KEYCLOAK-6286 Added docs for OIDC Compatibility Modes to the Upgrade guide

upgrading/topics/keycloak/changes.adoc

@@ -1,5 +1,22 @@
 == Migration Changes
 
+=== Migrating to 3.4.2
+
+==== Added session_state parameter to OpenID Connect Authentication Response
+
+The OpenID Connect Session Management specification requires that the parameter `session_state` is present in the OpenID Connect Authentication Response.
+
+In past releases, we did not have this parameter, but now {project_name} adds this parameter by default, as required by the specification.
+
+However, some OpenID Connect / OAuth2 adapters, and especially older {project_name} adapters, may have issues with this new parameter.
+
+For example, the parameter will be always present in the browser URL after successful authentication to the client application.
+In these cases, it may be useful to disable adding the `session_state` parameter to the authentication response. This can be done
+for the particular client in the {project_name} admin console, in client details in the section with `OpenID Connect Compatibility Modes`,
+described in <<_compatibility_with_older_adapters>>. There is the `Exclude Session State From Authentication Response` switch,
+which can be turned on to prevent adding the `session_state` parameter to the Authentication Response.
+
+
 === Migrating to 3.2.0
 
 ==== New Password Hashing algorithms

upgrading/topics/rhsso/changes-72.adoc

@@ -32,3 +32,17 @@ Microsoft JDBC Driver 6.0 requires additional dependency added to the JDBC drive
 ----
 <module name="javax.xml.bind.api"/>
 ----
+
+=== Added session_state parameter to OpenID Connect Authentication Response
+
+The OpenID Connect Session Management specification requires that the parameter `session_state` is present in the OpenID Connect Authentication Response.
+
+In RH-SSO 7.1, we did not have this parameter, but now {project_name} adds this parameter by default, as required by the specification.
+
+However, some OpenID Connect / OAuth2 adapters, and especially older {project_name} adapters (such as RH-SSO 7.1 and older), may have issues with this new parameter.
+
+For example, the parameter will be always present in the browser URL after successful authentication to the client application.
+If you use RH-SSO 7.1 or a legacy OAuth2 / OpenID Connect adapter, it may be useful to disable adding the `session_state` parameter to the authentication response.
+This can be done for the particular client in the {project_name} admin console, in client details in the section with `OpenID Connect Compatibility Modes`,
+described in <<_compatibility_with_older_adapters>>. There is the `Exclude Session State From Authentication Response` switch,
+which can be turned on to prevent adding the `session_state` parameter to the Authentication Response.

upgrading/topics/upgrade_adapters.adoc

@@ -4,6 +4,18 @@ It is important that you upgrade {project_name} server first, and then upgrade t
 adapter might work with later versions of {project_name} server, but earlier versions of {project_name} server might not
 work with later versions of the adapter.
 
+[[_compatibility_with_older_adapters]]
+== Compatibility with older adapters
+
+As mentioned above, we try to support newer release versions of {project_name} server working with older release versions of the adapters.
+However, in some cases we need to include fixes on the {project_name} server side which may break compatibility with older versions
+of the adapters. For example, when we implement new aspects of the OpenID Connect specification, which older client adapter versions
+were not aware of.
+
+In those cases, we added Compatibility modes. For OpenId Connect clients, there is a section named `OpenID Connect Compatibility Modes`
+in the {project_name} admin console, on the page with client details. Here, you can disable some new aspects of the {project_name} server
+to preserve compatibility with older client adapters. More details are available in the tool tips of individual switches.
+
 
 [[_upgrade_eap_adapter]]
 == Upgrading the EAP Adapter