[keycloak-dev] Client adapters backwards compatibility

Vaclav Muzikar vmuzikar at redhat.com
Fri Mar 3 07:23:42 EST 2017


By the way, how many previous adapter versions do we need to support (i.e.
test)?
I thought only the previous major release (like now - 1.9.8 adapter with
2.5.x server).

So, do we really need to have this switch permanently? Who knows, maybe
with the next major SSO version the current 2.5.x adapters will work
flawlessly. :)

V.

On Fri, Mar 3, 2017 at 12:56 PM, Marek Posolda <mposolda at redhat.com> wrote:

> Ah yes. I was thinking about the client message vs. switch, but it seems
> that the switch would be cleaner then.
>
> Thanks all for the feedback!
> Marek
>
> On 03/03/17 09:15, Hynek Mlnarik wrote:
> > Determination of client version from client message would not work for
> > IdP-initiated SSO (there is no client message to determine version
> > from), so +1.
> >
> > On Thu, Mar 2, 2017 at 8:28 PM, Bill Burke <bburke at redhat.com> wrote:
> >> Add switch IMO.  It should have a select box that defaults to "latest".
> >>
> >>
> >> On 3/2/17 9:44 AM, Marek Posolda wrote:
> >>> It looks like we should support the latest Keycloak server with older
> >>> versions of Keycloak adapters.
> >>>
> >>> So for some corner scenarios, I wonder if we should add a switch to
> >>> the ClientModel and admin console like "Adapter version". This switch
> >>> will be available for both OIDC and SAML clients, but will be useful
> >>> just for the clients which use the Keycloak adapter. It will be useful to
> >>> specify the version of the Keycloak client adapter which a particular client
> >>> application is using. WDYT?
> >>>
> >>> The reason why I fell into this is a reported RHSSO bug.
> >>>
> >>> Long story short: When the Keycloak SAML 1.9.8 adapter is used with
> >>> "isPassive=true", then the Keycloak 2.5.4 server returns it the valid
> >>> error response. However, the 1.9.8 adapter has a bug
> >>> https://issues.jboss.org/browse/KEYCLOAK-4264 and it throws an NPE when
> >>> it receives such a response.
> >>>
> >>> With the SAML 1.9.8 adapter + 1.9.8 server, the Keycloak server returned
> >>> an invalid error response, however the 1.9.8 adapter was able to handle this
> >>> invalid response without throwing any exception.
> >>>
> >>>
> >>> By adding the switch to the ClientModel, we de facto allow the adapter to
> >>> say: "Please return me a broken response, because I am not able to handle
> >>> a valid response."
> >>>
> >>> Note that this is a bug in the adapter, so it will be better to ask customers
> >>> to rather upgrade their SAML adapters to the newest version. On the other
> >>> hand, we claim to support backwards compatibility.
> >>>
> >>> So should we add the switch or not? WDYT?
> >>>
> >>> Marek
> >>>
> >>> _______________________________________________
> >>> keycloak-dev mailing list
> >>> keycloak-dev at lists.jboss.org
> >>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >
> >
>
>



-- 
Václav Muzikář
Quality Engineer
Keycloak / Red Hat Single Sign-On
Red Hat Czech s.r.o.

