[keycloak-user] Cors not working Final 1.2

Stian Thorgersen stian at redhat.com
Fri May 29 10:31:05 EDT 2015



----- Original Message -----
> From: "Henk Laracker" <Henk.Laracker at planonsoftware.com>
> To: "Stian Thorgersen" <stian at redhat.com>
> Cc: "Mark Bertels" <Mark.Bertels at planonsoftware.com>, keycloak-user at lists.jboss.org
> Sent: Friday, 29 May, 2015 3:27:21 PM
> Subject: Re: [keycloak-user] Cors not working Final 1.2
> 
> 
> On 29/05/15 09:19, "Stian Thorgersen" <stian at redhat.com> wrote:
> 
> >I assume you've secured http://localhost/app1 and http://localhost/cors
> >with the Keycloak Tomcat adapter?
> 
> Yes
> 
> >
> >For the cors app you should select bearer-only as the client type; that'll
> >prevent the redirect with XMLHttpRequest. Bearer-only applications are
> >"services" that only verify tokens sent in requests, but don't allow
> >users to log in directly. You also need to make sure that
> >http://localhost/cors/test.txt is secured properly, in web.xml if that's
> >how you secure it. Once deployed, check that you can visit
> >http://localhost/cors/test.txt in the browser.
> >
> >Next step would be to make sure http://localhost/app1 sends the bearer
> >token in the authorization header when invoking cors/test.txt
> 
> This means that I have to change my application and send the token. In the
> example I can, but in real life I can't change the application. Is there
> no other way?

If you want to do an XMLHttpRequest to a secured endpoint you obviously need to include authentication details. Some JS frameworks will let you do that with interceptors without having to change your app.

> 
> >
> >----- Original Message -----
> >> From: "Henk Laracker" <Henk.Laracker at planonsoftware.com>
> >> To: "Stian Thorgersen" <stian at redhat.com>
> >> Cc: "Mark Bertels" <Mark.Bertels at planonsoftware.com>,
> >>keycloak-user at lists.jboss.org
> >> Sent: Thursday, May 28, 2015 8:18:31 PM
> >> Subject: Re: [keycloak-user] Cors not working Final 1.2
> >> 
> >> I understand, but we have some weird behaviour once we've logged in to
> >> http://localhost/app1/index.html .
> >> 
> >> If you first log in on http://localhost/app1/index.html , then go directly
> >> to http://localhost/cors/test.txt we are able to see the txt file without
> >> logging in.
> >> When we go back to http://localhost/app1/index.html it's working as
> >> intended, and we get no keycloak redirect.
> >> 
> >> 
> >> 
> >> 
> >> On 28/05/15 14:01, "Stian Thorgersen" <stian at redhat.com> wrote:
> >> 
> >> >Looks like what's happening is that you're doing an XMLHttpRequest to a
> >> >resource that requires authentication. In this case the adapter returns a
> >> >302 and it'll be redirected to the login screen on the Keycloak server.
> >> >
> >> >The login screen is not expected to be invoked with XMLHttpRequest/CORS
> >> >so it shouldn't have CORS headers.
> >> >
> >> >Further, the Keycloak adapter only adds CORS headers when a bearer token
> >> >is present (Authorization: Bearer ...). If you want CORS headers for
> >> >non-protected endpoints you'll have to add those yourself, as Keycloak
> >> >pulls the permitted origins from the bearer token.
> >> >
> >> >Just make sure you invoke your secured endpoints with a valid bearer
> >> >token and it should work fine. With regards to it returning a 302 for an
> >> >XMLHttpRequest, that's an improvement we can do in the adapters to only do
> >> >that if the Accept header contains text/html.
> >> >
> >> >----- Original Message -----
> >> >> From: "Henk Laracker" <Henk.Laracker at planonsoftware.com>
> >> >> To: "Stian Thorgersen" <stian at redhat.com>
> >> >> Cc: "Mark Bertels" <Mark.Bertels at planonsoftware.com>,
> >> >>keycloak-user at lists.jboss.org
> >> >> Sent: Thursday, 28 May, 2015 1:38:12 PM
> >> >> Subject: Re: [keycloak-user] Cors not working Final 1.2
> >> >> 
> >> >> As requested:
> >> >> 
> >> >> 
> >> >> cors keycloak.json - http://pastebin.com/raw.php?i=n9McFRGH
> >> >> app1 keycloak.json - http://pastebin.com/raw.php?i=jaL0c6us
> >> >> 
> >> >> index.html  - http://pastebin.com/raw.php?i=SndsyL8F
> >> >> test.txt - http://pastebin.com/raw.php?i=BeaRUCHE
> >> >> 
> >> >> Thanks for looking in.
> >> >> 
> >> >> 
> >> >> On 28/05/15 12:22, "Stian Thorgersen" <stian at redhat.com> wrote:
> >> >> 
> >> >> >
> >> >> >
> >> >> >----- Original Message -----
> >> >> >> From: "Henk Laracker" <Henk.Laracker at planonsoftware.com>
> >> >> >> To: keycloak-user at lists.jboss.org
> >> >> >> Cc: "Mark Bertels" <Mark.Bertels at planonsoftware.com>
> >> >> >> Sent: Thursday, 28 May, 2015 12:01:47 PM
> >> >> >> Subject: [keycloak-user] Cors not working Final 1.2
> >> >> >> 
> >> >> >> Hi,
> >> >> >> 
> >> >> >> Cors headers missing during login procedure of keycloak
> >> >> >> 
> >> >> >> 
> >> >> >> ===============================
> >> >> >> Step 1 - Prepare keycloak realm:
> >> >> >> ===============================
> >> >> >> 
> >> >> >> Create a simple keycloak realm for testing,
> >> >> >> 
> >> >> >> ===============================
> >> >> >> Step 2 - Create a user
> >> >> >> ===============================
> >> >> >> 
> >> >> >> Add a user and a client to the realm
> >> >> >> The client should be configured as follows:
> >> >> >> 
> >> >> >> Client Protocol openid-connect
> >> >> >> Access Type public
> >> >> >> 
> >> >> >> Valid redirect URIs: http://localhost/*
> >> >> >> http://localhost
> >> >> >> Web origins: http://localhost/*
> >> >> >> http://localhost
> >> >> >> 
> >> >> >> ===============================
> >> >> >> Step 3 - Create test application on tomcat
> >> >> >> ===============================
> >> >> >> 
> >> >> >> On a given tomcat server (I'm using localhost for this example) add 2 web
> >> >> >> applications:
> >> >> >> app1 with a simple index.html
> >> >> >> cors with a simple test.txt with the content "Some data"
> >> >> >> 
> >> >> >> The following url's are now available:
> >> >> >> http://localhost/app1/index.html
> >> >> >> http://localhost/cors/test.txt
> >> >> >> 
> >> >> >> In http://localhost/app1/index.html create javascript which loads data from
> >> >> >> http://localhost/cors/test.txt
> >> >> >> 
> >> >> >> If you go to http://localhost/app1/index.html now, a GET will be performed to
> >> >> >> http://localhost/cors/test.txt and the data is displayed
> >> >> >> 
> >> >> >> 
> >> >> >> ===============================
> >> >> >> Step 4 - Adding keycloak to the applications
> >> >> >> ===============================
> >> >> >> 
> >> >> >> Add keycloak configuration on "app1".
> >> >> >> 
> >> >> >> 
> >> >> >> Add keycloak configuration on "cors"
> >> >> >> Additionally, add
> >> >> >> "enable-cors": "true"
> >> >> >> to the json file.
> >> >> >> 
> >> >> >> ===============================
> >> >> >> Step 5 - Log in to app1
> >> >> >> ===============================
> >> >> >> 
> >> >> >> If you log in to app1 in a new browser the data from app "cors" will not be
> >> >> >> loaded. The following error will be displayed in the console of your browser
> >> >> >> (using chrome)
> >> >> >> 
> >> >> >> XMLHttpRequest cannot load
> >> >> >> http://localhost-auth:8080/auth/realms/test/protocol/openid-connect/auth?reŠlient%2Ftest.txt&state=6%2Fa1e9817b-7f9b-4d30-ab4e-17637c9d190a&login=true.
> >> >> >> No 'Access-Control-Allow-Origin' header is present on the requested
> >> >> >> resource.
> >> >> >> Origin 'http://localhost' is therefore not allowed access.
> >> >> >
> >> >> >This request to "/protocol/openid-connect/auth" makes no sense to me. How
> >> >> >are you invoking this? Can you include the source for index.html?
> >> >> >
> >> >> >> 
> >> >> >> 
> >> >> >> If it loaded the data, make sure that you're logged out, or try it in private
> >> >> >> browsing mode.
> >> >> >> 
> >> >> >> 
> >> >> >> ===============================
> >> >> >> Expected result
> >> >> >> ===============================
> >> >> >> 
> >> >> >> We expected "Access-Control-Allow-Origin" to be set to the "Web origins",
> >> >> >> allowing for cross-application requests without editing existing
> >> >> >> applications.
> >> >> >> 
> >> >> >> 
> >> >> >> 
> >> >> >> Met vriendelijke groet / Yours sincerely / Mit freundlichen Grüßen / Très
> >> >> >> cordialement,
> >> >> >> 
> >> >> >> 
> >> >> >> 
> >> >> >> 
> >> >> >> Henk Laracker
> >> >> >> 
> >> >> >> _______________________________________________
> >> >> >> keycloak-user mailing list
> >> >> >> keycloak-user at lists.jboss.org
> >> >> >> https://lists.jboss.org/mailman/listinfo/keycloak-user
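The decisions Stian describes above (a bearer-only service answers 401 instead of redirecting, the login-capable app's 302 should only be sent when the caller accepts HTML, and CORS headers are emitted only when a bearer token is present and the request's Origin is among the permitted origins carried in that token) can be written out as a small decision function. What follows is an added example, not Keycloak adapter code and not from the thread: it only decodes the JWT payload (a real adapter also verifies the signature against the realm key), the "allowed-origins" claim is the one Keycloak access tokens carry for the client's Web Origins, the tokens and the fixed clock are constructed for the demo, and returning 403 for an unlisted origin is this model's own choice.

```javascript
// Added example (not Keycloak's code): model of the adapter decisions
// described in the thread for one request to a protected resource.
// Signature verification is out of scope; only the payload is decoded.

const FIXED_NOW = 1432900000; // constructed "current time" in seconds

function b64url(str) {
  return Buffer.from(str).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Build a constructed, unsigned token so the example runs offline.
function makeUnsignedToken(claims) {
  return `${b64url(JSON.stringify({ alg: 'none', typ: 'JWT' }))}.${b64url(JSON.stringify(claims))}.sig`;
}

function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  try {
    const json = Buffer.from(parts[1].replace(/-/g, '+').replace(/_/g, '/'), 'base64').toString('utf8');
    return JSON.parse(json);
  } catch (err) {
    return null;
  }
}

function bearerToken(headers) {
  const m = /^Bearer\s+(\S+)$/i.exec(headers.authorization || '');
  return m ? m[1] : null;
}

// req: { headers: { authorization?, origin?, accept? } }
// cfg: { bearerOnly: boolean, loginUrl: string, now: number }
function handleProtected(req, cfg) {
  const token = bearerToken(req.headers);
  const claims = token ? decodeJwtPayload(token) : null;
  const valid = !!claims && typeof claims.exp === 'number' && claims.exp > cfg.now;

  if (!valid) {
    // A bearer-only service never redirects to the login page. A login-capable
    // app does, which is the 302 the browser choked on; following Stian's
    // suggested improvement, redirect only when the caller accepts HTML.
    const wantsHtml = (req.headers.accept || '').includes('text/html');
    if (cfg.bearerOnly || !wantsHtml) {
      return { status: 401, headers: { 'WWW-Authenticate': 'Bearer realm="test"' } };
    }
    return { status: 302, headers: { Location: cfg.loginUrl } };
  }

  const origin = req.headers.origin;
  const allowed = Array.isArray(claims['allowed-origins']) ? claims['allowed-origins'] : [];
  const headers = { Vary: 'Origin' };
  if (origin) {
    // Cross-origin call: permitted origins come from the token, not from a
    // static server-side list. Unlisted origins are rejected outright here
    // (this model's choice, not a statement about the real adapter).
    if (!allowed.includes(origin)) return { status: 403, headers: {} };
    headers['Access-Control-Allow-Origin'] = origin;
    headers['Access-Control-Allow-Credentials'] = 'true';
  }
  return { status: 200, headers, body: 'Some data' };
}

// Constructed tokens matching the thread's client (Web Origins http://localhost).
const GOOD_TOKEN = makeUnsignedToken({ exp: FIXED_NOW + 300, 'allowed-origins': ['http://localhost'], preferred_username: 'henk' });
const EXPIRED_TOKEN = makeUnsignedToken({ exp: FIXED_NOW - 1, 'allowed-origins': ['http://localhost'] });

const CORS_CFG = { bearerOnly: true, loginUrl: 'http://localhost-auth:8080/auth/realms/test/protocol/openid-connect/auth', now: FIXED_NOW };
const APP1_CFG = { ...CORS_CFG, bearerOnly: false };

function demo() {
  const get = (headers) => ({ headers });
  return {
    bearerOnlyNoToken: handleProtected(get({ accept: '*/*', origin: 'http://localhost' }), CORS_CFG).status,
    loginAppBrowserNav: handleProtected(get({ accept: 'text/html,*/*' }), APP1_CFG).status,
    loginAppXhr: handleProtected(get({ accept: 'application/json' }), APP1_CFG).status,
    goodTokenAllowedOrigin: handleProtected(get({ authorization: `Bearer ${GOOD_TOKEN}`, origin: 'http://localhost' }), CORS_CFG),
    goodTokenOtherOrigin: handleProtected(get({ authorization: `Bearer ${GOOD_TOKEN}`, origin: 'http://evil.example' }), CORS_CFG).status,
    expiredToken: handleProtected(get({ authorization: `Bearer ${EXPIRED_TOKEN}`, origin: 'http://localhost' }), CORS_CFG).status,
  };
}
```

Run `demo()` in Node: the bearer-only service returns 401 for the token-less XHR instead of a 302 to the auth endpoint (so the browser never hits the login page without CORS headers), a browser navigation to the login-capable app still gets its 302, and only a request that carries a token listing `http://localhost` in `allowed-origins` receives `Access-Control-Allow-Origin`.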



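Stian's remark that an interceptor can attach the bearer token without editing the application is the client-side half of the fix. The following is an added example, not code from the thread or from the Keycloak project: it wraps an XMLHttpRequest-like prototype so every request to a configured set of origins gets an `Authorization: Bearer` header, while requests to other origins are left alone so the token is not leaked to third parties. The `FakeXhr` class is a constructed stand-in so the block runs under Node; in a browser one would pass `XMLHttpRequest.prototype` and a token getter such as `() => keycloak.token` from the keycloak.js adapter.

```javascript
// Added example (not Keycloak's code): transparent bearer-token interceptor
// for an XMLHttpRequest-like prototype. The host page needs no changes;
// install it once after the token is available.

function originOf(url, pageOrigin) {
  // Resolve relative URLs ("/cors/test.txt") against the page origin.
  return new URL(url, pageOrigin).origin;
}

// options: { getToken: () => string|null, protectedOrigins: string[], pageOrigin: string }
function installBearerInterceptor(XhrProto, options) {
  const { getToken, protectedOrigins, pageOrigin } = options;
  const allowed = new Set(protectedOrigins);
  const origOpen = XhrProto.open;
  const origSend = XhrProto.send;

  XhrProto.open = function (method, url, ...rest) {
    // Record the target origin; the header is added at send() time so the
    // freshest token is used (it may have been refreshed in between).
    this.__bearerTarget = originOf(url, pageOrigin);
    return origOpen.call(this, method, url, ...rest);
  };

  XhrProto.send = function (body) {
    const token = getToken();
    // Attach the token only to trusted origins: sending it to arbitrary
    // third-party hosts (CDNs, analytics) would hand them a valid bearer token.
    if (token && this.__bearerTarget && allowed.has(this.__bearerTarget)) {
      this.setRequestHeader('Authorization', 'Bearer ' + token);
    }
    return origSend.call(this, body);
  };

  // Return an uninstaller so the wrapping can be undone (tests, logout).
  return function uninstall() {
    XhrProto.open = origOpen;
    XhrProto.send = origSend;
  };
}

// Constructed stand-in for the browser's XMLHttpRequest (records, does not send).
class FakeXhr {
  constructor() { this.headers = {}; this.sent = false; }
  open(method, url) { this.method = method; this.url = url; }
  setRequestHeader(name, value) { this.headers[name] = value; }
  send(body) { this.sent = true; this.body = body; }
}

function demo() {
  const uninstall = installBearerInterceptor(FakeXhr.prototype, {
    getToken: () => 'constructed.access.token',   // placeholder, not a real JWT
    protectedOrigins: ['http://localhost'],         // where the bearer-only cors app lives
    pageOrigin: 'http://localhost',                 // origin of app1/index.html
  });

  const protectedReq = new FakeXhr();
  protectedReq.open('GET', '/cors/test.txt');
  protectedReq.send();

  const thirdParty = new FakeXhr();
  thirdParty.open('GET', 'https://cdn.example.com/lib.js');
  thirdParty.send();

  uninstall();

  const afterUninstall = new FakeXhr();
  afterUninstall.open('GET', '/cors/test.txt');
  afterUninstall.send();

  return {
    protectedHeader: protectedReq.headers.Authorization,
    thirdPartyHeader: thirdParty.headers.Authorization,
    afterUninstallHeader: afterUninstall.headers.Authorization,
    allSent: protectedReq.sent && thirdParty.sent && afterUninstall.sent,
  };
}
```

With keycloak.js the getter would be `() => keycloak.token`, and a 401 from the bearer-only service is the cue to call `keycloak.updateToken(...)` and retry rather than to follow any redirect.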