Re: [keycloak-user] Cors not working Final 1.2

From: "Henk Laracker" <Henk.Laracker(a)planonsoftware.com&gt; To: "Stian Thorgersen" <stian(a)redhat.com&gt; Cc: "Mark Bertels" <Mark.Bertels(a)planonsoftware.com&gt;, keycloak-user(a)lists.jboss.org Sent: Thursday, May 28, 2015 8:18:31 PM Subject: Re: [keycloak-user] Cors not working Final 1.2 I understand, but we have some weird behaviour once we've logged in into http://localhost/app1/index.html . If you first login on http://localhost/app1/index.html , then go directly to http://localhost/cors/test.txt we are able to see the txt file without logging in. When we go back to http://localhost/app1/index.html it's working as intended, and we get no keycloak redirect. On 28/05/15 14:01, "Stian Thorgersen" <stian(a)redhat.com&gt; wrote: >Looks like what's happening is that you're doing a XMLHttpRequest to a >resource that requires authentication. In this case the adapter returns a >302 and it'll redirected to the login screen on the Keycloak server. > >The login screen is not expected to be invoked with XMLHttpRequest/CORS >so it shouldn't have CORS headers. > >Further the Keycloak adapter only adds CORS headers when a bearer token >is present (Authorization: Bearer ...). If you want CORS headers for >non-protected endpoints you'll have to add those yourself as Keycloak >pulls the permitted origins from the bearer token. > >Just make sure you invoke your secured endpoints with a valid bearer >token and it should work fine. With regards to it returning a 302 for a >XMLHttpRequest that's an improvement we can do in the adapters to only do >that if Accept header contains text/html. > >----- Original Message ----- >> From: "Henk Laracker" <Henk.Laracker(a)planonsoftware.com&gt; >> To: "Stian Thorgersen" <stian(a)redhat.com&gt; >> Cc: "Mark Bertels" <Mark.Bertels(a)planonsoftware.com&gt;, &gt;&gt;keycloak-user(a)lists.jboss.org >> Sent: Thursday, 28 May, 2015 1:38:12 PM >> Subject: Re: [keycloak-user] Cors not working Final 1.2 >> >> As requested: >> >> >> cors keycloak.json - http://pastebin.com/raw.php?i=n9McFRGH >> app1 keycloak.json - http://pastebin.com/raw.php?i=jaL0c6us >> >> index.html - http://pastebin.com/raw.php?i=SndsyL8F >> test.txt - http://pastebin.com/raw.php?i=BeaRUCHE >> >> Thanks for looking in. >> >> >> On 28/05/15 12:22, "Stian Thorgersen" <stian(a)redhat.com&gt; wrote: >> >> > >> > >> >----- Original Message ----- >> >> From: "Henk Laracker" <Henk.Laracker(a)planonsoftware.com&gt; >> >> To: keycloak-user(a)lists.jboss.org >> >> Cc: "Mark Bertels" <Mark.Bertels(a)planonsoftware.com&gt; >> >> Sent: Thursday, 28 May, 2015 12:01:47 PM >> >> Subject: [keycloak-user] Cors not working Final 1.2 >> >> >> >> Hi, >> >> >> >> Cors headers missing during login procedure of keycloak >> >> >> >> >> >> =============================== >> >> Step 1 - Prepare keycloak realm: >> >> =============================== >> >> >> >> Create a simple keycloak realm for testing, >> >> >> >> =============================== >> >> Step 2 - Create a user >> >> =============================== >> >> >> >> Add a user and a client to the realm >> >> The client should be configured as follows: >> >> >> >> Client Protocol openid-connect >> >> Access Type public >> >> >> >> Valid redirect uri's: http://localhost/* >> >> http://localhost >> >> Web origins: http://localhost/* >> >> http://localhost >> >> >> >> =============================== >> >> Step 3 - Create test application on tomcat >> >> =============================== >> >> >> >> On a given tomcat server (I'm using localhost for this example) add 2 >> >>web >> >> applications: >> >> app1 with a simple index.html >> >> cors with a simple test.txt with the content "Some data" >> >> >> >> The following url's are now available: >> >> http://localhost/app1/index.html >> >> http://localhost/cors/test.txt >> >> >> >> In http://localhost/app1/index.html create javascript which loads >>data >> >>from >> >> http://localhost/cors/test.txt >> >> >> >> If you go to http://localhost/app1/index.html now, a GET will be >> >>performed to >> >> http://localhost/cors/test.txt and the data is displayed >> >> >> >> >> >> =============================== >> >> Step 4 - Adding keycloak to the applications >> >> =============================== >> >> >> >> Add keycloak configuration on "app1". >> >> >> >> >> >> Add keycloak configuration on "cors" >> >> Additionally, add >> >> "enable-cors": "true" >> >> to the json file. >> >> >> >> =============================== >> >> Step 5 - Log in to app1 >> >> =============================== >> >> >> >> If you log in to app1 in a new browser the data from app "cors" will >> >>not be >> >> loaded. The following error will be displayed in the console of your >> >>browser >> >> (using chrome) >> >> >> >> XMLHttpRequest cannot load >> >> >> >>>>http://localhost-auth:8080/auth/realms/test/protocol/openid-connect/aut >>>>h? >> >>>>reŠlient%2Ftest.txt&state=6%2Fa1e9817b-7f9b-4d30-ab4e-17637c9d190a&logi >>>>n= >> >>true. >> >> No 'Access-Control-Allow-Origin' header is present on the requested >> >>resource. >> >> Origin 'http://localhost' is therefore not allowed access. >> > >> >This request to "/protocol/openid-connect/auth" makes no sense to me. >>How >> >are you invoking this? Can you include the source for index.html? >> > >> >> >> >> >> >> If it loaded the data, make sure that you're logged out, or try it in >> >>private >> >> browsing mode. >> >> >> >> >> >> =============================== >> >> Expected result >> >> =============================== >> >> >> >> We expected "Access-Control-Allow-Origin" to be set to the "Web >> >>origins", >> >> allowing for cross-application requests without editing existing >> >> applications. >> >> >> >> >> >> >> >> Met vriendelijke groet / Yours sincerely / Mit freundlichen Grüßen / >> >>Très >> >> cordialement, >> >> >> >> >> >> >> >> >> >> Henk Laracker >> >> >> >> _______________________________________________ >> >> keycloak-user mailing list >> >> keycloak-user(a)lists.jboss.org >> >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >>