Update version.keycloak to v25 (major) #8

Merged
Denys Konovalov merged 1 commits from renovate/major-version.keycloak into main 2024-06-15 15:54:20 +02:00

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| org.keycloak:keycloak-services (source) | provided | major | 24.0.5 -> 25.0.0 |
| org.keycloak:keycloak-server-spi-private (source) | provided | major | 24.0.5 -> 25.0.0 |
| org.keycloak:keycloak-server-spi (source) | provided | major | 24.0.5 -> 25.0.0 |
| org.keycloak:keycloak-core (source) | provided | major | 24.0.5 -> 25.0.0 |

Release Notes

keycloak/keycloak (org.keycloak:keycloak-services)

v25.0.0

Highlights

Account Console v2 theme removed

The Account Console v2 theme has been removed from Keycloak. This theme was deprecated in Keycloak 24 and replaced by the Account Console v3 theme. If you are still using this theme, you should migrate to the Account Console v3 theme.

Java 21 support

Keycloak now supports OpenJDK 21, as we want to stick to the latest LTS OpenJDK versions.

Java 17 support is deprecated

OpenJDK 17 support is deprecated in Keycloak, and will be removed in a following release in favor of OpenJDK 21.

Most Java adapters removed

As stated in the release notes of the previous Keycloak version, most of the Java adapters are now removed from the Keycloak codebase and downloads pages.

For OAuth 2.0/OIDC, this includes removal of the Tomcat adapter, WildFly/EAP adapter, Servlet Filter adapter, KeycloakInstalled desktop adapter, the jaxrs-oauth-client adapter, JAAS login modules, Spring adapter and SpringBoot adapters. You can check our older post for the list of some alternatives.

For SAML, this includes removal of the Tomcat adapter and Servlet filter adapter. SAML adapters are still supported with WildFly and JBoss EAP.

The generic Authorization Client library is still supported, and we still plan to support it. It aims to be used in combination with any other OAuth 2.0 or OpenID Connect libraries. You can check the quickstarts for some examples where this authorization client library is used together with the 3rd party Java adapters like Elytron OIDC or SpringBoot. You can check the quickstarts also for the example of SAML adapter used with WildFly.

Upgrade to PatternFly 5

In Keycloak 24, the Welcome page is updated to use PatternFly 5, the latest version of the design system that underpins the user interface of Keycloak. In this release, the Admin Console and Account Console are also updated to use PatternFly 5. If you want to extend and customize the Admin Console and Account Console, review the changes in PatternFly 5 and update your customizations accordingly.

Argon2 password hashing

Argon2 is now the default password hashing algorithm used by Keycloak in a non-FIPS environment.

Argon2 was the winner of the 2015 password hashing competition and is the recommended hashing algorithm by OWASP.

In Keycloak 24 the default hashing iterations for PBKDF2 were increased from 27.5K to 210K, resulting in a more than 10 times increase in the amount of CPU time required to generate a password hash. With Argon2 it is possible to achieve better security, with almost the same CPU time as previous releases of Keycloak. One downside is that Argon2 requires more memory, which is a requirement to be resistant against GPU attacks. The defaults for Argon2 in Keycloak require 7MB per hashing request. To prevent excessive memory and CPU usage, the parallel computation of hashes by Argon2 is by default limited to the number of cores available to the JVM. To support the memory-intensive nature of Argon2, we have updated the default GC from ParallelGC to G1GC for better heap utilization.

New Hostname options

In response to the complexity and lack of intuitiveness experienced with previous hostname configuration settings, we are proud to introduce Hostname v2 options.

We have listened to your feedback, tackled the tricky issues, and created a smoother experience for managing hostname configuration. Be aware that the behavior behind these options has also changed and requires your attention if you are dealing with custom hostname settings.

Hostname v2 options are supported by default, as the old hostname options are deprecated and will be removed in the following releases. You should migrate to them as soon as possible.

New options are activated by default, so Keycloak will not recognize the old ones.

For information on how to migrate, see the Upgrading Guide.

Persistent user sessions

Previous versions of Keycloak stored only offline user and offline client sessions in the databases. The new feature persistent-user-session stores online user sessions and online client sessions not only in memory, but also in the database. This will allow a user to stay logged in even if all instances of Keycloak are restarted or upgraded.

The feature is a preview feature and disabled by default. To use it, add the following to your build command:

bin/kc.sh build --features=persistent-user-session ...

For more details see the Enabling and disabling features guide. The sizing guide contains a new paragraph describing the updated resource requirements when this feature is enabled.

For information on how to upgrade, see the Upgrading Guide.

Cookies updates

SameSite attribute set for all cookies

The following cookies previously did not set the SameSite attribute, which in recent browser versions results in them defaulting to SameSite=Lax:

  • KC_STATE_CHECKER now sets SameSite=Strict

  • KC_RESTART now sets SameSite=None

  • KEYCLOAK_LOCALE now sets SameSite=None

  • KEYCLOAK_REMEMBER_ME now sets SameSite=None

The default value SameSite=Lax causes issues with POST based bindings, mostly applicable to SAML, but also used in some OpenID Connect / OAuth 2.0 flows.

The cookie KC_AUTH_STATE is removed and it is no longer set by the Keycloak server as this server no longer needs this cookie.
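A post-upgrade check of the cookie changes listed above, as an added example that is not part of the Keycloak release notes or this repository. It audits captured `Set-Cookie` header values against the SameSite values named in the list, and also flags `SameSite=None` without `Secure`, which browsers reject. The sample headers, realm path and function names are constructed for illustration.

```python
"""Audit Set-Cookie headers from a Keycloak 25 login response against the
SameSite values listed in the release notes. Sample headers are constructed."""

# Values taken from the release notes above.
EXPECTED_SAMESITE = {
    "KC_STATE_CHECKER": "Strict",
    "KC_RESTART": "None",
    "KEYCLOAK_LOCALE": "None",
    "KEYCLOAK_REMEMBER_ME": "None",
}
REMOVED_COOKIES = {"KC_AUTH_STATE"}  # no longer set by the server in v25


def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, attributes).

    Attribute names are lower-cased; flag attributes (Secure, HttpOnly)
    map to True, valued attributes map to their string value.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), attrs


def audit_cookies(set_cookie_headers):
    """Return a list of human-readable findings; empty means nothing to fix."""
    findings = []
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        if attrs.get("max-age") == "0":
            continue  # cookie is being expired, not set
        if name in REMOVED_COOKIES:
            findings.append(f"{name}: removed in v25 but still being set")
            continue
        samesite = attrs.get("samesite")
        if not isinstance(samesite, str) or not samesite:
            findings.append(f"{name}: no SameSite attribute, browser defaults to Lax")
            continue
        expected = EXPECTED_SAMESITE.get(name)
        if expected and samesite.lower() != expected.lower():
            findings.append(f"{name}: SameSite={samesite}, expected {expected}")
        # Browsers drop SameSite=None cookies that lack the Secure attribute,
        # so a plain-HTTP deployment loses these cookies entirely.
        if samesite.lower() == "none" and "secure" not in attrs:
            findings.append(f"{name}: SameSite=None without Secure, browsers reject it")
    return findings


# Constructed sample: header values as they might be captured from a login page.
SAMPLE_HEADERS = [
    "KC_RESTART=constructed; Version=1; Path=/realms/demo/; Secure; HttpOnly; SameSite=None",
    "KC_STATE_CHECKER=constructed; Path=/realms/demo/; Secure; HttpOnly; SameSite=Strict",
    "KEYCLOAK_LOCALE=de; Path=/realms/demo/; SameSite=None",
    "KEYCLOAK_REMEMBER_ME=username:alice; Path=/realms/demo/; Secure; HttpOnly",
    "KC_AUTH_STATE=constructed; Path=/realms/demo/; Secure; SameSite=Strict",
]

if __name__ == "__main__":
    for finding in audit_cookies(SAMPLE_HEADERS):
        print(finding)
```
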

The following APIs for setting custom cookies have been removed:

  • ServerCookie - replaced by NewCookie.Builder

  • LocaleSelectorProvider.KEYCLOAK_LOCALE - replaced by CookieType.LOCALE

  • HttpCookie - replaced by NewCookie.Builder

  • HttpResponse.setCookieIfAbsent(HttpCookie cookie) - replaced by HttpResponse.setCookieIfAbsent(NewCookie cookie)

Addressed 'You are already logged in' for expired authentication sessions

The Keycloak 23 release provided improvements for when a user is authenticated in parallel in multiple browser tabs. However, this improvement did not address the case when an authentication session expired. Now, when a user is already logged in in one browser tab and an authentication session has expired in other browser tabs, Keycloak is able to redirect back to the client application with an OIDC/SAML error, so the client application can immediately retry authentication, which should usually automatically log in the application because of the SSO session. For more details, see Server Administration Guide authentication sessions.

Lightweight access token to be even more lightweight

In previous releases, the support for lightweight access token was added. In this release, we managed to remove even more built-in claims from the lightweight access token. The claims are added by protocol mappers. Some of them affect even the regular access tokens or ID tokens as they were not strictly required by the OIDC specification.

  • Claims sub and auth_time are added by protocol mappers now, which are configured by default on the new client scope basic, which is added automatically to all the clients. The claims are still added to the ID token and access token as before, but not to lightweight access token.

  • Claim nonce is added only to the ID token now. It is not added to a regular access token or lightweight access token. For backwards compatibility, you can add this claim to an access token by protocol mapper, which needs to be explicitly configured.

  • Claim session_state is not added to any token now. It is still possible to add it by protocol mapper if needed. There is still the other dedicated claim sid supported by the specification, which was available in previous versions as well and which has exactly the same value.

For more details, see the Upgrading Guide.
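A migration check for the claim changes listed above, as an added example that is not part of the Keycloak release notes or this repository. Given a token captured from an upgraded test realm and the set of claims a service reads, it reports which of those claims the v25 defaults no longer put in that kind of token. The function names, token kinds (`id`, `access`, `lightweight`) and sample tokens are constructed for illustration.

```python
import base64
import json

# Per the release notes above: claim -> token kinds that still carry it by default.
STILL_EMITTED_IN = {
    "sub": {"id", "access"},
    "auth_time": {"id", "access"},
    "nonce": {"id"},
    "session_state": set(),
}
HINTS = {
    "sub": "mapper on the 'basic' client scope; not added to lightweight access tokens",
    "auth_time": "mapper on the 'basic' client scope; not added to lightweight access tokens",
    "nonce": "ID token only now; other tokens need an explicitly configured mapper",
    "session_state": "no longer in any token; read 'sid', which has the same value",
}


def b64url(data):
    """Base64url-encode bytes without padding, as used in compact JWTs."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_payload(jwt):
    """Return the claims of a compact JWT WITHOUT verifying its signature.

    For inspection during migration only, never for authorization decisions.
    """
    segments = jwt.split(".")
    if len(segments) != 3:
        raise ValueError("not a compact JWS")
    padded = segments[1] + "=" * (-len(segments[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def claims_at_risk(token_kind, jwt, claims_app_reads):
    """List claims the application reads that are missing from this token."""
    present = decode_payload(jwt)
    report = []
    for claim in sorted(claims_app_reads):
        if claim in present:
            continue
        if claim in STILL_EMITTED_IN and token_kind not in STILL_EMITTED_IN[claim]:
            report.append(f"{claim}: {HINTS[claim]}")
        else:
            report.append(f"{claim}: absent, not explained by the v25 changes")
    return report


def session_id(claims):
    """Session identifier that works with tokens issued before and after v25."""
    return claims.get("sid") or claims.get("session_state")


def constructed_jwt(claims):
    """Build a constructed sample token; the signature segment is a dummy."""
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}.constructed-signature"


# Constructed tokens shaped like the v25 defaults described above.
ACCESS_V25 = constructed_jwt({"iss": "https://sso.example.test/realms/demo",
                              "sub": "u-1", "auth_time": 1718400000, "sid": "s-1"})
LIGHTWEIGHT_V25 = constructed_jwt({"iss": "https://sso.example.test/realms/demo",
                                   "jti": "t-1"})

if __name__ == "__main__":
    app_reads = {"sub", "nonce", "session_state"}
    for kind, token in (("access", ACCESS_V25), ("lightweight", LIGHTWEIGHT_V25)):
        print(kind, claims_at_risk(kind, token, app_reads))
```
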

Support for application/jwt media-type in token introspection endpoint

You can use the HTTP Header Accept: application/jwt when invoking a token introspection endpoint. When enabled for a particular client, it returns a claim jwt from the token introspection endpoint with the full JWT access token, which can be useful especially for the use-cases when the client calling introspection endpoint used lightweight access token. Thanks to Thomas Darimont for the contribution.

Password policy to check if password contains username

Keycloak supports a new password policy that allows you to deny user passwords which contain the user's username.

Required actions improvements

In the Admin Console, you can now configure some required actions in the Required actions tab of a particular realm. Currently, the Update password is the only built-in configurable required action. It supports setting Maximum Age of Authentication, which is the maximum time users can update their password by the kc_action parameter (used for instance when updating password in the Account Console) without re-authentication. The sorting of required actions is also improved. When there are multiple required actions during authentication, all actions are sorted together regardless of whether those are actions set during authentication (for instance by the kc_action parameter) or actions added to the user account manually by an administrator. Thanks to Thomas Darimont and Daniel Fesenmeyer for the contributions.

Passkeys improvements

The support for Passkeys conditional UI was added. When the Passkeys preview feature is enabled, there is a dedicated authenticator available, which means you can select from a list of available passkeys accounts and authenticate a user based on that. Thanks to Takashi Norimatsu for the contribution.

Default client profile for SAML

A default client profile for securing SAML clients was added. When browsing through client policies of a realm in the Admin Console, you see a new client profile saml-security-profile. When it is used, security best practices are applied to SAML clients: signatures are enforced, SAML Redirect binding is disabled, and wildcard redirect URLs are prohibited.

A new authenticator, Confirm override existing link, was added. This authenticator allows overriding the linked IDP username for a Keycloak user who was already linked to a different IDP identity. More details are in the Server Administration Guide. Thanks to Lex Cao for the contribution.

OpenID for Verifiable Credential Issuance - experimental support

There is work in progress on the support of OpenID for Verifiable Credential Issuance (OID4VCI). Right now, this is still work in progress, but things are being gradually added. Keycloak can act as an OID4VC Issuer with support of Pre-Authorized code flow. There is support for verifiable credentials in the JWT-VC, SD-JWT-VC and VCDM formats. Thanks to the members of the OAuth SIG groups for the contributions and feedback and especially thanks to Stefan Wiedemann, Francis Pouatcha, Takashi Norimatsu and Yutaka Obuchi.

Searching by user attribute no longer case insensitive

When searching for users by user attribute, Keycloak no longer searches for user attribute names forcing lower case comparisons. The goal of this change was to speed up searches by using Keycloak's native index on the user attribute table. If your database collation is case-insensitive, your search results will stay the same. If your database collation is case-sensitive, you might see fewer search results than before.

Breaking fix in authorization client library

For users of the keycloak-authz-client library, calling AuthorizationResource.getPermissions(...) now correctly returns a List<Permission>.

Previously, it would return a List<Map> at runtime, even though the method declaration advertised List<Permission>.

This fix will break code that relied on casting the List or its contents to List<Map>. If you have used this method in any capacity, you are likely to have done this and be affected.

IDs are no longer set when exporting authorization settings for a client

When exporting the authorization settings for a client, the IDs for resources, scopes, and policies are no longer set. As a result, you can now import the settings from a client to another client.

Management port for metrics and health endpoints

Metrics and health checks endpoints are no longer accessible through the standard Keycloak server port. As these endpoints should be hidden from the outside world, they can be accessed on a separate default management port 9000.

This makes it possible to avoid exposing them to users alongside the standard Keycloak endpoints in Kubernetes environments. The new management interface provides a new set of options and is fully configurable.

Keycloak Operator assumes the management interface is turned on by default. For more details, see Configuring the Management Interface.

Syslog for remote logging

Keycloak now supports Syslog protocol for remote logging. It utilizes the protocol defined in RFC 5424. By default, the syslog handler is disabled, but when enabled, it sends all log events to a remote syslog server.

For more information, see the Configuring logging guide.

Change to class EnvironmentDependentProviderFactory

The method EnvironmentDependentProviderFactory.isSupported() was deprecated for several releases and has now been removed.

For more details, see the Upgrading Guide.

All cache options are runtime

It is now possible to specify the cache, cache-stack, and cache-config-file options during runtime. This eliminates the need to execute the build phase and rebuild your image due to them.

For more details, see the Upgrading Guide.

High availability guide enhanced

The high availability guide now contains a guide on how to configure an AWS Lambda to prevent an intended automatic failback from the Backup site to the Primary site.

Removing deprecated methods from AccessToken, IDToken, and JsonWebToken classes

In this release, we are finally removing deprecated methods from the following classes:

  • AccessToken

  • IDToken

  • JsonWebToken

For more details, see the Upgrading Guide.

Method getExp added to SingleUseObjectKeyModel

As a consequence of the removal of deprecated methods from AccessToken, IDToken, and JsonWebToken, the SingleUseObjectKeyModel also changed to keep consistency with the method names related to expiration values.

For more details, see the Upgrading Guide.

Support for PostgreSQL 16

The supported and tested databases now include PostgreSQL 16.

Introducing support for Customer Identity and Access Management (CIAM) and Multi-tenancy

In this release, we are delivering Keycloak Organizations as a technology preview feature.

This feature provides a realm with some core CIAM capabilities, which will serve as the baseline for more capabilities in the future to address Business-to-Business (B2B) and Business-to-Business-to-Customers (B2B2C) use cases.

In terms of functionality, the feature is completed. However, we still have work to do to make it fully supported in the next major release. This remaining work is mainly about preparing the feature for production deployments with a focus on scalability. Also, depending on the feedback we get until the next major release, we might eventually accept additional capabilities and add more value to the feature, without compromising its roadmap.

For more details, see Server Administration Guide.

Upgrading

Before upgrading, refer to the migration guide for a complete list of changes.

All resolved issues

New features

  • #​25940 Support Credentials Issuance through the OID4VCI Protocol oid4vc
  • #​25942 Issue Verifiable Credentials in the SD-JWT-VC format oid4vc
  • #​25943 Issue Verifiable Credentials in the VCDM format oid4vc
  • #​25945 Extend Account Console to support Credentials Issuance Self-Service account/ui
  • #​26201 Introduce a new Authenticator to handle duplicate IdP broker links authentication
  • #​27673 Hardcoded SAML metadata URL in admin-v2 admin/ui
  • #​27728 Reflect new hostname v2 options in Keycloak CR operator
  • #​27729 Add documentation for Hostname v2 docs
  • #​27730 Release notes and Migration guide for Hostname v2 docs
  • #​28030 Create Argon2 password hashing provider
  • #​28400 Make RequiredActions configurable
  • #​28608 Allow onboarding organization members through a registration invitation link
  • #​28750 CLI options to disable encryption and authentication to external Infinispan dist/quarkus
  • #​28938 Need inline translation assistance for user profile attribute groups.
  • #​29491 Remove Oracle JDBC driver out of the box docs
  • #​29539 Add CRUD for organizations to admin client
  • #​29627 Expose Authorization Server Metadata Endpoint under /.well-known/oauth-authorization-server to comply with rfc8414 oid4vc
  • #​29634 Expose JWT VC Issuer Metadata /.well-known/jwt-vc-issuer to comply with SD-JWT VC Specification oid4vc

Enhancements

  • #​11757 Declarative User Profile: local-date validation and html5-date clash user-profile
  • #​13113 Conditionally enable and disable CLI options dist/quarkus
  • #​16295 JsonSerialization does not load all available modules from the classpath
  • #​17530 Add Portuguese translations
  • #​19334 Support management port for health and metrics in Quarkus 3 dist/quarkus
  • #​20736 uma-ticket returns 403 even though user has access, when User Realm Role isn't present in access Token authorization-services
  • #​20792 Make it clear that `Client Offline Token Max` should not be set when `Offline Session Max Limited` is disabled for realm admin/ui
  • #​20916 DefaultHttpClientFactory should handle the encoding of the response core
  • #​21185 Protocol mapper and client scope for sub claim
  • #​21344 Upgrade account theme to PatternFly 5 account/ui
  • #​21345 Upgrade admin theme to PatternFly 5 admin/ui
  • #​21439 Allow options to support any value in addition to a list of pre-defined values. dist/quarkus
  • #​21562 Make sure admin events are not referencing sensitive data from their representation admin/api
  • #​21961 Allow to provider password to kcadm (keycloak-admin-cli) via environment variable admin/cli
  • #​22436 Query users by 'LDAP_ID' is not working ldap
  • #​22711 Enable theme caches by default in start-dev dist/quarkus
  • #​24192 Refine how ConfigSource names are being used dist/quarkus
  • #​24264 Passkeys: Supporting WebAuthn Conditional UI authentication/webauthn
  • #​24466 Look if checks in IntrospectionEndpoint can be simplified oidc
  • #​25057 Inconsistent behaviour on getting user permissions using authorization authorization-services
  • #​25114 User Profile "Input placeholder" and other annotations - Use Localization keys user-profile
  • #​26162 Optimize query batching and result fetching by tuning Hibernate parameters
  • #​26443 Show an error message when file does not exist for the `config-file` parameter dist/quarkus
  • #​26504 Localization Proposal 2 admin/ui
  • #​26654 Initial client policies integration for SAML saml
  • #​26657 Map Storage Removal: Remove deprecated model/legacy module storage
  • #​26695 Keycloak and MSAD: enabling account in MSAD does not propagate to Keycloak ldap
  • #​26713 Refactoring JavaScript code of WebAuthn's authenticators to follow the current Keycloak's JavaScript coding convention authentication/webauthn
  • #​27264 Trivy Analysis warnings should be fixed
  • #​27433 Clarify format of keys in `additionalOptions` field in the Keycloak CR docs
  • #​27442 Use browser router for Account Console account/ui
  • #​27481 Edit High Availability guide
  • #​27484 Edit 23.0 changes part of Upgrading Guide
  • #​27494 Use JDK17 functionality in the KC Operator operator
  • #​27508 Use new remote-store options in HA guides
  • #​27509 Upgrade to Aurora Postgres 15.5
  • #​27515 `ClusterProvider` should no longer be deprecated now that "legacy" is the default
  • #​27527 CS and SK localized messages need an update
  • #​27544 Expose quarkus syslog logging now GELF is being deprecated from Keycloak dist/quarkus
  • #​27545 Simplify handling of profile features in test cases
  • #​27549 Make general `cache` options runtime dist/quarkus
  • #​27574 Support for script providers when running in embedded mode testsuite
  • #​27602 Remove offline session preloading
  • #​27614 Remove additional handlers for health and metrics endpoints dist/quarkus
  • #​27632 Integrate downstream Upgrading Guide changes into upstream
  • #​27696 Upgrade to Quarkus 3.8.2 dist/quarkus
  • #​27724 Enable Infinispan metrics by default
  • #​27787 Missing API documentation for /admin/realms/{realm}/groups/{group-id}
  • #​27871 Upgrade to Infinispan 14.0.26 core
  • #​27924 Enable http metrics once Quarkus 3.8.3 is available
  • #​27953 Address feedback to Keycloak Server guide docs
  • #​27976 Persist online sessions to the database
  • #​27997 Make the Language Selector sorted and searchable
  • #​28009 Address edits to the Operator Guide
  • #​28033 Upgrade Infinispan to 14.0.27.Final
  • #​28035 update for messages_de.properties required translations
  • #​28084 Upgrade to Quarkus 3.8.3 dist/quarkus
  • #​28120 Default password hashing algorithm should be set to default password hash provider
  • #​28142 Update HA Guide now that non-XA mode is the default
  • #​28145 Align help output for Quarkus distribution across Windows and Linux dist/quarkus
  • #​28161 Use Argon2 password hashing by default
  • #​28178 Provide histograms for http server metrics
  • #​28256 Prevent duplicate form submission in Create realm dialog in admin ui admin/ui
  • #​28318 Use the same new code for persistent sessions for offline sessions core
  • #​28336 Provide a dedicated way of updating Quarkus classloading indices
  • #​28388 Handle concurrent writes to sessions more gracefullly
  • #​28429 Add details to error messages, especially around refresh tokens
  • #​28436 When LDAP groups synchronization fails, show root cause in admin UI admin/api
  • #​28448 Avoid deprecated `jboss-modules` method usage
  • #​28453 More conventional looking conditional element in authentication diagram admin/ui
  • #​28460 Polishing docs for lightweight tokens oidc
  • #​28477 The concurrency of hashing leads to increased memory usage and CPU throttling
  • #​28501 Batch updates to the database to avoid using too many IOPS
  • #​28517 Java 21 support
  • #​28567 Change user_id value for REFRESH_TOKEN and REFRESH_TOKEN_ERROR events oidc
  • #​28616 Add ui-tab context information into the onCreate
  • #​28650 Improve german translations for admin ui
  • #​28654 Refine the warning produced when a non-cli build-time property is used at runtime dist/quarkus
  • #​28672 For client-credential-grants, there shouldn't be an interaction with the authentication cache
  • #​28729 Emphasize the need for setting container limit docs
  • #​28814 Add missing german translations for user federation in admin UI
  • #​28848 Automatically fill username when authenticating to through a broker
  • #​28861 Improve the performance of the PermissionTicketStore.findGrantedResources method authorization-services
  • #​28862 Improve persistent sessions DB throughput for logins/logouts by batching
  • #​28879 Indicate whether a user is transient or not in user sessions list
  • #​28880 Upgrade to Quarkus 3.8.4 dist/quarkus
  • #​28906 ID fields in SessionWrapper should be immutable
  • #​28926 Store extended error message in events for client credential grants
  • #​28935 Ensure GroupResource.getSubGroups doesn't rely on no-arg version of GroupModel.getSubGroupsStream to avoid prematurely loading all subgroups storage
  • #​28939 OIDC: Backchannel logout token should use "typ":"logout+jwt" oidc
  • #​28974 Replace tooltip for adding a translation to an attribute with a text underneath `Display name`
  • #​29023 Support adding existing users to an organization
  • #​29068 Infinispan 15.0.3.Final
  • #​29073 Use cache.compute() method to improve the replace retry loop
  • #​29118 Conditionally run Quarkus IT in GHA based on code changes testsuite
  • #​29124 Use Java locale translations instead of manually edited translations translations
  • #​29166 Improve details for user error events in OIDC protocol endpoints oidc
  • #​29183 Minor corrections to High Availability Guide docs
  • #​29203 Revisit SessionsResource#realmSessions as it current loads all sessions into memory
  • #​29223 Complete transistion away from Resteasy core
  • #​29280 Update Create Realm in Keycloak 24 Getting Started
  • #​29319 Don't sort persistent sessions when retrieving a list
  • #​29348 Set default role mapping filter in the role mapping modal
  • #​29375 Allow migration of non-persistent sessions to persistent sessions
  • #​29392 Avoid conflicts when writing make store keys
  • #​29431 Make sure organization groups can not be managed but when managing an organization
  • #​29460 Email validation for managed members should only fail if it does not match the domain set to a broker
  • #​29489 Describe how to enable and disable persistent sessions for an installation docs
  • #​29561 Revisit rolling configuration upgrades for persistent-sessions feature
  • #​29639 Enhance documentation for REST API for X.509 Direct Grant Flow usage authentication
  • #​29724 VC issuance in Authz Code flow without considering “scope” parameter
  • #​29743 Infinispan 15.0.4.Final
  • #​29750 Require external Infinispan be of version 15 or greater
  • #​29778 Upgrade Selenium and Arquillian dependencies in testsuite testsuite
  • #​29780 Unify approach for WebAuthn tests testsuite
  • #​29787 Document Failover Lambda for Active/Passive deployments
  • #​29794 Show a message when confirming an invitation link
  • #​29813 Snyk report to identify branches impacted by a CVE ci
  • #​29818 Avoid explicit flush when handling persistent sessions
  • #​29880 Improve documentation for the case when 'basic' client scope already exists storage
  • #​29883 Upgrade old Keycloak version for DB migration tests testsuite
  • #​29919 Avoid IntelliJ to automatically create start imports
  • #​30017 Improve Client Type Integration Tests oidc
  • #​30026 Conditionally execute WebAuthn tests when Account console UI is changed testsuite
  • #​30052 Add periodic synchronisation for Weblate contents
  • #​30104 Release notes for support application/jwt response in token introspection endpoint docs
  • #​30160 Upgrade to Quarkus 3.8.5 dist/quarkus
  • #​30241 Adding ability to get realm attributes in themes

Bugs

  • #​8887 Information not displayed when a logged in user reset his password authentication
  • #​9695 Add `id_token_signed_response_alg` when realm default algorithm is not `RS256` oidc
  • #​12298 Security bug: Timing Oracle @​ Authorization Grant Request , CWE 208 authentication
  • #​12326 AccessTokens generated from RefreshTokens without scope oidc
  • #​12585 False implementation of SAML element EncryptionMethod saml
  • #​12671 Slow user query by attribute storage
  • #​13045 Duplicated user consents storage
  • #​14084 DefaultBruteForceProtector leverages a single thread to write success/failed events authentication
  • #​14122 Refresh token rotation with multiple tabs oidc
  • #​14188 "1403 Killed" after starting a fresh build docs
  • #​14501 Getting failed to initialize js message if consent is rejected by user account/ui
  • #​15403 No email send on TOTP/Authenticator app removal core
  • #​16064 RS256 signed token validation fails oidc
  • #​16345 Unable to delete realm names with invalid URL characters admin/api
  • #​16520 AuthzClient getPermissions() deserializes to List and not List authorization-services
  • #​16873 Required actions execution order (session and user required actions) authentication
  • #​16948 search users by custom attributes admin/client-js
  • #​17154 User locale in server info has language and country switched around admin/api
  • #​17483 MultiVersionClusterTest not working for Quarkus based distribution storage
  • #​17678 Stop using nested components admin/ui
  • #​19671 Refresh token have a negative exp claim because TokenManager is vulnerable to integer overflow for long lasting sessions (YEAR 2038 bug) oidc
  • #​19853 CRL Verification failing due to client certificate not being in a chain authentication
  • #​20411 Entering a single space in a regex password policy makes admin interface unusable. core
  • #​20490 SAML IDP initiated SSO getting cookie_not_found error saml
  • #​20637 Reset password flow fails with "Page has expired" error when Kerberos authentication is enabled in the browser flow authentication
  • #​20747 Keycloak admin cli creating/updating authention executions not respecting the priority value specified admin/api
  • #​21422 Flaky test: org.keycloak.testsuite.forms.ResetPasswordTest#resetPasswordLink ci
  • #​22617 kc export fails when using User Federation (LDAP) with file-based Vault enabled import-export
  • #​22644 Flaky test: org.keycloak.testsuite.forms.BrowserFlowTest#testAlternativeNonInteractiveExecutorInSubflow core
  • #​23252 Invalid redirect after logging in using Twitter (X) testsuite
  • #​23528 NullPointerException in SAML IdP Logout request with SessionIndex and without NameID identity-brokering
  • #​23701 Attribute search does not work with federated users with ldap. admin/ui
  • #​23832 New admin console doesn't support automatic logout account/ui
  • #​23833 Account console v2 doesn't support automatic logout account/ui
  • #​23900 Duplicate path in groups claim oidc
  • #​23980 Keycloak Operator fails to install realm authentication flow because "flow is null" import-export
  • #​24201 Cannot disable LDAP-backed user if importEnabled=false ldap
  • #​24414 Container labels inherited from UBI image dist/quarkus
  • #​24462 Remove non-unique `id` attributes from `webauthn-authenticate.ftl` login/ui
  • #​24568 iframe for frontend logout gets blocked if a custom CSP header is used core
  • #​24571 Parallel builds stopped working admin/ui
  • #​24795 Not proper remove for nested sub-flows from DB core
  • #​24878 NoClassDefFoundError for Apache XML and EAP8 adapter/jee-saml
  • #​24936 Negative token expiration when changing client session max lifetime oidc
  • #​25038 ServerRequestFilter / ServerResponseFilter not being picked up extensions
  • #​25219 Restrict the access to 'whoami' endpoint for tokens issued for the admin console client admin/api
  • #​25490 Partial export/import is not mentioned in Keycloak's Server Administration Guide docs
  • #​25514 Errors in Outgoing HTTP requests documentation docs
  • #​25687 A java.lang.NullPointerException occurs when sending a Multipart/form-data request to any file upload interface. admin/api
  • #​25778 Incorrect JSON format returned in case of existing user (with user federation) admin/api
  • #​25807 Space in realm name breaks initial console uris admin/api
  • #​25815 Loosing refresh token with Google Identity Provider identity-brokering
  • #​25975 Failing to import client's authorisation settings through UI authorization-services
  • #​25993 PostgreSQL deadlock causes 400 client error instead of 500 server error storage
  • #​26019 Identity provider sync mode: incorrect selection in case of null admin/ui
  • #​26100 Device verification flow does not require consent under certain circumstances oidc
  • #​26108 Realm improper input sanitization core
  • #​26109 Improper Input Validation and Sanitization Leads to persistent partial Denial of Service admin/api
  • #​26113 Revoked Token may be valid for a short time after expiring oidc
  • #​26364 Duplicate emails is On when Email as username and Login with email are On admin/ui
  • #​26396 How do you update a custom user storage provider jar that includes a version number? dist/quarkus
  • #​26438 Keycloak cannot run on windows machine in dev-mode. Because non-English systems cannot support keycloak's package's. dist/quarkus
  • #​26439 Incorrect position of nonce in OCSP request authentication
  • #​26464 "Test connection" on LDAPS URI does not test TLS handshake admin/api
  • #​26515 Wrong rendering duplicated options in guides docs
  • #​26658 `LogoutEvent` is not fired on required UpdatePassword action core
  • #​26667 Can't access hidden tabs on the left in admin UI admin/ui
  • #​26868 Login via brokerage to identity provider fails with clients having UUID with uppercase letter identity-brokering
  • #​26893 Access tokens includes nonce claim oidc
  • #​26915 Deleting sub-realm roles throw errors (even tho it succeeded) authorization-services
  • #​26981 Workflow failure Quarkus IT - StartCommandDistTest#testWarningWhenOverridingBuildOptionsDuringStart ci
  • #​27021 Workflow failure: Fuse adapter tests ci
  • #​27080 Workflow failure: Operator CI - KeycloakTruststoresTests#testTrustroreExists ci
  • #​27180 Grant type "urn:ietf:params:oauth:grant-type:uma-ticket" openid-connect/token service endpoint is returning refresh token with invalid Expiration authorization-services
  • #​27184 Editing built-in client policy profiles are silently reverted oidc
  • #​27201 Missing `exp` claim from Offline tokens when `Offline Session Max Limited` is disabled core
  • #​27228 Lowercased "terms_and_conditions" is not migrated in fed_user_required_action table core
  • #​27245 Account console does not correctly treat link / unlink account account/ui
  • #​27269 mvnw clean install -Pdistribution on Windows deletes necessary files during clean of org.keycloak:keycloak-admin-ui admin/ui
  • #​27275 Invalidating offline token is not working from client sessions tab authentication
  • #​27308 Warnings in log during normal startup dist/quarkus
  • #​27349 Google Authenticator now supports SHA256 and SHA512 authentication
  • #​27366 Social login - test failures with unexpected status code testsuite
  • #​27391 Log warning when not using scope `openid` oidc
  • #​27416 Missing feature ID for tech preview feature in docs docs
  • #​27444 type of clients.findRole() in @​keycloak/keycloak-admin-client is wrong admin/client-js
  • #​27483 Authz-client AuthorizationResource.getPermissions() ClassCastException authorization-services
  • #​27499 LdapSyncTest failures running with external Active Directory testsuite
  • #​27504 Cpu and memory sizing typo docs
  • #​27506 Readable realm name no longer visible in logs, but realm id is used instead core
  • #​27512 Getting subgroups does pagination before filtering core
  • #​27514 Uncaught server error: java.lang.IllegalArgumentException: Path parameter not provided oidc
  • #​27529 LegacyUserCredentialManager class not found storage
  • #​27538 User tab "Identity Provider Links" is not available when only "view-users" or "manage-users" realm-management role is assigned as in the v1 Keycloak theme account/ui
  • #​27540 URL change for liquibase docs docs
  • #​27548 Custom Browser Flow not working anymore admin/ui
  • #​27558 Client registration policy "Allowed Protocol Mapper Types" prevents clients from self-updating via the client registration api admin/api
  • #​27565 Admin Console tests are failing due to changes in supported authenticators testsuite
  • #​27573 Release notes from 24.0.0 miss that multi-site active-passive deployments are supported docs
  • #​27597 dropping KC_PROXY=edge causes startup error core
  • #​27604 Account console dev environment broken account/ui
  • #​27609 Mixed use of javax and jakarta in org.keycloak.admin.client adapter/jee
  • #​27611 Cannot modify realm email settings since keycloak 24 user-profile
  • #​27620 Incomplete documentation when an email about changed credentials is sent docs
  • #​27622 In the account console, the link "Back to security-admin-console" disappears after the first navigation account/ui
  • #​27628 Only allow a known refferer URI for the Account Console account/ui
  • #​27643 Password policy for not having username in the password authentication
  • #​27646 Account Console REST API for /linked-accounts Returns Multiple Access-Control-Allow-Origin Headers account/api
  • #​27653 Admin tests: Flaky realm_settings_user_profile_enabled test admin/ui
  • #​27683 Quarkus-next build failure: Could not find artifact io.quarkus:quarkus-extension-maven-plugin ci
  • #​27691 Unable to set a newly created flow in First Login Flow override for a SAML identity provider admin/ui
  • #​27701 MTLS Cache options should be runtime options, not build time options dist/quarkus
  • #​27709 Account console does not work with `--http-relative-path` account/ui
  • #​27719 Wrong Welcome page image in the documentation docs
  • #​27745 Registration template in login2 is broken login/ui
  • #​27756 SMTP email sending fails because of tls certificate verification even with tls-hostname-verifier=ANY core
  • #​27761 Snyk workflow failure ci
  • #​27779 Broken Migration "MigrateTo24_0_0" core
  • #​27780 Fixing downstream documentation build docs
  • #​27797 User profile fields cannot be set empty once they have a non-empty value (in Login Theme) user-profile
  • #​27798 Performance problem with Amazon JDBC wrapper version 2.3.4
  • #​27820 Account console confusing with WebAuthn account/ui
  • #​27824 Can't register webauthn passwordless key when RS1 signature algorithm is configured in policies authentication/webauthn
  • #​27837 Translation values not loaded for User Profile attributes admin/ui
  • #​27838 User Profile translations - value put in wrong field after search user-profile
  • #​27839 Incorrect Length Validation for Attribute admin/cli
  • #​27840 Race condition loading serverinfo in admin console admin/ui
  • #​27841 ES translation causes FreeMarker rendering issues translations
  • #​27846 Authenticator Example module compilation failure authentication
  • #​27852 VerifyUserProfile invalidates user cache on every login core
  • #​27854 Required action selection is broken admin/ui
  • #​27868 Documentation is referring to deprecated/unmaintained examples docs
  • #​27875 SAMLIdentityProvider not honoring SamlAuthenticationPreprocessor saml
  • #​27877 Get Groups in admin/cli returns all groups and not the groups that meets the condition specified in -q option admin/cli
  • #​27878 Error when executing refresh grant, with scope param, without offline_access scope specified oidc
  • #​27882 Incorrect version of bctls-fips in the docs docs
  • #​27890 Webauthn token stops working on migration to 24 authentication/webauthn
  • #​27892 Truststore handling for the Operator is not documented operator
  • #​27894 Multi datasource configuration does not work in Keycloak 24.0.1 dist/quarkus
  • #​27900 Performance impact in changed hashing measured wrong authentication
  • #​27917 User search field loses focus after first input in realms with user federation admin/ui
  • #​27925 Keycloak docs state that there are http metrics, but they are disabled docs
  • #​27941 Entry 999.0.0 in MIGRATION_MODEL prevents future migrations of the database core
  • #​27944 Admin tests: Failing realm_settings_events_test test admin/ui
  • #​27954 Hibernate Dialect detection does not work anymore for Oracle DBs storage
  • #​27962 message of groups is wrong in messages_ja.properties admin/ui
  • #​27965 Groups help message is only "Groups" admin/ui
  • #​27966 🍺 instead of dot: Attributes in account UI are not loaded user-profile
  • #​27967 ORA-01450 when updating keycloak 23 -> 24 storage
  • #​27981 User Profile: Inconsistent ordering of attributes between account and login themes user-profile
  • #​27984 Username LDAP attribute other than uid is difficult ldap
  • #​28001 MySQL connector artifact should be ignored dist/quarkus
  • #​28004 JWK key ignored due to missing required field 'use' despite matching KID oidc
  • #​28012 Keycloak CR Truststore should not have a name operator
  • #​28016 User Profile attribute translation saves wrong key to realm overrides admin/ui
  • #​28069 Token setting missing admin/ui
  • #​28079 Group search does not work in user view admin/ui
  • #​28080 Paging issue in groups via user view admin/ui
  • #​28090 kc.sh may leak credentials core
  • #​28100 Failed authentication: java.lang.NullPointerException: Cannot invoke "org.keycloak.models.UserModel.getFederationLink()" because "this.delegate" is null identity-brokering
  • #​28103 Deleting translations after attribute deletion admin/ui
  • #​28113 WebAuthN registration broken after upgrading to 24.0.1 authentication/webauthn
  • #​28143 Navigation broken on local development account/ui
  • #​28174 HA guide erroneously refers to AWS Global Accelerator docs
  • #​28187 Admin UI drag & drop in flow config seems to delete actions admin/ui
  • #​28201 Locale label missing on login page for Brazilian Portuguese, Greek and Persian translations
  • #​28207 JAVA_OPTS are not set under Windows dist/quarkus
  • #​28215 Inconsistent handling of product vs. community in HA guide table-of-contents docs
  • #​28220 Admin API: User PUT operation clears firstname, lastname email fields admin/api
  • #​28231 username contains invalid characters user-profile
  • #​28248 Update user makes User ID changes when federationLink and LDAP_ID is not set properly admin/api
  • #​28284 scroll bar is missing inn clients view keycloak admin GUI core
  • #​28303 WARN - Event object wasn't available in remote cache after event was received infinispan
  • #​28330 org.keycloak.documentation.test.ExternalLinksTest fails with incorrect status code reported back in the results docs
  • #​28335 The false option of the pkceMethod init parameter for the JavaScript adapter is ignored adapter/javascript
  • #​28341 ConditionalLoaAuthenticator documentation incorrect re: unauthenticated users. authentication
  • #​28370 PodTemplateTest assertions are ignored testsuite
  • #​28374 Syntax highlighting for log example is wrong in downsream dist/quarkus
  • #​28377 Broken lists in import/export server guide docs
  • #​28381 Password denylist Doesn't Work As Expected authentication
  • #​28389 New username-password policy check is reversed user-profile
  • #​28409 Unclosed span bracket in register.ftl login/ui
  • #​28416 Keycloak is not returning proper error message for PUT /users admin API user-profile
  • #​28431 Dedicated client scopes always show up when searching admin/ui
  • #​28443 Declarative User Profile: The use of the "select-radiobuttons" with options validation display is broken user-profile
  • #​28463 Error in refresh flow with scope parameter oidc
  • #​28465 Review cookie attributes and set SameSite for all cookies
  • #​28479 Authentication flow diagram incorrect branching in some flows admin/ui
  • #​28484 inputOptionLabels is truncating text that is not wrapped for localization account/ui
  • #​28486 Help text wrong in key provider admin/ui
  • #​28490 Missing help text for Brute Force Mode admin/ui
  • #​28495 IdP Linking: Usernames sometimes lowercase and sometimes uppercase identity-brokering
  • #​28509 Workflow failure: ManagementDistTest ci
  • #​28514 Message for searchClientRegistration is missing admin/ui
  • #​28519 Cards in IDP and User federation are not shown to be clicable admin/ui
  • #​28523 [LDAPStorageProvider] NPE if user is cached but has been deleted in ldap ldap
  • #​28531 notBefore and setToNow untranslated admin/ui
  • #​28546 LDAP provider add has 3 lines on top of screen admin/ui
  • #​28555 Collision with base testsuite dependency
  • #​28564 UserStorageSyncManager int overflow storage
  • #​28575 Flaky test: org.keycloak.testsuite.admin.IdentityProviderTest#testSamlImportWithAnyEncryptionMethod ci
  • #​28576 Flaky test: org.keycloak.testsuite.admin.IdentityProviderTest#testSamlImportWithAnyEncryptionMethod ci
  • #​28577 Flaky test: org.keycloak.testsuite.admin.IdentityProviderTest#testSamlImportWithAnyEncryptionMethod ci
  • #​28579 Brute force detection fails with read-only LDAP users authentication
  • #​28606 OrganizationTest.testAttributes fails in GHA CI testsuite
  • #​28624 Incorrect user info in the head when using lightweight access token for account-console account/ui
  • #​28628 Invalide objects comparison in Java core
  • #​28638 Missing permission to read configmaps in `keycloak-operator-role` operator
  • #​28640 Unable to see user's inherited role if user has no directly assigned roles admin/ui
  • #​28649 docker-v2 authentication fails with KC-SERVICES0097: Invalid request: java.lang.NullPointerException: Cannot invoke "org.keycloak.models.ClientModel.getClientScopes(boolean)" because "this.client" is null core
  • #​28666 Accessing a transient (lightweight) user through client session fails in admin-api/-ui admin/ui
  • #​28684 "Extend to children" button in authorization group policies is wrongly disabled admin/ui
  • #​28702 Unable to fetch realm names when contains special characters admin/ui
  • #​28704 Remove invalid "this." from keycloak-admin-client README admin/client-js
  • #​28725 Keycloak 24.0.2 - Enlisted connection used without active transaction storage
  • #​28744 Invalid label `validatingX509Certs` in new SAML identity provider screen admin/ui
  • #​28746 Translations missing for recovery codes in KC 24 account/ui
  • #​28747 ID is shown prematurely on Identity Provider Mapper after Save admin/ui
  • #​28748 Webauthn Policy timeout accepts values > 8 hours admin/ui
  • #​28798 `passwordPoliciesHelp.notContainsUsername` missing in admin console admin/ui
  • #​28801 NPE when listing sessions in UI if associated user is gone core
  • #​28818 Child groups filtering returns all groups admin/ui
  • #​28821 Failure reset time is applied to Permanent Lockout authentication
  • #​28824 Inconsistent Group Ordering in Keycloak API Responses For Client Policies Causing Drift Detection Challenges admin/fine-grained-permissions
  • #​28825 Keycloak Operator 24.x - the keycloak custom image tag is being overwritten with nightly pull operator
  • #​28881 socketTimeoutUnits and establishConnectionTimeoutUnits in HttpClientBuilder are not used core
  • #​28896 Master realm can be deleted admin/api
  • #​28911 clients_saml_test.spec.ts fails in main admin/ui
  • #​28915 Possible NPE when exporting user policy authorization-services
  • #​28947 IndexWrapper warnings when starting Keycloak dist/quarkus
  • #​28948 Auto-build shouldn't warn about unavailable runtime options dist/quarkus
  • #​28949 Conditional cache options are not evaluated correctly dist/quarkus
  • #​28964 Compilation error in latest main (conflicting PRs for oid4vc and changes for EnvironmentDependentFactory) core
  • #​28968 Grant urn:ietf:params:oauth:grant-type:pre-authorized_code enabled even if oid4vc_vci feature is disabled oid4vc
  • #​28979 MULTIVALUED_STRING_TYPE does not show in UI if empty admin/ui
  • #​28982 Flaky test: org.keycloak.testsuite.oid4vc.issuance.signing.OID4VCIssuerEndpointTest#testGetCredentialOfferUriUnsupportedCredential ci
  • #​28983 Flaky test: org.keycloak.testsuite.oid4vc.issuance.signing.OID4VCIssuerEndpointTest#testGetCredentialOfferUriInvalidToken ci
  • #​28984 Flaky test: org.keycloak.testsuite.oid4vc.issuance.signing.OID4VCIssuerEndpointTest#testRequestCredential ci
  • #​28985 Flaky test: org.keycloak.testsuite.oid4vc.issuance.signing.OID4VCIssuerEndpointTest#testGetCredentialOfferUriUnauthorized ci
  • #​28986 Flaky test: org.keycloak.testsuite.oid4vc.issuance.signing.OID4VCIssuerEndpointTest#testGetCredentialOfferUnauthorized ci
  • #​28987 Flaky test: org.keycloak.testsuite.oid4vc.issuance.signing.OID4VCIssuerEndpointTest#testRequestCredentialInvalidToken ci
  • #​28988 Flaky test: org.keycloak.testsuite.oid4vc.issuance.signing.OID4VCIssuerEndpointTest#testRequestCredentialUnauthorized ci
  • #​28989 Flaky test: org.keycloak.testsuite.oid4vc.issuance.signing.OID4VCIssuerEndpointTest#testCredentialIssuance ci
  • #​28990 Flaky test: org.keycloak.testsuite.oid4vc.issuance.signing.OID4VCIssuerEndpointTest#testGetCredentialOfferWithoutNonce ci
  • #​28991 Flaky test: org.keycloak.testsuite.oid4vc.issuance.signing.OID4VCIssuerEndpointTest#testGetCredentialOffer ci
  • #​28992 Flaky test: org.keycloak.testsuite.oid4vc.issuance.signing.OID4VCIssuerEndpointTest#testGetCredentialOfferWithABrokenNote ci
  • #​28993 Flaky test: org.keycloak.testsuite.oid4vc.issuance.signing.OID4VCIssuerEndpointTest#testGetCredentialOfferURI ci
  • #​28994 Flaky test: org.keycloak.testsuite.oid4vc.issuance.signing.OID4VCIssuerEndpointTest#testGetCredentialOfferWithoutAPreparedOffer ci
  • #​28995 Flaky test: org.keycloak.testsuite.oid4vc.issuance.signing.OID4VCIssuerEndpointTest#testRequestCredentialUnsupportedFormat ci
  • #​28996 Flaky test: org.keycloak.testsuite.oid4vc.issuance.signing.OID4VCIssuerEndpointTest#testRequestCredentialUnsupportedCredential ci
  • #​29027 Creating client-scope without protocol causes GUI bug admin/api
  • #​29033 Argon2 password hashing leads to increased Major GC's in Keycloak's JVM during load tests authentication
  • #​29035 Admin console message bundle contains duplicate keys admin/ui
  • #​29039 Preflight request with OPTIONS method for token introspection endpoint not working. authentication
  • #​29057 not able to disable declarative_ui feature
  • #​29072 Startup probe should check for existence of an Admin user before returning 200 dist/quarkus
  • #​29129 JGroups creates log messages as it switched internally to "trace" dist/quarkus
  • #​29132 Documentation cites wrong endpoint for Docker Registry v2 Authentication docs
  • #​29133 DuplicateEmailValidator causes two DB queries on every login if a user has an email address core
  • #​29141 Fix waiting for change to take effect in SessionTimeoutsTest
  • #​29142 LDAP - GroupToGroup Mapper throws "ENTRY_EXISTS" Error ldap
  • #​29147 local user login not possible after LDAP connection problem ldap
  • #​29154 Update docs to distinguish between product names and CR names docs
  • #​29190 JS Admin Client does not support q query parameter on users.count() and clients.find() methods admin/client-js
  • #​29206 LDAP user creation reports error but user is created ldap
  • #​29213 Bad formatting of permissions error in admin console admin/ui
  • #​29233 Broken link in documentation docs
  • #​29235 Tests for persistent sessions are not performed infinispan
  • #​29237 The select for a locale behaves as a multi-select in the admin and account UI when it should be single value admin/ui
  • #​29246 Flaky test: org.keycloak.testsuite.client.ClientTypesTest#testUpdateClientWithClientType ci
  • #​29247 Flaky test: org.keycloak.testsuite.oauth.ClientTokenExchangeTest#testExchangeWithDynamicScopesEnabled ci
  • #​29248 Flaky test: org.keycloak.testsuite.oauth.ClientTokenExchangeTest#testClientExchange ci
  • #​29249 Flaky test: org.keycloak.testsuite.oauth.ClientTokenExchangeTest#testIntrospectTokenAfterImpersonation ci
  • #​29250 Flaky test: org.keycloak.testsuite.oauth.ClientTokenExchangeTest#testPublicClientNotAllowed ci
  • #​29251 Flaky test: org.keycloak.testsuite.oauth.ClientTokenExchangeTest#testExchangeUsingServiceAccount ci
  • #​29252 Flaky test: org.keycloak.testsuite.oauth.ClientTokenExchangeTest#testImpersonation ci
  • #​29253 Flaky test: org.keycloak.testsuite.oauth.ClientTokenExchangeTest#testImpersonationUsingPublicClient ci
  • #​29259 `auth-server-feature` does not work for `auth-server-quarkus-embedded` testsuite
  • #​29263 Default value for MULTIVALUED_STRING_TYPE in authenticator config is ignored admin/ui
  • #​29266 Documentation Enhancements Admin Rest API Group to Client Role Mappings docs
  • #​29287 Upgraded docker to 24, now unable to browse "authentication" page in one of my realms. authentication
  • #​29294 Listing of sessions is very slow when we have tens of thousands sessions (+ not able to know the exact number of sessions) admin/ui
  • #​29309 JWSBuilder when used directly with AsymmetricSignatureSignerContext produces non compliant ECDSA signed JWT core
  • #​29311 POST /{realm}/clients-initial-access is allowing invalid data like count = -1 and expiration date-time can be set earlier than the creation date-time oidc
  • #​29314 Clicking the "save" button multiple times in the Saml IDP configuration page corrupts the value of "AuthnContext ClassRefs" admin/ui
  • #​29336 Unlocking and saving the user's temporary lock will render the user disabled. account/ui
  • #​29352 Fix user-facing typos in error messages core
  • #​29362 Custom user attributes are not shown for service account users in the Admin UI admin/ui
  • #​29376 kc export fails when using User Federation (LDAP) with SSL/TLS import-export
  • #​29385 Restart authentication event type is not generated authentication
  • #​29408 Need to show translation for attributes group on Registration form admin/ui
  • #​29426 Potential bug introduced to JavaKeystoreKeyProvider in #​26936 admin/api
  • #​29429 NPE when Organization feature enabled core
  • #​29440 clients_tests is unstable admin/ui
  • #​29458 Empty CSP header value breaks security filter authentication
  • #​29471 Cypress tests store videos even for passing tests ci
  • #​29495 Fixing realm removal when removing groups and brokers associated with an organization core
  • #​29507 realm_settings_user_profile_enabled fails randomly admin/ui
  • #​29525 Maven clean build doesn't clean admin client generated files ci
  • #​29528 Failure: SessionTimeoutsTest ci
  • #​29551 OAuth 2.0 Device Polling Interval - Setting in Realms settings/Token Plus-Minus to change value not working admin/ui
  • #​29554 Cypress failing on video recording ci
  • #​29579 Increased augmentation time after Quarkus 3.8.4 upgrade dist/quarkus
  • #​29592 Remote caches and other site's caches might get out-of-sync when persistent sessions are used core
  • #​29599 Org domain removal from IDP is not properly propagated to the DB core
  • #​29602 SNYK-JAVA-ORGBOUNCYCASTLE-6277381 - Observable Timing Discrepancy in org.bouncycastle:bcprov-jdk18on dependencies
  • #​29607 CVE-2024-30172 - Infinite loop in org.bouncycastle:bcprov-jdk18on dependencies
  • #​29608 CVE-2024-30171 - Observable Discrepancy in org.bouncycastle:bcprov-jdk18on dependencies
  • #​29609 CVE-2024-29857 - Allocation of Resources Without Limits or Throttling in org.bouncycastle:bcprov-jdk18on dependencies
  • #​29620 Wrong Media Type / Format of SD JWT VC oid4vc
  • #​29625 Database driver install examples can lead to permission errors in some circumstances docs
  • #​29630 Unable to import realms with organization feature enabled core
  • #​29640 Admin console development fail due to whoami endpoint admin/ui
  • #​29641 Admin Console uses a wrong URL type for auth server admin/ui
  • #​29644 Unmanaged Attributes drop down doesn't reflect the value admin/ui
  • #​29688 client_authorization_test fails admin/ui
  • #​29699 Snyk Report is not preventing duplicates ci
  • #​29738 Broken translations for loa-condition-level and loa-max-age admin/ui
  • #​29756 MigrateTo25_0_0 does not complete within default transaction timeout storage
  • #​29788 OpenAPI: Missing content definition for authentication flow executions GET API admin/api
  • #​29802 Flaky test: org.keycloak.testsuite.model.session.UserSessionPersisterProviderTest#testMigrateSession ci
  • #​29805 Supported Credential Type is not evaluated when applying the Protocol Mapper in OID4VCI oid4vc
  • #​29808 LDAP User federation: LDAP: error code 49 - Invalid Credentials ldap
  • #​29814 package com.google.common.hash does not exist when building keycloak-api-docs-dist docs
  • #​29816 Aggregated javadoc generation fix + missing keycloak-operator javadoc dist/quarkus
  • #​29868 Missing Text for x509 translations
  • #​29869 Kubernetes resources point to non-existing Operator image operator
  • #​29875 Upgrade supported PostgreSQL to version 16 ci
  • #​29885 Unable to create an LD-Credentials/VCDM provider for OID4VC oid4vc
  • #​29931 Cannot access the account console account/ui
  • #​29939 Increased GC overhead in the continuous performance tests after G1GC compiler change dist/quarkus
  • #​29948 Reason not logged in event for invalid SAML request saml
  • #​29968 x509 SAN UPN other name is not handled in JDK 21 authentication
  • #​29976 CI for JS not running all the tasks ci
  • #​29981 Enabling and disabling functions are not working properly in KC GUI admin/ui
  • #​29982 Revert editorconfig for properties files as trailing blanks are used ci
  • #​29984 Nightly build for API docs is broken
  • #​30018 SessionTimeoutsTest failing even after retry, probably due to insufficient cleanup testsuite
  • #​30023 Using {application.session.host} in backchannel logout url prevents from saving client admin/api
  • #​30024 Sign out button in the account console has wrong Selenium locator testsuite
  • #​30028 Typo in the upgrading guide for persistent sessions docs
  • #​30049 All roles are populated as inherited roles if a single role is added to a dedicated client scope admin/ui
  • #​30068 Update RFC reference in subject: Likely typo RFC2553 -> RFC2253, Consider RFC4514 admin/ui
  • #​30079 The OID4VC tests break automation account/ui
  • #​30086 Remove sources folder before invoking JakartaTransformer
  • #​30102 Updating client policies in JSON editor is buggy. Attempt to update global client policies should throw the error admin/ui
  • #​30120 Option `cache-remote-tls-enabled` is missing the default dist/quarkus
  • #​30126 Client scope names not shown in evaluate section in client-scopes tab admin/ui
  • #​30134 Malformed dependency version causing the build failure testsuite
  • #​30196 Test PoC does not run with Quarkus fork join worker
  • #​30201 Keycloak CI - failure in Store IT (aurora-postgres) ci
  • #​30206 Use forkjoin pool factory in testsuite for embedded Quarkus Auth Server testsuite
  • #​30218 Locale dropdowns not working account/ui
  • #​30220 Base theme contains properties without default values login/ui

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

<h3 id="_deprecated_cookie_methods_removed">Deprecated cookie methods removed</h3> <div class="paragraph"> <p>The following APIs for setting custom cookies have been removed:</p> </div> <div class="ulist"> <ul> <li> <p><code>ServerCookie</code> - replaced by <code>NewCookie.Builder</code></p> </li> <li> <p><code>LocaleSelectorProvider.KEYCLOAK_LOCALE</code> - replaced by <code>CookieType.LOCALE</code></p> </li> <li> <p><code>HttpCookie</code> - replaced by <code>NewCookie.Builder</code></p> </li> <li> <p><code>HttpResponse.setCookieIfAbsent(HttpCookie cookie)</code> - replaced by <code>HttpResponse.setCookieIfAbsent(NewCookie cookie)</code></p> </li> </ul> </div> </div> <div class="sect2"> <h3 id="_addressed_you_are_already_logged_in_for_expired_authentication_sessions">Addressed 'You are already logged in' for expired authentication sessions</h3> <div class="paragraph"> <p>The Keycloak 23 release provided improvements for when a user is authenticated in parallel in multiple browser tabs. However, this improvement did not address the case when an authentication session expired. Now for the case when user is already logged-in in one browser tab and an authentication session expired in other browser tabs, Keycloak is able to redirect back to the client application with an OIDC/SAML error, so the client application can immediately retry authentication, which should usually automatically log in the application because of the SSO session. For more details, see <a href="https://www.keycloak.org/docs/25.0.0/server_admin/#_authentication-sessions">Server Administration Guide authentication sessions</a>.</p> </div> </div> <div class="sect2"> <h3 id="_lightweight_access_token_to_be_even_more_lightweight">Lightweight access token to be even more lightweight</h3> <div class="paragraph"> <p>In previous releases, the support for lightweight access token was added. In this release, we managed to remove even more built-in claims from the lightweight access token. 
The claims are added by protocol mappers. Some of them affect even the regular access tokens or ID tokens as they were not strictly required by the OIDC specification.</p> </div> <div class="ulist"> <ul> <li> <p>Claims <code>sub</code> and <code>auth_time</code> are added by protocol mappers now, which are configured by default on the new client scope <code>basic</code>, which is added automatically to all the clients. The claims are still added to the ID token and access token as before, but not to lightweight access token.</p> </li> <li> <p>Claim <code>nonce</code> is added only to the ID token now. It is not added to a regular access token or lightweight access token. For backwards compatibility, you can add this claim to an access token by protocol mapper, which needs to be explicitly configured.</p> </li> <li> <p>Claim <code>session_state</code> is not added to any token now. It is still possible to add it by protocol mapper if needed. There is still the other dedicated claim <code>sid</code> supported by the specification, which was available in previous versions as well and which has exactly the same value.</p> </li> </ul> </div> <div class="paragraph"> <p>For more details, see the <a href="https://www.keycloak.org/docs/25.0.0/upgrading/">Upgrading Guide</a>.</p> </div> </div> <div class="sect2"> <h3 id="_support_for_applicationjwt_media_type_in_token_introspection_endpoint">Support for application/jwt media-type in token introspection endpoint</h3> <div class="paragraph"> <p>You can use the HTTP Header <code>Accept: application/jwt</code> when invoking a token introspection endpoint. When enabled for a particular client, it returns a claim <code>jwt</code> from the token introspection endpoint with the full JWT access token, which can be useful especially for the use-cases when the client calling introspection endpoint used lightweight access token.
Thanks to <a href="https://github.com/thomasdarimont">Thomas Darimont</a> for the contribution.</p> </div> </div> <div class="sect2"> <h3 id="_password_policy_for_check_if_password_contains_username">Password policy for check if password contains Username</h3> <div class="paragraph"> <p>Keycloak supports a new password policy that allows you to deny user passwords which contain the user's username.</p> </div> </div> <div class="sect2"> <h3 id="_required_actions_improvements">Required actions improvements</h3> <div class="paragraph"> <p>In the Admin Console, you can now configure some required actions in the <strong>Required actions</strong> tab of a particular realm. Currently, the <strong>Update password</strong> is the only built-in configurable required action. It supports setting <strong>Maximum Age of Authentication</strong>, which is the maximum time users can update their password by the <code>kc_action</code> parameter (used for instance when updating password in the Account Console) without re-authentication. The sorting of required actions is also improved. When there are multiple required actions during authentication, all actions are sorted together regardless of whether those are actions set during authentication (for instance by the <code>kc_action</code> parameter) or actions added to the user account manually by an administrator. Thanks to <a href="https://github.com/thomasdarimont">Thomas Darimont</a> and <a href="https://github.com/danielFesenmeyer">Daniel Fesenmeyer</a> for the contributions.</p> </div> </div> <div class="sect2"> <h3 id="_passkeys_improvements">Passkeys improvements</h3> <div class="paragraph"> <p>The support for Passkeys conditional UI was added. When the Passkeys preview feature is enabled, there is a dedicated authenticator available, which means you can select from a list of available passkeys accounts and authenticate a user based on that.
Thanks to <a href="https://github.com/tnorimat">Takashi Norimatsu</a> for the contribution.</p> </div> </div> <div class="sect2"> <h3 id="_default_client_profile_for_saml">Default client profile for SAML</h3> <div class="paragraph"> <p>The default client profile to have secured SAML clients was added. When browsing through client policies of a realm in the Admin Console, you see a new client profile <code>saml-security-profile</code>. When it is used, there are security best practices applied for SAML clients such as signatures are enforced, SAML Redirect binding is disabled, and wildcard redirect URLs are prohibited.</p> </div> </div> <div class="sect2"> <h3 id="_authenticator_for_override_existing_idp_link_during_first_broker_login">Authenticator for override existing IDP link during first-broker-login</h3> <div class="paragraph"> <p>A new authenticator <code>Confirm override existing link</code> was added. This authenticator allows overriding the linked IDP username for a Keycloak user who was already linked to a different IDP identity before. More details in the <a href="https://www.keycloak.org/docs/25.0.0/server_admin/#_override_existing_broker_link">Server Administration Guide</a>. Thanks to <a href="https://github.com/lexcao">Lex Cao</a> for the contribution.</p> </div> </div> <div class="sect2"> <h3 id="_openid_for_verifiable_credential_issuance_experimental_support">OpenID for Verifiable Credential Issuance - experimental support</h3> <div class="paragraph"> <p>There is work in progress on the support of OpenID for Verifiable Credential Issuance (OID4VCI). Right now, this is still work in progress, but things are being gradually added. Keycloak can act as an OID4VC Issuer with support of Pre-Authorized code flow. There is support for verifiable credentials in the JWT-VC, SD-JWT-VC and VCDM formats.
Thanks to the members of the OAuth SIG groups for the contributions and feedback and especially thanks to <a href="https://github.com/wistefan">Stefan Wiedemann</a>, <a href="https://github.com/francis-pouatcha">Francis Pouatcha</a>, <a href="https://github.com/tnorimat">Takashi Norimatsu</a> and <a href="https://github.com/bucchi">Yutaka Obuchi</a>.</p> </div> </div> <div class="sect2"> <h3 id="_searching_by_user_attribute_no_longer_case_insensitive">Searching by user attribute no longer case insensitive</h3> <div class="paragraph"> <p>When searching for users by user attribute, Keycloak no longer searches for user attribute names forcing lower case comparisons. The goal of this change was to speed up searches by using Keycloak&#8217;s native index on the user attribute table. If your database collation is case-insensitive, your search results will stay the same. If your database collation is case-sensitive, you might see fewer search results than before.</p> </div> </div> <div class="sect2"> <h3 id="_breaking_fix_in_authorization_client_library">Breaking fix in authorization client library</h3> <div class="paragraph"> <p>For users of the <code>keycloak-authz-client</code> library, calling <code>AuthorizationResource.getPermissions(&#8230;)</code> now correctly returns a <code>List&lt;Permission&gt;</code>.</p> </div> <div class="paragraph"> <p>Previously, it would return a <code>List&lt;Map&gt;</code> at runtime, even though the method declaration advertised <code>List&lt;Permission&gt;</code>.</p> </div> <div class="paragraph"> <p>This fix will break code that relied on casting the List or its contents to <code>List&lt;Map&gt;</code>.
If you have used this method in any capacity, you are likely to have done this and be affected.</p> </div> </div> <div class="sect2"> <h3 id="_ids_are_no_longer_set_when_exporting_authorization_settings_for_a_client">IDs are no longer set when exporting authorization settings for a client</h3> <div class="paragraph"> <p>When exporting the authorization settings for a client, the IDs for resources, scopes, and policies are no longer set. As a result, you can now import the settings from a client to another client.</p> </div> </div> <div class="sect2"> <h3 id="_management_port_for_metrics_and_health_endpoints">Management port for metrics and health endpoints</h3> <div class="paragraph"> <p>Metrics and health checks endpoints are no longer accessible through the standard Keycloak server port. As these endpoints should be hidden from the outside world, they can be accessed on a separate default management port <code>9000</code>.</p> </div> <div class="paragraph"> <p>It allows to not expose it to the users as standard Keycloak endpoints in Kubernetes environments. The new management interface provides a new set of options and is fully configurable.</p> </div> <div class="paragraph"> <p>Keycloak Operator assumes the management interface is turned on by default. For more details, see <a href="https://www.keycloak.org/server/management-interface">Configuring the Management Interface</a>.</p> </div> </div> <div class="sect2"> <h3 id="_syslog_for_remote_logging">Syslog for remote logging</h3> <div class="paragraph"> <p>Keycloak now supports <a href="https://en.wikipedia.org/wiki/Syslog">Syslog</a> protocol for remote logging. It utilizes the protocol defined in <a href="https://datatracker.ietf.org/doc/html/rfc5424">RFC 5424</a>. 
By default, the syslog handler is disabled, but when enabled, it sends all log events to a remote syslog server.</p> </div> <div class="paragraph"> <p>For more information, see the <a href="https://www.keycloak.org/server/logging">Configuring logging</a> guide.</p> </div> </div> <div class="sect2"> <h3 id="_change_to_class_environmentdependentproviderfactory">Change to class <code>EnvironmentDependentProviderFactory</code></h3> <div class="paragraph"> <p>The method <code>EnvironmentDependentProviderFactory.isSupported()</code> was deprecated for several releases and has now been removed.</p> </div> <div class="paragraph"> <p>For more details, see the <a href="https://www.keycloak.org/docs/25.0.0/upgrading/">Upgrading Guide</a>.</p> </div> </div> <div class="sect2"> <h3 id="_all_cache_options_are_runtime">All <code>cache</code> options are runtime</h3> <div class="paragraph"> <p>It is now possible to specify the <code>cache</code>, <code>cache-stack</code>, and <code>cache-config-file</code> options during runtime. 
This eliminates the need to execute the build phase and rebuild your image due to them.</p> </div> <div class="paragraph"> <p>For more details, see the <a href="https://www.keycloak.org/docs/25.0.0/upgrading/">Upgrading Guide</a>.</p> </div> </div> <div class="sect2"> <h3 id="_high_availability_guide_enhanced">High availability guide enhanced</h3> <div class="paragraph"> <p>The high availability guide now contains a guide on how to configure an AWS Lambda to prevent an intended automatic failback from the Backup site to the Primary site.</p> </div> </div> <div class="sect2"> <h3 id="_removing_deprecated_methods_from_accesstoken_idtoken_and_jsonwebtoken_classes">Removing deprecated methods from <code>AccessToken</code>, <code>IDToken</code>, and <code>JsonWebToken</code> classes</h3> <div class="paragraph"> <p>In this release, we are finally removing deprecated methods from the following classes:</p> </div> <div class="ulist"> <ul> <li> <p><code>AccessToken</code></p> </li> <li> <p><code>IDToken</code></p> </li> <li> <p><code>JsonWebToken</code></p> </li> </ul> </div> <div class="paragraph"> <p>For more details, see the <a href="https://www.keycloak.org/docs/25.0.0/upgrading/">Upgrading Guide</a>.</p> </div> </div> <div class="sect2"> <h3 id="_method_getexp_added_to_singleuseobjectkeymodel">Method <code>getExp</code> added to <code>SingleUseObjectKeyModel</code></h3> <div class="paragraph"> <p>As a consequence of the removal of deprecated methods from <code>AccessToken</code>, <code>IDToken</code>, and <code>JsonWebToken</code>, the <code>SingleUseObjectKeyModel</code> also changed to keep consistency with the method names related to expiration values.</p> </div> <div class="paragraph"> <p>For more details, see the <a href="https://www.keycloak.org/docs/25.0.0/upgrading/">Upgrading Guide</a>.</p> </div> </div> <div class="sect2"> <h3 id="_support_for_postgresql_16">Support for PostgreSQL 16</h3> <div class="paragraph"> <p>The supported and tested databases now 
include PostgreSQL 16.</p> </div> </div> <div class="sect2"> <h3 id="_introducing_support_for_customer_identity_and_access_management_ciam_and_multi_tenancy">Introducing support for Customer Identity and Access Management (CIAM) and Multi-tenancy</h3> <div class="paragraph"> <p>In this release, we are delivering Keycloak Organizations as a technology preview feature.</p> </div> <div class="paragraph"> <p>This feature provides a realm with some core CIAM capabilities, which will serve as the baseline for more capabilities in the future to address Business-to-Business (B2B) and Business-to-Business-to-Customers (B2B2C) use cases.</p> </div> <div class="paragraph"> <p>In terms of functionality, the feature is completed. However, we still have work to do to make it fully supported in the next major release. This remaining work is mainly about preparing the feature for production deployments with a focus on scalability. Also, depending on the feedback we get until the next major release, we might eventually accept additional capabilities and add more value to the feature, without compromising its roadmap.</p> </div> <div class="paragraph"> <p>For more details, see <a href="https://www.keycloak.org/docs/25.0.0/server_admin/#_managing_organizations_">Server Administration Guide</a>.</p> </div> </div> <h2>Upgrading</h2> <p>Before upgrading refer to <a href="file:/home/runner/work/keycloak-rel/keycloak-rel/target/web/docs/latest/upgrading/index.html#migration-changes">the migration guide</a> for a complete list of changes.</p> <h2>All resolved issues</h2> <h3>New features</h3> <ul> <li><a href="https://github.com/keycloak/keycloak/issues/25940">#&#8203;25940</a> Support Credentials Issuance through the OID4VCI Protocol <code>oid4vc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/25942">#&#8203;25942</a> Issue Verifiable Credentials in the SD-JWT-VC format <code>oid4vc</code></li> <li><a
href="https://github.com/keycloak/keycloak/issues/25943">#&#8203;25943</a> Issue Verifiable Credentials in the VCDM format <code>oid4vc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/25945">#&#8203;25945</a> Extend Account Console to support Credentials Issuance Self-Service <code>account/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/26201">#&#8203;26201</a> Introduce a new Authenticator to handle duplicate IdP broker links <code>authentication</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/27673">#&#8203;27673</a> Hardcoded SAML metadata URL in admin-v2 <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/27728">#&#8203;27728</a> Reflect new hostname v2 options in Keycloak CR <code>operator</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/27729">#&#8203;27729</a> Add documentation for Hostname v2 <code>docs</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/27730">#&#8203;27730</a> Release notes and Migration guide for Hostname v2 <code>docs</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/28030">#&#8203;28030</a> Create Argon2 password hashing provider </li> <li><a href="https://github.com/keycloak/keycloak/issues/28400">#&#8203;28400</a> Make RequiredActions configurable </li> <li><a href="https://github.com/keycloak/keycloak/issues/28608">#&#8203;28608</a> Allow onboarding organization members through a registration invitation link </li> <li><a href="https://github.com/keycloak/keycloak/issues/28750">#&#8203;28750</a> CLI options to disable encryption and authentication to external Infinispan <code>dist/quarkus</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/28938">#&#8203;28938</a> Need inline translation assistance for user profile attribute groups. 
</li> <li><a href="https://github.com/keycloak/keycloak/issues/29491">#&#8203;29491</a> Remove Oracle JDBC driver out of the box <code>docs</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/29539">#&#8203;29539</a> Add CRUD for organizations to admin client </li> <li><a href="https://github.com/keycloak/keycloak/issues/29627">#&#8203;29627</a> Expose Authorization Server Metadata Endpoint under /.well-known/oauth-authorization-server to comply with rfc8414 <code>oid4vc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/29634">#&#8203;29634</a> Expose JWT VC Issuer Metadata /.well-known/jwt-vc-issuer to comply with SD-JWT VC Specification <code>oid4vc</code></li> </ul> <h3>Enhancements</h3> <ul> <li><a href="https://github.com/keycloak/keycloak/issues/11757">#&#8203;11757</a> Declarative User Profile: local-date validation and html5-date clash <code>user-profile</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/13113">#&#8203;13113</a> Conditionally enable and disable CLI options <code>dist/quarkus</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/16295">#&#8203;16295</a> JsonSerialization does not load all available modules from the classpath </li> <li><a href="https://github.com/keycloak/keycloak/issues/17530">#&#8203;17530</a> Add Portuguese translations </li> <li><a href="https://github.com/keycloak/keycloak/issues/19334">#&#8203;19334</a> Support management port for health and metrics in Quarkus 3 <code>dist/quarkus</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/20736">#&#8203;20736</a> uma-ticket returns 403 even though user has access, when User Realm Role isn't present in access Token <code>authorization-services</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/20792">#&#8203;20792</a> Make it clear that `Client Offline Token Max` should not be set when `Offline Session Max Limited` is disabled for realm <code>admin/ui</code></li> <li><a 
href="https://github.com/keycloak/keycloak/issues/20916">#&#8203;20916</a> DefaultHttpClientFactory should handle the encoding of the response <code>core</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/21185">#&#8203;21185</a> Protocol mapper and client scope for sub claim </li> <li><a href="https://github.com/keycloak/keycloak/issues/21344">#&#8203;21344</a> Upgrade account theme to PatternFly 5 <code>account/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/21345">#&#8203;21345</a> Upgrade admin theme to PatternFly 5 <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/21439">#&#8203;21439</a> Allow options to support any value in addition to a list of pre-defined values. <code>dist/quarkus</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/21562">#&#8203;21562</a> Make sure admin events are not referencing sensitive data from their representation <code>admin/api</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/21961">#&#8203;21961</a> Allow to provider password to kcadm (keycloak-admin-cli) via environment variable <code>admin/cli</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/22436">#&#8203;22436</a> Query users by 'LDAP_ID' is not working <code>ldap</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/22711">#&#8203;22711</a> Enable theme caches by default in start-dev <code>dist/quarkus</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/24192">#&#8203;24192</a> Refine how ConfigSource names are being used <code>dist/quarkus</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/24264">#&#8203;24264</a> Passkeys: Supporting WebAuthn Conditional UI <code>authentication/webauthn</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/24466">#&#8203;24466</a> Look if checks in IntrospectionEndpoint can be simplified <code>oidc</code></li> <li><a 
href="https://github.com/keycloak/keycloak/issues/25057">#&#8203;25057</a> Inconsistent behaviour on getting user permissions using authorization <code>authorization-services</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/25114">#&#8203;25114</a> User Profile "Input placeholder" and other annotations - Use Localization keys <code>user-profile</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/26162">#&#8203;26162</a> Optimize query batching and result fetching by tuning Hibernate parameters </li> <li><a href="https://github.com/keycloak/keycloak/issues/26443">#&#8203;26443</a> Show an error message when file does not exist for the `config-file` parameter <code>dist/quarkus</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/26504">#&#8203;26504</a> Localization Proposal 2 <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/26654">#&#8203;26654</a> Initial client policies integration for SAML <code>saml</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/26657">#&#8203;26657</a> Map Storage Removal: Remove deprecated model/legacy module <code>storage</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/26695">#&#8203;26695</a> Keycloak and MSAD: enabling account in MSAD does not propagate to Keycloak <code>ldap</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/26713">#&#8203;26713</a> Refactoring JavaScript code of WebAuthn's authenticators to follow the current Keycloak's JavaScript coding convention <code>authentication/webauthn</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/27264">#&#8203;27264</a> Trivy Analysis warnings should be fixed </li> <li><a href="https://github.com/keycloak/keycloak/issues/27433">#&#8203;27433</a> Clarify format of keys in `additionalOptions` field in the Keycloak CR <code>docs</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/27442">#&#8203;27442</a> Use 
browser router for Account Console <code>account/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/27481">#&#8203;27481</a> Edit High Availability guide </li> <li><a href="https://github.com/keycloak/keycloak/issues/27484">#&#8203;27484</a> Edit 23.0 changes part of Upgrading Guide </li> <li><a href="https://github.com/keycloak/keycloak/issues/27494">#&#8203;27494</a> Use JDK17 functionality in the KC Operator <code>operator</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/27508">#&#8203;27508</a> Use new remote-store options in HA guides </li> <li><a href="https://github.com/keycloak/keycloak/issues/27509">#&#8203;27509</a> Upgrade to Aurora Postgres 15.5 </li> <li><a href="https://github.com/keycloak/keycloak/issues/27515">#&#8203;27515</a> `ClusterProvider` should no longer be deprecated now that "legacy" is the default </li> <li><a href="https://github.com/keycloak/keycloak/issues/27527">#&#8203;27527</a> CS and SK localized messages need an update </li> <li><a href="https://github.com/keycloak/keycloak/issues/27544">#&#8203;27544</a> Expose quarkus syslog logging now GELF is being deprecated from Keycloak <code>dist/quarkus</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/27545">#&#8203;27545</a> Simplify handling of profile features in test cases </li> <li><a href="https://github.com/keycloak/keycloak/issues/27549">#&#8203;27549</a> Make general `cache` options runtime <code>dist/quarkus</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/27574">#&#8203;27574</a> Support for script providers when running in embedded mode <code>testsuite</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/27602">#&#8203;27602</a> Remove offline session preloading </li> <li><a href="https://github.com/keycloak/keycloak/issues/27614">#&#8203;27614</a> Remove additional handlers for health and metrics endpoints <code>dist/quarkus</code></li> <li><a 
href="https://github.com/keycloak/keycloak/issues/27632">#&#8203;27632</a> Integrate downstream Upgrading Guide changes into upstream </li> <li><a href="https://github.com/keycloak/keycloak/issues/27696">#&#8203;27696</a> Upgrade to Quarkus 3.8.2 <code>dist/quarkus</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/27724">#&#8203;27724</a> Enable Infinispan metrics by default </li> <li><a href="https://github.com/keycloak/keycloak/issues/27787">#&#8203;27787</a> Missing API documentation for /admin/realms/{realm}/groups/{group-id} </li> <li><a href="https://github.com/keycloak/keycloak/issues/27871">#&#8203;27871</a> Upgrade to Infinispan 14.0.26 <code>core</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/27924">#&#8203;27924</a> Enable http metrics once Quarkus 3.8.3 is available </li> <li><a href="https://github.com/keycloak/keycloak/issues/27953">#&#8203;27953</a> Address feedback to Keycloak Server guide <code>docs</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/27976">#&#8203;27976</a> Persist online sessions to the database </li> <li><a href="https://github.com/keycloak/keycloak/issues/27997">#&#8203;27997</a> Make the Language Selector sorted and searchable </li> <li><a href="https://github.com/keycloak/keycloak/issues/28009">#&#8203;28009</a> Address edits to the Operator Guide </li> <li><a href="https://github.com/keycloak/keycloak/issues/28033">#&#8203;28033</a> Upgrade Infinispan to 14.0.27.Final </li> <li><a href="https://github.com/keycloak/keycloak/issues/28035">#&#8203;28035</a> update for messages_de.properties required <code>translations</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/28084">#&#8203;28084</a> Upgrade to Quarkus 3.8.3 <code>dist/quarkus</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/28120">#&#8203;28120</a> Default password hashing algorithm should be set to default password hash provider </li> <li><a 
href="https://github.com/keycloak/keycloak/issues/28142">#&#8203;28142</a> Update HA Guide now that non-XA mode is the default </li> <li><a href="https://github.com/keycloak/keycloak/issues/28145">#&#8203;28145</a> Align help output for Quarkus distribution across Windows and Linux <code>dist/quarkus</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/28161">#&#8203;28161</a> Use Argon2 password hashing by default </li> <li><a href="https://github.com/keycloak/keycloak/issues/28178">#&#8203;28178</a> Provide histograms for http server metrics </li> <li><a href="https://github.com/keycloak/keycloak/issues/28256">#&#8203;28256</a> Prevent duplicate form submission in Create realm dialog in admin ui <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/28318">#&#8203;28318</a> Use the same new code for persistent sessions for offline sessions <code>core</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/28336">#&#8203;28336</a> Provide a dedicated way of updating Quarkus classloading indices </li> <li><a href="https://github.com/keycloak/keycloak/issues/28388">#&#8203;28388</a> Handle concurrent writes to sessions more gracefullly </li> <li><a href="https://github.com/keycloak/keycloak/issues/28429">#&#8203;28429</a> Add details to error messages, especially around refresh tokens </li> <li><a href="https://github.com/keycloak/keycloak/issues/28436">#&#8203;28436</a> When LDAP groups synchronization fails, show root cause in admin UI <code>admin/api</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/28448">#&#8203;28448</a> Avoid deprecated `jboss-modules` method usage </li> <li><a href="https://github.com/keycloak/keycloak/issues/28453">#&#8203;28453</a> More conventional looking conditional element in authentication diagram <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/28460">#&#8203;28460</a> Polishing docs for lightweight tokens 
<code>oidc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/28477">#&#8203;28477</a> The concurrency of hashing leads to increased memory usage and CPU throttling </li> <li><a href="https://github.com/keycloak/keycloak/issues/28501">#&#8203;28501</a> Batch updates to the database to avoid using too many IOPS </li> <li><a href="https://github.com/keycloak/keycloak/issues/28517">#&#8203;28517</a> Java 21 support </li> <li><a href="https://github.com/keycloak/keycloak/issues/28567">#&#8203;28567</a> Change user_id value for REFRESH_TOKEN and REFRESH_TOKEN_ERROR events <code>oidc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/28616">#&#8203;28616</a> Add ui-tab context information into the onCreate </li> <li><a href="https://github.com/keycloak/keycloak/issues/28650">#&#8203;28650</a> Improve german translations for admin ui </li> <li><a href="https://github.com/keycloak/keycloak/issues/28654">#&#8203;28654</a> Refine the warning produced when a non-cli build-time property is used at runtime <code>dist/quarkus</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/28672">#&#8203;28672</a> For client-credential-grants, there shouldn't be an interaction with the authentication cache </li> <li><a href="https://github.com/keycloak/keycloak/issues/28729">#&#8203;28729</a> Emphasize the need for setting container limit <code>docs</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/28814">#&#8203;28814</a> Add missing german translations for user federation in admin UI </li> <li><a href="https://github.com/keycloak/keycloak/issues/28848">#&#8203;28848</a> Automatically fill username when authenticating to through a broker </li> <li><a href="https://github.com/keycloak/keycloak/issues/28861">#&#8203;28861</a> Improve the performance of the PermissionTicketStore.findGrantedResources method <code>authorization-services</code></li> <li><a 
href="https://github.com/keycloak/keycloak/issues/28862">#&#8203;28862</a> Improve persistent sessions DB throughput for logins/logouts by batching </li> <li><a href="https://github.com/keycloak/keycloak/issues/28879">#&#8203;28879</a> Indicate whether a user is transient or not in user sessions list </li> <li><a href="https://github.com/keycloak/keycloak/issues/28880">#&#8203;28880</a> Upgrade to Quarkus 3.8.4 <code>dist/quarkus</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/28906">#&#8203;28906</a> ID fields in SessionWrapper should be immutable </li> <li><a href="https://github.com/keycloak/keycloak/issues/28926">#&#8203;28926</a> Store extended error message in events for client credential grants </li> <li><a href="https://github.com/keycloak/keycloak/issues/28935">#&#8203;28935</a> Ensure GroupResource.getSubGroups doesn't rely on no-arg version of GroupModel.getSubGroupsStream to avoid prematurely loading all subgroups <code>storage</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/28939">#&#8203;28939</a> OIDC: Backchannel logout token should use "typ":"logout+jwt" <code>oidc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/28974">#&#8203;28974</a> Replace tooltip for adding a translation to an attribute with a text underneath `Display name` </li> <li><a href="https://github.com/keycloak/keycloak/issues/29023">#&#8203;29023</a> Support adding existing users to an organization </li> <li><a href="https://github.com/keycloak/keycloak/issues/29068">#&#8203;29068</a> Infinispan 15.0.3.Final </li> <li><a href="https://github.com/keycloak/keycloak/issues/29073">#&#8203;29073</a> Use cache.compute() method to improve the replace retry loop </li> <li><a href="https://github.com/keycloak/keycloak/issues/29118">#&#8203;29118</a> Conditionally run Quarkus IT in GHA based on code changes <code>testsuite</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/29124">#&#8203;29124</a> Use Java locale 
translations instead of manually edited translations <code>translations</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/29166">#&#8203;29166</a> Improve details for user error events in OIDC protocol endpoints <code>oidc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/29183">#&#8203;29183</a> Minor corrections to High Availability Guide <code>docs</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/29203">#&#8203;29203</a> Revisit SessionsResource#realmSessions as it currently loads all sessions into memory </li> <li><a href="https://github.com/keycloak/keycloak/issues/29223">#&#8203;29223</a> Complete transition away from Resteasy core </li> <li><a href="https://github.com/keycloak/keycloak/issues/29280">#&#8203;29280</a> Update Create Realm in Keycloak 24 Getting Started </li> <li><a href="https://github.com/keycloak/keycloak/issues/29319">#&#8203;29319</a> Don't sort persistent sessions when retrieving a list </li> <li><a href="https://github.com/keycloak/keycloak/issues/29348">#&#8203;29348</a> Set default role mapping filter in the role mapping modal </li> <li><a href="https://github.com/keycloak/keycloak/issues/29375">#&#8203;29375</a> Allow migration of non-persistent sessions to persistent sessions </li> <li><a href="https://github.com/keycloak/keycloak/issues/29392">#&#8203;29392</a> Avoid conflicts when writing make store keys </li> <li><a href="https://github.com/keycloak/keycloak/issues/29431">#&#8203;29431</a> Make sure organization groups can not be managed but when managing an organization </li> <li><a href="https://github.com/keycloak/keycloak/issues/29460">#&#8203;29460</a> Email validation for managed members should only fail if it does not match the domain set to a broker </li> <li><a href="https://github.com/keycloak/keycloak/issues/29489">#&#8203;29489</a> Describe how to enable and disable persistent sessions for an installation <code>docs</code></li> <li><a 
href="https://github.com/keycloak/keycloak/issues/29561">#&#8203;29561</a> Revisit rolling configuration upgrades for persistent-sessions feature </li> <li><a href="https://github.com/keycloak/keycloak/issues/29639">#&#8203;29639</a> Enhance documentation for REST API for X.509 Direct Grant Flow usage <code>authentication</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/29724">#&#8203;29724</a> VC issuance in Authz Code flow without considering “scope” parameter </li> <li><a href="https://github.com/keycloak/keycloak/issues/29743">#&#8203;29743</a> Infinispan 15.0.4.Final </li> <li><a href="https://github.com/keycloak/keycloak/issues/29750">#&#8203;29750</a> Require external Infinispan be of version 15 or greater </li> <li><a href="https://github.com/keycloak/keycloak/issues/29778">#&#8203;29778</a> Upgrade Selenium and Arquillian dependencies in testsuite <code>testsuite</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/29780">#&#8203;29780</a> Unify approach for WebAuthn tests <code>testsuite</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/29787">#&#8203;29787</a> Document Failover Lambda for Active/Passive deployments </li> <li><a href="https://github.com/keycloak/keycloak/issues/29794">#&#8203;29794</a> Show a message when confirming an invitation link </li> <li><a href="https://github.com/keycloak/keycloak/issues/29813">#&#8203;29813</a> Snyk report to identify branches impacted by a CVE <code>ci</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/29818">#&#8203;29818</a> Avoid explicit flush when handling persistent sessions </li> <li><a href="https://github.com/keycloak/keycloak/issues/29880">#&#8203;29880</a> Improve documentation for the case when 'basic' client scope already exists <code>storage</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/29883">#&#8203;29883</a> Upgrade old Keycloak version for DB migration tests <code>testsuite</code></li> <li><a 
href="https://github.com/keycloak/keycloak/issues/29919">#&#8203;29919</a> Avoid IntelliJ to automatically create start imports </li> <li><a href="https://github.com/keycloak/keycloak/issues/30017">#&#8203;30017</a> Improve Client Type Integration Tests <code>oidc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30026">#&#8203;30026</a> Conditionally execute WebAuthn tests when Account console UI is changed <code>testsuite</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30052">#&#8203;30052</a> Add periodic synchronisation for Weblate contents </li> <li><a href="https://github.com/keycloak/keycloak/issues/30104">#&#8203;30104</a> Release notes for support application/jwt response in token introspection endpoint <code>docs</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30160">#&#8203;30160</a> Upgrade to Quarkus 3.8.5 <code>dist/quarkus</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30241">#&#8203;30241</a> Adding ability to get realm attributes in themes </li> </ul> <h3>Bugs</h3> <ul> <li><a href="https://github.com/keycloak/keycloak/issues/8887">#&#8203;8887</a> Information not displayed when a logged in user reset his password <code>authentication</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/9695">#&#8203;9695</a> Add `id_token_signed_response_alg` when realm default algorithm is not `RS256` <code>oidc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/12298">#&#8203;12298</a> Security bug: Timing Oracle @&#8203; Authorization Grant Request , CWE 208 <code>authentication</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/12326">#&#8203;12326</a> AccessTokens generated from RefreshTokens without scope <code>oidc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/12585">#&#8203;12585</a> False implementation of SAML element EncryptionMethod <code>saml</code></li> <li><a 
href="https://github.com/keycloak/keycloak/issues/12671">#&#8203;12671</a> Slow user query by attribute <code>storage</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/13045">#&#8203;13045</a> Duplicated user consents <code>storage</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/14084">#&#8203;14084</a> DefaultBruteForceProtector leverages a single thread to write success/failed events <code>authentication</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/14122">#&#8203;14122</a> Refresh token rotation with multiple tabs <code>oidc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/14188">#&#8203;14188</a> "1403 Killed" after starting a fresh build <code>docs</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/14501">#&#8203;14501</a> Getting failed to initialize js message if consent is rejected by user <code>account/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/15403">#&#8203;15403</a> No email send on TOTP/Authenticator app removal <code>core</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/16064">#&#8203;16064</a> RS256 signed token validation fails <code>oidc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/16345">#&#8203;16345</a> Unable to delete realm names with invalid URL characters <code>admin/api</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/16520">#&#8203;16520</a> AuthzClient getPermissions() deserializes to List&lt;LinkedHashSet&gt; and not List&lt;Permission&gt; <code>authorization-services</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/16873">#&#8203;16873</a> Required actions execution order (session and user required actions) <code>authentication</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/16948">#&#8203;16948</a> search users by custom attributes <code>admin/client-js</code></li> <li><a 
href="https://github.com/keycloak/keycloak/issues/17154">#&#8203;17154</a> User locale in server info has language and country switched around <code>admin/api</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/17483">#&#8203;17483</a> MultiVersionClusterTest not working for Quarkus based distribution <code>storage</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/17678">#&#8203;17678</a> Stop using nested components <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/19671">#&#8203;19671</a> Refresh token have a negative exp claim because TokenManager is vulnerable to integer overflow for long lasting sessions (YEAR 2038 bug) <code>oidc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/19853">#&#8203;19853</a> CRL Verification failing due to client certificate not being in a chain <code>authentication</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/20411">#&#8203;20411</a> Entering a single space in a regex password policy makes admin interface unusable. 
<code>core</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/20490">#&#8203;20490</a> SAML IDP initiated SSO getting cookie_not_found error <code>saml</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/20637">#&#8203;20637</a> Reset password flow fails with "Page has expired" error when Kerberos authentication is enabled in the browser flow <code>authentication</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/20747">#&#8203;20747</a> Keycloak admin cli creating/updating authentication executions not respecting the priority value specified <code>admin/api</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/21422">#&#8203;21422</a> Flaky test: org.keycloak.testsuite.forms.ResetPasswordTest#resetPasswordLink <code>ci</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/22617">#&#8203;22617</a> kc export fails when using User Federation (LDAP) with file-based Vault enabled <code>import-export</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/22644">#&#8203;22644</a> Flaky test: org.keycloak.testsuite.forms.BrowserFlowTest#testAlternativeNonInteractiveExecutorInSubflow <code>core</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/23252">#&#8203;23252</a> Invalid redirect after logging in using Twitter (X) <code>testsuite</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/23528">#&#8203;23528</a> NullPointerException in SAML IdP Logout request with SessionIndex and without NameID <code>identity-brokering</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/23701">#&#8203;23701</a> Attribute search does not work with federated users with ldap. 
<code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/23832">#&#8203;23832</a> New admin console doesn't support automatic logout <code>account/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/23833">#&#8203;23833</a> Account console v2 doesn't support automatic logout <code>account/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/23900">#&#8203;23900</a> Duplicate path in groups claim <code>oidc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/23980">#&#8203;23980</a> Keycloak Operator fails to install realm authentication flow because "flow is null" <code>import-export</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/24201">#&#8203;24201</a> Cannot disable LDAP-backed user if importEnabled=false <code>ldap</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/24414">#&#8203;24414</a> Container labels inherited from UBI image <code>dist/quarkus</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/24462">#&#8203;24462</a> Remove non-unique `id` attributes from `webauthn-authenticate.ftl` <code>login/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/24568">#&#8203;24568</a> iframe for frontend logout gets blocked if a custom CSP header is used <code>core</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/24571">#&#8203;24571</a> Parallel builds stopped working <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/24795">#&#8203;24795</a> Not proper remove for nested sub-flows from DB <code>core</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/24878">#&#8203;24878</a> NoClassDefFoundError for Apache XML and EAP8 <code>adapter/jee-saml</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/24936">#&#8203;24936</a> Negative token expiration when changing client session max lifetime <code>oidc</code></li> <li><a 
href="https://github.com/keycloak/keycloak/issues/25038">#&#8203;25038</a> ServerRequestFilter / ServerResponseFilter not being picked up <code>extensions</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/25219">#&#8203;25219</a> Restrict the access to 'whoami' endpoint for tokens issued for the admin console client <code>admin/api</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/25490">#&#8203;25490</a> Partial export/import is not mentioned in Keycloak's Server Administration Guide <code>docs</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/25514">#&#8203;25514</a> Errors in Outgoing HTTP requests documentation <code>docs</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/25687">#&#8203;25687</a> A java.lang.NullPointerException occurs when sending a Multipart/form-data request to any file upload interface. <code>admin/api</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/25778">#&#8203;25778</a> Incorrect JSON format returned in case of existing user (with user federation) <code>admin/api</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/25807">#&#8203;25807</a> Space in realm name breaks initial console uris <code>admin/api</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/25815">#&#8203;25815</a> Losing refresh token with Google Identity Provider <code>identity-brokering</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/25975">#&#8203;25975</a> Failing to import client's authorisation settings through UI <code>authorization-services</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/25993">#&#8203;25993</a> PostgreSQL deadlock causes 400 client error instead of 500 server error <code>storage</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/26019">#&#8203;26019</a> Identity provider sync mode: incorrect selection in case of null <code>admin/ui</code></li> <li><a 
href="https://github.com/keycloak/keycloak/issues/26100">#&#8203;26100</a> Device verification flow does not require consent under certain circumstances <code>oidc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/26108">#&#8203;26108</a> Realm improper input sanitization <code>core</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/26109">#&#8203;26109</a> Improper Input Validation and Sanitization Leads to persistent partial Denial of Service <code>admin/api</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/26113">#&#8203;26113</a> Revoked Token may be valid for a short time after expiring <code>oidc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/26364">#&#8203;26364</a> Duplicate emails is On when Email as username and Login with email are On <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/26396">#&#8203;26396</a> How do you update a custom user storage provider jar that includes a version number? <code>dist/quarkus</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/26438">#&#8203;26438</a> Keycloak cannot run on windows machine in dev-mode. Because non-English systems cannot support keycloak's package's. 
<code>dist/quarkus</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/26439">#&#8203;26439</a> Incorrect position of nonce in OCSP request <code>authentication</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/26464">#&#8203;26464</a> "Test connection" on LDAPS URI does not test TLS handshake <code>admin/api</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/26515">#&#8203;26515</a> Wrong rendering duplicated options in guides <code>docs</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/26658">#&#8203;26658</a> `LogoutEvent` is not fired on required UpdatePassword action <code>core</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/26667">#&#8203;26667</a> Can't access hidden tabs on the left in admin UI <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/26868">#&#8203;26868</a> Login via brokerage to identity provider fails with clients having UUID with uppercase letter <code>identity-brokering</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/26893">#&#8203;26893</a> Access tokens includes nonce claim <code>oidc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/26915">#&#8203;26915</a> Deleting sub-realm roles throw errors (even tho it succeeded) <code>authorization-services</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/26981">#&#8203;26981</a> Workflow failure Quarkus IT - StartCommandDistTest#testWarningWhenOverridingBuildOptionsDuringStart <code>ci</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/27021">#&#8203;27021</a> Workflow failure: Fuse adapter tests <code>ci</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/27080">#&#8203;27080</a> Workflow failure: Operator CI - KeycloakTruststoresTests#testTrustroreExists <code>ci</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/27180">#&#8203;27180</a> Grant type 
"urn:ietf:params:oauth:grant-type:uma-ticket" openid-connect/token service endpoint is returning refresh token with invalid Expiration <code>authorization-services</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/27184">#&#8203;27184</a> Editing built-in client policy profiles are silently reverted <code>oidc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/27201">#&#8203;27201</a> Missing `exp` claim from Offline tokens when `Offline Session Max Limited` is disabled <code>core</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/27228">#&#8203;27228</a> Lowercased "terms_and_conditions" is not migrated in fed_user_required_action table <code>core</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/27245">#&#8203;27245</a> Account console does not correctly treat link / unlink account <code>account/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/27269">#&#8203;27269</a> mvnw clean install -Pdistribution on Windows deletes necessary files during clean of org.keycloak:keycloak-admin-ui <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/27275">#&#8203;27275</a> Invalidating offline token is not working from client sessions tab <code>authentication</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/27308">#&#8203;27308</a> Warnings in log during normal startup <code>dist/quarkus</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/27349">#&#8203;27349</a> Google Authenticator now supports SHA256 and SHA512 <code>authentication</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/27366">#&#8203;27366</a> Social login - test failures with unexpected status code <code>testsuite</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/27391">#&#8203;27391</a> Log warning when not using scope `openid` <code>oidc</code></li> <li><a 
href="https://github.com/keycloak/keycloak/issues/27416">#&#8203;27416</a> Missing feature ID for tech preview feature in docs <code>docs</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/27444">#&#8203;27444</a> type of clients.findRole() in @&#8203;keycloak/keycloak-admin-client is wrong <code>admin/client-js</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/27483">#&#8203;27483</a> Authz-client AuthorizationResource.getPermissions() ClassCastException <code>authorization-services</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/27499">#&#8203;27499</a> LdapSyncTest failures running with external Active Directory <code>testsuite</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/27504">#&#8203;27504</a> Cpu and memory sizing typo <code>docs</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/27506">#&#8203;27506</a> Readable realm name no longer visible in logs, but realm id is used instead <code>core</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/27512">#&#8203;27512</a> Getting subgroups does pagination before filtering <code>core</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/27514">#&#8203;27514</a> Uncaught server error: java.lang.IllegalArgumentException: Path parameter not provided <code>oidc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/27529">#&#8203;27529</a> LegacyUserCredentialManager class not found <code>storage</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/27538">#&#8203;27538</a> User tab "Identity Provider Links" is not available when only "view-users" or "manage-users" realm-management role is assigned as in the v1 Keycloak theme <code>account/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/27540">#&#8203;27540</a> URL change for liquibase docs <code>docs</code></li> <li><a 
href="https://github.com/keycloak/keycloak/issues/27548">#&#8203;27548</a> Custom Browser Flow not working anymore <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/27558">#&#8203;27558</a> Client registration policy "Allowed Protocol Mapper Types" prevents clients from self-updating via the client registration api <code>admin/api</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/27565">#&#8203;27565</a> Admin Console tests are failing due to changes in supported authenticators <code>testsuite</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/27573">#&#8203;27573</a> Release notes from 24.0.0 miss that multi-site active-passive deployments are supported <code>docs</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/27597">#&#8203;27597</a> dropping KC_PROXY=edge causes startup error <code>core</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/27604">#&#8203;27604</a> Account console dev environment broken <code>account/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/27609">#&#8203;27609</a> Mixed use of javax and jakarta in org.keycloak.admin.client <code>adapter/jee</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/27611">#&#8203;27611</a> Cannot modify realm email settings since keycloak 24 <code>user-profile</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/27620">#&#8203;27620</a> Incomplete documentation when an email about changed credentials is sent <code>docs</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/27622">#&#8203;27622</a> In the account console, the link "Back to security-admin-console" disappears after the first navigation <code>account/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/27628">#&#8203;27628</a> Only allow a known referrer URI for the Account Console <code>account/ui</code></li> <li><a 
href="https://github.com/keycloak/keycloak/issues/27643">#&#8203;27643</a> Password policy for not having username in the password <code>authentication</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/27646">#&#8203;27646</a> Account Console REST API for /linked-accounts Returns Multiple Access-Control-Allow-Origin Headers <code>account/api</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/27653">#&#8203;27653</a> Admin tests: Flaky realm_settings_user_profile_enabled test <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/27683">#&#8203;27683</a> Quarkus-next build failure: Could not find artifact io.quarkus:quarkus-extension-maven-plugin <code>ci</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/27691">#&#8203;27691</a> Unable to set a newly created flow in First Login Flow override for a SAML identity provider <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/27701">#&#8203;27701</a> MTLS Cache options should be runtime options, not build time options <code>dist/quarkus</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/27709">#&#8203;27709</a> Account console does not work with `--http-relative-path` <code>account/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/27719">#&#8203;27719</a> Wrong Welcome page image in the documentation <code>docs</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/27745">#&#8203;27745</a> Registration template in login2 is broken <code>login/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/27756">#&#8203;27756</a> SMTP email sending fails because of tls certificate verification even with tls-hostname-verifier=ANY <code>core</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/27761">#&#8203;27761</a> Snyk workflow failure <code>ci</code></li> <li><a 
href="https://github.com/keycloak/keycloak/issues/27779">#&#8203;27779</a> Broken Migration "MigrateTo24_0_0" <code>core</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/27780">#&#8203;27780</a> Fixing downstream documentation build <code>docs</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/27797">#&#8203;27797</a> User profile fields cannot be set empty once they have a non-empty value (in Login Theme) <code>user-profile</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/27798">#&#8203;27798</a> Performance problem with Amazon JDBC wrapper version 2.3.4 </li> <li><a href="https://github.com/keycloak/keycloak/issues/27820">#&#8203;27820</a> Account console confusing with WebAuthn <code>account/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/27824">#&#8203;27824</a> Can't register webauthn passwordless key when RS1 signature algorithm is configured in policies <code>authentication/webauthn</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/27837">#&#8203;27837</a> Translation values not loaded for User Profile attributes <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/27838">#&#8203;27838</a> User Profile translations - value put in wrong field after search <code>user-profile</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/27839">#&#8203;27839</a> Incorrect Length Validation for Attribute <code>admin/cli</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/27840">#&#8203;27840</a> Race condition loading serverinfo in admin console <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/27841">#&#8203;27841</a> ES translation causes FreeMarker rendering issues <code>translations</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/27846">#&#8203;27846</a> Authenticator Example module compilation failure <code>authentication</code></li> <li><a 
href="https://github.com/keycloak/keycloak/issues/27852">#&#8203;27852</a> VerifyUserProfile invalidates user cache on every login <code>core</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/27854">#&#8203;27854</a> Required action selection is broken <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/27868">#&#8203;27868</a> Documentation is referring to deprecated/unmaintained examples <code>docs</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/27875">#&#8203;27875</a> SAMLIdentityProvider not honoring SamlAuthenticationPreprocessor <code>saml</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/27877">#&#8203;27877</a> Get Groups in admin/cli returns all groups and not the groups that meets the condition specified in -q option <code>admin/cli</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/27878">#&#8203;27878</a> Error when executing refresh grant, with scope param, without offline_access scope specified <code>oidc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/27882">#&#8203;27882</a> Incorrect version of bctls-fips in the docs <code>docs</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/27890">#&#8203;27890</a> Webauthn token stops working on migration to 24 <code>authentication/webauthn</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/27892">#&#8203;27892</a> Truststore handling for the Operator is not documented <code>operator</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/27894">#&#8203;27894</a> Multi datasource configuration does not work in Keycloak 24.0.1 <code>dist/quarkus</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/27900">#&#8203;27900</a> Performance impact in changed hashing measured wrong <code>authentication</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/27917">#&#8203;27917</a> User search field loses focus 
after first input in realms with user federation <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/27925">#&#8203;27925</a> Keycloak docs state that there are http metrics, but they are disabled <code>docs</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/27941">#&#8203;27941</a> Entry 999.0.0 in MIGRATION_MODEL prevents future migrations of the database <code>core</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/27944">#&#8203;27944</a> Admin tests: Failing realm_settings_events_test test <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/27954">#&#8203;27954</a> Hibernate Dialect detection does not work anymore for Oracle DBs <code>storage</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/27962">#&#8203;27962</a> message of groups is wrong in messages_ja.properties <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/27965">#&#8203;27965</a> Groups help message is only "Groups" <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/27966">#&#8203;27966</a> 🍺 instead of dot: Attributes in account UI are not loaded <code>user-profile</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/27967">#&#8203;27967</a> ORA-01450 when updating keycloak 23 -> 24 <code>storage</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/27981">#&#8203;27981</a> User Profile: Inconsistent ordering of attributes between account and login themes <code>user-profile</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/27984">#&#8203;27984</a> Username LDAP attribute other than uid is difficult <code>ldap</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/28001">#&#8203;28001</a> MySQL connector artifact should be ignored <code>dist/quarkus</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/28004">#&#8203;28004</a> JWK key 
ignored due to missing required field 'use' despite matching KID <code>oidc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/28012">#&#8203;28012</a> Keycloak CR Truststore should not have a name <code>operator</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/28016">#&#8203;28016</a> User Profile attribute translation saves wrong key to realm overrides <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/28069">#&#8203;28069</a> Token setting missing <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/28079">#&#8203;28079</a> Group search does not work in user view <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/28080">#&#8203;28080</a> Paging issue in groups via user view <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/28090">#&#8203;28090</a> kc.sh may leak credentials <code>core</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/28100">#&#8203;28100</a> Failed authentication: java.lang.NullPointerException: Cannot invoke "org.keycloak.models.UserModel.getFederationLink()" because "this.delegate" is null <code>identity-brokering</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/28103">#&#8203;28103</a> Deleting translations after attribute deletion <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/28113">#&#8203;28113</a> WebAuthN registration broken after upgrading to 24.0.1 <code>authentication/webauthn</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/28143">#&#8203;28143</a> Navigation broken on local development <code>account/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/28174">#&#8203;28174</a> HA guide erroneously refers to AWS Global Accelerator <code>docs</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/28187">#&#8203;28187</a> Admin UI drag & drop 
in flow config seems to delete actions <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/28201">#&#8203;28201</a> Locale label missing on login page for Brazilian Portuguese, Greek and Persian <code>translations</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/28207">#&#8203;28207</a> JAVA_OPTS are not set under Windows <code>dist/quarkus</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/28215">#&#8203;28215</a> Inconsistent handling of product vs. community in HA guide table-of-contents <code>docs</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/28220">#&#8203;28220</a> Admin API: User PUT operation clears firstname, lastname email fields <code>admin/api</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/28231">#&#8203;28231</a> username contains invalid characters <code>user-profile</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/28248">#&#8203;28248</a> Update user makes User ID changes when federationLink and LDAP_ID is not set properly <code>admin/api</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/28284">#&#8203;28284</a> scroll bar is missing inn clients view keycloak admin GUI <code>core</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/28303">#&#8203;28303</a> WARN - Event object wasn't available in remote cache after event was received <code>infinispan</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/28330">#&#8203;28330</a> org.keycloak.documentation.test.ExternalLinksTest fails with incorrect status code reported back in the results <code>docs</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/28335">#&#8203;28335</a> The false option of the pkceMethod init parameter for the JavaScript adapter is ignored <code>adapter/javascript</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/28341">#&#8203;28341</a> 
ConditionalLoaAuthenticator documentation incorrect re: unauthenticated users. <code>authentication</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/28370">#&#8203;28370</a> PodTemplateTest assertions are ignored <code>testsuite</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/28374">#&#8203;28374</a> Syntax highlighting for log example is wrong in downsream <code>dist/quarkus</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/28377">#&#8203;28377</a> Broken lists in import/export server guide <code>docs</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/28381">#&#8203;28381</a> Password denylist Doesn't Work As Expected <code>authentication</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/28389">#&#8203;28389</a> New username-password policy check is reversed <code>user-profile</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/28409">#&#8203;28409</a> Unclosed span bracket in register.ftl <code>login/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/28416">#&#8203;28416</a> Keycloak is not returning proper error message for PUT /users admin API <code>user-profile</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/28431">#&#8203;28431</a> Dedicated client scopes always show up when searching <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/28443">#&#8203;28443</a> Declarative User Profile: The use of the "select-radiobuttons" with options validation display is broken <code>user-profile</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/28463">#&#8203;28463</a> Error in refresh flow with scope parameter <code>oidc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/28465">#&#8203;28465</a> Review cookie attributes and set SameSite for all cookies </li> <li><a href="https://github.com/keycloak/keycloak/issues/28479">#&#8203;28479</a> 
Authentication flow diagram incorrect branching in some flows <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/28484">#&#8203;28484</a> inputOptionLabels is truncating text that is not wrapped for localization <code>account/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/28486">#&#8203;28486</a> Help text wrong in key provider <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/28490">#&#8203;28490</a> Missing help text for Brute Force Mode <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/28495">#&#8203;28495</a> IdP Linking: Usernames sometimes lowercase and sometimes uppercase <code>identity-brokering</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/28509">#&#8203;28509</a> Workflow failure: ManagementDistTest <code>ci</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/28514">#&#8203;28514</a> Message for searchClientRegistration is missing <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/28519">#&#8203;28519</a> Cards in IDP and User federation are not shown to be clicable <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/28523">#&#8203;28523</a> [LDAPStorageProvider] NPE if user is cached but has been deleted in ldap <code>ldap</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/28531">#&#8203;28531</a> notBefore and setToNow untranslated <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/28546">#&#8203;28546</a> LDAP provider add has 3 lines on top of screen <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/28555">#&#8203;28555</a> Collision with base testsuite dependency </li> <li><a href="https://github.com/keycloak/keycloak/issues/28564">#&#8203;28564</a> UserStorageSyncManager int overflow <code>storage</code></li> <li><a 
href="https://github.com/keycloak/keycloak/issues/28575">#&#8203;28575</a> Flaky test: org.keycloak.testsuite.admin.IdentityProviderTest#testSamlImportWithAnyEncryptionMethod <code>ci</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/28576">#&#8203;28576</a> Flaky test: org.keycloak.testsuite.admin.IdentityProviderTest#testSamlImportWithAnyEncryptionMethod <code>ci</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/28577">#&#8203;28577</a> Flaky test: org.keycloak.testsuite.admin.IdentityProviderTest#testSamlImportWithAnyEncryptionMethod <code>ci</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/28579">#&#8203;28579</a> Brute force detection fails with read-only LDAP users <code>authentication</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/28606">#&#8203;28606</a> OrganizationTest.testAttributes fails in GHA CI <code>testsuite</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/28624">#&#8203;28624</a> Incorrect user info in the head when using lightweight access token for account-console <code>account/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/28628">#&#8203;28628</a> Invalide objects comparison in Java <code>core</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/28638">#&#8203;28638</a> Missing permission to read configmaps in `keycloak-operator-role` <code>operator</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/28640">#&#8203;28640</a> Unable to see user's inherited role if user has no directly assigned roles <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/28649">#&#8203;28649</a> docker-v2 authentication fails with KC-SERVICES0097: Invalid request: java.lang.NullPointerException: Cannot invoke "org.keycloak.models.ClientModel.getClientScopes(boolean)" because "this.client" is null <code>core</code></li> <li><a 
href="https://github.com/keycloak/keycloak/issues/28666">#&#8203;28666</a> Accessing a transient (lightweight) user through client session fails in admin-api/-ui <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/28684">#&#8203;28684</a> "Extend to children" button in authorization group policies is wrongly disabled <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/28702">#&#8203;28702</a> Unable to fetch realm names when contains special characters <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/28704">#&#8203;28704</a> Remove invalid "this." from keycloak-admin-client README <code>admin/client-js</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/28725">#&#8203;28725</a> Keycloak 24.0.2 - Enlisted connection used without active transaction <code>storage</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/28744">#&#8203;28744</a> Invalid label `validatingX509Certs` in new SAML identity provider screen <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/28746">#&#8203;28746</a> Translations missing for recovery codes in KC 24 <code>account/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/28747">#&#8203;28747</a> ID is shown prematurely on Identity Provider Mapper after Save <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/28748">#&#8203;28748</a> Webauthn Policy timeout accepts values > 8 hours <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/28798">#&#8203;28798</a> `passwordPoliciesHelp.notContainsUsername` missing in admin console <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/28801">#&#8203;28801</a> NPE when listing sessions in UI if associated user is gone <code>core</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/28818">#&#8203;28818</a> Child 
groups filtering returns all groups <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/28821">#&#8203;28821</a> Failure reset time is applied to Permanent Lockout <code>authentication</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/28824">#&#8203;28824</a> Inconsistent Group Ordering in Keycloak API Responses For Client Policies Causing Drift Detection Challenges <code>admin/fine-grained-permissions</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/28825">#&#8203;28825</a> Keycloak Operator 24.x - the keycloak custom image tag is being overwritten with nightly pull <code>operator</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/28881">#&#8203;28881</a> socketTimeoutUnits and establishConnectionTimeoutUnits in HttpClientBuilder are not used <code>core</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/28896">#&#8203;28896</a> Master realm can be deleted <code>admin/api</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/28911">#&#8203;28911</a> clients_saml_test.spec.ts fails in main <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/28915">#&#8203;28915</a> Possible NPE when exporting user policy <code>authorization-services</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/28947">#&#8203;28947</a> IndexWrapper warnings when starting Keycloak <code>dist/quarkus</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/28948">#&#8203;28948</a> Auto-build shouldn't warn about unavailable runtime options <code>dist/quarkus</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/28949">#&#8203;28949</a> Conditional cache options are not evaluated correctly <code>dist/quarkus</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/28964">#&#8203;28964</a> Compilation error in latest main (conflicting PRs for oid4vc and changes for 
EnvironmentDependentFactory) <code>core</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/28968">#&#8203;28968</a> Grant urn:ietf:params:oauth:grant-type:pre-authorized_code enabled even if oid4vc_vci feature is disabled <code>oid4vc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/28979">#&#8203;28979</a> MULTIVALUED_STRING_TYPE does not show in UI if empty <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/28982">#&#8203;28982</a> Flaky test: org.keycloak.testsuite.oid4vc.issuance.signing.OID4VCIssuerEndpointTest#testGetCredentialOfferUriUnsupportedCredential <code>ci</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/28983">#&#8203;28983</a> Flaky test: org.keycloak.testsuite.oid4vc.issuance.signing.OID4VCIssuerEndpointTest#testGetCredentialOfferUriInvalidToken <code>ci</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/28984">#&#8203;28984</a> Flaky test: org.keycloak.testsuite.oid4vc.issuance.signing.OID4VCIssuerEndpointTest#testRequestCredential <code>ci</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/28985">#&#8203;28985</a> Flaky test: org.keycloak.testsuite.oid4vc.issuance.signing.OID4VCIssuerEndpointTest#testGetCredentialOfferUriUnauthorized <code>ci</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/28986">#&#8203;28986</a> Flaky test: org.keycloak.testsuite.oid4vc.issuance.signing.OID4VCIssuerEndpointTest#testGetCredentialOfferUnauthorized <code>ci</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/28987">#&#8203;28987</a> Flaky test: org.keycloak.testsuite.oid4vc.issuance.signing.OID4VCIssuerEndpointTest#testRequestCredentialInvalidToken <code>ci</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/28988">#&#8203;28988</a> Flaky test: org.keycloak.testsuite.oid4vc.issuance.signing.OID4VCIssuerEndpointTest#testRequestCredentialUnauthorized <code>ci</code></li> <li><a 
href="https://github.com/keycloak/keycloak/issues/28989">#&#8203;28989</a> Flaky test: org.keycloak.testsuite.oid4vc.issuance.signing.OID4VCIssuerEndpointTest#testCredentialIssuance <code>ci</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/28990">#&#8203;28990</a> Flaky test: org.keycloak.testsuite.oid4vc.issuance.signing.OID4VCIssuerEndpointTest#testGetCredentialOfferWithoutNonce <code>ci</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/28991">#&#8203;28991</a> Flaky test: org.keycloak.testsuite.oid4vc.issuance.signing.OID4VCIssuerEndpointTest#testGetCredentialOffer <code>ci</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/28992">#&#8203;28992</a> Flaky test: org.keycloak.testsuite.oid4vc.issuance.signing.OID4VCIssuerEndpointTest#testGetCredentialOfferWithABrokenNote <code>ci</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/28993">#&#8203;28993</a> Flaky test: org.keycloak.testsuite.oid4vc.issuance.signing.OID4VCIssuerEndpointTest#testGetCredentialOfferURI <code>ci</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/28994">#&#8203;28994</a> Flaky test: org.keycloak.testsuite.oid4vc.issuance.signing.OID4VCIssuerEndpointTest#testGetCredentialOfferWithoutAPreparedOffer <code>ci</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/28995">#&#8203;28995</a> Flaky test: org.keycloak.testsuite.oid4vc.issuance.signing.OID4VCIssuerEndpointTest#testRequestCredentialUnsupportedFormat <code>ci</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/28996">#&#8203;28996</a> Flaky test: org.keycloak.testsuite.oid4vc.issuance.signing.OID4VCIssuerEndpointTest#testRequestCredentialUnsupportedCredential <code>ci</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/29027">#&#8203;29027</a> Creating client-scope without protocol causes GUI bug <code>admin/api</code></li> <li><a 
href="https://github.com/keycloak/keycloak/issues/29033">#&#8203;29033</a> Argon2 password hashing leads to increased Major GC's in Keycloak's JVM during load tests <code>authentication</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/29035">#&#8203;29035</a> Admin console message bundle contains duplicate keys <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/29039">#&#8203;29039</a> Preflight request with OPTIONS method for token introspection endpoint not working. <code>authentication</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/29057">#&#8203;29057</a> not able to disable declarative_ui feature </li> <li><a href="https://github.com/keycloak/keycloak/issues/29072">#&#8203;29072</a> Startup probe should check for existence of an Admin user before returning 200 <code>dist/quarkus</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/29129">#&#8203;29129</a> JGroups creates log messages as it switched internally to "trace" <code>dist/quarkus</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/29132">#&#8203;29132</a> Documentation cites wrong endpoint for Docker Registry v2 Authentication <code>docs</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/29133">#&#8203;29133</a> DuplicateEmailValidator causes two DB queries on every login if a user has an email address <code>core</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/29141">#&#8203;29141</a> Fix waiting for change to take effect in SessionTimeoutsTest </li> <li><a href="https://github.com/keycloak/keycloak/issues/29142">#&#8203;29142</a> LDAP - GroupToGroup Mapper throws "ENTRY_EXISTS" Error <code>ldap</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/29147">#&#8203;29147</a> local user login not possible after LDAP connection problem <code>ldap</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/29154">#&#8203;29154</a> Update 
docs to distinguish between product names and CR names <code>docs</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/29190">#&#8203;29190</a> JS Admin Client does not support q query parameter on users.count() and clients.find() methods <code>admin/client-js</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/29206">#&#8203;29206</a> LDAP user creation reports error but user is created <code>ldap</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/29213">#&#8203;29213</a> Bad formatting of permissions error in admin console <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/29233">#&#8203;29233</a> Broken link in documentation <code>docs</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/29235">#&#8203;29235</a> Tests for persistent sessions are not performed <code>infinispan</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/29237">#&#8203;29237</a> The select for a locale behaves as a multi-select in the admin and account UI when it should be single value <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/29246">#&#8203;29246</a> Flaky test: org.keycloak.testsuite.client.ClientTypesTest#testUpdateClientWithClientType <code>ci</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/29247">#&#8203;29247</a> Flaky test: org.keycloak.testsuite.oauth.ClientTokenExchangeTest#testExchangeWithDynamicScopesEnabled <code>ci</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/29248">#&#8203;29248</a> Flaky test: org.keycloak.testsuite.oauth.ClientTokenExchangeTest#testClientExchange <code>ci</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/29249">#&#8203;29249</a> Flaky test: org.keycloak.testsuite.oauth.ClientTokenExchangeTest#testIntrospectTokenAfterImpersonation <code>ci</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/29250">#&#8203;29250</a> Flaky 
test: org.keycloak.testsuite.oauth.ClientTokenExchangeTest#testPublicClientNotAllowed <code>ci</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/29251">#&#8203;29251</a> Flaky test: org.keycloak.testsuite.oauth.ClientTokenExchangeTest#testExchangeUsingServiceAccount <code>ci</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/29252">#&#8203;29252</a> Flaky test: org.keycloak.testsuite.oauth.ClientTokenExchangeTest#testImpersonation <code>ci</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/29253">#&#8203;29253</a> Flaky test: org.keycloak.testsuite.oauth.ClientTokenExchangeTest#testImpersonationUsingPublicClient <code>ci</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/29259">#&#8203;29259</a> `auth-server-feature` does not work for `auth-server-quarkus-embedded` <code>testsuite</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/29263">#&#8203;29263</a> Default value for MULTIVALUED_STRING_TYPE in authenticator config is ignored <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/29266">#&#8203;29266</a> Documentation Enhancements Admin Rest API Group to Client Role Mappings <code>docs</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/29287">#&#8203;29287</a> Upgraded docker to 24, now unable to browse "authentication" page in one of my realms. 
<code>authentication</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/29294">#&#8203;29294</a> Listing of sessions is very slow when we have tens of thousands sessions (+ not able to know the exact number of sessions) <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/29309">#&#8203;29309</a> JWSBuilder when used directly with AsymmetricSignatureSignerContext produces non compliant ECDSA signed JWT <code>core</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/29311">#&#8203;29311</a> POST /{realm}/clients-initial-access is allowing invalid data like count = -1 and expiration date-time can be set earlier than the creation date-time <code>oidc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/29314">#&#8203;29314</a> Clicking the "save" button multiple times in the Saml IDP configuration page corrupts the value of "AuthnContext ClassRefs" <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/29336">#&#8203;29336</a> Unlocking and saving the user's temporary lock will render the user disabled. 
<code>account/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/29352">#&#8203;29352</a> Fix user-facing typos in error messages <code>core</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/29362">#&#8203;29362</a> Custom user attributes are not shown for service account users in the Admin UI <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/29376">#&#8203;29376</a> kc export fails when using User Federation (LDAP) with SSL/TLS <code>import-export</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/29385">#&#8203;29385</a> Restart authentication event type is not generated <code>authentication</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/29408">#&#8203;29408</a> Need to show translation for attributes group on Registration form <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/29426">#&#8203;29426</a> Potential bug introduced to JavaKeystoreKeyProvider in #&#8203;26936 <code>admin/api</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/29429">#&#8203;29429</a> NPE when Organization feature enabled <code>core</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/29440">#&#8203;29440</a> clients_tests is unstable <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/29458">#&#8203;29458</a> Empty CSP header value breaks security filter <code>authentication</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/29471">#&#8203;29471</a> Cypress tests store videos even for passing tests <code>ci</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/29495">#&#8203;29495</a> Fixing realm removal when removing groups and brokers associated with an organization <code>core</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/29507">#&#8203;29507</a> realm_settings_user_profile_enabled fails randomly 
<code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/29525">#&#8203;29525</a> Maven clean build doesn't clean admin client generated files <code>ci</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/29528">#&#8203;29528</a> Failure: SessionTimeoutsTest <code>ci</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/29551">#&#8203;29551</a> OAuth 2.0 Device Polling Interval - Setting in Realms settings/Token Plus-Minus to change value not working <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/29554">#&#8203;29554</a> Cypress failing on video recording <code>ci</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/29579">#&#8203;29579</a> Increased augmentation time after Quarkus 3.8.4 upgrade <code>dist/quarkus</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/29592">#&#8203;29592</a> Remote caches and other site's caches might get out-of-sync when persistent sessions are used <code>core</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/29599">#&#8203;29599</a> Org domain removal from IDP is not properly propagated to the DB <code>core</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/29602">#&#8203;29602</a> SNYK-JAVA-ORGBOUNCYCASTLE-6277381 - Observable Timing Discrepancy in org.bouncycastle:bcprov-jdk18on <code>dependencies</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/29607">#&#8203;29607</a> CVE-2024-30172 - Infinite loop in org.bouncycastle:bcprov-jdk18on <code>dependencies</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/29608">#&#8203;29608</a> CVE-2024-30171 - Observable Discrepancy in org.bouncycastle:bcprov-jdk18on <code>dependencies</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/29609">#&#8203;29609</a> CVE-2024-29857 - Allocation of Resources Without Limits or Throttling in org.bouncycastle:bcprov-jdk18on 
<code>dependencies</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/29620">#&#8203;29620</a> Wrong Media Type / Format of SD JWT VC <code>oid4vc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/29625">#&#8203;29625</a> Database driver install examples can lead to permission errors in some circumstances <code>docs</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/29630">#&#8203;29630</a> Unable to import realms with organization feature enabled <code>core</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/29640">#&#8203;29640</a> Admin console development fail due to whoami endpoint <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/29641">#&#8203;29641</a> Admin Console uses a wrong URL type for auth server <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/29644">#&#8203;29644</a> Unmanaged Attributes drop down doesn't reflect the value <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/29688">#&#8203;29688</a> client_authorization_test fails <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/29699">#&#8203;29699</a> Snyk Report is not preventing duplicates <code>ci</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/29738">#&#8203;29738</a> Broken translations for loa-condition-level and loa-max-age <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/29756">#&#8203;29756</a> MigrateTo25_0_0 does not complete within default transaction timeout <code>storage</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/29788">#&#8203;29788</a> OpenAPI: Missing content definition for authentication flow executions GET API <code>admin/api</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/29802">#&#8203;29802</a> Flaky test: 
org.keycloak.testsuite.model.session.UserSessionPersisterProviderTest#testMigrateSession <code>ci</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/29805">#&#8203;29805</a> Supported Credential Type is not evaluated when applying the Protocol Mapper in OID4VCI <code>oid4vc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/29808">#&#8203;29808</a> LDAP User federation: LDAP: error code 49 - Invalid Credentials <code>ldap</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/29814">#&#8203;29814</a> package com.google.common.hash does not exist when building keycloak-api-docs-dist <code>docs</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/29816">#&#8203;29816</a> Aggregated javadoc generation fix + missing keycloak-operator javadoc <code>dist/quarkus</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/29868">#&#8203;29868</a> Missing Text for x509 <code>translations</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/29869">#&#8203;29869</a> Kubernetes resources point to non-existing Operator image <code>operator</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/29875">#&#8203;29875</a> Upgrade supported PostgreSQL to version 16 <code>ci</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/29885">#&#8203;29885</a> Unable to create an LD-Credentials/VCDM provider for OID4VC <code>oid4vc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/29931">#&#8203;29931</a> Cannot access the account console <code>account/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/29939">#&#8203;29939</a> Increased GC overhead in the continuous performance tests after G1GC compiler change <code>dist/quarkus</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/29948">#&#8203;29948</a> Reason not logged in event for invalid SAML request <code>saml</code></li> <li><a 
href="https://github.com/keycloak/keycloak/issues/29968">#&#8203;29968</a> x509 SAN UPN other name is not handled in JDK 21 <code>authentication</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/29976">#&#8203;29976</a> CI for JS not running all the tasks <code>ci</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/29981">#&#8203;29981</a> Enabling and disabling functions are not working properly in KC GUI <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/29982">#&#8203;29982</a> Revert editorconfig for properties files as trailing blanks are used <code>ci</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/29984">#&#8203;29984</a> Nightly build for API docs is broken </li> <li><a href="https://github.com/keycloak/keycloak/issues/30018">#&#8203;30018</a> SessionTimeoutsTest failing even after retry, probably due to insufficient cleanup <code>testsuite</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30023">#&#8203;30023</a> Using {application.session.host} in backchannel logout url prevents from saving client <code>admin/api</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30024">#&#8203;30024</a> Sign out button in the account console has wrong Selenium locator <code>testsuite</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30028">#&#8203;30028</a> Typo in the upgrading guide for persistent sessions <code>docs</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30049">#&#8203;30049</a> All roles are populated as inherited roles if a single role is added to a dedicated client scope <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30068">#&#8203;30068</a> Update RFC reference in subject: Likely typo RFC2553 -> RFC2253, Consider RFC4514 <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30079">#&#8203;30079</a> The OID4VC tests break 
automation <code>account/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30086">#&#8203;30086</a> Remove sources folder before invoking JakartaTransformer </li> <li><a href="https://github.com/keycloak/keycloak/issues/30102">#&#8203;30102</a> Updating client policies in JSON editor is buggy. Attempt to update global client policies should throw the error <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30120">#&#8203;30120</a> Option `cache-remote-tls-enabled` is missing the default <code>dist/quarkus</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30126">#&#8203;30126</a> Client scope names not shown in evaluate section in client-scopes tab <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30134">#&#8203;30134</a> Malformed dependency version causing the build failure <code>testsuite</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30196">#&#8203;30196</a> Test PoC does not run with Quarkus fork join worker </li> <li><a href="https://github.com/keycloak/keycloak/issues/30201">#&#8203;30201</a> Keycloak CI - failure in Store IT (aurora-postgres) <code>ci</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30206">#&#8203;30206</a> Use forkjoin pool factory in testsuite for embedded Quarkus Auth Server <code>testsuite</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30218">#&#8203;30218</a> Locale dropdowns not working <code>account/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/30220">#&#8203;30220</a> Base theme contains properties without default values <code>login/ui</code></li> </ul> </div> </details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about these updates again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
Renovate Bot (Automated) added 1 commit 2024-06-15 15:35:54 +02:00
Renovate Bot (Automated) force-pushed renovate/major-version.keycloak from 74401f431d to 1814c77a90 2024-06-15 15:51:28 +02:00
Renovate Bot (Automated) force-pushed renovate/major-version.keycloak from 1814c77a90 to 529d8b2f64 2024-06-15 15:53:55 +02:00
Denys Konovalov merged commit f1adc3ce97 into main 2024-06-15 15:54:20 +02:00
Denys Konovalov deleted branch renovate/major-version.keycloak 2024-06-15 15:54:20 +02:00