Upgrading
Before upgrading, refer to the migration guide for a complete list of changes.
All resolved issues
New features
- #23155 [WebAuthn] origin validation not support for non-Web platforms
core
Enhancements
- #505 Quickstarts - Wildfly upgrade and README cleanup
quickstarts
- #9318 User profile configuration API is incorrectly typed
docs
- #10128 Improve failed test behaviour
operator
- #10620 Internationalized Domain Names in email address
user-profile
- #10713 Update the server to use RESTEasy Reactive
- #11668 Declarative User Profile: weird behaviour in Account Management Console
user-profile
- #12406 Remove "You are already logged-in" during authentication
authentication
- #14009 CreatedTimestamp on REST import not used
- #14165 Cannot refresh RPT tokens
authorization-services
- #14400 Add proxy options to Keycloak CR
operator
- #15018 Enhancements around proxy and hostname configuration
- #15072 Allow setting a help text to an attribute
user-profile
- #15109 Refactor patch-sources.sh used by the Operator
operator
- #17258 Data too long for column 'DETAILS_JSON'
storage
- #20343 message bundles are not included in the realm export
import-export
- #20584 FAPI 2.0 security profile - supporting RFC 9207 OAuth 2.0 Authorization Server Issuer Identification
- #20695 Add support for single-tenant in Microsoft Identity Provider
- #20794 Can we simplify TokenManager.getRefreshExpiration() and TokenManager.getOfflineExpiration()?
oidc
- #20884 [Admin Console v2] Policy creation at Permissions screen missing
admin/ui
- #21073 Identity providers: pagination in admin REST API
- #21154 Allow existing mappers for Custom Identity Providers
identity-brokering
- #21181 Add FAPI 2.0 security profile as default profile of client policies
- #21182 Enhancing Pluggable Features of Token Manager
- #21183 More flexibility for Introspection endpoint
oidc
- #21200 DPoP support 1st phase
- #21444 Set `client_id` when using `private_key_jwt` with OIDC IdP
identity-brokering
- #21945 Release notes for FAPI 2
- #22034 Keycloak, javascript lib to not use the escape() function
adapter/javascript
- #22215 DPoP verification in UserInfo endpoint
oidc
- #22318 Allow overriding Account Console resources for full control and backwards compatibility
- #22372 Expand Group providers to allow for paginated lookup of subgroups
storage
- #22725 Do not initialize barrier build items for deployment
dist/quarkus
- #22868 Clarification on the tooltip of option "Validate Password Policy" of LDAP provider
admin/ui
- #23194 Add regex support in 'Condition - User attribute' execution
authentication
- #23527 Better usability when disabling user profile and losing the previous configuration
user-profile
- #23891 Add feature flag for OAuth 2.0 device authorization grant flow
oidc
- #24024 User profile tweaks in registration forms
user-profile
- #24072 Lots of parameters related to identity brokering uses `providerId` when they expect `providerAlias`
identity-brokering
- #24273 Add a property to the User Profile Email Validator for max length of the local part
user-profile
- #24278 Transient users: documentation
core
- #24387 Move some UserProfile and Validation classes into keycloak-server-spi
user-profile
- #24494 Transient users: Consents
core
- #24535 Moving UPConfig and related classes from keycloak-services
user-profile
Bugs
- #468 Can't build it
quickstarts
- #8939 PAR fails to authenticate for public client
oidc
- #9004 Access Token claims not imported using OpenID Connect v1.0 Identity Provider Attribute Importer Mappers
oidc
- #10710 Rollup.js complains about the use of eval in one of keycloak.js's dependencies
adapter/javascript
- #11699 Under heavy load, DefaultBruteForceProtector blocks the whole system
authentication
- #12062 Declarative User Profile export
user-profile
- #12171 Inconsistent authorization behavior when exporting data from a realm
authorization-services
- #14134 [keycloak 18] cannot import users with correct ID in partial import
admin/api
- #16379 Inconsistent handling of parenthesis in auth flow name
admin/api
- #16526 Token introspection response does not follow RFC6479 "scope" parameter format
oidc
- #19093 The create new user page requires the admin user to be given the "Manage-Realm" role in order to see the user profile attributes in the create new user page
admin/api
- #19125 kcadm do not update defaultGroups
docs
- #19154 Non working API docs link
docs
- #19555 When update-email feature is enabled, changing emails two times in a row causes unintuitive behaviour
authentication
- #20135 Searching for multiple types in the Events section gives an error
admin/client-js
- #20218 Role mappers must return a single value when they are not multivalued
oidc
- #20316 Email pattern is not compliant
account/api
- #20453 Admin UI incredibly slow with 300 realms
admin/api
- #20537 [Declarative User Profile] OIDCAttributeMapperHelper throws NumberFormatException for optional user attributes
user-profile
- #20763 Flaky test: org.keycloak.testsuite.admin.authentication.FlowTest#testAddRemoveFlow
ci
- #20830 Token-exchange is not working for OpenID Connect v1.0 provider in KC 21.1.1
token-exchange
- #20852 [Declarative User Profile] Attributes are created as required by default but switch is set to "not required"
user-profile
- #20885 Key length is limited to 4000 characters
storage
- #21010 Cannot display 'Authentication Flows' screen when a realm contains more than ~4000 clients
storage
- #21123 NPE in getDefaultRequiredActionCaseInsensitively
admin/api
- #21236 Keycloak Event clientId is null whenever a logout event is fired.
core
- #21555 Listing realms due to realm drop-down
admin/ui
- #21660 Wrong convert timestamp to date
account/ui
- #21779 Flaky test: org.keycloak.testsuite.script.DeployedScriptAuthenticatorTest#loginShouldWorkWithScriptAuthenticator
authentication
- #21780 Flaky test: org.keycloak.testsuite.script.DeployedScriptAuthenticatorTest#loginShouldFailWithScriptAuthenticator
authentication
- #21797 DN with RDN that contains trailing backslash is imported incorrectly into Keycloak
ldap
- #21805 Missing labels account console
account/ui
- #21818 DN with RDN that contains trailing space is imported incorrectly into Keycloak
ldap
- #21830 Operator doesn't pass on system property 'jgroups.dns.query' to Keycloak but an env variable, leading to a warning in the log
operator
- #22143 WatchedSecretsTest.testSecretChangesArePropagated error in OCP
ci
- #22177 Missing client_id validation match when authenticating client with JWT
- #22191 Verification of iss at refresh token request
oidc
- #22332 Selecting resource on resource based permission gives error
admin/ui
- #22337 kc.sh errors if using characters like semicolon inside the arguments
docs
- #22375 Possible NullPointerException
core
- #22395 Email sending fails when SPI truststore is configured and hostnameVerification set to 'ANY'
core
- #22432 inputOptionLabels is not used by Admin UI
admin/ui
- #22583 Fine grained permissions not rendering
account/ui
- #22638 SAML AdvancedAttributeToRoleMapper does not allow predicate evaluation on same Array Attribute
saml
- #22814 user search with "q" parameter ignores keys of length 1 and returns all users
admin/api
- #22818 inputOptionLabels is not used by Account UI v3
account/ui
- #22890 Keycloak 22.0.1: NPE in Edit Identity Provider Mapper on second Save
admin/api
- #22937 ProviderConfigProperty.MULTIVALUED_LIST_TYPE not working in FormAction
admin/ui
- #22988 Cache stampede after realm cache invalidation
infinispan
- #23044 Docs: server_admin/topics/sessions/transient.adoc
authentication
- #23128 Regex defect in federation script federation-sssd-setup.sh
dist/quarkus
- #23173 crypto/elytron package has several bugs
core
- #23180 TypeError in user profile admin-ui
admin/ui
- #23253 CLI args not recognized when running Quarkus dev mode
dist/quarkus
- #23255 Several help text messages missing in saml identity provider
admin/ui
- #23444 After the recent switch to resteasy-reactive we are unable to use resteasy-classic or jersey jax-rs clients.
dependencies
- #23582 Join group screen does not show child groups without filters
admin/ui
- #23616 invalid tag in .ftl file
user-profile
- #23692 Generated access token exception then $ sign in client name
core
- #23733 OpenAPI spec doesn't match the admin API
admin/api
- #23753 Insufficient guard against path traversal GzipResourceEncodingProvider
core
- #23789 Can not create attribute group before setting/removing an annotation
user-profile
- #23795 Spelling errors in TokenManager.java
oidc
- #23970 Keycloak does not export/import userprofile data when exporting the realm
user-profile
- #24032 Group attributes are not saved if there are two attributes with the same key
admin/ui
- #24035 Admin UI: Group details page is not updated by group list dropdown actions
admin/ui
- #24067 Duplicate attribute groups show in list in UserProfile in admin ui
admin/ui
- #24077 Internal server error when no firstName and lastName added on the user with User Profile Disabled and Verify Profile Enabled
user-profile
- #24096 Document or avoid breaking change in UserSessionModel
core
- #24183 Username now shown when creating a user and edit username is not allowed
user-profile
- #24187 Admin UI group view shows attributes of previously viewed group
admin/ui
- #24293 b.map is not a function error when LDAP server is offline
core
- #24420 User profile behaves different in keycloak 22.0.5
user-profile
- #24453 Email-verified checkbox not visible anymore when user profile is enabled
admin/ui
- #24455 NPE when logging in with TransientUser
storage
- #24458 Unfriendly error message when user-storage provider not available
admin/ui
- #24487 show/hide password in clear text button visible for hidden field in "forgot password" flow
login/ui
- #24547 DPoP advertised on OIDC Well Known Endpoint even though DPoP feature is not enabled (preview feature)
oidc
- #24697 User cannot update profile when some invalid attribute invisible to him is present on his profile
user-profile