Chapter 11. Enabling and disabling features


Red Hat build of Keycloak has packed some functionality in features, including some disabled features, such as Technology Preview and deprecated features. Other features are enabled by default, but you can disable them if they do not apply to your use of Red Hat build of Keycloak.

11.1. Enabling features

Some supported features, and all preview features, are disabled by default. To enable a feature, enter this command:

bin/kc.[sh|bat] build --features="<name>[,<name>]"

For example, to enable docker and token-exchange, enter this command:

bin/kc.[sh|bat] build --features="docker,token-exchange"

To enable all preview features, enter this command:

bin/kc.[sh|bat] build --features="preview"

Enabled feature may be versioned, or unversioned. If you use a versioned feature name, e.g. feature:v1, that exact feature version will be enabled as long as it still exists in the runtime. If you instead use an unversioned name, e.g. just feature, the selection of the particular supported feature version may change from release to release according to the following precedence:

  1. The highest default supported version
  2. The highest non-default supported version
  3. The highest deprecated version
  4. The highest preview version
  5. The highest experimental version

11.2. Disabling features

To disable a feature that is enabled by default, enter this command:

bin/kc.[sh|bat] build --features-disabled="<name>[,<name>]"

For example to disable impersonation, enter this command:

bin/kc.[sh|bat] build --features-disabled="impersonation"

It is not allowed to have a feature in both the features-disabled list and the features list.

When a feature is disabled all versions of that feature are disabled.

11.3. Supported features

The following list contains supported features that are enabled by default, and can be disabled if not needed.

account-api
Account Management REST API
account3
Account Console version 3
admin-api
Admin API
admin2
New Admin Console
authorization
Authorization Service
ciba
OpenID Connect Client Initiated Backchannel Authentication (CIBA)
client-policies
Client configuration policies
device-flow
OAuth 2.0 Device Authorization Grant
hostname-v1
Hostname Options V1
impersonation
Ability for admins to impersonate users
js-adapter
Host keycloak.js and keycloak-authz.js through the Keycloak server
kerberos
Kerberos
par
OAuth 2.0 Pushed Authorization Requests (PAR)
step-up-authentication
Step-up Authentication
web-authn
W3C Web Authentication (WebAuthn)

11.3.1. Disabled by default

The following list contains supported features that are disabled by default, and can be enabled if needed.

docker
Docker Registry protocol
fips
FIPS 140-2 mode
multi-site
Multi-site support

11.4. Preview features

Preview features are disabled by default and are not recommended for use in production. These features may change or be removed at a future release.

admin-fine-grained-authz
Fine-Grained Admin Permissions
client-secret-rotation
Client Secret Rotation
dpop
OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer
recovery-codes
Recovery codes
scripts
Write custom authenticators using JavaScript
token-exchange
Token Exchange Service
update-email
Update Email Action

11.5. Deprecated features

The following list contains deprecated features that will be removed in a future release. These features are disabled by default.

account2
Account Console version 2
linkedin-oauth
LinkedIn Social Identity Provider based on OAuth
offline-session-preloading
Offline session preloading

11.6. Relevant options

 Value

features 🛠

Enables a set of one or more features.

CLI: --features
Env: KC_FEATURES

account-api[:v1], account2[:v1], account3[:v1], admin-api[:v1], admin-fine-grained-authz[:v1], admin2[:v1], authorization[:v1], ciba[:v1], client-policies[:v1], client-secret-rotation[:v1], client-types[:v1], declarative-ui[:v1], device-flow[:v1], docker[:v1], dpop[:v1], dynamic-scopes[:v1], fips[:v1], hostname[:v1], impersonation[:v1], js-adapter[:v1], kerberos[:v1], linkedin-oauth[:v1], login2[:v1], multi-site[:v1], offline-session-preloading[:v1], oid4vc-vci[:v1], par[:v1], preview, recovery-codes[:v1], scripts[:v1], step-up-authentication[:v1], token-exchange[:v1], transient-users[:v1], update-email[:v1], web-authn[:v1]

features-disabled 🛠

Disables a set of one or more features.

CLI: --features-disabled
Env: KC_FEATURES_DISABLED

account-api, account2, account3, admin-api, admin-fine-grained-authz, admin2, authorization, ciba, client-policies, client-secret-rotation, client-types, declarative-ui, device-flow, docker, dpop, dynamic-scopes, fips, impersonation, js-adapter, kerberos, linkedin-oauth, login2, multi-site, offline-session-preloading, oid4vc-vci, par, preview, recovery-codes, scripts, step-up-authentication, token-exchange, transient-users, update-email, web-authn

Red Hat logoGithubRedditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

© 2024 Red Hat, Inc.