What Is New in Keycloak 26.5
Keycloak 26.5 delivers a mix of new features, significant improvements, and essential fixes. This release focuses on enhancing the developer experience and expanding authentication capabilities.
| Category | Description |
|---|---|
| New Features | Passkey authentication, OAuth 2.0 Device Authorization Grant, and new client policies. |
| Improvements | Enhanced Admin UI, better client scopes management, and performance optimizations. |
| Bug Fixes | Resolved issues across the Admin Console, user federation, and event listeners. |
| Deprecations | Legacy client registration endpoints and older JavaScript adapter. |
What new authentication methods were added?
This release adds two major authentication capabilities. The OAuth 2.0 Device Authorization Grant is now fully supported, enabling secure login flows for devices with limited input capabilities, such as smart TVs, where the user completes sign-in on a second device.
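To make the device grant concrete, here is an added example (not Keycloak's code) that simulates both sides of the RFC 8628 exchange in memory: the device asks for a `device_code`/`user_code`, the user approves on another device, and the device polls the token endpoint until it gets a final answer. It also exercises the defensive behaviours a server must have: the grant only works for clients that have it enabled, device codes expire and are single use, and polling faster than the advertised interval is answered with `slow_down`. The endpoint URL, client ids, token values and the fake clock are constructed for illustration.

```python
"""Simulated OAuth 2.0 Device Authorization Grant (RFC 8628) exchange.

Added example, not Keycloak code: an in-memory authorization server and a
device client exchange the same messages a real deployment would, so the
flow can be studied offline. URLs, client ids and tokens are constructed.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Optional

DEVICE_CODE_LIFETIME = 600  # seconds a device_code stays valid (expires_in)
POLL_INTERVAL = 5           # minimum seconds between token polls (interval)


class FakeClock:
    """Deterministic clock so the example runs the same way every time."""
    def __init__(self, start: float) -> None:
        self.t = start
    def now(self) -> float:
        return self.t
    def advance(self, seconds: float) -> None:
        self.t += seconds


@dataclass
class DeviceGrant:
    client_id: str
    scope: str
    user_code: str
    expires_at: float
    approved_by: Optional[str] = None   # set when the user approves at verification_uri
    last_poll: float = 0.0
    consumed: bool = False              # a device_code may be exchanged only once


class AuthorizationServer:
    def __init__(self, device_grant_clients: set, clock=time.time) -> None:
        self.enabled = device_grant_clients  # clients with the grant switched on
        self.grants: dict = {}               # device_code -> DeviceGrant
        self.clock = clock

    def device_authorization(self, client_id: str, scope: str) -> dict:
        """Device authorization endpoint: issue device_code + user_code."""
        if client_id not in self.enabled:
            return {"error": "unauthorized_client"}
        device_code = secrets.token_urlsafe(32)
        user_code = f"{secrets.token_hex(2).upper()}-{secrets.token_hex(2).upper()}"
        self.grants[device_code] = DeviceGrant(
            client_id, scope, user_code, self.clock() + DEVICE_CODE_LIFETIME)
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://sso.example.test/realms/demo/device",
                "expires_in": DEVICE_CODE_LIFETIME, "interval": POLL_INTERVAL}

    def user_approves(self, user_code: str, username: str) -> bool:
        """The user signs in on another device and enters the user_code."""
        for grant in self.grants.values():
            if grant.user_code == user_code and grant.approved_by is None:
                grant.approved_by = username
                return True
        return False

    def token(self, client_id: str, device_code: str) -> dict:
        """Token endpoint, grant_type=urn:ietf:params:oauth:grant-type:device_code."""
        grant = self.grants.get(device_code)
        if grant is None or grant.client_id != client_id or grant.consumed:
            return {"error": "invalid_grant"}
        now = self.clock()
        if now > grant.expires_at:
            del self.grants[device_code]
            return {"error": "expired_token"}
        if now - grant.last_poll < POLL_INTERVAL:
            grant.last_poll = now           # polling too fast: tell the device to back off
            return {"error": "slow_down"}
        grant.last_poll = now
        if grant.approved_by is None:
            return {"error": "authorization_pending"}
        grant.consumed = True
        return {"access_token": "at-" + secrets.token_urlsafe(16), "token_type": "Bearer",
                "expires_in": 300, "scope": grant.scope, "sub": grant.approved_by}


def run_device_flow(server, clock, client_id="smart-tv", approve_on_poll=2, username="alice"):
    """Device side: request codes, display user_code, poll until a final answer."""
    transcript = []
    resp = server.device_authorization(client_id, "openid profile")
    transcript.append(("device_authorization", resp))
    if "error" in resp:
        return resp, transcript
    interval = resp["interval"]
    for poll in range(1, 10):
        clock.advance(interval)
        if poll == approve_on_poll:         # the user finishes the browser step meanwhile
            server.user_approves(resp["user_code"], username)
        answer = server.token(client_id, resp["device_code"])
        transcript.append((f"token poll {poll}", answer))
        if answer.get("error") == "slow_down":
            interval += 5                   # RFC 8628 section 3.5: widen the interval
            continue
        if answer.get("error") == "authorization_pending":
            continue
        return answer, transcript
    return {"error": "gave_up"}, transcript


if __name__ == "__main__":
    clock = FakeClock(1_000.0)
    final, transcript = run_device_flow(AuthorizationServer({"smart-tv"}, clock=clock.now), clock)
    for step, message in transcript:
        print(f"{step}: {message}")
```

The transcript printed by the `__main__` block is the exchange to look for in real logs: one device authorization response, one or more `authorization_pending` polls, then a single successful token response. A second exchange of the same `device_code` must fail, which is what `consumed` enforces here.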
Passkey authentication is another key addition, allowing users to leverage passwordless sign-in using biometrics or security keys. This modernizes the login experience and moves towards a passwordless future.
How is client policy management improved?
Client policies have been significantly enhanced for finer-grained control. You can now define more complex conditions and executor configurations to enforce security rules across your applications.
In practice, this means you can create policies that are dynamically applied based on a client's attributes, giving admins much more power to automate security compliance without manual intervention.
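The condition-plus-executor model described here (and asked about again in the FAQ on attribute-based policies below) is easiest to understand by running it. The following is an added example, not Keycloak's code or its configuration format: a toy evaluator in which conditions select which clients a policy targets, executors state what those clients must satisfy, and a client that matches a policy but fails an executor is reported as non-compliant. The condition names, executor checks, the `platform` attribute and the sample clients are all constructed for illustration.

```python
"""Toy evaluator for attribute-conditioned client policies.

Added example, not Keycloak code: it mirrors the condition-plus-executor
shape of client policies so the mechanics can be run offline. Condition
names, executor checks, attribute keys and client records are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class Client:
    client_id: str
    public: bool                          # public (no secret) vs confidential
    attributes: Dict[str, str] = field(default_factory=dict)
    pkce_method: str = ""                 # "" means PKCE is not enforced
    implicit_flow: bool = False
    redirect_uris: tuple = ()


Condition = Callable[[Client], bool]
Executor = Callable[[Client], Optional[str]]  # returns a violation message or None


# --- conditions: decide WHICH clients a policy targets ----------------------
def has_attribute(key: str, value: str) -> Condition:
    return lambda c: c.attributes.get(key) == value


def is_public() -> Condition:
    return lambda c: c.public


def any_client() -> Condition:
    return lambda c: True


# --- executors: decide WHAT the targeted clients must satisfy ----------------
def require_pkce_s256(c: Client) -> Optional[str]:
    return None if c.pkce_method == "S256" else "PKCE with S256 must be enforced"


def reject_implicit_grant(c: Client) -> Optional[str]:
    return "implicit flow must be disabled" if c.implicit_flow else None


def reject_wildcard_redirects(c: Client) -> Optional[str]:
    bad = [u for u in c.redirect_uris if "*" in u]
    return f"wildcard redirect URIs not allowed: {bad}" if bad else None


@dataclass
class Policy:
    name: str
    conditions: List[Condition]
    executors: List[Executor]
    enabled: bool = True

    def applies_to(self, c: Client) -> bool:
        # A policy fires only when it is enabled and every condition matches.
        return self.enabled and all(cond(c) for cond in self.conditions)


def evaluate(policies: List[Policy], c: Client) -> Dict[str, List[str]]:
    """Map each applicable policy to the executor violations it raised."""
    return {p.name: [v for v in (ex(c) for ex in p.executors) if v]
            for p in policies if p.applies_to(c)}


def is_compliant(policies: List[Policy], c: Client) -> bool:
    return not any(evaluate(policies, c).values())


POLICIES = [
    # Targets only public clients tagged platform=mobile (constructed attribute).
    Policy("mobile-public-clients",
           [has_attribute("platform", "mobile"), is_public()],
           [require_pkce_s256, reject_implicit_grant]),
    # Applies to every client in the realm.
    Policy("all-clients", [any_client()], [reject_wildcard_redirects]),
]

# Constructed sample clients.
MOBILE_APP = Client("mobile-app", public=True, attributes={"platform": "mobile"},
                    redirect_uris=("com.example.app:/callback",))
HARDENED_MOBILE_APP = Client("mobile-app-v2", public=True, attributes={"platform": "mobile"},
                             pkce_method="S256", redirect_uris=("com.example.app:/callback",))
WEB_PORTAL = Client("web-portal", public=False, attributes={"platform": "web"},
                    redirect_uris=("https://portal.example.test/*",))

if __name__ == "__main__":
    for client in (MOBILE_APP, HARDENED_MOBILE_APP, WEB_PORTAL):
        print(client.client_id, evaluate(POLICIES, client))
```

Running it shows the targeting at work: `mobile-app` matches the mobile policy and is flagged for missing PKCE, `mobile-app-v2` matches the same policy and passes, and `web-portal` never matches the mobile policy at all but is caught by the realm-wide wildcard redirect check. That separation is the point of attribute-based conditions: the rule set for mobile clients can tighten without touching the policy that governs everything else.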
What Admin UI enhancements should I know about?
The Admin Console received usability upgrades, particularly in how client scopes are managed. The interface for assigning default and optional scopes to clients has been refined for clarity.
These tweaks might seem small, but they reduce the cognitive load when configuring complex clients, making the process faster and less error-prone for daily operations.
Were there any notable performance fixes?
Yes, several under-the-hood optimizations were included. The team addressed issues that could cause performance degradation under specific high-load scenarios, particularly around token validation and user session management.
For large deployments, these fixes help maintain stable response times and prevent bottlenecks that could impact user experience during peak traffic.
What has been deprecated in this version?
The legacy client registration endpoints and the older JavaScript adapter are now formally deprecated. You should start migrating to the newer keycloak-js adapter and the current registration API.
This is a clear signal from the team to modernize your integration code. The deprecated features will likely be removed in a future major release, so planning the migration now avoids future breaking changes.
FAQ
How do I enable the OAuth 2.0 Device Authorization Grant for my client?
Navigate to your client's settings in the Admin UI. Under the "Capability Config" section, you will find the option to enable "OAuth 2.0 Device Authorization Grant". Once enabled, the client can call the realm's device authorization endpoint to start the flow and then poll the token endpoint for the result.
Is Passkey support ready for production use?
Yes, the Passkey authentication support is a fully implemented feature. You can configure it in the authentication flows, typically by adding the "WebAuthn Register Authenticator" and "WebAuthn Authenticator" executions to a flow.
What should I use instead of the deprecated JavaScript adapter?
You must migrate to the newer keycloak-js package. The API is different, so you will need to update your initialization and method calls. Check the official migration guide for specifics.
Were there any security fixes in this release?
While no CVEs were announced with this release, it includes various bug fixes that improve overall stability. Always review the specific bug fix list for your deployment to understand the impact.
Can I define a client policy that only applies to clients with a specific attribute?
Yes, the enhanced client policies allow you to use conditions based on client attributes. This lets you create targeted policies for different types of applications, like mobile vs. web clients.