Update Gradle/NPM, dependencies, Keycloak to v26.1.0 #5050

Open
wants to merge 1 commit into
base: main

renovate[bot]
Contributor

@renovate renovate bot commented Jan 13, 2025

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
| keycloak-connect (source) | 26.0.7 -> 26.1.0 | age | adoption | passing | confidence |
| keycloak-js (source) | 26.0.7 -> 26.1.0 | age | adoption | passing | confidence |

Release Notes

keycloak/keycloak-nodejs-connect (keycloak-connect)

v26.1.0

Compare Source

v26.0.8

Compare Source

keycloak/keycloak (keycloak-js)

v26.1.0

Compare Source

Highlights

Transport stack jdbc-ping as new default

Keycloak now uses its database by default to discover other nodes of the same cluster, which removes the need for additional network-related configuration, especially for cloud providers. It is also a default that will work out-of-the-box in cloud environments.

Previous versions of Keycloak used as a default UDP multicast to discover other nodes to form a cluster and to synchronize the replicated caches of Keycloak. This required multicast to be available and to be configured correctly, which is usually not the case in cloud environments.

Starting with this version, the default changes to the jdbc-ping configuration, which uses Keycloak's database to discover other nodes. As this removes the need for multicast network capabilities and UDP, and no longer uses dynamic ports for the TCP-based failure detection, this is a simplification and a drop-in replacement for environments which used the previous default. To enable the previous behavior, choose the transport stack udp, which is now deprecated.

The Keycloak Operator will continue to configure kubernetes as a transport stack.

See the Configuring distributed caches guide for more information.

Virtual Threads enabled for Infinispan and JGroups thread pools

Starting from this release, Keycloak automatically enables the virtual thread pool support in both the embedded Infinispan and JGroups when running on OpenJDK 21. This removes the need to configure the JGroups thread pool, the need to align the JGroups thread pool with the HTTP worker thread pool, and reduces the overall memory footprint.

OpenTelemetry Tracing supported

In the previous release, the OpenTelemetry Tracing feature was preview and is fully supported now. It means the opentelemetry feature is enabled by default.

Multiple improvements were made to the tracing capabilities in Keycloak, such as:

  • Configuration via Keycloak CR in Keycloak Operator

  • Custom spans for:

    • Incoming/outgoing HTTP requests including Identity Providers brokerage

    • Database operations and connections

    • LDAP requests

    • Time-consuming operations (password hashing, persistent session operations, ...)

For more information, see the Enabling Tracing guide.

Infinispan default XML configuration location

Previous releases ignored any change to conf/cache-ispn.xml if the --cache-config-file option was not provided.

Starting from this release, when --cache-config-file is not set, the default Infinispan XML configuration file is conf/cache-ispn.xml as this is both the expected behavior and the implied behavior given the docs of the current and previous releases.

Individual options for category-specific log levels

It is now possible to set category-specific log levels as individual log-level-category options.

For more details, see the Logging guide.

OpenID for Verifiable Credential Issuance

The OpenID for Verifiable Credential Issuance (OID4VCI) remains an experimental feature in Keycloak, but it has great improvements in this release. This feature benefits from much polishing of the existing configuration and making the feature more dynamic and customizable.

You will find significant development and discussions in the Keycloak OAuth SIG. Anyone from the Keycloak community is welcome to join.

Many thanks to all members of the OAuth SIG group for the participation in the development and discussions about this feature. Especially thanks to Francis Pouatcha, Ingrid Kamga, Pascal Knüppel, Thomas Darimont, Ogen Bertrand, Awambeng Rodrick and Takashi Norimatsu.

Minimum ACR Value for the client

The option Minimum ACR value is added as a configuration option on the realm OIDC clients. This addition is an enhancement related to step-up authentication, which makes it possible to enforce minimum ACR level when logging in to the particular client.

Many thanks to Simon Levermann for the contribution.

Support for prompt=create

Support now exists for the Initiating user registration standard, which allows OIDC clients to initiate the login request with the parameter prompt=create to notify Keycloak that a new user should be registered rather than an existing user authenticated. Initiating user registration was already supported in Keycloak with the use of dedicated endpoint /realms/<realm>/protocol/openid-connect/registrations. However, this endpoint is now deprecated in favor of the standard way as it was a proprietary solution specific to Keycloak.

Many thanks to Thomas Darimont for the contribution.

Option to create certificates for generated EC keys

A new option, Generate certificate, exists for EC-DSA and Ed-DSA key providers. When the generated key is created by a realm administrator, a certificate might be generated for this key. The certificate information is available in the Admin Console and in the JWK representation of this key, which is available from JWKS endpoint with the realm keys.

Many thanks to Pascal Knüppel for the contribution.

Authorization Code Binding to a DPoP Key

Support now exists for Authorization Code Binding to a DPoP Key including support for the DPoP with Pushed Authorization Requests.

Many thanks to Takashi Norimatsu for the contribution.

Maximum count and length for additional parameters sent to OIDC authentication request

The OIDC authentication request supports a limited number of additional custom parameters of maximum length. The additional parameters can be used for custom purposes (for example, adding the claims into the token with the use of the protocol mappers). In the previous versions, the maximum count of the parameters was hardcoded to 5 and the maximum length of the parameters was hardcoded to 2000. Now both values are configurable. Additionally, it is possible to configure whether additional parameters cause a request to fail or whether the parameters are ignored.

Many thanks to Manuel Schallar and Patrick Weiner for the contribution.

Network Policy support added to the Keycloak Operator

Note
Preview feature.

To improve the security of your Kubernetes deployment, Network Policies can be specified in your Keycloak CR. The Keycloak Operator accepts the ingress rules, which define where traffic is allowed to come from, and automatically creates the necessary Network Policies.

LDAP users are created as enabled by default when using Microsoft Active Directory

If you are using Microsoft AD and creating users through the administrative interfaces, the user will be created as enabled by default.

In previous versions, it was only possible to update the user status after setting a (non-temporary) password to the user. This behavior was not consistent with other built-in user storages as well as not consistent with other LDAP vendors supported by the LDAP provider.

New conditional authenticators Condition - sub-flow executed and Condition - client scope

The Condition - sub-flow executed and Condition - client scope are new conditional authenticators in Keycloak. The condition Condition - sub-flow executed checks if a previous sub-flow was executed (or not executed) successfully during the authentication flow execution. The condition Condition - client scope checks if a configured client scope is present as a client scope of the client requesting authentication. For more details, see Conditions in conditional flows.

Defining dependencies between provider factories

When developing extensions for Keycloak, developers can now specify dependencies between provider factories classes by implementing the method dependsOn() in the ProviderFactory interface. See the Javadoc for a detailed description.

Dark mode enabled for the welcome theme

We've now enabled dark mode support for all the keycloak themes. This feature was previously present in the admin console, account console and login, and is now also available on the welcome page. If a user indicates their preference through an operating system setting (e.g. light or dark mode) or a user agent setting, the theme will automatically follow these preferences.

If you are using a custom theme that extends any of the keycloak themes and are not yet ready to support dark mode, or have styling conflicts that prevent you from implementing dark mode, you can disable support by adding the following property to your theme:

darkMode=false

Alternatively, you can disable dark mode support for the built-in Keycloak themes on a per-realm basis by turning off the Dark mode setting under the Theme tab in the realm settings.

Metrics on password hashing

There is a new metric available counting how many password validations were performed by Keycloak. This allows you to better assess where CPU resources are used, and can feed into your sizing calculations.

Sign out all active sessions in admin console now effectively removes all sessions

In previous versions, clicking on Sign out all active sessions in the admin console resulted in the removal of regular sessions only. Offline sessions would still be displayed despite being effectively invalidated.

This has been changed. Now all sessions, regular and offline, are removed when signing out of all active sessions.

Dedicated release cycle for the Node.js adapter and JavaScript adapter

From this release onwards, the Keycloak JavaScript adapter and Keycloak Node.js adapter will have a release cycle independent of the Keycloak server release cycle. The 26.1.0 release may be the last one where these adapters are released together with the Keycloak server, but from now on, these adapters may be released at a different time than the Keycloak server.

Updates in quickstarts

The Keycloak quickstarts are now using main as the base branch. The latest branch, used previously, is removed. The main branch depends on the last released version of the Keycloak server, Keycloak client libraries, and adapters. As a result, contributions to the quickstarts are immediately visible to quickstart consumers with no need to wait for the next Keycloak server release.

The format of KEYCLOAK_SESSION cookie was slightly updated to not contain any private data in plain text. Until now, the format of the cookie was realmName/userId/userSessionId. Now the cookie contains user session ID, which is hashed by SHA-256 and URL encoded.

The format of AUTH_SESSION_ID cookie was updated to include a signature of the auth session id to ensure its integrity through signature verification. The new format is base64(auth_session_id.auth_session_id_signature). With this update, the old format will no longer be accepted, meaning that old auth sessions will no longer be valid. This change has no impact on user sessions.

These changes can affect you only if you implement your own providers and rely on the format of internal Keycloak cookies.

Removal of robots.txt file

The robots.txt file, previously included by default, is now removed. The default robots.txt file blocked all crawling, which prevented the noindex/nofollow directives from being followed. The desired default behaviour is for Keycloak pages to not show up in search engine results and this is accomplished by the existing X-Robots-Tag header, which is set to none by default. The value of this header can be overridden per-realm if a different behaviour is needed.

If you previously added a rule in your reverse proxy configuration for this, you can now remove it.

Imported key providers check and passivate keys with an expired certificate

The key providers that allow importing externally generated keys (rsa and java-keystore factories) now check the validity of the associated certificate if present. Therefore a key with a certificate that is expired cannot be imported in Keycloak anymore. If the certificate expires at runtime, the key is converted into a passive key (enabled but not active). A passive key is not used for new tokens, but it is still valid for validating previously issued tokens.

The default generated key providers generate a certificate valid for 10 years (the types that have or can have an associated certificate). Because of the long validity and the recommendation to rotate keys frequently, the generated providers do not perform this check.

Admin events might now include additional details about the context when the event is fired

In this release, admin events might hold additional details about the context when the event is fired. When upgrading, you should expect the database schema to be updated to add a new column DETAILS_JSON to the ADMIN_EVENT_ENTITY table.

OpenShift v3 identity brokering removed

As OpenShift v3 reached end-of-life a while back, support for identity brokering with OpenShift v3 has been removed from Keycloak.

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

New features

  • #​24992 Allow more extensive Override of BackchannelAuthenticationCallbackEndpoint core
  • #​25006 Use optional realm attribute for authenticationrequest parameter max size/number validation configuration
  • #​26178 Support dark mode, at least for the login pages login/ui
  • #​26466 Operator support for setting default value of `http-pool-max-threads` operator
  • #​27736 Used encrypted JGroups connection by default in Operator deployments operator
  • #​29399 JDBC_PING2 as default discovery protocol
  • #​32135 Option to specify trusted proxies dist/quarkus
  • #​32488 Enabling authorization_details for client grant tokens until RAR is fully implemented
  • #​33043 Provide missing user event metrics from aerogear/keycloak-metrics-spi to a keycloak mircometer event listener
  • #​34957 Ability to specify log category levels through separate options dist/quarkus
  • #​35110 Enhance WebAuthn registration to support custom FIDO2 origin validation
  • #​35231 Ability to reject authentication to users without 2FA configured authentication
  • #​35639 Allow users to specify the start page of a custom account-console theme account/ui
  • #​36081 Authentication flow condition for client scope authentication

Enhancements

  • #​10138 Align admin console for client for backchannel and frontchannel logout oidc
  • #​10701 AuthenticationRequest add "create" prompt for sign-up oidc
  • #​13852 js adapter just sets error to true upon error updateToken adapter/javascript
  • #​16545 Additional authorization request parameters shouldn't be limited to 5 and shouldn't be discarded silently oidc
  • #​16884 Support to enforce LoA in authentication flow for a client (Step-up) authentication
  • #​17014 Allow custom message for brute force temporary lockout authentication
  • #​23805 H2 Database should be opt-in and well-documented storage
  • #​23881 Prevent "lost replace" in InfinispanAuthenticationSessionProvider storage
  • #​26780 Maximum 100 resources with same URI checked when requesting permissions by URI authorization-services
  • #​29511 Allow to restrict ProviderConfigProperty input to int values
  • #​29570 Generalize or remove stack trace information found in error message exception handling
  • #​29859 Keycloak native verification of an SD-JWT based vp_token oid4vc
  • #​31764 Run tests with original `keycloak` login theme in nightly
  • #​31842 Allow to create certificates for provider-keys authentication
  • #​32092 OTEL: Add Keycloak CR support for Tracing options operator
  • #​32094 OTEL: Apache HTTP client OpenTelemetry instrumentation
  • #​32110 [Documentation] - Configuring trusted certificates - Fully specify truststore path dist/quarkus
  • #​32114 OTEL: Instrument parts of Keycloak with OTEL spans
  • #​32152 Clarify the behaviour of multiple Operator versions installed in the same cluster operator
  • #​32657 Readonly profile attribute profile has unwanted not translated placeholder account/ui
  • #​32773 [OID4VCI] Migrate Verifiable Credential Definitions from Client Attributes to Realm Level Attributes oid4vc
  • #​33203 Explicitly document that the Operator does not create an Ingress for Admin URL operator
  • #​33233 Add ui to override patternfly colors and logo
  • #​33275 Better logging when error happens during transaction commit storage
  • #​33484 Consolidate the logic for determining a local address core
  • #​33492 Remove retry in LoginPage.resetPassword testsuite
  • #​33496 Add CopyToClipboardButton to UserID in Admin UI
  • #​33498 Expose membership type in the Admin UI for organization members admin/ui
  • #​33559 Add an example nginx reverse proxy configuration
  • #​33569 Show User Events on dedicated tab on Client-/User-Details
  • #​33605 Add a reference to http-enabled in TLS/SSL setup
  • #​33646 Upgrade Infinispan to 15.0.10.Final
  • #​33651 Utilise `jdbc-ping` TCP based JGroups stack as default for non-operator Keycloak deployments
  • #​33678 Make createWebAuthnRegistrationManager protected to allow cutomizations in subclasses authentication/webauthn
  • #​33702 Prevent Keycloak from starting with wrong `work` cache configuration
  • #​33717 Create a new base login theme
  • #​33821 Add switch to disable dark mode
  • #​33932 Background SQL statements show without a connected trace dist/quarkus
  • #​33939 Enable virtual threads in Infinispan and JGroups by default
  • #​34026 Update KEYCLOAK_SESSION cookie to not have sessionId in plain-text authentication
  • #​34027 Sign the AUTH_SESSION_ID cookie value authentication
  • #​34091 Username Form should support autocomplete login/ui
  • #​34137 Standardize error messages from client and server in login theme (keycloak.v2) login/ui
  • #​34253 Deprecate other transport stacks (ec2, azure, google)
  • #​34265 Add JDBC_PING2 stacks for both TCP and UDP
  • #​34284 Keycloak-admin-client should work with the future versions of Keycloak server admin/client-java
  • #​34315 Update the Keycloak CPU and Memory sizing guide to reflect the new ec2 workder nodes
  • #​34330 Delete Openshift 3.x identity provider
  • #​34351 Support for the Croatian language
  • #​34380 Remove remaining table USERNAME_LOGIN_FAILURE from the jpa UserSessionProvider times
  • #​34382 Make the organization chapter of Server Admin guide available on downstream
  • #​34386 Some dynamic imported functions are also statically imported making bundling them in-efficient
  • #​34393 Improve build time of the js module
  • #​34524 Add ability to enable support for Verifiable Credentials per Realm account/ui
  • #​34536 Make cache-remote-host available when feature multi-site or cache-embedded-remote-store is enabled
  • #​34570 Make documentation more clear that keycloak javascript adapter and node.js adapter are OIDC docs
  • #​34583 Microsoft login - add prompt param configure
  • #​34630 Avoid multi-release and java16 specific sources in the core module oidc
  • #​34640 Update certain email templates for password recovery to match English translation format
  • #​34658 Document network ports for Keycloak clustering
  • #​34659 [Operator] Enhance the Keycloak Operator with Network Policies operator
  • #​34695 Allow custom OIDCIdentityProvider implementations to specfiy the supported token types identity-brokering
  • #​34711 OTEL: Provide Tracing SPI
  • #​34755 Disable trim_trailing_whitespace in editorconfig to reduce noise in PRs
  • #​34760 Improving the error message when failing to query an LDAP provider ldap
  • #​34804 Allow a request object by considering a clock skew for smooth interoperability oidc
  • #​34805 Allow a JWT client assertion by considering a clock skew for smooth interoperability oidc
  • #​34848 Too many exceptions created when validating user profile
  • #​34850 Avoid throwing exceptions when issuing reflection on user model
  • #​34855 Add conditional text to Installation Locations
  • #​34873 Update Leveraging JaKarta EE in Server Development guide
  • #​34880 Feature: Allow disabling XA enforcement introduced with v26 dist/quarkus
  • #​34882 Edits to Authorization Services guide
  • #​34894 Allow a DPoP Proof by considering a clock skew for smooth interoperability
  • #​34916 Addresse QE comments on Server Administration guide
  • #​34931 Upgrade to ISPN 15.0.11.Final
  • #​34990 Authorization Code Binding to a DPoP Key and DPoP with Pushed Authorization Requests oidc
  • #​35003 Expose templateName in attributes when rendering freemarker templates login/ui
  • #​35077 Upgrade to Quarkus 3.15.2 dist/quarkus
  • #​35080 Prefer usage of StandardCharsets.UTF_8 over "UTF-8" charset reference core
  • #​35103 [LoginUI] Set HTML lang attribute to "en" when internationalization disabled account/ui
  • #​35180 Improve test method signature and gather more info about assertions testsuite
  • #​35192 Resolve scopes from authenticated client sessions when selecting attributes
  • #​35225 Allow configuring retries for JavaScript tests using environment variable ci
  • #​35243 Allow asking for additional scopes when querying the account console root URL
  • #​35252 Add WHY issues are important for each PR no matter how small to CONTRIBUTING.md docs
  • #​35254 CONTRIBUTING.md has confusing ordered list with two times point 5
  • #​35331 Updated tested PostgreSQL version to 17
  • #​35333 Updated tested MariaDB version to 11.4
  • #​35335 Updated tested MySQL version to 8.4
  • #​35402 Consistent use of log.debugf to avoid generating too much GC overhead
  • #​35415 Add a page with an index that links to smaller pages (JVM, HTTP, Database, embedded caches, external Infinispan) - we can show example widgets from the dashboards later
  • #​35419 OTEL: Enhance traces with spans for each RestEASY resource
  • #​35425 OTEL: Show spans in transaction completion at the end of a request
  • #​35430 OTEL: Group persistent session work activities in parent span or link them
  • #​35457 Avoid creating ObjectMapper but using JsonSerialization utility class when managing event details
  • #​35478 Add password validation to update-password
  • #​35506 Support for multiple values of some parameters in the grant SPI oidc
  • #​35573 Update the Enabling Keycloak Event Metrics guide with the list of possible events and errors
  • #​35588 Update release notes for Keycloak 26.1.0 with new community additions docs
  • #​35598 [Operator] Network Policy Rules operator
  • #​35604 Removing unnecessary configuration from auth servers
  • #​35640 Update the sizing guide with an indicator on which user events to use
  • #​35676 Reduce debounce time in RealmSelector
  • #​35714 Replace `uuid` module with `crypto.randomUUID()`
  • #​35758 Set the LDAP connection pooling protocols by default to plain and tls
  • #​35775 Document the performance numbers from the ARM based ROSA cluster runs
  • #​35807 Add a test that the metrics listed in the docs are available from Keycloak (keep it simple, ignore metrics that don't show up right after the start)
  • #​35834 Use MeterProvider as suggested by the Micrometer team to avoid GC overhead
  • #​35852 Enable LDAP Connection pooling by default
  • #​35856 Release note about node.js adapter and javascript adapter released independently of keycloak server docs
  • #​35859 Update upgrading notes with the changes related to core clients docs
  • #​35939 Rescue dutch translations from aborted Weblate PR
  • #​36015 Update the CA translation translations
  • #​36039 Tune caching guide list of stacks for the upcoming release
  • #​36047 Align realm name placeholder in the docs docs
  • #​36048 Add metric for number of password validations
  • #​36059 OTEL: Add tracing for credential validation
  • #​36079 Suggestion: Improve Regex for NPM Version Conversion in set-version.sh ci
  • #​36087 Allow tracing packets sent to and from LDAP for troubleshooting purposes
  • #​36211 Help texts in the admin UI should end with a dot admin/ui
  • #​36263 OTEL: merge Operator tracing test cases
  • #​36388 Rename `org.keycloak.test.framework` package to `org.keycloak.testframework` test-framework
  • #​36389 Rename `org.keycloak.test` package to `org.keycloak.tests` test-framework
  • #​36425 Make @​EnableFeature to handle the case with added provider of currently non-used SPI testsuite
  • #​36442 Prepare a new guide for Keycloak's own metrics in the observability guide

Bugs

  • #​8935 keycloak.js example from the documentation leads to error path adapter/javascript
  • #​10233 Locale Setting for Update Password Mail admin/api
  • #​10417 Race when creating client protocol mappers (ClientManager#enableServiceAccount) resulting in duplicate entries storage
  • #​11008 Incorrect get the members of a group imported from LDAP ldap
  • #​12309 IllegalArgumentException on canceled Account Linking oidc
  • #​12919 Step-up authentication with existing cookie not working when using `Authentication Flow Overrides` per client authentication
  • #​14562 Broken Promise implementation for AuthZ JS adapter/javascript
  • #​15058 Backchannel Logout silently not sent, if Frontchannel Logout is enabled as well oidc
  • #​15635 oidc - JavaScript-Adapter LocalStorage#clearExpired does not clear all possible items adapter/javascript
  • #​16451 Documentation - Expand/Clarify Admin REST API User Search Functionality admin/api
  • #​17233 the InfoPage after an ExecuteActionsEmail is not localized based on the user's locale authentication
  • #​17433 robots.txt causes indexing authentication/webauthn
  • #​17593 Incorrect ldap-group-mapper chosen to sync changes to ActiveDirectory when several mappers with varying group paths used ldap
  • #​19101 Uncaught (in promise): QuotaExceededError adapter/javascript
  • #​19358 Issue with concurrent user & group delete, unable to cleanup resource server user-policy & group-policy authorization-services
  • #​19652 Members are inhereted from LDAP group with the same name ldap
  • #​20287 When using `oidcProvider` config url (.well-known) it's not possible to use `silentCheckSsoRedirectUri` adapter/javascript
  • #​23732 JavascriptAdapterTest errors when running with strict cookies on Firefox ci
  • #​24493 Broken (read-only) database connections not getting removed from connection pool, keycloak claims to be healthy. storage
  • #​25085 Inconsistent TypeScript definitions in the module @​keycloak/keycloak-admin-client while compiling admin/client-js
  • #​25675 Workflow error: Base IT - RefreshTokenTest#refreshTokenWithDifferentIssuer testsuite
  • #​25917 Allow increasing wait time on each failure after the max number of failures is reached authentication
  • #​27378 update brute force docs to reflect available lockouts modes (temporary / permanent / mixed) authentication
  • #​27856 Social login - Stack Overflow test fails ci
  • #​28241 NPE on External OIDC to Internal Token Exchange when Transient Users feature is enabled token-exchange
  • #​28328 Declining terms and conditions in account-console results in error account/ui
  • #​28978 some GUI validation check missing admin/ui
  • #​29289 Flaky test: org.keycloak.testsuite.admin.concurrency.ConcurrencyTest#createRemoveClient ci
  • #​29290 Flaky test: org.keycloak.testsuite.admin.concurrency.ConcurrencyTest#createClient ci
  • #​30037 Unstable test KerberosStandaloneCrossRealmTrustTest.test03SpnegoLoginWithCorrectKerberosPrincipalRealm ci
  • #​30204 When the Delete Credential required action is set to false an authentication application cannot be removed from the account UI core
  • #​30364 Make sure it is not possible to run snapshot server against production DB by default core
  • #​30453 Event type not set in reset-credential flow under some conditions resulting in an error page authentication
  • #​30631 Upgrade to 25 throws: Statement violates GTID consistency core
  • #​30832 Organization API not available from OpenAPI documentation admin/api
  • #​30994 Workflow failure: WebAuthn IT (firefox) - WebAuthnSigningInTest:navigateBeforeTest ci
  • #​31091 Flaky test: org.keycloak.testsuite.admin.concurrency.ConcurrencyTest#testAllConcurrently ci
  • #​31180 token exchange: exchange-sequence still fails with `Client session for client '..' not present in user session` when starting on public client token-exchange
  • #​31359 Offline sessions are not removed from admin console after sign out all active sessions core
  • #​31415 Selection list does not close after outside click admin/ui
  • #​31456 Enabling/Disabling user does not work with Microsoft AD LDAP via Admin API/UI ldap
  • #​31469 Show account page before login core
  • #​31492 Misleading docs and functionality around cache-ispn.xml dist/quarkus
  • #​31638 Error when non-admin user accesses admin console admin/fine-grained-permissions
  • #​31724 Logout not working after removing Identity Provider of user identity-brokering
  • #​31727 KC doesn’t enforce uniqueness of aliases in Authentication flows, but uses them as identifiers (in config export) authentication
  • #​31835 Windows builds fail too often due to problems with the download of Node ci
  • #​31848 Repeated email verifications while logging in through IDP caused by email case sensitivity authentication
  • #​32143 UserId too long to add Security Key WebauthN authentication/webauthn
  • #​32266 LDAP Import: KERBEROS_PRINCIPAL not updated when UserPrincipal changes and user already exists ldap
  • #​32270 High CPU usage on logout when using remote Infinispan only setup infinispan
  • #​32348 none of the enabled features are shown as such in the admin console docs
  • #​32356 creating short admin password in BCFIPS approved mode gives "Internal server error" page core
  • #​32462 "Cookie not found" in multi-step auth flows / mobile browsers core
  • #​32476 Flaky test: org.keycloak.testsuite.forms.LoginTest#loginAgainWithoutRememberMe ci
  • #​32550 Flaky test: org.keycloak.testsuite.forms.LoginTest#loginMissingUsername ci
  • #​32610 addExecutionFlow endpoint does not return right ID admin/api
  • #​32617 Nightly Cypress tests for the Admin Console are failing on Firefox admin/ui
  • #​32648 RP-Initiated logout using `POST` method fails in cross-origin setup oidc
  • #​32650 Requesting `offline_access` without an established session results in two sessions oidc
  • #​32658 Authentication sessions do not handle concurrent writes core
  • #​32676 Flaky test: org.keycloak.testsuite.forms.BrowserButtonsTest#appInitiatedRegistrationWithBackButton ci
  • #​32677 Flaky test: org.keycloak.testsuite.forms.LoginTest#loginWithRememberMe ci
  • #​32767 Flaky test: org.keycloak.testsuite.forms.LoginTest#loginRememberMeExpiredMaxLifespan ci

    Configuration

    📅 Schedule: Branch creation - "every weekday" (UTC), Automerge - At any time (no schedule defined).

    🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

    Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

    🔕 Ignore: Close this PR and you won't be reminded about these updates again.


    • If you want to rebase/retry this PR, check this box

    This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot changed the title Update Gradle/NPM, dependencies, Keycloak to v26.0.8 Update Gradle/NPM, dependencies, Keycloak to v26.1.0 Jan 15, 2025
@renovate renovate bot force-pushed the renovate/gradlenpm-dependencies-keycloak branch from bbc4db5 to 0d06d59 Compare January 15, 2025 11:25