1.1 Beta 1 Monday?
by Bill Burke
Finish up as many JIRAs as possible, then release 1.1.Beta1 on Monday?
Nice feature list:
* Deep clustering support
* SAML 2.0 support
* Tomcat 7 adapter
* Multi-tenant adapter???
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
1.0.4.Final coming soon
by Stian Thorgersen
While fixing one security issue for 1.0.3.Final, I broke something.
If there's a hyphen in the domain name (for example OpenShift), login-status-iframe.html fails to load. Fix and release coming ASAP!
Proposed changes to access code
by Stian Thorgersen
We have a few issues with how we generate access codes:
* Abuse of RSA
* SHA-1 is no good
* Action + timestamp is guessable (this may just be theoretical)
* Both key and code query params sent in emails (making the links longer than necessary)
To resolve these issues I propose:
* When realm keys are updated we generate a realm code secret (UUID) - this is a secret required to create valid codes
* When the action and timestamp are updated we generate an action key (UUID) - this is a unique identifier for that specific action
Then an access code is created with:
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

// Hash the realm code secret together with the action key, then append the
// client session id so the server can look up the session to verify against.
MessageDigest digest = MessageDigest.getInstance("SHA-256");
digest.update(realm.getCodeSecret().getBytes(StandardCharsets.UTF_8));
digest.update("/".getBytes(StandardCharsets.UTF_8));
digest.update(clientSession.getActionKey().getBytes(StandardCharsets.UTF_8));
String hash = Base64Url.encode(digest.digest());
StringBuilder sb = new StringBuilder();
sb.append(hash);
sb.append(".");
sb.append(clientSession.getId());
String code = sb.toString();
An example access code will now be:
Ld_L-Ta-tSpQMxGimEIpM4rq57KoplcN_3QxujUsMlM.6d102340-a7fd-44b8-93fd-ed6a8e8a4a15
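The proposed scheme carried through end to end as an added example (not Keycloak's own code), written in Python rather than Java so it runs stand-alone: code generation as in the snippet above, plus the matching server-side check that the snippet leaves implicit. `REALM_CODE_SECRET` and the session/action-key values are constructed sample data, and the `sessions` dict stands in for the client-session store.

```python
import base64
import hashlib
import hmac
import uuid
from typing import Dict, Optional, Tuple

# Constructed sample value standing in for realm.getCodeSecret(); in the
# proposal this is a UUID regenerated whenever the realm keys are updated.
REALM_CODE_SECRET = "2f1c5c3a-8a1b-4d2e-9f0a-7b6c5d4e3f21"

def make_access_code(realm_code_secret: str, action_key: str, session_id: str) -> str:
    """base64url(SHA-256(codeSecret + "/" + actionKey)) + "." + sessionId,
    mirroring the Java snippet from the proposal."""
    digest = hashlib.sha256()
    digest.update(realm_code_secret.encode("utf-8"))
    digest.update(b"/")
    digest.update(action_key.encode("utf-8"))
    # Base64Url.encode in the proposal is unpadded, so strip the '=' padding.
    hash_part = base64.urlsafe_b64encode(digest.digest()).rstrip(b"=").decode("ascii")
    return f"{hash_part}.{session_id}"

def verify_access_code(code: str, realm_code_secret: str,
                       sessions: Dict[str, str]) -> Optional[str]:
    """Return the session id if `code` matches that session's *current* action
    key, else None. `sessions` maps session id -> current action key. Nothing in
    the code is trusted: the session id only selects which key to recompute with."""
    if code.count(".") != 1:
        return None
    _, session_id = code.split(".", 1)
    action_key = sessions.get(session_id)
    if action_key is None:
        return None
    expected = make_access_code(realm_code_secret, action_key, session_id)
    # Constant-time comparison: a plain == would leak how many leading
    # characters of the hash a guess got right.
    if not hmac.compare_digest(expected.encode("utf-8"), code.encode("utf-8")):
        return None
    return session_id

def demo() -> Tuple[bool, bool]:
    """Once the action (and so the action key) changes, an old code is rejected."""
    session_id = str(uuid.uuid4())
    sessions = {session_id: str(uuid.uuid4())}
    code = make_access_code(REALM_CODE_SECRET, sessions[session_id], session_id)
    valid_before = verify_access_code(code, REALM_CODE_SECRET, sessions) == session_id
    sessions[session_id] = str(uuid.uuid4())  # new action -> new action key
    valid_after = verify_access_code(code, REALM_CODE_SECRET, sessions) == session_id
    return valid_before, valid_after
```

Because the realm code secret never leaves the server, a valid code cannot be forged from the session id alone, which is what makes the single `code` query param sufficient in emailed links.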
AdapterTokenStore change
by Marek Posolda
Another change which is worth mentioning on the ML is AdapterTokenStore, introduced
for https://issues.jboss.org/browse/KEYCLOAK-702 .
* There is new option "token-store" in adapter-configuration with
possible values "session" and "cookie" .
* Default value is "session", which means that info about the authenticated
user is saved by the adapter in HttpSession (the same behaviour as before)
* The alternative "cookie" means that all token info is stored in a cookie,
which means that HttpSession is not created at all for the particular
application. It's an alternative useful for stateless applications, which
don't need HttpSession.
I've added AdapterTokenStore as an abstraction to handle
saving/loading/removing this account info.
Everything is again backwards compatible (existing apps are still saving
info in HttpSession and are not affected at all, as the default value is
"session", which is used if nothing is specified in the config)
Marek
Summary emails of work (especially refactoring)
by Stian Thorgersen
All,
Can we please write a summary of work that has been done and send it to the mailing lists? This especially applies to any refactoring or changing of existing functionality.
runit()
by Stian Thorgersen
Out of curiosity what is:
@Test
@Ignore
public void runit() throws Exception {
    Thread.sleep(10000000);
}
My poor brain can't come up with a single use for it ;)
application importers SPI
by Bill Burke
I created an admin SPI for importing applications. ApplicationImporter.
Basically it will allocate a JAX-RS service that can be referenced
under root/admin/realms/{realm}/application-importers/{id}
The admin console application list page now has an "import" button. This
brings you to a page where you can import one or more applications from
a selected format. Right now, I only support "SAML 2.0 Entity
Descriptor", but we should add one for our own JSON format, and OIDC too.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com