26.1.5

Latest release in branch 26.1
Released 1 year ago (April 11, 2025)

Software Keycloak
Branch 26.1
Status End of life
End of life April 11, 2025
First official release version 26.1.0
First official release date 1 year ago (January 15, 2025)
Requirement Java 17
Release notes https://github.com/keycloak/keycloak/releases/tag/26.1.5
Source code https://github.com/keycloak/keycloak/tree/26.1.5
Documentation https://github.com/keycloak/keycloak/tree/26.1.5/docs

What Is New in Keycloak 26.1

Keycloak 26.1 delivers a focused set of enhancements, primarily improving the developer experience and expanding authentication protocol support. The update introduces new OAuth 2.0 token exchange features, refines the admin UI, and addresses a number of bugs.

| Category | Key Highlights |
| --- | --- |
| New Features | OAuth 2.0 Token Exchange improvements, new admin UI for managing client scopes. |
| Enhancements | Admin Console UI refinements, better support for OpenID Connect (OIDC) logout. |
| Bug Fixes | Resolved issues with SAML, OIDC, and user session management. |
| Deprecations & Removals | Legacy WildFly distribution is deprecated. |

What are the key OAuth 2.0 Token Exchange improvements?

The core upgrade is the introduction of the `requested_issuer` parameter for the token exchange grant type. This lets you specify the exact issuer for the exchanged token, giving you more control over the token flow.

In practice, this means your services can now request tokens from a specific identity provider (Identity Broker) in a multi-broker setup. This is a step up from the previous behavior where the broker was chosen automatically, which could lead to unexpected results.

How has the Admin Console UI changed?

The UI for managing client scopes has been completely redesigned. The old tab-based layout is gone, replaced with a more modern and intuitive page that consolidates all the settings.

This matters because it streamlines a common administrative task. You no longer have to jump between tabs to configure mappers, scope, and settings, which reduces the chance of misconfiguration and saves time.

What's new for OpenID Connect logout?

Keycloak 26.1 adds better support for the `post_logout_redirect_uri` parameter during backchannel logout requests. This ensures the redirect URI is properly validated according to the OIDC specification.

This closes a potential gap where a logout request could specify an unregistered redirect URI. Now, the validation is consistent with front-channel logout flows, making the logout process more secure and predictable.
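The kind of check described above, as an added example that is not Keycloak's own code: a requested `post_logout_redirect_uri` is accepted only if it exactly matches a registered value. The function names, the registered URIs, the fallback page and the https-only policy are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed registration data for illustration (hypothetical client).
REGISTERED = frozenset({
    "https://app.example.com/logged-out",
    "https://admin.example.com/bye",
})
DEFAULT_LOGOUT_PAGE = "/logout-complete"  # hypothetical fallback page


def check_post_logout_redirect_uri(candidate, registered=REGISTERED):
    """Return (ok, reason) for a requested post_logout_redirect_uri."""
    if not candidate:
        return False, "missing"
    # Reject whitespace, control characters and backslashes before parsing;
    # URL parsers disagree on how to treat them.
    if any(ord(ch) < 0x21 or ch == "\\" for ch in candidate):
        return False, "illegal-character"
    try:
        parts = urlsplit(candidate)
    except ValueError:
        return False, "unparseable"
    if parts.scheme != "https":  # assumed policy: https only
        return False, "scheme"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo"
    if parts.fragment:
        return False, "fragment"
    # Exact string comparison: no prefix, case-folding or path normalisation.
    if candidate not in registered:
        return False, "unregistered"
    return True, "ok"


def logout_redirect_target(candidate):
    """Redirect only to a validated URI; otherwise stay on the default page."""
    ok, _ = check_post_logout_redirect_uri(candidate)
    return candidate if ok else DEFAULT_LOGOUT_PAGE
```

The reason string is meant for logging, so rejected logout requests can be counted per cause after an upgrade that tightens validation.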

What important bugs were squashed?

This release tackles several pesky issues. A notable fix prevents a deadlock that could occur when using the `max_clients_limit` feature, which was a real operational headache.

Other fixes include resolving problems with SAML artifact binding, correcting the `acr` claim value in OIDC tokens, and ensuring user sessions are properly handled during deletion. These are the kind of stability fixes that make a deployment more robust.

Is the WildFly distribution still supported?

The legacy WildFly distribution is now officially deprecated. The future is the Quarkus-based distribution, which offers faster startup times and a smaller memory footprint.

If you're still on WildFly, start planning your migration. The Quarkus distro is where all the new development and optimization efforts are focused, so you'll want to move to stay current.

FAQ

Does the new `requested_issuer` parameter work with any identity broker?
Yes, the parameter is designed for use in environments with multiple configured identity brokers to precisely control which one performs the token exchange.

I use the old admin UI for client scopes – will it break after upgrading?
No, the upgrade is seamless. The new UI will simply replace the old tabbed interface automatically. Your existing configurations remain intact.

Was the deadlock issue with `max_clients_limit` causing outages?
In severe cases, yes. The deadlock could prevent new client registrations from being processed, effectively causing a partial outage for dynamic client registration endpoints until a restart.

Is the OIDC logout change a breaking change?
It shouldn't be if your clients are following the spec correctly. It enforces stricter validation on the `post_logout_redirect_uri`, so clients using invalid URIs will see errors where they might not have before.

Can I still download the WildFly distribution for 26.1?
Yes, it is still available for download but it is marked as deprecated. For new deployments, you should absolutely use the Quarkus-based distribution instead.

Releases In Branch 26.1

| Version | Release date |
| --- | --- |
| 26.1.5 | 1 year ago (April 11, 2025) |
| 26.1.4 | 1 year ago (March 13, 2025) |
| 26.1.3 | 1 year ago (February 28, 2025) |
| 26.1.2 | 1 year ago (February 11, 2025) |
| 26.1.1 | 1 year ago (February 05, 2025) |
| 26.1.0 | 1 year ago (January 15, 2025) |