9.0.3

Latest release in branch 9.0
Released 6 years ago (March 27, 2020)

Software: Keycloak
Branch: 9.0
Status: End of life
End of life: April 29, 2020
First official release version: 9.0.0
First official release date: 6 years ago (February 17, 2020)
Requirement: Java 8
Release notes: https://github.com/keycloak/keycloak/releases/tag/9.0.3
Source code: https://github.com/keycloak/keycloak/tree/9.0.3
Documentation: https://github.com/keycloak/keycloak/tree/9.0.3/docs

What Is New in Keycloak 9.0

Keycloak 9.0 is a significant maintenance release focused on dependency upgrades, security patches, and foundational improvements. It sets the stage for future features rather than introducing a long list of user-facing changes.

Category: Summary
Dependency Upgrades: Major updates to WildFly 18, Hibernate 5.4, and Infinispan 10.
Security: Patches for several vulnerabilities, including a critical OpenID Connect logout flaw.
Deprecations: Legacy account management console and JavaScript adapter are now deprecated.
Improvements: Enhancements to the new account console, performance, and internal architecture.
Bug Fixes: A number of issues resolved across authentication, authorization, and client registration.

Why did Keycloak upgrade its core dependencies?

The primary driver was to keep the platform secure, stable, and aligned with modern Java ecosystem standards. Upgrading WildFly to version 18 and Infinispan to version 10 provides critical security patches, performance optimizations, and bug fixes from those upstream projects.

In practice, this means your Keycloak 9.0 instance runs on a more robust and secure application server foundation. The Hibernate 5.4 upgrade also brings improvements in database interaction efficiency and compatibility.

What security vulnerabilities were addressed?

This release patches multiple security issues. The most critical one is related to the OpenID Connect RP-Initiated Logout mechanism, which could potentially be exploited under specific conditions.

Other fixes include patches for open redirects and other flaws that required prior authentication. Always review the security advisories for your specific deployment to understand the full impact and necessary actions.

Is the old account console going away?

Yes, the legacy account management console is now officially deprecated. The focus has completely shifted to the new account console that was introduced in earlier versions.

You should start migrating any customizations to the new console. The legacy one will be removed in a future release, so this is a heads-up to update your workflows and scripts.

Should I still use the JavaScript adapter?

No, the legacy JavaScript adapter (keycloak.js) is deprecated. The team recommends using the newer JavaScript adapter (keycloak-js) available via npm.

The new library is more actively maintained, follows modern standards, and receives regular updates. If you're starting a new project or maintaining an existing one, switch to the keycloak-js package.

FAQ

Is Keycloak 9.0 a feature-heavy release?
No, it's primarily a maintenance and security release. The main changes are under-the-hood dependency upgrades and security patches, making it a crucial update for stability rather than one packed with new functionalities.

What is the impact of the WildFly 18 upgrade?
You get all the benefits of a newer application server, including security fixes, performance tweaks, and better support for newer JDK versions. It's a foundational upgrade that improves the overall platform your Keycloak server runs on.

How urgent is the logout vulnerability patch?
If you are using OpenID Connect RP-Initiated Logout, applying this update should be a priority. The advisory rates it as critical, so upgrading mitigates a potential security risk in your authentication flow.

Can I still use the deprecated account console?
Yes, for now. It's still present in 9.0 but marked for removal. You should begin testing and transitioning to the new account console to avoid disruptions when the legacy one is eventually removed.

Where do I get the new JavaScript adapter?
The modern keycloak-js adapter is available on npm. You can install it using npm install keycloak-js or include it via a CDN, which is the recommended approach for new client applications.

Releases In Branch 9.0

Version: Release date
9.0.3: 6 years ago (March 27, 2020)
9.0.2: 6 years ago (March 24, 2020)
9.0.0: 6 years ago (February 17, 2020)