What Is New in Keycloak 16.0
This release focuses on major internal refactoring, new features, and a significant number of bug fixes. The table below summarizes the key changes.

| Category | Description |
|---|---|
| New Features | New admin console, declarative user profiles, and early access OpenID Connect (OIDC) identity broker. |
| Improvements | Major refactoring of JavaScript adapters, Java 11 baseline, and removal of legacy features. |
| Deprecations & Removals | Legacy JavaScript adapter and alwaysDisplayInConsole client scope are removed. |
| Bug Fixes | Over 150 issues resolved across authentication, authorization, and administration. |

What's the deal with the new admin console?
Keycloak 16.0 introduces a brand new admin console built with React. This isn't just a visual refresh; it's a complete rewrite that replaces the old PatternFly-based interface.
In practice, this means a more modern and responsive user experience for managing your realm, clients, and users. The old console is still available for now but is considered deprecated and will be removed in a future release.
How do declarative user profiles change configuration?
Declarative user profiles allow you to define user attribute configuration (such as which attributes are required or read-only) in a static JSON file instead of through the admin console. This is a game-changer for infrastructure-as-code setups.
You can now version control your user profile schema and deploy it consistently across environments. This replaces the old, more fragile way of configuring these settings at runtime.
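Keeping the profile in version control also lets a pipeline review permission changes before they ship. The following is an added example, not Keycloak's own code: it compares two profile files and reports attributes that were removed, became user-editable, or lost a required rule. The field layout (`attributes`, `required.roles`, `permissions.edit`) and both sample profiles are assumptions constructed for illustration.

```python
import json

# Constructed sample profiles. The field layout (attributes, required.roles,
# permissions.view/edit) is an assumption, not taken from the release notes.
BASELINE = json.loads("""{"attributes": [
  {"name": "email", "required": {"roles": ["user"]},
   "permissions": {"view": ["admin", "user"], "edit": ["admin", "user"]}},
  {"name": "department", "required": {"roles": ["admin"]},
   "permissions": {"view": ["admin", "user"], "edit": ["admin"]}},
  {"name": "employeeId", "permissions": {"view": ["admin"], "edit": ["admin"]}}
]}""")

CANDIDATE = json.loads("""{"attributes": [
  {"name": "email",
   "permissions": {"view": ["admin", "user"], "edit": ["admin", "user"]}},
  {"name": "department", "required": {"roles": ["admin"]},
   "permissions": {"view": ["admin", "user"], "edit": ["admin", "user"]}},
  {"name": "costCenter", "permissions": {"view": ["admin", "user"]}}
]}""")

def index(profile):
    """Map attribute name -> (roles allowed to edit, roles it is required for)."""
    out = {}
    for attr in profile.get("attributes", []):
        edit = set(attr.get("permissions", {}).get("edit", []))
        req = set(attr.get("required", {}).get("roles", []))
        out[attr["name"]] = (edit, req)
    return out

def review(old, new):
    """List changes a reviewer should approve before the candidate is deployed."""
    a, b = index(old), index(new)
    findings = [f"{n}: removed from profile" for n in sorted(a.keys() - b.keys())]
    for name in sorted(b):
        edit, req = b[name]
        old_edit, old_req = a.get(name, (set(), set()))
        if name not in a and not edit:
            findings.append(f"{name}: new attribute without explicit edit permission")
        if "user" in edit and "user" not in old_edit:
            findings.append(f"{name}: is now user-editable")
        if old_req - req:
            findings.append(f"{name}: no longer required for {sorted(old_req - req)}")
    return findings

if __name__ == "__main__":
    for line in review(BASELINE, CANDIDATE):
        print(line)
```

A non-empty result can fail the pipeline step so that the change needs explicit sign-off.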
What happened to the JavaScript adapter?
The legacy JavaScript adapter has been removed. It's been replaced by the newer keycloak-js adapter, which has been the recommended library for a while.
If you're still using the old adapter, you need to migrate your applications to use keycloak-js v16 or higher. This new version is a major refactor that provides better compatibility with modern JavaScript frameworks.
Is there a new way to handle identity brokering?
Yes, there's an early access implementation of an OIDC identity broker. This new broker is built on top of the existing identity brokering system but uses a more standardized OIDC flow.
This is an experimental feature, so it's not recommended for production yet. However, it lays the groundwork for a more flexible and standards-compliant brokering system in future releases.
What are the major breaking changes?
Keycloak now requires Java 11 as the minimum runtime. Support for Java 8 has been completely dropped, so you must upgrade your JDK before deploying this version.
The alwaysDisplayInConsole client scope was also removed. If you were using this, you'll need to adjust your client configurations accordingly after upgrading.
FAQ
Do I have to migrate to the new admin console immediately?
No, the old admin console is still available under a feature flag. However, it's deprecated, so you should start testing and migrating your workflows to the new React-based console soon.
How do I start using declarative user profiles?
You need to create a user-profile.json file and place it in your theme. This file defines your user attribute configuration. The old runtime configuration will be ignored if this file is present.
My app uses the old JavaScript adapter. What should I do?
You must update your application's dependencies to use the new keycloak-js package. The API is different, so some code changes will be required. Check the migration guide for specifics.
Is the new OIDC identity broker production-ready?
No, it's marked as an early access feature. It's intended for experimentation and feedback. Stick with the existing identity brokers for production workloads for now.
Why was Java 8 support dropped?
This move allows the Keycloak team to use newer Java features and APIs, simplifying maintenance and enabling future improvements. Java 11 has been a Long-Term Support (LTS) release for years, making it a stable new baseline.