mariovalney / laravel-keycloak-web-guard

Simple Keycloak Guard to Laravel Web Routes - https://packagist.org/packages/vizir/laravel-keycloak-web-guard

Problem with Cors and web middleware #44

Closed homeoftheunits closed 3 years ago

homeoftheunits commented 3 years ago

Hey guys,

I have a problem with the logout when I add the web middleware:

            Route::middleware(['web', 'keycloak'])
                //->middleware('keycloak')
                ->namespace($this->namespace)
                ->group(base_path('routes/web.php'));

I do this to make the route model binding work. When I do it like your documentation, the logout works, but not the model binding. With the web middleware, I got a CORS error; login works correctly.

Cheers Ralf

mariovalney commented 3 years ago

Hi.

Would you please try to add logout to VerifyCsrfToken except?

homeoftheunits commented 3 years ago

Hi,

I added this to the AuthController:

    public function __construct()
    {
        $this->middleware(\App\Http\Middleware\VerifyCsrfToken::class, ['except' => ['logout']]);
    }

But the result is the same.

Cheers Ralf

mariovalney commented 3 years ago

I'm not sure this is the way.

Please try something like this:

    <?php

    namespace App\Http\Middleware;

    use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as Middleware;

    class VerifyCsrfToken extends Middleware
    {
        /**
         * The URIs that should be excluded from CSRF verification.
         *
         * @var array
         */
        protected $except = [
            'logout', // Or the URL in config, if you changed it
        ];
    }

homeoftheunits commented 3 years ago

same :(

mariovalney commented 3 years ago

Well.. let's try another approach.

Here is my local environment: https://github.com/mariovalney/laravel-keycloak-web-guard-example

I checked here and I'm able to use model binding on a controller with keycloak-web.

This way you are not required to overwrite the AuthController. If you need to do something before AuthController, you can create your own route and redirect to route('keycloak.logout');.

homeoftheunits commented 3 years ago

It looks like I solved this. We use InertiaJS, and the logout button is an Inertia-Link attribute. When I use an a-attribute for the link, it works. Very strange.

In this case, the binding works fine and I don't have a CORS error from Keycloak:

    Route::middleware(['web', 'keycloak'])
        ->namespace($this->namespace)
        ->group(base_path('routes/web.php'));

By the way, you can renounce StartSession::class in your ServiceProvider. The web middleware group includes that.
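
The behaviour reported in the last comment matches how Inertia links work: they send XHR visits, and an XHR that follows the logout redirect to the Keycloak origin is subject to CORS, while a plain anchor triggers a normal browser navigation. As an added example (not code from this thread or from the package), here is a logout route that keeps Inertia links usable by forcing a full page visit. The /app-logout path and the app.logout route name are hypothetical, and it assumes the inertia-laravel adapter is installed and that the file is loaded under the ['web', 'keycloak'] group shown above.

```php
<?php
// routes/web.php (added example; '/app-logout' and 'app.logout' are hypothetical names)

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;
use Inertia\Inertia;

Route::get('/app-logout', function (Request $request) {
    // Inertia visits are XHR requests that carry the X-Inertia header.
    if ($request->header('X-Inertia')) {
        // Inertia::location() answers with 409 and an X-Inertia-Location header,
        // so the client does a full page visit (window.location) instead of
        // following the redirect chain to Keycloak inside the XHR, where the
        // cross-origin hop would be blocked by the browser's CORS checks.
        return Inertia::location(route('keycloak.logout'));
    }

    // Plain <a href> navigation: an ordinary server-side redirect is enough.
    return redirect()->route('keycloak.logout');
})->name('app.logout');
```

This leaves Keycloak's CORS settings untouched and needs no CSRF exception, because the route is a GET that only hands the browser over to the package's own keycloak.logout route.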