Project post by Alexander Schwartz, Keycloak Maintainer

Keycloak brings scalable and customizable authentication to your environment! The team is thrilled to announce the release of Keycloak 26 which again improves its authentication features for its growing community. It also simplifies an admin’s activities to customize, run, and upgrade Keycloak deployments. Keycloak continues to be a cornerstone of self-hosted security stacks and integrates well with other components by supporting open standards. 

Celebrate this release with us at KubeCon North America! Join Keycloak team members to discuss all things Keycloak at the Project pavilion on November 13-15, 2024 (open during the afternoons). For those interested in highly available architectures, come see our talk on Running a Highly Available Identity and Access Management with Keycloak by Ryan Emerson and Kamesh Akella on Friday 4:55pm MST.

Keycloak has four feature releases a year. Read on to learn what's new in the latest release, 26, published in October this year.

Simplified running and upgrading of Keycloak

With Keycloak being a security product, it is essential to keep it up-to-date and simple to operate. This release minimizes downtime, reduces memory footprint, and improves the tooling for troubleshooting.

In this release we added the following features: 

This release is also the first of a series of minor releases which will ship all potentially breaking changes as opt-in. This gives administrators a seamless, fast upgrade path to stay on par with security fixes, with the option to enable new features or migrate configurations at a later time.

Managing authentication across organizations

When you host an application, you often want to scale it beyond the users in your organization. This becomes even more important when you want to offer your application as a software-as-a-service to the employees of other companies or organizations. 

The good news is that all those other employees already have credentials they use every day, issued by their organizations. So how do you use these credentials to authenticate those users when they want to use your application? For many years, Keycloak offered Identity Brokerage, so you could leverage a SAML or OpenID Connect service to authenticate those users. 

With Keycloak 26, we simplified this setup and ensured that it scales even better than before. By introducing organizations as their own entity, you can now associate email domains with identity providers and the users of that organization. Admins can create, disable, and remove organizations and invite users. Users can log in with their email address, authenticate with the Identity Provider of their company, and are then forwarded to the application they want to access. Applications know which organizations a user belongs to, and can adjust which data they provide access to. 

This simplifies business-to-business (B2B) and business-to-business-to-customer (B2B2C) setups with Keycloak, and enables Customer Identity and Access Management (CIAM) and multi-tenancy. Onboard new organizations in minutes, independent of the number of users in that organization. 

Updated Passkeys authentication features

Keycloak offers password-based and password-less authentication. In addition to the classic username and password, it offers second-factor authentication using time-based tokens. For password-less authentication, it offers Kerberos, X.509 certificates (for example, smart cards), and WebAuthn.

In Keycloak 26, we again updated the Passkeys features of Keycloak. Passkeys are the modern standard for passwordless authentication, based on WebAuthn technologies. Keycloak continues to implement features of this evolving standard, and includes it as a preview feature. A recent addition is the conditional flow, which improves the user experience: the browser prompts the user with the right credential to authenticate with.
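As an added illustration of the conditional flow mentioned above (generic browser-side WebAuthn code, not Keycloak's login theme; the form id, relying-party id and base64url challenge encoding are assumptions), this is how a login page asks the browser to offer passkeys through the username field's autofill instead of a modal dialog:

```javascript
// Assumed: the username <input> carries autocomplete="username webauthn", which is what
// lets the browser surface discoverable passkeys in the autofill drop-down.

// Decode a base64url string (the usual wire encoding for WebAuthn challenges) into bytes.
function base64urlToBytes(b64url) {
  const b64 = b64url.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bin = typeof atob === "function"
    ? atob(padded)
    : Buffer.from(padded, "base64").toString("binary");
  return Uint8Array.from(bin, (c) => c.charCodeAt(0));
}

// Build the navigator.credentials.get() options. mediation "conditional" means: do not show
// a modal, just make the passkeys for rpId selectable from the username field's autofill.
function buildConditionalGetOptions(challengeB64url, rpId, signal) {
  return {
    publicKey: {
      challenge: base64urlToBytes(challengeB64url),
      rpId,
      userVerification: "preferred",
      // No allowCredentials: the browser lists whatever discoverable credentials it holds for rpId.
    },
    mediation: "conditional",
    signal,
  };
}

// Resolves to the assertion when the browser supports conditional mediation and the user picked
// a passkey; resolves to null when the feature is unavailable or the user chose another method,
// so the regular username/password form keeps working as the fallback.
async function startConditionalPasskeyLogin(challengeB64url, rpId) {
  if (typeof PublicKeyCredential === "undefined" ||
      typeof PublicKeyCredential.isConditionalMediationAvailable !== "function") return null;
  if (!(await PublicKeyCredential.isConditionalMediationAvailable())) return null;
  // Abort the pending passkey request if the user submits the classic form instead.
  const controller = new AbortController();
  document.querySelector("form#login")?.addEventListener("submit", () => controller.abort());
  try {
    return await navigator.credentials.get(
      buildConditionalGetOptions(challengeB64url, rpId, controller.signal));
  } catch (e) {
    if (e.name === "AbortError") return null;
    throw e; // NotAllowedError etc. should be shown to the user, not swallowed
  }
}
```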

Evolving OpenID Connect Functionality 

While OpenID Connect is a standard, it continues to evolve to cover more requirements of different industries, ranging from e-commerce to banking.

This release of Keycloak includes improvements in the following areas:

A big thank-you to everyone who contributed to this, especially in the Keycloak OAuth Special Interest Group! Join their channel #keycloak-oauth-sig on the CNCF Slack to hear the latest news and contribute to their efforts.

Fast-forward to the next releases

Work on the next feature release, which is scheduled for January 2025, is already underway. Some enhancements, like simplified node discovery for cloud and non-cloud environments, are already available in our nightly release. Try them out in a development environment and provide us with feedback on our mailing list! The work on our 2025 roadmap is underway, and we hope to publish it soon.