[keycloak-dev] Client adapters backwards compatibility

Hynek Mlnarik hmlnarik at redhat.com
Fri Mar 3 03:15:15 EST 2017


Determination of client version from client message would not work for
IdP-initiated SSO (there is no client message to determine version
from), so +1.

On Thu, Mar 2, 2017 at 8:28 PM, Bill Burke <bburke at redhat.com> wrote:
> Add switch IMO.  It should have a select box that defaults to "latest".
>
>
> On 3/2/17 9:44 AM, Marek Posolda wrote:
>> It looks like we should support the latest Keycloak server with older
>> versions of Keycloak adapters.
>>
>> So for some corner scenarios, I wonder if we should add the switch to
>> the ClientModel and admin console like "Adapter version". This switch
>> will be available for both OIDC and SAML clients, but will be useful
>> just for the clients which use the Keycloak adapter. It will be useful to
>> specify the version of the Keycloak client adapter which the particular
>> client application is using. WDYT?
>>
>> The reason why I fell into this is a reported RHSSO bug.
>>
>> Long story short: When the Keycloak SAML 1.9.8 adapter is used with
>> "isPassive=true", then the Keycloak 2.5.4 server returns it the valid
>> error response. However, the 1.9.8 adapter has a bug
>> https://issues.jboss.org/browse/KEYCLOAK-4264 and it throws an NPE when
>> it receives such a response.
>>
>> With the SAML 1.9.8 adapter + 1.9.8 server, the Keycloak server returned
>> an invalid error response; however, the 1.9.8 adapter was able to handle
>> this invalid response without throwing any exception.
>>
>>
>> By adding the switch to the ClientModel, we de facto allow the adapter to
>> say: "Please return me a broken response, because I am not able to handle
>> a valid response."
>>
>> Note that this is a bug in the adapter, so it will be better to ask
>> customers to rather upgrade their SAML adapters to the newest version. On
>> the other hand, we claim to support backwards compatibility.
>>
>> So should we add the switch or not? WDYT?
>>
>> Marek
>>
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev



-- 

--Hynek

