0 votes

We are currently facing the following problem for our web application using Keycloak as an IDP behind Traefik 1.7:

Chrome console tells us:

Access to manifest at 'https://keycloak.dev.example.com/auth/realms/myrealm/protocol/openid-connect/auth?client_id=myclient&redirect_uri=...' (redirected from 'https://myfrontend.dev.example.com/manifest.json') from origin 'https://myfrontend.dev.example.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

In Keycloak we set Web Origins = * for client myclient inside the myrealm realm.

We already tried to set https://myfrontend.dev.example.com as the Web Origins. That did not help.

We configured the Ingress inside the namespace where our keycloak is deployed. Adding the annotations:

ingress.kubernetes.io/cors-allow-origin: https://myfrontend.dev.example.com
ingress.kubernetes.io/enable-cors: "true"

It did not help.

In the past we had a setup with the IDP just using the same subdomain. Of course this will prevent any CORS issues, but we want to separate this.

Any suggestions on where to add configuration to apply the CORS-related headers? Thank you.


2 Answers

1 vote

After some hours of analysis, not understanding what happens here:

  • Setting the Web Origins to * is ok, though I suggest setting it explicitly to the right origins, here: https://myfrontend.dev.example.com (without the /* as in Stuck's answer)
  • If we check the /token endpoint within a cross-origin request, it works, because the expected response headers are set
  • BUT: the problem here occurred with the /auth endpoint

So, whoever runs into this problem: Keycloak, as of 10/2020 with version 11.x, simply does not support CORS on the /auth OpenID Connect (OIDC) endpoint. It is not a requirement from the OIDC specs, so Keycloak (and other tools) do not support CORS here.

If we set the Web Origin and have CORS enabled, it will work for some endpoints, e.g. /token, but not for others, e.g. /auth. This is because /auth counts as a user-only endpoint: one that a user explicitly requests or is redirected to, AND NOT one the frontend should somehow send requests to in the background.

We have implemented a wrong workflow inside a part of our application. Not a Keycloak (or Traefik or Kubernetes) problem.

Please check this discussion here for any feature updates: https://keycloak.discourse.group/t/authorizationendpoint-does-not-support-cors/3495
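The workflow correction described in this answer, as an added example that is not part of the original question or answers: the frontend server must only send top-level browser navigations (302) to the Keycloak /auth endpoint, never background requests such as the manifest.json fetch from the question, which Chrome issues in CORS mode and which /auth cannot answer with an Access-Control-Allow-Origin header. Background requests get a 401 that carries the login URL, and the SPA starts the login as a navigation itself. Hostnames, realm and client id are taken from the question; the function names, the response layout and the sample requests are constructed for this example, while Sec-Fetch-Mode and Sec-Fetch-Dest are real browser request headers.

```javascript
// Added example, not code from the original post. Demonstrates the
// "navigate to /auth, never fetch it in the background" rule from the
// answer above. Names and response layout are hypothetical.

const KEYCLOAK_AUTH =
  "https://keycloak.dev.example.com/auth/realms/myrealm/protocol/openid-connect/auth";

// Build the Authorization Code flow URL the browser is navigated to.
// `state` must be unguessable and tied to the user's session; the
// caller supplies it (and, optionally, a PKCE code_challenge).
function buildAuthUrl({ clientId, redirectUri, state, codeChallenge }) {
  const u = new URL(KEYCLOAK_AUTH);
  u.searchParams.set("client_id", clientId);
  u.searchParams.set("redirect_uri", redirectUri);
  u.searchParams.set("response_type", "code");
  u.searchParams.set("scope", "openid");
  u.searchParams.set("state", state);
  if (codeChallenge) {
    u.searchParams.set("code_challenge", codeChallenge);
    u.searchParams.set("code_challenge_method", "S256");
  }
  return u.toString();
}

// Top-level navigation or background request? Modern browsers send
// Sec-Fetch-Mode ("navigate" vs "cors"/"no-cors"/"same-origin"); fall
// back to the Accept header when that header is absent.
function isNavigation(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  if (h["sec-fetch-mode"]) return h["sec-fetch-mode"] === "navigate";
  return (h["accept"] || "").includes("text/html");
}

// What an unauthenticated request receives from the frontend server.
function unauthenticatedResponse(req, authParams) {
  const loginUrl = buildAuthUrl(authParams);
  if (isNavigation(req.headers)) {
    // A browser navigation: redirecting to Keycloak is correct here.
    return { status: 302, headers: { Location: loginUrl }, body: "" };
  }
  // fetch/XHR/manifest/image: never redirect to /auth (the redirect
  // target has no CORS headers and the browser blocks it). Tell the
  // client it must log in and where; the SPA then navigates there.
  return {
    status: 401,
    headers: {
      "WWW-Authenticate": 'Bearer realm="myrealm"',
      "Content-Type": "application/json",
    },
    body: JSON.stringify({ error: "login_required", login_url: loginUrl }),
  };
}

// Constructed sample data modelled on the question's scenario.
const AUTH_PARAMS = {
  clientId: "myclient",
  redirectUri: "https://myfrontend.dev.example.com/callback",
  state: "replace-with-random-session-bound-value",
};
// Chrome's manifest fetch: CORS mode, destination "manifest".
const manifestFetch = {
  path: "/manifest.json",
  headers: { "Sec-Fetch-Mode": "cors", "Sec-Fetch-Dest": "manifest", Accept: "*/*" },
};
// A user opening the app in a tab.
const pageLoad = {
  path: "/",
  headers: { "Sec-Fetch-Mode": "navigate", Accept: "text/html,application/xhtml+xml" },
};

console.log(unauthenticatedResponse(manifestFetch, AUTH_PARAMS).status); // 401
console.log(unauthenticatedResponse(pageLoad, AUTH_PARAMS).status); // 302
```

Run with `node` to see the two status codes. Note that a manifest.json usually does not need protection at all and can simply be served publicly; the 401 branch matters for any authenticated API the SPA calls in the background, where the same 302-to-/auth mistake would surface as the same CORS error.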

0 votes

AFAIK * is not allowed in this scenario. When setting the frontend domain, try adding /* at the end:

https://myfrontend.dev.example.com/*

If this still does not work, have a look at the keycloak logs as well as the response headers in Chrome devtools and post them to your question.