How to configure Gatekeeper to support CORS

Hi folks,

I am struggling with the Gatekeeper and its CORS functionality. I searched every single CORS-related issue and post I could find but didn't find any similar issues. This is why I guess that this is a configuration issue rather than a bug in the application.

The gatekeeper itself and all authentication is working just fine. So I want to enable the CORS functionality for the Keycloak Gatekeeper. According to the documentation, I should add the following lines to the configuration .yaml in order to activate CORS:

cors-origins:
- '*'
cors-methods:
- GET
- POST

I did this; unfortunately, there is no Access-Control-Allow-Origin header present in the preflight-request response. However, I figured that the behaviour of the gatekeeper changes. Instead of returning a 302 due to no Authorization header being provided with the OPTIONS request during preflight (which is correct according to the specification), it now returns a 200 OK but without the necessary CORS headers that were specified in the configuration yaml.

Does anyone have an idea about this behaviour and how to enable CORS properly?

@VincentSch4rf Hi Vincent, could you please provide the version of Gatekeeper and Keycloak Server you are trying?

We merged some changes some weeks ago, and maybe that’s your issue. Please see: https://github.com/keycloak/keycloak-gatekeeper/pull/441/files

@abstractj Thank you very much for your reply!
I tested this with the most recent 7.0.0 and the 6.0.1 and observed the same behaviour.

I found the JIRA ticket regarding these changes during my research. My problem is not that I need the CORS headers on the upstream side. I need the Gatekeeper to send the CORS headers in the response to the client. Currently I can't get this to work, so in my web application I get the famous

[...] has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.
  • cors-origins:
      - '*'

    This is invalid for https or for calls with credentials. Try to specify origins explicitly.

  • check the preflight (OPTIONS) request, maybe it is requesting CORS with some special headers (Access-Control-Request-Headers)/method (Access-Control-Request-Method) - they need to be allowed in the gatekeeper configuration, e.g.:

    cors-methods:
      - GET
      - POST
      - OPTIONS
      - HEAD
      - DELETE
    cors-headers:
      - authorization
      - content-type
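As an added illustration of the two checks in this reply (no wildcard origin for credentialed calls, and every method/header named in the preflight appearing in the allow-lists), here is a constructed model of the browser-side preflight decision. It is not Gatekeeper's own code; the origins, methods and headers are made up, and `cors-credentials` is assumed to be the config key that emits `Access-Control-Allow-Credentials`.

```python
"""Constructed model of the browser's CORS preflight check, evaluated against the
cors-* keys of a Gatekeeper config. Illustration only, not Gatekeeper's own code."""
from dataclasses import dataclass, field


@dataclass
class CorsConfig:  # mirrors cors-origins / cors-methods / cors-headers / cors-credentials (assumed key)
    origins: list
    methods: list
    headers: list = field(default_factory=list)
    credentials: bool = False


@dataclass
class Preflight:  # the OPTIONS request a browser sends before the real call
    origin: str
    method: str  # Access-Control-Request-Method
    headers: list = field(default_factory=list)  # Access-Control-Request-Headers
    with_credentials: bool = False  # fetch(..., credentials="include") / XHR withCredentials


def check_preflight(cfg: CorsConfig, req: Preflight):
    """Return (ok, reason, response_headers); ok means the browser accepts the preflight."""
    wildcard = "*" in cfg.origins
    if not (wildcard or req.origin in cfg.origins):
        return False, f"origin {req.origin} not in cors-origins", {}
    if req.with_credentials and (wildcard or not cfg.credentials):
        # Browsers reject Allow-Origin: * with credentials and need Allow-Credentials: true.
        return False, "credentialed request needs an explicit origin and cors-credentials: true", {}
    methods = {m.upper() for m in cfg.methods}
    if req.method.upper() not in methods | {"GET", "HEAD", "POST"}:  # safelisted always pass
        return False, f"method {req.method} not in cors-methods", {}
    allowed = {h.lower() for h in cfg.headers}
    for name in req.headers:
        n = name.lower()
        # A '*' in cors-headers never covers Authorization and is ignored with credentials.
        star_ok = "*" in allowed and n != "authorization" and not req.with_credentials
        if n not in allowed and not star_ok:
            return False, f"header {name} not in cors-headers", {}
    resp = {"Access-Control-Allow-Origin": "*" if wildcard else req.origin,
            "Access-Control-Allow-Methods": ", ".join(sorted(methods)),
            "Access-Control-Allow-Headers": ", ".join(sorted(allowed)),
            "Vary": "Origin"}  # the answer depends on Origin; stops caches mixing origins
    if cfg.credentials:
        resp["Access-Control-Allow-Credentials"] = "true"
    return True, "ok", resp


# Constructed config following the explicit-origin advice in the thread.
THREAD_CFG = CorsConfig(origins=["https://app.example.com"], methods=["GET", "POST", "OPTIONS", "HEAD", "DELETE"],
                        headers=["authorization", "content-type"], credentials=True)
```

Running the wildcard config from the question through the same function with a credentialed request shows why the browser still reports a missing Access-Control-Allow-Origin.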