Change8

26.4.4

Project: keycloak
3 features, 24 fixes, 14 symbols

Summary

This release introduces several enhancements, including role authorization for workflows and rate limiting of verification emails, alongside numerous bug fixes addressing issues in the admin UI, LDAP handling, session management and memory leaks, and fine-grained admin permissions (FGAP).

Migration Steps

  1. Refer to the migration guide for a complete list of changes: https://www.keycloak.org/docs/latest/upgrading/#migration-changes

✨ New Features

  • Allow hiding client scopes from scopes_supported in the discovery endpoint.
  • Add rate limiter for sending verification emails during email update context.
  • Implement role authorization for workflows in admin/api.

🐛 Bug Fixes

  • Fixed issue where new attribute groups could not be saved in admin/ui.
  • Resolved error when changing user profile attributes repeatedly in admin/ui.
  • Fixed ExternalLinksTest broken due to missing path parameters in docs.
  • Removed duplicate email fields on the temporarily-locked-out sign-in screen with organization identity-first login.
  • Fixed regression in DEBUG_PORT handling since 26.4.0 where host binding (*:port / 0.0.0.0:port) stopped working in dist/quarkus.
  • Addressed FGAP/UI issue where reset-password succeeded but UI showed 403 without Users:manage permission.
  • Improved DPoP proof replay check to correctly consider clock skew in oidc.
  • Fixed slow deletion and failure when deleting a Client with many existing client sessions in core.
  • Resolved issue where the 'admin' client role incorrectly required a server admin user in admin/api.
  • Fixed 403 Forbidden when assigning realm-management client roles with realm-admin despite FGAP being disabled (regression in 26.4.0+).
  • Fixed FGAP issue where users could no longer open the account management page due to a reset-password issue.
  • Resolved regression in 26.4.1 that broke existing LDAP users whose username contains capital letters.
  • Addressed database deadlocks observed when syncing roles.
  • Fixed Role Mapper updating the user on every login in identity-brokering.
  • Ensured only the 'none' verifier is added when attestation conveyance preference is none (or default) in authentication/webauthn.
  • Fixed refresh tokens for offline sessions still being accepted after the related scope had been removed.
  • Resolved FGAP V2 issue causing reset-password scope error when viewing users with only Group permissions in core.
  • Fixed memory leak due to leaking KeycloakSession instances in admin/api.
  • Resolved QuarkusKeycloakSession not being garbage collected when running Liquibase in dist/quarkus.
  • Fixed QuarkusKeycloakSession being kept in memory for each timer in core.
  • Fixed service monitor check using the wrong namespace under OLMv1 in operator.
  • Resolved QuarkusKeycloakSession leak in DeclarativeUserProfileProvider in user-profile.
  • Ensured the logout endpoint removes the authentication session in oidc.
  • Fixed JS CI failing after normalization in testsuite.
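
The DPoP entry above states only that the replay check now accounts for clock skew. The following Python sketch is an added illustration of the general requirement behind such a fix; it is not Keycloak's code and does not describe the specific defect that was fixed. It shows that a `jti` replay cache must retain an entry for the whole acceptance window, skew tolerance included: if the cache entry expires after only the proof lifetime while the window also tolerates skew, a proof minted with a future-dated `iat` can be replayed once its entry is gone but while it is still inside the window. The `DpopReplayChecker` class, the `replay_outcome` helper, the 60 s lifetime, the 30 s skew and the proof claims are all constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class DpopReplayChecker:
    """Replay check for DPoP proofs (illustrative, not Keycloak's code).

    A proof is accepted when its `iat` lies in
    [now - lifetime - skew, now + skew]: it may be at most `lifetime`
    seconds old, and the client clock may be off by `skew` seconds in
    either direction. Every accepted `jti` is cached until the proof
    could no longer be accepted, which is `iat + lifetime + skew`.
    """
    lifetime: int = 60          # seconds a proof stays valid (assumed value)
    skew: int = 30              # tolerated clock skew in seconds (assumed value)
    account_for_skew: bool = True
    _seen: dict = field(default_factory=dict)  # jti -> last instant it is acceptable

    def _evict(self, now: int) -> None:
        # Drop entries for proofs that can no longer be accepted at `now`.
        for jti in [j for j, last in self._seen.items() if last < now]:
            del self._seen[jti]

    def accept(self, proof: dict, now: int) -> bool:
        """Return True if `proof` is inside the window and its jti is unseen."""
        self._evict(now)
        iat, jti = proof["iat"], proof["jti"]
        if iat < now - self.lifetime - self.skew or iat > now + self.skew:
            return False                      # too old, or too far in the future
        if jti in self._seen:
            return False                      # replay
        if self.account_for_skew:
            last_acceptable = iat + self.lifetime + self.skew
        else:
            # Buggy variant: the cache entry dies `skew` seconds before the
            # proof leaves the acceptance window.
            last_acceptable = iat + self.lifetime
        self._seen[jti] = last_acceptable
        return True


def replay_outcome(account_for_skew: bool) -> tuple:
    """Present the same future-dated proof twice; return (first, replay)."""
    checker = DpopReplayChecker(account_for_skew=account_for_skew)
    t0 = 1_700_000_000
    # Constructed proof claims: the client's clock runs 30 s ahead, which is
    # exactly the tolerated skew, so the proof is accepted at t0.
    proof = {"jti": "jti-constructed-0001", "iat": t0 + 30}
    first = checker.accept(proof, now=t0)
    # 100 s later the proof is still inside the window
    # (iat >= t0 + 100 - 60 - 30 = t0 + 10), so only the cache stops a replay.
    replay = checker.accept(proof, now=t0 + 100)
    return first, replay


if __name__ == "__main__":
    print("cache TTL without skew:", replay_outcome(False))  # (True, True)
    print("cache TTL with skew:   ", replay_outcome(True))   # (True, False)
```

The point generalises beyond DPoP: whenever a server tolerates clock skew on a timestamped, single-use token, the replay record must outlive the token by at least that skew, otherwise the skew tolerance silently widens the replay window by the same amount.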

Affected Symbols