Pull Request Explorer

Summary

Fix auto logic for missing pod

Prevents infinite job recreation when a pod is missing, stabilizing deployment operations.

Health Assessment

• • Long review cycle indicates slow process; single file change suggests low complexity.

Summary

Refine startup and log async start error

Fixes startup issues and adds logging for async start errors, improving reliability and observability.

Health Assessment

• • Single review with no change requests and a quick commit indicates a straightforward bug fix with minimal friction.

Summary

Fix not before validation

Corrects token validation logic to enforce 'not before' timestamps, enhancing security by preventing premature token acceptance.

Health Assessment

• • Single commit, quick approval, and minimal changes indicate a low-risk, straightforward bug fix.

Summary

Set only redirect_uri from client_data during restart

This change restricts the redirect URI to be the sole client data retained during a restart, enhancing security by preventing unintended data leakage.

Health Assessment

• • Quick turnaround with a single review and minimal changes indicates low complexity and high confidence.

Summary

Fix parsing SAML11 incorrect requests

Addresses a parsing bug that could allow malformed SAML 1.1 requests to bypass validation, mitigating a critical security vulnerability (CVE-2026-7307).

Health Assessment

• • Quick turnaround with minimal changes; review and merge completed within 3 hours, indicating an efficient process.

Summary

Exclude transitive Quarkus dependency kotlinx-metadata-jvm

Removes an unnecessary transitive dependency to improve build performance and reduce potential conflicts in Keycloak 2.26 release.

Health Assessment

• • PR took almost 6 days to merge, but only one commit and minimal changes, indicating a straightforward fix with moderate review time.

Summary

Fix NPE for alg:none JWT in Bearer Auth

Prevents null pointer exceptions when processing JWTs with no algorithm, improving authentication reliability.

Health Assessment

• • Long review delay indicates a bottleneck; the change is small in scope but critical for authentication security.

Summary

Fix MSSQL queries for case sensitive collations

Ensures Keycloak’s MSSQL integration works correctly with case‑sensitive collations, preventing authentication and data consistency issues for users on such databases.

Health Assessment

• • The PR took over 11 days to merge, indicating a slow review process, but the change was small and straightforward, suggesting no major blockers.

Summary

Improper Access Control on Keycloak Server

Fixes a critical access control vulnerability in Keycloak's account API, ensuring secure handling of account data.

Health Assessment

• • The PR resolved a CVE with minimal changes and a single review comment, but the long cycle time suggests scheduling delays.

Summary

Add IDX_IDP_FOR_LOGIN index for MSSQL deployments

Ensures MSSQL server deployments have the necessary index created, resolving a known issue.

Health Assessment

• • The PR was merged after a relatively long cycle time, but the changes are straightforward and focused on resolving a specific issue.

Summary

Fix virtual thread check

Ensures virtual threads are only enabled when CPU count is at least 4, preventing potential performance issues on low‑CPU environments.

Health Assessment

• • Quick review and merge after a single commit; minimal changes indicate low risk.

Summary

Remove form data from registerNode methods

Simplifies node registration API by eliminating form data, reducing payload size and improving clarity.

Health Assessment

• • The PR took over 13 days to merge with a long first review delay, indicating potential bottlenecks in the review process.
• • The change involved a moderate number of lines across several backend files, suggesting a focused refactor.

Summary

Remove form data from registerNode methods

Simplifies node registration API by eliminating form data, improving clarity and reducing payload size.

Health Assessment

• • The PR had a long cycle time and review period but required only a single commit, indicating a straightforward change with minimal rework.

Summary

Fix Improper Access Control on Keycloak Server

Removes a security vulnerability that allowed unauthorized access to account APIs when the feature is disabled, protecting user data.

Health Assessment

• • Security fix required extended review and testing, resulting in a 12‑day cycle.

Summary

Ignore oasis-open.org in ExternalLinksTest

This change prevents false positives in documentation link tests by ignoring the oasis-open.org domain, improving test reliability and reducing maintenance overhead.

Health Assessment

• • The PR was a small backport to a release branch, with quick review but long cycle due to release schedule.

Summary

Document AuthZEN experimental support

Adds comprehensive documentation for experimental AuthZEN support, enabling developers to integrate the feature more efficiently and reducing onboarding friction.

Health Assessment

• • The PR required over 4 days to merge, but involved only documentation changes and a single review, indicating a low-risk, low-complexity update.

Summary

Revert OpenTelemetry Metrics feature in community build

Reverts the addition of OpenTelemetry metrics visibility in community builds, restoring previous behavior to allow downstream projects to hide metrics.

Health Assessment

• • Revert was straightforward, approved after a single review with minimal changes, indicating low complexity and risk.

Summary

Drop unknown Maven plugin parameter

Eliminates an unsupported configuration option from the build, preventing potential build failures and improving build stability.

Health Assessment

• • Quick fix with minimal changes, resolved in under 9 hours with no back‑and‑forth.

Summary

Removing approval test workaround

Fixes test reliability by removing a workaround in approval tests, improving CI stability.

Health Assessment

• • Quick review and merge, minimal changes, low risk.

Summary

Fix embedded Resteasy server initialization

Restores functionality of the embedded Resteasy server used in tests, ensuring reliable test execution. This reduces flaky test failures and improves CI stability.

Health Assessment

• • Quick fix with minimal changes, approved in a single review, indicating low complexity and risk.

Summary

Support IdP backchannel logout via sid claim

Enables Keycloak to correctly process backchannel logout requests from identity providers that include a sid claim, ensuring user sessions are terminated and preventing orphaned sessions.

Health Assessment

• • Long cycle time due to flaky test; review process was quick after initial review; minimal rework.

Summary

Add suggestions when features are incorrectly specified

Enhances CLI usability by suggesting correct feature names when users input incorrect ones, reducing configuration errors and support overhead.

Health Assessment

• • The PR had a single round of changes requested followed by approvals, indicating moderate review friction. The moderate scope and quick first review suggest a healthy process.

Summary

Translations update from Hosted Weblate

Adds updated translations for multiple languages, enhancing internationalization for Keycloak's UI.

Health Assessment

• • The PR required over 12 days to merge, with a single review after 1.5 days and a large number of translation changes, indicating a slow but straightforward process.

Summary

HAProxy re-encrypt documentation

Adds comprehensive guidance on HAProxy re-encrypt configuration. Enables administrators to securely set up HAProxy, improving deployment reliability.

Health Assessment

• • The PR had a slow cycle time of nearly 5 days but the review was quick and only required a single change request. The documentation update is straightforward and low risk.

Summary

Add Enter key search trigger to SearchInputComponent

Improves user experience by allowing quick search via Enter key, reducing clicks for organization-related searches.

Health Assessment

• • Single small change with long review time, likely due to review backlog or low priority.

Summary

Prevent admins from setting default dynamic client scopes

Ensures administrators cannot create dynamic client scopes with the Default type, improving security and preventing misconfiguration.

Health Assessment

• • PR had moderate review friction with multiple review rounds but was merged within 5 days; large scope across frontend and backend; no AI involvement.

Summary

Add explicit client reference to RAR scope parsing

Ensures RAR scope parsing correctly handles client references, improving robustness and reducing maintenance overhead.

Health Assessment

• • PR took over 4 days to merge, but initial review was quick. The change involved moderate code churn across 12 files, with a single round of comments before approval.

Summary

Add time offset migration test

This PR adds a test for migrating time offset in Keycloak.

Health Assessment

• • The PR was merged after a long cycle time of 110.8 hours, indicating potential delays in the review process.

Summary

Fix MailServerRewrite in Migration Tests

Ensures migration tool correctly rewrites mail server configurations during tests, improving reliability of migration process.

Health Assessment

• • Quick review and merge, minimal changes, low risk.

Summary

Add AssertEvents Rewrite to Migration Tool

Enhances migration testing by adding AssertEvents rewrite, improving test reliability.

Health Assessment

• • Quick review and single commit indicate straightforward test addition.

Summary

Remove Quarkus Reactive Routes extension

Eliminates unused Quarkus Reactive Routes extension from Keycloak build, reducing complexity and potential security surface.

Health Assessment

• • Quick approval and merge indicates straightforward change with minimal risk.

Summary

Fix introspection error for invalid client authentication

Corrects the OIDC token introspection endpoint to return an invalid_client error with HTTP 401 when confidential client authentication fails, aligning with RFC 7662 and improving OAuth 2.0 compliance.

Health Assessment

• • PR was merged quickly with minimal rework, indicating a straightforward bug fix with low complexity and risk.

Summary

Enable OTel Metrics in community build

Adds OpenTelemetry metrics visibility for community builds while allowing downstream projects to hide the feature, improving observability without impacting custom deployments.

Health Assessment

• • Fast cycle time and minimal rework indicate a smooth review process.

Summary

Enable dynamic parameterization of client scope consent text

This PR allows administrators to include dynamic parameters in consent messages for client scopes, improving flexibility and localization.

Health Assessment

• • The PR took almost 6 days to merge with a single review cycle, indicating a slow review process but no significant rework.

Summary

Fix NPE in OrganizationGroupMembershipMapper

Prevents authentication failures for clients without organization scope, ensuring reliable login flows for users in realms with Organizations enabled.

Health Assessment

• • The PR addressed a critical NPE that caused authentication failures, but the review and merge cycle took over 6 days, indicating a slow process despite the small scope.

Summary

Override PostgreSQL dependency version

Ensures Keycloak uses a specific PostgreSQL driver version, improving compatibility and security.

Health Assessment

• • Quick resolution with minimal changes and fast review, indicating low complexity and high confidence in the fix.

Summary

Remove transitive Quarkus dependency kotlinx-metadata-jvm

Eliminates unnecessary transitive dependency in Quarkus deployment, improving build performance and reducing potential conflicts.

Health Assessment

• • Fast approval with minimal changes, indicating low complexity and risk.

Summary

Add AOT compilation to Quarkus tests

Enables ahead‑of‑time compilation for Quarkus tests, improving test performance and reliability.

Health Assessment

• • The PR had a moderate review time and a few iterations, but overall small to medium scope and a quick cycle time.

Summary

Fix dynamic scope mix-up in token requests

Corrects a bug where dynamic scopes were incorrectly shared across token requests, ensuring each request receives the intended scopes and preventing unintended scope leakage.

Health Assessment

• • Fast cycle time and single review indicate a straightforward bug fix with minimal risk.

Summary

Refine startup and add async start error log

Improves Keycloak startup by refining the process and adding logging for async start errors, addressing issue #48438.

Health Assessment

• • The PR had a relatively fast review time and was approved after a thorough discussion, indicating a well-structured and maintainable code change.

Summary

verifiable credential in account console

Adds verifiable credential management to the account console, allowing users to view, delete, and issue credentials directly from their account interface. This enhances user control over credentials and supports wallet integration.

Health Assessment

• • The PR introduced a substantial feature adding verifiable credential support, requiring moderate review effort and a single rework commit, indicating a complex but well‑managed change.

Summary

Add tests for client validation in OID4VC

Improves reliability by ensuring invalid or disabled clients are caught early, reducing token issuance errors.

Health Assessment

• • PR addressed client validation bugs with minimal changes and quick approval, indicating a straightforward fix.

Summary

Fix lint issues in the admin console

Fixes lint errors that caused CI failures, improving build stability.

Health Assessment

• • Quick fix with no review needed, merged within 0.8 hours.

Summary

Refactor legacy test suite TimeOffset

Simplifies the test suite by removing legacy time offset logic, improving maintainability and reducing potential test flakiness.

Health Assessment

• • The PR involved extensive refactoring of the test suite, resulting in a long cycle time and many changes, but the review was quick, indicating an efficient review process.

Summary

Fix test framework server startup not configurable

Allows test framework servers to be configured at startup, improving test reliability and reducing manual setup.

Health Assessment

• • Fast review and merge within 12 hours, minimal changes, low risk.

Summary

Ignore dynamic scopes when feature is not enabled

Ensures that disabling the dynamic scopes feature does not cause previously dynamic scopes to be treated as dynamic, maintaining correct scope behavior.

Health Assessment

• • Quick review and single commit indicate a straightforward bug fix with minimal impact.

Summary

Add missing locale keys for organization membership

Adds missing translation keys to the admin UI, ensuring users see correct labels for organization membership features.

Health Assessment

• • Quick fix with minimal changes, resolved within 12 hours, indicating efficient review and low complexity.

Summary

Migrate OrganizationTest

Refactors the OrganizationTest to support new organization admin functionality, improving test reliability.

Health Assessment

• • Quick turnaround with a single commit and review, indicating a straightforward refactor of test code.

Summary

Migrate OID4VC JWT Issuer Endpoint Tests

Updates test suite to reflect new endpoint behavior, ensuring compatibility with OID4VC JWT issuer functionality.

Health Assessment

• • Quick merge with minimal changes indicates straightforward test migration.

Summary

Migrate JWT and SD-JWT Credential Signer Tests

Updates credential signer tests to align with new OID4VCI implementation, ensuring accurate signing behavior.

Health Assessment

• • The PR had a prolonged review cycle of over 6 days, with a single review after a single commit, indicating potential bottlenecks in the review process.
• • Large test refactor added ~637 lines, but no functional changes, so risk is moderate.