Why is there a single hard-coded version of keycloak-js dependency? Would it be possible to make it a peer dependency so everyone can use whatever version they have on the server?
Or do new versions of keycloak-js work properly with older versions of Keycloak server?
Hi @livthomas,
The keycloak-js is a dependency to ensure that:
However it would be good to have this kind of freedom, because it may support more people.
Regarding
Or do new versions of keycloak-js work properly with older versions of Keycloak server?
Usually the keycloak team always release a pair version, for example: keycloak server 3.4.2 comes with a keycloak-js 3.4.2 corresponding version. It's not true to say that the current version will work on the older versions.
We need to study the impacts of doing this change on the library and maybe include a version compatibility range.
IMO, Including keycloak.js from another source instead of the keycloak server is a security risk. We should declare compatibiliy in the release file instead of including an unofficial one.
Hello @duydao,
Agree with you that is not a good idea to use an unofficial keycloak-js version, but I understood that @livthomas was talking about using the official version, but not force the app to use a fixed version of keycloak-js.
Probably the best option for this situation is really to declare the keycloak and RedHat SSO compability list, because removing this dependency could also bring some installation issues.
Hi @livthomas,
I've made some research about this topic and the keycloak-js will be maintained as a dependency to ensure that the library will work as desired.
From version 2.0.0 on, we will release a list of keycloak servers compatible with this library.
Thank you!
Most helpful comment
Hi @livthomas,
I've made some research about this topic and the keycloak-js will be maintained as a dependency to ensure that the library will work as desired.
From version 2.0.0 on, we will release a list of keycloak servers compatible with this library.
Thank you!