[keycloak-user] Cors not working Final 1.2

Stian Thorgersen stian at redhat.com
Fri May 29 03:19:13 EDT 2015


I assume you've secured http://localhost/app1 and http://localhost/cors with the Keycloak Tomcat adapter?

For the cors app you should select bearer-only as the client type; that'll prevent the redirect with XMLHttpRequest. Bearer-only applications are "services" that only verify tokens sent in the request, but don't allow users to log in directly. You also need to make sure that http://localhost/cors/test.txt is secured properly, in web.xml if that's how you secure it. Once deployed, check that you can visit http://localhost/cors/test.txt in the browser.

The next step would be to make sure http://localhost/app1 sends the bearer token in the Authorization header when invoking cors/test.txt.

----- Original Message -----
> From: "Henk Laracker" <Henk.Laracker at planonsoftware.com>
> To: "Stian Thorgersen" <stian at redhat.com>
> Cc: "Mark Bertels" <Mark.Bertels at planonsoftware.com>, keycloak-user at lists.jboss.org
> Sent: Thursday, May 28, 2015 8:18:31 PM
> Subject: Re: [keycloak-user] Cors not working Final 1.2
> 
> I understand, but we have some weird behaviour once we've logged in to
> http://localhost/app1/index.html .
> 
> If you first login on http://localhost/app1/index.html , then go directly
> to http://localhost/cors/test.txt we are able to see the txt file without
> logging in.
> When we go back to http://localhost/app1/index.html it's working as
> intended, and we get no keycloak redirect.
> 
> 
> 
> 
> On 28/05/15 14:01, "Stian Thorgersen" <stian at redhat.com> wrote:
> 
> >Looks like what's happening is that you're doing an XMLHttpRequest to a
> >resource that requires authentication. In this case the adapter returns a
> >302 and it'll be redirected to the login screen on the Keycloak server.
> >
> >The login screen is not expected to be invoked with XMLHttpRequest/CORS
> >so it shouldn't have CORS headers.
> >
> >Further the Keycloak adapter only adds CORS headers when a bearer token
> >is present (Authorization: Bearer ...). If you want CORS headers for
> >non-protected endpoints you'll have to add those yourself as Keycloak
> >pulls the permitted origins from the bearer token.
> >
> >Just make sure you invoke your secured endpoints with a valid bearer
> >token and it should work fine. With regards to it returning a 302 for an
> >XMLHttpRequest, that's an improvement we can do in the adapters: only do
> >that if the Accept header contains text/html.
> >
> >----- Original Message -----
> >> From: "Henk Laracker" <Henk.Laracker at planonsoftware.com>
> >> To: "Stian Thorgersen" <stian at redhat.com>
> >> Cc: "Mark Bertels" <Mark.Bertels at planonsoftware.com>,
> >>keycloak-user at lists.jboss.org
> >> Sent: Thursday, 28 May, 2015 1:38:12 PM
> >> Subject: Re: [keycloak-user] Cors not working Final 1.2
> >> 
> >> As requested:
> >> 
> >> 
> >> cors keycloak.json - http://pastebin.com/raw.php?i=n9McFRGH
> >> app1 keycloak.json - http://pastebin.com/raw.php?i=jaL0c6us
> >> 
> >> index.html  - http://pastebin.com/raw.php?i=SndsyL8F
> >> test.txt - http://pastebin.com/raw.php?i=BeaRUCHE
> >> 
> >> Thanks for looking in.
> >> 
> >> 
> >> On 28/05/15 12:22, "Stian Thorgersen" <stian at redhat.com> wrote:
> >> 
> >> >
> >> >
> >> >----- Original Message -----
> >> >> From: "Henk Laracker" <Henk.Laracker at planonsoftware.com>
> >> >> To: keycloak-user at lists.jboss.org
> >> >> Cc: "Mark Bertels" <Mark.Bertels at planonsoftware.com>
> >> >> Sent: Thursday, 28 May, 2015 12:01:47 PM
> >> >> Subject: [keycloak-user] Cors not working Final 1.2
> >> >> 
> >> >> Hi,
> >> >> 
> >> >> Cors headers missing during login procedure of keycloak
> >> >> 
> >> >> 
> >> >> ===============================
> >> >> Step 1 - Prepare keycloak realm:
> >> >> ===============================
> >> >> 
> >> >> Create a simple keycloak realm for testing,
> >> >> 
> >> >> ===============================
> >> >> Step 2 - Create a user
> >> >> ===============================
> >> >> 
> >> >> Add a user and a client to the realm
> >> >> The client should be configured as follows:
> >> >> 
> >> >> Client Protocol openid-connect
> >> >> Access Type public
> >> >> 
> >> >> Valid redirect uri's: http://localhost/*
> >> >> http://localhost
> >> >> Web origins: http://localhost/*
> >> >> http://localhost
> >> >> 
> >> >> ===============================
> >> >> Step 3 - Create test application on tomcat
> >> >> ===============================
> >> >> 
> >> >> On a given tomcat server (I'm using localhost for this example) add 2
> >> >> web applications:
> >> >> app1 with a simple index.html
> >> >> cors with a simple test.txt with the content "Some data"
> >> >> 
> >> >> The following url's are now available:
> >> >> http://localhost/app1/index.html
> >> >> http://localhost/cors/test.txt
> >> >> 
> >> >> In http://localhost/app1/index.html create javascript which loads
> >> >> data from http://localhost/cors/test.txt
> >> >> 
> >> >> If you go to http://localhost/app1/index.html now, a GET will be
> >> >> performed to http://localhost/cors/test.txt and the data is displayed
> >> >> 
> >> >> 
> >> >> ===============================
> >> >> Step 4 - Adding keycloak to the applications
> >> >> ===============================
> >> >> 
> >> >> Add keycloak configuration on "app1".
> >> >> 
> >> >> 
> >> >> Add keycloak configuration on "cors"
> >> >> Additionally, add
> >> >> "enable-cors": "true"
> >> >> to the json file.
> >> >> 
> >> >> ===============================
> >> >> Step 5 - Log in to app1
> >> >> ===============================
> >> >> 
> >> >> If you log in to app1 in a new browser the data from app "cors" will
> >> >> not be loaded. The following error will be displayed in the console
> >> >> of your browser (using chrome)
> >> >> 
> >> >> XMLHttpRequest cannot load
> >> >> 
> >> >> http://localhost-auth:8080/auth/realms/test/protocol/openid-connect/auth?
> >> >> reŠlient%2Ftest.txt&state=6%2Fa1e9817b-7f9b-4d30-ab4e-17637c9d190a&login=
> >> >> true.
> >> >> No 'Access-Control-Allow-Origin' header is present on the requested
> >> >> resource.
> >> >> Origin 'http://localhost' is therefore not allowed access.
> >> >
> >> >This request to "/protocol/openid-connect/auth" makes no sense to me.
> >> >How are you invoking this? Can you include the source for index.html?
> >> >
> >> >> 
> >> >> 
> >> >> If it loaded the data, make sure that you're logged out, or try it in
> >> >> private browsing mode.
> >> >> 
> >> >> 
> >> >> ===============================
> >> >> Expected result
> >> >> ===============================
> >> >> 
> >> >> We expected "Access-Control-Allow-Origin" to be set to the "Web
> >> >> origins", allowing for cross-application requests without editing
> >> >> existing applications.
> >> >> 
> >> >> 
> >> >> 
> >> >> Met vriendelijke groet / Yours sincerely / Mit freundlichen Grüßen /
> >> >> Très cordialement,
> >> >> 
> >> >> 
> >> >> 
> >> >> 
> >> >> Henk Laracker
> >> >> 
> >> >> _______________________________________________
> >> >> keycloak-user mailing list
> >> >> keycloak-user at lists.jboss.org
> >> >> https://lists.jboss.org/mailman/listinfo/keycloak-user
> >> 
> >>
> 
>
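To make the three outcomes discussed in this thread concrete (302 redirect to the login page when a login-capable app is hit without a token, 401 from a bearer-only service, and CORS headers only when a valid bearer token is present and the Origin is among the token's permitted origins), here is an added model of that behaviour. It is example code written for this page, not the Keycloak adapter's code or anything posted by the thread's participants. It assumes a constructed lookup table in place of real JWT signature verification, an `allowed-origins` claim on the decoded token, and a 403 for an origin the token does not permit; the login URL is taken from the error message quoted above.

```javascript
// Constructed model of the adapter behaviour described in the thread.
// Not the Keycloak adapter's real code; token verification is a stub.

const LOGIN_URL =
  'http://localhost-auth:8080/auth/realms/test/protocol/openid-connect/auth';

// Pull the raw token out of "Authorization: Bearer <token>", or null.
function extractBearer(headers) {
  const value = headers['authorization'];
  if (typeof value !== 'string') return null;
  const m = /^Bearer\s+(\S+)$/i.exec(value.trim());
  return m ? m[1] : null;
}

// Constructed stand-in for token verification. A real adapter checks the
// signature, expiry, issuer and audience before trusting any claim.
const KNOWN_TOKENS = {
  'tok-app1': {
    preferred_username: 'henk',
    // Keycloak copies the client's "Web origins" into this claim.
    'allowed-origins': ['http://localhost'],
  },
};

function verifyToken(raw) {
  return Object.prototype.hasOwnProperty.call(KNOWN_TOKENS, raw)
    ? KNOWN_TOKENS[raw]
    : null;
}

// Model of a secured resource such as /cors/test.txt.
// opts.bearerOnly: client access type is bearer-only (no login redirect).
// opts.enableCors: "enable-cors": "true" in keycloak.json.
function handleProtectedRequest(req, opts) {
  const origin = req.headers['origin'];
  const raw = extractBearer(req.headers);

  if (raw === null) {
    // No bearer token. A login-capable app redirects to the Keycloak login
    // page; that 302 carries no CORS headers, which is exactly the browser
    // error quoted in the thread. A bearer-only service answers 401 instead.
    if (opts.bearerOnly) {
      return { status: 401, headers: { 'WWW-Authenticate': 'Bearer realm="test"' }, body: '' };
    }
    return {
      status: 302,
      headers: { Location: LOGIN_URL + '?redirect_uri=' + encodeURIComponent(req.url) },
      body: '',
    };
  }

  const token = verifyToken(raw);
  if (token === null) {
    return { status: 401, headers: { 'WWW-Authenticate': 'Bearer error="invalid_token"' }, body: '' };
  }

  const headers = {};
  if (opts.enableCors && origin) {
    // Permitted origins come from the token, not from server config, so
    // without a token there is nothing to base CORS headers on.
    const allowed = token['allowed-origins'] || [];
    if (!allowed.includes(origin)) {
      return { status: 403, headers: {}, body: '' }; // model's choice for a foreign origin
    }
    headers['Access-Control-Allow-Origin'] = origin;
    headers['Access-Control-Allow-Credentials'] = 'true';
  }
  return { status: 200, headers, body: 'Some data' };
}

// What app1's page should send when it fetches cors/test.txt: the access
// token it obtained at login, in the Authorization header.
function buildCorsRequest(url, origin, accessToken) {
  return { url, headers: { origin, authorization: 'Bearer ' + accessToken } };
}
```

The useful check for a practitioner is the first branch: an XHR from app1 that carries no token never gets a usable CORS response, regardless of the "Web origins" setting, because the redirect target is the login page and the permitted origins live in the token. Switching the cors client to bearer-only turns that silent redirect into a 401 that the calling page can see and handle.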
