[keycloak-user] No 'Access-Control-Allow-Origin' header found in preflight response
Nhut Thai Le
ntle at castortech.com
Mon Jun 11 16:38:06 EDT 2018
Hello,
I am having an issue with CORS; here is my setup:
I'm using Keycloak 4.0.0.Beta2.
In the client settings page of the Keycloak admin console, I have web origin set
to *
The Keycloak Jetty adapter is configured programmatically as follows:
AdapterConfig keycloakConfig = new AdapterConfig();
...
keycloakConfig.setCors(true);
keycloakConfig.setCorsAllowedMethods("POST, PUT, DELETE, GET");
keycloakConfig.setCorsAllowedHeaders("Origin, X-Requested-With, "
    + "Content-Type, Accept, Cache-Control, Cookie, Host, Pragma, Referer, "
    + "User-Agent");
From the browser, I see a GET request:
https://dev.test.com:9443/diagram/services/diagrams/rest/common/getData?diagramID=_uulwGnlHS8ycCW-SGOpRjg&synchronize=false&_=1528746961564
And the server response:
HTTP/1.1 302 Found
Date: Mon, 11 Jun 2018 19:56:04 GMT
Set-Cookie: JSESSIONID=node0lc6bl81dkagi1q62aulvltr183.node0;Path=/diagram/services/diagrams/rest;Secure
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: OAuth_Token_Request_State=27cf3ab7-942e-4dda-8baa-c90b5d2a4a73;HttpOnly
Location: https://dev.test.com:8543/auth/realms/bigrealm/protocol/openid-connect/auth?response_type=code&client_id=test&redirect_uri=https%3A%2F%2Fdev.test.com%3A9443%2Fdiagram%2Fservices%2Fdiagrams%2Frest%2Fcommon%2FgetData?diagramID%3D_uulwGnlHS8ycCW-SGOpRjg%26synchronize%3Dfalse%26_%3D1528746961564&state=27cf3ab7-942e-4dda-8baa-c90b5d2a4a73&login=true&scope=openid
Content-Length: 0
Server: Jetty(9.4.6.v20170531)
Somehow this 302 instructs the browser to do a preflight check with OPTIONS:
OPTIONS /auth/realms/bigrealm/protocol/openid-connect/auth?response_type=code&client_id=test&redirect_uri=https%3A%2F%2Fdev.test.com%3A9443%2Fdiagram%2Fservices%2Fdiagrams%2Frest%2Fcommon%2FgetData?diagramID%3D_uulwGnlHS8ycCW-SGOpRjg%26synchronize%3Dfalse%26_%3D1528746961564&state=27cf3ab7-942e-4dda-8baa-c90b5d2a4a73&login=true&scope=openid HTTP/1.1
Host: dev.test.com:8543
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Access-Control-Request-Method: GET
Origin: https://dev.test.com:9443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.79 Safari/537.36
Access-Control-Request-Headers: x-requested-with
Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
However, when Keycloak replies to the preflight, it sets the status to 204
(perhaps correct since it has nothing) but no 'Access-Control-Allow-Origin'
header is returned.
I think because of this, the real GET request is not sent.
Did I miss anything when configuring Keycloak that may cause this?
Thai
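
The preflight exchange from the message above, modelled as an added example (not part of the original post and not Keycloak code): a simplified version of the browser's CORS preflight check, run on the OPTIONS request and the 204 reply described in the post. `checkPreflight`, the object shapes and `passingReply` are assumptions made for illustration.

```javascript
// Simplified model of the browser's CORS preflight check (after the Fetch spec).
// Header maps use lowercase names; sample messages below are constructed from the post.
const SAFELISTED_METHODS = new Set(["GET", "HEAD", "POST"]);
const splitList = v => (v || "").split(",").map(s => s.trim()).filter(Boolean);

function checkPreflight(req, res, withCredentials = false) {
  const origin = req.headers["origin"];
  const acao = res.headers["access-control-allow-origin"];
  if (acao === undefined) return { ok: false, reason: "no Access-Control-Allow-Origin header" };
  if (!(acao === "*" && !withCredentials)) {
    if (acao !== origin) return { ok: false, reason: "origin mismatch" };
    if (withCredentials && res.headers["access-control-allow-credentials"] !== "true") {
      return { ok: false, reason: "credentials not allowed" };
    }
  }
  if (res.status < 200 || res.status > 299) return { ok: false, reason: "preflight status is not 2xx" };
  const method = req.headers["access-control-request-method"];
  const methods = splitList(res.headers["access-control-allow-methods"]);
  const wildcardOk = list => !withCredentials && list.includes("*");
  if (!SAFELISTED_METHODS.has(method) && !methods.includes(method) && !wildcardOk(methods)) {
    return { ok: false, reason: `method ${method} not allowed` };
  }
  const allowed = splitList(res.headers["access-control-allow-headers"]).map(h => h.toLowerCase());
  for (const h of splitList(req.headers["access-control-request-headers"])) {
    if (!allowed.includes(h.toLowerCase()) && !wildcardOk(allowed)) {
      return { ok: false, reason: `request header ${h} not allowed` };
    }
  }
  return { ok: true, reason: "preflight passes" };
}

// Constructed from the post: the OPTIONS request and the 204 reply without CORS headers.
const preflightRequest = { headers: {
  "origin": "https://dev.test.com:9443",
  "access-control-request-method": "GET",
  "access-control-request-headers": "x-requested-with",
} };
const observedReply = { status: 204, headers: {} };
// Hypothetical reply that would satisfy the check for this request.
const passingReply = { status: 204, headers: {
  "access-control-allow-origin": "https://dev.test.com:9443",
  "access-control-allow-headers": "X-Requested-With",
} };

console.log(checkPreflight(preflightRequest, observedReply));
console.log(checkPreflight(preflightRequest, passingReply));
```

The third argument models a credentialed request, for which a `*` origin or a missing `Access-Control-Allow-Credentials: true` fails the check.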