[keycloak-dev] Are we all set?

Bill Burke bburke at redhat.com
Tue Sep 9 21:09:20 EDT 2014



On 9/9/2014 5:47 PM, Marek Posolda wrote:
> Hi,
>
> I am sorry to not help more with the release as I needed to work
> especially on some portal related stuff last weeks (hopefully it's gone
> now)...
>
> Found a couple of things:
> * AccountService is actually broken for me in Chrome due to the latest CSRF
> stuff. In FF it works fine, but in Chrome I can't update account or
> password. For some reason Chrome is always adding an "Origin" header to the
> update requests (even if they are not ajax requests). So the newly added
> condition for CSRF in AccountService.init will always fail. I have
> Chrome 37.0.2062.94 (64-bit).
>

Ok, I thought the Origin header wasn't supposed to be sent with browser 
requests.  I can probably fix this by allowing same origin.


> * ServerInfo request (http://localhost:8080/auth/admin/serverinfo) is
> not available with CORS. I've created JIRA
> https://issues.jboss.org/browse/KEYCLOAK-670 and sent PR
> https://github.com/keycloak/keycloak/pull/683 for this, which adds
> authentication for ServerInfoAdminResource and then uses allowOrigins
> from the authenticated bearer token. Admin console is already using
> bearer token for sending ServerInfo requests, so no changes are needed
> here. I believe that ServerInfoAdminResource should be authenticated
> (don't know why stuff like available social providers or themes should
> be publicly available). Let me know if you're seeing issues with it. I did
> not merge the PR so far as the version in master is already changed to 1.0-Final,
> so not sure what the state of the release is.
>

Merge it.

> * Realm public resource (http://localhost:8080/auth/realms/master) is
> also not available for CORS requests. Not sure if this is an issue or
> not? Thing is that unauthenticated requests can't use CORS at this
> moment as I don't know what allowedOrigins to use. The only option is to
> allow it for all allowedOrigins (send the same "Access-Control-Allow-Origin"
> as the original value of the "Origin" header from the request).
>
> * There is still quite a lot of INFO logging. For example when I send a
> product request from the cors-demo example I have 6 new INFO messages in
> the log (mainly from the org.keycloak.adapters package).
>

Ping me on your status tomorrow (Wednesday).  I'll complete whatever you 
don't finish above.

Thanks.

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
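The two mechanisms discussed in this thread, an Origin-header CSRF check that must not reject same-origin form posts (Chrome sends Origin on non-ajax POSTs), and a CORS response that uses a token-derived allowOrigins list for authenticated resources but can only echo the request Origin for unauthenticated ones, as an added example. This is illustrative Python, not Keycloak's own code; the function names (`csrf_check`, `naive_csrf_check`, `cors_headers`) and the sample request headers are constructed for the example.

```python
"""Origin-based CSRF check and CORS origin handling (added example, not Keycloak code)."""
from urllib.parse import urlsplit

# Methods that must not change state and therefore need no CSRF check.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def origin_of(url):
    """Reduce a URL to its origin (scheme://host[:port]), lower-cased, or None."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def naive_csrf_check(method, headers):
    """The broken behaviour from the thread: any request carrying an Origin
    header is treated as cross-site. Chrome adds Origin to ordinary form POSTs,
    so every account/password update from Chrome is rejected."""
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    lowered = {k.lower(): v for k, v in headers.items()}
    if "origin" in lowered:
        return False, "origin header present"
    return True, "no origin header"


def csrf_check(method, headers, site_origin):
    """Fixed check: a present Origin is accepted when it equals our own origin
    (what Bill calls 'allowing same origin'); an absent Origin falls back to the
    Referer's origin; a request carrying neither is rejected for state changes."""
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    lowered = {k.lower(): v for k, v in headers.items()}
    site = site_origin.lower()

    origin = lowered.get("origin")
    if origin is not None:
        origin = origin.strip().lower()
        if origin == "null":  # opaque origin (sandboxed frame, data: URL): never same-site
            return False, "opaque origin"
        return (origin == site), ("same origin" if origin == site else "cross-origin")

    referer = lowered.get("referer")
    if referer:
        ref_origin = origin_of(referer)
        return (ref_origin == site), ("referer same origin" if ref_origin == site
                                      else "referer cross-origin")

    return False, "no origin or referer"


def cors_headers(request_origin, allowed_origins=None, public=False):
    """Build CORS response headers.

    allowed_origins: the allowOrigins list taken from an authenticated bearer
    token (Marek's ServerInfoAdminResource approach); the origin is echoed
    only if it is on that list, and credentials may then be allowed.
    public: an unauthenticated resource (e.g. the realm public endpoint) has no
    token to take a list from, so the request Origin is echoed as-is, but never
    together with Access-Control-Allow-Credentials."""
    if not request_origin:
        return {}
    if public:
        return {"Access-Control-Allow-Origin": request_origin, "Vary": "Origin"}
    if allowed_origins and request_origin in allowed_origins:
        return {
            "Access-Control-Allow-Origin": request_origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin",
        }
    return {}


if __name__ == "__main__":
    site = "http://localhost:8080"
    # Constructed sample: a Chrome form POST to the account page carries Origin.
    chrome_post = {"Origin": "http://localhost:8080",
                   "Content-Type": "application/x-www-form-urlencoded"}
    print("naive:", naive_csrf_check("POST", chrome_post))
    print("fixed:", csrf_check("POST", chrome_post, site))
    print("public CORS:", cors_headers("http://app.example", public=True))
```

The naive check and the fixed check differ only in how a present Origin is handled, which is exactly the Chrome failure described above; the CORS helper keeps the credentials flag off whenever the origin is merely echoed rather than matched against a list.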