What Is New in Keycloak 4.8
This release delivers a mix of new features, significant improvements, and essential fixes. The focus is on enhancing the admin experience, expanding protocol support, and refining core functionality.
| Category | Key Highlights |
|---|---|
| New Features | Partial import, LDAPv3 password modify extension, OAuth 2.0 Device Authorization Grant. |
| Improvements | Admin Console UI refresh, performance upgrades, and enhanced client registration policies. |
| Bug Fixes | Over 100 issues resolved across authentication, authorization, and identity brokering. |
| Deprecations | JavaScript adapter is now deprecated. |
What are the major admin UI changes?
The Admin Console received a visual overhaul for a more modern and usable experience. This update streamlines navigation and improves the overall look and feel for managing realms, clients, and users.
In practice, this makes daily administrative tasks smoother. The refreshed interface is part of an ongoing effort to modernize the Keycloak management tools.
How does the partial import feature work?
You can now perform a partial import of a realm configuration JSON file. This allows you to selectively bring in users, clients, and other entities without replacing the entire realm.
This is a game-changer for scripting and automating specific configurations. Instead of a full overwrite, you can surgically add new clients or identity providers to an existing realm.
What protocol updates should I know about?
Keycloak 4.8 adds support for the OAuth 2.0 Device Authorization Grant (RFC 8628). This protocol is essential for authorizing devices with limited input capabilities, like smart TVs or CLI tools.
For LDAP integrations, the LDAPv3 Password Modify Extended Operation is now supported. This provides a more standardized method for password changes against an LDAP server compared to the older method of using a regular LDAP modify operation.
What performance improvements were made?
This release includes several under-the-hood optimizations. A notable change is the removal of the double-checked locking initialization for HTTP client connections, which improves startup time and resource handling.
Client registration policies were also enhanced for better performance and flexibility when dynamically registering new clients. These tweaks help Keycloak handle larger loads more efficiently.
Is the JavaScript adapter still supported?
The legacy JavaScript adapter has been officially deprecated in this release. The recommendation is to migrate to the newer Keycloak JavaScript adapter, which is better maintained and offers improved security and features.
You should plan to update your client-side integration code. The new library provides a more robust and future-proof way to secure your JavaScript applications.
FAQ
We use the old JavaScript adapter. What should we do?
Start planning a migration to the new Keycloak JavaScript adapter. The old one is now deprecated, meaning it will not receive new features and will eventually be removed. The new adapter provides a better foundation for secure applications.
How do we implement a device flow login (like on a Smart TV)?
Use the newly supported OAuth 2.0 Device Authorization Grant. This allows a device to display a code for the user to enter on a separate device (like their phone) to complete the authentication flow, perfect for input-constrained environments.
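The exchange behind this answer and the protocol section above, simulated end to end as an added example (not Keycloak code): an in-memory authorization server issues the device and user codes, the device polls the token endpoint, and the RFC 8628 error codes (`authorization_pending`, `slow_down`, `expired_token`, `access_denied`) drive the device's back-off. The endpoint paths and the `grant_type` URI are assumptions matching RFC 8628 and Keycloak's usual layout; the verification URI and client ids are constructed.

```python
"""Offline simulation of the OAuth 2.0 Device Authorization Grant (RFC 8628).

Added example, not Keycloak's implementation. Both sides of the exchange are
modelled in memory so the state machine can be run without a server.
"""
import secrets

GRANT_TYPE = "urn:ietf:params:oauth:grant-type:device_code"
# Assumed Keycloak endpoint paths, relative to the server base URL.
DEVICE_ENDPOINT = "/realms/{realm}/protocol/openid-connect/auth/device"
TOKEN_ENDPOINT = "/realms/{realm}/protocol/openid-connect/token"


class AuthorizationServer:
    """In-memory stand-in for the server side of the device grant."""

    def __init__(self, interval=5, lifetime=600):
        self.interval = interval      # minimum seconds between polls
        self.lifetime = lifetime      # seconds until the codes expire
        self.pending = {}             # device_code -> authorization record

    def device_authorization(self, client_id, scope, now):
        # device_code is an opaque high-entropy secret; user_code is typed by a
        # human, so it is short and drawn from an unambiguous alphabet.
        device_code = secrets.token_urlsafe(32)
        alphabet = "BCDFGHJKLMNPQRSTVWXZ"
        user_code = "".join(secrets.choice(alphabet) for _ in range(8))
        self.pending[device_code] = {
            "client_id": client_id, "scope": scope, "user_code": user_code,
            "expires": now + self.lifetime, "last_poll": None, "status": "pending",
        }
        return {
            "device_code": device_code,
            "user_code": user_code,
            "verification_uri": "https://auth.example.test/realms/demo/device",  # constructed
            "expires_in": self.lifetime,
            "interval": self.interval,
        }

    def user_decides(self, user_code, approve):
        """The human, on a second device, approves or denies the user_code."""
        for rec in self.pending.values():
            if rec["user_code"] == user_code and rec["status"] == "pending":
                rec["status"] = "approved" if approve else "denied"
                return True
        return False

    def token(self, client_id, device_code, grant_type, now):
        """Token endpoint: returns a token or one of the RFC 8628 error codes."""
        if grant_type != GRANT_TYPE:
            return {"error": "unsupported_grant_type"}
        rec = self.pending.get(device_code)
        if rec is None or rec["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if now > rec["expires"]:
            del self.pending[device_code]
            return {"error": "expired_token"}
        last, rec["last_poll"] = rec["last_poll"], now
        if last is not None and now - last < self.interval:
            return {"error": "slow_down"}       # client must back off
        if rec["status"] == "pending":
            return {"error": "authorization_pending"}
        del self.pending[device_code]           # device_code is single use
        if rec["status"] == "denied":
            return {"error": "access_denied"}
        return {"access_token": secrets.token_urlsafe(24),
                "token_type": "Bearer", "scope": rec["scope"]}


class FakeClock:
    """Deterministic clock so the polling schedule can be checked."""
    def __init__(self):
        self.t = 0
    def now(self):
        return self.t
    def advance(self, seconds):
        self.t += seconds


def device_client(server, client_id, clock, user_acts, max_polls=20):
    """Device side: obtain codes, show them, poll with back-off until a final reply.

    user_acts(server, user_code, now) models what the human does in the meantime.
    Returns the final reply and the sequence of responses seen while polling.
    """
    grant = server.device_authorization(client_id, "openid", clock.now())
    interval = grant["interval"]
    print(f"Go to {grant['verification_uri']} and enter code {grant['user_code']}")
    log = []
    for _ in range(max_polls):
        user_acts(server, grant["user_code"], clock.now())
        clock.advance(interval)
        reply = server.token(client_id, grant["device_code"], GRANT_TYPE, clock.now())
        if "access_token" in reply:
            log.append("access_token")
            return reply, log
        log.append(reply["error"])
        if reply["error"] == "slow_down":
            interval += 5                       # RFC 8628 section 3.5
        elif reply["error"] != "authorization_pending":
            return reply, log                   # hard error: stop polling
    return {"error": "timeout"}, log


def approve_after(seconds):
    """User model: approves the code once the clock reaches `seconds`."""
    def act(server, user_code, now):
        if now >= seconds:
            server.user_decides(user_code, approve=True)
    return act


if __name__ == "__main__":
    reply, log = device_client(AuthorizationServer(), "tv-app", FakeClock(), approve_after(12))
    print(log, reply["token_type"])
```

The point to take from the simulation is on the device side: the only error a client should keep polling through is `authorization_pending` (and `slow_down`, after widening the interval); anything else ends the flow, and a real server also ties the `device_code` to the `client_id` that requested it and invalidates it after one use.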
Can we add new clients to a realm without a full import?
Yes, the new partial import feature is designed for this exact scenario. You can create a JSON file with just the new client definitions and import it, leaving the rest of your realm configuration intact.
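Scripting the scenario from this answer and from the partial import section above, as an added example that is not part of Keycloak's tooling: diff a realm export against the clients you want, keep only the ones that are missing, lint their redirect URIs, and send the result to the admin partial-import endpoint. It assumes the admin REST call `POST /admin/realms/{realm}/partialImport` with an `ifResourceExists` policy of `FAIL`, `SKIP` or `OVERWRITE`; the realm export, client definitions and hostnames are constructed.

```python
"""Build and send a Keycloak partial-import payload containing only new clients.

Added example, not Keycloak's own code. Assumes the admin REST endpoint
POST /admin/realms/{realm}/partialImport and the ifResourceExists policy names.
"""
import json
import urllib.request

POLICIES = ("FAIL", "SKIP", "OVERWRITE")

# Constructed sample: a trimmed realm export and the clients we would like to exist.
EXISTING_REALM = {
    "realm": "demo",
    "clients": [{"clientId": "account"}, {"clientId": "web-portal"}],
}
DESIRED_CLIENTS = [
    {"clientId": "web-portal", "redirectUris": ["https://portal.example.test/*"]},
    {"clientId": "reports-api", "publicClient": False,
     "redirectUris": ["https://reports.example.test/cb"]},
    {"clientId": "kiosk", "publicClient": True,
     "redirectUris": ["*", "http://kiosk.example.test/cb"]},
]


def select_new_clients(existing_export, desired_clients):
    """Keep only clients whose clientId is not already present in the export."""
    present = {c["clientId"] for c in existing_export.get("clients", [])}
    return [c for c in desired_clients if c["clientId"] not in present]


def lint_client(client):
    """Flag redirect URI settings that widen the attack surface before importing."""
    problems = []
    for uri in client.get("redirectUris", []):
        if uri in ("*", "/*"):
            problems.append(f"{client['clientId']}: wildcard redirect URI {uri!r} "
                            "lets any site receive authorization responses")
        elif uri.startswith("http://") and not uri.startswith("http://localhost"):
            problems.append(f"{client['clientId']}: plaintext redirect URI {uri!r}")
    return problems


def build_partial_import(clients=(), identity_providers=(), if_resource_exists="FAIL"):
    """Assemble the partial-import body; only the sections given are touched."""
    if if_resource_exists not in POLICIES:
        raise ValueError(f"ifResourceExists must be one of {POLICIES}")
    payload = {"ifResourceExists": if_resource_exists}
    if clients:
        payload["clients"] = list(clients)
    if identity_providers:
        payload["identityProviders"] = list(identity_providers)
    return payload


def partial_import(base_url, realm, access_token, payload):
    """POST the payload to the admin API (assumed endpoint); returns the JSON reply."""
    req = urllib.request.Request(
        f"{base_url}/admin/realms/{realm}/partialImport",
        data=json.dumps(payload).encode("utf-8"),
        method="POST",
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def plan_import(existing_export, desired_clients, policy="FAIL"):
    """Return (payload, problems): the body to send and any lint findings."""
    new_clients = select_new_clients(existing_export, desired_clients)
    problems = [p for c in new_clients for p in lint_client(c)]
    return build_partial_import(clients=new_clients, if_resource_exists=policy), problems


if __name__ == "__main__":
    payload, problems = plan_import(EXISTING_REALM, DESIRED_CLIENTS)
    print(json.dumps(payload, indent=2))
    for p in problems:
        print("WARNING:", p)
```

`FAIL` is the safest default for automation: the import aborts if a client already exists instead of silently overwriting a hand-tuned definition, and the lint step catches the wildcard redirect before it ever reaches the realm.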
Did anything change with LDAP password updates?
Yes, if your LDAP server supports it, you can now use the standard LDAPv3 Password Modify Extended Operation for changing passwords. This is a more reliable method than the previous approach and is supported by servers like Active Directory.
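To make concrete what the LDAP section above and this answer mean by the extended operation, here is an added example (not Keycloak's LDAP code) that encodes and decodes the Password Modify request and response values defined in RFC 3062, the operation Keycloak would send instead of a plain modify of `userPassword`. No LDAP connection is opened; the DN and passwords are constructed sample values.

```python
"""Encode/decode the LDAPv3 Password Modify extended operation (RFC 3062).

Added example, not Keycloak's implementation. It shows the BER value that
travels inside an LDAP ExtendedRequest with OID 1.3.6.1.4.1.4203.1.11.1.

  PasswdModifyRequestValue ::= SEQUENCE {
      userIdentity [0] OCTET STRING OPTIONAL,
      oldPasswd    [1] OCTET STRING OPTIONAL,
      newPasswd    [2] OCTET STRING OPTIONAL }
  PasswdModifyResponseValue ::= SEQUENCE {
      genPasswd    [0] OCTET STRING OPTIONAL }
"""

PASSWD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"
REQUEST_TAGS = {0x80: "userIdentity", 0x81: "oldPasswd", 0x82: "newPasswd"}


def _ber_length(n):
    """Definite-form BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, value):
    return bytes([tag]) + _ber_length(len(value)) + value


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the element starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


def encode_passwd_modify_request(user_identity=None, old_passwd=None, new_passwd=None):
    """Build the request value; every field is optional per RFC 3062."""
    parts = b""
    for tag, field in ((0x80, user_identity), (0x81, old_passwd), (0x82, new_passwd)):
        if field is not None:
            parts += _tlv(tag, field.encode("utf-8"))
    return _tlv(0x30, parts)


def decode_passwd_modify_request(data):
    """Parse a request value back into a dict of the fields present."""
    tag, body, end = _read_tlv(data, 0)
    if tag != 0x30 or end != len(data):
        raise ValueError("not a PasswdModifyRequestValue")
    out, pos = {}, 0
    while pos < len(body):
        t, v, pos = _read_tlv(body, pos)
        if t not in REQUEST_TAGS:
            raise ValueError(f"unexpected tag {t:#x}")
        out[REQUEST_TAGS[t]] = v.decode("utf-8")
    return out


def decode_passwd_modify_response(data):
    """Return the server-generated password, or None when the value is absent."""
    if not data:
        return None
    tag, body, end = _read_tlv(data, 0)
    if tag != 0x30 or end != len(data):
        raise ValueError("not a PasswdModifyResponseValue")
    if not body:
        return None
    t, v, _ = _read_tlv(body, 0)
    if t != 0x80:
        raise ValueError(f"unexpected tag {t:#x}")
    return v.decode("utf-8")


if __name__ == "__main__":
    req = encode_passwd_modify_request(
        "uid=alice,ou=people,dc=example,dc=test", "old-secret", "new-secret")  # constructed
    print(req.hex())
    print(decode_passwd_modify_request(req))
```

The practical difference from the older approach is where the policy runs: with the extended operation the directory server receives the cleartext candidate, applies its own password policy and chooses the storage hash, whereas a plain modify of `userPassword` stores whatever value the client sends, so the server never sees the change as a password change.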
Were there any fixes for identity brokering?
Absolutely. Several bugs related to identity brokering were squashed, including issues with first broker login flows and user attribute mapping. This improves the reliability of integrating with external identity providers like Google or Facebook.