What Is New in Keycloak 21.0
Keycloak 21.0 brings a host of updates focused on modernizing the admin console, enhancing security, and improving the developer experience. This release introduces a new default theme, expands OpenID Connect capabilities, and addresses numerous bugs.
| Category | Highlights |
|---|---|
| New Features | New default theme, OAuth 2.0 Device Authorization Grant, Client Policies - JavaScript support |
| Enhancements | Admin Console search, OpenID Connect Backchannel Logout, Client Scope mapping |
| Deprecations & Removals | Legacy WildFly distribution, Account Console v1, JavaScript policies (Authorization Services) |
| Bug Fixes | Over 150 issues resolved across authentication, authorization, and storage |
What's the big deal with the new theme?
The major change is a completely redesigned user interface. Keycloak 21.0 ships with a new default theme for both the Admin Console and the Account Console, built with PatternFly. This is a significant visual and usability upgrade from the previous version.
In practice, the new theme feels more modern and responsive. It's not just a cosmetic change; the underlying technology stack has been updated, which matters for future maintenance and feature development. The old theme is still available but is now considered legacy.
Which new security features should I know about?
OAuth 2.0 Device Authorization Grant (RFC 8628) support is now generally available. This is the standard flow for authorizing devices with limited input capabilities, such as smart TVs or CLI tools: the device asks the realm for a device code and a short user code, the user approves the code in a browser on some other device, and the client polls the token endpoint with the `urn:ietf:params:oauth:grant-type:device_code` grant type until tokens are issued. The grant is enabled per client, so you can finally stop rolling your own solution for this common use case.
Client Policies also got more powerful with the ability to use JavaScript for defining conditions and executors, which gives you more flexibility for writing complex rules tailored to your environment. OpenID Connect Backchannel Logout was enhanced to support the logout_token: Keycloak POSTs a signed logout token to the client's backchannel logout URL, and the client validates that token before terminating the matching session, which makes single logout implementations more robust. Treat the validation as mandatory; a client that ends sessions on any POST to that URL lets anyone who can reach it log your users out.
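What "validate the logout_token" means in practice, as an added example that is not Keycloak's code and not from the original page: the relying-party checks from OpenID Connect Back-Channel Logout 1.0 section 2.6, followed by session termination keyed by `sid` or `sub`. The issuer URL, client id and session table are constructed, and HS256 with a shared key is a stand-in so the block runs offline; Keycloak signs logout tokens with the realm's asymmetric key, so a real relying party verifies against the realm's JWKS with the algorithm pinned instead of the `sign_logout_token` helper used here.

```python
"""Validating an OpenID Connect Back-Channel Logout token on the relying party.

Added example, not Keycloak or project code. Issuer, client id and sessions are
constructed; HS256 with a shared key stands in for the realm's asymmetric key so
the block runs offline (a real RP verifies against the realm JWKS).
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, List, Optional, Set

BACKCHANNEL_EVENT = "http://schemas.openid.net/event/backchannel-logout"
ISSUER = "https://sso.example.com/realms/demo"  # assumed realm issuer URL
CLIENT_ID = "web-app"                             # assumed client id (the `aud`)
SHARED_KEY = b"constructed-stand-in-key"          # assumption, see module docstring


class LogoutTokenError(ValueError):
    """Raised for any token that must not trigger a logout."""


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_logout_token(claims: dict) -> str:
    """Stand-in for the OP side: mint a compact JWT with the shared key."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    mac = hmac.new(SHARED_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(mac)}"


def validate_logout_token(token: str, seen_jti: Set[str],
                          now: Optional[float] = None, max_age: int = 120) -> dict:
    """Return the claims if `token` is an acceptable logout token, else raise."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise LogoutTokenError("malformed JWT")
    header_b64, body_b64, sig_b64 = parts
    # Pin the algorithm; never let the token's own header choose it (alg=none, key confusion).
    if json.loads(_unb64(header_b64)).get("alg") != "HS256":
        raise LogoutTokenError("unexpected alg")
    expected = hmac.new(SHARED_KEY, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig_b64)):
        raise LogoutTokenError("bad signature")
    claims = json.loads(_unb64(body_b64))
    if claims.get("iss") != ISSUER:
        raise LogoutTokenError("wrong issuer")
    aud = claims.get("aud")
    if CLIENT_ID not in ([aud] if isinstance(aud, str) else aud or []):
        raise LogoutTokenError("token not addressed to this client")
    iat = claims.get("iat")
    if not isinstance(iat, (int, float)) or abs(now - iat) > max_age:
        raise LogoutTokenError("missing or stale iat")
    events = claims.get("events")
    if not isinstance(events, dict) or BACKCHANNEL_EVENT not in events:
        raise LogoutTokenError("not a back-channel logout event")
    if "sub" not in claims and "sid" not in claims:
        raise LogoutTokenError("neither sub nor sid present")
    if "nonce" in claims:
        raise LogoutTokenError("nonce present: an ID token is not a logout token")
    jti = claims.get("jti")
    if not jti or jti in seen_jti:
        raise LogoutTokenError("missing or replayed jti")
    seen_jti.add(jti)
    return claims


def handle_backchannel_logout(token: str, sessions: Dict[str, dict], seen_jti: Set[str],
                              now: Optional[float] = None) -> List[str]:
    """Terminate the local sessions the token names and return their ids.

    `sessions` maps the RP's own session id to {"sid": ..., "sub": ...} as
    recorded from the ID token at login. A `sid` ends one SSO session; a
    token carrying only `sub` ends every session of that user.
    """
    claims = validate_logout_token(token, seen_jti, now)
    key = "sid" if "sid" in claims else "sub"
    doomed = [k for k, s in sessions.items() if s.get(key) == claims[key]]
    for k in doomed:
        del sessions[k]
    return doomed
```

The `jti` set is the replay guard; in a multi-instance deployment it has to live in shared storage with a TTL at least as long as `max_age`, otherwise a captured token can be replayed against another instance.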
What got better for admins and developers?
Search functionality in the Admin Console has been improved, making it easier to find specific users, clients, or groups in large deployments. Client Scope mapping is now more intuitive, showing effective assigned default and optional scopes directly in the admin UI.
For developers, the biggest quality-of-life improvement is the shift to a new distribution based on Quarkus. This change simplifies the runtime and boosts performance. The legacy WildFly distribution is still available but is deprecated and will be removed in a future release.
What's being deprecated or removed?
The old WildFly-based distribution is now deprecated. You should start planning a migration to the new Quarkus-based distribution. The original Account Console (v1) is also deprecated in favor of the new PatternFly-based version.
Support for JavaScript policies (the script-based policy type in Authorization Services) is now deprecated. The recommendation is to migrate to Client Policies, which offer a declarative and standardized way to define rules: conditions select the clients a policy applies to, and executors enforce settings on them, such as requiring PKCE or secure redirect URIs. Client Policies govern how clients are configured and which flows they may use; they are not a permission engine for resources, so confirm that a script's logic is about client behaviour before replacing it. The change is about locking down the attack surface (arbitrary server-side script execution) and moving towards a more maintainable policy engine.
FAQ
Is the new Quarkus distribution production-ready?
Yes, the Quarkus distribution is now the default and recommended option for production use. It's been thoroughly tested and offers performance benefits over the legacy WildFly distribution, which is now deprecated.
How do I enable the OAuth 2.0 Device Authorization Grant?
You enable it per client in the Admin Console. Open the client's Settings tab and, under 'Capability config', turn on 'OAuth 2.0 Device Authorization Grant'. The toggle is stored as the client attribute `oauth2.device.authorization.grant.enabled`, so the same setting can be applied through the Admin REST API or kcadm when clients are provisioned as code. Leave it off for clients that do not need it: the device flow has no redirect URI binding, so it should only be exposed on clients that actually serve input-constrained devices.
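The flow behind that toggle, as an added example that is neither Keycloak's code nor part of the original page, serving both the feature description above and this FAQ entry: a Python client that drives RFC 8628 against the realm's device and token endpoints, paired with a constructed stand-in for the server so it runs offline. The hostname `sso.example.com`, realm `demo` and client `cli-tool` are assumptions; the endpoint paths, the grant type URN and the `oauth2.device.authorization.grant.enabled` attribute are Keycloak's. The part the text leaves implicit is the client's polling discipline: honour `interval`, back off on `slow_down`, and stop on any other error.

```python
"""Device Authorization Grant (RFC 8628) against Keycloak's OIDC endpoints.

Added example, not Keycloak project code. Hostname, realm and client id are
assumptions; FakeKeycloak below is a constructed stand-in so the flow runs offline.
"""
import time
from typing import Callable, Dict, Optional

KEYCLOAK = "https://sso.example.com"  # assumed base URL
REALM = "demo"                          # assumed realm
CLIENT_ID = "cli-tool"                  # assumed public client

DEVICE_ENDPOINT = f"{KEYCLOAK}/realms/{REALM}/protocol/openid-connect/auth/device"
TOKEN_ENDPOINT = f"{KEYCLOAK}/realms/{REALM}/protocol/openid-connect/token"
DEVICE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"

# What the Admin Console toggle writes into the client representation.
CLIENT_REPRESENTATION = {
    "clientId": CLIENT_ID,
    "publicClient": True,
    "attributes": {"oauth2.device.authorization.grant.enabled": "true"},
}

Poster = Callable[[str, Dict[str, str]], Dict[str, object]]


def run_device_flow(post: Poster, sleep: Callable[[float], None] = time.sleep,
                    max_polls: int = 60) -> Dict[str, object]:
    """Obtain tokens via the device flow.

    `post` performs a form POST and returns the decoded JSON body. The client
    honours the advertised `interval`, adds 5 s on `slow_down` (RFC 8628
    section 3.5) and stops on any terminal error instead of polling forever.
    """
    resp = post(DEVICE_ENDPOINT, {"client_id": CLIENT_ID, "scope": "openid"})
    device_code = str(resp["device_code"])
    interval = int(resp.get("interval", 5))
    where = resp.get("verification_uri_complete") or resp["verification_uri"]
    print(f"Open {where} and confirm code {resp['user_code']}")
    for _ in range(max_polls):
        sleep(interval)
        tok = post(TOKEN_ENDPOINT, {"grant_type": DEVICE_GRANT, "client_id": CLIENT_ID,
                                    "device_code": device_code})
        err = tok.get("error")
        if err is None:
            return tok
        if err == "authorization_pending":
            continue
        if err == "slow_down":
            interval += 5
            continue
        # expired_token, access_denied, invalid_grant: the code is dead, stop polling
        raise RuntimeError(f"device flow failed: {err}")
    raise TimeoutError("user did not complete verification in time")


class FakeKeycloak:
    """Constructed stand-in for the two endpoints (not Keycloak code).

    Approves the pending device code on the `approve_after`-th well-paced poll
    and answers `slow_down` to any poll arriving less than `interval` seconds
    after the previous one, as the real server does.
    """

    def __init__(self, approve_after: int = 3, interval: int = 5) -> None:
        self.approve_after, self.interval = approve_after, interval
        self.clock = 0.0                     # simulated time, advanced by sleep()
        self.last_poll: Optional[float] = None
        self.polls = self.slow_downs = 0

    def sleep(self, seconds: float) -> None:
        self.clock += seconds

    def post(self, url: str, data: Dict[str, str]) -> Dict[str, object]:
        if url == DEVICE_ENDPOINT:
            if data.get("client_id") != CLIENT_ID:
                return {"error": "invalid_client"}
            return {"device_code": "dc-1", "user_code": "ABCD-EFGH",
                    "verification_uri": f"{KEYCLOAK}/realms/{REALM}/device",
                    "verification_uri_complete": f"{KEYCLOAK}/realms/{REALM}/device?user_code=ABCD-EFGH",
                    "expires_in": 600, "interval": self.interval}
        if url == TOKEN_ENDPOINT:
            if data.get("grant_type") != DEVICE_GRANT or data.get("device_code") != "dc-1":
                return {"error": "invalid_grant"}
            too_fast = self.last_poll is not None and self.clock - self.last_poll < self.interval
            self.last_poll = self.clock
            if too_fast:
                self.slow_downs += 1
                return {"error": "slow_down"}
            self.polls += 1
            if self.polls < self.approve_after:
                return {"error": "authorization_pending"}
            return {"access_token": "constructed-access-token", "token_type": "Bearer",
                    "expires_in": 300}
        raise ValueError(f"unexpected endpoint {url}")


if __name__ == "__main__":
    kc = FakeKeycloak()
    print(run_device_flow(kc.post, sleep=kc.sleep))
```

To run it against a real realm, replace `post` with a function that sends the form to the URL (for example with `urllib.request`) and returns the parsed JSON, keeping the error handling as is; the token returned is a normal Keycloak access token and should be validated like any other before use.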
Can I revert to the old Admin Console theme?
Yes, for now. The legacy theme is still available but is deprecated. Theme selection is per realm: in Realm settings, open the Themes tab and set 'Admin console theme' to `keycloak` (the new console is the `keycloak.v2` theme). Plan to migrate to the new theme rather than pinning the old one, because a deprecated theme will eventually be removed.
What should I use instead of JavaScript policies?
Migrate to Client Policies. They provide a declarative way to define conditions (which clients a policy matches) and executors (what is enforced on those clients), replacing the need for custom JavaScript code for rules about client configuration and allowed flows.
Were there any changes to the database schema?
Yes, this release includes updates to the database schema. When you upgrade, the server migrates the schema automatically on the first start of the new version. Always back up your database before upgrading: the migration is applied in place and the server offers no rollback, so the backup is your only way back to the previous release.