I'm not convinced about that approach. We'll end up having to test and maintain this in the long run.

How about a staged approach instead:

* Keycloak 2.1 & RH-SSO 7.0.1 - add scope=openid, also add mention in release notes and migration guide that the ID token will soon not be included anymore
* Keycloak 2.3 & RH-SSO 7.1 - stop sending ID token if scope is not included

On 30 June 2016 at 16:00, Marek Posolda <mposolda@redhat.com> wrote:
I am thinking whether to add configuration switch in admin console per
client, where you can define what is the adapter version the particular
client is using. In that case, some behaviour can be different/backwards
compatible.

Example: For new clients, we will include IDToken just if they use
"scope=openid". However for clients with adapter "1.9" or older, the
IDToken will be included even if "scope=openid" is not used.

WDYT?
Marek