[keycloak-user] CORS headers not sent issue

Marek Posolda mposolda at redhat.com
Thu Oct 6 03:09:17 EDT 2016


Ok, I understand better now. Thanks.

By "PR" I meant "Pull Request" to GitHub to fix the issue in Keycloak 
master. You can always create a JIRA, but if you have time and you want 
a quick fix, fixing the issue yourself and sending a PR is always a bit 
better :-)

Marek

On 05/10/16 10:07, GRMAN, Tomas wrote:
> Hi Marek,
>
> In our case the client application is not using keycloak.js adapter.
> The application was developed by a partner and they used their own OIDC identity server. When we connected the application to our Keycloak instance, the CORS problem I previously described appeared.
>
> As you said, I think CORS headers should be added to all the public endpoints (including certs). In our case the client application (AngularJS) is using the implicit flow and is trying to verify the JWT token it receives, and for that it needs the certs. This is only my understanding of the problem; I don't know the architecture of the application, I am just trying to integrate it :)
>
> I can create a bug on JIRA, but I am not sure what you meant by PR? Thanks for the info.
>
> Tomas
>
>
>
> -----Original Message-----
> From: Marek Posolda [mailto:mposolda at redhat.com]
> Sent: 4 October 2016 19:40
> To: GRMAN, Tomas <Tomas.GRMAN at orange.com>; keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] CORS headers not sent issue
>
> Hi Tomas,
>
> Nice to see you on our ML :-)
>
> I think you're right. The CORS headers are not added to the "certs"
> endpoint. Probably we should just add "*" similarly to how it's done for the well-known endpoint, as the public keys are de facto public information.
> Feel free to create a JIRA and/or, even better, send a PR :-)
>
> Btw. I am a bit curious why exactly you need it? AFAIK CORS is usually needed for browser apps, but if you're using our keycloak.js adapter, it doesn't need public keys as it doesn't do any signature verification by itself. Token signature verification is always done on the server side (e.g. the REST endpoint where the JS application sent its token).
>
> Cheers,
> Marek
>
> On 04/10/16 17:10, GRMAN, Tomas wrote:
>> Hello
>>
>> I have come across a weird issue regarding the CORS implementation in
>> Keycloak (ver. 2.2.1)
>>
>> I have properly specified "Web Origins" settings in Admin Console for the OIDC client.
>> The problem is that the CORS headers (Access-Control-Allow-Origin) are
>> not sent for all the requests coming towards idp.example.com (Implicit
>> Flow)
>>
>> https://idp.example.com/auth/realms/test/.well-known/openid-configuration (CORS headers are sent)
>>
>> https://idp.example.com/auth/realms/test/protocol/openid-connect/certs (CORS headers are not sent)
>>
>> Is there something more to be configured in order to make Keycloak send CORS headers with all the requests? Maybe a bug?
>>
>> Currently I have added CORS headers on the NGINX reverse proxy for this
>> endpoint (certs).
>>
>> Any advice is appreciated :)
>>
>> Tomas Grman
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
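The workaround Tomas mentions (adding CORS headers at the NGINX reverse proxy for the certs endpoint only) can be written as the following location block. This is an added example and not configuration from the thread or from the Keycloak project; it assumes Keycloak is reachable from NGINX at 127.0.0.1:8080 and uses the hostname, realm and path from the thread. It follows Marek's reasoning that the realm's public signing keys are public information, so a wildcard origin is acceptable for this one endpoint, while the token, userinfo and other endpoints are left to Keycloak's own per-client "Web Origins" handling.

```nginx
# Added example (not from the thread): expose only Keycloak's public JWKS
# ("certs") endpoint cross-origin at the reverse proxy.
# Assumptions: Keycloak listens on 127.0.0.1:8080 and the realm is "test".
upstream keycloak {
    server 127.0.0.1:8080;
}

server {
    listen 443 ssl;
    server_name idp.example.com;
    # ssl_certificate / ssl_certificate_key: use your existing TLS setup.

    # Exact-match location so the wildcard applies to nothing else.
    # Public signing keys are public information, so "*" is acceptable here.
    # Never combine "*" with Access-Control-Allow-Credentials, and do not copy
    # this block to the token or userinfo endpoints: those stay governed by the
    # client's "Web Origins" setting inside Keycloak.
    location = /auth/realms/test/protocol/openid-connect/certs {
        # Answer the browser's preflight locally; the JWKS endpoint is GET-only.
        if ($request_method = OPTIONS) {
            add_header Access-Control-Allow-Origin "*";
            add_header Access-Control-Allow-Methods "GET, OPTIONS";
            add_header Access-Control-Allow-Headers "Authorization, Content-Type";
            add_header Access-Control-Max-Age 3600;
            return 204;
        }

        # "always" keeps the header on non-2xx responses too, so a misnamed
        # realm shows up in the browser as a 404 rather than as a CORS error.
        add_header Access-Control-Allow-Origin "*" always;

        proxy_pass http://keycloak;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Everything else is proxied unchanged; Keycloak adds CORS headers itself
    # where the client configuration allows it.
    location / {
        proxy_pass http://keycloak;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Two points worth checking after reloading NGINX: `add_header` directives set at the location level replace any inherited from the server level, so repeat any security headers (HSTS and the like) inside this location if you set them globally; and a request such as `curl -sI -H "Origin: https://app.example.com" https://idp.example.com/auth/realms/test/protocol/openid-connect/certs` should now show `Access-Control-Allow-Origin: *`, while the same request against the token endpoint should not.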


