Keycloak 21.0.0 released
February 23 2023
To download the release go to Keycloak downloads.
Release notes
Old Admin Console removed
In Keycloak 19 the new admin console was graduated to the new default admin console, and the old admin console was
deprecated. In this release the old admin console has been removed completely.
Keycloak uses Micrometer for metrics
Keycloak provides an optional metrics endpoint which exports metrics in the Prometheus format.
In this release the implementation to provide this data switched from SmallRye to Micrometer.
Due to this change, metrics have been renamed.
See the migration guide for details.
Java 11 support for Keycloak server deprecated
Running the Keycloak server with Java 11 is now deprecated, and planned to be removed in Keycloak 22.
Adapters remain supported on Java 8, Java 11, and Java 17. However, we are planning to remove support for Java 8 in the
not too distant future.
Hashicorp Vault no longer supported
We removed the out-of-box support for Hashicorp vault in this release.
Prior to this release, SAML SP metadata contained the same key for both
signing and encryption use. Starting with this version of Keycloak,
we include only encryption intended realm keys for encryption use
in SP metadata. For each encryption key descriptor we also specify
the algorithm that it is supposed to be used with. The following table shows
the supported XML-Enc algorithms with the mapping to Keycloak realm keys.
See the Upgrading Guide for more details.
Deprecated methods from user session provider were removed
Several deprecated methods were removed from user session provider. If not done already,
their usage needs to be replaced with the corresponding replacement documented in Javadoc
of Keycloak 20 release. See Upgrading Guide for more details.
New storage: IS_CLIENT_ROLE searchable field was deprecated
The IS_CLIENT_ROLE searchable field from the RoleModel was deprecated. It should be replaced with the CLIENT_ID searchable field used with the operators EXISTS or NOT_EXISTS. See JavaDoc of Keycloak 21 for more details.
FIPS 140-2 preview support
FIPS 140-2 support in Keycloak, which was experimental in the previous release, is now promoted to preview. There were many fixes and improvements to create this preview version.
For the details, see the FIPS documentation. Feedback is welcome!
Support for the standard Forwarded header when running behind a reverse proxy
In addition to recognizing the non-standard X-Forwarded-* headers to fetch information added by proxies that would otherwise be altered or lost when proxy servers are involved in the path of the request, Keycloak can now leverage the standard Forwarded header for the same purpose.
Please make sure your proxy also overrides the Forwarded header when making requests to Keycloak nodes.
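To verify the override requirement above, send a test request through the proxy with a canary Forwarded value and inspect what reaches the Keycloak node. The following is an added example, not Keycloak code: it parses the header per RFC 7239 and reports whether a client-supplied element survived. The header strings, host names and addresses are constructed samples.

```python
import re


def split_outside_quotes(text, sep):
    """Split on sep, ignoring separators inside RFC 7230 quoted-strings."""
    parts, buf, in_quotes, escaped = [], [], False, False
    for ch in text:
        if escaped:
            buf.append(ch)
            escaped = False
        elif in_quotes and ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == '"':
            in_quotes = not in_quotes
            buf.append(ch)
        elif ch == sep and not in_quotes:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return parts


def parse_forwarded(value):
    """Return one dict per forwarded-element, in header order (first = oldest hop)."""
    elements = []
    for raw_element in split_outside_quotes(value, ","):
        params = {}
        for pair in split_outside_quotes(raw_element, ";"):
            name, eq, val = pair.strip().partition("=")
            if not eq:
                continue  # empty or malformed pair
            val = val.strip()
            if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
                val = re.sub(r"\\(.)", r"\1", val[1:-1])  # unquote, drop escapes
            params[name.strip().lower()] = val  # parameter names are case-insensitive
        if params:
            elements.append(params)
    return elements


def client_value_survived(received_header, canary):
    """True if any element still carries the canary value the test client sent."""
    return any(canary in element.values() for element in parse_forwarded(received_header))


# Constructed sample: the test client sent "for=203.0.113.250;host=canary.invalid".
# A proxy that appends its own element keeps the client's claim in the header:
APPENDING_PROXY = ("for=203.0.113.250;host=canary.invalid, "
                   "for=198.51.100.7;host=sso.example.org;proto=https")
# A proxy that overrides the header replaces it with what it observed itself:
OVERRIDING_PROXY = 'for="[2001:db8::7]:52144";host=sso.example.org;proto=https'

if __name__ == "__main__":
    for label, header in (("appending", APPENDING_PROXY), ("overriding", OVERRIDING_PROXY)):
        leaked = client_value_survived(header, "canary.invalid")
        print(f"{label}: {len(parse_forwarded(header))} element(s), client value kept: {leaked}")
```

If the canary is still present at the backend, the proxy is passing client-controlled host, proto or address information through to Keycloak.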
The container image is now based on ubi9-micro
To enhance security, the Keycloak Container Image has been modified in two ways: First, it is now based on UBI9, rather than UBI8. Second, we have switched to -micro, whereas -minimal was used before.
The change to UBI9 will not have any impact on most users. In rare cases the glibc error CPU does not support x86-64-v2 may appear. x86-64-v2 has been available from processors since 2009. You’re most likely to encounter this issue when your virtualization environment is misconfigured.
The change from -minimal to -micro has more potential impact. Users making simple customizations to the image won’t notice any difference, however any user that installs RPMs will need to change how they do that. The Running Keycloak in a container guide has been updated to show you how.
As a result of these changes, there has been an 82% reduction in known CVEs affecting the Keycloak Container Image!
Migration from 21.0
Before you upgrade, remember to back up your database. If you are not on the previous release, refer to the documentation for a complete list of migration changes.
Keycloak uses Micrometer for metrics
Keycloak provides an optional metrics endpoint which exports metrics in the Prometheus format.
In this release the implementation to provide this data switched from SmallRye to Micrometer, which is the recommended metrics library for Quarkus.
Due to this change, metrics have been renamed.
The following table shows some examples.
Before upgrading it is recommended to review all metrics returned from the endpoint before and after the change, and update their usage in dashboards and alerts.
Table 1. Examples of changed metrics names
Old metric name | New metric name
base_gc_total | jvm_gc_pause_seconds_count
base_gc_time_total_seconds | jvm_gc_pause_seconds_sum
base_thread_count | jvm_threads_live_threads
vendor_agroal_* | agroal_*
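One way to carry out the recommended before/after review is the script below. It is an added example, not part of the Keycloak release: it compares two scrapes of the metrics endpoint and flags alert or dashboard queries that reference a metric which disappeared. The scrape contents, query labels and expressions are constructed; only the rename rules come from Table 1.

```python
import re

# Rename examples copied from Table 1 on this page; a trailing "*" is a prefix rule.
RENAMES = {
    "base_gc_total": "jvm_gc_pause_seconds_count",
    "base_gc_time_total_seconds": "jvm_gc_pause_seconds_sum",
    "base_thread_count": "jvm_threads_live_threads",
    "vendor_agroal_*": "agroal_*",
}

_NAME = r"[a-zA-Z_:][a-zA-Z0-9_:]*"  # Prometheus metric-name syntax

# Constructed scrape taken before the upgrade.
BEFORE = """\
# TYPE base_gc_total counter
base_gc_total{name="G1 Young Generation"} 12.0
base_gc_time_total_seconds{name="G1 Young Generation"} 0.35
base_thread_count 48.0
base_memory_usedHeap_bytes 1.7e+08
vendor_agroal_active_count{datasource="default"} 3.0
"""

# Constructed scrape taken after the upgrade.
AFTER = """\
# TYPE jvm_gc_pause_seconds summary
jvm_gc_pause_seconds_count{action="end of minor GC",cause="G1 Evacuation Pause"} 12.0
jvm_gc_pause_seconds_sum{action="end of minor GC",cause="G1 Evacuation Pause"} 0.35
jvm_threads_live_threads 48.0
jvm_memory_used_bytes{area="heap",id="G1 Eden Space"} 1.7e+08
agroal_active_count{datasource="default"} 3.0
"""

# Constructed alert and dashboard queries, keyed by a label of our choosing.
EXPRESSIONS = {
    "gc-rate-alert": "rate(base_gc_total[5m]) > 2",
    "thread-panel": "base_thread_count",
    "pool-alert": 'vendor_agroal_active_count{datasource="default"} > 15',
    "heap-panel": "base_memory_usedHeap_bytes / 1024 / 1024",
}


def metric_names(exposition):
    """Collect metric names from Prometheus text-format output."""
    names = set()
    for line in exposition.splitlines():
        match = re.match(_NAME, line.strip())
        if match:  # comment lines start with "#" and never match
            names.add(match.group(0))
    return names


def suggest(old_name):
    """Return the new name according to RENAMES, or None if the table has no rule."""
    for old, new in RENAMES.items():
        if old.endswith("*"):
            prefix = old[:-1]
            if old_name.startswith(prefix):
                return new[:-1] + old_name[len(prefix):]
        elif old_name == old:
            return new
    return None


def audit(before, after, expressions):
    """List (label, removed metric, suggested name, suggestion present after upgrade)."""
    present = metric_names(after)
    gone = metric_names(before) - present
    findings = []
    for label, expr in expressions.items():
        # Every identifier in the query is checked; only removed metrics are reported.
        for ident in dict.fromkeys(re.findall(_NAME, expr)):
            if ident in gone:
                new = suggest(ident)
                findings.append((label, ident, new, new in present))
    return findings


if __name__ == "__main__":
    for label, old, new, ok in audit(BEFORE, AFTER, EXPRESSIONS):
        hint = f"use {new}" if ok else "no rule in Table 1, compare the scrapes by hand"
        print(f"{label}: {old} is gone ({hint})")
```

The last constructed query shows the case the table does not cover: the metric vanished but the page lists only some renames, so it has to be matched against the new scrape manually.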
Deprecated RSA_SHA1 and DSA_SHA1 algorithms for SAML
Algorithms RSA_SHA1 and DSA_SHA1, which can be configured as Signature algorithms on SAML adapters, clients and identity providers, are deprecated. We recommend using safer alternatives based on SHA256 or SHA512. Also, verifying signatures on signed SAML documents or assertions with these algorithms does not work on Java 17 or higher. If you use this algorithm and the other party consuming your SAML documents is running on Java 17 or higher, verifying signatures will not work.
The possible workaround is to remove algorithms such as http://www.w3.org/2000/09/xmldsig#rsa-sha1 or http://www.w3.org/2000/09/xmldsig#dsa-sha1 from the list of "disallowed algorithms" configured on property jdk.xml.dsig.secureValidationPolicy in the file $JAVA_HOME/conf/security/java.security.
In this version, Keycloak will refuse to decrypt assertions encrypted using
a realm key generated for signing purpose. This change means all encrypted
communication from IDP to SP (where Keycloak acts as the SP) will stop working.
There are two ways to make this work:
- either update the IDP configuration with the metadata generated by a newer version of Keycloak,
- or run Keycloak in backward compatibility mode that will make Keycloak work with the metadata generated by older Keycloak versions. This mode can be enabled using the -Dkeycloak.saml.deprecated.encryption=true flag. Note this backward compatibility mode is planned to be removed in Keycloak 24.
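To decide which IDP configurations need the first option, you can inspect the SP metadata each IDP currently holds. The following is an added example, not Keycloak code: it flags metadata that matches the pre-21 shape described on this page (the same key advertised for signing and encryption, or an encryption key descriptor with no algorithm). The metadata documents, entity ID and certificate strings are constructed placeholders, and the finding names are this example's own.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed SP metadata skeleton; certificate bodies are placeholders, not real keys.
_TEMPLATE = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sso.example.org/realms/demo">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>PLACEHOLDERSIGNINGCERT</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{enc_cert}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
      {enc_method}
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

# Pre-21 shape: the signing key is reused for encryption, no algorithm is stated.
OLD_METADATA = _TEMPLATE.format(enc_cert="PLACEHOLDERSIGNINGCERT", enc_method="")

# Newer shape: a separate encryption key with its XML-Enc algorithm.
NEW_METADATA = _TEMPLATE.format(
    enc_cert="PLACEHOLDERENCRYPTIONCERT",
    enc_method='<md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>',
)


def key_descriptors(metadata_xml):
    """Return use, certificate and declared algorithms for each SP KeyDescriptor."""
    # Parse only metadata you exported yourself; use a hardened parser for untrusted XML.
    root = ET.fromstring(metadata_xml)
    result = []
    for kd in root.iterfind(".//md:SPSSODescriptor/md:KeyDescriptor", NS):
        cert = kd.findtext(".//ds:X509Certificate", default="", namespaces=NS)
        result.append({
            "use": kd.get("use"),  # absent means the key serves both purposes
            "cert": "".join(cert.split()),  # ignore base64 line wrapping
            "algorithms": [m.get("Algorithm") for m in kd.iterfind("md:EncryptionMethod", NS)],
        })
    return result


def assess(metadata_xml):
    """Return findings that indicate metadata generated before this change."""
    descriptors = key_descriptors(metadata_xml)
    signing_certs = {d["cert"] for d in descriptors if d["use"] == "signing"}
    findings = []
    for d in descriptors:
        if d["use"] is None:
            findings.append("unscoped-key")
        elif d["use"] == "encryption":
            if d["cert"] in signing_certs:
                findings.append("shared-key")
            if not d["algorithms"]:
                findings.append("no-algorithm")
    return findings


if __name__ == "__main__":
    for name, doc in (("old", OLD_METADATA), ("new", NEW_METADATA)):
        print(name, assess(doc) or "ok")
```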
Deprecated methods from user session provider were removed
UserLoginFailureProvider was introduced in Keycloak 13 and some methods from UserSessionProvider were moved there. The methods in UserSessionProvider were deprecated and have now been removed. Javadoc of these methods contained a corresponding replacement (see Javadoc of Keycloak 20 release).
Custom themes using old admin console won’t work
The old admin console, which was deprecated in previous versions, was finally removed. This also means that your custom themes, which were using it as parent theme or importing from it, won’t work.
It is highly recommended to not deploy such themes at all as extending old admin console is not applicable anymore and there can be issues in Keycloak (at least warnings or errors in the logs) with
such themes deployed.
Curl has been removed from the container
The Keycloak Container Image has been modified to enhance security. As a result, curl and other CLI tools have been removed, which you may have been using in your customized image. See the updated container guide for information on how to handle this change.
All resolved issues
New features
- #11698 Add an option allowing to disable client registration access token rotation keycloak
- #15271 Add support for Microsoft Authenticator keycloak
- #16107 Short verification_uri for Device Authorization Request keycloak
- #16787 support multi hosted-domain in `GoogleIdentityProvider` keycloak
- #17037 Allow configuring of redirectUri for the cordova adapter keycloak adapter/javascript
Enhancements
- #1738 Deprecate SHA1 based algorithms for SAML signatures keycloak-documentation
- #1743 Documentation of some options of SAML IDP is not up-to-date keycloak-documentation
- #8820 Official Support for Microsoft mobile authenticator app keycloak
- #8982 Blacklist false positive rate could be set a lot lower. keycloak
- #9008 Update client with registration access token gained by client registration keycloak authorization-services
- #9017 Pre-authorization hook for client policies keycloak
- #9144 Remove Hashicorp Support keycloak dist/quarkus
- #9388 Global lock interface keycloak storage
- #9420 Use bulk deletes in HotRod store keycloak storage
- #9699 Include list of possible option values in help messages. keycloak dist/quarkus
- #10018 JPA Map Storage: leverage function-based indexes (Postgresql) keycloak storage
- #10090 Remove workaround in HotRodUtils#paginateQuery keycloak storage
- #10376 Add MapKeycloakTransaction.exists(id) method keycloak storage
- #10988 Remove doubled field from HotRod entities keycloak storage
- #11744 Remove `session.area().getById(id)` from Map provider methods keycloak storage
- #12067 Investigate a way to update indexes in no-downtime way for HotRod store keycloak storage
- #12068 Leverage Infinispan lifespan for ExpirableEntities in HotRod storage keycloak storage
- #12950 Implement "advanced claim to group" mapping for SAML keycloak
- #13219 Followup: JPA Map store wants to use `hibernate.integrator_provider` in Quarkus keycloak
- #13222 Followup: Revisit JTA vs. RESOURCE_LOCAL for JPA map storage for Quarkus and other Setups keycloak storage
- #13346 Cannot save profile on User Management Console while CJK characters in username keycloak user-profile
- #13544 Quarkus testsuite should use storage=chm by default where it makes sense keycloak testsuite
- #13606 Keycloak uses incorrect encryption keys as SAML identity brokers in SPSSODescriptor keycloak
- #13632 File map storage: Basic storage keycloak storage
- #13725 Make GHA Map-JPA base testsuite running with Quarkus keycloak storage
- #14503 Allow to configure firstname and lastname to be optional during registration keycloak user-profile
- #14504 Ability to add fields in job template for KeycloakRealmImport CR keycloak
- #14583 Provide partial import of realms for the map storage, ideally without needing a representation keycloak storage
- #14686 Add missing german translation for emailInstructionUsername keycloak
- #14739 Improve readability and manageability of deployment configuration for operator keycloak operator
- #14915 Cleanup setting of Hibernate version twice in root pom and Quarkus pom keycloak dist/quarkus
- #15026 Declarative user profile should allow to mark the email attribute as non required keycloak
- #15053 Remove deprecated methods from `login-failure` area from `user-session` interface keycloak storage
- #15223 Make sure the KeycloakSession is not closed more than once keycloak core
- #15234 Switch to micrometer metrics keycloak
- #15256 Expose attribute metadata from the User API keycloak user-profile
- #15374 Remove dependencies on Resteasy API and rely on JAX-RS API as much as possible keycloak
- #15450 Remove unnecessary injection points from JAX-RS (sub)resources keycloak
- #15507 JPA Map Storage: leverage function-based indexes (CockroachDB) keycloak storage
- #15525 Remove unnecessary injection points from our JAX-RS resources keycloak
- #15576 Enable Oracle DB drivers for KeycloakServer in the testsuite utils keycloak
- #15602 Remove injection points for Resteasy contextual data and use the Keycloak context instead keycloak
- #15603 Keycloak distribution contains testing libraries keycloak dist/quarkus
- #15605 Avoid creating proxies at runtime for Rest-based SPIs keycloak
- #15612 Client registration service must not check client protocol for Bearer token keycloak
- #15644 Review `set-quarkus-version.sh` keycloak dist/quarkus
- #15666 Update to latest version of Keycloak Actionbot keycloak
- #15677 Enumerate fields in autogenerated class descriptor keycloak storage
- #15706 Create model-map-file module with empty implementations keycloak storage
- #15740 ./kc.sh does not pickups conf/quarkus.properties keycloak docs
- #15749 Add logging to KeycloakModelUtils.runJobInRetriableTransaction keycloak storage
- #15810 Remove dependency on Resteasy Multipart Provider keycloak
- #15811 Make sure JAX-RS resource methods are advertizing the media type they support keycloak
- #15812 ConcurrentModificationException in DeclarativeUserProfileProvider keycloak user-profile
- #15846 Support autogeneration of camel case field names keycloak storage
- #15885 Add write ability to file store keycloak storage
- #15890 Introduce tests for pessimistic locking usecases keycloak storage
- #15901 Enable Infinispan Metrics keycloak
- #15946 User Attribute Policy keycloak
- #15977 Upgrade to Infinispan 14.0.4.Final keycloak storage
- #16008 Update to JBoss Parent 39 keycloak
- #16020 Adding CRDB into GHA for the new store keycloak storage
- #16089 Normalize memory usage in tests and OOM behavior keycloak storage
- #16091 Cache Maven Wrapper JAR in GitHub actions keycloak ci
- #16139 The search does not work if only partial information is entered keycloak
- #16220 Clarify using of `--optimized` flag with DBs keycloak docs
- #16224 Incrementally cache consents on a per client basis keycloak infinispan
- #16248 Keycloak operator. Add labels to keycloak PODs keycloak
- #16281 Keep consistency when importing realms at startup when they are exported via the `export` command keycloak
- #16308 Compatibility with Maven4 build cache and parallel builds keycloak ci
- #16320 Single client export bug keycloak
- #16373 Remove invalid property from Operator properties keycloak dist/quarkus
- #16420 Support runnning tests using an embedded distribution keycloak
- #16529 Move Admin UI custom REST endpoints to main repository keycloak
- #16616 Make lockTimeout better configurable in JpaMapStorageProviderFactory keycloak storage
- #16676 Create basic read-only file store keycloak storage
- #16690 Make LockAcquiringTimeoutException a runtime exception keycloak storage
- #16751 Do not enable caching metrics by default and provide a guide keycloak
- #16807 KeycloakIngress (controller) should configure edge TLS when back-end protocol is HTTP keycloak operator
- #16892 Update proxy guide with information about session stickness keycloak docs
- #16900 Documentation for handling errors keycloak admin/client-js
- #16921 Recovery codes input error not displayed in the standardized way keycloak
- #16962 Make it possible to run the embedded distribution in FIPS mode keycloak
- #17133 Apply documentation standards to Getting Started Guides keycloak
- #17134 Create an SPI for DeviceActivityManager keycloak
- #17865 Add "Encryption algorithm" option of SAML IDP keycloak admin/ui
- #17935 Update message for 'Valid Post Logout Redirect URIs' client option keycloak admin/ui
- #18080 Testing running on release branches keycloak admin/ui
Bugs
- #8833 Performing an external-to-internal token exchange with an ID token with provider mappers enabled results in `unknown_error`. keycloak token-exchange
- #8958 NullPointerException when editing a sub flow without a description keycloak authentication
- #9003 Documentation Error: User Storage SPI: CredentialInputValidator keycloak core
- #9345 Can't join a node under certain conditions keycloak admin/api
- #9771 Hard-coded signature algorithm in token verification keycloak oidc
- #9991 required action terms_and_conditions is not imported keycloak import-export
- #10668 Kerberos User Federation creates a user that does not exist keycloak ldap
- #10672 Kerberos User Federation creates a user that does not exist when username including "//" keycloak ldap
- #10755 Replace operation set wrong lifespan in remote infinispan database and leads to session eviction keycloak storage
- #10958 Client ID in LDAP Mappers User Federation doesn't align with Rename Client ID keycloak ldap
- #11608 Realm password policy regex does not work keycloak authentication
- #11627 New cluster joiners hang while trying to preload remote sessions (not offline) keycloak storage
- #11726 Conflicting data returned for /users/id and /users endpoints when user is temporarily locked keycloak admin/api
- #11783 Timeout when waiting for 3rd party check iframe message. keycloak adapter/javascript
- #12039 Account console doesn't show the currently logged in user keycloak account/ui
- #12053 [SAML Broker] BadPaddingException because Keycloak uses signing key pair for decryption keycloak saml
- #12523 DELETE user api uses inefficient SQL queries while deleting data from OFFLINE_CLIENT_SESSION keycloak storage
- #12567 SQLGrammarException would occur if a user doesn't belong to any groups keycloak storage
- #12618 Role name containing ";"(semicolon) leads "Resource not found..." error in the admin console keycloak admin/api
- #12649 GET /{realm}/users/{id}/groups ignores 'search' query parameter keycloak admin/api
- #12819 Inconsistent behavior of group attribute caching keycloak storage
- #12913 Keycloak 18.0.2 mixed content issue. keycloak dist/quarkus
- #12970 Public URL autodetection from request does not work when using reverse proxy on non standard ports keycloak dist/quarkus
- #12979 Admin console infinite redirect loop before password prompt keycloak dist/quarkus
- #13063 Setting hostname-admin=localhost redirects to keycloak.example.com keycloak dist/quarkus
- #13089 Infinispan/TCPPING does not span the cluster over all specified nodes keycloak dist/quarkus
- #13114 Reencrypt proxy ignored with new operator keycloak operator
- #13122 Deleting Users in Keycloak Cluster with 3 or more Nodes is not possible keycloak dist/quarkus
- #13148 keycloak(behind nginx) .well-known/openid-configuration path not return correct token or jwt url(custom port loss) keycloak dist/quarkus
- #13157 Response_mode not setup on request when using keycloak Java client keycloak authorization-services
- #13210 JPA Map Storage with CRDB: ConcurrentLoginTest failures keycloak storage
- #13236 Username is removed when updating service account with empty/null email when declarative user profile and registrationEmailAsUsername is enabled keycloak user-profile
- #13340 Performance Issues with many offline sessions keycloak storage
- #13354 LDAP integration doesn't map emails keycloak ldap
- #13656 I get these [com.arjuna.ats.arjuna] warnings and right after the readiness probe dies keycloak storage
- #13988 19 - update-email feature - email change does not affect the username when "Email as username" option is checked keycloak authentication
- #14035 User/User Profile API inconsistent behaviour : partial PUT clear all user fields when user profile enabled keycloak user-profile
- #14071 Keycloak docker container default theme environment variable not working keycloak dist/quarkus
- #14173 IDP Provider is hidden from the login form after the back button is pressed keycloak authentication
- #14197 Configurable session limits bug on chrome & edge keycloak authentication
- #14234 SigningInPage has wrong icon keycloak account/ui
- #14323 Unexpected error when authenticating client: java.lang.RuntimeException: Illegal base64url string! keycloak oidc
- #14433 customized ingress resource is deleted as soon as a Keycloak pod is killed keycloak operator
- #14537 400 for /token endpoint for Multiple Keycloak Servers keycloak dist/quarkus
- #14610 Default Build Failing Due to Test Failures keycloak core
- #14638 Keycloak 19.0.1 can not atrt with mariaDB 10.8.4 keycloak dist/quarkus
- #14657 Keycloak 18.0.0 - Upgrade to 19.0.2 - ISPN Cache error keycloak dist/quarkus
- #14689 User Session Count Limiter not working for some users keycloak authentication
- #14703 Email field that is not required still renders with an asterisk in registration form keycloak authentication
- #14772 Paging for "Users in role" is not guaranteed to work with JPA keycloak storage
- #14794 Error when using similar keys with different algorithms in a jwks for identity provider signature validation keycloak oidc
- #14843 User password is visible on admin events tab keycloak authentication
- #14884 Weird export/re-import behaviour regarding `post.logout.redirect.uris` keycloak oidc
- #15008 Configure custom user provider results in RuntimeException: Failed to find provider map for user keycloak dist/quarkus
- #15021 Unable to create idp role mapper (oidc / saml) with old admin UI keycloak admin/ui
- #15060 Transaction deadlock with Microsoft SQL if "sendStringParametersAsUnicode=false" not set in db url properties keycloak storage
- #15083 Status 500 when trying to retrieve non-existing external IDP token keycloak oidc
- #15093 JPA Map Storage: JpaRootAuthenticationSessionEntity constructor missing version parameter keycloak storage
- #15116 Old admin console theme still visible for selection even though the corresponding feature is disabled keycloak admin/ui
- #15118 Build Timeouts on integration tests keycloak ci
- #15231 Groups beyond first 10 are not accessible keycloak admin/ui
- #15236 Cannot convert undefined or null to object keycloak admin/ui
- #15252 Conditional Authentication flow - Deny Access Error Message - custom property not loaded keycloak authentication
- #15269 User Profile removes all user attributes keycloak admin/api
- #15278 KeycloakErrorHandler throws NPE if session is missing keycloak core
- #15295 AdminV2 not loading through reverse proxy (reencrypt) keycloak admin/ui
- #15324 KC_HTTP_RELATIVE_PATH --http-relative-path ingress or nginx not work keycloak admin/ui
- #15326 Multipod (kubernetes) upgrade from v19 to v20 fails keycloak infinispan
- #15346 Error when loading public keys keycloak oidc
- #15361 user_info not working after upgrading from 19.0.3 to 20.0.0 keycloak oidc
- #15394 Admin account user name is forcibly changed keycloak dist/quarkus
- #15412 All configurations documentation lists database vendor as a build configuration keycloak docs
- #15422 Keycloak User Federation Provider LDAP connection with Azure Active Directory connection is unsuccessful. keycloak ldap
- #15429 NPE in userinfo endpoint keycloak oidc
- #15431 User Profile Attributes not showing up in Admincp User view and User account management view keycloak
- #15432 Startup Fails with NullPointerException in Kubernetes with Keycloakx Helm chart keycloak core
- #15449 Not able to create user with non english character in Keycloak 14 environment keycloak admin/ui
- #15482 User Federation: getReadable() can throw a NPR for a federated user if the user has no attributes keycloak storage
- #15485 12.0.4 - User names fields accept special characters keycloak admin/ui
- #15487 Flaky test: Model Tests DBLockTest keycloak testsuite
- #15493 make nginx certificate-lookup thread safe keycloak authentication
- #15497 Unknown bind DN using LDAP anonymous bind aka bind type none keycloak ldap
- #15503 Flaky tests: Connection timed out to repo.maven keycloak testsuite
- #15538 Custom admin theme not working keycloak admin/ui
- #15539 Invalid redirect uri / keycloak authentication
- #15558 UserSessionProviderTest#testOnClientRemoved fails on CockroachDB keycloak storage
- #15564 Flaky test: RequiredActionTotpSetupTest.setupTotpExistingReusableCodeDisabled keycloak testsuite
- #15566 Failed to generate javadoc keycloak
- #15571 Keycloak 20.0 - Build Configurations not applied? KC_FEATURES=token-exchange keycloak
- #15607 JDK 17 InaccessibleObjectException with infinispan keycloak storage
- #15608 Keycloak wrongly assumes that the default datasource is the first one keycloak dist/quarkus
- #15614 Fix update of group mappers on certain changes of the group path keycloak
- #15656 Password change sometimes triggers error keycloak core
- #15668 User Profile: Editing the username attribute adds empty permissions keycloak user-profile
- #15685 Search by group attributes might break on OracleDB keycloak storage
- #15687 IdentityProviderModel from third party packages are ignored keycloak identity-brokering
- #15699 Unique constraints should use attribute value hash instead of the value itself keycloak storage
- #15701 Unable to run map-storage-jpa tests with custom Postgres image keycloak testsuite
- #15712 Keycloak won't start due to Unsupported database file version or invalid file header in file "/var/lib/keycloak/data/h2/keycloakdb.mv.db" [90048-214] keycloak core
- #15718 Flaky test: RefreshTokenTest.tokenRefreshRequest_ClientES512_RealmRS256 keycloak testsuite
- #15738 ERROR: Failed to start server in (production) mode after update from 19.0.3 quarkus to 20.0.1 keycloak core
- #15739 Device Authorization Grant fails with valid S256 code challenge keycloak core
- #15744 CORS error from token endpoint keycloak authentication
- #15761 Flaky test: JavascriptAdapterTest.implicitFlowOnTokenExpireTest keycloak testsuite
- #15767 Make KeycloakDeploymentBuilder initialize CryptoIntegration keycloak core
- #15777 Can't change 'Restart login' keycloak account/ui
- #15781 kc 19.0.3 with oracle 11g: realm export with users leads SQL Error: 1000, SQLState: 72000 (maximum open cursors exceeded) keycloak storage
- #15801 Multiple failures in Model Tests keycloak testsuite
- #15803 Keycloak upgrade fails: relation databasechangeloglock already exists keycloak core
- #15806 Console not login since Keycloak 19+ keycloak authentication
- #15807 fix typo in kcWebAuthnKeyIcon keycloak account/api
- #15817 Get opentid token server error keycloak account/api
- #15823 Overriding email template provider according to guide fails keycloak core
- #15824 Failed to find Liquibase implementation when using Postgres DB keycloak core
- #15849 JPA Map Storage: Add transaction retry logic to LoginActionsService.authenticate keycloak storage
- #15869 Upload Script error keycloak account/api
- #15886 After changing URL, admin console load old URL keycloak admin/ui
- #15889 Keycloak 20.0.1 on Oracle Database - ORA-00932: inconsistent datatypes: expected - got NCLOB keycloak core
- #15894 Sign in to your account with SAML integration resulting in "Unexpected error when authenticating with identity provider" and no error found on logs. keycloak saml
- #15904 Flaky test: HostnameDistTest keycloak testsuite
- #15916 Java 17 support not given keycloak dist/quarkus
- #15921 Can not set Context path on Keycloak 20 keycloak dist/quarkus
- #15925 JAVA_OPTS_APPEND does not allow overriding the ipv4/ipv6 setting keycloak dist/quarkus
- #15944 API call to get user profile config should allow any admin role. keycloak admin/api
- #15952 export client saml key JKS from realm ui admin theme keycloakv2 give invalid JKS keycloak admin/ui
- #16002 Health Check failure when KC_HTTP_RELATIVE_PATH set on 20.0.0 keycloak core
- #16030 Better error handling on startup keycloak dist/quarkus
- #16046 GHA are not running HotRod tests because of config error keycloak storage
- #16047 NPE while trying to access the list of users in the admin console keycloak admin/api
- #16048 Flaky test: OfflineServletsAdapterTest keycloak ci
- #16053 `FieldsGenerator` doesn't generate `getMapKeyClass()` and `getMapValueClass()` for `Map config` fields keycloak storage
- #16067 Title/header of Admin REST API page incorrectly shows placeholder keycloak docs
- #16069 Stuck at Loading the admin console keycloak admin/cli
- #16078 Flaky test: UserSessionConcurrencyTest.testConcurrentNotesChange keycloak storage
- #16079 Flaky test: UserSessionExpirationTest>KeycloakModelTest.createEnvironment keycloak storage
- #16099 Keycloak admin page is not loading keycloak dist/quarkus
- #16108 Flaky test: org.keycloak.testsuite.federation.kerberos.KerberosLdapTest#spnegoLoginTest keycloak ci
- #16109 Flaky test: org.keycloak.testsuite.federation.kerberos.KerberosLdapTest#validatePasswordPolicyTest keycloak ci
- #16110 Flaky test: org.keycloak.testsuite.federation.kerberos.KerberosLdapTest#testClientOverrideFlowUsingBrowserHttpChallenge keycloak ci
- #16111 Flaky test: org.keycloak.testsuite.federation.kerberos.KerberosLdapTest#writableEditModeTest keycloak ci
- #16112 Flaky test: org.keycloak.testsuite.federation.kerberos.KerberosLdapTest#spnegoCaseInsensitiveTest keycloak ci
- #16113 Flaky test: org.keycloak.testsuite.federation.kerberos.KerberosLdapTest#usernamePasswordLoginTest keycloak ci
- #16114 Flaky test: org.keycloak.testsuite.federation.kerberos.KerberosLdapTest#credentialDelegationTest keycloak ci
- #16115 Flaky test: org.keycloak.testsuite.federation.kerberos.KerberosLdapTest#spnegoLoginWithRequiredKerberosAuthExecutionTest keycloak ci
- #16116 Flaky test: org.keycloak.testsuite.federation.kerberos.KerberosLdapTest#spnegoNotAvailableTest keycloak ci
- #16117 Flaky test: org.keycloak.testsuite.federation.kerberos.KerberosLdapTest#spnegoWithInvalidTokenTest keycloak ci
- #16125 Warning printed in Keycloak CI jobs keycloak ci
- #16130 Flaky test: org.keycloak.testsuite.cookies.CookiesPathTest#testOldCookieWithNodeInValue keycloak ci
- #16131 Flaky test: org.keycloak.testsuite.cookies.CookiesPathTest#testMultipleCookies keycloak ci
- #16132 Flaky test: org.keycloak.testsuite.cookies.CookiesPathTest#testOldCookieWithWrongPath keycloak ci
- #16133 Flaky test: org.keycloak.testsuite.cookies.CookiesPathTest#testCookiesPath keycloak ci
- #16143 Flaky test: org.keycloak.testsuite.forms.LoginTest#loginWithoutForcePasswordChangePolicy keycloak ci
- #16174 Username is not updated if email was changed keycloak user-profile
- #16191 Keycloak 20.0.1 quarkus Distro is failing with MSSqlServer on second time restart keycloak core
- #16202 LinkageError for FipsMode during startup keycloak core
- #16211 AccountConsole leaks translated messages into cached theme keycloak account/ui
- #16216 Some authorization adapter test failing on Java 17 keycloak testsuite
- #16222 operator doesn't watch other namespaces keycloak operator
- #16232 Flaky test: org.keycloak.testsuite.admin.UserTest.sendResetPasswordEmailWithCustomLifespan keycloak ci
- #16240 SAMLServletAdapterTest and SAMLFilterServletAdapterTest failing on Java 17 keycloak testsuite
- #16255 Field generator: `getCollectionElementClass` method not generated when no addElement method is present in interface keycloak storage
- #16261 io.quarkus.builder.BuildException caused by java.lang.OutOfMemoryError: unable to create native thread keycloak dist/quarkus
- #16263 Do not show username field when updating profile if UPDATE_EMAIL feature is enabled and email as username is enabled keycloak user-profile
- #16274 Read-only user attributes error from Keycloak Admin API keycloak admin/api
- #16283 No data stored in external database (MariaDB) keycloak storage
- #16290 Migrating from keycloak 15 to keycloak 20.0.1: If we pass wrong username then getting Internal Server Error keycloak core
- #16297 NPE if user not exists in PolicyEvaluationRequest keycloak admin/api
- #16306 Role/Group based authentication not working for users authenticated by External IdPs (Azure AD, GitHub etc) keycloak authorization-services
- #16313 In CI, new-store-integration-tests for CRDB is sometimes cancelled after 70 minutes keycloak storage
- #16317 EntityField `mapPut` and `collectionAdd` default methods doesn't insert an element when `get(e)` returns `null` keycloak storage
- #16330 Hibernate 6 upgrade: native query registration keycloak storage
- #16332 Hibernate 6 upgrade: unable to extract query parameter name in QueryCacheKey keycloak storage
- #16333 Email theme is not working after update to 20.0.2 keycloak translations
- #16334 Hibernate 6 upgrade: API changes in JpaAutoFlushListener keycloak storage
- #16335 Hibernate 6 upgrade: valueType in `JsonbType` is no longer set keycloak storage
- #16336 Hibernate 6 upgrade: JSON functions need to be registered using new APIs keycloak storage
- #16337 Hibernate 6 upgrade: Entity -> id mapping no longer automatically done keycloak storage
- #16347 Priority order of protocol mappers keycloak oidc
- #16401 Clients secret with % for clients (access type : confidential) have to be encoded keycloak authorization-services
- #16403 Keycloak - Missing data in the userinfo response keycloak core
- #16443 Keycloak 19.0.1 search from UI bug keycloak admin/ui
- #16465 ElytronSessionTokenStore#logoutHttpSessions() does not work as expected due to UNDERTOW-2159 keycloak adapter/jee
- #16467 The user could not be deleted unknown_error keycloak account/api
- #16502 Hibernate 6 upgrade: Warning about missing Bean Validation provider keycloak storage
- #16513 Wrong property for events in map-storage-hot-rod on Undertow keycloak storage
- #16514 Flaky tests: DateTimeParse failures in New Account Console tests keycloak ci
- #16538 Quarkus 3: Model tests fail to finish keycloak testsuite
- #16552 JpaClientModelCriteriaBuilder doesn't work correctly with H6 keycloak storage
- #16584 Userinfo Endpoint Gives 500 (nullpointerexception) on POST request keycloak account/api
- #16586 Upgrading from keycloak 20.0.1-20.0.2+ breaks app logout keycloak oidc
- #16592 Memory leak when running the embedded server keycloak core
- #16605 http-relative-path is not working keycloak core
- #16622 Snyk workflow failing when running the checks against the Operator keycloak ci
- #16634 Hibernate Error performing load command with JDK 17 keycloak storage
- #16642 Database migrations are not transactional keycloak storage
- #16649 Fixing OfflineSessionPersistenceTest in Quarkus3 branch keycloak storage
- #16657 Flaky test: org.keycloak.common.ProfileTest#enablePreviewWithPropertiesFile & #configWithPropertiesFile keycloak ci
- #16658 Label for "Review Profile config" modal is not displayed properly in new admin console keycloak admin/api
- #16669 Flaky test: org.keycloak.testsuite.ui.account2.WelcomeScreenTest#resourcesTest keycloak ci
- #16679 Update Email Action does not properly update username if username=email is active keycloak authentication
- #16684 cannot open admin console after upgrade to 20.0.3 keycloak admin/ui
- #16693 Hibernate 6 referencing m:n association from both entities with both `joinColumns` and `inverseJoinColumns` causes interference keycloak storage
- #16705 Snyk Workflow failing due to the usage of the same category on multiple sections keycloak ci
- #16711 SAML tests in quarkus3 branch failing due to missing SAAJ factory keycloak testsuite
- #16721 Failing tests due to outdated X509Certificate request attribute name keycloak testsuite
- #16727 Keycloak 20.0.3 container does not support Java 17 keycloak dist/quarkus
- #16743 ArtifactBindingTest fails on quarkus 3 branch with ClassNotFoundException keycloak testsuite
- #16745 ISPN000559: Cannot marshall 'class org.infinispan.marshall.protostream.impl.MarshallableUserObject': java.io.NotSerializableException: org.keycloak.models.cache.infinispan.entities.NonExistentItem keycloak dist/quarkus
- #16775 Operator ignores DB vendor when using custom image. Forces h2 instead of chosen vendor. keycloak operator
- #16797 Make sure PBKDF2 providers are using the expect size for derived keys keycloak authentication
- #16801 Log message about leaked statement in JPA map storage keycloak storage
- #16804 Connection Refused on Quarkus Tests keycloak dist/quarkus
- #16818 Any tests using PhantomJS failing in some newer linux environments keycloak testsuite
- #16857 Fix `Overwriting value of clientRole field` log message keycloak storage
- #16880 Keycloak LDAPS does not find valid certification path to requested target in Production keycloak ldap
- #16899 [typing] user.listGroups typing seems incorrect keycloak admin/client-js
- #16901 Can't update user groups keycloak admin/client-js
- #16974 Trivy Workflow failing with context deadline exceeded keycloak ci
- #16988 application/x-unknown-content-type when loading admin console JS and CSS keycloak admin/ui
- #17010 Changing realm id will not update relative URLs in `account-console` client keycloak account/ui
- #17022 lastSync value into COMPONENT_CONFIG is always updated keycloak core
- #17029 File store path traversal keycloak storage
- #17141 Exception in log: Response already committed, can't be changed keycloak storage
- #17162 build failed with pom can not import keycloak ci
- #17197 Discovery document is missing mandatory fields keycloak account/api
- #17216 Link "Sign out" incorrectly hardcoded to localhost in the authz example applications keycloak testsuite
- #17833 Paging doesn't work on filtered tables keycloak admin/ui
- #17870 User profile - Button email verified doesn't appear keycloak admin/ui
- #17874 Client assertion signature configuration of identity broker is missing on new security admin console keycloak admin/ui
- #17887 User profile - Validation Options not working keycloak admin/ui
- #17914 Client Advanced Settings: Access Token Lifespan displayed as "Never expires" when realm value is used (default 1h) keycloak admin/ui
- #17919 Federation Link no longer visible for Users keycloak admin/ui
- #17920 User profile - firstName not showing keycloak admin/ui
- #17921 [Keycloak 20.0.1 ] JWKS url can't be configured keycloak admin/ui
- #17925 New admin console missing action that allows synchronizing LDAP groups to Keycloak keycloak admin/ui
- #17937 Custom User Provider SPI: MULTIVALUED_STRING_TYPE setting not being shown on ui (but saved and retrieved) keycloak admin/ui
- #17968 Azure AD Error: AADSTS90023: Unsupported 'prompt' value keycloak admin/ui
- #17974 Align user profile UI with the behavior from the old admin console keycloak user-profile
Upgrading
Before you upgrade, remember to back up your database and check the upgrade guide for anything that may have changed.