fix(deps): update keycloakclientversion to v26 (major)

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
org.keycloak:keycloak-core (source)	25.0.6 -> 26.4.0
org.keycloak:keycloak-admin-client (source)	25.0.6 -> 26.0.7

---

Release Notes

keycloak/keycloak (org.keycloak:keycloak-core)

v26.4.0

Compare Source

Highlights

This release features new capabilities focused on security enhancements, deeper integration, and improved server administration. The highlights of this release are:

• Passkeys for seamless, passwordless authentication of users.

• Federated Client Authentication to use SPIFFE or Kubernetes service account tokens for client authentication.

• Simplified deployments across multiple availability zones to boost availability.

• FAPI 2 Final: Keycloak now supports the final specifications of FAPI 2.0 Security Profile and FAPI 2.0 Message Signing.

• DPoP: The OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP) is now fully supported. Improvements include the ability to bind only refresh tokens for public clients, and securing all Keycloak endpoints with DPoP tokens.

Read on to learn more about each new feature. If you are upgrading from a previous release, review also the changes listed in the upgrading guide.

Security and Standards

Passkeys integration (supported)

Passkeys are now seamlessly integrated in the Keycloak login forms using both conditional and modal UIs. To activate the integration in the realm, go to Authentication, Policies, Webauthn Passwordless Policy and switch Enable Passkeys to enabled.

For more information, see Passkeys.

FAPI 2 Final (supported)

Keycloak has support for the latest versions of FAPI 2 specifications. Specifications FAPI 2.0 Security Profile and FAPI 2.0 Message Signing are already promoted to Final and Keycloak supports them. Keycloak client policies support the final versions and corresponding client profiles for FAPI 2 are passing the FAPI conformance test suite.

Apart from some very minor polishing of existing policies, Keycloak has new client profiles (fapi-2-dpop-security-profile and fapi-2-dpop-message-signing) for the clients that use DPoP and are intended to be FAPI 2 compliant.

Thank you to Takashi Norimatsu for contributing this.

For more details, see the Securing applications Guides.

DPoP (supported)

Keycloak has support for OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP), which was a preview feature since Keycloak 23. Also, the supported version includes some improvements and minor capabilities of the DPoP feature such as the following:

• Possibility to make only refresh tokens of a public client to be DPoP bound and omit the binding of an access token.

• All Keycloak endpoints that are secured by bearer token can now handle DPoP tokens. This includes, for example, the Admin REST API and Account REST API.

• Possibility to require the dpop_jkt parameter in the OIDC authentication request.

Thanks to Takashi Norimatsu and Dmitry Telegin for their contributions to the DPoP feature.

For more information, see the DPoP section in the documentation.

FIPS 140-2 mode now supports EdDSA

With the upgrade to Bouncy Castle 2.1.x, the algorithm EdDSA can now be used.

Listing supported OAuth standards on one page

A new guide lists all implemented OpenID Connect related specifications. Thank you to Takashi Norimatsu for contributing this.

Integration

Federated client authentication (preview)

Identity providers are now able to federate client authentication. This allows clients to authenticate with SPIFFE JWT SVIDs, Kubernetes service account tokens, or tokens issued by an OpenID Connect identity provider.

This feature is currently preview, and expected to become supported in 26.5.

Automatic certificate management for SAML clients

The SAML clients can now be configured to automatically download the signing and encrypting certificates from the SP entity metadata descriptor endpoint. In order to use this new feature, in the client Settings tab, section Signature and Encryption, configure the Metadata descriptor URL option (the URL where the SP metadata information with the certificates is published) and activate Use metadata descriptor URL. The certificates will be automatically downloaded and cached in the public-key-storage SPI from that URL. This also allows for seamless rotation of certificates.

For more information, see Creating a SAML client in the Server Administration Guide.

Serving as an authorization server in MCP

MCP (Model Context Protocol) is an open-source standard for connecting AI applications to external systems. Using MCP, AI applications can connect to data sources, tools and workflows enabling them to access key information and perform tasks.

To comply with MCP specification, this version provides its OAuth 2.0 Server Metadata via a well-known URI whose format complies with RFC 8414 OAuth 2.0 Authorization Server Metadata specification. Therefore, Keycloak users can now use Keycloak as an authorization server for MCP.

The latest MCP specification 2025-06-18 additionally requires support for resource indicators which are currently not implemented in Keycloak.

Administration

Update Email Workflow (supported)

Users can now update their email addresses in a more secure and consistent flow. Accounts are forced to both re-authenticate and verify their emails before any account updates.

For more information, see Update Email Workflow.

Optional email domain for organizations

In earlier versions, each organization required at least one email domain, which was a limitation for some scenarios. Starting with this release, an email domain is optional. Thank you to Alexis Rico for contributing this.

When no domain is specified, organization members will not be validated against domain restrictions during authentication and profile validation.

Hiding identity providers from the Account Console

You can now control which identity providers appear in the Account Console based on different options using the Show in Account console setting. You can choose to show only those linked with a user or hide them completely.

For more information, see General configuration.

Enforce recovery codes setup after setting up OTP

If you have enabled OTPs and recovery codes as a second factor for authentication, you can configure the OTP required action to ask users to set up recovery codes once they set up an OTP. Thank you to Niko Köbler for contributing this.

New conditional authenticator

The Conditional - credential is a new authenticator that checks if a specific credential type has been used (or not used) during the authentication process. This condition is related to the Passkeys feature. It is added by Keycloak to the default browser flow to skip 2FA in case a passkey was used to log in as the primary credential.

For more information about conditional flows, see Conditions in conditional flows.

Translations managed by Weblate

The Keycloak distribution now includes 35 community translations, with Kazakh, Azerbaijani and Slovenian added in this release. Community volunteers now maintain some of the translations in Weblate to keep them up to date.

If you want to volunteer to maintain an existing or a new translation via Weblate, you can find the necessary steps in the translation guidelines.

Configuring and Running

Enhancements for single-cluster and multi-cluster setups

This release renamed multi-site to multi-cluster. The updated documentation describes how Keycloak clusters can be optionally distributed across multiple availability-zones within a region for increased availability. The Keycloak Operator now deploys Keycloak across multiple availability zones within a Kubernetes cluster by default. Keycloak also detects split-brains within a cluster.

This change should provide better availability for users who are running Keycloak in Kubernetes clusters that span multiple availability zones.

Support for additional databases and versions

With this release, we added support for the following new database vendors:

• EnterpriseDB (EDB) Advanced 17.6

• Azure SQL Database and Azure SQL Managed Instance

Where the previous documentation stated only tested database version, it now states all the supported database versions as well.

Expose management interface via HTTP

Previous versions exposed the management endpoint only via HTTPS when the main interface was using HTTPS.

Set the new option http-management-scheme to http to have the management interface use HTTP rather than inheriting the HTTPS settings of the main interface. This allows monitoring those endpoints in environments where no TLS client is available.

Expose health endpoints on the main HTTP(S) port

With health-enabled set to true, you may set the http-management-health-enabled to false to indicate that health endpoints should be exposed on the main HTTP(s) port instead of the management port. When this option is false you should block unwanted external traffic to /health at your proxy.

This allows using the health endpoints in environments where the load balancer might need access to those ports to direct traffic to the correct nodes.

Specify a tlsSecret on the Keycloak CR ingress spec

To support basic TLS termination (edge) deployments by the operator, you may now set the Keycloak CR spec.ingress.tlsSecret field to a TLS Secret name in the namespace.

Additional datasources configuration (supported)

Some Keycloak use cases like User Federation might require connecting to additional databases. This was possible only through specifying unsupported raw Quarkus properties in previous Keycloak versions. In this release, there are now dedicated server options for additional datasources. This allows users to leverage additional databases in their extensions in a supported and user-friendly way.

Read more about it in the Configure multiple datasources guide.

Observability

Operator creates a ServiceMonitor automatically

The Operator now provisions a ServiceMonitor for the management endpoint if metrics are enabled and the monitoring.coreos.com/v1:ServiceMonitor Custom Resource Definition is present on the Kubernetes cluster. The specification of the ServiceMonitor takes into account the various management endpoint configurations, to ensure that metrics can be scraped without any additional configuration. If you do not want a ServiceMonitor to be created, you can disable this by setting spec.serviceMonitor.enabled: false. For more details, see the Operator Guide.

HTTP access logging of incoming HTTP requests

Keycloak supports HTTP access logging to record details of incoming HTTP requests. While access logs are often used for debugging and traffic analysis, they are also important for security auditing and compliance monitoring.

For more information, see Configuring logging.

Showing context information in log messages (preview)

You can now add context information via the mapped diagnostic context (MDC) to each log message like the realm or the client that initiated the request. This helps you to track down a warning or error message in the log to a specific caller or environment Thank you to Björn Eickvonder for contributing this.

For more details on this opt-in feature, see Configuring logging.

Upgrading

Before upgrading refer to the migration guide for a complete list of changes.

All resolved issues

New features

• #​19732 "linked-accounts" endpoint displays all Identity providers account/api
• #​40237 Add option "Requires short state parameter" to OIDC IDP authentication
• #​40696 Wrap deprecated passkeys authenticator behind the feature authentication/webauthn
• #​41316 Test suites config for the new test framework test-framework
• #​41357 Disable tests for specific databases and servers in test framework test-framework
• #​42313 Experimental SPIFFE identity provider
• #​42742 Supported EnterpriseDB Advanced 17
• #​42743 Supported Azure SQL

Enhancements

• #​10063 Display transport media for WebAuthn authenticators in Account console account/ui
• #​14644 External IDP tokens are not refreshed automatically for OAuth2 & OIDC IDPs when retrieving the external token identity-brokering
• #​17028 SAML: Adapter SP seamless certificate rotation saml
• #​19213 Allow enabling debug and verbose via environment variables dist/quarkus
• #​21816 Expose Keycloak config errors in the Keycloak CR status field operator
• #​22730 REST API returns different amount of users admin/api
• #​23972 Improve handling config options in scripts preventing re-augmentation
• #​25668 Remove duplication of MP config initialization dist/quarkus
• #​26277 DPoP: Allow to only DPoP-bind refresh tokens and still issue access tokens of type Bearer oidc
• #​26995 Bad performance when requesting events of a user
• #​27025 Move import/export validation to the Property Mappers dist/quarkus
• #​28846 Allow the target attribute on in the kcSanitize core
• #​29295 Exact match in users/count
• #​30095 High Availability guides should make distinction between single-site and multi-site deployments docs
• #​31285 Make domains for organisations optional
• #​32129 Automatically create external caches for MULTI_SITE deployments
• #​32569 Verify email when using UPDATE_EMAIL action without depending on realm wide setting
• #​33942 Make sure Keycloak endpoints have DPoP validation oidc
• #​34114 Operator: Support ConfigMaps for `Keycloak.spec.truststores`
• #​34206 Move to single approach for setting `Robots` specifications: prefer `X-Robots-Tag` header to `` tags core
• #​34244 Enable branding without code changes
• #​34777 [Operator] Use TLS secret for Ingress operator
• #​35441 Add FAPI 2.0 + DPoP security profile as default profile of client policies oidc
• #​36160 Default values for User attributes.
• #​36268 Configuration is not available outside of quarkus modules
• #​37363 Allow custom labels on Operator Ingress operator
• #​37600 Experimental support for authenticating clients with Kubernetes Service Accounts
• #​38126 Improve documentation for the HEALTHCHECK Dockerfile directive docs
• #​38897 Add WASM support to the MimeTypeUtil
• #​39293 [OID4VCI] Update credential format identifier of SD-JWT VCs from `vc+sd-jwt` to `dc+sd-jwt` oid4vc
• #​39299 Improve docs, and possibly defaults, around ldap pooling
• #​39342 Description for using too many threads / connections is incomplete core
• #​39658 OpenTelemetry Tracing: Visualize JGroups communication infinispan
• #​39812 Add filter to include/fill MDC with request specific data for json logging
• #​40061 Redundant null-checks. SAST
• #​40067 Always null field in KeySelectorUtilizingKeyNameHint. SAST
• #​40069 Possible dereference of Null
• #​40226 Review and update the documentation regarding the UPDATE EMAIL feature
• #​40227 Make UPDATE_EMAIL a supported feature
• #​40231 Improve javadoc for admin-client methods with injecting own resteasyClient admin/client-java
• #​40296 Update docs how to verify that a cluster has formed
• #​40377 Allow to expose IDP custom config values to Keycloak themes
• #​40388 Write documentation for additional datasources docs
• #​40406 Create ServiceMonitor via KC Operator
• #​40464 Improve extensibility of custom AccountConsole endpoint handling account/ui
• #​40481 Provide CLI Parameters for jgroups.* options infinispan
• #​40592 Upgrade to the Quarkus 3.24.2 version dist/quarkus
• #​40619 When editing protocol mappers, shows required properties admin/ui
• #​40629 Signs of fall-through behavior. SAST
• #​40630 Double check when working with multithreading. SAST
• #​40659 Possible Dereference of Null. SAST
• #​40660 Resources leak. SAST
• #​40677 Redundant null checks - operator new. SAST
• #​40683 Remove workaround for handling Syslog counting framing
• #​40687 Remove workaround for PostgreSQL and Liquibase
• #​40739 Avoid floating promises in UI code account/ui
• #​40761 Change naming for disabling additional datasource
• #​40792 Changing default passwordless webauthn policy to follow recommended values in the documentation authentication/webauthn
• #​40851 Upgrade to Infinispan 15.0.16.Final
• #​40855 External-internal token exchange independent from FGAP v1 token-exchange/federated
• #​40858 Check cluster is correctly formed in ClusteredKeycloakServer test-framework
• #​40874 Update code and documentation for import of a new realm
• #​40875 Improve memory footprint of single file realm import
• #​40923 Compliant with RFC8414, return server metadata at /.well-known/oauth-authorization-server/realms/{realm} core
• #​40926 More secure call of Facebook debug token token-exchange/federated
• #​40933 Allow configure encryption details for SAML clients saml
• #​40962 Update limitations of the preview feature rolling updates for patch releases infinispan
• #​40970 Run clustering compatibility tests on release/x.y branches
• #​41014 Operator auto update hash operator
• #​41022 Allow Features to declare that they support Rolling upgrades
• #​41034 Improve logging for client sessions load
• #​41045 Update email feature only enabled if the required action is enabled at the realm
• #​41074 Import client sessions into Infinispan concurrently for persistent sessions
• #​41119 FAPI 2.0 Security Profile Final - only accept its issuer identifier value as a string in the aud claim received in client authentication assertions oidc
• #​41120 FAPI 2.0 Security Profile Final - Add FAPI 2.0 Final security profile as default profile of client policies oidc
• #​41121 FAPI 2.0 Security Profile Final - Documentation oidc
• #​41138 Implement CompatibilityMetadataProvider for Cache CLI args
• #​41151 Update Traditional Chinese locale to latest version
• #​41161 Require setting DB kind for additional datasources dist/quarkus
• #​41172 Upgrade to Quarkus 3.24.3
• #​41176 Document supported OIDC/OAuth2 standards oidc
• #​41186 Upgrade to Quarkus 3.25.0 dist/quarkus
• #​41192 Improve handling of datasource name specified in `persistence.xml` files dist/quarkus
• #​41208 MDC logging should contain the authentication session and user session ID
• #​41214 Document configuration changes that prevent rolling updates
• #​41219 Document spi-user-sessions--infinispan--use-batches
• #​41222 Provide DB SQL options support for additional datasources dist/quarkus
• #​41229 Remove obsolete code for the Liquibase LogHistoryService core
• #​41239 Migrate to zh-Hans / zh-Hant for simplified and traditional Chinese translations
• #​41246 Upgrade to Quarkus 3.24.4 dist/quarkus
• #​41257 Upgrade to Infinispan 15.0.18.Final infinispan
• #​41259 Passkeys support in IdpUsernamePasswordForm authentication/webauthn
• #​41283 Update ua-parser to 1.6.1
• #​41293 Remove obsolete Liquibase FK snapshot generator storage
• #​41297 Implement CompatibilityMetadataProvider for DB options
• #​41303 Allow for health check on main interface
• #​41312 FAPI 2.0 Message Signing Final - Add FAPI 2.0 Final message singning as default profile of client policies oidc
• #​41313 FAPI 2.0 Message Signing Final - Documentation oidc
• #​41328 Utilise table to display Features
• #​41335 Kerberos "Server Principal" value should automatically trim leading/trailing whitespace
• #​41352 Provide simple HTTP access logs dist/quarkus
• #​41354 Avoid OTP when logging in with passkey
• #​41374 Upgrade to Quarkus 3.24.5 dist/quarkus
• #​41405 Add log details about client assertion for client authentication with Client-JWT
• #​41455 Adds TiDB into the database test matrix
• #​41459 Query parameter "claims" not forwarded to external provider identity-brokering
• #​41551 Support for key size 3072 in rsa-generated key providers
• #​41556 Switch passkeys to supported authentication/webauthn
• #​41557 Update passkeys documentation after they are supported docs
• #​41558 Ensure cache configuration has correct number of owners
• #​41559 Simplify Cache Configuration file by removing built-in cache configurations
• #​41561 Detect and handle KC split brain clusters
• #​41585 Refactor high-availability guide to include both single and multi cluster architectures
• #​41613 Ability to display 'authenticator provider' of the WebAuthn credential authentication/webauthn
• #​41625 Login[v2]: "Update email" screen is not polished login/ui
• #​41666 Default to stretched clusters on Kubernetes when possible
• #​41670 Allow forwarding the `claims` parameter from the initial authorization request to brokered OPs
• #​41717 Upgrade to Quarkus 3.25.2 dist/quarkus
• #​41729 Define default topologySpreadConstraints
• #​41765 Add Azerbaijani translations translations
• #​41766 Add the ability to set abritrary environment variables in Keycloak CR
• #​41820 Add a warning about provider jars
• #​41831 Improve autocomplete on mobile for OTP field
• #​41836 Add config option to Configure OTP action to automatically add RecoveryCodes action upon OTP creation.
• #​41837 Remove OIDCLoginProtocolService.certsHead() oidc
• #​41870 Kazakh (kk) locale support with translations translations
• #​41898 Clarify the documentation on automatic database schema downgrades core
• #​41901 FGAP v2: RESET_PASSWORD capability for USERS
• #​41933 Configure topology information in Infinispan
• #​41934 Infinispan 15.0.19.Final
• #​41950 Log applied cache configurations as part of debug logs
• #​42016 More flexible handling of params, headers and entities for SimpleHTTP
• #​42030 Could the list of supported DPoP algorithms be dynamically retrieved? oidc
• #​42031 Minor enhancements in the DPoP related codebase oidc
• #​42032 Switch DPoP feature to supported oidc
• #​42047 Skip configuring `jdbc-ping` stack in local mode
• #​42094 keycloak oob (out-of-band) copy button login/ui
• #​42096 Concurrently update the remote caches
• #​42180 Cache UserAgent parsing result
• #​42186 Document network latency requirements for stretched clusters
• #​42191 Document mtls considerations for probes
• #​42203 Upgrade to Quarkus 3.27 LTS
• #​42269 Some 409 API responses are missing from the OpenAPI spec core
• #​42274 Session IDs and auth codes have less than 128 bits of entropy
• #​42283 More efficient secure ID generator
• #​42286 Support EdDSA for DPoP oidc
• #​42293 Set Liquibase DB type based on the `db` option storage
• #​42300 Validate wait_timeout parameter on MySQL and MariaDB
• #​42304 Document tested and supported configurations for single-cluster deployments
• #​42305 Document that single-cluster deployments expect all Keycloak instances to serve traffic
• #​42308 Support Aurora PostgreSQL 17.5 in Keycloak's nightly run
• #​42342 Upgrade to Quarkus 3.26.2 dist/quarkus
• #​42356 Support MariaDB 11.8 LTS
• #​42358 Remove usage of the term "stretched" from single-cluster HA guides
• #​42374 Concurrent update embedded caches and database
• #​42381 [RLM] - Validate actions that support aggregating actions
• #​42382 [RLM] - Immediate policies should not allow setting a time to their actions
• #​42384 [RLM] Allow adding and removing actions to existing policies
• #​42385 [RLM] Scheduled time of actions should be based on the previous action
• #​42389 [RLM] Review the available event names to makre more explicit the resource type and the operation they are related to
• #​42392 Link to quay IO website for the Keycloak image in upstream docs
• #​42409 Wrong form to enter username and password for an unknown user organizations
• #​42499 Follow-up: FAPI 2.0 Message Signing final version support - updating the link to the final spec oidc
• #​42525 Catch specific expeception and add logging when there is no active request context
• #​42532 Edit Keycloak 26.4 release notes
• #​42547 Replace UUID with composite key for client session cache infinispan
• #​42564 Edit Keycloak 26.4 Upgrading Guide
• #​42628 Lazy load client sessions
• #​42697 [RLM] - Improve the Workflow JSON schema
• #​42705 Document Caffeine cache metrics
• #​42728 DPoP: documentation update oidc
• #​42733 Test JDK 25 in CI ci
• #​42740 Possibility to enforce authorization code binding to DPoP oidc
• #​42746 Polishing of client switch on DPoP oidc
• #​42751 Allow EdDSA keys in the JWTClientCredentialsProvider to authenticate clients core
• #​42755 [OID4VCI] Filter supported_enc_algorithms to only include asymmetric algorithms oid4vc
• #​42756 Add missing Swedish translation for login theme
• #​42888 [RLM] - Allow defining steps in a workflow that can run immediate or scheduled
• #​42916 [RLM] - Dot not allow updates to workflow properties that impact the scheduled steps workflows
• #​42927 Update OID4VCI documentation with new .well-known URL format oid4vc
• #​42955 Use JDK 25 Temurin in GHA CI ci
• #​43017 OID4VCI in the release notes for 26.4.0 docs
• #​43035 Allow setting max age to the update email action

Bugs

• #​26972 NginxProxySslClientCertificateLookupFactory unable to work with custom trust stores core
• #​35825 Per client session idle time capped by realm level client idle timeout core
• #​35932 Importing a realm takes more than 1 minute when multiple others exist. dist/quarkus
• #​36716 invalid_request when authenticating using PAR (Pushed Authorization Request) while Kerberos is enabled authentication
• #​38016 User session limit exceeded for both realm and client removes the wrong session core
• #​38556 Consistent behaviour for User API getUsers and count admin/api
• #​38924 `--debug` does not work with docker container version of Keycloak core
• #​38928 Can't install Keycloak Operator on OpenShift via OperatorHub on ARM operator
• #​39079 AuthenticationFlowException when a user tries a password grant using a service account authentication
• #​39091 Flaky test: org.keycloak.testsuite.cluster.JGroupsCertificateRotationClusterTest#testCoordinatorHasScheduleTask ci
• #​39122 Export fails with an unexpected error if the realm does not exist core
• #​39608 Getting Keycloak exception with request 500 status code on /account with semicolon in URL dist/quarkus
• #​39609 Users searchAttributes broken for empty value admin/client-java
• #​39766 [Keycloak Operator CI] - Test local apiserver - Kube API Server did not start properly ci
• #​39854 Flaky test: org.keycloak.testsuite.cluster.PermissionTicketInvalidationClusterTest#crudWithFailover ci
• #​39864 IdP redirect fails when user belongs to multiple organizations with organization:* scope organizations
• #​40160 Action Tokens Copy Nonce Into JTI core
• #​40192 REST Admin API - ClientsResource response with 200 OK even needed roles are missing admin/api
• #​40368 NPE during loading user groups with concurrent deletion storage
• #​40374 Random but frequent duplicate key value violates unique constraint \"constraint_offl_us_ses_pk2\" errors authentication
• #​40383 KC should connect to a writer instance of PostgreSQL automatically dist/quarkus
• #​40398 ModelDuplicateException on next login after deleting an account and back-channel logout authentication
• #​40463 Login to Account Console produces two consecutive LOGIN events account/ui
• #​40557 Uploading JSON import in UI causes extreme lag or entirely unresponsive page since 26.1 admin/ui
• #​40680 Inconsistency between UserModel.isMemberOf and RoleUtils.isMember (with LDAP involved) authentication
• #​40713 Unable to configure TLS reloading in Keycloak version 26.2.0 or later account/api
• #​40754 UserSession Offline removed from DB if not in cache infinispan
• #​40782 Flaky test: org.keycloak.testsuite.cluster.RealmInvalidationClusterTest#crudWithFailover ci
• #​40784 Default jdbc-ping cluster setup for distributed caches fails in Oracle infinispan
• #​40786 Typo in Consent Scope Representation account/api
• #​40788 Custom scope display name not shown in Account UI account/ui
• #​40818 Identity provider links list is limited to 100 entries for a user in the admin UI admin/ui
• #​40838 Mark options for additional datasources as preview dist/quarkus
• #​40857 Unbounded login_hint Parameter Can Corrupt KC_RESTART Cookie and Break Login Flow oidc
• #​40890 Keycloak Operator 26.3.0 fails to update to 26.3.0 operator
• #​40903 Proxy detection needs tweaked for insecure context warning dist/quarkus
• #​40930 Docs: server_development/topics/themes.adoc docs
• #​40932 [Operator] UpdateTest.testImageChange throws TimeoutException operator
• #​40935 NPE thrown when encoding a token without having a client se

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.