Keycloak 25 Released: New Features and Enhancements

The latest release of Keycloak, version 25, introduces a range of new features, enhancements, and important changes designed to improve security, performance, and usability. Here’s a comprehensive overview of what’s new in this version:

Key Highlights

Account Console v2 Theme Removed:

    • The outdated Account Console v2 theme has been removed. Users are encouraged to migrate to the Account Console v3 theme, which offers improved features and security.

Java 21 Support:

    • Keycloak now supports OpenJDK 21, ensuring compatibility with the latest Long-Term Support (LTS) version of Java.
    • Concurrently, support for OpenJDK 17 has been deprecated and will be removed in a future release.

Removal of Most Java Adapters:

    • As previously announced, several Java adapters have been removed, including those for Tomcat, WildFly/EAP, Servlet Filter, and others. Users are encouraged to use alternative libraries such as Elytron OIDC or Spring Boot.

Upgrade to PatternFly 5:

    • The Admin Console and Account Console now use PatternFly 5, the latest version of the design system, providing a more modern and consistent user interface.

Argon2 Password Hashing:

    • Argon2 is now the default password hashing algorithm in non-FIPS environments, offering better security with efficient CPU and memory usage.

New and Enhanced Features

Hostname v2 Options:

    • Simplified and more intuitive hostname configuration settings, replacing the old options, which are now deprecated.

Persistent User Sessions:

    • New feature to store online user and client sessions in the database, allowing users to stay logged in even after Keycloak restarts. This feature is in preview and disabled by default.

Cookies Updates:

    • The SameSite attribute is now set on all cookies, enhancing security and compatibility with recent browser changes.
    • Removal of the KC_AUTH_STATE cookie and of deprecated cookie methods.

Lightweight Access Tokens:

    • Further reduction of built-in claims in lightweight access tokens, improving efficiency and adherence to the OIDC specifications.

Application/JWT Media-Type for Token Introspection:

    • New support for the application/jwt media type at the token introspection endpoint, returning the full JWT access token.
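As an added illustration (not code from this post or from the Keycloak project), here is how a resource server would ask the introspection endpoint for the application/jwt form and then handle either response media type. The base URL, realm, client credentials and the HS256 key are assumptions; the shared key stands in for the realm's RS256 signing key, which a real deployment would verify against the realm's JWKS.

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import urlencode

INTROSPECT_PATH = "/realms/{realm}/protocol/openid-connect/token/introspect"

def build_introspection_request(base_url, realm, token, client_id, client_secret):
    """POST to the introspection endpoint, asking for the full JWT (Accept: application/jwt)."""
    url = base_url.rstrip("/") + INTROSPECT_PATH.format(realm=realm)
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {creds}", "Accept": "application/jwt",
               "Content-Type": "application/x-www-form-urlencoded"}
    return url, headers, urlencode({"token": token})

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def parse_introspection_response(content_type, body, hs256_key, now=None):
    """Claims from a JSON or JWT introspection response, or None if it must not be trusted.
    HS256 with a shared key stands in here for verifying against the realm's RS256 key."""
    media = content_type.split(";")[0].strip().lower()
    if media == "application/json":
        claims = json.loads(body)
    elif media == "application/jwt":
        head_b64, payload_b64, sig_b64 = body.split(".")
        if json.loads(_b64url_decode(head_b64)).get("alg") != "HS256":
            return None  # reject alg=none and anything unexpected
        mac = hmac.new(hs256_key, f"{head_b64}.{payload_b64}".encode(), hashlib.sha256)
        if not hmac.compare_digest(mac.digest(), _b64url_decode(sig_b64)):
            return None  # signature mismatch: tampered or wrong key
        claims = json.loads(_b64url_decode(payload_b64))
    else:
        return None  # unexpected media type: do not guess
    now = time.time() if now is None else now
    if not claims.get("active", True) or claims.get("exp", 0) <= now:
        return None  # JSON reports the token inactive, or the token has expired
    return claims

def make_sample_jwt(claims, hs256_key):
    """Constructed sample standing in for Keycloak's application/jwt response."""
    head = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    mac = hmac.new(hs256_key, f"{head}.{payload}".encode(), hashlib.sha256).digest()
    return f"{head}.{payload}.{_b64url_encode(mac)}"
```

The JSON path still honours the `active` flag, while the JWT path yields the full access token claims that a lightweight access token omits.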

Password Policy Enhancements:

    • New policy to deny passwords containing the username, improving security.

Required Actions Improvements:

    • Configuration options for required actions, such as setting the maximum age for password updates.

Passkeys Improvements:

    • Enhanced support for passkeys, allowing selection from a list of available passkey accounts for user authentication.

SAML Client Profile:

    • New default client profile for secured SAML clients, enforcing security best practices.

OID4VCI Experimental Support:

    • Work in progress for OpenID for Verifiable Credential Issuance, with initial support for the pre-authorized code flow.

Preview Features

OID4VCI (OpenID for Verifiable Credential Issuance):

    • Initial experimental support for the pre-authorized code flow in OID4VCI, laying the groundwork for verifiable credentials.

Persistent User Sessions:

    • This feature is currently in preview and allows user sessions to be stored in the database, ensuring persistence across Keycloak restarts.

New HTTP Configuration Options:

    • Improved and streamlined HTTP-related configuration options for better security and performance.

Granular Access Controls:

    • Experimental features to provide more granular access controls within Keycloak, offering greater flexibility and security.

Multi-Tenancy (Organizations):

    • Multi-tenancy support is introduced as a preview feature, enabling organizations to manage multiple tenants within a single Keycloak instance. This is particularly interesting for enterprises looking to consolidate identity management across departments or subsidiaries while keeping each tenant's environment isolated. It enhances scalability and simplifies the administration of user identities in complex organizational structures.

Upgrading and Migration

Before upgrading, users should refer to the migration guide for a comprehensive list of changes and instructions. Ensuring a smooth transition is critical to taking full advantage of the new features and enhancements in Keycloak 25.

For a detailed list of all resolved issues, new features, and enhancements, you can visit the Keycloak release notes.
