[keycloak-user] Keycloak-spring-boot-adapter CORS bug?

Sebastien Blanc sblanc at redhat.com
Thu Nov 3 04:44:05 EDT 2016

Hi !

Before looking at the CORS stuff let's check how you have set up your
keycloak configuration ? The example you refer to is : a SpringBoot REST
service and a JS frontend, which means :

- Your REST service must be a particular keyloak client with bearer-only.

- Your frontend service must be a particular keycloak client, and your JS
app should use the keycloak.js adapter. From that client you will be
redirected to the keycloak login page, after it redirects back you have to
pass the token in the header before doing your backend call.

Regarding cors config in the properties file, these are not relevant for
the SpringBoot adapter (we need to document that or make it work ;) ) but
configuring CORS directly in SB should be enough.

Regarding your SB 1.4.1 , this has been reported and fixed, it will be
available in the next KC release.


On Thu, Nov 3, 2016 at 8:53 AM, Björn Janson <bjorn.j.janson at gmail.com>

> Hello all,
> I'm building an application with a Spring Boot (1.4.0) resource service and
> AngularJS (1.5.8) front-end. Both are separate projects and run on
> different ports. Therefore I applied global Spring Boot CORS configuration
> as instructed on this page: https://spring.io/guides/gs/rest-service-cors/
> . This works fine. When I want to secure my application using Keycloak I
> get a No 'Access-Control-Allow-Origin' header 401 when my front-end wants
> to retrieve data from the service.
> Because I'm using keycloak-spring-boot-adapter the configuration has to be
> done in the application.properties. I added these lines:
> keycloak.cors = true
> keycloak.cors-max-age = 1000
> keycloak.cors-allowed-methods = POST, PUT, DELETE, GET
> These didn't give an error. (keycloak.enable-cors = true did). Still, I get
> a 401 with a No 'Access-Control-Allow-Origin' error.
> I tried several versions of the keycloak-spring-boot-adapter as well as
> Spring Boot 1.4.1 (which actually resulted in an internal error as
> described here:
> http://stackoverflow.com/questions/39794779/how-do-i-
> configure-the-spring-boot-quickstart-for-keycloak).
> I tried disabling the Spring Boot CORS configuration. I also tried to
> minimize the lines in my application.properties and only adding
> keycloak.cors
> = true for CORS configuration. All didn't work.
> I'm just starting out with Keycloak so I don't know if I'm missing
> something or that I actually stumbled upon a bug. Is there anyone who might
> be able to help me?
> Kind regards,
> Björn
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

More information about the keycloak-user mailing list