What Is New in Keycloak 4.4
This release brings a host of new features, significant upgrades to the underlying platform, and a long list of bug fixes. The focus is on enhancing the admin experience and keeping the core dependencies modern.
| Category | Highlights |
|---|---|
| New Features | Admin Events for User Storage SPI, X.509 Authenticator Config, Script-based Authentication, Brokered User ID |
| Improvements | Upgraded to WildFly 14, New Account Console, Client Registration Policies, Performance Optimizations |
| Bug Fixes | Over 150 issues resolved across authentication, authorization, client registration, and social login |
| Deprecations | Old Account Management Console |
What are the major new features in the admin interface?
The biggest admin-facing change is the introduction of Admin Events for the User Storage SPI. Actions performed by a custom user storage provider, such as creating or updating a user, now generate proper admin events that appear in the admin console and that your event listeners can consume. In practice, this closes a major visibility gap for custom user integrations.
We also got more granular control for the X.509 authenticator. You can now configure it on a per-client basis instead of just at the realm level, which is huge for microservices architectures where each service might have different certificate requirements.
How did the authentication flow get better?
Authenticator executions can now be configured with JavaScript. This allows for highly dynamic authentication logic without needing to write and deploy a full Java-based Authenticator. You just drop a script into the execution.
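As an added example (not from the release notes or the Keycloak project), this is the shape of such a script as Keycloak's own script template lays it out: the server calls `authenticate(context)`, and the script must end by calling either `context.success()` or `context.failure(...)`. The `department` attribute policy and the `makeStubContext` harness are constructed for illustration so the decision logic can be exercised outside the server.

```javascript
// Keycloak injects bindings (`user`, `realm`, `script`, `LOG`) into the script scope and
// exposes Java classes via Java.type(). Outside the server (e.g. running this file in
// Node) they are absent, so fall back to stand-ins and exercise only the decision logic.
var AuthenticationFlowError = (typeof Java !== "undefined")
  ? Java.type("org.keycloak.authentication.AuthenticationFlowError")
  : { INVALID_USER: "INVALID_USER" };
var log = (typeof LOG !== "undefined") ? LOG : console;
// Constructed policy: login succeeds only if the user's `department` attribute is allow-listed.
var ALLOWED_DEPARTMENTS = ["security", "platform"];
// In the server UserModel.getAttribute() returns a java.util.List; the local stub returns
// a plain array. Normalise both to a JS array of strings.
function toArray(values) {
  if (!values) { return []; }
  if (typeof values.size === "function") {
    var out = [];
    for (var i = 0; i < values.size(); i++) { out.push(String(values.get(i))); }
    return out;
  }
  return values;
}
function isAllowed(departments) {
  for (var i = 0; i < departments.length; i++) {
    if (ALLOWED_DEPARTMENTS.indexOf(departments[i]) !== -1) { return true; }
  }
  return false;
}
// Entry point Keycloak calls for a script authenticator execution.
function authenticate(context) {
  var u = context.getUser();
  // No user yet (execution placed before a username form) or no allowed department: fail closed.
  if (!u || !isAllowed(toArray(u.getAttribute("department")))) {
    log.info("department-check: denying login");
    context.failure(AuthenticationFlowError.INVALID_USER);
    return;
  }
  context.success();
}
// Constructed stand-in for AuthenticationFlowContext, used only for local testing.
function makeStubContext(attributes) {
  var ctx = { outcome: null, error: null };
  ctx.getUser = function () {
    return attributes ? { getAttribute: function (name) { return attributes[name] || null; } } : null;
  };
  ctx.success = function () { ctx.outcome = "success"; };
  ctx.failure = function (err) { ctx.outcome = "failure"; ctx.error = err; };
  return ctx;
}
```

Inside Keycloak only `authenticate` is invoked; the stub exists so the same file can be tested locally before it is pasted into an execution.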
For identity brokering, there's a new option to use the broker's internal user ID instead of the username during the first broker login flow. This matters because it avoids collisions when a username coming from the broker already exists in your Keycloak realm.
What underlying platform changes should I be aware of?
The core server was upgraded from WildFly 11 to WildFly 14. This is a significant jump that brings newer versions of Infinispan, Hibernate, and the overall Java EE stack. You'll get performance improvements and better compatibility with modern JDKs.
A new version of the account management console was introduced. The old one is still there but is now deprecated, so start planning your transition to the new UI.
Were there any changes to client registration?
Yes, the client registration policies were expanded. You can now define policies that are scoped to a specific client scope, giving you more fine-grained control over which attributes a client is allowed to have during dynamic registration.
FAQ
Is the WildFly 14 upgrade a breaking change?
It can be. While the goal is backward compatibility, any custom code that relied on internal APIs from the older WildFly 11 stack should be thoroughly tested. Check your custom providers and themes.
How do I start using the new account console?
The new console is available alongside the old one. You can enable it under the Themes tab in your realm settings by selecting "keycloak.v2" for the Account Theme. The old "keycloak" theme is now deprecated.
What's the benefit of Admin Events for User Storage SPI?
It finally provides audit trails for actions taken by your custom user storage providers. Before this, if your custom provider created a user, it was invisible to Keycloak's admin event system. Now you can see and log those actions.
Can I use the new script-based authenticator for production?
Technically yes, but use it for simpler logic. For complex, performance-critical authentication steps, a compiled Java authenticator is still the way to go. The scripting is great for prototyping and simple conditional checks.
Were there any security fixes in this release?
The release notes do not highlight any specific Common Vulnerabilities and Exposures (CVEs), but the release includes general security improvements and fixes, as every release does. Upgrading is recommended to stay on a supported and updated path.