What Is New in Keycloak 21.1
This release focuses on enhancing the admin experience and expanding OpenID Connect capabilities. Here's a quick summary of the key changes.
| Category | Key Updates |
|---|---|
| New Features | Admin Console search, OIDC Client Policies, Declarative User Profiles, Early Access OIDC SDK |
| Improvements | Account Console updates, Client Scopes UI, Performance metrics |
| Deprecations & Removals | JavaScript adapter deprecated, Legacy account management console removed |
| Bug Fixes | Numerous fixes across authentication, authorization, and the admin UI |
What search capabilities were added to the Admin Console?
A new global search bar is now available in the Admin Console header. This lets you quickly find realms, clients, groups, and users without navigating through specific sections.
In practice, this is a huge time-saver for administrators managing large deployments. You can just type a name and jump directly to the entity's configuration page.
How does the new OIDC Client Policies feature work?
Keycloak 21.1 introduces a framework for defining and enforcing policies on OIDC clients. You can create rules that clients must adhere to, like requiring specific authentication methods or restricting token settings.
This matters because it provides a centralized way to enforce security and compliance rules across all your client applications, reducing configuration drift and manual oversight.
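The kind of rule such a policy centralizes can be seen in an offline audit of exported client settings. The script below is an added example, not Keycloak code and not the client-policy framework itself. It assumes the input uses the field names of Keycloak's client representation JSON; the rule set, thresholds, and sample clients are constructed for illustration.

```python
import json

# Constructed sample: two entries shaped like Keycloak client representations
# (as found in a realm export). All values are invented for illustration.
SAMPLE_EXPORT = json.loads("""
[
  {"clientId": "billing-api", "publicClient": false,
   "clientAuthenticatorType": "client-jwt", "implicitFlowEnabled": false,
   "redirectUris": ["https://billing.example.test/callback"],
   "attributes": {"access.token.lifespan": "300"}},
  {"clientId": "legacy-spa", "publicClient": true,
   "implicitFlowEnabled": true, "redirectUris": ["*"],
   "attributes": {"access.token.lifespan": "86400"}}
]
""")

# Hypothetical rule set: allowed methods and the limit are assumptions.
ALLOWED_AUTH = {"client-jwt", "client-x509"}
MAX_TOKEN_LIFESPAN = 900  # seconds

def audit_client(client):
    """Return a list of rule violations for one client representation."""
    findings = []
    attrs = client.get("attributes") or {}
    if client.get("publicClient"):
        # Public clients hold no secret, so require PKCE with S256.
        if attrs.get("pkce.code.challenge.method") != "S256":
            findings.append("public client without PKCE S256")
    elif client.get("clientAuthenticatorType") not in ALLOWED_AUTH:
        findings.append("client authentication method not allowed")
    if client.get("implicitFlowEnabled"):
        findings.append("implicit flow enabled")
    if any("*" in uri for uri in client.get("redirectUris") or []):
        findings.append("wildcard redirect URI")
    lifespan = attrs.get("access.token.lifespan")
    if lifespan and int(lifespan) > MAX_TOKEN_LIFESPAN:
        findings.append("access token lifespan above limit")
    return findings

def audit_export(clients):
    """Map clientId -> findings, listing only clients that violate a rule."""
    report = {c["clientId"]: audit_client(c) for c in clients}
    return {cid: f for cid, f in report.items() if f}

if __name__ == "__main__":
    for cid, findings in audit_export(SAMPLE_EXPORT).items():
        print(cid, "->", "; ".join(findings))
```

A script like this only reports drift after the fact; a policy enforced by the server rejects the non-compliant setting when the client is created or updated.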
What are Declarative User Profiles and why use them?
This feature allows you to define user profile attributes (such as first name and email) and their validation rules declaratively, moving away from the older programmatic approach. Configuration is now done via the Admin Console or a JSON file.
It simplifies managing required fields and validation, making the system more configurable and less reliant on custom code for basic profile management.
What was deprecated in this release?
The legacy JavaScript adapter has been officially deprecated. You should migrate to the new Keycloak JS adapter instead.
Additionally, the old account management console has been completely removed. All account management functionality is now handled exclusively by the modern Account Console.
What improvements were made to the Account Console?
The Account Console received visual and functional updates for managing linked accounts and applications. The user experience for viewing and managing signed-in sessions was also enhanced.
These are incremental but welcome changes that make the end-user facing part of Keycloak more polished and easier to use.
FAQ
Is the new search feature in the Admin Console real-time?
Yes, the global search functionality provides real-time filtering as you type, allowing for quick discovery of realms, clients, users, and groups.
Do I have to use the new Declarative User Profiles immediately?
No, the legacy programmatic method is still available. However, the new declarative method is the recommended path forward for defining user attributes and validation.
What should I use instead of the deprecated JavaScript adapter?
You should migrate your applications to use the newer Keycloak JS adapter, which is actively maintained and offers improved functionality.
Can I still enforce client settings without OIDC Client Policies?
Yes, but it would require manual checks and custom scripts. The new policies provide a built-in, centralized, and enforceable way to manage client configurations.
Where can I find the Early Access OIDC SDK?
The early access version of the OIDC SDK is available for developers who want to test and provide feedback. It's a separate download from the main distribution.