[keycloak-dev] Client adapters backwards compatibility
Bill Burke
bburke at redhat.com
Thu Mar 2 14:28:07 EST 2017
Add switch IMO. It should have a select box that defaults to "latest".
On 3/2/17 9:44 AM, Marek Posolda wrote:
> It looks that we should support latest Keycloak server with older
> versions of Keycloak adapters.
>
> So for some corner scenarios, I wonder if we should add the switch to
> the ClientModel and admin console like "Adapter version" . This switch
> will be available for both OIDC and SAML clients, but will be useful
> just for the clients, which uses Keycloak adapter. It will be useful to
> specify the version of Keycloak client adapter, which particular client
> application is using. WDYT?
>
> The reason why I felt into this is a reported RHSSO bug.
>
> Long-story short: When Keycloak SAML 1.9.8 adapter is used with
> "isPassive=true", then Keycloak 2.5.4 server returns him the valid error
> response. However 1.9.8 adapter has a bug
> https://issues.jboss.org/browse/KEYCLOAK-4264 and it throws NPE when it
> receives such response.
>
> With SAML 1.9.8 adapter + 1.9.8 server, the Keycloak server returned
> invalid error response, however 1.9.8 adapter was able to handle this
> invalid response without throwing any exception.
>
>
> By adding the switch to the ClientModel, we defacto allow adapter to
> say: "Please return me broken response, because I am not able to handle
> valid response."
>
> Note that this is bug in adapter, so it will be better to ask customers
> to rather upgrade their SAML adapters to newest version. On the other
> hand, we claim to support backwards compatibility.
>
> So should we add the switch or not? WDYT?
>
> Marek
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
More information about the keycloak-dev
mailing list