with the Keycloak Tomcat adapter?
For the cors app you should select bearer-only as the client type; that'll prevent the redirect with XMLHttpRequest. Bearer-only applications are "services" that only verify tokens sent in the request, but don't allow users to log in directly. You also need to make sure that
is secured properly, in web.xml if that's how you secure it. Once deployed check that you can visit
sends the bearer token in the authorization header when invoking cors/test.txt
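The behaviour described in this thread (the adapter adds CORS headers only when a bearer token is present, with permitted origins taken from the token; a client that is not bearer-only answers an unauthenticated XMLHttpRequest with a 302 to the login screen, which carries no CORS headers; a bearer-only client answers 401 instead), modelled as an added example. This is not code from the thread, from Keycloak or from its Tomcat adapter: it is a small Python model of the adapter's decision plus a browser's redirect-then-CORS check. The token is a constructed, unsigned JWT-shaped fixture (a real adapter verifies the signature against the realm key first); the `allowed-origins` claim is the one Keycloak fills from the client's Web origins; the login URL host is the one in the reported console error; the 8081 port and `http://other.example` origin are constructed.

```python
import base64
import json
from dataclasses import dataclass, field
from urllib.parse import urlsplit

LOGIN_URL = "http://localhost-auth:8080/auth/realms/test/protocol/openid-connect/auth"  # host from the OP's error
TEST_TXT = "http://localhost/cors/test.txt"  # the cors app from the thread

@dataclass
class Request:
    url: str
    headers: dict = field(default_factory=dict)

@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""

def make_token(claims: dict) -> str:
    """Constructed, unsigned JWT-shaped fixture; a real adapter verifies the signature first."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."

def token_claims(token: str) -> dict:
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def _flag(cfg: dict, key: str) -> bool:
    return str(cfg.get(key, False)).lower() == "true"  # accepts True or "true" as in the OP's json

def adapter(req: Request, keycloak_json: dict) -> Response:
    """Adapter decision as the thread describes it; keys mirror 'bearer-only' and 'enable-cors'."""
    auth = req.headers.get("Authorization", "")
    if auth.startswith("Bearer "):
        claims = token_claims(auth[len("Bearer "):])
        resp = Response(200, body="Some data")
        # CORS headers only with a bearer token; permitted origins come from the token's
        # allowed-origins claim, which Keycloak fills from the client's Web origins.
        origin = req.headers.get("Origin")
        if _flag(keycloak_json, "enable-cors") and origin in claims.get("allowed-origins", []):
            resp.headers["Access-Control-Allow-Origin"] = origin
        return resp
    if _flag(keycloak_json, "bearer-only"):
        # A bearer-only service only verifies tokens and never sends users to the login page.
        return Response(401, {"WWW-Authenticate": 'Bearer realm="test"'})
    # Any other client type without a session: 302 to Keycloak's login screen.
    return Response(302, {"Location": f"{LOGIN_URL}?client_id=cors&redirect_uri={req.url}"})

def login_screen(req: Request) -> Response:
    """Keycloak's login page is meant to be navigated to, so it carries no CORS headers."""
    return Response(200, {"Content-Type": "text/html"}, "<html>login form</html>")

def origin_of(url: str) -> str:
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"

def browser_xhr(page_origin: str, req: Request, keycloak_json: dict) -> tuple:
    """Model of an XMLHttpRequest from a page at page_origin: the browser follows a redirect
    transparently, then applies the CORS check to any response from another origin."""
    req.headers.setdefault("Origin", page_origin)
    resp, final_url = adapter(req, keycloak_json), req.url
    if resp.status == 302:
        final_url = resp.headers["Location"]
        resp = login_screen(Request(final_url, {"Origin": page_origin}))
    allowed = resp.headers.get("Access-Control-Allow-Origin")
    if origin_of(final_url) != page_origin and allowed not in (page_origin, "*"):
        raise PermissionError("No 'Access-Control-Allow-Origin' header is present on the requested "
                              f"resource. Origin '{page_origin}' is therefore not allowed access.")
    return resp.status, resp.body

def attempt(*args):
    """Run browser_xhr and return the console error text instead of raising when the browser blocks."""
    try:
        return browser_xhr(*args)
    except PermissionError as err:
        return str(err)

def demo() -> dict:
    """The thread's scenarios; each outcome is (status, body) or the browser's console error."""
    page = "http://localhost"
    cfg_public = {"enable-cors": "true"}                     # the OP's cors keycloak.json
    cfg_bearer = {"bearer-only": True, "enable-cors": True}  # Stian's suggested client type
    bearer = {"Authorization": "Bearer " + make_token({"allowed-origins": [page]})}
    other = "http://localhost:8081/cors/test.txt"            # constructed second origin
    foreign = {"Authorization": "Bearer " + make_token({"allowed-origins": ["http://other.example"]})}
    return {
        # 1. OP's report: no token, the 302 to the login screen has no CORS headers.
        "public_no_token": attempt(page, Request(TEST_TXT), cfg_public),
        # 2. Bearer-only client with the token in the Authorization header.
        "bearer_only_with_token": attempt(page, Request(TEST_TXT, dict(bearer)), cfg_bearer),
        # 3. Bearer-only client without a token: a plain 401, never a redirect.
        "bearer_only_no_token": attempt(page, Request(TEST_TXT), cfg_bearer),
        # 4. Cross-origin request with the token: ACAO is derived from allowed-origins.
        "cross_origin_with_token": attempt(page, Request(other, dict(bearer)), cfg_bearer),
        # 5. Token issued for another Web origin: no ACAO, so the browser blocks it.
        "cross_origin_foreign_token": attempt(page, Request(other, foreign), cfg_bearer),
    }
```

Running `demo()` reproduces the console error quoted in the original report for scenario 1, while scenario 2 shows why sending the token in the Authorization header against a bearer-only client avoids the redirect entirely; scenarios 4 and 5 show that the `Access-Control-Allow-Origin` value is only ever one of the origins baked into the token, so a token minted for another client's Web origins is not enough.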
----- Original Message -----
From: "Henk Laracker"
<Henk.Laracker(a)planonsoftware.com>
To: "Stian Thorgersen" <stian(a)redhat.com>
Cc: "Mark Bertels" <Mark.Bertels(a)planonsoftware.com>,
keycloak-user(a)lists.jboss.org
Sent: Thursday, May 28, 2015 8:18:31 PM
Subject: Re: [keycloak-user] Cors not working Final 1.2
I understand, but we have some weird behaviour once we've logged in to http://localhost/app1/index.html.
If you first log in on http://localhost/app1/index.html, then go directly to http://localhost/cors/test.txt, we are able to see the txt file without logging in.
When we go back to http://localhost/app1/index.html it's working as intended, and we get no keycloak redirect.
On 28/05/15 14:01, "Stian Thorgersen" <stian(a)redhat.com> wrote:
>Looks like what's happening is that you're doing an XMLHttpRequest to a
>resource that requires authentication. In this case the adapter returns a
>302 and it'll be redirected to the login screen on the Keycloak server.
>
>The login screen is not expected to be invoked with XMLHttpRequest/CORS
>so it shouldn't have CORS headers.
>
>Further the Keycloak adapter only adds CORS headers when a bearer token
>is present (Authorization: Bearer ...). If you want CORS headers for
>non-protected endpoints you'll have to add those yourself as Keycloak
>pulls the permitted origins from the bearer token.
>
>Just make sure you invoke your secured endpoints with a valid bearer
>token and it should work fine. With regards to it returning a 302 for an
>XMLHttpRequest, that's an improvement we can do in the adapters to only do
>that if the Accept header contains text/html.
>
>----- Original Message -----
>> From: "Henk Laracker" <Henk.Laracker(a)planonsoftware.com>
>> To: "Stian Thorgersen" <stian(a)redhat.com>
>> Cc: "Mark Bertels" <Mark.Bertels(a)planonsoftware.com>,
>>keycloak-user(a)lists.jboss.org
>> Sent: Thursday, 28 May, 2015 1:38:12 PM
>> Subject: Re: [keycloak-user] Cors not working Final 1.2
>>
>> As requested:
>>
>>
>> cors keycloak.json - http://pastebin.com/raw.php?i=n9McFRGH
>> app1 keycloak.json - http://pastebin.com/raw.php?i=jaL0c6us
>>
>> index.html - http://pastebin.com/raw.php?i=SndsyL8F
>> test.txt - http://pastebin.com/raw.php?i=BeaRUCHE
>>
>> Thanks for looking in.
>>
>>
>> On 28/05/15 12:22, "Stian Thorgersen" <stian(a)redhat.com> wrote:
>>
>> >
>> >
>> >----- Original Message -----
>> >> From: "Henk Laracker" <Henk.Laracker(a)planonsoftware.com>
>> >> To: keycloak-user(a)lists.jboss.org
>> >> Cc: "Mark Bertels" <Mark.Bertels(a)planonsoftware.com>
>> >> Sent: Thursday, 28 May, 2015 12:01:47 PM
>> >> Subject: [keycloak-user] Cors not working Final 1.2
>> >>
>> >> Hi,
>> >>
>> >> Cors headers missing during login procedure of keycloak
>> >>
>> >>
>> >> ===============================
>> >> Step 1 - Prepare keycloak realm:
>> >> ===============================
>> >>
>> >> Create a simple keycloak realm for testing,
>> >>
>> >> ===============================
>> >> Step 2 - Create a user
>> >> ===============================
>> >>
>> >> Add a user and a client to the realm
>> >> The client should be configured as follows:
>> >>
>> >> Client Protocol openid-connect
>> >> Access Type public
>> >>
>> >> Valid redirect uri's:
>> >> http://localhost/*
>> >> http://localhost
>> >> Web origins:
>> >> http://localhost/*
>> >> http://localhost
>> >>
>> >> ===============================
>> >> Step 3 - Create test application on tomcat
>> >> ===============================
>> >>
>> >> On a given tomcat server (I'm using localhost for this example) add 2 web
>> >> applications:
>> >> app1 with a simple index.html
>> >> cors with a simple test.txt with the content "Some data"
>> >>
>> >> The following url's are now available:
>> >>
>> >> http://localhost/app1/index.html
>> >> http://localhost/cors/test.txt
>> >>
>> >> In http://localhost/app1/index.html create javascript which loads data from
>> >> http://localhost/cors/test.txt
>> >>
>> >> If you go to http://localhost/app1/index.html now, a GET will be performed to
>> >> http://localhost/cors/test.txt and the data is displayed
>> >>
>> >>
>> >> ===============================
>> >> Step 4 - Adding keycloak to the applications
>> >> ===============================
>> >>
>> >> Add keycloak configuration on "app1".
>> >>
>> >>
>> >> Add keycloak configuration on "cors"
>> >> Additionally, add
>> >> "enable-cors": "true"
>> >> to the json file.
>> >>
>> >> ===============================
>> >> Step 5 - Log in to app1
>> >> ===============================
>> >>
>> >> If you log in to app1 in a new browser the data from app "cors" will not be
>> >> loaded. The following error will be displayed in the console of your browser
>> >> (using chrome)
>> >>
>> >> XMLHttpRequest cannot load
>> >> http://localhost-auth:8080/auth/realms/test/protocol/openid-connect/auth?reŠlient%2Ftest.txt&state=6%2Fa1e9817b-7f9b-4d30-ab4e-17637c9d190a&login=true.
>> >> No 'Access-Control-Allow-Origin' header is present on the requested resource.
>> >> Origin 'http://localhost' is therefore not allowed access.
>> >
>> >This request to "/protocol/openid-connect/auth" makes no sense to me. How
>> >are you invoking this? Can you include the source for index.html?
>> >
>> >>
>> >>
>> >> If it loaded the data, make sure that you're logged out, or try it in private
>> >> browsing mode.
>> >>
>> >>
>> >> ===============================
>> >> Expected result
>> >> ===============================
>> >>
>> >> We expected "Access-Control-Allow-Origin" to be set to the "Web origins",
>> >> allowing for cross-application requests without editing existing
>> >> applications.
>> >>
>> >>
>> >>
>> >> Met vriendelijke groet / Yours sincerely / Mit freundlichen Grüßen / Très cordialement,
>> >>
>> >>
>> >>
>> >>
>> >> Henk Laracker
>> >>
>> >> _______________________________________________
>> >> keycloak-user mailing list
>> >> keycloak-user(a)lists.jboss.org
>> >> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>