What Is New in Keycloak 4.6
Keycloak 4.6 delivers a focused update with significant enhancements for OpenID Connect, user management, and infrastructure. This release tightens security and improves the developer experience for building modern authentication flows.
| Category | Highlights |
|---|---|
| New Features | OIDC Logout Token, Account Console themes, X.509 CN mapping |
| Improvements | Performance for many users, Admin Events, CORS origins handling |
| Bug Fixes | Various fixes across the admin console, authentication, and storage |
| Deprecations | JavaScript adapter, Offline session preloading |
What are the key OpenID Connect enhancements?
The major OIDC update is support for Logout Tokens as defined by the OpenID Connect Back-Channel Logout specification. This allows for more robust and secure session termination across distributed services.
In practice, when a user logs out of one application, the Keycloak server can now send a signed JWT (a Logout Token) to other applications the user is logged into, instructing them to invalidate the local session. This is a cleaner and more reliable mechanism than previous approaches.
How is user management improved?
User lookup and management receive a significant performance boost, especially for realms containing hundreds of thousands of users. The underlying queries have been optimized to handle large datasets more efficiently.
For credential handling, you can now map X.509 certificate Common Names (CN) directly to user attributes. This simplifies configurations where certificates are a primary authentication method, removing the need for complex custom mappers.
What changes were made to the Admin Console and events?
The Account Management console now supports custom themes. This means the user-facing account pages can be fully branded to match your application's look and feel, providing a seamless experience.
Admin Events have been enhanced to include more contextual information. This is crucial for auditing and debugging, as you get a clearer picture of what changes were made and by whom.
Are there any important deprecations to know about?
Yes, the legacy JavaScript adapter has been officially deprecated. You should plan to migrate to the newer Keycloak JavaScript adapter, which follows current standards and is actively maintained.
Additionally, the feature that preloads offline sessions is now deprecated. It was tied to offline tokens; removing it simplifies token management and favours more stateless architectures.
FAQ
What exactly is a Logout Token and how do I use it?
A Logout Token is a specially formatted JWT that Keycloak sends to a client's back-channel logout endpoint. It contains claims about the user's session being terminated. To use it, your client application must implement an endpoint to receive and validate this token and then clear the local user session.
Will the X.509 CN mapping break my existing configuration?
No, this is an additive feature. Your existing X.509 configurations will continue to work unchanged. The new mapping provides an alternative, often simpler, way to link a certificate to a user account.
Why was the JavaScript adapter deprecated?
The old adapter relied on outdated patterns and libraries. The new JavaScript adapter offers a more modern, promise-based API, better security practices, and is aligned with current web development standards, making it easier to integrate into new applications.
How significant are the performance improvements for large user bases?
They are substantial for administrative tasks. Operations like listing users, searching, and filtering in the admin console will see noticeably faster response times in realms with a very high number of user entities, reducing management overhead.
Is the Offline session preloading feature being removed entirely?
It is deprecated, meaning it's still available in 4.6 but will likely be removed in a future major release. You should audit your clients to see if they rely on offline tokens and ensure they handle the eventual removal gracefully.