CORS Error when Keycloak Token Times Out
Describe the bug
If you enable OIDC support with Keycloak, calls to REST APIs start to fail once the token provided by Keycloak has timed out, with a CORS failure like this:
Access to XMLHttpRequest at 'http://localhost:8081/auth/realms/keycloak-cors-public/protocol/openid-connect/auth?redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fhello&state=ba3be67d-a18b-4c6f-acb9-6e617c05674e&scope=openid&response_type=code&client_id=quarkus' (redirected from 'http://localhost:8080/hello') from origin 'http://localhost:8080' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
GET http://localhost:8081/auth/realms/keycloak-cors-public/protocol/openid-connect/auth?redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fhello&state=ba3be67d-a18b-4c6f-acb9-6e617c05674e&scope=openid&response_type=code&client_id=quarkus net::ERR_FAILED
Uncaught (in promise) Error: Network Error
at e.exports (spread.js:25)
at XMLHttpRequest.l.onerror (spread.js:25)
Expected behavior
The timeout of the token should not lead to an error.
Actual behavior
A CORS error is produced.
To Reproduce
Clone https://github.com/tomsontom/keycloak-cors/ and follow the steps there.
Configuration
quarkus.oidc.auth-server-url=${AUTH_URL}
quarkus.oidc.client-id=quarkus
quarkus.oidc.credentials.secret=${AUTH_CREDENTIALS}
quarkus.oidc.application-type=web-app
quarkus.http.auth.permission.authenticated.paths=/*
quarkus.http.auth.permission.authenticated.policy=authenticated
Screenshots
Environment (please complete the following information):
- Output of `uname -a` or `ver`: Darwin Toms-MacBook-Pro.local 19.5.0 Darwin Kernel Version 19.5.0: Tue May 26 20:41:44 PDT 2020; root:xnu-6153.121.2~2/RELEASE_X86_64 x86_64
- Output of `java -version`: openjdk version "11.0.6" 2020-01-14
- GraalVM version (if different from Java): -
- Quarkus version or git rev: 1.5.2.final
- Build tool (ie. output of `mvnw --version` or `gradlew --version`): 3.6.3
Additional context
The working request/response looks like this:
General:
Request URL: http://localhost:8080/hello
Request Method: GET
Status Code: 200 OK
Remote Address: [::1]:8080
Referrer Policy: no-referrer-when-downgrade
Response Headers:
Content-Length: 5
Content-Type: text/plain;charset=UTF-8
Request Headers:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate, br
Accept-Language: de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7
Connection: keep-alive
Cookie: q_session=eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJLSjBBcjZrUnFyWEFYajNlVmdGMFk2MUp4aEt4V2NWU1lDUE5HVHJMNFBVIn0.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.FkVV5YkOkFgrRU6I_xGTAJmlJdrNj5NbCrR8_kNYvzScVFTyQcE0W1F7b7NnokWTfZjE-PWvNtG602djiihaS00y5TYHh5mCVHNVUzVyG85A0VJovuxvrlfCLnxu0w8WSF4E3KC5twgD_Zf3YAkPpi1t-PXi9B4mSLC0GwOcvtdanW6Ul72evwk_TVeeZBzLDyEApiFuZkZ2MK5kuxV7M2W6_4CJntXA18dpGMoTZ2Ue3wVFOzalk2u2J96jFT3OtbIj9oRMVju-9fy8l1Lks88dQnzAI-x9BSk787yT8IVgA-VCeo5zAERcjBe8LPnJUD4MfrrS2Cj0vCIvCga6mg|eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJLSjBBcjZrUnFyWEFYajNlVmdGMFk2MUp4aEt4V2NWU1lDUE5HVHJMNFBVIn0.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.YSIQeitfiVHTN6pvfud-oW4sncfU_2NgWssAKmAYlKgOFzJyyTKbPyXCljRL3Smm-pSz0tlnVXIps-Qb6NihV7yJUr1fCn9z5AnqhNl9PQSRJ6VAJDmKyLbgtu81GNQ3vg_pYF94dmqpTzvoBLaa5OPOGACmpesCKUvUyGlTG1HPFfNsgfc-6-p2ozj-XVbPYanLFDFWliuFPv6TrhEg3SP4vyySVPltBk9-BgIGn8sCncb7m5ox0DXCzBlFQ-oaVbO9htbp5HIXFWUbYE5yfBEHnmHGFIaJIlO8YtYv9_t3YrKJwQkgP19Ej7MOZNCeQA8grYMlpbjN3YylPnDKSQ|eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJiZDdkYjg5Yy00NWJkLTQ1MDktODFkMi1lN2IxYjMxYjBhNDYifQ.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.gOCSVyXETE24TJntdbLByVcKLFSOWIonQ5MXO9zuMFs
Host: localhost:8080
Referer: http://localhost:8080/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.106 Safari/537.36
The failing request/response looks like this:
General:
Request URL: http://localhost:8080/hello
Request Method: GET
Status Code: 302 Found
Remote Address: [::1]:8080
Referrer Policy: no-referrer-when-downgrade
Response Headers:
content-length: 0
location: http://localhost:8081/auth/realms/keycloak-cors-public/protocol/openid-connect/auth?redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fhello&state=ba3be67d-a18b-4c6f-acb9-6e617c05674e&scope=openid&response_type=code&client_id=quarkus
set-cookie: q_auth=ba3be67d-a18b-4c6f-acb9-6e617c05674e; Max-Age=1800; Expires=Tue, 23 Jun 2020 09:36:13 GMT; HTTPOnly
Request Headers:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate, br
Accept-Language: de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7
Connection: keep-alive
Host: localhost:8080
Referer: http://localhost:8080/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.106 Safari/537.36
General:
Request URL: http://localhost:8081/auth/realms/keycloak-cors-public/protocol/openid-connect/auth?redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fhello&state=ba3be67d-a18b-4c6f-acb9-6e617c05674e&scope=openid&response_type=code&client_id=quarkus
Referrer Policy: no-referrer-when-downgrade
Response Headers:
Cache-Control: no-store, must-revalidate, max-age=0
Connection: keep-alive
Content-Language: en
Content-Length: 3089
Content-Security-Policy: frame-src 'self'; frame-ancestors 'self'; object-src 'none';
Content-Type: text/html;charset=utf-8
Date: Tue, 23 Jun 2020 09:06:13 GMT
Set-Cookie: AUTH_SESSION_ID=b2d2fe22-a5ec-4ea7-bcfc-3f248d07ee56.0a08cbc5521a; Version=1; Path=/auth/realms/keycloak-cors-public/; HttpOnly
Set-Cookie: KC_RESTART=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJiZDdkYjg5Yy00NWJkLTQ1MDktODFkMi1lN2IxYjMxYjBhNDYifQ.eyJjaWQiOiJxdWFya3VzIiwicHR5Ijoib3BlbmlkLWNvbm5lY3QiLCJydXJpIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL2hlbGxvIiwiYWN0IjoiQVVUSEVOVElDQVRFIiwibm90ZXMiOnsic2NvcGUiOiJvcGVuaWQiLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODEvYXV0aC9yZWFsbXMva2V5Y2xvYWstY29ycy1wdWJsaWMiLCJyZXNwb25zZV90eXBlIjoiY29kZSIsInJlZGlyZWN0X3VyaSI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4MC9oZWxsbyIsInN0YXRlIjoiYmEzYmU2N2QtYTE4Yi00YzZmLWFjYjktNmU2MTdjMDU2NzRlIn19.Bj9kuulCAHnH17VjkgpqZUwG21uLObERAOi4rVbtSrE; Version=1; Path=/auth/realms/keycloak-cors-public/; HttpOnly
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Robots-Tag: none
X-XSS-Protection: 1; mode=block
Request Headers:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate, br
Accept-Language: de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7
Connection: keep-alive
Host: localhost:8081
Origin: http://localhost:8080
Referer: http://localhost:8080/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.106 Safari/537.36
Query String Parameters:
redirect_uri: http://localhost:8080/hello
state: ba3be67d-a18b-4c6f-acb9-6e617c05674e
scope: openid
response_type: code
client_id: quarkus
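The sequence in the report is a same-origin XHR receiving a 302 to the Keycloak authorization endpoint; the browser follows it cross-origin, the endpoint sends no Access-Control-Allow-Origin, and the call fails. The usual mitigation is for the backend to answer script requests with a 401 and let the client re-authenticate with a top-level navigation, which is not subject to CORS. The following is an added example illustrating that decision, not code from the issue, Quarkus or Keycloak; the endpoint URL, client_id, redirect_uri and state are the values from the captured failing request, and the header values are copied from the captured request headers.

```javascript
// Added example: pick the right response to an expired session depending on
// whether the request is a page navigation or an XHR/fetch call. Values below
// are taken from the failing request captured in the report.
const AUTH_ENDPOINT =
  "http://localhost:8081/auth/realms/keycloak-cors-public/protocol/openid-connect/auth";
const CLIENT_ID = "quarkus";

// HTTP header names are case-insensitive; lower-case them for lookup.
function normalize(headers) {
  return Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v)])
  );
}

// True when the request was issued by script (XHR/fetch) rather than by a
// top-level navigation. Fetch Metadata (Sec-Fetch-Mode, sent by the browser
// in the report) is authoritative when present; X-Requested-With and the
// Accept header are fallbacks for clients that do not send it.
function isScriptRequest(headers) {
  const h = normalize(headers);
  if (h["sec-fetch-mode"]) return h["sec-fetch-mode"] !== "navigate";
  if (h["x-requested-with"] === "XMLHttpRequest") return true;
  return !(h["accept"] || "").includes("text/html");
}

// The authorization-code request the app redirects to (same shape as the
// Location header in the report; URLSearchParams percent-encodes the URI).
function loginUrl(redirectUri, state) {
  const u = new URL(AUTH_ENDPOINT);
  u.searchParams.set("redirect_uri", redirectUri);
  u.searchParams.set("state", state);
  u.searchParams.set("scope", "openid");
  u.searchParams.set("response_type", "code");
  u.searchParams.set("client_id", CLIENT_ID);
  return u.href;
}

// Response for a request whose session cookie is missing or expired.
function unauthenticatedResponse(headers, redirectUri, state) {
  const login = loginUrl(redirectUri, state);
  if (isScriptRequest(headers)) {
    // 401 + JSON instead of 302: the browser cannot complete a cross-origin
    // redirect to the IdP from an XHR, but the client code can read `login`
    // and perform a full-page navigation to it, which CORS does not govern.
    return {
      status: 401,
      headers: { "content-type": "application/json", "cache-control": "no-store" },
      body: JSON.stringify({ error: "session_expired", login }),
    };
  }
  // A navigation can follow the redirect to the login page as usual.
  return { status: 302, headers: { location: login }, body: "" };
}
```

On the client, a 401 with `error: "session_expired"` is handled by `window.location.assign(body.login)` rather than by retrying the XHR.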
So the Keycloak post is https://keycloak.discourse.group/t/authorizationendpoint-does-not-support-cors/3495
@tomsontom FYI, #10651