[keycloak-dev] Client adapters backwards compatibility

Bill Burke bburke at redhat.com
Fri Mar 3 14:11:20 EST 2017

On 3/3/17 10:29 AM, Stan Silvert wrote:
> Versioning is always a pain.  But it's much better for us to manage the
> pain than leave it up to customers.
> On 3/3/2017 9:35 AM, Bill Burke wrote:
>> I agree with you in principle stan, but there are other issues:
>> * For OIDC it is a get request with simple query parameters. There is no
>> request object you can hide the version information in and you'd have to
>> add another query param.
> I don't think you need to hide the version.  Just add another query
> param.  Then if version is not present, you at least know it's an old
> client.
>> * As Hynek said, for SAML IDP initiated SSO, there is no client
>> request.  User logs in then assertion is sent to client.
> Would it make sense to send client version as part of the login?
> At some point, the client has to send a message to the server.  You can
> always piggyback the version onto whatever message is sent.

Untrue.  With SAML IDP initiated SSO, the client does not have to send a 
message to the server, ever.  Also, this isn't a communication protocol, 
its an authentication protocol, so once the protocol is finished, 
there's no more piggybacking that can be done.

>> * Keycloak 1.x and 2.x are already out the door and don't submit a
>> version.  2.5.x fixes the problem of the OP, 1.x doesn't so there is no
>> way to tell the difference.
> Yea, I raised this issue in Brno last year.  It's not too late to fix
> the problem going forward though.
We can and should propagate version, but it still doesn't solve the 
problem of a 1.9.x adapter talking to Keycoak 2.5.x, nor does it solve 
idp initiated SSO issues.


More information about the keycloak-dev mailing list