[keycloak-user] Keycloak SpringBoot Adapter: CORS Preflight requests allowed from every Origin

Skorupa, Sascha Sascha.Skorupa at rwth-aachen.de
Thu Nov 21 05:42:35 EST 2019


Hi,

we have a BearerOnly SpringBoot REST service that does authentication and authorisation with the Keycloak Spring Boot adapter. So, we use PolicyEnforcer and
the Keycloak Authorisation Services to perform the authz process. Spring Security is not enabled and is also not part of the classpath.

Everything works as expected, except some CORS functionality. Usually, we configure the allowed origins, methods and headers by using the Spring
features (CorsFilter). But since we integrated the PolicyEnforcer, it was necessary to set the "keycloak.cors" property to true as well, because otherwise the
PolicyEnforcer was rejecting all Preflight (HTTP OPTIONS) requests.

But now the problem is that all Preflight requests are answered with HTTP 200, although the Origin included in the HTTP request header is not allowed. I do not
know if this behaviour is intended, but without the KC adapter Spring usually rejects this kind of request with a 403. I took a look at the class "PreAuthActionsHandler"
and found that the Origin header is just copied to the response without being checked. Allowed methods and headers are configurable in the KeycloakDeployment, but allowed
origins are not.

Is it a bug or a missing feature? In my understanding such requests should be rejected, as in the Spring filters.
A workaround would be to disable the keycloak.cors property and let Spring do the CORS stuff. But unfortunately the policy enforcement denies all OPTIONS
requests without a token.

Cheers,
sascha
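As an added example (not code from Keycloak or from the poster), one way to get the Spring-style rejection back while keeping keycloak.cors enabled is a plain servlet filter that checks the Origin header against an explicit allowlist before the adapter sees the request. It assumes Spring Boot 2 with the javax.servlet API, that registering the filter with highest precedence places it ahead of the Keycloak adapter filter, and a constructed allowlist containing one origin.

```java
import java.io.IOException;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;

/** Rejects any cross-origin request (preflight or not) whose Origin is not allowlisted. */
public class OriginAllowlistFilter implements Filter {
    private final Set<String> allowedOrigins;

    public OriginAllowlistFilter(Set<String> allowedOrigins) {
        this.allowedOrigins = allowedOrigins;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String origin = request.getHeader("Origin");
        // Same-origin and non-browser clients send no Origin header; let them through untouched.
        if (origin != null && !allowedOrigins.contains(origin)) {
            // Mirror Spring's CorsFilter: 403 and no Access-Control-Allow-* headers are echoed,
            // so the adapter never gets the chance to copy an unknown Origin into the response.
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "Origin not allowed");
            return;
        }
        chain.doFilter(req, res);
    }
}

@Configuration
class OriginAllowlistConfig {
    @Bean
    FilterRegistrationBean<OriginAllowlistFilter> originAllowlist() {
        // Constructed sample allowlist; replace with the origins of your own front ends.
        FilterRegistrationBean<OriginAllowlistFilter> reg = new FilterRegistrationBean<>(
                new OriginAllowlistFilter(Set.of("https://app.example.org")));
        // Assumption: highest precedence runs this filter before the Keycloak adapter filter.
        reg.setOrder(Ordered.HIGHEST_PRECEDENCE);
        return reg;
    }
}
```

Allowed origins still reach the adapter, which then emits the Access-Control-Allow-* headers it already handles today; only the unchecked echo for unknown origins is removed.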
