[keycloak-user] CORS problems

sesnor.silva at sapo.pt sesnor.silva at sapo.pt
Wed May 24 10:44:48 EDT 2017


Hello again,

I forgot to mention I'm using Keycloak 3.1.0 Final.
Meanwhile I searched a bit more and found more people with the same
problem, but sadly, no solution:
http://lists.jboss.org/pipermail/keycloak-user/2014-May/000259.html
http://lists.jboss.org/pipermail/keycloak-user/2016-May/006147.html

I also made a really basic WAR application, protected by Keycloak,
that just says "Hello" when you access the route /hello. The minimal
client code that reproduces the problem:
<script type="text/javascript"
        src="https://code.jquery.com/jquery-3.1.0.min.js"></script>
<script type="text/javascript"
        src="http://localhost:9000/auth/js/keycloak.js"></script>
<script type="text/javascript">
    // keycloak.json is served next to this page; 'login-required'
    // redirects to Keycloak before the page is shown
    var keycloak = Keycloak('keycloak.json');
    keycloak.init({ onLoad: 'login-required' }).success(function(authenticated) {
        if (authenticated) {
            // call the bearer-only API with the access token just obtained
            $.ajax({
                method: "GET",
                url: "http://localhost:8080/hello",
                headers: { 'Authorization': 'Bearer ' + keycloak.token }
            });
        }
    });
</script>

I'm able to login successfully and acquire a valid working token.  
However the AJAX call fails with the same errors mentioned before.

In Chrome 57 and Opera : "The 'Access-Control-Allow-Origin' header  
contains multiple values 'http://localhost, http://localhost', but  
only one is allowed. Origin 'http://localhost' is therefore not  
allowed access."

In Firefox 52: "Cross-Origin Request Blocked: The Same Origin Policy  
disallows reading the remote resource. (Reason: CORS header  
‘Access-Control-Allow-Origin’ does not match ‘(null)’)".

It works in IE11 but the page refreshes constantly, similar to what  
I've mentioned  
here: http://lists.jboss.org/pipermail/keycloak-user/2017-May/010677.html,  
even when accepting third-party cookies.

Anyone have any hints please? What's going on with my setup? :(

Some additional information:

My API has the CORS filter enabled, like this:
<filter>
    <filter-name>CorsFilter</filter-name>
    <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
    <init-param>
        <param-name>cors.allowed.origins</param-name>
        <param-value>*</param-value>
    </init-param>
    <init-param>
        <param-name>cors.allowed.methods</param-name>
        <param-value>GET,POST,HEAD,OPTIONS,PUT</param-value>
    </init-param>
    <init-param>
        <param-name>cors.allowed.headers</param-name>
        <param-value>Content-Type,X-Requested-With,accept,Origin,Access-Control-Request-Method,Access-Control-Request-Headers</param-value>
    </init-param>
    <init-param>
        <param-name>cors.exposed.headers</param-name>
        <param-value>Access-Control-Allow-Origin,Access-Control-Allow-Credentials</param-value>
    </init-param>
    <init-param>
        <param-name>cors.support.credentials</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>cors.preflight.maxage</param-name>
        <param-value>10</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>CorsFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

My Client has "enable-cors": true.

Strangely I'm able to access the API through cURL if I use the valid  
access-token.

Any help is appreciated at this point :(.

Best regards,
Silva

Quoting sesnor.silva at sapo.pt:

> Hello,
>
> I have protected a Java web application that's compiled in a WAR
> package and accessible through a Tomcat 8 server. To do this I followed
> the steps here:
> https://keycloak.gitbooks.io/documentation/securing_apps/topics/oidc/java/tomcat-adapter.html
>
> My Java Application is a RESTful API which can only be accessed by
> authorized users that bear a token.
>
> In Keycloak I configured my client (and keycloak.json) as follows:
> {
>   "realm": "MainDomain",
>   "bearer-only": true,
>   "auth-server-url": "http://<My Keycloak Server>:8081/auth",
>   "ssl-required": "none",
>   "resource": "main-domain-server"
> }
>
> If I have a valid token I can access the service fine through cURL
> requests. However, using any browser (Firefox, Chrome, Opera, except
> IE, which for some reason works) I can't access any resource through
> AJAX as I get CORS problems:
> "Response to preflight request doesn't pass access control check: No
> 'Access-Control-Allow-Origin' header is present on the requested
> resource. Origin 'http://localhost:3000' is therefore not allowed
> access. The response had HTTP status code 401."
>
> I searched around and found I should put "enable_cors": true in my
> keycloak.json, however this causes the following CORS problem:
> "The 'Access-Control-Allow-Origin' header contains multiple values
> 'http://localhost:3000, http://localhost:3000', but only one is
> allowed. Origin 'http://localhost:3000' is therefore not allowed
> access."
>
> I think I'm out of ideas at the moment on what could be causing this.
> Does anyone have any idea what could be wrong in my configuration?
>
> My best regards,
> Silva
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
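
The browser's side of this exchange can be reproduced offline. What follows is an added example, not code from the original post and not Keycloak's or Tomcat's own code: a Node script that applies the rules a browser applies to a CORS response and runs them over constructed responses that mirror the three symptoms in the thread: a 401 on the preflight with no CORS headers (the OPTIONS preflight never carries the bearer token, so a bearer-only endpoint with no CORS layer in front of it rejects it), an Access-Control-Allow-Origin header that appears twice (modelled here as two layers each adding one, which is an assumption about the cause, not something the thread confirms), and an Access-Control-Allow-Headers list that does not name Authorization, as the posted CorsFilter config does not. The sample responses and the origin http://localhost:3000 are constructed for illustration.

```javascript
// Added example, not code from the original post: a Node script that applies
// the checks a browser applies to a CORS response, so the errors quoted in the
// thread can be reproduced offline from captured headers. All responses below
// are constructed to mirror the reported symptoms; none is a capture from the
// poster's Tomcat/Keycloak setup.

// Parse a raw HTTP/1.1 response into { status, headers }. Every occurrence of a
// repeated header is kept, because that is what the browser sees when two
// layers each add their own Access-Control-Allow-Origin.
function parseResponse(raw) {
  const lines = raw.split(/\r?\n/);
  const status = Number(lines[0].split(' ')[1]);
  const headers = {};
  for (const line of lines.slice(1)) {
    if (line.trim() === '') break;          // end of the header block
    const i = line.indexOf(':');
    const name = line.slice(0, i).trim().toLowerCase();
    (headers[name] = headers[name] || []).push(line.slice(i + 1).trim());
  }
  return { status, headers };
}

// Browser-side CORS check for one response. `preflight` marks the OPTIONS
// request sent before a GET that carries Authorization (a non-simple header);
// the preflight itself never carries that token. CORS-safelisted request
// headers (e.g. Accept) are exempt from the Allow-Headers check in real
// browsers; this model only checks the names passed in `requestHeaders`.
function checkCors(resp, { origin, credentials = false, preflight = false, requestHeaders = [] }) {
  const h = resp.headers;
  const acao = h['access-control-allow-origin'] || [];
  if (preflight && (resp.status < 200 || resp.status >= 300)) {
    return { ok: false, reason: 'preflight answered with HTTP status code ' + resp.status };
  }
  if (acao.length === 0) {
    return { ok: false, reason: "No 'Access-Control-Allow-Origin' header is present" };
  }
  if (acao.length > 1) {                    // Chrome's "contains multiple values" error
    return { ok: false, reason: "'Access-Control-Allow-Origin' contains multiple values '" + acao.join(', ') + "'" };
  }
  if (acao[0] === '*' && credentials) {
    return { ok: false, reason: "'*' is not allowed when the request carries credentials" };
  }
  if (acao[0] !== '*' && acao[0] !== origin) {
    return { ok: false, reason: "'Access-Control-Allow-Origin' does not match '" + origin + "'" };
  }
  if (credentials && (h['access-control-allow-credentials'] || [])[0] !== 'true') {
    return { ok: false, reason: "'Access-Control-Allow-Credentials' is not 'true'" };
  }
  if (preflight) {
    const allowed = (h['access-control-allow-headers'] || []).join(',')
      .split(',').map(s => s.trim().toLowerCase()).filter(Boolean);
    for (const name of requestHeaders) {
      if (!allowed.includes(name.toLowerCase())) {
        return { ok: false, reason: "request header '" + name + "' is not listed in 'Access-Control-Allow-Headers'" };
      }
    }
  }
  return { ok: true, reason: '' };
}

// Constructed samples (assumed, not captured): the preflight a browser sends for
// the $.ajax call in the thread, from origin http://localhost:3000.
const ORIGIN = 'http://localhost:3000';
const REQ = { origin: ORIGIN, preflight: true, requestHeaders: ['authorization'] };
const crlf = (lines) => lines.concat(['', '']).join('\r\n');

// 1. No CORS layer answers OPTIONS, so the bearer-only endpoint rejects it.
const PREFLIGHT_401 = crlf([
  'HTTP/1.1 401 Unauthorized',
  'WWW-Authenticate: Bearer realm="MainDomain"',
  'Content-Length: 0']);

// 2. Two layers (assumed: an adapter with CORS enabled plus a servlet CorsFilter)
//    both add the header; the browser joins them and rejects the pair.
const DOUBLE_ACAO = crlf([
  'HTTP/1.1 200 OK',
  'Access-Control-Allow-Origin: ' + ORIGIN,
  'Access-Control-Allow-Methods: GET,POST,HEAD,OPTIONS,PUT',
  'Access-Control-Allow-Headers: Content-Type,X-Requested-With,accept,Origin,Authorization',
  'Access-Control-Allow-Origin: ' + ORIGIN,
  'Content-Length: 0']);

// 3. One layer answers, but with the allowed-headers list from the filter
//    config in the thread, which does not name Authorization.
const MISSING_AUTH_HEADER = crlf([
  'HTTP/1.1 200 OK',
  'Access-Control-Allow-Origin: ' + ORIGIN,
  'Access-Control-Allow-Methods: GET,POST,HEAD,OPTIONS,PUT',
  'Access-Control-Allow-Headers: Content-Type,X-Requested-With,accept,Origin,Access-Control-Request-Method,Access-Control-Request-Headers',
  'Content-Length: 0']);

// 4. Exactly one Access-Control-Allow-Origin, and Authorization is allowed.
const SINGLE_ACAO = crlf([
  'HTTP/1.1 200 OK',
  'Access-Control-Allow-Origin: ' + ORIGIN,
  'Access-Control-Allow-Methods: GET,POST,HEAD,OPTIONS,PUT',
  'Access-Control-Allow-Headers: Content-Type,X-Requested-With,accept,Origin,Authorization',
  'Content-Length: 0']);

for (const [label, raw] of [['401 preflight', PREFLIGHT_401], ['double ACAO', DOUBLE_ACAO],
                            ['Authorization not allowed', MISSING_AUTH_HEADER], ['fixed', SINGLE_ACAO]]) {
  const r = checkCors(parseResponse(raw), REQ);
  console.log(label + ': ' + (r.ok ? 'allowed' : 'blocked: ' + r.reason));
}
```

Run it with node; only the last sample is allowed. To check a real deployment instead of the constructed samples, capture the preflight with curl -i -X OPTIONS -H 'Origin: http://localhost:3000' -H 'Access-Control-Request-Method: GET' -H 'Access-Control-Request-Headers: authorization' against the API URL and pass that output to parseResponse: a 401, a doubled Access-Control-Allow-Origin, or an Allow-Headers list without Authorization shows up there before any browser is involved, and curl with a bearer token succeeding proves nothing about it because curl sends no preflight.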
