20.0.5

Latest release in branch 20.0
Released 3 years ago (February 21, 2023)

Software Keycloak
Branch 20.0
Status
End of life
End of life February 23, 2023
First official release version 20.0.0
First official release date 3 years ago (November 01, 2022)
Requirement Java 11
Release notes https://github.com/keycloak/keycloak/releases/tag/20.0.5
Source code https://github.com/keycloak/keycloak/tree/20.0.5
Documentation https://github.com/keycloak/keycloak/tree/20.0.5/docs

What Is New in Keycloak 20.0

Keycloak 20.0 is the first release shipped only as the Quarkus-based distribution (the work formerly known as Keycloak.X); the WildFly-based distribution is gone. The admin experience continues the move to the new React-based admin console that became the default in 19.0. The OIDC security defaults themselves do not change in this release: the hardening work available to you is in per-client settings and client policies, described below. The complete list of changes is in the linked release notes.

Category Key Changes
New Features Quarkus-based distribution is now the only distribution; the new admin console (React and PatternFly 4, default since 19.0) keeps gaining the remaining features of the old console
Enhancements Performance and stability work on user session handling; smaller improvements across the Quarkus distribution, listed per release in the release notes
Security No change to OIDC defaults: PKCE is still opt-in per client or enforced realm-wide through client policies; wildcard redirect URIs are still accepted and should be avoided
Deprecations & Removals WildFly distribution removed; old admin console deprecated (still shipped in 20.0, removed in 21.0); the legacy (JPA) store is not removed and remains the production store
Bug Fixes Fixes across authentication flows, client registration and SAML; the per-release list is in the linked release notes

Why is the new admin UI a big deal?

The new admin console is a complete rewrite in React on PatternFly 4, replacing the AngularJS-based console. It was not introduced in 20.0: it has been the default since 19.0, and 20.0 continues to port the features the old console still had while the old console remains available but deprecated. It is not only a visual refresh; it is a more responsive and maintainable foundation for future development.

In practice, navigation is faster and the layout is more consistent, and the console is driven entirely by the admin REST API, so anything you can do in the UI you can also script. This change matters because it aligns the admin interface with current web standards, making it easier to extend and manage.

What are the new security defaults?

Keycloak 20.0 does not change the OIDC defaults, so do not expect an upgrade alone to harden a realm. Proof Key for Code Exchange (PKCE) is not enforced automatically for any client type. It can be required per client (the "Proof Key for Code Exchange Code Challenge Method" setting, stored as the client attribute pkce.code.challenge.method with value S256) or realm-wide through client policies, where a policy with a client-access-type condition matching public clients and a profile using the pkce-enforcer executor rejects authorization requests from public clients that do not send a code_challenge. Doing one of these is what prevents authorization code interception for single-page and native applications.

Redirect URIs are likewise unchanged: Keycloak still accepts a trailing wildcard (for example https://app.example.com/*), and it is not disabled by default. A wildcard means any path on that host that an attacker can influence (an open redirect, user-controlled content) can receive the authorization code, so register exact HTTPS redirect URIs and treat existing wildcards as findings to clean up.
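Because neither PKCE nor exact redirect URIs are enforced by default, the practical step is to audit the realm. The script below is an added example, not code from the Keycloak project or from this page: it reads a realm export (the JSON produced by kc.sh export or the admin console's partial export) and reports public clients without PKCE S256 and redirect URIs that are wildcarded or plaintext. The REALM_EXPORT sample is constructed for the example and contains only the fields the audit reads. The second function builds the client-policy and profile JSON that enforces PKCE realm-wide; the pkce-enforcer executor, client-access-type condition and auto-configure option are the identifiers I know from Keycloak's client policies, but verify them against the Client policies tab of your own version before importing.

```python
"""Audit a Keycloak realm export for public clients without PKCE and for
wildcard or plaintext redirect URIs, then emit a PKCE-enforcing client policy."""
import json

# Constructed sample realm export (not from a real deployment); only the
# fields the audit reads are present.
REALM_EXPORT = json.dumps({
    "realm": "demo",
    "clients": [
        {   # public SPA, no PKCE, wildcard redirect: two findings
            "clientId": "spa-legacy",
            "publicClient": True,
            "standardFlowEnabled": True,
            "redirectUris": ["https://app.example.com/*"],
            "attributes": {},
        },
        {   # public native app, PKCE S256 set, exact custom-scheme redirect: clean
            "clientId": "mobile-app",
            "publicClient": True,
            "standardFlowEnabled": True,
            "redirectUris": ["com.example.app:/oauth2/callback"],
            "attributes": {"pkce.code.challenge.method": "S256"},
        },
        {   # confidential client with a plaintext http:// redirect: one finding
            "clientId": "backend-portal",
            "publicClient": False,
            "standardFlowEnabled": True,
            "redirectUris": ["http://portal.internal/callback"],
            "attributes": {},
        },
        {   # service-account-only client: no authorization code flow, so skipped
            "clientId": "batch-job",
            "publicClient": False,
            "standardFlowEnabled": False,
            "serviceAccountsEnabled": True,
            "redirectUris": [],
            "attributes": {},
        },
    ],
})


def audit_realm(export_json):
    """Return a list of (clientId, finding) tuples for the realm export."""
    realm = json.loads(export_json)
    findings = []
    for client in realm.get("clients", []):
        cid = client["clientId"]
        # Only clients that run the authorization code flow can leak a code
        # through a missing PKCE challenge or a loose redirect URI.
        if not client.get("standardFlowEnabled", True):
            continue
        method = client.get("attributes", {}).get("pkce.code.challenge.method", "")
        if client.get("publicClient") and method != "S256":
            findings.append((cid, "public client without PKCE S256"))
        for uri in client.get("redirectUris", []):
            if "*" in uri:
                findings.append((cid, f"wildcard redirect URI {uri}"))
            # http://localhost is tolerated for developer loopback clients only.
            if uri.startswith("http://") and not uri.startswith("http://localhost"):
                findings.append((cid, f"plaintext redirect URI {uri}"))
    return findings


def pkce_policy_json():
    """Build the (profiles, policies) JSON pair that makes PKCE mandatory for
    every public client. Identifier names are assumed from Keycloak's client
    policies feature; confirm them in your version before importing."""
    profiles = {"profiles": [{
        "name": "pkce-for-public-clients",
        "executors": [{"executor": "pkce-enforcer",
                       "configuration": {"auto-configure": "true"}}],
    }]}
    policies = {"policies": [{
        "name": "require-pkce",
        "enabled": True,
        "conditions": [{"condition": "client-access-type",
                        "configuration": {"type": ["public"]}}],
        "profiles": ["pkce-for-public-clients"],
    }]}
    return json.dumps(profiles, indent=2), json.dumps(policies, indent=2)


if __name__ == "__main__":
    for cid, finding in audit_realm(REALM_EXPORT):
        print(f"{cid}: {finding}")
    profiles, policies = pkce_policy_json()
    print(profiles)
    print(policies)
```

Run it against a real export (kc.sh export --file realm.json, then pass the file contents to audit_realm) before and after the upgrade; the expected result on the sample is two findings for spa-legacy and one for backend-portal, with mobile-app and batch-job clean. A confidential client with a plaintext redirect is still a finding even though it is not subject to the PKCE check.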

What was removed or deprecated?

The WildFly distribution has been removed; 20.0 ships only the Quarkus-based distribution. Keycloak.X was the codename of that Quarkus work, not a name for the old admin console. The old admin console is still shipped in 20.0 but deprecated, and it was removed in 21.0. The account console is untouched: v2 remains the default in 20.0, and v3 only arrived in a later release. The legacy (JPA) store is not removed either; it remains the store used in production, with the newer map storage still experimental.

If you were still running the WildFly distribution, the upgrade is a breaking change that needs planning: server configuration moves from standalone.xml to kc.sh options and conf/keycloak.conf, and custom providers must be rebuilt against the Quarkus distribution.

How does session management performance improve?

The 20.0 branch includes work on how user sessions are managed, aimed at deployments with a high number of concurrent sessions; the specific fixes are itemized in the per-release notes linked above. Their effect is lower database and cache load and shorter response times for session-related operations such as login, refresh and logout.

For large deployments this translates to better stability and lower latency during peak authentication traffic. Measure it rather than assume it: compare token endpoint latency and database load before and after the upgrade.

FAQ

Is PKCE now mandatory for all clients?
No. Keycloak 20.0 does not make PKCE mandatory for any client type. Require it per client by setting the code challenge method to S256, or realm-wide with a client policy that targets public clients and uses the pkce-enforcer executor. Public clients (single-page applications, native mobile apps) need it most because they cannot keep a client secret; confidential clients can also use it as defence in depth.

I use wildcards in my redirect URIs, will my setup break?
No, nothing changes on upgrade: Keycloak 20.0 still accepts a trailing wildcard in a redirect URI. That is a reason to act, not to relax. Replace each wildcard with the exact redirect URIs the application uses, or you leave every path on that host eligible to receive authorization codes.

What happened to the Account Console v2?
Nothing in 20.0. Account Console v2 remains the default; v3 arrived in a later release. Themes and customizations written for v2 continue to work on this branch.

Can I still use the old admin UI?
Yes, in 20.0 the old admin console is still shipped and can be selected per realm through the admin theme setting, but it is deprecated and was removed in 21.0, so plan to move administrators and any custom admin theme work to the new React-based console now.

Are there any changes to SAML support?
Yes, bug fixes in SAML authentication flows and client handling are included across the 20.0.x releases; the core SAML functionality is unchanged. Check the per-release notes for the specific issues, and re-test your SAML identity provider and client configurations after upgrading.

Releases In Branch 20.0

Version Release date
20.0.5 3 years ago
(February 21, 2023)
20.0.4 3 years ago
(February 20, 2023)
20.0.3 3 years ago
(January 12, 2023)
20.0.2 3 years ago
(December 13, 2022)
20.0.1 3 years ago
(November 07, 2022)
20.0.0 3 years ago
(November 01, 2022)