[keycloak-user] No 'Access-Control-Allow-Origin' header is present on the requested resource

James Falkner jfalkner at redhat.com
Thu Nov 17 17:50:56 EST 2016


Hey Grant - if it's a protected URL, and you've configured web origins
correctly for the client, and the adapter, and the browser is sending the
right stuff - then Keycloak adapter *should* add the CORS headers. I have a
few demos I've created that work in this way, but they all use the official
Red Hat SSO product, based on Keycloak 1.9.4.

If you use "curl" with the same headers, does it fail too? See the end of
http://blog.keycloak.org/2015/10/getting-started-with-keycloak-securing.html
for an example of how to obtain a token and issue a request using curl.

-James

On Wed, Nov 16, 2016 at 2:51 PM, Grant Marrow <grantmarrow at gmail.com> wrote:

> Hi James
>
> Yes, I have used the chrome and firefox postmaster addon to process the
> same HTTP GET request to my rest service.
>
> During this request I added the authorisation bearer header with a valid
> token and it still returned the same error.
>
> The only time it worked was when I stripped out keycloak completely and
> just added the standard cors configuration in the web.xml of my service.
> That's why I'm leaning to the fact that it might be a keycloak error.
>
> Regards
> Grant
> On 16 Nov 2016 21:39, "James Falkner" <jfalkner at redhat.com> wrote:
>
>> In the developer console in your browser, can you verify that the proper
>> Authorization header is being passed in the REST call? Something like
>> 'Authorization: bearer <token>'.
>>
>> -James
>>
>> Grant Marrow <grantmarrow at gmail.com>
>> November 16, 2016 at 2:22 PM
>> I'm familiar with cors. I have used the exact same setup with versions
>> 1.3, 1.4 and 1.9 of keycloak. This problem has started since I upgraded
>> to version 2.3 of keycloak.
>>
>> I have also tried adding the cors-enabled-headers and cors-enabled-methods
>> properties to the keycloak.json file on my rest service application and
>> that did not work as well.
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>> Chris Savory <chris.savory at edlogics.com>
>> November 16, 2016 at 2:11 PM
>> This doesn’t appear to be Keycloak related at all. This is just CORS
>> errors on your API.
>>
>> Try reading up here for some more background.
>> https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS
>>
>> But in short, what you need to do is have your API respond with a couple
>> of headers; primarily the 'Access-Control-Allow-Origin' header so the
>> browser knows that XHR calls to the domain http://localhost:8081 are
>> allowed to be called from pages that are served off of the domain
>> http://localhost:9000
>>
>> --
>> Christopher Savory
>> Software Engineer | EdLogics
>> www.edlogics.com
>>
>>
>>
>>
>> From: Grant Marrow <grantmarrow at gmail.com>
>> Date: Wednesday, November 16, 2016 at 2:07 PM
>> To: Chris Savory <chris.savory at edlogics.com>,
>> "keycloak-user at lists.jboss.org" <keycloak-user at lists.jboss.org>
>> Subject: Re: [keycloak-user] No 'Access-Control-Allow-Origin' header is
>> present on the requested resource
>>
>> Ok below is a step by step of events:
>> 1. User navigates to web application at http://localhost:9000
>> 2. User clicks the sign in button at http://localhost:9000/login
>> 3. User is redirected to keycloak at http://localhost:8080 to login
>> 4. Once signed in the user is redirected to http://localhost:9000
>> 5. Authenticated User navigates to registrations page at
>> http://localhost:9000/registrations. During this step a http GET request
>> is done to http://localhost:8081/leap-service/resouces/private/registrations.
>> At the above step the error occurs. Please let me know if you need more
>> information. Thanks
>> Regards
>> Grant
>> On 16 Nov 2016 20:26, "Grant Marrow" <grantmarrow at gmail.com> wrote:
>> Hi Chris
>> Thanks for getting back to me. I have done that and it didn't work. I
>> have also tried adding *. That did not work as well. What else can I try?
>> Please let me know. Thanks
>> Regards
>> Grant
>> On 16 Nov 2016 20:15, "Chris Savory" <chris.savory at edlogics.com> wrote:
>> In the admin, click on Clients, then select your client. Do you have any
>> values for “Web Origins” there? If not, you need to add
>> ‘http://localhost:9000’
>>
>> --
>> Christopher Savory
>> Software Engineer | EdLogics
>> www.edlogics.com
>>
>> On 11/16/16, 1:08 PM, "keycloak-user-bounces at lists.jboss.org on behalf
>> of Grant Marrow" <keycloak-user-bounces at lists.jboss.org on behalf of
>> grantmarrow at gmail.com> wrote:
>>
>>     Hi,
>>
>>     I really need some help. I keep on getting the following error:
>>
>>
>>     *No 'Access-Control-Allow-Origin' header is present on the requested
>>     resource. Origin 'http://localhost:9000' is
>>     therefore not allowed access. The response had HTTP status code 500.*
>>
>>     This is my setup:
>>
>>     *Front End:*
>>     - angular 1.5 web application running at http://localhost:9000
>>     - client configuration on keycloak admin console:
>>     - keycloak.json:
>>
>>     {
>>       "realm": "leap",
>>       "auth-server-url": "http://localhost:8080/auth",
>>       "ssl-required": "external",
>>       "resource": "leap-web",
>>       "public-client": true
>>     }
>>
>>
>>     *Auth Server*
>>     - keycloak version 2.30Final running at http://localhost:8080
>>
>>     *Web service*
>>     - java REST service running on Tomcat version 8.5
>>     - client config on keycloak admin console:
>>     - web.xml of rest service:
>>
>>     <web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>         xmlns="http://java.sun.com/xml/ns/javaee"
>>         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
>>         http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" id="WebApp_ID"
>>         version="3.0">
>>       <display-name>Archetype Created Web Application</display-name>
>>       <module-name>leap-service</module-name>
>>       <listener>
>>         <listener-class>com.hm.leap.service.init.ContextListener</listener-class>
>>       </listener>
>>     <context-param>
>>     <param-name>persistentUnit</param-name>
>>     <param-value>leap</param-value>
>>     </context-param>
>>
>>       <security-constraint>
>>       <web-resource-collection>
>>       <web-resource-name>Leap-Service</web-resource-name>
>>       <url-pattern>/resources/private/*</url-pattern>
>>       </web-resource-collection>
>>       <auth-constraint>
>>       <role-name>user</role-name>
>>       </auth-constraint>
>>       </security-constraint>
>>
>>        <login-config>
>>             <auth-method>KEYCLOAK</auth-method>
>>             <realm-name>leap</realm-name>
>>        </login-config>
>>
>>       <security-role>
>>       <role-name>user</role-name>
>>       </security-role>
>>
>>     </web-app>
>>
>>     - I also have the valve setup on my context.xml that lives in the
>>     META-INF directory
>>     <Context path="/leap-service">
>>       <Valve className="org.keycloak.adapters.tomcat.KeycloakAuthenticatorValve"/>
>>     </Context>
>>
>>     - keycloak.json:
>>
>>     {
>>       "realm": "leap",
>>       "bearer-only": true,
>>       "auth-server-url": "http://localhost:8080/auth",
>>       "ssl-required": "external",
>>       "resource": "leap-service",
>>       "enable-cors": true
>>     }
>>
>>     The error occurs in the following scenario:
>>     - The angular web app launches, the user clicks the login button which
>>     redirects to Keycloak. The user signs in. The user then tries to
>>     navigate to another page. This page then executes a GET request on my
>>     REST service which returns a list which is displayed in a table. But
>>     while executing the GET request, I receive the error:
>>
>>     *No 'Access-Control-Allow-Origin' header is present on the requested
>>     resource. Origin 'http://localhost:9000' is
>>     therefore not allowed access. The response had HTTP status code 500.*
>>
>>     In my Tomcat log file, I see the following warning message:
>>
>>     *11-Nov-2016 11:28:19.464 WARNING [http-nio-8081-exec-2]
>>     org.apache.catalina.authenticator.FormAuthenticator.forwardToLoginPage
>>     No login page was defined for FORM authentication in context
>>     [/leap-service]*
>>
>>     I really can't seem to pinpoint the error. I find it quite strange
>>     because I have the same setup but using an older version of keycloak
>>     (1.9*), which worked fine. I know this might be a silly problem, but
>>     if you have some time to help me, I would really appreciate it. Thanks.
>>
>>     Regards
>>     Grant
>>
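
The curl check James suggests at the top of this message, as an added example that is not part of the original thread: it sends the GET with the same `Origin` and `Authorization` headers the browser would and reports whether the response carries `Access-Control-Allow-Origin`. Hosts, realm and client ids are taken from the thread; the token endpoint path, the password grant on `leap-web`, the `KC_USER`/`KC_PASS` variables and the function names are assumptions, and the sample response is constructed.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): replay the browser's cross-origin GET
# with curl and classify the CORS outcome.

ORIGIN="http://localhost:9000"
# Path follows the url-pattern in the posted web.xml (/resources/private/*).
API_URL="http://localhost:8081/leap-service/resources/private/registrations"
TOKEN_URL="http://localhost:8080/auth/realms/leap/protocol/openid-connect/token"

# Assumption: client "leap-web" permits the password (direct access) grant
# and the token response is compact JSON containing "access_token".
get_token() {
  curl -s "$TOKEN_URL" \
    -d grant_type=password -d client_id=leap-web \
    --data-urlencode "username=$KC_USER" --data-urlencode "password=$KC_PASS" |
    sed -n 's/.*"access_token":"\([^"]*\)".*/\1/p'
}

# Print only the status line and response headers for the protected URL.
fetch_headers() {
  curl -s -o /dev/null -D - "$API_URL" \
    -H "Origin: $ORIGIN" -H "Authorization: Bearer $1"
}

# Read raw response headers on stdin and classify them for origin $1:
#   allowed  - Access-Control-Allow-Origin equals the origin (or is *)
#   mismatch - header present but names a different origin
#   missing  - header absent; the browser reports the error from the thread
cors_verdict() {
  awk -v want="$1" '
    { sub(/\r$/, "") }                      # strip CR from CRLF line ends
    NR == 1 { status = $2 }                 # "HTTP/1.1 500 ..." -> 500
    tolower($1) == "access-control-allow-origin:" { acao = $2 }
    END {
      if (acao == want || acao == "*") print "allowed status=" status
      else if (acao != "")             print "mismatch status=" status " acao=" acao
      else                             print "missing status=" status
    }'
}

# Constructed sample modelled on the reported symptom: HTTP 500, no CORS header.
sample_500() {
  printf 'HTTP/1.1 500 Internal Server Error\r\nContent-Type: text/html\r\n\r\n'
}

# Live run: KC_USER=alice KC_PASS=secret ./cors-check.sh
if [ -n "${KC_USER:-}" ]; then
  fetch_headers "$(get_token)" | cors_verdict "$ORIGIN"
else
  sample_500 | cors_verdict "$ORIGIN"
fi
```

A `missing status=500` verdict reproduced from curl points at a server-side error on the request itself rather than at the Web Origins allow-list, so the service log is the next place to look.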

