corskeycloakkeycloak-services
CORS issue with Keycloak OIDC token endpoint
I'm encountering a CORS (Cross-Origin Resource Sharing) issue when trying to obtain an access token from the Keycloak OIDC token endpoint. I'm running my web application on http://localhost:8000, and Keycloak is running on http://localhost:8080.
When my application makes a request to http://localhost:8080/realms/myrealm/protocol/openid-connect/token, I get the following CORS error:
Access to XMLHttpRequest at 'http://localhost:8080/realms/myrealm/protocol/openid-connect/token' from origin 'http://localhost:8000' has been blocked by CORS policy: The 'Access-Control-Allow-Origin' header has a value 'http://localhost:8080' that is not equal to the supplied origin.
I have configured the following settings in my client's settings on the Keycloak Administration Console:
Valid Redirect URIs: http://localhost:8000/ Valid Post Logout Redirect URIs: http://localhost:8000/ Web Origins: http://localhost:8000 Despite these configurations, the CORS issue persists when my application tries to obtain an access token from the Keycloak OIDC token endpoint.
Can someone please help me resolve this CORS issue and allow my application to successfully obtain an access token from the Keycloak OIDC token endpoint?
My Keycloak version is 22.0
Here is my app.js
var express = require('express');
var app = express();
var stringReplace = require('string-replace-middleware');
var KC_URL = process.env.KC_URL || "http://localhost:8080";
var SERVICE_URL = process.env.SERVICE_URL || "http://localhost:3000/secured";
app.use(stringReplace({
'SERVICE_URL': SERVICE_URL,
'KC_URL': KC_URL
}));
app.use(express.static('.'))
app.get('/', function(req, res) {
res.render('index.html');
});
app.get('/client.js', function(req, res) {
res.render('client.js');
});
app.listen(8000);
<!DOCTYPE html>
<html>
<head>
<title>Keycloak Example Application</title>
<script type="text/javascript" src="KC_URL/js/keycloak.js"></script>
<script type="text/javascript">
function output(content) {
if (typeof content === 'object') {
content = JSON.stringify(content, null, 2)
}
document.getElementById('output').textContent = content;
}
function profile() {
if (kc.idTokenParsed.name) {
document.getElementById('name').textContent = 'Hello ' + kc.idTokenParsed.name;
} else {
document.getElementById('name').textContent = 'Hello ' + kc.idTokenParsed.preferred_username;
}
if (kc.idTokenParsed.picture) {
document.getElementById('picture').src = kc.idTokenParsed.picture;
}
document.getElementById('user').style.display = 'block';
}
function sendRequest() {
var req = new XMLHttpRequest();
req.onreadystatechange = function() {
if (req.readyState === 4) {
output(req.status + '\n\n' + req.responseText);
}
}
req.open('GET', 'SERVICE_URL', true);
req.setRequestHeader('Authorization', 'Bearer ' + kc.token);
req.send();
}
var kc = new Keycloak({ realm: 'myrealm', clientId: 'myclient' });
window.onload = function() {
kc.init({'messageReceiveTimeout': 100000}).then(function() {
if(kc.authenticated) {
profile();
} else {
document.getElementById('anonymous').style.display = 'block';
}
});
}
</script>
</head>
<body>
<div id="anonymous" style="display: none">
<button onclick="window.kc.login()">Login</button>
</div>
<div id="user" style="display: none">
<button onclick="window.kc.logout()">Logout</button>
<button onclick="output(kc.idTokenParsed)">Show ID Token</button>
<button onclick="output(kc.tokenParsed)">Show Access Token</button>
<button onclick="window.kc.updateToken(-1).then(function() { output(kc.idTokenParsed); profile() })">Refresh</button>
<button onclick="sendRequest()">Invoke Service</button>
<hr/>
<h2 id="name"></h2>
<img id="picture" width="50px" height="50px"/>
<hr/>
<pre id="output"></pre>
</div>
</body>
</html>
I am running keycloak using Docker
docker run -p 8080:8080 \
-p 8443:8443 \
--add-host=host.docker.internal:host-gateway \
--name keycloak \
-e KEYCLOAK_USER=admin \
-e KEYCLOAK_PASSWORD=admin \
quay.io/keycloak/keycloak:22.0.0 start-dev
Solution
My "Allow CORS: Access-Control-Allow-Origin" extension was on. Turning it off solved the problem
- Access to fetch at https://accounts.google.com/o/oauth2/v2/auth has been blocked by CORS
- Cors configuration
- What is an opaque response, and what purpose does it serve?
- Blocked by CORS policy despite domain name present in server side file
- Servers that supports CORS?
- CORS with spring-boot and angularjs not working
- Understanding CORS
- How fix CorsOptions for Rocket?
- CORS actix-web Access to XMLHttpRequest has been blocked by CORS policy
- Http-only cookie in response header from backend, but not being stored in client browser
- CORs Error only when trying to send a file to the API
- Configure CORS policy for Spring Cloud Gateway
- Spring Boot Restful Service and CORS problem
- Why is CSRF protection needed for connecting to websockets if Spring Security implements Same Origin Policy at server level?
- Why am i getting 405 Method Not Allowed while doing a POST Request
- ASP.NET Core 8 Web API + Ajax call to controller: Completely disable Cors
- The 'Access-Control-Allow-Origin' Header Contains Multiple Values. However I Only Have One Value Defined in the Header?
- Bean is expected to be of type CorsFilter but was actually of type UrlBasedCorsConfigurationSource with Spring Security 6
- CORS, SQLite and JavaScript. Any way to access the actual database without a local server?
- Cors error between spring boot and angular
- Access-Control-Allow-Origin wildcard subdomains, ports, and protocols
- YII 2 REST CORS issue on remote server
- Enable Access-Control-Allow-Origin for multiple domains in Node.js
- How to manage CORS policy properly in express?
- Third-party cookie will be blocked - warning, not able to logout
- How do i allow a CORS requests in my google script?
- Trying to access API but keep getting CORS errors. Client says the API is public. Who is right?
- How do I configure actix-web to accept CORS requests from any origin?
- How to overcome the CORS issue in ReactJS
- Global CSS is not properly loading with SSG in Next JS - CORS error?