重定向至登录时出现Keycloak CORS问题 [英] Keycloak CORS issue when being redirected to login
问题描述
我正在尝试使 nodeJS密钥斗篷适配器与我的Express应用程序一起使用,但是当它尝试重定向到我用keycloak中间件保护的路由的登录页面时,遇到了CORS问题:
I am trying to get the nodeJS keycloak adapter working with my Express application, but am facing a CORS issue when it tries to redirect to the login page for routes I have protected with the keycloak middleware:
XMLHttpRequest无法加载 http://localhost:5001 " 访问.
XMLHttpRequest cannot load http://192.168.132.44:8080/auth/realms/Actora/protocol/openid-connect/auth?client_id=actora-test&state=0e9c9778-c41b-4aa8-8052-d0f0125045ac&redirect_uri=http%3A%2F%2Flocalhost%3A5001%2Fauth%2Fchecktoken%3Fauth_callback%3D1&scope=openid&response_type=code. Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:5001' is therefore not allowed access.
在我的keycloak客户端设置中,我向"Web Origins"配置部分添加了一个"*"值.
In my keycloak client settings I have added a single value of '*' to the Web Origins config section.
我还按照本快速指南我使用keycloak的3.2.1版本以防万一(我看到一个新版本已成为RC)
I using version 3.2.1 of keycloak in case that makes any difference (I see a new version is out as an RC)
有人遇到类似问题并设法解决吗?我一直在研究许多JBOSS邮件列表线程和其他stackoverflows,所有这些似乎都建议它像在keycloak管理站点上为客户端的web origins config部分添加'*'条目一样简单,但事实并非如此.我.
Has anyone faced similar issues and managed to resolve? I have been digging through many JBOSS mailing list threads and other stackoverflows, and all seem to suggest its as simple as adding the '*' entry to the web origins config section for the client on the keycloak admin site but this is not the case for me.
谢谢
推荐答案
我也正在使用mindparse解决此问题.
I am also working on this issue with mindparse.
我认为这里的关键问题是,尽管密钥库服务器已在密钥库管理门户中正确配置了"Web Origins"设置,但密钥库服务器没有响应任何ACCESS-CONTROL-ALLOW-ORIGIN标头.
I think the key issue here is that the keycloak server is not responding with any ACCESS-CONTROL-ALLOW-ORIGIN headers despite the fact that he has correctly configured the "web Origins" setting in the keycloak admin portal.
该流程的更深层次流程是:
A more in depth flow of the process is:
- 用户尝试在节点快速服务器上调用密钥隐藏安全路由
- Keycloak中间件检测到用户未通过身份验证,并且 以302(重定向)响应请求,该请求指向托管的自定义登录页面 通过keycloak服务器.
- 浏览器将一个OPTIONS请求发送到密钥斗篷服务器,以检查是否为 因为它是跨源请求.
- 密钥斗篷服务器的响应不包含ACCESS-CONTROL-ALLOW- ORIGIN标头,告知浏览器它具有进行此操作的权限 请求.
- 然后,浏览器将读取此响应,因此不会执行以下操作 请求,因为它没有通过访问控制允许来源检查
- The user attempts to call a keycloak secured route on a node express server
- Keycloak middleware detects that the user is not authenticated and responds to the request with a 302 (redirect) to a custom login page hosted by the keycloak server.
- The browser sends an OPTIONS request to the keycloak server to check if it is because it is a cross origin request.
- The keycloak servers response DOES NOT include the ACCESS-CONTROL-ALLOW- ORIGIN header to tell the browser that it has permission to make this request.
- The browser then reads this response and therefore does not make the follow up request because it did not pass the access control allow origin checks
这篇关于重定向至登录时出现Keycloak CORS问题的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!