Hello again,
I forgot to mention I'm using Keycloak 3.1.0 Final.
Meanwhile I searched a bit more and found more people with the same
problem, but sadly, no solution:
http://lists.jboss.org/pipermail/keycloak-user/2014-May/000259.html
http://lists.jboss.org/pipermail/keycloak-user/2016-May/006147.html
I also made a really basic WAR application, protected by Keycloak,
that just says "Hello" when you access the route /hello. The minimal
client code that reproduces the problem:
    <script type="text/javascript"
            src="https://code.jquery.com/jquery-3.1.0.min.js"></script>
    <!-- keycloak.js is served by the Keycloak server itself -->
    <script type="text/javascript"
            src="http://localhost:9000/auth/js/keycloak.js"></script>
    <script type="text/javascript">
      var keycloak = Keycloak('keycloak.json');
      // login-required: redirect to the Keycloak login page when there is no session
      keycloak.init({ onLoad: 'login-required' }).success(function(authenticated) {
        if (authenticated) {
          // cross-origin call to the API, access token sent as a Bearer header
          $.ajax({
            method: "GET",
            url: "http://localhost:8080/hello",
            headers: { 'Authorization': 'Bearer ' + keycloak.token }
          });
        }
      });
    </script>
I'm able to login successfully and acquire a valid working token.
However the AJAX call fails with the same errors mentioned before.
In Chrome 57 and Opera: "The 'Access-Control-Allow-Origin' header
contains multiple values 'http://localhost, http://localhost', but
only one is allowed. Origin 'http://localhost' is therefore not
allowed access."
In Firefox 52: "Cross-Origin Request Blocked: The Same Origin Policy
disallows reading the remote resource. (Reason: CORS header
‘Access-Control-Allow-Origin’ does not match ‘(null)’)".
It works in IE11 but the page refreshes constantly, similar to what
I've mentioned
here: http://lists.jboss.org/pipermail/keycloak-user/2017-May/010677.html,
even when accepting third-party cookies.
Anyone have any hints please? What's going on with my setup? :(
Some additional information:
My API has the CORS filter enabled, like this:
    <!-- Tomcat's built-in CORS filter; each init-param below is one of its settings -->
    <filter>
      <filter-name>CorsFilter</filter-name>
      <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
      <!-- origins allowed to call the API -->
      <init-param>
        <param-name>cors.allowed.origins</param-name>
        <param-value>*</param-value>
      </init-param>
      <!-- methods accepted in a preflight -->
      <init-param>
        <param-name>cors.allowed.methods</param-name>
        <param-value>GET,POST,HEAD,OPTIONS,PUT</param-value>
      </init-param>
      <!-- request headers accepted in a preflight -->
      <init-param>
        <param-name>cors.allowed.headers</param-name>
        <param-value>Content-Type,X-Requested-With,accept,Origin,Access-Control-Request-Method,Access-Control-Request-Headers</param-value>
      </init-param>
      <!-- response headers the browser may expose to script -->
      <init-param>
        <param-name>cors.exposed.headers</param-name>
        <param-value>Access-Control-Allow-Origin,Access-Control-Allow-Credentials</param-value>
      </init-param>
      <!-- emit Access-Control-Allow-Credentials: true -->
      <init-param>
        <param-name>cors.support.credentials</param-name>
        <param-value>true</param-value>
      </init-param>
      <!-- seconds the browser may cache a preflight result -->
      <init-param>
        <param-name>cors.preflight.maxage</param-name>
        <param-value>10</param-value>
      </init-param>
    </filter>
    <filter-mapping>
      <filter-name>CorsFilter</filter-name>
      <url-pattern>/*</url-pattern>
    </filter-mapping>
My Client has "enable-cors": true.
Strangely I'm able to access the API through cURL if I use the valid
access-token.
Any help is appreciated at this point :(.
Best regards,
Silva
Quoting sesnor.silva(a)sapo.pt:
Hello,
I have protected a Java web application that's compiled in a WAR
package and accessible through a Tomcat 8 server. To do this I followed
the steps here:
https://keycloak.gitbooks.io/documentation/securing_apps/topics/oidc/java...
My Java Application is a RESTful API which can only be accessed by
authorized users that bear a token.
In Keycloak I configured my client (and keycloak.json) as follows:
    {
      "realm": "MainDomain",
      "bearer-only": true,
      "auth-server-url": "http://<My Keycloak Server>:8081/auth",
      "ssl-required": "none",
      "resource": "main-domain-server"
    }
If I have a valid token I can access the service fine through cURL
requests. However, using any browser (Firefox, Chrome, Opera, except
IE, which for some reason works) I can't access any resource through
AJAX as I get CORS problems:
"Response to preflight request doesn't pass access control check: No
'Access-Control-Allow-Origin' header is present on the requested
resource. Origin 'http://localhost:3000' is therefore not allowed
access. The response had HTTP status code 401."
I searched around and found I should put "enable_cors": true in my
keycloak.json, however this causes the following CORS problem:
"The 'Access-Control-Allow-Origin' header contains multiple values
'http://localhost:3000, http://localhost:3000', but only one is
allowed. Origin 'http://localhost:3000' is therefore not allowed
access."
I think I'm out of ideas at the moment on what could be causing this.
Does anyone have any idea what could be wrong in my configuration?
My best regards,
Silva
_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
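Added example, not code from the original post or from the Keycloak project: a Node.js model of the browser's CORS decision, so the two failures reported in this thread (a 401 on the preflight with no Access-Control-Allow-Origin header, and a duplicated Access-Control-Allow-Origin header) can be reproduced offline. The request and response objects are constructed samples whose origin and header values mirror the messages quoted above; the function names (getHeader, corsCheck, needsPreflight, preflightCheck, browserWouldAllow) are this example's own. The logic follows the Fetch standard's CORS check and CORS-preflight check, simplified in two places: Content-Type is treated as always safelisted, and preflight caching is ignored.

```javascript
// Added example (not from the original post or Keycloak): browser CORS
// decision replayed in Node.js on constructed sample exchanges.
const SAFELISTED_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SAFELISTED_REQUEST_HEADERS = new Set([
  'accept', 'accept-language', 'content-language', 'content-type', // simplified
]);

const ok = () => ({ ok: true, reason: '' });
const fail = (reason) => ({ ok: false, reason });

// Response headers are [name, value] pairs so repeated fields can be
// represented. Browsers coalesce repeats into one value joined by ", ",
// which is how two layers each emitting Access-Control-Allow-Origin end up
// as 'http://localhost, http://localhost'.
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  const values = headers
    .filter(([n]) => n.toLowerCase() === wanted)
    .map(([, v]) => v.trim());
  return values.length ? values.join(', ') : null;
}

function splitList(value) {
  return value === null ? [] : value.split(',').map((s) => s.trim()).filter(Boolean);
}

// The CORS check applied to every cross-origin response, preflight or not.
function corsCheck(req, res) {
  const acao = getHeader(res.headers, 'Access-Control-Allow-Origin');
  if (acao === null) {
    return fail("No 'Access-Control-Allow-Origin' header is present on the requested resource");
  }
  if (acao.includes(',')) {
    return fail(`The 'Access-Control-Allow-Origin' header contains multiple values '${acao}', but only one is allowed`);
  }
  if (acao === '*') {
    // A wildcard is accepted only without credentials (cookies, HTTP auth, TLS
    // client certs). A Bearer header set by script is not a credential in this
    // sense, so req.credentials is false for a plain $.ajax call.
    return req.credentials ? fail("Wildcard '*' is not allowed when credentials are included") : ok();
  }
  if (acao !== req.origin) {
    return fail(`'Access-Control-Allow-Origin' value '${acao}' does not match origin '${req.origin}'`);
  }
  if (req.credentials && getHeader(res.headers, 'Access-Control-Allow-Credentials') !== 'true') {
    return fail("'Access-Control-Allow-Credentials' must be 'true' when credentials are included");
  }
  return ok();
}

// A non-safelisted method or request header (Authorization is one) forces a preflight.
function needsPreflight(req) {
  if (!SAFELISTED_METHODS.has(req.method)) return true;
  return Object.keys(req.headers).some((h) => !SAFELISTED_REQUEST_HEADERS.has(h.toLowerCase()));
}

// Checks on the OPTIONS preflight response. The preflight itself carries no
// Authorization header, so an endpoint that answers it with 401 fails here.
function preflightCheck(req, res) {
  if (res.status < 200 || res.status > 299) {
    return fail(`Response to preflight request has HTTP status code ${res.status}`);
  }
  const base = corsCheck(req, res);
  if (!base.ok) return base;
  const wildcardOk = !req.credentials;
  const methods = splitList(getHeader(res.headers, 'Access-Control-Allow-Methods')).map((m) => m.toUpperCase());
  if (!SAFELISTED_METHODS.has(req.method) && !methods.includes(req.method) && !(wildcardOk && methods.includes('*'))) {
    return fail(`Method ${req.method} is not allowed by 'Access-Control-Allow-Methods'`);
  }
  const allowed = splitList(getHeader(res.headers, 'Access-Control-Allow-Headers')).map((h) => h.toLowerCase());
  for (const h of Object.keys(req.headers)) {
    const name = h.toLowerCase();
    if (SAFELISTED_REQUEST_HEADERS.has(name)) continue;
    // '*' never covers Authorization; it has to be listed explicitly.
    const coveredByWildcard = wildcardOk && name !== 'authorization' && allowed.includes('*');
    if (!allowed.includes(name) && !coveredByWildcard) {
      return fail(`Request header field ${h} is not allowed by 'Access-Control-Allow-Headers' in preflight response`);
    }
  }
  return ok();
}

// Whole decision: preflight (when one is needed), then the real response.
function browserWouldAllow(req, preflightRes, actualRes) {
  if (needsPreflight(req)) {
    const p = preflightCheck(req, preflightRes);
    if (!p.ok) return p;
  }
  return corsCheck(req, actualRes);
}

// Constructed samples (not captured traffic); values mirror the thread's messages.
const request = { origin: 'http://localhost:3000', method: 'GET',
  headers: { Authorization: 'Bearer sample-token' }, credentials: false };
const preflight401 = { status: 401, headers: [] }; // anonymous OPTIONS rejected
const doubleAcao = { status: 200, headers: [ // two layers each add the header
  ['Access-Control-Allow-Origin', 'http://localhost:3000'],
  ['Access-Control-Allow-Origin', 'http://localhost:3000'],
  ['Access-Control-Allow-Headers', 'Authorization,Content-Type']] };
const missingAuthorization = { status: 200, headers: [ // Authorization not listed
  ['Access-Control-Allow-Origin', 'http://localhost:3000'],
  ['Access-Control-Allow-Headers', 'Content-Type,X-Requested-With,accept,Origin']] };
const goodPreflight = { status: 200, headers: [
  ['Access-Control-Allow-Origin', 'http://localhost:3000'],
  ['Access-Control-Allow-Methods', 'GET,POST,HEAD,OPTIONS,PUT'],
  ['Access-Control-Allow-Headers', 'Authorization,Content-Type']] };
const goodActual = { status: 200, headers: [
  ['Access-Control-Allow-Origin', 'http://localhost:3000'], ['Content-Type', 'text/plain']] };

for (const [label, pre] of [['401 preflight', preflight401], ['double ACAO', doubleAcao],
  ['Authorization not allowed', missingAuthorization], ['correct', goodPreflight]]) {
  console.log(label, browserWouldAllow(request, pre, goodActual));
}
```

The fourth sample is the one to aim for: exactly one Access-Control-Allow-Origin header on both the preflight and the real response, and Authorization named in Access-Control-Allow-Headers, since a Bearer token always triggers a preflight and the wildcard does not cover that header.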