mauriciovigolo / keycloak-angular

Easy Keycloak setup for Angular applications.
MIT License

CORS blocked #91

Closed Danny-P closed 4 years ago

Danny-P commented 6 years ago

I have set up Keycloak on a different host than my Angular application. When I access the Angular application I get redirected to the login page. After logging in, the Angular app tries to load, but then I get CORS errors: "Cross-Origin Request blocked". Where do I need to configure CORS, and which changes are necessary?

mauriciovigolo commented 6 years ago

Hi @Danny-P, could you send more information about your app? This kind of error is usually related to a config error. I would need more information to help you, like a sample project with the error and your configs on Keycloak. Thanks!

ulise commented 6 years ago

Same here. The login request doesn't have an Origin header (but a Referer) and is accepted by my Keycloak. The token request has an Origin header with the hostname only (the Referer has the complete base URL) and is blocked by Keycloak.

Failed to load https://keycloak.url/auth/realms/myrealm/protocol/openid-connect/token: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://ressource-url' is therefore not allowed access. The response had HTTP status code 400.
Origin: https://ressource-url
Referer: https://ressource-url/base-href/

mauriciovigolo commented 6 years ago

@ulise, this is related to a config in your Keycloak server. You have to set up the Web Origins of your client, 'https://ressource-url', on Keycloak.

ulise commented 6 years ago

@mauriciovigolo, I did. I tried all settings: 'https://ressource-url', + and *. Same effect.

mauriciovigolo commented 6 years ago

@ulise, did you try, just for testing purposes, to leave only * in the Web Origins field?

ulise commented 6 years ago

@mauriciovigolo: Sorry, I'm out for some days, so I cannot verify this right now. But CORS headers with a '*' are not accepted with credentials, so setting the 'correct' Web Origins should do the job. I will give it a try soon. We have some apps running with angular.js and the same Keycloak. I'll figure out the diffs.
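
The Web Origins matching discussed in the two comments above, written up as an added example (this is not code from keycloak-angular or Keycloak): it models how a client's Web Origins list is compared against the browser's Origin header, and whether the browser then accepts the returned header when the request carries credentials. The '+' and '*' semantics follow the Keycloak admin console help text; the `webapp` client object and all origins below are constructed for illustration.

```javascript
// Added example, not Keycloak's own implementation. Assumed semantics of the
// per-client "Web Origins" list (from the admin console help text):
//   - an exact entry allows exactly that origin
//   - "+" allows the origins of all Valid Redirect URIs
//   - "*" allows any origin
// Browser rule (Fetch spec): "Access-Control-Allow-Origin: *" is rejected when
// the request was sent with credentials; only an echoed exact origin is accepted.

// A browser's Origin header is scheme://host[:port] with no path. This is why the
// thread sees "Origin: https://ressource-url" next to
// "Referer: https://ressource-url/base-href/".
function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// Origins derived from absolute redirect URIs; relative or unparsable entries
// carry no origin and are skipped.
function originsOfRedirectUris(redirectUris) {
  const origins = [];
  for (const r of redirectUris) {
    if (!/^https?:\/\//.test(r)) continue;
    try {
      origins.push(originOf(r));
    } catch {
      // unparsable entry, skip it
    }
  }
  return origins;
}

// Access-Control-Allow-Origin value the server would send for requestOrigin, or
// null when the origin is not permitted. A null here is what the browser reports
// as "No 'Access-Control-Allow-Origin' header is present on the requested resource".
function allowedOrigin(client, requestOrigin) {
  const webOrigins = client.webOrigins.filter((o) => o !== '');
  if (webOrigins.includes(requestOrigin)) return requestOrigin;
  if (webOrigins.includes('+') &&
      originsOfRedirectUris(client.redirectUris).includes(requestOrigin)) {
    return requestOrigin;
  }
  if (webOrigins.includes('*')) return '*';
  return null;
}

// Does the browser accept this ACAO header for a request from requestOrigin?
function browserAccepts(acao, requestOrigin, withCredentials) {
  if (acao === null) return false;
  if (acao === '*') return !withCredentials;
  return acao === requestOrigin;
}

// End-to-end check: what header is sent, and does the browser let the response through?
function diagnose(client, requestOrigin, withCredentials = false) {
  const acao = allowedOrigin(client, requestOrigin);
  return { acao, ok: browserAccepts(acao, requestOrigin, withCredentials) };
}

// Constructed client: a public SPA client whose only registered origin is the
// local dev server, while the real app is served from another host.
const webapp = {
  clientId: 'webapp',
  redirectUris: ['http://localhost:4200/'],
  webOrigins: ['http://localhost:4200'],
};

console.log(diagnose(webapp, 'http://localhost:4200'));   // { acao: 'http://localhost:4200', ok: true }
console.log(diagnose(webapp, 'https://ressource-url'));   // { acao: null, ok: false }  -> the error in this thread
console.log(diagnose({ ...webapp, webOrigins: ['*'] }, 'https://ressource-url', true)); // { acao: '*', ok: false }
```

The last line shows why a wildcard is not a fix once credentials are involved: the header is sent, but the browser discards the response, so the only working configuration is the app's exact origin (or '+' with a matching absolute redirect URI).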

Danny-P commented 6 years ago

@mauriciovigolo now I am back and I have done some more tests. My app is running on a different server than Keycloak does. I have set up the keycloak-heroes example from the latest GitHub. This is the configuration in environment.ts:

```typescript
import { KeycloakConfig } from 'keycloak-angular';

// Keycloak server URL, realm and client ID used by the heroes example
let keycloakConfig: KeycloakConfig = {
  url: 'https://keycloak-server/auth',
  realm: 'MA-Portal',
  clientId: 'webapp'
};
```

And this is the configuration in Keycloak:

form", "description": "registration form", "providerId": "form-flow", "topLevel": false, "builtIn": true, "authenticationExecutions": [ { "authenticator": "registration-user-creation", "requirement": "REQUIRED", "priority": 20, "userSetupAllowed": false, "autheticatorFlow": false }, { "authenticator": "registration-profile-action", "requirement": "REQUIRED", "priority": 40, "userSetupAllowed": false, "autheticatorFlow": false }, { "authenticator": "registration-password-action", "requirement": "REQUIRED", "priority": 50, "userSetupAllowed": false, "autheticatorFlow": false }, { "authenticator": "registration-recaptcha-action", "requirement": "DISABLED", "priority": 60, "userSetupAllowed": false, "autheticatorFlow": false } ] }, { "id": "ee15c16d-937c-4da1-9c03-0b6eab089ffc", "alias": "reset credentials", "description": "Reset credentials for a user if they forgot their password or something", "providerId": "basic-flow", "topLevel": true, "builtIn": true, "authenticationExecutions": [ { "authenticator": "reset-credentials-choose-user", "requirement": "REQUIRED", "priority": 10, "userSetupAllowed": false, "autheticatorFlow": false }, { "authenticator": "reset-credential-email", "requirement": "REQUIRED", "priority": 20, "userSetupAllowed": false, "autheticatorFlow": false }, { "authenticator": "reset-password", "requirement": "REQUIRED", "priority": 30, "userSetupAllowed": false, "autheticatorFlow": false }, { "authenticator": "reset-otp", "requirement": "OPTIONAL", "priority": 40, "userSetupAllowed": false, "autheticatorFlow": false } ] }, { "id": "98de6d07-f7b3-4b31-85d3-63ad020c1b56", "alias": "saml ecp", "description": "SAML ECP Profile Authentication Flow", "providerId": "basic-flow", "topLevel": true, "builtIn": true, "authenticationExecutions": [ { "authenticator": "http-basic-authenticator", "requirement": "REQUIRED", "priority": 10, "userSetupAllowed": false, "autheticatorFlow": false } ] } ], "authenticatorConfig": [ { "id": 
"a493b6d0-a527-43e2-8b27-13e211c1d96e", "alias": "create unique user config", "config": { "require.password.update.after.registration": "false" } }, { "id": "fcaee1e1-4b89-4644-a98c-8b1eaef639ea", "alias": "review profile config", "config": { "update.profile.on.first.login": "missing" } } ], "requiredActions": [ { "alias": "CONFIGURE_TOTP", "name": "Configure OTP", "providerId": "CONFIGURE_TOTP", "enabled": true, "defaultAction": false, "priority": 10, "config": {} }, { "alias": "terms_and_conditions", "name": "Terms and Conditions", "providerId": "terms_and_conditions", "enabled": false, "defaultAction": false, "priority": 20, "config": {} }, { "alias": "UPDATE_PASSWORD", "name": "Update Password", "providerId": "UPDATE_PASSWORD", "enabled": true, "defaultAction": false, "priority": 30, "config": {} }, { "alias": "UPDATE_PROFILE", "name": "Update Profile", "providerId": "UPDATE_PROFILE", "enabled": true, "defaultAction": false, "priority": 40, "config": {} }, { "alias": "VERIFY_EMAIL", "name": "Verify Email", "providerId": "VERIFY_EMAIL", "enabled": true, "defaultAction": false, "priority": 50, "config": {} } ], "browserFlow": "browser", "registrationFlow": "registration", "directGrantFlow": "direct grant", "resetCredentialsFlow": "reset credentials", "clientAuthenticationFlow": "clients", "dockerAuthenticationFlow": "docker auth", "attributes": { "_browser_header.xXSSProtection": "1; mode=block", "_browser_header.strictTransportSecurity": "max-age=31536000; includeSubDomains", "_browser_header.xFrameOptions": "SAMEORIGIN", "permanentLockout": "false", "quickLoginCheckMilliSeconds": "1000", "_browser_header.xRobotsTag": "none", "maxFailureWaitSeconds": "900", "minimumQuickLoginWaitSeconds": "60", "failureFactor": "30", "actionTokenGeneratedByUserLifespan": "300", "maxDeltaTimeSeconds": "43200", "_browser_header.xContentTypeOptions": "nosniff", "actionTokenGeneratedByAdminLifespan": "43200", "offlineSessionMaxLifespan": "5184000", "bruteForceProtected": "false", 
"_browser_header.contentSecurityPolicy": "frame-src 'self'; frame-ancestors 'self'; object-src 'none';", "offlineSessionMaxLifespanEnabled": "false", "waitIncrementSeconds": "60" }, "keycloakVersion": "4.4.0.Final", "userManagedAccessAllowed": false }

mauriciovigolo commented 6 years ago

Hi @Danny-P, I will take a look at this. Tks!

Danny-P commented 5 years ago

@mauriciovigolo Have you seen anything wrong in my configuration?

akash19901990 commented 5 years ago

@Danny-P I am facing the same issue, even after adding * in web origins on Keycloak. Did you figure out the solution yet? I am using Keycloak version 4.5 and my webapp is deployed in Jetty 9.2.

Danny-P commented 5 years ago

@akash19901990 Unfortunately not. I'm still running into this issue. Therefore I cannot use this library in my project for now :-(

wpcfan commented 5 years ago

@Danny-P did you set your client credential in Keycloak? If so, check your Keycloak log; it should say something related to the client secret. However, the browser got the CORS error instead of this specific error.

dsnoeck commented 5 years ago

I had the same issue. I followed this blog: https://symbiotics.co.za/integrating-keycloak-with-an-angular-4-web-application-part-2/ and then changed the client config from Web Origins: * to Web Origins: +.

ayratn2018 commented 5 years ago
  1. We had a similar issue, try to add Web Origins to "admin-cli" instead of "webapp" client since you use public endpoint (I see yours is empty). This solution works for us.

  2. Also you can enable logging in Keycloak, we did it this way (we use Red Hat SSO):

```
cd /opt/eap/bin
./jboss-cli.sh
connect
/subsystem=logging/logger=org.keycloak.services.resources:add(level=DEBUG)
```

     If it prints that your URL is "not in null", then it means that your configuration wasn't taken into account.

  3. Finally there is a known issue: if you send some wrong request to Keycloak/RHS, the CORS headers won't be returned in the response because this is handled by JBoss Wildfly/EAP. There is also a solution for it - to adjust standalone.xml (or standalone-openshift.xml) - but you'd better figure out why you are sending an incorrect request to them. We had such an experience when by mistake we were sending application/json instead of x-www-urlencoded, and the CORS configuration didn't work (so CORS hid the original issue for us). And we saw exactly the message "origin http://localhost:8080 not in allowed origins null" though "http://localhost:8080" was in the configuration.

Hope it helps :)
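The failure mode described in point 3 above (a rejected request answered without CORS headers, so the browser reports a CORS error instead of the real status) and the `*` / `+` Web Origins settings tried throughout this thread, as an added example that is not Keycloak's code: a simplified TypeScript model of the token endpoint's CORS decision. It follows the admin-console description of Web Origins (`*` permits any origin, `+` permits the origins of the Valid Redirect URIs, any other entry must equal the request's Origin header exactly); the status codes, the header set and the two sample clients are this model's own choices and constructed data, not Keycloak's.

```typescript
// Added example (not Keycloak's own code): a simplified model of how a client's
// Web Origins setting becomes the CORS headers a browser sees on the token
// endpoint. Status codes and the exact header set are this model's choices.

interface ClientConfig {
  clientId: string;
  accessType: 'public' | 'confidential';
  secret?: string;              // only set for confidential clients
  validRedirectUris: string[];  // e.g. "https://app.example/*"
  webOrigins: string[];         // e.g. ["+"], ["*"], ["https://app.example"]
}

interface TokenRequest {
  clientId: string;
  clientSecret?: string;        // what the browser actually sent, if anything
  origin: string;               // the Origin request header
}

interface TokenResponse {
  status: number;
  headers: Record<string, string>;
  reason?: string;              // what a DEBUG log line would report
}

// Origin (scheme://host[:port]) of a redirect URI pattern; null for relative URIs.
function originOf(uri: string): string | null {
  try {
    return new URL(uri).origin;
  } catch {
    return null;
  }
}

// Expand '+' into the redirect-URI origins; '*' is kept as a wildcard entry.
function resolveWebOrigins(client: ClientConfig): string[] {
  const allowed: string[] = [];
  for (const entry of client.webOrigins) {
    if (entry === '+') {
      for (const uri of client.validRedirectUris) {
        const o = originOf(uri);
        if (o !== null && allowed.indexOf(o) === -1) allowed.push(o);
      }
    } else if (allowed.indexOf(entry) === -1) {
      allowed.push(entry);
    }
  }
  return allowed;
}

// Client authentication as the token endpoint sees it: a confidential client
// must present its secret, which keycloak-js 8+ cannot do from the browser.
function authenticateClient(clients: ClientConfig[], req: TokenRequest): ClientConfig | null {
  for (const client of clients) {
    if (client.clientId !== req.clientId) continue;
    if (client.accessType === 'public') return client;
    return req.clientSecret !== undefined && req.clientSecret === client.secret ? client : null;
  }
  return null;
}

function tokenEndpoint(clients: ClientConfig[], req: TokenRequest): TokenResponse {
  const client = authenticateClient(clients, req);
  // Allowed origins are only known once the client has been identified; an
  // unauthenticated client therefore leaves them "null", which is exactly what
  // the debug line quoted in the thread reports.
  const allowed = client !== null ? resolveWebOrigins(client) : null;
  const originOk = allowed !== null && (allowed.indexOf('*') !== -1 || allowed.indexOf(req.origin) !== -1);

  if (!originOk) {
    const list = allowed === null ? 'null' : JSON.stringify(allowed);
    return {
      status: client === null ? 400 : 403,
      headers: {},
      reason: `origin ${req.origin} not in allowed origins ${list}`,
    };
  }
  return {
    status: 200,
    headers: {
      'Access-Control-Allow-Origin': req.origin,   // the request origin is echoed back
      'Access-Control-Allow-Credentials': 'true',
    },
  };
}

// What the browser console reports: without an Access-Control-Allow-Origin
// header the real status is hidden behind a generic CORS error.
function browserView(resp: TokenResponse): string {
  return 'Access-Control-Allow-Origin' in resp.headers
    ? `HTTP ${resp.status}`
    : `CORS error (server actually answered HTTP ${resp.status})`;
}

// Constructed sample clients for the scenarios discussed in the thread.
const SAMPLE_CLIENTS: ClientConfig[] = [
  { clientId: 'webapp', accessType: 'public', validRedirectUris: ['https://app.example/*'], webOrigins: ['+'] },
  { clientId: 'legacy', accessType: 'confidential', secret: 'constructed-secret',
    validRedirectUris: ['https://app.example/*'], webOrigins: ['*'] },
];
```

Compare `tokenEndpoint(SAMPLE_CLIENTS, { clientId: 'legacy', origin: 'https://app.example' })` with `browserView` of the result: the server answers 400 because no secret was sent, but the console shows only a CORS error, which is why regenerating the secret or switching the client to Public (as later comments report) makes the "CORS error" disappear.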

dcagnetta commented 5 years ago

After much frustration and trying out many options, this worked:

On the client, add the Default Client Scopes as below:

(screenshot of the client's Default Client Scopes, not preserved)

k3rne1pan1c commented 5 years ago

Mhm, sadly I'm facing the same issue. Before, I used the JSAdapter from Keycloak directly, but I found your lib and thought it would make things simpler. I'm wondering what you're doing differently from my solution, because before I used your lib I did not get any CORS errors at all.

rodelsimangan commented 5 years ago

Adding Client Secret in Keycloak config in environment.ts worked for me. See Pre-requisites (angular side) in https://medium.com/@sairamkrish/keycloak-integration-part-2-integration-with-angular-frontend-f2716c696a28.

I just noticed that apart from CORS Policy error in web browser console, I was getting CODE_TO_TOKEN_ERROR from the Terminal.

Hope this helps.

phamvanthang310 commented 5 years ago

Thanks @dcagnetta, It worked for me!

kai-chu commented 5 years ago

@rodelsimangan I regenerated my client secret id and set it in my keycloak.json file for my JS adapter, and it worked. I tried out a lot of solutions and restarted again and again; in the end it turned out it had nothing to do with CORS even though the console kept telling me there was a CORS problem. Thanks a lot.

scandinave commented 4 years ago

@rodelsimangan I regenerated my client secret id and set it in my keycloak.json file for my JS adapter, and it worked. I set up Web Origins to * or my localhost:3000 in the beginning; I can see in the Chrome console that an OPTIONS preflight request has gone through CORS but the later POST request failed. I tried out a lot of solutions and restarted again and again; in the end it turned out it had nothing to do with CORS even though the console kept telling me there was a CORS problem. Thanks a lot.

Maybe I don't understand your words, but are you saying you put your client secret in your JS client app? If this is the case, it's a big security issue, as a JS client can't keep a secret private. You must use a Public client instead, which has no "secret".

For the question, CORS is a problem on the server side, so in Keycloak or in your backend.

kai-chu commented 4 years ago

@rodelsimangan I regenerated my client secret id and set it in my keycloak.json file for my JS adapter, and it worked. I set up Web Origins to * or my localhost:3000 in the beginning; I can see in the Chrome console that an OPTIONS preflight request has gone through CORS but the later POST request failed. I tried out a lot of solutions and restarted again and again; in the end it turned out it had nothing to do with CORS even though the console kept telling me there was a CORS problem. Thanks a lot.

Maybe I don't understand your words, but are you saying you put your client secret in your JS client app? If this is the case, it's a big security issue, as a JS client can't keep a secret private. You must use a Public client instead, which has no "secret".

For the question, CORS is a problem on the server side, so in Keycloak or in your backend.

@scandinave, thanks for the comment. I don't know what I was trying to say at that time. But you are right, I don't use the secret key in my JS client in the end. I'm using a public client in my solution now.

mauriciovigolo commented 4 years ago

I'm closing this issue as it is related to the keycloak server-side configuration. If any error persists, then feel free to contact me on Slack or reopen the issue. Thanks.

tiagodiogo commented 4 years ago

Hello @mauriciovigolo, sorry to reopen this thread, but I believe I am facing the same type of issue. Keycloak 5.0.0, client configured with client secret and web origins: *. All works well when the user is authenticated; however, on the first login, when a secured endpoint is requested and a redirect to Keycloak is done, the response does not have the Access-Control-Allow-Origin headers and therefore is blocked by the browser. This client in particular is using a client secret (don't know if that impacts something or not).

(screenshot of the error, not preserved)

tiagodiogo commented 4 years ago

Further information, if useful: (screenshot not preserved)

KrishnaPDarbe commented 4 years ago

Hi All,

I am using Keycloak with Node.js: app.get("/complain", keycloak.protect(), complaintHandler);

But I am getting the CORS error when I am accessing the API from the Angular application, even after setting CORS at Node.js and Keycloak web origins; the error is as follows:

Access to fetch at 'http://localhost:8080/auth/realms/ABC/protocol/openid-connect/auth?client_id=testclient&state=8c20862c-d8dc-457b-841a-a08a44e567f6&redirect_uri=http%3A%2F%2Flocalhost%3A8000%2Fcomplain%3Fauth_callback%3D1&scope=openid&response_type=code' (redirected from 'http://localhost:8000/complain') from origin 'http://localhost:8000' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

Please do the needful, as it's critical.

xiaoshunxu commented 4 years ago

Using the implicit flow for Keycloak instead of the default authorization code flow solved my issue:

keycloak.init({
  ...
  initOptions: {
    flow: 'implicit',
  }
});

NitinNextGen commented 4 years ago

Hi Everyone,

I'm facing an issue on a similar front; below is the error:

Access to XMLHttpRequest at 'http://localhost:8080/auth/realms/uDS/protocol/openid-connect/token' from origin 'http://localhost:4200' has been blocked by CORS policy: Request header field access-control-allow-origin is not allowed by Access-Control-Allow-Headers in preflight response.

Solutions I tried till now:

1) web-origins =
2) allow origin =
3) allow method = *
4) allow credential = true

None of the above worked.

Any direction will be helpful; I'm ready to share more details if required.

alvigar commented 4 years ago

I have the same issue, and none of the things below work for me.

vbiginner commented 4 years ago

I am facing the same issue: calling a bearer-only Java application endpoint from Angular; both apps are added in Keycloak. Access to XMLHttpRequest at 'https://domain/auth/realms/myrealm/protocol/openid-connect/token' from origin 'https://client-domain' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

I tried all things available on the internet: configured my backend for CORS, set keycloak.cors = true, tried adding different web origins in the Keycloak client setup like *, +, client url.

Nothing has worked for me. Spent hours on this issue.

ypconstante commented 4 years ago

I've made some progress in discovering what's going on.

The easiest fix is to use version 7.0.1 of keycloak-js, and the latest of keycloak-angular.

Comparing the commits between version 7.0.1 and 8.0.0, the only change that I think could've caused this problem was this pull request; the Jira issue and the links on the pull request don't have any explanation of what needs to be migrated from the current behavior.

There's an issue, KEYCLOAK-12069, that was shipped with version 9.0.0, that seems to be a solution to this problem, but for now I wasn't able to check if it really is.

jziggas commented 4 years ago

I have experienced this as well with correct configurations. Even setting + and * to Valid Redirect URIs and Web Origins yields a CORS error.

Hill180 commented 4 years ago

I have the same issue. It works fine in public mode in JS. When I turn confidential on, it hits a CORS error. However, my PHP code works fine under confidential mode. Running Keycloak 9.0.3.

ypconstante commented 4 years ago

From keycloak-js version 8 onwards, the credentials option is not available (PR removing it), so you have to change the Access Type option to Public. You can use an older keycloak-js version to keep using confidential mode, even when using a more recent version on the server, but in practice it is the same thing, since the secret is available on the client for anyone to see.
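The point made in the comment above (no client secret in the browser, Access Type Public), together with the start-up check a practitioner would want before shipping, as an added TypeScript example that is neither keycloak-angular's nor this thread's code. `BrowserKeycloakOptions` is a hypothetical stand-in for the handful of keycloak-angular `KeycloakOptions` fields used here, the host, realm and client names are placeholders, and `pkceMethod: 'S256'` assumes a keycloak-js version with PKCE support; a public client on the authorization code flow with PKCE is the usual replacement for both the secret and the implicit-flow workaround mentioned earlier in the thread.

```typescript
// Added example (not keycloak-angular's code): the two browser-side client
// configurations this thread contrasts, plus a start-up guard.

// Hypothetical stand-in for the KeycloakOptions fields used in this example.
interface BrowserKeycloakOptions {
  config: {
    url: string;
    realm: string;
    clientId: string;
    credentials?: { secret: string };  // accepted by keycloak-js < 8, dropped in 8
  };
  initOptions: {
    onLoad?: 'login-required' | 'check-sso';
    pkceMethod?: 'S256';               // assumption: your keycloak-js supports PKCE
    checkLoginIframe?: boolean;
  };
}

// What the thread warns against: a confidential client driven from the browser.
// Anyone who loads the bundle can read the secret, so it protects nothing.
function confidentialBrowserOptions(): BrowserKeycloakOptions {
  return {
    config: {
      url: 'https://your.auth.server/auth',   // placeholder host
      realm: 'realm_name',                    // placeholder realm
      clientId: 'client_name',                // placeholder client
      credentials: { secret: 'constructed-secret-value' },
    },
    initOptions: { onLoad: 'login-required', checkLoginIframe: false },
  };
}

// Access Type "Public": no secret; PKCE binds the authorization code to this
// browser session instead.
function publicBrowserOptions(): BrowserKeycloakOptions {
  return {
    config: {
      url: 'https://your.auth.server/auth',
      realm: 'realm_name',
      clientId: 'client_name',
    },
    initOptions: { onLoad: 'login-required', pkceMethod: 'S256', checkLoginIframe: false },
  };
}

// Start-up guard: returns the findings that should stop the SPA from booting
// (or fail a build) before a secret or an unbound code flow reaches production.
function browserConfigFindings(opts: BrowserKeycloakOptions): string[] {
  const findings: string[] = [];
  if (opts.config.credentials !== undefined) {
    findings.push(`client "${opts.config.clientId}" ships a secret in the browser bundle; switch the client to Access Type Public`);
  }
  if (opts.initOptions.pkceMethod !== 'S256') {
    findings.push('authorization code flow without PKCE; set initOptions.pkceMethod to S256');
  }
  return findings;
}
```

Call `browserConfigFindings` from the APP_INITIALIZER factory that runs `keycloak.init` (or from a unit test) and refuse to start when it returns anything: the confidential variant yields two findings, the public one none.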

paultop6 commented 4 years ago

Thank you @ypconstante, saved me a lot of hours and pain.

Hill180 commented 4 years ago

Ditto, thanks @ypconstante.

alexpitacci commented 4 years ago

@vbiginner check your client in keycloak. Open the Scope tab and see if the Full Scope Allowed is checked. Otherwise you need to include on the same tab a Client Role for the "account" client named "view-profile"

rackymuthu commented 4 years ago

Both the CORS and CODE_TO_TOKEN_ERROR problems are solved after installing keycloak.js (7.0.1).

Thanks @ypconstante,

rackymuthu commented 4 years ago

Is it possible to authenticate the user without redirecting to the Keycloak login page using keycloak-angular?

jonkoops commented 4 years ago

Is it possible to authenticate the user without redirecting to the Keycloak login page using keycloak-angular?

@rackymuthu You'll need to use silent sso, see: https://github.com/mauriciovigolo/keycloak-angular/issues/185

rackymuthu commented 4 years ago

@jonkoops Thank you for your response. Based on the above conversation, Keycloak.js (7.0.1) is the only solution for the CORS issue. But Keycloak's 'silentCheckSsoRedirectUri' feature is only available from 10.x.

Is there any way to prevent the CORS block issue and at the same time use the silentCheckSsoRedirectUri feature?

jonkoops commented 4 years ago

@rackymuthu The CORS issue, as far as I can tell, is due to a misconfiguration in Keycloak; I'd recommend looking at a fix based on the comments in this thread.

ypconstante commented 4 years ago

@rackymuthu change the Access Type to Public. This comment is explaining why the change is needed for the new versions.

LucasLopesr commented 4 years ago

@rackymuthu change Access Type to Public. This comment is explaining why the change is needed for the new versions.

solved my problem, thanks

default23 commented 4 years ago

I solved CORS issues using a proxy.

In the Angular proxy config, write this code:

{ 
  "/auth": {
    "secure": false,
    "changeOrigin": true,
    "target": "https://your.auth.server"
  }
}

Angular Keycloak configuration:

export function keycloakInit(keycloak: KeycloakService): () => Promise<any> {
  return (): Promise<any> =>
    keycloak.init({
      config: {
        url: 'https://your.auth.server/auth',
        realm: 'realm_name',
        clientId: 'client_name',
        credentials: {
          secret: 'awesome_secret'
        }
      },
      initOptions: {
        onLoad: 'login-required',
        checkLoginIframe: false
      },
      enableBearerInterceptor: true
    });
}

The idea is that when the user goes to the authentication form, he goes directly to the Keycloak website that is specified in the configuration. But requests for obtaining a token or account will be rewritten using the http interceptor, which in turn go through a proxy server, so the browser stops generating errors about CORS, since the requests go to the URL from which the current application is running, like http://localhost:4200/auth/realms/realm_name/protocol/openid-connect/token. For this purpose I wrote the following code, which is imported into the main.ts file:


import { environment } from './environments/environment'; // Angular's generated environment file, assumed to hold environment.keycloak.realm

export function getCurrentHost(): string {
  // scheme://host[:port] of the page the app is currently served from
  return window.location.href.split('/').reduce((_, __, ___, arr) => `${arr[0]}//${arr[2]}`, '');
}

const XHROpen = window.XMLHttpRequest.prototype.open;

// keycloak-js issues its requests with plain XMLHttpRequest, so the hook goes on
// XMLHttpRequest.prototype.open.
window.XMLHttpRequest.prototype.open = function (this: XMLHttpRequest, method: string, url: string, ...rest: unknown[]): void {
  const realm = environment.keycloak.realm;
  const tokenURL = `/auth/realms/${realm}/protocol/openid-connect/token`;
  const accountURL = `/auth/realms/${realm}/account`;

  // Only the token and account endpoints are rewritten; the login redirect still goes to Keycloak directly.
  const re = new RegExp(`${tokenURL}|${accountURL}`, 'g');
  const match = url.match(re);

  let target = url;
  if (match !== null && match.length > 0) {
    // Point the request at the app's own origin so the dev proxy forwards it to Keycloak.
    target = `${getCurrentHost()}${match[0]}`;
  }

  return XHROpen.apply(this, [method, target, ...rest] as any);
};

Hope this solution will help someone else.

Rebaiahmed commented 4 years ago

@rackymuthu changes the Access Type to Public. This comment is explaining why the change is needed for the new versions.

How can I change this configuration to public and where?

ypconstante commented 4 years ago

The access type configuration is in the client settings page https://www.keycloak.org/docs/latest/server_admin/#oidc-clients .

infacto commented 4 years ago

... you have to change the Access Type option to Public.

I cannot change this to Public. (Version 11) demo

BTW, I can log in, but on user sign-up it throws a CORS error. And when I update from keycloak-js 4 to 11, I can't even log in due to a CORS error. 😪 OK, I see that version 7 works, 8 not.

ypconstante commented 4 years ago

I don't remember what else I changed, but I remember having this same problem. Try changing the other options on the page to see which enables this option. The doc link on my previous comment has a print screen with the public access type selected, try changing your configuration to match that.

jonkoops commented 4 years ago

I notice there is a lot of demand for a clear guide on how to configure a client on Keycloak so I have created an issue to document this in the future: https://github.com/mauriciovigolo/keycloak-angular/issues/290

ahmad2smile commented 3 years ago

@infacto You have to change one of the 2 options below; I don't remember exactly, but it's either Service Accounts Enabled or Authorization Enabled.

Then you'll be able to switch the option to public