build(deps): bump kcadm to 26.4.0 #1168
Merged
+1
−1
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=80&v=4){kind=small}
Made with ❤️️ by updatecli
github-actions
bot
added
the
dependencies
gionn
approved these changes
Oct 6, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
bump kcadm to 26.4.0
GitHub Releases Update
Update version
change detected: * key "$.runs.steps[0].env.DEFAULT_KEYCLOAK_VERSION" updated from "26.3.5" to "26.4.0", in file ".github/actions/setup-kcadm/action.yml"
26.3.5
26.4.0
<div> <h2>Highlights</h2> <div class="paragraph"> <p>This release features new capabilities focused on security enhancements, deeper integration, and improved server administration. The highlights of this release are:</p> </div> <div class="ulist"> <ul> <li> <p>Passkeys for seamless, passwordless authentication of users.</p> </li> <li> <p>Federated Client Authentication to use SPIFFE or Kubernetes service account tokens for client authentication.</p> </li> <li> <p>Simplified deployments across multiple availability zones to boost availability.</p> </li> <li> <p>FAPI 2 Final: Keycloak now supports the final specifications of FAPI 2.0 Security Profile and FAPI 2.0 Message Signing.</p> </li> <li> <p>DPoP: The OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP) is now fully supported. Improvements include the ability to bind only refresh tokens for public clients, and securing all Keycloak endpoints with DPoP tokens.</p> </li> </ul> </div> <div class="paragraph"> <p>Read on to learn more about each new feature. If you are upgrading from a previous release, <a href="https://www.keycloak.org/docs/latest/upgrading/index.html">review also the changes listed in the upgrading guide</a>.</p> </div> <div class="sect2"> <h3 id="_security_and_standards">Security and Standards</h3> <div class="sect3"> <h4 id="_passkeys_integration_supported">Passkeys integration (supported)</h4> <div class="paragraph"> <p>Passkeys are now seamlessly integrated in the Keycloak login forms using both conditional and modal UIs. To activate the integration in the realm, go to <strong>Authentication</strong>, <strong>Policies</strong>, <strong>Webauthn Passwordless Policy</strong> and switch <strong>Enable Passkeys</strong> to enabled.</p> </div> <div class="paragraph"> <p>For more information, see <a href="https://www.keycloak.org/docs/26.4.0/server_admin/#passkeys_server_administration_guide">Passkeys</a>.</p> </div> </div> <div class="sect3"> <h4 id="_fapi_2_final_supported">FAPI 2 Final (supported)</h4> <div class="paragraph"> <p>Keycloak has support for the latest versions of FAPI 2 specifications. Specifications <strong>FAPI 2.0 Security Profile</strong> and <strong>FAPI 2.0 Message Signing</strong> are already promoted to Final and Keycloak supports them. Keycloak client policies support the final versions and corresponding client profiles for FAPI 2 are passing the FAPI conformance test suite.</p> </div> <div class="paragraph"> <p>Apart from some very minor polishing of existing policies, Keycloak has new client profiles (<code>fapi-2-dpop-security-profile</code> and <code>fapi-2-dpop-message-signing</code>) for the clients that use DPoP and are intended to be FAPI 2 compliant.</p> </div> <div class="paragraph"> <p>Thank you to <a href="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/tnorimat">Takashi Norimatsu</a> for contributing this.</p> </div> <div class="paragraph"> <p>For more details, see the <a href="https://www.keycloak.org/securing-apps/oidc-layers#_fapi-support">Securing applications Guides</a>.</p> </div> </div> <div class="sect3"> <h4 id="_dpop_supported">DPoP (supported)</h4> <div class="paragraph"> <p>Keycloak has support for OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP), which was a preview feature since Keycloak 23. Also, the supported version includes some improvements and minor capabilities of the DPoP feature such as the following:</p> </div> <div class="ulist"> <ul> <li> <p>Possibility to make only refresh tokens of a public client to be DPoP bound and omit the binding of an access token.</p> </li> <li> <p>All Keycloak endpoints that are secured by bearer token can now handle DPoP tokens. This includes, for example, the Admin REST API and Account REST API.</p> </li> <li> <p>Possibility to require the <code>dpop_jkt</code> parameter in the OIDC authentication request.</p> </li> </ul> </div> <div class="paragraph"> <p>Thanks to <a href="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/tnorimat">Takashi Norimatsu</a> and <a href="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/dteleguin">Dmitry Telegin</a> for their contributions to the DPoP feature.</p> </div> <div class="paragraph"> <p>For more information, see the <a href="https://www.keycloak.org/docs/26.4.0/server_admin/#_dpop-bound-tokens">DPoP section</a> in the documentation.</p> </div> </div> <div class="sect3"> <h4 id="_fips_140_2_mode_now_supports_eddsa">FIPS 140-2 mode now supports EdDSA</h4> <div class="paragraph"> <p>With the upgrade to Bouncy Castle 2.1.x, the algorithm EdDSA can now be used.</p> </div> </div> <div class="sect3"> <h4 id="_listing_supported_oauth_standards_on_one_page">Listing supported OAuth standards on one page</h4> <div class="paragraph"> <p>A new guide lists <a href="https://www.keycloak.org/securing-apps/specifications">all implemented OpenID Connect related specifications</a>. Thank you to <a href="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/tnorimat">Takashi Norimatsu</a> for contributing this.</p> </div> </div> </div> <div class="sect2"> <h3 id="_integration">Integration</h3> <div class="sect3"> <h4 id="_federated_client_authentication_preview">Federated client authentication (preview)</h4> <div class="paragraph"> <p>Identity providers are now able to federate client authentication. This allows clients to authenticate with SPIFFE JWT SVIDs, Kubernetes service account tokens, or tokens issued by an OpenID Connect identity provider.</p> </div> <div class="paragraph"> <p>This feature is currently preview, and expected to become supported in 26.5.</p> </div> </div> <div class="sect3"> <h4 id="_automatic_certificate_management_for_saml_clients">Automatic certificate management for SAML clients</h4> <div class="paragraph"> <p>The SAML clients can now be configured to automatically download the signing and encrypting certificates from the SP entity metadata descriptor endpoint. In order to use this new feature, in the client <strong>Settings</strong> tab, section <strong>Signature and Encryption</strong>, configure the <strong>Metadata descriptor URL</strong> option (the URL where the SP metadata information with the certificates is published) and activate <strong>Use metadata descriptor URL</strong>. The certificates will be automatically downloaded and cached in the <code>public-key-storage</code> SPI from that URL. This also allows for seamless rotation of certificates.</p> </div> <div class="paragraph"> <p>For more information, see <a href="https://www.keycloak.org/docs/26.4.0/server_admin/#_client-saml-configuration">Creating a SAML client</a> in the Server Administration Guide.</p> </div> </div> <div class="sect3"> <h4 id="_serving_as_an_authorization_server_in_mcp">Serving as an authorization server in MCP</h4> <div class="paragraph"> <p>MCP (Model Context Protocol) is an open-source standard for connecting AI applications to external systems. Using MCP, AI applications can connect to data sources, tools and workflows enabling them to access key information and perform tasks.</p> </div> <div class="paragraph"> <p>To comply with MCP specification, this version provides its OAuth 2.0 Server Metadata via a well-known URI whose format complies with RFC 8414 OAuth 2.0 Authorization Server Metadata specification. Therefore, Keycloak users can now use Keycloak as an authorization server for MCP.</p> </div> <div class="paragraph"> <p>The latest MCP specification 2025-06-18 additionally requires support for resource indicators which are currently not implemented in Keycloak.</p> </div> </div> </div> <div class="sect2"> <h3 id="_administration">Administration</h3> <div class="sect3"> <h4 id="_update_email_workflow_supported">Update Email Workflow (supported)</h4> <div class="paragraph"> <p>Users can now update their email addresses in a more secure and consistent flow. Accounts are forced to both re-authenticate and verify their emails before any account updates.</p> </div> <div class="paragraph"> <p>For more information, see <a href="https://www.keycloak.org/docs/26.4.0/server_admin/#_update-email-workflow">Update Email Workflow</a>.</p> </div> </div> <div class="sect3"> <h4 id="_optional_email_domain_for_organizations">Optional email domain for organizations</h4> <div class="paragraph"> <p>In earlier versions, each organization required at least one email domain, which was a limitation for some scenarios. Starting with this release, an email domain is optional. Thank you to <a href="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/SferaDev">Alexis Rico</a> for contributing this.</p> </div> <div class="paragraph"> <p>When no domain is specified, organization members will not be validated against domain restrictions during authentication and profile validation.</p> </div> </div> <div class="sect3"> <h4 id="_hiding_identity_providers_from_the_account_console">Hiding identity providers from the Account Console</h4> <div class="paragraph"> <p>You can now control which identity providers appear in the Account Console based on different options using the <code>Show in Account console</code> setting. You can choose to show only those linked with a user or hide them completely.</p> </div> <div class="paragraph"> <p>For more information, see <a href="https://www.keycloak.org/docs/26.4.0/server_admin/#_general-idp-config">General configuration</a>.</p> </div> </div> <div class="sect3"> <h4 id="_enforce_recovery_codes_setup_after_setting_up_otp">Enforce recovery codes setup after setting up OTP</h4> <div class="paragraph"> <p>If you have enabled OTPs and recovery codes as a second factor for authentication, you can configure the OTP required action to ask users to set up recovery codes once they set up an OTP. Thank you to <a href="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/dasniko">Niko Köbler</a> for contributing this.</p> </div> </div> <div class="sect3"> <h4 id="_new_conditional_authenticator">New conditional authenticator</h4> <div class="paragraph"> <p>The <strong>Conditional - credential</strong> is a new authenticator that checks if a specific credential type has been used (or not used) during the authentication process. This condition is related to the Passkeys feature. It is added by Keycloak to the default browser flow to skip 2FA in case a passkey was used to log in as the primary credential.</p> </div> <div class="paragraph"> <p>For more information about conditional flows, see <a href="https://www.keycloak.org/docs/26.4.0/server_admin/#conditions-in-conditional-flows">Conditions in conditional flows</a>.</p> </div> </div> <div class="sect3"> <h4 id="_translations_managed_by_weblate">Translations managed by Weblate</h4> <div class="paragraph"> <p>The Keycloak distribution now includes 35 community translations, with Kazakh, Azerbaijani and Slovenian added in this release. Community volunteers now maintain some of the translations in <a href="https://hosted.weblate.org/projects/keycloak/">Weblate</a> to keep them up to date.</p> </div> <div class="paragraph"> <p>If you want to volunteer to maintain an existing or a new translation via Weblate, you can find the necessary steps in the <a href="https://github.com/keycloak/keycloak/blob/main/docs/translation.md">translation guidelines</a>.</p> </div> </div> </div> <div class="sect2"> <h3 id="_configuring_and_running">Configuring and Running</h3> <div class="sect3"> <h4 id="_enhancements_for_single_cluster_and_multi_cluster_setups">Enhancements for single-cluster and multi-cluster setups</h4> <div class="paragraph"> <p>This release renamed multi-site to multi-cluster. The updated documentation describes how Keycloak clusters can be optionally distributed across multiple availability-zones within a region for increased availability. The Keycloak Operator now deploys Keycloak across multiple availability zones within a Kubernetes cluster by default. Keycloak also detects split-brains within a cluster.</p> </div> <div class="paragraph"> <p>This change should provide better availability for users who are running Keycloak in Kubernetes clusters that span multiple availability zones.</p> </div> </div> <div class="sect3"> <h4 id="_support_for_additional_databases_and_versions">Support for additional databases and versions</h4> <div class="paragraph"> <p>With this release, we added support for the following new database vendors:</p> </div> <div class="ulist"> <ul> <li> <p>EnterpriseDB (EDB) Advanced 17.6</p> </li> <li> <p>Azure SQL Database and Azure SQL Managed Instance</p> </li> </ul> </div> <div class="paragraph"> <p>Where the previous documentation stated only tested database version, it now states all the supported database versions as well.</p> </div> </div> <div class="sect3"> <h4 id="_expose_management_interface_via_http">Expose management interface via HTTP</h4> <div class="paragraph"> <p>Previous versions exposed the management endpoint only via HTTPS when the main interface was using HTTPS.</p> </div> <div class="paragraph"> <p>Set the new option <code>http-management-scheme</code> to <code>http</code> to have the management interface use HTTP rather than inheriting the HTTPS settings of the main interface. This allows monitoring those endpoints in environments where no TLS client is available.</p> </div> </div> <div class="sect3"> <h4 id="_expose_health_endpoints_on_the_main_https_port">Expose health endpoints on the main HTTP(S) port</h4> <div class="paragraph"> <p>With <code>health-enabled</code> set to true, you may set the <code>http-management-health-enabled</code> to <code>false</code> to indicate that health endpoints should be exposed on the main HTTP(s) port instead of the management port. When this option is <code>false</code> you should block unwanted external traffic to <code>/health</code> at your proxy.</p> </div> <div class="paragraph"> <p>This allows using the health endpoints in environments where the load balancer might need access to those ports to direct traffic to the correct nodes.</p> </div> </div> <div class="sect3"> <h4 id="_specify_a_tlssecret_on_the_keycloak_cr_ingress_spec">Specify a <code>tlsSecret</code> on the Keycloak CR <code>ingress</code> spec</h4> <div class="paragraph"> <p>To support basic TLS termination (edge) deployments by the operator, you may now set the Keycloak CR <code>spec.ingress.tlsSecret</code> field to a TLS Secret name in the namespace.</p> </div> </div> <div class="sect3"> <h4 id="_additional_datasources_configuration_supported">Additional datasources configuration (supported)</h4> <div class="paragraph"> <p>Some Keycloak use cases like User Federation might require connecting to additional databases. This was possible only through specifying unsupported raw Quarkus properties in previous Keycloak versions. In this release, there are now dedicated server options for additional datasources. This allows users to leverage additional databases in their extensions in a supported and user-friendly way.</p> </div> <div class="paragraph"> <p>Read more about it in the <a href="https://www.keycloak.org/server/db#configure-multiple-datasources">Configure multiple datasources</a> guide.</p> </div> </div> </div> <div class="sect2"> <h3 id="_observability">Observability</h3> <div class="sect3"> <h4 id="_operator_creates_a_servicemonitor_automatically">Operator creates a ServiceMonitor automatically</h4> <div class="paragraph"> <p>The Operator now provisions a <code>ServiceMonitor</code> for the management endpoint if metrics are enabled and the <code>monitoring.coreos.com/v1:ServiceMonitor</code> Custom Resource Definition is present on the Kubernetes cluster. The specification of the <code>ServiceMonitor</code> takes into account the various management endpoint configurations, to ensure that metrics can be scraped without any additional configuration. If you do not want a <code>ServiceMonitor</code> to be created, you can disable this by setting <code>spec.serviceMonitor.enabled: false</code>. For more details, see the <a href="https://www.keycloak.org/guides#operator">Operator Guide</a>.</p> </div> </div> <div class="sect3"> <h4 id="_http_access_logging_of_incoming_http_requests">HTTP access logging of incoming HTTP requests</h4> <div class="paragraph"> <p>Keycloak supports HTTP access logging to record details of incoming HTTP requests. While access logs are often used for debugging and traffic analysis, they are also important for security auditing and compliance monitoring.</p> </div> <div class="paragraph"> <p>For more information, see <a href="https://www.keycloak.org/server/logging">Configuring logging</a>.</p> </div> </div> <div class="sect3"> <h4 id="_showing_context_information_in_log_messages_preview">Showing context information in log messages (preview)</h4> <div class="paragraph"> <p>You can now add context information via the mapped diagnostic context (MDC) to each log message like the realm or the client that initiated the request. This helps you to track down a warning or error message in the log to a specific caller or environment Thank you to <a href="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/eicki">Björn Eickvonder</a> for contributing this.</p> </div> <div class="paragraph"> <p>For more details on this opt-in feature, see <a href="https://www.keycloak.org/server/logging">Configuring logging</a>.</p> </div> </div> </div> <h2>Upgrading</h2> <p>Before upgrading refer to <a href="https://www.keycloak.org/docs/latest/upgrading/#migration-changes">the migration guide</a> for a complete list of changes.</p> <h2>All resolved issues</h2> <h3>New features</h3> <ul> <li><a href="https://github.com/keycloak/keycloak/issues/19732">#19732</a> "linked-accounts" endpoint displays all Identity providers <code>account/api</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/40237">#40237</a> Add option "Requires short state parameter" to OIDC IDP <code>authentication</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/40696">#40696</a> Wrap deprecated passkeys authenticator behind the feature <code>authentication/webauthn</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/41316">#41316</a> Test suites config for the new test framework <code>test-framework</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/41357">#41357</a> Disable tests for specific databases and servers in test framework <code>test-framework</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/42313">#42313</a> Experimental SPIFFE identity provider </li> <li><a href="https://github.com/keycloak/keycloak/issues/42742">#42742</a> Supported EnterpriseDB Advanced 17 </li> <li><a href="https://github.com/keycloak/keycloak/issues/42743">#42743</a> Supported Azure SQL </li> </ul> <h3>Enhancements</h3> <ul> <li><a href="https://github.com/keycloak/keycloak/issues/10063">#10063</a> Display transport media for WebAuthn authenticators in Account console <code>account/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/14644">#14644</a> External IDP tokens are not refreshed automatically for OAuth2 & OIDC IDPs when retrieving the external token <code>identity-brokering</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/17028">#17028</a> SAML: Adapter SP seamless certificate rotation <code>saml</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/19213">#19213</a> Allow enabling debug and verbose via environment variables <code>dist/quarkus</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/21816">#21816</a> Expose Keycloak config errors in the Keycloak CR status field <code>operator</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/22730">#22730</a> REST API returns different amount of users <code>admin/api</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/23972">#23972</a> Improve handling config options in scripts preventing re-augmentation </li> <li><a href="https://github.com/keycloak/keycloak/issues/25668">#25668</a> Remove duplication of MP config initialization <code>dist/quarkus</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/26277">#26277</a> DPoP: Allow to only DPoP-bind refresh tokens and still issue access tokens of type Bearer <code>oidc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/26995">#26995</a> Bad performance when requesting events of a user </li> <li><a href="https://github.com/keycloak/keycloak/issues/27025">#27025</a> Move import/export validation to the Property Mappers <code>dist/quarkus</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/28846">#28846</a> Allow the target attribute on <a> in the kcSanitize <code>core</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/29295">#29295</a> Exact match in users/count </li> <li><a href="https://github.com/keycloak/keycloak/issues/30095">#30095</a> High Availability guides should make distinction between single-site and multi-site deployments <code>docs</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/31285">#31285</a> Make domains for organisations optional </li> <li><a href="https://github.com/keycloak/keycloak/issues/32129">#32129</a> Automatically create external caches for MULTI_SITE deployments </li> <li><a href="https://github.com/keycloak/keycloak/issues/32569">#32569</a> Verify email when using UPDATE_EMAIL action without depending on realm wide setting </li> <li><a href="https://github.com/keycloak/keycloak/issues/33942">#33942</a> Make sure Keycloak endpoints have DPoP validation <code>oidc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/34114">#34114</a> Operator: Support ConfigMaps for `Keycloak.spec.truststores` </li> <li><a href="https://github.com/keycloak/keycloak/issues/34206">#34206</a> Move to single approach for setting `Robots` specifications: prefer `X-Robots-Tag` header to `<meta>` tags <code>core</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/34244">#34244</a> Enable branding without code changes </li> <li><a href="https://github.com/keycloak/keycloak/issues/34777">#34777</a> [Operator] Use TLS secret for Ingress <code>operator</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/35441">#35441</a> Add FAPI 2.0 + DPoP security profile as default profile of client policies <code>oidc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/36160">#36160</a> Default values for User attributes. </li> <li><a href="https://github.com/keycloak/keycloak/issues/36268">#36268</a> Configuration is not available outside of quarkus modules </li> <li><a href="https://github.com/keycloak/keycloak/issues/37363">#37363</a> Allow custom labels on Operator Ingress <code>operator</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/37600">#37600</a> Experimental support for authenticating clients with Kubernetes Service Accounts </li> <li><a href="https://github.com/keycloak/keycloak/issues/38126">#38126</a> Improve documentation for the HEALTHCHECK Dockerfile directive <code>docs</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/38897">#38897</a> Add WASM support to the MimeTypeUtil </li> <li><a href="https://github.com/keycloak/keycloak/issues/39293">#39293</a> [OID4VCI] Update credential format identifier of SD-JWT VCs from `vc+sd-jwt` to `dc+sd-jwt` <code>oid4vc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/39299">#39299</a> Improve docs, and possibly defaults, around ldap pooling </li> <li><a href="https://github.com/keycloak/keycloak/issues/39342">#39342</a> Description for using too many threads / connections is incomplete <code>core</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/39658">#39658</a> OpenTelemetry Tracing: Visualize JGroups communication <code>infinispan</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/39812">#39812</a> Add filter to include/fill MDC with request specific data for json logging </li> <li><a href="https://github.com/keycloak/keycloak/issues/40061">#40061</a> Redundant null-checks. SAST </li> <li><a href="https://github.com/keycloak/keycloak/issues/40067">#40067</a> Always null field in KeySelectorUtilizingKeyNameHint. SAST </li> <li><a href="https://github.com/keycloak/keycloak/issues/40069">#40069</a> Possible dereference of Null </li> <li><a href="https://github.com/keycloak/keycloak/issues/40226">#40226</a> Review and update the documentation regarding the UPDATE EMAIL feature </li> <li><a href="https://github.com/keycloak/keycloak/issues/40227">#40227</a> Make UPDATE_EMAIL a supported feature </li> <li><a href="https://github.com/keycloak/keycloak/issues/40231">#40231</a> Improve javadoc for admin-client methods with injecting own resteasyClient <code>admin/client-java</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/40296">#40296</a> Update docs how to verify that a cluster has formed </li> <li><a href="https://github.com/keycloak/keycloak/issues/40377">#40377</a> Allow to expose IDP custom config values to Keycloak themes </li> <li><a href="https://github.com/keycloak/keycloak/issues/40388">#40388</a> Write documentation for additional datasources <code>docs</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/40406">#40406</a> Create ServiceMonitor via KC Operator </li> <li><a href="https://github.com/keycloak/keycloak/issues/40464">#40464</a> Improve extensibility of custom AccountConsole endpoint handling <code>account/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/40481">#40481</a> Provide CLI Parameters for jgroups.* options <code>infinispan</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/40592">#40592</a> Upgrade to the Quarkus 3.24.2 version <code>dist/quarkus</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/40619">#40619</a> When editing protocol mappers, shows required properties <code>admin/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/40629">#40629</a> Signs of fall-through behavior. SAST </li> <li><a href="https://github.com/keycloak/keycloak/issues/40630">#40630</a> Double check when working with multithreading. SAST </li> <li><a href="https://github.com/keycloak/keycloak/issues/40659">#40659</a> Possible Dereference of Null. SAST </li> <li><a href="https://github.com/keycloak/keycloak/issues/40660">#40660</a> Resources leak. SAST </li> <li><a href="https://github.com/keycloak/keycloak/issues/40677">#40677</a> Redundant null checks - operator new. SAST </li> <li><a href="https://github.com/keycloak/keycloak/issues/40683">#40683</a> Remove workaround for handling Syslog counting framing </li> <li><a href="https://github.com/keycloak/keycloak/issues/40687">#40687</a> Remove workaround for PostgreSQL and Liquibase </li> <li><a href="https://github.com/keycloak/keycloak/issues/40739">#40739</a> Avoid floating promises in UI code <code>account/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/40761">#40761</a> Change naming for disabling additional datasource </li> <li><a href="https://github.com/keycloak/keycloak/issues/40792">#40792</a> Changing default passwordless webauthn policy to follow recommended values in the documentation <code>authentication/webauthn</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/40851">#40851</a> Upgrade to Infinispan 15.0.16.Final </li> <li><a href="https://github.com/keycloak/keycloak/issues/40855">#40855</a> External-internal token exchange independent from FGAP v1 <code>token-exchange/federated</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/40858">#40858</a> Check cluster is correctly formed in ClusteredKeycloakServer <code>test-framework</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/40874">#40874</a> Update code and documentation for import of a new realm </li> <li><a href="https://github.com/keycloak/keycloak/issues/40875">#40875</a> Improve memory footprint of single file realm import </li> <li><a href="https://github.com/keycloak/keycloak/issues/40923">#40923</a> Compliant with RFC8414, return server metadata at /.well-known/oauth-authorization-server/realms/{realm} <code>core</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/40926">#40926</a> More secure call of Facebook debug token <code>token-exchange/federated</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/40933">#40933</a> Allow configure encryption details for SAML clients <code>saml</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/40962">#40962</a> Update limitations of the preview feature rolling updates for patch releases <code>infinispan</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/40970">#40970</a> Run clustering compatibility tests on release/x.y branches </li> <li><a href="https://github.com/keycloak/keycloak/issues/41014">#41014</a> Operator auto update hash <code>operator</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/41022">#41022</a> Allow Features to declare that they support Rolling upgrades </li> <li><a href="https://github.com/keycloak/keycloak/issues/41034">#41034</a> Improve logging for client sessions load </li> <li><a href="https://github.com/keycloak/keycloak/issues/41045">#41045</a> Update email feature only enabled if the required action is enabled at the realm </li> <li><a href="https://github.com/keycloak/keycloak/issues/41074">#41074</a> Import client sessions into Infinispan concurrently for persistent sessions </li> <li><a href="https://github.com/keycloak/keycloak/issues/41119">#41119</a> FAPI 2.0 Security Profile Final - only accept its issuer identifier value as a string in the aud claim received in client authentication assertions <code>oidc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/41120">#41120</a> FAPI 2.0 Security Profile Final - Add FAPI 2.0 Final security profile as default profile of client policies <code>oidc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/41121">#41121</a> FAPI 2.0 Security Profile Final - Documentation <code>oidc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/41138">#41138</a> Implement CompatibilityMetadataProvider for Cache CLI args </li> <li><a href="https://github.com/keycloak/keycloak/issues/41151">#41151</a> Update Traditional Chinese locale to latest version </li> <li><a href="https://github.com/keycloak/keycloak/issues/41161">#41161</a> Require setting DB kind for additional datasources <code>dist/quarkus</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/41172">#41172</a> Upgrade to Quarkus 3.24.3 </li> <li><a href="https://github.com/keycloak/keycloak/issues/41176">#41176</a> Document supported OIDC/OAuth2 standards <code>oidc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/41186">#41186</a> Upgrade to Quarkus 3.25.0 <code>dist/quarkus</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/41192">#41192</a> Improve handling of datasource name specified in `persistence.xml` files <code>dist/quarkus</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/41208">#41208</a> MDC logging should contain the authentication session and user session ID </li> <li><a href="https://github.com/keycloak/keycloak/issues/41214">#41214</a> Document configuration changes that prevent rolling updates </li> <li><a href="https://github.com/keycloak/keycloak/issues/41219">#41219</a> Document spi-user-sessions--infinispan--use-batches </li> <li><a href="https://github.com/keycloak/keycloak/issues/41222">#41222</a> Provide DB SQL options support for additional datasources <code>dist/quarkus</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/41229">#41229</a> Remove obsolete code for the Liquibase LogHistoryService <code>core</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/41239">#41239</a> Migrate to zh-Hans / zh-Hant for simplified and traditional Chinese <code>translations</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/41246">#41246</a> Upgrade to Quarkus 3.24.4 <code>dist/quarkus</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/41257">#41257</a> Upgrade to Infinispan 15.0.18.Final <code>infinispan</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/41259">#41259</a> Passkeys support in IdpUsernamePasswordForm <code>authentication/webauthn</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/41283">#41283</a> Update ua-parser to 1.6.1 </li> <li><a href="https://github.com/keycloak/keycloak/issues/41293">#41293</a> Remove obsolete Liquibase FK snapshot generator <code>storage</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/41297">#41297</a> Implement CompatibilityMetadataProvider for DB options </li> <li><a href="https://github.com/keycloak/keycloak/issues/41303">#41303</a> Allow for health check on main interface </li> <li><a href="https://github.com/keycloak/keycloak/issues/41312">#41312</a> FAPI 2.0 Message Signing Final - Add FAPI 2.0 Final message singning as default profile of client policies <code>oidc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/41313">#41313</a> FAPI 2.0 Message Signing Final - Documentation <code>oidc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/41328">#41328</a> Utilise table to display Features </li> <li><a href="https://github.com/keycloak/keycloak/issues/41335">#41335</a> Kerberos "Server Principal" value should automatically trim leading/trailing whitespace </li> <li><a href="https://github.com/keycloak/keycloak/issues/41352">#41352</a> Provide simple HTTP access logs <code>dist/quarkus</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/41354">#41354</a> Avoid OTP when logging in with passkey </li> <li><a href="https://github.com/keycloak/keycloak/issues/41374">#41374</a> Upgrade to Quarkus 3.24.5 <code>dist/quarkus</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/41405">#41405</a> Add log details about client assertion for client authentication with Client-JWT </li> <li><a href="https://github.com/keycloak/keycloak/issues/41455">#41455</a> Adds TiDB into the database test matrix </li> <li><a href="https://github.com/keycloak/keycloak/issues/41459">#41459</a> Query parameter "claims" not forwarded to external provider <code>identity-brokering</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/41551">#41551</a> Support for key size 3072 in rsa-generated key providers </li> <li><a href="https://github.com/keycloak/keycloak/issues/41556">#41556</a> Switch passkeys to supported <code>authentication/webauthn</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/41557">#41557</a> Update passkeys documentation after they are supported <code>docs</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/41558">#41558</a> Ensure cache configuration has correct number of owners </li> <li><a href="https://github.com/keycloak/keycloak/issues/41559">#41559</a> Simplify Cache Configuration file by removing built-in cache configurations </li> <li><a href="https://github.com/keycloak/keycloak/issues/41561">#41561</a> Detect and handle KC split brain clusters </li> <li><a href="https://github.com/keycloak/keycloak/issues/41585">#41585</a> Refactor high-availability guide to include both single and multi cluster architectures </li> <li><a href="https://github.com/keycloak/keycloak/issues/41613">#41613</a> Ability to display 'authenticator provider' of the WebAuthn credential <code>authentication/webauthn</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/41625">#41625</a> Login[v2]: "Update email" screen is not polished <code>login/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/41666">#41666</a> Default to stretched clusters on Kubernetes when possible </li> <li><a href="https://github.com/keycloak/keycloak/issues/41670">#41670</a> Allow forwarding the `claims` parameter from the initial authorization request to brokered OPs </li> <li><a href="https://github.com/keycloak/keycloak/issues/41717">#41717</a> Upgrade to Quarkus 3.25.2 <code>dist/quarkus</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/41729">#41729</a> Define default topologySpreadConstraints </li> <li><a href="https://github.com/keycloak/keycloak/issues/41765">#41765</a> Add Azerbaijani translations <code>translations</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/41766">#41766</a> Add the ability to set abritrary environment variables in Keycloak CR </li> <li><a href="https://github.com/keycloak/keycloak/issues/41820">#41820</a> Add a warning about provider jars </li> <li><a href="https://github.com/keycloak/keycloak/issues/41831">#41831</a> Improve autocomplete on mobile for OTP field </li> <li><a href="https://github.com/keycloak/keycloak/issues/41836">#41836</a> Add config option to Configure OTP action to automatically add RecoveryCodes action upon OTP creation. </li> <li><a href="https://github.com/keycloak/keycloak/issues/41837">#41837</a> Remove OIDCLoginProtocolService.certsHead() <code>oidc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/41870">#41870</a> Kazakh (kk) locale support with translations <code>translations</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/41898">#41898</a> Clarify the documentation on automatic database schema downgrades <code>core</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/41901">#41901</a> FGAP v2: RESET_PASSWORD capability for USERS </li> <li><a href="https://github.com/keycloak/keycloak/issues/41933">#41933</a> Configure topology information in Infinispan </li> <li><a href="https://github.com/keycloak/keycloak/issues/41934">#41934</a> Infinispan 15.0.19.Final </li> <li><a href="https://github.com/keycloak/keycloak/issues/41950">#41950</a> Log applied cache configurations as part of debug logs </li> <li><a href="https://github.com/keycloak/keycloak/issues/42016">#42016</a> More flexible handling of params, headers and entities for SimpleHTTP </li> <li><a href="https://github.com/keycloak/keycloak/issues/42030">#42030</a> Could the list of supported DPoP algorithms be dynamically retrieved? <code>oidc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/42031">#42031</a> Minor enhancements in the DPoP related codebase <code>oidc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/42032">#42032</a> Switch DPoP feature to supported <code>oidc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/42047">#42047</a> Skip configuring `jdbc-ping` stack in local mode </li> <li><a href="https://github.com/keycloak/keycloak/issues/42094">#42094</a> keycloak oob (out-of-band) copy button <code>login/ui</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/42096">#42096</a> Concurrently update the remote caches </li> <li><a href="https://github.com/keycloak/keycloak/issues/42180">#42180</a> Cache UserAgent parsing result </li> <li><a href="https://github.com/keycloak/keycloak/issues/42186">#42186</a> Document network latency requirements for stretched clusters </li> <li><a href="https://github.com/keycloak/keycloak/issues/42191">#42191</a> Document mtls considerations for probes </li> <li><a href="https://github.com/keycloak/keycloak/issues/42203">#42203</a> Upgrade to Quarkus 3.27 LTS </li> <li><a href="https://github.com/keycloak/keycloak/issues/42269">#42269</a> Some 409 API responses are missing from the OpenAPI spec <code>core</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/42274">#42274</a> Session IDs and auth codes have less than 128 bits of entropy </li> <li><a href="https://github.com/keycloak/keycloak/issues/42283">#42283</a> More efficient secure ID generator </li> <li><a href="https://github.com/keycloak/keycloak/issues/42286">#42286</a> Support EdDSA for DPoP <code>oidc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/42293">#42293</a> Set Liquibase DB type based on the `db` option <code>storage</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/42300">#42300</a> Validate wait_timeout parameter on MySQL and MariaDB </li> <li><a href="https://github.com/keycloak/keycloak/issues/42304">#42304</a> Document tested and supported configurations for single-cluster deployments </li> <li><a href="https://github.com/keycloak/keycloak/issues/42305">#42305</a> Document that single-cluster deployments expect all Keycloak instances to serve traffic </li> <li><a href="https://github.com/keycloak/keycloak/issues/42308">#42308</a> Support Aurora PostgreSQL 17.5 in Keycloak's nightly run </li> <li><a href="https://github.com/keycloak/keycloak/issues/42342">#42342</a> Upgrade to Quarkus 3.26.2 <code>dist/quarkus</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/42356">#42356</a> Support MariaDB 11.8 LTS </li> <li><a href="https://github.com/keycloak/keycloak/issues/42358">#42358</a> Remove usage of the term "stretched" from single-cluster HA guides </li> <li><a href="https://github.com/keycloak/keycloak/issues/42374">#42374</a> Concurrent update embedded caches and database </li> <li><a href="https://github.com/keycloak/keycloak/issues/42381">#42381</a> [RLM] - Validate actions that support aggregating actions </li> <li><a href="https://github.com/keycloak/keycloak/issues/42382">#42382</a> [RLM] - Immediate policies should not allow setting a time to their actions </li> <li><a href="https://github.com/keycloak/keycloak/issues/42384">#42384</a> [RLM] Allow adding and removing actions to existing policies </li> <li><a href="https://github.com/keycloak/keycloak/issues/42385">#42385</a> [RLM] Scheduled time of actions should be based on the previous action </li> <li><a href="https://github.com/keycloak/keycloak/issues/42389">#42389</a> [RLM] Review the available event names to makre more explicit the resource type and the operation they are related to </li> <li><a href="https://github.com/keycloak/keycloak/issues/42392">#42392</a> Link to quay IO website for the Keycloak image in upstream <code>docs</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/42409">#42409</a> Wrong form to enter username and password for an unknown user <code>organizations</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/42499">#42499</a> Follow-up: FAPI 2.0 Message Signing final version support - updating the link to the final spec <code>oidc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/42525">#42525</a> Catch specific expeception and add logging when there is no active request context </li> <li><a href="https://github.com/keycloak/keycloak/issues/42532">#42532</a> Edit Keycloak 26.4 release notes </li> <li><a href="https://github.com/keycloak/keycloak/issues/42547">#42547</a> Replace UUID with composite key for client session cache <code>infinispan</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/42564">#42564</a> Edit Keycloak 26.4 Upgrading Guide </li> <li><a href="https://github.com/keycloak/keycloak/issues/42628">#42628</a> Lazy load client sessions </li> <li><a href="https://github.com/keycloak/keycloak/issues/42697">#42697</a> [RLM] - Improve the Workflow JSON schema </li> <li><a href="https://github.com/keycloak/keycloak/issues/42705">#42705</a> Document Caffeine cache metrics </li> <li><a href="https://github.com/keycloak/keycloak/issues/42728">#42728</a> DPoP: documentation update <code>oidc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/42733">#42733</a> Test JDK 25 in CI <code>ci</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/42740">#42740</a> Possibility to enforce authorization code binding to DPoP <code>oidc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/42746">#42746</a> Polishing of client switch on DPoP <code>oidc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/42751">#42751</a> Allow EdDSA keys in the JWTClientCredentialsProvider to authenticate clients <code>core</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/42755">#42755</a> [OID4VCI] Filter supported_enc_algorithms to only include asymmetric algorithms <code>oid4vc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/42756">#42756</a> Add missing Swedish translation for login theme </li> <li><a href="https://github.com/keycloak/keycloak/issues/42888">#42888</a> [RLM] - Allow defining steps in a workflow that can run immediate or scheduled </li> <li><a href="https://github.com/keycloak/keycloak/issues/42916">#42916</a> [RLM] - Dot not allow updates to workflow properties that impact the scheduled steps <code>workflows</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/42927">#42927</a> Update OID4VCI documentation with new .well-known URL format <code>oid4vc</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/42955">#42955</a> Use JDK 25 Temurin in GHA CI <code>ci</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/43017">#43017</a> OID4VCI in the release notes for 26.4.0 <code>docs</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/43035">#43035</a> Allow setting max age to the update email action </li> </ul> <h3>Bugs</h3> <ul> <li><a href="https://github.com/keycloak/keycloak/issues/26972">#26972</a> NginxProxySslClientCertificateLookupFactory unable to work with custom trust stores <code>core</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/35825">#35825</a> Per client session idle time capped by realm level client idle timeout <code>core</code></li> <li><a href="https://github.com/keycloak/keycloak/issues/35932">#35932</a> Importing a realm takes more than 1 minute when multiple others exist. <code>dist/quar...