[keycloak-dev] Are we all set?
Marek Posolda
mposolda at redhat.com
Tue Sep 9 17:47:49 EDT 2014
Hi,
I am sorry I could not help more with the release, as I needed to work
especially on some portal-related stuff over the last weeks (hopefully it's gone
now)...
Found a couple of things:
* AccountService is actually broken for me in Chrome due to the latest CSRF
stuff. In FF it works fine, but in Chrome I can't update account or
password. For some reason Chrome is always adding the "Origin" header to the
update requests (even if they are not ajax requests). So the newly added
condition for CSRF in AccountService.init will always fail. I have
Chrome 37.0.2062.94 (64-bit).
* ServerInfo request (http://localhost:8080/auth/admin/serverinfo) is
not available with CORS. I've created JIRA
https://issues.jboss.org/browse/KEYCLOAK-670 and sent PR
https://github.com/keycloak/keycloak/pull/683 for this, which adds
authentication for ServerInfoAdminResource and then uses allowOrigins
from the authenticated bearer token. Admin console is already using
a bearer token for sending ServerInfo requests, so no changes are needed
here. I believe that ServerInfoAdminResource should be authenticated
(don't know why stuff like available social providers or themes should
be publicly available). Let me know if you are seeing issues with it. I did
not merge the PR so far, as the version in master is already changed to 1.0-Final,
so I'm not sure what the state of the release is.
* Realm public resource (http://localhost:8080/auth/realms/master) is
also not available for CORS requests. Not sure if this is an issue or
not? The thing is that unauthenticated requests can't use CORS at this
moment as I don't know what allowedOrigins to use. The only option is to
allow it for all allowedOrigins (send the same "Access-Control-Allow-Origin"
as the original value of the "Origin" header from the request).
* There is still quite a lot of INFO logging. For example, when I send
a product request from the cors-demo example I have 6 new INFO messages in
the log (mainly from the org.keycloak.adapters package).
I will continue with the testing tomorrow.
Marek
On 9.9.2014 20:01, Stian Thorgersen wrote:
> Yes - I'll do a round of testing tomorrow, but there's nothing outstanding I'm aware of
>
> ----- Original Message -----
>> From: "Bill Burke" <bburke at redhat.com>
>> To: keycloak-dev at lists.jboss.org
>> Sent: Tuesday, 9 September, 2014 7:30:16 PM
>> Subject: [keycloak-dev] Are we all set?
>>
>> can I start doing final testing and release Thursday?
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
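
An added example, not Keycloak's code and not part of this thread, illustrating the Origin problem from the first bullet: a CSRF check that rejects every request carrying an "Origin" header blocks Chrome's same-origin form posts, while comparing the header against the server's own origin does not. The class and method names, the assumed shape of the strict check, and the sample header values are all hypothetical.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;

public class OriginCheck {
    // Reduce a URL or Origin value to scheme://host:port with default ports
    // filled in. Returns null for anything unparseable, including the
    // literal "null" origin sent from opaque contexts.
    static String normalize(String value) {
        if (value == null) return null;
        try {
            URI u = new URI(value.trim());
            if (u.getScheme() == null || u.getHost() == null) return null;
            String scheme = u.getScheme().toLowerCase(Locale.ROOT);
            int port = u.getPort();
            if (port == -1) port = scheme.equals("https") ? 443 : scheme.equals("http") ? 80 : -1;
            return scheme + "://" + u.getHost().toLowerCase(Locale.ROOT) + ":" + port;
        } catch (URISyntaxException e) {
            return null;
        }
    }

    // Assumed shape of the failing condition: any Origin header is refused.
    static boolean strictAllows(String originHeader) {
        return originHeader == null;
    }

    // Same-origin comparison: a present header must match the server's origin.
    static boolean sameOriginAllows(String originHeader, String serverBaseUri) {
        // An absent header gives no cross-site evidence either way; other
        // CSRF defences have to cover that case.
        if (originHeader == null) return true;
        String expected = normalize(serverBaseUri);
        return expected != null && expected.equals(normalize(originHeader));
    }

    public static void main(String[] args) {
        String base = "http://localhost:8080/auth"; // base URL taken from the thread
        // Constructed sample Origin values: absent, same-origin (as Chrome sends
        // on form POSTs), case variant, foreign site, opaque origin.
        String[] origins = { null, "http://localhost:8080", "http://LOCALHOST:8080",
                             "http://other.example", "null" };
        for (String o : origins) {
            System.out.printf("Origin=%-24s strict=%-5b sameOrigin=%b%n",
                    o, strictAllows(o), sameOriginAllows(o, base));
        }
    }
}
```

The second and third sample values are the ones that separate the two checks: the strict variant refuses them, the same-origin variant accepts them, and both refuse the foreign and opaque origins.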