I have an SPA application deployed on the Apache side as static files.
I use the Apache module mod_auth_openidc as the RP to authenticate the users.
I use Spring Boot as the backend API, and I use Keycloak as the IdP.
During the first authentication the redirection to Keycloak is done correctly and the API calls from the SPA to the Java backend work fine. However, after the session expires, when the user clicks on a link in the SPA, he is automatically redirected to the IdP (via an HTTP 302). But this time the browser raises a CORS error, because the MIME type is incorrect.
Here is the configuration used on the Apache side.
OIDCCryptoPassphrase a-random-secret-used-by-apache-oidc-and-balancer
OIDCClientID myapp
OIDCClientSecret xxxxxxxxxxxxxxxxxxx
OIDCScope "openid"
OIDCProviderMetadataURL https://keycloak-host/auth/realms/myclient/.well-known/openid-configuration
OIDCRedirectURI https://myapp-host/myapp/accueil
Header always set Access-Control-Allow-Origin "*"
Header always set Access-Control-Allow-Credentials "true"
Header always set Access-Control-Allow-Methods "GET,HEAD,PUT,PATCH,POST,DELETE,OPTIONS"
Header always set Access-Control-Max-Age "3600"
Header always set Access-Control-Allow-Headers "Content-Type, Accept, X-Requested-With, Authorization"
<Location /myapp/>
AuthType openid-connect
Require valid-user
LogLevel debug
</Location>
# only API requests are forwarded to the Java backend
SetEnvIf Request_URI !"/myapp/api/*" no-j
JkMount /myapp/api/* app1
Here is the Keycloak configuration:
Valid Redirect URIs = 'https://myapp-host/*'
Web Origins = '+'
Do you have any idea of the cause of the error? Here is the error in the Chrome console:
Refused to execute script from 'https://keycloak-host/auth/realms/intradef/protocol/openid-connect/auth?response_type=code&scope=openid&client_id=mayapp&state=cdPzfatA1au8hWag3puQWeYXzlc&redirect_uri=https%3A%2F%2F10.29.150.131%2Fmyapp%2Faccueil&nonce=MxMAAJWaVX0dCcHgHSp94S24_JTDJA6D8D4i6UloCx8' because its MIME type ('text/html') is not executable, and strict MIME type checking is enabled.
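The console message above is what the browser prints when a resource it requested from the SPA's own origin (here a script) was answered with a 302 to the Keycloak login page and it followed the redirect: the response it finally gets is an HTML page from another origin, not the JavaScript or JSON it asked for. The same happens to XHR/fetch calls to the API once the mod_auth_openidc session has expired. The following is an added example, not code from the question or from mod_auth_openidc, of how an SPA can handle that case on the client: it calls fetch with `redirect: 'manual'`, so the 302 to the IdP is never followed from script, and instead recognises the resulting opaque redirect response and re-authenticates with a top-level navigation, where following the redirect to Keycloak is exactly what is wanted. The `/myapp/api/` prefix and the `/myapp/accueil` entry point are taken from the question's configuration; the `deps` injection and the verdict names are assumptions of this example.

```javascript
// Added example (not from the question or from mod_auth_openidc): a fetch
// wrapper for an SPA whose API sits behind mod_auth_openidc.
//
// Once the Apache session has expired, the module answers API calls with a
// 302 to the IdP. If fetch follows that redirect, the SPA receives a
// cross-origin HTML login page where it expected JSON (or a JS chunk), which
// is what the MIME-type error in the console shows. With redirect: 'manual'
// the browser does not follow the redirect; instead fetch resolves to an
// "opaqueredirect" response (type 'opaqueredirect', status 0), which this
// wrapper turns into an explicit re-authentication via top-level navigation.

const API_BASE = '/myapp/api/';        // path prefix from the question's JkMount
const LOGIN_ENTRY = '/myapp/accueil';  // protected entry point, from OIDCRedirectURI

// Classify a fetch Response (or any object with the same fields: type,
// status, ok, headers.get). Returns 'ok', 'reauth' or 'error'.
// Kept pure and synchronous so it is easy to unit-test.
function classifyApiResponse(response) {
  // Redirect not followed (redirect: 'manual'): the session has expired and
  // the IdP login must run top-level, not inside an XHR/fetch.
  if (response.type === 'opaqueredirect') return 'reauth';
  // A visible 3xx only appears if the call was made without redirect: 'manual';
  // treat it the same way rather than letting the caller parse a login page.
  if (response.status >= 300 && response.status < 400) return 'reauth';
  // Deployments that answer expired API sessions with 401 instead of a redirect.
  if (response.status === 401) return 'reauth';
  if (!response.ok) return 'error';
  // A 200 that is not JSON usually means an HTML page slipped through.
  const ctype = (response.headers && response.headers.get('content-type')) || '';
  if (!ctype.toLowerCase().startsWith('application/json')) return 'error';
  return 'ok';
}

// Apply the verdict: on 'reauth', hand the browser to the protected entry
// point so mod_auth_openidc can perform the whole redirect flow top-level.
// `navigate` is injected so the logic can be tested outside a browser.
function handleApiResponse(response, navigate, loginEntry = LOGIN_ENTRY) {
  const verdict = classifyApiResponse(response);
  if (verdict === 'reauth') navigate(loginEntry);
  return verdict;
}

// The wrapper the SPA would call instead of fetch for API requests.
// deps.fetch / deps.navigate are assumed injection points for testing.
async function apiFetch(path, init = {}, deps = {}) {
  const doFetch = deps.fetch || fetch;
  const navigate = deps.navigate || ((url) => window.location.assign(url));
  const response = await doFetch(API_BASE + path, {
    ...init,
    credentials: 'same-origin', // send the mod_auth_openidc session cookie
    redirect: 'manual',         // never follow a 302 to the IdP from script
  });
  const verdict = handleApiResponse(response, navigate);
  if (verdict === 'ok') return response.json();
  if (verdict === 'reauth') return null; // page is navigating away
  throw new Error(`API call to ${path} failed: HTTP ${response.status}`);
}

module.exports = { API_BASE, LOGIN_ENTRY, classifyApiResponse, handleApiResponse, apiFetch };
```

The same problem can also be addressed on the Apache side: mod_auth_openidc's `OIDCUnAuthAction` directive lets a `<Location /myapp/api/>` answer unauthenticated requests with `401` instead of the default redirect, so API calls fail cleanly and only the top-level navigation to the SPA triggers the login. Note that the `Access-Control-Allow-Origin "*"` together with `Access-Control-Allow-Credentials "true"` in the question is a combination browsers reject for credentialed requests; since the SPA and the API share an origin here, those headers are not needed for the SPA's own calls at all.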