i am using keycloak 5.0.0, on a setup with spring security backend and an angular frontend.
all has been autowired and setup by jhipster to work out of the box.
however…
when a user is not yet authenticated and the frontend makes a call to a secured “account” endpoint to validate if the used is authenticated or not, this call triggers a redirect to keycloak to login. keycloak then sends a response with the url to login.
unfortunatelly this response does not include the CORS Access Control Allow Origin and therefore is blocked by the browser preventing the redirect. (see attached image)
On my keycloak instance i have configured the Web Origins: *
And valid redirect urls: *
The client is using the confidential access type with a client secret
are you saying that i should place a keycloak property (keycloak.cors=true) to the properties file of my app backend? enabling cors should not be something to do at the keycloak side?
as far as i can observe, it’s the response from keycloak that is missing the access control allow origin headers
i have attached the oauth2 configuration part of my application.yml (jhipster backend)
are you able to recognize this structure and sugest a missing property?
Well I have never worked with jhipster, so I don’t recognize this. To me it looks like you are not using keycloak provided adapter, but something provided by jhipster, are you?
If I remember correctly my issue looked very similar to yours and it was solved by allowing cors for backend application. My investigation of that problem was that when frontend app send preflight OPTIONS request to backend, the request was redirected to keycloak, however it should be served by backend server saying: “yes, I am allowing frontend app origin to access me”.
If you would be using keycloak adapter it will solve this issue when you add enable-cors: true for keycloak.json file or keycloak.cors = true for application.properties, otherwise you probably need to do it yourself. After quick search I find something like this: https://stackoverflow.com/questions/51730409/jhipster-cors-enable it might be worth trying.
after further investigation on the issue, i can confirm that the situation described by @mhajas is happening. the preflight request is being redirected and it should be served by the backend.
i have confirmed that on this issue thread of the jhipster repo: https://github.com/jhipster/generator-jhipster/issues/10642
if anyone has the same problem regarding the interconnection of keycloak and jhipster, then you can continue by following the above conversation. jhipster team is currently analyzing the situation in order to provide a fix.
After trying to place keycloak-gatekeeper in front of my node.js web app, I’m now suffering from what looks like the same cors issue (keycloak oidc was already successfully integrated into my app).
I’m currently running the jboss/keycloak:7.0.1 docker container, but I can’t find either the application.properties or keycloak.json file. Should one of them be in the container somewhere?
