[keycloak-user] Backward compatibility of keycloak adapters

Jitendra Chouhan jitendrachouhan03 at gmail.com
Mon Nov 14 00:56:29 EST 2016


We have sample apps that are integrated with Keycloak-2.2.1, and we are now
migrating the existing samples to keycloak-2.3.0.Final. We need to clarify a
few points regarding backward compatibility of the Keycloak adapters.

We have an Angular JS app and a back-end app which use the keycloak JS and
keycloak-spring-security adapters respectively. These apps are working fine
with 2.2.1. In order to migrate from 2.2.1 and import into 2.3.0, the
actions listed below have been performed.

1. Upgraded keycloak JS and keycloak-spring-security adapters to 2.3.0.
2. Exported existing realm from 2.2.1 and imported in 2.3.0 instance of
3. We kept the same keycloak.json file, since we imported the working
configuration from 2.2.1 into 2.3.0 (verified that all configurations are
the same).

Upon verification, we found the applications work fine with 2.3.0 until the
key is rotated. After key rotation the applications do not work. But if we
download the applications' keycloak.json from the 2.3.0 instance,
everything works fine.

Does this mean the adapter is not backward compatible? As we know, the key
rotation feature was introduced in 2.3.0, and the reference documentation
states that the adapter will likely query the public key and certificate
from the Keycloak server instance.

Our point: since we imported the configuration from the previous Keycloak
version (the key is the same), if the applications have upgraded their
adapters to 2.3.0 and even kept the old keycloak.json files in the
respective apps, it should work (as per our expectation, the adapter should
fetch keys/certs from the Keycloak server).

Doesn't it make more sense that keycloak-2.3 adapters should ignore (not
read) the public key defined in the application's keycloak.json file and
always fetch it from the Keycloak server? That way, application migration
from one version of Keycloak to another would be easier.

Please do let me know if further information is needed.

Jitendra Chouhan
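
An added example, not part of the original post or of Keycloak's own code: a Python check that classifies a keycloak.json by whether it pins a public key and whether that pinned key still matches the realm's active keys, which is the condition the post describes breaking after rotation. It assumes the pinned value is the adapter's `realm-public-key` field and that a config without it leaves key lookup to the server; the key strings, realm name and URL are constructed.

```python
import json
import re

def normalize_key(pem_or_b64):
    """Strip PEM armor and whitespace so two encodings of one key compare equal."""
    body = re.sub(r"-----(BEGIN|END) PUBLIC KEY-----", "", pem_or_b64)
    return re.sub(r"\s+", "", body)

def audit_adapter_config(config_text, active_realm_keys):
    """Classify one keycloak.json against the realm's currently active public keys.

    Returns 'dynamic' if no key is pinned, 'pinned-current' if the pinned key is
    still active, and 'pinned-stale' if it no longer matches any active key.
    """
    config = json.loads(config_text)
    pinned = config.get("realm-public-key")
    if not pinned or not pinned.strip():
        return "dynamic"
    active = {normalize_key(k) for k in active_realm_keys}
    return "pinned-current" if normalize_key(pinned) in active else "pinned-stale"

# Constructed sample data: short fake key strings, not real RSA keys.
OLD_KEY = "MIIBIjANBgkqhOLDKEYAAAA"
NEW_KEY = "MIIBIjANBgkqhNEWKEYBBBB"

# Config carried over unchanged from the older setup (assumed to pin the key).
OLD_STYLE_CONFIG = json.dumps({
    "realm": "demo",
    "realm-public-key": OLD_KEY,
    "auth-server-url": "https://sso.example.test/auth",
    "resource": "sample-app",
})
# Config with no pinned key (assumed shape of a freshly downloaded file).
NEW_STYLE_CONFIG = json.dumps({
    "realm": "demo",
    "auth-server-url": "https://sso.example.test/auth",
    "resource": "sample-app",
})

def report():
    """Audit the old-style config before and after rotation, then the new one."""
    before = audit_adapter_config(OLD_STYLE_CONFIG, [OLD_KEY])
    after = audit_adapter_config(OLD_STYLE_CONFIG, [NEW_KEY])
    fresh = audit_adapter_config(NEW_STYLE_CONFIG, [NEW_KEY])
    return before, after, fresh

if __name__ == "__main__":
    print(report())
```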
