Keycloak 26.4 to 26.6: Key Updates for Modern IAM Architectures

With versions 26.4, 26.5, and 26.6, Keycloak has evolved significantly in a short period of time. The focus has been less on individual “killer features” and more on consistent development toward greater security, improved automatability, and more stable operation in cloud and container environments.
This article outlines the most important new features and highlights their technical and practical relevance.


Overview

With versions 26.4 through 26.6, Keycloak has made significant strides toward enterprise readiness, security, and operational scalability. The focus was less on new user interface features and more on stable, strategically important enhancements for production IAM environments.

Key new features include native support for passkeys, enhanced OAuth and OpenID Connect security mechanisms (including FAPI 2, DPoP, and JWT Authorization Grant), as well as zero-downtime updates, which simplify secure operations—particularly in Kubernetes and cloud environments. This is complemented by new automation and governance features, such as workflows and enhanced client policies.

For businesses, this means:

  • greater security without additional proprietary components
  • lower operational risk associated with updates and patches
  • better scalability for growing platforms and multi-site setups

Overall, Releases 26.4–26.6 clearly position Keycloak as a future-proof IAM platform for business-critical applications, particularly in regulated or high-availability environments.


Keycloak 26.4: Security and Platform Maturity

Passkeys and WebAuthn Conditional UI

With Keycloak 26.4, passkey support has been expanded for production use. In addition to the traditional WebAuthn flow, the new Conditional UI lets the browser offer a passkey directly in the username field's native autocomplete: the login page requests WebAuthn conditional mediation (`navigator.credentials.get({ mediation: "conditional", ... })`) and marks the input with `autocomplete="username webauthn"`, so no separate passkey step is needed in the login flow.
Technically this is still WebAuthn; the difference is that the credential is discoverable and the prompt is integrated into the form the user already sees.

Added Value & Business Relevance:
Passkeys are bound to the site's origin, which removes password phishing and password reuse as attack vectors and lowers long-term support costs (password resets, phishing incidents). For organizations with many external users or CIAM scenarios, this is a concrete step toward authentication that is both more secure and more user-friendly.


FAPI 2 and DPoP (Demonstrating Proof of Possession)

Keycloak 26.4 supports the final FAPI 2.0 specifications and ships a full implementation of DPoP (RFC 9449). A DPoP-bound access token carries the thumbprint of the client's public key in its `cnf.jkt` claim, and the client must present a freshly signed proof JWT with every request. A token copied from a log or a network trace therefore cannot be replayed without the client's private key.

Added Value & Business Relevance:
These features are particularly relevant for regulated industries (e.g., financial services, public administration). They facilitate compliance with external security requirements and audits without the need for proprietary extensions.


Simplified multi-AZ and multi-site deployments

In version 26.4, support for distributed deployments was significantly improved. This includes split-brain detection, latency optimizations between data centers, and better integration with the Keycloak Operator.

Added Value & Business Relevance:
Operators can run Keycloak more reliably across multiple availability zones. This improves reliability and simplifies the operation of global platforms without the need for complex in-house solutions for cluster management.


Keycloak 26.5: User-Friendliness and New OAuth Flows

OAuth 2.0 Device Authorization Grant

With Keycloak 26.5, the OAuth 2.0 Device Authorization Grant (RFC 8628) is available out of the box. It covers devices without a usable keyboard or browser (smart TVs, industrial terminals): the device shows a short user code, the user enters it on a phone or laptop at the verification URI, and the device polls the token endpoint until the authorization has been granted or has expired.

Added Value & Business Relevance:
For companies with IoT or device ecosystems, Keycloak becomes a much more attractive option as a central IAM component, since a separate authentication service is no longer necessary.
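To make the exchange concrete, the following is an added example (not code from the page or from Keycloak): an in-memory authorization server modelling the two endpoints of RFC 8628, plus the polling loop that runs on the device. Endpoint behaviour, error codes and the back-off rule follow the RFC; the verification URI, client id and user names are constructed.

```python
"""OAuth 2.0 Device Authorization Grant (RFC 8628): both sides in one process.
Added example, not Keycloak code. The server keeps pending grants in memory; a
real deployment stores them with the same expiry and single-use semantics."""
import secrets

USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"  # RFC 8628 §6.1 base-20 set: no vowels, easy to read aloud

def make_user_code(choose=secrets.choice) -> str:
    code = "".join(choose(USER_CODE_ALPHABET) for _ in range(8))
    return f"{code[:4]}-{code[4:]}"  # 20^8 possibilities, shown as XXXX-XXXX

class DeviceAuthServer:
    def __init__(self, verification_uri="https://auth.example.com/device", interval=5, lifetime=600):
        self.verification_uri, self.interval, self.lifetime = verification_uri, interval, lifetime
        self.pending = {}  # device_code -> grant state

    def device_authorization(self, client_id: str, scope: str, now: float) -> dict:
        """POST to the device authorization endpoint: hands the device its two codes."""
        device_code, user_code = secrets.token_urlsafe(32), make_user_code()
        self.pending[device_code] = {"client_id": client_id, "scope": scope, "user_code": user_code,
                                     "approved_by": None, "expires": now + self.lifetime,
                                     "last_poll": float("-inf")}
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": self.verification_uri,
                "verification_uri_complete": f"{self.verification_uri}?user_code={user_code}",
                "expires_in": self.lifetime, "interval": self.interval}

    def approve(self, user_code: str, user: str) -> bool:
        """Browser side: after login the user types the code; one approval per grant."""
        for state in self.pending.values():
            if state["user_code"] == user_code and state["approved_by"] is None:
                state["approved_by"] = user
                return True
        return False

    def token(self, client_id: str, device_code: str, now: float) -> dict:
        """POST to the token endpoint with grant_type=urn:ietf:params:oauth:grant-type:device_code."""
        state = self.pending.get(device_code)
        if state is None or state["client_id"] != client_id:
            return {"error": "invalid_grant"}  # unknown code, or another client presenting a stolen one
        if now > state["expires"]:
            del self.pending[device_code]
            return {"error": "expired_token"}
        if now - state["last_poll"] < self.interval:
            return {"error": "slow_down"}  # polled faster than allowed; the device must back off
        state["last_poll"] = now
        if state["approved_by"] is None:
            return {"error": "authorization_pending"}
        del self.pending[device_code]  # the device_code is single-use
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "scope": state["scope"], "sub": state["approved_by"]}

def device_login(server, client_id, scope, clock, sleep, show_code):
    """Device side: obtain codes, display them, poll until a token or a terminal error."""
    grant = server.device_authorization(client_id, scope, clock())
    show_code(grant["verification_uri_complete"])  # e.g. rendered as a QR code on the TV
    interval = grant["interval"]
    while True:
        sleep(interval)
        resp = server.token(client_id, grant["device_code"], clock())
        if "access_token" in resp:
            return resp
        if resp["error"] == "slow_down":
            interval += 5  # RFC 8628 §3.5: increase the polling interval by 5 seconds
        elif resp["error"] != "authorization_pending":
            raise RuntimeError(resp["error"])  # expired_token, access_denied, invalid_grant

def demo() -> dict:
    """Scripted run with a fake clock: the user approves the code 12 s after it is shown."""
    server, clock, shown = DeviceAuthServer(interval=5), [0.0], []
    def sleep(seconds):
        clock[0] += seconds
        if clock[0] >= 12 and shown:
            server.approve(shown[0], "alice")  # what the user does in the phone's browser
    return device_login(server, "tv-app", "openid", lambda: clock[0], sleep,
                        lambda url: shown.append(url.rsplit("user_code=", 1)[1]))

if __name__ == "__main__":
    print(demo())
```

The points a reviewer looks for are all in `token()`: the grant is tied to the client id that requested it, it expires, it is single-use, and a device that ignores the interval gets `slow_down` rather than a token.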


Further Development of Client Policies

The client policy feature has been extended with more granular conditions and executors (the actions applied to a client when a condition matches) for OIDC clients. Security requirements can therefore be enforced centrally and consistently instead of being configured on each client.

Added Value & Business Relevance:
In larger environments with many teams and applications, governance capabilities are enhanced. Security standards can be defined centrally without having to review each application individually.

Admin UI Improvements

Even though it may seem unremarkable at first glance, improvements to the admin UI—particularly when it comes to managing client scopes—reduce errors and speed up daily administrative tasks.


Keycloak 26.6: Operations, Automation, and Zero Downtime

Zero‑Downtime Patch Releases

One of the most significant operational improvements in version 26.6 is that patch releases within a minor version (26.6.x to 26.6.y) can be rolled out without downtime. In Kubernetes environments, all that is required is the appropriate update strategy in the Keycloak Operator's custom resource.

Added Value & Business Relevance:
Security updates can be deployed more quickly and with less risk. This is particularly relevant for mission-critical platforms and organizations with strict availability requirements.
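To make the "appropriate update strategy" concrete, here is a minimal Keycloak custom resource for the operator with the automatic strategy selected. This is an added illustration, not from the page or the Keycloak project; the name, namespace, instance count and image tag are placeholders, and the hostname, database and TLS settings a real CR needs are omitted.

```yaml
apiVersion: k8s.keycloak.org/v2alpha1
kind: Keycloak
metadata:
  name: keycloak        # placeholder
  namespace: iam        # placeholder
spec:
  instances: 3
  # Rolling out a patch means bumping this tag within the same minor version (26.6.x).
  image: quay.io/keycloak/keycloak:26.6.0   # placeholder tag
  update:
    # Auto: the operator checks whether the running image and the new one are compatible
    # and performs a rolling update if they are; otherwise it recreates the pods.
    # RecreateOnImageChange is the conservative default; Explicit lets you decide per revision.
    strategy: Auto
  # hostname, db and http/tls sections omitted
```

Pods are replaced one at a time only when the compatibility check passes, so keep at least two instances or there is nothing to roll over; and because the check concerns Keycloak itself, custom providers deployed with the image still need your own test pass before the tag is bumped in production.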

Workflows for administrative processes

Workflows can be used to automate recurring administrative tasks—such as those related to user or client lifecycles. This feature has graduated from preview status in version 26.6.

Added Value & Business Relevance:
IAM operations become more scalable: fewer manual interventions, reduced error rates, and improved traceability of administrative processes.

JWT Authorization Grant & Federated Client Authentication

The JWT Authorization Grant (RFC 7523) allows external JWTs to be exchanged for internal access tokens in a controlled way. In addition, Federated Client Authentication has become production-ready, which in many cases removes the need to store client secrets in Keycloak.

Added Value & Business Relevance:
This combination significantly simplifies integrations into existing trust landscapes—for example, in platform-to-platform communication or in Kubernetes environments using service accounts.
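The following added example serves both the DPoP section for 26.4 above and this JWT Authorization Grant section; it is not code from the page or from Keycloak, which performs these checks itself when the features are enabled. A minimal ES256 JWS helper is used to build what the client sends in each flow and to perform the checks the receiving side must make: for DPoP, that the proof is signed with the key bound to the token (`bound_jkt` stands for the token's `cnf.jkt` claim) and matches this request; for the JWT bearer grant, that the assertion comes from a trusted issuer and is addressed to this token endpoint. It requires the `cryptography` package; keys, URLs and issuer names are constructed.

```python
"""DPoP proofs (RFC 9449) and the JWT bearer grant (RFC 7523) over a minimal ES256 JWS.
Added example, not Keycloak code: it shows what the client sends in each flow and the
checks the receiving side must make. Needs the `cryptography` package; keys, URLs and
issuer names are constructed for the example."""
import base64, hashlib, json, os, time
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.asymmetric.utils import decode_dss_signature, encode_dss_signature

JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"
TOKEN_ENDPOINT = "https://keycloak.example.com/realms/demo/protocol/openid-connect/token"  # assumed realm

def b64u(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def b64u_dec(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def new_key() -> ec.EllipticCurvePrivateKey:
    return ec.generate_private_key(ec.SECP256R1())

def public_jwk(priv) -> dict:
    n = priv.public_key().public_numbers()
    return {"kty": "EC", "crv": "P-256", "x": b64u(n.x.to_bytes(32, "big")), "y": b64u(n.y.to_bytes(32, "big"))}

def jwk_thumbprint(jwk: dict) -> str:
    # RFC 7638: SHA-256 over the required members only, sorted, without whitespace
    canon = json.dumps({k: jwk[k] for k in ("crv", "kty", "x", "y")}, sort_keys=True, separators=(",", ":"))
    return b64u(hashlib.sha256(canon.encode()).digest())

def sign_es256(priv, header: dict, claims: dict) -> str:
    signing_input = b64u(json.dumps({**header, "alg": "ES256"}).encode()) + "." + b64u(json.dumps(claims).encode())
    r, s = decode_dss_signature(priv.sign(signing_input.encode(), ec.ECDSA(hashes.SHA256())))
    return signing_input + "." + b64u(r.to_bytes(32, "big") + s.to_bytes(32, "big"))  # JWS wants raw r||s

def verify_es256(token: str, jwk: dict) -> dict:
    """Return the claims of a compact JWS after checking its signature against `jwk`, else raise ValueError."""
    h, p, s = token.split(".")
    if json.loads(b64u_dec(h)).get("alg") != "ES256":
        raise ValueError("unexpected alg")  # never accept alg=none or a downgrade to a MAC
    x, y = (int.from_bytes(b64u_dec(jwk[c]), "big") for c in ("x", "y"))
    pub = ec.EllipticCurvePublicNumbers(x, y, ec.SECP256R1()).public_key()
    sig = b64u_dec(s)
    try:
        pub.verify(encode_dss_signature(int.from_bytes(sig[:32], "big"), int.from_bytes(sig[32:], "big")),
                   f"{h}.{p}".encode(), ec.ECDSA(hashes.SHA256()))
    except InvalidSignature:
        raise ValueError("bad signature") from None
    return json.loads(b64u_dec(p))

# ---- DPoP: the client proves possession of the key its access token was bound to ----
def dpop_proof(priv, method: str, url: str, access_token=None) -> str:
    claims = {"jti": b64u(os.urandom(16)), "htm": method, "htu": url, "iat": int(time.time())}
    if access_token:  # at a resource server the proof also commits to the token (RFC 9449 §4.3)
        claims["ath"] = b64u(hashlib.sha256(access_token.encode()).digest())
    return sign_es256(priv, {"typ": "dpop+jwt", "jwk": public_jwk(priv)}, claims)

SEEN_JTI = set()  # replay cache; in production a bounded store scoped to the iat window

def check_dpop(proof: str, method: str, url: str, access_token: str, bound_jkt: str, now=None) -> dict:
    """Resource-server side: accept the request only if the proof matches the token's cnf.jkt."""
    header = json.loads(b64u_dec(proof.split(".")[0]))
    jwk = header.get("jwk")
    if header.get("typ") != "dpop+jwt" or not jwk or "d" in jwk:
        raise ValueError("not a well-formed DPoP proof")
    claims = verify_es256(proof, jwk)          # signed with the key carried in the header...
    if jwk_thumbprint(jwk) != bound_jkt:        # ...which must be the key the token was issued to
        raise ValueError("proof key does not match the token binding")
    if (claims.get("htm"), claims.get("htu")) != (method, url):
        raise ValueError("proof was made for a different request")
    if abs((now if now is not None else time.time()) - claims.get("iat", 0)) > 60:
        raise ValueError("proof outside the acceptance window")
    if claims.get("ath") != b64u(hashlib.sha256(access_token.encode()).digest()):
        raise ValueError("proof not bound to this access token")
    jti = claims.get("jti")
    if not jti or jti in SEEN_JTI:
        raise ValueError("missing or replayed jti")
    SEEN_JTI.add(jti)
    return claims

# ---- RFC 7523: an external JWT is the grant; the AS checks issuer, signature, audience, expiry ----
def bearer_assertion(priv, issuer: str, subject: str, lifetime: int = 300) -> str:
    now = int(time.time())
    return sign_es256(priv, {"typ": "JWT"}, {"iss": issuer, "sub": subject, "aud": TOKEN_ENDPOINT,
                                             "iat": now, "exp": now + lifetime, "jti": b64u(os.urandom(16))})

def accept_assertion(form: dict, trusted_issuers: dict, now=None) -> str:
    """AS side for the form body {grant_type, assertion}: return the external subject to map, else raise."""
    if form.get("grant_type") != JWT_BEARER:
        raise ValueError("wrong grant_type")
    assertion = form["assertion"]
    iss = json.loads(b64u_dec(assertion.split(".")[1])).get("iss")  # read only to pick the key
    if iss not in trusted_issuers:
        raise ValueError("untrusted issuer")
    claims = verify_es256(assertion, trusted_issuers[iss])  # nothing in the payload is trusted before this
    aud = claims.get("aud")
    if TOKEN_ENDPOINT not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("assertion not addressed to this token endpoint")
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        raise ValueError("assertion expired")
    return claims["sub"]
```

Two design points carry over to any real deployment: the issuer registry is keyed on `iss` before verification only to select a key, never to trust a claim, and the DPoP checks are ordered so that a proof signed by the wrong key fails before any request-specific claim is consulted.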


Conclusion: Substantial consolidation rather than showcase features

Versions 26.4 through 26.6 mark not so much a major functional overhaul as a period of maturation for Keycloak.
Passkeys, zero-downtime updates, stronger OAuth security mechanisms, and automation address precisely the issues that are critical in the long term for production IAM operations: security, stability, and scalability.

For existing Keycloak installations, these versions provide compelling reasons to upgrade. For new projects, Keycloak is increasingly proving itself to be a robust, cloud-ready IAM platform that can hold its own even in demanding enterprise and CIAM scenarios.
