KC 26.3.x: new `webAuthnPolicyPasswordlessPasskeysEnabled`/`verifiableCredentialsEnabled`/`adminPermissionsEnabled` fields

[shadow1runner]

Problem Statement

• Set up Keycloak v26.3.0, which has improved support for passkeys and make sure to enable the passkeys experimental feature:

  The Passkeys feature is still in preview. Follow the Enabling and disabling features guide to enable it.

• create a new realm

• in the new realm, head over to Authentication > Policies > Webauthn Passwordless Policy and turn On the Enable Passkeys, hit Save

• export the created realm, it now includes:

+ "webAuthnPolicyPasswordlessPasskeysEnabled": true,
+ "verifiableCredentialsEnabled": false,
+ "adminPermissionsEnabled": false,

• try to import the exported realm via keycloak-config-cli and observe the error, e.g. for webAuthnPolicyPasswordlessPasskeysEnabled:

d.a.k.config.KeycloakConfigRunner : Error Response: java.lang.IllegalArgumentException: Unrecognized field "webAuthnPolicyPasswordlessPasskeysEnabled
at [Source: UNKNOWN; byte offset: #UNKNOWN] (through reference chain: de.adorsys.keycloak.config.model.RealmImport["webAuthnPolicyPasswordlessPasskeysEnabled"])

Proposed Solution

• add support for webAuthnPolicyPasswordlessPasskeysEnabled
• add support for verifiableCredentialsEnabled
• add support for adminPermissionsEnabled

Environment

• Keycloak Version: 26.3.0
• keycloak-config-cli Version: [e.g. 5.11.1]
• Java Version: 21.0.7

Additional information

Full log:

d.a.k.config.KeycloakConfigRunner        : Error during Keycloak import: Unable to parse file 'file:/config/realm.json': Unrecognized field "web
 at [Source: UNKNOWN; byte offset: #UNKNOWN] (through reference chain: de.adorsys.keycloak.config.model.RealmImport["webAuthnPolicyPasswordlessPasskeysEnabled"])

de.adorsys.keycloak.config.exception.InvalidImportException: Unable to parse file 'file:/config/realm.json': Unrecognized field "webAuthnPolicyPasswordlessPasskeysEnabled" (class de.adorsys.keycloak.
 at [Source: UNKNOWN; byte offset: #UNKNOWN] (through reference chain: de.adorsys.keycloak.config.model.RealmImport["webAuthnPolicyPasswordlessPasskeysEnabled"])
    at de.adorsys.keycloak.config.provider.KeycloakImportProvider.readRealmImportFromImportResource(KeycloakImportProvider.java:214)
    at java.base/java.util.stream.ReferencePipeline$3$1.accept(Unknown Source)
    at java.base/java.util.stream.ReferencePipeline$3$1.accept(Unknown Source)
    at java.base/java.util.ArrayList.forEach(Unknown Source)
    at java.base/java.util.stream.SortedOps$RefSortingSink.end(Unknown Source)
    at java.base/java.util.stream.Sink$ChainedReference.end(Unknown Source)
    at java.base/java.util.stream.Sink$ChainedReference.end(Unknown Source)
    at java.base/java.util.stream.AbstractPipeline.copyInto(Unknown Source)
    at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(Unknown Source)
    at java.base/java.util.stream.ReduceOps$ReduceOp.evaluateSequential(Unknown Source)
    at java.base/java.util.stream.AbstractPipeline.evaluate(Unknown Source)
    at java.base/java.util.stream.ReferencePipeline.collect(Unknown Source)
    at de.adorsys.keycloak.config.provider.KeycloakImportProvider.readFromLocations(KeycloakImportProvider.java:128)
    at de.adorsys.keycloak.config.KeycloakConfigRunner.run(KeycloakConfigRunner.java:81)
    at org.springframework.boot.SpringApplication.lambda$callRunner$5(SpringApplication.java:790)
    at org.springframework.util.function.ThrowingConsumer$1.acceptWithException(ThrowingConsumer.java:83)
    at org.springframework.util.function.ThrowingConsumer.accept(ThrowingConsumer.java:60)
    at org.springframework.util.function.ThrowingConsumer$1.accept(ThrowingConsumer.java:88)
    at org.springframework.boot.SpringApplication.callRunner(SpringApplication.java:798)
    at org.springframework.boot.SpringApplication.callRunner(SpringApplication.java:789)
    at org.springframework.boot.SpringApplication.lambda$callRunners$3(SpringApplication.java:774)
    at java.base/java.util.stream.ForEachOps$ForEachOp$OfRef.accept(Unknown Source)
    at java.base/java.util.stream.SortedOps$SizedRefSortingSink.end(Unknown Source)
    at java.base/java.util.stream.AbstractPipeline.copyInto(Unknown Source)
    at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(Unknown Source)
    at java.base/java.util.stream.ForEachOps$ForEachOp.evaluateSequential(Unknown Source)
    at java.base/java.util.stream.ForEachOps$ForEachOp$OfRef.evaluateSequential(Unknown Source)
    at java.base/java.util.stream.AbstractPipeline.evaluate(Unknown Source)
    at java.base/java.util.stream.ReferencePipeline.forEach(Unknown Source)
    at org.springframework.boot.SpringApplication.callRunners(SpringApplication.java:774)
    at org.springframework.boot.SpringApplication.run(SpringApplication.java:342)
    at org.springframework.boot.SpringApplication.run(SpringApplication.java:1363)
    at org.springframework.boot.SpringApplication.run(SpringApplication.java:1352)
    at de.adorsys.keycloak.config.KeycloakConfigApplication.main(KeycloakConfigApplication.java:34)
    at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(Unknown Source)
    at java.base/java.lang.reflect.Method.invoke(Unknown Source)
    at org.springframework.boot.loader.launch.Launcher.launch(Launcher.java:102)
    at org.springframework.boot.loader.launch.Launcher.launch(Launcher.java:64)
    at org.springframework.boot.loader.launch.PropertiesLauncher.main(PropertiesLauncher.java:580)
Caused by: java.lang.IllegalArgumentException: Unrecognized field "webAuthnPolicyPasswordlessPasskeysEnabled" (class de.adorsys.keycloak.config.model.RealmImport), not marked as ignorable (146 known properties:
 at [Source: UNKNOWN; byte offset: #UNKNOWN] (through reference chain: de.adorsys.keycloak.config.model.RealmImport["webAuthnPolicyPasswordlessPasskeysEnabled"])
    at com.fasterxml.jackson.databind.ObjectMapper._convert(ObjectMapper.java:4624)
    at com.fasterxml.jackson.databind.ObjectMapper.convertValue(ObjectMapper.java:4555)
    at de.adorsys.keycloak.config.provider.KeycloakImportProvider.readContent(KeycloakImportProvider.java:231)
    at de.adorsys.keycloak.config.provider.KeycloakImportProvider.readRealmImportFromImportResource(KeycloakImportProvider.java:212)
    ... 38 common frames omitted
Caused by: com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException: Unrecognized field "webAuthnPolicyPasswordlessPasskeysEnabled" (class de.adorsys.keycloak.config.model.RealmImport), not marked as ign
 at [Source: UNKNOWN; byte offset: #UNKNOWN] (through reference chain: de.adorsys.keycloak.config.model.RealmImport["webAuthnPolicyPasswordlessPasskeysEnabled"])
    at com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException.from(UnrecognizedPropertyException.java:61)
    at com.fasterxml.jackson.databind.DeserializationContext.handleUnknownProperty(DeserializationContext.java:1153)
    at com.fasterxml.jackson.databind.deser.std.StdDeserializer.handleUnknownProperty(StdDeserializer.java:2241)
    at com.fasterxml.jackson.databind.deser.BeanDeserializerBase.handleUnknownProperty(BeanDeserializerBase.java:1793)
    at com.fasterxml.jackson.databind.deser.BeanDeserializerBase.handleUnknownVanilla(BeanDeserializerBase.java:1771)
    at com.fasterxml.jackson.databind.deser.BeanDeserializer.vanillaDeserialize(BeanDeserializer.java:316)
    at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserialize(BeanDeserializer.java:177)
    at com.fasterxml.jackson.databind.ObjectMapper._convert(ObjectMapper.java:4619)
    ... 41 common frames omitted

2025-07-03T21:18:16.243Z ERROR 1 --- [           main] d.a.k.config.KeycloakConfigRunner        : Error Response: java.lang.IllegalArgumentException: Unrecognized field "webAuthnPolicyPasswordlessPasskeysEnabled
 at [Source: UNKNOWN; byte offset: #UNKNOWN] (through reference chain: de.adorsys.keycloak.config.model.RealmImport["webAuthnPolicyPasswordlessPasskeysEnabled"])
2025-07-03T21:18:16.244Z  INFO 1 --- [           main] d.a.k.config.KeycloakConfigRunner        : keycloak-config-cli ran in 00:01.037.

Acceptance Criteria

No response

[octavian2204]

Same here: java.lang.IllegalArgumentException: Unrecognized field "verifiableCredentialsEnabled"

docker.io/bitnami/keycloak-config-cli: 6.4.0-debian-12-r8
docker.io/bitnami/keycloak: 26.2.5-debian-12-r3

2025-07-10T16:04:41.428Z ERROR 1 --- [           main] d.a.k.config.KeycloakConfigRunner        : Error during Keycloak import: Unable to parse file 'file:/config/marketplace-realm.json': Unrecognized field "verifiableCredentialsEnabled" (class de.adorsys.keycloak.config.model.RealmImport), not marked as ignorable (146 known properties: "userFederationMappers", "rememberMe", "duplicateEmailsAllowed", "adminEventsDetailsEnabled", "users", "clientOfflineSessionMaxLifespan", "webAuthnPolicyRequireResidentKey", "webAuthnPolicyPasswordlessAvoidSameAuthenticatorRegister", "components", "otpPolicyType", "accessCodeLifespanUserAction", "id", "webAuthnPolicyAttestationConveyancePreference", "enabledEventTypes", "applications", "webAuthnPolicyPasswordlessSignatureAlgorithms", "eventsListeners", "ssoSessionMaxLifespanRememberMe", "defaultDefaultClientScopes", "webAuthnPolicyPasswordlessCreateTimeout", "clientOfflineSessionIdleTimeout", "notBefore", "publicKey", "smtpServer", "clientPolicies", "resetPasswordAllowed", "webAuthnPolicyAvoidSameAuthenticatorRegister", "accessTokenLifespanForImplicitFlow", "webAuthnPolicyPasswordlessUserVerificationRequirement", "clientScopes", "internationalizationEnabled", "defaultRole", "accessTokenLifespan", "passwordCredentialGrantAllowed", "federatedUsers", "applicationScopeMappings" [truncated]])
 at [Source: UNKNOWN; byte offset: #UNKNOWN] (through reference chain: de.adorsys.keycloak.config.model.RealmImport["verifiableCredentialsEnabled"])
de.adorsys.keycloak.config.exception.InvalidImportException: Unable to parse file 'file:/config/marketplace-realm.json': Unrecognized field "verifiableCredentialsEnabled" (class de.adorsys.keycloak.config.model.RealmImport), not marked as ignorable (146 known properties: "userFederationMappers", "rememberMe", "duplicateEmailsAllowed", "adminEventsDetailsEnabled", "users", "clientOfflineSessionMaxLifespan", "webAuthnPolicyRequireResidentKey", "webAuthnPolicyPasswordlessAvoidSameAuthenticatorRegister", "components", "otpPolicyType", "accessCodeLifespanUserAction", "id", "webAuthnPolicyAttestationConveyancePreference", "enabledEventTypes", "applications", "webAuthnPolicyPasswordlessSignatureAlgorithms", "eventsListeners", "ssoSessionMaxLifespanRememberMe", "defaultDefaultClientScopes", "webAuthnPolicyPasswordlessCreateTimeout", "clientOfflineSessionIdleTimeout", "notBefore", "publicKey", "smtpServer", "clientPolicies", "resetPasswordAllowed", "webAuthnPolicyAvoidSameAuthenticatorRegister", "accessTokenLifespanForImplicitFlow", "webAuthnPolicyPasswordlessUserVerificationRequirement", "clientScopes", "internationalizationEnabled", "defaultRole", "accessTokenLifespan", "passwordCredentialGrantAllowed", "federatedUsers", "applicationScopeMappings" [truncated]])
 at [Source: UNKNOWN; byte offset: #UNKNOWN] (through reference chain: de.adorsys.keycloak.config.model.RealmImport["verifiableCredentialsEnabled"])
	at de.adorsys.keycloak.config.provider.KeycloakImportProvider.readRealmImportFromImportResource(KeycloakImportProvider.java:214)
	at java.base/java.util.stream.ReferencePipeline$3$1.accept(Unknown Source)
	at java.base/java.util.stream.ReferencePipeline$3$1.accept(Unknown Source)
	at java.base/java.util.ArrayList.forEach(Unknown Source)
	at java.base/java.util.stream.SortedOps$RefSortingSink.end(Unknown Source)
	at java.base/java.util.stream.Sink$ChainedReference.end(Unknown Source)
	at java.base/java.util.stream.Sink$ChainedReference.end(Unknown Source)
	at java.base/java.util.stream.AbstractPipeline.copyInto(Unknown Source)
	at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(Unknown Source)
	at java.base/java.util.stream.ReduceOps$ReduceOp.evaluateSequential(Unknown Source)
	at java.base/java.util.stream.AbstractPipeline.evaluate(Unknown Source)
	at java.base/java.util.stream.ReferencePipeline.collect(Unknown Source)
	at de.adorsys.keycloak.config.provider.KeycloakImportProvider.readFromLocations(KeycloakImportProvider.java:128)
	at de.adorsys.keycloak.config.KeycloakConfigRunner.run(KeycloakConfigRunner.java:81)
	at org.springframework.boot.SpringApplication.lambda$callRunner$5(SpringApplication.java:790)
	at org.springframework.util.function.ThrowingConsumer$1.acceptWithException(ThrowingConsumer.java:83)
	at org.springframework.util.function.ThrowingConsumer.accept(ThrowingConsumer.java:60)
	at org.springframework.util.function.ThrowingConsumer$1.accept(ThrowingConsumer.java:88)
	at org.springframework.boot.SpringApplication.callRunner(SpringApplication.java:798)
	at org.springframework.boot.SpringApplication.callRunner(SpringApplication.java:789)
	at org.springframework.boot.SpringApplication.lambda$callRunners$3(SpringApplication.java:774)
	at java.base/java.util.stream.ForEachOps$ForEachOp$OfRef.accept(Unknown Source)
	at java.base/java.util.stream.SortedOps$SizedRefSortingSink.end(Unknown Source)
	at java.base/java.util.stream.AbstractPipeline.copyInto(Unknown Source)
	at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(Unknown Source)
	at java.base/java.util.stream.ForEachOps$ForEachOp.evaluateSequential(Unknown Source)
	at java.base/java.util.stream.ForEachOps$ForEachOp$OfRef.evaluateSequential(Unknown Source)
	at java.base/java.util.stream.AbstractPipeline.evaluate(Unknown Source)
	at java.base/java.util.stream.ReferencePipeline.forEach(Unknown Source)
	at org.springframework.boot.SpringApplication.callRunners(SpringApplication.java:774)
	at org.springframework.boot.SpringApplication.run(SpringApplication.java:342)
	at org.springframework.boot.SpringApplication.run(SpringApplication.java:1363)
	at org.springframework.boot.SpringApplication.run(SpringApplication.java:1352)
	at de.adorsys.keycloak.config.KeycloakConfigApplication.main(KeycloakConfigApplication.java:34)
	at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(Unknown Source)
	at java.base/java.lang.reflect.Method.invoke(Unknown Source)
	at org.springframework.boot.loader.launch.Launcher.launch(Launcher.java:102)
	at org.springframework.boot.loader.launch.Launcher.launch(Launcher.java:64)
	at org.springframework.boot.loader.launch.PropertiesLauncher.main(PropertiesLauncher.java:580)
Caused by: java.lang.IllegalArgumentException: Unrecognized field "verifiableCredentialsEnabled" (class de.adorsys.keycloak.config.model.RealmImport), not marked as ignorable (146 known properties: "userFederationMappers", "rememberMe", "duplicateEmailsAllowed", "adminEventsDetailsEnabled", "users", "clientOfflineSessionMaxLifespan", "webAuthnPolicyRequireResidentKey", "webAuthnPolicyPasswordlessAvoidSameAuthenticatorRegister", "components", "otpPolicyType", "accessCodeLifespanUserAction", "id", "webAuthnPolicyAttestationConveyancePreference", "enabledEventTypes", "applications", "webAuthnPolicyPasswordlessSignatureAlgorithms", "eventsListeners", "ssoSessionMaxLifespanRememberMe", "defaultDefaultClientScopes", "webAuthnPolicyPasswordlessCreateTimeout", "clientOfflineSessionIdleTimeout", "notBefore", "publicKey", "smtpServer", "clientPolicies", "resetPasswordAllowed", "webAuthnPolicyAvoidSameAuthenticatorRegister", "accessTokenLifespanForImplicitFlow", "webAuthnPolicyPasswordlessUserVerificationRequirement", "clientScopes", "internationalizationEnabled", "defaultRole", "accessTokenLifespan", "passwordCredentialGrantAllowed", "federatedUsers", "applicationScopeMappings" [truncated]])
 at [Source: UNKNOWN; byte offset: #UNKNOWN] (through reference chain: de.adorsys.keycloak.config.model.RealmImport["verifiableCredentialsEnabled"])
	at com.fasterxml.jackson.databind.ObjectMapper._convert(ObjectMapper.java:4624)
	at com.fasterxml.jackson.databind.ObjectMapper.convertValue(ObjectMapper.java:4555)
	at de.adorsys.keycloak.config.provider.KeycloakImportProvider.readContent(KeycloakImportProvider.java:231)
	at de.adorsys.keycloak.config.provider.KeycloakImportProvider.readRealmImportFromImportResource(KeycloakImportProvider.java:212)
	... 38 common frames omitted
Caused by: com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException: Unrecognized field "verifiableCredentialsEnabled" (class de.adorsys.keycloak.config.model.RealmImport), not marked as ignorable (146 known properties: "userFederationMappers", "rememberMe", "duplicateEmailsAllowed", "adminEventsDetailsEnabled", "users", "clientOfflineSessionMaxLifespan", "webAuthnPolicyRequireResidentKey", "webAuthnPolicyPasswordlessAvoidSameAuthenticatorRegister", "components", "otpPolicyType", "accessCodeLifespanUserAction", "id", "webAuthnPolicyAttestationConveyancePreference", "enabledEventTypes", "applications", "webAuthnPolicyPasswordlessSignatureAlgorithms", "eventsListeners", "ssoSessionMaxLifespanRememberMe", "defaultDefaultClientScopes", "webAuthnPolicyPasswordlessCreateTimeout", "clientOfflineSessionIdleTimeout", "notBefore", "publicKey", "smtpServer", "clientPolicies", "resetPasswordAllowed", "webAuthnPolicyAvoidSameAuthenticatorRegister", "accessTokenLifespanForImplicitFlow", "webAuthnPolicyPasswordlessUserVerificationRequirement", "clientScopes", "internationalizationEnabled", "defaultRole", "accessTokenLifespan", "passwordCredentialGrantAllowed", "federatedUsers", "applicationScopeMappings" [truncated]])
 at [Source: UNKNOWN; byte offset: #UNKNOWN] (through reference chain: de.adorsys.keycloak.config.model.RealmImport["verifiableCredentialsEnabled"])
	at com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException.from(UnrecognizedPropertyException.java:61)
	at com.fasterxml.jackson.databind.DeserializationContext.handleUnknownProperty(DeserializationContext.java:1153)
	at com.fasterxml.jackson.databind.deser.std.StdDeserializer.handleUnknownProperty(StdDeserializer.java:2241)
	at com.fasterxml.jackson.databind.deser.BeanDeserializerBase.handleUnknownProperty(BeanDeserializerBase.java:1793)
	at com.fasterxml.jackson.databind.deser.BeanDeserializerBase.handleUnknownVanilla(BeanDeserializerBase.java:1771)
	at com.fasterxml.jackson.databind.deser.BeanDeserializer.vanillaDeserialize(BeanDeserializer.java:316)
	at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserialize(BeanDeserializer.java:177)
	at com.fasterxml.jackson.databind.ObjectMapper._convert(ObjectMapper.java:4619)
	... 41 common frames omitted
2025-07-10T16:04:41.430Z ERROR 1 --- [           main] d.a.k.config.KeycloakConfigRunner        : Error Response: java.lang.IllegalArgumentException: Unrecognized field "verifiableCredentialsEnabled" (class de.adorsys.keycloak.config.model.RealmImport), not marked as ignorable (146 known properties: "userFederationMappers", "rememberMe", "duplicateEmailsAllowed", "adminEventsDetailsEnabled", "users", "clientOfflineSessionMaxLifespan", "webAuthnPolicyRequireResidentKey", "webAuthnPolicyPasswordlessAvoidSameAuthenticatorRegister", "components", "otpPolicyType", "accessCodeLifespanUserAction", "id", "webAuthnPolicyAttestationConveyancePreference", "enabledEventTypes", "applications", "webAuthnPolicyPasswordlessSignatureAlgorithms", "eventsListeners", "ssoSessionMaxLifespanRememberMe", "defaultDefaultClientScopes", "webAuthnPolicyPasswordlessCreateTimeout", "clientOfflineSessionIdleTimeout", "notBefore", "publicKey", "smtpServer", "clientPolicies", "resetPasswordAllowed", "webAuthnPolicyAvoidSameAuthenticatorRegister", "accessTokenLifespanForImplicitFlow", "webAuthnPolicyPasswordlessUserVerificationRequirement", "clientScopes", "internationalizationEnabled", "defaultRole", "accessTokenLifespan", "passwordCredentialGrantAllowed", "federatedUsers", "applicationScopeMappings" [truncated]])
 at [Source: UNKNOWN; byte offset: #UNKNOWN] (through reference chain: de.adorsys.keycloak.config.model.RealmImport["verifiableCredentialsEnabled"])

[antikalk]

With adminPermissionsEnabled, it would also be great to have the ability to configure the newly build-in admin permissions (FGAP v2) with config-cli.