Update version.keycloak to v26 (major) #20

Merged
Denys Konovalov merged 1 commits from renovate/major-version.keycloak into main 2024-10-05 11:46:26 +02:00

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| org.keycloak:keycloak-services (source) | provided | major | 25.0.6 -> 26.0.0 |
| org.keycloak:keycloak-server-spi-private (source) | provided | major | 25.0.6 -> 26.0.0 |
| org.keycloak:keycloak-model-storage (source) | provided | major | 25.0.6 -> 26.0.0 |
| org.keycloak:keycloak-server-spi (source) | provided | major | 25.0.6 -> 26.0.0 |
| org.keycloak:keycloak-core (source) | provided | major | 25.0.6 -> 26.0.0 |

Release Notes

keycloak/keycloak (org.keycloak:keycloak-services)

v26.0.0

Highlights

Organizations supported

Starting with Keycloak 26, the Organizations feature is fully supported.

Client libraries updates

Dedicated release cycle for the client libraries

From this release, some of the Keycloak client libraries will have a release cycle independent of the Keycloak server release cycle. The 26.0.0 release may be the last one in which the client libraries are released together with the Keycloak server. From now on, the client libraries may be released at a different time than the Keycloak server.

The client libraries are these artifacts:

  • Java admin client - Maven artifact org.keycloak:keycloak-admin-client

  • Java authorization client - Maven artifact org.keycloak:keycloak-authz-client

  • Java policy enforcer - Maven artifact org.keycloak:keycloak-policy-enforcer

It is possible that in the future, some more libraries will be included.

The client libraries are supported with Java 8, so it is possible to use them with the client applications deployed on the older application servers.

Compatibility of the client libraries with the server

Beginning with this release, we are testing and supporting client libraries with the same server version and a few previous major server versions.

For details about supported versions of client libraries with server versions, see the Upgrading Guide.

User sessions persisted by default

Keycloak 25 introduced the feature persistent-user-sessions. With this feature enabled all user sessions are persisted in the database as opposed to the previous behavior where only offline sessions were persisted. In Keycloak 26, this feature is enabled by default. This means that all user sessions are persisted in the database by default.

It is possible to revert this behavior to the previous state by disabling the feature. Follow the Volatile user sessions section in Configuring distributed caches guide for more details.

For information on how to upgrade, see the Upgrading Guide.

New default login theme

There is now a new version (v2) of the keycloak login theme, which provides an improved look and feel, including support for switching automatically to a dark theme based on user preferences.

The previous version (v1) is now deprecated, and will be removed in a future release.

For all new realms, keycloak.v2 will be the default login theme. Also, any existing realm that never explicitly set a login theme will be switched to keycloak.v2.

Highly available multi-site deployments

Keycloak 26 introduces significant improvements to the recommended HA multi-site architecture, most notably:

  • Keycloak deployments are now able to handle user requests simultaneously in both sites.

  • Active monitoring of the connectivity between the sites is now required to update the replication between the sites in case of a failure.

  • The loadbalancer blueprint has been updated to use the AWS Global Accelerator as this avoids prolonged fail-over times caused by DNS caching by clients.

  • Persistent user sessions are now a requirement of the architecture. Consequently, user sessions will be kept on Keycloak or Infinispan upgrades.

For information on how to migrate, see the Upgrading Guide.

Admin Bootstrapping and Recovery

In the past, regaining access to a Keycloak instance when all admin users were locked out was a challenging and complex process. Recognizing these challenges and aiming to significantly enhance the user experience, Keycloak now offers several straightforward methods to bootstrap a temporary admin account and recover lost admin access.

It is now possible to run the start or start-dev commands with specific options to create a temporary admin account. Additionally, a new dedicated command has been introduced, which allows users to regain admin access without hassle.

For detailed instructions and more information on this topic, refer to the Admin Bootstrap and Recovery guide.

OpenTelemetry Tracing preview

The underlying Quarkus support for OpenTelemetry Tracing has been exposed to Keycloak and allows obtaining application traces for better observability. It helps to find performance bottlenecks, determine the cause of application failures, trace a request through the distributed system, and much more. The support is in preview mode, and we would be happy to obtain any feedback.

For more information, see the Enabling Tracing guide.

OpenID for Verifiable Credential Issuance

The OpenID for Verifiable Credential Issuance (OID4VCI) is still an experimental feature in Keycloak, but it was greatly improved in this release. You will find significant development and discussions in the Keycloak OAuth SIG. Anyone from the Keycloak community is welcome to join.

Many thanks to all members of the OAuth SIG group for their participation in the development and discussions about this feature. Special thanks to Francis Pouatcha, Pascal Knüppel, Takashi Norimatsu, Ingrid Kamga, Stefan Wiedemann and Thomas Darimont.

DPoP improvements

The DPoP (OAuth 2.0 Demonstrating Proof-of-Possession) preview feature has improvements. The DPoP is now supported for all grant types. With previous releases, this feature was supported only for the authorization_code grant type. Support also exists for the DPoP token type on the UserInfo endpoint.

Many thanks to Pascal Knüppel for the contribution.

Removal of GELF logging handler

GELF support has been deprecated for a while now, and with this release it has been finally removed from Keycloak. Other log handlers are available and fully supported to be used as a replacement of GELF, for example Syslog. For details see the Logging guide.

Lightweight access tokens for Admin REST API

Lightweight access tokens can now be used on the admin REST API. The security-admin-console and admin-cli clients are now using lightweight access tokens by default, so “Always Use Lightweight Access Token” and “Full Scope Allowed” are now enabled on these two clients. However, the behavior in the admin console should effectively remain the same. Be cautious if you have made changes to these two clients and if you are using them for other purposes.

Keycloak JavaScript adapter now standalone

Keycloak JavaScript adapter is now a standalone library and is therefore no longer served statically from the Keycloak server. The goal is to de-couple the library from the Keycloak server, so that it can be refactored independently, simplifying the code and making it easier to maintain in the future. Additionally, the library is now free of third-party dependencies, which makes it more lightweight and easier to use in different environments.

For a complete breakdown of the changes consult the Upgrading Guide.

Hostname v1 feature removed

The deprecated hostname v1 feature was removed. This feature was deprecated in Keycloak 25 and replaced by hostname v2. If you are still using this feature, you must migrate to hostname v2. For more details, see the Configuring the hostname (v2) and the initial migration guide.

Automatic redirect from root to relative path

The user is automatically redirected to the path where Keycloak is hosted when the http-relative-path property is specified. This means that when the relative path is set to /auth and the user accesses localhost:8080/, the page is redirected to localhost:8080/auth.

The same applies to the management interface when the http-management-relative-path or http-relative-path property is specified.

It improves user experience as users no longer need to set the relative path to the URL explicitly.

Persisting revoked access tokens across restarts

In this release, revoked access tokens are written to the database and reloaded when the cluster is restarted by default when using the embedded caches.

For information on how to migrate, see the Upgrading Guide.

Client Attribute condition in Client Policies

A condition based on the client-attribute was added to Client Policies. You can use this condition to target clients whose specified client attribute has a specified value. It is possible to use either an AND or OR condition when evaluating this condition, as mentioned in the documentation for client policies.

Many thanks to Yoshiyuki Tabata for the contribution.

Specify different log levels for log handlers

It is possible to specify log levels for all available log handlers, such as console, file, or syslog. The more fine-grained approach provides the ability to control logging over the whole application and be tailored to your needs.

For more information, see the Logging guide.

Proxy option removed

The deprecated proxy option was removed. This option was deprecated in Keycloak 24 and replaced by the proxy-headers option in combination with hostname options as needed. For more details, see using a reverse proxy and the initial migration guide.

Option proxy-trusted-addresses added

The proxy-trusted-addresses option can be used when the proxy-headers option is set to specify an allowlist of trusted proxy addresses. If the proxy address for a given request is not trusted, then the respective proxy header values will not be used.

Option proxy-protocol-enabled added

The proxy-protocol-enabled option controls whether the server should use the HA PROXY protocol when serving requests from behind a proxy. When set to true, the remote address returned will be the one from the actual connecting client.

Option to reload trust and key material added

The https-certificates-reload-period option can be set to define the reloading period of key store, trust store, and certificate files referenced by https-* options. Use -1 to disable reloading. Defaults to 1h (one hour).

Options to configure cache max-count added

The --cache-embedded-${CACHE_NAME}-max-count= option can be set to define an upper bound on the number of cache entries in the specified cache.

The https-trust-store-* options have been undeprecated

Based on the community feedback, we decided to undeprecate https-trust-store-* options to allow better granularity in trusted certificates.

The java-keystore key provider supports more algorithms and vault secrets

The java-keystore key provider, which allows loading a realm key from an external java keystore file, has been modified to manage all Keycloak algorithms. Besides, the keystore and key secrets, needed to retrieve the actual key from the store, can be configured using the vault. Therefore a Keycloak realm can externalize any key to the encrypted file without sensitive data stored in the database.

For more information about this subject, see Configuring realm keys.

Adding support for ECDH-ES encryption key management algorithms

Keycloak now allows configuring ECDH-ES, ECDH-ES+A128KW, ECDH-ES+A192KW or ECDH-ES+A256KW as the encryption key management algorithm for clients. The Key Agreement with Elliptic Curve Diffie-Hellman Ephemeral Static (ECDH-ES) specification introduces three new header parameters for the JWT: epk, apu and apv. Currently, the Keycloak implementation only manages the compulsory epk, while the other two (which are optional) are never added to the header. For more information about those algorithms, please refer to the JSON Web Algorithms (JWA).

Also, a new key provider, ecdh-generated, is available to generate realm keys and support for ECDH algorithms is added into the Java KeyStore provider.

Many thanks to Justin Tay for the contribution.

Support for multiple instances of a social broker in a realm

It is now possible to have multiple instances of the same social broker in a realm.

Most of the time a realm does not need multiple instances of the same social broker. But due to the introduction of the organization feature, it should be possible to link different instances of the same social broker to different organizations.

When creating a social broker, you should now provide an Alias and optionally a Display name just like any other broker.

New generalized event types for credentials

There are now generalized events for updating (UPDATE_CREDENTIAL) and removing (REMOVE_CREDENTIAL) a credential. The credential type is described in the credential_type attribute of the events. The new event types are supported by the Email Event Listener.

The following event types are now deprecated and will be removed in a future version: UPDATE_PASSWORD, UPDATE_PASSWORD_ERROR, UPDATE_TOTP, UPDATE_TOTP_ERROR, REMOVE_TOTP, REMOVE_TOTP_ERROR

The template.ftl file in the base/login and the keycloak.v2/login theme now allows customizing the footer of the login box. This can be used to show common links or include custom scripts at the end of the page.

The new footer.ftl template provides a content macro that is rendered at the bottom of the "login box".

Keycloak CR supports standard scheduling options

The Keycloak CR now exposes first class properties for controlling the scheduling of your Keycloak Pods.

For more details, see the Operator Advanced Configuration.

KeycloakRealmImport CR supports placeholder replacement

The KeycloakRealmImport CR now exposes spec.placeholders to create environment variables for placeholder replacement in the import.

For more details, see the Operator Realm Import.

Configuring the LDAP Connection Pool

In this release, the LDAP connection pool configuration relies solely on system properties.

For more details, see Configuring the connection pool.

Infinispan marshalling changes to Infinispan Protostream

Marshalling is the process of converting Java objects into bytes to send them across the network between Keycloak servers. With Keycloak 26, we changed the marshalling format from JBoss Marshalling to Infinispan Protostream.

Warning
JBoss Marshalling and Infinispan Protostream are not compatible with each other and incorrect usage may lead to data loss. Consequently, all caches are cleared when upgrading to this version.

Infinispan Protostream is based on Protocol Buffers (proto 3), which has the advantage of backwards/forwards compatibility.

Removal of OSGi metadata

Since all of the Java adapters that used OSGi metadata have been removed, we have stopped generating OSGi metadata for our jars.

With the goal of improving the scalability of groups, they are now removed directly from the database when removing a realm. As a consequence, group-related events like the GroupRemovedEvent are no longer fired when removing a realm.

For information on how to migrate, see the Upgrading Guide.

Identity Providers no longer available from the realm representation

As part of the improvements around the scalability of realms and organizations when they have many identity providers, the realm representation no longer holds the list of identity providers. However, they are still available from the realm representation when exporting a realm.

For information on how to migrate, see the Upgrading Guide.

Securing Applications documentation converted into the guide format

The Securing Applications and Services documentation was converted into the new format similar to the Server Installation and Configuration documentation converted in the previous releases. The documentation is now available under Keycloak Guides.

Removal of legacy cookies

Keycloak no longer sends _LEGACY cookies, which were introduced as a work-around for older browsers not supporting the SameSite flag on cookies.

The _LEGACY cookies also served another purpose, which was to allow login from an insecure context. Although this is not recommended at all in production deployments of Keycloak, it is fairly frequent to access Keycloak over http outside of localhost. As an alternative to the _LEGACY cookies, Keycloak now doesn't set the secure flag and sets SameSite=Lax instead of SameSite=None when it detects an insecure context is used.

Property origin in the UserRepresentation is deprecated

The origin property in the UserRepresentation is deprecated and planned to be removed in future releases.

Instead, prefer using the federationLink property to obtain the provider to which a user is linked.

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Deprecated features

  • #​600 De-couple quickstarts from statically served Keycloak JS quickstarts

New features

  • #​20342 Duplicate groups in the admin console of Keycloak admin/ui
  • #​26178 Support dark mode, at least for the login pages login/ui
  • #​29324 Bootstrapping an admin user using a dedicated command dist/quarkus
  • #​29755 Support AES and HMAC Key-Imports for the JavaKeystoreKeyProvider
  • #​30002 Bootstrapping an admin service account using a dedicated command dist/quarkus
  • #​30009 Warnings for temporary admin user and service account core
  • #​30011 Document admin bootstrapping and recovery docs
  • #​30682 Group assignment: Display disabled information from user admin/ui
  • #​30795 Initiate create events if ClientScopes are created
  • #​31421 Add Events for Organization Creation and Member Assignment organizations
  • #​31642 Include organization attributes and information in ID and access tokens organizations
  • #​31643 Implement invitation-only self-registration for realm users organizations
  • #​32030 Retry remote cache operations with back off
  • #​32135 Option to specify trusted proxies dist/quarkus
  • #​32553 Expose Password Policies in FreeMarker Context for Login Themes

Enhancements

  • #​583 Update dependency on keycloak-client in main branch to 999.0.0-SNAPSHOT quickstarts
  • #​10114 Specific events for webauthn register authentication/webauthn
  • #​10492 Support proxy_protocol
  • #​14073 SAML 2.0 HTTP-Artifact binding
  • #​15769 update or replace base64-js and js-sha256 adapter/javascript
  • #​16750 Google login - add prompt=select_account option core
  • #​19564 response_type none is oidc spec but ignored in the current implementation. oidc
  • #​19750 Use a proper FreeMarker template for the new consoles account/ui
  • #​21072 Make sure identity providers are not send in realm GET requests and PUT requests used in "Realm settings"
  • #​21261 Identity providers: Pagination in account console (and account REST API)
  • #​21342 Upgrade login theme to PatternFly 5 login/ui
  • #​23179 kcadm should have a command to verify connection admin/cli
  • #​23596 Support generated ECDH realm keys oidc
  • #​23597 Support ECDH-ES JWE algorithms oidc
  • #​23771 Automatically hot reload TLS certificates when https-certificate-file or https-certificate-key-file changes on disk dist/quarkus
  • #​24815 Hostname config check on welcome page
  • #​25391 Improve auto behavior with operator and --optimized
  • #​25541 Add an option for a custom welcome page to disable bootstrapping of admin account welcome/ui
  • #​26262 Remove need to update Quarkus tests when profile features change dist/quarkus
  • #​26470 Add a field to the RealmImportSpec to toggle replacing ENV variable placeholders
  • #​27040 [keycloak-js] Expose didInitialize as a public method/property adapter/javascript
  • #​27298 Validate spi options wrt build / run time dist/quarkus
  • #​27432 Document how to specify CPU and memory limits/requests for the Operator operator
  • #​27884 Automatic update of bcfips versions in the docs docs
  • #​27947 Rename Dockerfile to Containerfile in the docs docs
  • #​28017 Un-friendly error message for Fail Import option in keycloak GUI import-export
  • #​28140 External Infinispan as cache - Part 1
  • #​28311 Detect clients which refresh their access tokens too early
  • #​28581 Support OpenTelemetry tracing
  • #​28648 External Infinispan as cache - Part 2
  • #​28754 External Infinispan as cache - Part 3 / login failures cache
  • #​28755 External Infinispan as cache - Part 4 / user + client sessions online + offline
  • #​29200 Clarify import/export usage of options
  • #​29258 Support pod affinity settings in the Keycloak Operator operator
  • #​29303 Active/Active XSite fencing
  • #​29394 Infinispan Protostream
  • #​29480 GET users endpoint is making lots of requests to the database storage
  • #​29665 Please clarify in the docs that the replacement of KC_PROXY=edge is not just KC_PROXY_HEADERS, but one MUST set KC_HTTP_ENABLED=true.
  • #​29698 Improve SAML2 Metadata Validation Exception messages saml
  • #​29725 VC issuance in Authz Code flow with considering “scope” parameter oid4vc
  • #​29974 Add support of RTL UI in login pages login/ui
  • #​29986 private AuthzClient.createPatSupplier
  • #​30003 Bootstrapping an admin user or service account at server startup dist/quarkus
  • #​30004 Bootstrapping an admin user or service account using the Operator operator
  • #​30010 Update the welcome page to create a temporary admin user dist/quarkus
  • #​30094 Do not inherit 'https-client-auth' property for the management interface
  • #​30118 Admin UI - Fixed save buttons on the bottom at the page
  • #​30165 Handle proxy related env vars in the Operator operator
  • #​30243 Protobuf schema compatibility check (maven plugin)
  • #​30267 Protect the disabling of the main keycloak account admin/api
  • #​30286 Add missing translation for oid4vc protocol
  • #​30337 Introduce packages for organization tests organizations
  • #​30338 Refactor organization tests organizations
  • #​30346 Enhance masking around config-keystore dist/quarkus
  • #​30419 Credential Issuer Metadata: Support Optional ```claims``` Object in ```credential_configurations_supported``` in ```openid-credential-issuer``` endpoint oid4vc
  • #​30445 Batch cluster events
  • #​30454 Server crash when using kc.sh with -Dkeycloak.profile=experimental dist/quarkus
  • #​30525 Enhance Verifiable Credential Signing Service Flexibility and Key Rotation oid4vc
  • #​30537 Document how Admin REST API endpoints work with Hostname config docs
  • #​30542 Use correct scope within maven-plugin core
  • #​30623 Make sure not possible to import jakarta classes in admin-client-jee admin/client-java
  • #​30629 Cleanup dependencies of keycloak-client-registration-api to not have dependency on server admin/client-java
  • #​30707 prevent removing the flow when used by client flow overrides authentication
  • #​30743 Make sure users created through a registration link are managed members organizations
  • #​30746 Allow auto-redirect existing users federated from organization broker when using the username organizations
  • #​30747 Support for members joining multiple organizations organizations
  • #​30829 Print keycloak's server response when using keycloak-admin-client admin/client-js
  • #​30855 Make persistent user sessions and external Infinispan co-exist
  • #​30856 Remove inclusive language foreword docs
  • #​30873 Exchange VC Format class for String constantns oid4vc
  • #​30880 Add vault support to JavaKeystoreKeyProvider core
  • #​30907 Implement advanced verification of SD-JWT in Keycloak oid4vc
  • #​30918 VerifiableCredential: Exchange java.util.Date for java.time.Instant oid4vc
  • #​30924 Keycloak Operator should use the port name and not the port number for the ingress operator
  • #​30931 Enable ProtoStream encoding for External Infinispan feature
  • #​30934 Drop `AuthenticatedClientSessionStore` from user sessions
  • #​30995 Document LDAP connection pool configuration
  • #​30999 Make ProofType for CredentialRequest a string instead of enum oid4vc
  • #​31005 Override of begin transaction in AbstractKeycloakTransaction
  • #​31006 Conditionally redirect existing users to a broker based on their credentials organizations
  • #​31029 Refactor HA guide
  • #​31046 ConditionalRemove interface for External Infinispan feature
  • #​31056 Avoid iterating and updating all group policies when removing groups authorization-services
  • #​31064 Add simple cache to cache-local.xml
  • #​31076 Oauth2GrantType.Context requires getter-methods oidc
  • #​31086 Manipulate redirect on OpenID redirect with custom implementation oidc
  • #​31183 Show Display Name (if available) and Realm Id on Realm Dropdown Button admin/ui
  • #​31226 Release notes for JavaKeystoreProvider updates docs
  • #​31343 Can we remove distribution/feature-packs directory? adapter/jee
  • #​31388 [Organizations] Add a count() method to the OrganizationMembersResource core
  • #​31390 Allow custom login themes to define a footer ftl fragment login/ui
  • #​31438 Support for authenticating and issuing tokens in the context of a organization organizations
  • #​31489 Remove keycloak-undertow-adapter-spi adapter/saml
  • #​31491 Add a deprecation warning when old `KEYCLOAK_ADMIN`, `KEYCLOAK_ADMIN_PASSWORD` env vars are used dist/quarkus
  • #​31513 Support lightweight access tokens for Admin REST API oidc
  • #​31514 Allow Embedded Cache sizes to be configured via the CLI
  • #​31547 Use correct error code in error response in token exchange token-exchange
  • #​31548 Add issued_token_type to token-exchange response token-exchange
  • #​31581 Allow optional inclusion of Issue At TIme (iat) and Not Before (nbf) claim to a verifiable credential oid4vc
  • #​31625 import placeholders should be converted to an option
  • #​31648 Change default name of bootstrap service account dist/quarkus
  • #​31670 Make sure the storage provider ID is always available from `UserModel.getFederationLink`
  • #​31676 Upgrade to Quarkus 3.13.2 dist/quarkus
  • #​31681 Add x5c and jwk header to JWSBuilder oidc
  • #​31699 Optimize Remote Infinispan performance on removal of entry
  • #​31701 Optimize CPU cycles for persistent sessions
  • #​31725 Revoked tokens table is missing an index
  • #​31766 Client Policy - Condition : Client - Client Attribute oidc
  • #​31786 The console takes a very long time to display group members with LDAP provider ldap
  • #​31807 Simplify enabling MULTI_SITE setup in KC26
  • #​31816 Class CertificateUtils should support creation of EC certificates oidc
  • #​31845 JavaScript build should not cache Keycloak Java artifacts and should rotate PNPM cache
  • #​31876 Non clustered Keycloak with External Infinispan feature
  • #​31894 Redirect after cancelling a required action should contain kc_action parameter authentication
  • #​31908 Add docs for the OpenTelemetry tracing docs
  • #​31932 Upgrade to next Quarkus LTS dist/quarkus
  • #​31963 Upgrade to Infinispan 15.0.7.Final
  • #​32023 Add ECDH-ES encyption algorithms to the java keystore key provider core
  • #​32033 References to removed artifacts and obsolete properties in root pom.xml
  • #​32056 OTEL: Service name isn't configurable and doesn't comply with conventions
  • #​32095 OTEL: Dynamic service name for tracing in K8s environment operator
  • #​32131 Remove session related caches from external Infinispan in HA guide
  • #​32158 Add an endpoint to the `organizations` endpoint to return the organizations for a given user organizations
  • #​32188 Quarkus IDE Debugging should set JVM options like kc.sh
  • #​32198 error message "Address already in use" should state which address/port in particular
  • #​32231 OTEL: Profile Feature dist/quarkus
  • #​32265 Enable persistent sessions by default
  • #​32273 Optimize Persistent Sessions SQL for session list
  • #​32312 Relocate Quarkus resteasy-reactive dependencies to REST
  • #​32314 Syslog: add necessary options to cover the major usability dist/quarkus
  • #​32328 Upgrade to Infinispan 15.0.8
  • #​32343 Upgrade Keycloak's sizing guide for KC26 and persistent sessions
  • #​32387 Documentation for persistent sessions enabled by default
  • #​32388 Make update IdentityProvider admin REST API more efficient.
  • #​32389 Upgrade to Quarkus 3.13.3 dist/quarkus
  • #​32416 Skip creating sessions cache when Persistent Sessions is enabled
  • #​32428 Performance optimization when checking secure context
  • #​32517 Upgrade to Quarkus 3.14.2 dist/quarkus
  • #​32525 Document Syslog app-name option
  • #​32579 Set autocomplete="one-time-code" in OTP login form login/ui
  • #​32582 Remove tables `user_session`, `user_session_note` and `client_session`
  • #​32583 Review the number indexes for offline session tables
  • #​32586 Remove keycloak-core and keycloak-crypto-default from SAML galleon feature pack and upgrade them to Java 17 dependencies
  • #​32588 Search Identity Providers by alias or display name
  • #​32590 Remove `version()` projection from Ickle Queries
  • #​32596 Rename `remote-cache` Feature
  • #​32619 Possibility to separately specify log levels for log handlers
  • #​32683 Optimize LogoutEndpoint.backchannelLogout endpoint identity-brokering
  • #​32717 Make it explicit which options are needed when using optimized image with the Operator operator
  • #​32745 Review the RTO and RPO in the multi-site docs after the A/A failure and recovery tests
  • #​32746 Add organization id to the organization claim of the access token
  • #​32803 Update the HA guide with fencing lambda taking Infinispan caches offline
  • #​32804 Remove `org.keycloak.utils.ProxyClassLoader`
  • #​32845 Add client side password policy checks
  • #​32852 Prevent deadlocks on concurrent user updates
  • #​32863 Redirect to relative-path from the root path dist/quarkus
  • #​32906 Reduce the cost of updating user attributes in JPA store core
  • #​32968 [OID4VCI] Show OpenID4VCI Credential Issuer Metadata link in admin ui oid4vc
  • #​32970 Upgrade to Quarkus 3.14.4 dist/quarkus
  • #​33010 Bootstrap admin client should use lightweight access tokens dist/quarkus
  • #​33015 FolderThemeProvider should select theme from available themes core
  • #​33040 Provide more information when there is an error to possibly debug
  • #​33143 Add the Troubleshooting and Health checks guide to Keycloak
  • #​33163 Use INFO Log Level for status in Migration Logic in DefaultMigrationManager
  • #​33201 [Organizations] Allow orgs to define the redirect URI after user registers or accepts invitation link organizations
  • #​33203 Explicitly document that the Operator does not create an Ingress for Admin URL operator
  • #​33325 Refactor loading resources from themes
  • #​33384 Document supported configurations and limitations for multi-site
  • #​33405 Use feature versions for admin3, account3, and login2
  • #​33426 Minor tweaks in SAML documentation adapter/saml
  • #​33515 Use `crypto.randomUUID()` to generate UUIDs for Keycloak JS adapter/javascript

Bugs

  • #​555 Failures in `ExtendAdminConsoleTest` quickstarts
  • #​565 Build fails in the extension quickstarts
  • #​567 Tests in user-storage-simple quickstart are failing in main branch quickstarts
  • #​572 Action-token quickstarts don't compile with latest Keycloak quickstarts
  • #​574 Incorrect Keycloak version in the main branch of quickstarts quickstarts
  • #​595 Jakarta tests are failing with latest main quickstarts
  • #​607 Workflow failure - JavaScript quickstarts
  • #​10730 realm import: error if ldap groupmapper has a group path set import-export
  • #​13505 locale attribute not set after registration authentication
  • #​17857 New Admin UI does not send e-mails if account-client is disabled core
  • #​19070 authBaseUrl error on different hostname-admin-url, hostname-url admin/ui
  • #​20371 Double form submit in Admin UI possible leading to error mesages admin/ui
  • #​20431 Fine-grained admin permission client manage does not work admin/ui
  • #​23028 Documentation: Authorization Services documentation contains duplicated image authorization-services
  • #​23496 Rename "Realm name" field to "Realm ID" field in realm creation screen admin/ui
  • #​25234 front channel logout to clients are not called at Identity Proxy when using front channel logout to Identity Provider( oidc
  • #​25339 "Invalid Username" when "Email as Username" is used and the email contains special characters user-profile
  • #​25440 page-expired error page shown when using browser back-button on forgot-password page after invalid login attempt authentication
  • #​25794 Flaky test: org.keycloak.testsuite.model.DBLockTest#testTwoLocksCurrently storage
  • #​25837 Infinispan Cache(embedded) data is not being updated during mergeView event infinispan
  • #​26042 Issue when start-dev in 23.0.1 dist/quarkus
  • #​26117 Flaky test: org.keycloak.testsuite.oidc.AuthenticationMethodReferenceTest#testAmrPastMaxAge oidc
  • #​26176 Flaky test: org.keycloak.testsuite.forms.RecoveryAuthnCodesAuthenticatorTest#test03AuthenticateRecoveryAuthnCodes authentication
  • #​26435 NullPointerException when using client scope policy for token-exchange token-exchange
  • #​26794 MULTIVALUED_LIST_TYPE not working for client mappers admin/ui
  • #​27506 Readable realm name no longer visible in logs, but realm id is used instead core
  • #​27536 "User Profile" attributes not available for Users Attribute search and Attribute selection, if no view or manage realm realm-management role added account/ui
  • #​27677 Translations missing for user events in admin ui translations
  • #​27941 Entry 999.0.0 in MIGRATION_MODEL prevents future migrations of the database core
  • #​28020 Firefox Webauthn Registration "SecurityError: The operation is insecure." authentication/webauthn
  • #​28418 SSO Session Idle: session is still active after session idle time expired oidc
  • #​28489 Missing help text on tokens tab admin/ui
  • #​28633 Client roles won't open (Forbidden) with Fine Grained Permission (without view-clients realm-management role) account/ui
  • #​28643 Encountering `NullPointerException` - `KeycloakIdentity.getUserFromToken()` when running `admin-ui` locally admin/ui
  • #​28865 NullPointerException on RealmCacheSession when upgrading Keycloak 23.0.4 to 24.0.2 infinispan
  • #​28953 Flaky test: org.keycloak.testsuite.actions.RequiredActionUpdateProfileTest#updateProfileWithoutRemoveCustomAttributes ci
  • #​29098 User profile validation pattern error-message not rendered from messages_en.properties admin/ui
  • #​29211 Network error attempting to view default realm roles without permissions admin/ui
  • #​29271 TrustedHostClientRegistrationPolicyTest#testGithubDomain failing in clean checkout testsuite
  • #​29385 Restart authentication event type is not generated authentication
  • #​29407 Need refresh attributes group translations on Users > Details tab admin/ui
  • #​29413 Realm client unset protocol not preserved admin/ui
  • #​29468 realm_settings_general_tab_test.spec fails randomly admin/ui
  • #​29486 Default theme logs font related console errors on firefox login/ui
  • #​29542 The EmailEventListenerProvider throws an exception on brute force lockout events authentication
  • #​29566 User Profile attributes/groups in Admin UI are not translated using Localization for non-master realm when signed in the master realm account/ui
  • #​29615 Get effective roles for user needs more privileges than expected admin/api
  • #​29761 bug: disabling all default features no longer works core
  • #​29784 Exception while trying to run a LDAP sync with a group importer and a batch size less than the actual number of groups ldap
  • #​29866 Missing Cache-Control header when "response_type" parameter is missing in login request authentication
  • #​29878 Updating a client protocol mappers through Admin CLI (kcadm) resets the client service account roles admin/cli
  • #​29978 Admin UI slow performance loading 600+ realms admin/ui
  • #​30048 Save button is not activated at first modification on "Client scope details" admin/ui
  • #​30111 Flaky test: org.keycloak.testsuite.oauth.TokenIntrospectionTest#testUnsupportedToken ci
  • #​30115 Admin v2 theme - theme.properties Custom theme scripts not loading admin/ui
  • #​30143 User in subgroup not synchronized and still appears as not in the subgroup account/ui
  • #​30181 [DPoP] token_type on UserInfoEndpoint expects Bearer instead of DPoP oidc
  • #​30188 Flaky test: org.keycloak.testsuite.broker.KcOidcBrokerTest#testPostBrokerLoginFlowWithOTP_bruteForceEnabled ci
  • #​30201 Keycloak CI - failure in Store IT (aurora-postgres) ci
  • #​30235 Flaky test: org.keycloak.testsuite.model.user.UserModelTest#testAddRemoveUserConcurrent ci
  • #​30236 Flaky test: org.keycloak.testsuite.model.user.UserModelTest#testAddRemoveUserConcurrent ci
  • #​30240 Custom attributes are removed during UPDATE PROFILE event core
  • #​30271 Client role descriptions are not localized admin/ui
  • #​30276 The "Quarkus development mode" instructions in quarkus/README.md throw a ForkJoinPool error dist/quarkus
  • #​30284 Executor consent-required does not work for client-roles condition oidc
  • #​30300 Upgrade to Keycloak 25 - Table 'USER_CONSENT' is specified twice on MySQL/MariaDB database core
  • #​30302 Methods of SimpleHttp are after change now too much protected core
  • #​30305 Importing organizations failing if there is no broker and members in the representation organizations
  • #​30306 Upgrade to Keycloak 25 - Events bug in UI admin/ui
  • #​30308 Organization resources in keycloak-admin-client-jee have dependencies on jakarta admin/client-java
  • #​30312 Add an alias to organization organizations
  • #​30313 Expose organization to theme templates organizations
  • #​30329 Client secret rotation UI shows wrong rotated secret admin/ui
  • #​30332 Operator fails to patch ingress after update to 25.0.0 operator
  • #​30334 RESTART_AUTHENTICATION_ERROR when login in in private browser window after 25.0.0 update core
  • #​30335 Google login on Social login test is failing ci
  • #​30339 Identity-first login flow should be followed by asking for the user credentials rather than allowing providing the username again organizations
  • #​30351 Migration of sessions in KC25 should run only on migration, not on imports
  • #​30355 New operator failing on health checks operator
  • #​30368 Documentation : label error for persistent-user-sessions feature flag docs
  • #​30380 Incorrect warning log about deprecated options hostname, hostname-debug dist/quarkus
  • #​30383 Account Console (v3) no longer highlights the current page in the nav bar account/ui
  • #​30414 Login / Admin events filter by date under realm Events return incorrect results storage
  • #​30417 Keycloak 25 db guide shows unevaluated "ifeval docs
  • #​30425 Built-in scopes are not translated in the account console "applications" tab account/ui
  • #​30432 keycloak hostname:v2 /admin used on "hostname" instead of "hostname-admin" admin/ui
  • #​30434 Improvements for ldap test authentication ldap
  • #​30436 Client Roles are not shown when clientId property is set admin/ui
  • #​30440 UI theme bug in KC 25.0.0 admin/ui
  • #​30449 Migration stuck if versions incompatible operator
  • #​30460 The `start` command should automatically re-build when previous run was `start-dev` dist/quarkus
  • #​30476 All user attributes readonly in admin ui and admin API after setting edit mode of one user federation to READ_ONLY core
  • #​30485 Fix LoginFailureEntity protostream encoding infinispan
  • #​30492 partial_import_test fails randomly admin/ui
  • #​30511 Fix AuthenticatedClientSessionEntity protostream encoding infinispan
  • #​30520 Flow steps back when changing locale or refreshing page on "Try another way page" authentication
  • #​30521 "Client Offline Session Max" no longer available admin/ui
  • #​30541 Account UI resources try to load from admin path instead of frontend path account/ui
  • #​30550 [UI] group selection does not update attribute tab admin/ui
  • #​30552 After migrating from 24 to 25, the signature algorithms names do not display in drop down menu admin/ui
  • #​30582 Localization prevents update of user-profile attributes admin/ui
  • #​30591 Invalid character in spanish translation file for Identity Provider Link Template translations
  • #​30599 client-jwt authentication fails on Token Introspection Endpoint oidc
  • #​30604 Network response was not OK. saml
  • #​30614 token exchange: exchange-sequence fails with Client session for client 'client-exchanger' not present in user session token-exchange
  • #​30641 Flaky test: org.keycloak.testsuite.broker.KcSamlBrokerTest#testPostBrokerLoginFlowWithOTP_bruteForceEnabled ci
  • #​30652 Default server port is used instead of the management interface port in the guide about running Keycloak in a container
  • #​30662 User policy -> select user shows user id instead of user name. admin/ui
  • #​30663 A theme called `custom` is displayed as `Custom Attribute...` in the admin console admin/ui
  • #​30677 LDAP connection pool params(maxsize, initsize, prefsize) picked up from backend ComponentModel and are not visible in Keycloak admin console ldap
  • #​30678 Require SSL mode "External requests" does not work with IPv6 local addresses dist/quarkus
  • #​30683 Infinite loader on the admin console for non-admin users admin/ui
  • #​30703 Recovery codes missing from account console docs
  • #​30705 Full details of errors not shown in admin and account console account/ui
  • #​30706 Internal error occurs for the removed flow which override by the client authentication
  • #​30712 Remove of Multivalued Attribute due to - Adding translations when a new attribute is created admin/ui
  • #​30717 Broken external links docs
  • #​30730 Cannot explicitly disable KERBEROS feature core
  • #​30758 Docs: server_admin/topics/login-settings/acr-to-loa-mapping.adoc docs
  • #​30761 Protobuf deserialization has a default of an empty String core
  • #​30765 fallback to the no override flow when the flow is missing in client override authentication
  • #​30772 Rendering of granted client scopes in User Consents view broken in Admin UI admin/ui
  • #​30794 Filtering by Client ID in the "User Client Role" mapper does not work anymore admin/ui
  • #​30816 Docs: server_development/topics/themes.adoc docs
  • #​30821 Testing connection to ldap on the settings page does not work in 25.0.1 ldap
  • #​30837 Cannot find requested client with clientId ldap
  • #​30840 Incorrect order when instantiate ClientRemovedEvent infinispan
  • #​30857 Check for being Offline type in refresh token flow must be done based on refresh token request parameter oidc
  • #​30866 admin-cli invalid credentials admin/cli
  • #​30874 DPoP Keycloak JS Adapter docs
  • #​30917 reCAPTCHA Enterprise v3 - Unrecognized field "accountDefenderAssessment" core
  • #​30935 Incorrect version comparison in ModelVersion storage
  • #​30941 Fix docs about User Storage SPI JPA quickstart docs
  • #​30945 Keycloak operator adds proxy by default which is deprecated operator
  • #​30947 Error when trying to edit authentication sub-flow name / description admin/ui
  • #​30967 Keycloak is not working in IBM AIX OS. dist/quarkus
  • #​30969 Brute force protection: Lockout permanently uses parameters configured under lockout temporarily core
  • #​30992 Realm cannot be deleted if there are tons of consents storage
  • #​31001 User Federation settings changing when saving admin/ui
  • #​31014 "Verify Email" may cause other Required Actions to be ignored authentication
  • #​31021 Styling of recovery codes seems wrong login/ui
  • #​31023 Keycloak 25 - protocol_mapper_config stores client_uid in usermodel.clientRoleMapping.clientId instead of client_id admin/ui
  • #​31038 Home URL for account-console / security-admin-console broken in admin-ui admin/ui
  • #​31040 Cannot reorder custom auth flow executions in admin-ui admin/ui
  • #​31045 Users cache clears after creating client scope. infinispan
  • #​31050 Caching docs should name parameter runtime parameters, not build parameters docs
  • #​31062 Updating dynamically registered client's metadata drops `preferred_username` from ID token core
  • #​31070 Search doesn't work for nested groups admin/ui
  • #​31083 Docs: server_admin/topics/admin-console-permissions/fine-grain.adoc authorization-services
  • #​31085 MULTIVALUED_STRING_TYPE not displaying 1 value while more than 1 value is working fine admin/ui
  • #​31107 Not able to remove otp credential of user account/api
  • #​31111 inputOptionLabelsI18nPrefix is take into consideration only for login-ui account/ui
  • #​31115 Review filtering of session returned from the sessions cache core
  • #​31143 KC.ORG user attribute shown - even if the organizations feature for the realm is disabled admin/ui
  • #​31144 "Can not update organization group" error when trying to create organisation from REST API organizations
  • #​31153 Cannot set unmanagedAttributePolicy without profile attributes admin/api
  • #​31161 Keycloak 25: Only first required action is executed core
  • #​31165 Re-enabling a temporarily locked user (brute-force) deletes all user properties and attributes admin/ui
  • #​31166 A lot (really!) dropdown/select fields in admin-ui remain open after selecting an action/entry. admin/ui
  • #​31167 After creating a new authentication flow and returning to the list, the "Used by" column displays "flow.undefined" admin/ui
  • #​31169 Wrong Sync Mode of newly created external IdentityProvider admin/api
  • #​31171 Single use tokens, like action tokens, has a claim `expiration` core
  • #​31182 Realm export - duplicated elements in browser flow. Organization user must click login button multiple times. import-export
  • #​31187 Recaptcha links changed in the Google Docs docs
  • #​31196 The check for userdn in test ldap should consider that AD proxy user can be in non DN format ldap
  • #​31204 Bruteforce protector does not work when using organizations organizations
  • #​31216 #kc-form-options div not wrapping its content correctly in login-password.ftl login/ui
  • #​31218 Clarify if JGroups thread metrics can be shown with embedded Infinispan
  • #​31219 [Docs] Broken link in Server Admin guide for JWT_Auth wiki docs
  • #​31224 Offline tokens created in Keycloak 9 will not work on Keycloak 25 oidc
  • #​31228 Userprofile/Translation: user attribute cannot be saved because no translation was (even though it is present) admin/ui
  • #​31240 Can't update the user where userName contains uppercase letters core
  • #​31244 IdP redirect URL shows hostname_admin admin/ui
  • #​31246 All public brokers are shown during authentication rather than only those associated with the current organization organizations
  • #​31260 Download of Recovery Codes broken. File contains no Recovery Codes. login/ui
  • #​31267 multiple ldap url's not working on one realm ldap
  • #​31276 Account console won't load when using URL having a path as hostname config account/ui
  • #​31291 Inconsistent casing of built-in flow descriptions core
  • #​31296 Revoke access tokens for persistent user sessions storage
  • #​31304 Hide save / update buttons in account console for READ_ONLY federated accounts account/ui
  • #​31319 keycloak.v2 broken in main login/ui
  • #​31341 Keycloak URL for Brokerage in Admin UI still suggests "/realms" in the path admin/ui
  • #​31368 logging-pattern failure in token-exchange token-exchange
  • #​31386 Joining group for user doesn't list correct number of groups admin/ui
  • #​31410 call to group-by-path does not return subGroupCount admin/api
  • #​31413 Wrong command in exposing metrics from caches section docs
  • #​31420 Seeing `Client cannot marshall the server's key media type` with external Infinispan after 25 upgrade infinispan
  • #​31444 keycloak Public Client secret are updated frequently admin/api
  • #​31466 Duplicate Key "validatingX509CertsHelp" in admin-ui messages admin/ui
  • #​31480 dynamic MultiValuedListComponent default value not stringified admin/ui
  • #​31515 Export users throws Disabled option: '--users' in v25 import-export
  • #​31519 Admin API extremely slow with service account and fine-grained authorization `view-users` admin/fine-grained-permissions
  • #​31537 Creating client roles with fine grained permissions is not possible admin/fine-grained-permissions
  • #​31545 Event tables have broken aria-labels admin/ui
  • #​31558 MSSQL test container can't start ci
  • #​31563 Link existing account to SSO by email not linking since v23 login/ui
  • #​31575 AdvancedClaimToGroupMapper throws Exception if no claims are configured identity-brokering
  • #​31585 Credential offer endpoint fails with 500 when bearer token has expired oid4vc
  • #​31592 Description field for roles creation could be better instead of ${} values admin/ui
  • #​31595 Misconfiguration of login settings causes login to not be possible admin/api
  • #​31598 CURL commands in build don't check the response code ci
  • #​31603 Can't delete kerberos user storage
  • #​31612 Store Model Tests (jpa+cross-dc-infinispan+persistentsessions) - org.keycloak.testsuite.model.session.SessionTimeoutsTest infinispan
  • #​31614 Endpoint /admin/users Degradation Based on Role admin/fine-grained-permissions
  • #​31633 localization not work with user attribute display name in users add admin/ui
  • #​31640 Admin Console Spins with hostname:v2 using security-admin-console Redirect URIs docs
  • #​31687 "Use metadata descriptor URL" switch is always set to "On" admin/ui
  • #​31704 ID is used as tab name instead of localized string admin/ui
  • #​31712 The OID4VCI cross-device flow should not require the device to have an access token oid4vc
  • #​31718 Documentation for `Delete Credential` action and related changes authentication
  • #​31760 Persist revoke tokens with remote cache feature storage
  • #​31780 SAML IdP configure does not parse IdP metadata.xml correctly saml
  • #​31781 Keycloak 25 SAML IdP has made Single Logout URL mandatory. saml
  • #​31818 Management Interface is turned on even though nothing is exposed on it dist/quarkus
  • #​31823 Ignoring JWK key Missing required field 'use' still happens in keycloak version 25.02 identity-brokering
  • #​31828 EmbeddedInfinispanSplitBrainTest fails with "IllegalState Session not bound to a realm" core
  • #​31829 Deleted authentication sessions should not be re-surrected with an update core
  • #​31858 Custom component persist only some config keys admin/api
  • #​31864 Certificate-Generation with EC signing RSA and vice versa does not work oidc
  • #​31881 Flaky test: org.keycloak.testsuite.forms.BruteForceTest#testRaceAttackPermanentLockout ci
  • #​31882 Realm roles that do not exist are displayed in "Default roles" when "Hide inherited roles" is not checked admin/ui
  • #​31892 Client secret is visible in Admin event representation when Credentials Reset action performed for the Client. admin/api
  • #​31893 In realm role ellipsis value is null admin/ui
  • #​31918 Network error attempting to view events without permissions admin/ui
  • #​31929 Network error attempting to view user registration without permissions admin/ui
  • #​31931 Failure to generate Ed448 token authentication
  • #​31941 Cache guide does not properly print `cache-stack` values docs
  • #​31944 Filter organization brokers in the account console organizations
  • #​31947 Fix server guide cross-references for downstream docs docs
  • #​31956 Admin console not usable when instance has a 1000 realms admin/ui
  • #​31972 Unstable test ExternalInfinispanTest testsuite
  • #​32016 `My password` string in `Signing in` page not getting translated in `keycloak.v3 account` theme account/ui
  • #​32025 Not possible to import realm with newest Java admin-client against Keycloak 24 admin/client-java
  • #​32059 Look around window cannot be set to 0 admin/ui
  • #​32084 SAML adapter IdMapperUpdaterSessionListener not executed when session ID changes adapter/saml
  • #​32100 Remember Me with External Infinispan is not works properly infinispan
  • #​32108 [Scalability of IDPs] Follow up: ensure organization aware IdentityProviderModel is used in the infinispan IDPProvider
  • #​32117 Impossible to import RolePolicy with newest admin-client against Keycloak 24 admin/client-java
  • #​32127 Offline session bug on 25.0.2 core
  • #​32136 Missing TypeScript `populateHierarchy` param for keycloak admin client admin/client-js
  • #​32150 Session list doesn't handle non-existing client gracefully core
  • #​32153 Remote Infinispan code must not call JPA code in non-blocking thread core
  • #​32156 SingleSelect-kind readonly attribute is not disabled in account console account/ui
  • #​32176 Bootstrap options missing from help dist/quarkus
  • #​32178 Table names for persistent sessions upgrading guide is wrong docs
  • #​32180 Session list not appearing: SQL Error "The incoming request has too many parameters"
  • #​32182 `show-config` command outputs duplicate options dist/quarkus
  • #​32194 UserRemovedEvent does not contain all user attributes infinispan
  • #​32195 Migration to persistent sessions fails from Keycloak version <22 storage
  • #​32197 Keycloak reuses AUTH_SESSION_ID of logged out sessions login/ui
  • #​32205 Endpoint configurations shows hostname_admin admin/ui
  • #​32238 Brokers associated with organization not filtered when linking brokers with an organization organizations
  • #​32256 Flaky test: org.keycloak.testsuite.forms.BruteForceTest#testRaceAttackPermanentLockout ci
  • #​32259 [Keycloak CI] - AuroraDB IT fails to start on EC2 due to lack of entropy regression storage
  • #​32305 Temporary admin account notice logged to org.keycloak.events dist/quarkus
  • #​32333 Legacy `KEYCLOAK_ADMIN` environment variable is not working dist/quarkus
  • #​32368 KeycloakRealmImport not working with Istio service mesh operator
  • #​32392 Validate organization alias for forbidden chars organizations
  • #​32402 Additional datasources do not work dist/quarkus
  • #​32415 Missing translations for required action webauthn-register login/ui
  • #​32419 Joining group with text filter does not show all results even if backend returned them admin/ui
  • #​32425 Duplicate message keys in admin messages_en.properties admin/ui
  • #​32435 Multiple Logout Confirmation Actions Trigger NullPointerExceptions core
  • #​32451 Wildcard search not working for custom user attributes admin/api
  • #​32460 When Organization feature is enabled UserAdapter.getGroupsCount() returns wrong result organizations
  • #​32465 SocialLoginTest failing after switching to the new IDP Provider
  • #​32468 Warning Banner for Temporary Admin User shouldn't be placed under breadcrumbs admin/ui
  • #​32473 Flaky test: org.keycloak.testsuite.webauthn.WebAuthnIdlessTest#testWebAuthnIDLessAndWebAuthnAndWebAuthnPasswordlessLogin ci
  • #​32477 Flaky test: org.keycloak.testsuite.forms.ResetPasswordTest#resetPasswordWrongSmtp ci
  • #​32478 Flaky test: org.keycloak.testsuite.forms.ResetPasswordTest#resetPasswordWithPasswordHistoryPolicy ci
  • #​32481 Drag & drop issue with the step order in the Authentication settings of the Admin Console admin/ui
  • #​32486 Identity Provider secret visible in Organization tab (API request) organizations
  • #​32492 Welcome screen logo is bigger than the one on login welcome/ui
  • #​32498 Flaky test BruteForceTest.testPermanentLockout() core
  • #​32503 Flaky test: org.keycloak.testsuite.webauthn.WebAuthnTransportsTest#internalTransport ci
  • #​32510 Login v2 username form login/ui
  • #​32512 [Keycloak CI] - BruteForceTest.testPermanentLockout failures login/ui
  • #​32513 [Keycloak CI] - OrganizationBruteForceTest.testPermanentLockout failures login/ui
  • #​32514 [Keycloak CI] - ResetPasswordTest.resetPasswordExpiredCode failures login/ui
  • #​32515 Invalid client data in /login-actions/authenticate causes an uncaught server error and a HTTP 500 response code authentication
  • #​32531 Cannot invoke "org.keycloak.authentication.RequiredActionFactory.isConfigurable()" because "factory" is null account/ui
  • #​32533 Admin UI messages sometimes miss details, and sometimes refer to details in the logs which are missing admin/ui
  • #​32541 Flaky test: org.keycloak.testsuite.forms.ResetPasswordTest#resetPasswordLinkNewTabAndProperRedirectClient ci
  • #​32542 Flaky test: org.keycloak.testsuite.forms.ResetPasswordTest#resetPasswordLinkNewBrowserSessionPreserveClient ci
  • #​32544 Multiple bugs in the experimental UiTabProvider / UiTabProviderFactory admin/ui
  • #​32546 "Include Client Audience" field is not mandatory admin/ui
  • #​32547 The set value ‘Default Admin-Initiated Action Lifespan’ has no effect on the ‘Credential Reset’ form admin/ui
  • #​32548 Flaky test: org.keycloak.testsuite.webauthn.registration.UserVerificationRegisterTest#required ci
  • #​32554 CRDs for the Operator are generated multiple times during the build operator
  • #​32605 Flaky test: org.keycloak.testsuite.webauthn.WebAuthnTransportsTest#nfcTransport ci
  • #​32606 Flaky test: org.keycloak.testsuite.webauthn.WebAuthnTransportsTest#bluetoothTransport ci
  • #​32609 Continuous loading screen instead of access denied on account info page account/ui
  • #​32615 Forms IT (chrome) ResetOtpTest fail testsuite
  • #​32622 InvalidDestination Error for IDP-initiated SSO with Keycloak behind a Reverse Proxy saml
  • #​32623 OAuth login error with custom scheme oidc
  • #​32624 "Authentication" Link in Admin Portal Fails with 400 Bad Request After Migrating to Version 25 admin/ui
  • #​32641 Help text under text field admin/ui
  • #​32643 Dots are not allowed in the path in Hostname v2 dist/quarkus
  • #​32678 Flaky test: org.keycloak.testsuite.forms.ResetPasswordTest#resetPasswordBeforeUserIsDisabled ci
  • #​32689 Unable to import master realm with --import-realm dist/quarkus
  • #​32698 On backchannel logout, a user ID with a dot on the broker side breaks the logout by user core
  • #​32731 KeyCloak Admin Client uses non-standard `@NoCache` annotation which is an issue for Quarkus admin/client-java
  • #​32736 In the account console when I update the password the referrer disappears account/ui
  • #​32755 Leftover code in login-passkeys-conditional-authenticate.ftl login/ui
  • #​32758 Keycloak admin console interface is out of screen admin/ui
  • #​32761 The endpoint /admin/realms/{{realm}}/groups/{{group-id}}/members potentially fetch all user in database admin/api
  • #​32764 When forcing re-authentication by passing maxAge value as 0 does not work adapter/javascript
  • #​32770 Adapters backward compatibility tests are failing ci
  • #​32782 `@noble/hashes/sha256` is bundled into Keycloak JS adapter/javascript
  • #​32784 Flaky test: org.keycloak.testsuite.url.HostnameV2Test ci
  • #​32789 CVE-2024-7318 - Use of a Key Past its Expiration Date in org.keycloak:keycloak-core
  • #​32798 Custom theme and not existing image: error 500 (No enum constant org.keycloak.theme.Theme.Type.IMG) login/ui
  • #​32799 Realm import fails when client configures default_acr values import-export
  • #​32802 Lightweight access token is not working for bootstrap admin client oidc
  • #​32817 Error when deploying SAML application with the keys in PEM format inside keycloak-saml.xml adapter/saml
  • #​32829 Login V2 theme: Pages specify fewer tabindex entries login/ui
  • #​32830 Login v2 theme: Auto-focus on input fields no longer working and autocomplete changed login/ui
  • #​32833 TOTP QR codes broken when realm display name contains colon character core
  • #​32834 Admin UI does not display admin events expiration admin/ui
  • #​32860 Database index creation isn’t skipped on large data sets in Keycloak 24 storage
  • #​32870 Increased DB activity due to changes in LDAPStorageManager.searchForUserByUserAttributeStream ldap
  • #​32880 Flaky test: org.keycloak.testsuite.forms.RegisterTest#registerExistingEmailAllowed ci
  • #​32881 Flaky test: org.keycloak.testsuite.forms.RegisterTest#registerUserNotContainsUsernamePasswordPolicy ci
  • #​32891 Exceptions on X509 authentication are logged without a stack trace core
  • #​32892 [Store Model Test] Failed test org.keycloak.testsuite.model.session.UserSessionPersisterProviderTest#testOnRealmRemoved ci
  • #​32896 Inconsistency of the access token iat after setting the time offset in the test suite authentication
  • #​32915 Administrator username changed in master realm after configuring email address for SMTP connection test for another realm with "Email as username" enabled admin/ui
  • #​32916 Device activity client name translations account/ui
  • #​32923 Flaky test: org.keycloak.testsuite.webauthn.WebAuthnTransportsTest#usbTransport ci
  • #​32930 Flaky test: org.keycloak.testsuite.forms.RegisterWithUserProfileTest#testAttributeInputTypes ci
  • #​32939 Flaky test: org.keycloak.testsuite.webauthn.WebAuthnIdlessTest#testWebAuthnIDLessWithNonResidentCredentialLogin ci
  • #​32942 Flaky test: org.keycloak.testsuite.broker.KcOidcBrokerTest#testPostBrokerLoginFlowWithOTP_bruteForceEnabled ci
  • #​32984 Application names are not taking realm overrides into account account/ui
  • #​33011 Admin bootstrap client should not have standard flow enabled dist/quarkus
  • #​33023 Documentation CI is failing on broken links docs
  • #​33037 Flaky test: org.keycloak.testsuite.webauthn.registration.UserVerificationRegisterTest#discouraged ci
  • #​33044 Next page not working for "Localization --> Realm overrides" admin/ui
  • #​33054 Identity-first login screen has broken IDP icons admin/ui
  • #​33058 Clusterless feature is not tested in Model tests testsuite
  • #​33060 Tests are showing exception while trying to import admin user after organizations were enabled by default testsuite
  • #​33064 Action expired error occurs when accessing regular registration page with Organizations enabled organizations
  • #​33095 The "Valid redirect URIs" field is not displayed when the "Standard flow" is unchecked admin/ui
  • #​33109 Infinite loop when accessing account management console account/ui
  • #​33115 CVE-2024-8883 Vulnerable Redirect URI Validation Results in Open Redirect
  • #​33116 CVE-2024-8698 Improper Verification of SAML Responses Leading to Privilege Escalation in Keycloak
  • #​33156 CVE-2024-7254 - Stack-based Buffer Overflow in com.google.protobuf:protobuf-java dist/quarkus
  • #​33172 Deprecation of https-trust-store-* weakens X509 browser authentication authentication
  • #​33207 [Organizations] Preserve org id in exported realms core
  • #​33224 [Keycloak CI] - Quarkus IT - StartCommandDistTest.testStartUsingAutoBuild ci
  • #​33231 [Keycloak CI] - User Federation Tests - LDAPSamlIdPInitiatedVaryingLetterCaseTest ci
  • #​33246 Unable to start Keycloak when metrics are enabled dist/quarkus
  • #​33296 Migrating to a FIPS environment disallows all users from logging in authentication
  • #​33300 Organization UI is overriding the alias with the org name when user navigates to another tab admin/ui
  • #​33307 XA Transaction recovery support is enabled even though transaction-xa-enabled is false dist/quarkus
  • #​33330 "somethingWentWrong" when opening Keycloak URL in unsecure context login/ui
  • #​33331 Performance drop in cpuUsageForLoginsTest since 19.09.2024
  • #​33336 Changing locale on passwordless or custom login flow does not work login/ui
  • #​33342 Duplicate entry "duplicate" in Admin UI message properties admin/ui
  • #​33347 Hostname v2 should enforce hostname is a full url if hostname-admin is used dist/quarkus
  • #​33351 Wrong release notes for Login v1 theme deprecation login/ui
  • #​33353 Performance regression when Organisations feature is enabled
  • #​33355 ID token from refresh_token flow does not contain nonce even when using Nonce backwards compatible mapper oidc
  • #​33362 Flaky test: org.keycloak.testsuite.webauthn.registration.UserVerificationRegisterTest#preferredVerificationWrong ci
  • #​33389 Banner is not wrapping properly admin/ui
  • #​33390 Creating clientAttributesCondition in some client policy breaks the login to the realm authentication
  • #​33412 User specific organisation entries shouldn't be placed in the realm cache core
  • #​33415 Organization brokers should be hidden on login pages by default organizations
  • #​33424 Organization data is cached for each user even if realm never enabled organizations organizations
  • #​33439 Avoid caching `RealmModel` in `CachedOrganization` organizations
  • #​33440 Test group_test.spec.ts Duplicate group fails repeatedly testsuite
  • #​33461 AWS Lambda description for HA setup doesn't reflect latest changes for failure policy core
  • #​33467 The "Client Secret" field does not expand to display the entire secret value admin/ui
  • #​33508 Can't load theme resources on Windows core
  • #​33517 Issue when running tests from IDE on embedded undertow ( org.jboss.threads.EnhancedQueueExecutor$Builder.setKeepAliveTime(java.time.Duration) ) testsuite

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

Infinispan as cache - Part 1 </li> <li><a href="https://github.com/keycloak/keycloak/issues/28311">#&#8203;28311</a> Detect clients which refresh their access tokens too early </li> <li><a href="https://github.com/keycloak/keycloak/issues/28581">#&#8203;28581</a> Support OpenTelemetry tracing </li> <li><a href="https://github.com/keycloak/keycloak/issues/28648">#&#8203;28648</a> External Infinispan as cache - Part 2 </li> <li><a href="https://github.com/keycloak/keycloak/issues/28754">#&#8203;28754</a> External Infinispan as cache - Part 3 / login failures cache </li> <li><a href="https://github.com/keycloak/keycloak/issues/28755">#&#8203;28755</a> External Infinispan as cache - Part 4 / user + client sessions online + offline </li> <li><a href="https://github.com/keycloak/keycloak/issues/29200">#&#8203;29200</a> Clarify import/export usage of options </li> <li><a href="https://github.com/keycloak/keycloak/issues/29258">#&#8203;29258</a> Support pod affinity settings in the Keycloak Operator <code>operator</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/29303">#&#8203;29303</a> Active/Active XSite fencing </li> <li><a href="https://github.com/keycloak/keycloak/issues/29394">#&#8203;29394</a> Infinispan Protostream </li> <li><a href="https://github.com/keycloak/keycloak/issues/29480">#&#8203;29480</a> GET users endpoint is making lots of requests to the database <code>storage</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/29665">#&#8203;29665</a> Please clarify in the docs that the replacement of KC_PROXY=edge is not just KC_PROXY_HEADERS, but one MUST set KC_HTTP_ENABLED=true. 
</li> <li><a href="https://github.com/keycloak/keycloak/issues/29698">#&#8203;29698</a> Improve SAML2 Metadata Validation Exception messages <code>saml</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/29725">#&#8203;29725</a> VC issuance in Authz Code flow with considering “scope” parameter <code>oid4vc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/29974">#&#8203;29974</a> Add support of RTL UI in login pages <code>login/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/29986">#&#8203;29986</a> private AuthzClient.createPatSupplier </li> <li><a href="https://github.com/keycloak/keycloak/issues/30003">#&#8203;30003</a> Bootstrapping an admin user or service account at server startup <code>dist/quarkus</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30004">#&#8203;30004</a> Bootstrapping an admin user or service account using the Operator <code>operator</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30010">#&#8203;30010</a> Update the welcome page to create a temporary admin user <code>dist/quarkus</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30094">#&#8203;30094</a> Do not inherit 'https-client-auth' property for the management interface </li> <li><a href="https://github.com/keycloak/keycloak/issues/30118">#&#8203;30118</a> Admin UI - Fixed save buttons on the bottom at the page </li> <li><a href="https://github.com/keycloak/keycloak/issues/30165">#&#8203;30165</a> Handle proxy related env vars in the Operator <code>operator</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30243">#&#8203;30243</a> Protobuf schema compatibility check (maven plugin) </li> <li><a href="https://github.com/keycloak/keycloak/issues/30267">#&#8203;30267</a> Protect the disabling of the main keycloak account <code>admin/api</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30286">#&#8203;30286</a> Add missing translation 
for oid4vc protocol </li> <li><a href="https://github.com/keycloak/keycloak/issues/30337">#&#8203;30337</a> Introduce packages for organization tests <code>organizations</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30338">#&#8203;30338</a> Refactor organization tests <code>organizations</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30346">#&#8203;30346</a> Enhance masking around config-keystore <code>dist/quarkus</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30419">#&#8203;30419</a> Credential Issuer Metadata: Support Optional ```claims``` Object in ```credential_configurations_supported``` in ```openid-credential-issuer``` endpoint <code>oid4vc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30445">#&#8203;30445</a> Batch cluster events </li> <li><a href="https://github.com/keycloak/keycloak/issues/30454">#&#8203;30454</a> Server crash when using kc.sh with -Dkeycloak.profile=experimental <code>dist/quarkus</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30525">#&#8203;30525</a> Enhance Verifiable Credential Signing Service Flexibility and Key Rotation <code>oid4vc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30537">#&#8203;30537</a> Document how Admin REST API endpoints work with Hostname config <code>docs</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30542">#&#8203;30542</a> Use correct scope within maven-plugin <code>core</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30623">#&#8203;30623</a> Make sure not possible to import jakarta classes in admin-client-jee <code>admin/client-java</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30629">#&#8203;30629</a> Cleanup dependencies of keycloak-client-registration-api to not have dependency on server <code>admin/client-java</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30707">#&#8203;30707</a> 
prevent removing the flow when used by client flow overrides <code>authentication</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30743">#&#8203;30743</a> Make sure users created through a registration link are managed members <code>organizations</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30746">#&#8203;30746</a> Allow auto-redirect existing users federated from organization broker when using the username <code>organizations</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30747">#&#8203;30747</a> Support for members joining multiple organizations <code>organizations</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30829">#&#8203;30829</a> Print keycloak's server response when using keycloak-admin-client <code>admin/client-js</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30855">#&#8203;30855</a> Make persistent user sessions and external Infinispan co-exist </li> <li><a href="https://github.com/keycloak/keycloak/issues/30856">#&#8203;30856</a> Remove inclusive language foreword <code>docs</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30873">#&#8203;30873</a> Exchange VC Format class for String constants <code>oid4vc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30880">#&#8203;30880</a> Add vault support to JavaKeystoreKeyProvider <code>core</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30907">#&#8203;30907</a> Implement advanced verification of SD-JWT in Keycloak <code>oid4vc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30918">#&#8203;30918</a> VerifiableCredential: Exchange java.util.Date for java.time.Instant <code>oid4vc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30924">#&#8203;30924</a> Keycloak Operator should use the port name and not the port number for the ingress <code>operator</code></li> <li><a 
href="https://github.com/keycloak/keycloak/issues/30931">#&#8203;30931</a> Enable ProtoStream encoding for External Infinispan feature </li> <li><a href="https://github.com/keycloak/keycloak/issues/30934">#&#8203;30934</a> Drop `AuthenticatedClientSessionStore` from user sessions </li> <li><a href="https://github.com/keycloak/keycloak/issues/30995">#&#8203;30995</a> Document LDAP connection pool configuration </li> <li><a href="https://github.com/keycloak/keycloak/issues/30999">#&#8203;30999</a> Make ProofType for CredentialRequest a string instead of enum <code>oid4vc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/31005">#&#8203;31005</a> Override of begin transaction in AbstractKeycloakTransaction </li> <li><a href="https://github.com/keycloak/keycloak/issues/31006">#&#8203;31006</a> Conditionally redirect existing users to a broker based on their credentials <code>organizations</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/31029">#&#8203;31029</a> Refactor HA guide </li> <li><a href="https://github.com/keycloak/keycloak/issues/31046">#&#8203;31046</a> ConditionalRemove interface for External Infinispan feature </li> <li><a href="https://github.com/keycloak/keycloak/issues/31056">#&#8203;31056</a> Avoid iterating and updating all group policies when removing groups <code>authorization-services</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/31064">#&#8203;31064</a> Add simple cache to cache-local.xml </li> <li><a href="https://github.com/keycloak/keycloak/issues/31076">#&#8203;31076</a> Oauth2GrantType.Context requires getter-methods <code>oidc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/31086">#&#8203;31086</a> Manipulate redirect on OpenID redirect with custom implementation <code>oidc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/31183">#&#8203;31183</a> Show Display Name (if available) and Realm Id on Realm Dropdown Button 
<code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/31226">#&#8203;31226</a> Release notes for JavaKeystoreProvider updates <code>docs</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/31343">#&#8203;31343</a> Can we remove distribution/feature-packs directory? <code>adapter/jee</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/31388">#&#8203;31388</a> [Organizations] Add a count() method to the OrganizationMembersResource <code>core</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/31390">#&#8203;31390</a> Allow custom login themes to define a footer ftl fragment <code>login/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/31438">#&#8203;31438</a> Support for authenticating and issuing tokens in the context of a organization <code>organizations</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/31489">#&#8203;31489</a> Remove keycloak-undertow-adapter-spi <code>adapter/saml</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/31491">#&#8203;31491</a> Add a deprecation warning when old `KEYCLOAK_ADMIN`, `KEYCLOAK_ADMIN_PASSWORD` env vars are used <code>dist/quarkus</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/31513">#&#8203;31513</a> Support lightweight access tokens for Admin REST API <code>oidc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/31514">#&#8203;31514</a> Allow Embedded Cache sizes to be configured via the CLI </li> <li><a href="https://github.com/keycloak/keycloak/issues/31547">#&#8203;31547</a> Use correct error code in error response in token exchange <code>token-exchange</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/31548">#&#8203;31548</a> Add issued_token_type to token-exchange response <code>token-exchange</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/31581">#&#8203;31581</a> Allow optional inclusion of Issue At 
Time (iat) and Not Before (nbf) claim to a verifiable credential <code>oid4vc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/31625">#&#8203;31625</a> import placeholders should be converted to an option </li> <li><a href="https://github.com/keycloak/keycloak/issues/31648">#&#8203;31648</a> Change default name of bootstrap service account <code>dist/quarkus</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/31670">#&#8203;31670</a> Make sure the storage provider ID is always available from `UserModel.getFederationLink` </li> <li><a href="https://github.com/keycloak/keycloak/issues/31676">#&#8203;31676</a> Upgrade to Quarkus 3.13.2 <code>dist/quarkus</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/31681">#&#8203;31681</a> Add x5c and jwk header to JWSBuilder <code>oidc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/31699">#&#8203;31699</a> Optimize Remote Infinispan performance on removal of entry </li> <li><a href="https://github.com/keycloak/keycloak/issues/31701">#&#8203;31701</a> Optimize CPU cycles for persistent sessions </li> <li><a href="https://github.com/keycloak/keycloak/issues/31725">#&#8203;31725</a> Revoked tokens table is missing an index </li> <li><a href="https://github.com/keycloak/keycloak/issues/31766">#&#8203;31766</a> Client Policy - Condition : Client - Client Attribute <code>oidc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/31786">#&#8203;31786</a> The console takes a very long time to display group members with LDAP provider <code>ldap</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/31807">#&#8203;31807</a> Simplify enabling MULTI_SITE setup in KC26 </li> <li><a href="https://github.com/keycloak/keycloak/issues/31816">#&#8203;31816</a> Class CertificateUtils should support creation of EC certificates <code>oidc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/31845">#&#8203;31845</a> JavaScript 
build should not cache Keycloak Java artifacts and should rotate PNPM cache </li> <li><a href="https://github.com/keycloak/keycloak/issues/31876">#&#8203;31876</a> Non clustered Keycloak with External Infinispan feature </li> <li><a href="https://github.com/keycloak/keycloak/issues/31894">#&#8203;31894</a> Redirect after cancelling a required action should contain kc_action parameter <code>authentication</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/31908">#&#8203;31908</a> Add docs for the OpenTelemetry tracing <code>docs</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/31932">#&#8203;31932</a> Upgrade to next Quarkus LTS <code>dist/quarkus</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/31963">#&#8203;31963</a> Upgrade to Infinispan 15.0.7.Final </li> <li><a href="https://github.com/keycloak/keycloak/issues/32023">#&#8203;32023</a> Add ECDH-ES encryption algorithms to the java keystore key provider <code>core</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/32033">#&#8203;32033</a> References to removed artifacts and obsolete properties in root pom.xml </li> <li><a href="https://github.com/keycloak/keycloak/issues/32056">#&#8203;32056</a> OTEL: Service name isn't configurable and doesn't comply with conventions </li> <li><a href="https://github.com/keycloak/keycloak/issues/32095">#&#8203;32095</a> OTEL: Dynamic service name for tracing in K8s environment <code>operator</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/32131">#&#8203;32131</a> Remove session related caches from external Infinispan in HA guide </li> <li><a href="https://github.com/keycloak/keycloak/issues/32158">#&#8203;32158</a> Add an endpoint to the `organizations` endpoint to return the organizations for a given user <code>organizations</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/32188">#&#8203;32188</a> Quarkus IDE Debugging should set JVM options like kc.sh </li> 
<li><a href="https://github.com/keycloak/keycloak/issues/32198">#&#8203;32198</a> error message "Address already in use" should state which address/port in particular </li> <li><a href="https://github.com/keycloak/keycloak/issues/32231">#&#8203;32231</a> OTEL: Profile Feature <code>dist/quarkus</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/32265">#&#8203;32265</a> Enable persistent sessions by default </li> <li><a href="https://github.com/keycloak/keycloak/issues/32273">#&#8203;32273</a> Optimize Persistent Sessions SQL for session list </li> <li><a href="https://github.com/keycloak/keycloak/issues/32312">#&#8203;32312</a> Relocate Quarkus resteasy-reactive dependencies to REST </li> <li><a href="https://github.com/keycloak/keycloak/issues/32314">#&#8203;32314</a> Syslog: add necessary options to cover the major usability <code>dist/quarkus</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/32328">#&#8203;32328</a> Upgrade to Infinispan 15.0.8 </li> <li><a href="https://github.com/keycloak/keycloak/issues/32343">#&#8203;32343</a> Upgrade Keycloak's sizing guide for KC26 and persistent sessions </li> <li><a href="https://github.com/keycloak/keycloak/issues/32387">#&#8203;32387</a> Documentation for persistent sessions enabled by default </li> <li><a href="https://github.com/keycloak/keycloak/issues/32388">#&#8203;32388</a> Make update IdentityProvider admin REST API more efficient. 
</li> <li><a href="https://github.com/keycloak/keycloak/issues/32389">#&#8203;32389</a> Upgrade to Quarkus 3.13.3 <code>dist/quarkus</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/32416">#&#8203;32416</a> Skip creating sessions cache when Persistent Sessions is enabled </li> <li><a href="https://github.com/keycloak/keycloak/issues/32428">#&#8203;32428</a> Performance optimization when checking secure context </li> <li><a href="https://github.com/keycloak/keycloak/issues/32517">#&#8203;32517</a> Upgrade to Quarkus 3.14.2 <code>dist/quarkus</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/32525">#&#8203;32525</a> Document Syslog app-name option </li> <li><a href="https://github.com/keycloak/keycloak/issues/32579">#&#8203;32579</a> Set autocomplete="one-time-code" in OTP login form <code>login/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/32582">#&#8203;32582</a> Remove tables `user_session`, `user_session_note` and `client_session` </li> <li><a href="https://github.com/keycloak/keycloak/issues/32583">#&#8203;32583</a> Review the number indexes for offline session tables </li> <li><a href="https://github.com/keycloak/keycloak/issues/32586">#&#8203;32586</a> Remove keycloak-core and keycloak-crypto-default from SAML galleon feature pack and upgrade them to Java 17 <code>dependencies</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/32588">#&#8203;32588</a> Search Identity Providers by alias or display name </li> <li><a href="https://github.com/keycloak/keycloak/issues/32590">#&#8203;32590</a> Remove `version()` projection from Ickle Queries </li> <li><a href="https://github.com/keycloak/keycloak/issues/32596">#&#8203;32596</a> Rename `remote-cache` Feature </li> <li><a href="https://github.com/keycloak/keycloak/issues/32619">#&#8203;32619</a> Possibility to separately specify log levels for log handlers </li> <li><a 
href="https://github.com/keycloak/keycloak/issues/32683">#&#8203;32683</a> Optimize LogoutEndpoint.backchannelLogout endpoint <code>identity-brokering</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/32717">#&#8203;32717</a> Make it explicit which options are needed when using optimized image with the Operator <code>operator</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/32745">#&#8203;32745</a> Review the RTO and RPO in the multi-site docs after the A/A failure and recovery tests </li> <li><a href="https://github.com/keycloak/keycloak/issues/32746">#&#8203;32746</a> Add organization id to the organization claim of the access token </li> <li><a href="https://github.com/keycloak/keycloak/issues/32803">#&#8203;32803</a> Update the HA guide with fencing lambda taking Infinispan caches offline </li> <li><a href="https://github.com/keycloak/keycloak/issues/32804">#&#8203;32804</a> Remove `org.keycloak.utils.ProxyClassLoader` </li> <li><a href="https://github.com/keycloak/keycloak/issues/32845">#&#8203;32845</a> Add client side password policy checks </li> <li><a href="https://github.com/keycloak/keycloak/issues/32852">#&#8203;32852</a> Prevent deadlocks on concurrent user updates </li> <li><a href="https://github.com/keycloak/keycloak/issues/32863">#&#8203;32863</a> Redirect to relative-path from the root path <code>dist/quarkus</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/32906">#&#8203;32906</a> Reduce the cost of updating user attributes in JPA store <code>core</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/32968">#&#8203;32968</a> [OID4VCI] Show OpenID4VCI Credential Issuer Metadata link in admin ui <code>oid4vc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/32970">#&#8203;32970</a> Upgrade to Quarkus 3.14.4 <code>dist/quarkus</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/33010">#&#8203;33010</a> Bootstrap admin client should use 
lightweight access tokens <code>dist/quarkus</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/33015">#&#8203;33015</a> FolderThemeProvider should select theme from available themes <code>core</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/33040">#&#8203;33040</a> Provide more information when there is an error to possibly debug </li> <li><a href="https://github.com/keycloak/keycloak/issues/33143">#&#8203;33143</a> Add the Troubleshooting and Health checks guide to Keycloak </li> <li><a href="https://github.com/keycloak/keycloak/issues/33163">#&#8203;33163</a> Use INFO Log Level for status in Migration Logic in DefaultMigrationManager </li> <li><a href="https://github.com/keycloak/keycloak/issues/33201">#&#8203;33201</a> [Organizations] Allow orgs to define the redirect URI after user registers or accepts invitation link <code>organizations</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/33203">#&#8203;33203</a> Explicitly document that the Operator does not create an Ingress for Admin URL <code>operator</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/33325">#&#8203;33325</a> Refactor loading resources from themes </li> <li><a href="https://github.com/keycloak/keycloak/issues/33384">#&#8203;33384</a> Document supported configurations and limitations for multi-site </li> <li><a href="https://github.com/keycloak/keycloak/issues/33405">#&#8203;33405</a> Use feature versions for admin3, account3, and login2 </li> <li><a href="https://github.com/keycloak/keycloak/issues/33426">#&#8203;33426</a> Minor tweaks in SAML documentation <code>adapter/saml</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/33515">#&#8203;33515</a> Use `crypto.randomUUID()` to generate UUIDs for Keycloak JS <code>adapter/javascript</code></li> </ul> <h3>Bugs</h3> <ul> <li><a href="https://github.com/keycloak/keycloak-quickstarts/issues/555">#&#8203;555</a> Failures in `ExtendAdminConsoleTest` 
<code>quickstarts</code></li> <li><a href="https://github.com/keycloak/keycloak-quickstarts/issues/565">#&#8203;565</a> Build fails in the extension <code>quickstarts</code></li> <li><a href="https://github.com/keycloak/keycloak-quickstarts/issues/567">#&#8203;567</a> Tests in user-storage-simple quickstart are failing in main branch <code>quickstarts</code></li> <li><a href="https://github.com/keycloak/keycloak-quickstarts/issues/572">#&#8203;572</a> Action-token quickstarts don't compile with latest Keycloak <code>quickstarts</code></li> <li><a href="https://github.com/keycloak/keycloak-quickstarts/issues/574">#&#8203;574</a> Incorrect Keycloak version in the main branch of quickstarts <code>quickstarts</code></li> <li><a href="https://github.com/keycloak/keycloak-quickstarts/issues/595">#&#8203;595</a> Jakarta tests are failing with latest main <code>quickstarts</code></li> <li><a href="https://github.com/keycloak/keycloak-quickstarts/issues/607">#&#8203;607</a> Workflow failure - JavaScript <code>quickstarts</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/10730">#&#8203;10730</a> realm import: error if ldap groupmapper has a group path set <code>import-export</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/13505">#&#8203;13505</a> locale attribute not set after registration <code>authentication</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/17857">#&#8203;17857</a> New Admin UI does not send e-mails if account-client is disabled <code>core</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/19070">#&#8203;19070</a> authBaseUrl error on different hostname-admin-url, hostname-url <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/20371">#&#8203;20371</a> Double form submit in Admin UI possible leading to error messages <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/20431">#&#8203;20431</a> Fine-grained admin 
permission client manage does not work <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/23028">#&#8203;23028</a> Documentation: Authorization Services documentation contains duplicated image <code>authorization-services</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/23496">#&#8203;23496</a> Rename "Realm name" field to "Realm ID" field in realm creation screen <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/25234">#&#8203;25234</a> front channel logout to clients are not called at Identity Proxy when using front channel logout to Identity Provider( <code>oidc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/25339">#&#8203;25339</a> "Invalid Username" when "Email as Username" is used and the email contains special characters <code>user-profile</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/25440">#&#8203;25440</a> page-expired error page shown when using browser back-button on forgot-password page after invalid login attempt <code>authentication</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/25794">#&#8203;25794</a> Flaky test: org.keycloak.testsuite.model.DBLockTest#testTwoLocksCurrently <code>storage</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/25837">#&#8203;25837</a> Infinispan Cache(embedded) data is not being updated during mergeView event <code>infinispan</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/26042">#&#8203;26042</a> Issue when start-dev in 23.0.1 <code>dist/quarkus</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/26117">#&#8203;26117</a> Flaky test: org.keycloak.testsuite.oidc.AuthenticationMethodReferenceTest#testAmrPastMaxAge <code>oidc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/26176">#&#8203;26176</a> Flaky test: 
org.keycloak.testsuite.forms.RecoveryAuthnCodesAuthenticatorTest#test03AuthenticateRecoveryAuthnCodes <code>authentication</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/26435">#&#8203;26435</a> NullPointerException when using client scope policy for token-exchange <code>token-exchange</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/26794">#&#8203;26794</a> MULTIVALUED_LIST_TYPE not working for client mappers <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/27506">#&#8203;27506</a> Readable realm name no longer visible in logs, but realm id is used instead <code>core</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/27536">#&#8203;27536</a> "User Profile" attributes not available for Users Attribute search and Attribute selection, if no view or manage realm realm-management role added <code>account/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/27677">#&#8203;27677</a> Translations missing for user events in admin ui <code>translations</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/27941">#&#8203;27941</a> Entry 999.0.0 in MIGRATION_MODEL prevents future migrations of the database <code>core</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/28020">#&#8203;28020</a> Firefox Webauthn Registration "SecurityError: The operation is insecure." 
<code>authentication/webauthn</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/28418">#&#8203;28418</a> SSO Session Idle: session is still active after session idle time expired <code>oidc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/28489">#&#8203;28489</a> Missing help text on tokens tab <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/28633">#&#8203;28633</a> Client roles won't open (Forbidden) with Fine Grained Permission (without view-clients realm-management role) <code>account/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/28643">#&#8203;28643</a> Encountering `NullPointerException` - `KeycloakIdentity.getUserFromToken()` when running `admin-ui` locally <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/28865">#&#8203;28865</a> NullPointerException on RealmCacheSession when upgrading Keycloak 23.0.4 to 24.0.2 <code>infinispan</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/28953">#&#8203;28953</a> Flaky test: org.keycloak.testsuite.actions.RequiredActionUpdateProfileTest#updateProfileWithoutRemoveCustomAttributes <code>ci</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/29098">#&#8203;29098</a> User profile validation pattern error-message not rendered from messages_en.properties <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/29211">#&#8203;29211</a> Network error attempting to view default realm roles without permissions <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/29271">#&#8203;29271</a> TrustedHostClientRegistrationPolicyTest#testGithubDomain failing in clean checkout <code>testsuite</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/29385">#&#8203;29385</a> Restart authentication event type is not generated <code>authentication</code></li> <li><a 
href="https://github.com/keycloak/keycloak/issues/29407">#&#8203;29407</a> Need refresh attributes group translations on Users > Details tab <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/29413">#&#8203;29413</a> Realm client unset protocol not preserved <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/29468">#&#8203;29468</a> realm_settings_general_tab_test.spec fails randomly <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/29486">#&#8203;29486</a> Default theme logs font related console errors on firefox <code>login/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/29542">#&#8203;29542</a> The EmailEventListenerProvider throws an exception on brute force lockout events <code>authentication</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/29566">#&#8203;29566</a> User Profile attributes/groups in Admin UI are not translated using Localization for non-master realm when signed in the master realm <code>account/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/29615">#&#8203;29615</a> Get effective roles for user needs more privileges than expected <code>admin/api</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/29761">#&#8203;29761</a> bug: disabling all default features no longer works <code>core</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/29784">#&#8203;29784</a> Exception while trying to run a LDAP sync with a group importer and a batch size less than the actual number of groups <code>ldap</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/29866">#&#8203;29866</a> Missing Cache-Control header when "response_type" parameter is missing in login request <code>authentication</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/29878">#&#8203;29878</a> Updating a client protocol mappers through Admin CLI (kcadm) resets the 
client service account roles <code>admin/cli</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/29978">#&#8203;29978</a> Admin UI slow performance loading 600+ realms <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30048">#&#8203;30048</a> Save button is not activated at first modification on "Client scope details" <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30111">#&#8203;30111</a> Flaky test: org.keycloak.testsuite.oauth.TokenIntrospectionTest#testUnsupportedToken <code>ci</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30115">#&#8203;30115</a> Admin v2 theme - theme.properties Custom theme scripts not loading <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30143">#&#8203;30143</a> User in subgroup not synchronized and still appears as not in the subgroup <code>account/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30181">#&#8203;30181</a> [DPoP] token_type on UserInfoEndpoint expects Bearer instead of DPoP <code>oidc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30188">#&#8203;30188</a> Flaky test: org.keycloak.testsuite.broker.KcOidcBrokerTest#testPostBrokerLoginFlowWithOTP_bruteForceEnabled <code>ci</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30201">#&#8203;30201</a> Keycloak CI - failure in Store IT (aurora-postgres) <code>ci</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30235">#&#8203;30235</a> Flaky test: org.keycloak.testsuite.model.user.UserModelTest#testAddRemoveUserConcurrent <code>ci</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30236">#&#8203;30236</a> Flaky test: org.keycloak.testsuite.model.user.UserModelTest#testAddRemoveUserConcurrent <code>ci</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30240">#&#8203;30240</a> Custom attributes are removed during UPDATE 
PROFILE event <code>core</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30271">#&#8203;30271</a> Client role descriptions are not localized <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30276">#&#8203;30276</a> The "Quarkus development mode" instructions in quarkus/README.md throw a ForkJoinPool error <code>dist/quarkus</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30284">#&#8203;30284</a> Executor consent-required does not work for client-roles condition <code>oidc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30300">#&#8203;30300</a> Upgrade to Keycloak 25 - Table 'USER_CONSENT' is specified twice on MySQL/MariaDB database <code>core</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30302">#&#8203;30302</a> Methods of SimpleHttp are after change now too much protected <code>core</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30305">#&#8203;30305</a> Importing organizations failing if there is no broker and members in the representation <code>organizations</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30306">#&#8203;30306</a> Upgrade to Keycloak 25 - Events bug in UI <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30308">#&#8203;30308</a> Organization resources in keycloak-admin-client-jee have dependencies on jakarta <code>admin/client-java</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30312">#&#8203;30312</a> Add an alias to organization <code>organizations</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30313">#&#8203;30313</a> Expose organization to theme templates <code>organizations</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30329">#&#8203;30329</a> Client secret rotation UI shows wrong rotated secret <code>admin/ui</code></li> <li><a 
href="https://github.com/keycloak/keycloak/issues/30332">#&#8203;30332</a> Operator fails to patch ingress after update to 25.0.0 <code>operator</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30334">#&#8203;30334</a> RESTART_AUTHENTICATION_ERROR when login in in private browser window after 25.0.0 update <code>core</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30335">#&#8203;30335</a> Google login on Social login test is failing <code>ci</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30339">#&#8203;30339</a> Identity-first login flow should be followed by asking for the user credentials rather than allowing providing the username again <code>organizations</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30351">#&#8203;30351</a> Migration of sessions in KC25 should run only on migration, not on imports </li> <li><a href="https://github.com/keycloak/keycloak/issues/30355">#&#8203;30355</a> New operator failing on health checks <code>operator</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30368">#&#8203;30368</a> Documentation : label error for persistent-user-sessions feature flag <code>docs</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30380">#&#8203;30380</a> Incorrect warning log about deprecated options hostname, hostname-debug <code>dist/quarkus</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30383">#&#8203;30383</a> Account Console (v3) no longer highlights the current page in the nav bar <code>account/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30414">#&#8203;30414</a> Login / Admin events filter by date under realm Events return incorrect results <code>storage</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30417">#&#8203;30417</a> Keycloak 25 db guide shows unevaluated "ifeval <code>docs</code></li> <li><a 
href="https://github.com/keycloak/keycloak/issues/30425">#&#8203;30425</a> Built-in scopes are not translated in the account console "applications" tab <code>account/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30432">#&#8203;30432</a> keycloak hostname:v2 /admin used on "hostname" instead of "hostname-admin" <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30434">#&#8203;30434</a> Improvements for ldap test authentication <code>ldap</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30436">#&#8203;30436</a> Client Roles are not shown when clientId property is set <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30440">#&#8203;30440</a> UI theme bug in KC 25.0.0 <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30449">#&#8203;30449</a> Migration stuck if versions incompatible <code>operator</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30460">#&#8203;30460</a> The `start` command should automatically re-build when previous run was `start-dev` <code>dist/quarkus</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30476">#&#8203;30476</a> All user attributes readonly in admin ui and admin API after setting edit mode of one user federation to READ_ONLY <code>core</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30485">#&#8203;30485</a> Fix LoginFailureEntity protostream encoding <code>infinispan</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30492">#&#8203;30492</a> partial_import_test fails randomly <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30511">#&#8203;30511</a> Fix AuthenticatedClientSessionEntity protostream encoding <code>infinispan</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30520">#&#8203;30520</a> Flow steps back when changing locale or refreshing page on "Try 
another way page" <code>authentication</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30521">#&#8203;30521</a> "Client Offline Session Max" no longer available <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30541">#&#8203;30541</a> Account UI resources try to load from admin path instead of frontend path <code>account/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30550">#&#8203;30550</a> [UI] group selection does not update attribute tab <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30552">#&#8203;30552</a> After migrating from 24 to 25, the signature algorithms names do not display in drop down menu <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30582">#&#8203;30582</a> Localization prevents update of user-profile attributes <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30591">#&#8203;30591</a> Invalid character in spanish translation file for Identity Provider Link Template <code>translations</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30599">#&#8203;30599</a> client-jwt authentication fails on Token Introspection Endpoint <code>oidc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30604">#&#8203;30604</a> Network response was not OK. 
<code>saml</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30614">#&#8203;30614</a> token exchange: exchange-sequence fails with Client session for client 'client-exchanger' not present in user session <code>token-exchange</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30641">#&#8203;30641</a> Flaky test: org.keycloak.testsuite.broker.KcSamlBrokerTest#testPostBrokerLoginFlowWithOTP_bruteForceEnabled <code>ci</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30652">#&#8203;30652</a> Default server port is used instead of the management interface port in the guide about running Keycloak in a container </li> <li><a href="https://github.com/keycloak/keycloak/issues/30662">#&#8203;30662</a> User policy -> select user shows user id instead of user name. <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30663">#&#8203;30663</a> A theme called `custom` is displayed as `Custom Attribute...` in the admin console <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30677">#&#8203;30677</a> LDAP connection pool params(maxsize, initsize, prefsize) picked up from backend ComponentModel and are not visible in Keycloak admin console <code>ldap</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30678">#&#8203;30678</a> Require SSL mode "External requests" does not work with IPv6 local addresses <code>dist/quarkus</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30683">#&#8203;30683</a> Infinite loader on the admin console for non-admin users <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30703">#&#8203;30703</a> Recovery codes missing from account console <code>docs</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30705">#&#8203;30705</a> Full details of errors not shown in admin and account console <code>account/ui</code></li> <li><a 
href="https://github.com/keycloak/keycloak/issues/30706">#&#8203;30706</a> Internal error occurs for the removed flow which override by the client <code>authentication</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30712">#&#8203;30712</a> Remove of Multivalued Attribute due to - Adding translations when a new attribute is created <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30717">#&#8203;30717</a> Broken external links <code>docs</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30730">#&#8203;30730</a> Cannot explicitly disable KERBEROS feature <code>core</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30758">#&#8203;30758</a> Docs: server_admin/topics/login-settings/acr-to-loa-mapping.adoc <code>docs</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30761">#&#8203;30761</a> Protobuf deserialization has a default of an empty String <code>core</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30765">#&#8203;30765</a> fallback to the no override flow when the flow is missing in client override <code>authentication</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30772">#&#8203;30772</a> Rendering of granted client scopes in User Consents view broken in Admin UI <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30794">#&#8203;30794</a> Filtering by Client ID in the "User Client Role" mapper does not work anymore <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30816">#&#8203;30816</a> Docs: server_development/topics/themes.adoc <code>docs</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30821">#&#8203;30821</a> Testing connection to ldap on the settings page does not work in 25.0.1 <code>ldap</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30837">#&#8203;30837</a> Cannot find requested client with 
clientId <code>ldap</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30840">#&#8203;30840</a> Incorrect order when instantiate ClientRemovedEvent <code>infinispan</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30857">#&#8203;30857</a> Check for being Offline type in refresh token flow must be done based on refresh token request parameter <code>oidc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30866">#&#8203;30866</a> admin-cli invalid credentials <code>admin/cli</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30874">#&#8203;30874</a> DPoP Keycloak JS Adapter <code>docs</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30917">#&#8203;30917</a> reCAPTCHA Enterprise v3 - Unrecognized field "accountDefenderAssessment" <code>core</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30935">#&#8203;30935</a> Incorrect version comparison in ModelVersion <code>storage</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30941">#&#8203;30941</a> Fix docs about User Storage SPI JPA quickstart <code>docs</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30945">#&#8203;30945</a> Keycloak operator adds proxy by default which is deprecated <code>operator</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30947">#&#8203;30947</a> Error when trying to edit authentication sub-flow name / description <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30967">#&#8203;30967</a> Keycloak is not working in IBM AIX OS. 
<code>dist/quarkus</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30969">#&#8203;30969</a> Brute force protection: Lockout permanently uses parameters configured under lockout temporarily <code>core</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30992">#&#8203;30992</a> Realm cannot be deleted if there are tons of consents <code>storage</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/31001">#&#8203;31001</a> User Federation settings changing when saving <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/31014">#&#8203;31014</a> "Verify Email" may cause other Required Actions to be ignored <code>authentication</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/31021">#&#8203;31021</a> Styling of recovery codes seems wrong <code>login/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/31023">#&#8203;31023</a> Keycloak 25 - protocol_mapper_config stores client_uid in usermodel.clientRoleMapping.clientId instead of client_id <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/31038">#&#8203;31038</a> Home URL for account-console / security-admin-console broken in admin-ui <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/31040">#&#8203;31040</a> Cannot reorder custom auth flow executions in admin-ui <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/31045">#&#8203;31045</a> Users cache clears after creating client scope. 
<code>infinispan</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/31050">#&#8203;31050</a> Caching docs should name parameter runtime parameters, not build parameters <code>docs</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/31062">#&#8203;31062</a> Updating dynamically registered client's metadata drops `preferred_username` from ID token <code>core</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/31070">#&#8203;31070</a> Search doesn't work for nested groups <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/31083">#&#8203;31083</a> Docs: server_admin/topics/admin-console-permissions/fine-grain.adoc <code>authorization-services</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/31085">#&#8203;31085</a> MULTIVALUED_STRING_TYPE not displaying 1 value while more than 1 value is working fine <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/31107">#&#8203;31107</a> Not able to remove otp credential of user <code>account/api</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/31111">#&#8203;31111</a> inputOptionLabelsI18nPrefix is take into consideration only for login-ui <code>account/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/31115">#&#8203;31115</a> Review filtering of session returned from the sessions cache <code>core</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/31143">#&#8203;31143</a> KC.ORG user attribute shown - even if the organizations feature for the realm is disabled <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/31144">#&#8203;31144</a> "Can not update organization group" error when trying to create organisation from REST API <code>organizations</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/31153">#&#8203;31153</a> Cannot set unmanagedAttributePolicy without profile attributes 
<code>admin/api</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/31161">#&#8203;31161</a> Keycloak 25: Only first required action is executed <code>core</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/31165">#&#8203;31165</a> Re-enabling a temporarily locked user (brute-force) deletes all user properties and attributes <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/31166">#&#8203;31166</a> A lot (really!) dropdown/select fields in admin-ui remain open after selecting an action/entry. <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/31167">#&#8203;31167</a> After creating a new authentication flow and returning to the list, the "Used by" column displays "flow.undefined" <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/31169">#&#8203;31169</a> Wrong Sync Mode of newly created external IdentityProvider <code>admin/api</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/31171">#&#8203;31171</a> Single use tokens, like action tokens, has a claim `expiration` <code>core</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/31182">#&#8203;31182</a> Realm export - duplicated elements in browser flow. Organization user must click login button multiple times. 
<code>import-export</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/31187">#&#8203;31187</a> Recaptcha links changed in the Google Docs <code>docs</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/31196">#&#8203;31196</a> The check for userdn in test ldap should consider that AD proxy user can be in non DN format <code>ldap</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/31204">#&#8203;31204</a> Bruteforce protector does not work when using organizations <code>organizations</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/31216">#&#8203;31216</a> #kc-form-options div not wrapping its content correctly in login-password.ftl <code>login/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/31218">#&#8203;31218</a> Clarify if JGroups thread metrics can be shown with embedded Infinispan </li> <li><a href="https://github.com/keycloak/keycloak/issues/31219">#&#8203;31219</a> [Docs] Broken link in Server Admin guide for JWT_Auth wiki <code>docs</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/31224">#&#8203;31224</a> Offline tokens created in Keycloak 9 will not work on Keycloak 25 <code>oidc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/31228">#&#8203;31228</a> Userprofile/Translation: user attribute cannot be saved because no translation was (even though it is present) <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/31240">#&#8203;31240</a> Can't update the user where userName contains uppercase letters <code>core</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/31244">#&#8203;31244</a> IdP redirect URL shows hostname_admin <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/31246">#&#8203;31246</a> All public brokers are shown during authentication rather than only those associated with the current organization <code>organizations</code></li> 
<li><a href="https://github.com/keycloak/keycloak/issues/31260">#&#8203;31260</a> Download of Recovery Codes broken. File contains no Recovery Codes. <code>login/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/31267">#&#8203;31267</a> multiple ldap url's not working on one realm <code>ldap</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/31276">#&#8203;31276</a> Account console won't load when using URL having a path as hostname config <code>account/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/31291">#&#8203;31291</a> Inconsistent casing of built-in flow descriptions <code>core</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/31296">#&#8203;31296</a> Revoke access tokens for persistent user sessions <code>storage</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/31304">#&#8203;31304</a> Hide save / update buttons in account console for READ_ONLY federated accounts <code>account/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/31319">#&#8203;31319</a> keycloak.v2 broken in main <code>login/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/31341">#&#8203;31341</a> Keycloak URL for Brokerage in Admin UI still suggests "/realms" in the path <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/31368">#&#8203;31368</a> logging-pattern failure in token-exchange <code>token-exchange</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/31386">#&#8203;31386</a> Joining group for user doesn't list correct number of groups <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/31410">#&#8203;31410</a> call to group-by-path does not return subGroupCount <code>admin/api</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/31413">#&#8203;31413</a> Wrong command in exposing metrics from caches section <code>docs</code></li> <li><a 
href="https://github.com/keycloak/keycloak/issues/31420">#&#8203;31420</a> Seeing `Client cannot marshall the server's key media type` with external Infinispan after 25 upgrade <code>infinispan</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/31444">#&#8203;31444</a> keycloak Public Client secret are updated frequently <code>admin/api</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/31466">#&#8203;31466</a> Duplicate Key "validatingX509CertsHelp" in admin-ui messages <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/31480">#&#8203;31480</a> dynamic MultiValuedListComponent default value not stringified <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/31515">#&#8203;31515</a> Export users throws Disabled option: '--users' in v25 <code>import-export</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/31519">#&#8203;31519</a> Admin API extremely slow with service account and fine-grained authorization `view-users` <code>admin/fine-grained-permissions</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/31537">#&#8203;31537</a> Creating client roles with fine grained permissions is not possible <code>admin/fine-grained-permissions</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/31545">#&#8203;31545</a> Event tables have broken aria-labels <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/31558">#&#8203;31558</a> MSSQL test container can't start <code>ci</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/31563">#&#8203;31563</a> Link existing account to SSO by email not linking since v23 <code>login/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/31575">#&#8203;31575</a> AdvancedClaimToGroupMapper throws Exception if no claims are configured <code>identity-brokering</code></li> <li><a 
href="https://github.com/keycloak/keycloak/issues/31585">#&#8203;31585</a> Credential offer endpoint fails with 500 when bearer token has expired <code>oid4vc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/31592">#&#8203;31592</a> Description field for roles creation could be better instead of ${} values <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/31595">#&#8203;31595</a> Misconfiguration of login settings causes login to not be possible <code>admin/api</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/31598">#&#8203;31598</a> CURL commands in build don't check the response code <code>ci</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/31603">#&#8203;31603</a> Can't delete kerberos user <code>storage</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/31612">#&#8203;31612</a> Store Model Tests (jpa+cross-dc-infinispan+persistentsessions) - org.keycloak.testsuite.model.session.SessionTimeoutsTest <code>infinispan</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/31614">#&#8203;31614</a> Endpoint /admin/users Degradation Based on Role <code>admin/fine-grained-permissions</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/31633">#&#8203;31633</a> localization not work with user attribute display name in users add <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/31640">#&#8203;31640</a> Admin Console Spins with hostname:v2 using security-admin-console Redirect URIs <code>docs</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/31687">#&#8203;31687</a> "Use metadata descriptor URL" switch is always set to "On" <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/31704">#&#8203;31704</a> ID is used as tab name instead of localized string <code>admin/ui</code></li> <li><a 
href="https://github.com/keycloak/keycloak/issues/31712">#&#8203;31712</a> The OID4VCI cross-device flow should not require the device to have an access token <code>oid4vc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/31718">#&#8203;31718</a> Documentation for `Delete Credential` action and related changes <code>authentication</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/31760">#&#8203;31760</a> Persist revoke tokens with remote cache feature <code>storage</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/31780">#&#8203;31780</a> SAML IdP configure does not parse IdP metadata.xml correctly <code>saml</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/31781">#&#8203;31781</a> Keycloak 25 SAML IdP has made Single Logout URL mandatory. <code>saml</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/31818">#&#8203;31818</a> Management Interface is turned on even though nothing is exposed on it <code>dist/quarkus</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/31823">#&#8203;31823</a> Ignoring JWK key Missing required field 'use' still happens in keycloak version 25.02 <code>identity-brokering</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/31828">#&#8203;31828</a> EmbeddedInfinispanSplitBrainTest fails with "IllegalState Session not bound to a realm" <code>core</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/31829">#&#8203;31829</a> Deleted authentication sessions should not be re-surrected with an update <code>core</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/31858">#&#8203;31858</a> Custom component persist only some config keys <code>admin/api</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/31864">#&#8203;31864</a> Certificate-Generation with EC signing RSA and vice versa does not work <code>oidc</code></li> <li><a 
href="https://github.com/keycloak/keycloak/issues/31881">#&#8203;31881</a> Flaky test: org.keycloak.testsuite.forms.BruteForceTest#testRaceAttackPermanentLockout <code>ci</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/31882">#&#8203;31882</a> Realm roles that do not exist are displayed in "Default roles" when "Hide inherited roles" is not checked <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/31892">#&#8203;31892</a> Client secret is visible in Admin event representation when Credentials Reset action performed for the Client. <code>admin/api</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/31893">#&#8203;31893</a> In realm role ellipsis value is null <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/31918">#&#8203;31918</a> Network error attempting to view events without permissions <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/31929">#&#8203;31929</a> Network error attempting to view user registration without permissions <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/31931">#&#8203;31931</a> Failure to generate Ed448 token <code>authentication</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/31941">#&#8203;31941</a> Cache guide does not properly print `cache-stack` values <code>docs</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/31944">#&#8203;31944</a> Filter organization brokers in the account console <code>organizations</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/31947">#&#8203;31947</a> Fix server guide cross-references for downstream docs <code>docs</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/31956">#&#8203;31956</a> Admin console not usable when instance has a 1000 realms <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/31972">#&#8203;31972</a> 
Unstable test ExternalInfinispanTest <code>testsuite</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/32016">#&#8203;32016</a> `My password` string in `Signing in` page not getting translated in `keycloak.v3 account` theme <code>account/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/32025">#&#8203;32025</a> Not possible to import realm with newest Java admin-client against Keycloak 24 <code>admin/client-java</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/32059">#&#8203;32059</a> Look around window cannot be set to 0 <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/32084">#&#8203;32084</a> SAML adapter IdMapperUpdaterSessionListener not executed when session ID changes <code>adapter/saml</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/32100">#&#8203;32100</a> Remember Me with External Infinispan is not works properly <code>infinispan</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/32108">#&#8203;32108</a> [Scalability of IDPs] Follow up: ensure organization aware IdentityProviderModel is used in the infinispan IDPProvider </li> <li><a href="https://github.com/keycloak/keycloak/issues/32117">#&#8203;32117</a> Impossible to import RolePolicy with newest admin-client against Keycloak 24 <code>admin/client-java</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/32127">#&#8203;32127</a> Offline session bug on 25.0.2 <code>core</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/32136">#&#8203;32136</a> Missing TypeScript `populateHierarchy` param for keycloak admin client <code>admin/client-js</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/32150">#&#8203;32150</a> Session list doesn't handle non-existing client gracefully <code>core</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/32153">#&#8203;32153</a> Remote Infinispan code must not call JPA code in 
non-blocking thread <code>core</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/32156">#&#8203;32156</a> SingleSelect-kind readonly attribute is not disabled in account console <code>account/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/32176">#&#8203;32176</a> Bootstrap options missing from help <code>dist/quarkus</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/32178">#&#8203;32178</a> Table names for persistent sessions upgrading guide is wrong <code>docs</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/32180">#&#8203;32180</a> Session list not appearing: SQL Error "The incoming request has too many parameters" </li> <li><a href="https://github.com/keycloak/keycloak/issues/32182">#&#8203;32182</a> `show-config` command outputs duplicate options <code>dist/quarkus</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/32194">#&#8203;32194</a> UserRemovedEvent does not contain all user attributes <code>infinispan</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/32195">#&#8203;32195</a> Migration to persistent sessions fails from Keycloak version <22 <code>storage</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/32197">#&#8203;32197</a> Keycloak reuses AUTH_SESSION_ID of logged out sessions <code>login/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/32205">#&#8203;32205</a> Endpoint configurations shows hostname_admin <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/32238">#&#8203;32238</a> Brokers associated with organization not filtered when linking brokers with an organization <code>organizations</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/32256">#&#8203;32256</a> Flaky test: org.keycloak.testsuite.forms.BruteForceTest#testRaceAttackPermanentLockout <code>ci</code></li> <li><a 
href="https://github.com/keycloak/keycloak/issues/32259">#&#8203;32259</a> [Keycloak CI] - AuroraDB IT fails to start on EC2 due to lack of entropy regression <code>storage</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/32305">#&#8203;32305</a> Temporary admin account notice logged to org.keycloak.events <code>dist/quarkus</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/32333">#&#8203;32333</a> Legacy `KEYCLOAK_ADMIN` environment variable is not working <code>dist/quarkus</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/32368">#&#8203;32368</a> KeycloakRealmImport not working with Istio service mesh <code>operator</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/32392">#&#8203;32392</a> Validate organization alias for forbidden chars <code>organizations</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/32402">#&#8203;32402</a> Additional datasources do not work <code>dist/quarkus</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/32415">#&#8203;32415</a> Missing translations for required action webauthn-register <code>login/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/32419">#&#8203;32419</a> Joining group with text filter does not show all results even if backend returned them <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/32425">#&#8203;32425</a> Duplicate message keys in admin messages_en.properties <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/32435">#&#8203;32435</a> Multiple Logout Confirmation Actions Trigger NullPointerExceptions <code>core</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/32451">#&#8203;32451</a> Wildcard search not working for custom user attributes <code>admin/api</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/32460">#&#8203;32460</a> When Organization feature is enabled 
UserAdapter.getGroupsCount() returns wrong result <code>organizations</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/32465">#&#8203;32465</a> SocialLoginTest failing after switching to the new IDP Provider </li> <li><a href="https://github.com/keycloak/keycloak/issues/32468">#&#8203;32468</a> Warning Banner for Temporary Admin User shouldn't be placed under breadcrumbs <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/32473">#&#8203;32473</a> Flaky test: org.keycloak.testsuite.webauthn.WebAuthnIdlessTest#testWebAuthnIDLessAndWebAuthnAndWebAuthnPasswordlessLogin <code>ci</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/32477">#&#8203;32477</a> Flaky test: org.keycloak.testsuite.forms.ResetPasswordTest#resetPasswordWrongSmtp <code>ci</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/32478">#&#8203;32478</a> Flaky test: org.keycloak.testsuite.forms.ResetPasswordTest#resetPasswordWithPasswordHistoryPolicy <code>ci</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/32481">#&#8203;32481</a> Drag & drop issue with the step order in the Authentication settings of the Admin Console <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/32486">#&#8203;32486</a> Identity Provider secret visible in Organization tab (API request) <code>organizations</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/32492">#&#8203;32492</a> Welcome screen logo is bigger then the one on login <code>welcome/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/32498">#&#8203;32498</a> Flaky test BruteForceTest.testPermanentLockout() <code>core</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/32503">#&#8203;32503</a> Flaky test: org.keycloak.testsuite.webauthn.WebAuthnTransportsTest#internalTransport <code>ci</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/32510">#&#8203;32510</a> 
Login v2 username form <code>login/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/32512">#&#8203;32512</a> [Keycloak CI] - BruteForceTest.testPermanentLockout failures <code>login/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/32513">#&#8203;32513</a> [Keycloak CI] - OrganizationBruteForceTest.testPermanentLockout failures <code>login/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/32514">#&#8203;32514</a> [Keycloak CI] - ResetPasswordTest.resetPasswordExpiredCode failures <code>login/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/32515">#&#8203;32515</a> Invalid client data in /login-actions/authenticate causes an uncaught server error and a HTTP 500 response code <code>authentication</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/32531">#&#8203;32531</a> Cannot invoke "org.keycloak.authentication.RequiredActionFactory.isConfigurable()" because "factory" is null <code>account/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/32533">#&#8203;32533</a> Admin UI messages sometimes miss details, and sometimes refer to details in the logs which are missing <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/32541">#&#8203;32541</a> Flaky test: org.keycloak.testsuite.forms.ResetPasswordTest#resetPasswordLinkNewTabAndProperRedirectClient <code>ci</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/32542">#&#8203;32542</a> Flaky test: org.keycloak.testsuite.forms.ResetPasswordTest#resetPasswordLinkNewBrowserSessionPreserveClient <code>ci</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/32544">#&#8203;32544</a> Multiple bugs in the experimental UiTabProvider / UiTabProviderFactory <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/32546">#&#8203;32546</a> "Include Client Audience" field is not mandatory <code>admin/ui</code></li> 
<li><a href="https://github.com/keycloak/keycloak/issues/32547">#&#8203;32547</a> The set value ‘Default Admin-Initiated Action Lifespan’ has no effect on the ‘Credential Reset’ form <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/32548">#&#8203;32548</a> Flaky test: org.keycloak.testsuite.webauthn.registration.UserVerificationRegisterTest#required <code>ci</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/32554">#&#8203;32554</a> CRDs for the Operator are generated multiple times during the build <code>operator</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/32605">#&#8203;32605</a> Flaky test: org.keycloak.testsuite.webauthn.WebAuthnTransportsTest#nfcTransport <code>ci</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/32606">#&#8203;32606</a> Flaky test: org.keycloak.testsuite.webauthn.WebAuthnTransportsTest#bluetoothTransport <code>ci</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/32609">#&#8203;32609</a> Continuous loading screen instead of access denied on account info page <code>account/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/32615">#&#8203;32615</a> Forms IT (chrome) ResetOtpTest fail <code>testsuite</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/32622">#&#8203;32622</a> InvalidDestination Error for IDP-initiated SSO with Keycloak behind a Reverse Proxy <code>saml</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/32623">#&#8203;32623</a> OAuth login error with custom scheme <code>oidc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/32624">#&#8203;32624</a> "Authentication" Link in Admin Portal Fails with 400 Bad Request After Migrating to Version 25 <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/32641">#&#8203;32641</a> Help text under text field <code>admin/ui</code></li> <li><a 
href="https://github.com/keycloak/keycloak/issues/32643">#&#8203;32643</a> Dots are not allowed in the path in Hostname v2 <code>dist/quarkus</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/32678">#&#8203;32678</a> Flaky test: org.keycloak.testsuite.forms.ResetPasswordTest#resetPasswordBeforeUserIsDisabled <code>ci</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/32689">#&#8203;32689</a> Unable to import master realm with --import-realm <code>dist/quarkus</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/32698">#&#8203;32698</a> On backchannel logout, a user ID with a dot on the broker side breaks the logout by user <code>core</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/32731">#&#8203;32731</a> KeyCloak Admin Client uses non-standard `@NoCache` annotation which is an issue for Quarkus <code>admin/client-java</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/32736">#&#8203;32736</a> In the account console when I update the password the referrer dissapears <code>account/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/32755">#&#8203;32755</a> Leftover code in login-passkeys-conditional-authenticate.ftl <code>login/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/32758">#&#8203;32758</a> Keycloak admin console interface is out of screen <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/32761">#&#8203;32761</a> The endpoint /admin/realms/{{realm}}/groups/{{group-id}}/members potentially fetch all user in database <code>admin/api</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/32764">#&#8203;32764</a> When forcing re-authentication by passing maxAge value as 0 does not work <code>adapter/javascript</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/32770">#&#8203;32770</a> Adapters backward compatibility tests are failing <code>ci</code></li> <li><a 
href="https://github.com/keycloak/keycloak/issues/32782">#&#8203;32782</a> `@noble/hashes/sha256` is bundled into Keycloak JS <code>adapter/javascript</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/32784">#&#8203;32784</a> Flaky test: org.keycloak.testsuite.url.HostnameV2Test <code>ci</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/32789">#&#8203;32789</a> CVE-2024-7318 - Use of a Key Past its Expiration Date in org.keycloak:keycloak-core </li> <li><a href="https://github.com/keycloak/keycloak/issues/32798">#&#8203;32798</a> Custom theme and not existing image: error 500 (No enum constant org.keycloak.theme.Theme.Type.IMG) <code>login/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/32799">#&#8203;32799</a> Realm import fails when client configures default_acr values <code>import-export</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/32802">#&#8203;32802</a> Lightweight access token is not working for bootstrap admin client <code>oidc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/32817">#&#8203;32817</a> Error when deploying SAML application with the keys in PEM format inside keycloak-saml.xml <code>adapter/saml</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/32829">#&#8203;32829</a> Login V2 theme: Pages specify fewer tabindex entries <code>login/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/32830">#&#8203;32830</a> Login v2 theme: Auto-focus on input fields no longer working and autocomplete changed <code>login/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/32833">#&#8203;32833</a> TOTP QR codes broken when realm display name contains colon character <code>core</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/32834">#&#8203;32834</a> Admin UI does not display admin events expiration <code>admin/ui</code></li> <li><a 
href="https://github.com/keycloak/keycloak/issues/32860">#&#8203;32860</a> Database index creation isn’t skipped on large data sets in Keycloak 24 <code>storage</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/32870">#&#8203;32870</a> Increased DB activity due to changes in LDAPStorageManager.searchForUserByUserAttributeStream <code>ldap</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/32880">#&#8203;32880</a> Flaky test: org.keycloak.testsuite.forms.RegisterTest#registerExistingEmailAllowed <code>ci</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/32881">#&#8203;32881</a> Flaky test: org.keycloak.testsuite.forms.RegisterTest#registerUserNotContainsUsernamePasswordPolicy <code>ci</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/32891">#&#8203;32891</a> Exceptions on X509 authentication are logged without a stack trace <code>core</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/32892">#&#8203;32892</a> [Store Model Test] Failed test org.keycloak.testsuite.model.session.UserSessionPersisterProviderTest#testOnRealmRemoved <code>ci</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/32896">#&#8203;32896</a> Inconsistency of the access token iat after setting the time offset in the test suite <code>authentication</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/32915">#&#8203;32915</a> Administrator username changed in master realm after configuring email address for SMTP connection test for another realm with "Email as username" enabled <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/32916">#&#8203;32916</a> Device activity client name translations <code>account/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/32923">#&#8203;32923</a> Flaky test: org.keycloak.testsuite.webauthn.WebAuthnTransportsTest#usbTransport <code>ci</code></li> <li><a 
href="https://github.com/keycloak/keycloak/issues/32930">#&#8203;32930</a> Flaky test: org.keycloak.testsuite.forms.RegisterWithUserProfileTest#testAttributeInputTypes <code>ci</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/32939">#&#8203;32939</a> Flaky test: org.keycloak.testsuite.webauthn.WebAuthnIdlessTest#testWebAuthnIDLessWithNonResidentCredentialLogin <code>ci</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/32942">#&#8203;32942</a> Flaky test: org.keycloak.testsuite.broker.KcOidcBrokerTest#testPostBrokerLoginFlowWithOTP_bruteForceEnabled <code>ci</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/32984">#&#8203;32984</a> Application names are not taking realm overrides into account <code>account/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/33011">#&#8203;33011</a> Admin bootstrap client should not have standard flow enabled <code>dist/quarkus</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/33023">#&#8203;33023</a> Documentation CI is failing on broken links <code>docs</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/33037">#&#8203;33037</a> Flaky test: org.keycloak.testsuite.webauthn.registration.UserVerificationRegisterTest#discouraged <code>ci</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/33044">#&#8203;33044</a> Next page not working for "Localization --> Realm overrides" <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/33054">#&#8203;33054</a> Identity-first login screen has broken IDP icons <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/33058">#&#8203;33058</a> Clusterless feature is not tested in Model tests <code>testsuite</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/33060">#&#8203;33060</a> Tests are showing exception while trying to import admin user after organizations were enabled by default 
<code>testsuite</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/33064">#&#8203;33064</a> Action expired error occurs when accessing regular registration page with Organizations enabled <code>organizations</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/33095">#&#8203;33095</a> The "Valid redirect URIs" field is not displayed when the "Standard flow" is unchecked <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/33109">#&#8203;33109</a> Infinite loop when accessing account management console <code>account/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/33115">#&#8203;33115</a> CVE-2024-8883 Vulnerable Redirect URI Validation Results in Open Redirect </li> <li><a href="https://github.com/keycloak/keycloak/issues/33116">#&#8203;33116</a> CVE-2024-8698 Improper Verification of SAML Responses Leading to Privilege Escalation in Keycloak </li> <li><a href="https://github.com/keycloak/keycloak/issues/33156">#&#8203;33156</a> CVE-2024-7254 - Stack-based Buffer Overflow in com.google.protobuf:protobuf-java <code>dist/quarkus</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/33172">#&#8203;33172</a> Deprecation of https-trust-store-* weakens X509 browser authentication <code>authentication</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/33207">#&#8203;33207</a> [Organizations] Preserve org id in exported realms <code>core</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/33224">#&#8203;33224</a> [Keycloak CI] - Quarkus IT - StartCommandDistTest.testStartUsingAutoBuild <code>ci</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/33231">#&#8203;33231</a> [Keycloak CI] - User Federation Tests - LDAPSamlIdPInitiatedVaryingLetterCaseTest <code>ci</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/33246">#&#8203;33246</a> Unable to start Keycloak when metrics are enabled 
<code>dist/quarkus</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/33296">#&#8203;33296</a> Migrating to a FIPS environment disallows all users from logging in <code>authentication</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/33300">#&#8203;33300</a> Organization UI is overriding the alias with the org name when user navigates to another tab <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/33307">#&#8203;33307</a> XA Transaction recovery support is enabled even thoug transaction-xa-enabled is false <code>dist/quarkus</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/33330">#&#8203;33330</a> "somethingWentWrong" when opening Keycloak URL in unsecure context <code>login/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/33331">#&#8203;33331</a> Performance drop in cpuUsageForLoginsTest since 19.09.2024 </li> <li><a href="https://github.com/keycloak/keycloak/issues/33336">#&#8203;33336</a> Changing locale on passwordless or custom login flow does not work <code>login/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/33342">#&#8203;33342</a> Duplicate entry "duplicate" in Admin UI message properties <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/33347">#&#8203;33347</a> Hostname v2 should enforce hostname is a full url if hostname-admin is used <code>dist/quarkus</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/33351">#&#8203;33351</a> Wrong release notes for Login v1 theme deprecation <code>login/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/33353">#&#8203;33353</a> Performance regression when Organisations feature is enabled </li> <li><a href="https://github.com/keycloak/keycloak/issues/33355">#&#8203;33355</a> ID token from refresh_token flow does not contain nonce even when using Nonce backwards compatible mapper <code>oidc</code></li> <li><a 
href="https://github.com/keycloak/keycloak/issues/33362">#&#8203;33362</a> Flaky test: org.keycloak.testsuite.webauthn.registration.UserVerificationRegisterTest#preferredVerificationWrong <code>ci</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/33389">#&#8203;33389</a> Banner is not wrapping properly <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/33390">#&#8203;33390</a> Creating clientAttributesCondition in some client policy breaks the login to the realm <code>authentication</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/33412">#&#8203;33412</a> User specific organisation entries shouldn't be placed in the realm cache <code>core</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/33415">#&#8203;33415</a> Organization brokers should be hidden on login pages by default <code>organizations</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/33424">#&#8203;33424</a> Organization data is cached for each user even if realm never enabled organizations <code>organizations</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/33439">#&#8203;33439</a> Avoid caching `RealmModel` in `CachedOrganization` <code>organizations</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/33440">#&#8203;33440</a> Test group_test.spec.ts Duplicate group fails repeatedly <code>testsuite</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/33461">#&#8203;33461</a> AWS Lambda description for HA setup doesn't reflect latest changes for failure policy <code>core</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/33467">#&#8203;33467</a> The "Client Secret" field does not expand to display the entire secret value <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/33508">#&#8203;33508</a> Can't load theme resources on Windows <code>core</code></li> <li><a 
href="https://github.com/keycloak/keycloak/issues/33517">#&#8203;33517</a> Issue when running tests from IDE on embedded undertow ( org.jboss.threads.EnhancedQueueExecutor$Builder.setKeepAliveTime(java.time.Duration) ) <code>testsuite</code></li> </ul> </div> </details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about these updates again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
Renovate Bot (Automatisiert) added 1 commit 2024-10-05 02:05:15 +02:00
Update version.keycloak to v26
All checks were successful
Keycloak mailcow Build / Build und Bereitstellung (pull_request) Successful in 2m29s
638ce50f3e
Denys Konovalov merged commit 0ea00211eb into main 2024-10-05 11:46:26 +02:00
Denys Konovalov deleted branch renovate/major-version.keycloak 2024-10-05 11:46:26 +02:00