[keycloak-dev] Are we all set?

Bruno Oliveira bruno at abstractj.org
Wed Sep 10 13:22:43 EDT 2014


You guys totally deserve it. Thanks for the fuckin' amazing work.

On 2014-09-10, Stian Thorgersen wrote:
>
> ----- Original Message -----
> > From: "Bill Burke" <bburke at redhat.com>
> > To: "Marek Posolda" <mposolda at redhat.com>, "Stian Thorgersen" <stian at redhat.com>
> > Cc: keycloak-dev at lists.jboss.org
> > Sent: Wednesday, 10 September, 2014 4:35:53 PM
> > Subject: Re: [keycloak-dev] Are we all set?
> >
> > Yeah, take a break, celebrate!  Wish we could all go out and have a beer.
>
> Just one beer? ;)
>
> >
> > On 9/10/2014 10:35 AM, Marek Posolda wrote:
> > > Ok, will just create JIRAs for next version.
> > >
> > > Marek
> > >
> > > On 10.9.2014 16:31, Bill Burke wrote:
> > >> Yeah, just wait IMO.
> > >>
> > >> On 9/10/2014 10:27 AM, Marek Posolda wrote:
> > >>> I've pushed the fix for reduced INFO logging level.
> > >>>
> > >>> I've found a few other things during quick testing like:
> > >>>
> > >>> - Users can register with invalid email like "aaa". Also they can
> > >>> change their email in account management to "aaa". Just keycloak admin
> > >>> console is fine and allows to save just valid email (
> > >>>
> > >>> - In account management, when I fill firstName, lastName for admin user
> > >>> and won't fill email and then click "Save", it displays me error message
> > >>> "You didn't specify email", which is correct. But firstName and lastName
> > >>> are cleared too. Similar can be reproduced when updating user. Basically
> > >>> Account mgmt form is always reading persistent values from DB and
> > >>> ignores values previously filled by user before failed validation.
> > >>>
> > >>> I guess these are not blockers for release and especially the second one
> > >>> might be risky to fix now? wdyt?
> > >>>
> > >>> Marek
> > >>>
> > >>> On 10.9.2014 15:49, Marek Posolda wrote:
> > >>>> Hi Bill,
> > >>>>
> > >>>> I am on reducing INFO stuff and will commit the fix in a few minutes.
> > >>>> Will let you know again once it's done.
> > >>>>
> > >>>> Marek
> > >>>>
> > >>>> On 10.9.2014 15:37, Bill Burke wrote:
> > >>>>> I'll handle the logging stuff if Marek hasn't gotten to it yet. Thanks
> > >>>>> for doing all the issues reported by Marek last night.
> > >>>>>
> > >>>>> I'll run my last tests using IE and EAP 6.3 to make sure we're good on
> > >>>>> those platforms.
> > >>>>>
> > >>>>> On 9/10/2014 9:28 AM, Stian Thorgersen wrote:
> > >>>>>> There's no Safari issue after all! So we're good to go.
> > >>>>>>
> > >>>>>> ----- Original Message -----
> > >>>>>>> From: "Bill Burke" <bburke at redhat.com>
> > >>>>>>> To: "Stian Thorgersen" <stian at redhat.com>
> > >>>>>>> Cc: keycloak-dev at lists.jboss.org
> > >>>>>>> Sent: Wednesday, 10 September, 2014 3:03:12 PM
> > >>>>>>> Subject: Re: [keycloak-dev] Are we all set?
> > >>>>>>>
> > >>>>>>> I'm charging up my macbook.  I'll look into it.
> > >>>>>>>
> > >>>>>>> On 9/10/2014 8:49 AM, Stian Thorgersen wrote:
> > >>>>>>>> Apparently login with keycloak.js doesn't work on Safari
> > >>>>>>>> (https://issues.jboss.org/browse/KEYCLOAK-675). We need to fix this before
> > >>>>>>>> releasing :/
> > >>>>>>>>
> > >>>>>>>> ----- Original Message -----
> > >>>>>>>>> From: "Stian Thorgersen" <stian at redhat.com>
> > >>>>>>>>> To: "Bill Burke" <bburke at redhat.com>
> > >>>>>>>>> Cc: keycloak-dev at lists.jboss.org
> > >>>>>>>>> Sent: Wednesday, 10 September, 2014 2:11:34 PM
> > >>>>>>>>> Subject: Re: [keycloak-dev] Are we all set?
> > >>>>>>>>>
> > >>>>>>>>> We also need to reduce info level log output from adapters. I did this for
> > >>>>>>>>> the server for rc-2, but completely forgot about adapters. Marek is already
> > >>>>>>>>> working on this, and I guess it shouldn't take very long.
> > >>>>>>>>>
> > >>>>>>>>> ----- Original Message -----
> > >>>>>>>>>> From: "Stian Thorgersen" <stian at redhat.com>
> > >>>>>>>>>> To: "Bill Burke" <bburke at redhat.com>
> > >>>>>>>>>> Cc: keycloak-dev at lists.jboss.org
> > >>>>>>>>>> Sent: Wednesday, 10 September, 2014 10:37:15 AM
> > >>>>>>>>>> Subject: Re: [keycloak-dev] Are we all set?
> > >>>>>>>>>>
> > >>>>>>>>>>
> > >>>>>>>>>>
> > >>>>>>>>>> ----- Original Message -----
> > >>>>>>>>>>> From: "Bill Burke" <bburke at redhat.com>
> > >>>>>>>>>>> To: "Marek Posolda" <mposolda at redhat.com>, "Stian Thorgersen" <stian at redhat.com>
> > >>>>>>>>>>> Cc: keycloak-dev at lists.jboss.org
> > >>>>>>>>>>> Sent: Wednesday, 10 September, 2014 3:09:20 AM
> > >>>>>>>>>>> Subject: Re: [keycloak-dev] Are we all set?
> > >>>>>>>>>>>
> > >>>>>>>>>>>
> > >>>>>>>>>>>
> > >>>>>>>>>>> On 9/9/2014 5:47 PM, Marek Posolda wrote:
> > >>>>>>>>>>>> Hi,
> > >>>>>>>>>>>>
> > >>>>>>>>>>>> I am sorry to not help more with the release as I needed to work
> > >>>>>>>>>>>> especially on some portal related stuff last weeks (hopefully it's gone
> > >>>>>>>>>>>> now)...
> > >>>>>>>>>>>>
> > >>>>>>>>>>>> Found couple of things:
> > >>>>>>>>>>>> * AccountService is actually broken for me in Chrome due to latest CSRF
> > >>>>>>>>>>>> stuff. In FF it works fine, but in Chrome I can't update account or
> > >>>>>>>>>>>> password. For some reason Chrome is always adding "Origin" header to the
> > >>>>>>>>>>>> update requests (even if they are not ajax requests). So the newly added
> > >>>>>>>>>>>> condition for CSRF in AccountService.init will always fail. I have
> > >>>>>>>>>>>> Chrome 37.0.2062.94 (64-bit).
> > >>>>>>>>>>>>
> > >>>>>>>>>>> Ok, I thought Origin header wasn't supposed to be sent with Browser
> > >>>>>>>>>>> requests.  I can probably fix this by allowing same origin.
> > >>>>>>>>>> Added fix to allow same origin. I also added check of 'Referer' header to
> > >>>>>>>>>> make sure it's same origin as well.
> > >>>>>>>>>>
> > >>>>>>>>>>>> * ServerInfo request (http://localhost:8080/auth/admin/serverinfo) is
> > >>>>>>>>>>>> not available with CORS. I've created JIRA
> > >>>>>>>>>>>> https://issues.jboss.org/browse/KEYCLOAK-670 and sent PR
> > >>>>>>>>>>>> https://github.com/keycloak/keycloak/pull/683 for this, which is adding
> > >>>>>>>>>>>> authentication for ServerInfoAdminResource and then it uses allowOrigins
> > >>>>>>>>>>>> from the authenticated bearer token. Admin console is already using
> > >>>>>>>>>>>> bearer token for sending ServerInfo requests, so no changes are needed
> > >>>>>>>>>>>> here. I believe that ServerInfoAdminResource should be authenticated
> > >>>>>>>>>>>> (don't know why stuff like available social providers or themes should
> > >>>>>>>>>>>> be publicly available). Let me know if you're seeing issues with it. I did
> > >>>>>>>>>>>> not merge PR so far as version in master is already changed to 1.0-Final
> > >>>>>>>>>>>> so not sure what is the state of the release.
> > >>>>>>>>>>>>
> > >>>>>>>>>>> Merge it.
> > >>>>>>>>>>>
> > >>>>>>>>>>>> * Realm public resource (http://localhost:8080/auth/realms/master) is
> > >>>>>>>>>>>> also not available for CORS requests. Not sure if this is an issue or
> > >>>>>>>>>>>> not? Thing is that unauthenticated requests can't use CORS at this
> > >>>>>>>>>>>> moment as I don't know what allowedOrigins to use. Only option is to
> > >>>>>>>>>>>> allow it for all allowedOrigins (send same "Access-Control-Allow-Origin"
> > >>>>>>>>>>>> as original value of "Origin" header from the request)
> > >>>>>>>>>>>>
> > >>>>>>>>>>>> * There is still quite a lot of INFO logging. For example when I send
> > >>>>>>>>>>>> product request from the cors-demo example I have 6 new INFO messages
> > >>>>>>>>>>>> in log (Mainly from org.keycloak.adapters package)
> > >>>>>>>>>>>>
> > >>>>>>>>>>> Ping me on your status tomorrow (Wednesday). I'll complete whatever you
> > >>>>>>>>>>> don't finish above.
> > >>>>>>>>>>>
> > >>>>>>>>>>> Thanks.
> > >>>>>>>>>>>
> > >>>>>>>>>>> --
> > >>>>>>>>>>> Bill Burke
> > >>>>>>>>>>> JBoss, a division of Red Hat
> > >>>>>>>>>>> http://bill.burkecentral.com
> > >>>>>>>>>>>
> > >>>>>>>>>> _______________________________________________
> > >>>>>>>>>> keycloak-dev mailing list
> > >>>>>>>>>> keycloak-dev at lists.jboss.org
> > >>>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> > >>>>>>>>>>
> > >>>>>>>>>
> > >>>>>>> --
> > >>>>>>> Bill Burke
> > >>>>>>> JBoss, a division of Red Hat
> > >>>>>>> http://bill.burkecentral.com
> > >>>>>>>
> > >>>
> > >>
> > >
> >
> > --
> > Bill Burke
> > JBoss, a division of Red Hat
> > http://bill.burkecentral.com
> >

--

abstractj
PGP: 0x84DC9914
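
The same-origin check on the `Origin` and `Referer` headers discussed in the quoted thread, sketched as an added example; it is not Keycloak's AccountService code and not part of the original messages. The class and method names are hypothetical, and accepting a request that carries neither header is an assumption of this sketch.

```java
import java.net.URI;
import java.net.URISyntaxException;

// Added illustration with hypothetical names; not Keycloak's own code.
public class SameOriginCheck {

    // Reduce a URL to scheme://host:port, filling in default ports so that
    // "https://host" and "https://host:443" compare equal.
    static String origin(String url) {
        if (url == null) return null;
        try {
            URI u = new URI(url);
            if (u.getScheme() == null || u.getHost() == null) return null;
            String scheme = u.getScheme().toLowerCase();
            int port = u.getPort();
            if (port == -1) port = scheme.equals("https") ? 443 : 80;
            return scheme + "://" + u.getHost().toLowerCase() + ":" + port;
        } catch (URISyntaxException e) {
            return null; // an unparsable header value is treated as a mismatch
        }
    }

    // A state-changing request passes only if every header that is present
    // names the server's own origin. Chrome sends Origin on plain form POSTs,
    // so the mere presence of Origin must not be a reason to reject.
    // Assumption: a request with neither header is accepted here; a stricter
    // policy would reject it or require a CSRF token as well.
    static boolean isSameOrigin(String serverBaseUrl, String originHdr, String refererHdr) {
        String expected = origin(serverBaseUrl);
        if (expected == null) return false;
        if (originHdr != null && !expected.equals(origin(originHdr))) return false;
        if (refererHdr != null && !expected.equals(origin(refererHdr))) return false;
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample values, modelled on the localhost URLs in the thread.
        String base = "http://localhost:8080/auth";
        String form = "http://localhost:8080/auth/realms/master/account";
        System.out.println(isSameOrigin(base, "http://localhost:8080", form));    // Chrome form POST
        System.out.println(isSameOrigin(base, null, form));                       // no Origin header
        System.out.println(isSameOrigin(base, "http://other.example.test", form)); // cross-site Origin
        System.out.println(isSameOrigin(base, "null", null));                     // opaque origin
    }
}
```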