Keycloak 26.0.0: What’s New and Key Migration Steps

Alright! Keycloak 26.0.0 is here, and with it comes a host of new features that improve usability, security, and scalability. Whether you’re managing a large-scale deployment or a smaller setup (on-premise or in Skycloak 😉), this latest release is designed to simplify some identity management tasks and enhance the overall Keycloak experience.

In this post, we’ll explore the key new features in Keycloak 26.0.0 and walk you through the important steps for migrating, ensuring a smooth transition for your environment.

TLDR – Give me something that will help me now! Ok! This blog post was brought to you by our GPT that will help you migrate from version X to Y.

What’s New in Keycloak 26.0.0?

1. Organizations Support

One of the most requested features is now fully available: Organizations. This functionality allows administrators to create and manage organizational structures, helping to segregate users, roles, and permissions within specific groups or departments. For businesses that operate across multiple teams, this feature simplifies the management of access controls. Don’t get too excited though; make sure that the features are the ones you expected. There is an issue on GitHub that tracks the changes. Go take a look.

2. Persistent User Sessions by Default

Starting with version 26.0.0, all user sessions are now persisted in the database by default. This change improves session handling, especially in multi-instance setups, by ensuring that session data remains consistent across instances, improving high availability and reducing failover issues.

3. New Login Theme (v2)

A refreshed login theme (v2) has been introduced with a cleaner design and dark mode support. The theme automatically adjusts based on user preferences, offering a modern, responsive user experience. If you’re using the default theme, your instances will automatically switch to this new version.

4. Improved Multi-Site Deployment

Keycloak 26.0.0 improves high-availability (HA) setups, especially for multi-site deployments. With the new update, Keycloak can handle user requests simultaneously across multiple sites, reducing downtime and improving overall reliability during failover scenarios.

5. Simplified Admin Recovery

Keycloak now offers a simplified process for recovering admin access if all admin accounts become locked out. This is done by bootstrapping a temporary admin account, which can be easily managed via new environment variables. This feature is crucial for avoiding downtime in critical situations.

Important Migration Steps to Keycloak 26.0.0

Migrating to Keycloak 26.0.0 involves several important changes that you should be aware of to ensure a seamless upgrade. Here’s a quick guide to the key migration steps (check out our GPT to help you upgrade):

1. Cache Handling Due to Infinispan Marshalling Changes

Keycloak 26 introduces changes to the marshalling library, moving from JBoss Marshalling to Infinispan Protostream. ❗Important: If you’re upgrading from a version prior to Keycloak 25, you must first upgrade to version 25 and enable persistent sessions. This ensures that no session data is lost during the upgrade. When upgrading to 26, all caches will be cleared due to these incompatible libraries.

For detailed migration instructions, see the Keycloak 26.0.0 Migration Guide.

2. Persistent User Sessions by Default

Persistent sessions are now enabled by default, which ensures that user session data remains available across Keycloak restarts and failover events. If you do not need persistent sessions, you can disable this feature through the configuration settings.

For more details, visit the Keycloak Session Management Guide.

3. Operator Changes: Proxy Defaults Updated

The Keycloak Operator no longer defaults to proxy=passthrough. If you’re using hostname v2 for deployments, the operator now supports this without needing additional settings. Ensure your proxy configurations are updated accordingly.

For more on the operator updates, check the Keycloak Operator Guide.

4. Theme Updates

If your realm is using the default login theme, Keycloak will automatically apply the new v2 theme. For custom themes, make sure you update the paths for third-party libraries and resources, as some have changed in this release.

For further information on customizing themes, visit the Keycloak Theme Customization Guide.

5. Admin Recovery with New Bootstrapping Options

If all admin accounts become locked out, Keycloak 26 makes it easy to recover access by allowing you to bootstrap a temporary admin account using the new KC_BOOTSTRAP_ADMIN_USERNAME and KC_BOOTSTRAP_ADMIN_PASSWORD environment variables. This avoids the need for complex database recovery procedures.

Learn more in the Admin Recovery Guide.
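
The migration steps above can be checked against a deployment's environment before the upgrade starts. The following is an added example, not code from the original post or from the Keycloak project: `parse_env`, `audit`, the finding codes and the 16-character threshold are hypothetical, the sample environment is constructed, and it assumes options are passed as `KC_*` environment variables with `persistent-user-sessions` as the feature name.

```python
# Added example; parse_env(), audit() and the finding codes are hypothetical names.
SAMPLE_ENV = """\
# constructed sample: environment of a Keycloak 25 container before the upgrade
KC_DB=postgres
KC_FEATURES=token-exchange
KEYCLOAK_ADMIN=admin
KEYCLOAK_ADMIN_PASSWORD=admin
"""

MIN_SECRET_LEN = 16  # assumed local policy, not a Keycloak requirement

def parse_env(text):
    """Parse KEY=VALUE lines, skipping blanks and comments."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            env[key.strip()] = value.strip().strip("\"'")
    return env

def features(env, key):
    """Split a comma-separated feature list into a set."""
    return {f.strip() for f in env.get(key, "").split(",") if f.strip()}

def audit(env, current_major):
    """Return (code, message) findings for an upgrade to Keycloak 26."""
    findings = []
    persisted = "persistent-user-sessions" in features(env, "KC_FEATURES")
    if current_major < 25:
        findings.append(("UPGRADE_PATH", "upgrade to 25 and enable persistent sessions first"))
    elif current_major == 25 and not persisted:
        findings.append(("SESSIONS_LOST", "sessions live only in caches, which 26 clears"))
    if "persistent-user-sessions" in features(env, "KC_FEATURES_DISABLED"):
        findings.append(("SESSIONS_VOLATILE", "persistent sessions disabled; sessions stay in caches only"))
    if "KEYCLOAK_ADMIN" in env or "KEYCLOAK_ADMIN_PASSWORD" in env:
        findings.append(("LEGACY_ADMIN_VARS", "replace with KC_BOOTSTRAP_ADMIN_USERNAME/_PASSWORD"))
    # The bootstrap account is temporary, but its secret still guards full admin access.
    user = env.get("KC_BOOTSTRAP_ADMIN_USERNAME", env.get("KEYCLOAK_ADMIN", ""))
    password = env.get("KC_BOOTSTRAP_ADMIN_PASSWORD", env.get("KEYCLOAK_ADMIN_PASSWORD"))
    if password is not None and (len(password) < MIN_SECRET_LEN or password == user):
        findings.append(("WEAK_BOOTSTRAP_SECRET", "temporary admin password is short or equals the username"))
    return findings

if __name__ == "__main__":
    for code, message in audit(parse_env(SAMPLE_ENV), current_major=25):
        print(f"{code}: {message}")
```

Once a permanent admin exists, remove the bootstrap variables from the environment and delete the temporary account so the recovery credentials do not linger.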

Using The Keycloak Upgrade Assistant

You can also use our assistant GPT to figure out what was discussed in this blog post. See an example below:

Look at this answer 👌. I wish more Keycloak devs had this to help themselves!

Conclusion

Keycloak 26.0.0 brings valuable improvements to organizations using it as their identity management solution, with key enhancements in session handling, multi-site deployment, and admin recovery. Whether you are managing a small setup or large-scale infrastructure, this release ensures smoother operations, better security, and improved failover management.

To learn more about this version and ensure a smooth migration, refer to the official Keycloak 26.0.0 Migration Guide.

To use our GPT to help yourself upgrade, check it out HERE.
