keycloak/docs/documentation/release_notes/topics/26_4_0.adoc
Alexander Schwartz 665f4140da
Adding missing docs for 26.4 release notes
Closes #42252

Signed-off-by: Alexander Schwartz <alexander.schwartz@gmx.net>
Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
Co-authored-by: Vinod Anandan <vinod@owasp.org>
2025-09-02 17:47:12 -03:00


// Release notes should contain only headline-worthy new features,
// assuming that people who migrate will read the upgrading guide anyway.
Read on to learn more about each new feature, and https://www.keycloak.org/docs/latest/upgrading/index.html[find additional details in the upgrading guide] if you are upgrading from a previous release of {project_name}.

= Supported Update Email Workflow

The Update Email Workflow is now a supported feature. It provides a more secure and consistent flow for updating a user's email address,
because users must re-authenticate and verify the new address before the change is applied to their account.

For more information, see the link:{adminguide_link}#_update-email-workflow[Update Email Workflow] chapter in the {adminguide_name}.

= Option to force the management interface to use HTTP

There is a new option, `http-management-scheme`, that may be set to `http` to force the management interface to use HTTP rather than inheriting the HTTPS settings of the main interface.

= Option to expose health endpoints on the main HTTP(S) ports

With `health-enabled` set to `true`, you may set `http-management-health-enabled` to `false` so that the health endpoints are exposed on the main HTTP(S) ports instead of the
management port. When this option is `false`, you should block unwanted external traffic to `/health` at your proxy, because the main ports are the ones reachable by clients.

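The two options above interact: the scheme of the management interface decides how `/health` is served by default, and `http-management-health-enabled=false` moves it onto the client-facing ports. The following added example (not Keycloak code) resolves a set of server options to the scheme and port on which `/health` will answer and emits the proxy guard when it lands on the main interface. The port defaults are assumptions taken from the documented Keycloak defaults; confirm them with `kc.sh start --help` for your version.

```python
"""Added example, not part of Keycloak: work out where /health is served from a
set of server options so the proxy rule can be verified before go-live.
Port defaults below are assumptions taken from the documented Keycloak
defaults; confirm them with `kc.sh start --help` for your version."""

from dataclasses import dataclass, field

DEFAULT_HTTP_PORT = 8080          # assumed default of `http-port`
DEFAULT_HTTPS_PORT = 8443         # assumed default of `https-port`
DEFAULT_MANAGEMENT_PORT = 9000    # assumed default of `http-management-port`


@dataclass
class HealthExposure:
    scheme: str              # "http" or "https"
    port: int
    on_main_interface: bool  # True when /health shares the client-facing ports
    warnings: list = field(default_factory=list)


def _flag(opts, key, default):
    """Read a boolean option given either as a bool or as the string "true"/"false"."""
    value = opts.get(key, default)
    return value if isinstance(value, bool) else str(value).strip().lower() == "true"


def main_interface_uses_https(opts):
    """The main interface serves HTTPS once a certificate or key store is configured."""
    return any(k in opts for k in ("https-certificate-file", "https-key-store-file"))


def management_scheme(opts):
    """`http-management-scheme=http` forces plain HTTP on the management interface;
    otherwise it inherits the HTTPS setup of the main interface."""
    if str(opts.get("http-management-scheme", "inherited")).lower() == "http":
        return "http"
    return "https" if main_interface_uses_https(opts) else "http"


def health_exposure(opts):
    """Return a HealthExposure, or None when `health-enabled` is not set to true."""
    if not _flag(opts, "health-enabled", False):
        return None
    if _flag(opts, "http-management-health-enabled", True):
        port = int(opts.get("http-management-port", DEFAULT_MANAGEMENT_PORT))
        return HealthExposure(management_scheme(opts), port, False)
    # http-management-health-enabled=false moves /health onto the main HTTP(S) ports.
    if main_interface_uses_https(opts):
        exposure = HealthExposure("https", int(opts.get("https-port", DEFAULT_HTTPS_PORT)), True)
    else:
        exposure = HealthExposure("http", int(opts.get("http-port", DEFAULT_HTTP_PORT)), True)
    exposure.warnings.append(
        "/health is served on the client-facing port: block external access to /health at the proxy")
    return exposure


def render_nginx_guard(exposure):
    """nginx location block denying /health when it sits on the main interface; empty otherwise."""
    if exposure is None or not exposure.on_main_interface:
        return ""
    return "location ^~ /health {\n    return 404;\n}\n"


if __name__ == "__main__":
    # Constructed option sets: the default management-port layout and the new main-port layout.
    for opts in ({"health-enabled": "true"},
                 {"health-enabled": "true", "http-management-health-enabled": "false"}):
        e = health_exposure(opts)
        print(opts, "->", f"{e.scheme}://host:{e.port}/health", e.warnings)
        print(render_nginx_guard(e), end="")
```

Run it with the option map you pass to `kc.sh start` (or read from `conf/keycloak.conf`); an empty guard string means `/health` stays on the management port and no proxy rule is needed.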
= Additional context information for log messages (preview)

You can now add context information, such as the realm or the client that initiated the request, to each log message.
This helps you trace a warning or error message in the log back to a specific caller or environment.
For more details on this opt-in feature, see the https://www.keycloak.org/server/logging[Logging guide].

= Ability to specify a `tlsSecret` on the Keycloak CR `ingress` spec

To support basic TLS termination (edge) deployments via the operator, you may now set the Keycloak CR `spec.ingress.tlsSecret` field to the name of a TLS Secret in the same namespace as the CR.

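The following added example (not operator code) builds such a CR and pre-checks that the referenced Secret exists in the CR's namespace, is of type `kubernetes.io/tls` and carries PEM data under `tls.crt` and `tls.key`, which is what an operator-managed ingress will look for. Only `spec.ingress.tlsSecret` comes from this release note; the other CR fields used (`spec.http.httpEnabled`, `spec.proxy.headers`, `spec.hostname.hostname`, `spec.instances`) are assumptions from the operator CRD that you should confirm with `kubectl explain keycloak.spec`.

```python
"""Added example, not operator code: build a Keycloak CR whose operator-managed
ingress terminates TLS with `spec.ingress.tlsSecret`, and pre-check that the
referenced Secret is usable. CR fields other than ingress.tlsSecret
(http.httpEnabled, proxy.headers, hostname.hostname, instances) are assumptions
from the operator CRD; confirm them with `kubectl explain keycloak.spec`."""

import base64
import json

TLS_SECRET_TYPE = "kubernetes.io/tls"


def keycloak_cr(name, namespace, hostname, tls_secret):
    """Keycloak CR for an edge (ingress-terminated) TLS deployment."""
    return {
        "apiVersion": "k8s.keycloak.org/v2alpha1",
        "kind": "Keycloak",
        "metadata": {"name": name, "namespace": namespace},
        "spec": {
            "instances": 1,
            "hostname": {"hostname": hostname},
            # Edge termination: the pods speak plain HTTP behind the ingress and must
            # trust the X-Forwarded-* headers it sets to reconstruct https:// URLs.
            "http": {"httpEnabled": True},
            "proxy": {"headers": "xforwarded"},
            "ingress": {"enabled": True, "tlsSecret": tls_secret},
        },
    }


def check_tls_secret(cr, secrets):
    """Return findings for the Secret referenced by spec.ingress.tlsSecret (empty list = usable).
    `secrets` is a list of Secret objects as returned by `kubectl get secret -o json`."""
    findings = []
    ns = cr["metadata"].get("namespace", "default")
    name = cr["spec"].get("ingress", {}).get("tlsSecret")
    if not name:
        return ["spec.ingress.tlsSecret is not set; the ingress will be created without TLS"]
    matches = [s for s in secrets
               if s["metadata"]["name"] == name
               and s["metadata"].get("namespace", "default") == ns]
    if not matches:
        return [f"Secret {ns}/{name} not found; it must live in the CR's own namespace"]
    secret = matches[0]
    if secret.get("type") != TLS_SECRET_TYPE:
        findings.append(f"Secret {ns}/{name} has type {secret.get('type')!r}, expected {TLS_SECRET_TYPE!r}")
    data = secret.get("data") or {}
    for key in ("tls.crt", "tls.key"):
        encoded = data.get(key)
        if not encoded:
            findings.append(f"Secret {ns}/{name} is missing data key {key}")
            continue
        try:
            decoded = base64.b64decode(encoded, validate=True)
        except ValueError:  # binascii.Error is a ValueError
            findings.append(f"{key} in Secret {ns}/{name} is not valid base64")
            continue
        if b"-----BEGIN" not in decoded:
            findings.append(f"{key} in Secret {ns}/{name} is not PEM encoded")
    return findings


def sample_tls_secret(name="example-kc-tls", namespace="keycloak"):
    """Constructed stand-in for `kubectl create secret tls` output; not a real key pair."""
    def pem(label):
        return f"-----BEGIN {label}-----\nMIIB...\n-----END {label}-----\n".encode()
    return {
        "apiVersion": "v1", "kind": "Secret", "type": TLS_SECRET_TYPE,
        "metadata": {"name": name, "namespace": namespace},
        "data": {"tls.crt": base64.b64encode(pem("CERTIFICATE")).decode(),
                 "tls.key": base64.b64encode(pem("PRIVATE KEY")).decode()},
    }


if __name__ == "__main__":
    cr = keycloak_cr("example-kc", "keycloak", "sso.example.test", "example-kc-tls")
    problems = check_tls_secret(cr, [sample_tls_secret()])
    # JSON is valid YAML, so the output can be piped straight into `kubectl apply -f -`.
    print(json.dumps(cr, indent=2) if not problems else "\n".join(problems))
```

In practice you would feed `check_tls_secret` the `items` array of `kubectl get secret -n <namespace> -o json` rather than the constructed sample.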
= HTTP Access logging

{project_name} supports HTTP access logging to record details of incoming HTTP requests.
While access logs are often used for debugging and traffic analysis, they are also important for security auditing and compliance monitoring.
For more information, see the https://www.keycloak.org/server/logging[Logging guide].

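To show what the auditing use of an access log looks like in practice, the following added example (not Keycloak code) runs two checks over a few constructed log lines: bursts of rejected requests to a realm's `/realms/<realm>/protocol/openid-connect/token` endpoint from one source address (a password-spraying or credential-stuffing signal) and calls under `/admin/` from outside an allowed network. The sample lines are constructed in the Common Log Format; the pattern your server writes is governed by its access-log settings in the Logging guide, so adapt the `CLF` regular expression if yours differs.

```python
"""Added example, not Keycloak code: audit HTTP access log lines for two things a
security review looks for. SAMPLE_LOG is constructed in the Common Log Format; the
pattern your server actually writes is governed by its access-log settings (see the
Logging guide), so adapt CLF below if it differs."""

import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Common Log Format: host ident user [time] "method path proto" status size
CLF = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)$')
# Keycloak's OpenID Connect token endpoint; a 401 here is a rejected credential or client.
TOKEN_ENDPOINT = re.compile(r"^/realms/[^/]+/protocol/openid-connect/token(\?.*)?$")

# Constructed sample: five rejected token requests from one address in five seconds,
# a legitimate internal admin call, and an admin call from an external address.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Sep/2025:17:47:01 +0000] "POST /realms/demo/protocol/openid-connect/token HTTP/1.1" 401 85
203.0.113.7 - - [02/Sep/2025:17:47:02 +0000] "POST /realms/demo/protocol/openid-connect/token HTTP/1.1" 401 85
203.0.113.7 - - [02/Sep/2025:17:47:03 +0000] "POST /realms/demo/protocol/openid-connect/token HTTP/1.1" 401 85
203.0.113.7 - - [02/Sep/2025:17:47:04 +0000] "POST /realms/demo/protocol/openid-connect/token HTTP/1.1" 401 85
203.0.113.7 - - [02/Sep/2025:17:47:05 +0000] "POST /realms/demo/protocol/openid-connect/token HTTP/1.1" 401 85
10.0.0.12 - - [02/Sep/2025:17:47:06 +0000] "POST /realms/demo/protocol/openid-connect/token HTTP/1.1" 200 1432
10.0.0.12 - - [02/Sep/2025:17:47:07 +0000] "GET /admin/realms/demo/users HTTP/1.1" 200 2048
198.51.100.9 - - [02/Sep/2025:17:47:08 +0000] "GET /admin/realms/demo/users HTTP/1.1" 401 0
198.51.100.9 - - [02/Sep/2025:17:47:09 +0000] "POST /realms/demo/protocol/openid-connect/token HTTP/1.1" 401 85
"""


def parse_clf(line):
    """Parse one CLF line into a dict, or return None for lines in another format."""
    m = CLF.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def failed_token_bursts(records, threshold=5, window=timedelta(minutes=1)):
    """Map source IP -> largest number of 401 token responses inside any `window`,
    for addresses that reached `threshold`. Sliding window over sorted timestamps."""
    per_ip = defaultdict(list)
    for r in records:
        if r["status"] == 401 and TOKEN_ENDPOINT.match(r["path"]):
            per_ip[r["ip"]].append(r["time"])
    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        best = start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


def admin_calls_from_outside(records, allowed_cidrs):
    """Requests under /admin/ (Admin REST API and console) whose source is not in an allowed network.
    Sources that are not IP literals (for example hostnames) are treated as outside."""
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    hits = []
    for r in records:
        if not r["path"].startswith("/admin/"):
            continue
        try:
            inside = any(ipaddress.ip_address(r["ip"]) in n for n in nets)
        except ValueError:
            inside = False
        if not inside:
            hits.append((r["ip"], r["method"], r["path"], r["status"]))
    return hits


def audit(text, allowed_cidrs=("10.0.0.0/8",), threshold=5, window=timedelta(minutes=1)):
    """Run both checks over raw log text and return a small report."""
    records = [r for r in map(parse_clf, text.splitlines()) if r]
    return {"parsed": len(records),
            "token_bursts": failed_token_bursts(records, threshold, window),
            "admin_from_outside": admin_calls_from_outside(records, allowed_cidrs)}


if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```

When the server sits behind a reverse proxy, the `ip` field records the proxy's address unless the proxy-header options are configured, so verify what the first column actually contains before trusting either check.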
= Supported passkeys

*Passkeys* integration is now a supported feature. This feature integrates passkeys seamlessly in the {project_name} forms using both conditional and modal UI. Although supported, *passkeys* are disabled by default. To activate the integration in the realm, the option *Enable Passkeys* in the *WebAuthn Passwordless Policy* (*Authentication* → *Policies* → *Webauthn Passwordless Policy*) needs to be enabled.

For more information, see the link:{adminguide_link}#passkeys_server_administration_guide[Passkeys] chapter in the {adminguide_name}.

= New conditional authenticator `Conditional - credential`

The *Conditional - credential* is a new authenticator that checks if a specific credential type has been used (or not used) during the authentication process. This condition is related to the *Passkeys* feature. It is added by {project_name} to the default *browser* flow to skip 2FA in case a passkey was used to log in as the primary credential.

For more information about conditional flows, see the link:{adminguide_link}#conditions-in-conditional-flows[Conditions in conditional flows] chapter in the {adminguide_name}.

= Possibility to hide identity providers from the account console

It is now possible to control which identity providers are shown in the account console with the
`Show in Account console` setting. You can show all of them, show only those already linked to the user, or hide them entirely.

For more information, see the link:{adminguide_link}#_general-idp-config[General configuration] section in the {adminguide_name}.

= Email domain for organizations is now optional

In earlier versions, each organization required at least one email domain, which was a limitation for some scenarios.
Starting with this release, an email domain is optional.
When no domain is specified, organization members are not validated against domain restrictions during authentication and profile validation.

Thank you to https://github.com/SferaDev[@SferaDev] for contributing this.

= Enhancements for single-cluster and multi-cluster setups

This release renames multi-AZ to multi-cluster.
It adds a separate guide for single-cluster setups, which includes details of how a {project_name} cluster can optionally be "stretched" across multiple availability zones for increased availability.
The {project_name} Operator now deploys {project_name} across multiple availability zones within a Kubernetes cluster by default, and {project_name} detects split-brain situations within a cluster.
This provides better availability for users who run {project_name} in Kubernetes clusters that span multiple availability zones.

= Translations managed via Weblate

The {project_name} distribution now includes 35 community translations, with Kazakh, Azerbaijani and Slovenian added in this release.
Community volunteers now maintain some of the translations in https://hosted.weblate.org/projects/keycloak/[Weblate] to keep them up to date.
If you want to volunteer to maintain an existing or a new translation via Weblate, you can find the necessary steps in the https://github.com/keycloak/keycloak/blob/main/docs/translation.md[translation guide].

= Setting up OTP can enforce setting up recovery codes

If you have enabled OTP and recovery codes as second factors for authentication, you can configure the OTP required action to ask users to set up recovery codes as soon as they have set up an OTP.

Thank you to https://github.com/dasniko[@dasniko] for contributing this.

= MDC logging to correlate messages with realms and clients

As a new preview feature, you can add the realm name, client ID and other request information to the mapped diagnostic context (MDC) of every log message.
This helps you correlate error messages with a specific realm or client.
See the https://www.keycloak.org/server/logging[Logging guide] for more information.

Thank you to https://github.com/eicki[@eicki] for contributing this.

= Supported OAuth standards listed on one page

There is now a new guide listing https://www.keycloak.org/securing-apps/specifications[all implemented OpenID Connect related specifications].

Thank you to https://github.com/tnorimat[@tnorimat] for contributing this.