What Is New in Keycloak 26.4
Keycloak 26.4 delivers a mix of new features, enhancements, and critical fixes. This release focuses on improving the developer experience for authentication flows and solidifying the new admin console.
| Category | Key Highlights |
|---|---|
| New Features | Conditional UI for WebAuthn, Script Mapper for OIDC Identity Broker, New Admin Console UI for Authentication |
| Improvements | Performance optimizations for user session queries, Client Policies JavaScript bindings |
| Bug Fixes | Fixes for SAML, OIDC, and user session management |
| Deprecations & Removals | Legacy Admin Console UI deprecated |
What's the deal with the new WebAuthn Conditional UI?
Keycloak 26.4 introduces support for WebAuthn Conditional UI. This feature allows users to select a passkey directly from an autofill menu on an HTML input field, streamlining the login process.
In practice, this means a smoother user experience where users don't have to click a separate "Sign in with a passkey" button. The browser's native autofill UI handles the prompt. This is a significant step towards passwordless authentication becoming the default.
How does the new Script Mapper for Identity Brokers work?
A new Script Mapper type is now available for OpenID Connect Identity Brokers. This lets you use JavaScript to customize how user attributes and claims are mapped from an external identity provider into Keycloak.
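This helps with complex integrations. Instead of being limited to built-in mappers, you can write custom logic to handle unusual payloads from an external IdP, giving you full control over the attribute flow during federation. Because the script decides which external claims become local user attributes, treat claim values as untrusted input and validate them before mapping.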
```javascript
// Example: A simple script mapper logic
exports = function(user, context, claims) {
  // Copies the external claim into a local attribute as-is (no validation).
  user.setAttribute("custom_role", claims.external_privileges);
  return user;
};
```
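A hardened variant of the mapper above, as an added example that is not part of the original page or Keycloak's own code. It assumes the `(user, context, claims)` signature shown in the page's snippet; the allowlist values, `filterPrivileges`, `mapExternalPrivileges` and the stand-in user object are hypothetical.

```javascript
// Added example, not Keycloak code. Assumes the (user, context, claims)
// signature from the page's snippet; all other names are hypothetical.
const ALLOWED_PRIVILEGES = new Set(["viewer", "editor", "auditor"]);
const MAX_VALUES = 10; // cap on how many claim values are inspected

// Split an untrusted claim value into allowlisted and rejected entries.
function filterPrivileges(raw) {
  // Accept one string or an array; any other type yields nothing.
  const candidates = Array.isArray(raw) ? raw : typeof raw === "string" ? [raw] : [];
  const accepted = [];
  const rejected = [];
  for (const value of candidates.slice(0, MAX_VALUES)) {
    if (typeof value === "string" && ALLOWED_PRIVILEGES.has(value)) {
      if (!accepted.includes(value)) accepted.push(value); // de-duplicate
    } else {
      rejected.push(value); // keep for logging and alerting
    }
  }
  return { accepted, rejected };
}

function mapExternalPrivileges(user, context, claims) {
  const { accepted } = filterPrivileges(claims ? claims.external_privileges : undefined);
  // Always overwrite, so a privilege removed upstream does not linger locally.
  user.setAttribute("custom_role", accepted);
  return user;
}

// Constructed stand-in for the user object, for offline runs only.
function makeFakeUser() {
  const attrs = {};
  return {
    setAttribute(name, values) { attrs[name] = values; },
    getAttribute(name) { return attrs[name]; },
  };
}

// Constructed sample claims from a hypothetical external IdP.
const sampleClaims = { external_privileges: ["editor", "realm-admin", 42, "viewer", "editor"] };
const mapped = mapExternalPrivileges(makeFakeUser(), {}, sampleClaims);
console.log(mapped.getAttribute("custom_role"));
```

Rejected values are returned by `filterPrivileges` so they can be logged; an external IdP that starts sending unexpected privilege names is worth an alert.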
What authentication changes are in the new admin console?
The new admin console now includes the UI for managing authentication flows, executions, and bindings. This completes the major functional migration from the old console to the new React-based one.
With this update, the legacy admin console is now officially deprecated. It's time to start moving all your daily admin tasks over to the new interface, as the old one will be removed in a future release.
Were there any performance improvements?
Yes, this release includes optimizations for queries that load user sessions. The changes reduce the memory footprint and improve the performance of these operations, which is crucial for large-scale deployments with millions of active sessions.
This matters because session management is a core function, and any slowdown there can become a bottleneck. These optimizations help ensure Keycloak remains responsive under heavy load.
What got fixed for Client Policies?
The JavaScript bindings for Client Policies have been updated. The client variable is now correctly exposed within the policy script execution context, allowing your scripts to properly evaluate and interact with the client object.
Before this fix, trying to access client properties in a policy script might have failed silently or returned undefined, breaking custom policy logic. Now your scripts can reliably make decisions based on the client configuration.
FAQ
Is the legacy admin console completely gone in 26.4?
No, it is still present but is now officially deprecated. You can access it by appending /legacy to your admin URL, but you should start migrating to the new console immediately.
Does Conditional UI work with all browsers?
It works in browsers that support the WebAuthn Conditional UI specification, which includes recent versions of Chrome, Edge, and Safari. Always check the specific browser's documentation for support.
Can I use the new Script Mapper for SAML brokers?
No, the new Script Mapper feature is specifically for OpenID Connect Identity Brokers. SAML brokers use a different mapping system.
Were there any security fixes in this release?
The release notes do not highlight any specific CVEs or security advisories for 26.4.0. It is always recommended to review the official release notes for the most accurate information.
How do I enable the new authentication UI in the admin console?
There is no separate enable step. If you are using the new admin console (the default), the authentication management sections will automatically be available under the Configure menu.