[keycloak-user] Resolution for 99% of CORS's problems

Stian Thorgersen sthorger at redhat.com
Tue Sep 26 09:17:26 EDT 2017


For the record using '*' as web origin is really rather bad from a security
perspective and should ONLY be used in development/testing.

On 26 September 2017 at 10:01, Karol Buler <K.Buler at adbglobal.com> wrote:

> I had exactly the same problem with "Access-Control-Allow-Origin" and my
> solution resolved this. Which version of KC do you have? I'm using
> 3.2.1.Final for now and didn't check on other versions.
>
> On the other hand, what do you type into Web Origins? '*' or
> 'https://135.112.123.183' ?
>
>
> On 25.09.2017 20:43, shimin q wrote:
> > Thanks for posting your solution, Karol.  I have been having trouble
> > with Keycloak CORS also.  I followed your suggestion:
> >
> > 1 - set client Web Origins
> > 2 - in Keycloak.json, added "enable-cors": true
> >
> > /usr/share/tomcat/webapps/main/WEB-INF]-bash-$  cat keycloak.json
> > {
> >   "realm": "rtna",
> >   "realm-public-key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAhvJlVZqi8KaZDZVPPl29y/nnPBHaPvH+NoG71w6BMDwIImw6vkNlO3CSr+kRAyLnpnP/9248gEZx6YwqEKwE4Oy5R6wuuxwOd2FdpYFM2wDw5zhF7U4oYy0WK1m31/hQdLGnpKtDdGReEwdkMOMtG655Nnqw8WdtmF3S2XcEm2t0gaNoYycd6gl4670nRqx6bRxs6UndERHZmHfkzLcL71RflgO1cyuOqMsjMb7oWIDy5bkE4ddB69TAbrpXVzLvwG1OIaM/XdfXOZIaIAajfacP3Vk8bZFa9eAsh5BVaeGzlqktsdk1JjbV0a14OVXQcCRusnV2wE+zSZhPNxhfFwIDAQAB",
> >   "auth-server-url": "https://135.112.123.194:8666/auth",
> >   "ssl-required": "external",
> >   "resource": "main",
> >   "public-client": true,
> >   "enable-cors": true
> > }
> >
> > I am still getting error:
> >
> > 135.112.123.183/:1 XMLHttpRequest cannot load
> > https://135.112.123.194:8666/auth/realms/rtna/protocol/openid-connect/token.
> > No 'Access-Control-Allow-Origin' header is present on the requested
> > resource. Origin 'https://135.112.123.183' is therefore not allowed
> > access.
> >
> > I also tried to add request header in
> >  /opt/sso/keycloak/standalone/configuration/standalone.xml, not
> > working either.
> >
> >   * If standalone.xml has <response-header
> >     name="Access-Control-Allow-Origin"
> >     header-name="Access-Control-Allow-Origin" header-value="*"/>:
> >
> > I get the error:
> >
> > (index):82 keycloakinit done......
> >
> > (index):1 XMLHttpRequest cannot load
> > https://135.112.123.194:8666/auth/realms/rtna/protocol/openid-connect/token.
> > The value of the 'Access-Control-Allow-Origin' header in the response
> > must not be the wildcard '*' when the request's credentials mode is
> > 'include'. Origin 'https://135.112.123.183' is therefore not allowed
> > access. The credentials mode of requests initiated by the
> > XMLHttpRequest is controlled by the withCredentials attribute.
> >
> > Is there anything I am missing?  Any idea how to make it work would be
> > appreciated!!
> >
> >
> > On Wednesday, September 20, 2017, 4:14:00 AM EDT, Karol Buler
> > <K.Buler at adbglobal.com> wrote:
> >
> >
> > Hi,
> >
> > after huge amounts of hours of investigations I found the resolution
> > for almost all problems with CORS. I decided that maybe I am not alone
> > with it, so here you go:
> >
> > 1. Go to admin console of Keycloak and set 'Web Origins' of your
> > client to address of your application (or just * ).
> >
> > 2. In your application.properties (keycloak.json) set keycloak.cors =
> > true (don't know the name of this property in keycloak.json).
> >
> > 3. That's it! Only 2 steps resolve almost all my problems with CORS in
> > our applications.
> >
> > Best regards,
> > Karol
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org <mailto:keycloak-user at lists.jboss.org>
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
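
The two browser errors quoted in this thread, and the reason a literal '*' cannot serve credentialed requests, as an added example (not part of the original thread and not Keycloak's code). `corsHeaders` is a hypothetical server-side policy that echoes only exactly listed origins; `browserAllows` models the CORS check a browser applies per the Fetch standard; `https://other.example` is a constructed origin.

```javascript
// Added illustration; all function names are hypothetical.

// Server side: derive CORS response headers from a client's configured web origins.
function corsHeaders(requestOrigin, webOrigins, { credentials = true } = {}) {
  if (!requestOrigin) return {};                      // no Origin header: nothing to add
  if (webOrigins.includes(requestOrigin)) {           // exact string match only
    const h = { 'Access-Control-Allow-Origin': requestOrigin, 'Vary': 'Origin' };
    if (credentials) h['Access-Control-Allow-Credentials'] = 'true';
    return h;
  }
  // Wildcard entry: emit a literal '*' and never pair it with credentials.
  if (webOrigins.includes('*')) return { 'Access-Control-Allow-Origin': '*' };
  return {};                                          // unlisted origin: no CORS headers
}

// Browser side: may script running on requestOrigin read this response?
function browserAllows(requestOrigin, headers, withCredentials) {
  const acao = headers['Access-Control-Allow-Origin'];
  if (acao === undefined) return false;               // "No 'Access-Control-Allow-Origin' header is present"
  if (!withCredentials) return acao === '*' || acao === requestOrigin;
  if (acao !== requestOrigin) return false;           // covers '*': "must not be the wildcard"
  return headers['Access-Control-Allow-Credentials'] === 'true';
}

// Run the cases from the thread plus one unrelated origin.
function demo() {
  const app = 'https://135.112.123.183';              // application origin from the thread
  const other = 'https://other.example';              // constructed, unrelated site
  return {
    noWebOrigins: browserAllows(app, corsHeaders(app, []), true),
    wildcardWithCredentials: browserAllows(app, corsHeaders(app, ['*']), true),
    exactWithCredentials: browserAllows(app, corsHeaders(app, [app]), true),
    otherSiteExactList: browserAllows(other, corsHeaders(other, [app]), true),
    otherSiteWildcard: browserAllows(other, corsHeaders(other, ['*']), false),
  };
}

console.log(demo());
```

The last case is the exposure the reply at the top of this message refers to: with '*' configured, a page on any origin passes the check for uncredentialed requests, while an exact origin list admits only the application.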

