Keycloak - Preflight missing allow origin header

Hey everyone,

I am trying to authenticate users with Keycloak to access my Java application using the Keycloak Java Servlet Filter Adapter.

At the moment everything works fine until the user performs an action that triggers a CORS request to GET some data from a different path in my application (e.g. /path2/someinfo). When this happens the AJAX request made from /path1 is blocked, because the response to the preflight request (OPTIONS) does not carry an Access-Control-Allow-Origin header. Since the preflight is sent to my application rather than to the Keycloak server, it is presumably the Keycloak adapter in the app that should be adding the header; note also that a request to another path on the same scheme/host/port is not cross-origin at all, so the page and the API must be served from different origins for CORS to be involved.

I tried setting Web Origins in my Keycloak client to a URL such as “https://localhost:8888”, as well as + and *. None of these worked. I also have enable-cors: true set in my keycloak.json file. (Note that the Web Origins entry must match the browser's Origin header exactly — scheme, host and port; the client export below lists https://192.168.1.77:8443, which is not the same origin as https://localhost:8888. A value of * should only be used for local debugging, since it allows any origin to call the application.)

Any idea how I can fix this?
I have tried everything I have found online with no luck.

Thanks in advance.

Could you follow GitHub - jangaraj/keycloak-cors-issue-debugging (recommendations on how to solve and debug CORS issues when Keycloak is used as the IdP), please?
It also describes what to report when you have a CORS issue. For example, it is not clear which flow you are using or how you configured the client, …

Hey, thanks for the reply.

I’m using Keycloak 12.0.1 and I have also tried Keycloak 11.

I’m using the Authorization Code flow without PKCE.
For the client I am using the Java Servlet Filter Adapter, with this config file (note: the credentials.secret below is the client's real secret in clear text — now that it has been posted publicly it should be treated as compromised and regenerated in Keycloak):

{
  "realm": "master",
  "auth-server-url": "http://localhost:9090/auth/",
  "ssl-required": "external",
  "resource": "testapp",
  "enable-cors": true,
  "verify-token-audience": true,
  "credentials": {
    "secret": "4ee80bf4-93b9-4fd8-814a-495748c1b9d0"
  },
  "confidential-port": 0
}

And this is the client configuration in Keycloak (note that directAccessGrantsEnabled, serviceAccountsEnabled and authorizationServicesEnabled are all true even though only the Authorization Code flow is used; grants that are not needed should be disabled to reduce the client's attack surface):

{
      "id": "3618d93f-2c7a-4abe-ad5a-270c1763a42a",
      "clientId": "testapp",
      "rootUrl": "",
      "surrogateAuthRequired": false,
      "enabled": true,
      "alwaysDisplayInConsole": false,
      "clientAuthenticatorType": "client-secret",
      "secret": "**********",
      "redirectUris": [
        "https://192.168.1.77:8443/*"
      ],
      "webOrigins": [
        "https://192.168.1.77:8443"
      ],
      "notBefore": 0,
      "bearerOnly": false,
      "consentRequired": false,
      "standardFlowEnabled": true,
      "implicitFlowEnabled": false,
      "directAccessGrantsEnabled": true,
      "serviceAccountsEnabled": true,
      "authorizationServicesEnabled": true,
      "publicClient": false,
      "frontchannelLogout": false,
      "protocol": "openid-connect",
      "attributes": {
        "saml.assertion.signature": "false",
        "saml.force.post.binding": "false",
        "saml.multivalued.roles": "false",
        "saml.encrypt": "false",
        "saml.server.signature": "false",
        "saml.server.signature.keyinfo.ext": "false",
        "exclude.session.state.from.auth.response": "false",
        "saml_force_name_id_format": "false",
        "saml.client.signature": "false",
        "tls.client.certificate.bound.access.tokens": "false",
        "saml.authnstatement": "false",
        "display.on.consent.screen": "false",
        "saml.onetimeuse.condition": "false"
      },
      "authenticationFlowBindingOverrides": {},
      "fullScopeAllowed": false,
      "nodeReRegistrationTimeout": -1,
      "protocolMappers": [
        {
          "id": "8ccecdf9-ded7-4f1c-a015-0483b6aa0a4d",
          "name": "Client ID",
          "protocol": "openid-connect",
          "protocolMapper": "oidc-usersessionmodel-note-mapper",
          "consentRequired": false,
          "config": {
            "user.session.note": "clientId",
            "id.token.claim": "true",
            "access.token.claim": "true",
            "claim.name": "clientId",
            "jsonType.label": "String"
          }
        },
        {
          "id": "330a8735-af5f-4899-967f-3805b724de37",
          "name": "Client IP Address",
          "protocol": "openid-connect",
          "protocolMapper": "oidc-usersessionmodel-note-mapper",
          "consentRequired": false,
          "config": {
            "user.session.note": "clientAddress",
            "id.token.claim": "true",
            "access.token.claim": "true",
            "claim.name": "clientAddress",
            "jsonType.label": "String"
          }
        },
        {
          "id": "16607424-62c2-4416-a445-312963d7b811",
          "name": "Client Host",
          "protocol": "openid-connect",
          "protocolMapper": "oidc-usersessionmodel-note-mapper",
          "consentRequired": false,
          "config": {
            "user.session.note": "clientHost",
            "id.token.claim": "true",
            "access.token.claim": "true",
            "claim.name": "clientHost",
            "jsonType.label": "String"
          }
        }
      ],
      "defaultClientScopes": [
        "web-origins",
        "role_list",
        "profile",
        "roles",
        "email"
      ],
      "optionalClientScopes": [
        "address",
        "phone",
        "offline_access",
        "microprofile-jwt"
      ],
      "authorizationSettings": {
        "allowRemoteResourceManagement": true,
        "policyEnforcementMode": "ENFORCING",
        "resources": [
          {
            "name": "Default Resource",
            "type": "urn:testapp:resources:default",
            "ownerManagedAccess": false,
            "attributes": {},
            "_id": "00c92519-aecf-46be-803f-48b80c58fdbe",
            "uris": [
              "/*"
            ]
          }
        ],
        "policies": [
          {
            "id": "6a423f9b-3719-4803-b5ff-37b30cb7195d",
            "name": "Default Policy",
            "description": "A policy that grants access only for users within this realm",
            "type": "js",
            "logic": "POSITIVE",
            "decisionStrategy": "AFFIRMATIVE",
            "config": {
              "code": "// by default, grants any permission associated with this policy\n$evaluation.grant();\n"
            }
          },
          {
            "id": "1382c805-d4cf-4585-801f-85dcaf0360a9",
            "name": "Default Permission",
            "description": "A permission that applies to the default resource type",
            "type": "resource",
            "logic": "POSITIVE",
            "decisionStrategy": "UNANIMOUS",
            "config": {
              "defaultResourceType": "urn:testapp:resources:default",
              "applyPolicies": "[\"Default Policy\"]"
            }
          }
        ],
        "scopes": [],
        "decisionStrategy": "UNANIMOUS"
      }
    }

I have tried both Chrome and Firefox, in case the browser was the issue, but the result is the same.

Could you provide a HAR file showing the issue, please? (Redact cookies, Authorization headers and tokens before posting it — a HAR captures them in full.) You are using Authorization Services, so that seems likely to be the problem.