Skip to content

Upgrade of CERN SSO to Keycloak 26

Keycloak, the software behind CERN SSO service (Single Sign-On, at auth.cern.ch), will be upgraded from version 24 to version 26 in June 2025.

The QA instance of CERN SSO (at keycloak-qa.cern.ch) will be upgraded from version 24 to version 26 in May 2025.

If you are impacted by any of the following changes, we strongly encourage you to make sure that the change works for your test application on QA.

Impact to applications

  • keycloak-js is no longer served by upstream Keycloak. The recommended way is via: npm install keycloak-js. We will continue serving the javascript at the current URL (until the end of 2025) to give enough time to application owners to install it directly via a package manager.

  • Change in the client-initiated logout: remove the redirect_uri parameter entirely or replace it with the id_token_hint+post_logout_redirect_uri parameters. In general, old versions of the JS adapter (<18) still depend on this and logout will stop working for clients using them. post_logout_redirect_uri alone can be enough for application owners who ask for it (there is an advanced option in the admin console to make the id_token_hint unnecessary).

In case of major issues, there will be a possibility to roll back the change.