What Is New in Keycloak 12.0
Keycloak 12.0 is a significant release focusing on modernization, security hardening, and developer experience. It introduces a new Quarkus-based distribution, enhances OpenID Connect capabilities, and deprecates older features to streamline the future roadmap.
| Category | Key Changes |
|---|---|
| New Features | Quarkus distribution preview, OIDC Identity Provider Intent, Client Policies (Tech Preview) |
| Improvements | JavaScript adapter modernization, Admin Console UI updates, Performance enhancements |
| Deprecations | WildFly distribution, JavaScript adapter, Offline sessions preview feature |
| Security | Removal of the 'master' realm, Updates to default security headers |
| Bug Fixes | Numerous fixes across authentication flows, user federation, and the Admin Console |
Why is the Quarkus distribution a big deal?
The new distribution built on Quarkus is the future of Keycloak, offering a smaller footprint and faster startup times. This is a preview, meaning it's not yet production-ready but is the recommended option for development and testing to prepare for the eventual migration. In practice, this shift will make containerized deployments and cloud-native scaling much more efficient.
Key Details
- It's a technology preview; the traditional WildFly server remains the production-ready option for now.
- Expect significantly reduced memory usage and boot times compared to the WildFly base.
- The goal is to eventually replace the WildFly distribution entirely.
What OIDC improvements should I know about?
Keycloak 12.0 enhances its OpenID Connect support with new features focused on flexibility and security. The introduction of the 'kc_idp_hint' parameter and formal Client Policies gives developers more control over authentication flows and client management.
OIDC Identity Provider Intent
This new parameter allows you to force a redirect to a specific identity provider right from the initial authorization request. This cleans up URLs and makes integration with third-party IDPs smoother.
Client Policies (Tech Preview)
This feature provides a centralized way to define and enforce security policies for OIDC clients. You can control settings like acceptable certificate formats and client authentication methods globally.
What's being deprecated and removed?
This release starts the sunset process for several older features to pave the way for a more modern architecture. The most notable change is the removal of the default 'master' realm, which forces a more secure deployment practice from the start.
- WildFly Distribution: The traditional server is now deprecated. Start testing with the new Quarkus distribution.
- JavaScript Adapter: Deprecated in favor of the more modern JavaScript libraries available from the Keycloak project.
- 'master' Realm: Completely removed. You must now create a custom initial admin realm during setup.
- Offline Sessions Preview: The old offline sessions implementation has been removed.
How is the developer experience improved?
Beyond the big architectural shifts, Keycloak 12.0 includes numerous quality-of-life improvements for developers. Updates to the Admin Console UI and the modernization of adapters make daily management and integration work more intuitive.
The Admin Console received visual refinements for a cleaner look and better usability. For developers coding against Keycloak, the emphasis is on using the newer JavaScript libraries, which offer a more standard and maintainable approach than the old adapter.
FAQ
Is Keycloak 12.0's Quarkus distribution production-ready?
No, it is currently a technology preview. It is intended for development and testing to prepare for the future. For production deployments, you should continue using the WildFly-based distribution for now.
What should I use instead of the deprecated JavaScript adapter?
You should migrate to the newer Keycloak JavaScript libraries available from the project. These provide a more modern and supported way to integrate JavaScript applications with Keycloak.
What happens to my existing 'master' realm after upgrading?
The upgrade process will not remove your existing 'master' realm. However, the ability to create a new 'master' realm has been removed. This change only affects new installations.
Are Client Policies ready to use?
Client Policies are available as a tech preview. This means the feature is functional and you can experiment with it, but the API may change before it is considered stable and production-ready.
How do I force a redirect to a specific identity provider now?
You can use the new 'kc_idp_hint' parameter in your authorization request. For example: &kc_idp_hint=my_idp_alias. This replaces older, less standardized methods.
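As an added illustration (not code from the Keycloak project or from this page), the Node.js sketch below builds an authorization request that carries 'kc_idp_hint' alongside state, nonce and a PKCE challenge, and forwards the hint only when it matches an allowlist of configured aliases. The base URL, realm, client ID, redirect URI and the second alias are assumptions made for the example.

```javascript
const crypto = require('crypto');

// Assumed deployment values (not from the page); replace with your own.
const KEYCLOAK_BASE = 'https://sso.example.test/auth';
const REALM = 'demo';
const CLIENT_ID = 'web-app';
const REDIRECT_URI = 'https://app.example.test/callback';
// Aliases of identity providers actually configured in the realm (constructed).
const ALLOWED_IDP_ALIASES = new Set(['my_idp_alias', 'corp-saml']);

const randomToken = (bytes) => crypto.randomBytes(bytes).toString('base64url');

// Returns the authorization URL plus the values the app must keep in the
// user's session to validate the callback and redeem the code.
function buildAuthRequest(idpAlias) {
  // The alias often arrives from a login button or query string, so treat it
  // as untrusted: only exact matches against the allowlist are forwarded.
  if (idpAlias !== undefined && !ALLOWED_IDP_ALIASES.has(idpAlias)) {
    throw new Error('unknown identity provider alias');
  }
  const state = randomToken(16);        // CSRF binding for the callback
  const nonce = randomToken(16);        // replay binding for the ID token
  const codeVerifier = randomToken(32); // PKCE secret, never sent in the URL
  const codeChallenge = crypto.createHash('sha256')
    .update(codeVerifier).digest('base64url');

  const url = new URL(`${KEYCLOAK_BASE}/realms/${REALM}/protocol/openid-connect/auth`);
  const params = {
    response_type: 'code',
    client_id: CLIENT_ID,
    redirect_uri: REDIRECT_URI,
    scope: 'openid',
    state,
    nonce,
    code_challenge: codeChallenge,
    code_challenge_method: 'S256',
  };
  for (const [k, v] of Object.entries(params)) url.searchParams.set(k, v);
  // Omitting the hint leaves the choice to Keycloak's login page.
  if (idpAlias !== undefined) url.searchParams.set('kc_idp_hint', idpAlias);
  return { url: url.toString(), state, nonce, codeVerifier };
}
```

On the callback, compare the returned state with the stored one before exchanging the code, and send the stored code verifier with the token request.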