Ah yes. I was thinking about the client message vs. switch, but it seems
that the switch will be cleaner then.
Thanks all for the feedback!
Marek
On 03/03/17 09:15, Hynek Mlnarik wrote:
Determination of client version from client message would not work for
IdP-initiated SSO (there is no client message to determine version
from), so +1.
On Thu, Mar 2, 2017 at 8:28 PM, Bill Burke <bburke(a)redhat.com> wrote:
> Add switch IMO. It should have a select box that defaults to "latest".
>
>
> On 3/2/17 9:44 AM, Marek Posolda wrote:
>> It looks like we should support the latest Keycloak server with older
>> versions of Keycloak adapters.
>>
>> So for some corner scenarios, I wonder if we should add the switch to
>> the ClientModel and admin console like "Adapter version". This switch
>> will be available for both OIDC and SAML clients, but will be useful
>> just for the clients which use the Keycloak adapter. It will be useful to
>> specify the version of Keycloak client adapter, which particular client
>> application is using. WDYT?
>>
>> The reason why I fell into this is a reported RHSSO bug.
>>
>> Long story short: When Keycloak SAML 1.9.8 adapter is used with
>> "isPassive=true", then Keycloak 2.5.4 server returns it the valid
>> error response. However 1.9.8 adapter has a bug
>> https://issues.jboss.org/browse/KEYCLOAK-4264 and it throws NPE when it
>> receives such response.
>>
>> With SAML 1.9.8 adapter + 1.9.8 server, the Keycloak server returned
>> invalid error response, however 1.9.8 adapter was able to handle this
>> invalid response without throwing any exception.
>>
>>
>> By adding the switch to the ClientModel, we de facto allow adapter to
>> say: "Please return me broken response, because I am not able to handle
>> valid response."
>>
>> Note that this is a bug in the adapter, so it will be better to ask customers
>> to rather upgrade their SAML adapters to newest version. On the other
>> hand, we claim to support backwards compatibility.
>>
>> So should we add the switch or not? WDYT?
>>
>> Marek
>>
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev