重定向至登录时出现Keycloak CORS问题 [英] Keycloak CORS issue when being redirected to login

问题描述

我正在尝试使 nodeJS密钥斗篷适配器与我的Express应用程序一起使用，但是当它尝试重定向到我用keycloak中间件保护的路由的登录页面时，遇到了CORS问题:

I am trying to get the nodeJS keycloak adapter working with my Express application, but am facing a CORS issue when it tries to redirect to the login page for routes I have protected with the keycloak middleware:

XMLHttpRequest无法加载 http://localhost:5001 " 访问.

XMLHttpRequest cannot load http://192.168.132.44:8080/auth/realms/Actora/protocol/openid-connect/auth?client_id=actora-test&state=0e9c9778-c41b-4aa8-8052-d0f0125045ac&redirect_uri=http%3A%2F%2Flocalhost%3A5001%2Fauth%2Fchecktoken%3Fauth_callback%3D1&scope=openid&response_type=code. Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:5001' is therefore not allowed access.

在我的keycloak客户端设置中，我向"Web Origins"配置部分添加了一个"*"值.

In my keycloak client settings I have added a single value of '*' to the Web Origins config section.

我还按照本快速指南我使用keycloak的3.2.1版本以防万一(我看到一个新版本已成为RC)

I using version 3.2.1 of keycloak in case that makes any difference (I see a new version is out as an RC)

有人遇到类似问题并设法解决吗?我一直在研究许多JBOSS邮件列表线程和其他stackoverflows，所有这些似乎都建议它像在keycloak管理站点上为客户端的web origins config部分添加'*'条目一样简单，但事实并非如此.我.

Has anyone faced similar issues and managed to resolve? I have been digging through many JBOSS mailing list threads and other stackoverflows, and all seem to suggest its as simple as adding the '*' entry to the web origins config section for the client on the keycloak admin site but this is not the case for me.

谢谢

推荐答案

我也正在使用mindparse解决此问题.

I am also working on this issue with mindparse.

我认为这里的关键问题是，尽管密钥库服务器已在密钥库管理门户中正确配置了"Web Origins"设置，但密钥库服务器没有响应任何ACCESS-CONTROL-ALLOW-ORIGIN标头.

I think the key issue here is that the keycloak server is not responding with any ACCESS-CONTROL-ALLOW-ORIGIN headers despite the fact that he has correctly configured the "web Origins" setting in the keycloak admin portal.

该流程的更深层次流程是:

A more in depth flow of the process is:

1. 用户尝试在节点快速服务器上调用密钥隐藏安全路由
2. Keycloak中间件检测到用户未通过身份验证，并且 以302(重定向)响应请求，该请求指向托管的自定义登录页面 通过keycloak服务器.
3. 浏览器将一个OPTIONS请求发送到密钥斗篷服务器，以检查是否为 因为它是跨源请求.
4. 密钥斗篷服务器的响应不包含ACCESS-CONTROL-ALLOW- ORIGIN标头，告知浏览器它具有进行此操作的权限 请求.
5. 然后，浏览器将读取此响应，因此不会执行以下操作 请求，因为它没有通过访问控制允许来源检查

1. The user attempts to call a keycloak secured route on a node express server
2. Keycloak middleware detects that the user is not authenticated and responds to the request with a 302 (redirect) to a custom login page hosted by the keycloak server.
3. The browser sends an OPTIONS request to the keycloak server to check if it is because it is a cross origin request.
4. The keycloak servers response DOES NOT include the ACCESS-CONTROL-ALLOW- ORIGIN header to tell the browser that it has permission to make this request.
5. The browser then reads this response and therefore does not make the follow up request because it did not pass the access control allow origin checks

这篇关于重定向至登录时出现Keycloak CORS问题的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！