[keycloak-user] Keycloak-spring-boot-adapter CORS bug?

Björn Janson bjorn.j.janson at gmail.com
Thu Nov 3 06:33:27 EDT 2016

Hello Sebastien,

Thank you for the quick reply. I did configure the JS app using the
keycloak.js adapter, and the REST service as a client with bearer-only. I
redid all my configuration again and for some reason I got right what I did
wrong the last two nights I was working on it... Unfortunately I'm still
clueless as to what I did wrong (I didn't commit my code which produced the
error). I think I didn't configure the AngularJS $http Authorization header
properly the times I got the REST service settings right.

Trying to reproduce my error I got the feeling that the CORS config in
application.properties is relevant after all. Taking the following steps
produced a 401:
- Remove CORS config from application.properties and restart the service
- Clear browser cache and restart the browser
- Visit the frontend application and successfully log in using Keycloak
- After the redirect back to the AngularJS homepage the REST service
response was a 401

Then, adding back the CORS config in application.properties, restarting the
service, clearing browser cache, restarting browser and logging in resulted
in a 200.

I repeated these steps several times and didn't change any other code or
settings. So I think configuring CORS in Spring Boot is not sufficient
after all.

Kind regards and thanks once more,

2016-11-03 9:44 GMT+01:00 Sebastien Blanc <sblanc at redhat.com>:

> Hi !
> Before looking at the CORS stuff let's check how you have set up your
> keycloak configuration ? The example you refer to is : a SpringBoot REST
> service and a JS frontend, which means :
> - Your REST service must be a particular keycloak client with bearer-only.
> - Your frontend service must be a particular keycloak client, and your JS
> app should use the keycloak.js adapter. From that client you will be
> redirected to the keycloak login page, after it redirects back you have to
> pass the token in the header before doing your backend call.
> Regarding cors config in the properties file, these are not relevant for
> the SpringBoot adapter (we need to document that or make it work ;) ) but
> configuring CORS directly in SB should be enough.
> Regarding your SB 1.4.1 , this has been reported and fixed, it will be
> available in the next KC release.
> Sebi
> On Thu, Nov 3, 2016 at 8:53 AM, Björn Janson <bjorn.j.janson at gmail.com>
> wrote:
>> Hello all,
>> I'm building an application with a Spring Boot (1.4.0) resource service and
>> AngularJS (1.5.8) front-end. Both are separate projects and run on
>> different ports. Therefore I applied global Spring Boot CORS configuration
>> as instructed on this page: https://spring.io/guides/gs/rest-service-cors/.
>> This works fine. When I want to secure my application using Keycloak I
>> get a No 'Access-Control-Allow-Origin' header 401 when my front-end wants
>> to retrieve data from the service.
>> Because I'm using keycloak-spring-boot-adapter the configuration has to be
>> done in the application.properties. I added these lines:
>> keycloak.cors = true
>> keycloak.cors-max-age = 1000
>> keycloak.cors-allowed-methods = POST, PUT, DELETE, GET
>> These didn't give an error. (keycloak.enable-cors = true did). Still, I get
>> a 401 with a No 'Access-Control-Allow-Origin' error.
>> I tried several versions of the keycloak-spring-boot-adapter as well as
>> Spring Boot 1.4.1 (which actually resulted in an internal error as
>> described here:
>> http://stackoverflow.com/questions/39794779/how-do-i-configure-the-spring-boot-quickstart-for-keycloak).
>> I tried disabling the Spring Boot CORS configuration. I also tried to
>> minimize the lines in my application.properties and only adding
>> keycloak.cors = true for CORS configuration. All didn't work.
>> I'm just starting out with Keycloak so I don't know if I'm missing
>> something or that I actually stumbled upon a bug. Is there anyone who might
>> be able to help me?
>> Kind regards,
>> Björn
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
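
Added example, not part of the thread and not Keycloak or Spring code: a small classifier that applies the browser's CORS checks to a captured preflight and reply, to tell apart the two causes discussed above (missing CORS headers versus a missing or rejected bearer token). The function names, verdict strings, origin and sample exchanges are all constructed, and it assumes requests are sent without cookies.

```javascript
// Added example: classify a captured CORS exchange the way a browser would.
// Names (diagnose, verdict strings) and all sample data are constructed.

// HTTP header names are case-insensitive; normalise them once.
function lower(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers || {})) out[k.toLowerCase()] = String(v);
  return out;
}

// Does the response carry an Access-Control-Allow-Origin admitting `origin`?
// Assumes requests without cookies (withCredentials off), so "*" is accepted.
function allowsOrigin(res, origin) {
  const acao = lower(res.headers)['access-control-allow-origin'];
  return acao === origin || acao === '*';
}

function diagnose(origin, preflight, actual) {
  // Browsers send the OPTIONS preflight without the Authorization header,
  // so a service that demands a token on OPTIONS fails at this step.
  if (preflight.status < 200 || preflight.status > 299) return 'preflight-rejected';
  if (!allowsOrigin(preflight, origin)) return 'preflight-missing-allow-origin';
  // Authorization is not a safelisted header: it must be listed explicitly.
  const allowed = (lower(preflight.headers)['access-control-allow-headers'] || '')
    .split(',').map((h) => h.trim().toLowerCase());
  if (!allowed.includes('authorization')) return 'authorization-header-not-allowed';
  // The real request went out. Without Allow-Origin on the reply the browser
  // reports a CORS error and the script never sees the status code.
  if (!allowsOrigin(actual, origin)) {
    return actual.status === 401 ? 'token-rejected-and-reply-lacks-cors' : 'reply-lacks-cors';
  }
  return actual.status === 401 ? 'token-missing-or-invalid' : 'ok';
}

const ORIGIN = 'http://localhost:9000'; // constructed front-end origin
const okPreflight = { status: 200, headers: {
  'Access-Control-Allow-Origin': ORIGIN,
  'Access-Control-Allow-Headers': 'Authorization, Content-Type' } };
const cases = {
  optionsNeedsToken: [{ status: 401, headers: {} }, null],
  bare401: [okPreflight, { status: 401, headers: {} }],
  badToken: [okPreflight, { status: 401, headers: { 'access-control-allow-origin': ORIGIN } }],
  working: [okPreflight, { status: 200, headers: { 'access-control-allow-origin': ORIGIN } }],
};
for (const [name, [pre, act]] of Object.entries(cases)) {
  console.log(name.padEnd(18), diagnose(ORIGIN, pre, act));
}
```

Feed it the status and headers copied from the browser's network tab for the OPTIONS request and for the request that follows it.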
