Hi,
I am sorry for not helping more with the release, as I needed to work
mainly on some portal-related stuff over the last weeks (hopefully it's
gone now)...
Found a couple of things:
* AccountService is actually broken for me in Chrome due to the latest
CSRF stuff. In FF it works fine, but in Chrome I can't update
account or password. For some reason Chrome is always adding the
"Origin" header to the update requests (even if they are not ajax
requests). So the newly added condition for CSRF in
AccountService.init will always fail. I have Chrome
37.0.2062.94 (64-bit).
* ServerInfo request (http://localhost:8080/auth/admin/serverinfo)
is not available with CORS. I've created JIRA
https://issues.jboss.org/browse/KEYCLOAK-670 and sent PR
https://github.com/keycloak/keycloak/pull/683
for this, which adds authentication for
ServerInfoAdminResource and then uses allowOrigins from the
authenticated bearer token. Admin console is already using a bearer
token for sending ServerInfo requests, so no changes are needed
here. I believe that ServerInfoAdminResource should be
authenticated (don't know why stuff like available social
providers or themes should be publicly available). Let me know if
you are seeing issues with it. I did not merge the PR so far, as the version in
master is already changed to 1.0-Final, so not sure what the
state of the release is.
* Realm public resource (http://localhost:8080/auth/realms/master)
is also not available for CORS requests. Not sure if this is an
issue or not? Thing is that unauthenticated requests can't use
CORS at this moment, as I don't know what allowedOrigins to use.
The only option is to allow it for all allowedOrigins (send the same
"Access-Control-Allow-Origin" as the original value of the "Origin" header
from the request).
* There is still quite a lot of INFO logging. For example, when I
send a product request from the cors-demo example I have 6 new INFO
messages in the log (mainly from the org.keycloak.adapters package).
I will continue with the testing tomorrow.
Marek
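
One way to write an Origin-based check that tolerates the Chrome behaviour reported above, as an added example (not Keycloak's code and not part of the original message). The class, method and enum names, the allow-list, and the sample origins other than http://localhost:8080 are assumptions made for illustration.

```java
import java.net.URI;
import java.util.Set;

public class OriginCheck {
    enum Decision { SAME_ORIGIN, CROSS_ORIGIN_ALLOWED, REJECT }

    // Reduce an origin or URL to scheme://host[:port]; null if it is not a usable origin.
    static String normalize(String value) {
        try {
            URI u = URI.create(value.trim());
            if (u.getScheme() == null || u.getHost() == null) return null;
            String scheme = u.getScheme().toLowerCase();
            int port = u.getPort();
            boolean isDefault = port == -1
                    || (scheme.equals("http") && port == 80)
                    || (scheme.equals("https") && port == 443);
            return scheme + "://" + u.getHost().toLowerCase() + (isDefault ? "" : ":" + port);
        } catch (IllegalArgumentException e) {
            return null;
        }
    }

    // allowedOrigins (hypothetical allow-list) must already be in normalized form.
    static Decision check(String originHeader, String serverOrigin, Set<String> allowedOrigins) {
        // No Origin header (the Firefox case in the report): nothing to compare,
        // so the CSRF token check still has to decide.
        if (originHeader == null) return Decision.SAME_ORIGIN;
        String origin = normalize(originHeader);
        if (origin == null) return Decision.REJECT;  // "null" or malformed value
        // Chrome sends Origin on plain form POSTs too; equal to our own origin is not CORS.
        if (origin.equals(normalize(serverOrigin))) return Decision.SAME_ORIGIN;
        return allowedOrigins.contains(origin) ? Decision.CROSS_ORIGIN_ALLOWED : Decision.REJECT;
    }

    public static void main(String[] args) {
        String server = "http://localhost:8080";                  // server from the report
        Set<String> allowed = Set.of("http://app.example.test");  // constructed allow-list
        String[] samples = { null, "http://localhost:8080", "HTTP://LOCALHOST:8080",
                "http://app.example.test", "http://other.example.test", "null" };  // constructed
        for (String s : samples) {
            System.out.println(s + " -> " + check(s, server, allowed));
        }
    }
}
```

The point of the sketch is that the presence of an "Origin" header alone does not identify a cross-origin request; only its value compared with the server's own origin does.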
On 9.9.2014 20:01, Stian Thorgersen wrote: