[keycloak-dev] Client adapters backwards compatibility

Marek Posolda mposolda at redhat.com
Thu Mar 2 09:44:24 EST 2017

It looks that we should support latest Keycloak server with older 
versions of Keycloak adapters.

So for some corner scenarios, I wonder if we should add the switch to 
the ClientModel and admin console like "Adapter version" . This switch 
will be available for both OIDC and SAML clients, but will be useful 
just for the clients, which uses Keycloak adapter. It will be useful to 
specify the version of Keycloak client adapter, which particular client 
application is using. WDYT?

The reason why I felt into this is a reported RHSSO bug.

Long-story short: When Keycloak SAML 1.9.8 adapter is used with 
"isPassive=true", then Keycloak 2.5.4 server returns him the valid error 
response. However 1.9.8 adapter has a bug 
https://issues.jboss.org/browse/KEYCLOAK-4264 and it throws NPE when it 
receives such response.

With SAML 1.9.8 adapter + 1.9.8 server, the Keycloak server returned 
invalid error response, however 1.9.8 adapter was able to handle this 
invalid response without throwing any exception.

By adding the switch to the ClientModel, we defacto allow adapter to 
say: "Please return me broken response, because I am not able to handle 
valid response."

Note that this is bug in adapter, so it will be better to ask customers 
to rather upgrade their SAML adapters to newest version. On the other 
hand, we claim to support backwards compatibility.

So should we add the switch or not? WDYT?


More information about the keycloak-dev mailing list