Another big feature release for Keycloak.  As usual, go to to find documentation and download links.  Here are the highlights of Alpha 3:

  • Minimal support for OpenID Connect.  Claims like email, full name, etc. can now be transmitted and viewed with IDToken passed after login.
  • Configurable allowed claims.  What identity claims are made in id and access tokens can be configured per application or oauth client within the admin console
  • Remote logout and session stats available from management console
  • Refresh token support
  • Not before revocation policy.  You can set it per realm, oauth client, or application.  Policies are pushed to applications that have an admin url
  • Fine grain admin console permissions and roles.  You can now specify which realms a master user is allowed to create, view, or edit.  An awesome side effect of this is that if you enable registration in the master admin realm and set a default global role of create only, keycloak can become a SaaS for SSO.
  • Installed Application feature to support non-browser applications that want to use Keycloak
  • You can now add social network links through account management

What’s next?

Our next release will be Beta-1 and will be our last big feature release.  One of the features we want to add is support for using an existing LDAP/Active Directory server.  We’re going to take a look at Picketlink IDM API for this.  We also need more fine grain support for importing and exporting various pieces of the keycloak database.  That’s minimally what we want to get in.  We’re looking at a May timeframe for this release as in April many of us will be busy with Red Hat Summit.