From matzew at apache.org Fri Aug 1 02:46:35 2014 From: matzew at apache.org (Matthias Wessendorf) Date: Fri, 1 Aug 2014 08:46:35 +0200 Subject: [keycloak-dev] release timelines In-Reply-To: <53DAC608.9060600@redhat.com> References: <53DAC608.9060600@redhat.com> Message-ID: +1 thanks for sharing! -Matthias On Fri, Aug 1, 2014 at 12:41 AM, Bill Burke wrote: > I set up the release timelines. IMO, the dates are set with no moving > of them unless there is a blocker bug. > > Beta-4: August 6th. This can't be delayed. Whatever is not done by > EOD Monday is deferred. > > 1.0-RC-1: August 21st. > > 1.0.0.Final: September 9th. > > > We have 34 outstanding issues. > > There should only be bug fixes, example/docs, and minor look and feel > changes after RC1. The week before the final release, I'll be updating > all the screencasts so there should be no visual changes please! > > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > _______________________________________________ > keycloak-dev mailing list > keycloak-dev at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-dev > -- Matthias Wessendorf blog: http://matthiaswessendorf.wordpress.com/ sessions: http://www.slideshare.net/mwessendorf twitter: http://twitter.com/mwessendorf -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-dev/attachments/20140801/4d1434cb/attachment.html From stian at redhat.com Fri Aug 1 04:18:22 2014 From: stian at redhat.com (Stian Thorgersen) Date: Fri, 1 Aug 2014 04:18:22 -0400 (EDT) Subject: [keycloak-dev] delete users on federation removal? In-Reply-To: <53DABCA8.7000107@redhat.com> References: <53DA4D2B.5090404@redhat.com> <327201677.21432840.1406815786960.JavaMail.zimbra@redhat.com> <53DA936C.6090609@redhat.com> <53DABCA8.7000107@redhat.com> Message-ID: <663479046.21922121.1406881102501.JavaMail.zimbra@redhat.com> ----- Original Message ----- > From: "Bill Burke" > To: keycloak-dev at lists.jboss.org > Sent: Thursday, 31 July, 2014 11:01:12 PM > Subject: Re: [keycloak-dev] delete users on federation removal? > > Ya, this is quite hairy. You'll have to set the REQUIRED ACTION to > reset all credentials handled by the federation provider. > > Unfortunately, you can now only set one required action per user :( You can still set multiple. The user has a Set and we even have a test that checks users with multiple actions RequiredActionMultipleActionsTest. > > On 7/31/2014 3:05 PM, Marek Posolda wrote: > > +1 for having it optional. > > > > However if you remove LDAP UserFederationProvider, the users from LDAP > > won't be able to login with their passwords until admin change them... > > > > Marek > > > > On 31.7.2014 16:09, Stian Thorgersen wrote: > >> I think it should be optional. > >> > >> Someone may for example migrate from LDAP to using Keycloak. Once they've > >> migrated all apps they'll want to decommission the LDAP server, but they > >> would still want to keep the users. > >> > >> ----- Original Message ----- > >>> From: "Bill Burke" > >>> To: keycloak-dev at lists.jboss.org > >>> Sent: Thursday, 31 July, 2014 3:05:31 PM > >>> Subject: [keycloak-dev] delete users on federation removal? > >>> > >>> I'm assuming that if a UserFederationProvider is removed from a realm, > >>> then all users imported from that provider should be deleted? > >>> > >>> -- > >>> Bill Burke > >>> JBoss, a division of Red Hat > >>> http://bill.burkecentral.com > >>> _______________________________________________ > >>> keycloak-dev mailing list > >>> keycloak-dev at lists.jboss.org > >>> https://lists.jboss.org/mailman/listinfo/keycloak-dev > >>> > >> _______________________________________________ > >> keycloak-dev mailing list > >> keycloak-dev at lists.jboss.org > >> https://lists.jboss.org/mailman/listinfo/keycloak-dev > > > > _______________________________________________ > > keycloak-dev mailing list > > keycloak-dev at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-dev > > > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > _______________________________________________ > keycloak-dev mailing list > keycloak-dev at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-dev > From stian at redhat.com Fri Aug 1 04:19:29 2014 From: stian at redhat.com (Stian Thorgersen) Date: Fri, 1 Aug 2014 04:19:29 -0400 (EDT) Subject: [keycloak-dev] delete users on federation removal? In-Reply-To: <53DAC8BD.5020207@redhat.com> References: <53DA4D2B.5090404@redhat.com> <327201677.21432840.1406815786960.JavaMail.zimbra@redhat.com> <53DA936C.6090609@redhat.com> <53DABCA8.7000107@redhat.com> <53DAC02F.1090806@redhat.com> <53DAC8BD.5020207@redhat.com> Message-ID: <20909132.21922681.1406881169548.JavaMail.zimbra@redhat.com> I'm happy with deferring this to later, but we should at some point add it to make it easy for folks to decommission their old "crap". ----- Original Message ----- > From: "Bill Burke" > To: keycloak-dev at lists.jboss.org > Sent: Thursday, 31 July, 2014 11:52:45 PM > Subject: Re: [keycloak-dev] delete users on federation removal? > > HOnestly I think we should just delete all users that have the link and > deferr the rest until after 1.1. This will take a lot of work and there > is a lot of little things that need to be done. > > On 7/31/2014 6:16 PM, Bill Burke wrote: > > Even more hairy, you can't reset a password without knowing (and > > verifying) the old one. > > > > > > > > On 7/31/2014 6:01 PM, Bill Burke wrote: > >> Ya, this is quite hairy. You'll have to set the REQUIRED ACTION to > >> reset all credentials handled by the federation provider. > >> > >> Unfortunately, you can now only set one required action per user :( > >> > >> On 7/31/2014 3:05 PM, Marek Posolda wrote: > >>> +1 for having it optional. > >>> > >>> However if you remove LDAP UserFederationProvider, the users from LDAP > >>> won't be able to login with their passwords until admin change them... > >>> > >>> Marek > >>> > >>> On 31.7.2014 16:09, Stian Thorgersen wrote: > >>>> I think it should be optional. > >>>> > >>>> Someone may for example migrate from LDAP to using Keycloak. Once > >>>> they've migrated all apps they'll want to decommission the LDAP server, > >>>> but they would still want to keep the users. > >>>> > >>>> ----- Original Message ----- > >>>>> From: "Bill Burke" > >>>>> To: keycloak-dev at lists.jboss.org > >>>>> Sent: Thursday, 31 July, 2014 3:05:31 PM > >>>>> Subject: [keycloak-dev] delete users on federation removal? > >>>>> > >>>>> I'm assuming that if a UserFederationProvider is removed from a realm, > >>>>> then all users imported from that provider should be deleted? > >>>>> > >>>>> -- > >>>>> Bill Burke > >>>>> JBoss, a division of Red Hat > >>>>> http://bill.burkecentral.com > >>>>> _______________________________________________ > >>>>> keycloak-dev mailing list > >>>>> keycloak-dev at lists.jboss.org > >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev > >>>>> > >>>> _______________________________________________ > >>>> keycloak-dev mailing list > >>>> keycloak-dev at lists.jboss.org > >>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev > >>> > >>> _______________________________________________ > >>> keycloak-dev mailing list > >>> keycloak-dev at lists.jboss.org > >>> https://lists.jboss.org/mailman/listinfo/keycloak-dev > >>> > >> > > > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > _______________________________________________ > keycloak-dev mailing list > keycloak-dev at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-dev > From stian at redhat.com Fri Aug 1 04:20:48 2014 From: stian at redhat.com (Stian Thorgersen) Date: Fri, 1 Aug 2014 04:20:48 -0400 (EDT) Subject: [keycloak-dev] need multiple required actions In-Reply-To: <53DABD25.6030001@redhat.com> References: <53DABD25.6030001@redhat.com> Message-ID: <1636579074.21923122.1406881248433.JavaMail.zimbra@redhat.com> ? A user can have multiple actions, we even have a test for it RequiredActionMultipleActionsTest ----- Original Message ----- > From: "Bill Burke" > To: keycloak-dev at lists.jboss.org > Sent: Thursday, 31 July, 2014 11:03:17 PM > Subject: [keycloak-dev] need multiple required actions > > admin may want to force the user to reset *ALL* credentials. Currently > can only force the user to reset one at a time. > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > _______________________________________________ > keycloak-dev mailing list > keycloak-dev at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-dev > From stian at redhat.com Fri Aug 1 04:31:53 2014 From: stian at redhat.com (Stian Thorgersen) Date: Fri, 1 Aug 2014 04:31:53 -0400 (EDT) Subject: [keycloak-dev] Remaining work for beta-4 In-Reply-To: <53DA9606.60704@redhat.com> References: <1881643549.21352506.1406813095491.JavaMail.zimbra@redhat.com> <53DA49B0.3000002@redhat.com> <53DA9606.60704@redhat.com> Message-ID: <928545509.21925741.1406881913544.JavaMail.zimbra@redhat.com> ----- Original Message ----- > From: "Marek Posolda" > To: keycloak-dev at lists.jboss.org > Sent: Thursday, 31 July, 2014 8:16:22 PM > Subject: Re: [keycloak-dev] Remaining work for beta-4 > > On 31.7.2014 15:50, Bill Burke wrote: > > We MUST release by Wednesday. All commits after Friday need to be done > > very carefully. This means that you've run a full build and tested the > > distribution and demos. Aerogear and Stan (among others) need a release... > > > > On 7/31/2014 9:24 AM, Stian Thorgersen wrote: > >> Outstanding work for beta-4: > >> > >> * User federation - what's the status? > > Still working on UI and small issues. Should be done Friday. > > > >> * Turn off cookie cache for all http clients (KEYCLOAK-537) - not sure I > >> understand this issue? isn't sticky sessions something that's configured > >> by the load balancer? > > Push this to 1.0.Final release. The Apache HTTP Client instance is > > shared by the Adapter. Cookie caching is on by default. IIRC, sticky > > sessions by mod-jk are done via a cookie. Thus accessCodeToToken > > requests will not be load balanced. > > > >> * RealmModel should have a link to realm admin app (KEYCLOAK-486) - I > >> don't think the admin console should refer to the app by name, instead it > >> should either have a link or at least the id of the app associated with > >> the realm > > Can be pushed to 1.0.Final release, IMO. > > > >> * Issue with deploying on AS7 (KEYCLOAK-572) - should be fixed with new PL > >> release, but do we really care about supporting AS7? > >> > > Yes we care about AS7. We need a release from Picketlink on Monday so > > we can test on Tuesday. We will have to make sure that picketlink > > modules are excluded in jboss-deployment-structure.xml and we include > > the picketlink modules directly. Patching picketlink modules directly > > is not an option. > > > >> Issues I propose we push to beta-5: > >> > > I don't think we'll have a beta-5. Next release will be 1.0.Final, ASAP > > after beta-4. > > > >> * LDAP sync - should this go into beta-5? or even wait until after final? > > +1 Marek is close, but should wait until after beta-4 is out. > +1, Pedro is releasing picketlink today, but I am on PTO tomorrow. I can > finish sync on Monday though, but looks that it's too late for the > release... We need updated PL for beta-4. I'll ping Pedro and try to upgrade it today. > > > >> * Stress tests (KEYCLOAK-514) - we still haven't tested with a large > >> amount of users > I've tested with max 3000 users so far. I think I will need to setup > jenkins job for add big amount of users into DB and then test them. > > Marek > >> * DB optimizations (KEYCLOAK-515) - maybe push this to after final? > >> * "Transaction not active" while performing a shutdown (KEYCLOAK-470) - I > >> can't replicate this, do we close or just set to no fix version? > > close. I coudln't replicate either. > > > > > > > > _______________________________________________ > keycloak-dev mailing list > keycloak-dev at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-dev > From stian at redhat.com Fri Aug 1 04:36:20 2014 From: stian at redhat.com (Stian Thorgersen) Date: Fri, 1 Aug 2014 04:36:20 -0400 (EDT) Subject: [keycloak-dev] Sync + federation In-Reply-To: <53DAA956.6040303@redhat.com> References: <53DA298F.7020901@redhat.com> <53DA4557.2090307@redhat.com> <53DA9249.70408@redhat.com> <53DAA08B.9010808@redhat.com> <53DAA956.6040303@redhat.com> Message-ID: <1365722251.21927891.1406882180568.JavaMail.zimbra@redhat.com> ----- Original Message ----- > From: "Marek Posolda" > To: "Bill Burke" , keycloak-dev at lists.jboss.org > Sent: Thursday, 31 July, 2014 9:38:46 PM > Subject: Re: [keycloak-dev] Sync + federation > > On 31.7.2014 22:01, Bill Burke wrote: > > > > > > On 7/31/2014 3:00 PM, Marek Posolda wrote: > >>>> boolean enablePagination; > >>>> int pageSize; > >>> Why would these ever need to be configured. Either the provider > >>> supports pagination or it doesn't. > >> It's tricky to rely just on implementation though. For example LDAP > >> implementation generally supports pagination, but some LDAP servers > >> support it, some are not. But you will use same implementation (aka > >> LDAPFederationProvider) for both. So I believe that it should be a way > >> to disable pagination if you are for example on ApacheDS. Also > >> configuring pageSize might be useful too according to environment? And > >> for unit test, you usually want to test with small pageSize just to > >> verify that it works;-) I think we should have separate implementations based on a abstract class if there are differences between LDAP implementations. Or maybe something similar to Hibernate dialects. > >> > >> Right now, I already have configurable pageSize and each "page" from > >> LDAP is synced into Keycloak DB in separate transaction. > > > > I just don't want the general SPI polluted with implementation details > > of one adapter. > Ok, it can be part of the LDAP FederationProvider configuration then. > > > >>> > >>> > >>> > >>>> long fullSyncPeriod; // -1 if periodic fullSync should be > >>>> disabled > >>>> long partialSyncPeriod; // -1 if perodic partialSync should be > >>>> disabled > >>>> > >>> Another option is to let the UserFederationProviderFactory handle > >>> synchronization and be configured through keycloak-server.json. Then > >>> there is no UI to do and no changes to the SPIs. > >>> > >>> Keycloak would have a generic Job scheduler (does it already?) and in > >>> the UserFederationProviderFactory.init() method it would just schedule > >>> the appropriate jobs. > >> Do we want to support the usecase, when you have 2 realms and you want > >> sync from LDAP on "realm1" each 1 hour and on "realm2" each 5 hours? > >> Also you may want to use different pageSize for each LDAP server (or you > >> may have ActiveDirectory on "realm1" which supports pagination and > >> "ApacheDS" on "realm2" which doesn't etc). In this case generic > >> configuration in keycloak-server.json won't work though? > >> > > > > It was just an idea... > > > >>> > >>> > >>>> And for Admin console UI, we can have some common template, which > >>>> can be > >>>> added into page of particular Federation Provider. For example on > >>>> federated-ldap.html or federated-generic.html there can be checkbox on > >>>> the bottom of the page like "enable synchronization of users" and when > >>>> people check it, it will display other settings (pagination, period > >>>> for > >>>> full/partial sync, button for trigger sync directly from admin > >>>> console etc). > >>>> > >>>> Also not sure how to properly incorporate it into > >>>> UserFederationProvider > >>>> API... Actually UserFederationProvider is supposed to be per-session > >>>> component whenever Sync process may actually use more > >>>> session/transaction lifecycles. So adding methods for sync directly > >>>> into > >>>> UserFederationProvider may not work though... I wonder if we can have > >>>> method on UserFederationProviderFactory: > >>>> > >>>> UserSyncProvider getInstance(KeycloakSessionFactory sessionFactory, > >>>> UserFederationProviderModel model); > >>>> > >>>> And UserSyncProvider being something like this: > >>>> > >>>> public interface UserSyncProvider { > >>>> void syncAllUsers(KeycloakSessionFactory sessionFactory, > >>>> UserFederationProviderFactory fedFactory, String realmId, > >>>> UserFederationProviderModel fedModel) > >>>> void syncChangedUsers(KeycloakSessionFactory sessionFactory, > >>>> UserFederationProviderFactory fedFactory, String realmId, > >>>> UserFederationProviderModel fedModel, Date lastSync); > >>>> } > >>> > >>> What is the difference between syncAllUsers() and syncChangedUsers()? > >>> Is syncAllUsers() an import/sync from LDAP to Keycloak of all users in > >>> LDAP store? > >> yes. And likely also checking all "local" users with federation link, > >> that link is still valid (ie. user wasn't deleted in LDAP, basically > >> what UserFederationProvider.isValid is doing) and delete if not. > >> > >>> Is synchChangedUsers() only a synchronization from LDAP to > >>> Keycloak of only users that are currently imported into Keycloak? > >> It will leverage changelogs and sync just those "remote" users, which > >> were added/updated (or removed if supported, but it's tricky for LDAP as > >> I mentioned) remotely from the last sync. > > > > Ya, those separate methods soound good. > > > >> > >>> > >>> > >>> > >>> Depending on the answers to above questions, maybe > >>> UserFederationProviderFactory would have the appropriate sync methods > >>> instead? Then there would be one less interface that needs to be > >>> implemented. > >>> > >>> UserFederationProviderFactory { > >>> > >>> void sync(KeycloakSessionFactory sessionFactory, String realmId, > >>> UserFederationProviderModel model); > >>> > >>> } > >> I am fine with adding the methods directly on the factory. Was also > >> thinking about it, but wasn't sure if having methods on "factory" class > >> is not a workaround though;-) > >> > > > > I say put them on factory. > > > > > Great, will do. > > Marek > > _______________________________________________ > keycloak-dev mailing list > keycloak-dev at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-dev > From stian at redhat.com Fri Aug 1 08:55:01 2014 From: stian at redhat.com (Stian Thorgersen) Date: Fri, 1 Aug 2014 08:55:01 -0400 (EDT) Subject: [keycloak-dev] Enable SSL by default In-Reply-To: <1193209595.21486920.1406819740132.JavaMail.zimbra@redhat.com> References: <1346103619.21178655.1406799631863.JavaMail.zimbra@redhat.com> <53DA3C5C.2070507@redhat.com> <60163932.21324605.1406811887582.JavaMail.zimbra@redhat.com> <1193209595.21486920.1406819740132.JavaMail.zimbra@redhat.com> Message-ID: <831471097.22050538.1406897701472.JavaMail.zimbra@redhat.com> Added, ssl-not-required has been replaced with ssl-required with valid options: * all - requires SSL for all requests * external - requires SSL for external requests (default) * none - don't require SSL at all Both the server and adapters have been updated. ----- Original Message ----- > From: "Stian Thorgersen" > To: "Bill Burke" > Cc: keycloak-dev at lists.jboss.org > Sent: Thursday, 31 July, 2014 4:15:40 PM > Subject: Re: [keycloak-dev] Enable SSL by default > > This is pretty tricky if we want a nice error page. Especially as we need to > know the realm to know the login theme. > > I'm dropping this, and instead adding > RealmModel.isSslNotRequiredLocalRequest. By default isSslNotRequired will be > false, while isSslNotRequiredLocalRequest will be true. > > ----- Original Message ----- > > From: "Stian Thorgersen" > > To: "Bill Burke" > > Cc: keycloak-dev at lists.jboss.org > > Sent: Thursday, 31 July, 2014 2:04:47 PM > > Subject: Re: [keycloak-dev] Enable SSL by default > > > > I propose we remove the SSL required switch on the Realm. Instead we have > > an > > option to configure SSL requirement in keycloak-server.json, which also > > allows excluding IP addresses. > > > > Default config would be: > > > > { > > "https": { > > "required" : true, > > "exclude": [ "localhost", "127.0.0.1" ] > > } > > } > > > > If someone wants to allow local network traffic without https they could > > change it to: > > > > { > > "https": { > > "required" : true, > > "exclude": [ "localhost", "127.0.0.1", "10.9.10.*" ] > > } > > } > > > > And of course if someone really wants to they can disable it altogether > > with: > > > > { > > "https": { > > "required" : false, > > "exclude": [ "localhost", "127.0.0.1", "10.9.10.*" ] > > } > > } > > > > If no config is specified I think it should default to required: true, with > > empty exclude. > > > > ----- Original Message ----- > > > From: "Bill Burke" > > > To: keycloak-dev at lists.jboss.org > > > Sent: Thursday, 31 July, 2014 1:53:48 PM > > > Subject: Re: [keycloak-dev] Enable SSL by default > > > > > > So hardcode the localhost requirement? That would work. The switch > > > would be "require ssl" or "non-encrypted localhost only" > > > > > > On 7/31/2014 5:40 AM, Stian Thorgersen wrote: > > > > To make sure no-one goes of and uses Keycloak in production without > > > > HTTPS > > > > we should require SSL by default. To still allow developers to play > > > > with > > > > Keycloak without having to configure HTTPS first we should allow > > > > non-HTTPS > > > > if accessed via localhost only. > > > > _______________________________________________ > > > > keycloak-dev mailing list > > > > keycloak-dev at lists.jboss.org > > > > https://lists.jboss.org/mailman/listinfo/keycloak-dev > > > > > > > > > > -- > > > Bill Burke > > > JBoss, a division of Red Hat > > > http://bill.burkecentral.com > > > _______________________________________________ > > > keycloak-dev mailing list > > > keycloak-dev at lists.jboss.org > > > https://lists.jboss.org/mailman/listinfo/keycloak-dev > > > > > _______________________________________________ > > keycloak-dev mailing list > > keycloak-dev at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-dev > > > _______________________________________________ > keycloak-dev mailing list > keycloak-dev at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-dev > From bburke at redhat.com Fri Aug 1 09:23:39 2014 From: bburke at redhat.com (Bill Burke) Date: Fri, 01 Aug 2014 09:23:39 -0400 Subject: [keycloak-dev] delete users on federation removal? In-Reply-To: <663479046.21922121.1406881102501.JavaMail.zimbra@redhat.com> References: <53DA4D2B.5090404@redhat.com> <327201677.21432840.1406815786960.JavaMail.zimbra@redhat.com> <53DA936C.6090609@redhat.com> <53DABCA8.7000107@redhat.com> <663479046.21922121.1406881102501.JavaMail.zimbra@redhat.com> Message-ID: <53DB94DB.6010408@redhat.com> On 8/1/2014 4:18 AM, Stian Thorgersen wrote: > > > ----- Original Message ----- >> From: "Bill Burke" >> To: keycloak-dev at lists.jboss.org >> Sent: Thursday, 31 July, 2014 11:01:12 PM >> Subject: Re: [keycloak-dev] delete users on federation removal? >> >> Ya, this is quite hairy. You'll have to set the REQUIRED ACTION to >> reset all credentials handled by the federation provider. >> >> Unfortunately, you can now only set one required action per user :( > > You can still set multiple. The user has a Set and we even have a test that checks users with multiple actions RequiredActionMultipleActionsTest. > Ugh, I'm really sorry. I think I remembered you saying you were going to switch it to one action, looked at the code quickly and missed the Set method on UserModel...I AM LOSING MY MIND!!!! Still not sure what to do about credentials though. We can't have open accounts that can be reset without specifying old password. We could send out an email maybe. Must be deferred to post 1.0.final. -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From bburke at redhat.com Fri Aug 1 09:25:38 2014 From: bburke at redhat.com (Bill Burke) Date: Fri, 01 Aug 2014 09:25:38 -0400 Subject: [keycloak-dev] Enable SSL by default In-Reply-To: <831471097.22050538.1406897701472.JavaMail.zimbra@redhat.com> References: <1346103619.21178655.1406799631863.JavaMail.zimbra@redhat.com> <53DA3C5C.2070507@redhat.com> <60163932.21324605.1406811887582.JavaMail.zimbra@redhat.com> <1193209595.21486920.1406819740132.JavaMail.zimbra@redhat.com> <831471097.22050538.1406897701472.JavaMail.zimbra@redhat.com> Message-ID: <53DB9552.6050805@redhat.com> As usual, great stuff. On 8/1/2014 8:55 AM, Stian Thorgersen wrote: > Added, ssl-not-required has been replaced with ssl-required with valid options: > > * all - requires SSL for all requests > * external - requires SSL for external requests (default) > * none - don't require SSL at all > > Both the server and adapters have been updated. > > ----- Original Message ----- >> From: "Stian Thorgersen" >> To: "Bill Burke" >> Cc: keycloak-dev at lists.jboss.org >> Sent: Thursday, 31 July, 2014 4:15:40 PM >> Subject: Re: [keycloak-dev] Enable SSL by default >> >> This is pretty tricky if we want a nice error page. Especially as we need to >> know the realm to know the login theme. >> >> I'm dropping this, and instead adding >> RealmModel.isSslNotRequiredLocalRequest. By default isSslNotRequired will be >> false, while isSslNotRequiredLocalRequest will be true. >> >> ----- Original Message ----- >>> From: "Stian Thorgersen" >>> To: "Bill Burke" >>> Cc: keycloak-dev at lists.jboss.org >>> Sent: Thursday, 31 July, 2014 2:04:47 PM >>> Subject: Re: [keycloak-dev] Enable SSL by default >>> >>> I propose we remove the SSL required switch on the Realm. Instead we have >>> an >>> option to configure SSL requirement in keycloak-server.json, which also >>> allows excluding IP addresses. >>> >>> Default config would be: >>> >>> { >>> "https": { >>> "required" : true, >>> "exclude": [ "localhost", "127.0.0.1" ] >>> } >>> } >>> >>> If someone wants to allow local network traffic without https they could >>> change it to: >>> >>> { >>> "https": { >>> "required" : true, >>> "exclude": [ "localhost", "127.0.0.1", "10.9.10.*" ] >>> } >>> } >>> >>> And of course if someone really wants to they can disable it altogether >>> with: >>> >>> { >>> "https": { >>> "required" : false, >>> "exclude": [ "localhost", "127.0.0.1", "10.9.10.*" ] >>> } >>> } >>> >>> If no config is specified I think it should default to required: true, with >>> empty exclude. >>> >>> ----- Original Message ----- >>>> From: "Bill Burke" >>>> To: keycloak-dev at lists.jboss.org >>>> Sent: Thursday, 31 July, 2014 1:53:48 PM >>>> Subject: Re: [keycloak-dev] Enable SSL by default >>>> >>>> So hardcode the localhost requirement? That would work. The switch >>>> would be "require ssl" or "non-encrypted localhost only" >>>> >>>> On 7/31/2014 5:40 AM, Stian Thorgersen wrote: >>>>> To make sure no-one goes of and uses Keycloak in production without >>>>> HTTPS >>>>> we should require SSL by default. To still allow developers to play >>>>> with >>>>> Keycloak without having to configure HTTPS first we should allow >>>>> non-HTTPS >>>>> if accessed via localhost only. >>>>> _______________________________________________ >>>>> keycloak-dev mailing list >>>>> keycloak-dev at lists.jboss.org >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev >>>>> >>>> >>>> -- >>>> Bill Burke >>>> JBoss, a division of Red Hat >>>> http://bill.burkecentral.com >>>> _______________________________________________ >>>> keycloak-dev mailing list >>>> keycloak-dev at lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev >>>> >>> _______________________________________________ >>> keycloak-dev mailing list >>> keycloak-dev at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-dev >>> >> _______________________________________________ >> keycloak-dev mailing list >> keycloak-dev at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-dev >> -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From stian at redhat.com Fri Aug 1 09:34:46 2014 From: stian at redhat.com (Stian Thorgersen) Date: Fri, 1 Aug 2014 09:34:46 -0400 (EDT) Subject: [keycloak-dev] delete users on federation removal? In-Reply-To: <53DB94DB.6010408@redhat.com> References: <53DA4D2B.5090404@redhat.com> <327201677.21432840.1406815786960.JavaMail.zimbra@redhat.com> <53DA936C.6090609@redhat.com> <53DABCA8.7000107@redhat.com> <663479046.21922121.1406881102501.JavaMail.zimbra@redhat.com> <53DB94DB.6010408@redhat.com> Message-ID: <280783465.22079126.1406900086490.JavaMail.zimbra@redhat.com> ----- Original Message ----- > From: "Bill Burke" > To: "Stian Thorgersen" > Cc: keycloak-dev at lists.jboss.org > Sent: Friday, 1 August, 2014 2:23:39 PM > Subject: Re: [keycloak-dev] delete users on federation removal? > > > > On 8/1/2014 4:18 AM, Stian Thorgersen wrote: > > > > > > ----- Original Message ----- > >> From: "Bill Burke" > >> To: keycloak-dev at lists.jboss.org > >> Sent: Thursday, 31 July, 2014 11:01:12 PM > >> Subject: Re: [keycloak-dev] delete users on federation removal? > >> > >> Ya, this is quite hairy. You'll have to set the REQUIRED ACTION to > >> reset all credentials handled by the federation provider. > >> > >> Unfortunately, you can now only set one required action per user :( > > > > You can still set multiple. The user has a Set and we even > > have a test that checks users with multiple actions > > RequiredActionMultipleActionsTest. > > > > Ugh, I'm really sorry. I think I remembered you saying you were going > to switch it to one action, looked at the code quickly and missed the > Set method on UserModel...I AM LOSING MY MIND!!!! Honest mistake, I switched the authorization code so it's only valid for one action at a time. So if a user has multiple required actions, the code will be set to the first one, then the user redirect to that action page, then the code will be updated with the new action + timestamp refreshed, redirected to next action page, etc.. Keeping the spirit of code is a one-time-thing alive ;) > > Still not sure what to do about credentials though. We can't have open > accounts that can be reset without specifying old password. We could > send out an email maybe. > > Must be deferred to post 1.0.final. +1 To deferre it One related thing I think we'll need is the ability to do batch updates to users. For example an admin may want to: * Require a group of users to update their password * Disable a group of users * Add a role to a group of users Not sure how the admin would specify the group though, maybe by role? > > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > From stian at redhat.com Fri Aug 1 09:46:09 2014 From: stian at redhat.com (Stian Thorgersen) Date: Fri, 1 Aug 2014 09:46:09 -0400 (EDT) Subject: [keycloak-dev] Enable SSL by default In-Reply-To: <53DB9552.6050805@redhat.com> References: <1346103619.21178655.1406799631863.JavaMail.zimbra@redhat.com> <53DA3C5C.2070507@redhat.com> <60163932.21324605.1406811887582.JavaMail.zimbra@redhat.com> <1193209595.21486920.1406819740132.JavaMail.zimbra@redhat.com> <831471097.22050538.1406897701472.JavaMail.zimbra@redhat.com> <53DB9552.6050805@redhat.com> Message-ID: <345942631.22087544.1406900769041.JavaMail.zimbra@redhat.com> Damn, forgot about Docker :/ Current implementation works great for local devs and OpenShift (as https is always on there). But, with Docker, KVM or anyone using multiple machines to do development they won't be using localhost. I'm going to also permit private addresses (http://en.wikipedia.org/wiki/IP_address#IPv4_private_addresses). ----- Original Message ----- > From: "Bill Burke" > To: "Stian Thorgersen" > Cc: keycloak-dev at lists.jboss.org > Sent: Friday, 1 August, 2014 2:25:38 PM > Subject: Re: [keycloak-dev] Enable SSL by default > > As usual, great stuff. > > On 8/1/2014 8:55 AM, Stian Thorgersen wrote: > > Added, ssl-not-required has been replaced with ssl-required with valid > > options: > > > > * all - requires SSL for all requests > > * external - requires SSL for external requests (default) > > * none - don't require SSL at all > > > > Both the server and adapters have been updated. > > > > ----- Original Message ----- > >> From: "Stian Thorgersen" > >> To: "Bill Burke" > >> Cc: keycloak-dev at lists.jboss.org > >> Sent: Thursday, 31 July, 2014 4:15:40 PM > >> Subject: Re: [keycloak-dev] Enable SSL by default > >> > >> This is pretty tricky if we want a nice error page. Especially as we need > >> to > >> know the realm to know the login theme. > >> > >> I'm dropping this, and instead adding > >> RealmModel.isSslNotRequiredLocalRequest. By default isSslNotRequired will > >> be > >> false, while isSslNotRequiredLocalRequest will be true. > >> > >> ----- Original Message ----- > >>> From: "Stian Thorgersen" > >>> To: "Bill Burke" > >>> Cc: keycloak-dev at lists.jboss.org > >>> Sent: Thursday, 31 July, 2014 2:04:47 PM > >>> Subject: Re: [keycloak-dev] Enable SSL by default > >>> > >>> I propose we remove the SSL required switch on the Realm. Instead we have > >>> an > >>> option to configure SSL requirement in keycloak-server.json, which also > >>> allows excluding IP addresses. > >>> > >>> Default config would be: > >>> > >>> { > >>> "https": { > >>> "required" : true, > >>> "exclude": [ "localhost", "127.0.0.1" ] > >>> } > >>> } > >>> > >>> If someone wants to allow local network traffic without https they could > >>> change it to: > >>> > >>> { > >>> "https": { > >>> "required" : true, > >>> "exclude": [ "localhost", "127.0.0.1", "10.9.10.*" ] > >>> } > >>> } > >>> > >>> And of course if someone really wants to they can disable it altogether > >>> with: > >>> > >>> { > >>> "https": { > >>> "required" : false, > >>> "exclude": [ "localhost", "127.0.0.1", "10.9.10.*" ] > >>> } > >>> } > >>> > >>> If no config is specified I think it should default to required: true, > >>> with > >>> empty exclude. > >>> > >>> ----- Original Message ----- > >>>> From: "Bill Burke" > >>>> To: keycloak-dev at lists.jboss.org > >>>> Sent: Thursday, 31 July, 2014 1:53:48 PM > >>>> Subject: Re: [keycloak-dev] Enable SSL by default > >>>> > >>>> So hardcode the localhost requirement? That would work. The switch > >>>> would be "require ssl" or "non-encrypted localhost only" > >>>> > >>>> On 7/31/2014 5:40 AM, Stian Thorgersen wrote: > >>>>> To make sure no-one goes of and uses Keycloak in production without > >>>>> HTTPS > >>>>> we should require SSL by default. To still allow developers to play > >>>>> with > >>>>> Keycloak without having to configure HTTPS first we should allow > >>>>> non-HTTPS > >>>>> if accessed via localhost only. > >>>>> _______________________________________________ > >>>>> keycloak-dev mailing list > >>>>> keycloak-dev at lists.jboss.org > >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev > >>>>> > >>>> > >>>> -- > >>>> Bill Burke > >>>> JBoss, a division of Red Hat > >>>> http://bill.burkecentral.com > >>>> _______________________________________________ > >>>> keycloak-dev mailing list > >>>> keycloak-dev at lists.jboss.org > >>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev > >>>> > >>> _______________________________________________ > >>> keycloak-dev mailing list > >>> keycloak-dev at lists.jboss.org > >>> https://lists.jboss.org/mailman/listinfo/keycloak-dev > >>> > >> _______________________________________________ > >> keycloak-dev mailing list > >> keycloak-dev at lists.jboss.org > >> https://lists.jboss.org/mailman/listinfo/keycloak-dev > >> > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > From stian at redhat.com Fri Aug 1 10:11:06 2014 From: stian at redhat.com (Stian Thorgersen) Date: Fri, 1 Aug 2014 10:11:06 -0400 (EDT) Subject: [keycloak-dev] Remaining work for beta-4 In-Reply-To: <928545509.21925741.1406881913544.JavaMail.zimbra@redhat.com> References: <1881643549.21352506.1406813095491.JavaMail.zimbra@redhat.com> <53DA49B0.3000002@redhat.com> <53DA9606.60704@redhat.com> <928545509.21925741.1406881913544.JavaMail.zimbra@redhat.com> Message-ID: <1328034261.22107377.1406902266427.JavaMail.zimbra@redhat.com> Simply updating PL version didn't work as there's API changes. Marek: can you update PL first thing on Monday morning? Bill: we'll need to wait for Marek to update PL if we want AS7 to work with beta-4 ----- Original Message ----- > From: "Stian Thorgersen" > To: "Marek Posolda" > Cc: keycloak-dev at lists.jboss.org > Sent: Friday, 1 August, 2014 9:31:53 AM > Subject: Re: [keycloak-dev] Remaining work for beta-4 > > > > ----- Original Message ----- > > From: "Marek Posolda" > > To: keycloak-dev at lists.jboss.org > > Sent: Thursday, 31 July, 2014 8:16:22 PM > > Subject: Re: [keycloak-dev] Remaining work for beta-4 > > > > On 31.7.2014 15:50, Bill Burke wrote: > > > We MUST release by Wednesday. All commits after Friday need to be done > > > very carefully. This means that you've run a full build and tested the > > > distribution and demos. Aerogear and Stan (among others) need a > > > release... > > > > > > On 7/31/2014 9:24 AM, Stian Thorgersen wrote: > > >> Outstanding work for beta-4: > > >> > > >> * User federation - what's the status? > > > Still working on UI and small issues. Should be done Friday. > > > > > >> * Turn off cookie cache for all http clients (KEYCLOAK-537) - not sure I > > >> understand this issue? isn't sticky sessions something that's configured > > >> by the load balancer? > > > Push this to 1.0.Final release. The Apache HTTP Client instance is > > > shared by the Adapter. Cookie caching is on by default. IIRC, sticky > > > sessions by mod-jk are done via a cookie. Thus accessCodeToToken > > > requests will not be load balanced. > > > > > >> * RealmModel should have a link to realm admin app (KEYCLOAK-486) - I > > >> don't think the admin console should refer to the app by name, instead > > >> it > > >> should either have a link or at least the id of the app associated with > > >> the realm > > > Can be pushed to 1.0.Final release, IMO. > > > > > >> * Issue with deploying on AS7 (KEYCLOAK-572) - should be fixed with new > > >> PL > > >> release, but do we really care about supporting AS7? > > >> > > > Yes we care about AS7. We need a release from Picketlink on Monday so > > > we can test on Tuesday. We will have to make sure that picketlink > > > modules are excluded in jboss-deployment-structure.xml and we include > > > the picketlink modules directly. Patching picketlink modules directly > > > is not an option. > > > > > >> Issues I propose we push to beta-5: > > >> > > > I don't think we'll have a beta-5. Next release will be 1.0.Final, ASAP > > > after beta-4. > > > > > >> * LDAP sync - should this go into beta-5? or even wait until after > > >> final? > > > +1 Marek is close, but should wait until after beta-4 is out. > > +1, Pedro is releasing picketlink today, but I am on PTO tomorrow. I can > > finish sync on Monday though, but looks that it's too late for the > > release... > > We need updated PL for beta-4. I'll ping Pedro and try to upgrade it today. > > > > > > >> * Stress tests (KEYCLOAK-514) - we still haven't tested with a large > > >> amount of users > > I've tested with max 3000 users so far. I think I will need to setup > > jenkins job for add big amount of users into DB and then test them. > > > > Marek > > >> * DB optimizations (KEYCLOAK-515) - maybe push this to after final? > > >> * "Transaction not active" while performing a shutdown (KEYCLOAK-470) - > > >> I > > >> can't replicate this, do we close or just set to no fix version? > > > close. I coudln't replicate either. > > > > > > > > > > > > > _______________________________________________ > > keycloak-dev mailing list > > keycloak-dev at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-dev > > > _______________________________________________ > keycloak-dev mailing list > keycloak-dev at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-dev > From vivsriva at cisco.com Fri Aug 1 14:13:53 2014 From: vivsriva at cisco.com (Vivek Srivastav (vivsriva)) Date: Fri, 1 Aug 2014 18:13:53 +0000 Subject: [keycloak-dev] Postpone TOTP SPI to after 1.0.final Message-ID: A general authentication plugin SPI for clients is what we are interested in. Any pointers on it, viz. which which classes should I look into would greatly help. Kind Regards, Vivek On 7/30/14, 4:53 AM, "Stian Thorgersen" wrote: >A general authentication plugin SPI for clients should be relatively >straightforward, not sure about users though. > >Credentials for users requires changes to the login flow as well as >account management pages, so could be tricky to do it in a generic way. > >Worth a try though! So let's wait until after 1.0.final with the TOTP >work. > >----- Original Message ----- >> From: "Bill Burke" >> To: keycloak-dev at lists.jboss.org >> Sent: Tuesday, 29 July, 2014 10:36:50 PM >> Subject: Re: [keycloak-dev] Postpone TOTP SPI to after 1.0.final >> >> By authentication plugin SPI, I actually mean a credential type plugin >> SPI. Have a user requesting that they be able to plug in their own >> client-cert verification mechanism. >> >> On 7/29/2014 5:33 PM, Bill Burke wrote: >> > Could this TOTP SPI turn into a general authentication plugin SPI? >>Just >> > had an inquiry for that type of SPI. >> > >> > On 7/29/2014 8:51 AM, Stian Thorgersen wrote: >> >> Due to there being quite a lot of work to do the required updates to >> >> properly do a TOTP SPI I propose we post-pone this to 1.1.0. >> >> >> >> The work would include: >> >> >> >> * A TOTP SPI >> >> * Account management needs to support multiple TOTPs >> >> * Select TOTP provider to configure if required to setup TOTP on >>login >> >> * Select TOTP provider to use at login if user has multiple >> >> * Configure what TOTP are permitted for a realm >> >> * Remember TOTP option (don't ask for TOTP in 30 days on this >>machine) >> >> * Email implementation (send a OTP through email) >> >> * SMS implementation (use an example SMS cloud service to send OTP) >>- this >> >> would also require additional fields to registration >> >> * At least one other TOTP implementation (FreeOTP and Yubikey) >> >> * ... >> >> _______________________________________________ >> >> keycloak-dev mailing list >> >> keycloak-dev at lists.jboss.org >> >> https://lists.jboss.org/mailman/listinfo/keycloak-dev >> >> >> > >> >> -- >> Bill Burke >> JBoss, a division of Red Hat >> http://bill.burkecentral.com >> _______________________________________________ >> keycloak-dev mailing list >> keycloak-dev at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-dev >> >_______________________________________________ >keycloak-dev mailing list >keycloak-dev at lists.jboss.org >https://lists.jboss.org/mailman/listinfo/keycloak-dev From bburke at redhat.com Fri Aug 1 14:32:10 2014 From: bburke at redhat.com (Bill Burke) Date: Fri, 01 Aug 2014 14:32:10 -0400 Subject: [keycloak-dev] Postpone TOTP SPI to after 1.0.final In-Reply-To: References: Message-ID: <53DBDD2A.8000103@redhat.com> The backend might be pretty straightforward, but we would require some refactoring of the login page. For example, some credentials (password, totp) are entered in after displaying a login page. Some credentials (client cert and cookie) you never even see the login page. On 8/1/2014 2:13 PM, Vivek Srivastav (vivsriva) wrote: > A general authentication plugin SPI for clients is what we are interested > in. > Any pointers on it, viz. which which classes should I look into would > greatly help. > Kind Regards, > Vivek > > On 7/30/14, 4:53 AM, "Stian Thorgersen" wrote: > >> A general authentication plugin SPI for clients should be relatively >> straightforward, not sure about users though. >> >> Credentials for users requires changes to the login flow as well as >> account management pages, so could be tricky to do it in a generic way. >> >> Worth a try though! So let's wait until after 1.0.final with the TOTP >> work. >> >> ----- Original Message ----- >>> From: "Bill Burke" >>> To: keycloak-dev at lists.jboss.org >>> Sent: Tuesday, 29 July, 2014 10:36:50 PM >>> Subject: Re: [keycloak-dev] Postpone TOTP SPI to after 1.0.final >>> >>> By authentication plugin SPI, I actually mean a credential type plugin >>> SPI. Have a user requesting that they be able to plug in their own >>> client-cert verification mechanism. >>> >>> On 7/29/2014 5:33 PM, Bill Burke wrote: >>>> Could this TOTP SPI turn into a general authentication plugin SPI? >>> Just >>>> had an inquiry for that type of SPI. >>>> >>>> On 7/29/2014 8:51 AM, Stian Thorgersen wrote: >>>>> Due to there being quite a lot of work to do the required updates to >>>>> properly do a TOTP SPI I propose we post-pone this to 1.1.0. >>>>> >>>>> The work would include: >>>>> >>>>> * A TOTP SPI >>>>> * Account management needs to support multiple TOTPs >>>>> * Select TOTP provider to configure if required to setup TOTP on >>> login >>>>> * Select TOTP provider to use at login if user has multiple >>>>> * Configure what TOTP are permitted for a realm >>>>> * Remember TOTP option (don't ask for TOTP in 30 days on this >>> machine) >>>>> * Email implementation (send a OTP through email) >>>>> * SMS implementation (use an example SMS cloud service to send OTP) >>> - this >>>>> would also require additional fields to registration >>>>> * At least one other TOTP implementation (FreeOTP and Yubikey) >>>>> * ... >>>>> _______________________________________________ >>>>> keycloak-dev mailing list >>>>> keycloak-dev at lists.jboss.org >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev >>>>> >>>> >>> >>> -- >>> Bill Burke >>> JBoss, a division of Red Hat >>> http://bill.burkecentral.com >>> _______________________________________________ >>> keycloak-dev mailing list >>> keycloak-dev at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-dev >>> >> _______________________________________________ >> keycloak-dev mailing list >> keycloak-dev at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-dev > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From bburke at redhat.com Fri Aug 1 18:09:03 2014 From: bburke at redhat.com (Bill Burke) Date: Fri, 01 Aug 2014 18:09:03 -0400 Subject: [keycloak-dev] AuthenticationProvider/Link removed Message-ID: <53DC0FFF.60806@redhat.com> Removed everything associated with it and the authentication/ module too. I also removed RealmModel.getLdapConfig() and representation stuff around that. Finally, i had to disable the keycloak-picketlink-realm project as it depended in RealmModel.getLdapConfig(). -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From matzew at apache.org Mon Aug 4 08:43:30 2014 From: matzew at apache.org (Matthias Wessendorf) Date: Mon, 4 Aug 2014 14:43:30 +0200 Subject: [keycloak-dev] Keycloak Admin Console UI - a little guide Message-ID: Hello, as part of the UPS release we are improving our own 'user guide' for the UPS. Current status is visible here: http://staging.aerogear.org/docs/unifiedpush/ups_userguide/ In this guide, there is a section that is called "Administration of the UnifiedPush Server", which should be explaining the Keycloak's Admin Console UI features (see [1]). The doc would contain a bunch of screenshots and little sentences to explain the reason of these different screens, similar to: http://staging.aerogear.org/docs/unifiedpush/ups_userguide/admin-ui/ However, before starting too early on this document, I was wondering about a few things :-) * there is no such 'Console UI guide' from the Keycloak team, atm - right ? If so, that's totally fine and I am happy to create one for UPS. Hopefully some of its conent can be reused by the KC team. Would be cool if we can work on improving that document together * are you guys planning significant changes to the Admin Console UI, after the beta4 has been released? I've seen some PRs around "UI federation" (I am not familiar w/ the details around that), but that seems to be done once we have the beta4 release available. Thanks, Matthias [1] https://issues.jboss.org/browse/AGPUSH-877 -- Matthias Wessendorf blog: http://matthiaswessendorf.wordpress.com/ sessions: http://www.slideshare.net/mwessendorf twitter: http://twitter.com/mwessendorf -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-dev/attachments/20140804/d57264b8/attachment-0001.html From bburke at redhat.com Mon Aug 4 10:44:12 2014 From: bburke at redhat.com (Bill Burke) Date: Mon, 04 Aug 2014 10:44:12 -0400 Subject: [keycloak-dev] coverage Message-ID: <53DF9C3C.3020806@redhat.com> FYI our automated test coverage according to Intellij is +/- 50%. Some of this is due to the fact that I didn't run coverage tests with all of our backends. Class, % Method, % Line, % 58.6% (403/ 688) 51.2% (3024/ 5908) 48.6% (10408/ 21422) -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From bburke at redhat.com Mon Aug 4 10:48:56 2014 From: bburke at redhat.com (Bill Burke) Date: Mon, 04 Aug 2014 10:48:56 -0400 Subject: [keycloak-dev] Keycloak Admin Console UI - a little guide In-Reply-To: References: Message-ID: <53DF9D58.8040204@redhat.com> On 8/4/2014 8:43 AM, Matthias Wessendorf wrote: > Hello, > > as part of the UPS release we are improving our own 'user guide' for the > UPS. Current status is visible here: > http://staging.aerogear.org/docs/unifiedpush/ups_userguide/ > > In this guide, there is a section that is called "Administration of the > UnifiedPush Server", which should be explaining the Keycloak's Admin > Console UI features (see [1]). The doc would contain a bunch of > screenshots and little sentences to explain the reason of these > different screens, similar to: > http://staging.aerogear.org/docs/unifiedpush/ups_userguide/admin-ui/ > > However, before starting too early on this document, I was wondering > about a few things :-) > > * there is no such 'Console UI guide' from the Keycloak team, atm - > right ? If so, that's totally fine and I am happy to create one for UPS. > Hopefully some of its conent can be reused by the KC team. Would be cool > if we can work on improving that document together > Our console guide is pretty much mixed in with our normal docs. We wouldn't have a separate guide I don't think. There's really not much of an API to document and it is all config files, and admin UI. What we need to do is add screen shots and stuff. > * are you guys planning significant changes to the Admin Console UI, > after the beta4 has been released? I've seen some PRs around "UI > federation" (I am not familiar w/ the details around that), but that > seems to be done once we have the beta4 release available. > Federation stuff is already in (last week). Some UI changes that might come in: * Scope pages for application/oauth client will have option to allow any role. * I'm thinking of combining oauth client and application together. need to get feedback from Stian and Marek though before I do this. Other than that, there will only be minor cosmetic changes. Bill -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From bburke at redhat.com Mon Aug 4 12:30:05 2014 From: bburke at redhat.com (Bill Burke) Date: Mon, 04 Aug 2014 12:30:05 -0400 Subject: [keycloak-dev] code freeze at end of day today Message-ID: <53DFB50D.9030002@redhat.com> Only merge of emergency/critical/blocker fixes please! I'm finishing up one last JIRA then I'll start testing for a release tomorrow Tuesday if there are no problems. Bill -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From matzew at apache.org Mon Aug 4 12:31:02 2014 From: matzew at apache.org (Matthias Wessendorf) Date: Mon, 4 Aug 2014 18:31:02 +0200 Subject: [keycloak-dev] Keycloak Admin Console UI - a little guide In-Reply-To: <53DF9D58.8040204@redhat.com> References: <53DF9D58.8040204@redhat.com> Message-ID: On Mon, Aug 4, 2014 at 4:48 PM, Bill Burke wrote: > > > On 8/4/2014 8:43 AM, Matthias Wessendorf wrote: > > Hello, > > > > as part of the UPS release we are improving our own 'user guide' for the > > UPS. Current status is visible here: > > http://staging.aerogear.org/docs/unifiedpush/ups_userguide/ > > > > In this guide, there is a section that is called "Administration of the > > UnifiedPush Server", which should be explaining the Keycloak's Admin > > Console UI features (see [1]). The doc would contain a bunch of > > screenshots and little sentences to explain the reason of these > > different screens, similar to: > > http://staging.aerogear.org/docs/unifiedpush/ups_userguide/admin-ui/ > > > > However, before starting too early on this document, I was wondering > > about a few things :-) > > > > * there is no such 'Console UI guide' from the Keycloak team, atm - > > right ? If so, that's totally fine and I am happy to create one for UPS. > > Hopefully some of its conent can be reused by the KC team. Would be cool > > if we can work on improving that document together > > > > Our console guide is pretty much mixed in with our normal docs. We > wouldn't have a separate guide I don't think. There's really not much > of an API to document and it is all config files, and admin UI. What we > need to do is add screen shots and stuff. > between our own Beta2 and 1.0.0.Final, I will get started on that "screenshot doc" for UPS. Perhaps there is some content in, that could be (easily) reused by the KC team > > > * are you guys planning significant changes to the Admin Console UI, > > after the beta4 has been released? I've seen some PRs around "UI > > federation" (I am not familiar w/ the details around that), but that > > seems to be done once we have the beta4 release available. > > > > Federation stuff is already in (last week). > > Some UI changes that might come in: > > * Scope pages for application/oauth client will have option to allow any > role. > * I'm thinking of combining oauth client and application together. need > to get feedback from Stian and Marek though before I do this. > > Other than that, there will only be minor cosmetic changes. > sounds very good. Thanks! Matthias > > Bill > > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > _______________________________________________ > keycloak-dev mailing list > keycloak-dev at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-dev > -- Matthias Wessendorf blog: http://matthiaswessendorf.wordpress.com/ sessions: http://www.slideshare.net/mwessendorf twitter: http://twitter.com/mwessendorf -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-dev/attachments/20140804/2ae26a00/attachment.html From mposolda at redhat.com Mon Aug 4 16:01:49 2014 From: mposolda at redhat.com (Marek Posolda) Date: Mon, 04 Aug 2014 22:01:49 +0200 Subject: [keycloak-dev] code freeze at end of day today In-Reply-To: <53DFB50D.9030002@redhat.com> References: <53DFB50D.9030002@redhat.com> Message-ID: <53DFE6AD.30809@redhat.com> I've finished testing with AD and added one more commit (support registration of new users into some Active Directory deployments). Tomorrow, I plan to update docs for export/import but no more commits from me (unless I found something critical and I will ping you in that case). btv. some more feedback and questions from LDAP testing: * During import of realm, do we want to add users just to local store or also to federation providers? Example: I've exported users from my realm and some are mapped to LDAP. Now I want to import them into different (clean) database, but during import, they are added into both local database and into LDAP where they already exists -> error. I wonder if we should skip adding users into FederationProviders at all (or at least have it configurable) wdyt? * The small disadvantage of proxy objects are multiple calls to LDAP during single user registration. For example calling to: user.setFirstName(formData.getFirst("firstName")); user.setLastName(formData.getFirst("lastName")); user.setEmail(email); will actually perform 6 network calls to LDAP (each method call to WritableLDAPUserModelDelegate first checks if user exists and then doing full update of user). Do we care about this? LDAP is primarily designed for reading, so maybe writing from Keycloak won't be often anyway? I am not sure... * The semantics of "searchForUser" is a bit different for FederationProviders and our model implementations. For example, if you have user "John Doe" and you search for "ohn Do" in admin console, then both JPA and Mongo local providers will return you "John Doe" as they add % at the beginning/end. However federation providers are looking exactly for FirstName: "ohn" , LastName: "Do", so if "John Doe" exists in LDAP, he won't be returned. Marek On 4.8.2014 18:30, Bill Burke wrote: > Only merge of emergency/critical/blocker fixes please! I'm finishing up > one last JIRA then I'll start testing for a release tomorrow Tuesday if > there are no problems. > > Bill > From bburke at redhat.com Mon Aug 4 16:09:13 2014 From: bburke at redhat.com (Bill Burke) Date: Mon, 04 Aug 2014 16:09:13 -0400 Subject: [keycloak-dev] code freeze at end of day today In-Reply-To: <53DFE6AD.30809@redhat.com> References: <53DFB50D.9030002@redhat.com> <53DFE6AD.30809@redhat.com> Message-ID: <53DFE869.40004@redhat.com> On 8/4/2014 4:01 PM, Marek Posolda wrote: > I've finished testing with AD and added one more commit (support > registration of new users into some Active Directory deployments). > Tomorrow, I plan to update docs for export/import but no more commits > from me (unless I found something critical and I will ping you in that > case). > > btv. some more feedback and questions from LDAP testing: > > * During import of realm, do we want to add users just to local store or > also to federation providers? Example: I've exported users from my realm > and some are mapped to LDAP. Now I want to import them into different > (clean) database, but during import, they are added into both local > database and into LDAP where they already exists -> error. > I wonder if we should skip adding users into FederationProviders at all > (or at least have it configurable) wdyt? > IMO, Users shouldn't be registered with Federation Provider on an import. > > * The small disadvantage of proxy objects are multiple calls to LDAP > during single user registration. For example calling to: > > user.setFirstName(formData.getFirst("firstName")); > user.setLastName(formData.getFirst("lastName")); > user.setEmail(email); > > will actually perform 6 network calls to LDAP (each method call to > WritableLDAPUserModelDelegate first checks if user exists and then doing > full update of user). Do we care about this? LDAP is primarily designed > for reading, so maybe writing from Keycloak won't be often anyway? I am > not sure... > Fix for after beta-4. We can add a addUser(Map attriutes) method? > > * The semantics of "searchForUser" is a bit different for > FederationProviders and our model implementations. For example, if you > have user "John Doe" and you search for "ohn Do" in admin console, then > both JPA and Mongo local providers will return you "John Doe" as they > add % at the beginning/end. However federation providers are looking > exactly for FirstName: "ohn" , LastName: "Do", so if "John Doe" exists > in LDAP, he won't be returned. > Can we do anything about that? Does LDAP have a "like"? -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From mposolda at redhat.com Mon Aug 4 16:11:39 2014 From: mposolda at redhat.com (Marek Posolda) Date: Mon, 04 Aug 2014 22:11:39 +0200 Subject: [keycloak-dev] delete users on federation removal? In-Reply-To: <280783465.22079126.1406900086490.JavaMail.zimbra@redhat.com> References: <53DA4D2B.5090404@redhat.com> <327201677.21432840.1406815786960.JavaMail.zimbra@redhat.com> <53DA936C.6090609@redhat.com> <53DABCA8.7000107@redhat.com> <663479046.21922121.1406881102501.JavaMail.zimbra@redhat.com> <53DB94DB.6010408@redhat.com> <280783465.22079126.1406900086490.JavaMail.zimbra@redhat.com> Message-ID: <53DFE8FB.8020303@redhat.com> Admin user can reset the password of any user without knowing the old password though? It's also possible to reset password directly with model API. So I wonder if we can have configuration option, which will allow to specify what to do when federation provider is removed. The options might be: * Delete all linked users * Reset password of linked users and add required action for change passwords Maybe the most flexible solution is to add method like "onRemove" to UserFederationProvider interface? This will allow implementors to define what exactly to do with linked users (For LDAP I can imagine either delete or reset password according to boolean config option mentioned above) Marek On 1.8.2014 15:34, Stian Thorgersen wrote: > > ----- Original Message ----- >> From: "Bill Burke" >> To: "Stian Thorgersen" >> Cc: keycloak-dev at lists.jboss.org >> Sent: Friday, 1 August, 2014 2:23:39 PM >> Subject: Re: [keycloak-dev] delete users on federation removal? >> >> >> >> On 8/1/2014 4:18 AM, Stian Thorgersen wrote: >>> >>> ----- Original Message ----- >>>> From: "Bill Burke" >>>> To: keycloak-dev at lists.jboss.org >>>> Sent: Thursday, 31 July, 2014 11:01:12 PM >>>> Subject: Re: [keycloak-dev] delete users on federation removal? >>>> >>>> Ya, this is quite hairy. You'll have to set the REQUIRED ACTION to >>>> reset all credentials handled by the federation provider. >>>> >>>> Unfortunately, you can now only set one required action per user :( >>> You can still set multiple. The user has a Set and we even >>> have a test that checks users with multiple actions >>> RequiredActionMultipleActionsTest. >>> >> Ugh, I'm really sorry. I think I remembered you saying you were going >> to switch it to one action, looked at the code quickly and missed the >> Set method on UserModel...I AM LOSING MY MIND!!!! > Honest mistake, I switched the authorization code so it's only valid for one action at a time. So if a user has multiple required actions, the code will be set to the first one, then the user redirect to that action page, then the code will be updated with the new action + timestamp refreshed, redirected to next action page, etc.. Keeping the spirit of code is a one-time-thing alive ;) > >> Still not sure what to do about credentials though. We can't have open >> accounts that can be reset without specifying old password. We could >> send out an email maybe. >> >> Must be deferred to post 1.0.final. > +1 To deferre it > > One related thing I think we'll need is the ability to do batch updates to users. For example an admin may want to: > > * Require a group of users to update their password > * Disable a group of users > * Add a role to a group of users > > Not sure how the admin would specify the group though, maybe by role? > >> >> -- >> Bill Burke >> JBoss, a division of Red Hat >> http://bill.burkecentral.com >> > _______________________________________________ > keycloak-dev mailing list > keycloak-dev at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-dev From bburke at redhat.com Mon Aug 4 16:24:57 2014 From: bburke at redhat.com (Bill Burke) Date: Mon, 04 Aug 2014 16:24:57 -0400 Subject: [keycloak-dev] full scope allowed Message-ID: <53DFEC19.7000704@redhat.com> Applications, by default, have a full scope of all realm and all applications' roles. This is a flag stored in "fullScopeAllowed" in the Client model. It is a switch called "Full Scope Allowed". I don't know if there is a better name for it or not. -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From mposolda at redhat.com Tue Aug 5 07:04:45 2014 From: mposolda at redhat.com (Marek Posolda) Date: Tue, 05 Aug 2014 13:04:45 +0200 Subject: [keycloak-dev] code freeze at end of day today In-Reply-To: <53DFE869.40004@redhat.com> References: <53DFB50D.9030002@redhat.com> <53DFE6AD.30809@redhat.com> <53DFE869.40004@redhat.com> Message-ID: <53E0BA4D.9050408@redhat.com> On 4.8.2014 22:09, Bill Burke wrote: > > On 8/4/2014 4:01 PM, Marek Posolda wrote: >> I've finished testing with AD and added one more commit (support >> registration of new users into some Active Directory deployments). >> Tomorrow, I plan to update docs for export/import but no more commits >> from me (unless I found something critical and I will ping you in that >> case). >> >> btv. some more feedback and questions from LDAP testing: >> >> * During import of realm, do we want to add users just to local store or >> also to federation providers? Example: I've exported users from my realm >> and some are mapped to LDAP. Now I want to import them into different >> (clean) database, but during import, they are added into both local >> database and into LDAP where they already exists -> error. >> I wonder if we should skip adding users into FederationProviders at all >> (or at least have it configurable) wdyt? >> > IMO, Users shouldn't be registered with Federation Provider on an import. great, created KEYCLOAK-600 . I have a fix already, but will push after beta-4. > >> * The small disadvantage of proxy objects are multiple calls to LDAP >> during single user registration. For example calling to: >> >> user.setFirstName(formData.getFirst("firstName")); >> user.setLastName(formData.getFirst("lastName")); >> user.setEmail(email); >> >> will actually perform 6 network calls to LDAP (each method call to >> WritableLDAPUserModelDelegate first checks if user exists and then doing >> full update of user). Do we care about this? LDAP is primarily designed >> for reading, so maybe writing from Keycloak won't be often anyway? I am >> not sure... >> > Fix for after beta-4. We can add a addUser(Map > attriutes) method? +1, I've created https://issues.jboss.org/browse/KEYCLOAK-601 . Hopefully it will help to reduce also number of SQL calls during user registration. Because actually call to UserProvider.addUser(RealmModel realm, String username) will insert user, but then there are additional update call for setFirstName,setLastName, setEmail etc. Hopefully this can be improved as well. > > > >> * The semantics of "searchForUser" is a bit different for >> FederationProviders and our model implementations. For example, if you >> have user "John Doe" and you search for "ohn Do" in admin console, then >> both JPA and Mongo local providers will return you "John Doe" as they >> add % at the beginning/end. However federation providers are looking >> exactly for FirstName: "ohn" , LastName: "Do", so if "John Doe" exists >> in LDAP, he won't be returned. >> > Can we do anything about that? Does LDAP have a "like"? yes, LDAP has * . Workaround, which works for me is to put directly search string like: *ohn Do* into admin console, but this is not pretty and is LDAP specific though. Marek From mposolda at redhat.com Tue Aug 5 07:33:29 2014 From: mposolda at redhat.com (Marek Posolda) Date: Tue, 05 Aug 2014 13:33:29 +0200 Subject: [keycloak-dev] code freeze at end of day today In-Reply-To: <53E0BA4D.9050408@redhat.com> References: <53DFB50D.9030002@redhat.com> <53DFE6AD.30809@redhat.com> <53DFE869.40004@redhat.com> <53E0BA4D.9050408@redhat.com> Message-ID: <53E0C109.7020700@redhat.com> On 5.8.2014 13:04, Marek Posolda wrote: >>> * The semantics of "searchForUser" is a bit different for >>> >>FederationProviders and our model implementations. For example, if you >>> >>have user "John Doe" and you search for "ohn Do" in admin console, then >>> >>both JPA and Mongo local providers will return you "John Doe" as they >>> >>add % at the beginning/end. However federation providers are looking >>> >>exactly for FirstName: "ohn" , LastName: "Do", so if "John Doe" exists >>> >>in LDAP, he won't be returned. >>> >> >> >Can we do anything about that? Does LDAP have a "like"? > yes, LDAP has * . Workaround, which works for me is to put directly > search string like:*ohn Do* into admin console, but this is not pretty > and is LDAP specific though. btv. Found a typo when test ldap searching. Not sure if it's ok to commit at this stage, so just send PR for that https://github.com/keycloak/keycloak/pull/590 . Marek -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-dev/attachments/20140805/965c762d/attachment.html From matzew at apache.org Tue Aug 5 07:57:10 2014 From: matzew at apache.org (Matthias Wessendorf) Date: Tue, 5 Aug 2014 13:57:10 +0200 Subject: [keycloak-dev] code freeze at end of day today In-Reply-To: <53DFB50D.9030002@redhat.com> References: <53DFB50D.9030002@redhat.com> Message-ID: Hello, I found a little bug when deploying to EAP 6.3.Beta and MySQL: https://issues.jboss.org/browse/KEYCLOAK-602 This works fine with MySQL and JBossAS 7.1.1 I have also tested Postgres, and EAP 6.3.Beta - this works fine as well -Matthias On Mon, Aug 4, 2014 at 6:30 PM, Bill Burke wrote: > Only merge of emergency/critical/blocker fixes please! I'm finishing up > one last JIRA then I'll start testing for a release tomorrow Tuesday if > there are no problems. > > Bill > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > _______________________________________________ > keycloak-dev mailing list > keycloak-dev at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-dev > -- Matthias Wessendorf blog: http://matthiaswessendorf.wordpress.com/ sessions: http://www.slideshare.net/mwessendorf twitter: http://twitter.com/mwessendorf -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-dev/attachments/20140805/0f593aef/attachment.html From mposolda at redhat.com Tue Aug 5 08:43:03 2014 From: mposolda at redhat.com (Marek Posolda) Date: Tue, 05 Aug 2014 14:43:03 +0200 Subject: [keycloak-dev] code freeze at end of day today In-Reply-To: <53E0C109.7020700@redhat.com> References: <53DFB50D.9030002@redhat.com> <53DFE6AD.30809@redhat.com> <53DFE869.40004@redhat.com> <53E0BA4D.9050408@redhat.com> <53E0C109.7020700@redhat.com> Message-ID: <53E0D157.50209@redhat.com> Added another commit for deleting of users on mongo . Both are one liners and I hope they are quite safe to be included though. Marek On 5.8.2014 13:33, Marek Posolda wrote: > On 5.8.2014 13:04, Marek Posolda wrote: >>>> * The semantics of "searchForUser" is a bit different for >>>> >>FederationProviders and our model implementations. For example, if you >>>> >>have user "John Doe" and you search for "ohn Do" in admin console, then >>>> >>both JPA and Mongo local providers will return you "John Doe" as they >>>> >>add % at the beginning/end. However federation providers are looking >>>> >>exactly for FirstName: "ohn" , LastName: "Do", so if "John Doe" exists >>>> >>in LDAP, he won't be returned. >>>> >> >>> >Can we do anything about that? Does LDAP have a "like"? >> yes, LDAP has * . Workaround, which works for me is to put directly >> search string like:*ohn Do* into admin console, but this is not pretty >> and is LDAP specific though. > btv. Found a typo when test ldap searching. Not sure if it's ok to > commit at this stage, so just send PR for that > https://github.com/keycloak/keycloak/pull/590 . > > Marek > > > _______________________________________________ > keycloak-dev mailing list > keycloak-dev at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-dev -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-dev/attachments/20140805/48728859/attachment.html From bburke at redhat.com Tue Aug 5 09:02:52 2014 From: bburke at redhat.com (Bill Burke) Date: Tue, 05 Aug 2014 09:02:52 -0400 Subject: [keycloak-dev] code freeze at end of day today In-Reply-To: <53E0D157.50209@redhat.com> References: <53DFB50D.9030002@redhat.com> <53DFE6AD.30809@redhat.com> <53DFE869.40004@redhat.com> <53E0BA4D.9050408@redhat.com> <53E0C109.7020700@redhat.com> <53E0D157.50209@redhat.com> Message-ID: <53E0D5FC.9030302@redhat.com> YOu find bugs, typos, etc. Fix them, you have until lunch my time (eastern USA). On 8/5/2014 8:43 AM, Marek Posolda wrote: > Added another commit for deleting of users on mongo . Both are one > liners and I hope they are quite safe to be included though. > > Marek > > On 5.8.2014 13:33, Marek Posolda wrote: >> On 5.8.2014 13:04, Marek Posolda wrote: >>>>> * The semantics of "searchForUser" is a bit different for >>>>> >>FederationProviders and our model implementations. For example, if you >>>>> >>have user "John Doe" and you search for "ohn Do" in admin console, then >>>>> >>both JPA and Mongo local providers will return you "John Doe" as they >>>>> >>add % at the beginning/end. However federation providers are looking >>>>> >>exactly for FirstName: "ohn" , LastName: "Do", so if "John Doe" exists >>>>> >>in LDAP, he won't be returned. >>>>> >> >>>> >Can we do anything about that? Does LDAP have a "like"? >>> yes, LDAP has * . Workaround, which works for me is to put directly >>> search string like:*ohn Do* into admin console, but this is not pretty >>> and is LDAP specific though. >> btv. Found a typo when test ldap searching. Not sure if it's ok to >> commit at this stage, so just send PR for that >> https://github.com/keycloak/keycloak/pull/590 . >> >> Marek >> >> >> _______________________________________________ >> keycloak-dev mailing list >> keycloak-dev at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-dev > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From mposolda at redhat.com Tue Aug 5 09:09:30 2014 From: mposolda at redhat.com (Marek Posolda) Date: Tue, 05 Aug 2014 15:09:30 +0200 Subject: [keycloak-dev] code freeze at end of day today In-Reply-To: <53E0D5FC.9030302@redhat.com> References: <53DFB50D.9030002@redhat.com> <53DFE6AD.30809@redhat.com> <53DFE869.40004@redhat.com> <53E0BA4D.9050408@redhat.com> <53E0C109.7020700@redhat.com> <53E0D157.50209@redhat.com> <53E0D5FC.9030302@redhat.com> Message-ID: <53E0D78A.5070702@redhat.com> ok, merged. Found that oracle and mssql are broken, so looking at those now:-( I seem to have fix for oracle already, need to test a bit more and then look at mssql... On 5.8.2014 15:02, Bill Burke wrote: > YOu find bugs, typos, etc. Fix them, you have until lunch my time > (eastern USA). > > On 8/5/2014 8:43 AM, Marek Posolda wrote: >> Added another commit for deleting of users on mongo . Both are one >> liners and I hope they are quite safe to be included though. >> >> Marek >> >> On 5.8.2014 13:33, Marek Posolda wrote: >>> On 5.8.2014 13:04, Marek Posolda wrote: >>>>>> * The semantics of "searchForUser" is a bit different for >>>>>> >>FederationProviders and our model implementations. For example, >>>>>> if you >>>>>> >>have user "John Doe" and you search for "ohn Do" in admin >>>>>> console, then >>>>>> >>both JPA and Mongo local providers will return you "John Doe" >>>>>> as they >>>>>> >>add % at the beginning/end. However federation providers are >>>>>> looking >>>>>> >>exactly for FirstName: "ohn" , LastName: "Do", so if "John Doe" >>>>>> exists >>>>>> >>in LDAP, he won't be returned. >>>>>> >> >>>>> >Can we do anything about that? Does LDAP have a "like"? >>>> yes, LDAP has * . Workaround, which works for me is to put directly >>>> search string like:*ohn Do* into admin console, but this is not >>>> pretty >>>> and is LDAP specific though. >>> btv. Found a typo when test ldap searching. Not sure if it's ok to >>> commit at this stage, so just send PR for that >>> https://github.com/keycloak/keycloak/pull/590 . >>> >>> Marek >>> >>> >>> _______________________________________________ >>> keycloak-dev mailing list >>> keycloak-dev at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-dev >> > From bburke at redhat.com Tue Aug 5 10:09:33 2014 From: bburke at redhat.com (Bill Burke) Date: Tue, 05 Aug 2014 10:09:33 -0400 Subject: [keycloak-dev] code freeze at end of day today In-Reply-To: <53E0D78A.5070702@redhat.com> References: <53DFB50D.9030002@redhat.com> <53DFE6AD.30809@redhat.com> <53DFE869.40004@redhat.com> <53E0BA4D.9050408@redhat.com> <53E0C109.7020700@redhat.com> <53E0D157.50209@redhat.com> <53E0D5FC.9030302@redhat.com> <53E0D78A.5070702@redhat.com> Message-ID: <53E0E59D.7090705@redhat.com> Thank god or you...I absolutely hate doing testing on different databases (and LDAP servers for that matter). Do you have an easy way to set up testing environments for these different dbs? On 8/5/2014 9:09 AM, Marek Posolda wrote: > ok, merged. Found that oracle and mssql are broken, so looking at those > now:-( > > I seem to have fix for oracle already, need to test a bit more and then > look at mssql... > > On 5.8.2014 15:02, Bill Burke wrote: >> YOu find bugs, typos, etc. Fix them, you have until lunch my time >> (eastern USA). >> >> On 8/5/2014 8:43 AM, Marek Posolda wrote: >>> Added another commit for deleting of users on mongo . Both are one >>> liners and I hope they are quite safe to be included though. >>> >>> Marek >>> >>> On 5.8.2014 13:33, Marek Posolda wrote: >>>> On 5.8.2014 13:04, Marek Posolda wrote: >>>>>>> * The semantics of "searchForUser" is a bit different for >>>>>>> >>FederationProviders and our model implementations. For example, >>>>>>> if you >>>>>>> >>have user "John Doe" and you search for "ohn Do" in admin >>>>>>> console, then >>>>>>> >>both JPA and Mongo local providers will return you "John Doe" >>>>>>> as they >>>>>>> >>add % at the beginning/end. However federation providers are >>>>>>> looking >>>>>>> >>exactly for FirstName: "ohn" , LastName: "Do", so if "John Doe" >>>>>>> exists >>>>>>> >>in LDAP, he won't be returned. >>>>>>> >> >>>>>> >Can we do anything about that? Does LDAP have a "like"? >>>>> yes, LDAP has * . Workaround, which works for me is to put directly >>>>> search string like:*ohn Do* into admin console, but this is not >>>>> pretty >>>>> and is LDAP specific though. >>>> btv. Found a typo when test ldap searching. Not sure if it's ok to >>>> commit at this stage, so just send PR for that >>>> https://github.com/keycloak/keycloak/pull/590 . >>>> >>>> Marek >>>> >>>> >>>> _______________________________________________ >>>> keycloak-dev mailing list >>>> keycloak-dev at lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev >>> >> > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From mposolda at redhat.com Tue Aug 5 12:33:34 2014 From: mposolda at redhat.com (Marek Posolda) Date: Tue, 05 Aug 2014 18:33:34 +0200 Subject: [keycloak-dev] code freeze at end of day today In-Reply-To: <53E0E59D.7090705@redhat.com> References: <53DFB50D.9030002@redhat.com> <53DFE6AD.30809@redhat.com> <53DFE869.40004@redhat.com> <53E0BA4D.9050408@redhat.com> <53E0C109.7020700@redhat.com> <53E0D157.50209@redhat.com> <53E0D5FC.9030302@redhat.com> <53E0D78A.5070702@redhat.com> <53E0E59D.7090705@redhat.com> Message-ID: <53E1075E.7000101@redhat.com> So finally I seems to have a fix for MSSSQL and commited it. It complained about Integer.MAX_VALUE in the query limit:-) Oracle is fixed as well, it complained again about too long identifier (there is limit for tableName, columnName and indexName to be max 30 characters). I am also not enjoying testing with databases much. I am using jenkins QA lab to access various databases and LDAP servers and I am able to debug it locally with being connected to remote DB in QA lab, but connection is quite slow and running single unit test took couple of minutes. So it's a bit painfull... For LDAP, I would need to update the automated tests for changes related to FederationProvider vs. AuthenticationProviders and also fix some stuff to setup automated test for Active Directory, which doesn't work correctly ATM, so I am testing it manually. I've tried to reproduce issue KEYCLOAK-602 reported by aerogear guys, but wasn't successful. For me Keycloak WAR distribution deployed on EAP 6.3.0.Beta worked with MySQL 5.5. I will try to update docs later in the evening (won't do more commits to sources). Besides that there are some portal blockers, I am supposed to look at, so not sure how I would be able to help you more with release testing tomorrow:-( Marek On 5.8.2014 16:09, Bill Burke wrote: > Thank god or you...I absolutely hate doing testing on different > databases (and LDAP servers for that matter). Do you have an easy way > to set up testing environments for these different dbs? > > On 8/5/2014 9:09 AM, Marek Posolda wrote: >> ok, merged. Found that oracle and mssql are broken, so looking at those >> now:-( >> >> I seem to have fix for oracle already, need to test a bit more and then >> look at mssql... >> >> On 5.8.2014 15:02, Bill Burke wrote: >>> YOu find bugs, typos, etc. Fix them, you have until lunch my time >>> (eastern USA). >>> >>> On 8/5/2014 8:43 AM, Marek Posolda wrote: >>>> Added another commit for deleting of users on mongo . Both are one >>>> liners and I hope they are quite safe to be included though. >>>> >>>> Marek >>>> >>>> On 5.8.2014 13:33, Marek Posolda wrote: >>>>> On 5.8.2014 13:04, Marek Posolda wrote: >>>>>>>> * The semantics of "searchForUser" is a bit different for >>>>>>>> >>FederationProviders and our model implementations. For example, >>>>>>>> if you >>>>>>>> >>have user "John Doe" and you search for "ohn Do" in admin >>>>>>>> console, then >>>>>>>> >>both JPA and Mongo local providers will return you "John Doe" >>>>>>>> as they >>>>>>>> >>add % at the beginning/end. However federation providers are >>>>>>>> looking >>>>>>>> >>exactly for FirstName: "ohn" , LastName: "Do", so if "John Doe" >>>>>>>> exists >>>>>>>> >>in LDAP, he won't be returned. >>>>>>>> >> >>>>>>> >Can we do anything about that? Does LDAP have a "like"? >>>>>> yes, LDAP has * . Workaround, which works for me is to put directly >>>>>> search string like:*ohn Do* into admin console, but this is not >>>>>> pretty package org.keycloak.models; >>>>>> >>>>>> and is LDAP specific though. >>>>> btv. Found a typo when test ldap searching. Not sure if it's ok to >>>>> commit at this stage, so just send PR for that >>>>> https://github.com/keycloak/keycloak/pull/590 . >>>>> >>>>> Marek >>>>> >>>>> >>>>> _______________________________________________ >>>>> keycloak-dev mailing list >>>>> keycloak-dev at lists.jboss.org >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev >>>> >>> >> > From bburke at redhat.com Tue Aug 5 12:42:39 2014 From: bburke at redhat.com (Bill Burke) Date: Tue, 05 Aug 2014 12:42:39 -0400 Subject: [keycloak-dev] code freeze at end of day today In-Reply-To: <53E1075E.7000101@redhat.com> References: <53DFB50D.9030002@redhat.com> <53DFE6AD.30809@redhat.com> <53DFE869.40004@redhat.com> <53E0BA4D.9050408@redhat.com> <53E0C109.7020700@redhat.com> <53E0D157.50209@redhat.com> <53E0D5FC.9030302@redhat.com> <53E0D78A.5070702@redhat.com> <53E0E59D.7090705@redhat.com> <53E1075E.7000101@redhat.com> Message-ID: <53E1097F.2040007@redhat.com> On 8/5/2014 12:33 PM, Marek Posolda wrote: > So finally I seems to have a fix for MSSSQL and commited it. It > complained about Integer.MAX_VALUE in the query limit:-) > > Oracle is fixed as well, it complained again about too long identifier > (there is limit for tableName, columnName and indexName to be max 30 > characters). > > I am also not enjoying testing with databases much. I am using jenkins > QA lab to access various databases and LDAP servers and I am able to > debug it locally with being connected to remote DB in QA lab, but > connection is quite slow and running single unit test took couple of > minutes. So it's a bit painfull... > > For LDAP, I would need to update the automated tests for changes related > to FederationProvider vs. AuthenticationProviders and also fix some > stuff to setup automated test for Active Directory, which doesn't work > correctly ATM, so I am testing it manually. > > I've tried to reproduce issue KEYCLOAK-602 reported by aerogear guys, > but wasn't successful. For me Keycloak WAR distribution deployed on EAP > 6.3.0.Beta worked with MySQL 5.5. > > I will try to update docs later in the evening (won't do more commits to > sources). Besides that there are some portal blockers, I am supposed to > look at, so not sure how I would be able to help you more with release > testing tomorrow:-( I'll be releasing tonight. -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From mposolda at redhat.com Tue Aug 5 12:49:13 2014 From: mposolda at redhat.com (Marek Posolda) Date: Tue, 05 Aug 2014 18:49:13 +0200 Subject: [keycloak-dev] code freeze at end of day today In-Reply-To: <53E1097F.2040007@redhat.com> References: <53DFB50D.9030002@redhat.com> <53DFE6AD.30809@redhat.com> <53DFE869.40004@redhat.com> <53E0BA4D.9050408@redhat.com> <53E0C109.7020700@redhat.com> <53E0D157.50209@redhat.com> <53E0D5FC.9030302@redhat.com> <53E0D78A.5070702@redhat.com> <53E0E59D.7090705@redhat.com> <53E1075E.7000101@redhat.com> <53E1097F.2040007@redhat.com> Message-ID: <53E10B09.1050900@redhat.com> Ok, will update docs asap. On 5.8.2014 18:42, Bill Burke wrote: > I'll be releasing tonight. From mposolda at redhat.com Tue Aug 5 14:32:12 2014 From: mposolda at redhat.com (Marek Posolda) Date: Tue, 05 Aug 2014 20:32:12 +0200 Subject: [keycloak-dev] code freeze at end of day today In-Reply-To: <53E10B09.1050900@redhat.com> References: <53DFB50D.9030002@redhat.com> <53DFE6AD.30809@redhat.com> <53DFE869.40004@redhat.com> <53E0BA4D.9050408@redhat.com> <53E0C109.7020700@redhat.com> <53E0D157.50209@redhat.com> <53E0D5FC.9030302@redhat.com> <53E0D78A.5070702@redhat.com> <53E0E59D.7090705@redhat.com> <53E1075E.7000101@redhat.com> <53E1097F.2040007@redhat.com> <53E10B09.1050900@redhat.com> Message-ID: <53E1232C.6000000@redhat.com> Docs updated, that's finally all from me. Marek On 5.8.2014 18:49, Marek Posolda wrote: > Ok, will update docs asap. > > On 5.8.2014 18:42, Bill Burke wrote: >> I'll be releasing tonight. > _______________________________________________ > keycloak-dev mailing list > keycloak-dev at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-dev From bburke at redhat.com Tue Aug 5 23:02:28 2014 From: bburke at redhat.com (Bill Burke) Date: Tue, 05 Aug 2014 23:02:28 -0400 Subject: [keycloak-dev] Beta 4 released Message-ID: <53E19AC4.7040602@redhat.com> Hope everything is good with it. Let me know if you find any show stoppers. http://bill.burkecentral.com/2014/08/06/keycloak-beta-4-released/ -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From matzew at apache.org Wed Aug 6 00:25:52 2014 From: matzew at apache.org (Matthias Wessendorf) Date: Wed, 6 Aug 2014 06:25:52 +0200 Subject: [keycloak-dev] Beta 4 released In-Reply-To: <53E19AC4.7040602@redhat.com> References: <53E19AC4.7040602@redhat.com> Message-ID: Awesome! Congrats on the release! On Wednesday, August 6, 2014, Bill Burke wrote: > Hope everything is good with it. Let me know if you find any show > stoppers. > > http://bill.burkecentral.com/2014/08/06/keycloak-beta-4-released/ > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > _______________________________________________ > keycloak-dev mailing list > keycloak-dev at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-dev > -- Sent from Gmail Mobile -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-dev/attachments/20140806/ba4d1e51/attachment.html From bruno at abstractj.org Wed Aug 6 07:27:42 2014 From: bruno at abstractj.org (Bruno Oliveira) Date: Wed, 6 Aug 2014 08:27:42 -0300 Subject: [keycloak-dev] Beta 4 released In-Reply-To: <53E19AC4.7040602@redhat.com> References: <53E19AC4.7040602@redhat.com> Message-ID: <20140806112742.GA77340@abstractj.org> Good morning Bill, I would like to thank you, Stian and Marek for all the hard and outstanding work. I've already sent a pull request to our Push server. On 2014-08-05, Bill Burke wrote: > Hope everything is good with it. Let me know if you find any show stoppers. > > http://bill.burkecentral.com/2014/08/06/keycloak-beta-4-released/ > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > _______________________________________________ > keycloak-dev mailing list > keycloak-dev at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-dev -- abstractj PGP: 0x84DC9914 From matzew at apache.org Sun Aug 10 08:11:53 2014 From: matzew at apache.org (Matthias Wessendorf) Date: Sun, 10 Aug 2014 14:11:53 +0200 Subject: [keycloak-dev] Keycloak Admin Console guide (for UPS) Message-ID: Hello, for the UPS guide, I added a little section that walks the UPS user through the UI of the "Keycloak Admin Console" (focused on AeroGear's need (E.g. no talk on social login or Federation). It would be nice if you could take a look on the PR: https://github.com/aerogear/aerogear.org/pull/349 The document, can be read here as well: https://github.com/matzew/aerogear.org/blob/KC_Admin_Console/docs/unifiedpush/ups_userguide/server-administration.asciidoc Thanks! Greetings, Matthias -- Matthias Wessendorf blog: http://matthiaswessendorf.wordpress.com/ sessions: http://www.slideshare.net/mwessendorf twitter: http://twitter.com/mwessendorf -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-dev/attachments/20140810/9d457b51/attachment-0001.html From bburke at redhat.com Sun Aug 10 10:47:24 2014 From: bburke at redhat.com (Bill Burke) Date: Sun, 10 Aug 2014 10:47:24 -0400 Subject: [keycloak-dev] logout behavior changed Message-ID: <53E785FC.9080601@redhat.com> I changed how logout works. It bothered me that there was no authentication and that anybody could just push any guessed session_id to /logout. So, it is now split up into to forms of Logout: * GET /realms/{realm}/tokens/logout?redirect_uri={} I removed the session_state parameter. This is a browser-based logout and requires the user to be logged in. I still need to verify that the redirect_uri is a valid URI. * POST /realms/{realm}/tokens/logout Same form parameters and authentication required as a refresh token request. A valid refresh token is required to be able to logout the session. -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From bburke at redhat.com Sun Aug 10 11:38:00 2014 From: bburke at redhat.com (Bill Burke) Date: Sun, 10 Aug 2014 11:38:00 -0400 Subject: [keycloak-dev] Keycloak Admin Console guide (for UPS) In-Reply-To: References: Message-ID: <53E791D8.5080500@redhat.com> Looks nice. I need to do something similar. On 8/10/2014 8:11 AM, Matthias Wessendorf wrote: > Hello, > > for the UPS guide, I added a little section that walks the UPS user > through the UI of the "Keycloak Admin Console" (focused on AeroGear's > need (E.g. no talk on social login or Federation). > > It would be nice if you could take a look on the PR: > https://github.com/aerogear/aerogear.org/pull/349 > > The document, can be read here as well: > https://github.com/matzew/aerogear.org/blob/KC_Admin_Console/docs/unifiedpush/ups_userguide/server-administration.asciidoc > > Thanks! > > Greetings, > Matthias > > -- > Matthias Wessendorf > > blog: http://matthiaswessendorf.wordpress.com/ > sessions: http://www.slideshare.net/mwessendorf > twitter: http://twitter.com/mwessendorf > > > _______________________________________________ > keycloak-dev mailing list > keycloak-dev at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-dev > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From mposolda at redhat.com Sun Aug 10 18:09:28 2014 From: mposolda at redhat.com (Marek Posolda) Date: Mon, 11 Aug 2014 00:09:28 +0200 Subject: [keycloak-dev] Sync commited Message-ID: <53E7ED98.3000901@redhat.com> Hi, I've pushed support for bulk sync of users from external store (like LDAP) to local store. Some summary of changes: - Added 2 new methods to UserFederationProviderFactory. Method syncAllUsers (For sync all users from external store to local store) and syncChangedUsers (sync just users, which were changed. Needs that external store has support for changelogs) - Implementation for LDAP which allows both "full" and "changed" sync. It's possible to track users, which were created or updated on LDAP server since some specified time. Unfortunately not easily possible to track removed LDAP users - Support for periodic sync. You can specify period for each FederationProvider how often it should do syncAllUsers and how often syncChangedUsers. It's possible to specify different period for each UserFederationProviderModel so for example realm1 can sync from Active Directory once per day where realm2 can sync from OpenDS LDAP just one per week etc. Also if you update or delete UserFederationProviderModel, sync task will be updated/cancelled as well (I've added to BasicTimer support for cancelling of previously scheduled tasks) Remaining work: * Support in admin console. I plan to add buttons, which will allow admin to trigger either syncAllUsers or syncChangedUsers from admin console. Also new options to specify periods for fullSync and "changedSync" . For LDAP, I will need to add option for batch size (Number of LDAP users to be downloaded per each batch (page). Each batch is processed in separate transaction) . * For now, I've added just sync from external store to Keycloak. Do we need 2 ways sync? For example if people have WRITABLE mode for their Federation Provider, then changes to particular user done by Keycloak are immediatelly written to 3rd party store anyway? * As I mentioned the syncChangedUsers for LDAP is able to track created and updated LDAP users but not removed. I wonder if it's good idea that during full sync, Keycloak will check if all local users with LDAP links are still valid and delete those, which are not? Or is it ok to just rely on FederationProvider to handle this? * Sync/Federation of roles? Right now both FederationProvider and Sync is doing just syncing of users, but not roles or role mappings. I wonder that maybe people probably also want to sync their LDAP roles into Keycloak and also role mappings too. This might be quite tricky though as Federation just deals with UserProvider, but syncing roles from LDAP will require some updates to RealmProvider too. Probably not doable for 1.0.Final though... Marek From mposolda at redhat.com Sun Aug 10 18:14:51 2014 From: mposolda at redhat.com (Marek Posolda) Date: Mon, 11 Aug 2014 00:14:51 +0200 Subject: [keycloak-dev] Keycloak Admin Console guide (for UPS) In-Reply-To: <53E791D8.5080500@redhat.com> References: <53E791D8.5080500@redhat.com> Message-ID: <53E7EEDB.2000005@redhat.com> Maybe it's not directly related, but I wonder if we may have support for tooltips/hints in admin console? Basically if someone has displayed some screen in admin console and he put his mouse over label of some option, it will display some tooltip message like "This option is very useful to do blah and you can configure blah with this" etc. This might help that admin console UI will be quite "self documenting" and in some cases, people may not even need to open any other docs to figure what option XY really means. I am not usability expert, maybe it's dumb idea. Just something which came to my mind:-) Marek On 10.8.2014 17:38, Bill Burke wrote: > Looks nice. I need to do something similar. > > On 8/10/2014 8:11 AM, Matthias Wessendorf wrote: >> Hello, >> >> for the UPS guide, I added a little section that walks the UPS user >> through the UI of the "Keycloak Admin Console" (focused on AeroGear's >> need (E.g. no talk on social login or Federation). >> >> It would be nice if you could take a look on the PR: >> https://github.com/aerogear/aerogear.org/pull/349 >> >> The document, can be read here as well: >> https://github.com/matzew/aerogear.org/blob/KC_Admin_Console/docs/unifiedpush/ups_userguide/server-administration.asciidoc >> >> Thanks! >> >> Greetings, >> Matthias >> >> -- >> Matthias Wessendorf >> >> blog: http://matthiaswessendorf.wordpress.com/ >> sessions: http://www.slideshare.net/mwessendorf >> twitter: http://twitter.com/mwessendorf >> >> >> _______________________________________________ >> keycloak-dev mailing list >> keycloak-dev at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-dev >> From stian at redhat.com Mon Aug 11 06:19:22 2014 From: stian at redhat.com (Stian Thorgersen) Date: Mon, 11 Aug 2014 06:19:22 -0400 (EDT) Subject: [keycloak-dev] full scope allowed In-Reply-To: <53DFEC19.7000704@redhat.com> References: <53DFEC19.7000704@redhat.com> Message-ID: <1937778698.27648751.1407752362044.JavaMail.zimbra@redhat.com> Is "Permit All Roles" any better? I'd like us to add a (?) next to all flags, and anything else where it makes sense. When the user clicks on it a small popover would display with a brief description. ----- Original Message ----- > From: "Bill Burke" > To: keycloak-dev at lists.jboss.org > Sent: Monday, 4 August, 2014 9:24:57 PM > Subject: [keycloak-dev] full scope allowed > > Applications, by default, have a full scope of all realm and all > applications' roles. This is a flag stored in "fullScopeAllowed" in the > Client model. > > It is a switch called "Full Scope Allowed". I don't know if there is a > better name for it or not. > > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > _______________________________________________ > keycloak-dev mailing list > keycloak-dev at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-dev > From stian at redhat.com Mon Aug 11 06:21:31 2014 From: stian at redhat.com (Stian Thorgersen) Date: Mon, 11 Aug 2014 06:21:31 -0400 (EDT) Subject: [keycloak-dev] coverage In-Reply-To: <53DF9C3C.3020806@redhat.com> References: <53DF9C3C.3020806@redhat.com> Message-ID: <1890153728.27651905.1407752491344.JavaMail.zimbra@redhat.com> We don't cover to many corner cases, nor do we cover much of malicious behaviour. For example login with realm disabled, user disabled, client disabled, etc..... IMO we need to expand on the testsuite for this things prior to releasing final. ----- Original Message ----- > From: "Bill Burke" > To: keycloak-dev at lists.jboss.org > Sent: Monday, 4 August, 2014 3:44:12 PM > Subject: [keycloak-dev] coverage > > FYI our automated test coverage according to Intellij is +/- 50%. Some > of this is due to the fact that I didn't run coverage tests with all of > our backends. > > > > Class, % Method, % Line, % > 58.6% (403/ 688) 51.2% (3024/ 5908) 48.6% (10408/ 21422) > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > _______________________________________________ > keycloak-dev mailing list > keycloak-dev at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-dev > From stian at redhat.com Mon Aug 11 06:57:29 2014 From: stian at redhat.com (Stian Thorgersen) Date: Mon, 11 Aug 2014 06:57:29 -0400 (EDT) Subject: [keycloak-dev] Keycloak Admin Console UI - a little guide In-Reply-To: <53DF9D58.8040204@redhat.com> References: <53DF9D58.8040204@redhat.com> Message-ID: <963178935.27750138.1407754649605.JavaMail.zimbra@redhat.com> ----- Original Message ----- > From: "Bill Burke" > To: keycloak-dev at lists.jboss.org > Sent: Monday, 4 August, 2014 3:48:56 PM > Subject: Re: [keycloak-dev] Keycloak Admin Console UI - a little guide > > > > On 8/4/2014 8:43 AM, Matthias Wessendorf wrote: > > Hello, > > > > as part of the UPS release we are improving our own 'user guide' for the > > UPS. Current status is visible here: > > http://staging.aerogear.org/docs/unifiedpush/ups_userguide/ > > > > In this guide, there is a section that is called "Administration of the > > UnifiedPush Server", which should be explaining the Keycloak's Admin > > Console UI features (see [1]). The doc would contain a bunch of > > screenshots and little sentences to explain the reason of these > > different screens, similar to: > > http://staging.aerogear.org/docs/unifiedpush/ups_userguide/admin-ui/ > > > > However, before starting too early on this document, I was wondering > > about a few things :-) > > > > * there is no such 'Console UI guide' from the Keycloak team, atm - > > right ? If so, that's totally fine and I am happy to create one for UPS. > > Hopefully some of its conent can be reused by the KC team. Would be cool > > if we can work on improving that document together > > > > Our console guide is pretty much mixed in with our normal docs. We > wouldn't have a separate guide I don't think. There's really not much > of an API to document and it is all config files, and admin UI. What we > need to do is add screen shots and stuff. > > > * are you guys planning significant changes to the Admin Console UI, > > after the beta4 has been released? I've seen some PRs around "UI > > federation" (I am not familiar w/ the details around that), but that > > seems to be done once we have the beta4 release available. > > > > Federation stuff is already in (last week). > > Some UI changes that might come in: > > * Scope pages for application/oauth client will have option to allow any > role. > * I'm thinking of combining oauth client and application together. need > to get feedback from Stian and Marek though before I do this. +1 To combining these - I'd even say we should combine these in the model as well. > > Other than that, there will only be minor cosmetic changes. > > Bill > > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > _______________________________________________ > keycloak-dev mailing list > keycloak-dev at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-dev > From mposolda at redhat.com Mon Aug 11 08:00:50 2014 From: mposolda at redhat.com (Marek Posolda) Date: Mon, 11 Aug 2014 14:00:50 +0200 Subject: [keycloak-dev] full scope allowed In-Reply-To: <1937778698.27648751.1407752362044.JavaMail.zimbra@redhat.com> References: <53DFEC19.7000704@redhat.com> <1937778698.27648751.1407752362044.JavaMail.zimbra@redhat.com> Message-ID: <53E8B072.7010908@redhat.com> +1, it seems to be better regarding usability then tooltips on labels I've proposed in different mail. Marek On 11.8.2014 12:19, Stian Thorgersen wrote: > I'd like us to add a (?) next to all flags, and anything else where it makes sense. When the user clicks on it a small popover would display with a brief description. From mposolda at redhat.com Mon Aug 11 08:02:48 2014 From: mposolda at redhat.com (Marek Posolda) Date: Mon, 11 Aug 2014 14:02:48 +0200 Subject: [keycloak-dev] Keycloak Admin Console UI - a little guide In-Reply-To: <963178935.27750138.1407754649605.JavaMail.zimbra@redhat.com> References: <53DF9D58.8040204@redhat.com> <963178935.27750138.1407754649605.JavaMail.zimbra@redhat.com> Message-ID: <53E8B0E8.2060407@redhat.com> On 11.8.2014 12:57, Stian Thorgersen wrote: > > ----- Original Message ----- >> From: "Bill Burke" >> To: keycloak-dev at lists.jboss.org >> Sent: Monday, 4 August, 2014 3:48:56 PM >> Subject: Re: [keycloak-dev] Keycloak Admin Console UI - a little guide >> >> >> >> On 8/4/2014 8:43 AM, Matthias Wessendorf wrote: >>> Hello, >>> >>> as part of the UPS release we are improving our own 'user guide' for the >>> UPS. Current status is visible here: >>> http://staging.aerogear.org/docs/unifiedpush/ups_userguide/ >>> >>> In this guide, there is a section that is called "Administration of the >>> UnifiedPush Server", which should be explaining the Keycloak's Admin >>> Console UI features (see [1]). The doc would contain a bunch of >>> screenshots and little sentences to explain the reason of these >>> different screens, similar to: >>> http://staging.aerogear.org/docs/unifiedpush/ups_userguide/admin-ui/ >>> >>> However, before starting too early on this document, I was wondering >>> about a few things :-) >>> >>> * there is no such 'Console UI guide' from the Keycloak team, atm - >>> right ? If so, that's totally fine and I am happy to create one for UPS. >>> Hopefully some of its conent can be reused by the KC team. Would be cool >>> if we can work on improving that document together >>> >> Our console guide is pretty much mixed in with our normal docs. We >> wouldn't have a separate guide I don't think. There's really not much >> of an API to document and it is all config files, and admin UI. What we >> need to do is add screen shots and stuff. >> >>> * are you guys planning significant changes to the Admin Console UI, >>> after the beta4 has been released? I've seen some PRs around "UI >>> federation" (I am not familiar w/ the details around that), but that >>> seems to be done once we have the beta4 release available. >>> >> Federation stuff is already in (last week). >> >> Some UI changes that might come in: >> >> * Scope pages for application/oauth client will have option to allow any >> role. >> * I'm thinking of combining oauth client and application together. need >> to get feedback from Stian and Marek though before I do this. > +1 To combining these - I'd even say we should combine these in the model as well. +1, I belive that adding just a flag to ClientModel should be sufficient. We can add something to admin console, that if flag is selected than some settings (for example Roles tabs) will be hidden. Similarly like when you select that application is "public" it automatically hides Credentials tabs. > >> Other than that, there will only be minor cosmetic changes. >> >> Bill >> >> >> -- >> Bill Burke >> JBoss, a division of Red Hat >> http://bill.burkecentral.com >> _______________________________________________ >> keycloak-dev mailing list >> keycloak-dev at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-dev >> > _______________________________________________ > keycloak-dev mailing list > keycloak-dev at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-dev From mposolda at redhat.com Mon Aug 11 08:04:46 2014 From: mposolda at redhat.com (Marek Posolda) Date: Mon, 11 Aug 2014 14:04:46 +0200 Subject: [keycloak-dev] Transaction active Message-ID: <53E8B15E.7080909@redhat.com> I believe that when tx.commit() or tx.rollback() is called, then transaction shouldn't be in the active state anymore, right? Actually JPA works this way, but our other transaction implementations (TransactionManager, cache, mongo) are not. Should we change that? Marek From ssilvert at redhat.com Mon Aug 11 08:19:03 2014 From: ssilvert at redhat.com (Stan Silvert) Date: Mon, 11 Aug 2014 08:19:03 -0400 Subject: [keycloak-dev] Keycloak Admin Console guide (for UPS) In-Reply-To: <53E7EEDB.2000005@redhat.com> References: <53E791D8.5080500@redhat.com> <53E7EEDB.2000005@redhat.com> Message-ID: <53E8B4B7.30007@redhat.com> On 8/10/2014 6:14 PM, Marek Posolda wrote: > Maybe it's not directly related, but I wonder if we may have support for > tooltips/hints in admin console? Basically if someone has displayed some > screen in admin console and he put his mouse over label of some option, > it will display some tooltip message like "This option is very useful to > do blah and you can configure blah with this" etc. This might help that > admin console UI will be quite "self documenting" and in some cases, > people may not even need to open any other docs to figure what option XY > really means. > > I am not usability expert, maybe it's dumb idea. Just something which > came to my mind:-) Not a dumb idea at all. Tooltips or something similar would be quite helpful. I suspect that there are no objections and that all we need is someone with the time to implement it. > > Marek > > > On 10.8.2014 17:38, Bill Burke wrote: >> Looks nice. I need to do something similar. >> >> On 8/10/2014 8:11 AM, Matthias Wessendorf wrote: >>> Hello, >>> >>> for the UPS guide, I added a little section that walks the UPS user >>> through the UI of the "Keycloak Admin Console" (focused on AeroGear's >>> need (E.g. no talk on social login or Federation). >>> >>> It would be nice if you could take a look on the PR: >>> https://github.com/aerogear/aerogear.org/pull/349 >>> >>> The document, can be read here as well: >>> https://github.com/matzew/aerogear.org/blob/KC_Admin_Console/docs/unifiedpush/ups_userguide/server-administration.asciidoc >>> >>> Thanks! >>> >>> Greetings, >>> Matthias >>> >>> -- >>> Matthias Wessendorf >>> >>> blog: http://matthiaswessendorf.wordpress.com/ >>> sessions: http://www.slideshare.net/mwessendorf >>> twitter: http://twitter.com/mwessendorf >>> >>> >>> _______________________________________________ >>> keycloak-dev mailing list >>> keycloak-dev at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-dev >>> > _______________________________________________ > keycloak-dev mailing list > keycloak-dev at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-dev From stian at redhat.com Mon Aug 11 08:24:14 2014 From: stian at redhat.com (Stian Thorgersen) Date: Mon, 11 Aug 2014 08:24:14 -0400 (EDT) Subject: [keycloak-dev] Transaction active In-Reply-To: <53E8B15E.7080909@redhat.com> References: <53E8B15E.7080909@redhat.com> Message-ID: <213200361.27840794.1407759854713.JavaMail.zimbra@redhat.com> ----- Original Message ----- > From: "Marek Posolda" > To: keycloak-dev at lists.jboss.org > Sent: Monday, 11 August, 2014 1:04:46 PM > Subject: [keycloak-dev] Transaction active > > I believe that when tx.commit() or tx.rollback() is called, then > transaction shouldn't be in the active state anymore, right? Actually > JPA works this way, but our other transaction implementations > (TransactionManager, cache, mongo) are not. Should we change that? We should. It should also be possible to call begin() again to start a new transaction, not sure if that works either. > > Marek > _______________________________________________ > keycloak-dev mailing list > keycloak-dev at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-dev > From stian at redhat.com Mon Aug 11 08:25:58 2014 From: stian at redhat.com (Stian Thorgersen) Date: Mon, 11 Aug 2014 08:25:58 -0400 (EDT) Subject: [keycloak-dev] Keycloak Admin Console guide (for UPS) In-Reply-To: <53E7EEDB.2000005@redhat.com> References: <53E791D8.5080500@redhat.com> <53E7EEDB.2000005@redhat.com> Message-ID: <1572217425.27841766.1407759958009.JavaMail.zimbra@redhat.com> ----- Original Message ----- > From: "Marek Posolda" > To: keycloak-dev at lists.jboss.org > Sent: Sunday, 10 August, 2014 11:14:51 PM > Subject: Re: [keycloak-dev] Keycloak Admin Console guide (for UPS) > > Maybe it's not directly related, but I wonder if we may have support for > tooltips/hints in admin console? Basically if someone has displayed some > screen in admin console and he put his mouse over label of some option, > it will display some tooltip message like "This option is very useful to > do blah and you can configure blah with this" etc. This might help that > admin console UI will be quite "self documenting" and in some cases, > people may not even need to open any other docs to figure what option XY > really means. +1 Shouldn't take to much time to add either > > I am not usability expert, maybe it's dumb idea. Just something which > came to my mind:-) > > Marek > > > On 10.8.2014 17:38, Bill Burke wrote: > > Looks nice. I need to do something similar. > > > > On 8/10/2014 8:11 AM, Matthias Wessendorf wrote: > >> Hello, > >> > >> for the UPS guide, I added a little section that walks the UPS user > >> through the UI of the "Keycloak Admin Console" (focused on AeroGear's > >> need (E.g. no talk on social login or Federation). > >> > >> It would be nice if you could take a look on the PR: > >> https://github.com/aerogear/aerogear.org/pull/349 > >> > >> The document, can be read here as well: > >> https://github.com/matzew/aerogear.org/blob/KC_Admin_Console/docs/unifiedpush/ups_userguide/server-administration.asciidoc > >> > >> Thanks! > >> > >> Greetings, > >> Matthias > >> > >> -- > >> Matthias Wessendorf > >> > >> blog: http://matthiaswessendorf.wordpress.com/ > >> sessions: http://www.slideshare.net/mwessendorf > >> twitter: http://twitter.com/mwessendorf > >> > >> > >> _______________________________________________ > >> keycloak-dev mailing list > >> keycloak-dev at lists.jboss.org > >> https://lists.jboss.org/mailman/listinfo/keycloak-dev > >> > > _______________________________________________ > keycloak-dev mailing list > keycloak-dev at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-dev > From mposolda at redhat.com Mon Aug 11 08:30:10 2014 From: mposolda at redhat.com (Marek Posolda) Date: Mon, 11 Aug 2014 14:30:10 +0200 Subject: [keycloak-dev] Transaction active In-Reply-To: <213200361.27840794.1407759854713.JavaMail.zimbra@redhat.com> References: <53E8B15E.7080909@redhat.com> <213200361.27840794.1407759854713.JavaMail.zimbra@redhat.com> Message-ID: <53E8B752.3010101@redhat.com> On 11.8.2014 14:24, Stian Thorgersen wrote: > > ----- Original Message ----- >> From: "Marek Posolda" >> To: keycloak-dev at lists.jboss.org >> Sent: Monday, 11 August, 2014 1:04:46 PM >> Subject: [keycloak-dev] Transaction active >> >> I believe that when tx.commit() or tx.rollback() is called, then >> transaction shouldn't be in the active state anymore, right? Actually >> JPA works this way, but our other transaction implementations >> (TransactionManager, cache, mongo) are not. Should we change that? > We should. It should also be possible to call begin() again to start a new transaction, not sure if that works either. At least JPA supports more transactions inside single entityManager AFAIK. Not sure if it's good practice to use it this way and but it works. Our other implementations doesn't support this ATM as begin method will throw exception if transaction is already active and commit,rollback doesn't restart activeflag. I can change it so commit,rollback will set active=false in our transaction impls? Should be quite easy change though. Marek > >> Marek >> _______________________________________________ >> keycloak-dev mailing list >> keycloak-dev at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-dev >> From bburke at redhat.com Mon Aug 11 10:13:26 2014 From: bburke at redhat.com (Bill Burke) Date: Mon, 11 Aug 2014 10:13:26 -0400 Subject: [keycloak-dev] full scope allowed In-Reply-To: <1937778698.27648751.1407752362044.JavaMail.zimbra@redhat.com> References: <53DFEC19.7000704@redhat.com> <1937778698.27648751.1407752362044.JavaMail.zimbra@redhat.com> Message-ID: <53E8CF86.7040006@redhat.com> Ya, if we have time to do it. On 8/11/2014 6:19 AM, Stian Thorgersen wrote: > Is "Permit All Roles" any better? > > I'd like us to add a (?) next to all flags, and anything else where it makes sense. When the user clicks on it a small popover would display with a brief description. > > ----- Original Message ----- >> From: "Bill Burke" >> To: keycloak-dev at lists.jboss.org >> Sent: Monday, 4 August, 2014 9:24:57 PM >> Subject: [keycloak-dev] full scope allowed >> >> Applications, by default, have a full scope of all realm and all >> applications' roles. This is a flag stored in "fullScopeAllowed" in the >> Client model. >> >> It is a switch called "Full Scope Allowed". I don't know if there is a >> better name for it or not. >> >> >> -- >> Bill Burke >> JBoss, a division of Red Hat >> http://bill.burkecentral.com >> _______________________________________________ >> keycloak-dev mailing list >> keycloak-dev at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-dev >> -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From bburke at redhat.com Mon Aug 11 10:26:27 2014 From: bburke at redhat.com (Bill Burke) Date: Mon, 11 Aug 2014 10:26:27 -0400 Subject: [keycloak-dev] Sync commited In-Reply-To: <53E7ED98.3000901@redhat.com> References: <53E7ED98.3000901@redhat.com> Message-ID: <53E8D293.1030202@redhat.com> Great stuff. On 8/10/2014 6:09 PM, Marek Posolda wrote: > Hi, > > I've pushed support for bulk sync of users from external store (like > LDAP) to local store. Some summary of changes: > - Added 2 new methods to UserFederationProviderFactory. Method > syncAllUsers (For sync all users from external store to local store) and > syncChangedUsers (sync just users, which were changed. Needs that > external store has support for changelogs) > > - Implementation for LDAP which allows both "full" and "changed" sync. > It's possible to track users, which were created or updated on LDAP > server since some specified time. Unfortunately not easily possible to > track removed LDAP users > > - Support for periodic sync. You can specify period for each > FederationProvider how often it should do syncAllUsers and how often > syncChangedUsers. It's possible to specify different period for each > UserFederationProviderModel so for example realm1 can sync from Active > Directory once per day where realm2 can sync from OpenDS LDAP just one > per week etc. Also if you update or delete UserFederationProviderModel, > sync task will be updated/cancelled as well (I've added to BasicTimer > support for cancelling of previously scheduled tasks) > > > Remaining work: > * Support in admin console. I plan to add buttons, which will allow > admin to trigger either syncAllUsers or syncChangedUsers from admin > console. Also new options to specify periods for fullSync and > "changedSync" . For LDAP, I will need to add option for batch size > (Number of LDAP users to be downloaded per each batch (page). Each batch > is processed in separate transaction) . > > * For now, I've added just sync from external store to Keycloak. Do we > need 2 ways sync? For example if people have WRITABLE mode for their > Federation Provider, then changes to particular user done by Keycloak > are immediatelly written to 3rd party store anyway? > > * As I mentioned the syncChangedUsers for LDAP is able to track created > and updated LDAP users but not removed. I wonder if it's good idea that > during full sync, Keycloak will check if all local users with LDAP links > are still valid and delete those, which are not? Or is it ok to just > rely on FederationProvider to handle this? > > * Sync/Federation of roles? Right now both FederationProvider and Sync > is doing just syncing of users, but not roles or role mappings. I wonder > that maybe people probably also want to sync their LDAP roles into > Keycloak and also role mappings too. This might be quite tricky though > as Federation just deals with UserProvider, but syncing roles from LDAP > will require some updates to RealmProvider too. Probably not doable for > 1.0.Final though... > Just create tasks for stuff for 1.1. We'll wait for feedback on these LDAP features from community. We need to start closing out our JIRAs for RC-1 and 1.0.Final. -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From bburke at redhat.com Mon Aug 11 10:27:21 2014 From: bburke at redhat.com (Bill Burke) Date: Mon, 11 Aug 2014 10:27:21 -0400 Subject: [keycloak-dev] Keycloak Admin Console guide (for UPS) In-Reply-To: <53E7EEDB.2000005@redhat.com> References: <53E791D8.5080500@redhat.com> <53E7EEDB.2000005@redhat.com> Message-ID: <53E8D2C9.30304@redhat.com> I would like that a lot. Just is there time to do it before 1.0.Final? I don't have time to look into it. On 8/10/2014 6:14 PM, Marek Posolda wrote: > Maybe it's not directly related, but I wonder if we may have support for > tooltips/hints in admin console? Basically if someone has displayed some > screen in admin console and he put his mouse over label of some option, > it will display some tooltip message like "This option is very useful to > do blah and you can configure blah with this" etc. This might help that > admin console UI will be quite "self documenting" and in some cases, > people may not even need to open any other docs to figure what option XY > really means. > > I am not usability expert, maybe it's dumb idea. Just something which > came to my mind:-) > > Marek > > > On 10.8.2014 17:38, Bill Burke wrote: >> Looks nice. I need to do something similar. >> >> On 8/10/2014 8:11 AM, Matthias Wessendorf wrote: >>> Hello, >>> >>> for the UPS guide, I added a little section that walks the UPS user >>> through the UI of the "Keycloak Admin Console" (focused on AeroGear's >>> need (E.g. no talk on social login or Federation). >>> >>> It would be nice if you could take a look on the PR: >>> https://github.com/aerogear/aerogear.org/pull/349 >>> >>> The document, can be read here as well: >>> https://github.com/matzew/aerogear.org/blob/KC_Admin_Console/docs/unifiedpush/ups_userguide/server-administration.asciidoc >>> >>> Thanks! >>> >>> Greetings, >>> Matthias >>> >>> -- >>> Matthias Wessendorf >>> >>> blog: http://matthiaswessendorf.wordpress.com/ >>> sessions: http://www.slideshare.net/mwessendorf >>> twitter: http://twitter.com/mwessendorf >>> >>> >>> _______________________________________________ >>> keycloak-dev mailing list >>> keycloak-dev at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-dev >>> > > _______________________________________________ > keycloak-dev mailing list > keycloak-dev at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-dev > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From stian at redhat.com Mon Aug 11 10:48:05 2014 From: stian at redhat.com (Stian Thorgersen) Date: Mon, 11 Aug 2014 10:48:05 -0400 (EDT) Subject: [keycloak-dev] Keycloak Admin Console guide (for UPS) In-Reply-To: <53E8D2C9.30304@redhat.com> References: <53E791D8.5080500@redhat.com> <53E7EEDB.2000005@redhat.com> <53E8D2C9.30304@redhat.com> Message-ID: <1366564795.27963273.1407768485787.JavaMail.zimbra@redhat.com> ----- Original Message ----- > From: "Bill Burke" > To: keycloak-dev at lists.jboss.org > Sent: Monday, 11 August, 2014 3:27:21 PM > Subject: Re: [keycloak-dev] Keycloak Admin Console guide (for UPS) > > I would like that a lot. Just is there time to do it before 1.0.Final? > I don't have time to look into it. I can probably spend a couple hours adding some when I get back to PTO. Would be after RC1 though, but I don't think that's a big prob? > > On 8/10/2014 6:14 PM, Marek Posolda wrote: > > Maybe it's not directly related, but I wonder if we may have support for > > tooltips/hints in admin console? Basically if someone has displayed some > > screen in admin console and he put his mouse over label of some option, > > it will display some tooltip message like "This option is very useful to > > do blah and you can configure blah with this" etc. This might help that > > admin console UI will be quite "self documenting" and in some cases, > > people may not even need to open any other docs to figure what option XY > > really means. > > > > I am not usability expert, maybe it's dumb idea. Just something which > > came to my mind:-) > > > > Marek > > > > > > On 10.8.2014 17:38, Bill Burke wrote: > >> Looks nice. I need to do something similar. > >> > >> On 8/10/2014 8:11 AM, Matthias Wessendorf wrote: > >>> Hello, > >>> > >>> for the UPS guide, I added a little section that walks the UPS user > >>> through the UI of the "Keycloak Admin Console" (focused on AeroGear's > >>> need (E.g. no talk on social login or Federation). > >>> > >>> It would be nice if you could take a look on the PR: > >>> https://github.com/aerogear/aerogear.org/pull/349 > >>> > >>> The document, can be read here as well: > >>> https://github.com/matzew/aerogear.org/blob/KC_Admin_Console/docs/unifiedpush/ups_userguide/server-administration.asciidoc > >>> > >>> Thanks! > >>> > >>> Greetings, > >>> Matthias > >>> > >>> -- > >>> Matthias Wessendorf > >>> > >>> blog: http://matthiaswessendorf.wordpress.com/ > >>> sessions: http://www.slideshare.net/mwessendorf > >>> twitter: http://twitter.com/mwessendorf > >>> > >>> > >>> _______________________________________________ > >>> keycloak-dev mailing list > >>> keycloak-dev at lists.jboss.org > >>> https://lists.jboss.org/mailman/listinfo/keycloak-dev > >>> > > > > _______________________________________________ > > keycloak-dev mailing list > > keycloak-dev at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-dev > > > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > _______________________________________________ > keycloak-dev mailing list > keycloak-dev at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-dev > From bburke at redhat.com Mon Aug 11 10:55:48 2014 From: bburke at redhat.com (Bill Burke) Date: Mon, 11 Aug 2014 10:55:48 -0400 Subject: [keycloak-dev] Keycloak Admin Console guide (for UPS) In-Reply-To: <1366564795.27963273.1407768485787.JavaMail.zimbra@redhat.com> References: <53E791D8.5080500@redhat.com> <53E7EEDB.2000005@redhat.com> <53E8D2C9.30304@redhat.com> <1366564795.27963273.1407768485787.JavaMail.zimbra@redhat.com> Message-ID: <53E8D974.1040907@redhat.com> On 8/11/2014 10:48 AM, Stian Thorgersen wrote: > > > ----- Original Message ----- >> From: "Bill Burke" >> To: keycloak-dev at lists.jboss.org >> Sent: Monday, 11 August, 2014 3:27:21 PM >> Subject: Re: [keycloak-dev] Keycloak Admin Console guide (for UPS) >> >> I would like that a lot. Just is there time to do it before 1.0.Final? >> I don't have time to look into it. > > I can probably spend a couple hours adding some when I get back to PTO. Would be after RC1 though, but I don't think that's a big prob? > I would do it too, I just don't know how to. Do we have any examples anywhere? -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From stian at redhat.com Mon Aug 11 10:59:30 2014 From: stian at redhat.com (Stian Thorgersen) Date: Mon, 11 Aug 2014 10:59:30 -0400 (EDT) Subject: [keycloak-dev] Keycloak Admin Console guide (for UPS) In-Reply-To: <53E8D974.1040907@redhat.com> References: <53E791D8.5080500@redhat.com> <53E7EEDB.2000005@redhat.com> <53E8D2C9.30304@redhat.com> <1366564795.27963273.1407768485787.JavaMail.zimbra@redhat.com> <53E8D974.1040907@redhat.com> Message-ID: <104585726.27981180.1407769170545.JavaMail.zimbra@redhat.com> I can add one tomorrow ----- Original Message ----- > From: "Bill Burke" > To: "Stian Thorgersen" > Cc: keycloak-dev at lists.jboss.org > Sent: Monday, 11 August, 2014 3:55:48 PM > Subject: Re: [keycloak-dev] Keycloak Admin Console guide (for UPS) > > > > On 8/11/2014 10:48 AM, Stian Thorgersen wrote: > > > > > > ----- Original Message ----- > >> From: "Bill Burke" > >> To: keycloak-dev at lists.jboss.org > >> Sent: Monday, 11 August, 2014 3:27:21 PM > >> Subject: Re: [keycloak-dev] Keycloak Admin Console guide (for UPS) > >> > >> I would like that a lot. Just is there time to do it before 1.0.Final? > >> I don't have time to look into it. > > > > I can probably spend a couple hours adding some when I get back to PTO. > > Would be after RC1 though, but I don't think that's a big prob? > > > > I would do it too, I just don't know how to. Do we have any examples > anywhere? > > > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > From stian at redhat.com Mon Aug 11 11:14:46 2014 From: stian at redhat.com (Stian Thorgersen) Date: Mon, 11 Aug 2014 11:14:46 -0400 (EDT) Subject: [keycloak-dev] Keycloak Admin Console guide (for UPS) In-Reply-To: <53E8D974.1040907@redhat.com> References: <53E791D8.5080500@redhat.com> <53E7EEDB.2000005@redhat.com> <53E8D2C9.30304@redhat.com> <1366564795.27963273.1407768485787.JavaMail.zimbra@redhat.com> <53E8D974.1040907@redhat.com> Message-ID: <6362420.27998352.1407770086071.JavaMail.zimbra@redhat.com> Added an example for realm enabled: https://github.com/keycloak/keycloak/commit/7f96770089ed35e81133aeba73a66b198c1002cc#diff-d41d8cd98f00b204e9800998ecf8427e ----- Original Message ----- > From: "Bill Burke" > To: "Stian Thorgersen" > Cc: keycloak-dev at lists.jboss.org > Sent: Monday, 11 August, 2014 3:55:48 PM > Subject: Re: [keycloak-dev] Keycloak Admin Console guide (for UPS) > > > > On 8/11/2014 10:48 AM, Stian Thorgersen wrote: > > > > > > ----- Original Message ----- > >> From: "Bill Burke" > >> To: keycloak-dev at lists.jboss.org > >> Sent: Monday, 11 August, 2014 3:27:21 PM > >> Subject: Re: [keycloak-dev] Keycloak Admin Console guide (for UPS) > >> > >> I would like that a lot. Just is there time to do it before 1.0.Final? > >> I don't have time to look into it. > > > > I can probably spend a couple hours adding some when I get back to PTO. > > Would be after RC1 though, but I don't think that's a big prob? > > > > I would do it too, I just don't know how to. Do we have any examples > anywhere? > > > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > From bburke at redhat.com Mon Aug 11 11:19:26 2014 From: bburke at redhat.com (Bill Burke) Date: Mon, 11 Aug 2014 11:19:26 -0400 Subject: [keycloak-dev] security headers/realm attributes Message-ID: <53E8DEFE.2030800@redhat.com> I'm going to add realm attributes to JPA model and move some stuff there (brute force settings for example) Also, I'm going to add a new menu item "Attack Prevention" (if you can think of a better name, let me know). Under this I'll move "Brute Force Protection". Eventually we'll probably put IP Filtering there. Also, will add a "Security Headers". Under this will allow you to manually set these headers: https://www.owasp.org/index.php/List_of_useful_HTTP_headers By default, iframe will use a same origin policy. Some of these headers are quite complex (Content-Security-Policy), so it might be easiest to just allow the user to set the header manually. -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From stian at redhat.com Mon Aug 11 11:33:33 2014 From: stian at redhat.com (Stian Thorgersen) Date: Mon, 11 Aug 2014 11:33:33 -0400 (EDT) Subject: [keycloak-dev] security headers/realm attributes In-Reply-To: <53E8DEFE.2030800@redhat.com> References: <53E8DEFE.2030800@redhat.com> Message-ID: <270818024.28011836.1407771213883.JavaMail.zimbra@redhat.com> ----- Original Message ----- > From: "Bill Burke" > To: keycloak-dev at lists.jboss.org > Sent: Monday, 11 August, 2014 4:19:26 PM > Subject: [keycloak-dev] security headers/realm attributes > > I'm going to add realm attributes to JPA model and move some stuff there > (brute force settings for example) > > Also, I'm going to add a new menu item "Attack Prevention" (if you can > think of a better name, let me know). Under this I'll move "Brute Force > Protection". Eventually we'll probably put IP Filtering there. Also, > will add a "Security Headers". Under this will allow you to manually > set these headers: "Intrusion prevention"? BTW the number of tabs on realm settings makes it span multiple rows if social is enabled > > https://www.owasp.org/index.php/List_of_useful_HTTP_headers > > By default, iframe will use a same origin policy. > > Some of these headers are quite complex (Content-Security-Policy), so it > might be easiest to just allow the user to set the header manually. For 1.0.final that's probably best, but for the future I think we should figure this out so users doesn't have to ;) > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > _______________________________________________ > keycloak-dev mailing list > keycloak-dev at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-dev > From bburke at redhat.com Mon Aug 11 11:50:41 2014 From: bburke at redhat.com (Bill Burke) Date: Mon, 11 Aug 2014 11:50:41 -0400 Subject: [keycloak-dev] security headers/realm attributes In-Reply-To: <270818024.28011836.1407771213883.JavaMail.zimbra@redhat.com> References: <53E8DEFE.2030800@redhat.com> <270818024.28011836.1407771213883.JavaMail.zimbra@redhat.com> Message-ID: <53E8E651.5050506@redhat.com> On 8/11/2014 11:33 AM, Stian Thorgersen wrote: > > > ----- Original Message ----- >> From: "Bill Burke" >> To: keycloak-dev at lists.jboss.org >> Sent: Monday, 11 August, 2014 4:19:26 PM >> Subject: [keycloak-dev] security headers/realm attributes >> >> I'm going to add realm attributes to JPA model and move some stuff there >> (brute force settings for example) >> >> Also, I'm going to add a new menu item "Attack Prevention" (if you can >> think of a better name, let me know). Under this I'll move "Brute Force >> Protection". Eventually we'll probably put IP Filtering there. Also, >> will add a "Security Headers". Under this will allow you to manually >> set these headers: > > "Intrusion prevention"? > > BTW the number of tabs on realm settings makes it span multiple rows if social is enabled > I didn't see this problem on Firefox unless you seriously minimized your browser screen. I added more submenus because the Settings page was scrolling off the page and you might not know some things exist. I can break out roles/default roles into a new menu item? >> >> https://www.owasp.org/index.php/List_of_useful_HTTP_headers >> >> By default, iframe will use a same origin policy. >> >> Some of these headers are quite complex (Content-Security-Policy), so it >> might be easiest to just allow the user to set the header manually. > > For 1.0.final that's probably best, but for the future I think we should figure this out so users doesn't have to ;) > I originally toyed with the idea of having a simple drop down list for options, but when you look at Content-Security-Policy, it is quite complex and I didn't want to create this huge UI for it. We can set up some good defaults though. -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From bburke at redhat.com Mon Aug 11 12:52:36 2014 From: bburke at redhat.com (Bill Burke) Date: Mon, 11 Aug 2014 12:52:36 -0400 Subject: [keycloak-dev] tooltip doesn't match patternfly Message-ID: <53E8F4D4.4040609@redhat.com> I don't see "?" tooltips in patternfly. Should we do the tooltips over the labels instead without the '?' icon? -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From ssilvert at redhat.com Mon Aug 11 13:22:21 2014 From: ssilvert at redhat.com (Stan Silvert) Date: Mon, 11 Aug 2014 13:22:21 -0400 Subject: [keycloak-dev] tooltip doesn't match patternfly In-Reply-To: <53E8F4D4.4040609@redhat.com> References: <53E8F4D4.4040609@redhat.com> Message-ID: <53E8FBCD.7040607@redhat.com> On 8/11/2014 12:52 PM, Bill Burke wrote: > I don't see "?" tooltips in patternfly. Should we do the tooltips over > the labels instead without the '?' icon? > I'd ask the patternfly people if they have a standard for it. From bburke at redhat.com Mon Aug 11 13:52:34 2014 From: bburke at redhat.com (Bill Burke) Date: Mon, 11 Aug 2014 13:52:34 -0400 Subject: [keycloak-dev] tooltip doesn't match patternfly In-Reply-To: <53E8FBCD.7040607@redhat.com> References: <53E8F4D4.4040609@redhat.com> <53E8FBCD.7040607@redhat.com> Message-ID: <53E902E2.6010909@redhat.com> They have a tooltip standard, but dont' use a '?' icon. On 8/11/2014 1:22 PM, Stan Silvert wrote: > On 8/11/2014 12:52 PM, Bill Burke wrote: >> I don't see "?" tooltips in patternfly. Should we do the tooltips over >> the labels instead without the '?' icon? >> > I'd ask the patternfly people if they have a standard for it. > _______________________________________________ > keycloak-dev mailing list > keycloak-dev at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-dev > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From gcardoso at redhat.com Mon Aug 11 18:11:07 2014 From: gcardoso at redhat.com (Gabriel Cardoso) Date: Mon, 11 Aug 2014 19:11:07 -0300 Subject: [keycloak-dev] tooltip doesn't match patternfly In-Reply-To: <53E902E2.6010909@redhat.com> References: <53E8F4D4.4040609@redhat.com> <53E8FBCD.7040607@redhat.com> <53E902E2.6010909@redhat.com> Message-ID: <2B3BF6A1-15CF-4800-B220-1BDB8BD4612D@redhat.com> They are still working on the forms pattern. It is more user friendly to put the tooltip in the ? or info (i) icon rather than the label. We have something like that in LiveOak. Gabriel On Aug 11, 2014, at 2:52 PM, Bill Burke wrote: > They have a tooltip standard, but dont' use a '?' icon. > > On 8/11/2014 1:22 PM, Stan Silvert wrote: >> On 8/11/2014 12:52 PM, Bill Burke wrote: >>> I don't see "?" tooltips in patternfly. Should we do the tooltips over >>> the labels instead without the '?' icon? >>> >> I'd ask the patternfly people if they have a standard for it. >> _______________________________________________ >> keycloak-dev mailing list >> keycloak-dev at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-dev >> > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > _______________________________________________ > keycloak-dev mailing list > keycloak-dev at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-dev --- Gabriel Cardoso User Experience Designer @ Red Hat -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-dev/attachments/20140811/fbe4d65b/attachment-0001.html -------------- next part -------------- A non-text attachment was scrubbed... Name: Screen Shot 2014-08-11 at 7.09.57 PM.png Type: image/png Size: 32878 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-dev/attachments/20140811/fbe4d65b/attachment-0001.png From stian at redhat.com Tue Aug 12 04:50:36 2014 From: stian at redhat.com (Stian Thorgersen) Date: Tue, 12 Aug 2014 04:50:36 -0400 (EDT) Subject: [keycloak-dev] security headers/realm attributes In-Reply-To: <53E8E651.5050506@redhat.com> References: <53E8DEFE.2030800@redhat.com> <270818024.28011836.1407771213883.JavaMail.zimbra@redhat.com> <53E8E651.5050506@redhat.com> Message-ID: <1264123623.28659660.1407833436984.JavaMail.zimbra@redhat.com> ----- Original Message ----- > From: "Bill Burke" > To: "Stian Thorgersen" > Cc: keycloak-dev at lists.jboss.org > Sent: Monday, 11 August, 2014 4:50:41 PM > Subject: Re: [keycloak-dev] security headers/realm attributes > > > > On 8/11/2014 11:33 AM, Stian Thorgersen wrote: > > > > > > ----- Original Message ----- > >> From: "Bill Burke" > >> To: keycloak-dev at lists.jboss.org > >> Sent: Monday, 11 August, 2014 4:19:26 PM > >> Subject: [keycloak-dev] security headers/realm attributes > >> > >> I'm going to add realm attributes to JPA model and move some stuff there > >> (brute force settings for example) > >> > >> Also, I'm going to add a new menu item "Attack Prevention" (if you can > >> think of a better name, let me know). Under this I'll move "Brute Force > >> Protection". Eventually we'll probably put IP Filtering there. Also, > >> will add a "Security Headers". Under this will allow you to manually > >> set these headers: > > > > "Intrusion prevention"? > > > > BTW the number of tabs on realm settings makes it span multiple rows if > > social is enabled > > > > I didn't see this problem on Firefox unless you seriously minimized your > browser screen. I added more submenus because the Settings page was > scrolling off the page and you might not know some things exist. > > I can break out roles/default roles into a new menu item? I like the split, there was to much crud on one screen before. It happens when I enable the social tab and it looks like there's not much that cases it to happen, so may be some issue with fonts on Windows vs Linux. Changing 'Cache Config' to just 'Cache' would work as well. > > >> > >> https://www.owasp.org/index.php/List_of_useful_HTTP_headers > >> > >> By default, iframe will use a same origin policy. > >> > >> Some of these headers are quite complex (Content-Security-Policy), so it > >> might be easiest to just allow the user to set the header manually. > > > > For 1.0.final that's probably best, but for the future I think we should > > figure this out so users doesn't have to ;) > > > > I originally toyed with the idea of having a simple drop down list for > options, but when you look at Content-Security-Policy, it is quite > complex and I didn't want to create this huge UI for it. > > We can set up some good defaults though. +1 To good defaults, with some options on configuring it in the future > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > From bburke at redhat.com Tue Aug 12 10:32:40 2014 From: bburke at redhat.com (Bill Burke) Date: Tue, 12 Aug 2014 10:32:40 -0400 Subject: [keycloak-dev] tooltip doesn't match patternfly In-Reply-To: <2B3BF6A1-15CF-4800-B220-1BDB8BD4612D@redhat.com> References: <53E8F4D4.4040609@redhat.com> <53E8FBCD.7040607@redhat.com> <53E902E2.6010909@redhat.com> <2B3BF6A1-15CF-4800-B220-1BDB8BD4612D@redhat.com> Message-ID: <53EA2588.6010700@redhat.com> An icon to the right of every HTML form input seems messy to me. I was thinking an icon at the

title. And tooltips on the labels. I'll fool around with it and see how it looks. On 8/11/2014 6:11 PM, Gabriel Cardoso wrote: > They are still working on the forms pattern. > > It is more user friendly to put the tooltip in the ? or info (i) icon > rather than the label. > > We have something like that in LiveOak. > > > Gabriel > > On Aug 11, 2014, at 2:52 PM, Bill Burke > wrote: > >> They have a tooltip standard, but dont' use a '?' icon. >> >> On 8/11/2014 1:22 PM, Stan Silvert wrote: >>> On 8/11/2014 12:52 PM, Bill Burke wrote: >>>> I don't see "?" tooltips in patternfly. Should we do the tooltips over >>>> the labels instead without the '?' icon? >>>> >>> I'd ask the patternfly people if they have a standard for it. >>> _______________________ >>> keycloak-dev mailing list >>> keycloak-dev at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-dev >>> >> >> -- >> Bill Burke >> JBoss, a division of Red Hat >> http://bill.burkecentral.com >> _ >> keycloak-dev mailing list >> keycloak-dev at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-dev > > --- > Gabriel Cardoso > User Experience Designer @ Red Hat > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From gcardoso at redhat.com Tue Aug 12 10:51:47 2014 From: gcardoso at redhat.com (Gabriel Cardoso) Date: Tue, 12 Aug 2014 11:51:47 -0300 Subject: [keycloak-dev] tooltip doesn't match patternfly In-Reply-To: <53EA2588.6010700@redhat.com> References: <53E8F4D4.4040609@redhat.com> <53E8FBCD.7040607@redhat.com> <53E902E2.6010909@redhat.com> <2B3BF6A1-15CF-4800-B220-1BDB8BD4612D@redhat.com> <53EA2588.6010700@redhat.com> Message-ID: > An icon to the right of every HTML form input seems messy to me. Will you have tooltips in every input? > I was thinking an icon at the
title. And tooltips on the labels. I'll fool around with it and see how it looks. From what I?ve seen until now, it is a pattern to put a tooltip in the info sign. Never seen in labels. Some users will not realise this. As a designer I wouldn?t do that. --- Gabriel Cardoso User Experience Designer @ Red Hat -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-dev/attachments/20140812/95fcd75d/attachment.html From bburke at redhat.com Tue Aug 12 11:11:39 2014 From: bburke at redhat.com (Bill Burke) Date: Tue, 12 Aug 2014 11:11:39 -0400 Subject: [keycloak-dev] menu refactor, removed breadcrumbs Message-ID: <53EA2EAB.5000503@redhat.com> Stian mentioned months and months ago that he thought breadcrumbs were redundant. So...I removed them. Also, I added a top=level menu item "roles". This made the settings submenu a bit smaller. Bill -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From gcardoso at redhat.com Tue Aug 12 11:22:54 2014 From: gcardoso at redhat.com (Gabriel Cardoso) Date: Tue, 12 Aug 2014 12:22:54 -0300 Subject: [keycloak-dev] tooltip doesn't match patternfly In-Reply-To: References: <53E8F4D4.4040609@redhat.com> <53E8FBCD.7040607@redhat.com> <53E902E2.6010909@redhat.com> <2B3BF6A1-15CF-4800-B220-1BDB8BD4612D@redhat.com> <53EA2588.6010700@redhat.com> Message-ID: Bill, I?ve talked to Stian and will make some research and a proposal for this asap. Gabriel On Aug 12, 2014, at 11:51 AM, Gabriel Cardoso wrote: >> An icon to the right of every HTML form input seems messy to me. > Will you have tooltips in every input? > >> I was thinking an icon at the
title. And tooltips on the labels. I'll fool around with it and see how it looks. > From what I?ve seen until now, it is a pattern to put a tooltip in the info sign. Never seen in labels. Some users will not realise this. As a designer I wouldn?t do that. > > --- > Gabriel Cardoso > User Experience Designer @ Red Hat > > _ > keycloak-dev mailing list > keycloak-dev at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-dev --- Gabriel Cardoso User Experience Designer @ Red Hat -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-dev/attachments/20140812/331332eb/attachment.html From bburke at redhat.com Tue Aug 12 12:17:51 2014 From: bburke at redhat.com (Bill Burke) Date: Tue, 12 Aug 2014 12:17:51 -0400 Subject: [keycloak-dev] tooltip doesn't match patternfly In-Reply-To: References: <53E8F4D4.4040609@redhat.com> <53E8FBCD.7040607@redhat.com> <53E902E2.6010909@redhat.com> <2B3BF6A1-15CF-4800-B220-1BDB8BD4612D@redhat.com> <53EA2588.6010700@redhat.com> Message-ID: <53EA3E2F.3070901@redhat.com> On 8/12/2014 10:51 AM, Gabriel Cardoso wrote: >> An icon to the right of every HTML form input seems messy to me. > Will you have tooltips in every input? > Most as we need to explain what it does. >> I was thinking an icon at the
title. And tooltips on the labels. >> I'll fool around with it and see how it looks. > From what I?ve seen until now, it is a pattern to put a tooltip in the > info sign. Never seen in labels. Some users will not realise this. As a > designer I wouldn?t do that. > I'll do it with an icon then. I'll change it once your recommendations come in. -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From mposolda at redhat.com Tue Aug 12 13:24:30 2014 From: mposolda at redhat.com (Marek Posolda) Date: Tue, 12 Aug 2014 19:24:30 +0200 Subject: [keycloak-dev] Sync commited In-Reply-To: <53E8D293.1030202@redhat.com> References: <53E7ED98.3000901@redhat.com> <53E8D293.1030202@redhat.com> Message-ID: <53EA4DCE.9010103@redhat.com> I've pushed the support for configuration in admin console and created JIRAs for 1.1 for rest of the tasks (2 ways sync, roles sync, verifying removed users during LDAP sync) Marek On 11.8.2014 16:26, Bill Burke wrote: > Just create tasks for stuff for 1.1. We'll wait for feedback on these > LDAP features from community. We need to start closing out our JIRAs > for RC-1 and 1.0.Final. From mposolda at redhat.com Tue Aug 12 13:25:58 2014 From: mposolda at redhat.com (Marek Posolda) Date: Tue, 12 Aug 2014 19:25:58 +0200 Subject: [keycloak-dev] Keycloak Admin Console guide (for UPS) In-Reply-To: <6362420.27998352.1407770086071.JavaMail.zimbra@redhat.com> References: <53E791D8.5080500@redhat.com> <53E7EEDB.2000005@redhat.com> <53E8D2C9.30304@redhat.com> <1366564795.27963273.1407768485787.JavaMail.zimbra@redhat.com> <53E8D974.1040907@redhat.com> <6362420.27998352.1407770086071.JavaMail.zimbra@redhat.com> Message-ID: <53EA4E26.7090209@redhat.com> I can help here as well once I return from PTO (25th August) and once it will be more clear and decided with UXP/Patternfly team how exactly we do it. Marek On 11.8.2014 17:14, Stian Thorgersen wrote: > Added an example for realm enabled: > > https://github.com/keycloak/keycloak/commit/7f96770089ed35e81133aeba73a66b198c1002cc#diff-d41d8cd98f00b204e9800998ecf8427e > > ----- Original Message ----- >> From: "Bill Burke" >> To: "Stian Thorgersen" >> Cc: keycloak-dev at lists.jboss.org >> Sent: Monday, 11 August, 2014 3:55:48 PM >> Subject: Re: [keycloak-dev] Keycloak Admin Console guide (for UPS) >> >> >> >> On 8/11/2014 10:48 AM, Stian Thorgersen wrote: >>> >>> ----- Original Message ----- >>>> From: "Bill Burke" >>>> To: keycloak-dev at lists.jboss.org >>>> Sent: Monday, 11 August, 2014 3:27:21 PM >>>> Subject: Re: [keycloak-dev] Keycloak Admin Console guide (for UPS) >>>> >>>> I would like that a lot. Just is there time to do it before 1.0.Final? >>>> I don't have time to look into it. >>> I can probably spend a couple hours adding some when I get back to PTO. >>> Would be after RC1 though, but I don't think that's a big prob? >>> >> I would do it too, I just don't know how to. Do we have any examples >> anywhere? >> >> >> >> -- >> Bill Burke >> JBoss, a division of Red Hat >> http://bill.burkecentral.com >> > _ > keycloak-dev mailing list > keycloak-dev at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-dev From bburke at redhat.com Tue Aug 12 16:32:38 2014 From: bburke at redhat.com (Bill Burke) Date: Tue, 12 Aug 2014 16:32:38 -0400 Subject: [keycloak-dev] tooltips started Message-ID: <53EA79E6.70103@redhat.com> I did it for "Settings, Users, Roles" and their submenus. Let me know if you like them. Going to finish them up tomorrow. -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From ssilvert at redhat.com Wed Aug 13 09:13:02 2014 From: ssilvert at redhat.com (Stan Silvert) Date: Wed, 13 Aug 2014 09:13:02 -0400 Subject: [keycloak-dev] tooltips started In-Reply-To: <53EA79E6.70103@redhat.com> References: <53EA79E6.70103@redhat.com> Message-ID: <53EB645E.5040005@redhat.com> On 8/12/2014 4:32 PM, Bill Burke wrote: > I did it for "Settings, Users, Roles" and their submenus. Let me know > if you like them. Going to finish them up tomorrow. > This is a big usability improvement! I noticed that among Settings, Users, and Roles, there is still some help text missing. Assume it's just work in progress? Under Users --> Attributes --> Required User Actions, only half of the ? icon shows up. The field hides part of it. That made me wonder if the help text was incomplete or hidden. The only other ? icon on that page is User Enabled. From gcardoso at redhat.com Wed Aug 13 16:33:05 2014 From: gcardoso at redhat.com (Gabriel Cardoso) Date: Wed, 13 Aug 2014 17:33:05 -0300 Subject: [keycloak-dev] tooltips started In-Reply-To: <53EB645E.5040005@redhat.com> References: <53EA79E6.70103@redhat.com> <53EB645E.5040005@redhat.com> Message-ID: <83DC1700-FE7F-4C69-9948-B4CCE2E1A8C9@redhat.com> Hi Bill, Here is my proposal: - Remove the tooltip from the heading and display it as a help text below. - Place the info icons close to the labels instead of inputs. Use icons from font awesome: http://fortawesome.github.io/Font-Awesome/icon/info-circle/ - Use tooltips placed at the top, so the user can still see the input on the right. I believe you don?t need some tooltips. In this page, for instance, available roles and application is pretty obvious (my opinion). Patternfly is working on this. Here an excerpt of their draft: "To ensure that it remains effective and useful, use help text sparingly in your forms. Striving to minimize the amount of help text on your forms will push you toward better design solutions. Use help text to explain unfamiliar fields (particularly for new or infrequent users) or syntax for complex fields. Don?t use help text to compensate for the shortcomings of your forms." Gabriel On Aug 13, 2014, at 10:13 AM, Stan Silvert wrote: > On 8/12/2014 4:32 PM, Bill Burke wrote: >> I did it for "Settings, Users, Roles" and their submenus. Let me know >> if you like them. Going to finish them up tomorrow. >> > This is a big usability improvement! > > I noticed that among Settings, Users, and Roles, there is still some > help text missing. Assume it's just work in progress? > > Under Users --> Attributes --> Required User Actions, only half of the ? > icon shows up. The field hides part of it. That made me wonder if the > help text was incomplete or hidden. The only other ? icon on that page > is User Enabled. > > > _ > keycloak-dev mailing list > keycloak-dev at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-dev --- Gabriel Cardoso User Experience Designer @ Red Hat -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-dev/attachments/20140813/f33ad4d1/attachment-0001.html -------------- next part -------------- A non-text attachment was scrubbed... Name: form-help.png Type: image/png Size: 54928 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-dev/attachments/20140813/f33ad4d1/attachment-0001.png From bburke at redhat.com Wed Aug 13 17:42:40 2014 From: bburke at redhat.com (Bill Burke) Date: Wed, 13 Aug 2014 17:42:40 -0400 Subject: [keycloak-dev] tooltips started In-Reply-To: <83DC1700-FE7F-4C69-9948-B4CCE2E1A8C9@redhat.com> References: <53EA79E6.70103@redhat.com> <53EB645E.5040005@redhat.com> <83DC1700-FE7F-4C69-9948-B4CCE2E1A8C9@redhat.com> Message-ID: <53EBDBD0.7020901@redhat.com> I like your proposals for the screen you mention. But for other screens I like the tooltip icons to the right of the input types as it gives a lot of space for the tooltip to appear in. I'll switch the icon type. Should we have a disable tooltips option? On 8/13/2014 4:33 PM, Gabriel Cardoso wrote: > Hi Bill, > > Here is my proposal: > > > - Remove the tooltip from the heading and display it as a help text below. > > - Place the info icons close to the labels instead of inputs. Use icons > from font awesome: > http://fortawesome.github.io/Font-Awesome/icon/info-circle/ > > - Use tooltips placed at the top, so the user can still see the input on > the right. > > I believe you don?t need some tooltips. In this page, for instance, > available roles and application is pretty obvious (my opinion). > > Patternfly is working on this. Here an excerpt of their draft: "To > ensure that it remains effective and useful, use help text sparingly in > your forms. Striving to minimize the amount of help text on your forms > will push you toward better design solutions. Use help text to explain > unfamiliar fields (particularly for new or infrequent users) or syntax > for complex fields. Don?t use help text to compensate for the > shortcomings of your forms." > > Gabriel > > On Aug 13, 2014, at 10:13 AM, Stan Silvert > wrote: > >> On 8/12/2014 4:32 PM, Bill Burke wrote: >>> I did it for "Settings, Users, Roles" and their submenus. Let me know >>> if you like them. Going to finish them up tomorrow. >>> >> This is a big usability improvement! >> >> I noticed that among Settings, Users, and Roles, there is still some >> help text missing. Assume it's just work in progress? >> >> Under Users --> Attributes --> Required User Actions, only half of the ? >> icon shows up. The field hides part of it. That made me wonder if the >> help text was incomplete or hidden. The only other ? icon on that page >> is User Enabled. >> >> >> _ >> keycloak-dev mailing list >> keycloak-dev at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-dev > > --- > Gabriel Cardoso > User Experience Designer @ Red Hat > > > > _ > keycloak-dev mailing list > keycloak-dev at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-dev > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From gcardoso at redhat.com Thu Aug 14 10:17:44 2014 From: gcardoso at redhat.com (Gabriel Cardoso) Date: Thu, 14 Aug 2014 11:17:44 -0300 Subject: [keycloak-dev] tooltips started In-Reply-To: <53EBDBD0.7020901@redhat.com> References: <53EA79E6.70103@redhat.com> <53EB645E.5040005@redhat.com> <83DC1700-FE7F-4C69-9948-B4CCE2E1A8C9@redhat.com> <53EBDBD0.7020901@redhat.com> Message-ID: <2FB341BD-B49A-4B08-9355-D84B6881E079@redhat.com> > I like your proposals for the screen you mention. Cool! > But for other screens I like the tooltip icons to the right of the input > types as it gives a lot of space for the tooltip to appear in. I'll > switch the icon type. Triggers next to the labels are a PatternFly recommendation: " Place triggers for user-activated help text (icons, links, or buttons) next to field labels and not input fields. Here is the part of the draft that talks about help: https://www.patternfly.org/wikis/patterns/pattern-development/draft-patterns/forms/#copy-help > Should we have a disable tooltips option? I don?t think so. User will just interact with them if he wants to. But place the tooltips in the console and we can evaluate if there is a not for this. Please let me know when you?re done with the tooltips, so I can review the console and make design adjustments :) Gabriel > On 8/13/2014 4:33 PM, Gabriel Cardoso wrote: >> Hi Bill, >> >> Here is my proposal: >> >> >> - Remove the tooltip from the heading and display it as a help text below. >> >> - Place the info icons close to the labels instead of inputs. Use icons >> from font awesome: >> http://fortawesome.github.io/Font-Awesome/icon/info-circle/ >> >> - Use tooltips placed at the top, so the user can still see the input on >> the right. >> >> I believe you don?t need some tooltips. In this page, for instance, >> available roles and application is pretty obvious (my opinion). >> >> Patternfly is working on this. Here an excerpt of their draft: "To >> ensure that it remains effective and useful, use help text sparingly in >> your forms. Striving to minimize the amount of help text on your forms >> will push you toward better design solutions. Use help text to explain >> unfamiliar fields (particularly for new or infrequent users) or syntax >> for complex fields. Don?t use help text to compensate for the >> shortcomings of your forms." >> >> Gabriel >> >> On Aug 13, 2014, at 10:13 AM, Stan Silvert > > wrote: >> >>> On 8/12/2014 4:32 PM, Bill Burke wrote: >>>> I did it for "Settings, Users, Roles" and their submenus. Let me know >>>> if you like them. Going to finish them up tomorrow. >>>> >>> This is a big usability improvement! >>> >>> I noticed that among Settings, Users, and Roles, there is still some >>> help text missing. Assume it's just work in progress? >>> >>> Under Users --> Attributes --> Required User Actions, only half of the ? >>> icon shows up. The field hides part of it. That made me wonder if the >>> help text was incomplete or hidden. The only other ? icon on that page >>> is User Enabled. >>> >>> >>> _ >>> keycloak-dev mailing list >>> keycloak-dev at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-dev >> >> --- >> Gabriel Cardoso >> User Experience Designer @ Red Hat >> >> >> >> _ >> keycloak-dev mailing list >> keycloak-dev at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-dev >> > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > _ > keycloak-dev mailing list > keycloak-dev at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-dev --- Gabriel Cardoso User Experience Designer @ Red Hat -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-dev/attachments/20140814/fdc61882/attachment.html From bburke at redhat.com Thu Aug 14 11:37:39 2014 From: bburke at redhat.com (Bill Burke) Date: Thu, 14 Aug 2014 11:37:39 -0400 Subject: [keycloak-dev] tooltips started In-Reply-To: <2FB341BD-B49A-4B08-9355-D84B6881E079@redhat.com> References: <53EA79E6.70103@redhat.com> <53EB645E.5040005@redhat.com> <83DC1700-FE7F-4C69-9948-B4CCE2E1A8C9@redhat.com> <53EBDBD0.7020901@redhat.com> <2FB341BD-B49A-4B08-9355-D84B6881E079@redhat.com> Message-ID: <53ECD7C3.1070008@redhat.com> Problem is that adding the info icon next to some labels puts the label on the next line and it looks weird. Solving this requires increasing the label column size to 3 (col-sm-3). Is that ok? On 8/14/2014 10:17 AM, Gabriel Cardoso wrote: >> I like your proposals for the screen you mention. > > Cool! > >> But for other screens I like the tooltip icons to the right of the input >> types as it gives a lot of space for the tooltip to appear in. I'll >> switch the icon type. > > Triggers next to the labels are a PatternFly recommendation: " > > * Place triggers for user-activated help text (icons, links, or > buttons) next to field labels and not input fields. > > Here is the part of the draft that talks about help: > https://www.patternfly.org/wikis/patterns/pattern-development/draft-patterns/forms/#copy-help > >> Should we have a disable tooltips option? > > I don?t think so. User will just interact with them if he wants to. But > place the tooltips in the console and we can evaluate if there is a not > for this. > > Please let me know when you?re done with the tooltips, so I can review > the console and make design adjustments :) > > Gabriel > >> On 8/13/2014 4:33 PM, Gabriel Cardoso wrote: >>> Hi Bill, >>> >>> Here is my proposal: >>> >>> >>> - Remove the tooltip from the heading and display it as a help text >>> below. >>> >>> - Place the info icons close to the labels instead of inputs. Use icons >>> from font awesome: >>> http://fortawesome.github.io/Font-Awesome/icon/info-circle/ >>> >>> - Use tooltips placed at the top, so the user can still see the input on >>> the right. >>> >>> I believe you don?t need some tooltips. In this page, for instance, >>> available roles and application is pretty obvious (my opinion). >>> >>> Patternfly is working on this. Here an excerpt of their draft: "To >>> ensure that it remains effective and useful, use help text sparingly in >>> your forms. Striving to minimize the amount of help text on your forms >>> will push you toward better design solutions. Use help text to explain >>> unfamiliar fields (particularly for new or infrequent users) or syntax >>> for complex fields. Don?t use help text to compensate for the >>> shortcomings of your forms." >>> >>> Gabriel >>> >>> On Aug 13, 2014, at 10:13 AM, Stan Silvert >> > wrote: >>> >>>> On 8/12/2014 4:32 PM, Bill Burke wrote: >>>>> I did it for "Settings, Users, Roles" and their submenus. Let me know >>>>> if you like them. Going to finish them up tomorrow. >>>>> >>>> This is a big usability improvement! >>>> >>>> I noticed that among Settings, Users, and Roles, there is still some >>>> help text missing. Assume it's just work in progress? >>>> >>>> Under Users --> Attributes --> Required User Actions, only half of the ? >>>> icon shows up. The field hides part of it. That made me wonder if the >>>> help text was incomplete or hidden. The only other ? icon on that page >>>> is User Enabled. >>>> >>>> >>>> _ >>>> keycloak-dev mailing list >>>> keycloak-dev at lists.jboss.org >>>> >>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev >>> >>> --- >>> Gabriel Cardoso >>> User Experience Designer @ Red Hat >>> >>> >>> >>> _ >>> keycloak-dev mailing list >>> keycloak-dev at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-dev >>> >> >> -- >> Bill Burke >> JBoss, a division of Red Hat >> http://bill.burkecentral.com >> _ >> keycloak-dev mailing list >> keycloak-dev at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-dev > > --- > Gabriel Cardoso > User Experience Designer @ Red Hat > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From bburke at redhat.com Thu Aug 14 11:47:20 2014 From: bburke at redhat.com (Bill Burke) Date: Thu, 14 Aug 2014 11:47:20 -0400 Subject: [keycloak-dev] tooltips started In-Reply-To: <2FB341BD-B49A-4B08-9355-D84B6881E079@redhat.com> References: <53EA79E6.70103@redhat.com> <53EB645E.5040005@redhat.com> <83DC1700-FE7F-4C69-9948-B4CCE2E1A8C9@redhat.com> <53EBDBD0.7020901@redhat.com> <2FB341BD-B49A-4B08-9355-D84B6881E079@redhat.com> Message-ID: <53ECDA08.6030406@redhat.com> Ugh, let me rephrase last email... The problem is that when you put the info icon directly to the right of the label, it sometimes appears in the next line by itself depending on the length of the label. Extending the column style of the label helps in some cases, in others the label can look even more weird when the label text is long. On 8/14/2014 10:17 AM, Gabriel Cardoso wrote: >> I like your proposals for the screen you mention. > > Cool! > >> But for other screens I like the tooltip icons to the right of the input >> types as it gives a lot of space for the tooltip to appear in. I'll >> switch the icon type. > > Triggers next to the labels are a PatternFly recommendation: " > > * Place triggers for user-activated help text (icons, links, or > buttons) next to field labels and not input fields. > > Here is the part of the draft that talks about help: > https://www.patternfly.org/wikis/patterns/pattern-development/draft-patterns/forms/#copy-help > >> Should we have a disable tooltips option? > > I don?t think so. User will just interact with them if he wants to. But > place the tooltips in the console and we can evaluate if there is a not > for this. > > Please let me know when you?re done with the tooltips, so I can review > the console and make design adjustments :) > > Gabriel > >> On 8/13/2014 4:33 PM, Gabriel Cardoso wrote: >>> Hi Bill, >>> >>> Here is my proposal: >>> >>> >>> - Remove the tooltip from the heading and display it as a help text >>> below. >>> >>> - Place the info icons close to the labels instead of inputs. Use icons >>> from font awesome: >>> http://fortawesome.github.io/Font-Awesome/icon/info-circle/ >>> >>> - Use tooltips placed at the top, so the user can still see the input on >>> the right. >>> >>> I believe you don?t need some tooltips. In this page, for instance, >>> available roles and application is pretty obvious (my opinion). >>> >>> Patternfly is working on this. Here an excerpt of their draft: "To >>> ensure that it remains effective and useful, use help text sparingly in >>> your forms. Striving to minimize the amount of help text on your forms >>> will push you toward better design solutions. Use help text to explain >>> unfamiliar fields (particularly for new or infrequent users) or syntax >>> for complex fields. Don?t use help text to compensate for the >>> shortcomings of your forms." >>> >>> Gabriel >>> >>> On Aug 13, 2014, at 10:13 AM, Stan Silvert >> > wrote: >>> >>>> On 8/12/2014 4:32 PM, Bill Burke wrote: >>>>> I did it for "Settings, Users, Roles" and their submenus. Let me know >>>>> if you like them. Going to finish them up tomorrow. >>>>> >>>> This is a big usability improvement! >>>> >>>> I noticed that among Settings, Users, and Roles, there is still some >>>> help text missing. Assume it's just work in progress? >>>> >>>> Under Users --> Attributes --> Required User Actions, only half of the ? >>>> icon shows up. The field hides part of it. That made me wonder if the >>>> help text was incomplete or hidden. The only other ? icon on that page >>>> is User Enabled. >>>> >>>> >>>> _ >>>> keycloak-dev mailing list >>>> keycloak-dev at lists.jboss.org >>>> >>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev >>> >>> --- >>> Gabriel Cardoso >>> User Experience Designer @ Red Hat >>> >>> >>> >>> _ >>> keycloak-dev mailing list >>> keycloak-dev at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-dev >>> >> >> -- >> Bill Burke >> JBoss, a division of Red Hat >> http://bill.burkecentral.com >> _ >> keycloak-dev mailing list >> keycloak-dev at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-dev > > --- > Gabriel Cardoso > User Experience Designer @ Red Hat > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From bburke at redhat.com Thu Aug 14 12:21:54 2014 From: bburke at redhat.com (Bill Burke) Date: Thu, 14 Aug 2014 12:21:54 -0400 Subject: [keycloak-dev] tooltips started In-Reply-To: <53ECDA08.6030406@redhat.com> References: <53EA79E6.70103@redhat.com> <53EB645E.5040005@redhat.com> <83DC1700-FE7F-4C69-9948-B4CCE2E1A8C9@redhat.com> <53EBDBD0.7020901@redhat.com> <2FB341BD-B49A-4B08-9355-D84B6881E079@redhat.com> <53ECDA08.6030406@redhat.com> Message-ID: <53ECE222.4010004@redhat.com> Finally, another thing is that the tooltip box is really narrow too. Maybe that is fixable. On 8/14/2014 11:47 AM, Bill Burke wrote: > Ugh, let me rephrase last email... > > The problem is that when you put the info icon directly to the right of > the label, it sometimes appears in the next line by itself depending on > the length of the label. Extending the column style of the label helps > in some cases, in others the label can look even more weird when the > label text is long. > > On 8/14/2014 10:17 AM, Gabriel Cardoso wrote: >>> I like your proposals for the screen you mention. >> >> Cool! >> >>> But for other screens I like the tooltip icons to the right of the input >>> types as it gives a lot of space for the tooltip to appear in. I'll >>> switch the icon type. >> >> Triggers next to the labels are a PatternFly recommendation: " >> >> * Place triggers for user-activated help text (icons, links, or >> buttons) next to field labels and not input fields. >> >> Here is the part of the draft that talks about help: >> https://www.patternfly.org/wikis/patterns/pattern-development/draft-patterns/forms/#copy-help >> >>> Should we have a disable tooltips option? >> >> I don?t think so. User will just interact with them if he wants to. But >> place the tooltips in the console and we can evaluate if there is a not >> for this. >> >> Please let me know when you?re done with the tooltips, so I can review >> the console and make design adjustments :) >> >> Gabriel >> >>> On 8/13/2014 4:33 PM, Gabriel Cardoso wrote: >>>> Hi Bill, >>>> >>>> Here is my proposal: >>>> >>>> >>>> - Remove the tooltip from the heading and display it as a help text >>>> below. >>>> >>>> - Place the info icons close to the labels instead of inputs. Use icons >>>> from font awesome: >>>> http://fortawesome.github.io/Font-Awesome/icon/info-circle/ >>>> >>>> - Use tooltips placed at the top, so the user can still see the input on >>>> the right. >>>> >>>> I believe you don?t need some tooltips. In this page, for instance, >>>> available roles and application is pretty obvious (my opinion). >>>> >>>> Patternfly is working on this. Here an excerpt of their draft: "To >>>> ensure that it remains effective and useful, use help text sparingly in >>>> your forms. Striving to minimize the amount of help text on your forms >>>> will push you toward better design solutions. Use help text to explain >>>> unfamiliar fields (particularly for new or infrequent users) or syntax >>>> for complex fields. Don?t use help text to compensate for the >>>> shortcomings of your forms." >>>> >>>> Gabriel >>>> >>>> On Aug 13, 2014, at 10:13 AM, Stan Silvert >>> > wrote: >>>> >>>>> On 8/12/2014 4:32 PM, Bill Burke wrote: >>>>>> I did it for "Settings, Users, Roles" and their submenus. Let me know >>>>>> if you like them. Going to finish them up tomorrow. >>>>>> >>>>> This is a big usability improvement! >>>>> >>>>> I noticed that among Settings, Users, and Roles, there is still some >>>>> help text missing. Assume it's just work in progress? >>>>> >>>>> Under Users --> Attributes --> Required User Actions, only half of the ? >>>>> icon shows up. The field hides part of it. That made me wonder if the >>>>> help text was incomplete or hidden. The only other ? icon on that page >>>>> is User Enabled. >>>>> >>>>> >>>>> _ >>>>> keycloak-dev mailing list >>>>> keycloak-dev at lists.jboss.org >>>>> >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev >>>> >>>> --- >>>> Gabriel Cardoso >>>> User Experience Designer @ Red Hat >>>> >>>> >>>> >>>> _ >>>> keycloak-dev mailing list >>>> keycloak-dev at lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev >>>> >>> >>> -- >>> Bill Burke >>> JBoss, a division of Red Hat >>> http://bill.burkecentral.com >>> _ >>> keycloak-dev mailing list >>> keycloak-dev at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-dev >> >> --- >> Gabriel Cardoso >> User Experience Designer @ Red Hat >> > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From ssilvert at redhat.com Thu Aug 14 13:29:53 2014 From: ssilvert at redhat.com (Stan Silvert) Date: Thu, 14 Aug 2014 13:29:53 -0400 Subject: [keycloak-dev] keycloak-server.json Message-ID: <53ECF211.4050806@redhat.com> In the keycloak-server module, the keycloak-server.json file refers to the ExampleDS datasource[1] instead of KeycloakDS, which is used everywhere in the distribution. If we change this in the main build then we won't need to use the replacer[2] plugin in the dist. But before I push the change I'm wondering if there was a reason it was done that way? Nothing seems to break in the tests when I change it. Should I go ahead push the change? Stan [1] https://github.com/keycloak/keycloak/blob/master/server/src/main/resources/META-INF/keycloak-server.json#L68 [2] https://github.com/keycloak/keycloak/blob/master/distribution/war-zip/pom.xml#L52-73 From ssilvert at redhat.com Thu Aug 14 15:09:07 2014 From: ssilvert at redhat.com (Stan Silvert) Date: Thu, 14 Aug 2014 15:09:07 -0400 Subject: [keycloak-dev] URGENT BUG Message-ID: <53ED0953.6040907@redhat.com> Looks like saving a role is broken in the UI. Can someone confirm? Stan From bburke at redhat.com Thu Aug 14 16:28:35 2014 From: bburke at redhat.com (Bill Burke) Date: Thu, 14 Aug 2014 16:28:35 -0400 Subject: [keycloak-dev] URGENT BUG In-Reply-To: <53ED0953.6040907@redhat.com> References: <53ED0953.6040907@redhat.com> Message-ID: <53ED1BF3.2040701@redhat.com> I can create and save a role. Maybe i didn't take same steps as you. On 8/14/2014 3:09 PM, Stan Silvert wrote: > Looks like saving a role is broken in the UI. Can someone confirm? > > Stan > _ > keycloak-dev mailing list > keycloak-dev at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-dev > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From bburke at redhat.com Thu Aug 14 16:32:27 2014 From: bburke at redhat.com (Bill Burke) Date: Thu, 14 Aug 2014 16:32:27 -0400 Subject: [keycloak-dev] keycloak-server.json In-Reply-To: <53ECF211.4050806@redhat.com> References: <53ECF211.4050806@redhat.com> Message-ID: <53ED1CDB.8070503@redhat.com> It should refer to KeycloakDS. It is not a good practice to use ExampleDS as this is something the user will want to change probably. On 8/14/2014 1:29 PM, Stan Silvert wrote: > In the keycloak-server module, the keycloak-server.json file refers to > the ExampleDS datasource[1] instead of KeycloakDS, which is used > everywhere in the distribution. If we change this in the main build > then we won't need to use the replacer[2] plugin in the dist. > > But before I push the change I'm wondering if there was a reason it was > done that way? Nothing seems to break in the tests when I change it. > > Should I go ahead push the change? > > Stan > > [1] > https://github.com/keycloak/keycloak/blob/master/server/src/main/resources/META-INF/keycloak-server.json#L68 > [2] > https://github.com/keycloak/keycloak/blob/master/distribution/war-zip/pom.xml#L52-73 > _ > keycloak-dev mailing list > keycloak-dev at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-dev > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From ssilvert at redhat.com Thu Aug 14 17:27:57 2014 From: ssilvert at redhat.com (Stan Silvert) Date: Thu, 14 Aug 2014 17:27:57 -0400 Subject: [keycloak-dev] URGENT BUG In-Reply-To: <53ED1BF3.2040701@redhat.com> References: <53ED0953.6040907@redhat.com> <53ED1BF3.2040701@redhat.com> Message-ID: <53ED29DD.7030207@redhat.com> On 8/14/2014 4:28 PM, Bill Burke wrote: > I can create and save a role. Maybe i didn't take same steps as you. I just create an application then try to add a role. Realm roles work fine. This is an application role. It looks like the Save button isn't doing anything. Also, the Save and Cancel buttons are in the extreme lower right on that page. I have to scroll down to find them. > > On 8/14/2014 3:09 PM, Stan Silvert wrote: >> Looks like saving a role is broken in the UI. Can someone confirm? >> >> Stan >> _ >> keycloak-dev mailing list >> keycloak-dev at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-dev >> From ssilvert at redhat.com Thu Aug 14 17:52:49 2014 From: ssilvert at redhat.com (Stan Silvert) Date: Thu, 14 Aug 2014 17:52:49 -0400 Subject: [keycloak-dev] menu refactor, removed breadcrumbs In-Reply-To: <53EA2EAB.5000503@redhat.com> References: <53EA2EAB.5000503@redhat.com> Message-ID: <53ED2FB1.7090406@redhat.com> On 8/12/2014 11:11 AM, Bill Burke wrote: > Stian mentioned months and months ago that he thought breadcrumbs were > redundant. So...I removed them. If it doesn't cause other problems, I'd like to request the reinstatement of the bread crumbs. I've found that the breadcrumbs are not always redundant. Any time you choose something from a list and then from there you need to use another page with a list, you can get lost and need a lot of clicks to get back. I think the only time this is a problem right now is when adding a Role to an Application. But it will likely come up again in the future. Let's say I need to add several roles to an application. I'm in Applications --> MyApp --> Roles --> Add Role. To add a second role without breadcrumbs, I need to go all the way out and do several clicks: Click Applications on lefthand menu Find my App again in the (possibly long) list Click on Roles again Click Add If I still had breadcrumbs this task would always be two clicks instead of four or more. Also, forcing you to go all the way out to the lefthand menu and re-navigate the list seems wrong. > > Also, I added a top=level menu item "roles". This made the settings > submenu a bit smaller. > > Bill > From bburke at redhat.com Thu Aug 14 18:01:23 2014 From: bburke at redhat.com (Bill Burke) Date: Thu, 14 Aug 2014 18:01:23 -0400 Subject: [keycloak-dev] menu refactor, removed breadcrumbs In-Reply-To: <53ED2FB1.7090406@redhat.com> References: <53EA2EAB.5000503@redhat.com> <53ED2FB1.7090406@redhat.com> Message-ID: <53ED31B3.5030503@redhat.com> On 8/14/2014 5:52 PM, Stan Silvert wrote: > On 8/12/2014 11:11 AM, Bill Burke wrote: >> Stian mentioned months and months ago that he thought breadcrumbs were >> redundant. So...I removed them. > If it doesn't cause other problems, I'd like to request the > reinstatement of the bread crumbs. > > I've found that the breadcrumbs are not always redundant. Any time you > choose something from a list and then from there you need to use another > page with a list, you can get lost and need a lot of clicks to get > back. I think the only time this is a problem right now is when adding > a Role to an Application. But it will likely come up again in the future. > > Let's say I need to add several roles to an application. I'm in > Applications --> MyApp --> Roles --> Add Role. > > To add a second role without breadcrumbs, I need to go all the way out > and do several clicks: > Click Applications on lefthand menu > Find my App again in the (possibly long) list > Click on Roles again > Click Add > > If I still had breadcrumbs this task would always be two clicks instead > of four or more. Also, forcing you to go all the way out to the > lefthand menu and re-navigate the list seems wrong. > Thanks stan, i'll look into stuff and your role bug. -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From bburke at redhat.com Thu Aug 14 18:47:59 2014 From: bburke at redhat.com (Bill Burke) Date: Thu, 14 Aug 2014 18:47:59 -0400 Subject: [keycloak-dev] menu refactor, removed breadcrumbs In-Reply-To: <53ED31B3.5030503@redhat.com> References: <53EA2EAB.5000503@redhat.com> <53ED2FB1.7090406@redhat.com> <53ED31B3.5030503@redhat.com> Message-ID: <53ED3C9F.5060203@redhat.com> Ok, application and oauth client breadcrumbs added back. I fixed the add role problems. On 8/14/2014 6:01 PM, Bill Burke wrote: > > > On 8/14/2014 5:52 PM, Stan Silvert wrote: >> On 8/12/2014 11:11 AM, Bill Burke wrote: >>> Stian mentioned months and months ago that he thought breadcrumbs were >>> redundant. So...I removed them. >> If it doesn't cause other problems, I'd like to request the >> reinstatement of the bread crumbs. >> >> I've found that the breadcrumbs are not always redundant. Any time you >> choose something from a list and then from there you need to use another >> page with a list, you can get lost and need a lot of clicks to get >> back. I think the only time this is a problem right now is when adding >> a Role to an Application. But it will likely come up again in the future. >> >> Let's say I need to add several roles to an application. I'm in >> Applications --> MyApp --> Roles --> Add Role. >> >> To add a second role without breadcrumbs, I need to go all the way out >> and do several clicks: >> Click Applications on lefthand menu >> Find my App again in the (possibly long) list >> Click on Roles again >> Click Add >> >> If I still had breadcrumbs this task would always be two clicks instead >> of four or more. Also, forcing you to go all the way out to the >> lefthand menu and re-navigate the list seems wrong. >> > > Thanks stan, i'll look into stuff and your role bug. > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From ssilvert at redhat.com Fri Aug 15 08:32:07 2014 From: ssilvert at redhat.com (Stan Silvert) Date: Fri, 15 Aug 2014 08:32:07 -0400 Subject: [keycloak-dev] menu refactor, removed breadcrumbs In-Reply-To: <53ED3C9F.5060203@redhat.com> References: <53EA2EAB.5000503@redhat.com> <53ED2FB1.7090406@redhat.com> <53ED31B3.5030503@redhat.com> <53ED3C9F.5060203@redhat.com> Message-ID: <53EDFDC7.5060802@redhat.com> On 8/14/2014 6:47 PM, Bill Burke wrote: > Ok, application and oauth client breadcrumbs added back. I fixed the > add role problems. Thanks Bill! Looks like it's working now. > > On 8/14/2014 6:01 PM, Bill Burke wrote: >> >> On 8/14/2014 5:52 PM, Stan Silvert wrote: >>> On 8/12/2014 11:11 AM, Bill Burke wrote: >>>> Stian mentioned months and months ago that he thought breadcrumbs were >>>> redundant. So...I removed them. >>> If it doesn't cause other problems, I'd like to request the >>> reinstatement of the bread crumbs. >>> >>> I've found that the breadcrumbs are not always redundant. Any time you >>> choose something from a list and then from there you need to use another >>> page with a list, you can get lost and need a lot of clicks to get >>> back. I think the only time this is a problem right now is when adding >>> a Role to an Application. But it will likely come up again in the future. >>> >>> Let's say I need to add several roles to an application. I'm in >>> Applications --> MyApp --> Roles --> Add Role. >>> >>> To add a second role without breadcrumbs, I need to go all the way out >>> and do several clicks: >>> Click Applications on lefthand menu >>> Find my App again in the (possibly long) list >>> Click on Roles again >>> Click Add >>> >>> If I still had breadcrumbs this task would always be two clicks instead >>> of four or more. Also, forcing you to go all the way out to the >>> lefthand menu and re-navigate the list seems wrong. >>> >> Thanks stan, i'll look into stuff and your role bug. >> From gcardoso at redhat.com Fri Aug 15 08:44:57 2014 From: gcardoso at redhat.com (Gabriel Cardoso) Date: Fri, 15 Aug 2014 09:44:57 -0300 Subject: [keycloak-dev] menu refactor, removed breadcrumbs In-Reply-To: <53EDFDC7.5060802@redhat.com> References: <53EA2EAB.5000503@redhat.com> <53ED2FB1.7090406@redhat.com> <53ED31B3.5030503@redhat.com> <53ED3C9F.5060203@redhat.com> <53EDFDC7.5060802@redhat.com> Message-ID: <33D691C5-B7F0-445A-81FF-4AEE39D7A732@redhat.com> I always believed in the breadcrumbs :) On Aug 15, 2014, at 9:32 AM, Stan Silvert wrote: > On 8/14/2014 6:47 PM, Bill Burke wrote: >> Ok, application and oauth client breadcrumbs added back. I fixed the >> add role problems. > Thanks Bill! Looks like it's working now. > >> >> On 8/14/2014 6:01 PM, Bill Burke wrote: >>> >>> On 8/14/2014 5:52 PM, Stan Silvert wrote: >>>> On 8/12/2014 11:11 AM, Bill Burke wrote: >>>>> Stian mentioned months and months ago that he thought breadcrumbs were >>>>> redundant. So...I removed them. >>>> If it doesn't cause other problems, I'd like to request the >>>> reinstatement of the bread crumbs. >>>> >>>> I've found that the breadcrumbs are not always redundant. Any time you >>>> choose something from a list and then from there you need to use another >>>> page with a list, you can get lost and need a lot of clicks to get >>>> back. I think the only time this is a problem right now is when adding >>>> a Role to an Application. But it will likely come up again in the future. >>>> >>>> Let's say I need to add several roles to an application. I'm in >>>> Applications --> MyApp --> Roles --> Add Role. >>>> >>>> To add a second role without breadcrumbs, I need to go all the way out >>>> and do several clicks: >>>> Click Applications on lefthand menu >>>> Find my App again in the (possibly long) list >>>> Click on Roles again >>>> Click Add >>>> >>>> If I still had breadcrumbs this task would always be two clicks instead >>>> of four or more. Also, forcing you to go all the way out to the >>>> lefthand menu and re-navigate the list seems wrong. >>>> >>> Thanks stan, i'll look into stuff and your role bug. >>> > > _ > keycloak-dev mailing list > keycloak-dev at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-dev --- Gabriel Cardoso User Experience Designer @ Red Hat -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-dev/attachments/20140815/8457404a/attachment-0001.html From ssilvert at redhat.com Tue Aug 19 15:37:20 2014 From: ssilvert at redhat.com (Stan Silvert) Date: Tue, 19 Aug 2014 15:37:20 -0400 Subject: [keycloak-dev] May need a hold on RC1 Message-ID: <53F3A770.9020902@redhat.com> I don't know if you are still planning to do the release on Thursday, but I want to give you a heads up that the subsystem might not be ready by then. They've made a change to the WildFly controller API that breaks backwards compatibility in our subsystem. Hopefully, this can be resolved quickly, but I wanted to let everyone know just in case it takes longer. Stan From bburke at redhat.com Tue Aug 19 16:15:01 2014 From: bburke at redhat.com (Bill Burke) Date: Tue, 19 Aug 2014 16:15:01 -0400 Subject: [keycloak-dev] May need a hold on RC1 In-Reply-To: <53F3A770.9020902@redhat.com> References: <53F3A770.9020902@redhat.com> Message-ID: <53F3B045.3050103@redhat.com> I am still doing rc1 on thursday. Can you log a JIRA on this so I can schedule it for 1.0.Final? Will our new subsystem be compatible with older versions of Wildfly? On 8/19/2014 3:37 PM, Stan Silvert wrote: > I don't know if you are still planning to do the release on Thursday, > but I want to give you a heads up that the subsystem might not be ready > by then. > > They've made a change to the WildFly controller API that breaks > backwards compatibility in our subsystem. Hopefully, this can be > resolved quickly, but I wanted to let everyone know just in case it > takes longer. > > Stan > _ > keycloak-dev mailing list > keycloak-dev at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-dev > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From ssilvert at redhat.com Tue Aug 19 22:53:16 2014 From: ssilvert at redhat.com (Stan Silvert) Date: Tue, 19 Aug 2014 22:53:16 -0400 Subject: [keycloak-dev] May need a hold on RC1 In-Reply-To: <53F3B045.3050103@redhat.com> References: <53F3A770.9020902@redhat.com> <53F3B045.3050103@redhat.com> Message-ID: <53F40D9C.3010901@redhat.com> On 8/19/2014 4:15 PM, Bill Burke wrote: > I am still doing rc1 on thursday. Can you log a JIRA on this so I can > schedule it for 1.0.Final? > > Will our new subsystem be compatible with older versions of Wildfly? That's one of the things I'm worried about. I'll do my best to get it resolved as quickly as possible. > > On 8/19/2014 3:37 PM, Stan Silvert wrote: >> I don't know if you are still planning to do the release on Thursday, >> but I want to give you a heads up that the subsystem might not be ready >> by then. >> >> They've made a change to the WildFly controller API that breaks >> backwards compatibility in our subsystem. Hopefully, this can be >> resolved quickly, but I wanted to let everyone know just in case it >> takes longer. >> >> Stan >> _ >> keycloak-dev mailing list >> keycloak-dev at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-dev >> From bburke at redhat.com Tue Aug 19 23:20:03 2014 From: bburke at redhat.com (Bill Burke) Date: Tue, 19 Aug 2014 23:20:03 -0400 Subject: [keycloak-dev] May need a hold on RC1 In-Reply-To: <53F40D9C.3010901@redhat.com> References: <53F3A770.9020902@redhat.com> <53F3B045.3050103@redhat.com> <53F40D9C.3010901@redhat.com> Message-ID: <53F413E3.5090609@redhat.com> On 8/19/2014 10:53 PM, Stan Silvert wrote: > On 8/19/2014 4:15 PM, Bill Burke wrote: >> I am still doing rc1 on thursday. Can you log a JIRA on this so I can >> schedule it for 1.0.Final? >> >> Will our new subsystem be compatible with older versions of Wildfly? > That's one of the things I'm worried about. I'll do my best to get it > resolved as quickly as possible. If it is not compatible, then we need to fork the subsystem code to support both. -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From matzew at apache.org Wed Aug 20 13:02:27 2014 From: matzew at apache.org (Matthias Wessendorf) Date: Wed, 20 Aug 2014 19:02:27 +0200 Subject: [keycloak-dev] Account Management Cancel buttons still validate form Message-ID: Hi, we noticed a little issue on the "account management" view. In the Account Management section of the UPS, when clicking "cancel" for any of the forms, the form is still trying to be validated. And also, on the top the "link" back to the "UPS console" is then missing, after the validation error. Has one noticed the same problem? We noticed this with Beta4 and the lastest of RC-1. Thanks, Matthias [1] https://issues.jboss.org/browse/AGPUSH-950 -- Matthias Wessendorf blog: http://matthiaswessendorf.wordpress.com/ sessions: http://www.slideshare.net/mwessendorf twitter: http://twitter.com/mwessendorf -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-dev/attachments/20140820/b6f7a389/attachment.html From bburke at redhat.com Wed Aug 20 13:33:04 2014 From: bburke at redhat.com (Bill Burke) Date: Wed, 20 Aug 2014 13:33:04 -0400 Subject: [keycloak-dev] Account Management Cancel buttons still validate form In-Reply-To: References: Message-ID: <53F4DBD0.4040405@redhat.com> I see this too. Fixing... Release later today, FYI. We'll probably do an RC2 next week too. On 8/20/2014 1:02 PM, Matthias Wessendorf wrote: > Hi, > > we noticed a little issue on the "account management" view. > > In the Account Management section of the UPS, when clicking "cancel" for > any of the forms, the form is still trying to be validated. > > And also, on the top the "link" back to the "UPS console" is then > missing, after the validation error. > > Has one noticed the same problem? We noticed this with Beta4 and the > lastest of RC-1. > > Thanks, > Matthias > > [1] https://issues.jboss.org/browse/AGPUSH-950 > > > -- > Matthias Wessendorf > > blog: http://matthiaswessendorf.wordpress.com/ > sessions: http://www.slideshare.net/mwessendorf > twitter: http://twitter.com/mwessendorf > > > _ > keycloak-dev mailing list > keycloak-dev at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-dev > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From bburke at redhat.com Wed Aug 20 14:37:47 2014 From: bburke at redhat.com (Bill Burke) Date: Wed, 20 Aug 2014 14:37:47 -0400 Subject: [keycloak-dev] Account Management Cancel buttons still validate form In-Reply-To: References: Message-ID: <53F4EAFB.5070500@redhat.com> Fix incoming. Doign a release right after. On 8/20/2014 1:02 PM, Matthias Wessendorf wrote: > Hi, > > we noticed a little issue on the "account management" view. > > In the Account Management section of the UPS, when clicking "cancel" for > any of the forms, the form is still trying to be validated. > > And also, on the top the "link" back to the "UPS console" is then > missing, after the validation error. > > Has one noticed the same problem? We noticed this with Beta4 and the > lastest of RC-1. > > Thanks, > Matthias > > [1] https://issues.jboss.org/browse/AGPUSH-950 > > > -- > Matthias Wessendorf > > blog: http://matthiaswessendorf.wordpress.com/ > sessions: http://www.slideshare.net/mwessendorf > twitter: http://twitter.com/mwessendorf > > > _ > keycloak-dev mailing list > keycloak-dev at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-dev > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From matzew at apache.org Wed Aug 20 15:02:33 2014 From: matzew at apache.org (Matthias Wessendorf) Date: Wed, 20 Aug 2014 21:02:33 +0200 Subject: [keycloak-dev] Account Management Cancel buttons still validate form In-Reply-To: <53F4EAFB.5070500@redhat.com> References: <53F4EAFB.5070500@redhat.com> Message-ID: Alright! thanks a lot! BTW. for proper release notes, I have moved the bug over to your JIRA instance: https://issues.jboss.org/browse/KEYCLOAK-638 On Wed, Aug 20, 2014 at 8:37 PM, Bill Burke wrote: > Fix incoming. Doign a release right after. > > On 8/20/2014 1:02 PM, Matthias Wessendorf wrote: > > Hi, > > > > we noticed a little issue on the "account management" view. > > > > In the Account Management section of the UPS, when clicking "cancel" for > > any of the forms, the form is still trying to be validated. > > > > And also, on the top the "link" back to the "UPS console" is then > > missing, after the validation error. > > > > Has one noticed the same problem? We noticed this with Beta4 and the > > lastest of RC-1. > > > > Thanks, > > Matthias > > > > [1] https://issues.jboss.org/browse/AGPUSH-950 > > > > > > -- > > Matthias Wessendorf > > > > blog: http://matthiaswessendorf.wordpress.com/ > > sessions: http://www.slideshare.net/mwessendorf > > twitter: http://twitter.com/mwessendorf > > > > > > _ > > keycloak-dev mailing list > > keycloak-dev at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-dev > > > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > _ > keycloak-dev mailing list > keycloak-dev at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-dev > -- Matthias Wessendorf blog: http://matthiaswessendorf.wordpress.com/ sessions: http://www.slideshare.net/mwessendorf twitter: http://twitter.com/mwessendorf -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-dev/attachments/20140820/33a14c5f/attachment.html From bburke at redhat.com Wed Aug 20 16:20:10 2014 From: bburke at redhat.com (Bill Burke) Date: Wed, 20 Aug 2014 16:20:10 -0400 Subject: [keycloak-dev] 1.0 RC 1 released Message-ID: <53F502FA.6030103@redhat.com> We're getting closer to 1.0.Final and are still scheduled for a final release 2nd week of September. -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From bburke at redhat.com Wed Aug 20 16:25:42 2014 From: bburke at redhat.com (Bill Burke) Date: Wed, 20 Aug 2014 16:25:42 -0400 Subject: [keycloak-dev] [keycloak-user] 1.0 RC 1 released In-Reply-To: <53F50360.1090805@redhat.com> References: <53F502FA.6030103@redhat.com> <53F50360.1090805@redhat.com> Message-ID: <53F50446.2010608@redhat.com> No, I'm not exactly sure how to do it and don't want to screw it up when Stian isn't here. On 8/20/2014 4:21 PM, Steven Pousty wrote: > This is awesome - Has the OpenShift cartridge been updated? > Thanks > Steve > On 08/20/2014 01:20 PM, Bill Burke wrote: >> We're getting closer to 1.0.Final and are still scheduled for a final >> release 2nd week of September. >> > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com From matzew at apache.org Thu Aug 21 08:00:25 2014 From: matzew at apache.org (Matthias Wessendorf) Date: Thu, 21 Aug 2014 14:00:25 +0200 Subject: [keycloak-dev] 1.0 RC 1 released In-Reply-To: <53F502FA.6030103@redhat.com> References: <53F502FA.6030103@redhat.com> Message-ID: awesome work guys! our 1.0.0.Final is using the RC-1; During september we might have some 1.0.x releases, mainly to pickup updated dependencies (e.g. new versions of keycloak and others) and, if needed, fixes. Thanks a lot for the great support to the AeroGear team! -Matthias On Wed, Aug 20, 2014 at 10:20 PM, Bill Burke wrote: > We're getting closer to 1.0.Final and are still scheduled for a final > release 2nd week of September. > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > _ > keycloak-dev mailing list > keycloak-dev at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-dev > -- Matthias Wessendorf blog: http://matthiaswessendorf.wordpress.com/ sessions: http://www.slideshare.net/mwessendorf twitter: http://twitter.com/mwessendorf -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-dev/attachments/20140821/8cbbae41/attachment.html From ssilvert at redhat.com Fri Aug 22 13:54:05 2014 From: ssilvert at redhat.com (Stan Silvert) Date: Fri, 22 Aug 2014 13:54:05 -0400 Subject: [keycloak-dev] May need a hold on RC1 In-Reply-To: <53F3B045.3050103@redhat.com> References: <53F3A770.9020902@redhat.com> <53F3B045.3050103@redhat.com> Message-ID: <53F783BD.4080105@redhat.com> On 8/19/2014 4:15 PM, Bill Burke wrote: > I am still doing rc1 on thursday. Can you log a JIRA on this so I can > schedule it for 1.0.Final? Jira and PR created. See https://issues.jboss.org/browse/KEYCLOAK-642. > Will our new subsystem be compatible with older versions of Wildfly? Yes. It turns out that it will as long as we go ahead and compile the subsystem against the new version of the API. > > On 8/19/2014 3:37 PM, Stan Silvert wrote: >> I don't know if you are still planning to do the release on Thursday, >> but I want to give you a heads up that the subsystem might not be ready >> by then. >> >> They've made a change to the WildFly controller API that breaks >> backwards compatibility in our subsystem. Hopefully, this can be >> resolved quickly, but I wanted to let everyone know just in case it >> takes longer. >> >> Stan >> _ >> keycloak-dev mailing list >> keycloak-dev at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-dev >> From stian at redhat.com Tue Aug 26 04:19:46 2014 From: stian at redhat.com (Stian Thorgersen) Date: Tue, 26 Aug 2014 04:19:46 -0400 (EDT) Subject: [keycloak-dev] keycloak-server.json In-Reply-To: <53ED1CDB.8070503@redhat.com> References: <53ECF211.4050806@redhat.com> <53ED1CDB.8070503@redhat.com> Message-ID: <40555566.38380666.1409041186356.JavaMail.zimbra@redhat.com> The reason we had it like this is so you can deploy the server WAR to a plain WildFly without adding the datasource. I'm all for changing it, at least personally I very rarely deploy it this way and can easily create the datasource when I do. ----- Original Message ----- > From: "Bill Burke" > To: keycloak-dev at lists.jboss.org > Sent: Thursday, 14 August, 2014 10:32:27 PM > Subject: Re: [keycloak-dev] keycloak-server.json > > It should refer to KeycloakDS. It is not a good practice to use > ExampleDS as this is something the user will want to change probably. > > > On 8/14/2014 1:29 PM, Stan Silvert wrote: > > In the keycloak-server module, the keycloak-server.json file refers to > > the ExampleDS datasource[1] instead of KeycloakDS, which is used > > everywhere in the distribution. If we change this in the main build > > then we won't need to use the replacer[2] plugin in the dist. > > > > But before I push the change I'm wondering if there was a reason it was > > done that way? Nothing seems to break in the tests when I change it. > > > > Should I go ahead push the change? > > > > Stan > > > > [1] > > https://github.com/keycloak/keycloak/blob/master/server/src/main/resources/META-INF/keycloak-server.json#L68 > > [2] > > https://github.com/keycloak/keycloak/blob/master/distribution/war-zip/pom.xml#L52-73 > > _ > > keycloak-dev mailing list > > keycloak-dev at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-dev > > > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > _ > keycloak-dev mailing list > keycloak-dev at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-dev > From stian at redhat.com Tue Aug 26 04:24:23 2014 From: stian at redhat.com (Stian Thorgersen) Date: Tue, 26 Aug 2014 04:24:23 -0400 (EDT) Subject: [keycloak-dev] URGENT BUG In-Reply-To: <53ED29DD.7030207@redhat.com> References: <53ED0953.6040907@redhat.com> <53ED1BF3.2040701@redhat.com> <53ED29DD.7030207@redhat.com> Message-ID: <1326197707.38382073.1409041463886.JavaMail.zimbra@redhat.com> Do you still have issues with this? I just tried to create a new app + a role and it worked fine. Buttons are just on the bottom/right of the form as well (see attached screenshot). What browser are you using? Can you send a screenshot? ----- Original Message ----- > From: "Stan Silvert" > To: keycloak-dev at lists.jboss.org > Sent: Thursday, 14 August, 2014 11:27:57 PM > Subject: Re: [keycloak-dev] URGENT BUG > > On 8/14/2014 4:28 PM, Bill Burke wrote: > > I can create and save a role. Maybe i didn't take same steps as you. > I just create an application then try to add a role. Realm roles work > fine. This is an application role. > > It looks like the Save button isn't doing anything. Also, the Save and > Cancel buttons are in the extreme lower right on that page. I have to > scroll down to find them. > > > > > On 8/14/2014 3:09 PM, Stan Silvert wrote: > >> Looks like saving a role is broken in the UI. Can someone confirm? > >> > >> Stan > >> _ > >> keycloak-dev mailing list > >> keycloak-dev at lists.jboss.org > >> https://lists.jboss.org/mailman/listinfo/keycloak-dev > >> > > _ > keycloak-dev mailing list > keycloak-dev at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-dev > -------------- next part -------------- A non-text attachment was scrubbed... Name: app-role.png Type: image/png Size: 37456 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-dev/attachments/20140826/06f87903/attachment-0001.png From ssilvert at redhat.com Tue Aug 26 08:19:16 2014 From: ssilvert at redhat.com (Stan Silvert) Date: Tue, 26 Aug 2014 08:19:16 -0400 Subject: [keycloak-dev] keycloak-server.json In-Reply-To: <40555566.38380666.1409041186356.JavaMail.zimbra@redhat.com> References: <53ECF211.4050806@redhat.com> <53ED1CDB.8070503@redhat.com> <40555566.38380666.1409041186356.JavaMail.zimbra@redhat.com> Message-ID: <53FC7B44.2090908@redhat.com> I'm glad you agree. We already made the change. On 8/26/2014 4:19 AM, Stian Thorgersen wrote: > The reason we had it like this is so you can deploy the server WAR to a plain WildFly without adding the datasource. > > I'm all for changing it, at least personally I very rarely deploy it this way and can easily create the datasource when I do. > > ----- Original Message ----- >> From: "Bill Burke" >> To: keycloak-dev at lists.jboss.org >> Sent: Thursday, 14 August, 2014 10:32:27 PM >> Subject: Re: [keycloak-dev] keycloak-server.json >> >> It should refer to KeycloakDS. It is not a good practice to use >> ExampleDS as this is something the user will want to change probably. >> >> >> On 8/14/2014 1:29 PM, Stan Silvert wrote: >>> In the keycloak-server module, the keycloak-server.json file refers to >>> the ExampleDS datasource[1] instead of KeycloakDS, which is used >>> everywhere in the distribution. If we change this in the main build >>> then we won't need to use the replacer[2] plugin in the dist. >>> >>> But before I push the change I'm wondering if there was a reason it was >>> done that way? Nothing seems to break in the tests when I change it. >>> >>> Should I go ahead push the change? >>> >>> Stan >>> >>> [1] >>> https://github.com/keycloak/keycloak/blob/master/server/src/main/resources/META-INF/keycloak-server.json#L68 >>> [2] >>> https://github.com/keycloak/keycloak/blob/master/distribution/war-zip/pom.xml#L52-73 >>> _ >>> keycloak-dev mailing list >>> keycloak-dev at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-dev >>> >> -- >> Bill Burke >> JBoss, a division of Red Hat >> http://bill.burkecentral.com >> _ >> keycloak-dev mailing list >> keycloak-dev at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-dev >> > _ > keycloak-dev mailing list > keycloak-dev at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-dev From ssilvert at redhat.com Tue Aug 26 08:20:47 2014 From: ssilvert at redhat.com (Stan Silvert) Date: Tue, 26 Aug 2014 08:20:47 -0400 Subject: [keycloak-dev] URGENT BUG In-Reply-To: <1326197707.38382073.1409041463886.JavaMail.zimbra@redhat.com> References: <53ED0953.6040907@redhat.com> <53ED1BF3.2040701@redhat.com> <53ED29DD.7030207@redhat.com> <1326197707.38382073.1409041463886.JavaMail.zimbra@redhat.com> Message-ID: <53FC7B9F.6020709@redhat.com> Bill fixed it awhile ago. Works fine now. On 8/26/2014 4:24 AM, Stian Thorgersen wrote: > Do you still have issues with this? I just tried to create a new app + a role and it worked fine. Buttons are just on the bottom/right of the form as well (see attached screenshot). > > What browser are you using? Can you send a screenshot? > > ----- Original Message ----- >> From: "Stan Silvert" >> To: keycloak-dev at lists.jboss.org >> Sent: Thursday, 14 August, 2014 11:27:57 PM >> Subject: Re: [keycloak-dev] URGENT BUG >> >> On 8/14/2014 4:28 PM, Bill Burke wrote: >>> I can create and save a role. Maybe i didn't take same steps as you. >> I just create an application then try to add a role. Realm roles work >> fine. This is an application role. >> >> It looks like the Save button isn't doing anything. Also, the Save and >> Cancel buttons are in the extreme lower right on that page. I have to >> scroll down to find them. >> >>> On 8/14/2014 3:09 PM, Stan Silvert wrote: >>>> Looks like saving a role is broken in the UI. Can someone confirm? >>>> >>>> Stan >>>> _ >>>> keycloak-dev mailing list >>>> keycloak-dev at lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev >>>> >> _ >> keycloak-dev mailing list >> keycloak-dev at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-dev >> From ssilvert at redhat.com Tue Aug 26 08:27:08 2014 From: ssilvert at redhat.com (Stan Silvert) Date: Tue, 26 Aug 2014 08:27:08 -0400 Subject: [keycloak-dev] URGENT BUG In-Reply-To: <53FC7B9F.6020709@redhat.com> References: <53ED0953.6040907@redhat.com> <53ED1BF3.2040701@redhat.com> <53ED29DD.7030207@redhat.com> <1326197707.38382073.1409041463886.JavaMail.zimbra@redhat.com> <53FC7B9F.6020709@redhat.com> Message-ID: <53FC7D1C.2070906@redhat.com> BTW, it was very diligent of you to follow up on these older issues. Thanks. On 8/26/2014 8:20 AM, Stan Silvert wrote: > Bill fixed it awhile ago. Works fine now. > > On 8/26/2014 4:24 AM, Stian Thorgersen wrote: >> Do you still have issues with this? I just tried to create a new app + a role and it worked fine. Buttons are just on the bottom/right of the form as well (see attached screenshot). >> >> What browser are you using? Can you send a screenshot? >> >> ----- Original Message ----- >>> From: "Stan Silvert" >>> To: keycloak-dev at lists.jboss.org >>> Sent: Thursday, 14 August, 2014 11:27:57 PM >>> Subject: Re: [keycloak-dev] URGENT BUG >>> >>> On 8/14/2014 4:28 PM, Bill Burke wrote: >>>> I can create and save a role. Maybe i didn't take same steps as you. >>> I just create an application then try to add a role. Realm roles work >>> fine. This is an application role. >>> >>> It looks like the Save button isn't doing anything. Also, the Save and >>> Cancel buttons are in the extreme lower right on that page. I have to >>> scroll down to find them. >>> >>>> On 8/14/2014 3:09 PM, Stan Silvert wrote: >>>>> Looks like saving a role is broken in the UI. Can someone confirm? >>>>> >>>>> Stan >>>>> _ >>>>> keycloak-dev mailing list >>>>> keycloak-dev at lists.jboss.org >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev >>>>> >>> _ >>> keycloak-dev mailing list >>> keycloak-dev at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-dev >>> > _ > keycloak-dev mailing list > keycloak-dev at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-dev From stian at redhat.com Tue Aug 26 08:35:20 2014 From: stian at redhat.com (Stian Thorgersen) Date: Tue, 26 Aug 2014 08:35:20 -0400 (EDT) Subject: [keycloak-dev] URGENT BUG In-Reply-To: <53FC7D1C.2070906@redhat.com> References: <53ED0953.6040907@redhat.com> <53ED1BF3.2040701@redhat.com> <53ED29DD.7030207@redhat.com> <1326197707.38382073.1409041463886.JavaMail.zimbra@redhat.com> <53FC7B9F.6020709@redhat.com> <53FC7D1C.2070906@redhat.com> Message-ID: <1882024875.38548311.1409056520235.JavaMail.zimbra@redhat.com> It's just me not wanting to do proper work on the first day back after holiday ;) ----- Original Message ----- > From: "Stan Silvert" > To: keycloak-dev at lists.jboss.org > Sent: Tuesday, 26 August, 2014 2:27:08 PM > Subject: Re: [keycloak-dev] URGENT BUG > > BTW, it was very diligent of you to follow up on these older issues. > Thanks. > > On 8/26/2014 8:20 AM, Stan Silvert wrote: > > Bill fixed it awhile ago. Works fine now. > > > > On 8/26/2014 4:24 AM, Stian Thorgersen wrote: > >> Do you still have issues with this? I just tried to create a new app + a > >> role and it worked fine. Buttons are just on the bottom/right of the form > >> as well (see attached screenshot). > >> > >> What browser are you using? Can you send a screenshot? > >> > >> ----- Original Message ----- > >>> From: "Stan Silvert" > >>> To: keycloak-dev at lists.jboss.org > >>> Sent: Thursday, 14 August, 2014 11:27:57 PM > >>> Subject: Re: [keycloak-dev] URGENT BUG > >>> > >>> On 8/14/2014 4:28 PM, Bill Burke wrote: > >>>> I can create and save a role. Maybe i didn't take same steps as you. > >>> I just create an application then try to add a role. Realm roles work > >>> fine. This is an application role. > >>> > >>> It looks like the Save button isn't doing anything. Also, the Save and > >>> Cancel buttons are in the extreme lower right on that page. I have to > >>> scroll down to find them. > >>> > >>>> On 8/14/2014 3:09 PM, Stan Silvert wrote: > >>>>> Looks like saving a role is broken in the UI. Can someone confirm? > >>>>> > >>>>> Stan > >>>>> _ > >>>>> keycloak-dev mailing list > >>>>> keycloak-dev at lists.jboss.org > >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev > >>>>> > >>> _ > >>> keycloak-dev mailing list > >>> keycloak-dev at lists.jboss.org > >>> https://lists.jboss.org/mailman/listinfo/keycloak-dev > >>> > > _ > > keycloak-dev mailing list > > keycloak-dev at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-dev > > _ > keycloak-dev mailing list > keycloak-dev at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-dev > From alarik at zwift.com Tue Aug 26 20:52:48 2014 From: alarik at zwift.com (Alarik Myrin) Date: Tue, 26 Aug 2014 20:52:48 -0400 Subject: [keycloak-dev] Private Key encryption Message-ID: Does anyone think it would be a good idea to store the private key encrypted? This would require a separate secret, presumably stored in a configuration file, or using the PicketLink Vault Tool, to decrypt the private key for use. Anyone who can get the private key can start issuing access tokens to whatever resources they want. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-dev/attachments/20140826/c16fe3ea/attachment.html From alarik at zwift.com Tue Aug 26 21:08:42 2014 From: alarik at zwift.com (Alarik Myrin) Date: Tue, 26 Aug 2014 21:08:42 -0400 Subject: [keycloak-dev] Private Key encryption In-Reply-To: References: Message-ID: ...sorry, and by "private key" I mean the realm private key. On Tue, Aug 26, 2014 at 8:52 PM, Alarik Myrin wrote: > Does anyone think it would be a good idea to store the private key > encrypted? This would require a separate secret, presumably stored in a > configuration file, or using the PicketLink Vault Tool, to decrypt the > private key for use. Anyone who can get the private key can start issuing > access tokens to whatever resources they want. > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-dev/attachments/20140826/45a4cef8/attachment.html From stian at redhat.com Wed Aug 27 02:10:06 2014 From: stian at redhat.com (Stian Thorgersen) Date: Wed, 27 Aug 2014 02:10:06 -0400 (EDT) Subject: [keycloak-dev] Private Key encryption In-Reply-To: References: Message-ID: <1244568173.39079347.1409119806047.JavaMail.zimbra@redhat.com> Absolutely :) This is something we've been discussing and we aim to add it, but it'll be after 1.0.final is released. ----- Original Message ----- > From: "Alarik Myrin" > To: keycloak-dev at lists.jboss.org > Sent: Wednesday, 27 August, 2014 3:08:42 AM > Subject: Re: [keycloak-dev] Private Key encryption > > ...sorry, and by "private key" I mean the realm private key. > > > On Tue, Aug 26, 2014 at 8:52 PM, Alarik Myrin < alarik at zwift.com > wrote: > > > > Does anyone think it would be a good idea to store the private key encrypted? > This would require a separate secret, presumably stored in a configuration > file, or using the PicketLink Vault Tool, to decrypt the private key for > use. Anyone who can get the private key can start issuing access tokens to > whatever resources they want. > > > _ > keycloak-dev mailing list > keycloak-dev at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-dev From stian at redhat.com Wed Aug 27 05:25:31 2014 From: stian at redhat.com (Stian Thorgersen) Date: Wed, 27 Aug 2014 05:25:31 -0400 (EDT) Subject: [keycloak-dev] Last release candidate before final In-Reply-To: <1994603101.39183045.1409131481337.JavaMail.zimbra@redhat.com> Message-ID: <244405983.39183513.1409131531861.JavaMail.zimbra@redhat.com> All, We aim to release RC-2 on Friday. This will hopefully be the last release candidate before 1.0.final is released, so please if you have any issues with RC-1 let us now asap. Regards, Stian From stian at redhat.com Thu Aug 28 06:01:08 2014 From: stian at redhat.com (Stian Thorgersen) Date: Thu, 28 Aug 2014 06:01:08 -0400 (EDT) Subject: [keycloak-dev] [keycloak-user] 1.0 RC 1 released In-Reply-To: <53F50360.1090805@redhat.com> References: <53F502FA.6030103@redhat.com> <53F50360.1090805@redhat.com> Message-ID: <1014493962.40068459.1409220068655.JavaMail.zimbra@redhat.com> OpenShift cartridge is now updated to 1.0 RC-1 ----- Original Message ----- > From: "Steven Pousty" > To: "Bill Burke" , keycloak-dev at lists.jboss.org, keycloak-user at lists.jboss.org > Sent: Wednesday, 20 August, 2014 10:21:52 PM > Subject: Re: [keycloak-user] 1.0 RC 1 released > > This is awesome - Has the OpenShift cartridge been updated? > Thanks > Steve > On 08/20/2014 01:20 PM, Bill Burke wrote: > > We're getting closer to 1.0.Final and are still scheduled for a final > > release 2nd week of September. > > > > _________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From stian at redhat.com Thu Aug 28 07:56:15 2014 From: stian at redhat.com (Stian Thorgersen) Date: Thu, 28 Aug 2014 07:56:15 -0400 (EDT) Subject: [keycloak-dev] Added password token for totp logins In-Reply-To: <1086598838.40123392.1409226771614.JavaMail.zimbra@redhat.com> Message-ID: <477026343.40125985.1409226975096.JavaMail.zimbra@redhat.com> In the past when authenticating a user with totp we used to include the username and password in plain-text in hidden input fields on the login-totp form. This was not good in case this html gets cached. I've improved this by adding a password-token type credential. The flow now is: 1. User logs in with username and password 2. Password is verified, if valid a password-token is generated (realm name, user id and timestamp encrypted with realm private key) 3. Redirect to login-totp, including password-token instead of password 4. User enters totp 5. Password token and totp is verified From stian at redhat.com Thu Aug 28 07:58:22 2014 From: stian at redhat.com (Stian Thorgersen) Date: Thu, 28 Aug 2014 07:58:22 -0400 (EDT) Subject: [keycloak-dev] Audit renamed to Event In-Reply-To: <876518151.40129467.1409227070911.JavaMail.zimbra@redhat.com> Message-ID: <628490821.40130124.1409227102374.JavaMail.zimbra@redhat.com> Audit has been renamed to Events. This change applies to: * AuditListener renamed to EventsListener * AuditProvider renamed to EventsStore * Admin console This was a fairly big change, which I wasn't really happy with doing now, but it needed to be done.