[keycloak-user] Resolution for 99% of CORS's problems

Karol Buler K.Buler at adbglobal.com
Tue Oct 10 05:50:12 EDT 2017


You are right, Stian. IMO the best solution in Keycloak is '+', which 
permits the origins of all redirect URIs.


On 26.09.2017 15:17, Stian Thorgersen wrote:
> For the record using '*' as web origin is really rather bad from a 
> security perspective and should ONLY be used in development/testing.
>
> On 26 September 2017 at 10:01, Karol Buler <K.Buler at adbglobal.com> wrote:
>
>     I had exactly the same problem with "Access-Control-Allow-Origin"
>     and my
>     solution resolved this. Which version of KC do you have? I'm using
>     3.2.1.Final for now and didn't check on other versions.
>
>     On the other hand, what do you type into Web Origins? '*' or
>     'https://135.112.123.183'?
>
>
>     On 25.09.2017 20:43, shimin q wrote:
>     > Thanks for posting your solution, Karol.  I have been having trouble
>     > with Keycloak CORS also.  I followed your suggestion:
>     >
>     > 1 - set client Web Origins
>     > 2 - in Keycloak.json, added "enable-cors": true
>     >
>     > /usr/share/tomcat/webapps/main/WEB-INF]-bash-$  cat keycloak.json
>     > {
>     >   "realm": "rtna",
>     >   "realm-public-key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAhvJlVZqi8KaZDZVPPl29y/nnPBHaPvH+NoG71w6BMDwIImw6vkNlO3CSr+kRAyLnpnP/9248gEZx6YwqEKwE4Oy5R6wuuxwOd2FdpYFM2wDw5zhF7U4oYy0WK1m31/hQdLGnpKtDdGReEwdkMOMtG655Nnqw8WdtmF3S2XcEm2t0gaNoYycd6gl4670nRqx6bRxs6UndERHZmHfkzLcL71RflgO1cyuOqMsjMb7oWIDy5bkE4ddB69TAbrpXVzLvwG1OIaM/XdfXOZIaIAajfacP3Vk8bZFa9eAsh5BVaeGzlqktsdk1JjbV0a14OVXQcCRusnV2wE+zSZhPNxhfFwIDAQAB",
>     >   "auth-server-url": "https://135.112.123.194:8666/auth",
>     >   "ssl-required": "external",
>     >   "resource": "main",
>     >   "public-client": true,
>     >   "enable-cors": true
>     > }
>     >
>     > I am still getting error:
>     >
>     > 135.112.123.183/:1 XMLHttpRequest cannot load
>     > https://135.112.123.194:8666/auth/realms/rtna/protocol/openid-connect/token.
>     > No 'Access-Control-Allow-Origin' header is present on the requested
>     > resource. Origin 'https://135.112.123.183' is therefore not allowed
>     > access.
>     >
>     > I also tried to add request header in
>     >  /opt/sso/keycloak/standalone/configuration/standalone.xml, not
>     > working either.
>     >
>     >   * If standalone.xml has <response-header
>     >     name="Access-Control-Allow-Origin"
>     >     header-name="Access-Control-Allow-Origin" header-value="*"/>:
>     >
>     > I get the error:
>     >
>     > (index):82 keycloakinit done......
>     >
>     > (index):1 XMLHttpRequest cannot load
>     > https://135.112.123.194:8666/auth/realms/rtna/protocol/openid-connect/token.
>     > The value of the 'Access-Control-Allow-Origin' header in the response
>     > must not be the wildcard '*' when the request's credentials mode is
>     > 'include'. Origin 'https://135.112.123.183' is therefore not allowed
>     > access. The credentials mode of requests initiated by the
>     > XMLHttpRequest is controlled by the withCredentials attribute.
>     >
>     > Is there anything I am missing?  Any idea how to make it work would be
>     > appreciated!!
>     >
>     > On Wednesday, September 20, 2017, 4:14:00 AM EDT, Karol Buler
>     > <K.Buler at adbglobal.com> wrote:
>     >
>     >
>     > Hi,
>     >
>     > after a huge number of hours of investigation I found the resolution
>     > for almost all problems with CORS. I decided that maybe I am not alone
>     > with it, so here you go:
>     >
>     > 1. Go to the admin console of Keycloak and set 'Web Origins' of your
>     > client to the address of your application (or just *).
>     >
>     > 2. In your application.properties (keycloak.json) set keycloak.cors =
>     > true (I don't know the name of this property in keycloak.json).
>     >
>     > 3. That's it! Only 2 steps resolve almost all my problems with CORS in
>     > our applications.
>     >
>     > Best regards,
>     > Karol
>     >
>     > _______________________________________________
>     > keycloak-user mailing list
>     > keycloak-user at lists.jboss.org
>     > https://lists.jboss.org/mailman/listinfo/keycloak-user
>