What Is New in Keycloak 19.0
Keycloak 19.0 delivers a streamlined login experience, foundational updates for future releases, and a host of incremental improvements. The focus is on user experience and preparing the codebase for significant upcoming changes.
| Category | Key Changes |
|---|---|
| New Features | New Login UI, Support for PKCE in Direct Access Grants, Client Policies for OIDC, Preview of new Account Console. |
| Improvements | Performance enhancements for admin console, Better handling of SAML 2.0 identity providers, Client Scope mappings in Admin API. |
| Deprecations | JavaScript adapter deprecated in favor of new JS library, Legacy account console marked for removal. |
| Bug Fixes | Numerous fixes across authentication flows, admin console, and storage providers. |
Why is the new login page a big deal?
The new login page is a complete visual and technical overhaul. It's built with PatternFly 4, which modernizes the look and feel while improving accessibility and mobile responsiveness.
In practice, this means a more professional and user-friendly authentication experience out of the box. The update also paves the way for easier customization, as the new design system is more consistent and well-documented.
What changed with the JavaScript adapter?
The legacy JavaScript adapter is now officially deprecated. It's being replaced by the newer keycloak-js library, which offers a more modern API and better security practices.
You should start migrating your applications to use keycloak-js immediately. The old adapter will likely be removed in a future major release, so this is a proactive move to avoid breaking changes down the line.
How does PKCE improve Direct Access Grants?
PKCE (Proof Key for Code Exchange) support has been added to the Direct Access Grant flow. This is a significant security enhancement for public clients that use this flow, like mobile and single-page applications.
It effectively mitigates authorization code interception attacks. Now, even if a code is intercepted, it cannot be used without the code verifier that was initially generated by the client.
What are Client Policies for OIDC?
Client Policies provide a centralized way to define and enforce security and configuration rules for OpenID Connect clients. You can create policies that mandate specific settings, like requiring PKCE or enforcing redirect URI patterns.
This is a game-changer for admins managing many clients. It ensures consistency and strengthens security posture by automatically applying best practices across all your OIDC integrations.
Is the legacy account console going away?
Yes, the old account management console has been deprecated. A preview of the new, modernized account console is included in this release, built with React and PatternFly.
While the old console is still available for now, you should begin testing and providing feedback on the new one. The legacy console will be removed in a future version, so planning for this transition is advised.
FAQ
Is the new login page backwards compatible with my custom themes?
Your existing theme properties will still work, but you may need to make adjustments due to the complete HTML restructuring. It's best to test your custom themes thoroughly against the new design.
How do I migrate from the deprecated JavaScript adapter to keycloak-js?
The migration involves updating your import and initializing the new library. The API is different but more intuitive. Check the official migration guide for specific code examples and changes.
Why was PKCE added to the Direct Grant flow?
This addition closes a security gap for public clients that cannot keep a client secret confidential, such as native mobile apps, making the Direct Grant flow more secure against the code interception attacks described above.
When will the legacy account console be removed?
It is deprecated but not removed in 19.0. It will remain available for at least one more major release cycle to give administrators time to migrate to the new account console.
Are Client Policies replacing Client Profiles?
Client Policies are a more flexible and powerful evolution of the concept. They allow you to combine multiple conditions and rules to dynamically apply configurations to your OIDC clients.