[keycloak-dev] Client adapters backwards compatibility

Bill Burke bburke at redhat.com
Thu Mar 2 14:29:13 EST 2017

Yeah, Stan is right, but 2.5.x does not have this switch, so you 
wouldn't be able to tell the difference between 1.9.8 and 2.5.x.

On 3/2/17 1:12 PM, Stan Silvert wrote:
> The way a protocol usually implements this is not for the server to keep
> track of versions.  Rather, the client simply transmits his version as
> part of the protocol.  Then the server knows what he is dealing with and
> acts accordingly.
>
> Also, this has the advantage of allowing automatic auditing of client
> versions without manually setting things up from the server side.
>
> On 3/2/2017 9:44 AM, Marek Posolda wrote:
>> It looks like we should support the latest Keycloak server with older
>> versions of Keycloak adapters.
>>
>> So for some corner scenarios, I wonder if we should add the switch to
>> the ClientModel and admin console like "Adapter version". This switch
>> will be available for both OIDC and SAML clients, but will be useful
>> just for the clients which use a Keycloak adapter. It will be useful to
>> specify the version of the Keycloak client adapter which a particular
>> client application is using. WDYT?
>>
>> The reason why I fell into this is a reported RHSSO bug.
>> Long story short: When the Keycloak SAML 1.9.8 adapter is used with
>> "isPassive=true", then the Keycloak 2.5.4 server returns him the valid
>> error response. However, the 1.9.8 adapter has a bug
>> https://issues.jboss.org/browse/KEYCLOAK-4264 and it throws an NPE when
>> it receives such a response.
>>
>> With the SAML 1.9.8 adapter + 1.9.8 server, the Keycloak server returned
>> an invalid error response, however the 1.9.8 adapter was able to handle
>> this invalid response without throwing any exception.
>>
>> By adding the switch to the ClientModel, we de facto allow the adapter to
>> say: "Please return me a broken response, because I am not able to handle
>> a valid response."
>>
>> Note that this is a bug in the adapter, so it will be better to ask
>> customers to rather upgrade their SAML adapters to the newest version. On
>> the other hand, we claim to support backwards compatibility.
>>
>> So should we add the switch or not? WDYT?
>>
>> Marek
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
