What Is New in Keycloak 8.0
Keycloak 8.0 is a major release focused on modernizing the platform, with significant updates to its architecture, security, and developer experience. The main changes include a shift to a new default distribution and foundational upgrades to its core libraries.
| Category | Key Changes |
|---|---|
| New Features | New default distribution, WildFly 17, Hibernate 5.4, Infinispan 10. |
| Improvements | JavaScript policy support, client registration policies, OpenShift template updates. |
| Deprecations | Legacy WildFly distribution, offline session preloading, some JavaScript policies. |
| Bug Fixes | Numerous fixes across authentication, authorization, and the admin console. |
Why did Keycloak change its default distribution?
The biggest change in 8.0 is the new default distribution, which is now based on WildFly 17. This replaces the older WildFly 10-based distribution that was the previous default. The legacy distribution is still available but is now deprecated.
In practice, this means all new deployments will automatically use the more modern and performant foundation. This upgrade brings along newer versions of Hibernate (5.4) and Infinispan (10), which improve overall stability and capabilities.
What JavaScript policy enhancements were made?
Authorization policies written in JavaScript now have access to the entire authentication context, not just the permission request. This is a powerful upgrade for developers building complex rules.
You can now use the identity, realm, and client objects within your scripts. This matters because it allows for much more granular and context-aware access decisions without needing custom policy providers.
How have client registration policies improved?
The Trusted Hosts client registration policy now supports CIDR notation for defining allowed IP address ranges. This is a more flexible and secure way to whitelist infrastructure compared to simple wildcards.
For example, you can now specify a range like 192.168.1.0/24 instead of listing individual IPs. This simplifies configuration management for dynamic environments, especially in cloud deployments.
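The following added example (not Keycloak's own code) shows how a CIDR-based trusted-hosts list can be reviewed before it is configured, and how an address is matched against it. The function names, the `MIN_PREFIX` thresholds and the sample entries are assumptions made for illustration.

```python
import ipaddress

# Constructed sample list; not taken from any real Keycloak realm.
SAMPLE_TRUSTED = ["192.168.1.0/24", "10.0.0.5", "0.0.0.0/0",
                  "192.168.1.7/24", "2001:db8:10::/48", "not-an-ip"]

# Assumption: prefixes shorter than these are flagged as too broad for review.
MIN_PREFIX = {4: 16, 6: 48}


def parse_entries(entries):
    """Return (networks, findings); findings is a list of (entry, problem)."""
    networks, findings = [], []
    for entry in entries:
        try:
            net = ipaddress.ip_network(entry, strict=True)
        except ValueError:
            try:
                # strict=False masks off host bits, e.g. 192.168.1.7/24
                net = ipaddress.ip_network(entry, strict=False)
            except ValueError:
                findings.append((entry, "not an IP address or CIDR range"))
                continue
            findings.append((entry, f"host bits set, treated as {net}"))
        if net.prefixlen < MIN_PREFIX[net.version]:
            findings.append((entry, f"very broad: {net.num_addresses} addresses"))
        networks.append(net)
    return networks, findings


def is_trusted(client_ip, networks):
    """True if client_ip falls inside any parsed range of the same IP version."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr.version == n.version and addr in n for n in networks)


if __name__ == "__main__":
    nets, problems = parse_entries(SAMPLE_TRUSTED)
    for entry, problem in problems:
        print(f"{entry}: {problem}")
    # 0.0.0.0/0 is in the sample list, so an arbitrary address is accepted.
    print(is_trusted("203.0.113.9", nets))
```

A single overly broad entry such as `0.0.0.0/0` makes every other range in the list irrelevant, which is why the review step flags it before matching is relied on.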
What about OpenShift and Operator support?
The OpenShift v4 template and documentation have been officially updated. This signals better support for running Keycloak in modern, containerized OpenShift environments.
While the core Keycloak Operator is still a separate project, these template updates make it easier to get a standard deployment running smoothly on the platform. It aligns with the community's push towards Kubernetes-native deployments.
FAQ
Is the legacy WildFly distribution being removed in Keycloak 8.0?
No, it is not removed, but it is now deprecated. The legacy distribution (based on WildFly 10) is still available for download, but the new default is based on WildFly 17. You should start migrating to the new default for future-proofing.
What are the breaking changes when upgrading to Keycloak 8.0?
The main breaking change involves JavaScript policies. The $evaluation variable and methods like grant() have been deprecated and replaced with a simpler context.grant() method. You will need to update any custom scripts.
Does the new distribution improve performance?
Yes, indirectly. The move to WildFly 17, Hibernate 5.4, and Infinispan 10 includes numerous under-the-hood performance optimizations and bug fixes from those projects, which should result in a more stable and efficient server.
Can I still use the offline session preloading feature?
This feature has been deprecated in 8.0. The release notes recommend using alternative approaches, as this feature will likely be removed in a future version. You should plan to refactor any dependency on it.
Where can I find the complete list of bug fixes?
The release notes on the official Keycloak website and GitHub release page contain the full, detailed list of over 100 bug fixes and improvements. They cover everything from admin console UI tweaks to core authentication flows.