How Does Red Hat Build of Keycloak Handle Version Support and Lifecycle?
Red Hat Build of Keycloak follows a major-version-based evergreen support model with two clear phases: Full Support and Maintenance Support.
In the Full Support phase, you receive bug fixes, security patches including moderate CVEs, new features, enhancements, and platform certifications. This phase lasts a minimum of 2 years for the first major version in the series or 3 years for subsequent ones, ending when the next major version becomes available.
Once Full Support ends, the version moves to Maintenance Support for at least six months (often longer if the next major release is delayed). Maintenance includes critical and important security fixes, selected important bug fixes, and moderate CVE patches at Red Hat's discretion, but drops new features and certifications.
Minor versions arrive roughly every six months, based on even-numbered upstream Keycloak releases with additional hardening. Each minor gets about 12 months of maintenance updates. In practice, most teams upgrade to the latest major version during the Maintenance window of the previous one to keep access to the full set of fixes and improvements.
| Life-Cycle Phase | Full Support | Maintenance Support |
|---|---|---|
| Patch releases and qualified fixes | Yes (all qualified) | Yes (periodic micro updates) |
| Critical and important security fixes | Yes | Yes |
| Moderate CVE fixes | Yes | At Red Hat's discretion |
| New features and enhancements | Yes | No |
| New platform certifications | Yes | No |
Details are available in the official Red Hat Build of Keycloak Life Cycle and Support Policies.
What Are the Real Risks of Running an Outdated Red Hat Build of Keycloak?
Running a version past its Full Support phase means you lose access to new features, enhancements, and proactive platform certifications that keep your identity infrastructure aligned with modern runtimes and databases.
In the Maintenance phase you still get critical security patches, but moderate CVEs and many important bug fixes become discretionary. For an identity and access management system like Keycloak, this can expose authentication flows, token handling, or realm configurations to issues that upstream or newer builds have already addressed.
Most teams notice increasing friction when integrating with newer client libraries, OpenShift versions, or external identity providers because deprecated components and APIs receive limited attention. In large deployments handling thousands of realms or high-throughput OIDC/OAuth flows, even small compatibility gaps in caching, clustering, or database interactions can lead to outages or degraded performance.
Another common issue is slower response to newly discovered vulnerabilities in dependent components, since the release cadence for patches slows down. In identity systems, a single missed security fix can have broad impact across all applications relying on the server.
What Actually Changes When Support for a Keycloak Major Version Ends?
When Full Support for a major version ends, Red Hat stops delivering new features, enhancements, and new certifications for that stream. The version enters Maintenance Support, where the focus shifts to security and selected stability fixes only.
You continue receiving critical and important security patches along with periodic micro updates, but moderate CVE handling and non-critical bug fixes happen at Red Hat's discretion and less frequently. Access to the knowledgebase, downloads, and support tools remains available during the guaranteed Maintenance window of at least six months.
After the Maintenance period concludes, the version receives no further updates. In production identity environments this usually forces teams to plan and execute an upgrade to the current major version, because continuing without patches leaves authentication and authorization services exposed.
Many organizations use the Maintenance phase as the practical upgrade window, testing migration paths while still having some level of official support available if issues arise.
How Do You Check the Current Version of Your Red Hat Build of Keycloak?
The quickest way to see the exact version running on your server is through the admin console or the server info endpoint.
Log in to the Keycloak Administration Console, then either navigate to the bottom of any page or go to Server Info in the sidebar. You will see the full version string along with build details.
From the command line, you can run the following in your Keycloak installation directory:
bin/kc.sh --version
Or for containerized deployments, check the image tag or execute the version command inside the running pod:
kubectl exec -it <pod-name> -- /opt/keycloak/bin/kc.sh --version
Compare the major version you see against the current stable version shown in the release table above to understand which support phase your deployment is in.
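The comparison described above can be made repeatable. The following is an added example, not code from Red Hat or from the original page: it parses captured `kc.sh --version` output and classifies the deployment under the two-phase model. The banner wording, the phase labels, and every version number and date in it are constructed or assumed; take the real current major, previous major and release date from Red Hat's life cycle page.

```python
import re
from datetime import date, timedelta

# Constructed sample of `kc.sh --version` output. The banner wording is an
# assumption; only the "<major>.<minor>.<micro>" on the Keycloak line is used.
SAMPLE_OUTPUT = """Keycloak 24.0.8.redhat-00001
JVM: 17.0.12 (Red Hat, Inc. OpenJDK 64-Bit Server VM)
OS: Linux 5.14.0 amd64
"""

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")
MIN_MAINTENANCE = timedelta(days=183)  # "at least six months", approximated in days


def parse_version(output):
    """Return (major, minor, micro) from the line that names Keycloak."""
    for line in output.splitlines():
        if "keycloak" in line.lower():
            match = VERSION_RE.search(line)
            if match:
                return tuple(int(part) for part in match.groups())
    raise ValueError("no Keycloak version found in output")


def support_phase(output, current_major, previous_major, current_released, today):
    """Classify a deployment; the phase labels returned are hypothetical names."""
    # current_major, previous_major and current_released are operator-supplied
    # values from the life cycle page; nothing is hard-coded here.
    major = parse_version(output)[0]
    if major == current_major:
        return "full-support"
    if major == previous_major:
        # Maintenance starts when the next major ships and is guaranteed for six
        # months; it may run longer, but only the policy page confirms that.
        if today < current_released + MIN_MAINTENANCE:
            return "maintenance-guaranteed"
        return "maintenance-verify-end-date"
    if major < previous_major:
        return "older-than-previous-major"
    return "unknown-major"


if __name__ == "__main__":
    # Constructed inputs: current major 26 released 2024-11-01, previous major 24.
    print(parse_version(SAMPLE_OUTPUT))
    print(support_phase(SAMPLE_OUTPUT, 26, 24, date(2024, 11, 1), date(2025, 1, 15)))
```

A result of `maintenance-verify-end-date` or `older-than-previous-major` means the six-month guarantee can no longer be assumed, so confirm the end date against the published policy before relying on further patches.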
FAQ
Q1: Does Red Hat Build of Keycloak have a traditional LTS version?
No. Instead of a single long-term support branch, each major version receives Full Support for 2-3 years followed by a Maintenance phase. This gives you a predictable but rolling support window rather than one frozen LTS release.
Q2: How long do I have to upgrade after a new major version is released?
The previous major version moves to Maintenance Support for at least six months when the new major becomes available. Most teams complete the upgrade within that window while still receiving security patches.
Q3: Are minor versions of Red Hat Build of Keycloak backward compatible?
Yes, within the same major version. Minor releases aim for backward compatibility, with any breaking changes introduced as opt-in features. This makes rolling upgrades inside a major stream relatively safe.
Q4: What happens to deprecated features in a supported major version?
Deprecated features and components stay fully supported and tested throughout the current major version's lifecycle. They are usually removed or changed only in the next major release.
Q5: Can I run Red Hat Build of Keycloak without a Red Hat subscription?
You can run the software, but you will not receive official patches, security advisories, or support. Production identity systems almost always benefit from the subscription for timely CVE backports and certified configurations.
