[keycloak-user] How to set up CORS for javascript calling a REST app

Boettcher, Jim jim.boettcher at hp.com
Fri May 9 17:23:49 EDT 2014


Here is some more information on my problem.
I have done a local build with the source from 5/8/2014.
I deployed the auth-server to JBoss 7.1.1 running at localhost:8080
I deployed the as7-adapter to JBoss 7.1.1 running at myhost.net:7116
I have 2 applications running on the server at myhost.net:7116
 1. gui-app - a jsp that uses Angular.js to make an Ajax call to a REST service in rest-app
 2. rest-app - a REST service
Both the gui-app and rest-app are configured to be secured by the auth-server.

When the jsp from gui-app is requested it will get redirected to the auth-server and get the login form and successfully login. I can see the KEYCLOAK_IDENTITY cookie set and get the access code and exchange the access code for an access token. Everything looks good.

When the Ajax request is made to the rest-app the problems start.
First of all for the Angular.js config I had to set $httpProvider.defaults.withCredentials = true or the KEYCLOAK_IDENTITY cookie would not get sent when the request was redirected to the auth-server.
In the Cors.build() method the origin value from the request is null so none of this code executes. This may be because I have the auth-server and my apps on different instances of JBoss with different domains.
Also since I have already successfully logged in (with the call from the jsp) the method that gets called is OAuthFlows.redirectAccessCode(). This method does not set any of the Access-Control-Allow-* methods and I get an error in the browser console:
XMLHttpRequest cannot load http://localhost:8080/auth/realms/demo/tokens/login?client_id=rest-app&redi…backuptypeoption&state=9%2F17236f38-06ff-4fe7-a44d-4ddaaf7fb048&login=true. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://myhost.net:7116' is therefore not allowed access.

If I modify the code to add the Access-Control-Allow-* headers to the response, I get further along. Now the redirect with the access code gets processed by the adapter. When the adapter strips the access code and sends back a redirect response without the access code it does not add the Access-Control-Allow-* headers so this fails with the error:
XMLHttpRequest cannot load https://myhost.net:7116/rest-app/restws/backupt…FHbNf0z2R0hVsU6QBMamaEVUvtQ&state=5%2F31a2cfc8-3250-4270-8e01-026bbfd0f243. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'null' is therefore not allowed access.

Modifying the adapter to add the Access-Control-Allow-* for this redirect response gets a little further. Now the problem is that the Origin=null in the request header and I get this error:
XMLHttpRequest cannot load https://myhost.net:7116/rest-app/restws/backupt…5LL8dP6-ZEEE_t1fLf-OrJBTM6M&state=7%2F602fb48a-216e-47d9-a10a-d142a7250987. The 'Access-Control-Allow-Origin' header has a value 'https://myhost.net:7116' that is not equal to the supplied origin. Origin 'null' is therefore not allowed access.

I tried to set the Access-Control-Allow-Origin = * to get around this null issue, but then I get an error:
A wildcard '*' cannot be used in the 'Access-Control-Allow-Origin' header when the credentials flag is true. Origin 'null' is therefore not allowed access. 
But I have to set the credentials flag to true in order to get the KEYCLOAK_IDENTITY cookie to be sent.

Can you look into these problems and let me know if there is a way to get this working for the applications that I have?

Thanks
-Jim
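The three failures above (no Access-Control-Allow-Origin on the redirect, a wildcard rejected once withCredentials is true, and an Origin of 'null' after the cross-origin redirect) are all decisions the browser makes from the response headers. The following is an added example, not Keycloak or adapter code: one function mimics the browser's check for a credentialed request, the other shows how a server can answer it by echoing an allowlisted origin instead of '*'. The allowlist stands in for the Keycloak "Web Origin" setting and is an assumption of the example.

```javascript
// Added example, not Keycloak code. Mimics the checks a browser applies to
// the response of a credentialed cross-origin request. Returns null when the
// response passes, otherwise a reason in the spirit of Chrome's messages.
function checkCorsResponse(requestOrigin, withCredentials, headers) {
  const acao = headers["Access-Control-Allow-Origin"];
  const acac = headers["Access-Control-Allow-Credentials"];
  if (acao === undefined) {
    return `No 'Access-Control-Allow-Origin' header is present. Origin '${requestOrigin}' is not allowed.`;
  }
  if (acao === "*") {
    // The wildcard is only valid when no credentials (cookies) are sent.
    return withCredentials
      ? "A wildcard '*' cannot be used in 'Access-Control-Allow-Origin' when the credentials flag is true."
      : null;
  }
  if (acao !== requestOrigin) {
    return `'Access-Control-Allow-Origin' has a value '${acao}' that is not equal to the supplied origin '${requestOrigin}'.`;
  }
  if (withCredentials && acac !== "true") {
    return "'Access-Control-Allow-Credentials' must be 'true' when the credentials flag is true.";
  }
  return null;
}

// Server side: headers to put on every response in the flow, redirects
// included, for a given Origin request header. allowedOrigins is an
// assumed allowlist (e.g. ["https://myhost.net:7116"]); "*" may appear in it.
function buildCorsHeaders(requestOrigin, allowedOrigins, withCredentials) {
  // "null" is the serialized origin a browser sends after a cross-origin
  // redirect or from sandboxed/file: contexts; any page can produce it, so
  // it is never echoed back as an allowed origin.
  if (!requestOrigin || requestOrigin === "null") return {};
  const listed = allowedOrigins.includes(requestOrigin);
  const wildcard = allowedOrigins.includes("*");
  if (withCredentials) {
    // Echoing arbitrary origins together with credentials would let every
    // site drive cookie-bearing requests, so "*" does not count here: the
    // origin must be listed explicitly. Vary keeps caches per-origin.
    if (!listed) return {};
    return {
      "Access-Control-Allow-Origin": requestOrigin,
      "Access-Control-Allow-Credentials": "true",
      "Vary": "Origin",
    };
  }
  if (wildcard) return { "Access-Control-Allow-Origin": "*" };
  if (listed) return { "Access-Control-Allow-Origin": requestOrigin, "Vary": "Origin" };
  return {};
}
```

Running checkCorsResponse over the headers Jim's three attempts produced reproduces each error in turn, while the headers from buildCorsHeaders for an explicitly listed origin pass the credentialed check.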

-----Original Message-----
From: Boettcher, Jim 
Sent: Tuesday, May 06, 2014 8:31 AM
To: 'Stian Thorgersen'; Bill Burke
Cc: keycloak-user at lists.jboss.org
Subject: RE: How to set up CORS for javascript calling a REST app

I first tried with the Alpha-3 release.
I then did a build with latest source and deployed the auth-server.war and the keycloak-as7-adapter module. I still have the same problem with the latest source.

I also noticed that with the latest source running on JBoss 7.1.1 when I tried to import a realm I get this error:
Caused by: java.lang.NoSuchMethodError: org.jboss.resteasy.plugins.providers.multipart.InputPart.setMediaType(Ljavax/ws/rs/core/MediaType;)V
	at org.keycloak.services.resources.admin.RealmsAdminResource.uploadRealm(RealmsAdminResource.java:132) [keycloak-services-1.0-beta-1-SNAPSHOT.jar:]
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_45]
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.7.0_45]
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_45]
	at java.lang.reflect.Method.invoke(Method.java:606) [rt.jar:1.7.0_45]
	at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:155) [resteasy-jaxrs-2.3.2.Final.jar:]
	at org.jboss.resteasy.core.ResourceMethod.invokeOnTarget(ResourceMethod.java:257) [resteasy-jaxrs-2.3.2.Final.jar:]
	at org.jboss.resteasy.core.ResourceMethod.invoke(ResourceMethod.java:222) [resteasy-jaxrs-2.3.2.Final.jar:]
	at org.jboss.resteasy.core.ResourceLocator.invokeOnTargetObject(ResourceLocator.java:152) [resteasy-jaxrs-2.3.2.Final.jar:]
	at org.jboss.resteasy.core.ResourceLocator.invoke(ResourceLocator.java:91) [resteasy-jaxrs-2.3.2.Final.jar:]
	at org.jboss.resteasy.core.SynchronousDispatcher.getResponse(SynchronousDispatcher.java:525) [resteasy-jaxrs-2.3.2.Final.jar:]

Jim


-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Stian Thorgersen
Sent: Tuesday, May 06, 2014 4:55 AM
To: Bill Burke
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] How to set up CORS for javascript calling a REST app

I added some fixes to CORS in the adapters that haven't made it into a release yet. Have you tried with building the server from source?

----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: keycloak-user at lists.jboss.org
> Sent: Monday, 5 May, 2014 11:42:11 PM
> Subject: Re: [keycloak-user] How to set up CORS for javascript calling 
> a REST app
> 
> You are using the latest release? I'll take a look.  I don't have any 
> unit tests for the CORS stuff in the last alpha release (have some in 
> trunk though) and I don't think I tested it manually either.
> 
> On 5/5/2014 3:41 PM, Boettcher, Jim wrote:
> > Hi,
> >
> > I’m trying to get CORS working for a javascript app. The javascript 
> > app
> > (gui_app) is making AJAX requests to a different REST app (rest_app).
> >
> > In the Keycloak admin console I created an application for the 
> > rest_app application and set a Web Origin of “*” . I then copied the 
> > Installation for Jboss Subsystem XML to the standalone.xml of the 
> > JBoss 7.1.1 server that the rest_app is running on. I modified the 
> > configuration to add
> >
> > <enable-cors>true</enable-cors>
> >
> > When I try to open the gui_app from Chrome I get errors like:
> >
> > XMLHttpRequest cannot load
> > http://localhost:8080/auth/rest/realms/dp-gui/tokens/login?client_id=rest_app&redirect_uri=https%3A%2F%2Flocalhost%3A7116%2Frest_app%2Frestws%2Ftimezone&state=3%2F502272ab-ab8f-4d9e-b8ea-4484a81de15c&login=true.
> > No 'Access-Control-Allow-Origin' header is present on the requested 
> > resource. Origin 'https://localhost:7116' is therefore not allowed access.
> >
> > I’ve tried playing with various settings but can’t get anything to work.
> >
> > Is there an example available for how to get this to work?
> >
> > Is there anything else that needs to be done on the Keycloak server 
> > side? Or on the Adapter side?
> >
> > Thanks,
> >
> > Jim
> >
> >
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
> 
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
