<html><head><style>body{font-family:Helvetica,Arial;font-size:13px}</style></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;"><div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px; color: rgba(0,0,0,1.0); margin: 0px; line-height: auto;">
<span style="font-family: 'helvetica Neue', helvetica;">Hi, </span><br style="font-family: 'helvetica Neue', helvetica;"><br style="font-family: 'helvetica Neue', helvetica;">
<span style="font-family: 'helvetica Neue', helvetica;">I’m integrating a web application using angularjs 1.4.6 and keycloak 1.5.0. </span><br style="font-family: 'helvetica Neue', helvetica;">
<span style="font-family: 'helvetica Neue', helvetica;">The application and keycloak app-servers are on different ports. </span><br style="font-family: 'helvetica Neue', helvetica;">
<span style="font-family: 'helvetica Neue', helvetica;">The application works ok when the session is not expired. </span><br style="font-family: 'helvetica Neue', helvetica;">
<span style="font-family: 'helvetica Neue', helvetica;">After session expiration keycloak.updateToken() fails with </span><br style="font-family: 'helvetica Neue', helvetica;">
<span style="font-family: 'helvetica Neue', helvetica;">400 Bad Request. Chrome shows the following in the console: </span><br style="font-family: 'helvetica Neue', helvetica;"><br style="font-family: 'helvetica Neue', helvetica;">
<span style="font-family: 'helvetica Neue', helvetica;">XMLHttpRequest cannot load </span><a href="http://localhost:8080/auth/realms/demo/protocol/openid-connect/token" style="font-family: 'helvetica Neue', helvetica;">http://localhost:8080/auth/realms/demo/protocol/openid-connect/token</a><span style="font-family: 'helvetica Neue', helvetica;">. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin '</span><a href="http://localhost:9080" style="font-family: 'helvetica Neue', helvetica;">http://localhost:9080</a><span style="font-family: 'helvetica Neue', helvetica;">' is therefore not allowed access. The response had HTTP status code 400. </span><br style="font-family: 'helvetica Neue', helvetica;"><br style="font-family: 'helvetica Neue', helvetica;">
<span style="font-family: 'helvetica Neue', helvetica;">The behavior is the same with Safari and Firefox. </span><br style="font-family: 'helvetica Neue', helvetica;"><br style="font-family: 'helvetica Neue', helvetica;">
<span style="font-family: 'helvetica Neue', helvetica;">If I get it right, this 400 response from keycloak shouldn’t be </span><br style="font-family: 'helvetica Neue', helvetica;">
<span style="font-family: 'helvetica Neue', helvetica;">interpreted as a CORS failure by browsers? </span><br style="font-family: 'helvetica Neue', helvetica;"><br style="font-family: 'helvetica Neue', helvetica;">
<span style="font-family: 'helvetica Neue', helvetica;">This is the keycloak response when the session is alive: </span><br style="font-family: 'helvetica Neue', helvetica;"><br style="font-family: 'helvetica Neue', helvetica;">
<span style="font-family: 'helvetica Neue', helvetica;"> --> HTTP/1.1 200 OK </span><br style="font-family: 'helvetica Neue', helvetica;">
<span style="font-family: 'helvetica Neue', helvetica;"> X-Powered-By: Undertow/1 </span><br style="font-family: 'helvetica Neue', helvetica;">
<span style="font-family: 'helvetica Neue', helvetica;"> Server: WildFly/9 </span><br style="font-family: 'helvetica Neue', helvetica;">
<span style="font-family: 'helvetica Neue', helvetica;"> Access-Control-Expose-Headers: Access-Control-Allow-Methods </span><br style="font-family: 'helvetica Neue', helvetica;">
<span style="font-family: 'helvetica Neue', helvetica;"> Date: Tue, 29 Sep 2015 04:54:52 GMT </span><br style="font-family: 'helvetica Neue', helvetica;">
<span style="font-family: 'helvetica Neue', helvetica;"> Connection: keep-alive </span><br style="font-family: 'helvetica Neue', helvetica;">
<span style="font-family: 'helvetica Neue', helvetica;"> Access-Control-Allow-Origin: </span><a href="http://localhost:9080/" style="font-family: 'helvetica Neue', helvetica;">http://localhost:9080</a><span style="font-family: 'helvetica Neue', helvetica;"> </span><br style="font-family: 'helvetica Neue', helvetica;">
<span style="font-family: 'helvetica Neue', helvetica;"> Access-Control-Allow-Credentials: true </span><br style="font-family: 'helvetica Neue', helvetica;">
<span style="font-family: 'helvetica Neue', helvetica;"> Transfer-Encoding: chunked </span><br style="font-family: 'helvetica Neue', helvetica;">
<span style="font-family: 'helvetica Neue', helvetica;"> Content-Type: application/json </span><br style="font-family: 'helvetica Neue', helvetica;"><br style="font-family: 'helvetica Neue', helvetica;">
<span style="font-family: 'helvetica Neue', helvetica;">And this one with the session expired: </span><br style="font-family: 'helvetica Neue', helvetica;"><br style="font-family: 'helvetica Neue', helvetica;">
<span style="font-family: 'helvetica Neue', helvetica;"> --> HTTP/1.1 400 Bad Request </span><br style="font-family: 'helvetica Neue', helvetica;">
<span style="font-family: 'helvetica Neue', helvetica;"> Connection: keep-alive </span><br style="font-family: 'helvetica Neue', helvetica;">
<span style="font-family: 'helvetica Neue', helvetica;"> X-Powered-By: Undertow/1 </span><br style="font-family: 'helvetica Neue', helvetica;">
<span style="font-family: 'helvetica Neue', helvetica;"> Server: WildFly/9 </span><br style="font-family: 'helvetica Neue', helvetica;">
<span style="font-family: 'helvetica Neue', helvetica;"> Transfer-Encoding: chunked </span><br style="font-family: 'helvetica Neue', helvetica;">
<span style="font-family: 'helvetica Neue', helvetica;"> Content-Type: application/json </span><br style="font-family: 'helvetica Neue', helvetica;">
<span style="font-family: 'helvetica Neue', helvetica;"> Date: Tue, 29 Sep 2015 04:55:03 GMT </span><br style="font-family: 'helvetica Neue', helvetica;"><br style="font-family: 'helvetica Neue', helvetica;">
<span style="font-family: 'helvetica Neue', helvetica;">So my concerns are: </span><br style="font-family: 'helvetica Neue', helvetica;"><br style="font-family: 'helvetica Neue', helvetica;">
<span style="font-family: 'helvetica Neue', helvetica;">1. Why do CORS headers depend on session validity? This caused much confusion for me, </span><br style="font-family: 'helvetica Neue', helvetica;">
<span style="font-family: 'helvetica Neue', helvetica;">because I thought there was a problem with CORS, until I understood this was a session problem. </span><br style="font-family: 'helvetica Neue', helvetica;"><br style="font-family: 'helvetica Neue', helvetica;">
<span style="font-family: 'helvetica Neue', helvetica;">2. I think it would also be great to have some more context on error responses </span><br style="font-family: 'helvetica Neue', helvetica;">
<span style="font-family: 'helvetica Neue', helvetica;">(like returning some json with error description), because HTTP responses are too generic. </span><br style="font-family: 'helvetica Neue', helvetica;">
</div><br><div id="bloop_sign_1443600488081101824" class="bloop_sign"><div style="font-family:helvetica,arial;font-size:13px">-- <br>Tair Sabirgaliev</div><div style="font-family:helvetica,arial;font-size:13px">Bee Software, LLP</div></div></body></html>
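The following is an added example, not code from the original message or from Keycloak. It replays the two response heads quoted in the message (re-typed here without the author's " --> " prefix) through a simplified model of the check a browser applies to a credentialed cross-origin XMLHttpRequest, and shows why the expired-session 400, which carries no Access-Control-Allow-Origin header, reaches the page's script as a CORS error with status 0 rather than as a readable 400. The last function is the regression check a defender would run against an authorization server's token endpoint: every error status must carry the same CORS headers as the 200, or the SPA cannot tell "session expired" from "CORS misconfigured". The origin value, the assumption that keycloak.js sends the token request with credentials, and the helper names are all assumptions of this example.

```javascript
// Response heads as quoted in the message, re-typed here as constructed sample input
// (the author's " --> " prefix is dropped so the status line parses).
const ALIVE_RESPONSE = `HTTP/1.1 200 OK
X-Powered-By: Undertow/1
Server: WildFly/9
Access-Control-Expose-Headers: Access-Control-Allow-Methods
Date: Tue, 29 Sep 2015 04:54:52 GMT
Connection: keep-alive
Access-Control-Allow-Origin: http://localhost:9080
Access-Control-Allow-Credentials: true
Transfer-Encoding: chunked
Content-Type: application/json`;

const EXPIRED_RESPONSE = `HTTP/1.1 400 Bad Request
Connection: keep-alive
X-Powered-By: Undertow/1
Server: WildFly/9
Transfer-Encoding: chunked
Content-Type: application/json
Date: Tue, 29 Sep 2015 04:55:03 GMT`;

// Origin of the SPA, taken from the console error in the message (assumption: exact value).
const APP_ORIGIN = 'http://localhost:9080';

// Parse a raw HTTP/1.1 response head into { status, headers } with lower-cased header names.
function parseResponseHead(raw) {
  const lines = raw.split(/\r?\n/);
  const m = /^HTTP\/\d\.\d\s+(\d{3})/.exec(lines[0]);
  if (!m) throw new Error('not a status line: ' + lines[0]);
  const headers = {};
  for (const line of lines.slice(1)) {
    const idx = line.indexOf(':');
    if (idx < 0) continue;
    headers[line.slice(0, idx).trim().toLowerCase()] = line.slice(idx + 1).trim();
  }
  return { status: Number(m[1]), headers };
}

// Simplified model of the browser's CORS response check. For a credentialed request
// (the assumed case for the token endpoint) the response is readable only if
// Access-Control-Allow-Origin echoes the exact origin ('*' is rejected) and
// Access-Control-Allow-Credentials is 'true'. The check runs regardless of status
// code, which is why a 400 without these headers is reported as a CORS error.
function corsCheck(origin, head, withCredentials = true) {
  const acao = head.headers['access-control-allow-origin'];
  const acac = head.headers['access-control-allow-credentials'];
  if (acao === undefined) return { ok: false, reason: 'missing Access-Control-Allow-Origin' };
  if (withCredentials) {
    if (acao !== origin) return { ok: false, reason: 'Access-Control-Allow-Origin does not match origin' };
    if (acac !== 'true') return { ok: false, reason: 'Access-Control-Allow-Credentials is not true' };
  } else if (acao !== '*' && acao !== origin) {
    return { ok: false, reason: 'Access-Control-Allow-Origin does not match origin' };
  }
  return { ok: true, reason: '' };
}

// What the page's script observes: the real status and a readable body when the
// CORS check passes, otherwise status 0, no body and only a console message. The
// actual status is kept here purely for illustration; a real page never sees it.
function observeFromScript(origin, raw) {
  const head = parseResponseHead(raw);
  const cors = corsCheck(origin, head);
  if (!cors.ok) {
    return { visibleStatus: 0, bodyReadable: false, corsError: cors.reason, actualStatus: head.status };
  }
  return { visibleStatus: head.status, bodyReadable: true, corsError: null, actualStatus: head.status };
}

// Regression check for the server side: list every error status (>= 400) among the
// captured responses that a credentialed request from `origin` could not read.
function missingCorsOnError(origin, rawResponses) {
  return rawResponses
    .map(parseResponseHead)
    .filter(h => h.status >= 400 && !corsCheck(origin, h).ok)
    .map(h => h.status);
}

// Stand-alone run: prints the script's view of both responses and the failing statuses.
console.log(observeFromScript(APP_ORIGIN, ALIVE_RESPONSE));
console.log(observeFromScript(APP_ORIGIN, EXPIRED_RESPONSE));
console.log('error statuses without usable CORS headers:', missingCorsOnError(APP_ORIGIN, [ALIVE_RESPONSE, EXPIRED_RESPONSE]));
```

In the SPA this means an updateToken() failure after the session expired cannot be distinguished from a broken CORS setup by inspecting the XHR, since both arrive as status 0; the practical client-side handling is to treat any refresh failure as "re-authenticate" and to verify the server configuration separately with a check like missingCorsOnError, capturing real responses instead of the constructed strings used here.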