[keycloak-user] Cors not working Final 1.2

Henk Laracker Henk.Laracker at planonsoftware.com
Fri May 29 10:27:21 EDT 2015


On 29/05/15 09:19, "Stian Thorgersen" <stian at redhat.com> wrote:

>I assume you've secured http://localhost/app1 and http://localhost/cors
>with the Keycloak Tomcat adapter?

Yes

>
>For cors app you should select bearer-only as the client type, that'll
>prevent the redirect with XMLHttpRequest. Bearer only applications are
>"services" that only verify tokens sent in requests, but don't allow
>users to login directly. You also need to make sure that
>http://localhost/cors/test.txt is secured properly, in web.xml if that's
>how you secure it. Once deployed check that you can visit
>http://localhost/cors/test.txt in the browser.
>
>Next step would be to make sure http://localhost/app1 sends the bearer
>token in the authorization header when invoking cors/test.txt

This means that I have to change my application and send the token. In the
example I can, but in real life I can't change the application. Is there
no other way?

>
>----- Original Message -----
>> From: "Henk Laracker" <Henk.Laracker at planonsoftware.com>
>> To: "Stian Thorgersen" <stian at redhat.com>
>> Cc: "Mark Bertels" <Mark.Bertels at planonsoftware.com>,
>>keycloak-user at lists.jboss.org
>> Sent: Thursday, May 28, 2015 8:18:31 PM
>> Subject: Re: [keycloak-user] Cors not working Final 1.2
>> 
>> I understand, but we have some weird behaviour once we've logged in into
>> http://localhost/app1/index.html .
>> 
>> If you first login on http://localhost/app1/index.html , then go directly
>> to http://localhost/cors/test.txt we are able to see the txt file without
>> logging in.
>> When we go back to http://localhost/app1/index.html it's working as
>> intended, and we get no keycloak redirect.
>> 
>> 
>> 
>> 
>> On 28/05/15 14:01, "Stian Thorgersen" <stian at redhat.com> wrote:
>> 
>> >Looks like what's happening is that you're doing an XMLHttpRequest to a
>> >resource that requires authentication. In this case the adapter returns a
>> >302 and it'll be redirected to the login screen on the Keycloak server.
>> >
>> >The login screen is not expected to be invoked with XMLHttpRequest/CORS
>> >so it shouldn't have CORS headers.
>> >
>> >Further the Keycloak adapter only adds CORS headers when a bearer token
>> >is present (Authorization: Bearer ...). If you want CORS headers for
>> >non-protected endpoints you'll have to add those yourself as Keycloak
>> >pulls the permitted origins from the bearer token.
>> >
>> >Just make sure you invoke your secured endpoints with a valid bearer
>> >token and it should work fine. With regards to it returning a 302 for an
>> >XMLHttpRequest that's an improvement we can do in the adapters to only do
>> >that if Accept header contains text/html.
>> >
>> >----- Original Message -----
>> >> From: "Henk Laracker" <Henk.Laracker at planonsoftware.com>
>> >> To: "Stian Thorgersen" <stian at redhat.com>
>> >> Cc: "Mark Bertels" <Mark.Bertels at planonsoftware.com>,
>> >>keycloak-user at lists.jboss.org
>> >> Sent: Thursday, 28 May, 2015 1:38:12 PM
>> >> Subject: Re: [keycloak-user] Cors not working Final 1.2
>> >> 
>> >> As requested:
>> >> 
>> >> 
>> >> cors keycloak.json - http://pastebin.com/raw.php?i=n9McFRGH
>> >> app1 keycloak.json - http://pastebin.com/raw.php?i=jaL0c6us
>> >> 
>> >> index.html  - http://pastebin.com/raw.php?i=SndsyL8F
>> >> test.txt - http://pastebin.com/raw.php?i=BeaRUCHE
>> >> 
>> >> Thanks for looking in.
>> >> 
>> >> 
>> >> On 28/05/15 12:22, "Stian Thorgersen" <stian at redhat.com> wrote:
>> >> 
>> >> >
>> >> >
>> >> >----- Original Message -----
>> >> >> From: "Henk Laracker" <Henk.Laracker at planonsoftware.com>
>> >> >> To: keycloak-user at lists.jboss.org
>> >> >> Cc: "Mark Bertels" <Mark.Bertels at planonsoftware.com>
>> >> >> Sent: Thursday, 28 May, 2015 12:01:47 PM
>> >> >> Subject: [keycloak-user] Cors not working Final 1.2
>> >> >> 
>> >> >> Hi,
>> >> >> 
>> >> >> Cors headers missing during login procedure of keycloak
>> >> >> 
>> >> >> 
>> >> >> ===============================
>> >> >> Step 1 - Prepare keycloak realm:
>> >> >> ===============================
>> >> >> 
>> >> >> Create a simple keycloak realm for testing,
>> >> >> 
>> >> >> ===============================
>> >> >> Step 2 - Create a user
>> >> >> ===============================
>> >> >> 
>> >> >> Add a user and a client to the realm
>> >> >> The client should be configured as follows:
>> >> >> 
>> >> >> Client Protocol openid-connect
>> >> >> Access Type public
>> >> >> 
>> >> >> Valid redirect URIs: http://localhost/*
>> >> >> http://localhost
>> >> >> Web origins: http://localhost/*
>> >> >> http://localhost
>> >> >> 
>> >> >> ===============================
>> >> >> Step 3 - Create test application on tomcat
>> >> >> ===============================
>> >> >> 
>> >> >> On a given tomcat server (I'm using localhost for this example) add 2
>> >> >> web applications:
>> >> >> app1 with a simple index.html
>> >> >> cors with a simple test.txt with the content "Some data"
>> >> >> 
>> >> >> The following url's are now available:
>> >> >> http://localhost/app1/index.html
>> >> >> http://localhost/cors/test.txt
>> >> >> 
>> >> >> In http://localhost/app1/index.html create javascript which loads data
>> >> >> from http://localhost/cors/test.txt
>> >> >> 
>> >> >> If you go to http://localhost/app1/index.html now, a GET will be
>> >> >> performed to http://localhost/cors/test.txt and the data is displayed
>> >> >> 
>> >> >> 
>> >> >> ===============================
>> >> >> Step 4 - Adding keycloak to the applications
>> >> >> ===============================
>> >> >> 
>> >> >> Add keycloak configuration on "app1".
>> >> >> 
>> >> >> 
>> >> >> Add keycloak configuration on "cors"
>> >> >> Additionally, add
>> >> >> "enable-cors": "true"
>> >> >> to the json file.
>> >> >> 
>> >> >> ===============================
>> >> >> Step 5 - Log in to app1
>> >> >> ===============================
>> >> >> 
>> >> >> If you log in to app1 in a new browser the data from app "cors" will
>> >> >> not be loaded. The following error will be displayed in the console of
>> >> >> your browser (using chrome)
>> >> >> 
>> >> >> XMLHttpRequest cannot load
>> >> >> http://localhost-auth:8080/auth/realms/test/protocol/openid-connect/auth?
>> >> >> reŠlient%2Ftest.txt&state=6%2Fa1e9817b-7f9b-4d30-ab4e-17637c9d190a&login=true.
>> >> >> No 'Access-Control-Allow-Origin' header is present on the requested
>> >> >> resource.
>> >> >> Origin 'http://localhost' is therefore not allowed access.
>> >> >
>> >> >This request to "/protocol/openid-connect/auth" makes no sense to me.
>> >> >How are you invoking this? Can you include the source for index.html?
>> >> >
>> >> >> 
>> >> >> 
>> >> >> If it loaded the data, make sure that you're logged out, or try it in
>> >> >> private browsing mode.
>> >> >> 
>> >> >> 
>> >> >> ===============================
>> >> >> Expected result
>> >> >> ===============================
>> >> >> 
>> >> >> We expected "Access-Control-Allow-Origin" to be set to the "Web
>> >> >> origins", allowing for cross-application requests without editing
>> >> >> existing applications.
>> >> >> 
>> >> >> 
>> >> >> 
>> >> >> Met vriendelijke groet / Yours sincerely / Mit freundlichen Grüßen /
>> >> >> Très cordialement,
>> >> >> 
>> >> >> 
>> >> >> 
>> >> >> 
>> >> >> Henk Laracker
>> >> >> 
>> >> >> _______________________________________________
>> >> >> keycloak-user mailing list
>> >> >> keycloak-user at lists.jboss.org
>> >> >> https://lists.jboss.org/mailman/listinfo/keycloak-user


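The behaviour Stian describes (no CORS headers on the 302 to the login page, a bearer-only client answering 401 instead of redirecting, and permitted origins taken from the token's allowed-origins claim rather than a server-side list) as a small Node.js model of the adapter's decision, added here as an example and not Keycloak's own code. The config knobs, the constructed unsigned token, the 401/403 status choices and the `redirectOnlyForHtml` flag (standing for the Accept-header improvement Stian proposes) are this model's assumptions; the login URL is the one from the report with its query string dropped.

```javascript
const LOGIN_URL = 'http://localhost-auth:8080/auth/realms/test/protocol/openid-connect/auth';

// base64url helpers on Node's Buffer (base64url carries no '=' padding).
const b64url = (s) => Buffer.from(s).toString('base64')
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const fromB64url = (s) => Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/'), 'base64').toString('utf8');

// Constructed, UNSIGNED token for illustration only. A real adapter verifies the
// signature against the realm key before trusting any claim in the token.
function makeToken(claims) {
  return `${b64url(JSON.stringify({ alg: 'none' }))}.${b64url(JSON.stringify(claims))}.`;
}

function parseClaims(token) {
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  try { return JSON.parse(fromB64url(parts[1])); } catch (e) { return null; }
}

// config: { bearerOnly, enableCors, redirectOnlyForHtml }  (hypothetical model knobs)
// req:    { headers: { authorization, origin, accept } }     (lower-case header names)
// Returns { status, headers } following the behaviour described in the thread.
function handle(config, req) {
  const h = req.headers;
  const auth = h.authorization || '';
  if (!auth.startsWith('Bearer ')) {
    // No bearer token: a bearer-only client never redirects, a normal client
    // answers 302 to the login page. Neither reply carries CORS headers, which
    // is the "No 'Access-Control-Allow-Origin' header" error from the report.
    // redirectOnlyForHtml models Stian's proposed improvement.
    const wantsHtml = (h.accept || '').includes('text/html');
    if (config.bearerOnly || (config.redirectOnlyForHtml && !wantsHtml)) {
      return { status: 401, headers: { 'www-authenticate': 'Bearer' } };
    }
    return { status: 302, headers: { location: LOGIN_URL } };
  }
  const claims = parseClaims(auth.slice('Bearer '.length));
  if (!claims) return { status: 401, headers: { 'www-authenticate': 'Bearer error="invalid_token"' } };
  const headers = {};
  if (config.enableCors && h.origin) {
    // Permitted origins come from the token's "allowed-origins" claim (the
    // client's "Web origins" in the realm), not from a static server-side list.
    const allowed = claims['allowed-origins'] || [];
    if (!allowed.includes('*') && !allowed.includes(h.origin)) return { status: 403, headers }; // 403 is this model's choice
    headers['access-control-allow-origin'] = h.origin;
    headers['access-control-allow-credentials'] = 'true';
  }
  return { status: 200, headers, body: 'Some data' };
}
```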

