<div dir="ltr">I'm not convinced about that approach. We'll end up having to test and maintain this in the long run.<div><br></div><div>How about a staged approach instead:</div><div><br></div><div>* Keycloak 2.1 & RH-SSO 7.0.1 - add scope=openid, also add mention in release not and migration guide that the ID token will soon not be included anymore</div><div>* Keycloak 2.3 & RH-SSO 7.1 - stop sending ID token if scope is not included<br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On 30 June 2016 at 16:00, Marek Posolda <span dir="ltr"><<a href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">I am thinking whether to add configuration switch in admin console per<br>
client, where you can define what is the adapter version the particular<br>
client is using. In that case, some behaviour can be different/backwards<br>
compatible.<br>
<br>
Example: For new clients, we will include IDToken just if they use<br>
"scope=openid" . However for clients with adapter "1.9" or older, the<br>
IDToken will be included even if "scope=openid" is not used.<br>
<br>
WDYT?<br>
Marek<br>
_______________________________________________<br>
keycloak-dev mailing list<br>
<a href="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-dev" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a><br>
</blockquote></div><br></div>