Hi,

it looks to me that your CORS settings on the adapter side and also for your frontend application look good. However Keycloak returned 403 Forbidden and hence did not add CORS headers (we are adding CORS headers after successful authentication). Do you have something in the server log?

What I would try is:
- Temporarily set "ssl-required" to "none" in the adapter's configuration

- If it doesn't help, then see how it behaves if both the frontend application and the REST application are on the same origin (either http://162.244.28.89:8080 or http://162.244.28.89)

- Maybe using a hostname like "myhost.com" instead of the IP address could help. If you have the opportunity to temporarily add a virtual host and use a hostname, it's worth a try (it's strange, but who knows...)

Marek


On 27.1.2015 07:55, Brem, Robert wrote:

Hi all,


For my current project I use Docker and run each service in its own container, and spread the services over multiple servers. All connected via REST.


For the security I found Keycloak, and I think it's a really cool tool. But I never was the best friend of security… JAAS/Spring Security…


My problem is, I try to use the cors example (https://github.com/keycloak/keycloak/tree/master/examples/cors). I also use AngularJS for the frontend that consumes multiple REST Services.

But I don’t get it to work. I always get the following error:

XMLHttpRequest cannot load http://162.244.28.89:8080/BrandService/resources/brands/. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://162.244.28.89' is therefore not allowed access. The response had HTTP status code 403.


Google Chrome gives me the following output for the HTTP request:

Remote Address:162.244.28.89:8080

Request URL:http://162.244.28.89:8080/BrandService/resources/brands/

Request Method:GET

Status Code:403 Forbidden

Request Headers

Accept:application/json, text/plain, */*

Accept-Encoding:gzip, deflate, sdch

Accept-Language:de-DE,de;q=0.8,en-US;q=0.6,en;q=0.4

Authorization:Bearer eyJhbGciOiJSUzI1NiJ9….ay2Sr-GP0CYfSDV7O2Q8sNyx91RgHdhy2S600NYEHUFG2VoF5cRCDBJpkuPbcXVtz2liMy-80S3KY9lfII

Connection:keep-alive

Host:162.244.28.89:8080

Origin:http://162.244.28.89

Referer:http://162.244.28.89/

User-Agent:Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.99 Safari/537.36

Response Headers

Cache-Control:no-cache, no-store, must-revalidate

Connection:keep-alive

Content-Length:68

Content-Type:text/html;charset=UTF-8

Date:Fri, 23 Jan 2015 19:23:33 GMT

Expires:0

Pragma:no-cache

Server:WildFly/8

X-Powered-By:Undertow/1



What I don't get is the response header. Shouldn't there be the following header settings:

Access-Control-Allow-Credentials:true

Access-Control-Allow-Headers:origin,accept,content-type

Access-Control-Allow-Methods:GET, POST, PUT, DELETE, OPTIONS, HEAD

Access-Control-Allow-Origin:*

Access-Control-Max-Age:151200

Allow:HEAD, POST, GET, OPTIONS, PUT


My keycloak.json looks like this:

{
  "realm": "openPixx",
  "realm-public-key": "…bmwCckE..gWjLQIDAQAB",
  "ssl-required": "external",
  "resource": "BrandService",
  "bearer-only": true,
  "cors-max-age" : 1000,
  "enable-cors": true,
  "cors-allowed-methods" : "POST, PUT, DELETE, GET"
}


In Keycloak I've defined the BrandFrontend client:

Enabled: true

Client Protocol: openid-connect

Access Type: public

Redirect URL: http://162.244.28.89/*

Web Origin: http://162.244.28.89


For the AngularJS part I've used the authInterceptor from the example.


If you have read this far, thank you very much, and sorry for my bad English :-)


Greets

Rob




_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
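The following is an added illustration, not code from the thread or from the Keycloak project. It is an assumed model of the order in which a bearer-only adapter decides about a request, built to show the point Marek makes above: the CORS headers are written only after the request has been authenticated, so a rejection for any earlier reason (here the transport check driven by "ssl-required") produces a 403 with no Access-Control-* header, which is exactly what the browser reports. The semantics given to the "ssl-required" modes, the 401/403 status choices, the "allowed-origins" token claim and all request/token values are assumptions or constructed sample data; the adapter settings and the address are taken from the post.

```python
import ipaddress
from typing import Dict, Optional, Tuple

# Adapter settings copied from the keycloak.json in the post (public key left out,
# it plays no role in this model).
ADAPTER_CONFIG = {
    "realm": "openPixx",
    "ssl-required": "external",
    "resource": "BrandService",
    "bearer-only": True,
    "cors-max-age": 1000,
    "enable-cors": True,
    "cors-allowed-methods": "POST, PUT, DELETE, GET",
}

# The failing browser request from the post, reduced to the fields the model uses.
POSTED_REQUEST = {
    "method": "GET",
    "scheme": "http",                    # the Request URL is plain http
    "remote_addr": "162.244.28.89",      # Remote Address shown by Chrome
    "origin": "http://162.244.28.89",    # Origin header
}

# Constructed stand-in for a successfully verified access token. Assumption: the
# adapter takes the permitted origins from an "allowed-origins" claim that Keycloak
# fills from the client's Web Origins setting.
SAMPLE_TOKEN = {"allowed-origins": ["http://162.244.28.89"]}


def ssl_required_for(mode: str, remote_addr: str) -> bool:
    """Assumed semantics of 'ssl-required':
    'all'      TLS required for every caller,
    'external' TLS required unless the caller comes from a loopback or private address,
    'none'     TLS never required.
    """
    if mode == "none":
        return False
    if mode == "all":
        return True
    if mode == "external":
        addr = ipaddress.ip_address(remote_addr)
        return not (addr.is_loopback or addr.is_private)
    raise ValueError("unknown ssl-required mode: %r" % mode)


def handle(config: dict, request: dict, token: Optional[dict]) -> Tuple[int, Dict[str, str]]:
    """Assumed decision order for a non-preflight request: transport check, then
    bearer token check, then CORS headers, which are written only once the request
    is authenticated. Returns (status, response headers)."""
    headers: Dict[str, str] = {}

    # 1. Transport: a rejection here happens before the CORS code runs, so the
    #    browser sees a 403 without any Access-Control-* header.
    if request["scheme"] != "https" and ssl_required_for(config["ssl-required"], request["remote_addr"]):
        return 403, headers

    # 2. Bearer token: missing or unverifiable -> challenge, again without CORS headers.
    if token is None:
        headers["WWW-Authenticate"] = 'Bearer realm="%s"' % config["realm"]
        return 401, headers

    # 3. CORS: only now, and only for an origin the token allows.
    origin = request.get("origin")
    if config.get("enable-cors") and origin is not None:
        if origin not in token.get("allowed-origins", []):
            return 403, headers      # origin not permitted: no CORS headers either
        headers["Access-Control-Allow-Origin"] = origin
        headers["Access-Control-Allow-Credentials"] = "true"

    return 200, headers


def run_scenarios() -> Dict[str, Tuple[int, Dict[str, str]]]:
    """The posted request as-is, plus variations that isolate the transport check."""
    relaxed = dict(ADAPTER_CONFIG, **{"ssl-required": "none"})
    from_lan = dict(POSTED_REQUEST, remote_addr="192.168.1.10")   # constructed private address
    return {
        "as posted (http, public address, ssl-required=external)": handle(ADAPTER_CONFIG, POSTED_REQUEST, SAMPLE_TOKEN),
        "ssl-required=none (temporary diagnostic only)": handle(relaxed, POSTED_REQUEST, SAMPLE_TOKEN),
        "same request from a private address": handle(ADAPTER_CONFIG, from_lan, SAMPLE_TOKEN),
        "no bearer token": handle(relaxed, POSTED_REQUEST, None),
    }


if __name__ == "__main__":
    for name, (status, hdrs) in run_scenarios().items():
        print("%-58s -> %d %s" % (name, status, hdrs))
```

Under this model the posted request fails at step 1: the caller address is public, the scheme is http and the mode is "external", so the response is a bare 403 and the browser turns the missing header into the CORS error shown above. Setting "ssl-required" to "none" is useful only to confirm that diagnosis; the setting to keep is "external" or "all" with the REST service reachable over HTTPS.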