fix(deps): update keycloakclientversion to v26 (major)

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
org.keycloak:keycloak-core (source)	25.0.6 -> 26.4.5
org.keycloak:keycloak-admin-client (source)	25.0.6 -> 26.0.7

---

Release Notes

keycloak/keycloak (org.keycloak:keycloak-core)

v26.4.5

Compare Source

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Bugs

• #​42601 Flaky test: org.keycloak.testsuite.broker.KcOidcBrokerTest#testPostBrokerLoginFlowWithOTP ci
• #​43212 Document missing artifact dependency for UserStoragePrivateUtil docs
• #​43564 Invalid liquibase check sum for jpa-changelog-2.5.0.xml core
• #​43718 Email Not Persisted During Registration When "Email as Username" is Enabled and User Edit Permission is Disabled user-profile
• #​43793 import does not seem to run db migration import-export
• #​43883 Creating group policy on a client uses "manage-clients" role if FGAP V1 is disabled authorization-services
• #​44010 Ordering attributes will unset the unmanaged attribute policy user-profile
• #​44031 Can't build keycloak 26.4.4 with quarkus.launch.rebuild=true dist/quarkus
• #​44056 Allow only normalized URLs in requests caused a regression in view authz permission details in Admin Consol admin/ui
• #​44117 DockerClientTest failure testsuite

v26.4.4

Compare Source

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Enhancements

• #​10388 Allow to hide client scopes from scopes_supported in discovery endpoint
• #​43076 Add rate limiter for sending verification emails in context of update email
• #​43509 Role authorization for workflows. admin/api

Bugs

• #​41270 Cannot save new attribute group admin/ui
• #​41271 Changing user profile attribute results in an error everytime admin/ui
• #​43082 ExternalLinksTest is broken due to missing path parameters docs
• #​43091 Duplicate Email Fields on Temporarily Locked Out Sign In With Organization Identity-First Login login/ui
• #​43160 Regression in DEBUG_PORT handling since 26.4.0 – host binding (*:port / 0.0.0.0:port) no longer works dist/quarkus
• #​43460 FGAP/UI: `reset-password` succeeds but UI shows 403 without Users:manage admin/fine-grained-permissions
• #​43505 DPoP proof replay check doesn't consider clock skew oidc
• #​43516 Deleting Client is slow and fails when a lot of client sessions exist core
• #​43578 "admin" client role now requires server admin user admin/api
• #​43579 403 Forbidden when assigning realm-management client roles with realm-admin despite FGAP disabled (regression in 26.4.0+) admin/fine-grained-permissions
• #​43596 FGAP: user can no longer open account management page, broken by `reset-password` admin/fine-grained-permissions
• #​43621 Version 26.4.1 breaks existing ldap users with capital letters in username ldap
• #​43682 When syncing roles, the database layer can see deadlocks
• #​43698 Role Mapper is updating the user every time on login identity-brokering
• #​43723 Only add the none verifier when attestation conveyance preference is none (or default) authentication/webauthn
• #​43734 Refresh token allowed for offline session even the related scope is removed
• #​43736 FGAP V2: reset-password scope error when viewing users with Group permissions only core
• #​43744 Increased memory usage due to leaking KeycloakSession instances admin/api
• #​43759 QuarkusKeycloakSession not garbage collected when running Liquibase dist/quarkus
• #​43761 QuarkusKeycloakSession kept in memory for each timer core
• #​43763 Normalizing of Keycloak URLs not documented dist/quarkus
• #​43774 Under OLMv1 service monitor check uses wrong namespace operator
• #​43785 QuarkusKeycloakSession leak in DeclarativeUserProfileProvider user-profile
• #​43853 Ensure the logout endpoint removes the authentication session oidc
• #​43863 JS CI failing after normalization testsuite

v26.4.3

Compare Source

v26.4.2

Compare Source

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

Enhancements

• #​42991 Final review and update for UPDATE_EMAIL documentation docs
• #​43351 Make pending email verification attribute removable by admin user-profile
• #​43650 SPIFFE should support OIDC JWK endpoint

Bugs

• #​26374 Workflow failure: Quarkus IT - FipsDistTest#testUnsupportedHttpsPkcs12KeyStoreInStrictMode ci
• #​30939 Vulnerability in brute force detection settings authentication
• #​43022 Incorrect Basic Auth encoding for OIDC IDentity Provider when Client ID contains colon identity-brokering
• #​43191 Upgrade guide for 26.4.0 should mention new minimal PostgreSQL server version 13 requirement docs
• #​43244 UI crash on admin `/users/add-user` since 26.4.0 admin/ui
• #​43544 Intra-document links not rendered in downstream docs
• #​43561 Server does not shutdown gracefully when started with --optimized core

v26.4.1

Compare Source

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

New features

• #​43020 Secure Client-Initiated Renegotiation - disable by default dist/quarkus

Enhancements

• #​42990 Hide read-only email attribute in update profile context with update email enabled user-profile
• #​43357 JDBC_PING should publish its physical address on startup

Bugs

• #​40965 Group permission denies to view user admin/fine-grained-permissions
• #​41292 openid-connect flow is missing response type on language change authentication
• #​42565 Standard Token Exchange: chain of exchanges eventually fails token-exchange
• #​42676 Security Defenses realm settings lost when switching between Headers and Brute Force Detection tabs (v25+) admin/ui
• #​42907 Race condition in authorization service leads to NullPointerException when evaluating permissions during concurrent resource deletion authorization-services
• #​43042 Avoid NPE in FederatedJWTClientAuthenticator when checking for supported assertion types core
• #​43070 Update email page with pending verification email messages prefilled with old email user-profile
• #​43096 keycloak-operator 26.4.0 missing clusterrole permissions docs
• #​43104 Release notes fix for update email docs
• #​43161 Restarting an user session broken for persistent sessions infinispan
• #​43164 Keycloak docs state that only TLSv1.3 is used docs
• #​43218 Cannot revoke access token generated by Standard Token Exchange oidc
• #​43254 Make sure username and email attributes are lower cased when fetching their values from LDAP object ldap
• #​43269 Keycloak 26.4 returns a different error response on a token request without Client Assertion (private_key_jwt client authentication) from Keycloak 26.3 does oidc
• #​43270 Keycloak 26.4 returns a different error response on a CIBA backchannel authentication request without Client Assertion (private_key_jwt client authentication) from Keycloak 26.3 does oidc
• #​43286 Broken links on DB server configuration guide docs
• #​43304 SAML Client - Encrypt assertions toggle shows wrong dialog text (Client signature required) saml
• #​43328 "Remember me" user sessions remain valid after "remember me" realm setting is disabled authentication
• #​43335 First JDBC_PING initialization happens in the JTA transaction context infinispan
• #​43349 Client session may be lost during session restart infinispan
• #​43394 SPIFFE client authentication does not work when JWT SVID includes `iss` claim
• #​43459 Invalid YAML in advanced Operator configurations docs

v26.4.0

Compare Source

Highlights

This release features new capabilities focused on security enhancements, deeper integration, and improved server administration. The highlights of this release are:

• Passkeys for seamless, passwordless authentication of users.

• Federated Client Authentication to use SPIFFE or Kubernetes service account tokens for client authentication.

• Simplified deployments across multiple availability zones to boost availability.

• FAPI 2 Final: Keycloak now supports the final specifications of FAPI 2.0 Security Profile and FAPI 2.0 Message Signing.

• DPoP: The OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP) is now fully supported. Improvements include the ability to bind only refresh tokens for public clients, and securing all Keycloak endpoints with DPoP tokens.

Read on to learn more about each new feature. If you are upgrading from a previous release, review also the changes listed in the upgrading guide.

Security and Standards

Passkeys integration (supported)

Passkeys are now seamlessly integrated in the Keycloak login forms using both conditional and modal UIs. To activate the integration in the realm, go to Authentication, Policies, Webauthn Passwordless Policy and switch Enable Passkeys to enabled.

For more information, see Passkeys.

FAPI 2 Final (supported)

Keycloak has support for the latest versions of FAPI 2 specifications. Specifications FAPI 2.0 Security Profile and FAPI 2.0 Message Signing are already promoted to Final and Keycloak supports them. Keycloak client policies support the final versions and corresponding client profiles for FAPI 2 are passing the FAPI conformance test suite.

Apart from some very minor polishing of existing policies, Keycloak has new client profiles (fapi-2-dpop-security-profile and fapi-2-dpop-message-signing) for the clients that use DPoP and are intended to be FAPI 2 compliant.

Thank you to Takashi Norimatsu for contributing this.

For more details, see the Securing applications Guides.

DPoP (supported)

Keycloak has support for OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP), which was a preview feature since Keycloak 23. Also, the supported version includes some improvements and minor capabilities of the DPoP feature such as the following:

• Possibility to make only refresh tokens of a public client to be DPoP bound and omit the binding of an access token.

• All Keycloak endpoints that are secured by bearer token can now handle DPoP tokens. This includes, for example, the Admin REST API and Account REST API.

• Possibility to require the dpop_jkt parameter in the OIDC authentication request.

Thanks to Takashi Norimatsu and Dmitry Telegin for their contributions to the DPoP feature.

For more information, see the DPoP section in the documentation.

FIPS 140-2 mode now supports EdDSA

With the upgrade to Bouncy Castle 2.1.x, the algorithm EdDSA can now be used.

Listing supported OAuth standards on one page

A new guide lists all implemented OpenID Connect related specifications. Thank you to Takashi Norimatsu for contributing this.

Integration

Federated client authentication (preview)

Identity providers are now able to federate client authentication. This allows clients to authenticate with SPIFFE JWT SVIDs, Kubernetes service account tokens, or tokens issued by an OpenID Connect identity provider.

This feature is currently preview, and expected to become supported in 26.5.

Automatic certificate management for SAML clients

The SAML clients can now be configured to automatically download the signing and encrypting certificates from the SP entity metadata descriptor endpoint. In order to use this new feature, in the client Settings tab, section Signature and Encryption, configure the Metadata descriptor URL option (the URL where the SP metadata information with the certificates is published) and activate Use metadata descriptor URL. The certificates will be automatically downloaded and cached in the public-key-storage SPI from that URL. This also allows for seamless rotation of certificates.

For more information, see Creating a SAML client in the Server Administration Guide.

Serving as an authorization server in MCP

MCP (Model Context Protocol) is an open-source standard for connecting AI applications to external systems. Using MCP, AI applications can connect to data sources, tools and workflows enabling them to access key information and perform tasks.

To comply with MCP specification, this version provides its OAuth 2.0 Server Metadata via a well-known URI whose format complies with RFC 8414 OAuth 2.0 Authorization Server Metadata specification. Therefore, Keycloak users can now use Keycloak as an authorization server for MCP.

The latest MCP specification 2025-06-18 additionally requires support for resource indicators which are currently not implemented in Keycloak.

Administration

Update Email Workflow (supported)

Users can now update their email addresses in a more secure and consistent flow. Accounts are forced to both re-authenticate and verify their emails before any account updates.

For more information, see Update Email Workflow.

Optional email domain for organizations

In earlier versions, each organization required at least one email domain, which was a limitation for some scenarios. Starting with this release, an email domain is optional. Thank you to Alexis Rico for contributing this.

When no domain is specified, organization members will not be validated against domain restrictions during authentication and profile validation.

Hiding identity providers from the Account Console

You can now control which identity providers appear in the Account Console based on different options using the Show in Account console setting. You can choose to show only those linked with a user or hide them completely.

For more information, see General configuration.

Enforce recovery codes setup after setting up OTP

If you have enabled OTPs and recovery codes as a second factor for authentication, you can configure the OTP required action to ask users to set up recovery codes once they set up an OTP. Thank you to Niko Köbler for contributing this.

New conditional authenticator

The Conditional - credential is a new authenticator that checks if a specific credential type has been used (or not used) during the authentication process. This condition is related to the Passkeys feature. It is added by Keycloak to the default browser flow to skip 2FA in case a passkey was used to log in as the primary credential.

For more information about conditional flows, see Conditions in conditional flows.

Translations managed by Weblate

The Keycloak distribution now includes 35 community translations, with Kazakh, Azerbaijani and Slovenian added in this release. Community volunteers now maintain some of the translations in Weblate to keep them up to date.

If you want to volunteer to maintain an existing or a new translation via Weblate, you can find the necessary steps in the translation guidelines.

Configuring and Running

Enhancements for single-cluster and multi-cluster setups

This release renamed multi-site to multi-cluster. The updated documentation describes how Keycloak clusters can be optionally distributed across multiple availability-zones within a region for increased availability. The Keycloak Operator now deploys Keycloak across multiple availability zones within a Kubernetes cluster by default. Keycloak also detects split-brains within a cluster.

This change should provide better availability for users who are running Keycloak in Kubernetes clusters that span multiple availability zones.

Support for additional databases and versions

With this release, we added support for the following new database vendors:

• EnterpriseDB (EDB) Advanced 17.6

• Azure SQL Database and Azure SQL Managed Instance

Where the previous documentation stated only tested database version, it now states all the supported database versions as well.

Expose management interface via HTTP

Previous versions exposed the management endpoint only via HTTPS when the main interface was using HTTPS.

Set the new option http-management-scheme to http to have the management interface use HTTP rather than inheriting the HTTPS settings of the main interface. This allows monitoring those endpoints in environments where no TLS client is available.

Expose health endpoints on the main HTTP(S) port

With health-enabled set to true, you may set the http-management-health-enabled to false to indicate that health endpoints should be exposed on the main HTTP(s) port instead of the management port. When this option is false you should block unwanted external traffic to /health at your proxy.

This allows using the health endpoints in environments where the load balancer might need access to those ports to direct traffic to the correct nodes.

Specify a tlsSecret on the Keycloak CR ingress spec

To support basic TLS termination (edge) deployments by the operator, you may now set the Keycloak CR spec.ingress.tlsSecret field to a TLS Secret name in the namespace.

Additional datasources configuration (supported)

Some Keycloak use cases like User Federation might require connecting to additional databases. This was possible only through specifying unsupported raw Quarkus properties in previous Keycloak versions. In this release, there are now dedicated server options for additional datasources. This allows users to leverage additional databases in their extensions in a supported and user-friendly way.

Read more about it in the Configure multiple datasources guide.

Observability

Operator creates a ServiceMonitor automatically

The Operator now provisions a ServiceMonitor for the management endpoint if metrics are enabled and the monitoring.coreos.com/v1:ServiceMonitor Custom Resource Definition is present on the Kubernetes cluster. The specification of the ServiceMonitor takes into account the various management endpoint configurations, to ensure that metrics can be scraped without any additional configuration. If you do not want a ServiceMonitor to be created, you can disable this by setting spec.serviceMonitor.enabled: false. For more details, see the Operator Guide.

HTTP access logging of incoming HTTP requests

Keycloak supports HTTP access logging to record details of incoming HTTP requests. While access logs are often used for debugging and traffic analysis, they are also important for security auditing and compliance monitoring.

For more information, see Configuring logging.

Showing context information in log messages (preview)

You can now add context information via the mapped diagnostic context (MDC) to each log message like the realm or the client that initiated the request. This helps you to track down a warning or error message in the log to a specific caller or environment Thank you to Björn Eickvonder for contributing this.

For more details on this opt-in feature, see Configuring logging.

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

New features

• #​19732 "linked-accounts" endpoint displays all Identity providers account/api
• #​40237 Add option "Requires short state parameter" to OIDC IDP authentication
• #​40696 Wrap deprecated passkeys authenticator behind the feature authentication/webauthn
• #​41316 Test suites config for the new test framework test-framework
• #​41357 Disable tests for specific databases and servers in test framework test-framework
• #​42313 Experimental SPIFFE identity provider
• #​42742 Supported EnterpriseDB Advanced 17
• #​42743 Supported Azure SQL

Enhancements

• #​10063 Display transport media for WebAuthn authenticators in Account console account/ui
• #​14644 External IDP tokens are not refreshed automatically for OAuth2 & OIDC IDPs when retrieving the external token identity-brokering
• #​17028 SAML: Adapter SP seamless certificate rotation saml
• #​19213 Allow enabling debug and verbose via environment variables dist/quarkus
• #​21816 Expose Keycloak config errors in the Keycloak CR status field operator
• #​22730 REST API returns different amount of users admin/api
• #​23972 Improve handling config options in scripts preventing re-augmentation
• #​25668 Remove duplication of MP config initialization dist/quarkus
• #​26277 DPoP: Allow to only DPoP-bind refresh tokens and still issue access tokens of type Bearer oidc
• #​26995 Bad performance when requesting events of a user
• #​27025 Move import/export validation to the Property Mappers dist/quarkus
• #​28846 Allow the target attribute on in the kcSanitize core
• #​29295 Exact match in users/count
• #​30095 High Availability guides should make distinction between single-site and multi-site deployments docs
• #​31285 Make domains for organisations optional
• #​32129 Automatically create external caches for MULTI_SITE deployments
• #​32569 Verify email when using UPDATE_EMAIL action without depending on realm wide setting
• #​33942 Make sure Keycloak endpoints have DPoP validation oidc
• #​34114 Operator: Support ConfigMaps for `Keycloak.spec.truststores`
• #​34206 Move to single approach for setting `Robots` specifications: prefer `X-Robots-Tag` header to `` tags core
• #​34244 Enable branding without code changes
• #​34777 [Operator] Use TLS secret for Ingress operator
• #​35441 Add FAPI 2.0 + DPoP security profile as default profile of client policies oidc
• #​36160 Default values for User attributes.
• #​36268 Configuration is not available outside of quarkus modules
• #​37363 Allow custom labels on Operator Ingress operator
• #​37600 Experimental support for authenticating clients with Kubernetes Service Accounts
• #​38126 Improve documentation for the HEALTHCHECK Dockerfile directive docs
• #​38897 Add WASM support to the MimeTypeUtil
• #​39293 [OID4VCI] Update credential format identifier of SD-JWT VCs from `vc+sd-jwt` to `dc+sd-jwt` oid4vc
• #​39299 Improve docs, and possibly defaults, around ldap pooling
• #​39342 Description for using too many threads / connections is incomplete core
• #​39658 OpenTelemetry Tracing: Visualize JGroups communication infinispan
• #​39812 Add filter to include/fill MDC with request specific data for json logging
• #​40061 Redundant null-checks. SAST
• #​40067 Always null field in KeySelectorUtilizingKeyNameHint. SAST
• #​40069 Possible dereference of Null
• #​40226 Review and update the documentation regarding the UPDATE EMAIL feature
• #​40227 Make UPDATE_EMAIL a supported feature
• #​40231 Improve javadoc for admin-client methods with injecting own resteasyClient admin/client-java
• #​40296 Update docs how to verify that a cluster has formed
• #​40377 Allow to expose IDP custom config values to Keycloak themes
• #​40388 Write documentation for additional datasources docs
• #​40406 Create ServiceMonitor via KC Operator
• #​40464 Improve extensibility of custom AccountConsole endpoint handling account/ui
• #​40481 Provide CLI Parameters for jgroups.* options infinispan
• #​40592 Upgrade to the Quarkus 3.24.2 version dist/quarkus
• #​40619 When editing protocol mappers, shows required properties admin/ui
• #​40629 Signs of fall-through behavior. SAST
• #​40630 Double check when working with multithreading. SAST
• #​40659 Possible Dereference of Null. SAST
• #​40660 Resources leak. SAST
• #​40677 Redundant null checks - operator new. SAST
• #​40683 Remove workaround for handling Syslog counting framing
• #​40687 Remove workaround for PostgreSQL and Liquibase
• #​40739 Avoid floating promises in UI code account/ui
• #​40761 Change naming for disabling additional datasource
• #​40792 Changing default passwordless webauthn policy to follow recommended values in the documentation authentication/webauthn
• #​40851 Upgrade to Infinispan 15.0.16.Final
• #​40855 External-internal token exchange independent from FGAP v1 token-exchange/federated
• #​40858 Check cluster is correctly formed in ClusteredKeycloakServer test-framework
• #​40874 Update code and documentation for import of a new realm
• #​40875 Improve memory footprint of single file realm import
• #​40923 Compliant with RFC8414, return server metadata at /.well-known/oauth-authorization-server/realms/{realm} core
• #​40926 More secure call of Facebook debug token token-exchange/federated
• #​40933 Allow configure encryption details for SAML clients saml
• #​40962 Update limitations of the preview feature rolling updates for patch releases infinispan
• #​40970 Run clustering compatibility tests on release/x.y branches
• #​41014 Operator auto update hash operator
• #​41022 Allow Features to declare that they support Rolling upgrades
• #​41034 Improve logging for client sessions load
• #​41045 Update email feature only enabled if the required action is enabled at the realm
• #​41074 Import client sessions into Infinispan concurrently for persistent sessions
• #​41119 FAPI 2.0 Security Profile Final - only accept its issuer identifier value as a string in the aud claim received in client authentication assertions oidc
• #​41120 FAPI 2.0 Security Profile Final - Add FAPI 2.0 Final security profile as default profile of client policies oidc
• #​41121 FAPI 2.0 Security Profile Final - Documentation oidc
• #​41138 Implement CompatibilityMetadataProvider for Cache CLI args
• #​41151 Update Traditional Chinese locale to latest version
• #​41161 Require setting DB kind for additional datasources dist/quarkus
• #​41172 Upgrade to Quarkus 3.24.3
• #​41176 Document supported OIDC/OAuth2 standards oidc
• #​41186 Upgrade to Quarkus 3.25.0 dist/quarkus
• #​41192 Improve handling of datasource name specified in `persistence.xml` files dist/quarkus
• #​41208 MDC logging should contain the authentication session and user session ID
• #​41214 Document configuration changes that prevent rolling updates
• #​41219 Document spi-user-sessions--infinispan--use-batches
• #​41222 Provide DB SQL options support for additional datasources dist/quarkus
• #​41229 Remove obsolete code for the Liquibase LogHistoryService core
• #​41239 Migrate to zh-Hans / zh-Hant for simplified and traditional Chinese translations
• #​41246 Upgrade to Quarkus 3.24.4 dist/quarkus
• #​41257 Upgrade to Infinispan 15.0.18.Final infinispan
• #​41259 Passkeys support in IdpUsernamePasswordForm authentication/webauthn
• #​41283 Update ua-parser to 1.6.1
• #​41293 Remove obsolete Liquibase FK snapshot generator storage
• #​41297 Implement CompatibilityMetadataProvider for DB options
• #​41303 Allow for health check on main interface
• #​41312 FAPI 2.0 Message Signing Final - Add FAPI 2.0 Final message singning as default profile of client policies oidc
• #​41313 FAPI 2.0 Message Signing Final - Documentation oidc
• #​41328 Utilise table to display Features
• #​41335 Kerberos "Server Principal" value should automatically trim leading/trailing whitespace
• #​41352 Provide simple HTTP access logs dist/quarkus
• #​41354 Avoid OTP when logging in with passkey
• #​41374 Upgrade to Quarkus 3.24.5 dist/quarkus
• #​41405 Add log details about client assertion for client authentication with Client-JWT
• #​41455 Adds TiDB into the database test matrix
• #​41459 Query parameter "claims" not forwarded to external provider identity-brokering
• #​41551 Support for key size 3072 in rsa-generated key providers
• #​41556 Switch passkeys to supported authentication/webauthn
• #​41557 Update passkeys documentation after they are supported docs
• #​41558 Ensure cache configuration has correct number of owners
• #​41559 Simplify Cache Configuration file by removing built-in cache configurations
• #​41561 Detect and handle KC split brain clusters
• #​41585 Refactor high-availability guide to include both single and multi cluster architectures
• #​41613 Ability to display 'authenticator provider' of the WebAuthn credential authentication/webauthn
• #​41625 Login[v2]: "Update email" screen is not polished login/ui
• #​41666 Default to stretched clusters on Kubernetes when possible
• #​41670 Allow forwarding the `claims` parameter from the initial authorization request to brokered OPs
• #​41717 Upgrade to Quarkus 3.25.2 dist/quarkus
• #​41729 Define default topologySpreadConstraints
• #​41765 Add Azerbaijani translations translations
• #​41766 Add the ability to set abritrary environment variables in Keycloak CR
• #​41820 Add a warning about provider jars
• #​41831 Improve autocomplete on mobile for OTP field
• #​41836 Add config option to Configure OTP action to automatically add RecoveryCodes action upon OTP creation.
• #​41837 Remove OIDCLoginProtocolService.certsHead() oidc
• #​41870 Kazakh (kk) locale support with translations translations
• #​41898 Clarify the documentation on automatic database schema downgrades core
• #​41901 FGAP v2: RESET_PASSWORD capability for USERS
• #​41933 Configure topology information in Infinispan
• #​41934 Infinispan 15.0.19.Final
• Mend Renovate. View the repository job log.