quarkus: CORS Error when Keycloak Token Times Out

Describe the bug If you enable OIDC support with Keycloak, calls to REST APIs start to fail once the token provided by Keycloak has timed out, with a CORS failure like this:

Access to XMLHttpRequest at 'http://localhost:8081/auth/realms/keycloak-cors-public/protocol/openid-connect/auth?redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fhello&state=ba3be67d-a18b-4c6f-acb9-6e617c05674e&scope=openid&response_type=code&client_id=quarkus' (redirected from 'http://localhost:8080/hello') from origin 'http://localhost:8080' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

GET http://localhost:8081/auth/realms/keycloak-cors-public/protocol/openid-connect/auth?redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fhello&state=ba3be67d-a18b-4c6f-acb9-6e617c05674e&scope=openid&response_type=code&client_id=quarkus net::ERR_FAILED

Uncaught (in promise) Error: Network Error
    at e.exports (spread.js:25)
    at XMLHttpRequest.l.onerror (spread.js:25)

Expected behavior The timeout of the token should not lead to an error

Actual behavior CORS Error produced

To Reproduce Clone https://github.com/tomsontom/keycloak-cors/ and follow the steps there

Configuration

quarkus.oidc.auth-server-url=${AUTH_URL}
quarkus.oidc.client-id=quarkus
quarkus.oidc.credentials.secret=${AUTH_CREDENTIALS}
quarkus.oidc.application-type=web-app
quarkus.http.auth.permission.authenticated.paths=/*
quarkus.http.auth.permission.authenticated.policy=authenticated

Screenshots: Screenshot 2020-06-23 at 11 23 08 (image not reproduced in text)

Environment (please complete the following information):

  • Output of uname -a or ver: Darwin Toms-MacBook-Pro.local 19.5.0 Darwin Kernel Version 19.5.0: Tue May 26 20:41:44 PDT 2020; root:xnu-6153.121.2~2/RELEASE_X86_64 x86_64
  • Output of java -version: openjdk version “11.0.6” 2020-01-14
  • GraalVM version (if different from Java): -
  • Quarkus version or git rev: 1.5.2.final
  • Build tool (i.e. output of mvnw --version or gradlew --version): 3.6.3

Additional context

Working request/response look like this:

General:

Request URL: http://localhost:8080/hello
Request Method: GET
Status Code: 200 OK
Remote Address: [::1]:8080
Referrer Policy: no-referrer-when-downgrade

Response Headers:

Content-Length: 5
Content-Type: text/plain;charset=UTF-8

Request Headers:

Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate, br
Accept-Language: de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7
Connection: keep-alive
Cookie: q_session=<JWT session cookie value elided>
Host: localhost:8080
Referer: http://localhost:8080/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.106 Safari/537.36

Failing request/response look like this:

General:

Request URL: http://localhost:8080/hello
Request Method: GET
Status Code: 302 Found
Remote Address: [::1]:8080
Referrer Policy: no-referrer-when-downgrade

Response Headers:

content-length: 0
location: http://localhost:8081/auth/realms/keycloak-cors-public/protocol/openid-connect/auth?redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fhello&state=ba3be67d-a18b-4c6f-acb9-6e617c05674e&scope=openid&response_type=code&client_id=quarkus
set-cookie: q_auth=ba3be67d-a18b-4c6f-acb9-6e617c05674e; Max-Age=1800; Expires=Tue, 23 Jun 2020 09:36:13 GMT; HTTPOnly

Request Headers:

Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate, br
Accept-Language: de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7
Connection: keep-alive
Host: localhost:8080
Referer: http://localhost:8080/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.106 Safari/537.36

General:

Request URL: http://localhost:8081/auth/realms/keycloak-cors-public/protocol/openid-connect/auth?redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fhello&state=ba3be67d-a18b-4c6f-acb9-6e617c05674e&scope=openid&response_type=code&client_id=quarkus
Referrer Policy: no-referrer-when-downgrade

Response Headers:

Cache-Control: no-store, must-revalidate, max-age=0
Connection: keep-alive
Content-Language: en
Content-Length: 3089
Content-Security-Policy: frame-src 'self'; frame-ancestors 'self'; object-src 'none';
Content-Type: text/html;charset=utf-8
Date: Tue, 23 Jun 2020 09:06:13 GMT
Set-Cookie: AUTH_SESSION_ID=b2d2fe22-a5ec-4ea7-bcfc-3f248d07ee56.0a08cbc5521a; Version=1; Path=/auth/realms/keycloak-cors-public/; HttpOnly
Set-Cookie: KC_RESTART=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJiZDdkYjg5Yy00NWJkLTQ1MDktODFkMi1lN2IxYjMxYjBhNDYifQ.eyJjaWQiOiJxdWFya3VzIiwicHR5Ijoib3BlbmlkLWNvbm5lY3QiLCJydXJpIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL2hlbGxvIiwiYWN0IjoiQVVUSEVOVElDQVRFIiwibm90ZXMiOnsic2NvcGUiOiJvcGVuaWQiLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODEvYXV0aC9yZWFsbXMva2V5Y2xvYWstY29ycy1wdWJsaWMiLCJyZXNwb25zZV90eXBlIjoiY29kZSIsInJlZGlyZWN0X3VyaSI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4MC9oZWxsbyIsInN0YXRlIjoiYmEzYmU2N2QtYTE4Yi00YzZmLWFjYjktNmU2MTdjMDU2NzRlIn19.Bj9kuulCAHnH17VjkgpqZUwG21uLObERAOi4rVbtSrE; Version=1; Path=/auth/realms/keycloak-cors-public/; HttpOnly
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Robots-Tag: none
X-XSS-Protection: 1; mode=block

Request Headers:

Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate, br
Accept-Language: de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7
Connection: keep-alive
Host: localhost:8081
Origin: http://localhost:8080
Referer: http://localhost:8080/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.106 Safari/537.36

Query String Parameters:

redirect_uri: http://localhost:8080/hello
state: ba3be67d-a18b-4c6f-acb9-6e617c05674e
scope: openid
response_type: code
client_id: quarkus
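The captured exchange shows the failure mode: once the q_session cookie has expired, GET /hello answers 302 to the Keycloak authorization endpoint, the XHR follows that redirect cross-origin, and Keycloak's response carries no Access-Control-Allow-Origin header. The following is an added example, not code from the reporter's reproducer or from Quarkus, showing how a browser client can detect that redirect with fetch() and redirect: 'manual' and fall back to a top-level navigation (which CORS does not govern) instead of surfacing a "Network Error"; the endpoint prefix is taken from the Location header in the report, and the reload assumes the app page is itself protected by the paths=/* rule in the reported configuration.

```javascript
// Added example (not from the issue or Quarkus): detect the OIDC login
// redirect on an API call and re-authenticate via a top-level navigation
// instead of letting an XHR follow it cross-origin into a CORS failure.

// Authorization endpoint prefix taken from the Location header in the report.
const AUTH_ENDPOINT_PREFIX =
  'http://localhost:8081/auth/realms/keycloak-cors-public/protocol/openid-connect/auth';

// Accept either a fetch Headers object or a plain { name: value } map.
function headerValue(headers, name) {
  if (headers && typeof headers.get === 'function') return headers.get(name) || '';
  const key = Object.keys(headers || {}).find((k) => k.toLowerCase() === name);
  return key ? headers[key] : '';
}

// Pure classifier over a Response-like object. In a browser, redirect: 'manual'
// hides the 302 and yields type 'opaqueredirect' with status 0; a non-browser
// client (e.g. Node) sees the raw 302 with its Location header.
function classifyApiResponse({ status, type, headers }) {
  if (type === 'opaqueredirect') {
    return { action: 'reauthenticate', reason: 'opaque redirect from API origin' };
  }
  if (status >= 300 && status < 400) {
    const location = headerValue(headers, 'location');
    if (location.startsWith(AUTH_ENDPOINT_PREFIX)) {
      return { action: 'reauthenticate', reason: 'redirect to OIDC authorization endpoint' };
    }
    return { action: 'error', reason: `unexpected redirect to ${location}` };
  }
  if (status >= 200 && status < 300) return { action: 'ok' };
  return { action: 'error', reason: `HTTP ${status}` };
}

// Call a protected API; on an expired session reload the app page, which is
// itself protected (paths=/* in the reported configuration, assumed here) and
// therefore re-triggers the Keycloak login as a normal navigation, not an XHR.
async function callApi(path, fetchImpl = globalThis.fetch) {
  const response = await fetchImpl(path, {
    credentials: 'same-origin', redirect: 'manual', headers: { Accept: 'application/json' },
  });
  const verdict = classifyApiResponse(response);
  if (verdict.action === 'reauthenticate') {
    if (typeof window !== 'undefined') window.location.reload();
    return verdict;
  }
  if (verdict.action === 'error') throw new Error(verdict.reason);
  return { action: 'ok', body: await response.text() };
}
```

Because the redirect is now detected before it is followed, the same logic also catches an expired session in non-browser callers that see the raw 302 with its Location header.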

About this issue

  • State: closed
  • Created 4 years ago
  • Comments: 50 (29 by maintainers)
