What Is New in Keycloak 13.0
Keycloak 13.0 delivers a solid set of updates focused on the admin experience, security enhancements, and underlying technology upgrades. This release is more about refinement and modernization than flashy new features.
| Category | Key Changes |
|---|---|
| New Features | New Admin UI, OpenID Connect Logout Token, Script Mappings for OIDC Identity Brokering |
| Improvements | Admin Console search, Client Scopes UI, Performance optimizations for user sessions and authentication flows |
| Deprecations & Removals | JavaScript policy support deprecated, Legacy WildFly distribution removed |
| Security | Dependency updates for WildFly, JBoss EAP, and underlying libraries |
| Bug Fixes | Numerous fixes across authentication, authorization, and the admin console |
How does the new Admin UI improve the experience?
The old AngularJS-based admin console has been completely replaced with a new React-based interface. This isn't just a visual refresh; it's a full rewrite that sets the foundation for future enhancements.
In practice, the new UI feels more responsive and modern. The navigation and layout are cleaner, making it easier to find the configuration you need without digging through multiple menus.
What OIDC security features were added?
Keycloak 13.0 adds support for the OpenID Connect Back-Channel Logout Token. This allows for more secure and reliable logout flows, especially in scenarios involving multiple applications and single sign-on.
For identity brokering, you can now use JavaScript mappers. This gives you more flexibility in transforming claims and tokens from external identity providers before they are processed by Keycloak.
What performance improvements should I expect?
This release includes several under-the-hood optimizations. The team focused on reducing the memory footprint and improving the efficiency of user session management and authentication flow processing.
You might notice faster response times, especially in environments with a high number of concurrent users or complex authentication scenarios. These changes make the server more scalable.
What was deprecated or removed?
Support for JavaScript policies has been deprecated. If you're using custom JavaScript code for authorization decisions, you should start migrating to a different policy type.
The legacy WildFly server distribution has been completely removed. You must now use the new Quarkus-based distribution, which is the future of Keycloak and offers significant performance benefits.
FAQ
Is the new Admin UI backward compatible with my existing configuration?
Yes, the new React-based Admin UI provides the same functionality and manages all your existing realms, clients, and users. Your configuration remains intact; only the interface has changed.
How do I handle the deprecation of JavaScript policies?
You need to migrate any custom authorization logic from JavaScript policies to another supported policy type, like JavaScript-based Policy or a custom policy provider. Start planning this migration soon.
What is the immediate benefit of the Quarkus-only distribution?
The Quarkus distribution boots significantly faster and uses less memory than the old WildFly base. This is a major win for containerized deployments and scaling quickly.
Can I use the new OpenID Connect Logout Token with my existing clients?
Yes, but your clients must be updated to support the back-channel logout specification. The feature is available server-side, but client-side integration is required to actually use it.
Where can I find the complete list of bug fixes?
The full, detailed list of resolved issues is available in the official release notes on the Keycloak website or the GitHub release page. It covers fixes for authentication, authorization, and the admin console.