[keycloak-user] CORS's problem with JavaScript's library

Karol Buler K.Buler at adbglobal.com
Thu Jun 29 08:02:10 EDT 2017


Honestly, I can't, because I am a Java programmer. The JavaScript
application is from another team, and unfortunately the only thing I
have from them is that the problem is with the x-client CORS header (it
isn't added to the "allowed headers" from Keycloak's server, but it is
in the request from keycloak-auth-utils). They use the
"obtainDirectly(username, password)" method. I also have the curl
request which is produced by keycloak-auth-utils, and here it is:

curl 'http://<keycloak_host>/auth/realms/master/protocol/openid-connect/token' \
  -X OPTIONS \
  -H 'Pragma: no-cache' \
  -H 'Access-Control-Request-Method: POST' \
  -H 'Origin: http://localhost:8082' \
  -H 'Accept-Encoding: gzip, deflate, sdch' \
  -H 'Accept-Language: pl-PL,pl;q=0.8,en-US;q=0.6,en;q=0.4' \
  -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36' \
  -H 'Accept: */*' \
  -H 'Cache-Control: no-cache' \
  -H 'Connection: keep-alive' \
  -H 'Access-Control-Request-Headers: authorization,x-client' \
  --compressed

If you call Keycloak with the curl above, you will see that there is no
X-Client header in Access-Control-Allow-Headers, but (!!!) the request
must be from another host.

Why don't they use keycloak-connect? I have no idea ;/


On 29.06.2017 11:40, Bruno Oliveira wrote:
> Hi Karol, could you write an integration test with the exact steps to
> reproduce your issue?
> See: https://github.com/keycloak/keycloak-nodejs-auth-utils/blob/master/test/integration/grant-manager-spec.js
>
> That would help us to investigate.
>
> Out of curiosity, why don't you use keycloak-connect?
>
> On 2017-06-28, Karol Buler wrote:
>> Hi Everyone,
>>
>> We have a problem with CORS. We are using this lib: https://www.npmjs.com/package/keycloak-auth-utils in our JavaScript application.
>>
>> When we try to get an AccessToken, we are getting this message:
>>
>> Fetch API cannot load http://<keycloak_address>/auth/realms/master/protocol/openid-connect/token. Request header field x-client is not allowed by Access-Control-Allow-Headers in preflight response.
>>
>> We tried to modify CORS headers in standalone.xml file of Keycloak's server, but we found that CORS headers are hardcoded and added "in air".
>>
>> Best regards,
>> Karol Buler
>>
> --
>
> abstractj
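
The preflight failure reported in this thread can be reproduced offline with the header check a browser applies under the Fetch standard. This is an added example, not code from the original message or from keycloak-auth-utils; the function names and the two Access-Control-Allow-Headers values are constructed for illustration and are not captured Keycloak output.

```javascript
// Added example: the browser-side preflight header check, run offline.
// Sample response values are constructed, not captured from a Keycloak server.

// Parse a comma-separated list of header names into a lowercase Set.
function parseList(value) {
  return new Set(
    (value || '')
      .split(',')
      .map((s) => s.trim().toLowerCase())
      .filter(Boolean)
  );
}

// Return the requested header names that the preflight response does not allow.
// Per the Fetch standard, "*" acts as a wildcard only for non-credentialed
// requests and never covers Authorization, which must be listed by name.
function blockedHeaders(requestHeaders, allowHeaders, { credentials = false } = {}) {
  const requested = parseList(requestHeaders);
  const allowed = parseList(allowHeaders);
  const wildcard = allowed.has('*') && !credentials;
  const blocked = [];
  for (const name of requested) {
    if (allowed.has(name)) continue;               // explicitly allowed
    if (wildcard && name !== 'authorization') continue; // covered by "*"
    blocked.push(name);                            // browser fails the preflight
  }
  return blocked;
}

// Access-Control-Request-Headers exactly as sent by the curl in the message.
const REQUESTED = 'authorization,x-client';

// Constructed Access-Control-Allow-Headers values.
const SAMPLE_WITHOUT_X_CLIENT = 'Origin, Accept, Content-Type, Authorization';
const SAMPLE_WITH_X_CLIENT = 'Origin, Accept, X-Client, Content-Type, Authorization';

console.log(blockedHeaders(REQUESTED, SAMPLE_WITHOUT_X_CLIENT)); // [ 'x-client' ]
console.log(blockedHeaders(REQUESTED, SAMPLE_WITH_X_CLIENT));    // []
```

To check a live server, pass the Access-Control-Allow-Headers value returned for the OPTIONS request as the second argument.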


