Support for multiple keys and seamlessly retrieving new keys were added to
adapters in 2.3, so you need to update to get this. The old adapters work,
but they either require static keys in config or will dl key at startup.
Upgrade the server first, then adapters and remove keys from config at the
same time. Simple.
If we ignored keys in config that would have actually broken backwards
compatibility.
On 14 Nov 2016 06:58, "Jitendra Chouhan" <jitendrachouhan03(a)gmail.com>
wrote:
Hi,
We have sample apps that are integrated with Keycloak-2.2.1; now we are
migrating the existing samples to keycloak-2.3.0.Final. We need to clarify a few
points regarding backward compatibility of keycloak adapters.
We have an Angular JS app and a back-end app which use keycloak JS and the
keycloak-spring-security adapter respectively. These apps are working fine
with 2.2.1. In order to migrate from 2.2.1 and import into 2.3.0, the actions
listed below have been performed.
1. Upgraded keycloak JS and keycloak-spring-security adapters to 2.3.0.
2. Exported existing realm from 2.2.1 and imported in 2.3.0 instance of
keycloak.
3. We kept the same keycloak.json file since we imported the working configuration
from 2.2.1 into 2.3.0 (verified all configurations are the same).
Upon verification, we found the applications work fine with 2.3.0 until the key
is rotated. After key rotation the applications are not working. But if we
download the applications' keycloak.json from the 2.3.0 instance for the apps,
everything works fine.
Does this mean the adapter is not backward compatible? As we know, the key rotation
feature was introduced in 2.3.0; in the reference documentation it is stated that
the adapter will likely query/refer to the public key and certificate from the keycloak
server instance.
Our point: since we imported the configuration from the previous keycloak
version (key is same), if applications have upgraded their adapters to 2.3.0
and even kept old keycloak.json files in the respective apps, it should work (as
per expectation, the adapter should refer to keys/certs from the keycloak server).
Doesn't it make more sense that keycloak-2.3 adapters should ignore (not read) the
public-key defined in the application keycloak.json file and always refer to the
keycloak server? In this way application migration will be easier from one
version of keycloak to another.
Please do let me know if further information is needed.
Thanks,
Jitendra Chouhan
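The difference the reply describes, a public key pinned in config versus keys resolved from the server by key id, shown as an added example that is not from the thread or from Keycloak's adapter code. The realm stand-in, the simplified token, and the names `makeRealm`, `makeVerifier`, `fetchPublicKeys`, `staticKey` and `minRefetchMs` are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Constructed stand-in for a realm: signing keys indexed by key id (kid).
function makeRealm() {
  const keys = new Map();
  let active = null;
  return {
    rotate(kid) {
      keys.set(kid, crypto.generateKeyPairSync('rsa', { modulusLength: 2048 }));
      active = kid;
    },
    fetchPublicKeys: () => new Map([...keys].map(([kid, kp]) => [kid, kp.publicKey])),
    // Simplified token (not a real JWT): signed bytes plus the signing key's kid.
    issue(payload) {
      const data = Buffer.from(JSON.stringify(payload));
      return { kid: active, data, sig: crypto.sign('sha256', data, keys.get(active).privateKey) };
    },
  };
}

// Hypothetical verifier: staticKey models a key pinned in config; otherwise keys are
// resolved by kid, refetching on an unknown kid at most once per minRefetchMs.
function makeVerifier(realm, { staticKey = null, minRefetchMs = 10000 } = {}) {
  let cache = new Map(), lastFetch = -Infinity;
  return function verify(token, now) {
    if (staticKey) return crypto.verify('sha256', token.data, staticKey, token.sig);
    if (!cache.has(token.kid) && now - lastFetch >= minRefetchMs) {
      cache = realm.fetchPublicKeys();
      lastFetch = now;
    }
    const key = cache.get(token.kid);
    return Boolean(key) && crypto.verify('sha256', token.data, key, token.sig);
  };
}

function demo() {
  const realm = makeRealm();
  realm.rotate('key-1');
  const pinned = makeVerifier(realm, { staticKey: realm.fetchPublicKeys().get('key-1') });
  const dynamic = makeVerifier(realm);
  const t1 = realm.issue({ sub: 'alice' });
  const out = { pinnedBefore: pinned(t1, 0), dynamicBefore: dynamic(t1, 0) };
  realm.rotate('key-2'); // key rotation on the server
  const t2 = realm.issue({ sub: 'alice' });
  out.pinnedAfter = pinned(t2, 1000);     // pinned key-1 cannot verify key-2 tokens
  out.dynamicTooSoon = dynamic(t2, 1000); // unknown kid, but refetch is rate limited
  out.dynamicAfter = dynamic(t2, 20000);  // refetch allowed, key-2 is found
  return out;
}
```

The refetch interval keeps tokens carrying made-up kids from triggering a key fetch on every request, at the cost of a short window after rotation in which new tokens are rejected.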