11.0.3

Latest release in branch 11.0
Released 5 years ago (November 05, 2020)

Software: Keycloak
Branch: 11.0
Status: End of life
End of life: December 16, 2020
First official release version: 11.0.0
First official release date: 5 years ago (July 22, 2020)
Requirement: Java 8
Release notes: https://github.com/keycloak/keycloak/releases/tag/11.0.3
Source code: https://github.com/keycloak/keycloak/tree/11.0.3
Documentation: https://github.com/keycloak/keycloak/tree/11.0.3/docs

What Is New in Keycloak 11.0

Keycloak 11.0 delivers a significant update focused on modernizing the admin console and enhancing security protocols. This release introduces a new React-based admin UI, stricter defaults for client registration policies, and a host of other improvements.

| Category | Key Changes |
| --- | --- |
| New Features | New Admin Console (React), OpenShift Token Review API, Client Registration Policies |
| Improvements | LDAPv3 Paged Results, Performance Optimizations, Updated Dependencies |
| Bug Fixes | Numerous fixes across authentication, authorization, and user federation |
| Security | Stricter default client scopes, Removal of legacy algorithms |
| Deprecated | WildFly application server, Legacy admin console |

What's the big deal with the new admin console?

The major change is a complete rewrite of the admin console using React, replacing the older AngularJS implementation. This new UI is faster and provides a more modern developer experience. The legacy console is still available but is now deprecated and will be removed in a future release.

In practice, this means the interface is more responsive and easier to extend. The move to React aligns the admin UI with modern frontend development practices, making it more approachable for contributions.

How have security defaults been tightened?

Security has been enhanced with stricter defaults for Dynamic Client Registration. The trusted_hosts registration policy now defaults to an empty list, meaning no hosts are trusted by default. This prevents unauthorized clients from being registered unless explicitly configured.

This is a significant shift that forces explicit configuration for security. It prevents a common misconfiguration where a loosely set default could accidentally expose the registration endpoint.

What performance improvements were made?

Key performance enhancements include support for the LDAPv3 Paged Results control, which improves the efficiency of loading large sets of users from LDAP. Various other optimizations reduce memory footprint and improve response times across the board.

For deployments with large user directories, the LDAP paging fix is a big deal. It prevents timeouts and memory issues when syncing thousands of users from an external LDAP store.

What's new for OpenShift and Kubernetes?

Integration with OpenShift is improved through the new Token Review API support. This allows Keycloak to validate service account tokens issued by OpenShift, streamlining authentication workflows within the Kubernetes ecosystem.

This makes it much smoother to secure applications running on OpenShift. You can now use native OpenShift tokens alongside standard Keycloak authentication methods.

What has been deprecated?

The WildFly application server is now deprecated in favor of Quarkus, marking a major shift in the underlying platform. The legacy AngularJS admin console is also deprecated alongside the removal of some older cryptographic algorithms.

This signals the future direction of Keycloak towards a more lightweight, cloud-native architecture based on Quarkus. You should start planning your migration off of WildFly.

FAQ

Is the old admin console going away immediately?
No, the legacy AngularJS admin console is still available in 11.0 but is deprecated. It will be removed in a future major release, so you should start testing the new React-based console now.

Why is the trusted_hosts policy now empty by default?
This change forces explicit configuration for client registration, significantly improving security out-of-the-box. It prevents accidental exposure of the registration endpoint to untrusted networks.

What does LDAPv3 Paged Results support fix?
It resolves issues with loading large user sets from LDAP directories by breaking the results into manageable pages. This prevents timeouts and high memory consumption during user synchronization.

Should I be concerned about the WildFly deprecation?
You should start planning a migration, but it's not urgent for 11.0. WildFly is still supported in this release, but future versions will be based on Quarkus, which offers better performance and a smaller footprint.

How does the OpenShift Token Review API work?
It allows Keycloak to call the OpenShift API to validate service account tokens. This creates a seamless integration where OpenShift tokens can be used for authentication against Keycloak-protected resources.

Releases In Branch 11.0

| Version | Release date |
| --- | --- |
| 11.0.3 | 5 years ago (November 05, 2020) |
| 11.0.2 | 5 years ago (August 31, 2020) |
| 11.0.1 | 5 years ago (August 21, 2020) |
| 11.0.0 | 5 years ago (July 22, 2020) |