Keycloak 26.4.1

1 feature, 22 fixes, 14 affected symbols

Summary

This release introduces security enhancements, notably disabling Secure Client-Initiated Renegotiation by default in Quarkus distributions, and resolves numerous bugs across authentication, token exchange, UI, and persistence layers.

Migration Steps

  1. Refer to the migration guide for a complete list of changes: https://www.keycloak.org/docs/latest/upgrading/#migration-changes

✨ New Features

  • #43020: Secure Client-Initiated Renegotiation is disabled by default (dist/quarkus).

🐛 Bug Fixes

  • #40965: Group permission denies viewing a user (admin/fine-grained-permissions).
  • #41292: openid-connect flow is missing the response type on language change (authentication).
  • #42565: Standard Token Exchange: a chain of exchanges eventually fails (token-exchange).
  • #42676: Security Defenses realm settings are lost when switching between the Headers and Brute Force Detection tabs (v25+) (admin/ui).
  • #42907: Race condition in the authorization service leads to a NullPointerException when evaluating permissions during concurrent resource deletion (authorization-services).
  • #43042: Avoid an NPE in FederatedJWTClientAuthenticator when checking for supported assertion types (core).
  • #43070: Update email page with pending verification email messages is prefilled with the old email (user-profile).
  • #43096: keycloak-operator 26.4.0 missing clusterrole permissions (docs fix).
  • #43104: Release notes fix for update email (docs fix).
  • #43161: Restarting a user session is broken for persistent sessions (infinispan).
  • #43164: Keycloak docs state that only TLSv1.3 is used (docs fix).
  • #43218: Cannot revoke an access token generated by Standard Token Exchange (oidc).
  • #43254: Make sure username and email attributes are lower-cased when fetching their values from the LDAP object (ldap).
  • #43269: Keycloak 26.4 returns a different error response than Keycloak 26.3 on a token request without a Client Assertion (private_key_jwt client authentication) (oidc).
  • #43270: Keycloak 26.4 returns a different error response than Keycloak 26.3 on a CIBA backchannel authentication request without a Client Assertion (private_key_jwt client authentication) (oidc).
  • #43286: Broken links on the DB server configuration guide (docs fix).
  • #43304: SAML Client: the "Encrypt assertions" toggle shows the wrong dialog text ("Client signature required") (saml).
  • #43328: "Remember me" user sessions remain valid after the "remember me" realm setting is disabled (authentication).
  • #43335: First JDBC_PING initialization happens in the JTA transaction context (infinispan).
  • #43349: Client session may be lost during session restart (infinispan).
  • #43394: SPIFFE client authentication does not work when the JWT SVID includes an 'iss' claim.
  • #43459: Invalid YAML in advanced Operator configurations (docs fix).

Affected Symbols