[keycloak-dev] CORS and Keycloak

Bill Burke bburke at redhat.com
Tue Oct 8 12:21:38 EDT 2013

Based on our Hangout conversation, I'm trying to figure out what we need 
to do for CORS.

First, we absolutely need to allow CORS requests to Keycloak hosted 
resources: specifically the token service and the admin REST api.

The question is, do we manage CORS for applications?  How does this 
information get transmitted?  What support do we need to add?  Here's my 

* Keycloak application adapters (i.e. the Tomcat Valve, or the Undertow 
Handler) can be set up to handle CORS requests.
* Allowed origins can be specified within the adapter's config file.

Additionally we could:
* Store allowed origins per application within the Keycloak realm database
* Have a Keycloak REST API to obtain allowed origins for an application
* Optionally store allowed origins in the signed access token.

The Keycloak application adapter then has 3 options to authorize a CORS 

1) Its config file
2) a REST call to the Keycloak server
3) From the access token.

#3 could get quite problematic as the access token could get quite large.

#3 does fit in nicely with Keycloak's concept of a Scope though.

Do I understand everything correctly as it pertains to CORS?  Did I 
cover everything?  Does what I'm saying make sense?

CORS could be another nice core feature we support. So our main 
marketing would say Keycloak is a

a) A social broker
c) OAuth

Bill Burke
JBoss, a division of Red Hat
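As an added illustration, not code from this mail or from the Keycloak adapters, of how an adapter-side check for options 1 and 3 above could look: the allowed-origin list is handed in by the caller, whether it was read from the adapter's config file or from a token claim (the claim name "allowed-origins" and the class name are assumptions). The point it shows is exact origin matching with the echoed origin instead of "*", plus a Vary header, so a credentialed request from an unlisted origin gets no CORS headers at all.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.*;

// Hypothetical adapter helper: authorizes a CORS request against origins that
// came from the adapter config file or from an (assumed) "allowed-origins"
// claim in the signed access token. Not part of Keycloak.
public final class CorsOriginPolicy {
    private final Set<String> allowed = new HashSet<>();

    public CorsOriginPolicy(Collection<String> origins) {
        for (String o : origins) {
            String n = normalize(o);
            if (n != null) allowed.add(n);
        }
    }

    // Canonical form scheme://host[:port], lower-cased, default port dropped,
    // so a config entry compares equal to what the browser sends. Anything
    // without a scheme and host (including the literal "null" origin) is
    // rejected rather than matched.
    static String normalize(String origin) {
        if (origin == null) return null;
        try {
            URI u = new URI(origin.trim());
            if (u.getScheme() == null || u.getHost() == null) return null;
            String scheme = u.getScheme().toLowerCase(Locale.ROOT);
            int port = u.getPort();
            if ((port == 80 && scheme.equals("http")) || (port == 443 && scheme.equals("https"))) port = -1;
            String s = scheme + "://" + u.getHost().toLowerCase(Locale.ROOT);
            return port == -1 ? s : s + ":" + port;
        } catch (URISyntaxException e) {
            return null;
        }
    }

    // Response headers for a request carrying this Origin; empty when the
    // origin is not allowed, so the adapter answers without CORS headers and
    // the browser refuses to expose the response to the calling page.
    public Map<String, String> headersFor(String requestOrigin, boolean preflight) {
        String n = normalize(requestOrigin);
        if (n == null || !allowed.contains(n)) return Collections.emptyMap();
        Map<String, String> h = new LinkedHashMap<>();
        h.put("Access-Control-Allow-Origin", n);      // echo the exact origin, never "*"
        h.put("Access-Control-Allow-Credentials", "true"); // bearer tokens/cookies in play
        h.put("Vary", "Origin");                      // caches must key on Origin
        if (preflight) {                              // OPTIONS + Access-Control-Request-Method
            h.put("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE");
            h.put("Access-Control-Allow-Headers", "Authorization, Content-Type");
            h.put("Access-Control-Max-Age", "3600");
        }
        return h;
    }
}
```

With `new CorsOriginPolicy(List.of("https://app.example.com"))`, `headersFor("https://app.example.com", false)` yields the three headers above, while `headersFor("https://app.example.com.evil.test", false)` and `headersFor("null", false)` both return an empty map.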
