Re: [keycloak-user] CORS headers not sent issue

Hi Marek, In our case the client application is not using keycloak.js adapter. Application was developed by the partner and they used their own OIDC identity server. When we connected the application to our keycloak instance, the CORS problem I have previously described appeared. As you said, I think CORS headers should be added to all the public endpoints (including certs). In our case the client application (AngularJS) is using implicit flow and is trying to verify jwt token it receives and for that it needs certs. This is only my understanding of the problem, I don't know the architecture of the application, I am just trying to integrate it :) I can create bug on JIRA, but I am not sure what you meant by PR? Thanks for info. Tomas -----Original Message----- From: Marek Posolda [mailto:mposolda@redhat.com] Sent: 4. októbra 2016 19:40 To: GRMAN, Tomas <Tomas.GRMAN(a)orange.com>; keycloak-user(a)lists.jboss.org Subject: Re: [keycloak-user] CORS headers not sent issue Hi Tomas, Nice to see you on our ML :-) I think you're right. The Cors headers are not added to the "certs" endpoint. Probably we should just add "*" similarly like it's done for well-known endpoint as the public keys are defacto public information. Feel free to create JIRA and/or even better send PR :-) Btv. I am bit curious why exactly you need it? AFAIK Cors are usually needed for the browser apps, but if you're using our keycloak.js adapter, it doesn't need public keys as it doesn't do any signature verifications by itself. Token's signature verifications are always done on server side (eg. REST endpoint where JS application sent it's token). Cheers, Marek On 04/10/16 17:10, GRMAN, Tomas wrote: