CORS issue when using Keycloak with WF26


Filou Tage

Sep 19, 2022, 2:31:35 PM
to WildFly
Hey,

I'm having CORS issues when using Keycloak (19.0.1) with WF26.

Everything works fine as long as the Keycloak session is active.
However, when the session expires and I perform an AJAX call, I get an HTTP 302 response redirecting me to the Keycloak login page, followed by a CORS error: "No 'Access-Control-Allow-Origin' header is present on the requested resource". The end-user result is that the AJAX call doesn't do anything.

As far as I understand, I should instead get an HTTP 401 and handle it in my front end by performing a full browser redirect (as suggested here: https://keycloak.discourse.group/t/cors-error-in-refresh-token-by-xhr/7818). The problem is that none of my code gets executed before this redirect (I tried adding a CorsFilter, for instance, which adds the needed headers). I can see that some Undertow code gets executed, but nothing below that.
So I don't see how I could change this behavior and return a 401 instead of a 302 in this case, which is why I'm writing this message.

I've configured an oidc.json file in my app (and therefore configured OIDC as the auth method in web.xml):

    {
      "realm": "myRealm",
      "auth-server-url": "http://x.x.x.x:8080/",
      "ssl-required": "none",
      "resource": "myClient",
      "verify-token-audience": true,
      "credentials": {
        "secret": "someSecret"
      },
      "use-resource-role-mappings": false,
      "enable-cors": true,
      "cors-allowed-methods": "*",
      "cors-exposed-headers": "*",
      "cors-allowed-headers": "*",
      "cors-max-age": 123456789
    }

I've tried adding filters in standalone.xml, under the undertow subsystem:

    <response-header name="Access-Control-Allow-Origin" header-name="Access-Control-Allow-Origin" header-value="*"/>
    <response-header name="Access-Control-Allow-Methods" header-name="Access-Control-Allow-Methods" header-value="*"/>
    <response-header name="Access-Control-Allow-Headers" header-name="Access-Control-Allow-Headers" header-value="*"/>
    <response-header name="Access-Control-Allow-Credentials" header-name="Access-Control-Allow-Credentials" header-value="true"/>

And I've set Web Origins to "*" in Keycloak (the client is also in confidential mode).

As for my environment, I'm using a JSF application (packaged in a WAR, and this WAR is packaged in an EAR alongside other custom JARs/libs).

Any help on this would be greatly appreciated. If I can provide more details, don't hesitate to ask :)
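The client-side half of the approach the post refers to (treat an expired session as a signal for a full-page navigation rather than letting the AJAX call follow the redirect), as an added example. This is not code from the original post, from WildFly or from Keycloak. It assumes the backend answers an expired-session AJAX call either with the 302 to the Keycloak login page described in the post or with the 401 the poster would prefer; both cases are mapped to the same verdict. The `deps` injection points, the `X-Requested-With`/`Accept` headers and the sample responses in the test are assumptions for illustration, and `X-Requested-With` is a non-simple header, so the backend's CORS configuration must allow it (the posted config allows "*").

```javascript
// Added example, not from the original post or from WildFly/Keycloak.
// Browser-side fetch wrapper for the failure mode in the post: an expired
// OIDC session turns an AJAX call into a 302 to the IdP, which the browser
// follows cross-origin and then fails on CORS.

// Classify a Response (or any object with the same shape) into an action.
// Returns "ok", "session-expired" or "error".
function classifyResponse(res) {
  // With fetch(url, { redirect: "manual" }) the browser does not follow a
  // 3xx; it hands back an "opaqueredirect" response with status 0. That
  // stops the cross-origin hop to the login page, which is what produced
  // the "No 'Access-Control-Allow-Origin' header" error in the post.
  if (res.type === "opaqueredirect") return "session-expired";
  // The response the post says the backend should send instead.
  if (res.status === 401) return "session-expired";
  if (res.ok) return "ok";
  return "error";
}

// Wrapper around fetch. `deps` is a hypothetical injection point so the
// function can be exercised outside a browser; it is not a WildFly API.
async function apiFetch(url, options = {}, deps = {}) {
  const fetchImpl = deps.fetchImpl || fetch;
  const navigate = deps.navigate || ((u) => window.location.assign(u));
  const currentUrl = deps.currentUrl || (() => window.location.href);

  const res = await fetchImpl(url, {
    ...options,
    credentials: "include", // send the session cookie to the backend
    redirect: "manual",     // never follow the 302 to the IdP from script
    headers: {
      ...(options.headers || {}),
      // Marks the call as AJAX for backends that distinguish XHR from page
      // navigations. Non-simple header: must be in Access-Control-Allow-Headers.
      "X-Requested-With": "XMLHttpRequest",
      Accept: "application/json",
    },
  });

  const verdict = classifyResponse(res);
  if (verdict === "session-expired") {
    // Full browser navigation back into the app. The OIDC mechanism then
    // redirects the whole page to Keycloak and back, re-establishing the
    // session. A top-level navigation is not subject to CORS.
    navigate(currentUrl());
    return { verdict, body: null };
  }
  if (verdict === "error") {
    return { verdict, body: null, status: res.status };
  }
  return { verdict, body: await res.json() };
}
```

Note that `redirect: "manual"` exists only on the Fetch API; a plain `XMLHttpRequest` (which JSF's built-in AJAX uses) always follows redirects transparently, so for those calls the only workable signal is the 401 the post asks for, detected server-side before the OIDC redirect is issued.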