Skip to content

fix(deps): update dependency @keycloak/keycloak-admin-client to v26.7.0#9735

Open
backstage-goalie[bot] wants to merge 1 commit into
mainfrom
renovate/keycloak-keycloak-admin-client-26.x
Open

fix(deps): update dependency @keycloak/keycloak-admin-client to v26.7.0#9735
backstage-goalie[bot] wants to merge 1 commit into
mainfrom
renovate/keycloak-keycloak-admin-client-26.x

Conversation

@backstage-goalie

@backstage-goalie backstage-goalie Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package Change Age Confidence
@keycloak/keycloak-admin-client (source) 26.6.326.7.0 age confidence

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


Release Notes

keycloak/keycloak (@​keycloak/keycloak-admin-client)

v26.7.0

Compare Source

Highlights

This release features new capabilities for users and administrators of Keycloak. The highlights of this release are:

  • Automate user provisioning with the SCIM API (preview)

  • Simplified multi-cluster high availability without external caches (preview)

  • Enhanced reverse proxy guides with blueprints for HAProxy and Traefik

  • Step-up authentication for SAML clients

Read on to learn more about each new feature. If you are upgrading from a previous release, also review the changes listed in the upgrading guide.

Security and Standards

Stronger security for the Identity Brokering API

The Identity Brokering API allows applications to retrieve tokens obtained from external identity providers during federated login. Version 2 of this API replaces the legacy V1 with a more secure and standards-compliant design:

  • Client-level authorization — access to external tokens is controlled per client using dedicated settings (Allow retrieve external tokens and an identity provider allow list) instead of assigning broker roles to individual users.

  • Confidential clients only — public clients are rejected, ensuring that only authenticated clients can retrieve external tokens.

  • OAuth 2.0 compliant — the endpoint uses POST and returns standard JSON responses with access_token, error, and error_description fields.

  • Session-based token storage — a new Store token in session option keeps tokens in the user session for faster access, with automatic cleanup on session expiry. Database storage remains available for persistence across sessions.

V2 is now supported but disabled by default. V1 is deprecated but still enabled by default for backward compatibility. In a future release, V1 will be removed and V2 will become the default.

For more information, see the Identity Brokering APIs chapter in the Server Developer Guide.

Progress on Verifiable Credentials (OID4VCI) (experimental)

Verifiable Credentials (OID4VCI) allow organizations to issue tamper-proof, cryptographically signed credentials — such as employee badges, academic diplomas, or professional certifications — that users can store in a digital wallet and present to third parties without involving the issuer.

OID4VCI remains an experimental feature in Keycloak, but this release brings substantial improvements from both the core team and the community:

  • Polishing of existing functionality and improving configuration. Everything is now configurable in the admin UI in addition to the admin REST API.

  • Lots of bugs fixed. Improved specification compliance.

  • Conformance with the OpenID4VC High Assurance Interoperability Profile (HAIP). This work involves the introduction of the dedicated Keycloak experimental feature client-auth-abca for Attestation based client authentication (ABCA).

  • Management of verifiable credentials for individual users. This involves the ability for an administrator to create a verifiable credential for a user to indicate that this user can retrieve a verifiable credential, as well as the ability for users to start issuance of a verifiable credential from the Keycloak account console.

  • Pre-authorized code grant support is still experimental and was moved to the dedicated experimental feature oid4vc-vci-preauth-code

  • Support for credential refresh interval. Administrators can now configure a separate refresh interval (vc.refresh_interval_in_seconds) in the client scope settings that controls how often wallets must refresh the credential, independent of the credential lifetime. When not explicitly set, defaults to 7 days or the credential lifetime, whichever is smaller. This enables regular credential rotation for enhanced security while maintaining user convenience through automatic refresh using the refresh token. For more information, see the Create Client Scopes with Mappers section in the OID4VCI configuration guide.

  • Documentation updated and improved

Cross-domain token exchange with Identity Assertion JWT Grant (experimental)

When two organizations each run their own authorization server, users often need to re-authenticate when crossing between them — even though their identity was already verified. The Identity Assertion JWT Authorization Grant (ID-JAG) solves this by allowing one authorization server to present a signed identity assertion to another, which then issues an access token without requiring the user to log in again.

Keycloak provides partial experimental support for the Identity Assertion JWT Authorization Grant. It currently implements only the receiving authorization server role, accepting ID-JAG assertions at the token endpoint and issuing access tokens in return. Other parts of the ID-JAG specification are not yet implemented, so the complete flow is not currently supported.

To try it out, start Keycloak with the feature identity-assertion-jwt enabled.

Many thanks to Yutaka Obuchi for the contribution of this feature!

Automate user provisioning with the SCIM API (preview)

SCIM (System for Cross-domain Identity Management) is a standard protocol for reading and writing identity resources such as users and groups across multiple systems. It enables organizations to automate user provisioning and deprovisioning using widely available tooling — for example, integrating with identity governance platforms, HR systems, or other identity providers.

Keycloak has SCIM APIs for managing users and groups within a realm. The implementation covers full CRUD and PATCH operations, filtering and pagination, schema extensions including the Enterprise User extension, and schema discovery endpoints.

In this release, the SCIM API is being promoted to a preview feature. In the default profile it is disabled by default; to try it out, enable the scim-api feature.

For more details, see the Managing users and groups through SCIM documentation.

Real-time security signals to downstream applications (experimental)

When a user logs out, changes credentials, or gets disabled in Keycloak, downstream applications typically don&#​8217;t learn about it until the next token refresh — leaving a window where stale sessions remain active. The OpenID Shared Signals Framework (SSF) closes this gap by letting identity providers push security events to relying parties in near real time.

Keycloak can now act as an SSF Transmitter, delivering signed Security Event Tokens (SETs) to registered receivers. It supports CAEP 1.0 and RISC 1.0 event profiles with both push (RFC 8935) and poll (RFC 8936) delivery methods. Events are persisted to a durable outbox so that no signal is lost across restarts, and a cluster-aware background drainer handles retries and exponential backoff. Each realm can opt in individually, and streams, subjects, and event types are managed through the admin console and REST API.

To enable SSF, start Keycloak with the feature ssf enabled.

For more details, see the Shared Signals Framework guide.

Standardized authorization decisions with AuthZen (experimental)

Applications that need fine-grained authorization typically call Keycloak&#​8217;s proprietary authorization API, coupling them to its internal model. The OpenID AuthZEN Authorization API 1.0 defines a vendor-neutral protocol between Policy Decision Points (PDPs) and Policy Enforcement Points (PEPs), enabling applications to request authorization decisions through a standard interface.

Keycloak now implements the AuthZEN Evaluation API as a PDP. Applications send evaluation requests describing a subject, resource, and action, and Keycloak returns a permit or deny decision based on its configured authorization policies. Both single and batch evaluation endpoints are available.

To enable AuthZen, start Keycloak with the feature authzen enabled.

For more details, see the AuthZen Authorization guide.

Authorize AI tools and MCP servers

The Model Context Protocol (MCP) is becoming the standard way for AI applications to connect to external tools and data sources. As MCP adoption grows, securing these connections with proper OAuth 2.0 authorization is critical.

Keycloak continues to improve its MCP authorization server capabilities. This release adds integration documentation for Claude Code as an MCP client, alongside the existing Visual Studio Code integration. Both use OAuth Client ID Metadata Document (CIMD) for dynamic client registration with PKCE-secured public client flows and localhost callbacks.

For setup instructions, see the Integrating with Model Context Protocol (MCP) guide.

Delegate access across services with Token Exchange Delegation (experimental)

In multi-service architectures, a backend service sometimes needs to act on behalf of a user at another service — for example, when a gateway delegates work to a downstream API. Standard Token Exchange handles client-to-client token swaps, but verifying that the requester is authorized to impersonate a specific user requires additional checks.

Keycloak introduces token exchange delegation as an experimental feature. It adds a new delegation parameterized scope type that validates whether the requesting user is authorized to act on behalf of the target user before the exchange is granted. The delegation scope requires user consent and is automatically reassessed on token refresh, so revoked impersonation rights take effect immediately.

To enable token exchange delegation, start Keycloak with the feature token-exchange-delegation enabled.

Step-up authentication for SAML clients

Step-up authentication allows applications to require a stronger level of authentication for sensitive operations. Previously, this capability was only available for OpenID Connect clients.

Keycloak now extends step-up authentication to the SAML protocol, enabling SAML service providers to request a specific authentication context class in their authentication requests. The feature step-up-authentication-saml has been promoted from preview to supported in this release.

For more information, see the Server Administration Guide.

Administration

Declarative client management with Admin API v2 (experimental)

Keycloak introduces a new REST API for managing OIDC and SAML clients. The new API provides strict validation, support for declarative configuration, and an accurate OpenAPI specification that enables reliable client generation. This addresses long-standing limitations of the original Admin REST API. This is the first resource in the Admin API v2, with additional resources to follow in future releases.

The API can be consumed through a Java client, an auto-generated JavaScript client, and a CLI. The Keycloak Operator uses it to manage clients declaratively via KeycloakOIDCClient and KeycloakSAMLClient custom resources.

Enabling this feature also enables the OpenAPI specification endpoint on the management interface, which the CLI uses to adapt its commands to the connected server version.

To try it out, enable the client-admin-api:v2 feature.

For more details, see the Admin API v2 guide and the Managing Keycloak Clients operator guide. Feedback is welcome in the Client Admin API v2 GitHub Discussion.

Thanks to Robin Meese for contributing the OpenAPI endpoint on the management interface and the Java admin client, and to Sebastian Schuster for his participation in the Admin API working group and the Go client analysis.

Fine-grained delegation for organization administration

Managing organizations in Keycloak previously required the manage-realm role — a high-privilege role that grants far more access than most organization administrators need. This release introduces dedicated admin roles and Fine-Grained Admin Permissions for organizations, allowing administrators to delegate organization management without over-provisioning access.

New realm admin roles provide coarse-grained delegation:

  • manage-organizations — grants full read and write access to organizations, including creating, updating, and deleting organizations and their members.

  • view-organizations — grants read-only access to organizations and their members (also requires view-users or Fine-Grained Admin Permissions for user visibility).

  • query-organizations — grants the ability to search and list organizations without full view access, consistent with the query-users / query-clients / query-groups pattern.

The manage-realm role continues to implicitly grant full organization management access for backward compatibility.

For per-organization granularity, organizations are now a first-class resource type in Fine-Grained Admin Permissions. Administrators can create permissions to control which specific organizations a delegated administrator can view or manage — for example, granting access to manage one organization without giving access to all organizations in the realm. When Fine-Grained Admin Permissions is enabled, organization member queries also respect user-level permissions, returning only members the administrator is permitted to view.

Automatic role inheritance through organization groups

Assigning roles to individual organization members does not scale well when an organization has hundreds of users who all need the same permissions. Organization groups now support realm and client role assignments, so administrators can assign a role once to the organization group and have it automatically appear in realm_access and resource_access token claims for all group members.

Additionally, the Organization Group Membership protocol mapper (OIDC and SAML) can include these roles within the organization claim, organized per organization, by enabling the Add group role mappings configuration option.

For more details, see the Managing organization groups guide.

Better passkey compatibility with new WebAuthn policy options

Passkeys let users sign in with biometrics or a security key instead of a password. To work correctly, the server must tell the browser whether it prefers a discoverable credential (a passkey stored on the device) or not — and the previous Yes/No option could not express the increasingly common preferred value.

The WebAuthn Policy and WebAuthn Passwordless Policy now provide a Discoverable credential option that follows the current WebAuthn specification, supporting required, preferred, and discouraged values. This improves compatibility with passkey providers such as iCloud Keychain, Google Password Manager, and 1Password. The previous Require Discoverable Credential option is now deprecated and planned for removal in a future release.

Administrators often give realms short technical names (like acme-prod) but set a human-readable display name (like Acme Corporation). Previously, the admin console search only matched against the technical realm name, making it harder to find realms in large multi-tenant deployments.

Realm search now matches against the display name in addition to the realm name, so administrators can find realms by whichever name they remember.

Type-safe validation for parameterized scopes (experimental)

Parameterized scopes allow OAuth clients to request context-specific access — for example, project:12345 to request access to a particular project, or account:savings to scope a token to a specific bank account. Previously, the parameter value was validated only by an optional regex, making it easy to pass invalid or unexpected values.

Parameterized scopes can now define a parameter type that validates the captured value at request time. Built-in types include string, integer, boolean, username, and custom (validated against an admin-defined regex). The type is required when creating parameterized scopes with the feature enabled, ensuring that tokens always carry well-formed scope parameters.

For more details, see the Upgrading Guide.

Additional datasources may be excluded from health checks

When using multiple datasources, a failing non-critical datasource can cause the health check endpoint to report the entire deployment as unhealthy. Individual datasources can now be excluded from health checks, so optional or secondary datasources do not trigger unnecessary alerts or affect load balancer routing.

Read more about it in the Configure multiple datasources guide.

Configuring and Running

Enhanced reverse proxy guides with blueprints for HAProxy and Traefik

Running Keycloak in production requires a reverse proxy, but configuring TLS termination, certificate forwarding, and admin API security correctly across different proxies is error-prone.

The reverse proxy documentation has been significantly expanded with dedicated step-by-step guides for HAProxy and Traefik covering both TLS passthrough and re-encrypt modes, and also explain the concepts so they can be applied for other proxies as well.

For more details, see the Using a reverse proxy guide.

Simplified multi-cluster high availability without external caches (preview)

The existing multi-cluster setup for Keycloak requires deploying and managing an external Infinispan cluster for cross-site session replication, along with vendor-specific fencing infrastructure for automated failover. This adds significant operational complexity and limits deployments to specific environments.

Multi-cluster v2 removes the external Infinispan requirement entirely. Keycloak instances connect directly to each other using embedded Infinispan caches and rely on the synchronously replicated database as the single source of truth. Cache invalidation across sites is handled through a database-backed outbox pattern. The load balancer can detect the downtime of a site without requiring external fencing infrastructure.

To enable this setup, start Keycloak with the feature stateless. For architecture details and a deployment blueprint, see the Multi-cluster deployments (v2) guide.

Keycloak Operator kustomize installation

Installing the Keycloak Operator on vanilla Kubernetes clusters previously required downloading and applying individual manifest files, making upgrades and customization harder to manage. The Operator can now be installed using kustomize, providing a declarative and reproducible installation method.

For installation instructions, see the Operator Guide.

Cluster-wide install mode for the Keycloak Operator (preview)

Organizations running multiple Keycloak instances across different Kubernetes namespaces previously needed to install a separate Operator in each namespace. The Keycloak Operator now exposes AllNamespaces as a supported OLM install mode, allowing a single Operator instance to reconcile Keycloak custom resources across all namespaces in the cluster. For non-OLM installations, cluster-wide deployment is available through the cluster-wide kustomization overlay.

Cluster-wide installation is in preview. For installation instructions and limitations, see the Operator Guide.

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Security fixes

Weaknesses

  • #​48717 SAML Identity Provider settings in the Admin UI are not asking for signatures by default identity-brokering
  • #​49137 Welcome page admin bootstrap bypasses local-only check when behind a same-host proxy without forwarding headers admin/api
  • #​49215 JWT Authorization Grant: namespace jti cache keys and reorder signature verification oidc
  • #​49312 Organization group members endpoint does not check Users permission organizations
  • #​49605 Member's organizations endpoint missing per-org FGAP filtering organizations
  • #​49660 OID4VCI: Missing disabled-client check in PreAuthorizedCodeGrantType oid4vc
  • #​49838 SD-JWT: Array index shifting in SdJwtVerificationContext leaves undisclosed placeholders in verified payload oid4vc
  • #​49920 WebAuthn: sign counter updated to stored+1 instead of assertion value authentication/webauthn
  • #​49921 WebAuthn: challenge not consumed after assertion validation authentication/webauthn
  • #​49922 FreeMarker: deprecated no-arg Configuration constructor pins engine to legacy 2.3.0 defaults admin/ui
  • #​49961 Themes: FolderTheme.getTemplate() missing path-containment check account/ui
  • #​50074 SSF admin endpoint: missing client-level authorization check exposes push delivery secret ssf
  • #​50316 Use constant-time comparison when validating OTP codes authentication
  • #​50460 SSF push URL allow-list bypass via authority-attached wildcard ssf
  • #​50464 SAML Step-Up: Over-achieved LoA collapses AuthnContextClassRef to AC_UNSPECIFIED on SSO re-entry saml
  • #​50466 SAML Step-Up: Three robustness issues in LoA mapping and classRef selection saml
  • #​50481 Cacheless: JpaSingleUseObjectProvider.putIfAbsent() missing lifespan validation present in put()
  • #​50482 Cacheless: Root authentication session lookup uses assert-only realm check — no-op in production
  • #​50483 Cacheless: LoginFailureExpirationAction compares milliseconds vs seconds — rows never reaped
  • #​50488 HAProxy guide: Missing unconditional del-header for Client-Cert before conditional set-header
  • #​50491 Client API v2: Operator secretRef resolves arbitrary Secrets without ownership validation admin/api-v2
  • #​50494 Client API v2: Operator prefers HTTP over HTTPS when both are enabled admin/api-v2
  • #​50534 Identity Broker v2: Internal exception message reflected in /token error response oidc

Removed features

  • #​44013 Deprecate the Twitter IDP implementation due to old twitter4j library identity-brokering
  • #​48104 Remove support for token-exchange-external-internal:v2 token-exchange/federated
  • #​49270 Remove the batching option for the persistent sessions

New features

  • #​9686 Store the Dynamic Scope parameter to avoid showing the Consent Screen every time there's an authentication
  • #​20128 Add support for `reencrypt` OpenShift Routes to the Operator operator
  • #​22042 More flexible imports in custom theme (i.e. CSS media queries) account/ui
  • #​35650 Compatibility profiles
  • #​44317 [OID4VCI] Add a client policy to require a credential offer
  • #​46543 Step-up authentication for SAML - supported authentication
  • #​48623 Make the admin client, from the admin-ui more easy to use

Enhancements

  • #​9915 Make the consent screen text for dynamic scopes customizable with a reference to the dynamic scope parameter
  • #​10696 Improve WebAuthn tests documentation testsuite
  • #​12223 Dynamic scopes: requested scopes get mixed up between token requests oidc
  • #​17758 [UX Review] Optimize the number box in the Time-policy creation page of client Authorization admin/ui
  • #​17762 [UX Review] Optimize the initial page of Keys in OIDC client admin/ui
  • #​17770 Remove unnecessary conditions from code admin/ui
  • #​17771 Caught errors should have the correct type associated with them admin/ui
  • #​22229 UI should prevent admins from defining a dynamic client scope with type Default oidc
  • #​24436 Account API - "/applications/{clientId}/consent" : Provide option to get enhanced ConsentScopeRepresentation account/api
  • #​24823 Adding client_id as prefix in client roles mapper core
  • #​26602 Allow user search by direct lookup via username and email
  • #​26699 Nested group members from Active Directory are not showing in Keycloak groups ldap
  • #​29558 Best practices for detecting support for Passkeys - support for isUserVerifyingPlatformAuthenticatorAvailable() authentication/webauthn
  • #​30328 Add ability to inspect generated SAML response for SAML Clients with client scope mappings saml
  • #​31641 Implement organization-specific admin roles with limited permissions organizations
  • #​32527 Provide default krb5.conf in Docker image or extend migration docs docs
  • #​34104 Improve robustness of backchannel logout with client sessions
  • #​38632 README.md Other Keycloak Projects
  • #​40026 Support subdomain matching for Organizations in IdP redirect logic
  • #​41164 Redirection Endpoint should be validated not to include a hash in the URL oidc
  • #​42513 Set residentKey instead of requireResidentKey in Webauthn creation request authentication/webauthn
  • #​42883 FIX multiple LDAP failover & document the possibility of having multiple LDAP URLs in LDAP provider
  • #​43955 Cluster-wide Operator MVP
  • #​45104 Add native "Remember Me" support to WebAuthn/Passkey Authentication Flows login/ui
  • #​45292 Search realms by "Display name" in the "Manage realms" view admin/ui
  • #​45295 Improve client authentication flows authentication
  • #​45497 Introduce granular roles for Organization management (manage-organizations, view-organizations) organizations
  • #​45866 Customize SAML service provider metadata
  • #​45900 Support multiple organization scopes in OIDC token requests organizations
  • #​46435 Good database instructions for a production ready Keycloak setup
  • #​46740 Prevent ASCII control characters in query parameters
  • #​46903 A User belonging to multiple organization should be allowed to change his organization choice during login organizations
  • #​46959 Enhance WebAuthn Conditional UI to auto-trigger passkey modal on page load authentication/webauthn
  • #​46981 Support experimental cluster-wide operator installation by using kubectl operator
  • #​47174 MySQL/TiDB: Configure DB socket timeouts on the fly during connection creation phase dist/quarkus
  • #​47284 Introduce ORGANIZATIONS resource type in Fine-Grained Admin Permissions admin/fine-grained-permissions
  • #​47314 Token Exchange with sender constrained tokens missing cnf claim oidc
  • #​47327 Support mapping existing Realm and Client roles to Organization Groups organizations
  • #​47330 Document provided ProtocolMapper implementations docs
  • #​47356 Enhancement: Improve the performance of loading large password blacklists
  • #​47383 Add example for health check when using HTTPS
  • #​47431 Organization feature will only show linked IDPs if the user has already one linked organizations
  • #​47542 Use client-side Streaming for admin api v2 in the Java client
  • #​47762 Enhance quick-theme .jar generation. admin/ui
  • #​47851 OrganizationGroupMembershipMapper should support configurable token claim name organizations
  • #​47951 Add Vietnamese (vi) as a translation translations
  • #​47960 Add CLI options for mTLS database connections
  • #​47963 Update tested configurations for single- and multi-cluster to the recent OpenShift version
  • #​48053 Allow db-connect-timeout to be used for all datasources dist/quarkus
  • #​48059 Safeguard against wrong PID in containers dist/quarkus
  • #​48088 When a group is granted a role, it should not read all existing role mappings from the database core
  • #​48098 Expose hidden management options
  • #​48338 Add details to AdminEvent in UserResource.removeCredential core
  • #​48393 [CIMD] Document the existing query-string defense on the MCP Authorization Server docs page
  • #​48420 Upgrade `webauthn4j` to 0.30.3 authentication/webauthn
  • #​48445 Enable passkeys configuration does not follow best UX authentication/webauthn
  • #​48539 Update WebAuthn Metadata service data authentication/webauthn
  • #​48540 Support icons for Passkeys credentials authentication/webauthn
  • #​48557 Show Groups tab in the account console when user is part of any group account/ui
  • #​48588 Fine Grained Authorization v2 : does not work PUT https://i/admin/realms//admin-permissions/groups/ admin/fine-grained-permissions
  • #​48730 DB documentation doesn't state on how to check the transaction isolation for MSSQL
  • #​48755 User deletion latency grows with Infinispan session-cache fill level / size infinispan
  • #​48863 Include kid in details of CLIENT_LOGIN event of Signed JWT Client Authentication
  • #​48892 SSF: Track if stream was created by Keycloak or ssfReceiver ssf
  • #​48893 SSF: Remove "audience" field from create stream form ssf
  • #​48962 Add suggestions when features are incorrectly specified dist/quarkus
  • #​49037 Expose multi-namespace install modes
  • #​49040 Make `AbstractJWTClientValidator` / `FederatedJWTClientValidator` methods `protected` for extensibility
  • #​49177 Remove explicit --shutdown-timeouts configuration from proxy example configurations
  • #​49235 SSF: Move Push timeout settings to SSF Receiver tab ssf
  • #​49248 Consider additional datasources in health checks
  • #​49348 Ensure proper management of thread-bound resources.
  • #​49372 Unify buttons in horizontal layout for Login UI login/ui
  • #​49378 Login page title should use full width when locale selector is hidden login/ui
  • #​49424 Include subject to email template attributes
  • #​49453 Persistent sessions should be written as part of the original main transaction where possible infinispan
  • #​49469 Stateless mode: store volatile session data in the database
  • #​49491 Full user representation when querying organization members organizations
  • #​49573 Attribute for clients scopes to always require consent token-exchange/subject-impersonation
  • #​49608 Correct themes README
  • #​49645 Organization member read endpoints should document parent-gated org-level authorization contract organizations
  • #​49711 [Login UI] Improve credential selector layout login/ui
  • #​49757 Reverse proxy docs: should not proxy master realm docs
  • #​49873 How to thread dump with and without virtual threads observability
  • #​49947 Add OIDF conformance tests to CI oidc
  • #​49988 Docs should describe on how to detect if a graceful shutdown was successful docs
  • #​50050 SSF: Handle disabled SSF Receiver client ssf
  • #​50087 Generate queryable fields documentation from code docs
  • #​50134 Refresh client data after invalidating rotated secret in Credentials tab
  • #​50261 MCP Documentation for 26.7
  • #​50327 Improve OAuth Identity and Authorization Chaining Across Domains guide
  • #​50369 Composite-role expansion does an N+1 of `getChildRoles` queries (each with an auto-flush) that dominates Keycloak CPU on the cache-miss path core
  • #​50467 Prevent DoS when using complex filter conditions workflows
  • #​50476 Retarget quarkus-next to Quarkus 3.x branch after main switched to 4.0

Bugs

  • #​12142 IdP backchannel logout does not work with session id in logout oidc
  • #​20649 "Not username" and "Not email" options when creating/changing a password, should ignore letter case when comparing password to email or to username authentication
  • #​27431 New clients have a JavaScript default policy configured which causes problems on export/import authorization-services
  • #​32124 Backchannel logout notification client for Update_Password AIA is not having all the session ids authentication
  • #​33204 Identity Providers are missing from the login page if I request a reset password for an existing user login/ui
  • #​35104 Timestamp overflow in client secret rotation feature leads to next refresh time being set to the past core
  • #​37355 Web Crypto API not available in `login-status-iframe.html` when using admin console from insecure context oidc
  • #​38124 High values for client secret expiration result in expiration dates in the past core
  • #​40603 Account UI reports "Something went wrong" if user doesn't have permissions to view applications account/ui
  • #​44591 Terms and Conditions Accepted Timestamp user-profile
  • #​44620 Possible data loss when scaling Keycloak StatefulSet down (on Kubernetes) infinispan
  • #​44741 Device activity does not recognize iOS 26 correct account/ui
  • #​45420 [OID4VCI] Wrong typ value for SD-JWT VC oid4vc
  • #​45494 ScrollForm navigation does not update active section on click or scroll admin/ui
  • #​45568 Pending auth flow waiting for email verification succeeds even after password reset - providing room for pre-account takeover attacks authentication
  • #​45716 Problem with Standard Token Exchange with Dynamic Scopes feature enabled (Wrong default scopes) token-exchange
  • Mend Renovate.

Copilot AI review requested due to automatic review settings July 3, 2026 00:35
@backstage-goalie backstage-goalie Bot added the dependencies Pull requests that update a dependency file label Jul 3, 2026
@backstage-goalie
backstage-goalie Bot requested a review from hopehadfield July 3, 2026 00:35

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot can't review bot-authored pull requests automatically. A user with Copilot access can request a review manually.

@backstage-goalie

backstage-goalie Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor Author

Changed Packages

Package Name Package Path Changeset Bump Current Version
@backstage-community/plugin-catalog-backend-module-keycloak workspaces/keycloak/plugins/catalog-backend-module-keycloak patch v3.21.0

@backstage-service
backstage-service force-pushed the renovate/keycloak-keycloak-admin-client-26.x branch from d599002 to 5c5ff95 Compare July 3, 2026 00:36
Copilot AI review requested due to automatic review settings July 3, 2026 07:19
@backstage-goalie
backstage-goalie Bot force-pushed the renovate/keycloak-keycloak-admin-client-26.x branch from 5c5ff95 to 4bd3796 Compare July 3, 2026 07:19

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot can't review bot-authored pull requests automatically. A user with Copilot access can request a review manually.

@backstage-service
backstage-service force-pushed the renovate/keycloak-keycloak-admin-client-26.x branch from 4bd3796 to 42dd2eb Compare July 3, 2026 07:20
@backstage-goalie
backstage-goalie Bot force-pushed the renovate/keycloak-keycloak-admin-client-26.x branch from 42dd2eb to 5dba162 Compare July 3, 2026 12:03
Copilot AI review requested due to automatic review settings July 3, 2026 12:03

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot can't review bot-authored pull requests automatically. A user with Copilot access can request a review manually.

@backstage-service
backstage-service force-pushed the renovate/keycloak-keycloak-admin-client-26.x branch from 5dba162 to 1d30005 Compare July 3, 2026 12:03
@backstage-goalie
backstage-goalie Bot force-pushed the renovate/keycloak-keycloak-admin-client-26.x branch from 1d30005 to 2ffe089 Compare July 3, 2026 13:50
Copilot AI review requested due to automatic review settings July 3, 2026 13:50

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot can't review bot-authored pull requests automatically. A user with Copilot access can request a review manually.

@backstage-service
backstage-service force-pushed the renovate/keycloak-keycloak-admin-client-26.x branch from 2ffe089 to e2aced2 Compare July 3, 2026 13:51
@backstage-goalie
backstage-goalie Bot force-pushed the renovate/keycloak-keycloak-admin-client-26.x branch from e2aced2 to c85d6a3 Compare July 3, 2026 17:37
Copilot AI review requested due to automatic review settings July 3, 2026 17:37

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot can't review bot-authored pull requests automatically. A user with Copilot access can request a review manually.

@backstage-service
backstage-service force-pushed the renovate/keycloak-keycloak-admin-client-26.x branch from c85d6a3 to ea2cc06 Compare July 3, 2026 17:38
Copilot AI review requested due to automatic review settings July 3, 2026 18:36

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 2 out of 3 changed files in this pull request and generated no new comments.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot can't review bot-authored pull requests automatically. A user with Copilot access can request a review manually.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 2 out of 3 changed files in this pull request and generated no new comments.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot can't review bot-authored pull requests automatically. A user with Copilot access can request a review manually.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 2 out of 3 changed files in this pull request and generated no new comments.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot can't review bot-authored pull requests automatically. A user with Copilot access can request a review manually.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 2 out of 3 changed files in this pull request and generated no new comments.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot can't review bot-authored pull requests automatically. A user with Copilot access can request a review manually.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 2 out of 3 changed files in this pull request and generated no new comments.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot can't review bot-authored pull requests automatically. A user with Copilot access can request a review manually.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 2 out of 3 changed files in this pull request and generated no new comments.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot can't review bot-authored pull requests automatically. A user with Copilot access can request a review manually.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 2 out of 3 changed files in this pull request and generated no new comments.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot can't review bot-authored pull requests automatically. A user with Copilot access can request a review manually.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 2 out of 3 changed files in this pull request and generated no new comments.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot can't review bot-authored pull requests automatically. A user with Copilot access can request a review manually.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 2 out of 3 changed files in this pull request and generated no new comments.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot can't review bot-authored pull requests automatically. A user with Copilot access can request a review manually.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot reviewed 2 out of 3 changed files in this pull request and generated no new comments.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 1 out of 2 changed files in this pull request and generated no new comments.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 2 out of 3 changed files in this pull request and generated no new comments.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 2 out of 3 changed files in this pull request and generated no new comments.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 2 out of 3 changed files in this pull request and generated no new comments.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 1 out of 2 changed files in this pull request and generated no new comments.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 2 out of 3 changed files in this pull request and generated no new comments.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 2 out of 3 changed files in this pull request and generated no new comments.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 2 out of 3 changed files in this pull request and generated no new comments.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 1 out of 2 changed files in this pull request and generated no new comments.

Signed-off-by: Renovate Bot <bot@renovateapp.com>

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 2 out of 3 changed files in this pull request and generated no new comments.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file force-merge workspace/keycloak

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants