diff --git a/compose.yml b/compose.yml
index 28dd077..c0062b6 100644
--- a/compose.yml
+++ b/compose.yml
@@ -3,7 +3,9 @@ version: "3.8"
 
 services:
   app:
-    image: "jboss/keycloak:16.1.1"
+    image: "keycloak/keycloak:20.0.1"
+    entrypoint: >
+      bash -c "KC_DB_PASSWORD=\"$$(cat /run/secrets/db_password)\" /opt/keycloak/bin/kc.sh start"
     networks:
       - proxy
       - internal
@@ -11,15 +13,14 @@ services:
       - admin_password
       - db_password
     environment:
-      - DB_ADDR=db
-      - DB_DATABASE=keycloak
-      - DB_PASSWORD_FILE=/run/secrets/db_password
-      - DB_USER=keycloak
-      - DB_VENDOR=mariadb
-      - KEYCLOAK_PASSWORD_FILE=/run/secrets/admin_password
-      - KEYCLOAK_USER=${ADMIN_USERNAME}
+      - KC_DB=mariadb
+      - KC_DB_URL_DATABASE=keycloak
+      - KC_DB_URL_HOST=db
+      - KC_HOSTNAME=${DOMAIN}
+      - KC_PROXY=edge
+      - KC_SPI_CONNECTIONS_JPA_LEGACY_MIGRATION_STRATEGY=update
+      - KEYCLOAK_ADMIN=${ADMIN_USERNAME}
       - KEYCLOAK_WELCOME_THEME=${WELCOME_THEME}
-      - PROXY_ADDRESS_FORWARDING=true
     healthcheck:
       test: ["CMD", "curl", "-f", "http://localhost:8080"]
       interval: 30s
@@ -43,7 +44,7 @@ services:
         - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect"
         - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true"
         - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
-        - "coop-cloud.${STACK_NAME}.version=4.0.1+16.1.1"
+        - "coop-cloud.${STACK_NAME}.version=5.0.0+20.0.1"
 
   db:
     image: "mariadb:10.6"
diff --git a/release/5.0.0+20.0.1 b/release/5.0.0+20.0.1
new file mode 100644
index 0000000..7bb45b6
--- /dev/null
+++ b/release/5.0.0+20.0.1
@@ -0,0 +1,9 @@
+You'll need to remove `/auth/` from your app SSO URLs, e.g.
+
+    https://foo.example.com/auth/realms/foo/protocol/openid-connect/auth
+
+Would become:
+
+    https://foo.example.com/realms/foo/protocol/openid-connect/auth
+
+-- decentral1se @ Autonomic