[keycloak-user] CORS problems

Sebastien Blanc sblanc at redhat.com
Fri May 26 10:48:33 EDT 2017


Hi,

The problem is that you have defined a CORS filter yourself and also enabled CORS
in keycloak.json; that will duplicate the CORS headers and fail. Remove
your CORS filter and it should be okay (or disable CORS in keycloak.json).


On Wed, May 24, 2017 at 4:44 PM, <sesnor.silva at sapo.pt> wrote:

> Hello again,
>
> I forgot to mention I'm using Keycloak 3.1.0 Final.
> Meanwhile i searched a bit more and found more people with the same
> problem, but sadly, no solution:
> http://lists.jboss.org/pipermail/keycloak-user/2014-May/000259.html
> http://lists.jboss.org/pipermail/keycloak-user/2016-May/006147.html
>
> I also made a really basic WAR application, protected by keycloak,
> that just says "Hello" when you access the route /hello. The minimal
> client code that reproduces the problem:
> <script type="text/javascript"
> src="https://code.jquery.com/jquery-3.1.0.min.js"></script>
> <script type="text/javascript"
> src="http://localhost:9000/auth/js/keycloak.js"></script>
> <script type="text/javascript">
>     var keycloak = Keycloak('keycloak.json');
>     keycloak.init({ onLoad: 'login-required' }).success(function(authenticated) {
>         if (authenticated) {
>             $.ajax({
>                 method: "GET",
>                 url: "http://localhost:8080/hello",
>                 headers: { 'Authorization': 'Bearer ' + keycloak.token }
>             });
>         }
>     });
> </script>
>
> I'm able to login successfully and acquire a valid working token.
> However the AJAX call fails with the same errors mentioned before.
>
> In Chrome 57 and Opera: "The 'Access-Control-Allow-Origin' header
> contains multiple values 'http://localhost, http://localhost', but
> only one is allowed. Origin 'http://localhost' is therefore not
> allowed access."
>
> In Firefox 52: "Cross-Origin Request Blocked: The Same Origin Policy
> disallows reading the remote resource. (Reason: CORS header
> ‘Access-Control-Allow-Origin’ does not match ‘(null)’)".
>
> It works in IE11 but the page refreshes constantly, similar to what
> I've mentioned
> here: http://lists.jboss.org/pipermail/keycloak-user/2017-May/010677.html,
> even when accepting third-party cookies.
>
> Anyone have any hints please? What's going on with my setup? :(
>
> Some additional information:
>
> My API has the CORS filter enabled, like this:
> <filter>
>     <filter-name>CorsFilter</filter-name>
>     <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
>     <init-param>
>         <param-name>cors.allowed.origins</param-name>
>         <param-value>*</param-value>
>     </init-param>
>     <init-param>
>         <param-name>cors.allowed.methods</param-name>
>         <param-value>GET,POST,HEAD,OPTIONS,PUT</param-value>
>     </init-param>
>     <init-param>
>         <param-name>cors.allowed.headers</param-name>
>         <param-value>Content-Type,X-Requested-With,accept,Origin,Access-Control-Request-Method,Access-Control-Request-Headers</param-value>
>     </init-param>
>     <init-param>
>         <param-name>cors.exposed.headers</param-name>
>         <param-value>Access-Control-Allow-Origin,Access-Control-Allow-Credentials</param-value>
>     </init-param>
>     <init-param>
>         <param-name>cors.support.credentials</param-name>
>         <param-value>true</param-value>
>     </init-param>
>     <init-param>
>         <param-name>cors.preflight.maxage</param-name>
>         <param-value>10</param-value>
>     </init-param>
> </filter>
> <filter-mapping>
>     <filter-name>CorsFilter</filter-name>
>     <url-pattern>/*</url-pattern>
> </filter-mapping>
>
> My Client has "enable-cors": true.
>
> Strangely I'm able to access the API through cURL if I use the valid
> access-token.
>
> Any help is appreciated at this point :(.
>
> Best regards,
> Silva
>
>
> Citando sesnor.silva at sapo.pt:
>
> > Hello,
> >
> > I have protected a Java web application that's compiled in a WAR
> > package and accessible through a Tomcat 8 server. To do this I followed
> > the steps here:
> > https://keycloak.gitbooks.io/documentation/securing_apps/topics/oidc/java/tomcat-adapter.html
> >
> > My Java Application is a RESTful API which can only be accessed by
> > authorized users that bear a token.
> >
> > In Keycloak I configured my client (and keycloak.json) as follows:
> > {
> >   "realm": "MainDomain",
> >   "bearer-only": true,
> >   "auth-server-url": "http://<My Keycloak Server>:8081/auth",
> >   "ssl-required": "none",
> >   "resource": "main-domain-server"
> > }
> >
> > If I have a valid token I can access the service fine through cURL
> > requests. However, using any browser (Firefox, Chrome, Opera, except
> > IE, which for some reason works) I can't access any resource through
> > AJAX as I get CORS problems:
> > "Response to preflight request doesn't pass access control check: No
> > 'Access-Control-Allow-Origin' header is present on the requested
> > resource. Origin 'http://localhost:3000' is therefore not allowed
> > access. The response had HTTP status code 401."
> >
> > I searched around and found I should put "enable_cors": true in my
> > keycloak.json, however this causes the following CORS problem:
> > "The 'Access-Control-Allow-Origin' header contains multiple values
> > 'http://localhost:3000, http://localhost:3000', but only one is
> > allowed. Origin 'http://localhost:3000' is therefore not allowed
> > access."
> >
> > I think I'm out of ideas at the moment on what could be causing this.
> > Does anyone have any idea what could be wrong in my configuration?
> >
> > My best regards,
> > Silva
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
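The duplicate-header failure the reply diagnoses, as an added JavaScript model (not code from the thread, Keycloak or Tomcat): two server-side layers each append Access-Control-Allow-Origin, and the browser's single-value rule rejects the response. The two layer functions are assumptions built to reproduce the echoed-Origin values quoted in the thread.

```javascript
// Headers are kept as [name, value] pairs because HTTP allows the same name
// to appear more than once; that repetition is exactly the failure here.
function addHeader(headers, name, value) {
  headers.push([name.toLowerCase(), value]);
}

// Assumed model of the Tomcat CorsFilter from the thread: with
// cors.support.credentials=true it echoes the request Origin rather than "*".
function tomcatCorsFilter(origin, headers) {
  addHeader(headers, "Access-Control-Allow-Origin", origin);
  addHeader(headers, "Access-Control-Allow-Credentials", "true");
}

// Assumed model of the Keycloak adapter with "enable-cors": true, which the
// thread's error messages show also echoing the Origin.
function keycloakAdapterCors(origin, headers) {
  addHeader(headers, "Access-Control-Allow-Origin", origin);
  addHeader(headers, "Access-Control-Allow-Credentials", "true");
}

// Run every enabled layer over one response, in order.
function buildResponse(origin, layers) {
  const headers = [];
  for (const layer of layers) layer(origin, headers);
  return headers;
}

// The check a browser applies before exposing a cross-origin response to
// the page; the reasons paraphrase the Chrome messages quoted in the thread.
function checkCors(headers, origin) {
  const values = headers
    .filter(([name]) => name === "access-control-allow-origin")
    .map(([, value]) => value);
  if (values.length === 0) {
    return { ok: false, reason: "No 'Access-Control-Allow-Origin' header is present" };
  }
  if (values.length > 1) {
    return { ok: false, reason: `The 'Access-Control-Allow-Origin' header contains multiple values '${values.join(", ")}', but only one is allowed` };
  }
  if (values[0] !== "*" && values[0] !== origin) {
    return { ok: false, reason: `'${values[0]}' does not match origin '${origin}'` };
  }
  return { ok: true, reason: "" };
}

const ORIGIN = "http://localhost:3000"; // the page origin from the thread
// Both layers active: the duplicated header that the browsers reject.
const broken = checkCors(buildResponse(ORIGIN, [tomcatCorsFilter, keycloakAdapterCors]), ORIGIN);
// The fix from the reply: one layer only (here the adapter; dropping the adapter instead works too).
const fixed = checkCors(buildResponse(ORIGIN, [keycloakAdapterCors]), ORIGIN);
```

The same check explains the very first error in the thread: with no CORS layer at all, `checkCors` reports the missing header rather than a duplicate.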

