Project post by Alexander Schwartz, Keycloak Maintainer
Keycloak brings scalable and customizable authentication to your environment! The team is thrilled to announce the release of Keycloak 26 which again improves its authentication features for its growing community. It also simplifies an admin’s activities to customize, run, and upgrade Keycloak deployments. Keycloak continues to be a cornerstone of self-hosted security stacks and integrates well with other components by supporting open standards.
Celebrate this release with us at KubeCon North America! Join Keycloak team members to discuss all things Keycloak at the Project pavilion on November 13-15, 2024 (open during the afternoons). For those interested in highly available architectures, come see our talk on Running a Highly Available Identity and Access Management with Keycloak by Ryan Emerson and Kamesh Akella on Friday 4:55pm MST.
Keycloak has four feature releases a year. Read on to learn what’s new in the latest release, Keycloak 26, published in October this year.
Simplified running and upgrading of Keycloak
With Keycloak being a security product, it is essential to keep it up-to-date and simple to operate. This release minimizes downtimes, reduces memory footprint, and improves on tooling for troubleshooting.
In this release we added the following features:
- Certificate hot-reloading for TLS server certificates: This removes the need for rolling restarts and increases uptime.
- Persisting information about logged in users to the database: This enables millions of long-running sessions that survive restarts and upgrades of Keycloak and reduces the memory usage.
- Standardized bootstrapping of admin users: Even when previous admin credentials were lost, this provides a safe and secure way to regain access to your Keycloak instance.
- Advanced high-availability concepts: We now support serving traffic from multiple availability zones in a region, which will boost the availability of your deployments. This comes with extensive blueprints and operational guides for switch-over and failback.
- OpenTelemetry tracing: This is now built into Keycloak as a preview feature and helps you find the root causes of slow and failing requests. This is invaluable for investigating incidents and optimizing your production environment.
This release is also the first of a series of minor releases which will ship all potentially breaking changes as opt-in. This allows administrators a seamless and fast upgrade to stay current with security fixes, with the option to enable new features or migrate configurations at a later time.
Managing authentication across organizations
When you host an application, you often want to scale it beyond the users in your organization. This becomes even more important when you want to offer your application as a software-as-a-service to the employees of other companies or organizations.
The good news is that all those other employees already have credentials they use every day, issued by their organizations. So how do you use these credentials to authenticate those users when they want to use your application? For many years, Keycloak offered Identity Brokerage, so you could leverage a SAML or OpenID Connect service to authenticate those users.
With Keycloak 26, we simplified this setup and ensured that it scales even better than before. By introducing organizations as their own entity, you can now associate email domains with identity providers and the users of that organization. Admins can create, disable, and remove organizations and invite users. Users can log in with their email address, authenticate with the Identity Provider of their company, and are then forwarded to the application they want to access. Applications know which organizations a user belongs to, and can adjust which data they provide access to.
This simplifies business-to-business (B2B) and business-to-business-to-customer (B2B2C) setups with Keycloak, and enables Customer Identity and Access Management (CIAM) and multi-tenancy. Onboard new organizations in minutes, independent of the number of users in that organization.
Updated Passkeys authentication features
Keycloak offers password-based and password-less authentication. In addition to the classic username and password, it offers second-factor authentication using time-based tokens. For password-less authentication, it offers Kerberos, X.509 certificates (for example smart cards), and WebAuthn.
In Keycloak 26, we again updated the Passkeys features of Keycloak. Passkeys are the modern standard for passwordless authentication, built on WebAuthn technologies. Keycloak continues to implement features of this evolving standard, and includes it as a preview feature. A recent addition is the conditional flow, which improves the user experience, as the browser prompts the user for the right credential to authenticate with.
Evolving OpenID Connect Functionality
While OpenID Connect is a standard, it continues to evolve to cover more requirements of different industries, ranging from e-commerce to banking.
This release of Keycloak includes improvements in the following areas:
- Elliptic curve cryptography: Survive the post-quantum cryptography apocalypse, as this release adds support for Elliptic Curve Diffie-Hellman Ephemeral Static (ECDH-ES) in token headers.
- Demonstrating Proof-of-Possession (DPoP): Allow clients to present tokens that can’t be spoofed and used outside of the current client’s session. This is a significant improvement compared to standard bearer tokens. It is now supported on all grant types and the user info endpoint, and continues to be a preview feature.
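To make the DPoP guarantee above concrete, here is an added example (written for this post; it is not Keycloak's code and does not use Keycloak's APIs) of what sender-constrained tokens mean in practice on the resource-server side. A client builds a DPoP proof JWT for one request with its own private key, and the resource server checks that the key in the proof is the key the access token was issued to (its RFC 7638 thumbprint must equal the token's `cnf.jkt` claim), that the proof is for this exact method and URI, that it is fresh, that it is bound to this access token (`ath`), and that its `jti` has not been seen before. The access token string, the request URI and the acceptance window are constructed values; `expectedJKT` is assumed to have been taken from the access token by the server's normal JWT validation, which is not shown.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// b64 is base64url without padding, the encoding JOSE uses throughout.
func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// jwk renders a P-256 public key as a JWK with fixed-width (32-byte) coordinates.
func jwk(pub *ecdsa.PublicKey) map[string]string {
	return map[string]string{"kty": "EC", "crv": "P-256",
		"x": b64(pub.X.FillBytes(make([]byte, 32))), "y": b64(pub.Y.FillBytes(make([]byte, 32)))}
}

// Thumbprint is the RFC 7638 JWK thumbprint: SHA-256 over the canonical JSON of the required
// members only, lexically ordered, no whitespace. The token's cnf.jkt claim carries this value.
func Thumbprint(pub *ecdsa.PublicKey) string {
	k := jwk(pub)
	sum := sha256.Sum256([]byte(fmt.Sprintf(`{"crv":"P-256","kty":"EC","x":"%s","y":"%s"}`, k["x"], k["y"])))
	return b64(sum[:])
}

// BuildProof makes the client-side DPoP proof of RFC 9449 section 4.2: public key in the header,
// method/URI and the hash of the bound access token ("ath") in the claims, signed with ES256 (raw r||s).
func BuildProof(priv *ecdsa.PrivateKey, method, uri, token string, now time.Time) (string, error) {
	hdr, _ := json.Marshal(map[string]any{"typ": "dpop+jwt", "alg": "ES256", "jwk": jwk(&priv.PublicKey)})
	jti := make([]byte, 16); rand.Read(jti) // unique per proof, so the server can detect replays
	ath := sha256.Sum256([]byte(token))
	claims, _ := json.Marshal(map[string]any{"jti": b64(jti), "htm": method, "htu": uri, "iat": now.Unix(), "ath": b64(ath[:])})
	input := b64(hdr) + "." + b64(claims)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64(append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)), nil
}

// VerifyProof runs the resource-server checks of RFC 9449 section 4.3. expectedJKT is cnf.jkt from the
// already validated access token; seen is the jti replay cache (a plain map stands in for a bounded store).
func VerifyProof(proof, method, uri, token, expectedJKT string, now time.Time, seen map[string]bool) error {
	parts := strings.Split(proof, ".")
	if len(parts) != 3 { return errors.New("malformed proof") }
	dec := func(s string) []byte { b, _ := base64.RawURLEncoding.DecodeString(s); return b }
	var hdr struct{ Typ, Alg string; JWK map[string]string }
	if json.Unmarshal(dec(parts[0]), &hdr) != nil || hdr.Typ != "dpop+jwt" || hdr.Alg != "ES256" {
		return errors.New("unexpected header")
	}
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(dec(hdr.JWK["x"])), Y: new(big.Int).SetBytes(dec(hdr.JWK["y"]))}
	if Thumbprint(pub) != expectedJKT { // key binding: the proof key must be the key the token was issued to
		return errors.New("proof key does not match token cnf.jkt")
	}
	sig, digest := dec(parts[2]), sha256.Sum256([]byte(parts[0]+"."+parts[1]))
	if len(sig) != 64 || !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return errors.New("bad signature")
	}
	var c struct{ JTI, HTM, HTU, ATH string; IAT int64 }
	if json.Unmarshal(dec(parts[1]), &c) != nil || c.HTM != method || c.HTU != uri {
		return errors.New("proof is malformed or was made for a different request")
	}
	if age := now.Unix() - c.IAT; age < -30 || age > 300 { // constructed window: small skew, short lifetime
		return errors.New("proof outside the acceptance window")
	}
	if ath := sha256.Sum256([]byte(token)); c.ATH != b64(ath[:]) {
		return errors.New("proof not bound to this access token")
	}
	if seen[c.JTI] { return errors.New("replayed jti") }
	seen[c.JTI] = true
	return nil
}

// Scenario is a constructed walk-through: a legitimate proof, a replay of that same proof, and a proof
// from a different key that presents the same access token (the "token used outside its session" case).
func Scenario() (valid, replay, otherKey error) {
	client, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	other, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	token, now, seen := "constructed-opaque-access-token", time.Now(), map[string]bool{} // token is a stand-in
	jkt := Thumbprint(&client.PublicKey) // what the authorization server would write into cnf.jkt at issuance
	const m, u = "GET", "https://api.example.test/orders"
	proof, _ := BuildProof(client, m, u, token, now)
	valid = VerifyProof(proof, m, u, token, jkt, now, seen)
	replay = VerifyProof(proof, m, u, token, jkt, now.Add(time.Second), seen)
	forged, _ := BuildProof(other, m, u, token, now)
	otherKey = VerifyProof(forged, m, u, token, jkt, now, seen)
	return
}

func main() { v, r, o := Scenario(); fmt.Println("legitimate:", v, "| replay:", r, "| other key:", o) }
```

Two simplifications to be aware of before reusing this shape: a production verifier normalizes `htu` as RFC 9449 describes (scheme, host and path only, no query or fragment) instead of comparing the raw string, and the `jti` cache has to be bounded by the same time window as the `iat` check so it cannot grow without limit. The order of checks also matters for the failure mode the bullet describes: the thumbprint comparison rejects a stolen token presented with someone else's key before any signature work is done.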
A big thank-you to everyone who contributed to this, especially in the Keycloak OAuth Special Interest Group! Join their channel #keycloak-oauth-sig on the CNCF Slack to hear the latest news and contribute to their efforts.
Fast-forward to the next releases
Work for the next feature release, which is scheduled for January 2025, is already underway. Some enhancements, like simplified node discovery for cloud and non-cloud environments, are already available in our nightly release. Try them out in a development environment and provide us with feedback on our mailing list! The work on our 2025 road map is underway, and we hope to publish it soon.