I would like to mimic the behaviour of the adapter that was maintained by the keycloak team, but that is now deprecated.
In class org.keycloak.adapters.AuthenticatedActionsHandler they used to read the allowed-origins claim and validate the Origin header of the HTTP request.
This claim is populated with the URLs that are configured on the client, in the Admin Console: Clients -> #the client# -> Settings -> Web Origins.
A nice feature is that when we set this form field to a plus sign (+), every valid redirect URI is also a valid web origin that is copied into the token.
It seems that configuring CORS with Spring's CorsConfigurationSource is not dynamic enough to read from the token with each request.
What would be the cleanest way of doing it?
Thanks
ulk200 changed the title from "Handle CORS Requets with Keycloak's "allowed-origins" claim like the keycloak's adapter (now deprecated)" to "Handle CORS Requests with Keycloak's "allowed-origins" claim like the keycloak adapter (now deprecated)" on Apr 4, 2024
allowed-origins is a private claim. If other authorization servers were providing equivalents, it would probably be in other claims. In such a case, it could be worth implementing something similar to how authorities mapping is done (expose some configuration property accepting a JSON path to the allowed origins claim). But I don't know any other provider exposing the origins it allows in claims, which is why I'm not quite inclined to add such a feature to spring-addons-starter-oidc.
However, your use case is interesting and I'll try to put together the Java configuration to add (might take a few days to find the time for that).
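One way to get the per-request behaviour discussed above, as an added example (not the maintainer's, spring-addons' or Keycloak's code): a `CorsConfigurationSource` that reads the `allowed-origins` claim from the bearer token of each request. It assumes Spring Boot 3 / Spring Security 6 (jakarta servlet API), that the resource server's `JwtDecoder` bean is injected, and that a static fallback `CorsConfiguration` is supplied for requests that carry no token, because a CORS preflight never carries the `Authorization` header and so the claim is not available for it.

```java
import java.util.List;
import jakarta.servlet.http.HttpServletRequest;
import org.springframework.http.HttpHeaders;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtException;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;

/** Resolves the CORS allowed origins per request from Keycloak's "allowed-origins" token claim. */
public class AllowedOriginsClaimCorsSource implements CorsConfigurationSource {
    private static final String CLAIM = "allowed-origins";
    private final JwtDecoder jwtDecoder;      // assumption: the resource server's JwtDecoder bean
    private final CorsConfiguration fallback; // assumption: static config for token-less requests (preflight)

    public AllowedOriginsClaimCorsSource(JwtDecoder jwtDecoder, CorsConfiguration fallback) {
        this.jwtDecoder = jwtDecoder;
        this.fallback = fallback;
    }

    @Override
    public CorsConfiguration getCorsConfiguration(HttpServletRequest request) {
        String auth = request.getHeader(HttpHeaders.AUTHORIZATION);
        if (auth == null || !auth.regionMatches(true, 0, "Bearer ", 0, 7)) {
            // Preflight (OPTIONS) and anonymous requests carry no token, so the claim
            // cannot be read here: apply the static fallback configuration instead.
            return fallback;
        }
        try {
            // CorsFilter runs before BearerTokenAuthenticationFilter, so the token is decoded
            // (signature and expiry validated) a second time here; cache the result if that matters.
            Jwt jwt = jwtDecoder.decode(auth.substring(7).trim());
            List<String> origins = jwt.getClaimAsStringList(CLAIM);
            CorsConfiguration config = new CorsConfiguration(fallback);
            // Exact-match origin list taken from the claim; an empty list makes
            // DefaultCorsProcessor reject the request's Origin with 403.
            config.setAllowedOrigins(origins == null ? List.of() : origins);
            return config;
        } catch (JwtException e) {
            // Invalid or expired token: allow no origin; the resource server filter answers 401 later.
            CorsConfiguration deny = new CorsConfiguration(fallback);
            deny.setAllowedOrigins(List.of());
            return deny;
        }
    }
}
```

Register it as the `CorsConfigurationSource` bean that `http.cors(...)` picks up. Note that if the Keycloak client's Web Origins contain `*`, the claim will carry `*` too, and Spring's `CorsConfiguration` refuses `*` together with `allowCredentials=true`, so keep credentials off the fallback or avoid the wildcard on the client.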
Yes, a code sample or a tutorial would be enough since this is not standard. Your project always comes along when searching for a replacement for the adapters that the Keycloak team used to maintain, so I think it's an ideal place to find everything that makes it possible to fully replace them.
Thank you