We also need to reduce info level log output from adapters. I did this for the server for
rc-2, but completely forgot about adapters. Marek is already working on this, and I guess
it shouldn't take very long.
----- Original Message -----
From: "Stian Thorgersen" <stian(a)redhat.com>
To: "Bill Burke" <bburke(a)redhat.com>
Cc: keycloak-dev(a)lists.jboss.org
Sent: Wednesday, 10 September, 2014 10:37:15 AM
Subject: Re: [keycloak-dev] Are we all set?
----- Original Message -----
> From: "Bill Burke" <bburke(a)redhat.com>
> To: "Marek Posolda" <mposolda(a)redhat.com>, "Stian Thorgersen" <stian(a)redhat.com>
> Cc: keycloak-dev(a)lists.jboss.org
> Sent: Wednesday, 10 September, 2014 3:09:20 AM
> Subject: Re: [keycloak-dev] Are we all set?
>
>
>
> On 9/9/2014 5:47 PM, Marek Posolda wrote:
> > Hi,
> >
> > I am sorry not to have helped more with the release, as I needed to work
> > especially on some portal related stuff in the last weeks (hopefully it's gone
> > now)...
> >
> > Found a couple of things:
> > * AccountService is actually broken for me in Chrome due to the latest CSRF
> > stuff. In FF it works fine, but in Chrome I can't update account or
> > password. For some reason Chrome is always adding the "Origin" header to the
> > update requests (even if they are not ajax requests). So the newly added
> > condition for CSRF in AccountService.init will always fail. I have
> > Chrome 37.0.2062.94 (64-bit).
> >
>
> Ok, I thought Origin header wasn't supposed to be sent with Browser
> requests. I can probably fix this by allowing same origin.
Added fix to allow same origin. I also added a check of the 'Referer' header to
make sure it's same origin as well.
>
>
> > * ServerInfo request (http://localhost:8080/auth/admin/serverinfo) is
> > not available with CORS. I've created JIRA
> > https://issues.jboss.org/browse/KEYCLOAK-670 and sent PR
> > https://github.com/keycloak/keycloak/pull/683 for this, which adds
> > authentication for ServerInfoAdminResource and then uses allowOrigins
> > from the authenticated bearer token. Admin console is already using
> > bearer token for sending ServerInfo requests, so no changes are needed
> > here. I believe that ServerInfoAdminResource should be authenticated
> > (don't know why stuff like available social providers or themes should
> > be publicly available). Let me know if you're seeing issues with it. I did
> > not merge the PR so far as the version in master is already changed to 1.0-Final,
> > so I'm not sure what the state of the release is.
> >
>
> Merge it.
>
> > * Realm public resource (http://localhost:8080/auth/realms/master) is
> > also not available for CORS requests. Not sure if this is an issue or
> > not? Thing is that unauthenticated requests can't use CORS at this
> > moment as I don't know what allowedOrigins to use. The only option is to
> > allow it for all allowedOrigins (send the same "Access-Control-Allow-Origin"
> > as the original value of the "Origin" header from the request)
> >
> > * There is still quite a lot of INFO logging. For example when I send a
> > product request from the cors-demo example I have 6 new INFO messages in
> > the log (mainly from org.keycloak.adapters package)
> >
>
> Ping me on your status tomorrow (Wednesday). I'll complete whatever you
> don't finish above.
>
> Thanks.
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
>
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
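The Origin/Referer handling discussed in the thread (Chrome sending "Origin" on plain form POSTs, the fix allowing same origin and also checking "Referer"), written out as an added illustration. This is not Keycloak's AccountService code; `SameOriginCheck`, `check` and `originOf` are hypothetical names, and the request URLs and header values in `main` are constructed samples.

```java
import java.net.URI;
import java.net.URISyntaxException;

/**
 * Hypothetical same-origin check for state-changing requests, modelled on the
 * discussion in the thread (not Keycloak's own implementation).
 *
 * Policy: if the browser sent an "Origin" header it must match the origin of
 * the request URL; if "Origin" is absent (e.g. Firefox on a plain form POST at
 * the time of the thread) fall back to "Referer"; if neither is present the
 * caller decides how to treat the request.
 */
public final class SameOriginCheck {

    /** Outcome of evaluating the Origin/Referer headers. */
    public enum Verdict { SAME_ORIGIN, CROSS_ORIGIN, NO_ORIGIN_INFO }

    private SameOriginCheck() {}

    /** Reduce an absolute URL to "scheme://host:port", filling in the default port. */
    static String originOf(String url) {
        try {
            URI u = new URI(url);
            if (u.getScheme() == null || u.getHost() == null) {
                return null; // relative URL, "null" origin, or garbage: no usable origin
            }
            String scheme = u.getScheme().toLowerCase();
            int port = u.getPort();
            if (port == -1) {
                port = "https".equals(scheme) ? 443 : 80;
            }
            return scheme + "://" + u.getHost().toLowerCase() + ":" + port;
        } catch (URISyntaxException e) {
            return null;
        }
    }

    /**
     * Compare the request's own origin with what the browser claims via
     * "Origin" (preferred) or "Referer" (fallback). Unparseable values fail closed.
     */
    public static Verdict check(String requestUrl, String originHeader, String refererHeader) {
        String expected = originOf(requestUrl);
        if (expected == null) {
            return Verdict.CROSS_ORIGIN;
        }
        if (originHeader != null && !originHeader.isEmpty()) {
            // Chrome adds "Origin" even to non-AJAX form posts, so a same-origin
            // value must be accepted here rather than treated as a CSRF attempt.
            return expected.equals(originOf(originHeader)) ? Verdict.SAME_ORIGIN : Verdict.CROSS_ORIGIN;
        }
        if (refererHeader != null && !refererHeader.isEmpty()) {
            return expected.equals(originOf(refererHeader)) ? Verdict.SAME_ORIGIN : Verdict.CROSS_ORIGIN;
        }
        return Verdict.NO_ORIGIN_INFO;
    }

    public static void main(String[] args) {
        // Constructed sample request and headers (not captured traffic).
        String req = "http://localhost:8080/auth/realms/master/account/";

        // Same-origin form POST with an "Origin" header, as Chrome sends it.
        System.out.println(check(req, "http://localhost:8080", null));

        // Form POST without "Origin" but with a same-origin "Referer".
        System.out.println(check(req, null, "http://localhost:8080/auth/realms/master/account/password"));

        // Request whose "Origin" names a different site.
        System.out.println(check(req, "http://other.example", null));

        // Neither header present: the caller must decide (reject, or rely on a token).
        System.out.println(check(req, null, null));
    }
}
```

"Origin" is consulted before "Referer" because browsers and proxies strip "Referer" far more often than "Origin"; a request carrying neither header yields `NO_ORIGIN_INFO` rather than a pass, so the calling code can reject it or require a separate anti-CSRF token instead of silently accepting it.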