[keycloak-user] CORS Problem

Marek Posolda mposolda at redhat.com
Wed Jan 28 04:57:37 EST 2015


Hi,

It looks to me that your CORS settings on the adapter side and also for 
your frontend application look good. However, Keycloak returned 403 
Forbidden and hence did not add CORS headers (we add CORS headers 
after successful authentication). Do you have something in the server log?

What I would try is:
- Temporarily set "ssl-required" to "none" in the adapter configuration

- If it doesn't help, then see how it behaves if both the frontend 
application and the REST application are on the same origin (either 
http://162.244.28.89:8080 or http://162.244.28.89)

- Maybe using a hostname like "myhost.com" instead of the IP address could 
help. If you have the opportunity to temporarily add a virtual host and use 
a hostname, it's worth a try (it's strange, but who knows...)

Marek


On 27.1.2015 07:55, Brem, Robert wrote:
>
> Hy @ll,
>
> For my current project I use Docker and run each service in its own 
> container, and spread the services over multiple servers. All 
> connected via REST.
>
> For the security I found Keycloak, and I think it's a really cool 
> tool. But I was never the best friend of security… JASS/Spring Security…
>
> My problem is, I try to use the CORS example 
> (https://github.com/keycloak/keycloak/tree/master/examples/cors). I 
> also use AngularJS for the frontend, which consumes multiple REST services.
>
> But I can't get it to work. I always get the following error:
>
> XMLHttpRequest cannot load 
> http://162.244.28.89:8080/BrandService/resources/brands/. No 
> 'Access-Control-Allow-Origin' header is present on the requested 
> resource. Origin 'http://162.244.28.89' is therefore not allowed 
> access. The response had HTTP status code 403.
>
> Google Chrome gives me the following output for the HTTP request:
>
> Remote Address:162.244.28.89:8080
> Request URL:http://162.244.28.89:8080/BrandService/resources/brands/
> Request Method:GET
> Status Code:403 Forbidden
>
> Request Headers:
> Accept:application/json, text/plain, */*
> Accept-Encoding:gzip, deflate, sdch
> Accept-Language:de-DE,de;q=0.8,en-US;q=0.6,en;q=0.4
> Authorization:Bearer eyJhbGciOiJSUzI1NiJ9….ay2Sr-GP0CYfSDV7O2Q8sNyx91RgHdhy2S600NYEHUFG2VoF5cRCDBJpkuPbcXVtz2liMy-80S3KY9lfII
> Connection:keep-alive
> Host:162.244.28.89:8080
> Origin:http://162.244.28.89
> Referer:http://162.244.28.89/
> User-Agent:Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.99 Safari/537.36
>
> Response Headers:
> Cache-Control:no-cache, no-store, must-revalidate
> Connection:keep-alive
> Content-Length:68
> Content-Type:text/html;charset=UTF-8
> Date:Fri, 23 Jan 2015 19:23:33 GMT
> Expires:0
> Pragma:no-cache
> Server:WildFly/8
> X-Powered-By:Undertow/1
>
> What I don't get is the response headers. Shouldn't there be the 
> following header settings:
>
> Access-Control-Allow-Credentials:true
> Access-Control-Allow-Headers:origin,accept,content-type
> Access-Control-Allow-Methods:GET, POST, PUT, DELETE, OPTIONS, HEAD
> Access-Control-Allow-Origin:*
> Access-Control-Max-Age:151200
> Allow:HEAD, POST, GET, OPTIONS, PUT
>
> My keycloak.json looks like this:
>
> {
>   "realm": "openPixx",
>   "realm-public-key": "…bmwCckE..gWjLQIDAQAB",
>   "ssl-required": "external",
>   "resource": "BrandService",
>   "bearer-only": true,
>   "cors-max-age" : 1000,
>   "enable-cors": true,
>   "cors-allowed-methods" : "POST, PUT, DELETE, GET"
> }
>
> In Keycloak I've defined the BrandFrontend client:
>
> Enabled: true
> Client Protocol: openid-connect
> Access Type: public
> Redirect URL: http://162.244.28.89/*
> Web Origin: http://162.244.28.89
>
> For the AngularJS part I've used the authInterceptor from the example.
>
> If you have read this far: thank you very much, and sorry for my bad English :)
>
> Greets
>
> Rob
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
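An added diagnostic, not from the original thread or from the Keycloak project: it replays the browser's request outside the browser and classifies the response using the point Marek makes above, that the adapter only adds CORS headers after the bearer token was accepted, so a 403 with no Access-Control-Allow-Origin points at authentication (ssl-required, token), not at the CORS settings. `probe` and `diagnose` are hypothetical helper names; `probe` needs network access, `diagnose` does not.

```python
"""Tell an authentication failure apart from a CORS misconfiguration.

The Keycloak adapter adds CORS headers only after it has accepted the
bearer token, so a 401/403 never carries Access-Control-Allow-Origin and
the browser reports it as a CORS error even though CORS is not the cause.
"""
import urllib.request
from urllib.error import HTTPError


def probe(url, origin, token):
    """Replay the browser's request so the raw status and response headers
    are visible (the browser only shows the CORS error). Hypothetical helper."""
    req = urllib.request.Request(url, headers={
        "Origin": origin,
        "Authorization": "Bearer " + token,
        "Accept": "application/json",
    })
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, dict(resp.headers)
    except HTTPError as err:
        # 4xx/5xx still carry headers; keep them for diagnosis.
        return err.code, dict(err.headers)


def diagnose(status, headers, origin):
    """Return a one-line classification for a (status, headers) pair.

    Header names are matched case-insensitively; `origin` is the value the
    browser sent in its Origin header.
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    acao = hdrs.get("access-control-allow-origin")
    if status in (401, 403):
        # CORS headers are added after successful auth, so none are expected here.
        return ("auth-failed: the adapter rejected the request before adding "
                "CORS headers; check the server log, ssl-required and the "
                "bearer token rather than the CORS settings")
    if acao is None:
        return ("cors-disabled: request accepted but no Access-Control-Allow-"
                "Origin was added; check enable-cors and the client's Web Origins")
    if acao not in ("*", origin):
        return f"origin-mismatch: server allows {acao!r}, browser sent {origin!r}"
    return "ok"


if __name__ == "__main__":
    # Constructed from the response quoted in the thread above.
    print(diagnose(403, {"Server": "WildFly/8", "Content-Type": "text/html"},
                   "http://162.244.28.89"))
```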
