Hello Sebastien,
Thank you for the quick reply. I did configure the JS app using the
keycloak.js adapter, and the REST service as a client with bearer-only. I
redid all my configuration again and for some reason I got right what I did
wrong the last two nights I was working on it... Unfortunately I'm still
clueless as to what I did wrong (I didn't commit my code which produced the
error). I think I didn't configure the AngularJS $http Authorization header
properly the times I got the REST service settings right.
Trying to reproduce my error I got the feeling that the CORS config in
application.properties is relevant after all. Taking the following steps
produced a 401:
- Remove CORS config from application.properties and restart the service
- Clear browser cache and restart the browser
- Visit the frontend application and successfully log in using Keycloak
- After the redirect back to the AngularJS homepage the REST service
response was a 401
Then, adding back the CORS config in application.properties, restarting the
service, clearing browser cache, restarting browser and logging in resulted
in a 200.
I repeated these steps several times and didn't change any other code or
settings. So I think configuring CORS in Spring Boot is not sufficient
after all.
Kind regards and thanks once more,
Björn
2016-11-03 9:44 GMT+01:00 Sebastien Blanc <sblanc(a)redhat.com>:
Hi!
Before looking at the CORS stuff let's check how you have set up your
keycloak configuration? The example you refer to is: a SpringBoot REST
service and a JS frontend, which means:
- Your REST service must be a particular keycloak client with bearer-only.
- Your frontend service must be a particular keycloak client, and your JS
app should use the keycloak.js adapter. From that client you will be
redirected to the keycloak login page, after it redirects back you have to
pass the token in the header before doing your backend call.
Regarding cors config in the properties file, these are not relevant for
the SpringBoot adapter (we need to document that or make it work ;) ) but
configuring CORS directly in SB should be enough.
Regarding your SB 1.4.1, this has been reported and fixed, it will be
available in the next KC release.
Sebi
On Thu, Nov 3, 2016 at 8:53 AM, Björn Janson <bjorn.j.janson(a)gmail.com>
wrote:
> Hello all,
>
> I'm building an application with a Spring Boot (1.4.0) resource service
> and AngularJS (1.5.8) front-end. Both are separate projects and run on
> different ports. Therefore I applied global Spring Boot CORS configuration
> as instructed on this page: https://spring.io/guides/gs/rest-service-cors/.
> This works fine. When I want to secure my application using Keycloak I
> get a No 'Access-Control-Allow-Origin' header 401 when my front-end wants
> to retrieve data from the service.
>
> Because I'm using keycloak-spring-boot-adapter the configuration has to be
> done in the application.properties. I added these lines:
>
> keycloak.cors = true
> keycloak.cors-max-age = 1000
> keycloak.cors-allowed-methods = POST, PUT, DELETE, GET
>
> These didn't give an error. (keycloak.enable-cors = true did). Still, I
> get a 401 with a No 'Access-Control-Allow-Origin' error.
>
> I tried several versions of the keycloak-spring-boot-adapter as well as
> Spring Boot 1.4.1 (which actually resulted in an internal error as
> described here:
> http://stackoverflow.com/questions/39794779/how-do-i-configure-the-spring-boot-quickstart-for-keycloak).
> I tried disabling the Spring Boot CORS configuration. I also tried to
> minimize the lines in my application.properties and only adding
> keycloak.cors = true for CORS configuration. All didn't work.
>
> I'm just starting out with Keycloak so I don't know if I'm missing
> something or that I actually stumbled upon a bug. Is there anyone who
> might be able to help me?
>
> Kind regards,
> Björn
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
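
Added example, not part of the original thread and not Keycloak or Spring code: a small JavaScript model of the 401 versus 200 difference in the reproduction steps above. It assumes the bearer-only check runs before the framework's CORS handling, so the adapter's CORS setting decides whether the token-less preflight is answered; `service`, `browserGet`, the `adapterCors`/`frameworkCors` flags, the origin, the token and the allowed-headers value are constructed for illustration.

```javascript
// Constructed model: an auth check that runs before the framework's CORS
// handling (the assumption stated in the lead-in).
const ORIGIN = 'http://localhost:9000';   // constructed front-end origin
const VALID_TOKEN = 'constructed-token';  // stands in for a real access token

function service(req, cfg) {
  const isPreflight = req.method === 'OPTIONS' &&
    'access-control-request-method' in req.headers;
  const cors = { 'access-control-allow-origin': req.headers.origin };

  // 1. Auth layer (bearer-only). With adapterCors it answers preflights itself,
  //    using the method list and max-age from the thread's properties.
  if (isPreflight && cfg.adapterCors) {
    return { status: 200, headers: { ...cors,
      'access-control-allow-methods': 'POST, PUT, DELETE, GET',
      'access-control-allow-headers': 'authorization',
      'access-control-max-age': '1000' } };
  }
  if (req.headers.authorization !== `Bearer ${VALID_TOKEN}`) {
    // Rejected before the framework runs, so its CORS headers are never added.
    return { status: 401, headers: cfg.adapterCors ? cors : {} };
  }
  // 2. Framework layer: only authenticated requests get this far.
  const headers = (cfg.frameworkCors || cfg.adapterCors) ? cors : {};
  return { status: 200, headers };
}

// What a browser does for a cross-origin GET that sets an Authorization header.
function browserGet(cfg, token) {
  // The preflight lists the header name but never carries the token itself.
  const pre = service({ method: 'OPTIONS', headers: { origin: ORIGIN,
    'access-control-request-method': 'GET',
    'access-control-request-headers': 'authorization' } }, cfg);
  if (pre.status < 200 || pre.status > 299 ||
      pre.headers['access-control-allow-origin'] !== ORIGIN) {
    return { blockedAt: 'preflight', status: pre.status };
  }
  const res = service({ method: 'GET', headers: { origin: ORIGIN,
    authorization: `Bearer ${token}` } }, cfg);
  if (res.headers['access-control-allow-origin'] !== ORIGIN) {
    return { blockedAt: 'response', status: res.status };
  }
  return { blockedAt: null, status: res.status };
}
```

In this model a valid token still ends in a 401 with no `Access-Control-Allow-Origin` header when only the framework handles CORS, while a wrong token with adapter CORS enabled yields a 401 the front-end can actually read.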