[keycloak-dev] Client adapters backwards compatibility

Marek Posolda mposolda at redhat.com
Fri Mar 3 06:56:19 EST 2017

Ah yes. I was thinking about the client message vs. switch, but it seems 
that switch be cleaner then.

Thanks all for the feedback!

On 03/03/17 09:15, Hynek Mlnarik wrote:
> Determination of client version from client message would not work for
> IdP-initiated SSO (there is no client message to determine version
> from), so +1.
> On Thu, Mar 2, 2017 at 8:28 PM, Bill Burke <bburke at redhat.com> wrote:
>> Add switch IMO.  It should have a select box that defaults to "latest".
>> On 3/2/17 9:44 AM, Marek Posolda wrote:
>>> It looks that we should support latest Keycloak server with older
>>> versions of Keycloak adapters.
>>> So for some corner scenarios, I wonder if we should add the switch to
>>> the ClientModel and admin console like "Adapter version" . This switch
>>> will be available for both OIDC and SAML clients, but will be useful
>>> just for the clients, which uses Keycloak adapter. It will be useful to
>>> specify the version of Keycloak client adapter, which particular client
>>> application is using. WDYT?
>>> The reason why I felt into this is a reported RHSSO bug.
>>> Long-story short: When Keycloak SAML 1.9.8 adapter is used with
>>> "isPassive=true", then Keycloak 2.5.4 server returns him the valid error
>>> response. However 1.9.8 adapter has a bug
>>> https://issues.jboss.org/browse/KEYCLOAK-4264 and it throws NPE when it
>>> receives such response.
>>> With SAML 1.9.8 adapter + 1.9.8 server, the Keycloak server returned
>>> invalid error response, however 1.9.8 adapter was able to handle this
>>> invalid response without throwing any exception.
>>> By adding the switch to the ClientModel, we defacto allow adapter to
>>> say: "Please return me broken response, because I am not able to handle
>>> valid response."
>>> Note that this is bug in adapter, so it will be better to ask customers
>>> to rather upgrade their SAML adapters to newest version. On the other
>>> hand, we claim to support backwards compatibility.
>>> So should we add the switch or not? WDYT?
>>> Marek
>>> _______________________________________________
>>> keycloak-dev mailing list
>>> keycloak-dev at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev

More information about the keycloak-dev mailing list