[keycloak-user] Cors not working Final 1.2

Stian Thorgersen stian at redhat.com
Thu May 28 08:01:48 EDT 2015


Looks like what's happening is that you're doing an XMLHttpRequest to a resource that requires authentication. In this case the adapter returns a 302 and it'll be redirected to the login screen on the Keycloak server.

The login screen is not expected to be invoked with XMLHttpRequest/CORS so it shouldn't have CORS headers.

Further, the Keycloak adapter only adds CORS headers when a bearer token is present (Authorization: Bearer ...). If you want CORS headers for non-protected endpoints you'll have to add those yourself, as Keycloak pulls the permitted origins from the bearer token.

Just make sure you invoke your secured endpoints with a valid bearer token and it should work fine. With regards to it returning a 302 for an XMLHttpRequest, that's an improvement we can do in the adapters to only do that if the Accept header contains text/html.

----- Original Message -----
> From: "Henk Laracker" <Henk.Laracker at planonsoftware.com>
> To: "Stian Thorgersen" <stian at redhat.com>
> Cc: "Mark Bertels" <Mark.Bertels at planonsoftware.com>, keycloak-user at lists.jboss.org
> Sent: Thursday, 28 May, 2015 1:38:12 PM
> Subject: Re: [keycloak-user] Cors not working Final 1.2
> 
> As requested:
> 
> 
> cors keycloak.json - http://pastebin.com/raw.php?i=n9McFRGH
> app1 keycloak.json - http://pastebin.com/raw.php?i=jaL0c6us
> 
> index.html  - http://pastebin.com/raw.php?i=SndsyL8F
> test.txt - http://pastebin.com/raw.php?i=BeaRUCHE
> 
> Thanks for looking in.
> 
> 
> On 28/05/15 12:22, "Stian Thorgersen" <stian at redhat.com> wrote:
> 
> >
> >
> >----- Original Message -----
> >> From: "Henk Laracker" <Henk.Laracker at planonsoftware.com>
> >> To: keycloak-user at lists.jboss.org
> >> Cc: "Mark Bertels" <Mark.Bertels at planonsoftware.com>
> >> Sent: Thursday, 28 May, 2015 12:01:47 PM
> >> Subject: [keycloak-user] Cors not working Final 1.2
> >> 
> >> Hi,
> >> 
> >> Cors headers missing during login procedure of keycloak
> >> 
> >> 
> >> ===============================
> >> Step 1 - Prepare keycloak realm:
> >> ===============================
> >> 
> >> Create a simple keycloak realm for testing,
> >> 
> >> ===============================
> >> Step 2 - Create a user
> >> ===============================
> >> 
> >> Add a user and a client to the realm
> >> The client should be configured as follows:
> >> 
> >> Client Protocol openid-connect
> >> Access Type public
> >> 
> >> Valid redirect URIs: http://localhost/*
> >> http://localhost
> >> Web origins: http://localhost/*
> >> http://localhost
> >> 
> >> ===============================
> >> Step 3 - Create test application on tomcat
> >> ===============================
> >> 
> >> On a given tomcat server (I'm using localhost for this example) add 2 web
> >> applications:
> >> app1 with a simple index.html
> >> cors with a simple test.txt with the content "Some data"
> >> 
> >> The following URLs are now available:
> >> http://localhost/app1/index.html
> >> http://localhost/cors/test.txt
> >> 
> >> In http://localhost/app1/index.html create javascript which loads data from
> >> http://localhost/cors/test.txt
> >> 
> >> If you go to http://localhost/app1/index.html now, a GET will be performed to
> >> http://localhost/cors/test.txt and the data is displayed
> >> 
> >> 
> >> ===============================
> >> Step 4 - Adding keycloak to the applications
> >> ===============================
> >> 
> >> Add keycloak configuration on "app1".
> >> 
> >> 
> >> Add keycloak configuration on "cors"
> >> Additionally, add
> >> "enable-cors": "true"
> >> to the json file.
> >> 
> >> ===============================
> >> Step 5 - Log in to app1
> >> ===============================
> >> 
> >> If you log in to app1 in a new browser the data from app "cors" will not be
> >> loaded. The following error will be displayed in the console of your browser
> >> (using chrome)
> >> 
> >> XMLHttpRequest cannot load
> >> 
> >>http://localhost-auth:8080/auth/realms/test/protocol/openid-connect/auth?
> >>reŠlient%2Ftest.txt&state=6%2Fa1e9817b-7f9b-4d30-ab4e-17637c9d190a&login=
> >>true.
> >> No 'Access-Control-Allow-Origin' header is present on the requested resource.
> >> Origin 'http://localhost' is therefore not allowed access.
> >
> >This request to "/protocol/openid-connect/auth" makes no sense to me. How
> >are you invoking this? Can you include the source for index.html?
> >
> >> 
> >> 
> >> If it loaded the data, make sure that you're logged out, or try it in private
> >> browsing mode.
> >> 
> >> 
> >> ===============================
> >> Expected result
> >> ===============================
> >> 
> >> We expected "Access-Control-Allow-Origin" to be set to the "Web origins",
> >> allowing for cross-application requests without editing existing applications.
> >> 
> >> 
> >> 
> >> Met vriendelijke groet / Yours sincerely / Mit freundlichen Grüßen / Très
> >> cordialement,
> >> 
> >> 
> >> 
> >> 
> >> Henk Laracker
> >> 
> >> _______________________________________________
> >> keycloak-user mailing list
> >> keycloak-user at lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/keycloak-user
> 
>
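As an added illustration (not code from Keycloak or from anyone in this thread): a small JavaScript model of the adapter decision described in the reply above, assuming a token that carries an `allowed-origins` claim and a placeholder signature, with `htmlOnlyRedirect` standing in for the proposed Accept-header improvement.

```javascript
// Added illustration, not Keycloak's own adapter code: a model of the decision
// the reply above describes. Without a bearer token the adapter redirects to
// the login page (which carries no CORS headers); with one, it sets
// Access-Control-Allow-Origin from the token's permitted origins. The token
// handling is a constructed stand-in; a real adapter verifies the signature
// before trusting any claim.
const LOGIN_URL =
  "http://localhost-auth:8080/auth/realms/test/protocol/openid-connect/auth";

function b64url(s) { // base64url-encode a string (JWT alphabet, no padding)
  return Buffer.from(s).toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}
function fromB64url(s) {
  return Buffer.from(s.replace(/-/g, "+").replace(/_/g, "/"), "base64").toString("utf8");
}

// Constructed token: header, payload with an "allowed-origins" claim, placeholder signature.
function makeToken(origins) {
  return [b64url(JSON.stringify({ alg: "RS256", typ: "JWT" })),
          b64url(JSON.stringify({ "allowed-origins": origins })),
          "PLACEHOLDER_SIGNATURE"].join(".");
}

function decodeClaims(token) { // signature verification assumed to happen elsewhere
  return JSON.parse(fromB64url(token.split(".")[1]));
}

// req: { headers: { authorization, origin, accept } }. htmlOnlyRedirect models the
// improvement suggested in the reply: redirect only browser navigations, not XHR.
function handleProtectedRequest(req, opts = { htmlOnlyRedirect: false }) {
  const h = req.headers || {};
  const auth = h.authorization || "";
  if (!auth.startsWith("Bearer ")) {
    // No bearer token: a 302 to the login page. An XHR following it lands on a
    // page without CORS headers, which is exactly the console error in the thread.
    if (!opts.htmlOnlyRedirect || (h.accept || "").includes("text/html")) {
      return { status: 302, headers: { Location: LOGIN_URL } };
    }
    return { status: 401, headers: {} }; // XHR caller gets a plain 401 instead
  }
  const allowed = decodeClaims(auth.slice("Bearer ".length))["allowed-origins"] || [];
  const headers = {};
  if (h.origin) {
    if (!allowed.includes(h.origin)) return { status: 403, headers }; // origin not permitted
    headers["Access-Control-Allow-Origin"] = h.origin; // permitted origin comes from the token
  }
  return { status: 200, headers, body: "Some data" };
}
```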