[keycloak-user] CORS headers not sent issue

Marek Posolda mposolda at redhat.com
Tue Oct 4 13:40:05 EDT 2016


Hi Tomas,

Nice to see you on our ML :-)

I think you're right. The CORS headers are not added to the "certs" 
endpoint. Probably we should just add "*" similarly to how it's done for 
the well-known endpoint, as the public keys are de facto public information. 
Feel free to create a JIRA and/or, even better, send a PR :-)

Btw. I am a bit curious why exactly you need it? AFAIK CORS is usually 
needed for browser apps, but if you're using our keycloak.js 
adapter, it doesn't need the public keys as it doesn't do any signature 
verification by itself. Token signature verification is always done 
on the server side (e.g. the REST endpoint where the JS application sent its token).

Cheers,
Marek

On 04/10/16 17:10, GRMAN, Tomas wrote:
> Hello
>
> I have come across a weird issue regarding the CORS implementation in Keycloak (ver. 2.2.1)
>
> I have properly specified "Web Origins" settings in Admin Console for the OIDC client.
> The problem is that the CORS headers (Access-Control-Allow-Origin) are not sent for all the requests going to idp.example.com (Implicit Flow):
>
> https://idp.example.com/auth/realms/test/.well-known/openid-configuration (CORS headers are sent)
>
> https://idp.example.com/auth/realms/test/protocol/openid-connect/certs (CORS headers are not sent)
>
> Is there something more to be configured in order to make Keycloak send CORS headers with all the requests? Maybe a bug?
>
> Currently I have added CORS headers on the NGINX reverse proxy for this endpoint (certs).
>
> Any advice is appreciated :)
>
> Tomas Grman
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
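A small check for the behaviour discussed in this thread, added here as an example and not code from Keycloak or from either poster: it requests the two realm endpoints with an Origin header and classifies what Access-Control-Allow-Origin comes back, so the missing header on the certs endpoint (and any reverse-proxy workaround) can be verified rather than guessed. The base URL, realm and origin are placeholders.

```python
"""Check whether Keycloak realm endpoints answer a cross-origin request
with an Access-Control-Allow-Origin (ACAO) header. Hypothetical check script."""
import urllib.error
import urllib.request

# Relative paths of the two endpoints compared in the thread.
OIDC_ENDPOINTS = (
    "/.well-known/openid-configuration",
    "/protocol/openid-connect/certs",
)


def acao_status(headers, origin):
    """Classify the ACAO value in a response header map.

    Returns "missing", "wildcard", "match" or "mismatch". Header names are
    compared case-insensitively, as HTTP requires.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get("access-control-allow-origin")
    if value is None:
        return "missing"
    if value.strip() == "*":
        return "wildcard"
    return "match" if value.strip() == origin else "mismatch"


def check_realm(base_url, realm, origin):
    """Fetch each endpoint with an Origin header and return {path: status}.

    base_url is e.g. "https://idp.example.com/auth" (placeholder host).
    """
    results = {}
    for path in OIDC_ENDPOINTS:
        url = f"{base_url}/realms/{realm}{path}"
        req = urllib.request.Request(url, headers={"Origin": origin})
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                headers = dict(resp.getheaders())
        except urllib.error.HTTPError as err:
            # Error responses still carry headers worth inspecting.
            headers = dict(err.headers.items())
        results[path] = acao_status(headers, origin)
    return results


if __name__ == "__main__":
    report = check_realm("https://idp.example.com/auth", "test",
                         "https://app.example.com")  # placeholders
    for path, status in report.items():
        print(f"{status:9} {path}")
```

Run it before and after changing the proxy or upgrading Keycloak; a "mismatch" result means a header is present but would still be rejected by the browser for that origin.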
