Hi,
CORS headers missing during login procedure of Keycloak
===============================
Step 1 - Prepare keycloak realm:
===============================
Create a simple Keycloak realm for testing.
===============================
Step 2 - Create a user
===============================
Add a user and a client to the realm
The client should be configured as follows:
Client Protocol openid-connect
Access Type public
Valid redirect URIs:
http://localhost/*
http://localhost
Web origins:
http://localhost/*
http://localhost
===============================
Step 3 - Create test application on tomcat
===============================
On a given Tomcat server (I'm using localhost for this example) add 2 web applications:
app1 with a simple index.html
cors with a simple test.txt with the content "Some data"
The following URLs are now available:
http://localhost/app1/index.html
http://localhost/cors/test.txt
In http://localhost/app1/index.html create JavaScript which loads data from http://localhost/cors/test.txt
If you go to http://localhost/app1/index.html now, a GET will be performed to http://localhost/cors/test.txt and the data is displayed.
===============================
Step 4 - Adding keycloak to the applications
===============================
Add Keycloak configuration on "app1".
Add Keycloak configuration on "cors".
Additionally, add
"enable-cors": "true"
to the JSON file.
===============================
Step 5 - Log in to app1
===============================
If you log in to app1 in a new browser the data from app "cors" will not be loaded. The following error will be displayed in the console of your browser (using Chrome):
XMLHttpRequest cannot load
http://localhost-auth:8080/auth/realms/test/protocol/openid-connect/auth?....
No 'Access-Control-Allow-Origin' header is present on the requested resource.
Origin 'http://localhost' is therefore not allowed access.
If it loaded the data, make sure that you're logged out, or try it in private browsing mode.
===============================
Expected result
===============================
We expected "Access-Control-Allow-Origin" to be set to the "Web origins", allowing for cross-application requests without editing existing applications.
Met vriendelijke groet / Yours sincerely / Mit freundlichen Grüßen / Très cordialement,
Henk Laracker
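As an added illustration, not part of this report and not Keycloak or browser code, the following Python models the browser-side check that produces the Step 5 error: the adapter on "cors" answers the unauthenticated XMLHttpRequest with a 302 to the Keycloak auth endpoint on another origin, and that response carries no Access-Control-Allow-Origin header, so the browser refuses it even though the original request was same-origin. The response chains are constructed from the report; the auth URL's query string is a placeholder.

```python
# Added illustration: a model of the browser-side CORS check behind the error in
# Step 5.  Not part of the report and not Keycloak or browser code.
from urllib.parse import urlsplit

# Hosts, paths and header names are taken from the report; the query string of
# the auth URL is a placeholder.
PAGE_URL = "http://localhost/app1/index.html"
DATA_URL = "http://localhost/cors/test.txt"
AUTH_URL = "http://localhost-auth:8080/auth/realms/test/protocol/openid-connect/auth?placeholder"

def origin_of(url):
    """scheme://host[:port], the value the browser compares against."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"

def acao_permits(page_origin, acao):
    """Does an Access-Control-Allow-Origin value let page_origin read the response?
    '*' is accepted because the XMLHttpRequest in the report sends no credentials."""
    return acao is not None and acao in ("*", page_origin)

def cors_outcome(page_url, chain):
    """Walk the responses the browser receives for one XMLHttpRequest.
    chain: list of (url, status, headers, body); a 3xx entry is followed by the
    response for its Location target.  Every response served from a foreign
    origin needs a usable Access-Control-Allow-Origin header, redirects included.
    Returns ("ok", body) or ("blocked", url) naming the response that failed.
    """
    page_origin = origin_of(page_url)
    for url, status, headers, body in chain:
        acao = headers.get("Access-Control-Allow-Origin")
        if origin_of(url) != page_origin and not acao_permits(page_origin, acao):
            return ("blocked", url)
        if status in (301, 302, 303, 307, 308):
            continue
        return ("ok", body)
    return ("blocked", chain[-1][0])

# Constructed chains mirroring the report.  Not logged in: the adapter on "cors"
# answers 302 to the auth endpoint, which sends no Access-Control-Allow-Origin.
UNAUTHENTICATED = [
    (DATA_URL, 302, {"Location": AUTH_URL}, ""),
    (AUTH_URL, 200, {"Content-Type": "text/html"}, "<login form>"),
]
# What the report expects: the auth endpoint reflects the configured Web origin.
EXPECTED = [
    (DATA_URL, 302, {"Location": AUTH_URL}, ""),
    (AUTH_URL, 200, {"Access-Control-Allow-Origin": "http://localhost"}, "<login form>"),
]
# Logged in: served directly from the same origin, so no header is needed.
AUTHENTICATED = [(DATA_URL, 200, {"Content-Type": "text/plain"}, "Some data")]
```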