Hi,
we have a bearer-only Spring Boot REST service that does authentication and authorisation with the Keycloak Spring Boot adapter. So, we use the PolicyEnforcer and the Keycloak Authorisation Services to perform the authz process. Spring Security is not enabled and is also not part of the classpath.

Everything works as expected, except some CORS functionality. Usually, we configured the allowed origins, methods and headers by using the Spring features (CorsFilter). But since we integrated the PolicyEnforcer, it was necessary to set the "keycloak.cors" property to true as well, because otherwise the PolicyEnforcer was rejecting all preflight (HTTP OPTIONS) requests.

But now the problem is that all preflight requests are answered with HTTP 200, although the Origin included in the HTTP request header is not allowed. I do not know if this behaviour is intended, but without the KC adapter Spring usually rejects this kind of request with a 403. I took a look at the class "PreAuthActionsHandler" and found that the Origin header is just copied to the response without being checked. Allowed methods and headers are configurable in the KeycloakDeployment, but allowed origins are not.

Is it a bug or a missing feature? In my understanding such requests should be rejected, like in the Spring filters.

A workaround would be to disable the keycloak.cors property and let Spring do the CORS stuff. But unfortunately the policy enforcement denies all OPTIONS requests without a token.
Cheers,
sascha
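As an added example (not code from the post or from the Keycloak adapter), here is an explicit Origin allow-list check that answers 403 before any CORS headers are reflected; it assumes it can be wired ahead of the adapter's pre-auth handling, which for the container-integrated Spring Boot adapter has to be verified, since the adapter's valve may run before servlet filters. The class name, the allow-list values and the Spring registration bean are assumptions.

```java
import java.io.IOException;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;

/** Rejects any request whose Origin header is not on an explicit allow-list (added example). */
public class OriginAllowListFilter implements Filter {

    private final Set<String> allowedOrigins; // lowercase "scheme://host[:port]" entries

    public OriginAllowListFilter(Set<String> allowedOrigins) {
        this.allowedOrigins = allowedOrigins;
    }

    /** Exact match only: no wildcards, and the "null" origin is never allowed. */
    static boolean isAllowed(Set<String> allowed, String origin) {
        if (origin == null) return true; // no Origin header: same-origin or non-browser client
        return allowed.contains(origin.trim().toLowerCase());
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        if (!isAllowed(allowedOrigins, request.getHeader("Origin"))) {
            // Applies to preflight and actual requests alike; no Access-Control-* headers are
            // written, so the browser blocks the response regardless of the status code.
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "Origin not allowed");
            return;
        }
        chain.doFilter(req, res);
    }

    @Configuration
    static class Registration {
        @Bean // constructed sample allow-list; real values come from configuration
        FilterRegistrationBean<OriginAllowListFilter> originFilter() {
            FilterRegistrationBean<OriginAllowListFilter> bean = new FilterRegistrationBean<>(
                    new OriginAllowListFilter(Set.of("https://app.example.com")));
            bean.setOrder(Ordered.HIGHEST_PRECEDENCE); // ahead of other servlet filters
            return bean;
        }
    }
}
```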