Problem :
I use Keycloak 19.0.1 behind a proxy (nginx) and wasn't able to connect to the admin part of keycloak.
With a reverse proxy nginx and keycloak, login in admin console lead to be blocked on :
/realms/master/protocol/openid-connect/login-status-iframe.html/init?client_id=security-admin-console ....
With a 204
return code and no other errors.
Solution :
I had to explore keycloak source code to find the cause ; This test failed in keycloak.js : if ((event.origin !== loginIframe.iframeOrigin)
in keycloak.js
After a (lot of) time of search, it appears that it compares : https://mydomain/keycloak
and https://mydomain:443/keycloak
because I'd setup hostname-port
to 443
in keycloak.config.
My keycloak configuration :
hostname=mydomain
proxy=reencrypt
hostname-strict=false
hostname-port=443
hostname-path=keycloak
http-relative-path=keycloak
hostname-admin-url=https://mydomain/keycloak
So keycloak build his URL as follow : https://mydomain:443/
And the browser send : https://mydomain/
as 443 is a default port and not displayed in the URL.
By removing the port, it works perfectly :
#hostname-port=443
I open a discussion to improve documentation here
Problem :
I have a standalone application Angular running on localhost:4200 and a standalone SpringBoot2 Oauth running on 8080.
OAUTH is configured with "client_credentials".
As indicate by many articles, the OPTIONS preflight request is issued by browsers to request CORS configuration supported by servers.
I added the CORS filters thanks to this post, normal Webrequest CORS configuration is not working for OAUTH as this one is not handle by Spring MVC.
But still no POST request after the preflight OPTIONS request...
Solution :
I was checking my network requests in the browser console... and the solution was simply in the console... Yeah. Too early this morning.
The error was explicity written : "need to enable content-type headers in the Access-Control-Allow-Headers".
The preflight request say to the browser what kind of request can be emit, if the response of the OPTIONS does not match the original request, this one is not sent.
The preflight request has no authentication headers and must return 200.
Here is the filter code :
@Component
@Order(Ordered.HIGHEST_PRECEDENCE)
public class SimpleCorsFilter implements Filter {
public SimpleCorsFilter() {
}
@Override
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
HttpServletResponse response = (HttpServletResponse) res;
HttpServletRequest request = (HttpServletRequest) req;
response.setHeader("Access-Control-Allow-Origin", "*");
response.setHeader("Access-Control-Allow-Methods", "POST, GET, OPTIONS, DELETE");
response.setHeader("Access-Control-Max-Age", "3600");
response.setHeader("Access-Control-Allow-Headers", "x-requested-with, authorization, content-type");
if ("OPTIONS".equalsIgnoreCase(request.getMethod())) {
response.setStatus(HttpServletResponse.SC_OK);
} else {
chain.doFilter(req, res);
}
}
@Override
public void init(FilterConfig filterConfig) {
}
@Override
public void destroy() {
}
}