[keycloak-dev] CORS and Keycloak

Stian Thorgersen stian at redhat.com
Tue Oct 8 12:59:46 EDT 2013



----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: keycloak-dev at lists.jboss.org
> Sent: Tuesday, 8 October, 2013 5:21:38 PM
> Subject: [keycloak-dev] CORS and Keycloak
> 
> Based on our Hangout conversation, I'm trying to figure out what we need
> to do for CORS.
> 
> First, we absolutely need to allow CORS requests to Keycloak hosted
> resources: specifically the token service and the admin REST api.
> 
> The question is, do we manage CORS for applications?  How does this
> information get transmitted?  What support do we need to add?  Here's my
> take:

That's a brilliant idea - if you mentioned this in our Hangout I completely missed it (end of day ==> tired brain!) ;)

> 
> * Keycloak application adapters (i.e. the Tomcat Valve, or the Undertow
> Handler) can be set up to handle CORS requests.
> * Allowed origins can be specified within the adapter's config file.
> 
> Additionally we could:
> * Store allowed origins per application within the Keycloak realm database
> * Have a Keycloak REST API to obtain allowed origins for an application
> * Optionally store allowed origins in the signed access token.
> 
> The Keycloak application adapter then has 3 options to authorize a CORS
> invocation:
> 
> 1) Its config file
> 2) a REST call to the Keycloak server
> 3) From the access token.
> 
> #3 could get quite problematic as the access token could get quite large.
> 
> #3 does fit in nicely with Keycloak's concept of a Scope though.

I don't like 1 as I think it would have to be something that can be changed through the admin console, without having to update applications. If ignoring access token size, #3 is definitely the most attractive option.

> 
> Do I understand everything correctly as it pertains to CORS?  Did I
> cover everything?  Does what I'm saying make sense?
> 
> CORS could be another nice core feature we support. So our main
> marketing would say Keycloak is a
> 
> a) A social broker
> b) SSO/SLO
> c) OAuth
> d) CORS
> 
> 
> 
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> 
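The adapter-side decision the thread is discussing, written out as an added example (this is not Keycloak's Tomcat Valve or Undertow handler code, and it assumes a claim named `allowed-origins`, a config key of the same name and a `server_lookup` callback standing in for the REST call; the access token is assumed to have been signature-verified by the adapter before its claims reach this code). It shows the one check that matters regardless of where the origin list comes from: the `Origin` header is compared by exact match after normalisation, and only a matching origin is echoed back, never a wildcard and never a prefix or substring match.

```python
"""
Added example, not Keycloak project code: resolve the allowed-origins list from
one of the three sources in the thread (adapter config, REST lookup, access
token claim) and build the CORS response headers for one request.
"""
from typing import Callable, Dict, Iterable, Mapping, Optional, Set
from urllib.parse import urlsplit


def normalize_origin(origin: str) -> Optional[str]:
    """Canonical 'scheme://host[:port]' or None when the value is not a bare origin.
    Rejects 'null', paths, userinfo and non-http schemes so they can never match."""
    try:
        parts = urlsplit(origin)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if parts.path or parts.query or parts.fragment or parts.username or parts.password:
        return None
    default_port = 443 if parts.scheme == "https" else 80
    host = parts.hostname.lower()
    if port is None or port == default_port:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


def allowed_origins(source: str, *, config: Mapping = None, token_claims: Mapping = None,
                    server_lookup: Callable[[str], Iterable[str]] = None,
                    client_id: str = None) -> Set[str]:
    """Option 1 = adapter config, option 2 = REST call (stubbed by server_lookup),
    option 3 = claim carried in the signed access token. The claim/config key
    'allowed-origins' is an assumption of this example."""
    if source == "config":
        raw = config.get("allowed-origins", [])
    elif source == "server":
        raw = server_lookup(client_id)
    elif source == "token":
        raw = token_claims.get("allowed-origins", [])
    else:
        raise ValueError(f"unknown origin source {source!r}")
    # Normalise the allow-list once so comparison is exact and case-insensitive on host.
    return {n for n in map(normalize_origin, raw) if n is not None}


def cors_headers(request_headers: Mapping[str, str], allowed: Set[str],
                 credentials: bool = True) -> Dict[str, str]:
    """Return the CORS headers to add to the response, or {} to add none.
    An empty dict means the browser will block a cross-origin read."""
    origin = request_headers.get("Origin")
    if origin is None:
        return {}  # same-origin or non-browser request: CORS does not apply
    if normalize_origin(origin) not in allowed:
        return {}  # no echo, no '*': the browser enforces the denial
    headers = {
        "Access-Control-Allow-Origin": origin,  # echo the matched origin verbatim
        "Vary": "Origin",                        # keep caches from leaking one origin's answer
    }
    if credentials:
        # '*' may never be combined with credentials, which is why we echo instead.
        headers["Access-Control-Allow-Credentials"] = "true"
    if "Access-Control-Request-Method" in request_headers:  # preflight request
        headers["Access-Control-Allow-Methods"] = "GET, POST, PUT, DELETE"
        headers["Access-Control-Allow-Headers"] = "Authorization, Content-Type"
        headers["Access-Control-Max-Age"] = "600"
    return headers


# Constructed sample data for the three sources; values are illustrative only.
SAMPLE_CONFIG = {"allowed-origins": ["https://app.example.com"]}
SAMPLE_TOKEN_CLAIMS = {"aud": "my-app", "allowed-origins": ["https://app.example.com", "HTTPS://Admin.Example.com:443"]}
SAMPLE_REGISTRY = {"my-app": ["https://app.example.com", "http://localhost:8080"]}


def fake_server_lookup(client_id: str) -> Iterable[str]:
    """Stands in for a REST call to the Keycloak server (assumption, not a real endpoint)."""
    return SAMPLE_REGISTRY.get(client_id, [])


if __name__ == "__main__":
    allowed = allowed_origins("token", token_claims=SAMPLE_TOKEN_CLAIMS)
    for o in ("https://app.example.com", "https://app.example.com.evil.net", "null"):
        print(o, "->", cors_headers({"Origin": o}, allowed))
```

Whichever source the adapter ends up using, the list is normalised once and the request origin is looked up in that set; the three sources only differ in where the list is fetched from, which is why the lookup and the check are kept separate.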