You are right, Stian. IMO the best solution in Keycloak is '+', which
permits the origins of all redirect URIs.
On 26.09.2017 15:17, Stian Thorgersen wrote:
For the record using '*' as web origin is really rather bad from a
security perspective and should ONLY be used in development/testing.
On 26 September 2017 at 10:01, Karol Buler <K.Buler(a)adbglobal.com> wrote:
I had exactly the same problem with "Access-Control-Allow-Origin" and my
solution resolved this. Which version of KC do you have? I'm using
3.2.1.Final for now and didn't check on other versions.
On the other hand, what do you type into Web Origins? '*' or
'https://135.112.123.183'?
On 25.09.2017 20:43, shimin q wrote:
> Thanks for posting your solution, Karol. I have been having trouble
> with Keycloak CORS also. I followed your suggestion:
>
> 1 - set client Web Origins
> 2 - in Keycloak.json, added "enable-cors": true
>
> /usr/share/tomcat/webapps/main/WEB-INF]-bash-$ cat keycloak.json
> {
> "realm": "rtna",
> "realm-public-key":
"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAhvJlVZqi8KaZDZVPPl29y/nnPBHaPvH+NoG71w6BMDwIImw6vkNlO3CSr+kRAyLnpnP/9248gEZx6YwqEKwE4Oy5R6wuuxwOd2FdpYFM2wDw5zhF7U4oYy0WK1m31/hQdLGnpKtDdGReEwdkMOMtG655Nnqw8WdtmF3S2XcEm2t0gaNoYycd6gl4670nRqx6bRxs6UndERHZmHfkzLcL71RflgO1cyuOqMsjMb7oWIDy5bkE4ddB69TAbrpXVzLvwG1OIaM/XdfXOZIaIAajfacP3Vk8bZFa9eAsh5BVaeGzlqktsdk1JjbV0a14OVXQcCRusnV2wE+zSZhPNxhfFwIDAQAB",
> "auth-server-url": "https://135.112.123.194:8666/auth",
> "ssl-required": "external",
> "resource": "main",
> "public-client": true,
> "enable-cors": true
> }
>
> I am still getting error:
>
> 135.112.123.183/:1 XMLHttpRequest cannot load
> https://135.112.123.194:8666/auth/realms/rtna/protocol/openid-connect/token.
> No 'Access-Control-Allow-Origin' header is present on the requested
> resource. Origin 'https://135.112.123.183' is therefore not allowed
> access.
>
> I also tried to add request header in
> /opt/sso/keycloak/standalone/configuration/standalone.xml, not
> working either.
>
> * If standalone.xml has <response-header
> name="Access-Control-Allow-Origin"
> header-name="Access-Control-Allow-Origin" header-value="*"/>:
>
> I get the error: (index):82 keycloakinit done......
>
> (index):1 XMLHttpRequest cannot load
> https://135.112.123.194:8666/auth/realms/rtna/protocol/openid-connect/token.
> The value of the 'Access-Control-Allow-Origin' header in the response
> must not be the wildcard '*' when the request's credentials mode is
> 'include'. Origin 'https://135.112.123.183' is therefore not allowed
> access. The credentials mode of requests initiated by the
> XMLHttpRequest is controlled by the withCredentials attribute.
>
> Is there anything I am missing? Any idea how to make it work would be
> appreciated!!
>
> On Wednesday, September 20, 2017, 4:14:00 AM EDT, Karol Buler
> <K.Buler(a)adbglobal.com> wrote:
>
> Hi,
>
> after huge amounts of hours of investigations I found the resolution
> for almost all problems with CORS. I decided that maybe I am not alone
> with it, so here you go:
>
> 1. Go to admin console of Keycloak and set 'Web Origins' of your
> client to address of your application (or just * ).
>
> 2. In your application.properties (keycloak.json) set keycloak.cors =
> true (don't know the name of this property in keycloak.json).
>
> 3. That's it! Only 2 steps resolve almost all my problems with CORS in
> our applications.
>
> Best regards,
> Karol
>
> [
https://www.adbglobal.com/wp-content/uploads/adb.png
<
https://www.adbglobal.com/wp-content/uploads/adb.png>]
>
adbglobal.com <
http://adbglobal.com><https://www.adbglobal.com
<
https://www.adbglobal.com>>
> [
https://www.adbglobal.com/wp-content/uploads/linkedin_logo.png
<
https://www.adbglobal.com/wp-content/uploads/linkedin_logo.png>]<ht...
<
https://www.linkedin.com/company-beta/162280/>>
>
[
https://www.adbglobal.com/wp-content/uploads/twitter_logo.png
<
https://www.adbglobal.com/wp-content/uploads/twitter_logo.png>]
> <
https://twitter.com/adb_global <
https://twitter.com/adb_global>>
> [
https://www.adbglobal.com/wp-content/uploads/pinterest_logo.png
<
https://www.adbglobal.com/wp-content/uploads/pinterest_logo.png>]
> <
https://pinterest.com/adbglobal/pins/
<
https://pinterest.com/adbglobal/pins/>>
> [
https://www.adbglobal.com/wp-content/uploads/ComeJoin.jpg
<
https://www.adbglobal.com/wp-content/uploads/ComeJoin.jpg>]<https:/...
<
https://www.adbglobal.com/meet-us-at-ibc2017/>>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
<mailto:keycloak-user@lists.jboss.org>
<mailto:keycloak-user@lists.jboss.org
<mailto:keycloak-user@lists.jboss.org>>
>
https://lists.jboss.org/mailman/listinfo/keycloak-user
<
https://lists.jboss.org/mailman/listinfo/keycloak-user>
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
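
Added example (not part of the thread and not Keycloak or browser source code): a small JavaScript model of the CORS decisions discussed above, showing how '+' resolves to the origins of the redirect URIs and why a literal '*' is rejected once the request carries credentials. The redirect URI and the function names are assumptions made for the illustration; the origin is the one quoted in the thread.

```javascript
// Simplified model for illustration; all function names are hypothetical.

// Expand a client's Web Origins list: '+' stands for the origins of the
// client's redirect URIs, any other entry (including '*') is kept as-is.
function resolveWebOrigins(webOrigins, redirectUris) {
  const out = new Set();
  for (const entry of webOrigins) {
    if (entry !== '+') { out.add(entry); continue; }
    for (const uri of redirectUris) {
      try { out.add(new URL(uri).origin); } catch (e) { /* relative URI: no origin */ }
    }
  }
  return out;
}

// Headers sent by a hypothetical server holding this allow-list. It answers a
// wildcard entry with a literal '*', as the standalone.xml filter in the thread does.
function corsHeaders(origin, allowed) {
  if (allowed.has(origin)) return { acao: origin, acac: 'true' };
  if (allowed.has('*')) return { acao: '*', acac: null };
  return { acao: null, acac: null };
}

// Browser-side CORS check, following the Fetch standard.
function browserVerdict(origin, headers, withCredentials) {
  if (headers.acao === null) return 'blocked: no Access-Control-Allow-Origin header';
  if (headers.acao === '*') {
    return withCredentials ? 'blocked: wildcard not allowed with credentials' : 'allowed';
  }
  if (headers.acao !== origin) return 'blocked: origin mismatch';
  if (withCredentials && headers.acac !== 'true') return 'blocked: credentials not allowed';
  return 'allowed';
}

// Application origin from the thread; the redirect URI below is constructed.
const APP = 'https://135.112.123.183';
function verdictFor(webOrigins, redirectUris, withCredentials) {
  const allowed = resolveWebOrigins(webOrigins, redirectUris);
  return browserVerdict(APP, corsHeaders(APP, allowed), withCredentials);
}

console.log(verdictFor([], [], true));                   // Web Origins left empty
console.log(verdictFor(['*'], [], true));                // literal wildcard with credentials
console.log(verdictFor(['+'], [APP + '/main/*'], true)); // '+' resolved from the redirect URI
```
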