Proper way of handling CORS in frontend - backend combo


Tero Ahonen

Feb 11, 2021, 12:30:58 PM
to Keycloak User
Hi,

I'm struggling a bit with CORS.

I have app.example.com running the frontend (Angular) and the backend running in Wildfly 16, JavaEE REST, at users-api.example.com. And then Keycloak 7 running at Keycloak.example.com.

There are basically three places where I can put CORS headers:
1. Application as CORS Filter
2. Wildfly config filter/header config
3. Keycloak adapter config.

I first tested adding headers to Wildfly filters. -> Firefox works after a few requests, Safari and Chrome don't.

Then I removed the Wildfly filter config and added a CORS filter to the application. -> Same results.

Then I removed the app CORS filter and added Wildfly filters + Keycloak adapter CORS config. -> Nothing worked, since double CORS headers.

Then app CORS filter and Keycloak adapter CORS configs. -> Firefox is working, others not.

The last config feels correct but doesn't work. When checking the Chrome console, it says 404 preflight OPTIONS request.


When I test with curl

HTTP/1.1 200 OK
Access-Control-Allow-Headers: origin, content-type, accept, authorization
Date: Thu, 11 Feb 2021 17:24:07 GMT
Allow: HEAD, GET, OPTIONS
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
Content-Type: text/plain;charset=UTF-8
Content-Length: 18
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS, HEAD
Access-Control-Max-Age: 1209600
Set-Cookie: 8ab0e4839bad454683c8a580e07b486f=4723ea45ba902fb510af0be55984f04f; path=/; HttpOnly; Secure
Cache-control: private

So the address is correct. So I'm wondering where the request is lost. The application doesn't receive it, since the application log is empty, and I have logging in the CORS filter.

There is no evidence in the Wildfly server logs at DEBUG level.

Kind of hard to figure out what is going on. Can the OpenShift HAProxy router break everything? ... The funny part is that everything was working like 3 days ago.
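
The curl output above can be run through the checks a browser applies to a preflight response before it lets the real request go out. This is an added example, not part of the original post: the function names, the https://app.example.com origin and the `credentials` option (a request sent with cookies, e.g. `withCredentials`) are assumptions, and the sample response is constructed from the headers shown in the post.

```javascript
// Added example (simplified browser preflight checks); names are assumptions.
const SAFELISTED_METHODS = new Set(["GET", "HEAD", "POST"]);

// Parse a raw HTTP response head into { status, headers: Map<name, string[]> }.
function parseHead(raw) {
  const lines = raw.trim().split(/\r?\n/);
  const status = parseInt(lines[0].split(" ")[1], 10);
  const headers = new Map();
  for (const line of lines.slice(1)) {
    const i = line.indexOf(":");
    if (i < 1) continue;
    const name = line.slice(0, i).trim().toLowerCase();
    if (!headers.has(name)) headers.set(name, []);
    headers.get(name).push(line.slice(i + 1).trim());
  }
  return { status, headers };
}

// Return the reasons a browser would reject this preflight response.
function checkPreflight(raw, { origin, method, requestHeaders = [], credentials = false }) {
  const { status, headers } = parseHead(raw);
  const problems = [];
  const list = (n) => (headers.get(n) || []).join(",").split(",")
    .map((v) => v.trim().toLowerCase()).filter(Boolean);
  if (status < 200 || status > 299) problems.push(`preflight status ${status} is not 2xx`);
  const acao = headers.get("access-control-allow-origin") || [];
  if (acao.length === 0) problems.push("no Access-Control-Allow-Origin");
  else if (acao.length > 1) problems.push("Access-Control-Allow-Origin sent more than once");
  else if (acao[0] === "*") {
    if (credentials) problems.push("wildcard origin not allowed with credentials");
  } else if (acao[0] !== origin) problems.push("Access-Control-Allow-Origin does not match origin");
  const acac = (headers.get("access-control-allow-credentials") || [])[0];
  if (credentials && acac !== "true") problems.push("Access-Control-Allow-Credentials is not true");
  const methods = list("access-control-allow-methods");
  if (!SAFELISTED_METHODS.has(method) && !methods.includes(method.toLowerCase()))
    problems.push(`method ${method} not allowed`);
  const allowed = list("access-control-allow-headers");
  for (const h of requestHeaders)
    if (!allowed.includes(h.toLowerCase())) problems.push(`header ${h} not allowed`);
  return problems;
}

// Constructed sample modelled on the curl output in the post.
const SAMPLE = [
  "HTTP/1.1 200 OK",
  "Access-Control-Allow-Headers: origin, content-type, accept, authorization",
  "Access-Control-Allow-Origin: *",
  "Access-Control-Allow-Credentials: true",
  "Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS, HEAD",
].join("\n");
```

Calling `checkPreflight(SAMPLE, { origin: "https://app.example.com", method: "GET", requestHeaders: ["Authorization"], credentials: true })` reports the wildcard origin; a response that carries the header twice, as when two layers both add it, or one that returns 404 is reported the same way.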




Tero Ahonen

Feb 11, 2021, 12:39:27 PM
to Keycloak User
Forgot to mention that the Keycloak log has the following:

17:27:24,159 DEBUG [io.undertow.request] (default I/O-1) Matched default handler path /v1/users/me

And in the client, using a confidential openid-connect client. Bearer only in the backend.

I have tested different settings in Valid Redirect Urls and Web Origins....now both are * 


Tero Ahonen

Feb 12, 2021, 7:34:53 AM
to Keycloak User
Hi,

Managed to get some level of understanding of what is happening. It might not be a CORS error but a redirect.

When the website is not working, the Keycloak log has these:

12:26:31,808 DEBUG [io.undertow.request] (default I/O-3) Matched default handler path /v1/users/me 
12:26:31,808 DEBUG [io.undertow.request] (default I/O-3) Matched default handler path /v1/users/login 
12:26:31,824 DEBUG [io.undertow.request] (default I/O-3) Matched default handler path /v2/users/extrainfo 
12:26:31,824 DEBUG [io.undertow.request] (default I/O-3) Matched default handler path /v2/features/list/active/legacyIds 
12:26:31,824 DEBUG [io.undertow.request] (default I/O-3) Matched default handler path /v2/users/urlhistory 
12:26:31,831 DEBUG [io.undertow.request] (default I/O-3) Matched default handler path /v2/users/settings/followedGamesSettings

and eventually, when the application stops working, a 404 error:

12:27:17,255 DEBUG [io.undertow.request] (default I/O-1) Matched default handler path /

So somehow the Keycloak JS adapter or the Java adapter in Wildfly redirects requests that are supposed to go to example.com, and they go to keycloak.example.com ... I don't know what configuration does this. In the client config I don't have a Base Url or Root Url ... And this also happens with resources that are on Wildfly but not "protected" by Keycloak.

12:30:41,341 DEBUG [org.keycloak.adapters.elytron.KeycloakHttpServerAuthenticationMechanism] (default task-3) Evaluating request for path [http://api.example.com/v1/public/entries/us]
12:30:41,341 DEBUG [org.keycloak.adapters.PreAuthActionsHandler] (default task-3) adminRequest http://api.example.com/v1/public/entries/us
12:30:41,341 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-3) --> authenticate()
12:30:41,341 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-3) try bearer
12:30:41,341 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-3) try query paramter auth
12:30:41,341 TRACE [org.keycloak.adapters.RequestAuthenticator] (default task-3) try basic auth
12:30:41,341 DEBUG [org.keycloak.adapters.RequestAuthenticator] (default task-3) NOT_ATTEMPTED: bearer only
12:30:41,341 INFO  [TRACELOGGER] (default task-3) n/a: GET: /v1/public/entries/us


