Pull Request Explorer

Summary

Add stricter validation for Admin API client

Enforces tighter data constraints on client resources, reducing misconfiguration and improving security for administrators.

Health Assessment

• • PR required over 12 days to merge, with a slow first review and multiple review rounds, indicating significant complexity and potential risk to production.

Summary

Add issued VC tracking and admin REST endpoint

Adds database schema and admin REST API for tracking issued verifiable credentials, enabling credential revocation and management.

Health Assessment

• • The PR introduced a substantial new feature with a large codebase change, taking over 4 days to merge and involving multiple review rounds, indicating moderate to high complexity and potential integration risk.

Summary

Upgrade Playwright to avoid CI hangs

Updated Playwright to the latest version, eliminating hangs in JavaScript CI jobs and improving test reliability.

Health Assessment

• • Fast turnaround with minimal changes; resolved a CI stability issue.

Summary

Add beanparam for client listing options

Enables flexible client listing with a builder pattern, reducing parameter clutter and improving API usability.

Health Assessment

• • The PR had a moderate review cycle with a single comment and approval, indicating straightforward changes with minimal friction.

Summary

Prevent service account name in multi-namespace mode

Fixes a bug that incorrectly set service account names when Keycloak is deployed across multiple namespaces, ensuring correct isolation and preventing potential security issues.

Health Assessment

• • The PR was reviewed quickly and required minimal changes, indicating a straightforward bug fix with low complexity.

Summary

Show/update credential user attributes in admin and account console

Adds UI to view and update credential attributes for users in the admin console, and view attributes in the account console, improving visibility and management of verifiable credentials.

Health Assessment

• • Fast review and single commit indicate a straightforward UI enhancement with minimal risk.

Summary

Fix Themes cross-reference

Corrects documentation cross-references for themes, ensuring accurate guidance for users.

Health Assessment

• • Documentation fix merged quickly with a single approval, indicating minimal impact and straightforward review process.

Summary

Enhance path traversal regex to block encoded terminators

Improves security by preventing encoded path traversal attacks, ensuring safer redirect handling.

Health Assessment

• • The PR addressed a security vulnerability but required a review and a follow-up commit, resulting in a slow cycle time and high review friction.

Summary

Remove shutdown-timeouts config from proxy examples

Simplifies proxy configuration by eliminating unnecessary shutdown timeout setting, improving clarity and reducing potential misconfiguration.

Health Assessment

• • Quick review and merge with minimal changes indicates a straightforward documentation update.

Summary

Block Admin API access from external IPs via HAProxy

This change restricts external IPs from accessing the Keycloak Admin API when using HAProxy, enhancing security by ensuring only internal traffic can reach admin endpoints.

Health Assessment

• • Quick documentation update with a single review, minimal changes, and low risk to production.

Summary

Prevent wildcard hostnames in redirect URLs

Ensures security by disallowing wildcard hostnames in redirect URLs, preventing open redirect vulnerabilities.

Health Assessment

• • The change was small and straightforward, merged within 19 hours with no rework, indicating low complexity and minimal risk.

Summary

Disallow wildcards in redirect hostnames

Prevents wildcard hostnames from being accepted as valid redirect URIs, tightening security for OAuth/OIDC flows.

Health Assessment

• • Merged within 20 hours with no rework, indicating a straightforward security fix.

Summary

Reorder X509 validation to check revocation after trust

Reorders X509 validation to perform revocation checks after trust verification, ensuring revocation is only checked for certificates that pass other checks.

Health Assessment

• • Quick fix with minimal changes, fast review and merge, low risk.

Summary

Account API: Ignore userManagedAccessAllowed setting

Fixes resource sharing endpoints to correctly respect realm-level userManagedAccessAllowed configuration, improving security and consistency.

Health Assessment

• • PR addressed a configuration bug with minimal changes and quick resolution.

Summary

Fix account sharing recipient resolution

Ensures account sharing correctly resolves recipients by email before username, preventing accidental access to the wrong user.

Health Assessment

• • PR took ~2 days to merge with a single review after a long review wait, indicating moderate review friction but minimal code changes.

Summary

Adds missing tests to TokenIntrospectionTest

Adds comprehensive unit tests for token introspection, strengthening security and reliability of OAuth flows.

Health Assessment

• • Quick turnaround with minimal changes indicates straightforward test addition.

Summary

Update Traefik reencrypt docs

Adds updated documentation for Traefik reencrypt configuration, improving clarity for users.

Health Assessment

• • Documentation update with minimal code changes, quick review and approval.

Summary

Fix offboarding revoke-role role list format

Corrects documentation example to use multivalued role names, improving clarity for administrators.

Health Assessment

• • Quick documentation fix with minimal changes and fast review, indicating efficient process.

Summary

Backport JGroups fixes and improvements

Enhances cluster communication reliability and performance by applying JGroups fixes and improvements, ensuring more stable distributed deployments.

Health Assessment

• • PR was reviewed and merged within a day, indicating efficient review process and minimal rework.

Summary

Add SPI option to disable FD_SOCK2 failure detection

Adds a configuration option to disable FD_SOCK2 failure detection in JGroups, enhancing cluster stability for production deployments.

Health Assessment

• • PR was reviewed and merged quickly with minimal changes, indicating a straightforward enhancement.

Summary

Refactor ExportImportResource in legacy test suite

Improves stability and maintainability of the test suite for export/import functionality, reducing flaky tests and speeding up CI.

Health Assessment

• • The PR took almost 8 days to merge, but the review was quick and only one round of changes was needed, indicating a straightforward refactor with minimal impact on production.

Summary

Simplify JpaUserProvider.updateVerifiableCredential for OID4VCI

Simplifies the update of verifiable credentials, improving performance and reliability for OID4VCI integration.

Health Assessment

• • Quick approval with minimal changes indicates low complexity and high confidence.

Summary

Add migration util test for runOnServer

Provides unit tests to validate migration of runOnServer functionality, ensuring compatibility with StandardTokenExchangeV2Test and LoginTest.

Health Assessment

• • Quick turnaround with a single commit and no review iterations indicates a straightforward test addition.

Summary

Add runOnServerMaster to LightWeightAccessTokenTest

Ensures LightWeightAccessTokenTest runs on server master, improving test reliability.

Health Assessment

• • Quick fix with minimal changes, fast review and merge.

Summary

Revisit ABCA with fapi-2-dpop-security-profile

Adds support for HTTP localhost requests and updates ABCA executor to align with the new security profile, improving compatibility for OIDC4VCI tests.

Health Assessment

• • PR merged in ~40h with only one commit after review, indicating a smooth process and clear implementation.

Summary

Add user attribute snapshot support for verifiable credentials

This PR adds support for capturing and storing a snapshot of user attributes in verifiable credentials, allowing administrators to refresh the snapshot via an update endpoint, enhancing auditability and consistency.

Health Assessment

• • The PR had a moderate cycle time of ~2.7 days, with a single review round and minimal comments, indicating a smooth review process. The change adds a substantial amount of code (~246 lines) across 15 files, reflecting a significant backend enhancement.

Summary

Add access check for user resolution in client scope

This change enforces an access check when resolving users during client scope evaluation, tightening security and preventing potential privilege escalation. It ensures that only authorized users are considered, reducing risk of unauthorized data exposure.

Health Assessment

• • The PR took almost two days to review, indicating moderate review friction, but the change was small and straightforward, resulting in a quick merge.
• • The single commit and lack of rework suggest a smooth process.

Summary

Fix offboarding example role list format

Corrects documentation to reflect that revoke-role expects a list of roles, preventing misconfiguration for administrators.

Health Assessment

• • Documentation update required a lengthy review but involved only a few lines of change and poses no risk to production.

Summary

Backport fix for not before validation

Fixes a validation issue in OIDC token handling, ensuring correct token issuance and improved security compliance.

Health Assessment

• • Quick backport with minimal changes, fast review and merge, indicating low complexity and high confidence in the fix.

Summary

Backport fix not before validation

Fixes a validation issue in OIDC token handling, ensuring correct behavior for clients.

Health Assessment

• • Quick review and merge indicate low complexity and high confidence in the change.

Summary

Validate audience claim in token introspection

Adds security validation to reject lightweight access tokens lacking audience claim, preventing potential misuse of the UserInfo endpoint.

Health Assessment

• • Security enhancement with minimal review friction; large code changes but quick approval.

Summary

Add blank lines for correct rendering

Updates documentation formatting to ensure content displays properly.

Health Assessment

• • Quick review and merge with minimal changes, indicating straightforward documentation update.

Summary

Add SPI option to disable FD_SOCK2 failure detection

Adds a configuration option to disable failure detection for FD_SOCK2 in JGroups, improving cluster stability in specific environments.

Health Assessment

• • Quick approval with minimal changes indicates low complexity and low risk.

Summary

Downgrade Java to 21 for FIPS jobs

Downgrades Java to version 21 for FIPS jobs to maintain compatibility with RHEL 9 until the Java 25 devel package is restored. This prevents build failures and ensures continuous integration stability.

Health Assessment

• • Quick fix with minimal changes, resolved in a single commit after a single review, indicating low complexity and high confidence.

Summary

Add permission checks to organization invitation endpoints

Ensures only authorized users can invite members to organizations, improving security and compliance.

Health Assessment

• • The PR addressed a security issue but had a long review cycle, indicating potential communication gaps.

Summary

Integrate verifiable credentials with Keycloak endpoints

Adds support for OIDC4VCI, enabling users to issue verifiable credentials via Keycloak's credential endpoints, enhancing identity verification capabilities.

Health Assessment

• • PR took over two days to review but required no additional commits, indicating a thorough initial review.

Summary

Enable JGroups message stats

Adds support for collecting and exposing JGroups message statistics, improving cluster monitoring and troubleshooting.

Health Assessment

• • Quick review and merge indicate a straightforward change with minimal risk and impact.

Summary

Disable single thread sender in JGroups

Disables single-threaded sender in JGroups to improve concurrency and performance in Keycloak's Infinispan integration.

Health Assessment

• • Quick turnaround with minimal changes, indicating a straightforward bug fix with low risk.

Summary

Treat attestation-based clients as confidential

This change ensures that clients authenticated via attestation are treated as confidential, improving security for OIDC/OID4VC flows.

Health Assessment

• • PR merged within 2.6 hours with a single approval, indicating a straightforward change with minimal friction.

Summary

Update tests and downgrade Java for FIPS

Enhances test reliability by applying EventAssertion and ensures FIPS compliance by downgrading Java to 21, reducing build failures.

Health Assessment

• • Fast cycle time and single review round indicate a straightforward, low-risk change with minimal rework.

Summary

Simplify Quarkus Integration Test Annotations

Refactor Quarkus integration tests to simplify annotations and improve test lifecycle management.

Health Assessment

• • The PR had a large scope with 20 files changed, but the review process was relatively smooth with two approvals.
• • The cycle time was 161.1 hours, which is relatively long, but the time to first review was only 4.8 hours.

Summary

Add bottom padding on Authorization Evaluate results page

Adds bottom padding to the Authorization Evaluate results page, ensuring the last resource row remains visible above the fixed action bar, improving usability for administrators.

Health Assessment

• • Single commit with minimal changes, quick review, low risk.

Summary

Prevent access to user info if not the owner or requested of a resource

Prevents unauthorized access to user information by ensuring only resource owners or explicitly requested users can view sensitive data, enhancing security compliance.

Health Assessment

• • The PR was reviewed and merged within a day, indicating a straightforward security fix with minimal friction.

Summary

Wildcards should not be allowed if authority cannot be parsed

Fixes a security vulnerability by preventing wildcard usage when the authority cannot be parsed, closing CVE-2026-7504.

Health Assessment

• • The PR was reviewed and merged within 14 hours, indicating efficient review and low complexity.

Summary

Refactor AssertEvents to use EventAssertion

Improves test framework consistency and maintainability by replacing legacy assertion methods with modern EventAssertion equivalents, reducing test fragility. This change enhances reliability of event-based tests across the Keycloak codebase.

Health Assessment

• • The PR required a long review period and involved extensive refactoring across many test files, indicating significant effort and potential for integration issues.

Summary

Enforce owner checks on resource set service

Adds security validation to ensure only resource owners can invoke the resource set service, strengthening access control.

Health Assessment

• • Quick turnaround with a single commit and no review iterations indicates a straightforward, low‑risk change.

Summary

Improve authSessionCookie validation in SessionCodeChecks

Fixes a security vulnerability by enhancing session cookie checks, reducing risk of unauthorized access.

Health Assessment

• • Quick resolution of a security issue with minimal changes and fast review.

Summary

Filtering out headers from external IP addresses

Adds documentation guidance for filtering headers from external IP addresses, enhancing security posture for Keycloak deployments.

Health Assessment

• • The PR experienced a long review delay (155h) with minimal code changes, indicating low priority or backlog.
• • Documentation-only change with small scope poses minimal risk to production.

Summary

Make all required actions one time action by default

Configures all required actions to be one‑time by default, tightening security and improving user experience.

Health Assessment

• • Fast cycle time and minimal changes indicate a straightforward security fix with low complexity.

Summary

Reject invalid CORS origins before endpoint logic

Prevents processing of requests with invalid CORS origins, improving security and reducing unnecessary load.

Health Assessment

• • Long review time indicates potential blocker or complexity; single commit suggests straightforward change but delayed review.