[keycloak-dev] Release status
Stian Thorgersen
stian at redhat.com
Tue Jul 21 04:54:50 EDT 2015
I'd like all changes in and issues fixed by the end of the week for the 1.4 release. There are still quite a few issues remaining.
Auth/required actions:
----------
There are quite a few issues outstanding in JIRA related to the new authentication SPIs:
KEYCLOAK-1457 Auth flow for non-browser auth
KEYCLOAK-1552 NPE if brute force detection enabled
KEYCLOAK-1508 Re-Login fails after session timeout
KEYCLOAK-1489 auth timeouts should restart flow
KEYCLOAK-1481 reimplement AuthenticationManagerTest
KEYCLOAK-1466 Find better way to propagate BruteForceProtector
KEYCLOAK-1465 Cleanup obsolete auth code
KEYCLOAK-1463 Need better UI for Terms and Conditions
KEYCLOAK-1457 Auth flow for non-browser auth
KEYCLOAK-1455 remove user.isTotp() usage
KEYCLOAK-1450 Re-enable Brute Force Protection
Also, what's the status with regard to:
* Migration
* Is brute force enabled?
* Are the improvements with regard to login timeouts added?
* Do we need to polish the UI with regard to auth work?
Service Accounts:
-----------------
Marek told me service accounts and client credential grants are going to be ready later today. This won't include additional client authentication mechanisms.
UXP improvements:
-----------------
Still a few minor things left. I also need to review what's been done so far. The biggest issue left is updating tables to match the pattern from PatternFly, but that'll be delayed to 1.5 as it's a pretty big task.
Database:
---------
We have tests failing on some databases, as well as a few DB-related bugs.
Other things:
-------------
* KEYCLOAK-1539 Accessing secured resource should not return 200 OK when not authenticated - adapters redirect to login page even for json/xml requests. That doesn't make any sense. We should only redirect to login page if Accept header is */*, text/* or text/html.
* KEYCLOAK-1472 WF8 Adapter: Preflight request is redirected for auth. - adapters redirect to login page for OPTIONS requests. That doesn't make sense. We don't actually know the valid web origins for non-authenticated requests though. So what should we do?
Is there anything else that needs to be done for 1.4 that's not in JIRA?
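
The Accept-header rule proposed for KEYCLOAK-1539 above, sketched as an added example that is not part of the original message and not Keycloak adapter code. The class and method names are hypothetical. Assumptions: the decision is made on the client's most-preferred media range, a missing Accept header is treated like */*, and non-browser requests get a 401.

```java
import java.util.Locale;

public class LoginRedirectPolicy {
    // Decide on the client's most-preferred media range (highest q, first wins on ties).
    // Assumption: the message does not say how a multi-valued Accept header is handled.
    static boolean shouldRedirectToLogin(String accept) {
        if (accept == null || accept.trim().isEmpty()) {
            return true; // assumption: no Accept header means "any type", i.e. */*
        }
        String best = null;
        double bestQ = 0.0;
        for (String part : accept.split(",")) {
            String[] fields = part.trim().split(";");
            String range = fields[0].trim().toLowerCase(Locale.ROOT);
            double q = 1.0; // default weight when no q parameter is given
            for (int i = 1; i < fields.length; i++) {
                String p = fields[i].trim().toLowerCase(Locale.ROOT);
                if (p.startsWith("q=")) {
                    try {
                        q = Double.parseDouble(p.substring(2).trim());
                    } catch (NumberFormatException e) {
                        q = 0.0; // malformed weight: ignore this range
                    }
                }
            }
            if (!range.isEmpty() && q > bestQ) { // q=0 ranges are never selected
                best = range;
                bestQ = q;
            }
        }
        return "*/*".equals(best) || "text/*".equals(best) || "text/html".equals(best);
    }

    // 302 to the login page for browser-style requests, 401 otherwise (assumed status).
    static int statusFor(String accept) {
        return shouldRedirectToLogin(accept) ? 302 : 401;
    }

    public static void main(String[] args) {
        String[] samples = { // constructed Accept headers
            "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
            "application/json",
            "application/json, text/plain, */*",
            "application/xml;q=0.9, text/*",
            null
        };
        for (String s : samples) {
            System.out.println(statusFor(s) + "  Accept: " + s);
        }
    }
}
```

The third sample is the case to watch: script-driven HTTP clients often append */* after application/json, so a plain substring match on */* would still send JSON callers to the login page.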