Silent authentication CORS problem when using Keycloak
I'm trying to perform Silent Authentication on my site using the following call:
fetch('http://localhost:8100/auth/realms/master/protocol/openid-connect/auth?response_type=code&scope=openid&client_id=portal&redirect_uri=http%3A//localhost%3A8080/o/auth/oidc/callback&state=CJOREX0_bHtivjgNUYRkE3908LqdnUUvm2Jhxo5U8tg&nonce=MJj2eQkCtlwqIx0UbSFdWRsbll7fiBSUkRkbxzi2VFs&prompt=none', {
method: 'GET',
mode: 'cors'
})
I have configured web origins for my client as follows:
But I'm still getting CORS error:
Access to fetch at 'http://localhost:8100/auth/realms/master/protocol/openid-connect/auth?response_type=code&scope=openid&client_id=portal&redirect_uri=http%3A//localhost%3A8080/o/auth/oidc/callback&state=CJOREX0_bHtivjgNUYRkE3908LqdnUUvm2Jhxo5U8tg&nonce=MJj2eQkCtlwqIx0UbSFdWRsbll7fiBSUkRkbxzi2VFs&prompt=none' from origin 'http://localhost:8080' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.
Any idea what am I missing here?
The whole approach was a mistake here. I was trying to use Authorization Code flow from the client, which is not how it should work. Authorization Code flow is always about server to server interaction with client side redirects.
If you'd like to use it, you will need to open the target page in an iframe or a separate page (for silent authentication, an invisible iframe will do).
If your goal is to have pure client-side authentication you'd rather consider using Implicit (which is classic and simple, but is not currently recommended for security reasons) or Authorization Code with PKCE flows.
There are many resources regarding auth flows, but if you'd like to see quick and high-level overview of them, I recommend to check this short article: https://dev.to/hem/oauth-2-0-flows-explained-in-gifs-2o7a
- Origin header missing on API call outside of network using Azure
- Download image blob from Google Photos using JavaScript and REST API
- Origin null is not allowed by Access-Control-Allow-Origin
- How can I enable CORS on Django REST Framework
- How to Solve CORS error in accessing laravel routes
- Origin <origin> is not allowed by Access-Control-Allow-Origin
- Problem with CORS policy in React front end with FastAPI on the back trying to use Microsoft Single Sign-on
- Why the fetch gets failed even when I am using cors dependency?
- Firebase Storage and Access-Control-Allow-Origin
- Spring Boot Restful Service and CORS problem
- Background-image in CSS url blocked by Opaque Response Blocking
- Stripe Checkout example running into CORS error from localhost
- How to disable CORS policy for special routes in Node.js/Express server?
- Cors error persists no matter what I try with server
- How to handle cors in express js? It works with the HTTP module but the origin in the header undefined in express js
- Is there a way to update a Cors policy after startup?
- CORS error in node express REST API (PATCH Request)
- How to allow Cross-Origin using vite and express
- Setting cors in strapi 4
- How do i allow a CORS requests in my google script?
- Spring Security 6.3.3 WebFlux CORS
- cross origin resource policy issue when playing files from s3 on deployed app
- The 'Access-Control-Allow-Origin' header contains multiple values
- CORS error on same domain?
- CORS errors using Spring Boot, Spring Security and React
- CORS Error when trying to access API Gateway Endpoint
- Why doesn't adding CORS headers to an OPTIONS route allow browsers to access my API?
- CORS Configuration not working in WSO2 API Manager for Oauth2/token API
- Google Web App Only Logging When Accessed Via Browser
- Access to web manifest blocked by CORS policy