What Is New in Keycloak 4.3
This release introduces a significant update to the admin console, major dependency upgrades, and a host of new features aimed at improving developer experience and security.

| Category | Key Highlights |
|---|---|
| New Features | New Admin Console UI, OpenShift Token Review authenticator, Client Scopes UI, X509 client authentication |
| Improvements | Upgraded to WildFly 13, Node.js policy enforcer, JavaScript adapter refactoring, Account console updates |
| Bug Fixes | Numerous fixes across authentication flows, SAML, OIDC, and social identity providers |
| Deprecations & Removals | Old account console and admin console UIs deprecated |

What is the new Admin Console like?
The new Admin Console is a complete rewrite using PatternFly 4, offering a modern and more responsive user experience. This is a major step forward from the older GWT-based interface, providing a cleaner and more intuitive way to manage your realm settings.
In practice, navigation feels smoother and the layout is more consistent. The old admin console has been deprecated, so it's a good time to start getting familiar with the new one.
Which dependencies got upgraded in 4.3?
Keycloak 4.3 ships on WildFly 13, which is a substantial jump from previous versions. This upgrade brings along all the performance and security benefits of the newer application server.
Other critical upgrades include Hibernate 5.3, Infinispan 9.3, and Jackson 2.9. These updates matter because they improve stability, fix vulnerabilities in the underlying layers, and ensure better compatibility with modern libraries.
Are there new ways to authenticate clients?
Yes, this release adds support for X509 client certificate authentication. This allows for a more secure machine-to-machine authentication method where clients can be validated using certificates instead of (or in addition to) secrets.
For OpenShift environments, there's a new OpenShift Token Review authenticator. This lets you authenticate users based on their OpenShift service account tokens, which is huge for integrating with Kubernetes and OpenShift platforms.
What improvements were made for developers?
The JavaScript adapter has been refactored to use a promise-based API, making async code much cleaner and easier to work with than the old callback-style code. The Node.js adapter also now supports a policy enforcer for easier resource server setup.
Client Scopes finally have a dedicated UI in the admin console. This makes it significantly easier to manage and assign default and optional scopes to clients, a task that was previously more cumbersome.
FAQ
Is the old Admin Console completely gone?
No, the old GWT-based admin console is still available but is now deprecated. You can access it by appending /legacy to the admin URL. However, you should start migrating to the new console as the old one will be removed in a future release.
Does the WildFly 13 upgrade require any changes on my end?
For most users, the upgrade should be transparent. However, if you have custom WildFly extensions or deeply customized standalone.xml configurations, you should test thoroughly as there might be breaking changes in the application server itself.
How do I use the new X509 client authentication?
You need to configure your client to support X509_JWT or X509 as a client authentication method. The client must then present a valid certificate during the token request. The documentation has the specific details on the required setup.
What's the benefit of the promise-based JavaScript adapter?
It modernizes the codebase and allows you to use async/await or .then() for handling authentication flows. This leads to more readable and maintainable code compared to nested callbacks, especially for complex login sequences.
Were there any changes to the account management console?
Yes, the account console received various updates and now includes the ability to view and manage applications that a user has logged into. Like the old admin console, the original account console is now deprecated in favor of the new version.