
Keycloak 26.6.0 — Five features graduate to supported
Keycloak 26.6.0 was released on April 8, 2026. Unlike the previous patch release — which was almost entirely security fixes — this is a feature release. Five capabilities that have been in preview for several versions are now fully supported.
Here is what changed and why it matters for teams running Keycloak in production.
Five features graduate from preview to supported
JWT Authorization Grant (RFC 7523)
External-to-internal token exchange using signed JWT assertions.
A client can present an externally signed JWT assertion — issued by a trusted external authority — and obtain an OAuth 2.0 access token from Keycloak without a separate client secret. This is particularly relevant for service-to-service authentication across trust domains, where sharing secrets is impractical or where an external issuer (another IdP, a Kubernetes cluster, a cloud provider) is the natural source of identity.
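As an added illustration (not Keycloak's code and not taken from the release notes), the sketch below builds the RFC 7523 token request body and runs the section 3 claim checks a receiving authorization server applies once the assertion's signature has been verified. The function names, the `seen_jti` replay set, the 30-second clock skew and the example URLs are assumptions; signature verification with a JOSE library is assumed to have happened before `check_assertion_claims` is called.

```python
import time
from urllib.parse import urlencode

# Grant type identifier defined in RFC 7523, section 2.1.
JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"


def token_request_body(assertion, scope=""):
    """Form-encoded body the client POSTs to the token endpoint (no client secret)."""
    params = {"grant_type": JWT_BEARER, "assertion": assertion}
    if scope:
        params["scope"] = scope
    return urlencode(params)


def check_assertion_claims(claims, trusted_issuers, expected_audience,
                           seen_jti, now=None, skew=30):
    """RFC 7523 section 3 checks on claims whose signature was ALREADY verified.
    Returns a list of problems; an empty list means the claims are acceptable."""
    now = time.time() if now is None else now
    # iss, sub, aud and exp are the claims the RFC requires.
    problems = [f"missing {c}" for c in ("iss", "sub", "aud", "exp") if c not in claims]
    if problems:
        return problems
    for name in ("exp", "nbf"):
        if name in claims and not isinstance(claims[name], (int, float)):
            return [f"{name} is not numeric"]
    if claims["iss"] not in trusted_issuers:
        problems.append("untrusted issuer")
    aud = claims["aud"]                      # may be one string or a list
    audiences = [aud] if isinstance(aud, str) else list(aud)
    if expected_audience not in audiences:
        problems.append("audience does not name this authorization server")
    if claims["exp"] + skew <= now:
        problems.append("expired")
    if "nbf" in claims and claims["nbf"] - skew > now:
        problems.append("not yet valid")
    jti = claims.get("jti")
    if jti in seen_jti:
        problems.append("replayed jti")
    elif jti is not None and not problems:
        seen_jti.add(jti)                    # remember only accepted assertions
    return problems


if __name__ == "__main__":
    # Constructed sample claims; issuer and audience URLs are placeholders.
    sample = {"iss": "https://issuer.example", "sub": "svc-a",
              "aud": "https://sso.example/realms/demo", "exp": time.time() + 60}
    print(check_assertion_claims(sample, {"https://issuer.example"},
                                 "https://sso.example/realms/demo", set()))
```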
Federated client authentication
Clients authenticate using existing trust relationships — no more per-client secrets.
Clients can now authenticate to Keycloak using an existing trust relationship with an external issuer, including OIDC identity providers and Kubernetes Service Accounts. In environments where dozens of microservices each hold their own client secret, this eliminates both the management overhead and the rotation risk.
Note: OAuth SPIFFE Client Authentication remains in preview as the spec is still in draft.
Workflows
IGA capabilities — natively in Keycloak, defined in YAML.
Workflows allow administrators to automate realm administrative tasks using YAML-defined pipelines triggered by events, conditions, or schedules. Supported operations include user and client lifecycle management — provisioning, deprovisioning, and state transitions.
This is the most significant feature of this release for regulated environments. It brings Identity Governance and Administration (IGA) capabilities natively into Keycloak, reducing the need for external tooling to automate identity processes such as joiner/mover/leaver flows.
Zero-downtime patch releases
Rolling upgrades within the same major.minor stream — enabled by default.
Rolling updates within the same major.minor stream are now supported without service interruption. This is enabled by default. On Kubernetes with the Keycloak Operator, set the update strategy to Auto to benefit automatically.
Important: this applies to patch version upgrades only (e.g. 26.5.5 → 26.5.7). Minor version upgrades (26.5 → 26.6) still require a planned maintenance window.
Keycloak Test Framework
JUnit 6 — replaces Arquillian + JUnit 4.
The new framework handles the lifecycle of Keycloak, the database, and injected resources transparently. Relevant for teams building custom SPIs or extensions.
Other changes worth noting
- Java 25 support — Keycloak now runs on OpenJDK 25. The container image continues to use OpenJDK 21 for FIPS compatibility.
- KCRAW_ env var prefix — Values containing $ characters injected via Kubernetes secrets were silently mangled by SmallRye expression evaluation. KCRAW_ preserves the value exactly as provided.
- LDAP forced password change — Keycloak now respects the LDAP server's "must change password" control. Previously users were let through without being prompted.
- Graceful HTTP shutdown — Connections are drained during shutdown before the server terminates, reducing error responses during rolling restarts.
- MCP authorization server (experimental) — Keycloak can now act as authorization server for Model Context Protocol version 2025-11-25+.
- Token Exchange V1 deprecated — Plan your migration to V2.
Should you upgrade?
Yes, and there is no urgency — this is not a security release. Plan the upgrade within your normal maintenance window.
If you are running Keycloak on Kubernetes with the Operator, zero-downtime patch updates are now enabled by default, which simplifies future upgrades within the 26.x stream.
Full release notes: keycloak.org/2026/04/keycloak-2660-released
At IDPTrust we specialize in Keycloak in production. If you need help assessing this release or planning an upgrade, get in touch.