[keycloak-user] CORS headers not sent issue

GRMAN, Tomas Tomas.GRMAN at orange.com
Wed Oct 5 04:07:26 EDT 2016 

Hi Marek,

In our case the client application is not using keycloak.js adapter.
Application was developed by the partner and they used their own OIDC identity server. When we connected the application to our keycloak instance, the CORS problem I have previously described appeared.

As you said, I think CORS headers should be added to all the public endpoints (including certs). In our case the client application (AngularJS) is using implicit flow and is trying to verify jwt token it receives and for that it needs certs. This is only my understanding of the problem, I don't know the architecture of the application, I am just trying to integrate it :)

I can create bug on JIRA, but I am not sure what you meant by PR? Thanks for info.

Tomas



-----Original Message-----
From: Marek Posolda [mailto:mposolda at redhat.com] 
Sent: 4. októbra 2016 19:40
To: GRMAN, Tomas <Tomas.GRMAN at orange.com>; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] CORS headers not sent issue

Hi Tomas,

Nice to see you on our ML :-)

I think you're right. The Cors headers are not added to the "certs" 
endpoint. Probably we should just add "*" similarly like it's done for well-known endpoint as the public keys are defacto public information. 
Feel free to create JIRA and/or even better send PR :-)

Btv. I am bit curious why exactly you need it? AFAIK Cors are usually needed for the browser apps, but if you're using our keycloak.js adapter, it doesn't need public keys as it doesn't do any signature verifications by itself. Token's signature verifications are always done on server side (eg. REST endpoint where JS application sent it's token).

Cheers,
Marek

On 04/10/16 17:10, GRMAN, Tomas wrote:
> Hello
>
> I have come across weird issue regarding CORS implementation in 
> Keycloak (ver. 2.2.1 )
>
> I have properly specified "Web Origins" settings in Admin Console for the OIDC client.
> The problem is that the CORS headers (Access-Control-Allow-Origin) are 
> not sent for all the requests coming towards idp.example.com (Implicit 
> Flow)
>
> https://idp.example.com/auth/realms/test/.well-known/openid-configurat
> ion (CORS headers are sent)
>
> https://idp.example.com/auth/realms/test/protocol/openid-connect/certs 
> (CORS headers are not sent)
>
> Is there something more to be configured in order to make Keycloak send CORS headers with all the requests? Maybe a bug?
>
> Curently I have added CORS headers on NGINX reverse proxy for this 
> endpoint. (certs)
>
> Any advice is appreciated :)
>
> Tomas Grman
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

More information about the keycloak-user mailing list