I was about to say "I am using confidential".   Switching to public does indeed drop the need for preflight.  Learned something new :-)

Still want me to submit a PR for the refresh preflight?   Obviously using confidential doesn't add any security here, but I don't think supporting it can hurt either (and the JavaScript code supports it already.)


On Tue, Dec 2, 2014 at 8:24 AM, Bill Burke <bburke@redhat.com> wrote:
You mean the "public" application type.

On 12/2/2014 10:10 AM, Stian Thorgersen wrote:
> The code->token and refresh token requests are being pre-flighted because there's a 'Authorization: Basic' header in there. For a GWT app you should use the confidential application type, which doesn't require a secret.
>
> ----- Original Message -----
>> From: "Alain Penders" <alain@rexorient.com>
>> To: "Stian Thorgersen" <stian@redhat.com>
>> Cc: keycloak-dev@lists.jboss.org
>> Sent: Tuesday, 2 December, 2014 4:02:15 PM
>> Subject: Re: [keycloak-dev] Fwd: Preflight for token refresh
>>
>> Not really.  It needs CORS for every URI it hits.  Refresh is a different
>> URI from the code->token exchange one it uses initially.
>>
>> When Keycloak redirects back to the GWT app and the code is exchanged for
>> the tokens, I see this in the Network trace:
>>
>> First an OPTIONS request:
>>
>>
>>     1. Remote Address:
>>     127.0.0.1:8080
>>     2. Request URL:
>>     http://localhost:8080/auth/realms/GameSeeder/tokens/access/codes
>>     3. Request Method:
>>     OPTIONS
>>     4. Status Code:
>>     200 OK
>>     5. Request Headersview source
>>        1. Accept:
>>        */*
>>        2. Accept-Encoding:
>>        gzip, deflate, sdch
>>        3. Accept-Language:
>>        en-US,en;q=0.8
>>        4. Access-Control-Request-Headers:
>>        authorization, content-type
>>        5. Access-Control-Request-Method:
>>        POST
>>        6. Connection:
>>        keep-alive
>>        7. Host:
>>        localhost:8080
>>        8. Origin:
>>        http://127.0.0.1:8888
>>        9. Referer:
>>        http://127.0.0.1:8888/Main.html
>>        10. User-Agent:
>>        Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like
>>        Gecko) Chrome/39.0.2171.71 Safari/537.36
>>        6. Response Headersview source
>>        1. Access-Control-Allow-Credentials:
>>        true
>>        2. Access-Control-Allow-Headers:
>>        Origin, Accept, X-Requested-With, Content-Type,
>>        Access-Control-Request-Method, Access-Control-Request-Headers,
>> Authorization
>>        3. Access-Control-Allow-Methods:
>>        GET, HEAD, OPTIONS
>>        4. Access-Control-Allow-Origin:
>>        http://127.0.0.1:8888
>>        5. Access-Control-Max-Age:
>>        3600
>>        6. Connection:
>>        keep-alive
>>        7. Content-Length:
>>        0
>>        8. Date:
>>        Tue, 02 Dec 2014 14:51:47 GMT
>>        9. Server:
>>        WildFly/8
>>        10. X-Powered-By:
>>        Undertow/1
>>
>>
>> Then the actual code exchange request:
>>
>>
>>     1. Remote Address:
>>     127.0.0.1:8080
>>     2. Request URL:
>>     http://localhost:8080/auth/realms/GameSeeder/tokens/access/codes
>>     3. Request Method:
>>     POST
>>     4. Status Code:
>>     200 OK
>>     5. Request Headersview source
>>        1. Accept:
>>        */*
>>        2. Accept-Encoding:
>>        gzip, deflate
>>        3. Accept-Language:
>>        en-US,en;q=0.8
>>        4. Authorization:
>>        Basic R2FtZVNlZWRlcjoyYTczYTQ0Yi1lMGFhLTRiMTYtODk2OC1hY2YwZTVlMGVlNTk=
>>        5. Connection:
>>        keep-alive
>>        6. Content-Length:
>>        85
>>        7. Content-type:
>>        application/x-www-form-urlencoded
>>        8. Cookie:
>>        KEYCLOAK_IDENTITY=eyJhbGciOiJSUzI1NiJ9.eyJqdGkiOiI5NTA4ZTg2Yi04ZjdhLTRmN2UtOWYzOC1jMTFhMDdkNjUyOWMiLCJleHAiOjE0MjAxMjM5MDYsIm5iZiI6MCwiaWF0IjoxNDE3NTMxOTA2LCJpc3MiOiJHYW1lU2VlZGVyIiwic3ViIjoiOTY0ZjkwNWMtZTg2ZC00NDUzLWE3MzItYWVlMDE5NGY5YTIwIiwic2Vzc2lvbl9zdGF0ZSI6ImVjODE0NjcyLTFhOWYtNDM1ZS04YjU4LTU4ZmI4MDNiMDZkYSIsInJlc291cmNlX2FjY2VzcyI6e319.LiS51MggFZVPJ-TUlcYejPD7x6pJvgdOYCLrHV8LKiIP6BGZzS7D4W0t3xsXeKxqBr-h3cSaY_BqWKRl4RGn67SHuWvoDRrS6xKPZuWPQ08NS_iQVrIKGOATtGF2VFMutnroa4Y_UNmi5T2gZFc-wphRWRV5YG-x-DGAqd4h42U;
>>        KEYCLOAK_SESSION=GameSeeder/964f905c-e86d-4453-a732-aee0194f9a20/ec814672-1a9f-435e-8b58-58fb803b06da;
>>        KEYCLOAK_REMEMBER_ME=username:alain
>>        9. Host:
>>        localhost:8080
>>        10. Origin:
>>        http://127.0.0.1:8888
>>        11. Referer:
>>        http://127.0.0.1:8888/Main.html
>>        12. User-Agent:
>>        Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like
>>        Gecko) Chrome/39.0.2171.71 Safari/537.36
>>        6. Form Dataview sourceview URL encoded
>>        1. code:
>>
>>        sCnqEAuF8YuobscjJnCKdGu6xqnZ-CsqT5prXc5i7os.b9cda44e-50d6-49dd-b30a-dee68b530662
>>        7. Response Headersview source
>>        1. Access-Control-Allow-Credentials:
>>        true
>>        2. Access-Control-Allow-Headers:
>>        Origin, Accept, X-Requested-With, Content-Type,
>>        Access-Control-Request-Method, Access-Control-Request-Headers,
>> Authorization
>>        3. Access-Control-Allow-Methods:
>>        POST
>>        4. Access-Control-Allow-Origin:
>>        http://127.0.0.1:8888
>>        5. Access-Control-Expose-Headers:
>>        Access-Control-Allow-Methods
>>        6. Access-Control-Max-Age:
>>        3600
>>        7. Connection:
>>        keep-alive
>>        8. Content-Type:
>>        application/json
>>        9. Date:
>>        Tue, 02 Dec 2014 14:51:47 GMT
>>        10. Server:
>>        WildFly/8
>>        11. Transfer-Encoding:
>>        chunked
>>        12. X-Powered-By:
>>        Undertow/1
>>
>>
>> Now I wait 5+ minutes, forcing keycloak to use the refresh token. Since
>> this uses the refresh URI for the first time, Chrome performs a preflight
>> check:
>>
>>
>>     1. Remote Address:
>>     127.0.0.1:8080
>>     2. Request URL:
>>     http://localhost:8080/auth/realms/GameSeeder/tokens/refresh
>>     3. Request Method:
>>     OPTIONS
>>     4. Status Code:
>>     200 OK
>>     5. Request Headersview source
>>        1. Accept:
>>        */*
>>        2. Accept-Encoding:
>>        gzip, deflate, sdch
>>        3. Accept-Language:
>>        en-US,en;q=0.8
>>        4. Access-Control-Request-Headers:
>>        authorization, content-type
>>        5. Access-Control-Request-Method:
>>        POST
>>        6. Connection:
>>        keep-alive
>>        7. Host:
>>        localhost:8080
>>        8. Origin:
>>        http://127.0.0.1:8888
>>        9. Referer:
>>        http://127.0.0.1:8888/Main.html
>>        10. User-Agent:
>>        Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like
>>        Gecko) Chrome/39.0.2171.71 Safari/537.36
>>        6. Response Headersview source
>>        1. Access-Control-Allow-Credentials:
>>        true
>>        2. Access-Control-Allow-Headers:
>>        Origin, Accept, X-Requested-With, Content-Type,
>>        Access-Control-Request-Method, Access-Control-Request-Headers,
>> Authorization
>>        3. Access-Control-Allow-Methods:
>>        GET, HEAD, OPTIONS
>>        4. Access-Control-Allow-Origin:
>>        http://127.0.0.1:8888
>>        5. Access-Control-Max-Age:
>>        3600
>>        6. Connection:
>>        keep-alive
>>        7. Content-Length:
>>        0
>>        8. Date:
>>        Tue, 02 Dec 2014 15:00:32 GMT
>>        9. Server:
>>        WildFly/8
>>        10. X-Powered-By:
>>        Undertow/1
>>
>>
>> Followed by the actual refresh:
>>
>>
>>     1. Remote Address:
>>     127.0.0.1:8080
>>     2. Request URL:
>>     http://localhost:8080/auth/realms/GameSeeder/tokens/refresh
>>     3. Request Method:
>>     POST
>>     4. Status Code:
>>     200 OK
>>     5. Request Headersview source
>>        1. Accept:
>>        */*
>>        2. Accept-Encoding:
>>        gzip, deflate
>>        3. Accept-Language:
>>        en-US,en;q=0.8
>>        4. Authorization:
>>        Basic R2FtZVNlZWRlcjoyYTczYTQ0Yi1lMGFhLTRiMTYtODk2OC1hY2YwZTVlMGVlNTk=
>>        5. Connection:
>>        keep-alive
>>        6. Content-Length:
>>        699
>>        7. Content-type:
>>        application/x-www-form-urlencoded
>>        8. Host:
>>        localhost:8080
>>        9. Origin:
>>        http://127.0.0.1:8888
>>        10. Referer:
>>        http://127.0.0.1:8888/Main.html
>>        11. User-Agent:
>>        Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like
>>        Gecko) Chrome/39.0.2171.71 Safari/537.36
>>        6. Form Dataview sourceview URL encoded
>>        1. grant_type:
>>        refresh_token
>>        2. refresh_token:
>>
>>        eyJhbGciOiJSUzI1NiJ9.eyJqdGkiOiJjMWZlOGUyNS0yNTlkLTQwYjYtOGFmMS0yMDU0Y2EwMTRkYWEiLCJleHAiOjE0MTc1MzkxMDcsIm5iZiI6MCwiaWF0IjoxNDE3NTMxOTA3LCJpc3MiOiJHYW1lU2VlZGVyIiwic3ViIjoiOTY0ZjkwNWMtZTg2ZC00NDUzLWE3MzItYWVlMDE5NGY5YTIwIiwidHlwIjoiUkVGUkVTSCIsImF6cCI6IkdhbWVTZWVkZXIiLCJzZXNzaW9uX3N0YXRlIjoiZWM4MTQ2NzItMWE5Zi00MzVlLThiNTgtNThmYjgwM2IwNmRhIiwicmVhbG1fYWNjZXNzIjp7InJvbGVzIjpbInVzZXIiXX0sInJlc291cmNlX2FjY2VzcyI6eyJhY2NvdW50Ijp7InJvbGVzIjpbInZpZXctcHJvZmlsZSIsIm1hbmFnZS1hY2NvdW50Il19fX0.HlAXTyosQ4SHL2WyqRVMDEwN2TXNQyqTKE8PRkbhnbhjJPq4alDP2mCBH2RV3a5KPDCTj1-H-bnKpebrV8fOWNVrQCCL5NN6t7KEYLH1hA75ak_xWSUNzz7s_ZlW9AVucuMCFk1-bXnDaQOilU9JOS2yomQYa4PvexmrbzEJ5Bs
>>        7. Response Headersview source
>>        1. Access-Control-Allow-Credentials:
>>        true
>>        2. Access-Control-Allow-Headers:
>>        Origin, Accept, X-Requested-With, Content-Type,
>>        Access-Control-Request-Method, Access-Control-Request-Headers,
>> Authorization
>>        3. Access-Control-Allow-Methods:
>>        POST
>>        4. Access-Control-Allow-Origin:
>>        http://127.0.0.1:8888
>>        5. Access-Control-Expose-Headers:
>>        Access-Control-Allow-Methods
>>        6. Access-Control-Max-Age:
>>        3600
>>        7. Connection:
>>        keep-alive
>>        8. Content-Type:
>>        application/json
>>        9. Date:
>>        Tue, 02 Dec 2014 15:00:32 GMT
>>        10. Server:
>>        WildFly/8
>>        11. Transfer-Encoding:
>>        chunked
>>        12. X-Powered-By:
>>        Undertow/1
>>
>>
>>
>>
>> On Tue, Dec 2, 2014 at 7:49 AM, Stian Thorgersen <stian@redhat.com> wrote:
>>
>>>
>>>
>>> ----- Original Message -----
>>>> From: "Alain Penders" <alain@rexorient.com>
>>>> To: "Stian Thorgersen" <stian@redhat.com>
>>>> Cc: keycloak-dev@lists.jboss.org
>>>> Sent: Tuesday, 2 December, 2014 3:43:13 PM
>>>> Subject: Re: [keycloak-dev] Fwd: Preflight for token refresh
>>>>
>>>> I'm testing my UI using GWTs Super Dev Mode, which means its origin is
>>> set
>>>> to http://127.0.0.1:8888.    Keycloak runs on http://127.0.0.1:8080/auth
>>> .
>>>
>>> Yes, that requires CORS, but doesn't necessarily require a PREFLIGHT
>>> request. My guess is that "GWTs Super Dev Mode" sets some custom headers on
>>> all requests.
>>>
>>>>
>>>> On Tue, Dec 2, 2014 at 7:32 AM, Stian Thorgersen <stian@redhat.com>
>>> wrote:
>>>>
>>>>> It's the correct approach to add the preflight. Please send a PR and
>>> we'll
>>>>> merge it.
>>>>>
>>>>> Out of curiosity do you know why it's sending a preflight in your app?
>>> It
>>>>> doesn't when I test it out here, which AFAIK is correct according to
>>> spec
>>>>> (content-type is application/x-www-form-urlencoded and there's no
>>> custom
>>>>> headers set).
>>>>>
>>>>> ----- Original Message -----
>>>>>> From: "Alain Penders" <alain@rexorient.com>
>>>>>> To: keycloak-dev@lists.jboss.org
>>>>>> Sent: Tuesday, 2 December, 2014 3:04:50 PM
>>>>>> Subject: [keycloak-dev] Fwd: Preflight for token refresh
>>>>>>
>>>>>> Hi all,
>>>>>>
>>>>>> I'm building a new app using GWT 2.7 using the Keycloak javascript
>>>>> adapter
>>>>>> and GWT jsInterop. This works extremely well.
>>>>>>
>>>>>> The problem I ran into is if I walk away for 5 minutes and then try
>>> to do
>>>>>> something, the token refresh fails on preflight. As shown in the
>>>>>> documentation, I call keycloak.updateToken(30) to refresh the base
>>> token
>>>>> in
>>>>>> case it has expired. Since in this case it has indeed expired,
>>> keycloak
>>>>>> makes a call to /auth/realms/<myrealm>/tokens/refresh. The OPTIONS
>>> call
>>>>> to
>>>>>> this location doesn't contain the Accept headers, and my app ends up
>>>>> dead in
>>>>>> the water.
>>>>>>
>>>>>> To fix this, I added the following code to OpenIDConnectService:
>>>>>>
>>>>>> /**
>>>>>> * CORS preflight path for refresh token requests
>>>>>> *
>>>>>> * @return
>>>>>> */
>>>>>> @Path("refresh")
>>>>>> @OPTIONS
>>>>>> @Produces(MediaType.APPLICATION_JSON)
>>>>>> public Response refreshAccessTokenPreflight() {
>>>>>> if (logger.isDebugEnabled()) {
>>>>>> logger.debugv("cors request from: {0}",
>>>>>> request.getHttpHeaders().getRequestHeaders().getFirst("Origin"));
>>>>>> }
>>>>>> return Cors.add(request, Response.ok()).auth().preflight().build();
>>>>>> }
>>>>>>
>>>>>> If this wasn't the correct solution for my problem, I'd enjoy hearing
>>>>> where I
>>>>>> went wrong.
>>>>>>
>>>>>> Thanks,
>>>>>> Alain
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> keycloak-dev mailing list
>>>>>> keycloak-dev@lists.jboss.org
>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>>>
>>>>
>>>
>>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev@lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
keycloak-dev mailing list
keycloak-dev@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev