[keycloak-dev] Fwd: Preflight for token refresh

Alain Penders alain at rexorient.com
Tue Dec 2 10:02:15 EST 2014


Not really.  It needs CORS for every URI it hits.  Refresh is a different
URI from the code->token exchange one it uses initially.

When Keycloak redirects back to the GWT app and the code is exchanged for
the tokens, I see this in the Network trace:

First an OPTIONS request:


   1. Remote Address:
   127.0.0.1:8080
   2. Request URL:
   http://localhost:8080/auth/realms/GameSeeder/tokens/access/codes
   3. Request Method:
   OPTIONS
   4. Status Code:
   200 OK
   5. Request Headersview source
      1. Accept:
      */*
      2. Accept-Encoding:
      gzip, deflate, sdch
      3. Accept-Language:
      en-US,en;q=0.8
      4. Access-Control-Request-Headers:
      authorization, content-type
      5. Access-Control-Request-Method:
      POST
      6. Connection:
      keep-alive
      7. Host:
      localhost:8080
      8. Origin:
      http://127.0.0.1:8888
      9. Referer:
      http://127.0.0.1:8888/Main.html
      10. User-Agent:
      Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like
      Gecko) Chrome/39.0.2171.71 Safari/537.36
      6. Response Headersview source
      1. Access-Control-Allow-Credentials:
      true
      2. Access-Control-Allow-Headers:
      Origin, Accept, X-Requested-With, Content-Type,
      Access-Control-Request-Method, Access-Control-Request-Headers,
Authorization
      3. Access-Control-Allow-Methods:
      GET, HEAD, OPTIONS
      4. Access-Control-Allow-Origin:
      http://127.0.0.1:8888
      5. Access-Control-Max-Age:
      3600
      6. Connection:
      keep-alive
      7. Content-Length:
      0
      8. Date:
      Tue, 02 Dec 2014 14:51:47 GMT
      9. Server:
      WildFly/8
      10. X-Powered-By:
      Undertow/1


Then the actual code exchange request:


   1. Remote Address:
   127.0.0.1:8080
   2. Request URL:
   http://localhost:8080/auth/realms/GameSeeder/tokens/access/codes
   3. Request Method:
   POST
   4. Status Code:
   200 OK
   5. Request Headersview source
      1. Accept:
      */*
      2. Accept-Encoding:
      gzip, deflate
      3. Accept-Language:
      en-US,en;q=0.8
      4. Authorization:
      Basic R2FtZVNlZWRlcjoyYTczYTQ0Yi1lMGFhLTRiMTYtODk2OC1hY2YwZTVlMGVlNTk=
      5. Connection:
      keep-alive
      6. Content-Length:
      85
      7. Content-type:
      application/x-www-form-urlencoded
      8. Cookie:
      KEYCLOAK_IDENTITY=eyJhbGciOiJSUzI1NiJ9.eyJqdGkiOiI5NTA4ZTg2Yi04ZjdhLTRmN2UtOWYzOC1jMTFhMDdkNjUyOWMiLCJleHAiOjE0MjAxMjM5MDYsIm5iZiI6MCwiaWF0IjoxNDE3NTMxOTA2LCJpc3MiOiJHYW1lU2VlZGVyIiwic3ViIjoiOTY0ZjkwNWMtZTg2ZC00NDUzLWE3MzItYWVlMDE5NGY5YTIwIiwic2Vzc2lvbl9zdGF0ZSI6ImVjODE0NjcyLTFhOWYtNDM1ZS04YjU4LTU4ZmI4MDNiMDZkYSIsInJlc291cmNlX2FjY2VzcyI6e319.LiS51MggFZVPJ-TUlcYejPD7x6pJvgdOYCLrHV8LKiIP6BGZzS7D4W0t3xsXeKxqBr-h3cSaY_BqWKRl4RGn67SHuWvoDRrS6xKPZuWPQ08NS_iQVrIKGOATtGF2VFMutnroa4Y_UNmi5T2gZFc-wphRWRV5YG-x-DGAqd4h42U;
      KEYCLOAK_SESSION=GameSeeder/964f905c-e86d-4453-a732-aee0194f9a20/ec814672-1a9f-435e-8b58-58fb803b06da;
      KEYCLOAK_REMEMBER_ME=username:alain
      9. Host:
      localhost:8080
      10. Origin:
      http://127.0.0.1:8888
      11. Referer:
      http://127.0.0.1:8888/Main.html
      12. User-Agent:
      Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like
      Gecko) Chrome/39.0.2171.71 Safari/537.36
      6. Form Dataview sourceview URL encoded
      1. code:

      sCnqEAuF8YuobscjJnCKdGu6xqnZ-CsqT5prXc5i7os.b9cda44e-50d6-49dd-b30a-dee68b530662
      7. Response Headersview source
      1. Access-Control-Allow-Credentials:
      true
      2. Access-Control-Allow-Headers:
      Origin, Accept, X-Requested-With, Content-Type,
      Access-Control-Request-Method, Access-Control-Request-Headers,
Authorization
      3. Access-Control-Allow-Methods:
      POST
      4. Access-Control-Allow-Origin:
      http://127.0.0.1:8888
      5. Access-Control-Expose-Headers:
      Access-Control-Allow-Methods
      6. Access-Control-Max-Age:
      3600
      7. Connection:
      keep-alive
      8. Content-Type:
      application/json
      9. Date:
      Tue, 02 Dec 2014 14:51:47 GMT
      10. Server:
      WildFly/8
      11. Transfer-Encoding:
      chunked
      12. X-Powered-By:
      Undertow/1


Now I wait 5+ minutes, forcing keycloak to use the refresh token. Since
this uses the refresh URI for the first time, Chrome performs a preflight
check:


   1. Remote Address:
   127.0.0.1:8080
   2. Request URL:
   http://localhost:8080/auth/realms/GameSeeder/tokens/refresh
   3. Request Method:
   OPTIONS
   4. Status Code:
   200 OK
   5. Request Headersview source
      1. Accept:
      */*
      2. Accept-Encoding:
      gzip, deflate, sdch
      3. Accept-Language:
      en-US,en;q=0.8
      4. Access-Control-Request-Headers:
      authorization, content-type
      5. Access-Control-Request-Method:
      POST
      6. Connection:
      keep-alive
      7. Host:
      localhost:8080
      8. Origin:
      http://127.0.0.1:8888
      9. Referer:
      http://127.0.0.1:8888/Main.html
      10. User-Agent:
      Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like
      Gecko) Chrome/39.0.2171.71 Safari/537.36
      6. Response Headersview source
      1. Access-Control-Allow-Credentials:
      true
      2. Access-Control-Allow-Headers:
      Origin, Accept, X-Requested-With, Content-Type,
      Access-Control-Request-Method, Access-Control-Request-Headers,
Authorization
      3. Access-Control-Allow-Methods:
      GET, HEAD, OPTIONS
      4. Access-Control-Allow-Origin:
      http://127.0.0.1:8888
      5. Access-Control-Max-Age:
      3600
      6. Connection:
      keep-alive
      7. Content-Length:
      0
      8. Date:
      Tue, 02 Dec 2014 15:00:32 GMT
      9. Server:
      WildFly/8
      10. X-Powered-By:
      Undertow/1


Followed by the actual refresh:


   1. Remote Address:
   127.0.0.1:8080
   2. Request URL:
   http://localhost:8080/auth/realms/GameSeeder/tokens/refresh
   3. Request Method:
   POST
   4. Status Code:
   200 OK
   5. Request Headersview source
      1. Accept:
      */*
      2. Accept-Encoding:
      gzip, deflate
      3. Accept-Language:
      en-US,en;q=0.8
      4. Authorization:
      Basic R2FtZVNlZWRlcjoyYTczYTQ0Yi1lMGFhLTRiMTYtODk2OC1hY2YwZTVlMGVlNTk=
      5. Connection:
      keep-alive
      6. Content-Length:
      699
      7. Content-type:
      application/x-www-form-urlencoded
      8. Host:
      localhost:8080
      9. Origin:
      http://127.0.0.1:8888
      10. Referer:
      http://127.0.0.1:8888/Main.html
      11. User-Agent:
      Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like
      Gecko) Chrome/39.0.2171.71 Safari/537.36
      6. Form Dataview sourceview URL encoded
      1. grant_type:
      refresh_token
      2. refresh_token:

      eyJhbGciOiJSUzI1NiJ9.eyJqdGkiOiJjMWZlOGUyNS0yNTlkLTQwYjYtOGFmMS0yMDU0Y2EwMTRkYWEiLCJleHAiOjE0MTc1MzkxMDcsIm5iZiI6MCwiaWF0IjoxNDE3NTMxOTA3LCJpc3MiOiJHYW1lU2VlZGVyIiwic3ViIjoiOTY0ZjkwNWMtZTg2ZC00NDUzLWE3MzItYWVlMDE5NGY5YTIwIiwidHlwIjoiUkVGUkVTSCIsImF6cCI6IkdhbWVTZWVkZXIiLCJzZXNzaW9uX3N0YXRlIjoiZWM4MTQ2NzItMWE5Zi00MzVlLThiNTgtNThmYjgwM2IwNmRhIiwicmVhbG1fYWNjZXNzIjp7InJvbGVzIjpbInVzZXIiXX0sInJlc291cmNlX2FjY2VzcyI6eyJhY2NvdW50Ijp7InJvbGVzIjpbInZpZXctcHJvZmlsZSIsIm1hbmFnZS1hY2NvdW50Il19fX0.HlAXTyosQ4SHL2WyqRVMDEwN2TXNQyqTKE8PRkbhnbhjJPq4alDP2mCBH2RV3a5KPDCTj1-H-bnKpebrV8fOWNVrQCCL5NN6t7KEYLH1hA75ak_xWSUNzz7s_ZlW9AVucuMCFk1-bXnDaQOilU9JOS2yomQYa4PvexmrbzEJ5Bs
      7. Response Headersview source
      1. Access-Control-Allow-Credentials:
      true
      2. Access-Control-Allow-Headers:
      Origin, Accept, X-Requested-With, Content-Type,
      Access-Control-Request-Method, Access-Control-Request-Headers,
Authorization
      3. Access-Control-Allow-Methods:
      POST
      4. Access-Control-Allow-Origin:
      http://127.0.0.1:8888
      5. Access-Control-Expose-Headers:
      Access-Control-Allow-Methods
      6. Access-Control-Max-Age:
      3600
      7. Connection:
      keep-alive
      8. Content-Type:
      application/json
      9. Date:
      Tue, 02 Dec 2014 15:00:32 GMT
      10. Server:
      WildFly/8
      11. Transfer-Encoding:
      chunked
      12. X-Powered-By:
      Undertow/1




On Tue, Dec 2, 2014 at 7:49 AM, Stian Thorgersen <stian at redhat.com> wrote:

>
>
> ----- Original Message -----
> > From: "Alain Penders" <alain at rexorient.com>
> > To: "Stian Thorgersen" <stian at redhat.com>
> > Cc: keycloak-dev at lists.jboss.org
> > Sent: Tuesday, 2 December, 2014 3:43:13 PM
> > Subject: Re: [keycloak-dev] Fwd: Preflight for token refresh
> >
> > I'm testing my UI using GWTs Super Dev Mode, which means its origin is
> set
> > to http://127.0.0.1:8888.    Keycloak runs on http://127.0.0.1:8080/auth
> .
>
> Yes, that requires CORS, but doesn't necessarily require a PREFLIGHT
> request. My guess is that "GWTs Super Dev Mode" sets some custom headers on
> all requests.
>
> >
> > On Tue, Dec 2, 2014 at 7:32 AM, Stian Thorgersen <stian at redhat.com>
> wrote:
> >
> > > It's the correct approach to add the preflight. Please send a PR and
> we'll
> > > merge it.
> > >
> > > Out of curiosity do you know why it's sending a preflight in your app?
> It
> > > doesn't when I test it out here, which AFAIK is correct according to
> spec
> > > (content-type is application/x-www-form-urlencoded and there's no
> custom
> > > headers set).
> > >
> > > ----- Original Message -----
> > > > From: "Alain Penders" <alain at rexorient.com>
> > > > To: keycloak-dev at lists.jboss.org
> > > > Sent: Tuesday, 2 December, 2014 3:04:50 PM
> > > > Subject: [keycloak-dev] Fwd: Preflight for token refresh
> > > >
> > > > Hi all,
> > > >
> > > > I'm building a new app using GWT 2.7 using the Keycloak javascript
> > > adapter
> > > > and GWT jsInterop. This works extremely well.
> > > >
> > > > The problem I ran into is if I walk away for 5 minutes and then try
> to do
> > > > something, the token refresh fails on preflight. As shown in the
> > > > documentation, I call keycloak.updateToken(30) to refresh the base
> token
> > > in
> > > > case it has expired. Since in this case it has indeed expired,
> keycloak
> > > > makes a call to /auth/realms/<myrealm>/tokens/refresh. The OPTIONS
> call
> > > to
> > > > this location doesn't contain the Accept headers, and my app ends up
> > > dead in
> > > > the water.
> > > >
> > > > To fix this, I added the following code to OpenIDConnectService:
> > > >
> > > > /**
> > > > * CORS preflight path for refresh token requests
> > > > *
> > > > * @return
> > > > */
> > > > @Path("refresh")
> > > > @OPTIONS
> > > > @Produces(MediaType.APPLICATION_JSON)
> > > > public Response refreshAccessTokenPreflight() {
> > > > if (logger.isDebugEnabled()) {
> > > > logger.debugv("cors request from: {0}",
> > > > request.getHttpHeaders().getRequestHeaders().getFirst("Origin"));
> > > > }
> > > > return Cors.add(request, Response.ok()).auth().preflight().build();
> > > > }
> > > >
> > > > If this wasn't the correct solution for my problem, I'd enjoy hearing
> > > where I
> > > > went wrong.
> > > >
> > > > Thanks,
> > > > Alain
> > > >
> > > >
> > > > _______________________________________________
> > > > keycloak-dev mailing list
> > > > keycloak-dev at lists.jboss.org
> > > > https://lists.jboss.org/mailman/listinfo/keycloak-dev
> > >
> >
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-dev/attachments/20141202/15ab7f95/attachment-0001.html 


More information about the keycloak-dev mailing list