[keycloak-user] CORS ‘Access-Control-Allow-Origin’ missing

Ryan Slominski ryans at jlab.org
Tue Aug 14 16:21:54 EDT 2018 

Hi Keycloak Users,

I'm attempting to save my users a few button clicks by automatically trying brokered identity providers in the background with AJAX requests before redirecting them to the Keycloak login form (AJAX requests using kc_idp_hint parameter).  In most cases users will already be logged into one of the brokered identity providers (the client is often on one of several SPNEGO protected subnets) and instead of showing users the login form with buttons to try the brokered providers manually one by one I was hoping to simply do it for them in the background and when directed to the login form for the realm the common case would be for users to be immediately redirected back because they're logged in already.  I'm using the Wildfly client adapters (Java servlet container managed security) configured as confidential clients.  I have the client "Web Origins" set to "*".  In the Wildfly standalone.xml I have the clients configured with "<enable-cors>true</enable-cors>".  I'm using Keycloak 4.1.0.  On the client side I'm using jQuery and have "crossDomain: true" and "xhrFields:{withCredentials: true}" set on the XHR object.  The keycloak server still doesn't respond with a Access-Control-Allow-Origin header though so the login fails.  It works if not using AJAX.   The network trace of an AJAX request from the web browser console looks like:

--- Request 1 ---
GET https://myhost.example.com/myapp/protected?kc_idp_hint=broker1-keycloak-oidc&returnUrl=https://myhost.example.com/myapp/mypage
Host: myhost.example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://myhost.example.com/myapp/mypage
Cookie: OAuth_Token_Request_State=<REDACTED>; JSESSIONID=<REDACTED>.myhost
Connection: keep-alive

--- Response 1 ---
Cache-Control: no-cache, no-store, must-revalidate
Connection: Keep-Alive
Content-Length: 0
Date: Tue, 14 Aug 2018 19:48:46 GMT
Expires: 0
Keep-Alive: timeout=5, max=100
Location: https://keycloak1.example.com/auth/realms/myrealm/protocol/openid-connect/auth?response_type=code&client_id=client1&redirect_uri=https%3A%2F%2Fmyhost.example.com%2Fmyapp%2Fprotected?returnUrl%3Dhttps%253A%252F%252Fmyhost.example.com%252Fmyapp%252Fmypage&state=<REDACTED>&login=true&kc_idp_hint=broker1-keycloak-oidc&scope=openid
Pragma: no-cache
Server: WildFly/11
Set-Cookie: OAuth_Token_Request_State=<REDACTED>; HttpOnly
X-Powered-By: Undertow/1

--- Request 2 ---
GET https://keycloak1.example.com/auth/realms/myrealm/protocol/openid-connect/auth?response_type=code&client_id=client1&redirect_uri=https://myhost.example.com/myapp/protected?returnUrl=https%3A%2F%2Fmyhost.example.com%2Fmyapp%2Fmypage&state=<REDACTED>&login=true&kc_idp_hint=broker1-keycloak-oidc&scope=openid
Host: keycloak1.example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://myhost.example.com/myapp/mypage
Origin: https://myhost.example.com
Cookie: AUTH_SESSION_ID=<REDACTED>.keycloak1; KC_RESTART=<REDACTED>
Connection: keep-alive

--- Response 2 ---
Status: 401
Cache-Control: no-store, must-revalidate, max-age=0
Connection: Keep-Alive
Content-Length: 615
Content-Type: text/html;charset=UTF-8
Date: Tue, 14 Aug 2018 19:48:48 GMT
Keep-Alive: timeout=5, max=100
Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.2k-fips mod_auth_kerb/5.4 PHP/7.1.18 mod_wsgi/3.4 Python/2.7.5
Set-Cookie: AUTH_SESSION_ID=<REDACTED>.keycloak1; Version=1; Path=/auth/realms/myrealm/; Secure; HttpOnly
KC_RESTART=<REDACTED>; Version=1; Path=/auth/realms/myrealm/; Secure; HttpOnly
WWW-Authenticate: Negotiate

--- Request 3 ---
GET https://keycloak1.example.com/auth/realms/myrealm/protocol/openid-connect/auth?response_type=code&client_id=client1&redirect_uri=https://myhost.exampel.com/myapp/protected?returnUrl=https%3A%2F%2Fmyhost.example.com%2Fmyapp%2Fmypage&state=<REDACTED>&login=true&kc_idp_hint=broker1-keycloak-oidc&scope=openid
Host: keycloak1.example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://myhost.example.com/myapp/mypage
Origin: https://myhost.example.com
Cookie: AUTH_SESSION_ID=<REDACTED>.keycloak1; KC_RESTART=<REDACTED>
Connection: keep-alive
Authorization: Negotiate <REDACTED>

--- Response 3 ---
Cache-Control: no-store, must-revalidate, max-age=0
Connection: Keep-Alive
Content-Length: 0
Date: Tue, 14 Aug 2018 19:48:48 GMT
Keep-Alive: timeout=5, max=99
Location: https://keycloak1.example.com/auth/realms/myrealm/broker/broker1-keycloak-oidc/login?session_code=<REDACTED>&client_id=client1&tab_id=FP3hTW-bfQ8
Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.2k-fips mod_auth_kerb/5.4 PHP/7.1.18 mod_wsgi/3.4 Python/2.7.5
Set-Cookie: AUTH_SESSION_ID=<REDACTED>.keycloak1; Version=1; Path=/auth/realms/myrealm/; Secure; HttpOnly
KC_RESTART=<REDACTED>; Version=1; Path=/auth/realms/myrealm/; Secure; HttpOnly

Notice I must redirect off a protected URL on my client app since Wildfly client adapter only works on pages which are explicitly protected by the container managed security.  Also notice in the third and final request the response is missing the Access-Control-Allow-Origin header, which results in the error in the browser web console and the process ending.  Any ideas?

Thanks,

Ryan

More information about the keycloak-user mailing list