What Is New in Keycloak 23.0
Keycloak 23.0 delivers a major step forward with a new default storage layer, significant admin console updates, and a host of developer-focused improvements. This release focuses on modernizing the architecture and enhancing the user experience.
| Category | Key Changes |
|---|---|
| New Features | New default storage (Map Storage), Declarative User Profile, OAuth 2.0 Demonstrating Proof-of-Possession (DPoP) |
| Improvements | Admin Console UI overhaul, Client Policies enhancements, Performance optimizations for the new store |
| Deprecations & Removals | Legacy store deprecated, Removal of WildFly 26 support, Removal of some outdated account console features |
| Bug Fixes | Numerous fixes across authentication flows, client registration, and the admin console |
What is the new Map Storage and why does it matter?
The new Map Storage is now the default data store, replacing the legacy JPA model. This is a fundamental architectural shift from a relational to a NoSQL-inspired storage API. In practice, this provides a more flexible foundation for future enhancements and can simplify deployments.
This change is mostly internal, but it paves the way for better performance and scalability. You can still use the traditional relational databases; the new layer simply sits on top of them with a different abstraction.
How has the Admin Console changed?
The Admin Console received a significant UI refresh based on the PatternFly 5 design system. The update modernizes the look and feel and improves usability. This is part of an ongoing effort to make managing Keycloak more intuitive.
You will notice changes to the client details pages and a general streamlining of the navigation. The new design also sets the stage for more consistent and accessible user interfaces in future releases.
What is the Declarative User Profile?
The Declarative User Profile feature allows you to define user attribute configurations using a JSON format instead of code. This makes it easier to manage required fields, validation rules, and permissions for user attributes.
You can now configure these settings through the Admin Console or by using a REST API. This is a big win for maintainability, as it moves configuration away from complex Java-based providers.
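As an added illustration (not code from the Keycloak project or from this page), the Go program below embeds a constructed user profile document in the JSON shape the feature uses and applies its rules with a small checker. The members used (`attributes`, `required.roles`, `permissions.view`/`edit`, and validators such as `length` and `email`) follow Keycloak's documented user profile format, and `/admin/realms/{realm}/users/profile` is the Admin REST endpoint that serves this document. The `Validate` function is a simplified stand-in for how the declarative rules are read, not Keycloak's own validator implementation, and the attribute values are made up.

```go
package main

import (
	"encoding/json"
	"fmt"
	"unicode/utf8"
)

// UserProfileConfig models the subset of the user profile JSON document (the one the
// Admin Console edits and the Admin REST API exposes at
// GET/PUT /admin/realms/{realm}/users/profile) that this example evaluates.
// Keycloak's schema has more members (annotations, groups, scope-based rules).
type UserProfileConfig struct {
	Attributes []AttributeConfig `json:"attributes"`
}

type AttributeConfig struct {
	Name        string                                        `json:"name"`
	Required    *struct{ Roles []string `json:"roles"` }      `json:"required"`    // "user" and/or "admin"
	Permissions *struct{ View, Edit []string }                `json:"permissions"` // keys matched case-insensitively
	Validations map[string]map[string]interface{}             `json:"validations"` // validator name -> its config
}

// SampleProfile is a constructed configuration: username and email are mandatory when
// users manage their own profile; department is visible to everyone but editable only
// by administrators and limited in length.
const SampleProfile = `{
  "attributes": [
    {"name": "username", "displayName": "${username}", "required": {"roles": ["user"]},
     "permissions": {"view": ["admin", "user"], "edit": ["admin", "user"]},
     "validations": {"length": {"min": 3, "max": 255}, "username-prohibited-characters": {}}},
    {"name": "email", "displayName": "${email}", "required": {"roles": ["user"]},
     "permissions": {"view": ["admin", "user"], "edit": ["admin", "user"]},
     "validations": {"email": {}, "length": {"max": 255}}},
    {"name": "department", "displayName": "Department",
     "permissions": {"view": ["admin", "user"], "edit": ["admin"]},
     "validations": {"length": {"max": 64}}}
  ]
}`

func ParseProfile(raw string) (*UserProfileConfig, error) {
	var cfg UserProfileConfig
	err := json.Unmarshal([]byte(raw), &cfg)
	return &cfg, err
}

func contains(list []string, s string) bool {
	for _, v := range list {
		if v == s {
			return true
		}
	}
	return false
}

// Validate applies the profile rules to a proposed set of attribute values. context is
// "user" (self-service account console) or "admin" (Admin Console or REST API), the two
// contexts the required and permissions rules are scoped to. Only "required", the edit
// permission and the length validator are implemented: a simplified illustration of how
// the declarative rules are read, not Keycloak's validator code.
func Validate(cfg *UserProfileConfig, attrs map[string]string, context string) []string {
	var errs []string
	for _, a := range cfg.Attributes {
		val, present := attrs[a.Name]
		if a.Required != nil && contains(a.Required.Roles, context) && val == "" {
			errs = append(errs, a.Name+": required")
			continue
		}
		if !present {
			continue
		}
		if a.Permissions != nil && !contains(a.Permissions.Edit, context) {
			errs = append(errs, a.Name+": not editable in the "+context+" context")
			continue
		}
		if length, ok := a.Validations["length"]; ok {
			n := utf8.RuneCountInString(val) // JSON numbers decode as float64
			if lo, ok := length["min"].(float64); ok && n < int(lo) {
				errs = append(errs, fmt.Sprintf("%s: shorter than %d characters", a.Name, int(lo)))
			}
			if hi, ok := length["max"].(float64); ok && n > int(hi) {
				errs = append(errs, fmt.Sprintf("%s: longer than %d characters", a.Name, int(hi)))
			}
		}
	}
	return errs
}

func main() {
	cfg, err := ParseProfile(SampleProfile)
	if err != nil {
		panic(err)
	}
	fmt.Println(Validate(cfg, map[string]string{"username": "al", "department": "ops"}, "user"))
}
```

The same document, once it is correct, is what you would `PUT` to the endpoint above; the checker shows why a self-service update that omits email, uses a two-character username, or tries to set department is rejected while an administrator may set department alone.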
Is OAuth 2.0 DPoP supported now?
Yes, Keycloak 23.0 adds support for the OAuth 2.0 Demonstrating Proof-of-Possession (DPoP) protocol. DPoP binds access tokens to a client's public key, providing a stronger security guarantee than bearer tokens alone.
This limits the damage from a stolen access token: on its own, without a proof signed by the matching private key, the token is not enough to call a protected resource. It is an important step forward for securing high-risk applications and is part of the broader trend toward token binding mechanisms.
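To make the binding concrete, the following added Go example (not Keycloak's code and not from this page) walks through both halves of a DPoP exchange as RFC 9449 defines it, using only the standard library: the client signs a per-request proof JWT (`typ: dpop+jwt`, ES256) with its private key and carries the public key in the proof header; the resource server verifies the signature, computes the RFC 7638 thumbprint of that key, and compares it with the `cnf.jkt` claim the authorization server placed in the access token, then checks that the proof is for this method, URL and token and has not been replayed. The access token string, the request URL and the 300-second acceptance window are constructed assumptions; a real resource server would also normalise `htu` and expire its `jti` replay cache.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding

// PublicJWK renders the EC public key as the JWK carried in the proof's "jwk" header.
func PublicJWK(pub *ecdsa.PublicKey) map[string]string {
	x, y := pub.X.FillBytes(make([]byte, 32)), pub.Y.FillBytes(make([]byte, 32))
	return map[string]string{"kty": "EC", "crv": "P-256", "x": b64.EncodeToString(x), "y": b64.EncodeToString(y)}
}

func sha256B64(s string) string  { h := sha256.Sum256([]byte(s)); return b64.EncodeToString(h[:]) }
func bigFromB64(s string) *big.Int { b, _ := b64.DecodeString(s); return new(big.Int).SetBytes(b) }

// Thumbprint is the RFC 7638 JWK thumbprint: SHA-256 over the canonical JSON of the
// required members in lexicographic order. The authorization server puts this value
// into the access token's cnf.jkt claim; that claim is what binds the token to the key.
func Thumbprint(k map[string]string) string {
	return sha256B64(fmt.Sprintf(`{"crv":%q,"kty":%q,"x":%q,"y":%q}`, k["crv"], k["kty"], k["x"], k["y"]))
}

// NewProof builds the client-side DPoP proof JWT (typ "dpop+jwt", alg ES256) for one
// HTTP request; "ath" ties the proof to the specific access token it accompanies.
func NewProof(priv *ecdsa.PrivateKey, method, url, accessToken string, now time.Time) (string, error) {
	jti := make([]byte, 16) // fresh per request: the server's replay cache keys on it
	if _, err := rand.Read(jti); err != nil { return "", err }
	header, _ := json.Marshal(map[string]interface{}{"typ": "dpop+jwt", "alg": "ES256", "jwk": PublicJWK(&priv.PublicKey)})
	claims, _ := json.Marshal(map[string]interface{}{"jti": b64.EncodeToString(jti), "htm": method,
		"htu": url, "iat": now.Unix(), "ath": sha256B64(accessToken)})
	input := b64.EncodeToString(header) + "." + b64.EncodeToString(claims)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil { return "", err }
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...) // JWS ES256: raw r||s
	return input + "." + b64.EncodeToString(sig), nil
}

// VerifyProof is the resource-server side. The signature proves possession of the embedded
// key, the thumbprint check proves it is the key the token was issued to, and the claim
// checks tie the proof to this request. seenJTI is the caller's replay cache (assumed here
// to be in memory; a real server expires its entries after the acceptance window).
func VerifyProof(proof, method, url, accessToken, expectedJKT string, now time.Time, seenJTI map[string]bool) error {
	parts := strings.Split(proof, ".")
	if len(parts) != 3 { return fmt.Errorf("malformed proof") }
	hb, errH := b64.DecodeString(parts[0])
	cb, errC := b64.DecodeString(parts[1])
	sig, errS := b64.DecodeString(parts[2])
	if errH != nil || errC != nil || errS != nil || len(sig) != 64 {
		return fmt.Errorf("malformed proof encoding")
	}
	var hdr struct {
		Typ, Alg string // encoding/json matches "typ"/"alg" case-insensitively
		Jwk      map[string]string
	}
	if json.Unmarshal(hb, &hdr) != nil || hdr.Typ != "dpop+jwt" || hdr.Alg != "ES256" || hdr.Jwk["crv"] != "P-256" {
		return fmt.Errorf("unsupported proof header")
	}
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: bigFromB64(hdr.Jwk["x"]), Y: bigFromB64(hdr.Jwk["y"])}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return fmt.Errorf("proof signature invalid")
	}
	if Thumbprint(hdr.Jwk) != expectedJKT {
		return fmt.Errorf("proof key does not match the token's cnf.jkt binding")
	}
	var c struct {
		Jti, Htm, Htu, Ath string
		Iat                int64
	}
	if json.Unmarshal(cb, &c) != nil || c.Jti == "" || c.Htm != method || c.Htu != url || c.Ath != sha256B64(accessToken) {
		return fmt.Errorf("proof does not match this request or token")
	}
	if d := now.Unix() - c.Iat; d < -60 || d > 300 || seenJTI[c.Jti] {
		return fmt.Errorf("proof outside the acceptable time window or replayed")
	}
	seenJTI[c.Jti] = true
	return nil
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	token := "constructed-opaque-access-token" // stand-in for a real DPoP-bound token
	jkt := Thumbprint(PublicJWK(&priv.PublicKey))
	proof, _ := NewProof(priv, "GET", "https://api.example.test/resource", token, time.Now())
	fmt.Println("cnf.jkt:", jkt, "verify:", VerifyProof(proof, "GET", "https://api.example.test/resource", token, jkt, time.Now(), map[string]bool{}))
}
```

The order of checks is deliberate: a proof from any key other than the one in `cnf.jkt` fails the thumbprint comparison even though its signature is valid, which is exactly the property that makes a leaked access token useless without the private key.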
What has been deprecated or removed?
The legacy JPA storage system is now deprecated and will be removed in a future release. Support for WildFly 26 has been completely removed. Some older features of the account console, like the Personal Info and Authentication pages, have also been removed as they were replaced in earlier versions.
If you are still using the legacy store, you should start planning your migration to the new Map Storage. The `--storage` command-line parameter lets you switch back to the old `jpa` storage for now.
FAQ
Is the new Map Storage faster than the old JPA storage?
The focus of this release was making the new storage the default, not necessarily on raw performance gains. However, the new architecture is designed for better long-term performance and scalability, especially for large deployments.
Do I have to migrate my existing realm to the new storage immediately?
No. The legacy JPA storage is deprecated but still available. You can use the `start --storage=jpa` command to continue using the old store. However, you should plan to migrate for a future version where the old store will be removed.
Can I still use my custom user storage SPI with the new Map Storage?
Yes. The User Storage SPI remains fully compatible. The change to Map Storage is internal to Keycloak's core data management and does not break existing SPI implementations.
What happens to my client policies configuration from a previous version?
Your existing configurations will continue to work. Version 23.0 enhances client policies by adding new conditions and executors, giving you more granular control without breaking past setups.
Where did the old Account Console pages go?
The old Personal Info and Authentication pages were officially removed. They had been replaced by a new account console in a previous release. Ensure your users are using the updated console URL.