Releases: keycloak/keycloak-js
nightly
Bump @types/node from 25.2.0 to 25.2.1 (#261)

Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 25.2.0 to 25.2.1.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-version: 25.2.1
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
26.2.3
Highlights
This release of Keycloak JS addresses a regression that was introduced in version 26.2.2 affecting applications that use hash-based routing in combination with the fragment response mode.
Bug Fixes
URL hash fragments are now preserved correctly with 'fragment' response mode
A regression was introduced in version 26.2.2 that caused URL fragments with path-style routing (e.g., #/admin/maintenance/scripts) to be URL-encoded after the OAuth callback, breaking applications that use hash-based routing. This issue affected Angular, React, and other applications that rely on the hash portion of the URL for client-side routing.
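The following is an added example, not code from Keycloak JS. It separates OAuth response parameters from a hash route without re-encoding the route, and contrasts that with a form-encoding round trip, which is one way such encoding can arise. The callback URL shape, the parameter list and the function names are assumptions made for illustration.

```javascript
// Added example: hypothetical helpers, not Keycloak JS source.
// Parameters an authorization server may append in 'fragment' response mode.
const OAUTH_PARAMS = new Set([
  "code", "state", "session_state", "iss",
  "error", "error_description", "error_uri",
]);

// Split the callback fragment on '&', pull out the OAuth response parameters,
// and keep every other piece byte-for-byte so a hash route survives.
function splitFragmentResponse(callbackUrl) {
  const hashAt = callbackUrl.indexOf("#");
  if (hashAt === -1) return { cleanedUrl: callbackUrl, params: {} };

  const params = {};
  const kept = [];
  for (const piece of callbackUrl.slice(hashAt + 1).split("&")) {
    const eq = piece.indexOf("=");
    const key = eq === -1 ? piece : piece.slice(0, eq);
    if (eq !== -1 && OAUTH_PARAMS.has(key)) {
      params[key] = decodeURIComponent(piece.slice(eq + 1));
    } else if (piece !== "") {
      kept.push(piece); // route or app-owned data: do not re-encode
    }
  }
  const base = callbackUrl.slice(0, hashAt);
  return { cleanedUrl: kept.length ? `${base}#${kept.join("&")}` : base, params };
}

// Contrast: round-tripping the fragment through URLSearchParams form-encodes
// whatever is left, turning '/' into '%2F' and appending '='.
function viaSearchParams(callbackUrl) {
  const hashAt = callbackUrl.indexOf("#");
  if (hashAt === -1) return callbackUrl;
  const search = new URLSearchParams(callbackUrl.slice(hashAt + 1));
  for (const key of OAUTH_PARAMS) search.delete(key);
  const rest = search.toString();
  const base = callbackUrl.slice(0, hashAt);
  return rest ? `${base}#${rest}` : base;
}

// Constructed sample callback URL (placeholder values).
const SAMPLE =
  "https://app.example/#/admin/maintenance/scripts&state=abc123&session_state=s1&code=xyz789";
```

Removing `code` and `state` from the visible URL after the callback also keeps them out of browser history and later `Referer`-style leaks, so the cleanup step matters beyond routing.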
Upgrading
Before upgrading refer to the migration guide for a complete list of changes.
26.2.2
Highlights
This release of Keycloak JS focuses on addressing several regressions that were introduced by accident. We apologize for any inconvenience these issues may have caused and thank our community for reporting them quickly and helping to verify the fixes.
Bug Fixes
Destructuring public methods now works correctly
A regression was introduced that caused an error when destructuring public methods from a Keycloak instance. This pattern is commonly used in applications:
const { login, logout } = keycloak;
login(); // Previously failed with "Cannot read properties of undefined"

This issue has been resolved by binding all public methods to the class instance using arrow functions, ensuring that 'this' is always correctly scoped regardless of how the method is called.
Hash fragments are now preserved in redirect URIs
A regression caused hash fragments in URLs to be stripped from redirect URIs, which broke navigation in applications that rely on fragment-based routing. For example, when logging in to the Keycloak Admin Console with a URL like http://localhost:8080/admin/master/console/#/demo/users/add-user, the user would be redirected to the default page instead of the intended fragment after authentication.
This also caused issues where redirect URIs would have a trailing slash added unexpectedly, breaking login flows for OIDC servers that perform strict URI matching.
The next major version of Keycloak JS will start re-enforcing this constraint, as passing fragments in redirect URIs is not allowed according to the specification.
Redirect URLs on different domains now work correctly
A regression prevented redirect URLs from being on a different domain than the application origin, causing the navigation to fail with a security error. This affected users who use redirect services that forward authentication requests from an intermediate domain back to the application.
This behavior is likely to be changed in the future to only allow redirect URLs that are on the same origin as where Keycloak JS is initialized, in order to prevent possible open redirects. If this issue affects you please join the discussion.
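The following is an added example, not code from Keycloak JS. It sketches an application-side check that combines the constraints discussed above: no fragment in the redirect URI, same origin as the application, and exact-string matching, including the trailing-slash pitfall. The function names, the sample hosts and the `registered` list are assumptions made for illustration.

```javascript
// Added example: hypothetical policy check, not Keycloak JS source.
const fail = (reason) => ({ ok: false, reason });

// candidate: redirect URI about to be sent; appOrigin: where the app runs;
// registered: exact redirect URIs registered for the client (assumed input).
function checkRedirectUri(candidate, appOrigin, registered) {
  let url;
  try {
    url = new URL(candidate); // relative or malformed input throws
  } catch {
    return fail("not an absolute URL");
  }
  // Test the raw string: "https://app.example/cb#" has an empty url.hash.
  if (candidate.includes("#")) return fail("fragment not allowed");
  // Non-hierarchical schemes such as javascript: have origin "null" and fail here.
  if (url.origin !== new URL(appOrigin).origin) return fail("different origin");
  // Strict matching: compare the exact string, not a re-serialized URL.
  if (!registered.includes(candidate)) return fail("no exact match");
  return { ok: true, reason: "" };
}

// Re-serializing through URL adds a trailing slash to an origin-only URI,
// which is enough to break exact-match comparison on the server side.
function reserialize(uri) {
  return new URL(uri).href;
}

// Constructed sample values.
const APP_ORIGIN = "https://app.example";
const REGISTERED = ["https://app.example", "https://app.example/callback"];
```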
Upgrading
Before upgrading refer to the migration guide for a complete list of changes.
26.2.1
Highlights
This release of Keycloak JS is the first release after our initial announcement to split it off from the main project release cycle. This release is the result of a large internal refactor to make the code more maintainable and make use of modern JavaScript language features, as well as to introduce a new test suite with more comprehensive test coverage. Even though much has changed under the hood, this is a patch release, and there should be no breaking changes for users, only bugfixes and small enhancements.
Upgrading
Before upgrading refer to the migration guide for a complete list of changes.
26.2.0
Highlights
Today marks a significant milestone in the evolution of Keycloak JS with the release of version 26.2.0. This new version represents a shift in how the JavaScript adapter develops and evolves alongside the Keycloak ecosystem. Although this new version introduces no functional changes to the adapter, it does include several organizational changes.
The most notable change is that Keycloak JS now breaks free from the main Keycloak project’s release cycle. As announced earlier this year, the JavaScript adapter will follow its own independent development path. The separation from the main project allows for more frequent releases of features, bug fixes, and improved responsiveness to community feedback. The JavaScript adapter will continue to be backwards compatible with all actively supported releases of the Keycloak server, and deviation from this will be considered a breaking change.
The choice to use a higher version than the main project itself was made intentionally in order to signal to users the departure from Keycloak’s release cycle. We will however continue to commit to using Semantic Versioning, only bumping major versions if backwards incompatible changes are made, as is customary in the NPM ecosystem. Maintenance updates will continue to land in the 26.1.x series, as it is tied to the current stable release of the Keycloak server, but we encourage users to upgrade to new versions as needed.
Another significant change is the relocation of the codebase to its own dedicated repository. This structural adjustment is not just administrative—it represents a strategic move toward better maintainability. By separating the JavaScript adapter from the main Keycloak repository, the development team gains greater flexibility in managing the codebase and processing community contributions. If you are looking to provide contributions, or are reporting issues, please redirect your efforts here.
Looking ahead, we will be focussing on what is next for Keycloak JS. When it was originally released, only a few OpenID Connect adapters existed for client-side JavaScript, so we needed to make our own adapter. However, this landscape looks very different now, and there are many mature solutions available. The code for Keycloak JS requires modernization and has become challenging to maintain due to the growing complexity. We will continue to evaluate if it makes sense to keep refactoring Keycloak JS, incorporate some mature third-party libraries we can collaborate on, or even replace it with a well-established community solution.
Upgrading
Before upgrading refer to the migration guide for a complete list of changes.