Pull Request Explorer

Summary

Unify login UI button layout

Improves user experience by aligning login buttons horizontally, reducing visual clutter and making actions clearer.

Health Assessment

• • Quick review and merge indicate a straightforward UI change with minimal risk.

Summary

Revert Java 25 usage in FIPS CI scripts

Restores Java 25 configuration for FIPS CI to maintain compatibility with release 26.6, ensuring CI stability.

Health Assessment

• • Quick revert with minimal changes, fast review and merge, low risk to production.

Summary

Simplify session context, ensure transaction start

Guarantees that every session begins with a transaction, preventing data consistency issues and improving reliability for Keycloak users.

Health Assessment

• • Fast cycle time and single review indicate smooth integration.

Summary

Login title full width when locale hidden

Ensures the login page title spans full width when the locale selector is hidden, maintaining a consistent user interface and preventing layout shifts. This improves user experience by providing a cleaner, more predictable layout across locales.

Health Assessment

• • Quick approval with minimal changes indicates a straightforward UI tweak.

Summary

Add parameter column to consent tables

This change adds a non‑nullable PARAMETER column to consent tables, enabling dynamic scope support and improving OAuth compliance.

Health Assessment

• • The PR had a long cycle time and required multiple review iterations, indicating moderate complexity and potential integration challenges.

Summary

Add admin email support for credential offers

Enables administrators to send credential offers via email, improving onboarding and verification workflows.

Health Assessment

• • PR had a long review time but minimal back‑and‑forth, indicating a straightforward change that was eventually approved after a single review.

Summary

Typo fix in ClientAdapter.isFrontchannelLogout

Corrects a typo in the ClientAdapter class, ensuring accurate front‑channel logout behavior for clients.

Health Assessment

• • Fast turnaround with minimal changes, merged within hours, indicating low complexity and risk.

Summary

Add startup check for missing database indexes

Adds a startup check to detect missing database indexes, improving production readiness and preventing performance issues.

Health Assessment

• • The PR added a large amount of code and was merged after a single commit, but the review process took over two days, indicating a delay that could impact delivery timelines.

Summary

Simplify session context, ensure transaction start

Guarantees that a transaction is always started during session handling, reducing errors and improving stability for production workloads.

Health Assessment

• • Fast cycle time and single review round indicate a straightforward, low‑risk change with minimal rework.

Summary

Fix POST clients-initial-access to return 201

Ensures API compliance by returning the correct 201 status and Location header, improving client integration and spec adherence.

Health Assessment

• • The PR required over five days to merge, with a single review cycle and moderate changes; the bug fix was straightforward but needed several iterations to satisfy reviewers.

Summary

Fix typo in ClientAdapter.isFrontchannelLogout

Corrects a typo in the client adapter, ensuring accurate front‑channel logout behavior.

Health Assessment

• • Quick fix with minimal changes, merged within an hour, indicating low complexity and high confidence.

Summary

Add Traefik header filtering for reencrypt

Improves security by filtering headers from external IPs at the proxy layer, reducing risk of header injection or leakage.

Health Assessment

• • Quick documentation update with minimal review and fast merge.

Summary

Add briefRepresentation query param to consent endpoint

Provides a lightweight representation for consent data, reducing bandwidth and improving performance for clients that only need brief info.

Health Assessment

• • The PR was reviewed quickly with minimal comments, but the overall cycle time was extended, likely due to integration testing or other dependencies.

Summary

Refactor test utilities for LDAP and cache helpers

Centralizes test helper methods, reducing duplication and improving test maintainability.

Health Assessment

Summary

Backport: Correct UI Customization Cross-Reference Syntax

Ensures documentation uses correct cross-reference syntax, improving clarity for developers.

Health Assessment

• • Quick review and merge, minimal changes, straightforward documentation update.

Summary

Update HaProxySslClientCertificateLookup to load Base64 encoded DER Chain

Adds support for Base64‑encoded DER certificate chains in HAProxy client certificate lookup, improving mTLS compatibility and security for Keycloak deployments behind HAProxy.

Health Assessment

• • The PR required multiple review cycles and extensive changes, indicating complexity and potential risk; it delivered critical mTLS chain support for HAProxy deployments.

Summary

Use appropriate cross-reference syntax in the UI Customization guide

Improves documentation clarity for UI customization, ensuring correct cross-references and reducing user confusion.

Health Assessment

• • The PR had a long cycle time (122 h) and no review events, indicating a low-priority documentation change that was merged after a lengthy wait.

Summary

Avoid log-and-throw for Hibernate's SQL exceptions

This change removes redundant logging when Hibernate throws SQL exceptions, reducing log noise and improving performance for production deployments.

Health Assessment

• • Long review time likely due to scheduling; minimal code changes and quick approval.

Summary

Ensure workflows can't be managed through the Component API

This PR tightens security by preventing workflow management via the Component API, reducing potential attack surface.

Health Assessment

• • Long review and merge times suggest blockers or complexity in understanding the change, despite the small code footprint.
• • The PR had a single commit and was merged after a long cycle, indicating potential review bottlenecks.

Summary

Handle read-only user stores for SSF notify toggles

Prevents login errors for users on read-only LDAP stores, improving reliability and user experience.

Health Assessment

• • PR resolved a critical read-only store issue in a single commit without review, indicating a fast turnaround but limited peer scrutiny.

Summary

Move push timeout settings to Receiver tab

Admins can now configure push connect and socket timeouts earlier, enhancing control over stream delivery settings. This UI improvement reduces configuration errors and stream setup time.

Health Assessment

• • The PR had a long cycle time but a quick review, indicating a straightforward UI change with minimal friction.

Summary

Fix missing realm handling in UserStorageEventListener

Prevents 500 errors when deleting realms by gracefully handling null realm in event listener, improving reliability of admin API.

Health Assessment

• • The PR fixed a regression that caused 500 errors on realm deletion; review was delayed but required minimal changes.

Summary

Fix temporary password persistence for AD federated users

Ensures temporary passwords are correctly stored during update operations, preventing authentication failures for AD federated users.

Health Assessment

• • Quick, single-commit fix with minimal code changes and fast review turnaround, indicating low complexity and low risk.

Summary

Update RFC spec URLs to datatracker.ietf.org

Ensures documentation references point to the correct RFC source, improving accuracy for users during upgrades.

Health Assessment

• • Quick review and merge with minimal changes; no significant risk.

Summary

Use datatracker.ietf.org instead of www.rfc-editor.org for specs

Updates documentation to reference the new datatracker domain for RFC specifications, ensuring accurate links for users.

Health Assessment

• • Quick documentation update with minimal changes and fast review, indicating low risk.

Summary

Fix temporary password persistence for AD federated users

Ensures temporary passwords are correctly stored and applied for Active Directory federated users, improving account security and user experience.

Health Assessment

• • Long review delay indicates potential bottleneck in review process; small scope and low risk.

Summary

Enhance regex to block encoded path traversal

This update tightens the regex used for validating redirect URIs, blocking encoded path traversal terminators and reducing the risk of open redirect attacks.

Health Assessment

• • Fast review and merge, minimal code changes, promptly addressing a security vulnerability.

Summary

Use datatracker.ietf.org instead of www.rfc-editor.org for specs

Updates documentation to point to the correct RFC source, preventing link errors.

Health Assessment

• • Quick documentation update with minimal changes, merged within a day.

Summary

Upgrade pnpm to 11.x

This PR updates the pnpm package manager to the latest 11.x series, ensuring compatibility with the build system and addressing known issues with the Maven plugin.

Health Assessment

• • The PR took over 12 days to merge with a slow review process, but involved only a small configuration change and no code modifications, indicating low technical risk.

Summary

Fix SCIM resource URL duplication

Corrects SCIM endpoint URLs to prevent duplicate IDs, improving API consistency and reducing client errors.

Health Assessment

• • Long review cycle indicates low priority or complexity; minimal code changes but delayed review.

Summary

Revert to Java 25 for FIPS CI scripts

Reverts FIPS CI scripts to use Java 25, restoring compatibility and preventing build failures.

Health Assessment

• • Quick revert with minimal changes, fast review and merge.

Summary

Disable the Account UI when the ACCOUNT feature is disabled

The change removes the Account UI when the ACCOUNT feature is turned off, preventing users from accessing unavailable functionality and maintaining a consistent feature‑gating experience.

Health Assessment

• • Fast cycle time and a single review round indicate a straightforward, low‑risk feature addition.

Summary

Fix quick theme export to contain variables for both modes

This PR fixes a bug in the admin UI theme export, ensuring that both light and dark mode variables are correctly included, preventing undefined keys in the theme JSON.

Health Assessment

• • Quick turnaround with minimal changes, low complexity, no blockers.

Summary

Upgrade Playwright to prevent CI hangs

This PR updates the Playwright dependency to resolve intermittent CI failures, ensuring reliable automated testing for the Keycloak UI applications.

Health Assessment

• • The issue was addressed in a single commit within 14 hours, demonstrating efficient collaboration and minimal impact on the codebase.

Summary

Add revoke endpoint to issued credentials APIs

Adds an API endpoint that allows administrators to revoke issued verifiable credentials, enhancing security and compliance by enabling immediate credential invalidation.

Health Assessment

• • Fast cycle time and minimal review rounds indicate a straightforward, low‑risk change.

Summary

Add stricter validation for Admin API client

Enforces tighter data constraints on client resources, reducing misconfiguration and improving security for administrators.

Health Assessment

• • PR required over 12 days to merge, with a slow first review and multiple review rounds, indicating significant complexity and potential risk to production.

Summary

Add issued VC tracking and admin REST endpoint

Adds database schema and admin REST API for tracking issued verifiable credentials, enabling credential revocation and management.

Health Assessment

• • The PR introduced a substantial new feature with a large codebase change, taking over 4 days to merge and involving multiple review rounds, indicating moderate to high complexity and potential integration risk.

Summary

Upgrade Playwright to avoid CI hangs

Updated Playwright to the latest version, eliminating hangs in JavaScript CI jobs and improving test reliability.

Health Assessment

• • Fast turnaround with minimal changes; resolved a CI stability issue.

Summary

Add beanparam for client listing options

Enables flexible client listing with a builder pattern, reducing parameter clutter and improving API usability.

Health Assessment

• • The PR had a moderate review cycle with a single comment and approval, indicating straightforward changes with minimal friction.

Summary

Prevent service account name in multi-namespace mode

Fixes a bug that incorrectly set service account names when Keycloak is deployed across multiple namespaces, ensuring correct isolation and preventing potential security issues.

Health Assessment

• • The PR was reviewed quickly and required minimal changes, indicating a straightforward bug fix with low complexity.

Summary

Show/update credential user attributes in admin and account console

Adds UI to view and update credential attributes for users in the admin console, and view attributes in the account console, improving visibility and management of verifiable credentials.

Health Assessment

• • Fast review and single commit indicate a straightforward UI enhancement with minimal risk.

Summary

Fix Themes cross-reference

Corrects documentation cross-references for themes, ensuring accurate guidance for users.

Health Assessment

• • Documentation fix merged quickly with a single approval, indicating minimal impact and straightforward review process.

Summary

Enhance path traversal regex to block encoded terminators

Improves security by preventing encoded path traversal attacks, ensuring safer redirect handling.

Health Assessment

• • The PR addressed a security vulnerability but required a review and a follow-up commit, resulting in a slow cycle time and high review friction.

Summary

Remove shutdown-timeouts config from proxy examples

Simplifies proxy configuration by eliminating unnecessary shutdown timeout setting, improving clarity and reducing potential misconfiguration.

Health Assessment

• • Quick review and merge with minimal changes indicates a straightforward documentation update.

Summary

Block Admin API access from external IPs via HAProxy

This change restricts external IPs from accessing the Keycloak Admin API when using HAProxy, enhancing security by ensuring only internal traffic can reach admin endpoints.

Health Assessment

• • Quick documentation update with a single review, minimal changes, and low risk to production.

Summary

Prevent wildcard hostnames in redirect URLs

Ensures security by disallowing wildcard hostnames in redirect URLs, preventing open redirect vulnerabilities.

Health Assessment

• • The change was small and straightforward, merged within 19 hours with no rework, indicating low complexity and minimal risk.

Summary

Disallow wildcards in redirect hostnames

Prevents wildcard hostnames from being accepted as valid redirect URIs, tightening security for OAuth/OIDC flows.

Health Assessment

• • Merged within 20 hours with no rework, indicating a straightforward security fix.

Summary

Reorder X509 validation to check revocation after trust

Reorders X509 validation to perform revocation checks after trust verification, ensuring revocation is only checked for certificates that pass other checks.

Health Assessment

• • Quick fix with minimal changes, fast review and merge, low risk.

Summary

Account API: Ignore userManagedAccessAllowed setting

Fixes resource sharing endpoints to correctly respect realm-level userManagedAccessAllowed configuration, improving security and consistency.

Health Assessment

• • PR addressed a configuration bug with minimal changes and quick resolution.

Summary

Fix account sharing recipient resolution

Ensures account sharing correctly resolves recipients by email before username, preventing accidental access to the wrong user.

Health Assessment

• • PR took ~2 days to merge with a single review after a long review wait, indicating moderate review friction but minimal code changes.