<div dir="ltr"><br><div class="gmail_extra"><br><br><div class="gmail_quote">On 26 February 2014 15:42, Stian Thorgersen <span dir="ltr"><<a href="mailto:stian@redhat.com" target="_blank">stian@redhat.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class=""><br>
<br>
----- Original Message -----<br>
> From: "Bill Burke" <<a href="mailto:bburke@redhat.com">bburke@redhat.com</a>><br>
</div><div class="">> To: "Stian Thorgersen" <<a href="mailto:stian@redhat.com">stian@redhat.com</a>><br>
> Cc: <a href="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a><br>
> Sent: Wednesday, 26 February, 2014 12:40:32 AM<br>
> Subject: Re: [keycloak-dev] 1.0 Final roadmap<br>
><br>
><br>
><br>
</div><div class="">> On 2/25/2014 12:44 PM, Stian Thorgersen wrote:<br>
> > See comments in-line<br>
> ><br>
> > Mobile adapters would be really good to have. If we can get help from the<br>
> > AeroGear team to do these, maybe we could include this as well? For<br>
> > simplicity we could just aim for a working Cordova example, but Android<br>
> > and iOS adapters would be great.<br></div></blockquote><div><br></div><div>Sure, we could give it a trial with our iOS adapter. </div><div>Android one is not yet available.</div><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="">
> ><br>
><br>
> Unless we get a community submission for mobile adapters, this is going<br>
> to have to wait as I'm not sure we have time. I also wanted Tomcat,<br>
> Jetty, Node.js, and JIRA adapters too, but those I think might have to wait.<br>
><br>
> > It would also be nice to make Keycloak more "embeddable". I'd like to be<br>
> > able to improve how Keycloak is embedded into LiveOak, but there's also<br>
> > the issue around WildFly console needing to embed it. Let's have a<br>
> > separate thread on this, but my current (updated) thinking is to utilize<br>
> > RestEasy, but to remove use of servlets.<br>
> ><br>
> > There's a whole bunch of JIRA issues with fix for beta1. In the effort to<br>
> > prune this list a bit, here's some I think we can postpone to later:<br>
> ><br>
><br>
> I vote we keep everything in JIRA until we start running out of time,<br>
> then we'll defer.<br>
><br>
> ><br>
> > Any particular reason for June?<br>
> ><br>
><br>
> Aerogear requirement to get us in product. Which is a good thing. :)<br>
<br>
</div>Nice :)<br>
<div class=""><br>
><br>
> ><br>
> > We probably need a separate thread to discuss this, but it's important that<br>
> > users can view what applications can currently access their account and<br>
> > revoke access to individual apps. This means we need to know what refresh<br>
> > tokens are valid, and which have been revoked by a user.<br>
> ><br>
><br>
> Crap. I forgot about this. Thanks for reminding me.<br>
><br>
> >> * Remember Me for social logins<br>
> >> * Federation of users/credentials with LDAP/AD. Hopefully through<br>
> >> Picketlink.<br>
> ><br>
> > Is this really required for the first release?<br>
><br>
> If we want to be considered in Middleware BU as an SSO solution, we need<br>
> this. Also will relieve some tensions with PL team hopefully if we<br>
> leverage their stuff.<br>
<br>
</div>Makes sense<br>
<div class=""><br>
><br>
> ><br>
> >> * User session management. Admin can logout a user.<br>
> >> * Audit log.<br>
> ><br>
> > Related things we'll need are brute force protection (including max failed<br>
> > login attempts before locking a user's account) and email notifications on<br>
> > certain events.<br>
> ><br>
><br>
> Wouldn't it be better just to add a 1 second sleep? Checking max failed<br>
> logins would require persistence per authentication.<br>
<br>
</div>I think it's something that's a hard requirement for anyone with really strong security needs. I'd assume it would be an optional feature.<br>
<br>
For audit we'll need to persist failed logins, maybe also last logins. We can piggy-back on that.<br>
<br>
Admins should be able to go to the admin console and view the recent audit logs. Users should also be able to see events related to their account.<br>
<div class="HOEnZb"><div class="h5"><br>
><br>
> --<br>
> Bill Burke<br>
> JBoss, a division of Red Hat<br>
> <a href="http://bill.burkecentral.com" target="_blank">http://bill.burkecentral.com</a><br>
><br>
_______________________________________________<br>
keycloak-dev mailing list<br>
<a href="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a><br>
</div></div></blockquote></div><br></div></div>