@renovate-bot-cbcoutinho

This PR contains the following updates:

Package | Update | Change
quay.io/keycloak/keycloak | minor | 26.4.7 → 26.5.0

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

@claude

claude bot commented Jan 6, 2026

Pull Request Review: Keycloak 26.5.0 Update

Summary

This PR updates the Keycloak Docker image from version 26.4.7 to 26.5.0 in the docker-compose.yml configuration. This is a minor version update managed by Renovate Bot.

Review Findings

Code Quality - APPROVED

  • Clean change: Single-line update with proper SHA256 digest pinning
  • Secure image reference: Uses digest-based pinning (@sha256:...) for reproducible builds
  • Follows conventions: Aligns with the project's Docker image management practices

Testing Requirements - VERIFIED

The project has comprehensive Keycloak test coverage:

  • Keycloak integration tests marked with pytest.mark.keycloak:
    • tests/server/oauth/test_keycloak_external_idp.py - External IdP integration (ADR-002)
    • tests/server/oauth/test_keycloak_dcr.py - Dynamic Client Registration
    • tests/integration/auth/test_token_exchange_standard_v2.py - RFC 8693 Standard V2
    • tests/integration/auth/test_token_exchange_legacy_v1.py - Legacy V1 impersonation
    • tests/integration/test_keycloak_token_exchange.py - Token exchange flows

Recommendation: CI/CD will automatically run the full test suite including Keycloak-specific tests. The integration tests should validate compatibility with 26.5.0.

Security - APPROVED

  • SHA256 pinning: Image digest ensures immutable reference
  • Minor version bump: Lower risk than major version updates
  • OAuth/OIDC compatibility: Keycloak 26.x series maintains stable OAuth2/OIDC endpoints

⚠️ Compatibility Considerations

Based on the codebase analysis:

  1. Keycloak Features Used:

    • --features=preview flag enables Legacy V1 token exchange (docker-compose.yml:221)
    • Realm import with custom configuration (keycloak/realm-export.json)
    • OIDC discovery endpoint for external IdP mode
    • Authorization Services for token exchange
    • Standard V2 (RFC 8693) and Legacy V1 token exchange support
  2. Previously Tested Version:

    • Documentation mentions testing with Keycloak 26.4.2 (docs/ADR-002-vector-sync-authentication.md:197)
    • Current update: 26.4.7 → 26.5.0 (minor version increment)
  3. Potential Breaking Changes:

    • ⚠️ Minor versions should be backward compatible, but Keycloak preview features can change
    • ⚠️ Token exchange is an experimental feature that may have behavior changes

📋 Recommendations

Before Merging:

  1. ✅ Wait for CI/CD tests to complete successfully
  2. ✅ Verify Keycloak integration tests pass (marked with @pytest.mark.keycloak)
  3. ⚠️ Manual validation recommended for token exchange flows due to preview feature usage

Testing Commands (if manual validation needed):

# Rebuild Keycloak container with new version
docker-compose up --build -d keycloak mcp-keycloak

# Run Keycloak-specific integration tests
uv run pytest -m keycloak -v

# Verify Keycloak health
curl http://localhost:8888/realms/nextcloud-mcp/.well-known/openid-configuration

Post-Merge Monitoring:

  • Monitor OAuth token exchange flows (both Standard V2 and Legacy V1)
  • Check for any deprecation warnings in Keycloak logs
  • Verify external IdP integration continues to function

Verdict: APPROVED ✅ (Conditional on CI/CD passing)

This is a low-risk dependency update with appropriate security practices (SHA pinning). The comprehensive test suite should catch any regressions. The primary concern is the experimental token exchange feature, but the minor version bump (26.4.7 → 26.5.0) suggests low likelihood of breaking changes.

Action: Approve and merge once CI/CD tests pass successfully.


Review generated by Claude Code following project conventions in CLAUDE.md

@cbcoutinho cbcoutinho merged commit a2c410e into master Jan 7, 2026
3 checks passed
@renovate-bot-cbcoutinho renovate-bot-cbcoutinho bot deleted the renovate/quay.io-keycloak-keycloak-26.x branch January 7, 2026 11:14
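
The digest pinning that the review credits (`@sha256:...`) can be enforced as a CI gate instead of being checked by eye on each Renovate bump. The following is an added example, not code from this pull request or the project; the compose excerpt, the `example.invalid` images, the digests and the function names are constructed for illustration.

```python
import re
import sys

# Constructed compose excerpt (NOT the project's docker-compose.yml).
# The digests are placeholders, not real image digests.
SAMPLE_COMPOSE = """\
services:
  keycloak:
    image: quay.io/keycloak/keycloak:26.5.0@sha256:{good}
  app:
    image: example.invalid/app:latest
  db:
    image: "example.invalid/db:16@sha256:abc123"
  # image: example.invalid/commented:1
""".format(good="a" * 64)

# An `image:` key at the start of a line (commented-out lines do not match).
IMAGE_LINE = re.compile(r"^\s*image:\s*['\"]?([^'\"\s#]+)")
# A well-formed sha256 digest is exactly 64 lowercase hex characters.
DIGEST = re.compile(r"sha256:[0-9a-f]{64}")

def classify(ref):
    """Return 'pinned', 'bad-digest' or 'unpinned' for one image reference."""
    _name, sep, digest = ref.partition("@")
    if not sep:
        return "unpinned"      # tag only: the registry decides what gets pulled
    return "pinned" if DIGEST.fullmatch(digest) else "bad-digest"

def audit(compose_text):
    """Map every image reference on an `image:` line to its pin status."""
    results = {}
    for line in compose_text.splitlines():
        match = IMAGE_LINE.match(line)
        if match:
            results[match.group(1)] = classify(match.group(1))
    return results

def failures(compose_text):
    """References that would fail a 'digest pinning required' policy."""
    return sorted(r for r, s in audit(compose_text).items() if s != "pinned")

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_COMPOSE
    for ref, status in audit(text).items():
        print(f"{status:10} {ref}")
    sys.exit(1 if failures(text) else 0)
```

Run with a compose file path as the only argument; a non-zero exit status means at least one image is referenced by tag alone or with a malformed digest.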