Red Hat build of Keycloak Supported Configurations

Every Red Hat® build of Keycloak (RHBK) release is tested, verified and supported on a variety of Red Hat® OpenShift platforms, Operating Systems, Java™ Virtual Machines (JVMs), and Databases combination. Red Hat provides both production and development support for supported configurations and tested integrations according to your subscription agreement in both physical and virtual environments. [1]

---

• Red Hat build of Keycloak 26.0.x
• Red Hat build of Keycloak 24.0.x
• Red Hat build of Keycloak 22.0.x

---

Red Hat build of Keycloak 26.0.x

Red Hat build of Keycloak 26.0.x Server Supported Configurations

Red Hat tests and supports the Red Hat build of Keycloak 26.0.x running in one of the following OpenShift, Operating Systems and JVMs platforms.

RHBK Server for OpenShift:

Support for Red Hat build of Keycloak on OpenShift is under the guidelines as defined in the knowledge article for Support of Red Hat Middleware products and components on Red Hat OpenShift. Also refer to the Red Hat OpenShift Container Platform Life Cycle Policy for details about the life cycle of each OpenShift release version.

RHBK Server	OpenShift Container Platform [2]	Chipset Architecture	Container Image / JVM
26.0.x	4.17, 4.16, 4.15, 4.14, 4.13, 4.12 [3]	x86_64, s390x [4], ppc64le [4]	ubi9/openjdk-17

RHBK Server for RHEL, Windows (and other OS):

RHBK Server	Operating System [5]	Chipset Architecture	Java Virtual Machine
26.0.x	Red Hat Enterprise Linux (RHEL) 9, 8	x86_64	Red Hat OpenJDK 21 & 17, Eclipse Adoptium Temurin 21 & 17
26.0.x	Windows Server 2022, 2019	x86_64	Red Hat OpenJDK 21 & 17, Eclipse Adoptium Temurin 21 & 17

RHBK Server for 3rd-party container environments (e.g other Kubernetes/xKS, Docker, etc.):

Red Hat does not, cannot test Red Hat build of Keycloak on every public cloud provider Kubernetes platform. Red Hat build of Keycloak Support on 3rd-party containerized/kubernetes environments is covered under this KBase article.

Red Hat build of Keycloak 26.0.x Server Tested and Supported Integrations

Tested Integrations are a defined set of specifically tested integrating technologies that represent the most common combinations that Red Hat customers are using. For these integrations, Red Hat has directly, or through certified partners, exercised a full range of platform tests as part of the product release process. Issues identified as part of this testing process are highlighted in release notes for each Red Hat build of Keycloak release.

Databases [6]:

The following databases and jdbc drivers are tested and certified as part of the latest release update version of Red Hat build of Keycloak 26.0.x (currently 26.0.5):

Databases	Tested Versions (JDBC Drivers Versions)	Supported Versions
PostgreSQL	16.4 (PostgreSQL Driver v42.6.0)	16.x, 15.x, 14.x, 13.x
MySQL	8.0.39 (MySQL Connector/J 8.0.33)	8.0 (LTS), 8.4 (LTS)
MariaDB	10.11 (MariaDB Connector/J 3.1.4)	10.11 (LTS), 10.6 (LTS)
Microsoft SQLServer	2022 (JDBC Driver 12.2 for SQL Server/12.2.0.jre11)	2022, 2019
Oracle	19c (19.3.0) (Oracle JDBC Driver v23.2.0.0)	19.3.0 (Note: Oracle RAC is also supported if using the same database engine version, aka 19.3.0)
Amazon Aurora PostgreSQL	16.1 (AWS JDBC driver wrapper)	16.x, 15.x

Multi-Site [7]:

The following are the tested and certified integrated components for Multi-Site High Availability support:

Component	Tested Versions	Supported Versions
Red Hat Data Grid	8.5.1	8.5.x
AWS Aurora PostgreSQL	16.1 (with AWS JDBC Driver Wrapper)	16.1+, 15.5+ (Note: Aurora PostgreSQL is the only tested, certified, and supported database for HA Multi-Site feature deployment for now.)

Refer to the KBase Article Multi-Site Support in Red Hat build of Keycloak - Frequently Asked Questions for more information on the Multi-Site support scope and further guidance.

User Federation / LDAP - Kerberos - SSSD:

User Federation has been tested with following directory providers:

Directory provider	Tested Versions	Supported Versions
Red Hat Directory Server (RHDS)	12	12, 11
Microsoft Active Directory	2019	2019, 2022
Microsoft Active Directory with Kerberos	2019	2019, 2022
Red Hat Enterprise Linux IdM	IdM RHEL 9	IdM RHEL 9, 8, 7
SSSD	FreeIPA/IdM RHEL 9	IdM RHEL 9, 8, 7

Web Browsers:

Red Hat build of Keycloak 26.0.x Administration Console has been tested with Google Chrome and Firefox, but supported with the following list of browsers:

Browser	Version
Chrome	latest
Firefox	latest
Edge	latest
Safari	latest

Red Hat build of Keycloak 26.0.x Client Adapters Tested and Supported Configurations

The OpenID Connect (OIDC) protocol is now widely supported across the Java Ecosystem and other popular frameworks. A much better interoperability and support is achieved by using the capabilities available from the technology stack of your applications platforms, such as your application server or framework. For example, Red Hat JBoss EAP version 8.x has a native built-in support for OIDC. This means that some of the Keycloak Client Adapters are now deprecated and no longer released starting with the Red Hat build of Keycloak 22.0 release version.
Red Hat build of Keycloak produces and supports the following Client Adapters for both OIDC and SAML based client applications, while maintaining full compatibility with the legacy RH-SSO 7.6 client adapters for their remaining life cycle.

RHBK 26.0.x Server Compatibility with RHBK OIDC Client Adapters:

Component/Framework	Client Adapter	Component/Framework Version
Node.js	RHBK 26.0 Node.js OIDC Adapter	Node.js 20 (LTS), Node.js 18 (LTS), 16 (LTS)
Node.js	RHBK 24.0 Node.js OIDC Adapter	Node.js 20 (LTS), Node.js 18 (LTS), 16 (LTS)
JavaScript	RHBK 26.0 Client-side JavaScript Adapter	All major web browsers
JavaScript	RHBK 24.0 Client-side JavaScript Adapter	All major web browsers

Notes:
* For JBoss EAP 8.x, it is recommended to use the EAP Native OIDC support (i.e. Elytron OIDC) with the RHBK 26 AuthZ client.
* For Spring Boot 3.x, it is recommended to use the Spring Security native OIDC support, with the RHBK 26 AuthZ client.

RHBK 26.0.x Server Compatibility with RHBK SAML Client Adapters:

Component/Framework	Client Adapter	Component/Framework Version
JBoss EAP 8.x	RHBK 26.0 SAML Client Adapter	EAP 8.x
JBoss EAP 8.x	RHBK 24.0 SAML Client Adapter	EAP 8.x

RHBK 26.0.x Server Compatibility with RH-SSO 7.6 Client-side Adapters:

Component/Framework	Client Adapter	Component/Framework Version	Client-side JVM
JBoss EAP 7.x	RH-SSO 7.6 OIDC Client Adapter for JBoss EAP 7	EAP 7.4	Oracle JDK 1.8, 11 ; IBM JDK 1.8 ; Red Hat OpenJDK 1.8, 11, 17
JBoss EAP 7.x	RH-SSO 7.6 SAML Adapter for JBoss EAP 7	EAP 7.4	Oracle JDK 1.8, 11 ; IBM JDK 1.8 ; Red Hat OpenJDK 1.8, 11, 17
JBoss Fuse 7.x	RH-SSO 7.6 OIDC Client Adapter for Fuse 7	Fuse 7.12+	Red Hat OpenJDK 1.8, 11 ; Oracle JDK 1.8, 11 ; IBM JDK 1.8
Spring Boot 2.x	RH-SSO 7.6 OIDC Client Adapter for Spring Boot 2	SpringBoot 2.7	Red Hat OpenJDK 1.8, 11 ; Oracle JDK 1.8, 11 ; IBM JDK 1.8
Servlet Filter	RH-SSO 7.6 Client Adapter for Servlet Filters	Any Java Servlet AppServer platform	Red Hat OpenJDK 1.8, 11 ; Oracle JDK 1.8, 11 ; IBM JDK 1.8

---

Red Hat build of Keycloak 24.0.x

Red Hat build of Keycloak 24.0.x Server Supported Configurations

Red Hat tests and supports the Red Hat build of Keycloak 24.0.x running in one of the following OpenShift, Operating Systems and JVMs platforms.

RHBK Server for OpenShift:

Support for Red Hat build of Keycloak on OpenShift is under the guidelines as defined in the knowledge article for Support of Red Hat Middleware products and components on Red Hat OpenShift. Also refer to the Red Hat OpenShift Container Platform Life Cycle Policy for details about the life cycle of each OpenShift release version.

RHBK Server	OpenShift Container Platform [2]	Chipset Architecture	Container Image / JVM
24.0.x	4.17, 4.16, 4.15, 4.14, 4.13, 4.12 [3]	x86_64, s390x [4], ppc64le [4]	ubi9/openjdk-17

RHBK Server for RHEL, Windows (and other OS):

RHBK Server	Operating System [5]	Chipset Architecture	Java Virtual Machine
24.0.x	Red Hat Enterprise Linux (RHEL) 9, 8	x86_64	Red Hat OpenJDK 17, Eclipse Adoptium Temurin 17
24.0.x	Windows Server 2022, 2019	x86_64	Red Hat OpenJDK 17, Eclipse Adoptium Temurin 17

RHBK Server for 3rd-party container environments (e.g other Kubernetes/xKS, Docker, etc.):

Red Hat does not, cannot test Red Hat build of Keycloak on every public cloud provider Kubernetes platform. Red Hat build of Keycloak Support on 3rd-party containerized/kubernetes environments is covered under this KBase article.

Red Hat build of Keycloak 24.0.x Server Tested and Supported Integrations

Tested Integrations are a defined set of specifically tested integrating technologies that represent the most common combinations that Red Hat customers are using. For these integrations, Red Hat has directly, or through certified partners, exercised a full range of platform tests as part of the product release process. Issues identified as part of this testing process are highlighted in release notes for each Red Hat build of Keycloak release.

Databases [6]:

The following databases and jdbc drivers are tested and certified as part of the latest release update version of Red Hat build of Keycloak 24.0.x (currently 24.0.8):

Databases	Tested Versions (JDBC Drivers Versions)	Supported Versions
PostgreSQL	16.4 (PostgreSQL Driver v42.6.0)	16.x, 15.x, 14.x, 13.x
MySQL	8.0.39 (MySQL Connector/J 8.0.33)	8.0 (LTS), 8.4 (LTS)
MariaDB	10.11 (MariaDB Connector/J 3.1.4)	10.11 (LTS), 10.6 (LTS)
Microsoft SQLServer	2022 (JDBC Driver 12.2 for SQL Server/12.2.0.jre11)	2022, 2019
Oracle	19c (19.3.0) (Oracle JDBC Driver v23.2.0.0)	19.3.0 (Note: Oracle RAC is also supported if using the same database engine version, aka 19.3.0)
Amazon Aurora PostgreSQL	16.1 (AWS JDBC driver wrapper)	16.x, 15.x

Multi-Site [7]:

The following are the tested and certified integrated components for Multi-Site High Availability Active/Passive support:

Component	Tested Versions	Supported Versions
Red Hat Data Grid	8.4.7	8.4.7+
AWS Aurora PostgreSQL	16.1 (with AWS JDBC Driver Wrapper)	16.1+, 15.5+ (Note: Aurora PostgreSQL is the only tested, certified, and supported database for Multi-Site deployment for now.)

Refer to this KBase article for more information on the Multi-Site support scope with Frequently Asked Questions.

User Federation / LDAP - Kerberos - SSSD:

User Federation has been tested with following directory providers:

Directory provider	Tested Versions	Supported Versions
Red Hat Directory Server (RHDS)	12	12, 11
Microsoft Active Directory	2019	2019, 2022
Microsoft Active Directory with Kerberos	2019	2019, 2022
Red Hat Enterprise Linux IdM	IdM RHEL 9	IdM RHEL 9, 8, 7
SSSD	FreeIPA/IdM RHEL 9	IdM RHEL 9, 8, 7

Web Browsers:

Red Hat build of Keycloak 24.0.x Administration Console has been tested with Google Chrome and Firefox, but supported with the following list of browsers:

Browser	Version
Chrome	latest
Firefox	latest
Edge	latest
Safari	latest

Red Hat build of Keycloak 24.0.x Client Adapters Tested and Supported Configurations

The OpenID Connect (OIDC) protocol is now widely supported across the Java Ecosystem and other popular frameworks. A much better interoperability and support is achieved by using the capabilities available from the technology stack of your applications platforms, such as your application server or framework. For example, Red Hat JBoss EAP version 8.x has a native built-in support for OIDC. This means that some of the Keycloak Client Adapters are now deprecated and no longer released starting with the Red Hat build of Keycloak 22.0 release version.
Red Hat build of Keycloak produces and supports the following Client Adapters for both OIDC and SAML based client applications, while maintaining full compatibility with the legacy RH-SSO 7.6 client adapters for their remaining life cycle.

RHBK 24.0.x Server Compatibility with RHBK OIDC Client Adapters:

Component/Framework	Client Adapter	Component/Framework Version
Node.js	RHBK 24.0 Node.js OIDC Adapter	Node.js 16 (LTS), 18 (LTS)
Node.js	RHBK 22.0 Node.js OIDC Adapter	Node.js 16 (LTS), 18 (LTS)
JavaScript	RHBK 24.0 Client-side JavaScript Adapter	All major web browsers
JavaScript	RHBK 22.0 Client-side JavaScript Adapter	All major web browsers

Notes:
* For JBoss EAP 8.x, it is recommended to use the EAP Native OIDC support (i.e. Elytron OIDC) with the RHBK 24 AuthZ client.
* For Spring Boot 3.x, it is recommended to use the Spring Security native OIDC support, with the RHBK 24 AuthZ client.

RHBK 24.0.x Server Compatibility with RHBK SAML Client Adapters:

Component/Framework	Client Adapter	Component/Framework Version
JBoss EAP 8.x	RHBK 24.0 SAML Client Adapter	EAP 8.x
JBoss EAP 8.x	RHBK 22.0 SAML Client Adapter	EAP 8.x

RHBK 24.0.x Server Compatibility with RH-SSO 7.6 Client-side Adapters:

Component/Framework	Client Adapter	Component/Framework Version	Client-side JVM
JBoss EAP 7.x	RH-SSO 7.6 OIDC Client Adapter for JBoss EAP 7	EAP 7.4	Oracle JDK 1.8, 11 ; IBM JDK 1.8 ; Red Hat OpenJDK 1.8, 11, 17
JBoss EAP 7.x	RH-SSO 7.6 SAML Adapter for JBoss EAP 7	EAP 7.4	Oracle JDK 1.8, 11 ; IBM JDK 1.8 ; Red Hat OpenJDK 1.8, 11, 17
JBoss Fuse 7.x	RH-SSO 7.6 OIDC Client Adapter for Fuse 7	Fuse 7.12+	Red Hat OpenJDK 1.8, 11 ; Oracle JDK 1.8, 11 ; IBM JDK 1.8
Spring Boot 2.x	RH-SSO 7.6 OIDC Client Adapter for Spring Boot 2	SpringBoot 2.7	Red Hat OpenJDK 1.8, 11 ; Oracle JDK 1.8, 11 ; IBM JDK 1.8
Servlet Filter	RH-SSO 7.6 Client Adapter for Servlet Filters	Any Java Servlet AppServer platform	Red Hat OpenJDK 1.8, 11 ; Oracle JDK 1.8, 11 ; IBM JDK 1.8

---

Red Hat build of Keycloak 22.0.x

Red Hat build of Keycloak 22.0.x Server Supported Configurations

Red Hat tests and supports the Red Hat build of Keycloak 22.0.x running in one of the following OpenShift, Operating Systems and JVMs platforms.

RHBK Server for OpenShift:

Support for Red Hat build of Keycloak on OpenShift is under the guidelines as defined in the knowledge article for Support of Red Hat Middleware products and components on Red Hat OpenShift. Also refer to the Red Hat OpenShift Container Platform Life Cycle Policy for details about the life cycle of each OpenShift release version.

RHBK Server	OpenShift Container Platform [2]	Chipset Architecture	Container Image / JVM
22.0.x	4.17, 4.16, 4.15, 4.14, 4.13, 4.12 [3]	x86_64, s390x [4], ppc64le [4]	ubi9/openjdk-17

RHBK Server for RHEL, Windows (and other OS):

RHBK Server	Operating System [5]	Chipset Architecture	Java Virtual Machine
22.0.x	Red Hat Enterprise Linux (RHEL) 9, 8	x86_64	Red Hat OpenJDK 17, Eclipse Adoptium Temurin 17
22.0.x	Windows Server 2022, 2019	x86_64	Red Hat OpenJDK 17, Eclipse Adoptium Temurin 17

RHBK Server for 3rd-party container environments (e.g other Kubernetes/xKS, Docker, etc.):

Red Hat does not, cannot test Red Hat build of Keycloak on every public cloud provider Kubernetes platform. Red Hat build of Keycloak Support on 3rd-party containerized/kubernetes environments is covered under this KBase article.

Red Hat build of Keycloak 22.0.x Server Tested and Supported Integrations

Tested Integrations are a defined set of specifically tested integrating technologies that represent the most common combinations that Red Hat customers are using. For these integrations, Red Hat has directly, or through certified partners, exercised a full range of platform tests as part of the product release process. Issues identified as part of this testing process are highlighted in release notes for each Red Hat build of Keycloak release.

Databases [6]:

The following databases and jdbc drivers are tested and certified as part of the latest release update version of Red Hat build of Keycloak 22.0.x (currently 22.0.13):

Databases	Tested Versions (JDBC Drivers Versions)	Supported Versions
PostgreSQL	15.8 (PostgreSQL Driver v42.6.0)	16.x, 15.x, 14.x, 13.x
MySQL	8.0.39 (MySQL Connector/J 8.0.33)	8.0 (LTS), 8.4 (LTS)
MariaDB	10.11 (MariaDB Connector/J 3.1.4)	10.11 (LTS), 10.6 (LTS)
Microsoft SQLServer	2022 (JDBC Driver 12.2 for SQL Server/12.2.0.jre11)	2022, 2019
Oracle	19c (19.3.0) (Oracle JDBC Driver v23.2.0.0)	19.3.0 (Note: Oracle RAC is also supported if using the same database engine version, aka 19.3.0)

User Federation / LDAP - Kerberos - SSSD:

User Federation has been tested with following directory providers:

Directory provider	Tested Versions	Supported Versions
Red Hat Directory Server (RHDS)	11	11, 12
Microsoft Active Directory	2019	2019, 2022
Microsoft Active Directory with Kerberos	2019	2019, 2022
Red Hat Enterprise Linux IdM	IdM RHEL 7	IdM RHEL 7, 8, 9
SSSD	FreeIPA/IdM RHEL 9	IdM RHEL 7, 8, 9

Web Browsers:

Red Hat build of Keycloak 22.0.x Administration Console has been tested with Google Chrome and Firefox, but supported with the following list of browsers:

Browser	Version
Chrome	latest
Firefox	latest
Edge	latest
Safari	latest

Red Hat build of Keycloak 22.0.x Client Adapters Tested and Supported Configurations

The OpenID Connect (OIDC) protocol is now widely supported across the Java Ecosystem and other popular frameworks. A much better interoperability and support is achieved by using the capabilities available from the technology stack of your applications platforms, such as your application server or framework. For example, Red Hat JBoss EAP version 8.x has a native built-in support for OIDC. This means that some of the Keycloak Client Adapters are now deprecated and no longer released starting with the Red Hat build of Keycloak 22.0 release version.
Red Hat build of Keycloak produces and supports the following Client Adapters for both OIDC and SAML based client applications, while maintaining full compatibility with the legacy RH-SSO 7.6 client adapters for their remaining life cycle.

RHBK 22.0.x Server Compatibility with RHBK OIDC Client Adapters:

Component/Framework	Client Adapter	Component/Framework Version
Node.js	RHBK 22.0 Node.js OIDC Adapter	Node.js 16 (LTS), 18 (LTS)
JavaScript	RHBK 22.0 Client-side JavaScript Adapter	All major web browsers

Notes:
* For JBoss EAP 8.x, it is recommended to use the EAP Native OIDC support (i.e. Elytron OIDC) with the RHBK 22 AuthZ client.
* For Spring Boot 3.x, it is recommended to use the Spring Security native OIDC support, with the RHBK 22 AuthZ client.

RHBK 22.0.x Server Compatibility with RHBK SAML Client Adapters:

Component/Framework	Client Adapter	Component/Framework Version
JBoss EAP 8.x	RHBK 22.0 SAML Client Adapter	EAP 8.x

RHBK 22.0.x Server Compatibility with RH-SSO 7.6 Client-side Adapters:

Component/Framework	Client Adapter	Component/Framework Version	Client-side JVM
JBoss EAP 7.x	RH-SSO 7.6 OIDC Client Adapter for JBoss EAP 7	EAP 7.4	Oracle JDK 1.8, 11 ; IBM JDK 1.8 ; Red Hat OpenJDK 1.8, 11, 17
JBoss EAP 7.x	RH-SSO 7.6 SAML Adapter for JBoss EAP 7	EAP 7.4	Oracle JDK 1.8, 11 ; IBM JDK 1.8 ; Red Hat OpenJDK 1.8, 11, 17
JBoss Fuse 7.x	RH-SSO 7.6 OIDC Client Adapter for Fuse 7	Fuse 7.12+	Red Hat OpenJDK 1.8, 11 ; Oracle JDK 1.8, 11 ; IBM JDK 1.8
Spring Boot 2.x	RH-SSO 7.6 OIDC Client Adapter for Spring Boot 2	SpringBoot 2.7	Red Hat OpenJDK 1.8, 11 ; Oracle JDK 1.8, 11 ; IBM JDK 1.8
Servlet Filter	RH-SSO 7.6 Client Adapter for Servlet Filters	Any Java Servlet AppServer platform	Red Hat OpenJDK 1.8, 11 ; Oracle JDK 1.8, 11 ; IBM JDK 1.8

---

[1] Red Hat expects that customers will remain on a supported environment. In the event that a JVM, Operating System, Database, Database Driver, etc., or its version is not supported by its vendor, Red Hat may be limited in its ability to provide support and may require you to reproduce the issue in a tested and supported environment for continued assistance.

[2] Red Hat build of Keycloak is tested/certified on OpenShift Container Platform (OCP) and Red Hat OpenShift Service on AWS (ROSA, both Classic and HCP). But it is also supported to run on OpenShift Platform Plus (OPP), Microsoft Azure Red Hat OpenShift (ARO), Red Hat OpenShift Dedicated (OSD), and OpenShift Kubernetes Engine (OKE), though OKE users are not entitled to Red Hat build of Keycloak (refer to KBase article - Subscriptions or Entitlements Requirements for Red Hat build of Keycloak).

[3] Any Red Hat build of Keycloak release version is tested on the latest current and previous OCP 4.x minor updates that are available at the time of that given release. Older versions of OCP 4.x are also supported as long as they are under active support according to the OpenShift life cycle. However customers are highly encouraged to always use the most recently available version of Red Hat OpenShift to take advantage of the latest features, capabilities, and security improvements. Due to potential incompatibility issues or known limitations (e.g changes in Kubernetes APIs, unsupported features, etc.), customers may be required to upgrade to the tested/certified versions of OCP 4.x in order to continue receiving support.

[4] Red Hat build of Keycloak support for Systems Z and Power is limited to Red Hat OpenShift Container Platform.

[5] Microsoft Windows Server is a supported platform for the Red Hat build of Keycloak 22.0.9 release version and later. Other Linux distributions (other than RHEL) are not certified and supported platforms for Red Hat build of Keycloak. Some features (e.g. FIPS 140-2) may only work when Red Hat build of Keycloak runs in a RHEL-based environment (RHEL 8, 9).

[6] Red Hat supports the mentioned list of Databases that are tested and certified by QE. As an exception to this list of supported databases and their versions, a commercially reasonable support is available to customers running with AWS RDS PostgreSQL database. Refer to KBase article https://access.redhat.com/solutions/7044253 for more details.

[7] Refer to KBase article https://access.redhat.com/articles/7068127 or more information on the Multi-Site support scope with Frequently Asked Questions.