3:10 a.m.
Hi,
after huge amounts of hours of investigations I found the resolution for almost all
problems with CORS. I decided that maybe I am not alone with it, so here you go:
1. Go to admin console of Keycloak and set 'Web Origins' of your client to address
of your application (or just * ).
2. In your application.properties (keycloak.json) set keycloak.cors = true (don't know
the name of this property in keycloak.json).
3. Thats it! Only 2 steps resolves almost all my problems with CORS in our applications.
Best regards,
Karol
[https://www.adbglobal.com/wp-content/uploads/adb.png]
adbglobal.com<https://www.adbglobal.com>
[https://www.adbglobal.com/wp-content/uploads/linkedin_logo.png]<https:...
[https://www.adbglobal.com/wp-content/uploads/twitter_logo.png]
<https://twitter.com/adb_global>
[https://www.adbglobal.com/wp-content/uploads/pinterest_logo.png]
<https://pinterest.com/adbglobal/pins/>
[https://www.adbglobal.com/wp-content/uploads/ComeJoin.jpg]<https://www...
![https://www.adbglobal.com/wp-content/uploads/linkedin_logo.png]<https:...](https://www.adbglobal.com/wp-content/uploads/linkedin_logo.png]%3Chttps://www.linkedin.com/company-beta/162280/%3E){kind=link}
![https://www.adbglobal.com/wp-content/uploads/ComeJoin.jpg]<https://www...](https://www.adbglobal.com/wp-content/uploads/ComeJoin.jpg]%3Chttps://www.adbglobal.com/meet-us-at-ibc2017/%3E){kind=link}
3:52 a.m.
Very thanks your info....
-----Original Message-----
From: keycloak-user-bounces(a)lists.jboss.org [mailto:keycloak-user-bounces@lists.jboss.org]
On Behalf Of Karol Buler
Sent: 2017年9月20日 16:11
To: keycloak-user(a)lists.jboss.org
Subject: [keycloak-user] Resolution for 99% of CORS's problems
Hi,
after huge amounts of hours of investigations I found the resolution for almost all
problems with CORS. I decided that maybe I am not alone with it, so here you go:
1. Go to admin console of Keycloak and set 'Web Origins' of your client to address
of your application (or just * ).
2. In your application.properties (keycloak.json) set keycloak.cors = true (don't know
the name of this property in keycloak.json).
3. Thats it! Only 2 steps resolves almost all my problems with CORS in our applications.
Best regards,
Karol
[https://www.adbglobal.com/wp-content/uploads/adb.png]
adbglobal.com<https://www.adbglobal.com>
[https://www.adbglobal.com/wp-content/uploads/linkedin_logo.png]<https:...
[https://www.adbglobal.com/wp-content/uploads/twitter_logo.png]
<https://twitter.com/adb_global>
[https://www.adbglobal.com/wp-content/uploads/pinterest_logo.png]
<https://pinterest.com/adbglobal/pins/>
[https://www.adbglobal.com/wp-content/uploads/ComeJoin.jpg]<https://www...
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
1:43 p.m.
Thanks for posting your solution, Karol. I have been having trouble with Keycloak CORS
also. I followed your suggestion:
1 - set client Web Origins 2 - in Keycloak.json, added "enable-cors": true
/usr/share/tomcat/webapps/main/WEB-INF]-bash-$ cat keycloak.json{ "realm":
"rtna", "realm-public-key":
"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAhvJlVZqi8KaZDZVPPl29y/nnPBHaPvH+NoG71w6BMDwIImw6vkNlO3CSr+kRAyLnpnP/9248gEZx6YwqEKwE4Oy5R6wuuxwOd2FdpYFM2wDw5zhF7U4oYy0WK1m31/hQdLGnpKtDdGReEwdkMOMtG655Nnqw8WdtmF3S2XcEm2t0gaNoYycd6gl4670nRqx6bRxs6UndERHZmHfkzLcL71RflgO1cyuOqMsjMb7oWIDy5bkE4ddB69TAbrpXVzLvwG1OIaM/XdfXOZIaIAajfacP3Vk8bZFa9eAsh5BVaeGzlqktsdk1JjbV0a14OVXQcCRusnV2wE+zSZhPNxhfFwIDAQAB",
"auth-server-url": "https://135.112.123.194:8666/auth",
"ssl-required": "external", "resource":
"main", "public-client": true,
"enable-cors": true}
I am still getting error:
135.112.123.183/:1 XMLHttpRequest cannot load
https://135.112.123.194:8666/auth/realms/rtna/protocol/openid-connect/token. No
'Access-Control-Allow-Origin' header is present on the requested resource. Origin
'https://135.112.123.183' is therefore not allowed access.
I also tried to add request header in
/opt/sso/keycloak/standalone/configuration/standalone.xml, not working either.
- If standalone.xml has <response-header
name="Access-Control-Allow-Origin"
header-name="Access-Control-Allow-Origin" header-value="*"/>:
I get the error:(index):82 keycloak init done......
(index):1 XMLHttpRequest cannot load
https://135.112.123.194:8666/auth/realms/rtna/protocol/openid-connect/token. The value of
the 'Access-Control-Allow-Origin' header in the response must not be the wildcard
'*' when the request's credentials mode is 'include'. Origin
'https://135.112.123.183' is therefore not allowed access. The credentials mode of
requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute.
Is there anything I am missing? Any idea how to make it work would be appreciated!!
On Wednesday, September 20, 2017, 4:14:00 AM EDT, Karol Buler
<K.Buler(a)adbglobal.com> wrote:
Hi,
after huge amounts of hours of investigations I found the resolution for almost all
problems with CORS. I decided that maybe I am not alone with it, so here you go:
1. Go to admin console of Keycloak and set 'Web Origins' of your client to address
of your application (or just * ).
2. In your application.properties (keycloak.json) set keycloak.cors = true (don't know
the name of this property in keycloak.json).
3. Thats it! Only 2 steps resolves almost all my problems with CORS in our applications.
Best regards,
Karol
[https://www.adbglobal.com/wp-content/uploads/adb.png]
adbglobal.com<https://www.adbglobal.com>
[https://www.adbglobal.com/wp-content/uploads/linkedin_logo.png]<https:...
[https://www.adbglobal.com/wp-content/uploads/twitter_logo.png]
<https://twitter.com/adb_global>
[https://www.adbglobal.com/wp-content/uploads/pinterest_logo.png]
<https://pinterest.com/adbglobal/pins/>
[https://www.adbglobal.com/wp-content/uploads/ComeJoin.jpg]<https://www...
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
![https://www.adbglobal.com/wp-content/uploads/linkedin_logo.png]<https:...](https://www.adbglobal.com/wp-content/uploads/linkedin_logo.png]%3Chttps://www.linkedin.com/company-beta/162280/%3E%C2%A0){kind=link}
3:01 a.m.
I had exactly the same problem with "Access-Control-Allow-Origin" and my
solution resolved this. Which version of KC do you have? I'm using
3.2.1.Final for now and didn't check on other versions.
In other hand what do you type into Web Origins? '*' or
'https://135.112.123.183' ?
On 25.09.2017 20:43, shimin q wrote:
Thanks for posting your solution, Karol. I have been having trouble
with Keycloak CORS also. I followed your suggestion:
1 - set client Web Origins
2 - in Keycloak.json, added "enable-cors": true
/usr/share/tomcat/webapps/main/WEB-INF]-bash-$ cat keycloak.json
{
"realm": "rtna",
"realm-public-key":
"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAhvJlVZqi8KaZDZVPPl29y/nnPBHaPvH+NoG71w6BMDwIImw6vkNlO3CSr+kRAyLnpnP/9248gEZx6YwqEKwE4Oy5R6wuuxwOd2FdpYFM2wDw5zhF7U4oYy0WK1m31/hQdLGnpKtDdGReEwdkMOMtG655Nnqw8WdtmF3S2XcEm2t0gaNoYycd6gl4670nRqx6bRxs6UndERHZmHfkzLcL71RflgO1cyuOqMsjMb7oWIDy5bkE4ddB69TAbrpXVzLvwG1OIaM/XdfXOZIaIAajfacP3Vk8bZFa9eAsh5BVaeGzlqktsdk1JjbV0a14OVXQcCRusnV2wE+zSZhPNxhfFwIDAQAB",
"auth-server-url": "https://135.112.123.194:8666/auth",
"ssl-required": "external",
"resource": "main",
"public-client": true,
"enable-cors": true
}
I am still getting error:
135.112.123.183/:1 XMLHttpRequest cannot load
https://135.112.123.194:8666/auth/realms/rtna/protocol/openid-connect/token.
No 'Access-Control-Allow-Origin' header is present on the requested
resource. Origin 'https://135.112.123.183' is therefore not allowed
access.
I also tried to add request header in
/opt/sso/keycloak/standalone/configuration/standalone.xml, not
working either.
* If standalone.xml has <response-header
name="Access-Control-Allow-Origin"
header-name="Access-Control-Allow-Origin" header-value="*"/>:
I get the error:(index):82 keycloakinit done......
(index):1 XMLHttpRequest cannot load
https://135.112.123.194:8666/auth/realms/rtna/protocol/openid-connect/token.
The value of the 'Access-Control-Allow-Origin' header in the response
must not be the wildcard '*' when the request's credentials mode is
'include'. Origin 'https://135.112.123.183' is therefore not allowed
access. The credentials mode of requests initiated by the
XMLHttpRequest is controlled by the withCredentials attribute.
Is there anything I am missing? Any idea how to make it work would be
appreciated!!
On Wednesday, September 20, 2017, 4:14:00 AM EDT, Karol Buler
<K.Buler(a)adbglobal.com> wrote:
Hi,
after huge amounts of hours of investigations I found the resolution
for almost all problems with CORS. I decided that maybe I am not alone
with it, so here you go:
1. Go to admin console of Keycloak and set 'Web Origins' of your
client to address of your application (or just * ).
2. In your application.properties (keycloak.json) set keycloak.cors =
true (don't know the name of this property in keycloak.json).
3. Thats it! Only 2 steps resolves almost all my problems with CORS in
our applications.
Best regards,
Karol
[https://www.adbglobal.com/wp-content/uploads/adb.png]
adbglobal.com<https://www.adbglobal.com>
[https://www.adbglobal.com/wp-content/uploads/linkedin_logo.png]<https:...
[https://www.adbglobal.com/wp-content/uploads/twitter_logo.png]
<https://twitter.com/adb_global>
[https://www.adbglobal.com/wp-content/uploads/pinterest_logo.png]
<https://pinterest.com/adbglobal/pins/>
[https://www.adbglobal.com/wp-content/uploads/ComeJoin.jpg]<https://www...
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-user
8:17 a.m.
For the record using '*' as web origin is really rather bad from a security
perspective and should ONLY be used in development/testing.
On 26 September 2017 at 10:01, Karol Buler <K.Buler(a)adbglobal.com> wrote:
I had exactly the same problem with
"Access-Control-Allow-Origin" and my
solution resolved this. Which version of KC do you have? I'm using
3.2.1.Final for now and didn't check on other versions.
In other hand what do you type into Web Origins? '*' or
'https://135.112.123.183' ?
On 25.09.2017 20:43, shimin q wrote:
> Thanks for posting your solution, Karol. I have been having trouble
> with Keycloak CORS also. I followed your suggestion:
>
> 1 - set client Web Origins
> 2 - in Keycloak.json, added "enable-cors": true
>
> /usr/share/tomcat/webapps/main/WEB-INF]-bash-$ cat keycloak.json
> {
> "realm": "rtna",
> "realm-public-key":
> "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAhvJlVZqi8KaZDZVP
Pl29y/nnPBHaPvH+NoG71w6BMDwIImw6vkNlO3CSr+kRAyLnpnP/
9248gEZx6YwqEKwE4Oy5R6wuuxwOd2FdpYFM2wDw5zhF7U4oYy0WK1m31/
hQdLGnpKtDdGReEwdkMOMtG655Nnqw8WdtmF3S2XcEm2t0gaNoYycd6gl467
0nRqx6bRxs6UndERHZmHfkzLcL71RflgO1cyuOqMsjMb7oWIDy5bkE4ddB69
TAbrpXVzLvwG1OIaM/XdfXOZIaIAajfacP3Vk8bZFa9eAsh5
BVaeGzlqktsdk1JjbV0a14OVXQcCRusnV2wE+zSZhPNxhfFwIDAQAB",
> "auth-server-url":
"https://135.112.123.194:8666/auth",
> "ssl-required": "external",
> "resource": "main",
> "public-client": true,
> "enable-cors": true
> }
>
> I am still getting error:
>
> 135.112.123.183/:1 XMLHttpRequest cannot load
> https://135.112.123.194:8666/auth/realms/rtna/protocol/
openid-connect/token.
> No 'Access-Control-Allow-Origin' header is present on the requested
> resource. Origin 'https://135.112.123.183' is therefore not allowed
> access.
>
> I also tried to add request header in
> /opt/sso/keycloak/standalone/configuration/standalone.xml, not
> working either.
>
> * If standalone.xml has <response-header
> name="Access-Control-Allow-Origin"
> header-name="Access-Control-Allow-Origin"
header-value="*"/>:
>
> I get the error:(index):82 keycloakinit done......
>
> (index):1 XMLHttpRequest cannot load
> https://135.112.123.194:8666/auth/realms/rtna/protocol/
openid-connect/token.
> The value of the 'Access-Control-Allow-Origin' header in the response
> must not be the wildcard '*' when the request's credentials mode is
> 'include'. Origin 'https://135.112.123.183' is therefore not
allowed
> access. The credentials mode of requests initiated by the
> XMLHttpRequest is controlled by the withCredentials attribute.
>
> Is there anything I am missing? Any idea how to make it work would be
> appreciated!!
>
>
>
>
>
>
>
>
>
>
> On Wednesday, September 20, 2017, 4:14:00 AM EDT, Karol Buler
> <K.Buler(a)adbglobal.com> wrote:
>
>
> Hi,
>
> after huge amounts of hours of investigations I found the resolution
> for almost all problems with CORS. I decided that maybe I am not alone
> with it, so here you go:
>
> 1. Go to admin console of Keycloak and set 'Web Origins' of your
> client to address of your application (or just * ).
>
> 2. In your application.properties (keycloak.json) set keycloak.cors =
> true (don't know the name of this property in keycloak.json).
>
> 3. Thats it! Only 2 steps resolves almost all my problems with CORS in
> our applications.
>
> Best regards,
> Karol
>
> [https://www.adbglobal.com/wp-content/uploads/adb.png]
> adbglobal.com<https://www.adbglobal.com>
> [https://www.adbglobal.com/wp-content/uploads/linkedin_logo.png]<
https://www.linkedin.com/company-beta/162280/>
> [https://www.adbglobal.com/wp-content/uploads/twitter_logo.png]
> <https://twitter.com/adb_global>
> [https://www.adbglobal.com/wp-content/uploads/pinterest_logo.png]
> <https://pinterest.com/adbglobal/pins/>
> [https://www.adbglobal.com/wp-content/uploads/ComeJoin.jpg]<
https://www.adbglobal.com/meet-us-at-ibc2017/>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org>
> https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
![https://www.adbglobal.com/wp-content/uploads/linkedin_logo.png]<](https://www.adbglobal.com/wp-content/uploads/linkedin_logo.png]%3C){kind=link}
![https://www.adbglobal.com/wp-content/uploads/ComeJoin.jpg]<](https://www.adbglobal.com/wp-content/uploads/ComeJoin.jpg]%3C){kind=link}
4:50 a.m.
You have right Stian, IMO the best solution in Keycloak is '+', which
permits origins of all redirects URIs.
On 26.09.2017 15:17, Stian Thorgersen wrote:
For the record using '*' as web origin is really rather bad
from a
security perspective and should ONLY be used in development/testing.
On 26 September 2017 at 10:01, Karol Buler <K.Buler(a)adbglobal.com
<mailto:K.Buler@adbglobal.com>> wrote:
I had exactly the same problem with "Access-Control-Allow-Origin"
and my
solution resolved this. Which version of KC do you have? I'm using
3.2.1.Final for now and didn't check on other versions.
In other hand what do you type into Web Origins? '*' or
'https://135.112.123.183' ?
On 25.09.2017 20 <tel:25.09.2017%2020>:43, shimin q wrote:
> Thanks for posting your solution, Karol. I have been having trouble
> with Keycloak CORS also. I followed your suggestion:
>
> 1 - set client Web Origins
> 2 - in Keycloak.json, added "enable-cors": true
>
> /usr/share/tomcat/webapps/main/WEB-INF]-bash-$ cat keycloak.json
> {
> "realm": "rtna",
> "realm-public-key":
>
"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAhvJlVZqi8KaZDZVPPl29y/nnPBHaPvH+NoG71w6BMDwIImw6vkNlO3CSr+kRAyLnpnP/9248gEZx6YwqEKwE4Oy5R6wuuxwOd2FdpYFM2wDw5zhF7U4oYy0WK1m31/hQdLGnpKtDdGReEwdkMOMtG655Nnqw8WdtmF3S2XcEm2t0gaNoYycd6gl4670nRqx6bRxs6UndERHZmHfkzLcL71RflgO1cyuOqMsjMb7oWIDy5bkE4ddB69TAbrpXVzLvwG1OIaM/XdfXOZIaIAajfacP3Vk8bZFa9eAsh5BVaeGzlqktsdk1JjbV0a14OVXQcCRusnV2wE+zSZhPNxhfFwIDAQAB",
> "auth-server-url": "https://135.112.123.194:8666/auth
<https://135.112.123.194:8666/auth>";,
> "ssl-required": "external",
> "resource": "main",
> "public-client": true,
> "enable-cors": true
> }
>
> I am still getting error:
>
> 135.112.123.183/:1 <http://135.112.123.183/:1> XMLHttpRequest
cannot load
>
https://135.112.123.194:8666/auth/realms/rtna/protocol/openid-connect/token
<https://135.112.123.194:8666/auth/realms/rtna/protocol/openid-connect/tok...;.
> No 'Access-Control-Allow-Origin' header is present on the requested
> resource. Origin 'https://135.112.123.183' is therefore not allowed
> access.
>
> I also tried to add request header in
> /opt/sso/keycloak/standalone/configuration/standalone.xml, not
> working either.
>
> * If standalone.xml has <response-header
> name="Access-Control-Allow-Origin"
> header-name="Access-Control-Allow-Origin"
header-value="*"/>:
>
> I get the error:(index):82 keycloakinit done......
>
> (index):1 XMLHttpRequest cannot load
>
https://135.112.123.194:8666/auth/realms/rtna/protocol/openid-connect/token
<https://135.112.123.194:8666/auth/realms/rtna/protocol/openid-connect/tok...;.
> The value of the 'Access-Control-Allow-Origin' header in the
response
> must not be the wildcard '*' when the request's credentials mode is
> 'include'. Origin 'https://135.112.123.183' is therefore not
allowed
> access. The credentials mode of requests initiated by the
> XMLHttpRequest is controlled by the withCredentials attribute.
>
> Is there anything I am missing? Any idea how to make it work
would be
> appreciated!!
>
>
>
>
>
>
>
>
>
>
> On Wednesday, September 20, 2017, 4:14:00 AM EDT, Karol Buler
> <K.Buler(a)adbglobal.com <mailto:K.Buler@adbglobal.com>> wrote:
>
>
> Hi,
>
> after huge amounts of hours of investigations I found the resolution
> for almost all problems with CORS. I decided that maybe I am not
alone
> with it, so here you go:
>
> 1. Go to admin console of Keycloak and set 'Web Origins' of your
> client to address of your application (or just * ).
>
> 2. In your application.properties (keycloak.json) set
keycloak.cors =
> true (don't know the name of this property in keycloak.json).
>
> 3. Thats it! Only 2 steps resolves almost all my problems with
CORS in
> our applications.
>
> Best regards,
> Karol
>
> [https://www.adbglobal.com/wp-content/uploads/adb.png
<https://www.adbglobal.com/wp-content/uploads/adb.png>]
> adbglobal.com <http://adbglobal.com><https://www.adbglobal.com
<https://www.adbglobal.com>>
> [https://www.adbglobal.com/wp-content/uploads/linkedin_logo.png
<https://www.adbglobal.com/wp-content/uploads/linkedin_logo.png>]<ht...
<https://www.linkedin.com/company-beta/162280/>>
>
[https://www.adbglobal.com/wp-content/uploads/twitter_logo.png
<https://www.adbglobal.com/wp-content/uploads/twitter_logo.png>]
> <https://twitter.com/adb_global <https://twitter.com/adb_global>>
> [https://www.adbglobal.com/wp-content/uploads/pinterest_logo.png
<https://www.adbglobal.com/wp-content/uploads/pinterest_logo.png>]
> <https://pinterest.com/adbglobal/pins/
<https://pinterest.com/adbglobal/pins/>>
> [https://www.adbglobal.com/wp-content/uploads/ComeJoin.jpg
<https://www.adbglobal.com/wp-content/uploads/ComeJoin.jpg>]<https:/...
<https://www.adbglobal.com/meet-us-at-ibc2017/>>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
<mailto:keycloak-user@lists.jboss.org>
<mailto:keycloak-user@lists.jboss.org
<mailto:keycloak-user@lists.jboss.org>>
> https://lists.jboss.org/mailman/listinfo/keycloak-user
<https://lists.jboss.org/mailman/listinfo/keycloak-user>
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-user
<https://lists.jboss.org/mailman/listinfo/keycloak-user>
![https://www.adbglobal.com/wp-content/uploads/linkedin_logo.png>]<ht...](https://www.adbglobal.com/wp-content/uploads/linkedin_logo.png%3E]%3Chttps://www.linkedin.com/company-beta/162280/){kind=link}
![https://www.adbglobal.com/wp-content/uploads/ComeJoin.jpg>]<https:/...](https://www.adbglobal.com/wp-content/uploads/ComeJoin.jpg%3E]%3Chttps://www.adbglobal.com/meet-us-at-ibc2017/){kind=link}
2647
days inactive
2667
days old
5 comments
4 participants
participants (4)
-
Karol Buler -
shimin q -
Stian Thorgersen -
Zou, Zhiyuan (NSB - CN/Beijing)