22.0.13

Latest release in branch 22.0
Released 1 year ago (September 19, 2024)

Software: Keycloak
Branch: 22.0
Status: End of life
End of life: November 23, 2023
First official release version: 22.0.0
First official release date: 2 years ago (July 11, 2023)
Supported Java versions: Java 11
Release notes: https://github.com/keycloak/keycloak/releases/tag/22.0.13
Source code: https://github.com/keycloak/keycloak/tree/22.0.13
Documentation: https://github.com/keycloak/keycloak/tree/22.0.13/docs

What Is New in Keycloak 22.0

Keycloak 22.0 delivers a major step forward with its new Quarkus distribution, enhanced security features, and significant developer experience improvements. This release focuses on modernizing the platform's foundation while introducing powerful new capabilities for managing identities.

| Category | Key Highlights |
| --- | --- |
| New Features | Client Policies with JavaScript, OAuth 2.0 Device Authorization Grant, CIBA Ping Mode |
| Platform & Core | Quarkus becomes the default distribution, New storage system (HotRod) |
| Security | Passkey (WebAuthn) support, Enhanced client authentication options |
| Deprecations & Removals | WildFly distribution deprecated, Legacy auth-server-standalone configuration removed |
| Improvements | Admin Console search, Performance optimizations, Updated libraries |

Why is Quarkus now the default and what does it mean for me?

The Quarkus distribution is now the default for Keycloak 22.0, marking a complete transition from the legacy WildFly server. This is a foundational change that impacts how you run and operate Keycloak.

In practice, this means faster startup times, a reduced memory footprint, and a more modern, container-native architecture. The WildFly distribution is now deprecated, so all new deployments should use Quarkus. Existing WildFly installations will need to plan a migration.

This shift also brings a new configuration approach. The old auth-server-standalone XML files are gone, replaced by a single conf/keycloak.conf file and environment variables, which is much simpler for cloud-native setups.

What new security features should I implement first?

Passkey support via WebAuthn and enhanced Client Policies are the standout security features to explore. Passkeys allow for passwordless authentication, providing a more secure and user-friendly login experience by using biometrics or security keys.

Client Policies now support JavaScript conditions, giving you fine-grained control over how clients can be configured and used. You can write complex logic to enforce security rules tailored to your specific environment, which goes beyond what static JSON rules can express.

For server-to-server scenarios, the OAuth 2.0 Device Authorization Grant and CIBA (OpenID Connect Client Initiated Backchannel Authentication) Ping Mode are now generally available, expanding your options for authenticating devices and decoupled applications.

How does the new storage layer improve performance?

Version 22.0 introduces a new HotRod storage implementation, which is a significant backend overhaul. This new system is designed for better performance and scalability, particularly in clustered environments.

The HotRod protocol is more efficient for remote cache operations compared to the previous Infinispan REST API. This translates to lower latency for database operations and improved overall responsiveness of your Keycloak instance, especially under heavy load.

While the legacy storage system is still available, the HotRod implementation is the future. You'll need an Infinispan server that supports the HotRod protocol if you want to leverage these performance gains in a remote store setup.

What has been removed that might break my current setup?

The most impactful removal is the legacy auth-server-standalone configuration directory and its XML files. If you have scripts or automation that directly modify these files, they will need to be updated to use the new conf/keycloak.conf file or environment variables.

Support for the `X509` client authentication method has been dropped in favor of the more standard `tls_client_auth` and `self_signed_tls_client_auth` methods. Any clients using the old method must be reconfigured.

Additionally, the WildFly distribution is now deprecated. While it's still available in this release, it's on a path to being completely removed, so starting a migration to the Quarkus distribution is strongly recommended to avoid future upgrade issues.

FAQ

Is the WildFly version of Keycloak completely gone in 22.0?
No, but it's deprecated. The download page now defaults to the Quarkus distribution. The WildFly variant is still available but will be removed in a future release. You should start migrating existing deployments to Quarkus.

How do I configure Keycloak now that the standalone XML files are removed?
Configuration is now primarily done through a single conf/keycloak.conf file using a properties format or via environment variables. This is a much simpler and more cloud-friendly approach than the complex XML hierarchy.
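
As an added example (not part of the original page or of the Keycloak project), the sketch below merges a `conf/keycloak.conf` in properties format with `KC_`-prefixed environment variables and reports which settings end up in effect, which is useful when moving automation off the old XML files. It assumes Keycloak's convention that `db-url` maps to `KC_DB_URL` and that environment variables take precedence over the file; the sample file, environment and the three checks are constructed for illustration.

```python
# Constructed sample conf/keycloak.conf (properties format) and environment.
SAMPLE_CONF = """\
# database
db=postgres
db-password=changeme
http-enabled=true
hostname-strict=false
"""
SAMPLE_ENV = {"KC_HOSTNAME_STRICT": "true", "KC_DB_USERNAME": "keycloak", "PATH": "/usr/bin"}

# Checks chosen for this example (assumption); adapt to your own baseline.
RISKY = {
    "http-enabled": ("true", "plain HTTP listener enabled"),
    "hostname-strict": ("false", "hostname taken from request headers"),
}

def parse_conf(text):
    """Parse key=value lines, skipping blanks and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf

def env_to_option(name):
    """KC_DB_URL -> db-url (naming convention assumed in the lead-in)."""
    return name[3:].lower().replace("_", "-")

def effective_config(conf_text, env):
    """Return ({option: (value, source)}, [options where env overrides the file])."""
    merged = {k: (v, "file") for k, v in parse_conf(conf_text).items()}
    overrides = {env_to_option(n): v for n, v in env.items() if n.startswith("KC_")}
    shadowed = [k for k, v in overrides.items() if k in merged and merged[k][0] != v]
    merged.update({k: (v, "env") for k, v in overrides.items()})
    return merged, shadowed

def audit(conf_text, env):
    """Flag risky effective values and secrets that live in the conf file."""
    merged, shadowed = effective_config(conf_text, env)
    findings = [f"{k}: {why}" for k, (bad, why) in RISKY.items()
                if merged.get(k, ("", ""))[0].lower() == bad]
    if merged.get("db-password", ("", ""))[1] == "file":
        findings.append("db-password: secret stored in conf file")
    return findings, shadowed
```

The sketch does not handle `${VAR}` substitution inside the file or command-line options, so treat its output as a first pass over a deployment's configuration rather than the server's final view.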

Can I use WebAuthn/Passkeys for administrative logins to the Admin Console?
Yes, that's one of the main use cases. You can configure a WebAuthn authenticator in the browser flow and assign it to the admin console client, allowing passwordless authentication for administrators.

What is the practical benefit of JavaScript conditions in Client Policies?
It allows dynamic policy enforcement. Instead of static rules, you can write JS code to make decisions based on complex logic, such as the client's IP address, time of day, or other context from the authentication request.

Do I have to migrate to the new HotRod storage immediately?
No, the legacy storage system is still present. However, the HotRod implementation is the future and offers performance benefits. You can migrate at your own pace, but new features will likely be built for the new storage layer.

Releases In Branch 22.0

| Version | Release date |
| --- | --- |
| 22.0.13 | 1 year ago (September 19, 2024) |
| 22.0.12 | 1 year ago (September 10, 2024) |
| 22.0.11 | 1 year ago (May 21, 2024) |
| 22.0.10 | 2 years ago (March 25, 2024) |
| 22.0.9 | 2 years ago (March 04, 2024) |
| 22.0.8 | 2 years ago (January 04, 2024) |
| 22.0.7 | 2 years ago (December 06, 2023) |
| 22.0.6 | 2 years ago (December 04, 2023) |
| 22.0.5 | 2 years ago (October 24, 2023) |
| 22.0.4 | 2 years ago (October 04, 2023) |
| 22.0.3 | 2 years ago (September 12, 2023) |
| 22.0.2 | 2 years ago (September 11, 2023) |
| 22.0.1 | 2 years ago (July 18, 2023) |
| 22.0.0 | 2 years ago (July 11, 2023) |