[keycloak-user] Cors not working Final 1.2
Henk Laracker
Henk.Laracker at planonsoftware.com
Thu May 28 06:01:47 EDT 2015
Hi,
CORS headers missing during the login procedure of Keycloak
===============================
Step 1 - Prepare keycloak realm:
===============================
Create a simple Keycloak realm for testing.
===============================
Step 2 - Create a user
===============================
Add a user and a client to the realm.
The client should be configured as follows:
  Client Protocol:     openid-connect
  Access Type:         public
  Valid redirect URIs: http://localhost/*
                       http://localhost
  Web origins:         http://localhost/*
                       http://localhost
===============================
Step 3 - Create test application on tomcat
===============================
On a given Tomcat server (I'm using localhost for this example) add 2 web applications:
app1 with a simple index.html
cors with a simple test.txt with the content "Some data"
The following URLs are now available:
http://localhost/app1/index.html
http://localhost/cors/test.txt
In http://localhost/app1/index.html create JavaScript which loads data from http://localhost/cors/test.txt.
If you go to http://localhost/app1/index.html now, a GET will be performed to http://localhost/cors/test.txt and the data is displayed.
===============================
Step 4 - Adding keycloak to the applications
===============================
Add Keycloak configuration on "app1".
Add Keycloak configuration on "cors".
Additionally, add
"enable-cors": "true"
to the JSON file.
===============================
Step 5 - Log in to app1
===============================
If you log in to app1 in a new browser, the data from app "cors" will not be loaded. The following error will be displayed in the console of your browser (using Chrome):
XMLHttpRequest cannot load http://localhost-auth:8080/auth/realms/test/protocol/openid-connect/auth?re…lient%2Ftest.txt&state=6%2Fa1e9817b-7f9b-4d30-ab4e-17637c9d190a&login=true.
No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost' is therefore not allowed access.
If it loaded the data, make sure that you're logged out, or try it in private browsing mode.
===============================
Expected result
===============================
We expected "Access-Control-Allow-Origin" to be set to the "Web origins", allowing for cross-application requests without editing existing applications.
Met vriendelijke groet / Yours sincerely / Mit freundlichen Grüßen / Très cordialement,
Henk Laracker
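
The failure reported above, modelled as an added example that is not part of the original message or of Keycloak's code: a simplified version of the browser's CORS check applied to each response in a redirect chain. The function names and both response chains are constructed, and the example assumes the "cors" application answers the unauthenticated request with a redirect to the Keycloak auth URL shown in the error.

```javascript
// Simplified model of the browser's CORS check across a redirect chain.
// Preflight and credentials are ignored; all responses are constructed.
const originOf = (url) => new URL(url).origin; // scheme://host[:port], no path

// hops: [{ url, headers }] in the order the browser follows them.
function checkChain(pageOrigin, hops) {
  let cors = false;    // sticky: set once the chain leaves pageOrigin
  let tainted = false; // set when a non-page origin redirects to another origin
  for (let i = 0; i < hops.length; i++) {
    const here = originOf(hops[i].url);
    if (i > 0) {
      const prev = originOf(hops[i - 1].url);
      if (here !== prev && prev !== pageOrigin) tainted = true;
    }
    if (here !== pageOrigin) cors = true;
    if (!cors) continue; // still same-origin: response is readable without CORS
    const sent = tainted ? "null" : pageOrigin; // value of the Origin request header
    const acao = hops[i].headers["access-control-allow-origin"];
    if (acao === undefined) return { ok: false, failedAt: i, reason: "missing" };
    if (acao !== "*" && acao !== sent) return { ok: false, failedAt: i, reason: "mismatch" };
  }
  return { ok: true, failedAt: -1, reason: "" };
}

const PAGE_ORIGIN = "http://localhost"; // origin of app1/index.html
const AUTH_URL = "http://localhost-auth:8080/auth/realms/test/protocol/openid-connect/auth";

// Chain as reported (assumed): the "cors" app redirects the XHR to Keycloak.
const reportedChain = [
  { url: "http://localhost/cors/test.txt", headers: { location: AUTH_URL } },
  { url: AUTH_URL, headers: { "content-type": "text/html" } },
];

// Same chain with the header the poster expected on the Keycloak response.
const expectedChain = [
  reportedChain[0],
  { url: AUTH_URL, headers: { "access-control-allow-origin": PAGE_ORIGIN } },
];

console.log(checkChain(PAGE_ORIGIN, reportedChain));
console.log(checkChain(PAGE_ORIGIN, expectedChain));
```

The first hop is same-origin and needs no CORS header; the check only starts once the redirect leaves http://localhost, which is why the error names the Keycloak URL rather than test.txt.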