[keycloak-dev] [aerogear-dev] Aerogear UPS + Keycloak cartridge combined together POC
Apostolos Emmanouilidis
aemmanou at redhat.com
Wed Feb 5 04:46:12 EST 2014
This case appears because Chrome and Safari send the Origin
header on same-origin PUT, DELETE & POST requests.
On the other side, Firefox does not send the Origin header on
same-origin requests. As the Keycloak team explained to me,
in most JS/HTML apps you'd add the origin part of the base URL as a web origin
in the application's settings through the Keycloak administration
console.
However, this does not apply to non-JS-based apps, and that's why the base
URL is not automatically considered a web origin.

Request Method:POST
Request Headers
Accept:application/json, text/javascript, */*; q=0.01
Accept-Encoding:gzip,deflate,sdch
Accept-Language:en-US,en;q=0.8,el;q=0.6
Connection:keep-alive
Content-Length:15
Content-Type:application/json
Cookie:JSESSIONID=Tw9NmJjHUlRO6JnimwyzS1w3.undefined
Host:agpushkeycloak-mobileqa.rhcloud.com
Origin:http://agpushkeycloak-mobileqa.rhcloud.com
Referer:http://agpushkeycloak-mobileqa.rhcloud.com/
User-Agent:Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
X-Requested-With:XMLHttpRequest
On Tue, 2014-02-04 at 18:13 +0100, Karel Piwko wrote:
> * Ember in UPS is firing AJAX requests to REST endpoints on the same domain.
> However, as it goes through the Keycloak Auth Server, this is considered a CORS
> request. I had to configure a Web Origin for the UPS application. This is
> confusing to me; the Origin header should be transparent for Keycloak as I'm
> firing requests to the same domain. Note this does not happen in Firefox,
> which identifies the same domain and avoids the Origin header. I need some insight
> here from more skilled people.
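
The behaviour discussed in this thread, as an added sketch that is not part of the original message and is not Keycloak's code: a server-side check that tells a same-origin request carrying an Origin header (Chrome, Safari) apart from a real cross-origin one, and only consults the configured web origins for the latter. The function names, the `webOrigins` parameter and the assumption that the server knows the request scheme and sees the browser's Host header unmodified are all hypothetical.

```javascript
// Illustrative origin check (hypothetical names; not Keycloak's implementation).
// Assumes the server knows the scheme it was reached on and that the Host
// header is the one the browser sent (no rewriting proxy in between).

// Default ports, so "http://host" and "http://host:80" compare equal.
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// Normalise an origin to scheme//host:port; null if it cannot be parsed
// (this also covers the opaque origin "null" and non-HTTP schemes).
function normalizeOrigin(value) {
  try {
    const u = new URL(value);
    const port = u.port || DEFAULT_PORTS[u.protocol];
    return port ? `${u.protocol}//${u.hostname}:${port}` : null;
  } catch (e) {
    return null;
  }
}

// Classify a request by its Origin header:
//   'no-origin'   : header absent (Firefox on same-origin requests, per the thread)
//   'same-origin' : Origin matches the scheme/host/port the request was sent to
//   'allowed'     : Origin is one of the configured web origins
//   'rejected'    : anything else
function classifyOrigin(headers, requestScheme, webOrigins) {
  const origin = headers['origin'];
  if (origin === undefined) return 'no-origin';

  const sent = normalizeOrigin(origin);
  if (sent === null) return 'rejected';

  const host = headers['host'];
  const self = host ? normalizeOrigin(`${requestScheme}://${host}`) : null;
  if (self !== null && sent === self) return 'same-origin';

  return webOrigins.map(normalizeOrigin).includes(sent) ? 'allowed' : 'rejected';
}

// Header values taken from the request dump in the message above.
const CHROME_REQUEST = {
  host: 'agpushkeycloak-mobileqa.rhcloud.com',
  origin: 'http://agpushkeycloak-mobileqa.rhcloud.com',
};
```

With an empty web-origins list, `classifyOrigin(CHROME_REQUEST, 'http', [])` yields `'same-origin'`, while the same headers received over `https` are no longer same-origin and fall through to the configured list.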