[keycloak-user] How to set up CORS for javascript calling a REST app

Bill Burke bburke at redhat.com
Mon May 12 11:25:31 EDT 2014 

If I don't ping you by late tomorrow with an example for you, feel free 
to chastise me :)

On 5/10/2014 10:00 PM, Boettcher, Jim wrote:
> Keycloak is deployed on localhost port 8080.
> The gui-app is deployed on myhost.domain.com/gui-app
> The rest-app is deployed on myhost.domain.com/rest-app
>
> The XHR origin is myhost.domain.com/gui-app. This app is setup and configured to use the as7-adapter installed as a JBoss module. The XHR request made to the rest-app is a GET request (I tried POST and got same  error). The rest-app is also set up and configured to use the as7-adapter. The XHR request to the rest-app is intercepted by the adapter which attempts to get an access code from the Keycloak server which it would then exchange for an access token. The adapter on the rest-app fails after it receives the redirected response from Keycloak with the access code. It tries to send a redirect response with the access code stripped off but this fails as explained before.
>
>
> -----Original Message-----
> From: Bill Burke [mailto:bburke at redhat.com]
> Sent: Friday, May 09, 2014 5:38 PM
> To: Boettcher, Jim; Stian Thorgersen
> Cc: keycloak-user at lists.jboss.org
> Subject: Re: How to set up CORS for javascript calling a REST app
>
> I want to reproduce your setup as a CORS example.  So your setup is?
>
> 1. Keycloak deployed on auth.domain.com
> 2. gui-app deployed on gui.domain.com
> 3. rest-app deployed on rest-app.domain.com
>
> Is that right?
>
> The XHR's origin is "gui.domain.com" correct?  This request to rest-app is made using the access token (bearer auth)?  Just curious, how do you obtain the access token?
>
> If that is correct, I'll put together an example that you can try out within master.
>
>
>
> On 5/9/2014 5:23 PM, Boettcher, Jim wrote:
>> Here is some more information on my problem.
>> I have done a local build with the source from 5/8/2014.
>> I deployed the auth-server to JBoss 7.1.1 running at localhost:8080
>> I deployed the as7-adapter to JBoss 7.1.1 running at myhost.net:7116
>> I have 2 applications running on the server at myhost.net:7116
>>    1. gui-app - a jsp that uses Angular.js to make an Ajax call to a REST service in rest-app
>>    2. rest-app - a REST service
>> Both the gui-app and rest-app are configured to be secured by the auth-server.
>>
>> When the jsp from gui-app is requested it will get redirected to the auth-server and get the login form and successfully login. I can see the KEYCLOAK_IDENTITY cookie set and get the access code and exchange the access code for an access token. Everything looks good.
>>
>> When the Ajax request is made to  the rest-app the problems start.
>> First of all for the Anguar.js config I had to set $httpProvider.defaults.withCredentials = true or the KEYCLOAK_IDENTITY cookie would not get sent when the request was redirected to the auth-server.
>> In the Cors.build() method the origin value from the request is null so none of this code executes. This may be because I have the auth-server and my apps on different instances of JBoss with different domains.
>> Also since I have already successfully logged in (with the call from the jsp) the method that gets called is in OAuthFlows. redirectAccessCode (). This method does not set any of the Access-Control-Allow-* methods and I get an error in the browser console:
>> XMLHttpRequest cannot load http://localhost:8080/auth/realms/demo/tokens/login?client_id=rest-app&redi…backuptypeoption&state=9%2F17236f38-06ff-4fe7-a44d-4ddaaf7fb048&login=true. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://myhost.net:7116' is therefore not allowed access.
>>
>> If I modify the code to add the Access-Control-Allow-* headers to the response, I get further along. Now the redirect with the access code get processed by the adapter. When the adapter strips the access code and sends back a redirect response without the access code it does not add the Access-Control-Allow-* headers so this fails with the error:
>> XMLHttpRequest cannot load https://myhost.net:7116/rest-app/restws/backupt…FHbNf0z2R0hVsU6QBMamaEVUvtQ&state=5%2F31a2cfc8-3250-4270-8e01-026bbfd0f243. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'null' is therefore not allowed access.
>>
>> Modifying the adapter to add the Access-Control-Allow-* for this redirect response gets a little further. Now the problem is that the Origin=null in the request header and I get this error:
>> XMLHttpRequest cannot load https://myhost.net:7116/rest-app/restws/backupt…5LL8dP6-ZEEE_t1fLf-OrJBTM6M&state=7%2F602fb48a-216e-47d9-a10a-d142a7250987. The 'Access-Control-Allow-Origin' header has a value 'https://myhost.net:7116' that is not equal to the supplied origin. Origin 'null' is therefore not allowed access.
>>
>> I tried to set the Access-Control-Allow-Origin = * to get around this null issue, but then I get an error:
>> A wildcard '*' cannot be used in the 'Access-Control-Allow-Origin' header when the credentials flag is true. Origin 'null' is therefore not allowed access.
>> But I have to set the credentials flag to true in order to get the KEYCLOAK_IDENTITY cookie to be sent.
>>
>> Can you look into these problems and let me know if there is a way to get this working for the applications that I have?
>>
>> Thanks
>> -Jim
>>
>> -----Original Message-----
>> From: Boettcher, Jim
>> Sent: Tuesday, May 06, 2014 8:31 AM
>> To: 'Stian Thorgersen'; Bill Burke
>> Cc: keycloak-user at lists.jboss.org
>> Subject: RE: How to set up CORS for javascript calling a REST app
>>
>> I first tried with the Alpa-3 release.
>> I then did a build with latest source and deployed the auth-server.war and the keycloak-as7-adapter module. I still have the same problem with the latest source.
>>
>> I also noticed that with the latest source running on JBoss 7.1.1 when I tried to  import a realm I get this error:
>> Caused by: java.lang.NoSuchMethodError: org.jboss.resteasy.plugins.providers.multipart.InputPart.setMediaType(Ljavax/ws/rs/core/MediaType;)V
>> 	at org.keycloak.services.resources.admin.RealmsAdminResource.uploadRealm(RealmsAdminResource.java:132) [keycloak-services-1.0-beta-1-SNAPSHOT.jar:]
>> 	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_45]
>> 	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.7.0_45]
>> 	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_45]
>> 	at java.lang.reflect.Method.invoke(Method.java:606) [rt.jar:1.7.0_45]
>> 	at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:155) [resteasy-jaxrs-2.3.2.Final.jar:]
>> 	at org.jboss.resteasy.core.ResourceMethod.invokeOnTarget(ResourceMethod.java:257) [resteasy-jaxrs-2.3.2.Final.jar:]
>> 	at org.jboss.resteasy.core.ResourceMethod.invoke(ResourceMethod.java:222) [resteasy-jaxrs-2.3.2.Final.jar:]
>> 	at org.jboss.resteasy.core.ResourceLocator.invokeOnTargetObject(ResourceLocator.java:152) [resteasy-jaxrs-2.3.2.Final.jar:]
>> 	at org.jboss.resteasy.core.ResourceLocator.invoke(ResourceLocator.java:91) [resteasy-jaxrs-2.3.2.Final.jar:]
>> 	at org.jboss.resteasy.core.SynchronousDispatcher.getResponse(SynchronousDispatcher.java:525) [resteasy-jaxrs-2.3.2.Final.jar:]
>>
>> Jim
>>
>>
>> -----Original Message-----
>> From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Stian Thorgersen
>> Sent: Tuesday, May 06, 2014 4:55 AM
>> To: Bill Burke
>> Cc: keycloak-user at lists.jboss.org
>> Subject: Re: [keycloak-user] How to set up CORS for javascript calling a REST app
>>
>> I added some fixes to CORS in the adapters that haven't made it into a release yet. Have you tried with building the server from source?
>>
>> ----- Original Message -----
>>> From: "Bill Burke" <bburke at redhat.com>
>>> To: keycloak-user at lists.jboss.org
>>> Sent: Monday, 5 May, 2014 11:42:11 PM
>>> Subject: Re: [keycloak-user] How to set up CORS for javascript calling
>>> a REST app
>>>
>>> You are using the latest release? I'll take a look.  I don't have any
>>> unit tests for the CORs stuff in the last alpha release (have some in
>>> trunk though) and I don't think I tested it manually either.
>>>
>>> On 5/5/2014 3:41 PM, Boettcher, Jim wrote:
>>>> Hi,
>>>>
>>>> I’m trying to get CORS working for a javascript app. The javascript
>>>> app
>>>> (gui_app) is making AJAX requests to a different REST app (rest_app).
>>>>
>>>> In the Keycloak admin console I created an application for the
>>>> rest_app application and set a Web Origin of “*” . I then copied the
>>>> Installation for Jboss Subsystem XML to the standalone.xml of the
>>>> JBoss 7.1.1 server that the rest_app is running on. I modified the
>>>> configuration to add
>>>>
>>>> <enable-cors>true</enable-cors>
>>>>
>>>> When I try to open the gui_app from Chrome I get errors like:
>>>>
>>>> XMLHttpRequest cannot load
>>>> http://localhost:8080/auth/rest/realms/dp-gui/tokens/login?client_id=rest_app&redirect_uri=https%3A%2F%2Flocalhost%3A7116%2Frest_app%2Frestws%2Ftimezone&state=3%2F502272ab-ab8f-4d9e-b8ea-4484a81de15c&login=true.
>>>> No 'Access-Control-Allow-Origin' header is present on the requested
>>>> resource. Origin 'https://localhost:7116' is therefore not allowed access.
>>>>
>>>> I’ve tried playing with various settings but can’t get anything to work.
>>>>
>>>> Is there an example available for how to get this to work?
>>>>
>>>> Is there anything else that needs to be done on the Keycloak server
>>>> side? Or on the Adapter side?
>>>>
>>>> Thanks,
>>>>
>>>> Jim
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>
>>>
>>> --
>>> Bill Burke
>>> JBoss, a division of Red Hat
>>> http://bill.burkecentral.com
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

More information about the keycloak-user mailing list