[keycloak-dev] bug: how did javascript adapter ever work?

Bill Burke bburke at redhat.com
Sun Apr 8 21:09:05 EDT 2018


Maybe its just a firefox thing?  The preflight sets the
ACCESS_CONTROL_ALLOW_ORIGIN, but I think firefox doesn't remember this
and expects the same header for the POST response to code to token.

On Sun, Apr 8, 2018 at 9:04 PM, Bill Burke <bburke at redhat.com> wrote:
> Does our javascript adapter use code to token flow by default?  Is
> that the preferred mechanism?  I don't think anybody is using it and
> has never used it if so, because...its broken.
>
> I'm integrating with a non-keycloak html5 app that is using code to
> token and the code to token request is failing with a CORS error.
> This is because we do not set allowed origins in TokenEndpoint:
>
> https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/protocol/oidc/endpoints/TokenEndpoint.java#L416
>
> Embarrassing?  Or am i missing something?
>
> --
> Bill Burke
> Red Hat



-- 
Bill Burke
Red Hat


More information about the keycloak-dev mailing list