Re: [keycloak-dev] Are we all set?

On 10.9.2014 16:53, Stian Thorgersen wrote: > ----- Original Message ----- >> From: "Bill Burke" <bburke(a)redhat.com&gt; >> To: "Marek Posolda" <mposolda(a)redhat.com&gt;, "Stian Thorgersen" >> <stian(a)redhat.com&gt; >> Cc: keycloak-dev(a)lists.jboss.org >> Sent: Wednesday, 10 September, 2014 4:35:53 PM >> Subject: Re: [keycloak-dev] Are we all set? >> >> Yeah, take a break, celebrate! Wish we could all go out and have a >> beer. > Just one beer? ;) I think I will take few more today's evening:-) > >> On 9/10/2014 10:35 AM, Marek Posolda wrote: >>> Ok, will just create JIRAs for next version. >>> >>> Marek >>> >>> On 10.9.2014 16:31, Bill Burke wrote: >>>> Yeah, just wait IMO. >>>> >>>> On 9/10/2014 10:27 AM, Marek Posolda wrote: >>>>> I've pushed the fix for reduced INFO logging level. >>>>> >>>>> I've found few other things during quick testing like: >>>>> >>>>> - Users can register with invalid email like "aaa" . Also they can >>>>> change their email in account management to "aaa". Just keycloak >>>>> admin >>>>> console is fine and allows to save just valid email ( >>>>> >>>>> - In account management, when I fill firstName, lastName for admin >>>>> user >>>>> and won't fill email and then click "Save", it displays me error >>>>> message >>>>> "You didn't specify email", which is correct. But firstName and >>>>> lastName >>>>> are cleared too. Similar can be reproduced when updating user. >>>>> Basically >>>>> Account mgmt form is always reading persistent values from DB and >>>>> ignores values previously filled by user before failed validation. >>>>> >>>>> I guess these are not blocker for release and especially the >>>>> second one >>>>> might be risky to fix now? wdyt? >>>>> >>>>> Marek >>>>> >>>>> On 10.9.2014 15:49, Marek Posolda wrote: >>>>>> Hi Bill, >>>>>> >>>>>> I am on reducing INFO stuff and will commit the fix in few minutes. >>>>>> Will >>>>>> let you know again once it's done. >>>>>> >>>>>> Marek >>>>>> >>>>>> On 10.9.2014 15:37, Bill Burke wrote: >>>>>>> I'll handle the logging stuff if Marek hasn't gotten to it yet. >>>>>>> Thanks >>>>>>> for doing all the issues reported by Marek last night. >>>>>>> >>>>>>> i'll run my last tests using IE and EAP 6.3 to make sure we're >>>>>>> good on >>>>>>> those platforms. >>>>>>> >>>>>>> On 9/10/2014 9:28 AM, Stian Thorgersen wrote: >>>>>>>> There's no Safari issue after all! So we're good to go. >>>>>>>> >>>>>>>> ----- Original Message ----- >>>>>>>>> From: "Bill Burke" <bburke(a)redhat.com&gt; >>>>>>>>> To: "Stian Thorgersen" <stian(a)redhat.com&gt; >>>>>>>>> Cc: keycloak-dev(a)lists.jboss.org >>>>>>>>> Sent: Wednesday, 10 September, 2014 3:03:12 PM >>>>>>>>> Subject: Re: [keycloak-dev] Are we all set? >>>>>>>>> >>>>>>>>> I'm charging up my macbook. I'll look into it. >>>>>>>>> >>>>>>>>> On 9/10/2014 8:49 AM, Stian Thorgersen wrote: >>>>>>>>>> Apparently login with keycloak.js doesn't work on Safari >>>>>>>>>> (https://issues.jboss.org/browse/KEYCLOAK-675). We need to fix >>>>>>>>>> this before >>>>>>>>>> releasing :/ >>>>>>>>>> >>>>>>>>>> ----- Original Message ----- >>>>>>>>>>> From: "Stian Thorgersen" <stian(a)redhat.com&gt; >>>>>>>>>>> To: "Bill Burke" <bburke(a)redhat.com&gt; >>>>>>>>>>> Cc: keycloak-dev(a)lists.jboss.org >>>>>>>>>>> Sent: Wednesday, 10 September, 2014 2:11:34 PM >>>>>>>>>>> Subject: Re: [keycloak-dev] Are we all set? >>>>>>>>>>> >>>>>>>>>>> We also need to reduce info level log output from adapters. >>>>>>>>>>> I did >>>>>>>>>>> this for >>>>>>>>>>> the server for rc-2, but completely forgot about adapters. >>>>>>>>>>> Marek is >>>>>>>>>>> already >>>>>>>>>>> working on this, and I guess it shouldn't take very long. >>>>>>>>>>> >>>>>>>>>>> ----- Original Message ----- >>>>>>>>>>>> From: "Stian Thorgersen" <stian(a)redhat.com&gt; >>>>>>>>>>>> To: "Bill Burke" <bburke(a)redhat.com&gt; >>>>>>>>>>>> Cc: keycloak-dev(a)lists.jboss.org >>>>>>>>>>>> Sent: Wednesday, 10 September, 2014 10:37:15 AM >>>>>>>>>>>> Subject: Re: [keycloak-dev] Are we all set? >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> ----- Original Message ----- >>>>>>>>>>>>> From: "Bill Burke" <bburke(a)redhat.com&gt; >>>>>>>>>>>>> To: "Marek Posolda" <mposolda(a)redhat.com&gt;, "Stian Thorgersen" >>>>>>>>>>>>> <stian(a)redhat.com&gt; >>>>>>>>>>>>> Cc: keycloak-dev(a)lists.jboss.org >>>>>>>>>>>>> Sent: Wednesday, 10 September, 2014 3:09:20 AM >>>>>>>>>>>>> Subject: Re: [keycloak-dev] Are we all set? >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> On 9/9/2014 5:47 PM, Marek Posolda wrote: >>>>>>>>>>>>>> Hi, >>>>>>>>>>>>>> >>>>>>>>>>>>>> I am sorry to not help more with the release as I needed to >>>>>>>>>>>>>> work >>>>>>>>>>>>>> especially on some portal related stuff last weeks >>>>>>>>>>>>>> (hopefully >>>>>>>>>>>>>> it's gone >>>>>>>>>>>>>> now)... >>>>>>>>>>>>>> >>>>>>>>>>>>>> Found couple of things: >>>>>>>>>>>>>> * AccountService is actually broken for me in Chrome due to >>>>>>>>>>>>>> latest CSRF >>>>>>>>>>>>>> stuff. In FF it works fine, but in Chrome I can't update >>>>>>>>>>>>>> account or >>>>>>>>>>>>>> password. For some reason Chrome is always adding "Origin" >>>>>>>>>>>>>> header to >>>>>>>>>>>>>> the >>>>>>>>>>>>>> update requests (even if they are not ajax requests). So the >>>>>>>>>>>>>> newly >>>>>>>>>>>>>> added >>>>>>>>>>>>>> condition for CSRF in AccountService.init will always >>>>>>>>>>>>>> fail. I >>>>>>>>>>>>>> have >>>>>>>>>>>>>> Chrome 37.0.2062.94 (64-bit) . >>>>>>>>>>>>>> >>>>>>>>>>>>> Ok, I thought Origin header wasn't supposed to be sent with >>>>>>>>>>>>> Browser >>>>>>>>>>>>> requests. I can probably fix this by allowing same origin. >>>>>>>>>>>> Added fix to allow same origin. I also added check of >>>>>>>>>>>> 'Referer' >>>>>>>>>>>> header to >>>>>>>>>>>> make sure it's same origin as well. >>>>>>>>>>>> >>>>>>>>>>>>>> * ServerInfo request >>>>>>>>>>>>>> (http://localhost:8080/auth/admin/serverinfo) is >>>>>>>>>>>>>> not available with CORS . I've created JIRA >>>>>>>>>>>>>> https://issues.jboss.org/browse/KEYCLOAK-670 and send PR >>>>>>>>>>>>>> https://github.com/keycloak/keycloak/pull/683 for this, >>>>>>>>>>>>>> which >>>>>>>>>>>>>> is adding >>>>>>>>>>>>>> authentication for ServerInfoAdminResource and then it use >>>>>>>>>>>>>> allowOrigins >>>>>>>>>>>>>> from the authenticated bearer token. Admin console is >>>>>>>>>>>>>> already >>>>>>>>>>>>>> using >>>>>>>>>>>>>> bearer token for sending ServerInfo requests, so no changes >>>>>>>>>>>>>> are needed >>>>>>>>>>>>>> here. I believe that ServerInfoAdminResource should be >>>>>>>>>>>>>> authenticated >>>>>>>>>>>>>> (don't know why stuff like available social providers or >>>>>>>>>>>>>> themes should >>>>>>>>>>>>>> be publicly available). Let me know if you seeing issues >>>>>>>>>>>>>> with >>>>>>>>>>>>>> it. I did >>>>>>>>>>>>>> not merge PR so far as version in master is already >>>>>>>>>>>>>> changed to >>>>>>>>>>>>>> 1.0-Final >>>>>>>>>>>>>> so not sure what is the state of the release . >>>>>>>>>>>>>> >>>>>>>>>>>>> Merge it. >>>>>>>>>>>>> >>>>>>>>>>>>>> * Realm public resource >>>>>>>>>>>>>> (http://localhost:8080/auth/realms/master) is >>>>>>>>>>>>>> also not available for CORS requests. Not sure if this is an >>>>>>>>>>>>>> issue or >>>>>>>>>>>>>> not? Thing is that unauthenticated requests can't use >>>>>>>>>>>>>> CORS at >>>>>>>>>>>>>> this >>>>>>>>>>>>>> moment as I don't know what allowedOrigins to use. Only >>>>>>>>>>>>>> option >>>>>>>>>>>>>> is to >>>>>>>>>>>>>> allow it for all allowedOrigins (send same >>>>>>>>>>>>>> "Access-Control-Allow-Origin" >>>>>>>>>>>>>> as original value of "Origin" header from the request) >>>>>>>>>>>>>> >>>>>>>>>>>>>> * There is still quite a lot of INFO logging . For example >>>>>>>>>>>>>> when I send >>>>>>>>>>>>>> product request from the cors-demo example I have 6 new INFO >>>>>>>>>>>>>> messages >>>>>>>>>>>>>> in >>>>>>>>>>>>>> log (Mainly from org.keycloak.adapters package) >>>>>>>>>>>>>> >>>>>>>>>>>>> Ping me on your status tomorrow (Wednesday). I'll complete >>>>>>>>>>>>> whatever you >>>>>>>>>>>>> don't finish above. >>>>>>>>>>>>> >>>>>>>>>>>>> Thanks. >>>>>>>>>>>>> >>>>>>>>>>>>> -- >>>>>>>>>>>>> Bill Burke >>>>>>>>>>>>> JBoss, a division of Red Hat >>>>>>>>>>>>> http://bill.burkecentral.com >>>>>>>>>>>>> >>>>>>>>>>>> _______________________________________________ >>>>>>>>>>>> keycloak-dev mailing list >>>>>>>>>>>> keycloak-dev(a)lists.jboss.org >>>>>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev >>>>>>>>>>>> >>>>>>>>>>> _______________________________________________ >>>>>>>>>>> keycloak-dev mailing list >>>>>>>>>>> keycloak-dev(a)lists.jboss.org >>>>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev >>>>>>>>>>> >>>>>>>>> -- >>>>>>>>> Bill Burke >>>>>>>>> JBoss, a division of Red Hat >>>>>>>>> http://bill.burkecentral.com >>>>>>>>> >>>>>> _______________________________________________ >>>>>> keycloak-dev mailing list >>>>>> keycloak-dev(a)lists.jboss.org >>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev >> -- >> Bill Burke >> JBoss, a division of Red Hat >> http://bill.burkecentral.com >>