26.1.0

📦 keycloak
Summary

This release defaults cluster discovery to the more cloud-friendly `jdbc-ping` transport stack and fully supports OpenTelemetry Tracing. It also introduces Virtual Threads support on OpenJDK 21 and adds OIDC standard support for initiating user registration via `prompt=create`.

Migration Steps

  1. If you relied on UDP multicast for cluster discovery, no action is required as `jdbc-ping` is the new default and should work out-of-the-box.
  2. If you need to revert to the previous UDP multicast behavior for cluster discovery, configure the transport stack to use `udp` (note: `udp` is now deprecated).
  3. If running on OpenJDK 21, you can remove any manual configuration related to aligning JGroups thread pools.

✨ New Features

  • Transport stack now defaults to `jdbc-ping` for cluster node discovery, removing reliance on UDP multicast.
  • Virtual thread pool support is automatically enabled for Infinispan and JGroups when running on OpenJDK 21.
  • OpenTelemetry Tracing is now fully supported and enabled by default.
  • OpenTelemetry Tracing now supports custom spans for HTTP requests (incoming/outgoing, including IdP brokerage), database operations, LDAP requests, and time-consuming operations (e.g., password hashing).
  • OpenTelemetry Tracing configuration is now supported via Keycloak CR in Keycloak Operator.
  • Ability to set category-specific log levels using individual `log-level-category` options.
  • OID4VCI (OpenID for Verifiable Credential Issuance) feature has received significant improvements in dynamism and customizability.
  • Added support for Minimum ACR value configuration on OIDC realm clients to enforce step-up authentication levels.
  • Support for the OIDC standard parameter `prompt=create` to initiate user registration.
  • New option `Generate certificate` for EC-DSA and Ed-DSA key providers to generate a certificate when a realm administrator creates the key.
  • Support for binding Authorization Code to a DPoP Key.

🐛 Bug Fixes

  • When `--cache-config-file` is not set, the default Infinispan XML configuration file is now correctly set to `conf/cache-ispn.xml`.

⚡ Deprecations

  • The dedicated endpoint `/realms/<realm>/protocol/openid-connect/registrations` for initiating user registration is deprecated in favor of using the standard OIDC parameter `prompt=create`.