CORS issue when using Keycloak with WF26

Skip to first unread message

Filou Tage

Sep 19, 2022, 2:31:35 PMSep 19
to WildFly

I'm having CORS issues when using Keycloak (19.0.1) with WF26.

Everything works fine as long as the Keycloak session is active.
However, when the session expires and I perform an AJAX call, I get an HTTP 302 response redirecting me to the keycloak login page and a subsequent CORS issue with "No 'Access-Control-Allow-Origin' header is present on the requested resource". The end user result is that the AJAX call doesn't do anything.

As far as I understand I should rather get an HTTP 401 and handle it in my front to perform a full browser redirect (as suggested here: The problem is that none of my code gets executed before this redirect (I tried to add a CorsFilter for instance, adding the needed headers). I can see that some undertow code gets executed, but then nothing below that.
So I don't see how I could change this behavior and provide a 401 instead of 302 in this case, which is why I write this message.

I've configured a oidc.json file in my app (and therefore configured OIDC as auth method in the web.xml):
"realm": "myRealm",
"auth-server-url": "http://x.x.x.x:8080/",
"ssl-required": "none",
"resource": "myClient",
"verify-token-audience": true,
"credentials": {
"secret": "someSecret"
"use-resource-role-mappings": false,
"enable-cors": true,
"cors-allowed-methods" : "*",
"cors-exposed-headers" : "*",
"cors-allowed-headers" : "*",
"cors-max-age" : 123456789,

I've tried adding filters in the standalone.xml, under the undertow subsystem:
<response-header name="Access-Control-Allow-Origin" header-name="Access-Control-Allow-Origin" header-value="*"/>
                <response-header name="Access-Control-Allow-Methods" header-name="Access-Control-Allow-Methods" header-value="*"/>
                <response-header name="Access-Control-Allow-Headers" header-name="Access-Control-Allow-Headers" header-value="*"/>
                <response-header name="Access-Control-Allow-Credentials" header-name="Access-Control-Allow-Credentials" header-value="true"/>

And I've set Web Origins to "*" in Keycloak (also: confidential mode)

As for my environment, I'm using a JSF application (packaged in a WAR, and this war is packaged in an EAR alongside other custom JAR/libs)

Any help on this would be greatly appreciated. If I can provide more details, don't hesitate to ask :)
Reply all
Reply to author
0 new messages