[keycloak-user] CORS ‘Access-Control-Allow-Origin’ missing

Ryan Slominski ryans at jlab.org
Wed Aug 15 09:25:36 EDT 2018


Hi Jan,

If I comment out the jQuery "crossDomain: true" and "xhrFields: {withCredentials: true}" attributes of the XHR object then I do see the OPTIONS header in the web browser console.  If I include the attributes I don't see OPTIONS.  Is it possible preflight isn't needed if you've configured your client to use crossDomain?  I forgot to include in my last email the final request HTTP status response code: it is 303.  Is that a clue?

What about all of the CORS options such as cors-max-age, cors-allowed-headers, cors-allowed-methods, etc.  I am not including them in Wildfly standalone.xml currently.  Are they needed to make this work?  It doesn't seem to make a difference when experimenting, but I'm not sure what values to use...

Thanks,

Ryan
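Added example, not code from this thread, from jQuery or from Keycloak: a plain JavaScript model of the three browser-side CORS rules Ryan's questions turn on, namely when a preflight is sent, why a response carrying `Access-Control-Allow-Origin: *` is rejected for a `withCredentials` request, and how a server should answer from an explicit origin allow-list rather than `*`. The origin strings in the test are constructed from the thread's redacted hostnames.

```javascript
// Added example, not code from the thread or from Keycloak: a model of the
// browser-side CORS rules that decide what shows up in the console.
const SAFE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFE_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SAFE_CONTENT_TYPES = new Set(["application/x-www-form-urlencoded", "multipart/form-data", "text/plain"]);

// True when the browser must send an OPTIONS preflight before the real request.
// Only method and request headers matter; withCredentials and jQuery's
// crossDomain flag do not by themselves trigger a preflight.
function needsPreflight(method, headers) {
  if (!SAFE_METHODS.has(method.toUpperCase())) return true;
  for (const [name, value] of Object.entries(headers)) {
    const n = name.toLowerCase();
    if (!SAFE_HEADERS.has(n)) return true;            // e.g. X-Requested-With
    if (n === "content-type") {
      const mime = value.split(";")[0].trim().toLowerCase();
      if (!SAFE_CONTENT_TYPES.has(mime)) return true; // e.g. application/json
    }
  }
  return false;
}

// The browser's verdict on a cross-origin response; header names lower-cased.
function corsVerdict(origin, withCredentials, responseHeaders) {
  const acao = responseHeaders["access-control-allow-origin"];
  const acac = responseHeaders["access-control-allow-credentials"];
  if (acao === undefined) return "blocked: Access-Control-Allow-Origin missing";
  if (withCredentials) {
    // A credentialed request (cookies, Authorization) can never be answered
    // with the wildcard: the server must echo the exact origin and opt in.
    if (acao === "*") return "blocked: wildcard origin not allowed with credentials";
    if (acao !== origin) return "blocked: origin mismatch";
    if (acac !== "true") return "blocked: Access-Control-Allow-Credentials missing";
    return "allowed";
  }
  if (acao !== "*" && acao !== origin) return "blocked: origin mismatch";
  return "allowed";
}

// Server side: answer from an explicit allow-list (what "Web Origins" should
// hold instead of "*"). Unknown origins get no CORS headers at all.
function corsResponseHeaders(origin, allowedOrigins) {
  if (!allowedOrigins.includes(origin)) return {};
  return {
    "access-control-allow-origin": origin,
    "access-control-allow-credentials": "true",
    "vary": "Origin", // keep caches from serving one origin's answer to another
  };
}
```

jQuery adds the `X-Requested-With: XMLHttpRequest` header only when it treats a request as same-origin (`crossDomain` false), which is enough to turn a plain GET into a preflighted one; that is consistent with OPTIONS appearing only when `crossDomain: true` is removed.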

----- Original Message -----
From: "Jan Garaj" <jan.garaj at gmail.com>
To: "keycloak-user" <keycloak-user at lists.jboss.org>
Sent: Wednesday, August 15, 2018 3:36:24 AM
Subject: Re: [keycloak-user] CORS ‘Access-Control-Allow-Origin’ missing

Hi,

Actually, Access-Control-Allow-Origin is not missing, because it should be
available in the preflight (OPTIONS) response and not in GET/POST response.

My assumption is that 3.4.2+ Keycloak CORS implementation is broken and it
doesn't support any JS cross-domain access at the moment.

More details: https://issues.jboss.org/browse/KEYCLOAK-8006

You can find this CORS problem also on StackOverflow:
https://stackoverflow.com/questions/51706569/angular-keycloak-cant-get-token-using-api

Workaround: downgrade to 3.4.2- and use insecure "Web Origins": "*"

*Jan Garaj*
Web: http://www.jangaraj.com / http://monitoringartist.com
LinkedIn: http://www.linkedin.com/in/jangaraj

On Wed, Aug 15, 2018 at 8:09 AM <keycloak-user-request at lists.jboss.org>
wrote:

> ---------- Forwarded message ----------
> From: Ryan Slominski <ryans at jlab.org>
> To: keycloak-user <keycloak-user at lists.jboss.org>
> Cc:
> Bcc:
> Date: Tue, 14 Aug 2018 16:21:54 -0400 (EDT)
> Subject: [keycloak-user] CORS ‘Access-Control-Allow-Origin’ missing
> Hi Keycloak Users,
>
> I'm attempting to save my users a few button clicks by automatically
> trying brokered identity providers in the background with AJAX requests
> before redirecting them to the Keycloak login form (AJAX requests using
> kc_idp_hint parameter).  In most cases users will already be logged into
> one of the brokered identity providers (the client is often on one of
> several SPNEGO protected subnets) and instead of showing users the login
> form with buttons to try the brokered providers manually one by one I was
> hoping to simply do it for them in the background and when directed to the
> login form for the realm the common case would be for users to be
> immediately redirected back because they're logged in already.  I'm using
> the Wildfly client adapters (Java servlet container managed security)
> configured as confidential clients.  I have the client "Web Origins" set to
> "*".  In the Wildfly standalone.xml I have the clients configured with
> "<enable-cors>true</enable-cors>".  I'm using Keycloak 4.1.0.  On the
> client side I'm using jQuery and have "crossDomain: true"
> and "xhrFields:{withCredentials: true}" set on the XHR object.  The
> keycloak server still doesn't respond with a Access-Control-Allow-Origin
> header though so the login fails.  It works if not using AJAX.   The
> network trace of an AJAX request from the web browser console looks like:
>
> --- Request 1 ---
> GET
> https://myhost.example.com/myapp/protected?kc_idp_hint=broker1-keycloak-oidc&returnUrl=https://myhost.example.com/myapp/mypage
> Host: myhost.example.com
> User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101
> Firefox/52.0
> Accept: text/html, */*; q=0.01
> Accept-Language: en-US,en;q=0.5
> Accept-Encoding: gzip, deflate, br
> Referer: https://myhost.example.com/myapp/mypage
> Cookie: OAuth_Token_Request_State=<REDACTED>; JSESSIONID=<REDACTED>.myhost
> Connection: keep-alive
>
> --- Response 1 ---
> Cache-Control: no-cache, no-store, must-revalidate
> Connection: Keep-Alive
> Content-Length: 0
> Date: Tue, 14 Aug 2018 19:48:46 GMT
> Expires: 0
> Keep-Alive: timeout=5, max=100
> Location:
> https://keycloak1.example.com/auth/realms/myrealm/protocol/openid-connect/auth?response_type=code&client_id=client1&redirect_uri=https%3A%2F%2Fmyhost.example.com%2Fmyapp%2Fprotected?returnUrl%3Dhttps%253A%252F%252Fmyhost.example.com%252Fmyapp%252Fmypage&state=
> <REDACTED>&login=true&kc_idp_hint=broker1-keycloak-oidc&scope=openid
> Pragma: no-cache
> Server: WildFly/11
> Set-Cookie: OAuth_Token_Request_State=<REDACTED>; HttpOnly
> X-Powered-By: Undertow/1
>
> --- Request 2 ---
> GET
> https://keycloak1.example.com/auth/realms/myrealm/protocol/openid-connect/auth?response_type=code&client_id=client1&redirect_uri=https://myhost.example.com/myapp/protected?returnUrl=https%3A%2F%2Fmyhost.example.com%2Fmyapp%2Fmypage&state=
> <REDACTED>&login=true&kc_idp_hint=broker1-keycloak-oidc&scope=openid
> Host: keycloak1.example.com
> User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101
> Firefox/52.0
> Accept: text/html, */*; q=0.01
> Accept-Language: en-US,en;q=0.5
> Accept-Encoding: gzip, deflate, br
> Referer: https://myhost.example.com/myapp/mypage
> Origin: https://myhost.example.com
> Cookie: AUTH_SESSION_ID=<REDACTED>.keycloak1; KC_RESTART=<REDACTED>
> Connection: keep-alive
>
> --- Response 2 ---
> Status: 401
> Cache-Control: no-store, must-revalidate, max-age=0
> Connection: Keep-Alive
> Content-Length: 615
> Content-Type: text/html;charset=UTF-8
> Date: Tue, 14 Aug 2018 19:48:48 GMT
> Keep-Alive: timeout=5, max=100
> Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.2k-fips
> mod_auth_kerb/5.4 PHP/7.1.18 mod_wsgi/3.4 Python/2.7.5
> Set-Cookie: AUTH_SESSION_ID=<REDACTED>.keycloak1; Version=1;
> Path=/auth/realms/myrealm/; Secure; HttpOnly
> KC_RESTART=<REDACTED>; Version=1; Path=/auth/realms/myrealm/; Secure;
> HttpOnly
> WWW-Authenticate: Negotiate
>
> --- Request 3 ---
> GET
> https://keycloak1.example.com/auth/realms/myrealm/protocol/openid-connect/auth?response_type=code&client_id=client1&redirect_uri=https://myhost.example.com/myapp/protected?returnUrl=https%3A%2F%2Fmyhost.example.com%2Fmyapp%2Fmypage&state=
> <REDACTED>&login=true&kc_idp_hint=broker1-keycloak-oidc&scope=openid
> Host: keycloak1.example.com
> User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101
> Firefox/52.0
> Accept: text/html, */*; q=0.01
> Accept-Language: en-US,en;q=0.5
> Accept-Encoding: gzip, deflate, br
> Referer: https://myhost.example.com/myapp/mypage
> Origin: https://myhost.example.com
> Cookie: AUTH_SESSION_ID=<REDACTED>.keycloak1; KC_RESTART=<REDACTED>
> Connection: keep-alive
> Authorization: Negotiate <REDACTED>
>
> --- Response 3 ---
> Cache-Control: no-store, must-revalidate, max-age=0
> Connection: Keep-Alive
> Content-Length: 0
> Date: Tue, 14 Aug 2018 19:48:48 GMT
> Keep-Alive: timeout=5, max=99
> Location:
> https://keycloak1.example.com/auth/realms/myrealm/broker/broker1-keycloak-oidc/login?session_code=
> <REDACTED>&client_id=client1&tab_id=FP3hTW-bfQ8
> Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.2k-fips
> mod_auth_kerb/5.4 PHP/7.1.18 mod_wsgi/3.4 Python/2.7.5
> Set-Cookie: AUTH_SESSION_ID=<REDACTED>.keycloak1; Version=1;
> Path=/auth/realms/myrealm/; Secure; HttpOnly
> KC_RESTART=<REDACTED>; Version=1; Path=/auth/realms/myrealm/; Secure;
> HttpOnly
>
> Notice I must redirect off a protected URL on my client app since Wildfly
> client adapter only works on pages which are explicitly protected by the
> container managed security.  Also notice in the third and final request the
> response is missing the Access-Control-Allow-Origin header, which results
> in the error in the browser web console and the process ending.  Any ideas?
>
> Thanks,
>
> Ryan
>
>
>
>
>
> ---------- Forwarded message ----------
> From: Eric B <ebenzacar at gmail.com>
> To: keycloak-user at lists.jboss.org
> Cc:
> Bcc:
> Date: Tue, 14 Aug 2018 23:23:57 -0400
> Subject: [keycloak-user] How to force client to use PKCE code exchange?
> I'm using keycloak 3.4.3.  Is there a way in the client configuration to
> require PKCE code exchange?  I can't seem to find an option that would
> require to support this vs just the standard code exchange flow.
>
> Thanks
>
> Eric
>
>
>
>
> ---------- Forwarded message ----------
> From: Henning Waack <henning.waack at codecentric.de>
> To: keycloak-user at lists.jboss.org
> Cc:
> Bcc:
> Date: Wed, 15 Aug 2018 09:08:41 +0200
> Subject: [keycloak-user] Client roles in Access Token
> Dear all.
>
> Using KC 4.2.1, I get the following access token for a "Service Account
> User":
>
> {
>   "jti": "af460ad9-e436-481f-aa4c-2d0ee0a19878",
>   "exp": 1534251578,
>   "nbf": 0,
>   "iat": 1534251278,
>   "iss": "https://xxx/auth/realms/NAK",
>   "aud": "nak-portal",
>   "sub": "f19b3205-1f3c-4a7e-8e76-c5d8e47ef0e4",
>   "typ": "Bearer",
>   "azp": "nak-portal",
>   "auth_time": 0,
>   "session_state": "a47e50aa-2ed2-40fa-9ba7-453d5632ced0",
>   "name": "nak portal",
>   "given_name": "nak",
>   "family_name": "portal",
>   "preferred_username": "service-account-nak-portal",
>   "email": "service-account-nak-portal at placeholder.de",
>   "email_verified": true,
>   "acr": "1",
>   "allowed-origins": [
>     "http://dummy:8008"
>   ],
>   "realm_access": {
>     "roles": [
>       "source_system"
>     ]
>   },
>   "resource_access": {
>     "realm-management": {
>       "roles": [
>         "manage-users",
>         "view-users",
>         "query-clients",
>         "query-groups",
>         "query-users"
>       ]
>     }
>   },
>   "scope": "email profile",
>   "clientId": "nak-portal",
>   "clientHost": "80.242.181.71",
>   "clientAddress": "80.242.181.71",
>   "client_id": "nak-portal",
>   "username": "service-account-nak-portal",
>   "active": true
> }
>
> Please note the five realm-management client roles. Problem is that for the
> given service account I have assigned many more roles, please see attached
> screenshot.
>
> Why don't I see all effective roles (or assigned roles) in my access token?
> Interestingly enough I am also missing some of my realm roles. I have
> mapped 4 realm roles, but in the token I only have 1. Am I missing
> something?
>
> Thanks in advance, greetings
>
> Henning
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user