[keycloak-user] CORS ‘Access-Control-Allow-Origin’ missing
Jan Garaj
jan.garaj at gmail.com
Thu Aug 16 06:12:05 EDT 2018
Hi Ryan,
IMHO jQuery "crossDomain: true" doesn't help; that's for JSONP requests.
I'm not familiar with Wildfly, but I don't understand why I should
configure CORS headers in the app server when I can return them from the
app (Keycloak in this case).
What is your Keycloak version and preflight request/response?
*Jan Garaj*
Web: http://www.jangaraj.com / http://monitoringartist.com
LinkedIn: http://www.linkedin.com/in/jangaraj
On Wed, Aug 15, 2018 at 2:25 PM Ryan Slominski <ryans at jlab.org> wrote:
> Hi Jan,
>
> If I comment out the jQuery "crossDomain: true" and "xhrFields:
> {withCredentials: true}" attributes of the XHR object then I do see the
> OPTIONS header in the web browser console. If I include the attributes I
> don't see OPTIONS. Is it possible preflight isn't needed if you've
> configured your client to use crossDomain? I forgot to include in my last
> email the final request HTTP status response code: it is 303. Is that a
> clue?
>
> What about all of the CORS options such as cors-max-age,
> cors-allowed-headers, cors-allowed-methods, etc.? I am not including them
> in Wildfly standalone.xml currently. Are they needed to make this work?
> It doesn't seem to make a difference when experimenting, but I'm not sure
> what values to use...
>
> Thanks,
>
> Ryan
>
> ----- Original Message -----
> From: "Jan Garaj" <jan.garaj at gmail.com>
> To: "keycloak-user" <keycloak-user at lists.jboss.org>
> Sent: Wednesday, August 15, 2018 3:36:24 AM
> Subject: Re: [keycloak-user] CORS ‘Access-Control-Allow-Origin’ missing
>
> Hi,
>
> Actually, Access-Control-Allow-Origin is not missing, because it should be
> available in the preflight (OPTIONS) response and not in GET/POST response.
>
> My assumption is that 3.4.2+ Keycloak CORS implementation is broken and it
> doesn't support any JS cross-domain access at the moment.
>
> More details:
> https://issues.jboss.org/browse/KEYCLOAK-8006
>
> You can find this CORS problem also on StackOverflow:
>
> https://stackoverflow.com/questions/51706569/angular-keycloak-cant-get-token-using-api
>
> Workaround: downgrade to 3.4.2- and use insecure "Web Origins": "*"
>
> *Jan Garaj*
> Web: http://www.jangaraj.com / http://monitoringartist.com
> LinkedIn: http://www.linkedin.com/in/jangaraj
>
> On Wed, Aug 15, 2018 at 8:09 AM <keycloak-user-request at lists.jboss.org>
> wrote:
>
> > ---------- Forwarded message ----------
> > From: Ryan Slominski <ryans at jlab.org>
> > To: keycloak-user <keycloak-user at lists.jboss.org>
> > Cc:
> > Bcc:
> > Date: Tue, 14 Aug 2018 16:21:54 -0400 (EDT)
> > Subject: [keycloak-user] CORS ‘Access-Control-Allow-Origin’ missing
> > Hi Keycloak Users,
> >
> > I'm attempting to save my users a few button clicks by automatically
> > trying brokered identity providers in the background with AJAX requests
> > before redirecting them to the Keycloak login form (AJAX requests using
> > the kc_idp_hint parameter). In most cases users will already be logged into
> > one of the brokered identity providers (the client is often on one of
> > several SPNEGO protected subnets), and instead of showing users the login
> > form with buttons to try the brokered providers manually one by one, I was
> > hoping to simply do it for them in the background; when directed to the
> > login form for the realm, the common case would be for users to be
> > immediately redirected back because they're logged in already. I'm using
> > the Wildfly client adapters (Java servlet container managed security)
> > configured as confidential clients. I have the client "Web Origins" set to
> > "*". In the Wildfly standalone.xml I have the clients configured with
> > "<enable-cors>true</enable-cors>". I'm using Keycloak 4.1.0. On the
> > client side I'm using jQuery and have "crossDomain: true" and
> > "xhrFields:{withCredentials: true}" set on the XHR object. The
> > Keycloak server still doesn't respond with an Access-Control-Allow-Origin
> > header though, so the login fails. It works if not using AJAX. The
> > network trace of an AJAX request from the web browser console looks like:
> >
> > --- Request 1 ---
> > GET https://myhost.example.com/myapp/protected?kc_idp_hint=broker1-keycloak-oidc&returnUrl=https://myhost.example.com/myapp/mypage
> > Host: myhost.example.com
> > User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
> > Accept: text/html, */*; q=0.01
> > Accept-Language: en-US,en;q=0.5
> > Accept-Encoding: gzip, deflate, br
> > Referer: https://myhost.example.com/myapp/mypage
> > Cookie: OAuth_Token_Request_State=<REDACTED>; JSESSIONID=<REDACTED>.myhost
> > Connection: keep-alive
> >
> > --- Response 1 ---
> > Cache-Control: no-cache, no-store, must-revalidate
> > Connection: Keep-Alive
> > Content-Length: 0
> > Date: Tue, 14 Aug 2018 19:48:46 GMT
> > Expires: 0
> > Keep-Alive: timeout=5, max=100
> > Location: https://keycloak1.example.com/auth/realms/myrealm/protocol/openid-connect/auth?response_type=code&client_id=client1&redirect_uri=https%3A%2F%2Fmyhost.example.com%2Fmyapp%2Fprotected?returnUrl%3Dhttps%253A%252F%252Fmyhost.example.com%252Fmyapp%252Fmypage&state=<REDACTED>&login=true&kc_idp_hint=broker1-keycloak-oidc&scope=openid
> > Pragma: no-cache
> > Server: WildFly/11
> > Set-Cookie: OAuth_Token_Request_State=<REDACTED>; HttpOnly
> > X-Powered-By: Undertow/1
> >
> > --- Request 2 ---
> > GET https://keycloak1.example.com/auth/realms/myrealm/protocol/openid-connect/auth?response_type=code&client_id=client1&redirect_uri=https://myhost.example.com/myapp/protected?returnUrl=https%3A%2F%2Fmyhost.example.com%2Fmyapp%2Fmypage&state=<REDACTED>&login=true&kc_idp_hint=broker1-keycloak-oidc&scope=openid
> > Host: keycloak1.example.com
> > User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
> > Accept: text/html, */*; q=0.01
> > Accept-Language: en-US,en;q=0.5
> > Accept-Encoding: gzip, deflate, br
> > Referer: https://myhost.example.com/myapp/mypage
> > Origin: https://myhost.example.com
> > Cookie: AUTH_SESSION_ID=<REDACTED>.keycloak1; KC_RESTART=<REDACTED>
> > Connection: keep-alive
> >
> > --- Response 2 ---
> > Status: 401
> > Cache-Control: no-store, must-revalidate, max-age=0
> > Connection: Keep-Alive
> > Content-Length: 615
> > Content-Type: text/html;charset=UTF-8
> > Date: Tue, 14 Aug 2018 19:48:48 GMT
> > Keep-Alive: timeout=5, max=100
> > Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.2k-fips mod_auth_kerb/5.4 PHP/7.1.18 mod_wsgi/3.4 Python/2.7.5
> > Set-Cookie: AUTH_SESSION_ID=<REDACTED>.keycloak1; Version=1; Path=/auth/realms/myrealm/; Secure; HttpOnly
> > Set-Cookie: KC_RESTART=<REDACTED>; Version=1; Path=/auth/realms/myrealm/; Secure; HttpOnly
> > WWW-Authenticate: Negotiate
> >
> > --- Request 3 ---
> > GET https://keycloak1.example.com/auth/realms/myrealm/protocol/openid-connect/auth?response_type=code&client_id=client1&redirect_uri=https://myhost.exampel.com/myapp/protected?returnUrl=https%3A%2F%2Fmyhost.example.com%2Fmyapp%2Fmypage&state=<REDACTED>&login=true&kc_idp_hint=broker1-keycloak-oidc&scope=openid
> > Host: keycloak1.example.com
> > User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
> > Accept: text/html, */*; q=0.01
> > Accept-Language: en-US,en;q=0.5
> > Accept-Encoding: gzip, deflate, br
> > Referer: https://myhost.example.com/myapp/mypage
> > Origin: https://myhost.example.com
> > Cookie: AUTH_SESSION_ID=<REDACTED>.keycloak1; KC_RESTART=<REDACTED>
> > Connection: keep-alive
> > Authorization: Negotiate <REDACTED>
> >
> > --- Response 3 ---
> > Cache-Control: no-store, must-revalidate, max-age=0
> > Connection: Keep-Alive
> > Content-Length: 0
> > Date: Tue, 14 Aug 2018 19:48:48 GMT
> > Keep-Alive: timeout=5, max=99
> > Location: https://keycloak1.example.com/auth/realms/myrealm/broker/broker1-keycloak-oidc/login?session_code=<REDACTED>&client_id=client1&tab_id=FP3hTW-bfQ8
> > Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.2k-fips mod_auth_kerb/5.4 PHP/7.1.18 mod_wsgi/3.4 Python/2.7.5
> > Set-Cookie: AUTH_SESSION_ID=<REDACTED>.keycloak1; Version=1; Path=/auth/realms/myrealm/; Secure; HttpOnly
> > Set-Cookie: KC_RESTART=<REDACTED>; Version=1; Path=/auth/realms/myrealm/; Secure; HttpOnly
> >
> > Notice I must redirect off a protected URL on my client app since the Wildfly
> > client adapter only works on pages which are explicitly protected by the
> > container managed security. Also notice in the third and final request the
> > response is missing the Access-Control-Allow-Origin header, which results
> > in the error in the browser web console and the process ending. Any ideas?
> >
> > Thanks,
> >
> > Ryan
> >
> > ---------- Forwarded message ----------
> > From: Eric B <ebenzacar at gmail.com>
> > To: keycloak-user at lists.jboss.org
> > Cc:
> > Bcc:
> > Date: Tue, 14 Aug 2018 23:23:57 -0400
> > Subject: [keycloak-user] How to force client to use PKCE code exchange?
> > I'm using keycloak 3.4.3. Is there a way in the client configuration to
> > require PKCE code exchange? I can't seem to find an option that would
> > require to support this vs just the standard code exchange flow.
> >
> > Thanks
> >
> > Eric
> >
> > ---------- Forwarded message ----------
> > From: Henning Waack <henning.waack at codecentric.de>
> > To: keycloak-user at lists.jboss.org
> > Cc:
> > Bcc:
> > Date: Wed, 15 Aug 2018 09:08:41 +0200
> > Subject: [keycloak-user] Client roles in Access Token
> > Dear all.
> >
> > Using KC 4.2.1, I get the following access token for a "Service Account
> > User":
> >
> > {
> >   "jti": "af460ad9-e436-481f-aa4c-2d0ee0a19878",
> >   "exp": 1534251578,
> >   "nbf": 0,
> >   "iat": 1534251278,
> >   "iss": "https://xxx/auth/realms/NAK",
> >   "aud": "nak-portal",
> >   "sub": "f19b3205-1f3c-4a7e-8e76-c5d8e47ef0e4",
> >   "typ": "Bearer",
> >   "azp": "nak-portal",
> >   "auth_time": 0,
> >   "session_state": "a47e50aa-2ed2-40fa-9ba7-453d5632ced0",
> >   "name": "nak portal",
> >   "given_name": "nak",
> >   "family_name": "portal",
> >   "preferred_username": "service-account-nak-portal",
> >   "email": "service-account-nak-portal at placeholder.de",
> >   "email_verified": true,
> >   "acr": "1",
> >   "allowed-origins": [
> >     "http://dummy:8008"
> >   ],
> >   "realm_access": {
> >     "roles": [
> >       "source_system"
> >     ]
> >   },
> >   "resource_access": {
> >     "realm-management": {
> >       "roles": [
> >         "manage-users",
> >         "view-users",
> >         "query-clients",
> >         "query-groups",
> >         "query-users"
> >       ]
> >     }
> >   },
> >   "scope": "email profile",
> >   "clientId": "nak-portal",
> >   "clientHost": "80.242.181.71",
> >   "clientAddress": "80.242.181.71",
> >   "client_id": "nak-portal",
> >   "username": "service-account-nak-portal",
> >   "active": true
> > }
> >
> > Please note the five realm-management client roles. The problem is that for the
> > given service account I have assigned many more roles; please see the attached
> > screenshot.
> >
> > Why don't I see all effective roles (or assigned roles) in my access token?
> > Interestingly enough, I am also missing some of my realm roles. I have
> > mapped 4 realm roles, but in the token I only have 1. Am I missing
> > something?
> >
> > Thanks in advance, greetings
> >
> > Henning
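The check the browser applies to the responses in Ryan's trace, as an added example that is not code from the thread or from Keycloak: it models the Fetch standard's CORS response check for a credentialed XHR (`xhrFields: {withCredentials: true}`) and runs it on headers constructed from Response 3. The hostnames are the ones in the trace; `corsCheck` and `checkTrace` are hypothetical helper names.

```javascript
// Added example (not from the thread or Keycloak): the Fetch standard's CORS
// response check, run on headers constructed from Response 3 in the trace.

function corsCheck(requestOrigin, withCredentials, headers) {
  const h = {}; // header names are case-insensitive, so normalise first
  for (const [name, value] of Object.entries(headers)) h[name.toLowerCase()] = value;
  const acao = h['access-control-allow-origin'];
  const acac = h['access-control-allow-credentials'];

  if (acao === undefined) return { ok: false, reason: 'Access-Control-Allow-Origin missing' };
  if (!withCredentials) {
    // Anonymous request: a wildcard or an exact origin match is enough.
    if (acao === '*' || acao === requestOrigin) return { ok: true, reason: '' };
    return { ok: false, reason: `${acao} does not match ${requestOrigin}` };
  }
  // xhrFields: {withCredentials: true} puts the request in credentials mode
  // "include": the wildcard is refused, the origin must match exactly, and
  // Access-Control-Allow-Credentials must be the literal string "true".
  if (acao === '*') return { ok: false, reason: 'wildcard not allowed with credentials' };
  if (acao !== requestOrigin) return { ok: false, reason: `${acao} does not match ${requestOrigin}` };
  if (acac !== 'true') return { ok: false, reason: 'Access-Control-Allow-Credentials not "true"' };
  return { ok: true, reason: '' };
}

// Response 3 as captured: a redirect to the broker login with no CORS headers.
// A cross-origin redirect is checked at every hop, so this hop alone fails.
const response3 = {
  'Cache-Control': 'no-store, must-revalidate, max-age=0',
  'Content-Length': '0',
  'Location': 'https://keycloak1.example.com/auth/realms/myrealm/broker/broker1-keycloak-oidc/login?session_code=REDACTED',
};
// What the same response would need to carry for the credentialed XHR to proceed.
const response3Fixed = {
  ...response3,
  'Access-Control-Allow-Origin': 'https://myhost.example.com',
  'Access-Control-Allow-Credentials': 'true',
};
// A literal "*" only satisfies an anonymous request.
const response3Wildcard = { ...response3, 'Access-Control-Allow-Origin': '*' };

function checkTrace() {
  const origin = 'https://myhost.example.com'; // Origin header sent in Request 3
  return {
    asCaptured: corsCheck(origin, true, response3),
    wildcardWithCreds: corsCheck(origin, true, response3Wildcard),
    wildcardAnonymous: corsCheck(origin, false, response3Wildcard),
    exactOriginWithCreds: corsCheck(origin, true, response3Fixed),
  };
}
```

Only `exactOriginWithCreds` passes: once the XHR sends cookies, the server has to echo the exact origin and add `Access-Control-Allow-Credentials: true`, which is why a wildcard origin cannot rescue a credentialed request.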