To make cross origin requests work I had to make the following changes for my REST service:


Put "enable-cors": true in the JSON config.

Enable CORS support in Spring. So far I have just put the @CrossOrigin annotation on my REST controller, which seems to put the request host in the allowed origin response header.


If someone could explain why both are necessary that would be interesting.



From: Sebastien Blanc [mailto:sblanc@redhat.com]
Sent: 02 August 2016 18:24
To: Robert van Loenhout <r.vanloenhout@greenvalley.nl>
Cc: keycloak-user@lists.jboss.org
Subject: Re: [keycloak-user] Configuring javascript calling REST service



I'm not entirely sure but I think that "enable-cors" is not supported for the Spring Security Adapter.

For now, you have to deal with CORS "manually" on the server side. I think Spring has an annotation like "@CrossOrigin".



On Tue, Aug 2, 2016 at 5:30 PM, Robert van Loenhout <r.vanloenhout@greenvalley.nl> wrote:

I'm using the keycloak javascript adapter and the spring security adapter for my REST service.

The REST service is configured as a client with 'bearer-only' access type.

The javascript client is authenticated. When it does an ajax call to my REST service I receive the following error in my browser:


Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://localhost:30001/rest1/greeting. (Reason: CORS header 'Access-Control-Allow-Origin' missing).


I have added

"enable-cors": true

to my REST keycloak configuration.

However where do I configure which origins are allowed?


For 'public' and 'confidential' clients you can configure the web origins in the admin console.

But when I set it to 'bearer-only' this field is gone.


So what exactly are the steps you have to take to configure a JavaScript client that calls a REST service on another host?

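What the server-side CORS handling discussed in this thread has to produce, modelled as an added JavaScript example (not code from the thread, Keycloak or Spring): a fixed origin allowlist beside the weaker form that echoes any request origin. The origin `http://localhost:8080`, the function names and the sample requests are assumptions.

```javascript
// Assumed value: the origin that serves the JavaScript client.
const ALLOWED_ORIGINS = new Set(["http://localhost:8080"]);
const ALLOWED_METHODS = ["GET", "POST"];
// The bearer token travels in the Authorization request header.
const ALLOWED_HEADERS = ["authorization", "content-type"];

// Weak form: echoes whatever Origin the request carries.
function reflectOrigin(req) {
  const origin = req.headers.origin;
  return origin ? { "Access-Control-Allow-Origin": origin } : {};
}

// Hardened form: only allowlisted origins receive CORS headers.
function corsHeaders(req) {
  const denied = { Vary: "Origin" }; // keep caches from mixing origins
  const origin = req.headers.origin;
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return denied;

  const out = { Vary: "Origin", "Access-Control-Allow-Origin": origin };
  const isPreflight = req.method === "OPTIONS" &&
    "access-control-request-method" in req.headers;
  if (!isPreflight) return out;

  // A preflight carries no bearer token; it only announces what will follow.
  const wantMethod = req.headers["access-control-request-method"];
  const wantHeaders = (req.headers["access-control-request-headers"] || "")
    .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
  if (!ALLOWED_METHODS.includes(wantMethod)) return denied;
  if (!wantHeaders.every((h) => ALLOWED_HEADERS.includes(h))) return denied;

  out["Access-Control-Allow-Methods"] = ALLOWED_METHODS.join(", ");
  out["Access-Control-Allow-Headers"] = ALLOWED_HEADERS.join(", ");
  return out;
}

// Constructed sample requests (not captured traffic).
const preflight = { method: "OPTIONS", headers: {
  origin: "http://localhost:8080",
  "access-control-request-method": "GET",
  "access-control-request-headers": "authorization" } };
const foreign = { method: "GET", headers: { origin: "http://other.example" } };

console.log("allowlisted preflight:", corsHeaders(preflight));
console.log("foreign origin, allowlist:", corsHeaders(foreign));
console.log("foreign origin, reflection:", reflectOrigin(foreign));
```

A response without `Access-Control-Allow-Origin` is what triggers the browser error quoted in the original question, so the allowlist result for the foreign origin is the intended outcome.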