[keycloak-user] CORS issue - missing "allow origin" headers

Louis JOHANET louis.johanet at kleegroup.com
Thu Sep 12 12:59:54 EDT 2019


Hi,

We are currently facing the following issue: calling a protected client with AJAX fails with the following message:

Access to XMLHttpRequest at 'http://localhost:8081/auth/realms/my_realm/protocol/openid-connect/auth?response_type=code&client_id=my_client&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fmy_client%2F?_%3D1568206228680&state=a03e6fb8-80cd-4f10-b1ea-b710af9f94ed&login=true&scope=openid' (redirected from 'http://localhost:8080/my_client') from origin 'http://localhost:8080' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

Now this client uses the Java adapter, and does have a proper Web Origin (e.g. http://localhost:8080), which is indeed found in the access token. The keycloak.json also has enable-cors set to true.

Indeed Keycloak's response is missing Access-Control-Allow-Origin headers. Adding Web Origins in the client configuration has no effect on the returned headers.

I believe we need to add such headers in the Apache configuration, but I am surprised that this case did not come up in the docs since any client without a valid session receiving an AJAX request will cause the problem above, due to the 302 Redirect to Keycloak. Have you ever come across this issue?

Best regards,

Louis Johanet

