I assume you've secured http://localhost/app1 and http://localhost/cors with the
Keycloak Tomcat adapter?
For the cors app you should select bearer-only as the client type; that'll
prevent the redirect with XMLHttpRequest. Bearer-only applications are
"services" that only verify tokens sent in the request, but don't allow
users to log in directly. You also need to make sure that
http://localhost/cors/test.txt is secured properly, in web.xml if that's
how you secure it. Once deployed, check that you can visit
http://localhost/cors/test.txt in the browser.
The next step would be to make sure http://localhost/app1 sends the bearer
token in the Authorization header when invoking cors/test.txt.

This means that I have to change my application and send the token. In the
example I can, but in real life I can't change the application. Is there
no other way?
----- Original Message -----
> From: "Henk Laracker" <Henk.Laracker(a)planonsoftware.com>
> To: "Stian Thorgersen" <stian(a)redhat.com>
> Cc: "Mark Bertels" <Mark.Bertels(a)planonsoftware.com>, keycloak-user(a)lists.jboss.org
> Sent: Thursday, May 28, 2015 8:18:31 PM
> Subject: Re: [keycloak-user] Cors not working Final 1.2
>
> I understand, but we have some weird behaviour once we've logged in to
> http://localhost/app1/index.html .
>
> If you first log in on http://localhost/app1/index.html , then go directly
> to http://localhost/cors/test.txt we are able to see the txt file without
> logging in.
> When we go back to http://localhost/app1/index.html it's working as
> intended, and we get no keycloak redirect.
>
> On 28/05/15 14:01, "Stian Thorgersen" <stian(a)redhat.com> wrote:
>
> >Looks like what's happening is that you're doing an XMLHttpRequest to a
> >resource that requires authentication. In this case the adapter returns a
> >302 and it'll be redirected to the login screen on the Keycloak server.
> >
> >The login screen is not expected to be invoked with XMLHttpRequest/CORS
> >so it shouldn't have CORS headers.
> >
> >Further the Keycloak adapter only adds CORS headers when a bearer token
> >is present (Authorization: Bearer ...). If you want CORS headers for
> >non-protected endpoints you'll have to add those yourself as Keycloak
> >pulls the permitted origins from the bearer token.
> >
> >Just make sure you invoke your secured endpoints with a valid bearer
> >token and it should work fine. With regards to it returning a 302 for an
> >XMLHttpRequest, that's an improvement we can do in the adapters to only do
> >that if the Accept header contains text/html.
> >
> >----- Original Message -----
> >> From: "Henk Laracker" <Henk.Laracker(a)planonsoftware.com>
> >> To: "Stian Thorgersen" <stian(a)redhat.com>
> >> Cc: "Mark Bertels" <Mark.Bertels(a)planonsoftware.com>, keycloak-user(a)lists.jboss.org
> >> Sent: Thursday, 28 May, 2015 1:38:12 PM
> >> Subject: Re: [keycloak-user] Cors not working Final 1.2
> >>
> >> As requested:
> >>
> >>
> >> cors keycloak.json - http://pastebin.com/raw.php?i=n9McFRGH
> >> app1 keycloak.json - http://pastebin.com/raw.php?i=jaL0c6us
> >>
> >> index.html - http://pastebin.com/raw.php?i=SndsyL8F
> >> test.txt - http://pastebin.com/raw.php?i=BeaRUCHE
> >>
> >> Thanks for looking in.
> >>
> >>
> >> On 28/05/15 12:22, "Stian Thorgersen" <stian(a)redhat.com> wrote:
> >>
> >> >
> >> >
> >> >----- Original Message -----
> >> >> From: "Henk Laracker" <Henk.Laracker(a)planonsoftware.com>
> >> >> To: keycloak-user(a)lists.jboss.org
> >> >> Cc: "Mark Bertels" <Mark.Bertels(a)planonsoftware.com>
> >> >> Sent: Thursday, 28 May, 2015 12:01:47 PM
> >> >> Subject: [keycloak-user] Cors not working Final 1.2
> >> >>
> >> >> Hi,
> >> >>
> >> >> Cors headers missing during login procedure of keycloak
> >> >>
> >> >>
> >> >> ===============================
> >> >> Step 1 - Prepare keycloak realm:
> >> >> ===============================
> >> >>
> >> >> Create a simple keycloak realm for testing.
> >> >>
> >> >> ===============================
> >> >> Step 2 - Create a user
> >> >> ===============================
> >> >>
> >> >> Add a user and a client to the realm
> >> >> The client should be configured as follows:
> >> >>
> >> >> Client Protocol openid-connect
> >> >> Access Type public
> >> >>
> >> >> Valid redirect uri's:
> >> >>   http://localhost/*
> >> >>   http://localhost
> >> >> Web origins:
> >> >>   http://localhost/*
> >> >>   http://localhost
> >> >>
> >> >> ===============================
> >> >> Step 3 - Create test application on tomcat
> >> >> ===============================
> >> >>
> >> >> On a given tomcat server (I'm using localhost for this example) add 2 web
> >> >> applications:
> >> >> app1 with a simple index.html
> >> >> cors with a simple test.txt with the content "Some data"
> >> >>
> >> >> The following url's are now available:
> >> >>
> >> >> http://localhost/app1/index.html
> >> >> http://localhost/cors/test.txt
> >> >>
> >> >> In http://localhost/app1/index.html create javascript which loads data
> >> >> from http://localhost/cors/test.txt
> >> >>
> >> >> If you go to http://localhost/app1/index.html now, a GET will be
> >> >> performed to http://localhost/cors/test.txt and the data is displayed
> >> >>
> >> >>
> >> >> ===============================
> >> >> Step 4 - Adding keycloak to the applications
> >> >> ===============================
> >> >>
> >> >> Add keycloak configuration on "app1".
> >> >>
> >> >>
> >> >> Add keycloak configuration on "cors"
> >> >> Additionally, add
> >> >> "enable-cors": "true"
> >> >> to the json file.
> >> >>
> >> >> ===============================
> >> >> Step 5 - Log in to app1
> >> >> ===============================
> >> >>
> >> >> If you log in to app1 in a new browser the data from app "cors" will
> >> >> not be loaded. The following error will be displayed in the console of
> >> >> your browser (using chrome)
> >> >>
> >> >> XMLHttpRequest cannot load
> >> >> http://localhost-auth:8080/auth/realms/test/protocol/openid-connect/auth?reŠlient%2Ftest.txt&state=6%2Fa1e9817b-7f9b-4d30-ab4e-17637c9d190a&login=true.
> >> >> No 'Access-Control-Allow-Origin' header is present on the requested
> >> >> resource.
> >> >> Origin 'http://localhost' is therefore not allowed access.
> >> >
> >> >This request to "/protocol/openid-connect/auth" makes no sense to me. How
> >> >are you invoking this? Can you include the source for index.html?
> >> >
> >> >>
> >> >>
> >> >> If it loaded the data, make sure that you're logged out, or try it in
> >> >> private browsing mode.
> >> >>
> >> >>
> >> >> ===============================
> >> >> Expected result
> >> >> ===============================
> >> >>
> >> >> We expected "Access-Control-Allow-Origin" to be set to the "Web
> >> >> origins", allowing for cross-application requests without editing
> >> >> existing applications.
> >> >>
> >> >>
> >> >>
> >> >> Met vriendelijke groet / Yours sincerely / Mit freundlichen Grüßen /
> >> >> Très cordialement,
> >> >>
> >> >>
> >> >>
> >> >>
> >> >> Henk Laracker
> >> >>
> >> >> _______________________________________________
> >> >> keycloak-user mailing list
> >> >> keycloak-user(a)lists.jboss.org
> >> >> https://lists.jboss.org/mailman/listinfo/keycloak-user