Migration from older versions

To upgrade to a new version of Keycloak, first download and install the new version. You then have to migrate the database, keycloak-server.json, providers, themes and applications from the old version.

Migrate database

Keycloak provides automatic migration of the database. It's highly recommended that you back up your database prior to upgrading Keycloak. To enable automatic upgrading of the database when you're using a relational database, make sure databaseSchema is set to update for connectionsJpa:

    "connectionsJpa": {
        "default": {
            ...
            "databaseSchema": "update"
        }
    }

For MongoDB do the same, but for connectionsMongo:

    "connectionsMongo": {
        "default": {
            ...
            "databaseSchema": "update"
        }
    }

When you start the server with this setting, your database will automatically be migrated if the database schema has changed in the new version.

Migrate keycloak-server.json

You should copy standalone/configuration/keycloak-server.json from the old version to make sure any configuration changes you've made are carried over to the new installation. The version specific section below lists any changes to this file that you have to make when upgrading from one version to another.

Migrate providers

If you have implemented any SPI providers, you need to copy them to the new server. The version specific section below will mention if any of the SPIs have changed. If they have, you may have to update your code accordingly.

Migrate themes

If you have created a custom theme, you need to copy it to the new server. The version specific section below will mention if changes have been made to themes. If there are, you may have to update your themes accordingly.

Migrate application

If you deploy applications directly to the Keycloak server, you should copy them to the new server. For any applications, including those not deployed directly to the Keycloak server, you should upgrade the adapter. The version specific section below will mention if any changes are required to applications.

Version specific migration

Migrating from 1.1.Beta1 to 1.1.Beta2

- The Tomcat adapter valve has moved to a different package: from org.keycloak.adapters.tomcat7.KeycloakAuthenticatorValve to org.keycloak.adapters.tomcat.KeycloakAuthenticatorValve (from the 'tomcat7' package to just 'tomcat').
- The JavaScript adapter now has idToken and idTokenParsed properties. If you use idToken to retrieve first name, email, etc., you need to change this to idTokenParsed.
- The as7-eap-subsystem and keycloak-wildfly-subsystem have been merged into one keycloak-subsystem. If you have an existing standalone.xml or domain.xml, you will need to edit near the top of the file and change the extension module name to org.keycloak.keycloak-subsystem.

Migrating from 1.0.x.Final to 1.1.Beta1

- RealmModel JPA and Mongo storage schema has changed.
- UserSessionModel JPA and Mongo storage schema has changed as these interfaces have been refactored.
- Upgrade your adapters; old adapters are not compatible with Keycloak 1.1. We interpreted the JSON Web Token and OIDC ID Token specifications incorrectly. The 'aud' claim must be the client id; we were storing the realm name in there and validating it.
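
The 'aud' change above can be checked on tokens whose signature has already been verified. The following is an added example, not code from Keycloak or its adapters; it classifies the 'aud' claim as matching the client id, carrying the old realm-name value, missing, or mismatched. The function names, the realm "demo", the client id "customer-portal" and the sample tokens are constructed for illustration.

```python
import base64
import json


def jwt_claims(token):
    """Decode the payload segment of a compact JWT. No signature check is done here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated segments")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_audience(claims, client_id, realm):
    """Classify 'aud' as 'ok', 'legacy-realm-aud', 'missing' or 'mismatch'."""
    aud = claims.get("aud")
    if aud is None:
        return "missing"
    # 'aud' may be a single string or an array of strings.
    if isinstance(aud, str):
        audiences = [aud]
    elif isinstance(aud, list):
        audiences = aud
    else:
        return "mismatch"
    if client_id in audiences:
        return "ok"
    if realm in audiences:
        # Behaviour described in the note above: realm name stored in 'aud'.
        return "legacy-realm-aud"
    return "mismatch"


def make_sample_token(claims):
    """Build a constructed sample token with a placeholder signature segment."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256"}), enc(claims), "placeholder-signature"])


# Constructed samples: realm "demo", client id "customer-portal" (both hypothetical).
OLD_TOKEN = make_sample_token({"aud": "demo", "sub": "user-1"})
NEW_TOKEN = make_sample_token({"aud": "customer-portal", "sub": "user-1"})

if __name__ == "__main__":
    for name, tok in (("old", OLD_TOKEN), ("new", NEW_TOKEN)):
        print(name, check_audience(jwt_claims(tok), "customer-portal", "demo"))
```

A "legacy-realm-aud" result points at a token issued under the old interpretation, which is the reason old adapters and the new server cannot be mixed.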

Migrating from 1.0 RC-1 to RC-2

A lot of info level logging has been changed to debug. Also, a realm no longer has the jboss-logging audit listener by default. If you want log output when users log in, log out, change passwords, etc., enable the jboss-logging audit listener through the admin console.

Migrating from 1.0 Beta 4 to RC-1

The logout REST API has been refactored. The GET request on the logout URI does not take a session_state parameter anymore. You must be logged in in order to log out the session. You can also POST to the logout REST URI. This action requires a valid refresh token to perform the logout. The signature is the same as for refresh token, minus the grant type form parameter. See documentation for details.

Migrating from 1.0 Beta 1 to Beta 4

- LDAP/AD configuration has changed. It is no longer under the "Settings" page. It is now under Users->Federation. Add Provider will show you an "ldap" option.
- The Authentication SPI has been removed and rewritten. The new SPI is UserFederationProvider and is more flexible.
- The ssl-not-required property in the adapter config has been removed. It is replaced with ssl-required; valid values are all (require SSL for all requests), external (require SSL only for external requests) and none (SSL not required).
- DB Schema has changed again.
- Created applications now have a full scope by default. This means that you don't have to configure the scope of an application if you don't want to.
- The format of the JSON file for importing realm data has changed. Role mappings are now available under the JSON record of the particular user.

Migrating from 1.0 Alpha 4 to Beta 1

- DB Schema has changed. We have added export of the database to Beta 1, but not the ability to import the database from older versions. This will be supported in future releases.
- For all clients except bearer-only applications, you must specify at least one redirect URI. Keycloak will not allow you to log in unless you have specified a valid redirect URI for that application.
- Resource Owner Password Credentials flow is now disabled by default. It can be enabled by setting the toggle for Direct Grant API ON under realm config in the admin console.
- Configuration is now done through standalone/configuration/keycloak-server.json. This should mainly affect those that use MongoDB.
- The JavaScript adapter has been refactored. See the JavaScript adapter section for more details.
- The "Central Login Lifespan" setting no longer exists. Please see the Session Timeout section for more details.

Migrating from 1.0 Alpha 2 to Alpha 3

- SkeletonKeyToken, SkeletonKeyScope, SkeletonKeyPrincipal, and SkeletonKeySession have been renamed to AccessToken, AccessScope, KeycloakPrincipal, and KeycloakAuthenticatedSession respectively.
- The ServletOAuthClient.getBearerToken() method signature has changed. It now returns an AccessTokenResponse so that you can obtain a refresh token too.
- Adapters now check the access token expiration with every request. If the token is expired, they will attempt to invoke a refresh on the auth server using a saved refresh token.
- Subject in AccessToken has been changed to the User ID.

Migrating from 1.0 Alpha 1 to Alpha 2

- DB Schema has changed. We don't have any data migration utilities yet as of Alpha 2.
- JBoss and Wildfly adapters are now installed via a JBoss/Wildfly subsystem. Please review the adapter installation documentation. Edits to standalone.xml are now required.
- There is a new credential type "secret". Unlike other credential types, it is stored in plain text in the database and can be viewed in the admin console.
- There are no longer required Application or OAuth Client credentials. These client types are now hard-coded to use the "secret" credential type.
- Because of the "secret" credential change to Application and OAuth Client, you'll have to update your keycloak.json configuration files and regenerate a secret within the Application or OAuth Client credentials tab in the administration console.