[keycloak-user] update token: CORS error after session timeout

Marek Posolda mposolda at redhat.com
Wed Sep 30 06:15:21 EDT 2015


Hi,

it seems we are not adding CORS headers to error responses. Could you 
create a JIRA for it? We are returning JSON with error descriptions and 
details; the only issue is that you were not able to read those error 
details due to the missing CORS headers.

Marek

On 30/09/15 10:08, Tair Sabirgaliev wrote:
> Hi,
>
> I’m integrating a web application using angularjs 1.4.6 and keycloak 
> 1.5.0.
> The application and keycloak app-servers are on different ports.
> The application works ok when the session is not expired.
> After session expiration keycloak.updateToken() fails with
> 400 Bad Request. Chrome shows the following in the console:
>
> XMLHttpRequest cannot load 
> http://localhost:8080/auth/realms/demo/protocol/openid-connect/token. 
> No 'Access-Control-Allow-Origin' header is present on the requested 
> resource. Origin 'http://localhost:9080' is 
> therefore not allowed access. The response had HTTP status code 400.
>
> The behavior is same with Safari and Firefox.
>
> If I get it right, this 400 response from keycloak shouldn't be
> interpreted as a CORS failure by browsers?
>
> This is the keycloak response when the session is alive:
>
>                  --> HTTP/1.1 200 OK
>                      X-Powered-By: Undertow/1
>                      Server: WildFly/9
>                      Access-Control-Expose-Headers: Access-Control-Allow-Methods
>                      Date: Tue, 29 Sep 2015 04:54:52 GMT
>                      Connection: keep-alive
>                      Access-Control-Allow-Origin: http://localhost:9080
>                      Access-Control-Allow-Credentials: true
>                      Transfer-Encoding: chunked
>                      Content-Type: application/json
>
> And this one with the session expired:
>
>                 --> HTTP/1.1 400 Bad Request
>                     Connection: keep-alive
>                     X-Powered-By: Undertow/1
>                     Server: WildFly/9
>                     Transfer-Encoding: chunked
>                     Content-Type: application/json
>                     Date: Tue, 29 Sep 2015 04:55:03 GMT
>
> So my concerns are:
>
> 1. Why do CORS headers depend on session validity? This caused much 
> confusion for me,
> because I thought there was a problem with CORS, until I understood 
> this was a session problem.
>
> 2. I think it would also be great to have some more context on error 
> responses
> (like returning some JSON with an error description), because the HTTP 
> responses are too generic.
>
> -- 
> Tair Sabirgaliev
> Bee Software, LLP
>
>
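As an added illustration of the behaviour discussed above (example code, not Keycloak's or keycloak.js's own), the block below models the token endpoint with and without CORS headers on its 400 error, and the browser's CORS check for a credentialed request, to show why the JSON error body is unreadable from script when the headers are omitted. The allowed origin, token values and error description are constructed for the example.

```javascript
// Constructed: the application's origin from the thread.
const ALLOWED_ORIGINS = new Set(['http://localhost:9080']);

// CORS headers for a credentialed request: echo the exact origin, never '*'.
function corsHeaders(origin) {
  if (!ALLOWED_ORIGINS.has(origin)) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Simplified token endpoint. corsOnErrors=false reproduces the behaviour in
// the thread (CORS headers only on 200); corsOnErrors=true is the fix
// (CORS headers on every response, including errors).
function tokenEndpoint(origin, sessionValid, corsOnErrors) {
  const base = { 'Content-Type': 'application/json' };
  if (sessionValid) {
    return { status: 200, headers: { ...base, ...corsHeaders(origin) },
             body: { access_token: 'constructed-token', expires_in: 300 } };
  }
  const headers = corsOnErrors ? { ...base, ...corsHeaders(origin) } : base;
  return { status: 400, headers,
           body: { error: 'invalid_grant',            // constructed error body
                   error_description: 'Session is not active' } };
}

// Browser-side CORS check for a credentialed XHR: the header must echo the
// page's origin exactly (a wildcard is rejected when credentials are sent),
// and the check is applied to every status code, so a 400 without the header
// is opaque to script regardless of its JSON body.
function browserCanRead(origin, response) {
  const allow = response.headers['Access-Control-Allow-Origin'];
  if (allow === undefined || allow === '*') return false;
  return allow === origin;
}

// What a client such as keycloak.updateToken() can observe for each case.
function clientOutcome(origin, sessionValid, corsOnErrors) {
  const res = tokenEndpoint(origin, sessionValid, corsOnErrors);
  if (!browserCanRead(origin, res)) {
    // Surfaces as a network/CORS error with status 0 and no body.
    return { kind: 'network-error', status: 0, body: null };
  }
  return { kind: res.status === 200 ? 'ok' : 'error', status: res.status, body: res.body };
}
```

With `corsOnErrors=false` the expired-session case yields `network-error` with no body, which is the confusing result reported above; with `corsOnErrors=true` the client receives the 400 and its `invalid_grant` body and can distinguish an expired session from a real CORS misconfiguration.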
