[keycloak-user] Keycloak angular SPA example does not work against an external Keycloak server - browser reject server response XHR

Niels Bertram nielsbne at gmail.com
Mon Oct 17 06:30:25 EDT 2016


Hi guys,

I have configured the keycloak angular example
<https://github.com/keycloak/keycloak/tree/master/examples/demo-template/angular-product-app>
to utilise a production-grade Keycloak server setup, and the example ends up
in an endless redirect loop.

I can see that the Keycloak server POST response in the authorization code
exchange contains 2 identical Access-Control-Allow-Credentials headers,
which the Chrome browser cannot understand and then subsequently fails the
XHR request. I included the full HTTP trace below for reference.

Keycloak server is 1.9.8 (RH SSO 7.0.0), and I tried the 1.9.8 and 2.2.1
Keycloak JavaScript clients, but given that the browsers refuse to accept the
server response headers, the client is pretty much irrelevant.

Did any of you ever come across this issue?

Cheers,
Niels



*Request*
URL:
https://sso.server.com/auth/realms/[redacted]/protocol/openid-connect/token
Request Method:POST
Status Code:200 OK
Remote Address:[redacted]:8080

*Request Headers*
POST /auth/realms/[redacted]/protocol/openid-connect/token HTTP/1.1
Host: sso.server.com
Connection: keep-alive
Content-Length: 205
Pragma: no-cache
Cache-Control: no-cache
Origin: http://localhost:8080
User-Agent: Mozilla/5.0 (iPad; CPU OS 9_1 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13B143 Safari/601.1
Content-type: application/x-www-form-urlencoded
Accept: */*
Referer: http://localhost:8080/angular-product/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.8,de;q=0.6
Cookie: KEYCLOAK_STATE_CHECKER=[redacted];KC_RESTART=[redacted];KEYCLOAK_IDENTITY=[redacted];KEYCLOAK_SESSION=[redacted]

*Form Data*
code=[redacted]&grant_type=authorization_code&client_id=example-spa-app&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fangular-product%2F

*Response Headers*
HTTP/1.1 200 OK
Date: Mon, 17 Oct 2016 06:13:24 GMT
*Access-Control-Allow-Credentials: true  <-- Chrome cannot understand this*
*Access-Control-Allow-Credentials: true  <-- Chrome cannot understand this*
Access-Control-Allow-Origin: http://localhost:8080
Access-Control-Expose-Headers: Access-Control-Allow-Methods
Content-Type: application/json
Content-Length: 3795
Keep-Alive: timeout=5, max=97
Connection: Keep-Alive
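The following is an added example, not code from the post or from the Keycloak project: a small Python checker that applies the browser-side CORS check, as the Fetch standard defines it for a credentialed request (an XHR with withCredentials set, which is how the token endpoint is called here), to a raw HTTP response header block. The sample response is reconstructed from the trace above with the redacted and irrelevant values left out; the "fixed" response and the function names are constructed for the example. The point it makes visible is that browsers combine repeated headers into one value joined by ", ", so two Access-Control-Allow-Credentials headers are seen as "true, true", which fails the exact comparison against "true".

```python
"""Model the Fetch standard's CORS check for a credentialed cross-origin request.

Repeated response headers are combined the way a browser's header list
"get" combines them (values joined with ", ") and then compared exactly,
which is why a duplicated Access-Control-Allow-Credentials header fails.
"""
from typing import List, Optional, Tuple

Headers = List[Tuple[str, str]]


def parse_response_headers(raw: str) -> Headers:
    """Split the header block of a raw HTTP/1.x response into (name, value) pairs.

    Names are lower-cased; repeated headers stay as separate entries so that
    callers can inspect duplicates.
    """
    lines = raw.strip().splitlines()
    if not lines or not lines[0].startswith("HTTP/"):
        raise ValueError("not an HTTP response header block")
    headers: Headers = []
    for line in lines[1:]:
        if not line.strip():
            break  # blank line terminates the header block
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def combined_value(headers: Headers, name: str) -> Optional[str]:
    """Return the header's value as a browser sees it: all occurrences joined
    with ', ', or None when the header is absent."""
    values = [v for n, v in headers if n == name.lower()]
    return ", ".join(values) if values else None


def duplicate_headers(headers: Headers) -> List[str]:
    """Names that occur more than once, sorted; useful as a first diagnostic."""
    names = [n for n, _ in headers]
    return sorted({n for n in names if names.count(n) > 1})


def cors_check(headers: Headers, origin: str, credentials: bool = True) -> Tuple[bool, str]:
    """Apply the Fetch CORS check and return (passed, reason)."""
    allow_origin = combined_value(headers, "access-control-allow-origin")
    if allow_origin is None or allow_origin == "null":
        return False, "Access-Control-Allow-Origin missing or 'null'"
    if not credentials and allow_origin == "*":
        return True, "ok (wildcard origin, request sent without credentials)"
    if allow_origin != origin:
        return False, f"Access-Control-Allow-Origin is {allow_origin!r}, expected {origin!r}"
    if not credentials:
        return True, "ok"
    allow_creds = combined_value(headers, "access-control-allow-credentials")
    if allow_creds != "true":
        return False, (f"Access-Control-Allow-Credentials is {allow_creds!r}, "
                       "but a credentialed request needs exactly 'true'")
    return True, "ok"


# Constructed from the trace in the post (redacted values omitted).
RESPONSE_FROM_POST = """HTTP/1.1 200 OK
Date: Mon, 17 Oct 2016 06:13:24 GMT
Access-Control-Allow-Credentials: true
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: http://localhost:8080
Access-Control-Expose-Headers: Access-Control-Allow-Methods
Content-Type: application/json
Content-Length: 3795
Keep-Alive: timeout=5, max=97
Connection: Keep-Alive

"""

# Constructed: the same response with the header emitted once.
FIXED_RESPONSE = RESPONSE_FROM_POST.replace(
    "Access-Control-Allow-Credentials: true\n", "", 1)


def diagnose(raw: str, origin: str) -> str:
    """One-line verdict for a captured response, for use from a shell or a test."""
    headers = parse_response_headers(raw)
    passed, reason = cors_check(headers, origin)
    dupes = duplicate_headers(headers)
    note = f" (duplicated headers: {', '.join(dupes)})" if dupes else ""
    return ("PASS: " if passed else "FAIL: ") + reason + note


if __name__ == "__main__":
    print(diagnose(RESPONSE_FROM_POST, "http://localhost:8080"))
    print(diagnose(FIXED_RESPONSE, "http://localhost:8080"))
```

Running the module prints a FAIL line for the captured response and a PASS line for the single-header variant. When a reverse proxy or the application server each add CORS headers, this kind of check on the raw response (rather than on what one layer thinks it sent) shows which layer is responsible.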