861">/issues/46861) Metadata check: cacheEmbedded.configFile always incompatible because of path
infinispan - #46883](https://github.com/href="https://github.com/keycloak/keycloak/issues/46883">/issues/46883) Flaky test: org.keycloak.testsuite.model.infinispan.EmbeddedInfinispanSplitBrainTest#testLocalCacheClearedOnMergeEvent
ci - #46933](https://github.com/href="https://github.com/keycloak/keycloak/issues/46933">/issues/46933) Client-scopes client policy condition not triggered during resource-owner-password-credentials grant request
oidc - #46969](https://github.com/href="https://github.com/keycloak/keycloak/issues/46969">/issues/46969) Authentication Failure with Mixed-Case Email Domain in Organizations
organizations - #46997](https://github.com/href="https://github.com/keycloak/keycloak/issues/46997">/issues/46997) Privilege Escalation via silent group resolution fallback in Identity Provider mappers when linked to Organizations
organizations - #47002](https://github.com/href="https://github.com/keycloak/keycloak/issues/47002">/issues/47002) [quarkus-next] Prometheus rejects user event metrics with inconsistent tag keys
dist/quarkus - #47025](https://github.com/href="https://github.com/keycloak/keycloak/issues/47025">/issues/47025) createCurlContainer method implicitly depends on DockerHub
testsuite - #47043](https://github.com/href="https://github.com/keycloak/keycloak/issues/47043">/issues/47043) Searching for organization groups with `populateHierarchy=true` exposes internal org group
organizations - #47045](https://github.com/href="https://github.com/keycloak/keycloak/issues/47045">/issues/47045) [OID4VCI] Credential definition must not contain `@context` when not using JSON-LD
oid4vc - #47047](https://github.com/href="https://github.com/keycloak/keycloak/issues/47047">/issues/47047) Unused message keys from console based logins
login/ui - #47051](https://github.com/href="https://github.com/keycloak/keycloak/issues/47051">/issues/47051) Search for organization group membership ignores search param
organizations - #47055](https://github.com/href="https://github.com/keycloak/keycloak/issues/47055">/issues/47055) `Include sub-group users` button does not work for org groups
organizations - #47063](https://github.com/href="https://github.com/keycloak/keycloak/issues/47063">/issues/47063) NPE when regenerating client secret when client policy with client-updater-context exists
oidc - #47080](https://github.com/href="https://github.com/keycloak/keycloak/issues/47080">/issues/47080) Do not allow managing invitations if not an invitation of the current organization
organizations - #47084](https://github.com/href="https://github.com/keycloak/keycloak/issues/47084">/issues/47084) Missing output encoding for organization name in login error messages
organizations - #47085](https://github.com/href="https://github.com/keycloak/keycloak/issues/47085">/issues/47085) Pin actions/checkout by commit SHA in translation-notify.yml
ci - #47108](https://github.com/href="https://github.com/keycloak/keycloak/issues/47108">/issues/47108) Org Groups children API does not return subGroupCount
organizations - #47110](https://github.com/href="https://github.com/keycloak/keycloak/issues/47110">/issues/47110) LDAP federation configuratation vendor dependent default values not visible in form
ldap - #47114](https://github.com/href="https://github.com/keycloak/keycloak/issues/47114">/issues/47114) ImmutableAttributeValidator doesn't lowercase emails when checking for changes
ldap - #47137](https://github.com/href="https://github.com/keycloak/keycloak/issues/47137">/issues/47137) Ensure org group membership checks the org the user is member of
organizations - #47139](https://github.com/href="https://github.com/keycloak/keycloak/issues/47139">/issues/47139) Performance regression when editing authentication flows after cherry-picking [#46654] (realm invalidation triggers expensive role reload)
core - #47157](https://github.com/href="https://github.com/keycloak/keycloak/issues/47157">/issues/47157) Composite client role mappings endpoint is slow and degrades under concurrency with many client roles
admin/api - #47162](https://github.com/href="https://github.com/keycloak/keycloak/issues/47162">/issues/47162) Impersonation via Token Exchange fails after upgrade to KC 26.5 (form 26.3): java.lang.UnsupportedOperationException: Not supported in V2 at org.keycloak.services.resources.admin.fgap.ClientPermissionsV2.canExchangeTo(
token-exchange - #47164](https://github.com/href="https://github.com/keycloak/keycloak/issues/47164">/issues/47164) New test framework DisabledForServers annotation does not work
testsuite - #47201](https://github.com/href="https://github.com/keycloak/keycloak/issues/47201">/issues/47201) Env var default gets cut of at {} replacement
login/ui - #47203](https://github.com/href="https://github.com/keycloak/keycloak/issues/47203">/issues/47203) [OID4VCI] Small inconsistencies in some events
oid4vc - #47221](https://github.com/href="https://github.com/keycloak/keycloak/issues/47221">/issues/47221) Kiota generate client in calls github
admin/client-js - #47251](https://github.com/href="https://github.com/keycloak/keycloak/issues/47251">/issues/47251) [OID4VCI] Reduce log volume in CredentialScopeModelUtils
oid4vc - #47271](https://github.com/href="https://github.com/keycloak/keycloak/issues/47271">/issues/47271) Use of java.util.Random / Math.random() in OID4VC Nonce and Time Claim Generation
oid4vc - #47321](https://github.com/href="https://github.com/keycloak/keycloak/issues/47321">/issues/47321) [KEYCLOAK CI] - Account UI - unknown_error thrown by NetworkError
account/ui - #47332](https://github.com/href="https://github.com/keycloak/keycloak/issues/47332">/issues/47332) Missing release notes entry for OpenTelemetry span attributes location change
observability - #47379](https://github.com/href="https://github.com/keycloak/keycloak/issues/47379">/issues/47379) RetryConfig is ignored
core - #47398](https://github.com/href="https://github.com/keycloak/keycloak/issues/47398">/issues/47398) When adding a ClientProfile the Save button functionality is inconsistent
admin/ui - #47412](https://github.com/href="https://github.com/keycloak/keycloak/issues/47412">/issues/47412) Typos in docs: OpenTelementry
docs - #47418](https://github.com/href="https://github.com/keycloak/keycloak/issues/47418">/issues/47418) Agroal: Login timeout should be smaller than acquisition timeout
dist/quarkus - #47427](https://github.com/href="https://github.com/keycloak/keycloak/issues/47427">/issues/47427) New link error in documentation to facebook
docs - #47444](https://github.com/href="https://github.com/keycloak/keycloak/issues/47444">/issues/47444) Inaccuracies in client federation documentation and tooltips
oidc - #47452](https://github.com/href="https://github.com/keycloak/keycloak/issues/47452">/issues/47452) Deployed Javascript policy description not displayed in the Keycloak console
authorization-services - #47454](https://github.com/href="https://github.com/keycloak/keycloak/issues/47454">/issues/47454) Workflows editor uses proportional font instead of monospace
admin/ui - #47473](https://github.com/href="https://github.com/keycloak/keycloak/issues/47473">/issues/47473) [quarkus-next] Fix operator controller stalling after JOSDK 5.3.0 event filtering upgrade
operator - #47495](https://github.com/href="https://github.com/keycloak/keycloak/issues/47495">/issues/47495) JavaKeystoreKeyProvider generates a new random KID for symmetric keys (HMAC) on every restart or config change
authorization-services - #47536](https://github.com/href="https://github.com/keycloak/keycloak/issues/47536">/issues/47536) SCIM Authorization Bypass in User Group Management
core - #47544](https://github.com/href="https://github.com/keycloak/keycloak/issues/47544">/issues/47544) NullPointerException in OID4VCMapper when mapper configuration is missing or empty
oid4vc - #47572](https://github.com/href="https://github.com/keycloak/keycloak/issues/47572">/issues/47572) Possible NPE in DefaultKeycloakSession.getComponentProvider()
core - #47587](https://github.com/href="https://github.com/keycloak/keycloak/issues/47587">/issues/47587) [Operator CI] - Test remote - Waiting for more replicas timeout
- #47646](https://github.com/href="https://github.com/keycloak/keycloak/issues/47646">/issues/47646) Both Clusterless and Volatile-Session suites contains reference to removed test file.
testsuite - #47675](https://github.com/href="https://github.com/keycloak/keycloak/issues/47675">/issues/47675) LDAP Federation: time of the password change is not being read correctly for "389 DS/RHDS" ldap backend
ldap - #47685](https://github.com/href="https://github.com/keycloak/keycloak/issues/47685">/issues/47685) NPE when using HttpClient and enabled tracing
observability - #47708](https://github.com/href="https://github.com/keycloak/keycloak/issues/47708">/issues/47708) Failing test testNoConfigNoServerShowsV2Hint on Windows
admin/api - #47720](https://github.com/href="https://github.com/keycloak/keycloak/issues/47720">/issues/47720) Release nightly build for API docs is broken
ci - #47753](https://github.com/href="https://github.com/keycloak/keycloak/issues/47753">/issues/47753) Decorating LDAP user profile throws NPE preventing login
ldap