What Is New in Keycloak 26.6
This release introduces significant enhancements across the board, from new client policies to improved admin tools and foundational upgrades.
| Category | Key Highlights |
|---|---|
| New Features | Client Policies for OIDC, Admin Events Search, New Account Console |
| Improvements | Admin UI Search, Client Scopes, Performance Optimizations |
| Bug Fixes | Fixes for Authentication Flows, User Sessions, and SAML |
| Security | Dependency Upgrades (Jackson, Nimbus JOSE+JWT) |
| Deprecations | Legacy Account Console, Old Admin Events Provider |
What are the new client policies for OpenID Connect?
Keycloak 26.6 adds a new client registration policy for OpenID Connect, allowing you to enforce specific client settings directly from the admin console. This lets you require that dynamically registered clients be public clients, giving you more control over security defaults. In practice, this is a big step towards better governance for multi-tenant scenarios where you don't want confidential clients created automatically.
How is searching for admin events better now?
You can now search the admin event log by multiple resource paths simultaneously. This is a huge time-saver when you're troubleshooting and need to filter events for specific resources, like a user and a client, at the same time. The search is more powerful and gets you the audit information you need faster.
What's the deal with the new Account Console?
The legacy Account Console is now deprecated, and the new one is the default. The new console is built with PatternFly and offers a more modern and consistent user experience for your end-users to manage their accounts. This matters because it's the final step in the admin UI modernization effort that started a few versions back.
What admin UI search improvements were made?
Searching for clients and client scopes in the admin UI is now case-insensitive. You no longer have to worry about the exact casing of your search terms, which makes navigating large lists of clients significantly less frustrating. It's a simple but highly effective quality-of-life improvement for daily administration.
Were there any important dependency upgrades?
Yes, the core libraries Jackson and Nimbus JOSE+JWT were upgraded. These are critical for JSON processing and JWT handling throughout Keycloak. Keeping these dependencies current is essential for incorporating security patches and maintaining compatibility with the broader Java ecosystem.
Upgraded Libraries
- Jackson to version 2.17.2
- Nimbus JOSE+JWT to version 9.37.3
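
A post-upgrade check for the two versions listed above, as an added example that is not part of the release notes or of Keycloak itself: it scans a listing of jar files and reports Jackson or Nimbus JOSE+JWT jars older than those versions, or absent altogether. The `group.artifact-version.jar` file naming and the sample listing are assumptions constructed for illustration.

```python
import os
import re
import sys

# Minimum versions taken from the "Upgraded Libraries" list above.
MINIMUMS = {"jackson": (2, 17, 2), "nimbus-jose-jwt": (9, 37, 3)}

# Assumed naming: optional dotted group prefix, artifact, numeric version,
# optional vendor suffix, ".jar".
JAR_RE = re.compile(
    r"(?:^|[./])(?P<artifact>jackson-[a-z][a-z0-9]*(?:-[a-z][a-z0-9]*)*|nimbus-jose-jwt)"
    r"-(?P<version>\d+(?:\.\d+)*)[^/]*\.jar$"
)

# Constructed sample listing (not taken from a real installation).
SAMPLE_LISTING = [
    "com.fasterxml.jackson.core.jackson-databind-2.17.2.jar",
    "com.fasterxml.jackson.core.jackson-core-2.15.4.jar",  # stale leftover
    "com.fasterxml.jackson.datatype.jackson-datatype-jdk8-2.17.2.jar",
    "com.nimbusds.nimbus-jose-jwt-9.37.3.jar",
    "org.example.unrelated-1.0.0.jar",  # not tracked, ignored
]

def parse_jar(filename):
    """Return (family, artifact, version_tuple), or None for untracked jars."""
    m = JAR_RE.search(filename)
    if not m:
        return None
    artifact = m.group("artifact")
    family = "jackson" if artifact.startswith("jackson-") else artifact
    return family, artifact, tuple(int(p) for p in m.group("version").split("."))

def audit(filenames, minimums=MINIMUMS):
    """Report jars below the minimum and tracked families with no jar at all."""
    findings, seen = [], set()
    for name in filenames:
        parsed = parse_jar(name)
        if parsed is None:
            continue
        family, artifact, version = parsed
        seen.add(family)
        if version < minimums[family]:
            findings.append(("outdated", artifact, ".".join(map(str, version))))
    findings += [("missing", family, None) for family in set(minimums) - seen]
    return sorted(findings, key=lambda f: (f[0], f[1]))

if __name__ == "__main__":
    # Pass the directory holding the server's jars; falls back to the sample.
    listing = os.listdir(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LISTING
    for kind, name, version in audit(listing):
        print(kind, name, version or "")
```

A stale jar left beside the upgraded one is reported as outdated, which is the case a plain "is the new version present" check misses.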
FAQ
Is the legacy Account Console completely gone in 26.6?
No, it is still available but is now officially deprecated. The new Account Console is the default. You should start migrating any customizations to the new version.
Does the new OIDC client policy break existing dynamic client registration?
No, it only applies to new client registrations. Existing clients are unaffected. The policy is an enforcement mechanism for new registrations going forward.
Why should I care about the Jackson library upgrade?
Jackson is fundamental for all JSON serialization/deserialization. This upgrade includes bug fixes and security patches that improve the overall stability and security of your Keycloak instance.
Can I still use the old admin events provider?
The old `jpa` admin events provider is deprecated. It's recommended to use the new `store` provider, which offers the new multi-path search capabilities and is the future-proof option.
Were there any performance fixes in this release?
Yes, several performance optimizations were included, such as fixes for authentication flow executions and user session loading, which help reduce latency under heavy load.