[keycloak-dev] KC + apiman + CORS
Eric Wittmann
eric.wittmann at redhat.com
Fri Aug 21 10:17:16 EDT 2015
Well, I was going to wait on this until I've done some more testing and
really come up to speed. But can have a go at it now with what I know.
After looking into it, we are in fact *not* using the KC CORS support.
Why are we not using it? That's a great question with a real answer...
but it's what I need more time to figure out. Perhaps @msavy has some
insight into that.
In any case, we've implemented our own CORS support for our API (as a
simple filter). However, as you can imagine it doesn't work for
preflighting because KC denies the OPTIONS request since it doesn't
include the auth creds (the browser doesn't send auth creds for
preflight requests).
So I guess we either need to use the KC CORS support, in which case I
need to figure out why we *stopped* using it. Or else we'd need to
request a way to bypass KC auth for OPTIONS requests.
More information about the keycloak-dev
mailing list