What Is New in Keycloak 16.1
Keycloak 16.1 is a maintenance release packed with incremental improvements, major dependency upgrades, and crucial bug fixes. It focuses on modernizing the codebase and refining the user experience.

| Category | Key Highlights |
|---|---|
| New Features | New Account Console, Client Scopes support for OIDC Identity Providers. |
| Enhancements | Upgraded to PatternFly 4, improved WebAuthn user verification, better SAML logout. |
| Dependency Upgrades | Major updates to WildFly, Hibernate, Infinispan, and Jetty. |
| Bug Fixes | Numerous fixes across themes, authentication flows, and admin console. |
| Deprecations & Removals | Legacy account console and old JavaScript adapters are now removed. |

How does the new Account Console improve the user experience?
The old account console has been completely replaced with a new React-based implementation. This isn't just a visual refresh; it's a full rewrite that provides a more modern and maintainable foundation for user profile management.
In practice, this means a smoother, more responsive interface for end-users to manage their credentials, sessions, and personal details. For developers, it signals a move towards more contemporary frontend technologies within the Keycloak ecosystem.
What are the major backend upgrades in this release?
Keycloak 16.1 ships with significant underlying dependency updates that enhance stability and performance. The most notable upgrade is the move to WildFly 24, which forms the core application server.
Other critical upgrades include Hibernate 5.6, Infinispan 13, and Jetty 10. These updates bring bug fixes, security patches, and performance improvements from the respective projects, making the entire Keycloak stack more robust and up-to-date.
How is OIDC identity provider support enhanced?
This release adds the ability to specify client scopes when configuring an OpenID Connect Identity Provider. Previously, you could only map individual claims from the external provider.
Now, you can map entire client scopes, which simplifies the configuration when you need to import a standard set of claims. This is a quality-of-life improvement that reduces manual setup for common integration scenarios with external OIDC providers like Google or Auth0.
What changes were made to WebAuthn and authentication flows?
The WebAuthn authenticator now supports specifying user verification requirements. You can configure it to require user verification (like a PIN or biometrics) or discourage it, giving more granular control over the security level of passwordless authentication.
Additionally, the requirement setting of a new authentication flow execution now defaults to 'Disabled'. This prevents accidentally breaking your flow by adding a new authenticator that is suddenly required. You now have to explicitly change it to 'Required' or 'Alternative'.
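An added example, not Keycloak's own code: a Python check over a parsed realm export that flags executions still set to 'Disabled' and WebAuthn policies whose user verification is not 'required'. The sample realm is constructed, and the JSON field names (`authenticationFlows`, `authenticationExecutions`, `requirement`, and the two `...UserVerificationRequirement` keys) are assumed from the realm export layout, so check them against your own export.

```python
import json

# Constructed sample: a trimmed realm export. Field names follow the realm
# export JSON layout as assumed here; verify them against your own export.
SAMPLE_REALM = json.loads("""
{
  "realm": "example",
  "webAuthnPolicyUserVerificationRequirement": "discouraged",
  "webAuthnPolicyPasswordlessUserVerificationRequirement": "required",
  "authenticationFlows": [
    {"alias": "browser-hardened", "authenticationExecutions": [
      {"authenticator": "auth-cookie", "requirement": "ALTERNATIVE", "priority": 10},
      {"authenticator": "auth-username-password-form", "requirement": "REQUIRED", "priority": 20},
      {"authenticator": "auth-otp-form", "requirement": "DISABLED", "priority": 30}
    ]}
  ]
}
""")

UV_KEYS = (
    "webAuthnPolicyUserVerificationRequirement",
    "webAuthnPolicyPasswordlessUserVerificationRequirement",
)

def audit_realm(realm):
    """Return (kind, location, detail) findings for a parsed realm export."""
    findings = []
    # An execution left at DISABLED never runs, so a step added for extra
    # assurance (OTP, WebAuthn) gives no protection until it is enabled.
    for flow in realm.get("authenticationFlows", []):
        for ex in flow.get("authenticationExecutions", []):
            if (ex.get("requirement") or "").upper() == "DISABLED":
                name = ex.get("authenticator") or ex.get("flowAlias") or "<unnamed>"
                findings.append(("disabled-execution", flow.get("alias", "?"), name))
    # Any value other than "required" allows a login without the PIN or
    # biometric check; a missing key is reported as "not specified".
    for key in UV_KEYS:
        value = realm.get(key) or "not specified"
        if value.lower() != "required":
            findings.append(("webauthn-uv", key, value))
    return findings

if __name__ == "__main__":
    for finding in audit_realm(SAMPLE_REALM):
        print(*finding, sep="\t")
```

Findings are items to review rather than defects: some executions are disabled on purpose, and the right user verification setting depends on whether WebAuthn is a second factor or the only one.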
What has been removed and what should I migrate?
The legacy account console is finally gone. If you were using any customizations on the old account console, they need to be ported over to the new React-based version. The old JavaScript adapter has also been removed from the server distribution.
You should now use the Keycloak JavaScript adapter available via npm. This change aligns with modern development practices and ensures you get the latest updates and security fixes for the client-side library.
FAQ
Is the new Account Console backwards compatible with my themes?
No, the new React-based Account Console is a complete rewrite. Customizations made for the old GWT-based console will not work and need to be re-implemented for the new UI.
Why was the WildFly upgrade to version 24 significant?
WildFly 24 is based on Jakarta EE 8, which represents a major namespace change from javax.* to jakarta.*. This upgrade future-proofs Keycloak and is a necessary step for supporting modern Java EE standards.
How do I specify client scopes for an OIDC identity provider?
In the identity provider configuration, you can now add client scopes in the 'Client Scopes' tab. This allows you to map a predefined set of claims from the external provider instead of configuring each claim individually.
Where can I find the new JavaScript adapter?
The old adapter included in the server's `bin` directory is removed. You must now install the official `keycloak-js` package from npm (`npm install keycloak-js`) to use the JavaScript adapter in your applications.
What is the default requirement for new authenticators in a flow?
Newly added authenticator executions now default to 'Disabled' instead of 'Required'. This prevents accidentally locking users out of your application when experimenting with or adding new steps to an authentication flow.