Re: [keycloak-user] CORS only for OPTIONS?

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Yes, there are two apps in the game: - - frontend, with http://127.0.0.1:9000 as an allowed origin - - backend, bearer-only, without origins defined Frontend is an HTML-only application, while backend is a REST-only API. - - Juca. On 04/03/2014 04:20 PM, Stian Thorgersen wrote: > Have you specified any web origins for your application? > > ----- Original Message ----- >> From: "Juraci Paixão Kröhling" <juraci(a)kroehling.de&gt; To: >> keycloak-user(a)lists.jboss.org Sent: Thursday, 3 April, 2014 >> 3:14:50 PM Subject: Re: [keycloak-user] CORS only for OPTIONS? >> > On 04/03/2014 03:25 PM, Bill Burke wrote: >>>> Authenticated, non-preflight requests are handled. >>>> Non-authenticated requests are not handled. > > Ok, I'm not sure if you mean that the second part is for > "non-preflight" as well. In any case, the authorization header is > not sent on the preflight (understandably), so, I guess you meant > "non-authenticated" on the first part. > > A couple of requests/responses from my application, to illustrate > what is currently happening: > > Pre-flight (OPTIONS) request, without authentication (CORS sent) - > http://pastebin.com/45raBqy0 > > Non-preflight (POST), authenticated (no CORS sent): > http://pastebin.com/E9B6iaAE > > Because of the second request, Chrome (and possibly other > browsers) will not deliver the response to the web application, > even though it executed the request (as it was allowed by the CORS > from the first request). > > Is this how it should be, or is there a bug somewhere? > > - Juca. >> _______________________________________________ keycloak-user >> mailing list keycloak-user(a)lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user