Enabling and disabling features

Keycloak has packed some functionality in features, including some disabled features, such as Technology Preview and deprecated features. Other features are enabled by default, but you can disable them if they do not apply to your use of Keycloak.

Enabling features

Some supported features, and all preview features, are disabled by default. To enable a feature, enter this command:

bin/kc.[sh|bat] build --features=<name>[,<name>]

For example, to enable docker and token-exchange, enter this command:

bin/kc.[sh|bat] build --features=docker,token-exchange

To enable all preview features, enter this command:

bin/kc.[sh|bat] build --features=preview

Disabling features

To disable a feature that is enabled by default, enter this command:

bin/kc.[sh|bat] build --features-disabled=<name>[,<name>]

For example to disable impersonation, enter this command:

bin/kc.[sh|bat] build --features-disabled=impersonation

You can disable all default features by entering this command:

bin/kc.[sh|bat] build --features-disabled=default

This command can be used in combination with features to explicitly set what features should be available. If a feature is added both to the features-disabled list and the features list, it will be enabled.

Supported features

The following list contains supported features that are enabled by default, and can be disabled if not needed.

account-api

Account Management REST API

account2

New Account Management Console

admin-api

Admin API

admin2

New Admin Console

authorization

Authorization Service

ciba

OpenID Connect Client Initiated Backchannel Authentication (CIBA)

client-policies

Client configuration policies

impersonation

Ability for admins to impersonate users

par

OAuth 2.0 Pushed Authorization Requests (PAR)

step-up-authentication

Step-up Authentication

web-authn

W3C Web Authentication (WebAuthn)

Disabled by default

The following list contains supported features that are disabled by default, and can be enabled if needed.

docker

Docker Registry protocol

Preview features

Preview features are disabled by default and are not recommended for use in production. These features may change or be removed at a future release.

admin-fine-grained-authz

Fine-Grained Admin Permissions

client-secret-rotation

Client Secret Rotation

declarative-user-profile

Configure user profiles using a declarative style

openshift-integration

Extension to enable securing OpenShift

recovery-codes

Recovery codes

scripts

Write custom authenticators using JavaScript

token-exchange

Token Exchange Service

update-email

Update Email Action

Deprecated features

The following list contains deprecated features that will be removed in a future release. These features are disabled by default.

admin

Legacy Admin Console

Relevant options

Type Default

features

Enables a set of one or more features.

CLI: --features

Env: KC_FEATURES

authorization, account2, account-api, admin-fine-grained-authz, admin-api, admin, admin2, docker, impersonation, openshift-integration, scripts, token-exchange, web-authn, client-policies, ciba, map-storage, par, declarative-user-profile, dynamic-scopes, client-secret-rotation, step-up-authentication, recovery-codes, update-email, preview

features-disabled

Disables a set of one or more features.

CLI: --features-disabled

Env: KC_FEATURES_DISABLED

authorization, account2, account-api, admin-fine-grained-authz, admin-api, admin, admin2, docker, impersonation, openshift-integration, scripts, token-exchange, web-authn, client-policies, ciba, map-storage, par, declarative-user-profile, dynamic-scopes, client-secret-rotation, step-up-authentication, recovery-codes, update-email, preview