Keycloak 21.1.0 released

Release notes

Monorepo

In the past Keycloak was maintained across multiple GitHub repositories:

Having multiple repositories introduced a lot of complexity and toil. For example frequently multiple pull requests had to be sent to different repositories for a single change.

To simplify things we have now migrated everything into the main repository.

FIPS 140-2 support

FIPS 140-2 support in Keycloak, which was preview in the previous release, is now promoted to be officially supported.

Experimental Account Console version 3

The Account Console version 3 is now available as an experimental feature in Keycloak. This version supports custom fields created with the 'User Profile' feature. If you are looking to try it out and provide us with some early feedback you can enable it as follows:

bin/kc.sh start-dev --features=account3

Changes to Keycloak Authorization Services support in Keycloak Java-based Adapters

As part of the removal of the deprecated adapters, the Keycloak Policy Enforcer was extracted from the adapters code base into a separate dependency:

<dependency>
    <groupId>org.keycloak</groupId>
    <artifactId>keycloak-policy-enforcer</artifactId>
    <version>21.1.0</version>
</dependency>

By providing this dependency, we expect making it possible to integrate the policy enforcer with the Java stack of your preference.

It also provides built-in support for enabling the policy enforcer to Jakarta applications protected with Wildfly Elytron.

For now, this dependency is not yet GA as we are still working on the quickstarts and documentation.

This work should not impact existing applications using the deprecated adapters. = Javascript engine available by default

In the previous version, when Keycloak was used on Java 17 with Javascript providers it was needed to add the Nashorn javascript engine to the distribution. This is no longer needed as Nashorn javascript engine is available in Keycloak server by default.

Migration from 21.0

Before you upgrade remember to backup your database. If you are not on the previous release refer to the documentation for a complete list of migration changes.

Javascript engine available by default on the classpath

In the previous version, when Keycloak was used on Java 17 with Javascript providers (Script authenticator, Javascript authorization policy or Script protocol mappers for OIDC and SAML clients), it was needed to copy javascript engine to the distribution. This is no longer needed as Nashorn javascript engine is available in Keycloak server by default. When you deploy script providers, it is recommended to not copy the nashorn script engine and it’s dependencies into the Keycloak distribution.

Change of the default Client ID mapper of Service Account Client

Default Client ID mapper of Service Account Client has been changed. Token Claim Name field value has been changed from clientId to client_id. client_id claim is compliant with OAuth2 specifications:

clientId userSession note still exists.

Keycloak JS adapter must be instanciated with the `new` operator

Historically it has been possible to create an instance of the Keycloak JS adapter by calling the Keycloak() function directly:

const keycloak = Keycloak();

To align this with modern conventions in the JavaScript world it has been possible to use the new operator to create an instance instead:

const keycloak = new Keycloak();

The function-style constructor has been deprecated for a while, but starting this version we will actively log a deprecation message when it used. This style of constructor will be removed in a future version so make sure to migrate your code to use the new operator.

All resolved issues

New features

#10733 Keycloak to fire an event upon realm creation/deletion keycloak

#12363 Provide a Galleon feature pack to install the Keycloak Elytron SAML adapter keycloak

#19524 Build Account Console v3 as Maven artifact and include it as a theme keycloak account/ui

Enhancements

#391 Update javascript quickstarts to not copy nashorn keycloak-quickstarts

#11580 Proxy EDGE is not being reflected in the post_logout_redirect_uri - Admin Console Logut button keycloak oidc

#15251 Add mapping UserSessionNoteMapper into UserInfo claims keycloak oidc

#16573 Avoid resolving expressions twice but rely on MP config expression support keycloak dist/quarkus

#17139 Try to use SimpleHttp to execute SOAP calls instead default HttpURLConnection keycloak saml

#17353 Decouple the policy enforcer from adapters and provide a separate library keycloak

#19540 Policy Enforcer built-in support for Elytron and Jakarta keycloak authorization-services

#19560 Switch to quarkus-extension-maven-plugin keycloak dist/quarkus

Bugs

#8849 service-account leaking in get users API with "exact" query parameter set keycloak admin/api

#9564 Authentication Flow ID not imported keycloak core

#9896 Override of SSO Session Max for client does not work keycloak oidc

#9959 Unexpected invalid_grant error on offline session refresh when maximum number of offline sessions is configured keycloak storage

#10164 id_token_hint for external IDP not sent after token expiry keycloak oidc

#10412 Token contains old DB values with "Always Read Value From LDAP" mapper setting keycloak ldap

#11330 Theme can auto-select rememberMe even if disabled in a realm keycloak authentication

#11340 authentication checks cause 'Cookie not found' error keycloak authentication

#11517 POST /{realm}/users/{id}/role-mappings/realm is returning 500 keycloak core

#11730 LDAP user attribute is not updated in local database keycloak ldap

#12048 Items in dropdown menu for sharing resources are not visible keycloak account/ui

#12738 Revoking consent breaks for certain client IDs keycloak account/ui

#13835 Remove `ClearExpiredUserSessions` from services module keycloak storage

#14280 Subject's common name user identity extractor doesn't work with some certificate with RDN multi-valued keycloak authentication

#14613 414 Request-URI Too Long keycloak dist/quarkus

#14650 ciba authentication policy not found in keycloak 19 keycloak oidc

#14932 Default 'first broker login' default first login flow for identity providers ignores realm user registration settings keycloak docs

#14933 jwks endpoint for X/Y coordinates in EC keypair can return less bytes than expected keycloak oidc

#15098 IDENTITY_PROVIDER_FIRST_LOGIN is never triggered keycloak identity-brokering

#15476 NPE on welcome page if setting spi-theme-default and not providing theme keycloak core

#15624 UserInfo: Role name mapper is not respected for user info endpoint keycloak core

#16329 Service Accounts Client must create the Client ID mapper with Token Claim Name as client_id keycloak oidc

#16448 Failed to obtain JDBC connection with built-in H2 in start-dev keycloak storage

#16484 When hitting the account client with the referrer parameter ,the AccountConsole doesn't support the relative Client URLs keycloak account/api

#16587 Regression related to redirect url with port 80 keycloak oidc

#16844 Get UserInfo return 401 Unauthorized keycloak oidc

#16848 New user from identity provider not having attribute mapped to user federation (LDAP) keycloak ldap

#16851 v20.0.2 attempts to URL decode same string up to 5 times for unclear reasons keycloak core

#16888 Getting notification with unknown error when trying to create duplicated sub group. keycloak admin/api

#16965 direct naked impersonation documentation is wrong keycloak token-exchange

#17187 Docker auth: IllegalArgumentException on multiple resource scopes keycloak authentication

#17242 Typo in Outgoing HTTP requests documentation keycloak docs

#17253 Container image from FIPS docs doesn't work keycloak core

#17322 Disabling features with disabled dependencies fails "Feature account2 depends on disabled feature account-api" keycloak core

#17359 Connection string for ldap user federation with multiple hosts no longer supported keycloak core

#17374 User session limit make account console crash and logout the user keycloak authentication

#17403 Keycloak 21.0.1 - Paging and filtering not working in "Assign roles" popup" keycloak admin/ui

#17439 [User Profile Enabled] Email/Password fields disappear from registration when Email as Username is on keycloak user-profile

#17441 Redirect loop with authentication success but access denied at default identity provider keycloak identity-brokering

#17456 Bug in SAML Redirect Binding with 2 validating certificates keycloak saml

#17539 Stepup issue on "remember_me" authentication : alreadyLoggedIn keycloak authentication

#17549 SAML Signature metadata loses certificate info keycloak saml

#17561 group don't have any clickable link even though it have the access right permission on UI keycloak admin/ui

#17569 Theme resource common path is always /keycloak/common keycloak core

#17587 User with "view-clients" role cannot view credentials in Admin Console, but can still use the API to fetch them. keycloak admin/ui

#17588 admin-ui: authz unable to access child group when using fine grained auth keycloak admin/ui

#17591 Username field when creating user when email is set as username keycloak admin/ui

#17592 Admin console doesn't work in case realm name changed to name with space keycloak admin/ui

#17620 /users/count endpoint with search field has different behavior than /users query endpoint keycloak storage

#17635 Error creating realm keycloak admin/ui

#17671 docker image 21.0.1 lacks a Javascript engine keycloak core

#17686 Invalid Frontend URL leads to NullPointerException in OIDC Endpoints keycloak oidc

#17808 "SAML signature key name" attribute is not well forged keycloak admin/ui

#17811 Identity Provider hard coded role mapper does not allow selection of all roles keycloak admin/ui

#17850 New Admin Console does not import X509 Certificate from metadata keycloak admin/ui

#17933 Error! Failed to send email, and Error 400 API keycloak admin/ui

#19057 Experimental configuration options included in the documentation keycloak docs

#19083 [Keycloak 21.0.1] Identity provider JWKS public key is not editable via UI keycloak admin/ui

#19094 Unable to use SAML entity descriptor with transient NameIDFormat keycloak admin/ui

#19122 Read Only Attributes - Outdated configuration guide keycloak docs

#19126 Authentication flows first paragraph seems incomplete keycloak docs

#19128 UserFederationMapperFactory does not seem to exist anymore keycloak docs

#19134 client credentials tab not visible with "view-clients" role keycloak docs

#19145 Cannot produce an access token for the admin console keycloak docs

#19162 Entity collections in Hibernate 6 can't be replaced keycloak storage

#19254 Admin-UI does not show all custom attributes of Authorization Resource keycloak admin/ui

#19261 Flaky test: PhotozExampleLazyLoadPathsAdapterTest keycloak authorization-services

#19273 Adapters tests are failing for EAP and wildfly keycloak testsuite

#19321 Hibernate 6: UnsupportedOperationException: compare() not implemented for EntityType keycloak storage

#19324 Profile is created twice when resolving ignored artifacts keycloak core

#19335 Custom implemention of OIDC Login Protocol doesn't get executed keycloak oidc

#19346 Sending 'application/jwt' Accept header to GET userinfo endpoint returns a 406 error keycloak oidc

#19363 Incorrect documentation around password policies keycloak docs

#19396 memory leak when using ldap user federations keycloak ldap

#19397 Fix SSSDTest keycloak testsuite

#19404 Inconsistent use of Enum storage in legacy store keycloak storage

#19444 Client policies tab crashes in admin console. keycloak admin/ui

#19515 Remove access not working in new account v2 app keycloak account/ui

#19662 Invalid parameter redirect_uri when using an invalid client_id keycloak oidc