Keycloak 26.6 brings zero-downtime updates and workflows

The open-source IAM system Keycloak 26.6 promotes five features to production status – including federated client authentication and zero-downtime updates.


The Keycloak project has released version 26.6.0 of its open-source identity provider. The focus is on five features that are leaving preview status and are now considered fully supported. For companies operating Keycloak in Kubernetes environments, zero-downtime patch releases and federated client authentication will be particularly relevant.

According to the announcement, the most practically relevant innovation is arguably this: patch releases can henceforth be installed as rolling updates within a minor release stream without interrupting service. Together with the likewise improved Graceful HTTP Shutdown, which prevents error messages when individual nodes are shut down, the development team is addressing a central requirement of containerized deployments. According to the release notes, it is sufficient to set the update strategy of the Keycloak Operator to “Auto” to benefit from zero-downtime patch releases.


In addition, the project has promoted Federated Client Authentication to production status. The feature allows clients to use existing credentials from an external issuer once a trust relationship is established. This eliminates the need for individual client secrets in Keycloak. It supports client assertions from external OpenID Connect identity providers as well as Kubernetes Service Accounts. Organizations with multiple identity providers can thus significantly reduce the administrative overhead for secrets. However, OAuth SPIFFE Client Authentication remains in preview status as the underlying specification is not yet finalized.


With the now supported workflows, Keycloak brings central functions from the Identity Governance and Administration (IGA) area. Administrators can define realm tasks such as user and client lifecycle management in YAML files and have them executed automatically based on events, conditions, or schedules. The release also includes new built-in steps, a troubleshooting guide, and various improvements to the workflow engine.

The JWT Authorization Grant according to RFC 7523 is also now considered production-ready. It enables the exchange of external JWT assertions for OAuth 2.0 access tokens, thus helping in use cases where external tokens need to be converted into internal ones. Rounding out the quintet is the new Keycloak Test Framework, which replaces the previous Arquillian-based approach.

Beyond the five main features, the release delivers further innovations. Keycloak now experimentally supports the OAuth Client ID Metadata Document (CIMD) – an emerging standard for describing OAuth 2.0 client metadata. Since the Model Context Protocol (MCP) requires CIMD from version 2025-11-25 onwards, Keycloak can be used as an authorization server for MCP scenarios in the future.

Also appearing in preview are the Identity Brokering APIs V2, which are intended to replace the Legacy Token Exchange V1, and Step-up Authentication for the SAML protocol. Organizations also benefit from isolated group hierarchies per organization, which avoid naming conflicts within a realm.

On the infrastructure side, Keycloak now supports OpenJDK 25. However, the container image still relies on Java 21 to ensure FIPS compatibility – for companies in regulated environments, everything remains as it was. Existing deployments with Java 21 should continue to function unchanged. Further refinements concern automatic truststore initialization on Kubernetes and OpenShift, new client certificate lookup providers for Traefik and Envoy, and revised HTTP access logs that filter out sensitive information such as tokens and cookies.

Before updating to Keycloak 26.6.0, administrators should check the breaking changes in the Upgrading Guide. JavaScript-based policies now require an enabled Scripts feature. Client URIs must use HTTPS, and the issuer configuration for JWT Authorization Grant and Client Assertions must uniquely identify a provider.
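To illustrate the RFC 7523 exchange described above and the breaking change that the configured issuer must uniquely identify a provider, here is an added example (not code from the Keycloak project) of the client-side token request and a simplified authorization-server check. The provider table, its shape and the HS256 shared secret are assumptions; a real external issuer would sign with an asymmetric key.

```python
import base64, hashlib, hmac, json, time
from urllib.parse import urlencode

JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"  # grant_type defined by RFC 7523

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_hs256(claims: dict, key: bytes) -> str:
    # Constructed external assertion; HS256 stands in for the issuer's real signature.
    head = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url(sig)}"

def token_request(assertion: str) -> str:
    # Form body a client posts to the token endpoint (RFC 7523 section 2.1).
    return urlencode({"grant_type": JWT_BEARER, "assertion": assertion})

def validate_assertion(assertion: str, providers: dict, audience: str, now=None) -> dict:
    """Authorization-server side: map 'iss' to exactly one trusted provider, then
    check algorithm, signature, audience and expiry. 'providers' maps an issuer
    to a list of configured provider entries (hypothetical shape for this example)."""
    now = time.time() if now is None else now
    head_b64, body_b64, sig_b64 = assertion.split(".")
    header = json.loads(b64url_decode(head_b64))
    claims = json.loads(b64url_decode(body_b64))
    matches = providers.get(claims.get("iss"), [])
    if len(matches) != 1:
        # Ambiguous or unknown issuer: refuse rather than guess which key to trust.
        raise ValueError("issuer must uniquely identify one trusted provider")
    if header.get("alg") != "HS256":
        raise ValueError("unexpected signing algorithm")
    expected = hmac.new(matches[0]["key"], f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    if claims.get("aud") != audience:
        raise ValueError("audience mismatch")
    if "sub" not in claims:
        raise ValueError("missing subject")
    if claims.get("exp", 0) <= now:
        raise ValueError("assertion expired")
    return claims
```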


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.