[keycloak-user] update token: CORS error after session timeout

Tair Sabirgaliev tair.sabirgaliev at bee.kz
Wed Sep 30 04:08:41 EDT 2015


Hi, 

I'm integrating a web application using angularjs 1.4.6 and keycloak 1.5.0.
The application and keycloak app-servers are on different ports.
The application works ok when the session is not expired.
After session expiration, keycloak.updateToken() fails with
400 Bad Request. Chrome shows the following in the console:

XMLHttpRequest cannot load http://localhost:8080/auth/realms/demo/protocol/openid-connect/token. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:9080' is therefore not allowed access. The response had HTTP status code 400. 

The behavior is the same with Safari and Firefox.

If I get it right, this 400 response from keycloak shouldn't be
interpreted as a CORS failure by browsers?

This is the keycloak response when the session is alive:

    --> HTTP/1.1 200 OK
        X-Powered-By: Undertow/1
        Server: WildFly/9
        Access-Control-Expose-Headers: Access-Control-Allow-Methods
        Date: Tue, 29 Sep 2015 04:54:52 GMT
        Connection: keep-alive
        Access-Control-Allow-Origin: http://localhost:9080
        Access-Control-Allow-Credentials: true
        Transfer-Encoding: chunked
        Content-Type: application/json

And this one with the session expired:

    --> HTTP/1.1 400 Bad Request
        Connection: keep-alive
        X-Powered-By: Undertow/1
        Server: WildFly/9
        Transfer-Encoding: chunked
        Content-Type: application/json
        Date: Tue, 29 Sep 2015 04:55:03 GMT

So my concerns are: 

1. Why do CORS headers depend on session validity? This caused much confusion for me,
because I thought there was a problem with CORS, until I understood this was a session problem.

2. I think it would also be great to have some more context on error responses
(like returning some JSON with an error description), because HTTP responses are too generic.

-- 
Tair Sabirgaliev
Bee Software, LLP
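The confusion described above has a concrete cause on the client side: when the 400 arrives without an Access-Control-Allow-Origin header, the browser withholds the whole response from the page (XMLHttpRequest reports status 0, fetch() rejects with a TypeError), so the application never sees the 400 or its body and can only tell that "something failed". The following is an added example, not code from the post or from the Keycloak project, showing how a client can classify a failed refresh so that both the readable case (a 400 with the RFC 6749 error body) and the unreadable case (the CORS-blocked response) end in the same safe action, re-authentication, while a 5xx is retried instead of dropping the session. The token URL is the one from the post; the client_id value, the injectable fetch implementation and the action labels are assumptions for the example.

```javascript
// Added example (not from the post): handling a failed token refresh in the
// browser so that an unreadable 400 is treated as "session expired" rather
// than as a CORS misconfiguration. The client_id and the injectable fetch are
// assumptions; the token URL is the one from the post.

const TOKEN_URL =
  'http://localhost:8080/auth/realms/demo/protocol/openid-connect/token';

// Outcomes the application can act on.
const Outcome = Object.freeze({
  REFRESHED: 'refreshed',             // new tokens obtained
  SESSION_EXPIRED: 'session_expired', // refresh token rejected; re-login needed
  BLOCKED: 'blocked',                 // browser hid the response (CORS/network)
  SERVER_ERROR: 'server_error',       // 5xx; retry later, keep the session
});

// Pure classifier over a plain {status, body} object so it can be tested
// without a browser. status 0 is what XMLHttpRequest reports when the browser
// blocks the response for CORS reasons: the 400 exists on the wire, but the
// page is never allowed to read its status or body.
function classifyTokenResponse({ status, body }) {
  if (status === 0) {
    return { outcome: Outcome.BLOCKED, reason: 'cors_or_network' };
  }
  if (status >= 200 && status < 300 && body && typeof body.access_token === 'string') {
    return { outcome: Outcome.REFRESHED, reason: null };
  }
  if (status >= 500) {
    return { outcome: Outcome.SERVER_ERROR, reason: `http_${status}` };
  }
  // RFC 6749 section 5.2: a 400 from the token endpoint carries a JSON body
  // with an "error" member; invalid_grant covers an expired or revoked
  // refresh token. Any other 4xx is treated the same way: the session is gone.
  const reason = body && typeof body.error === 'string' ? body.error : `http_${status}`;
  return { outcome: Outcome.SESSION_EXPIRED, reason };
}

// Performs the refresh and routes every failure path through the classifier.
// fetch() rejects with a TypeError when the browser blocks a cross-origin
// response, which is the path the 400 from the post takes.
async function refreshAccessToken(refreshToken, fetchImpl = globalThis.fetch, tokenUrl = TOKEN_URL) {
  const params = new URLSearchParams({
    grant_type: 'refresh_token',
    client_id: 'demo-client', // assumption: the post does not name the client
    refresh_token: refreshToken,
  });
  let res;
  try {
    res = await fetchImpl(tokenUrl, {
      method: 'POST',
      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
      body: params.toString(),
    });
  } catch (err) {
    // Neither a status nor a body is exposed to the page in this branch.
    return classifyTokenResponse({ status: 0, body: null });
  }
  let body = null;
  try {
    body = await res.json();
  } catch (err) {
    // Empty or non-JSON body: classify on the status alone.
  }
  return classifyTokenResponse({ status: res.status, body });
}

// Maps an outcome to the application's next step. Returns a label so the
// decision is testable; a real app would clear its stored tokens and send the
// user back to the login page (e.g. keycloak.login()) instead of returning it.
function nextAction(result) {
  switch (result.outcome) {
    case Outcome.REFRESHED:
      return 'continue';
    case Outcome.SERVER_ERROR:
      return 'retry-later';
    default: // SESSION_EXPIRED and BLOCKED are handled the same way
      return 'clear-tokens-and-login';
  }
}
```

The design point is that the application must not wait for a readable error before giving up on the session: as long as the server omits CORS headers on error responses, the only signal the page gets is the opaque failure, and treating it as "re-authenticate" is the safe default. Logging `reason` separately keeps the distinction visible in the browser console for whoever has to debug it, which is what the missing error description in the post made hard.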