
fix(deps): update all non-major dependencies #59

Open: wants to merge 1 commit into main

Conversation

renovate[bot] (Contributor) commented Jan 8, 2025

This PR contains the following updates:

Package                                          Change
io.smallrye:smallrye-open-api-maven-plugin       4.0.5 -> 4.0.8
org.apache.maven.plugins:maven-compiler-plugin   3.13.0 -> 3.14.0
com.github.dasniko:testcontainers-keycloak       3.5.1 -> 3.6.0
org.testcontainers:junit-jupiter                 1.20.4 -> 1.20.6
org.assertj:assertj-core                         3.27.2 -> 3.27.3
org.junit.jupiter:junit-jupiter                  5.11.4 -> 5.12.0
com.microsoft.playwright:playwright              1.49.0 -> 1.50.0
io.smallrye:smallrye-open-api-jaxrs              4.0.5 -> 4.0.8
org.keycloak:keycloak-admin-client               26.0.3 -> 26.0.4
org.keycloak:keycloak-model-jpa                  26.0.7 -> 26.1.3
org.keycloak:keycloak-services                   26.0.7 -> 26.1.3
org.keycloak:keycloak-server-spi-private         26.0.7 -> 26.1.3
org.keycloak:keycloak-server-spi                 26.0.7 -> 26.1.3

Release Notes

smallrye/smallrye-open-api (io.smallrye:smallrye-open-api-maven-plugin)

v4.0.8

  • #2185 Release 4.0.8
  • #2183 fix: use UTF-8 for InputStreamReaders relying on platform encoding (4.0.x)

v4.0.7

  • #2171 Release 4.0.7
  • #2169 Add support for managed JAX-RS subresource locators
  • #2167 fix: improve handling of nullable parameters
  • #2164 build(deps): Bump org.assertj:assertj-core from 3.27.2 to 3.27.3 in /tools/gradle-plugin
  • #2161 Create properties for record accessors
  • #2160 build(deps): Bump the quarkus group with 4 updates
  • #2159 fix: save parent field information to type resolver's target queue
  • #2156 Permit Callback.pathItemRef to be any JSON path
  • #2152 Fix OpenAPI 3.0 output of nullable references
  • #2150 build(deps): Bump org.jboss.arquillian:arquillian-bom from 1.9.2.Final to 1.9.3.Final
  • #2143 fix: prevent binding OAS parameter to unrelated resource method argument
  • #2141 build(deps): Bump org.springframework:spring-webmvc from 6.1.13 to 6.1.14 in /extension-spring
  • #2140 fix handling of array types as generic type parameters
  • #2138 Spring clean up, remove use of deprecated methods
  • #2136 fix: remove default version from Maven Mojo, resolve deprecations
  • #2134 build(deps): Bump the quarkus group with 4 updates

v4.0.6

  • #2133 Release 4.0.6
  • #2132 Add support for external plugins
  • #2130 Bump org.assertj:assertj-core from 3.27.1 to 3.27.2 in /tools/gradle-plugin
  • #2128 fix: use more accurate formats for byte, short, and char types
  • #2127 Bump org.jboss.arquillian:arquillian-bom from 1.9.1.Final to 1.9.2.Final
  • #2123 Bump org.assertj:assertj-core from 3.27.0 to 3.27.1 in /tools/gradle-plugin
  • #2122 fix: Add support for multiple paths
  • #2121 Vert.x clean up, move non-general methods from test base class
  • #2120 Bump org.assertj:assertj-core from 3.26.3 to 3.27.0 in /tools/gradle-plugin
  • #2119 Bump the quarkus group with 4 updates
  • #2117 Skip IO of fields added in OpenAPI 3.1 when reading or writing OpenAPI 3.0 documents
  • #2115 fix: include interface generic type parameters in resolution stack
  • #2114 Bump org.springframework.security:spring-security-core from 6.4.1 to 6.4.2
  • #2111 Bump org.jboss.shrinkwrap.resolver:shrinkwrap-resolver-bom from 3.3.2 to 3.3.3
  • #2108 Bump the quarkus group with 4 updates
  • #2107 Handle Kotlin Flow as a wrapper type
  • #2104 Bump nanoid from 3.2.0 to 3.3.8 in /ui/open-api-ui-forms

dasniko/testcontainers-keycloak (com.github.dasniko:testcontainers-keycloak)

v3.6.0

Full Changelog: dasniko/testcontainers-keycloak@3.5.1...3.6.0

testcontainers/testcontainers-java (org.testcontainers:junit-jupiter)

v1.20.6

v1.20.5

microsoft/playwright-java (com.microsoft.playwright:playwright)

v1.50.0

UI updates

  • New button in Codegen for picking elements to produce aria snapshots.
  • Additional details (such as keys pressed) are now displayed alongside action API calls in traces.
  • Display of canvas content in traces is error-prone. Display is now disabled by default, and can be enabled via the Display canvas content UI setting.
  • Call and Network panels now display additional time information.

Browser Versions

  • Chromium 133.0.6943.16
  • Mozilla Firefox 134.0
  • WebKit 18.2

This version was also tested against the following stable channels:

  • Google Chrome 132
  • Microsoft Edge 132

keycloak/keycloak (org.keycloak:keycloak-model-jpa)

v26.1.3

Highlights

Send Reset Email force login again for federated users after reset credentials

In version 26.1.1 a new configuration option was added to the reset-credential-email (Send Reset Email) authenticator to allow changing the default behavior after the reset credentials flow. The option force-login (Force login after reset) now adds a third configuration value, only-federated, which means that the force login is true for federated users and false for the internal database users. The new behavior is now the default. This way all users managed by user federation providers, whose implementation may not be so tightly integrated with Keycloak, are forced to log in again after the reset credentials flow to avoid any issue. This change in behavior is due to the secure by default policy.

For more information, see Enable forgot password.

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Bugs

  • #32535 Invalid migration export for empty database core
  • #36405 Redirect after linking account account/ui
  • #36527 Viewing user events requires `view-realm`-role admin/ui
  • #36585 Keycloak user attribute key broken in Keycloak 26.1.0 admin/ui
  • #36703 When linking IDP to an organization hide on login sets as off admin/ui
  • #36709 SAML2 Client Signing Keys Config does not accept PEM import admin/ui
  • #36842 Comboboxes do not display selected option after reset admin/ui
  • #36927 MeterFilter is configured after a Meter has been registered dist/quarkus
  • #36965 CVE-2025-0736 Error during JGroups channel creation may reveal secure information
  • #36985 Admin console: unable to edit user profile attribute either on the form or the JSON editor. admin/ui
  • #37029 CI fails with "Problem creating zip: Execution exception: Java heap space" ci
  • #37066 Error on import of a public key (pem) authentication
  • #37128 Customized quarkus.properties for MySQL cause "Unable to find the JDBC driver (org.h2.Driver)", the server fails to start. storage
  • #37169 Wrong organization claim assignment in JWT access token organizations
  • #37207 Change default value for force-login option in reset-credential-email authentication
  • #37229 Login form can be used to determine which email addresses / usernames are in the system login/ui
  • #37268 Problems changing pre-defined user profile attributes admin/ui
  • #37285 Upgrade to latest JGroups patch version
  • #37360 CVE-2024-47072 - XStream is vulnerable to a Denial of Service attack due to stack overflow from a manipulated binary input stream
  • #37431 Password policies like NoUsername consider case-sensitivity authentication
  • #37434 External Link Test failing docs
  • #37577 Property Name Casing Mismatch in ProtocolMapperUtils saml

v26.1.2

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Deprecated features

  • #525 Drop support for end-of-life versions of Node.js

Enhancements

  • #573 Convert tests to standard modules to upgrade dependencies
  • #576 Upgrade `@keycloak/keycloak-admin-client` to latest version dependencies

Bugs

  • #567 Connections with an error code are not terminated
  • #571 CI status badge in README is incorrect
  • #36858 JDBC Ping with Docker infinispan
  • #36919 Latency issue after Keycloak version upgrade core
  • #36926 Invoking dynamic client registration with lightweight access token results in a 404 oidc
  • #37162 Pods become unresponsive after upgrade to 26.1.0 infinispan

v26.1.1

Highlights

New option in X.509 authenticator to abort authentication if CRL is outdated

The X.509 authenticator has a new option x509-cert-auth-crl-abort-if-non-updated (CRL abort if non updated in the Admin Console) to abort the login if a CRL is configured to validate the certificate and the CRL is not updated in the time specified in the next update field. The new option defaults to true in the Admin Console. For more details about the CRL next update field, see RFC 5280, Section 5.1.2.5.

The value false is maintained for compatibility with the previous behavior. Note that existing configurations will not have the new option and will act as if this option was set to false, but the Admin Console will add the default value true on edit.

New option in Send Reset Email to force a login after reset credentials

The reset-credential-email (Send Reset Email) is the authenticator used in the reset credentials flow (forgot password feature) for sending the email to the user with the reset credentials token link. This authenticator now has a new option force-login (Force login after reset). When this option is set to true, the authenticator terminates the session and forces a new login.

For more details about this new option, see Enable forgot password.

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Enhancements

  • #552 Clean up old release code from Node.js adapter repo
  • #34275 Organizations: Allow Organization Selection organizations
  • #34343 CreatedResponseUtil.getCreatedId should expose the actual error message from the server admin/client-java
  • #36440 Remove Node.js adapter documentation from main repo docs
  • #36456 Clarify IPv6 JGroups requirements in Keycloak documentation
  • #36798 Add detail on dependencyManagement section for POM files

Bugs

  • #558 The draft nightly untagged release is created by "Release nightly" GH action
  • #562 Incorrectly resolved {project_versionNpm} expression in the documentation
  • #32766 Translation error in messages_fr.properties translations
  • #33477 LDAP groups not showing members in Groups when using memberOf attribute ldap
  • #36159 Realm not found while exists and works if entered directly in the URL admin/ui
  • #36460 Deployment artifacts for Quarkus extensions are not in deployment dir dist/quarkus
  • #36483 Wrong link for tracing in 26.1.0 release notes docs
  • #36514 The organization claim does not appear if the Organization Membership Mapper is added through a custom client scope organizations
  • #36531 WebAuthN and dark mode: device icons are hardly readable login/ui
  • #36559 keycloak.v2 forms are too small for mobile view login/ui
  • #36629 All IDPs shown when reloading login page login/ui
  • #36649 When organizations feature is turned on, login_hint doesn't prefill identity-first login's page email field organizations
  • #36669 --spi-connections-liquibase-default-index-creation-threshold does not work core
  • #36675 Links error for https://jwt.io in documentation docs
  • #36728 Logging errors on DB transaction retries core
  • #36745 Conflict when Keycloak uses an OpenShift cluster ingress certificate operator
  • #36781 Flaky test: org.keycloak.testsuite.webauthn.account.WebAuthnTransportLocaleTest#localizationTransportInternal ci
  • #36782 Flaky test: org.keycloak.testsuite.webauthn.account.WebAuthnSigningInTest#multipleSecurityKeys ci
  • #36844 Provide an option to force login after reset credentials authentication
  • #36887 Outdated documentation about how to use reCAPTCHA in development with localhost docs
  • #36902 Flaky test: org.keycloak.testsuite.webauthn.account.WebAuthnErrorTest#errorPageWithTimeout ci
  • #36945 Bad escape apostrophe character in messages_fr.properties login/ui
  • #36988 Typos in English email message templates translations
  • #36998 UI tests failing admin/ui

v26.1.0

Highlights

Transport stack jdbc-ping as new default

Keycloak now uses by default its database to discover other nodes of the same cluster, which removes the need of additional network related configurations especially for cloud providers. It is also a default that will work out-of-the-box in cloud environments.

Previous versions of Keycloak used as a default UDP multicast to discover other nodes to form a cluster and to synchronize the replicated caches of Keycloak. This required multicast to be available and to be configured correctly, which is usually not the case in cloud environments.

Starting with this version, the default changes to the jdbc-ping configuration, which uses Keycloak's database to discover other nodes. As this removes the need for multicast network capabilities and UDP, and no longer uses dynamic ports for the TCP-based failure detection, this is a simplification and a drop-in replacement for environments which used the previous default. To enable the previous behavior, choose the transport stack udp, which is now deprecated.

The Keycloak Operator will continue to configure kubernetes as a transport stack.

See the Configuring distributed caches guide for more information.

Virtual Threads enabled for Infinispan and JGroups thread pools

Starting from this release, Keycloak automatically enables the virtual thread pool support in both the embedded Infinispan and JGroups when running on OpenJDK 21. This removes the need to configure the JGroups thread pool, the need to align the JGroups thread pool with the HTTP worker thread pool, and reduces the overall memory footprint.

OpenTelemetry Tracing supported

In the previous release, the OpenTelemetry Tracing feature was preview and is fully supported now. It means the opentelemetry feature is enabled by default.

Multiple improvements were made to the tracing capabilities in Keycloak, such as:

  • Configuration via Keycloak CR in Keycloak Operator
  • Custom spans for:
    • Incoming/outgoing HTTP requests including Identity Providers brokerage
    • Database operations and connections
    • LDAP requests
    • Time-consuming operations (password hashing, persistent sessions operations, …)

For more information, see the Enabling Tracing guide.

Infinispan default XML configuration location

Previous releases ignored any change to conf/cache-ispn.xml if the --cache-config-file option was not provided.

Starting from this release, when --cache-config-file is not set, the default Infinispan XML configuration file is conf/cache-ispn.xml as this is both the expected behavior and the implied behavior given the docs of the current and previous releases.

Individual options for category-specific log levels

It is now possible to set category-specific log levels as individual log-level-category options.

For more details, see the Logging guide.

OpenID for Verifiable Credential Issuance

The OpenID for Verifiable Credential Issuance (OID4VCI) remains an experimental feature in Keycloak, but it has great improvements in this release. This feature benefits from much polishing of the existing configuration and making the feature more dynamic and customizable.

You will find significant development and discussions in the Keycloak OAuth SIG. Anyone from the Keycloak community is welcome to join.

Many thanks to all members of the OAuth SIG group for the participation in the development and discussions about this feature. Especially thanks to Francis Pouatcha, Ingrid Kamga, Pascal Knüppel, Thomas Darimont, Ogen Bertrand, Awambeng Rodrick and Takashi Norimatsu.

Minimum ACR Value for the client

The option Minimum ACR value is added as a configuration option on the realm OIDC clients. This addition is an enhancement related to step-up authentication, which makes it possible to enforce minimum ACR level when logging in to the particular client.

Many thanks to Simon Levermann for the contribution.

Support for prompt=create

Support now exists for the Initiating user registration standard, which allows OIDC clients to initiate the login request with the parameter prompt=create to notify Keycloak that a new user should be registered rather than an existing user authenticated. Initiating user registration was already supported in Keycloak with the use of dedicated endpoint /realms/<realm>/protocol/openid-connect/registrations. However, this endpoint is now deprecated in favor of the standard way as it was a proprietary solution specific to Keycloak.

Many thanks to Thomas Darimont for the contribution.

Option to create certificates for generated EC keys

A new option, Generate certificate, exists for EC-DSA and Ed-DSA key providers. When the generated key is created by a realm administrator, a certificate might be generated for this key. The certificate information is available in the Admin Console and in the JWK representation of this key, which is available from JWKS endpoint with the realm keys.

Many thanks to Pascal Knüppel for the contribution.

Authorization Code Binding to a DPoP Key

Support now exists for Authorization Code Binding to a DPoP Key including support for the DPoP with Pushed Authorization Requests.

Many thanks to Takashi Norimatsu for the contribution.

Maximum count and length for additional parameters sent to OIDC authentication request

The OIDC authentication request supports a limited number of additional custom parameters of maximum length. The additional parameters can be used for custom purposes (for example, adding the claims into the token with the use of the protocol mappers). In the previous versions, the maximum count of the parameters was hardcoded to 5 and the maximum length of the parameters was hardcoded to 2000. Now both values are configurable. Additionally, it is now possible to configure whether additional parameters cause a request to fail or are ignored.

Many thanks to Manuel Schallar and Patrick Weiner for the contribution.

Network Policy support added to the Keycloak Operator

Note: Preview feature.

To improve the security of your Kubernetes deployment, Network Policies can be specified in your Keycloak CR. The Keycloak Operator accepts the ingress rules, which define from where the traffic is allowed to come from, and automatically creates the necessary Network Policies.

LDAP users are created as enabled by default when using Microsoft Active Directory

If you are using Microsoft AD and creating users through the administrative interfaces, the user will be created as enabled by default.

In previous versions, it was only possible to update the user status after setting a (non-temporary) password to the user. This behavior was not consistent with other built-in user storages as well as not consistent with other LDAP vendors supported by the LDAP provider.

New conditional authenticators Condition - sub-flow executed and Condition - client scope

The Condition - sub-flow executed and Condition - client scope are new conditional authenticators in Keycloak. The condition Condition - sub-flow executed checks if a previous sub-flow was executed (or not executed) successfully during the authentication flow execution. The condition Condition - client scope checks if a configured client scope is present as a client scope of the client requesting authentication. For more details, see Conditions in conditional flows.

Defining dependencies between provider factories

When developing extensions for Keycloak, developers can now specify dependencies between provider factories classes by implementing the method dependsOn() in the ProviderFactory interface. See the Javadoc for a detailed description.

Dark mode enabled for the welcome theme

We've now enabled dark mode support for all the keycloak themes. This feature was previously present in the admin console, account console and login, and is now also available on the welcome page. If a user indicates their preference through an operating system setting (e.g. light or dark mode) or a user agent setting, the theme will automatically follow these preferences.

If you are using a custom theme that extends any of the keycloak themes and are not yet ready to support dark mode, or have styling conflicts that prevent you from implementing dark mode, you can disable support by adding the following property to your theme:

darkMode=false

Alternatively, you can disable dark mode support for the built-in Keycloak themes on a per-realm basis by turning off the Dark mode setting under the Theme tab in the realm settings.

Metrics on password hashing

There is a new metric available counting how many password validations were performed by Keycloak. This allows you to better assess where CPU resources are used, and can feed into your sizing calculations.

Sign out all active sessions in admin console now effectively removes all sessions

In previous versions, clicking on Sign out all active sessions in the admin console resulted in the removal of regular sessions only. Offline sessions would still be displayed despite being effectively invalidated.

This has been changed. Now all sessions, regular and offline, are removed when signing out of all active sessions.

Dedicated release cycle for the Node.js adapter and JavaScript adapter

From this release onwards, the Keycloak JavaScript adapter and Keycloak Node.js adapter will have a release cycle independent of the Keycloak server release cycle. The 26.1.0 release may be the last one where these adapters are released together with the Keycloak server, but from now on, these adapters may be released at a different time than the Keycloak server.

Updates in quickstarts

The Keycloak quickstarts are now using main as the base branch. The latest branch, used previously, is removed. The main branch depends on the last released version of the Keycloak server, Keycloak client libraries, and adapters. As a result, contributions to the quickstarts are immediately visible to quickstart consumers with no need to wait for the next Keycloak server release.

The format of the KEYCLOAK_SESSION cookie was slightly updated to not contain any private data in plain text. Until now, the format of the cookie was realmName/userId/userSessionId. Now the cookie contains only the user session ID, hashed with SHA-256 and URL encoded.

The format of AUTH_SESSION_ID cookie was updated to include a signature of the auth session id to ensure its integrity through signature verification. The new format is base64(auth_session_id.auth_session_id_signature). With this update, the old format will no longer be accepted, meaning that old auth sessions will no longer be valid. This change has no impact on user sessions.

These changes affect you only if you implement your own providers and rely on the format of internal Keycloak cookies.

Removal of robots.txt file

config help if that's undesired.

This PR was generated by Mend Renovate. View the repository job log.
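The Keycloak 26.1.0 notes quoted above describe two cookie-format changes: KEYCLOAK_SESSION no longer carries realm and user id in plain text, and AUTH_SESSION_ID carries a signature so unsigned or altered values are rejected. The following is an added example, not Keycloak's own code, that models both changes so a custom-provider author can see what the new values look like and how a verifier refuses the old format. The notes do not state the signature scheme or the hash encoding; this example assumes HMAC-SHA256 with a server-side key and URL-safe base64 without padding, and models the old AUTH_SESSION_ID as the bare auth session id.

```python
"""Model of the Keycloak 26.1 cookie-format changes (added example, not Keycloak code).

Assumptions not stated in the release notes: HMAC-SHA256 over the auth session id
as the signature, URL-safe base64 without padding, and a bare id as the old format.
"""
import base64
import hashlib
import hmac
from typing import Optional
from urllib.parse import quote

# Constructed server-side signing key for the demo; not a real Keycloak key.
SIGNING_KEY = b"constructed-demo-signing-key"


def legacy_keycloak_session(realm: str, user_id: str, user_session_id: str) -> str:
    """Pre-26.1 KEYCLOAK_SESSION: realmName/userId/userSessionId in plain text."""
    return f"{realm}/{user_id}/{user_session_id}"


def keycloak_session(user_session_id: str) -> str:
    """26.1 KEYCLOAK_SESSION: SHA-256 of the user session id, base64 then URL-encoded.

    The base64 alphabet includes '/', '+' and '=', so quote() with safe="" is what
    makes the value cookie-safe; no realm or user id is recoverable from it.
    """
    digest = hashlib.sha256(user_session_id.encode()).digest()
    return quote(base64.b64encode(digest).decode(), safe="")


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    # Re-add padding; binascii.Error (a ValueError) is raised on malformed input.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(auth_session_id: str, key: bytes) -> bytes:
    return hmac.new(key, auth_session_id.encode(), hashlib.sha256).digest()


def auth_session_id_cookie(auth_session_id: str, key: bytes = SIGNING_KEY) -> str:
    """26.1 AUTH_SESSION_ID: base64(auth_session_id.auth_session_id_signature)."""
    signature = _b64(_sign(auth_session_id, key))
    return _b64(f"{auth_session_id}.{signature}".encode())


def verify_auth_session_id_cookie(cookie: str, key: bytes = SIGNING_KEY) -> Optional[str]:
    """Return the auth session id if the cookie is well-formed and its signature
    verifies; return None for altered values, values signed under another key,
    and the old unsigned format, which the notes say is no longer accepted."""
    try:
        raw = _unb64(cookie).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    auth_session_id, sep, signature = raw.rpartition(".")
    if not sep or not auth_session_id:
        return None  # no "id.signature" structure: legacy or garbage
    try:
        given = _unb64(signature)
    except ValueError:
        return None
    # Constant-time comparison so verification timing does not leak the MAC.
    if not hmac.compare_digest(given, _sign(auth_session_id, key)):
        return None
    return auth_session_id
```

A provider that still parses realmName/userId/userSessionId out of KEYCLOAK_SESSION, or treats AUTH_SESSION_ID as a bare id, will fail against 26.1 in exactly the ways verify_auth_session_id_cookie shows.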

@renovate renovate bot changed the title from "fix(deps): update all non-major dependencies to v4.0.6" to "fix(deps): update all non-major dependencies" on Jan 13, 2025
@renovate renovate bot force-pushed the renovate/all-minor-patch branch 5 times, most recently from 6bff3cf to cfc8963, on January 19, 2025 09:35
@renovate renovate bot force-pushed the renovate/all-minor-patch branch from cfc8963 to e8a1cc2 on January 23, 2025 00:39
@renovate renovate bot force-pushed the renovate/all-minor-patch branch 3 times, most recently from a6b83d8 to 2b725d6, on February 5, 2025 14:00
@renovate renovate bot force-pushed the renovate/all-minor-patch branch from 2b725d6 to 1dc1c5e on February 11, 2025 10:08
@renovate renovate bot force-pushed the renovate/all-minor-patch branch 3 times, most recently from 1d7b24a to fee4e7a, on February 21, 2025 14:07
@renovate renovate bot force-pushed the renovate/all-minor-patch branch from fee4e7a to 649f8c3 on February 28, 2025 10:13
@renovate renovate bot force-pushed the renovate/all-minor-patch branch from 649f8c3 to 5cf2a48 on March 4, 2025 21:54