Keycloak
26.6.0SecurityKeycloak 26.6.0 graduates several preview features to fully supported — JWT Authorization Grant, Federated Client Auth, Workflows, and zero-downtime patch releases — while fixing a notable set of security bugs across UMA, SCIM, and Organizations.
securityPatch SCIM and UMA vulnerabilities immediately
Two separate SCIM bugs allowed IDOR-style resource modification and authorization bypass in group management. UMA permission grant accepted expired ID tokens and tokens issued to other clients. These are fixed in 26.6.0. If you use SCIM or UMA, upgrade now — no config change needed, but verify your SCIM plugin/extension is compatible with the new validation.
breakingSwitch to KCRAW_ prefix if secrets contain $ characters
If you inject passwords or secrets via environment variables and they contain $ characters (e.g., from a secrets manager), the KC_ prefix silently mangles them via SmallRye expression evaluation. Use KCRAW_<KEY> instead of KC_<KEY> to preserve literal values. Audit your current env var injection before upgrading — any secrets with ${ or $$ patterns may have been silently broken in prior versions.
enhancementEnable zero-downtime rolling updates in your Operator deployments
Zero-downtime patch releases are now on by default. If you run Keycloak via the Operator, explicitly set the update strategy to Auto to benefit. Also review the new graceful HTTP shutdown defaults (1s delay, 1s timeout) — adjust these upward if your reverse proxy takes longer to drain connections, especially in non-Kubernetes setups with longer-lived connections.
主な変更 (7)
- JWT Authorization Grant (RFC 7523) and Federated Client Authentication are now GA, enabling external-to-internal token exchange without managing per-client secrets
- Zero-downtime patch releases are now enabled by default; Operator users should set update strategy to Auto
- New KCRAW_ environment variable prefix prevents SmallRye from mangling passwords containing $ characters — addresses a silent data-corruption bug
- UMA permission grant now rejects expired ID tokens and tokens issued to different clients (security fixes #46716, #46717)
- SCIM IDOR bug fixed: PUT endpoint no longer allows resource modification via body ID override (#46658); SCIM authorization bypass in group management also patched (#47536)
- OTP and password brute-force protection separated by default to prevent OTP bypass attacks (#46164)
- Keycloak and KeycloakRealmImport CRDs promoted to v2beta1