[keycloak-user] CORS Headers not present on OPTIONS request

David Leonard David.Leonard at flexential.com
Tue Jul 23 16:44:18 EDT 2019


Hello everyone,

We're running a Keycloak 6.0.1 cluster in Kubernetes, and we're
running into issues with CORS requests made by Kibana as part of
refreshing the access token. Here is the situation:

1. The user logs into the SP and is able to authenticate successfully.
2. The user's token expires in the background.
3. The SP notices the expired token and attempts to refresh it,
starting by issuing an auth request to Keycloak. It issues an 'OPTIONS'
request to determine what it can perform, and this request is missing
headers. Here is the full output sample from curl:

[jboss at keycloak-dev-0 ~]$ curl '
http://127.0.0.1:8080/auth/realms/globalauth/protocol/openid-connect/auth?client_id=fps-demo&response_type=code&redirect_uri=https%3A%2F%2F[[SPURL]]%2Fauth%2Fopenid%2Flogin&state=hP95iVphOxSnWk0tkjE2rg&scope=openid%20profile%20email%20address%20phone'
-X OPTIONS -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0)
Gecko/20100101 Firefox/68.0' -H 'Accept: */*' -H 'Accept-Language: en-
US,en;q=0.5' --compressed -H 'Access-Control-Request-Method: GET' -H
'Access-Control-Request-Headers: content-type,kbn-version' -H 'Referer:
https://kibana.[[SPURL]]/app/kibana' -H 'Origin: https://[[SPURL]]' -H
'Connection: keep-alive' -H 'Host: [[IDPURL]]' -v
* About to connect() to 127.0.0.1 port 8080 (#0)
*   Trying 127.0.0.1...
* Connected to 127.0.0.1 (127.0.0.1) port 8080 (#0)
> OPTIONS /auth/realms/globalauth/protocol/openid-
connect/auth?client_id=fps-
demo&response_type=code&redirect_uri=https%3A%2F%2F[[SPURL]]%2Fauth%2Fo
penid%2Flogin&state=hP95iVphOxSnWk0tkjE2rg&scope=openid%20profile%20ema
il%20address%20phone HTTP/1.1
> Accept-Encoding: deflate, gzip
> User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
Firefox/68.0
> Accept: */*
> Accept-Language: en-US,en;q=0.5
> Access-Control-Request-Method: GET
> Access-Control-Request-Headers: content-type,kbn-version
> Referer: https://[[SPURL]]/app/kibana
> Origin: https://[[SPURL]]
> Connection: keep-alive
> Host: [[IDPURL]]
>
< HTTP/1.1 204 No Content
< Date: Tue, 23 Jul 2019 20:38:39 GMT
<
* Connection #0 to host 127.0.0.1 left intact
[jboss at keycloak-dev-0 ~]$

Here is the configuration of the client; the "Web Origins" item has
been set to the specific origin, to +, and to *. The result is the same
across all.

{
    "clientId": "fps-demo",
    "surrogateAuthRequired": false,
    "enabled": true,
    "clientAuthenticatorType": "client-secret",
    "redirectUris": [
        "https://kibana.[[SPURL]]"
    ],
    "webOrigins": [
        "+"
    ],
    "notBefore": 0,
    "bearerOnly": false,
    "consentRequired": false,
    "standardFlowEnabled": true,
    "implicitFlowEnabled": false,
    "directAccessGrantsEnabled": true,
    "serviceAccountsEnabled": false,
    "publicClient": false,
    "frontchannelLogout": false,
    "protocol": "openid-connect",
    "attributes": {
        "saml.assertion.signature": "false",
        "saml.multivalued.roles": "false",
        "saml.force.post.binding": "false",
        "saml.encrypt": "false",
        "saml.server.signature": "false",
        "saml.server.signature.keyinfo.ext": "false",
        "exclude.session.state.from.auth.response": "false",
        "saml_force_name_id_format": "false",
        "saml.client.signature": "false",
        "tls.client.certificate.bound.access.tokens": "false",
        "saml.authnstatement": "false",
        "display.on.consent.screen": "false",
        "saml.onetimeuse.condition": "false"
    },
    "authenticationFlowBindingOverrides": {},
    "fullScopeAllowed": false,
    "nodeReRegistrationTimeout": -1,
    "protocolMappers": [
        {
            "name": "client roles",
            "protocol": "openid-connect",
            "protocolMapper": "oidc-usermodel-client-role-mapper",
            "consentRequired": false,
            "config": {
                "multivalued": "true",
                "userinfo.token.claim": "false",
                "id.token.claim": "true",
                "access.token.claim": "true",
                "claim.name": "roles",
                "jsonType.label": "String",
                "usermodel.clientRoleMapping.clientId": "fps-demo"
            }
        },
        {
            "name": "allowed web origins",
            "protocol": "openid-connect",
            "protocolMapper": "oidc-allowed-origins-mapper",
            "consentRequired": false,
            "config": {}
        }
    ],
    "defaultClientScopes": [
        "web-origins",
        "role_list",
        "profile",
        "roles",
        "email"
    ],
    "optionalClientScopes": [
        "address",
        "phone",
        "offline_access"
    ],
    "access": {
        "view": true,
        "configure": true,
        "manage": true
    }
}

Help is appreciated. We've tried multiple different combinations of
configs with no success.
Thanks!
David
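As an added diagnostic, not part of the original post and not Keycloak code, the Python below parses the `<` response lines of a `curl -v` transcript like the one above and lists everything a browser would need before it lets the real GET through; the origin `https://sp.example` and the passing transcript are constructed, the failing transcript is the one from the post.

```python
def parse_curl_response(transcript):
    """Return (status_code, headers) from the '< ' lines of `curl -v` output."""
    status, headers = None, {}
    for line in transcript.splitlines():
        if not line.startswith("<"):
            continue
        body = line[1:].strip()
        if body.startswith("HTTP/"):
            status = int(body.split()[1])
        elif ":" in body:
            name, value = body.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers

def _csv(value):
    """Split a comma-separated header value into a set of lowercased tokens."""
    return {t.strip().lower() for t in value.split(",") if t.strip()}

def check_preflight(status, headers, origin, method, request_headers):
    """Return the reasons a browser would reject this preflight (empty list = OK)."""
    problems = []
    if status not in (200, 204):
        problems.append(f"status {status} is not a 2xx preflight response")
    allow_origin = headers.get("access-control-allow-origin")
    if allow_origin is None:
        problems.append("Access-Control-Allow-Origin missing")
    elif allow_origin not in ("*", origin):
        problems.append(f"Access-Control-Allow-Origin {allow_origin!r} does not match {origin!r}")
    # '*' in the allow lists only counts for requests made without credentials.
    credentialed = headers.get("access-control-allow-credentials", "").lower() == "true"
    wildcard_ok = not credentialed
    if allow_origin == "*" and credentialed:
        problems.append("wildcard origin combined with credentials is rejected by browsers")
    methods = _csv(headers.get("access-control-allow-methods", ""))
    if method.lower() not in methods and not (wildcard_ok and "*" in methods):
        problems.append(f"method {method} not listed in Access-Control-Allow-Methods")
    allowed = _csv(headers.get("access-control-allow-headers", ""))
    for name in request_headers:
        if name.lower() not in allowed and not (wildcard_ok and "*" in allowed):
            problems.append(f"request header {name} not listed in Access-Control-Allow-Headers")
    return problems

# The response from the post above (only Date came back) and a constructed healthy one.
FAILING = "< HTTP/1.1 204 No Content\n< Date: Tue, 23 Jul 2019 20:38:39 GMT\n<\n"
PASSING = ("< HTTP/1.1 204 No Content\n< Access-Control-Allow-Origin: https://sp.example\n"
           "< Access-Control-Allow-Methods: GET, POST\n"
           "< Access-Control-Allow-Headers: content-type, kbn-version\n< Vary: Origin\n<\n")
```

Run `check_preflight(*parse_curl_response(FAILING), "https://sp.example", "GET", ["content-type", "kbn-version"])` to see the four missing pieces for the transcript in the post.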