What Is New in Keycloak 18.0
Keycloak 18.0 delivers a set of focused updates, including a major admin console redesign, new account console features, and several enhancements for developers.
| Category | Key Highlights |
|---|---|
| New Features | New Admin UI, Account Console device activity, OAuth 2.0 Device Authorization Grant |
| Improvements | Client Policies JavaScript support, Client Scope mapping, Performance optimizations |
| Deprecations | JavaScript-based authentication executions, WildFly 23, Legacy account console |
| Bug Fixes | Numerous fixes across the board |
What's the big deal with the new Admin UI?
The Admin UI has been completely rebuilt from the ground up. This isn't just a visual refresh; it's a modernized architecture using React and PatternFly 4. In practice, this means a more responsive and consistent user experience for managing your realms, clients, and users.
The redesign also lays the foundation for future enhancements. You'll find that common tasks feel smoother, and the overall navigation is more intuitive compared to the older interface.
How does the new Account Console help my users?
User self-service gets a boost with the new device activity view in the Account Console. Users can now see a list of devices that have accessed their account and have the ability to sign out from remote sessions. This gives users more visibility and control over their account security.
This feature addresses a common user concern about unknown active sessions. It’s a straightforward but effective addition for improving trust and transparency.
What developer-focused features were added?
For developers, the headline is the official support for the OAuth 2.0 Device Authorization Grant (RFC 8628). This is crucial for authenticating devices that have limited input capabilities, like smart TVs or CLI tools. You can now configure this flow directly for clients that need it.
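The polling side of the device grant described above, as an added example in JavaScript that is not Keycloak's or this page's own code: the token endpoint is a constructed in-memory stand-in, and the names pollDeviceToken, scriptedTokenEndpoint and fakeClock are my own. It shows how a limited-input client has to honour the authorization_pending, slow_down and expiry rules of RFC 8628, which is where such clients most often misbehave.

```javascript
// Added illustration (not Keycloak's code) of the RFC 8628 polling loop a
// limited-input client runs after showing the user_code. The token endpoint is
// a constructed stand-in; a real client POSTs the device_code grant to the realm.

// Fake clock so the example runs instantly; a real client actually waits.
function fakeClock() {
  let t = 0;
  return { now: () => t, sleep: (secs) => { t += secs; } };
}

// Constructed endpoint: plays each scripted step once, then repeats the last.
// Strings are OAuth error codes, objects are successful token responses.
function scriptedTokenEndpoint(script) {
  let i = 0;
  return () => {
    const step = script[Math.min(i++, script.length - 1)];
    return typeof step === "string" ? { error: step } : step;
  };
}

// Client side: wait `interval` seconds between polls, keep waiting on
// authorization_pending, add 5 s on slow_down, stop on expiry or any other error.
// `grant` is the device authorization response (device_code, interval, expires_in).
function pollDeviceToken(tokenEndpoint, grant, clock) {
  let interval = grant.interval || 5;               // RFC 8628 default is 5 s
  const deadline = clock.now() + grant.expires_in;
  const trace = [];                                 // what each poll returned
  for (;;) {
    clock.sleep(interval);
    if (clock.now() > deadline) return { outcome: "expired", trace, interval };
    const res = tokenEndpoint(grant.device_code);
    trace.push(res.error || "token");
    if (res.access_token) return { outcome: "token", token: res.access_token, trace, interval };
    if (res.error === "authorization_pending") continue;        // user not done yet
    if (res.error === "slow_down") { interval += 5; continue; } // server says back off
    return { outcome: "error", error: res.error, trace, interval }; // denied, expired, ...
  }
}

// Worked run: pending, slow_down, pending, then a token after 30 simulated seconds.
function demoDeviceFlow(script, expiresIn = 600) {
  const endpoint = scriptedTokenEndpoint(script || [
    "authorization_pending", "slow_down", "authorization_pending",
    { access_token: "constructed-access-token", token_type: "Bearer" },
  ]);
  const clock = fakeClock();
  const grant = { device_code: "constructed-device-code", interval: 5, expires_in: expiresIn };
  return { ...pollDeviceToken(endpoint, grant, clock), elapsed: clock.now() };
}
```

Passing a different script to demoDeviceFlow (for example one that only ever returns authorization_pending with a short expires_in) exercises the expiry path.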
Client Policies JavaScript Support
Client policies are now more powerful. You can use JavaScript conditions to create complex, dynamic rules for governing client configurations. This moves beyond simple JSON configuration and allows for logic-based decisions.
```javascript
// Example condition structure: `client` and `clientScope` are supplied by the
// policy evaluation context at run time, not defined by the script itself
var context = {
    client: client,
    clientScope: clientScope
};
// Your custom logic here: inspect `context` and produce the boolean that
// decides whether this condition is met
```
What has been deprecated that I need to know about?
A few significant items have been marked for deprecation. The most notable is the support for JavaScript providers for authentication executions. The recommendation is to migrate to the new JavaScript-based Script Authenticator, which offers a more streamlined approach.
Additionally, support for WildFly 23 is deprecated. The legacy account console (/auth/account) is also now deprecated in favor of the new account console (/realms/{realm}/account). It's time to start planning these migrations.
Were there any under-the-hood improvements?
Yes, this release includes various performance optimizations and bug fixes. While not always flashy, these changes improve the overall stability and efficiency of the server. You should experience better responsiveness, especially in deployments under heavy load.
There were also updates to client scope mapping and fixes to ensure better compliance with OAuth 2.0 and OpenID Connect specifications, which is always important for interoperability.
FAQ
Is the new Admin UI a breaking change?
No, the new Admin UI is a replacement for the old one but does not introduce breaking changes to the underlying REST API. Your existing automation and scripts should continue to work without modification.
How do I enable the OAuth 2.0 Device Authorization Grant?
You can enable it in the admin console under your client's settings. Look for the "Device Authorization Grant" capability toggle and ensure the appropriate flow is configured for your device clients.
What should I use instead of deprecated JavaScript authentication executions?
You should migrate to the Script Authenticator. This new method provides a more integrated and supported way to execute custom JavaScript logic within your authentication flows.
Is the legacy Account Console going away immediately?
No, it is currently deprecated but still available. However, you should start transitioning users and any customizations to the new Account Console URL (/realms/{realm}/account) as it will likely be removed in a future release.
Does the device activity feature require any special client-side setup?
No, the device activity and remote session sign-out functionality is built directly into the new Account Console. It works automatically for sessions that are established using Keycloak.