[keycloak-user] CORS ‘Access-Control-Allow-Origin’ missing

Jan Garaj jan.garaj at gmail.com
Wed Aug 15 03:36:24 EDT 2018


Hi,

Actually, Access-Control-Allow-Origin is not missing, because it should be
available in the preflight (OPTIONS) response and not in GET/POST response.

My assumption is that 3.4.2+ Keycloak CORS implementation is broken and it
doesn't support any JS cross-domain access at the moment.

More details: https://issues.jboss.org/browse/KEYCLOAK-8006

You can find this CORS problem also on StackOverflow:
https://stackoverflow.com/questions/51706569/angular-keycloak-cant-get-token-using-api

Workaround: downgrade to 3.4.2- and use insecure "Web Origins": "*"

*Jan Garaj*
Web: http://www.jangaraj.com / http://monitoringartist.com
LinkedIn: http://www.linkedin.com/in/jangaraj

On Wed, Aug 15, 2018 at 8:09 AM <keycloak-user-request at lists.jboss.org>
wrote:

> Today's Topics:
>
>    1. CORS ‘Access-Control-Allow-Origin’ missing (Ryan Slominski)
>    2. How to force client to use PKCE code exchange? (Eric B)
>    3. Client roles in Access Token (Henning Waack)
>
>
>
> ---------- Forwarded message ----------
> From: Ryan Slominski <ryans at jlab.org>
> To: keycloak-user <keycloak-user at lists.jboss.org>
> Date: Tue, 14 Aug 2018 16:21:54 -0400 (EDT)
> Subject: [keycloak-user] CORS ‘Access-Control-Allow-Origin’ missing
> Hi Keycloak Users,
>
> I'm attempting to save my users a few button clicks by automatically
> trying brokered identity providers in the background with AJAX requests
> before redirecting them to the Keycloak login form (AJAX requests using
> kc_idp_hint parameter).  In most cases users will already be logged into
> one of the brokered identity providers (the client is often on one of
> several SPNEGO protected subnets) and instead of showing users the login
> form with buttons to try the brokered providers manually one by one I was
> hoping to simply do it for them in the background and when directed to the
> login form for the realm the common case would be for users to be
> immediately redirected back because they're logged in already.  I'm using
> the Wildfly client adapters (Java servlet container managed security)
> configured as confidential clients.  I have the client "Web Origins" set to
> "*".  In the Wildfly standalone.xml I have the clients configured with
> "<enable-cors>true</enable-cors>".  I'm using Keycloak!
>   4.1.0.  On the client side I'm using jQuery and have "crossDomain: true"
> and "xhrFields:{withCredentials: true}" set on the XHR object.  The
> keycloak server still doesn't respond with a Access-Control-Allow-Origin
> header though so the login fails.  It works if not using AJAX.   The
> network trace of an AJAX request from the web browser console looks like:
>
> --- Request 1 ---
> GET
> https://myhost.example.com/myapp/protected?kc_idp_hint=broker1-keycloak-oidc&returnUrl=https://myhost.example.com/myapp/mypage
> Host: myhost.example.com
> User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101
> Firefox/52.0
> Accept: text/html, */*; q=0.01
> Accept-Language: en-US,en;q=0.5
> Accept-Encoding: gzip, deflate, br
> Referer: https://myhost.example.com/myapp/mypage
> Cookie: OAuth_Token_Request_State=<REDACTED>; JSESSIONID=<REDACTED>.myhost
> Connection: keep-alive
>
> --- Response 1 ---
> Cache-Control: no-cache, no-store, must-revalidate
> Connection: Keep-Alive
> Content-Length: 0
> Date: Tue, 14 Aug 2018 19:48:46 GMT
> Expires: 0
> Keep-Alive: timeout=5, max=100
> Location:
> https://keycloak1.example.com/auth/realms/myrealm/protocol/openid-connect/auth?response_type=code&client_id=client1&redirect_uri=https%3A%2F%2Fmyhost.example.com%2Fmyapp%2Fprotected?returnUrl%3Dhttps%253A%252F%252Fmyhost.example.com%252Fmyapp%252Fmypage&state=
> <REDACTED>&login=true&kc_idp_hint=broker1-keycloak-oidc&scope=openid
> Pragma: no-cache
> Server: WildFly/11
> Set-Cookie: OAuth_Token_Request_State=<REDACTED>; HttpOnly
> X-Powered-By: Undertow/1
>
> --- Request 2 ---
> GET
> https://keycloak1.example.com/auth/realms/myrealm/protocol/openid-connect/auth?response_type=code&client_id=client1&redirect_uri=https://myhost.example.com/myapp/protected?returnUrl=https%3A%2F%2Fmyhost.example.com%2Fmyapp%2Fmypage&state=
> <REDACTED>&login=true&kc_idp_hint=broker1-keycloak-oidc&scope=openid
> Host: keycloak1.example.com
> User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101
> Firefox/52.0
> Accept: text/html, */*; q=0.01
> Accept-Language: en-US,en;q=0.5
> Accept-Encoding: gzip, deflate, br
> Referer: https://myhost.example.com/myapp/mypage
> Origin: https://myhost.example.com
> Cookie: AUTH_SESSION_ID=<REDACTED>.keycloak1; KC_RESTART=<REDACTED>
> Connection: keep-alive
>
> --- Response 2 ---
> Status: 401
> Cache-Control: no-store, must-revalidate, max-age=0
> Connection: Keep-Alive
> Content-Length: 615
> Content-Type: text/html;charset=UTF-8
> Date: Tue, 14 Aug 2018 19:48:48 GMT
> Keep-Alive: timeout=5, max=100
> Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.2k-fips
> mod_auth_kerb/5.4 PHP/7.1.18 mod_wsgi/3.4 Python/2.7.5
> Set-Cookie: AUTH_SESSION_ID=<REDACTED>.keycloak1; Version=1;
> Path=/auth/realms/myrealm/; Secure; HttpOnly
> KC_RESTART=<REDACTED>; Version=1; Path=/auth/realms/myrealm/; Secure;
> HttpOnly
> WWW-Authenticate: Negotiate
>
> --- Request 3 ---
> GET
> https://keycloak1.example.com/auth/realms/myrealm/protocol/openid-connect/auth?response_type=code&client_id=client1&redirect_uri=https://myhost.example.com/myapp/protected?returnUrl=https%3A%2F%2Fmyhost.example.com%2Fmyapp%2Fmypage&state=
> <REDACTED>&login=true&kc_idp_hint=broker1-keycloak-oidc&scope=openid
> Host: keycloak1.example.com
> User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101
> Firefox/52.0
> Accept: text/html, */*; q=0.01
> Accept-Language: en-US,en;q=0.5
> Accept-Encoding: gzip, deflate, br
> Referer: https://myhost.example.com/myapp/mypage
> Origin: https://myhost.example.com
> Cookie: AUTH_SESSION_ID=<REDACTED>.keycloak1; KC_RESTART=<REDACTED>
> Connection: keep-alive
> Authorization: Negotiate <REDACTED>
>
> --- Response 3 ---
> Cache-Control: no-store, must-revalidate, max-age=0
> Connection: Keep-Alive
> Content-Length: 0
> Date: Tue, 14 Aug 2018 19:48:48 GMT
> Keep-Alive: timeout=5, max=99
> Location:
> https://keycloak1.example.com/auth/realms/myrealm/broker/broker1-keycloak-oidc/login?session_code=
> <REDACTED>&client_id=client1&tab_id=FP3hTW-bfQ8
> Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.2k-fips
> mod_auth_kerb/5.4 PHP/7.1.18 mod_wsgi/3.4 Python/2.7.5
> Set-Cookie: AUTH_SESSION_ID=<REDACTED>.keycloak1; Version=1;
> Path=/auth/realms/myrealm/; Secure; HttpOnly
> KC_RESTART=<REDACTED>; Version=1; Path=/auth/realms/myrealm/; Secure;
> HttpOnly
>
> Notice I must redirect off a protected URL on my client app since Wildfly
> client adapter only works on pages which are explicitly protected by the
> container managed security.  Also notice in the third and final request the
> response is missing the Access-Control-Allow-Origin header, which results
> in the error in the browser web console and the process ending.  Any ideas?
>
> Thanks,
>
> Ryan
>
>
>
>
>
> ---------- Forwarded message ----------
> From: Eric B <ebenzacar at gmail.com>
> To: keycloak-user at lists.jboss.org
> Date: Tue, 14 Aug 2018 23:23:57 -0400
> Subject: [keycloak-user] How to force client to use PKCE code exchange?
> I'm using keycloak 3.4.3.  Is there a way in the client configuration to
> require PKCE code exchange?  I can't seem to find an option that would
> require it rather than just the standard code exchange flow.
>
> Thanks
>
> Eric
>
>
>
>
> ---------- Forwarded message ----------
> From: Henning Waack <henning.waack at codecentric.de>
> To: keycloak-user at lists.jboss.org
> Date: Wed, 15 Aug 2018 09:08:41 +0200
> Subject: [keycloak-user] Client roles in Access Token
> Dear all.
>
> Using KC 4.2.1, I get the following access token for a "Service Account
> User":
>
> {
>   "jti": "af460ad9-e436-481f-aa4c-2d0ee0a19878",
>   "exp": 1534251578,
>   "nbf": 0,
>   "iat": 1534251278,
>   "iss": "https://xxx/auth/realms/NAK",
>   "aud": "nak-portal",
>   "sub": "f19b3205-1f3c-4a7e-8e76-c5d8e47ef0e4",
>   "typ": "Bearer",
>   "azp": "nak-portal",
>   "auth_time": 0,
>   "session_state": "a47e50aa-2ed2-40fa-9ba7-453d5632ced0",
>   "name": "nak portal",
>   "given_name": "nak",
>   "family_name": "portal",
>   "preferred_username": "service-account-nak-portal",
>   "email": "service-account-nak-portal at placeholder.de",
>   "email_verified": true,
>   "acr": "1",
>   "allowed-origins": [
>     "http://dummy:8008"
>   ],
>   "realm_access": {
>     "roles": [
>       "source_system"
>     ]
>   },
>   "resource_access": {
>     "realm-management": {
>       "roles": [
>         "manage-users",
>         "view-users",
>         "query-clients",
>         "query-groups",
>         "query-users"
>       ]
>     }
>   },
>   "scope": "email profile",
>   "clientId": "nak-portal",
>   "clientHost": "80.242.181.71",
>   "clientAddress": "80.242.181.71",
>   "client_id": "nak-portal",
>   "username": "service-account-nak-portal",
>   "active": true
> }
>
> Please note the five realm-management client roles. The problem is that for
> the given service account I have assigned many more roles; please see the
> attached screenshot.
>
> Why don't I see all effective roles (or assigned roles) in my access token?
> Interestingly enough I am also missing some of my realm roles. I have
> mapped 4 realm roles, but in the token I only have 1. Am I missing
> something?
>
> Thanks in advance, greetings
>
> Henning
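An added example, not code from the thread or from Keycloak, covering both Jan's point about where the CORS headers must appear and Ryan's trace: a small checker that walks a condensed, constructed copy of the quoted redirect chain and reports which cross-origin hops the browser would refuse to read, plus the header set a server should emit for a credentialed cross-origin request instead of the "Web Origins": "*" wildcard. The TRACE values are constructed from the thread with redactions kept; the function names are assumptions.

```python
# Constructed, condensed version of the three hops quoted in the thread:
# each entry is (request headers, response headers), secrets redacted.
TRACE = [
    ({"Host": "myhost.example.com"},
     {"Status": "302", "Location": "https://keycloak1.example.com/auth/..."}),
    ({"Host": "keycloak1.example.com", "Origin": "https://myhost.example.com"},
     {"Status": "401", "WWW-Authenticate": "Negotiate"}),
    ({"Host": "keycloak1.example.com", "Origin": "https://myhost.example.com",
      "Authorization": "Negotiate <REDACTED>"},
     {"Status": "302",
      "Location": "https://keycloak1.example.com/auth/realms/myrealm/broker/..."}),
]


def cors_findings(trace, with_credentials=True):
    """Report every cross-origin hop (request carries Origin) whose response the
    browser would not expose to script: Access-Control-Allow-Origin must be
    present on the actual response, not only on a preflight; with credentials
    (withCredentials: true) a '*' is rejected and ACAC: true is also required."""
    findings = []
    for hop, (req, resp) in enumerate(trace, 1):
        origin = req.get("Origin")
        if origin is None:
            continue  # same-origin hop, CORS is not involved
        acao = resp.get("Access-Control-Allow-Origin")
        if acao is None:
            findings.append((hop, "missing Access-Control-Allow-Origin"))
        elif with_credentials and acao == "*":
            findings.append((hop, "wildcard origin not allowed with credentials"))
        elif acao not in ("*", origin):
            findings.append((hop, f"origin {origin} not allowed ({acao})"))
        elif with_credentials and resp.get("Access-Control-Allow-Credentials") != "true":
            findings.append((hop, "missing Access-Control-Allow-Credentials: true"))
    return findings


def cors_response_headers(origin, allowed_origins, with_credentials):
    """Headers a server should add for a cross-origin request: echo the exact
    allowed origin (never '*'), and Vary on Origin so a shared cache does not
    serve one origin's answer to another. Unknown origins get no CORS headers."""
    if origin not in allowed_origins:
        return {}
    headers = {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    if with_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers
```

Run against TRACE, the checker flags hops 2 and 3, matching the failure Ryan sees in the browser console.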