Customizing Access-Control-Allow-Headers

Within an Angular application we’re building we’re using a client library that interacts with the Identity Providers portion of Keycloak to perform a brokered authentication to an OIDC IdP.

We are not using any Keycloak adapters, just fairly standard OIDC patterns. One wrinkle: this library is aware of DPoP and is providing a "dpop" header as part of the pre-flight request, and it is being rejected because dpop is not a valid header in keycloak/Cors.java at master · keycloak/keycloak · GitHub

Are these header values configurable in some way I'm not seeing? Or can the Cors implementation be overridden with an extension?

Thanks!
jc


Hi Folks,

I am facing the same issue that joshdcollins did.

I am using Spring Security 5.6.1, an Angular v10 frontend and the codecentric/keycloak Helm chart v12.
I am trying to implement OpenID Connect 1.0 Logout.

I also have CSRF protection turned on, which means that Angular and Spring pass an XSRF-TOKEN cookie and an X-XSRF-TOKEN header to prohibit CSRF attacks.

When using the OpenID 1.0 Logout, Spring successfully logs the user out, invalidates the session and cookies, and then creates a redirect to Keycloak.
Because Keycloak is hosted on a different domain, the browser creates a CORS preflight. Keycloak fails this preflight with the error:

Access to XMLHttpRequest http://kklkvslv at from origin ‘http://dfhsdjfhdsjhh’ has been blocked by CORS policy: Request header field x-xsrf-token is not allowed by Access-Control-Allow-Headers in preflight response.

My question: is there any way to configure Keycloak to allow such a header?

Thanks,

Steve
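Both posts above hit the same browser check: every header named in the preflight's Access-Control-Request-Headers must appear (case-insensitively) in the server's Access-Control-Allow-Headers, or the request is blocked with the error Steve quotes. The snippet below is an added example, not code from this thread or from Keycloak; it emulates that check against a constructed allow list (not copied from Cors.java) for the two headers discussed, "dpop" and "X-XSRF-TOKEN", and also covers the wildcard rule that applies once cookies are involved.

```javascript
// Added example: emulate the browser's Access-Control-Allow-Headers check
// that produces "Request header field ... is not allowed by
// Access-Control-Allow-Headers in preflight response".

// Constructed allow list standing in for a server's preflight response.
// It is NOT Keycloak's real list; it only illustrates a list without the
// two headers the thread is about.
const SERVER_ALLOW_HEADERS =
  "Origin, Accept, X-Requested-With, Content-Type, Authorization";

// Header names are case-insensitive, so compare them lowercased.
function parseHeaderList(value) {
  if (!value) return [];
  return value.split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
}

// Requested header names the browser would reject. `credentialed` mirrors
// fetch's credentials mode: when cookies are sent, a literal "*" in
// Access-Control-Allow-Headers is not a wildcard. Even without credentials,
// the wildcard never covers Authorization; it must be listed explicitly.
function disallowedPreflightHeaders(requestHeadersValue, allowHeadersValue, credentialed) {
  const requested = parseHeaderList(requestHeadersValue);
  const allowed = parseHeaderList(allowHeadersValue);
  if (!credentialed && allowed.includes("*")) {
    return requested.filter((h) => h === "authorization" && !allowed.includes(h));
  }
  return requested.filter((h) => !allowed.includes(h));
}

// Simulates one preflight: the headers the client intends to send versus the
// server's Access-Control-Allow-Headers. Cookies (credentialed) by default.
function simulatePreflight(requestHeadersValue, allowHeadersValue, credentialed = true) {
  const blocked = disallowedPreflightHeaders(requestHeadersValue, allowHeadersValue, credentialed);
  if (blocked.length === 0) return { ok: true, blocked: [] };
  return {
    ok: false,
    blocked,
    message: `Request header field ${blocked[0]} is not allowed by ` +
      "Access-Control-Allow-Headers in preflight response.",
  };
}

// The two cases from the thread: the DPoP-aware client and the Spring CSRF header.
console.log(simulatePreflight("dpop, authorization", SERVER_ALLOW_HEADERS));
console.log(simulatePreflight("X-XSRF-TOKEN, Content-Type", SERVER_ALLOW_HEADERS));
```

The fix is therefore on the server side: the header name must be added to the list Keycloak returns, which is what the linked issue asks for.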

Please see this: [CORS] Allow Access-Control-Allow-Headers customization · Issue #12682 · keycloak/keycloak · GitHub