diff --git a/net/keycloak/Makefile b/net/keycloak/Makefile
index 38e1a169195d..580df24307a8 100644
--- a/net/keycloak/Makefile
+++ b/net/keycloak/Makefile
@@ -1,81 +1,80 @@ PORTNAME= keycloak DISTVERSION= 26.5.7 +PORTREVISION= 1 CATEGORIES= net java MASTER_SITES= https://github.com/${PORTNAME}/${PORTNAME}/releases/download/${DISTVERSION}/ MAINTAINER= freebsd@rheinwolf.de COMMENT= Identity and access management solution WWW= https://www.keycloak.org/ LICENSE= APACHE20 LICENSE_FILE= ${WRKSRC}/LICENSE.txt USES= cpe java shebangfix CPE_VENDOR= redhat JAVA_VERSION= 21+ JAVA_OS= native JAVA_VENDOR= openjdk -USE_RC_SUBR= keycloak +USE_RC_SUBR= ${PORTNAME} SHEBANG_FILES= bin/kc.sh \ bin/kcadm.sh \ bin/kcreg.sh +EXTRACT_AFTER_ARGS= --exclude '*.bat' \ + --no-same-owner --no-same-permissions + VAR_DIR?= /var LOG_DIR?= ${VAR_DIR}/log/${PORTNAME} RUN_DIR?= ${VAR_DIR}/run/${PORTNAME} NO_ARCH= yes NO_BUILD= yes -SUB_FILES+= pkg-message -SUB_LIST+= JAVA=${JAVA} \ +SUB_FILES= pkg-message +SUB_LIST= JAVA=${JAVA} \ JAVA_HOME=${JAVA_HOME} \ LOG_DIR=${LOG_DIR} \ PORTNAME=${PORTNAME} \ RUN_DIR=${RUN_DIR} \ USER=${KEYCLOAK_USER} \ GROUP=${KEYCLOAK_GROUP} KEYCLOAK_USER= ${PORTNAME} KEYCLOAK_GROUP= ${PORTNAME} USERS= ${KEYCLOAK_USER} -GROUPS= ${USERS} +GROUPS= ${KEYCLOAK_GROUP} PLIST_SUB= VERSION=${DISTVERSION} \ USER=${KEYCLOAK_USER} \ GROUP=${KEYCLOAK_GROUP} OPTIONS_DEFINE= DOCS EXAMPLES CONFIG_FILES= conf/cache-ispn.xml \ conf/keycloak.conf \ lib/quarkus/build-system.properties -post-patch: -.for f in ${CONFIG_FILES} - ${MV} ${WRKSRC}/${f} ${WRKSRC}/${f}.sample -.endfor - ${RM} ${WRKSRC}/bin/kc.bat - ${RM} ${WRKSRC}/bin/kcadm.bat - ${RM} ${WRKSRC}/bin/kcreg.bat - do-install: ${MKDIR} ${STAGEDIR}${JAVASHAREDIR}/${PORTNAME}/bin \ ${STAGEDIR}${JAVASHAREDIR}/${PORTNAME}/data \ ${STAGEDIR}${LOG_DIR} \ ${STAGEDIR}${RUN_DIR} # Install files in bin ${INSTALL_SCRIPT} ${WRKSRC}/bin/*.sh ${STAGEDIR}${JAVASHAREDIR}/${PORTNAME}/bin (cd ${WRKSRC}/bin && ${COPYTREE_SHARE} client ${STAGEDIR}${JAVASHAREDIR}/${PORTNAME}/bin) # Install jar files, configuration and everything else +.for f in ${CONFIG_FILES} + ${MV} ${WRKSRC}/${f} ${WRKSRC}/${f}.sample 
+.endfor (cd ${WRKSRC} && ${COPYTREE_SHARE} "conf lib providers themes" ${STAGEDIR}${JAVASHAREDIR}/${PORTNAME}) # Create links for kc* binaries - ${LN} -sf ../share/java/${PORTNAME}/bin/kcadm.sh ${STAGEDIR}${PREFIX}/bin/kcadm - ${LN} -sf ../share/java/${PORTNAME}/bin/kcreg.sh ${STAGEDIR}${PREFIX}/bin/kcreg + ${RLN} ${STAGEDIR}${JAVASHAREDIR}/${PORTNAME}/bin/kcadm.sh ${STAGEDIR}${PREFIX}/bin/kcadm + ${RLN} ${STAGEDIR}${JAVASHAREDIR}/${PORTNAME}/bin/kcreg.sh ${STAGEDIR}${PREFIX}/bin/kcreg .include diff --git a/net/keycloak/files/keycloak.in b/net/keycloak/files/keycloak.in index 80a6187ea7cf..9bad9fdd1ccb 100644 --- a/net/keycloak/files/keycloak.in +++ b/net/keycloak/files/keycloak.in 
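Review bot: The `.for f in ${CONFIG_FILES}` loop now sits inside `do-install` and renames files in `${WRKSRC}`, so the stage step is no longer repeatable: a second run without a fresh extract (for example `make restage`) would likely fail in `${MV}` because the source file has already been renamed. Either keep the rename in `post-patch`, or rename the staged copy after `${COPYTREE_SHARE}`, e.g. `${MV} ${STAGEDIR}${JAVASHAREDIR}/${PORTNAME}/${f} ${STAGEDIR}${JAVASHAREDIR}/${PORTNAME}/${f}.sample`. Separately, `conf/keycloak.conf` is the file where deployments usually keep the database password, and `${COPYTREE_SHARE}` installs the tree with shared-data permissions. pkg-plist is not among the files shown on this page, so confirm that its `@sample` entry sets a restrictive owner and mode for the live file.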
@@ -1,87 +1,90 @@ #!/bin/sh # $FreeBSD$ # # PROVIDE: %%PORTNAME%% # REQUIRE: NETWORKING SERVERS # KEYWORD: shutdown # # Add these following line to /etc/rc.conf.local or /etc/rc.conf # to enable this service: # -# %%PORTNAME%%_enable (bool): Set it to YES to enable keycloak on startup. -# Default: NO -# %%PORTNAME%%_user (string): User account to run with. -# Default: www -# %%PORTNAME%%_flags (string): Additional flags for the startup script. -# Default: start +# %%PORTNAME%%_enable (bool): Set it to YES to enable keycloak on startup. +# Default: NO +# %%PORTNAME%%_user (string): User account to run with. +# Default: %%USER%% +# %%PORTNAME%%_group (string): Group for %%LOG_DIR%% and %%RUN_DIR%%. +# Default: %%GROUP%% +# %%PORTNAME%%_flags (string): Additional flags for the startup script. +# Default: start +# %%PORTNAME%%_java_home (string): JAVA_HOME to run with. +# Default: %%JAVA_HOME%% # . /etc/rc.subr name=%%PORTNAME%% rcvar=%%PORTNAME%%_enable desc="Identity and access management solution" load_rc_config $name -: ${%%PORTNAME%%_enable:=NO} -: ${%%PORTNAME%%_user:=%%USER%%} -: ${%%PORTNAME%%_group:=%%GROUP%%} +: ${%%PORTNAME%%_enable:="NO"} +: ${%%PORTNAME%%_user:="%%USER%%"} +: ${%%PORTNAME%%_group:="%%GROUP%%"} : ${%%PORTNAME%%_flags="start"} : ${%%PORTNAME%%_java_home="%%JAVA_HOME%%"} +%%PORTNAME%%_env="${%%PORTNAME%%_env} JAVA_HOME=${%%PORTNAME%%_java_home}" pidfile=%%RUN_DIR%%/%%PORTNAME%%.pid command=/usr/sbin/daemon command_args="-u ${%%PORTNAME%%_user} -o %%LOG_DIR%%/%%PORTNAME%%.out -t %%PORTNAME%% -R 60 -P ${pidfile}" start_cmd="%%PORTNAME%%_start" stop_cmd="%%PORTNAME%%_stop" build_cmd="%%PORTNAME%%_build" -export JAVA_HOME=${%%PORTNAME%%_java_home} - %%PORTNAME%%_start() { if [ ! -d "%%LOG_DIR%%" ]; then - install -d -o ${%%PORTNAME%%_user} %%LOG_DIR%% + install -d -o ${%%PORTNAME%%_user} -g ${%%PORTNAME%%_group} %%LOG_DIR%% fi if [ ! 
-d "%%RUN_DIR%%" ]; then - install -d -o ${%%PORTNAME%%_user} %%RUN_DIR%% + install -d -o ${%%PORTNAME%%_user} -g ${%%PORTNAME%%_group} %%RUN_DIR%% fi - chown -R ${%%PORTNAME%%_user} %%LOG_DIR%% + chown -R ${%%PORTNAME%%_user}:${%%PORTNAME%%_group} %%LOG_DIR%% %%RUN_DIR%% echo "Starting %%PORTNAME%%." ${command} ${command_args} \ %%JAVASHAREDIR%%/%%PORTNAME%%/bin/kc.sh \ ${%%PORTNAME%%_flags} } %%PORTNAME%%_stop() { local pid_daemon local pid_child echo "Stopping %%PORTNAME%%." pid_daemon=$(check_pidfile ${pidfile} ${command}) if [ ! -z "${pid_daemon}" ]; then kill -TERM ${pid_daemon} fi pid_child=$(pgrep -U ${%%PORTNAME%%_user} -f %%JAVASHAREDIR%%/%%PORTNAME%%/) if [ ! -z "${pid_child}" ]; then kill -TERM ${pid_child} fi wait_for_pids ${pid_daemon} ${pid_child} } %%PORTNAME%%_build() { su -m ${%%PORTNAME%%_user} -c "%%JAVASHAREDIR%%/%%PORTNAME%%/bin/kc.sh build" } extra_commands="build" run_rc_command "$1" diff --git a/net/keycloak/files/patch-bin_kc.sh b/net/keycloak/files/patch-bin_kc.sh new file mode 100644 index 000000000000..ef9f8883e6d1 --- /dev/null +++ b/net/keycloak/files/patch-bin_kc.sh @@ -0,0 +1,11 @@ +--- bin/kc.sh.orig 2026-04-07 11:28:05 UTC ++++ bin/kc.sh +@@ -113,7 +113,7 @@ if [ -z "$JAVA_ADD_OPENS" ]; then + + # See also https://github.com/wildfly/wildfly-core/blob/7e5624cf92ebe4b64a4793a8c0b2a340c0d6d363/core-feature-pack/common/src/main/resources/content/bin/common.sh#L57-L60 + if [ -z "$JAVA_ADD_OPENS" ]; then +- JAVA_ADD_OPENS="--add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.base/java.util.concurrent=ALL-UNNAMED --add-opens=java.base/java.security=ALL-UNNAMED" ++ JAVA_ADD_OPENS="--add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.base/java.util.concurrent=ALL-UNNAMED --add-opens=java.base/java.security=ALL-UNNAMED --add-opens=java.base/java.lang=ALL-UNNAMED --enable-native-access=ALL-UNNAMED" + else + echo "JAVA_ADD_OPENS already set in environment; overriding default settings" + fi
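Review bot: In `%%PORTNAME%%_start`, the new `chown -R ${%%PORTNAME%%_user}:${%%PORTNAME%%_group} %%LOG_DIR%% %%RUN_DIR%%` runs as root on every start over two directories the service account can write to, so a privileged process re-owns whatever that account has placed or linked there. The `install -d -o … -g …` calls just above already set owner and group when the directories are created, so the recursive pass is not needed. Changing only the directories themselves, `chown "${%%PORTNAME%%_user}:${%%PORTNAME%%_group}" %%LOG_DIR%% %%RUN_DIR%%`, keeps the intent without walking service-writable content. The expansions in the `install` and `chown` lines are also unquoted, so an rc.conf value containing whitespace would split into extra arguments; quoting them as in the line above avoids that.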
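Review bot: The patched default for `JAVA_ADD_OPENS` in `bin/kc.sh` adds `--add-opens=java.base/java.lang=ALL-UNNAMED` and `--enable-native-access=ALL-UNNAMED` without recording why, and both flags apply to all code in the unnamed module, which presumably includes any JAR placed in the installed `providers` directory. Because this diverges from the upstream default, the reason should be written down: the error or warning it works around and the JDK version that triggers it. A comment next to `JAVA_VERSION= 21+` in the port Makefile or a line in the commit message would do, so the flags can be dropped once they are no longer required. The script only applies this default when `JAVA_ADD_OPENS` is empty, so an administrator can still set a narrower value. A line in pkg-message saying so would make that override discoverable.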