CORS block keycloak sign-in #2331

Open

bo0ts opened this issue Dec 10, 2024 · 6 comments

Comments

bo0ts commented Dec 10, 2024

I've configured Keycloak according to the documentation. When I click on the Enterprise Sign In button I get the following error message in the browser console:

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://keycloak.mydomain.intern/realms/mycompany/.well-known/openid-configuration. (Reason: CORS request did not succeed). Status code: (null).

I have the following configuration related to CORS

CORS_ALLOWED_ORIGINS: https://secobserve.mydomain.intern

The Keycloak version is 26.0.6. I assume we can fix this as soon as the multiple CORS Origins change is available? Maybe an addition to the documentation would be helpful as well.

bo0ts commented Dec 10, 2024

After some investigation I suspect that this is actually caused by the private CA that is used for the keycloak domain. I'm looking for a way to easily inject a new CA in the backend image.

@StefanFl (Collaborator) commented

Hi @bo0ts, can we close this ticket or is there still something to do?

bo0ts commented Dec 12, 2024

@StefanFl I don't think so. I've updated to 1.23.0 and have configured CORS_ALLOWED_ORIGINS: "https://secobserve.mydomain.intern,https://keycloak.mydomain.intern" in the backend.

I still get the same CORS error when clicking Enterprise Sign In.

@StefanFl (Collaborator) commented

The backend is not involved in this step. It happens between the frontend and Keycloak. Several sources say to add a + in the Web origins field in Keycloak's client administration:

[screenshot omitted]

bo0ts commented Dec 13, 2024

I've tried several options (including + and *) for the Web origins, and this hasn't been necessary for any other client. Frankly, I don't see why it should be. The request doesn't go to a client endpoint, but to https://keycloak.mydomain.intern/realms/mycompany/.well-known/openid-configuration, which isn't client-aware.

Any other ideas where to look?

@StefanFl (Collaborator) commented

I tested it just now with docker-compose-dev-keycloak.yml. With the + in Web origins the login works:

[screenshot omitted]

When I remove the + in Web origins and leave this field empty, the login doesn't work anymore and I get this message in the browser console (translated from German): Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://localhost:8080/realms/secobserve/protocol/openid-connect/token. (Reason: CORS header 'Access-Control-Allow-Origin' missing). Status code: 200.

I am not a KeyCloak expert, so I don't know anything more, unfortunately.
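The two browser messages quoted in this thread describe different failures. "CORS request did not succeed" with status (null) means no response ever reached the browser, so there was no CORS header to evaluate; a certificate from a CA the browser does not trust, DNS or a firewall all produce exactly this message, and no Keycloak "Web origins" setting can change it. "Access-Control-Allow-Origin missing" with status 200 means Keycloak answered but did not allow the calling origin, which is what the Web origins field controls. The script below is an added triage example, not SecObserve or Keycloak code: it fetches the discovery document with the frontend's Origin header, optionally trusting a private CA bundle, and maps the outcome onto those two cases. The hostnames, realm and the CA file path are assumptions taken from the thread.

```python
"""Triage helper for the two CORS errors discussed in issue #2331.

Added example, not SecObserve or Keycloak code. Hostnames, realm and the
CA bundle path are assumptions taken from the thread.
"""
import ssl
import sys
import urllib.error
import urllib.request
from dataclasses import dataclass, field
from typing import Dict, Optional

# Assumed from the thread.
DISCOVERY_URL = ("https://keycloak.mydomain.intern/realms/mycompany"
                 "/.well-known/openid-configuration")
FRONTEND_ORIGIN = "https://secobserve.mydomain.intern"


@dataclass
class Probe:
    """Outcome of one request, as the browser would see it."""
    status: Optional[int]                       # None: request never completed
    headers: Dict[str, str] = field(default_factory=dict)  # lower-cased names
    error: Optional[str] = None                 # transport-level error text


def classify(p: Probe, origin: str = FRONTEND_ORIGIN) -> str:
    """Map a probe onto the two distinct browser messages from the thread."""
    if p.status is None:
        # "CORS request did not succeed. Status code: (null)": the response
        # never arrived. Untrusted (private CA) certificate, DNS or firewall
        # problems land here; Keycloak's Web origins setting is irrelevant.
        return "transport-failure: " + (p.error or "unknown")
    acao = p.headers.get("access-control-allow-origin")
    if acao is None:
        # "CORS header 'Access-Control-Allow-Origin' missing. Status code: 200":
        # Keycloak answered but did not allow this origin (Web origins field).
        return "missing-acao"
    if acao not in ("*", origin):
        return "origin-mismatch: " + acao
    return "ok"


def probe(url: str = DISCOVERY_URL, origin: str = FRONTEND_ORIGIN,
          cafile: Optional[str] = None, timeout: float = 5.0) -> Probe:
    """Fetch the discovery document with an Origin header, like the browser.

    Pass cafile=<private CA bundle> to test the private-CA hypothesis: if the
    probe turns from transport-failure into ok or missing-acao, the
    certificate chain was the problem, not CORS.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(url, headers={"Origin": origin})
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
            return Probe(resp.status,
                         {k.lower(): v for k, v in resp.headers.items()})
    except urllib.error.HTTPError as e:
        # Non-2xx is still a completed request; CORS headers may be present.
        return Probe(e.code, {k.lower(): v for k, v in e.headers.items()})
    except (urllib.error.URLError, ssl.SSLError, OSError) as e:
        return Probe(None, error=str(e))


def demo() -> Dict[str, str]:
    """Constructed probes reproducing the two messages quoted in the thread."""
    samples = {
        "private-ca": Probe(None, error="certificate verify failed"),
        "empty-web-origins": Probe(200),
        "web-origins-plus": Probe(200, {"access-control-allow-origin":
                                        FRONTEND_ORIGIN}),
    }
    return {name: classify(p) for name, p in samples.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:20s} -> {verdict}")
    if len(sys.argv) > 1:  # python cors_triage.py <url> [<ca.pem>]
        live = probe(sys.argv[1], cafile=sys.argv[2] if len(sys.argv) > 2 else None)
        print("live probe           ->", classify(live))
```

Run it with the discovery URL alone first, then again with the private CA bundle as the second argument; a verdict that changes from transport-failure to anything else confirms the certificate chain, and a missing-acao verdict points at the Keycloak client's Web origins field instead.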
