What Is New in Keycloak 4.0
Keycloak 4.0 delivers a major upgrade with a new admin console, significant performance improvements, and a host of new features for developers. This release focuses on modernizing the user experience and enhancing security protocols.

| Category | Key Changes |
|---|---|
| New Features | New Admin Console, OpenShift 3 Integration, WebAuthn Support Preview |
| Improvements | Performance Optimizations, Infinispan Upgrades, JavaScript Adapter Updates |
| Deprecations | Old Admin Console, Legacy JavaScript Adapter, Old Account Console |
| Bug Fixes | Numerous fixes across authentication, authorization, and user management |

What's the big deal with the new admin console?
The new admin console is a complete rewrite using PatternFly, replacing the older AngularJS interface. This isn't just a visual refresh; it's a more performant and maintainable foundation for future development. In practice, admins will notice a snappier, more modern interface for managing realms, clients, and users.
The old admin console is now deprecated and scheduled for removal in a future release. This change matters because it aligns Keycloak's tooling with contemporary web standards and frameworks.
How does WebAuthn support change authentication?
Keycloak 4.0 introduces a technical preview of WebAuthn, the web standard for passwordless authentication. This allows you to start experimenting with FIDO2 security keys and biometrics as a second factor or even for passwordless login flows.
Since it's a preview, the feature is not enabled by default and the API might change. This is a foundational step towards phasing out older two-factor methods like OTP in favor of more secure and user-friendly options.
What performance improvements should I expect?
This release includes significant optimizations, particularly for scenarios with a high number of roles. The team reduced memory consumption and improved the efficiency of role loading, which directly impacts login times and overall system responsiveness under heavy load.
Upgrading the embedded Infinispan cache to version 9.2 also contributes to better cluster performance and stability. You'll see the most benefit in large-scale deployments where caching is critical.
Is the JavaScript adapter changing?
Yes, the legacy JavaScript adapter has been deprecated. The new recommended approach is to use the Keycloak JavaScript adapter available via npm. This modernizes how you integrate Keycloak into single-page applications.
You should plan to migrate your apps to use the new adapter package. The old one will eventually be removed, so switching now ensures future compatibility and access to the latest features.
FAQ
Is the old admin console still available in 4.0?
Yes, the old AngularJS admin console is still present but is now deprecated. You can access it, but you should start migrating to the new PatternFly-based console as the old one will be removed in a future release.
How do I enable the WebAuthn preview?
WebAuthn is not enabled by default. You must start the server with the `-Dkeycloak.profile=preview` flag to activate this and other preview features for testing.
What version of Infinispan is used now?
Keycloak 4.0 upgrades its embedded Infinispan cache from version 8.x to 9.2.0.Final. This brings performance improvements and better cluster management for distributed deployments.
Are there any changes to OpenID Connect compliance?
Yes, the release adds better compliance for OAuth 2.0 Device Authorization Grant and improves overall OpenID Connect certification, ensuring better interoperability with other certified providers.
What happened to the old account management console?
The old account console has been removed entirely in version 4.0. It was previously deprecated, and users are now directed to use the new account console that was introduced in earlier versions.