What Is New in Keycloak 25.0
| Category | Key Highlights |
|---|---|
| New Features | Organization API, OAuth 2.0 Device Authorization Grant, Dynamic Client Scopes |
| Improvements | Client Policies, CIBA, OpenID Connect Logout, Admin Console UI |
| Deprecations & Removals | Legacy Store, JavaScript Adapters, Legacy Features |
| Bug Fixes | Numerous fixes across authentication flows, user management, and client registration |
What new API capabilities were introduced?
The Organization API is the standout feature, providing a full CRUD interface for managing organizations and their memberships. It is a programmatic alternative to the admin console's organization management, which makes a big difference for automation.
We also got the OAuth 2.0 Device Authorization Grant, perfect for apps on limited-input devices like smart TVs. It lets a user authorize a device by entering a code on a separate browser.
Dynamic Client Scopes
Dynamic Client Scopes let you define client scopes that are assigned dynamically during authentication based on context, such as the client or the user. This is considerably more flexible than the old static assignment model.
How have client policies and CIBA been enhanced?
Client Policies now support more granular conditions and actions. You can create policies that apply based on specific client attributes, not just broad types. This gives admins finer control over security requirements for different clients.
For CIBA (Client Initiated Backchannel Authentication), the ping and poll modes are now fully supported. This completes the CIBA implementation, making it production-ready for scenarios where you can't use front-channel redirects.
What's changed for logout and the admin UI?
OpenID Connect Back-Channel Logout is now fully compliant with the spec. It properly handles session management and logout tokens, ensuring a cleaner sign-out across all relying parties.
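On the relying-party side, a compliant back-channel logout depends on the RP validating the logout token strictly before it tears down any session. The block below is an added example, not Keycloak code and not from the page: it implements the checks from OpenID Connect Back-Channel Logout 1.0 section 2.6 (issuer, audience, `iat`, `jti` replay, the `events` claim, `sub` or `sid` present, no `nonce`). To run offline without a crypto library it signs the constructed test token with HS256 and a shared secret, which is an assumption for the example only; Keycloak signs logout tokens with the realm's asymmetric key, so a real RP would verify RS256 against the realm's JWKS. The issuer URL and client id are placeholders.

```python
import base64
import hashlib
import hmac
import json
import time

BACKCHANNEL_LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"


class LogoutTokenError(ValueError):
    """Raised when a logout token must be rejected (the RP answers HTTP 400)."""


def _b64url_decode(data):
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_hs256_jwt(claims, key):
    """Constructed helper that signs a test token. Keycloak uses the realm's
    asymmetric key (RS256 by default); HS256 is used here only so the example
    runs offline without a crypto library."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def validate_logout_token(token, key, issuer, client_id, seen_jti, now=None, max_age=300):
    """Validate a back-channel logout token (Back-Channel Logout 1.0, section 2.6).
    Returns the (sub, sid) pair whose sessions must be terminated, or raises
    LogoutTokenError. seen_jti is the RP's replay cache (a set here; use a TTL
    store in production)."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise LogoutTokenError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise LogoutTokenError("unexpected alg")   # pin the algorithm; never accept 'none'
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise LogoutTokenError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))

    if claims.get("iss") != issuer:
        raise LogoutTokenError("wrong issuer")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else aud
    if not aud or client_id not in aud:
        raise LogoutTokenError("token not addressed to this client")
    iat = claims.get("iat")
    if not isinstance(iat, int) or abs(now - iat) > max_age:
        raise LogoutTokenError("iat missing or too old")
    if "exp" in claims and now >= claims["exp"]:
        raise LogoutTokenError("token expired")
    jti = claims.get("jti")
    if not jti:
        raise LogoutTokenError("jti missing")
    if jti in seen_jti:
        raise LogoutTokenError("replayed logout token")
    events = claims.get("events")
    if not isinstance(events, dict) or not isinstance(events.get(BACKCHANNEL_LOGOUT_EVENT), dict):
        raise LogoutTokenError("not a back-channel logout event")
    if "sub" not in claims and "sid" not in claims:
        raise LogoutTokenError("neither sub nor sid present")
    if "nonce" in claims:
        raise LogoutTokenError("nonce present: an ID token must not pass as a logout token")
    seen_jti.add(jti)
    return claims.get("sub"), claims.get("sid")


def demo():
    """Constructed walk-through: one valid token is accepted, then rejected on replay."""
    key = b"constructed-shared-secret"
    issuer = "https://idp.example.test/realms/demo"   # placeholder, not a real deployment
    now = 1_700_000_000
    claims = {"iss": issuer, "aud": "my-app", "iat": now, "jti": "tok-1",
              "sid": "session-123", "events": {BACKCHANNEL_LOGOUT_EVENT: {}}}
    token = make_hs256_jwt(claims, key)
    cache = set()
    first = validate_logout_token(token, key, issuer, "my-app", cache, now=now)
    try:
        validate_logout_token(token, key, issuer, "my-app", cache, now=now)
        replay_rejected = False
    except LogoutTokenError:
        replay_rejected = True
    return first, replay_rejected
```

The `nonce` check is the one most often skipped: it is what stops an attacker from replaying a captured ID token, which carries the same issuer, audience and signature, as a logout request against the RP.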
The Admin Console got a visual refresh for the client creation and editing screens. The new UI groups settings more logically, which cuts down the time it takes to configure a new client correctly.
What has been deprecated or removed?
The legacy store is finally gone. You must be on the new store, which has been the default for a while. This removes a lot of technical debt and simplifies the codebase.
All JavaScript adapters are now deprecated. The advice is to use the standard OIDC client libraries instead. The old keycloak.json setup for JavaScript apps should be migrated.
Several legacy features like the original account console and the FreeMarker theme are also on the deprecation path. Start planning to use the new account console and React-based themes.
FAQ
Is the Organization API stable and ready for production use?
Yes, the Organization API is a fully supported feature in 25.0. It provides a stable, versioned endpoint for automating the management of organizations and their members.
I use JavaScript adapters; what should I do?
You should begin migrating to a standard OIDC client library. The JavaScript adapters are deprecated and will be removed in a future release. The console now shows warnings for this.
How do I enable the OAuth 2.0 Device Authorization Grant?
You enable it per client in the admin console. Navigate to your client's settings and enable the "OAuth 2.0 Device Authorization Grant" capability. The user code generation and validation endpoints are then available.
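The grant described above and in the "New API capabilities" section is RFC 8628, and its security rests on details that the per-client switch hides: a high-entropy `device_code` the user never sees, a short `user_code` drawn from a confusion-free alphabet, a hard expiry, single use, binding to the requesting client, and `slow_down` back-off on polling. The block below is an added example, not Keycloak's implementation and not from the page: a self-contained simulation of both sides of the exchange (device, authorization server, and the user's browser decision) with an injectable clock so it can be stepped through offline. The verification URI, client id and lifetimes are constructed placeholders.

```python
import secrets
import time
from dataclasses import dataclass

# RFC 8628 section 6.1 recommends a user-code alphabet without vowels so random
# codes cannot spell words; 20 symbols ^ 8 positions gives roughly 2^34 codes.
USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"
USER_CODE_LEN = 8
DEVICE_CODE_LIFETIME = 600   # seconds a pending authorization stays valid (constructed)
POLL_INTERVAL = 5            # minimum seconds between token-endpoint polls
VERIFICATION_URI = "https://idp.example.test/realms/demo/device"   # placeholder URL


@dataclass
class PendingAuthorization:
    client_id: str
    scope: str
    user_code: str
    expires_at: float
    interval: int
    approved: bool = False
    denied: bool = False
    last_poll: float = 0.0


class AuthorizationServer:
    """Minimal server side of the grant: issue codes, record the user's browser
    decision, and answer token-endpoint polls."""

    def __init__(self, clock=time.time):
        self.clock = clock            # injectable for deterministic tests
        self.by_device_code = {}
        self.by_user_code = {}

    def device_authorization(self, client_id, scope):
        """POST /device_authorization: the limited-input device calls this first."""
        device_code = secrets.token_urlsafe(32)   # high entropy, never shown to the user
        user_code = "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(USER_CODE_LEN))
        pending = PendingAuthorization(client_id, scope, user_code,
                                       self.clock() + DEVICE_CODE_LIFETIME, POLL_INTERVAL)
        self.by_device_code[device_code] = pending
        self.by_user_code[user_code] = pending
        return {"device_code": device_code,
                "user_code": f"{user_code[:4]}-{user_code[4:]}",   # hyphen only for display
                "verification_uri": VERIFICATION_URI,
                "expires_in": DEVICE_CODE_LIFETIME, "interval": POLL_INTERVAL}

    def user_decision(self, typed_code, approve):
        """The user, already authenticated in a browser on another device, types the
        code shown on the TV and approves or denies the request."""
        pending = self.by_user_code.get(typed_code.replace("-", "").upper())
        if pending is None or self.clock() >= pending.expires_at:
            return False          # unknown or expired code: the user must start over
        if approve:
            pending.approved = True
        else:
            pending.denied = True
        return True

    def token(self, client_id, device_code):
        """POST /token with grant_type=urn:ietf:params:oauth:grant-type:device_code."""
        pending = self.by_device_code.get(device_code)
        now = self.clock()
        if pending is None or pending.client_id != client_id:
            return {"error": "invalid_grant"}         # code is bound to the requesting client
        if now >= pending.expires_at:
            self._discard(device_code, pending)
            return {"error": "expired_token"}
        if now - pending.last_poll < pending.interval:
            pending.interval += 5                      # RFC 8628 section 3.5: back off
            return {"error": "slow_down"}
        pending.last_poll = now
        if pending.denied:
            self._discard(device_code, pending)
            return {"error": "access_denied"}
        if not pending.approved:
            return {"error": "authorization_pending"}
        self._discard(device_code, pending)            # codes are single use
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "expires_in": 300, "scope": pending.scope}

    def _discard(self, device_code, pending):
        self.by_device_code.pop(device_code, None)
        self.by_user_code.pop(pending.user_code, None)


class FakeClock:
    """Deterministic clock so the exchange can be stepped through offline."""
    def __init__(self, start=1_700_000_000.0):
        self.now = start
    def __call__(self):
        return self.now
    def advance(self, seconds):
        self.now += seconds


def run_exchange():
    """Walk the grant once; return the token-endpoint errors the device saw and the final response."""
    clock = FakeClock()
    server = AuthorizationServer(clock)
    issued = server.device_authorization("smart-tv", "openid profile")
    seen = [server.token("smart-tv", issued["device_code"])["error"],   # authorization_pending
            server.token("smart-tv", issued["device_code"])["error"]]   # slow_down: polled too fast
    clock.advance(10)
    server.user_decision(issued["user_code"], approve=True)
    return seen, server.token("smart-tv", issued["device_code"])
```

When reviewing a real deployment, the same properties are what to check: that the user code cannot be brute-forced within its lifetime (alphabet size, length, expiry, and lockout on the verification page), that a device code issued to one client cannot be redeemed by another, and that a redeemed or expired code is gone rather than left redeemable.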
What is the immediate impact of the legacy store removal?
If you upgraded from a very old version and never migrated to the new store, your upgrade will fail. You must have already completed the migration to the new store to upgrade to 25.0.
Are the new Dynamic Client Scopes backwards compatible?
Yes, they are an additive feature. Your existing static client scope assignments will continue to work exactly as before. You can adopt dynamic scopes for new use cases at your own pace.