Keycloak is deployed on localhost port 8080.
The gui-app is deployed on myhost.domain.com/gui-app
The rest-app is deployed on myhost.domain.com/rest-app
The XHR origin is myhost.domain.com/gui-app. This app is set up and configured to use the
as7-adapter installed as a JBoss module. The XHR request made to the rest-app is a GET
request (I tried POST and got the same error). The rest-app is also set up and configured to
use the as7-adapter. The XHR request to the rest-app is intercepted by the adapter which
attempts to get an access code from the Keycloak server which it would then exchange for
an access token. The adapter on the rest-app fails after it receives the redirected
response from Keycloak with the access code. It tries to send a redirect response with the
access code stripped off but this fails as explained before.
-----Original Message-----
From: Bill Burke [mailto:bburke@redhat.com]
Sent: Friday, May 09, 2014 5:38 PM
To: Boettcher, Jim; Stian Thorgersen
Cc: keycloak-user(a)lists.jboss.org
Subject: Re: How to set up CORS for javascript calling a REST app
I want to reproduce your setup as a CORS example. So your setup is?
1. Keycloak deployed on auth.domain.com
2. gui-app deployed on gui.domain.com
3. rest-app deployed on rest-app.domain.com
Is that right?
The XHR's origin is "gui.domain.com" correct? This request to rest-app is
made using the access token (bearer auth)? Just curious, how do you obtain the access
token?
If that is correct, I'll put together an example that you can try out within master.
On 5/9/2014 5:23 PM, Boettcher, Jim wrote:
Here is some more information on my problem.
I have done a local build with the source from 5/8/2014.
I deployed the auth-server to JBoss 7.1.1 running at localhost:8080
I deployed the as7-adapter to JBoss 7.1.1 running at myhost.net:7116
I have 2 applications running on the server at myhost.net:7116
1. gui-app - a jsp that uses Angular.js to make an Ajax call to a REST service in
rest-app
2. rest-app - a REST service
Both the gui-app and rest-app are configured to be secured by the auth-server.
When the jsp from gui-app is requested it will get redirected to the auth-server and get
the login form and successfully login. I can see the KEYCLOAK_IDENTITY cookie set and get
the access code and exchange the access code for an access token. Everything looks good.
When the Ajax request is made to the rest-app the problems start.
First of all for the Angular.js config I had to set $httpProvider.defaults.withCredentials
= true or the KEYCLOAK_IDENTITY cookie would not get sent when the request was redirected
to the auth-server.
In the Cors.build() method the origin value from the request is null so none of this code
executes. This may be because I have the auth-server and my apps on different instances of
JBoss with different domains.
Also since I have already successfully logged in (with the call from the jsp) the method
that gets called is in OAuthFlows.redirectAccessCode(). This method does not set any of
the Access-Control-Allow-* methods and I get an error in the browser console:
XMLHttpRequest cannot load
http://localhost:8080/auth/realms/demo/tokens/login?client_id=rest-app&am....
No 'Access-Control-Allow-Origin' header is present on the requested resource.
Origin 'https://myhost.net:7116' is therefore not allowed access.
If I modify the code to add the Access-Control-Allow-* headers to the response, I get
further along. Now the redirect with the access code gets processed by the adapter. When
the adapter strips the access code and sends back a redirect response without the access
code it does not add the Access-Control-Allow-* headers so this fails with the error:
XMLHttpRequest cannot load
https://myhost.net:7116/rest-app/restws/backupt…FHbNf0z2R0hVsU6QBMamaEVUv....
No 'Access-Control-Allow-Origin' header is present on the requested resource.
Origin 'null' is therefore not allowed access.
Modifying the adapter to add the Access-Control-Allow-* for this redirect response gets a
little further. Now the problem is that the Origin=null in the request header and I get
this error:
XMLHttpRequest cannot load
https://myhost.net:7116/rest-app/restws/backupt…5LL8dP6-ZEEE_t1fLf-OrJBTM....
The 'Access-Control-Allow-Origin' header has a value
'https://myhost.net:7116' that is not equal to the supplied origin. Origin
'null' is therefore not allowed access.
I tried to set the Access-Control-Allow-Origin = * to get around this null issue, but
then I get an error:
A wildcard '*' cannot be used in the 'Access-Control-Allow-Origin' header
when the credentials flag is true. Origin 'null' is therefore not allowed access.
But I have to set the credentials flag to true in order to get the KEYCLOAK_IDENTITY
cookie to be sent.
Can you look into these problems and let me know if there is a way to get this working
for the applications that I have?
Thanks
-Jim
-----Original Message-----
From: Boettcher, Jim
Sent: Tuesday, May 06, 2014 8:31 AM
To: 'Stian Thorgersen'; Bill Burke
Cc: keycloak-user(a)lists.jboss.org
Subject: RE: How to set up CORS for javascript calling a REST app
I first tried with the Alpha-3 release.
I then did a build with latest source and deployed the auth-server.war and the
keycloak-as7-adapter module. I still have the same problem with the latest source.
I also noticed that with the latest source running on JBoss 7.1.1 when I tried to import
a realm I get this error:
Caused by: java.lang.NoSuchMethodError: org.jboss.resteasy.plugins.providers.multipart.InputPart.setMediaType(Ljavax/ws/rs/core/MediaType;)V
    at org.keycloak.services.resources.admin.RealmsAdminResource.uploadRealm(RealmsAdminResource.java:132) [keycloak-services-1.0-beta-1-SNAPSHOT.jar:]
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_45]
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.7.0_45]
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_45]
    at java.lang.reflect.Method.invoke(Method.java:606) [rt.jar:1.7.0_45]
    at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:155) [resteasy-jaxrs-2.3.2.Final.jar:]
    at org.jboss.resteasy.core.ResourceMethod.invokeOnTarget(ResourceMethod.java:257) [resteasy-jaxrs-2.3.2.Final.jar:]
    at org.jboss.resteasy.core.ResourceMethod.invoke(ResourceMethod.java:222) [resteasy-jaxrs-2.3.2.Final.jar:]
    at org.jboss.resteasy.core.ResourceLocator.invokeOnTargetObject(ResourceLocator.java:152) [resteasy-jaxrs-2.3.2.Final.jar:]
    at org.jboss.resteasy.core.ResourceLocator.invoke(ResourceLocator.java:91) [resteasy-jaxrs-2.3.2.Final.jar:]
    at org.jboss.resteasy.core.SynchronousDispatcher.getResponse(SynchronousDispatcher.java:525) [resteasy-jaxrs-2.3.2.Final.jar:]
Jim
-----Original Message-----
From: keycloak-user-bounces(a)lists.jboss.org
[mailto:keycloak-user-bounces@lists.jboss.org] On Behalf Of Stian Thorgersen
Sent: Tuesday, May 06, 2014 4:55 AM
To: Bill Burke
Cc: keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] How to set up CORS for javascript calling a REST app
I added some fixes to CORS in the adapters that haven't made it into a release yet.
Have you tried with building the server from source?
----- Original Message -----
> From: "Bill Burke" <bburke(a)redhat.com>
> To: keycloak-user(a)lists.jboss.org
> Sent: Monday, 5 May, 2014 11:42:11 PM
> Subject: Re: [keycloak-user] How to set up CORS for javascript calling a REST app
>
> You are using the latest release? I'll take a look. I don't have any
> unit tests for the CORs stuff in the last alpha release (have some in
> trunk though) and I don't think I tested it manually either.
>
> On 5/5/2014 3:41 PM, Boettcher, Jim wrote:
>> Hi,
>>
>> I’m trying to get CORS working for a javascript app. The javascript app
>> (gui_app) is making AJAX requests to a different REST app (rest_app).
>>
>> In the Keycloak admin console I created an application for the
>> rest_app application and set a Web Origin of “*” . I then copied the
>> Installation for Jboss Subsystem XML to the standalone.xml of the
>> JBoss 7.1.1 server that the rest_app is running on. I modified the
>> configuration to add
>>
>> <enable-cors>true</enable-cors>
>>
>> When I try to open the gui_app from Chrome I get errors like:
>>
>> XMLHttpRequest cannot load
>> http://localhost:8080/auth/rest/realms/dp-gui/tokens/login?client_id=rest....
>> No 'Access-Control-Allow-Origin' header is present on the requested
>> resource. Origin 'https://localhost:7116' is therefore not allowed access.
>>
>> I’ve tried playing with various settings but can’t get anything to work.
>>
>> Is there an example available for how to get this to work?
>>
>> Is there anything else that needs to be done on the Keycloak server
>> side? Or on the Adapter side?
>>
>> Thanks,
>>
>> Jim
>>
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>>
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
> --
> Bill Burke
> JBoss, a division of Red Hat
>
> http://bill.burkecentral.com