On 7/21/2015 4:54 AM, Stian Thorgersen wrote:
I'd like all changes in and issues fixed by the end of the week
for 1.4 release. There's still quite a few issues remaining.
Auth/required actions:
----------
There's quite a few issues outstanding in JIRA related to the new authentication
SPIs:
KEYCLOAK-1457 Auth flow for non-browser auth
KEYCLOAK-1552 NPE if brute force detection enabled
KEYCLOAK-1508 Re-Login fails after session timeout
KEYCLOAK-1489 auth timeouts should restart flow
KEYCLOAK-1481 reimplement AuthenticationManagerTest
KEYCLOAK-1466 Find better way to propagate BruteForceProtector
KEYCLOAK-1465 Cleanup obsolete auth code
KEYCLOAK-1463 Need better UI for Terms and Conditions
KEYCLOAK-1457 Auth flow for non-browser auth
KEYCLOAK-1455 remove user.isTotp() usage
KEYCLOAK-1450 Re-enable Brute Force Protection
I'm working on 1457 right now which is a blocker for 1465.
Also, what's the status with regards to:
* Migration
Implemented. Not really tested beyond what we already have for test
scripts.
* Is brute force enabled?
Need to work on this this week.
* Is the improvements with regards to login time outs added?
Still some work here.
* Do we need to polish the UI with regards to auth work?
Yes, we need some polish. I'm horrible at creating nice UIs unless
there is some template to work from. I don't have one to work from for
the auth work.
Other things:
-------------
* KEYCLOAK-1539 Accessing secured resource should not return 200 OK when not
authenticated - adapters redirect to login page even for json/xml requests. That
doesn't make any sense. We should only redirect to login page if Accept header is */*,
text/* or text/html.
We're not changing the adapters to change their response based on Accept
header. That is a horrible hack solution. See my recent comment on
this issue in jira.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com