<html><body><div style="color:#000; background-color:#fff; font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:13px"><div id="yui_3_16_0_1_1443652682787_3960">Hi to all,</div><div id="yui_3_16_0_1_1443652682787_3960" dir="ltr">in my use case i have a typical web application made up on a frontend layer written completely with Angular js and a REST server layer wirtten with jersey 2.0.</div><div id="yui_3_16_0_1_1443652682787_3960" dir="ltr">Till now i made my test simply securing the REST layer using web.xml descriptor and registering it as webapplication client into keycloak realm. The security type was confidential.</div><div id="yui_3_16_0_1_1443652682787_3960" dir="ltr">Simply invoking a service REST url i was redirected to the keycloak login page where i could insert my credential and so on....</div><div id="yui_3_16_0_1_1443652682787_3960" dir="ltr">Now i want to go further... it's the turn of the angular js application. </div><div id="yui_3_16_0_1_1443652682787_3960" dir="ltr">It invokes obviously the rest services and it has to be secured. The keycloak CORS example shows a use case similar to the mine one, so i choose to follow it. I realize that it adds a javascript adapter to the Angular level without registering the service webapplication inside the CORS realm.</div><div id="yui_3_16_0_1_1443652682787_3960" dir="ltr">On keycloak guidelines i read that this is not the best way to follow as securing the application this way makes to loose the confidential data transport between client and server.</div><div id="yui_3_16_0_1_1443652682787_3960" dir="ltr">By the way... i try 2 approaches to the problem:</div><div id="yui_3_16_0_1_1443652682787_3960" dir="ltr"><br></div><div id="yui_3_16_0_1_1443652682787_3960" dir="ltr">1)following exactly the CORS example: i added the js adapter to the angular js application; i configured only the client inside my realm as public, and eventually imported the keycloak.js. Result: when i run the application i'm redirected to the keycloak login page; i filled out the form but after the login i'm blocked by the browser because it does'nt find the access-control-allow-origin header in the get token request. The keycloak.json in the WEB-INF folder of the rest service specifies enabled-cors:true</div><div id="yui_3_16_0_1_1443652682787_3960" dir="ltr"><br></div><div id="yui_3_16_0_1_1443652682787_3960" dir="ltr">2)i left the REST layer secured expecting that at the first angular REST request i should be redirected to the keycloak login page. But even in this case browser blocks me because it misses access control allow origin header. Even in this case the keycloak.json in the WEB-INF folder of the rest service specifies enabled-cors:true</div><div id="yui_3_16_0_1_1443652682787_3960" dir="ltr"><br></div><div id="yui_3_16_0_1_1443652682787_3960" dir="ltr">So where am i wrong?</div><div id="yui_3_16_0_1_1443652682787_3960" dir="ltr">What is the right approach for securing my web application?</div><div id="yui_3_16_0_1_1443652682787_3960" dir="ltr">Why browser continues blocking my request?</div><div id="yui_3_16_0_1_1443652682787_3960" dir="ltr"><br></div></div></body></html>