Then it is just a matter of giving the gui-app an allowed origin of itself.
Admin console->Applications->gui-app->Web
The rest-app should just be a plain bearer-only service that turns on
cors in the keycloak.json file:
"enable-cors": true
On 5/14/2014 1:35 PM, Boettcher, Jim wrote:
Hi Bill,
Thank you for the cors example.
The setup we were trying to get to work is somewhat different than what you have in the
cors example. We were not using the keycloak.js adapter to do the token negotiation on the
client. We have a number of different client apps and we were hoping to get this working
by using the server adapter.
The gui-app is configured to use the as7-adapter module installed in the JBoss server.
When the jsp page is requested the adapter on the server intercepts the request and does
all the token negotiation and then stores the access token in the session. The user should
now be logged in with SSO.
Now when an Ajax request is made from the gui-app to the rest-app we were hoping to get
the SSO to work on the rest-app. The rest-app is also configured to use the as7-adapter
module installed in the JBoss server. We were hoping to get this to work similar to how
the demo example for the customer and product apps work with SSO. In our case the gui-app
would work like the customer-portal of the example and our rest-app would work like the
product-portal of the example.
So in our case we wanted to try to get our rest-app to do the SSO token negotiation
using the KEYCLOAK_IDENTITY cookie and access code like the product-portal example does.
Note we are not trying to do the bearer token type calls to the database rest service like
the demo example does.
-Jim
-----Original Message-----
From: Bill Burke [mailto:bburke@redhat.com]
Sent: Tuesday, May 13, 2014 5:58 PM
To: Boettcher, Jim
Cc: keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] How to set up CORS for javascript calling a REST app
Ok, I have an example working in master for your setup.
$ git clone git@github.com:keycloak/keycloak.git
$ cd keycloak
$ mvn clean install
$ cd distribution
$ mvn clean install
$ cd application-dist/target
$ unzip keycloak*...zip
In one window bring up server:
$ cd application-dist/target/keycloak.../keycloak/bin
$ standalone.sh
In another build the demo:
$ cd application-dist/target/keycloak.../examples/cors
$ mvn clean install jboss-as:deploy
Read the README.md in the examples/cors directory to run the demo.
Let me know how it goes. The key to getting it working is setting the Web Origin for the
application you are logging into. Basically the origin should be whatever the base URI
is (minus the path) for that application. Also, setting keycloak.json setting of
enable-cors to true is also a must.
On 5/12/2014 11:25 AM, Bill Burke wrote:
> If I don't ping you by late tomorrow with an example for you, feel
> free to chastise me :)
>
> On 5/10/2014 10:00 PM, Boettcher, Jim wrote:
>> Keycloak is deployed on localhost port 8080.
>> The gui-app is deployed on myhost.domain.com/gui-app
>> The rest-app is deployed on myhost.domain.com/rest-app
>>
>> The XHR origin is myhost.domain.com/gui-app. This app is setup and configured to
>> use the as7-adapter installed as a JBoss module. The XHR request made to the rest-app is a
>> GET request (I tried POST and got same error). The rest-app is also set up and configured
>> to use the as7-adapter. The XHR request to the rest-app is intercepted by the adapter
>> which attempts to get an access code from the Keycloak server which it would then exchange
>> for an access token. The adapter on the rest-app fails after it receives the redirected
>> response from Keycloak with the access code. It tries to send a redirect response with the
>> access code stripped off but this fails as explained before.
>>
>>
>> -----Original Message-----
>> From: Bill Burke [mailto:bburke@redhat.com]
>> Sent: Friday, May 09, 2014 5:38 PM
>> To: Boettcher, Jim; Stian Thorgersen
>> Cc: keycloak-user(a)lists.jboss.org
>> Subject: Re: How to set up CORS for javascript calling a REST app
>>
>> I want to reproduce your setup as a CORS example. So your setup is?
>>
>> 1. Keycloak deployed on auth.domain.com
>> 2. gui-app deployed on gui.domain.com
>> 3. rest-app deployed on rest-app.domain.com
>>
>> Is that right?
>>
>> The XHR's origin is "gui.domain.com" correct? This request to rest-app is made
>> using the access token (bearer auth)? Just curious, how do you obtain the access token?
>>
>> If that is correct, I'll put together an example that you can try out within master.
>>
>>
>>
>> On 5/9/2014 5:23 PM, Boettcher, Jim wrote:
>>> Here is some more information on my problem.
>>> I have done a local build with the source from 5/8/2014.
>>> I deployed the auth-server to JBoss 7.1.1 running at localhost:8080
>>> I deployed the as7-adapter to JBoss 7.1.1 running at myhost.net:7116
>>> I have 2 applications running on the server at myhost.net:7116
>>> 1. gui-app - a jsp that uses Angular.js to make an Ajax call to a REST service in rest-app
>>> 2. rest-app - a REST service
>>> Both the gui-app and rest-app are configured to be secured by the auth-server.
>>>
>>> When the jsp from gui-app is requested it will get redirected to the
>>> auth-server and get the login form and successfully login. I can see the KEYCLOAK_IDENTITY
>>> cookie set and get the access code and exchange the access code for an access token.
>>> Everything looks good.
>>>
>>> When the Ajax request is made to the rest-app the problems start.
>>> First of all for the Angular.js config I had to set
>>> $httpProvider.defaults.withCredentials = true or the KEYCLOAK_IDENTITY cookie would not
>>> get sent when the request was redirected to the auth-server.
>>> In the Cors.build() method the origin value from the request is null so none
>>> of this code executes. This may be because I have the auth-server and my apps on different
>>> instances of JBoss with different domains.
>>> Also since I have already successfully logged in (with the call from the jsp)
>>> the method that gets called is in OAuthFlows.redirectAccessCode(). This method does not
>>> set any of the Access-Control-Allow-* methods and I get an error in the browser console:
>>> XMLHttpRequest cannot load
>>> http://localhost:8080/auth/realms/demo/tokens/login?client_id=rest-app&am....
>>> No 'Access-Control-Allow-Origin' header is present on the requested resource.
>>> Origin 'https://myhost.net:7116' is therefore not allowed access.
>>>
>>> If I modify the code to add the Access-Control-Allow-* headers to the
>>> response, I get further along. Now the redirect with the access code gets processed by the
>>> adapter. When the adapter strips the access code and sends back a redirect response
>>> without the access code it does not add the Access-Control-Allow-* headers so this fails
>>> with the error:
>>> XMLHttpRequest cannot load
>>> https://myhost.net:7116/rest-app/restws/backupt…FHbNf0z2R0hVsU6QBMamaEVUv....
>>> No 'Access-Control-Allow-Origin' header is present on the requested resource.
>>> Origin 'null' is therefore not allowed access.
>>>
>>> Modifying the adapter to add the Access-Control-Allow-* for this redirect
>>> response gets a little further. Now the problem is that the Origin=null in the request
>>> header and I get this error:
>>> XMLHttpRequest cannot load
>>> https://myhost.net:7116/rest-app/restws/backupt…5LL8dP6-ZEEE_t1fLf-OrJBTM....
>>> The 'Access-Control-Allow-Origin' header has a value
>>> 'https://myhost.net:7116' that is not equal to the supplied origin. Origin
>>> 'null' is therefore not allowed access.
>>>
>>> I tried to set the Access-Control-Allow-Origin = * to get around this null
>>> issue, but then I get an error:
>>> A wildcard '*' cannot be used in the
>>> 'Access-Control-Allow-Origin' header when the credentials flag is true. Origin
>>> 'null' is therefore not allowed access.
>>> But I have to set the credentials flag to true in order to get the
>>> KEYCLOAK_IDENTITY cookie to be sent.
>>>
>>> Can you look into these problems and let me know if there is a way to get
>>> this working for the applications that I have?
>>>
>>> Thanks
>>> -Jim
>>>
>>> -----Original Message-----
>>> From: Boettcher, Jim
>>> Sent: Tuesday, May 06, 2014 8:31 AM
>>> To: 'Stian Thorgersen'; Bill Burke
>>> Cc: keycloak-user(a)lists.jboss.org
>>> Subject: RE: How to set up CORS for javascript calling a REST app
>>>
>>> I first tried with the Alpha-3 release.
>>> I then did a build with latest source and deployed the auth-server.war and
>>> the keycloak-as7-adapter module. I still have the same problem with the latest source.
>>>
>>> I also noticed that with the latest source running on JBoss 7.1.1 when I
>>> tried to import a realm I get this error:
>>> Caused by: java.lang.NoSuchMethodError: org.jboss.resteasy.plugins.providers.multipart.InputPart.setMediaType(Ljavax/ws/rs/core/MediaType;)V
>>>     at org.keycloak.services.resources.admin.RealmsAdminResource.uploadRealm(RealmsAdminResource.java:132) [keycloak-services-1.0-beta-1-SNAPSHOT.jar:]
>>>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_45]
>>>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.7.0_45]
>>>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_45]
>>>     at java.lang.reflect.Method.invoke(Method.java:606) [rt.jar:1.7.0_45]
>>>     at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:155) [resteasy-jaxrs-2.3.2.Final.jar:]
>>>     at org.jboss.resteasy.core.ResourceMethod.invokeOnTarget(ResourceMethod.java:257) [resteasy-jaxrs-2.3.2.Final.jar:]
>>>     at org.jboss.resteasy.core.ResourceMethod.invoke(ResourceMethod.java:222) [resteasy-jaxrs-2.3.2.Final.jar:]
>>>     at org.jboss.resteasy.core.ResourceLocator.invokeOnTargetObject(ResourceLocator.java:152) [resteasy-jaxrs-2.3.2.Final.jar:]
>>>     at org.jboss.resteasy.core.ResourceLocator.invoke(ResourceLocator.java:91) [resteasy-jaxrs-2.3.2.Final.jar:]
>>>     at org.jboss.resteasy.core.SynchronousDispatcher.getResponse(SynchronousDispatcher.java:525) [resteasy-jaxrs-2.3.2.Final.jar:]
>>>
>>> Jim
>>>
>>>
>>> -----Original Message-----
>>> From: keycloak-user-bounces(a)lists.jboss.org
>>> [mailto:keycloak-user-bounces@lists.jboss.org] On Behalf Of Stian
>>> Thorgersen
>>> Sent: Tuesday, May 06, 2014 4:55 AM
>>> To: Bill Burke
>>> Cc: keycloak-user(a)lists.jboss.org
>>> Subject: Re: [keycloak-user] How to set up CORS for javascript
>>> calling a REST app
>>>
>>> I added some fixes to CORS in the adapters that haven't made it into a
release yet. Have you tried with building the server from source?
>>>
>>> ----- Original Message -----
>>>> From: "Bill Burke" <bburke(a)redhat.com>
>>>> To: keycloak-user(a)lists.jboss.org
>>>> Sent: Monday, 5 May, 2014 11:42:11 PM
>>>> Subject: Re: [keycloak-user] How to set up CORS for javascript
>>>> calling a REST app
>>>>
>>>> You are using the latest release? I'll take a look. I don't have
>>>> any unit tests for the CORs stuff in the last alpha release (have
>>>> some in trunk though) and I don't think I tested it manually either.
>>>>
>>>> On 5/5/2014 3:41 PM, Boettcher, Jim wrote:
>>>>> Hi,
>>>>>
>>>>> I’m trying to get CORS working for a javascript app. The
>>>>> javascript app (gui_app) is making AJAX requests to a different
>>>>> REST app (rest_app).
>>>>>
>>>>> In the Keycloak admin console I created an application for the
>>>>> rest_app application and set a Web Origin of “*” . I then copied
>>>>> the Installation for Jboss Subsystem XML to the standalone.xml of
>>>>> the JBoss 7.1.1 server that the rest_app is running on. I modified
>>>>> the configuration to add
>>>>>
>>>>> <enable-cors>true</enable-cors>
>>>>>
>>>>> When I try to open the gui_app from Chrome I get errors like:
>>>>>
>>>>> XMLHttpRequest cannot load
>>>>> http://localhost:8080/auth/rest/realms/dp-gui/tokens/login?client_id=rest....
>>>>> No 'Access-Control-Allow-Origin' header is present on the
>>>>> requested resource. Origin 'https://localhost:7116' is
>>>>> therefore not allowed access.
>>>>>
>>>>> I’ve tried playing with various settings but can’t get anything to work.
>>>>>
>>>>> Is there an example available for how to get this to work?
>>>>>
>>>>> Is there anything else that needs to be done on the Keycloak
>>>>> server side? Or on the Adapter side?
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Jim
>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> keycloak-user mailing list
>>>>> keycloak-user(a)lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>
>>>>
>>>> --
>>>> Bill Burke
>>>> JBoss, a division of Red Hat
>>>> http://bill.burkecentral.com
>>>
>>
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
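
An added example, not part of the original thread and not Keycloak code: a simplified JavaScript model of the browser's CORS check for credentialed requests, paired with a server-side header builder, reproducing the console errors reported above. The function names and the sample URL are assumptions made for illustration.

```javascript
// Web Origin for an application: its base URI minus the path.
function webOrigin(baseUri) {
  return new URL(baseUri).origin; // scheme://host[:port]
}

// Server side (hypothetical helper): CORS headers a resource server could emit
// for a request Origin, given the Web Origins registered for the application.
function corsHeaders(requestOrigin, allowedOrigins) {
  // Missing Origin, the opaque "null" origin, or an unregistered origin: emit nothing.
  if (!requestOrigin || requestOrigin === 'null') return {};
  if (!allowedOrigins.includes(requestOrigin)) return {};
  return {
    'Access-Control-Allow-Origin': requestOrigin, // echo the exact origin, never "*"
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin', // caches must not reuse the response for another origin
  };
}

// Browser side (simplified model): the check behind the errors in the thread.
function browserCorsCheck(requestOrigin, withCredentials, headers) {
  const acao = headers['Access-Control-Allow-Origin'];
  if (acao === undefined) return 'blocked: no Access-Control-Allow-Origin header';
  if (acao === '*') {
    return withCredentials ? 'blocked: wildcard with credentials flag true' : 'allowed';
  }
  if (acao !== requestOrigin) return 'blocked: header value not equal to supplied origin';
  if (withCredentials && headers['Access-Control-Allow-Credentials'] !== 'true') {
    return 'blocked: Access-Control-Allow-Credentials is not true';
  }
  return 'allowed';
}

// Constructed sample value modelled on the host named in the thread.
const GUI_ORIGIN = webOrigin('https://myhost.net:7116/gui-app/index.jsp');
const ALLOWED = [GUI_ORIGIN];

function demo() {
  return {
    // Direct XHR from gui-app with withCredentials = true.
    direct: browserCorsCheck(GUI_ORIGIN, true, corsHeaders(GUI_ORIGIN, ALLOWED)),
    // Access-Control-Allow-Origin = * together with credentials.
    wildcard: browserCorsCheck(GUI_ORIGIN, true, { 'Access-Control-Allow-Origin': '*' }),
    // The redirected request in the thread arrived with Origin 'null'.
    afterRedirect: browserCorsCheck('null', true, { 'Access-Control-Allow-Origin': GUI_ORIGIN }),
    // A server that refuses the "null" origin sends no CORS headers at all.
    nullRejected: browserCorsCheck('null', true, corsHeaders('null', ALLOWED)),
  };
}
console.log(demo());
```

Only the direct call passes; the redirected and wildcard cases fail in the browser regardless of what the server intends, which is why the reply at the top of the thread moves rest-app to a bearer-only service with no redirect in the XHR path.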