[keycloak-user] Backward compatibility of keycloak adapters
sthorger at redhat.com
Mon Nov 14 02:52:47 EST 2016
Support for multiple keys and seamless retrieving new keys were added to
adapters in 2.3 so you need to update to get this. The old adapters work,
but they either require static keys in config or will dl key at startup.
Upgrade the server first, then adapters and remove keys from config at the
same time. Simple.
If we ignored keys in config that would have actually broken backwards
On 14 Nov 2016 06:58, "Jitendra Chouhan" <jitendrachouhan03 at gmail.com>
> We have sample apps that are integrated with Keycloak-2.2.1, and now we are
> migrating the existing samples to keycloak-2.3.0.Final. We need to clarify a few
> points regarding backward compatibility of keycloak adapters.
> We have an Angular JS app and a back-end app which use keycloak JS and
> keycloak-spring-security adapter respectively. These apps are working fine
> with 2.2.1. In order to migrate from 2.2.1 and import into 2.3.0, the
> actions listed below have been performed.
> 1. Upgraded keycloak JS and keycloak-spring-security adapters to 2.3.0.
> 2. Exported existing realm from 2.2.1 and imported in 2.3.0 instance of
> 3. We kept the same keycloak.json file since we imported the working configuration
> from 2.2.1 into 2.3.0 (verified all configurations are the same).
> Upon verification, we found the applications are working fine with 2.3.0 until the key
> is rotated. After key rotation the applications are not working. But if we
> download the applications' keycloak.json from the 2.3.0 instance for the apps,
> everything works fine.
> Does this mean the adapter is not backward compatible? As we know, the key rotation
> feature has been introduced in 2.3.0, and the reference documentation states that
> the adapter will likely query/refer to the public key and certificate from the keycloak
> server instance.
> Our point: since we imported the configuration from the previous keycloak
> version (the key is the same), if applications have upgraded their adapters to 2.3.0
> and even kept the old keycloak.json files in the respective apps, it should work (as
> per expectation the adapter should refer to keys/certs from the keycloak server).
> Doesn't it make more sense that keycloak-2.3 adapters should ignore (not read) the
> public-key defined in the application keycloak.json file and always refer to the
> keycloak server? In this way application migration will be easier from one
> to another version of keycloak?
> Please do let me know if further information is needed.
> Jitendra Chouhan
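The behaviour discussed in this thread, modelled as an added example that is not part of the original messages and is not Keycloak's adapter code: a key pinned in keycloak.json (the `realm-public-key` field) keeps being used after the server rotates, while a config without it looks keys up by key ID and reloads them from the server. `KeyResolver`, `fetch_keys`, `min_refetch_seconds`, the key IDs and the key strings are hypothetical, and signature verification is replaced by a simple key comparison.

```python
import time

class KeyResolver:
    """Hypothetical model of adapter key lookup; not Keycloak's own code."""
    def __init__(self, config, fetch_keys, min_refetch_seconds=10, clock=time.monotonic):
        self.static_key = config.get("realm-public-key")  # static key pinned in keycloak.json
        self.fetch_keys = fetch_keys  # assumed callable returning {kid: public_key} from the server
        self.min_refetch_seconds = min_refetch_seconds    # hypothetical rate limit
        self.clock = clock
        self.cache, self.last_fetch = {}, None

    def resolve(self, kid):
        if self.static_key is not None:
            return self.static_key  # server is never asked, so a rotation goes unnoticed
        if kid not in self.cache and self._may_refetch():
            self.cache = dict(self.fetch_keys())  # unknown kid: reload the realm's current keys
            self.last_fetch = self.clock()
        return self.cache.get(kid)  # None means the token must be rejected

    def _may_refetch(self):
        # Rate-limit reloads so tokens with made-up kids cannot force a fetch per request.
        return self.last_fetch is None or self.clock() - self.last_fetch >= self.min_refetch_seconds

def token_accepted(resolver, token):
    """Stand-in for signature verification: compares the resolved key to the signing key."""
    key = resolver.resolve(token["kid"])
    return key is not None and key == token["signed_with"]

def demo():
    server_keys = {"kid-old": "PUBKEY-OLD"}  # constructed sample data
    fetch_count, now = [0], [0.0]
    def fetch_keys():
        fetch_count[0] += 1
        return server_keys
    clock = lambda: now[0]
    pinned = KeyResolver({"realm": "demo", "realm-public-key": "PUBKEY-OLD"}, fetch_keys, clock=clock)
    dynamic = KeyResolver({"realm": "demo"}, fetch_keys, clock=clock)
    old_token = {"kid": "kid-old", "signed_with": "PUBKEY-OLD"}
    before = (token_accepted(pinned, old_token), token_accepted(dynamic, old_token))
    server_keys.clear()                      # key rotation on the server
    server_keys["kid-new"] = "PUBKEY-NEW"
    now[0] = 60.0
    new_token = {"kid": "kid-new", "signed_with": "PUBKEY-NEW"}
    after = (token_accepted(pinned, new_token), token_accepted(dynamic, new_token))
    return {"before": before, "after": after, "fetches": fetch_count[0]}

if __name__ == "__main__":
    print(demo())
```

Each tuple in the result is (pinned config, config without a static key); only the second keeps accepting tokens after the rotation.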