By the way, how many previous adapter versions do we need to support (i.e. test)?
I thought only the previous major release (like now - 1.9.8 adapter with 2.5.x server).
So, do we really need to have this switch permanently? Who knows, maybe with the next major SSO version the current 2.5.x adapters will work flawlessly. :)
V.
On Fri, Mar 3, 2017 at 12:56 PM, Marek Posolda <mposolda(a)redhat.com> wrote:
Ah yes. I was thinking about the client message vs. switch, but it seems that the switch would be cleaner then.
Thanks all for the feedback!
Marek
On 03/03/17 09:15, Hynek Mlnarik wrote:
> Determination of client version from client message would not work for
> IdP-initiated SSO (there is no client message to determine version
> from), so +1.
>
> On Thu, Mar 2, 2017 at 8:28 PM, Bill Burke <bburke(a)redhat.com> wrote:
>> Add switch IMO. It should have a select box that defaults to "latest".
>>
>>
>> On 3/2/17 9:44 AM, Marek Posolda wrote:
>>> It looks like we should support the latest Keycloak server with older
>>> versions of Keycloak adapters.
>>>
>>> So for some corner scenarios, I wonder if we should add a switch to
>>> the ClientModel and admin console like "Adapter version". This switch
>>> will be available for both OIDC and SAML clients, but will be useful
>>> just for the clients which use the Keycloak adapter. It will be useful to
>>> specify the version of the Keycloak client adapter which a particular client
>>> application is using. WDYT?
>>>
>>> The reason why I fell into this is a reported RHSSO bug.
>>>
>>> Long story short: When the Keycloak SAML 1.9.8 adapter is used with
>>> "isPassive=true", then the Keycloak 2.5.4 server returns it the valid error
>>> response. However, the 1.9.8 adapter has a bug
>>> https://issues.jboss.org/browse/KEYCLOAK-4264 and it throws an NPE when it
>>> receives such a response.
>>>
>>> With the SAML 1.9.8 adapter + 1.9.8 server, the Keycloak server returned an
>>> invalid error response, however the 1.9.8 adapter was able to handle this
>>> invalid response without throwing any exception.
>>>
>>>
>>> By adding the switch to the ClientModel, we de facto allow the adapter to
>>> say: "Please return me a broken response, because I am not able to handle
>>> a valid response."
>>>
>>> Note that this is a bug in the adapter, so it will be better to ask customers
>>> to rather upgrade their SAML adapters to the newest version. On the other
>>> hand, we claim to support backwards compatibility.
>>>
>>> So should we add the switch or not? WDYT?
>>>
>>> Marek
>>>
>>> _______________________________________________
>>> keycloak-dev mailing list
>>> keycloak-dev(a)lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
--
Václav Muzikář
Quality Engineer
Keycloak / Red Hat Single Sign-On
Red Hat Czech s.r.o.