26.4.0
📦 keycloak (9 features)
Summary
This release introduces significant security and standards enhancements, including Passkeys, full DPoP support, and FAPI 2 Final compliance. It also adds integration improvements like Federated Client Authentication (preview) and automatic certificate management for SAML clients.
Migration Steps
- If you are upgrading from a previous release, review the changes listed in the upgrading guide: https://www.keycloak.org/docs/latest/upgrading/index.html
✨ New Features
- Passkeys are now seamlessly integrated in the Keycloak login forms using both conditional and modal UIs.
- Federated Client Authentication allows clients to authenticate with SPIFFE JWT SVIDs, Kubernetes service account tokens, or tokens issued by an OpenID Connect identity provider (currently preview).
- Keycloak now supports the final specifications of FAPI 2.0 Security Profile and FAPI 2.0 Message Signing.
- Full support for OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP, RFC 9449), including an option to bind only the refresh token (leaving the access token unbound) for public clients, and acceptance of DPoP-bound tokens on all Keycloak endpoints.
- FIPS 140-2 mode now supports the EdDSA algorithm due to the upgrade to Bouncy Castle 2.1.x.
- A new guide lists all implemented OpenID Connect related specifications.
- SAML clients can now be configured to automatically download signing and encrypting certificates from the SP entity metadata descriptor endpoint.
- Keycloak provides its OAuth 2.0 Authorization Server Metadata via a well-known URI compliant with RFC 8414, allowing Keycloak to serve as an authorization server for MCP (Model Context Protocol) clients, which discover the authorization server through this metadata.
- Users can now update their email addresses in a more secure and consistent flow requiring re-authentication and email verification.