What Is New in Keycloak 7.0
Keycloak 7.0 is a sizeable release centred on a modernised admin console and tighter transport-security defaults. It streamlines user management and ships stricter settings out of the box, so a fresh installation starts from a safer baseline than earlier versions did.
| Category | Key Changes |
|---|---|
| New Features | New Admin UI, OpenShift Token Review API, Client Policies (Tech Preview) |
| Improvements | Updated account console, Node.js adapter updates, Infinispan cache improvements |
| Security | Default TLS v1.2+, removal of disabled cipher suites, secure session cookie flags |
| Deprecations & Removals | Old admin console, WildFly 14 support, some social identity providers |
| Bug Fixes | Numerous fixes across authentication, authorization, and user federation |
What is the new Keycloak 7.0 admin console?
The old AngularJS-based admin console has been completely replaced with a new React-based one. This is the most visible change in 7.0, offering a modern and more responsive user interface for managing your realm.
In practice, the navigation and layout are significantly improved, making it easier to find settings. The old console is still accessible but is now deprecated and will be removed in a future release.
How did Keycloak 7.0 improve security?
This release tightens the security defaults considerably. The most important change is that TLS v1.2 is now the minimum protocol version accepted by the server: TLS v1.0 and v1.1 are disabled by default rather than merely discouraged.
Cipher suites that were previously only disabled have been removed from the shipped configuration altogether, so a stray edit cannot quietly re-enable them. Session cookies now carry the SameSite attribute, which stops browsers from attaching them to most cross-site requests and narrows the window for cross-site request forgery. Together these give a much stronger baseline immediately after installation; you still need a trusted certificate, a sane cipher list and a reverse proxy that preserves the original scheme, but you no longer have to hunt down legacy protocol settings first.
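Keycloak 7.0 runs on WildFly, so the listener that actually terminates TLS is the undertow https-listener in standalone.xml. The fragment below is an added example, not configuration shipped by the project: it shows a legacy override that still admits TLS 1.0/1.1 beside the hardened form that matches the new minimum. The attribute names enabled-protocols and enabled-cipher-suites are real undertow attributes; the listener and realm names, the surrounding elements and the cipher list are assumptions chosen for illustration. TLSv1.3 only works if the JVM supports it (JDK 11 or later); on JDK 8 drop that token.

```xml
<!-- Added example, not Keycloak's shipped configuration. Enclosing <subsystem> element elided. -->
<server name="default-server">

    <!-- WEAK: an inherited override that still negotiates TLS 1.0 and 1.1.
         Anything a client is willing to offer in this list can be selected. -->
    <https-listener name="https" socket-binding="https"
                    security-realm="ApplicationRealm" enable-http2="true"
                    enabled-protocols="TLSv1 TLSv1.1 TLSv1.2"/>

    <!-- HARDENED: only TLS 1.2 and 1.3, with an explicit AEAD-only cipher list
         (cipher names are illustrative; TLS 1.3 entries need JDK 11+). -->
    <https-listener name="https" socket-binding="https"
                    security-realm="ApplicationRealm" enable-http2="true"
                    enabled-protocols="TLSv1.2 TLSv1.3"
                    enabled-cipher-suites="TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"/>

</server>
```

Only one https-listener with a given name can exist; the two are shown together purely for comparison. After restarting, confirm the change from the outside rather than trusting the file: `openssl s_client -connect sso.example.com:8443 -tls1_1` should fail with a handshake error, while the same command with `-tls1_2` should complete and print the negotiated cipher. If a reverse proxy terminates TLS in front of Keycloak, apply the same minimum there, since that is the endpoint clients actually negotiate with.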
What was deprecated or removed in version 7.0?
Keycloak 7.0 cleans up the codebase by removing several outdated features. Support for WildFly 14 has been dropped, and the platform now requires WildFly 16 or later.
Specific social identity providers like StackOverflow, LinkedIn, Microsoft Graph, and PayPal were removed due to API changes or lack of usage. The message bundle for the old admin console is also gone.
What are the new Client Policies in Keycloak 7?
Client Policies have been introduced as a tech preview feature. This allows administrators to define global rules that enforce specific security settings on client applications, such as requiring certain authentication methods.
Since it's a preview, it's not recommended for production yet, but it lays the groundwork for more centralized and automated client security management. This is a step beyond per-client configuration.
Did the Node.js adapter get any updates?
Yes, the Node.js adapter received important improvements. It now supports the verify-token-audience setting. When it is enabled, the adapter checks that the access token's aud claim contains the adapter's own client ID; without that check, a valid token issued for some other client in the same realm would be accepted by your service as well.
They also fixed an issue with the always-refresh-token functionality. For developers using Keycloak with Node.js, these updates make the adapter more reliable and secure; turn on verify-token-audience for any service that accepts bearer tokens, and make sure the realm actually puts your client ID in the audience (via an audience mapper or client scope), or every request will be rejected.
FAQ
Is the old admin console completely gone in Keycloak 7.0?
No, it's not gone yet but it is deprecated. You can still access it by appending /legacy to the admin console URL. However, you should start migrating to the new React-based console as the old one will be removed in a future version.
Why did Keycloak remove support for TLS v1.1?
TLS v1.1 (like v1.0) is obsolete: it has no AEAD cipher suites, its handshake integrity relies on MD5/SHA-1-based constructions, and it has been formally deprecated by the IETF in RFC 8996. Disabling it by default means only TLS v1.2 or higher can be negotiated with the server, which removes a whole class of downgrade and legacy-cipher issues from the picture immediately after setup.
What happened to the LinkedIn social identity provider?
The LinkedIn social identity provider was removed because of changes to LinkedIn's API. After upgrading you will need a replacement: either a generic OpenID Connect identity provider, if LinkedIn's current endpoints expose what Keycloak needs, or a custom identity provider extension that speaks LinkedIn's OAuth 2.0 flow. Existing users who were linked via the old provider will keep their federated identity records, so verify that the new provider maps to the same user IDs before you cut over.
What is the OpenShift Token Review API feature used for?
This feature lets Keycloak validate service account tokens issued by OpenShift by submitting them to OpenShift's TokenReview API and acting on the authenticated identity it returns. It is mainly useful on OpenShift or other Kubernetes platforms where workloads already hold platform-issued service account tokens and you want Keycloak to accept those rather than manage a parallel set of credentials.
Are Client Policies ready for production use?
No, Client Policies are marked as a tech preview in Keycloak 7.0. This means they are available for testing and evaluation, but you should not rely on them for production environments until the feature is declared stable in a future release.