TechQA.

Pac4j - CORS Allow Origin Not Matching Origin

103 views Asked by At

My javalin API receive a request on a route secured by pac4j. But no matter what I try, I always end up with a "CORS Allow Origin Not Matching Origin" error on OPTION, and "NS_ERROR_DOM_BAD_URI" on GET
Unprotected route works normally.

Here is my api :

val securityHandler: SecurityHandler = SecurityHandler(authenticationConfig, "KeycloakOidcClient")
app.before("/protected", securityHandler)
app.get("/protected") { ctx ->
  ctx.result("Hello Keycloak protected!")
}
app.get("/notprotected") { ctx ->
  ctx.result("Hello unprotected!")
}

And here is my config :

fun setUpAuthentication(properties: Properties): AuthenticationConfig {

  val oidcConfig: KeycloakOidcConfiguration = KeycloakOidcConfiguration()
  oidcConfig.setClientId(properties.get(KEYCLOAK_ID))
  oidcConfig.setSecret(properties.get(KEYCLOAK_SECRET))
  oidcConfig.setDiscoveryURI(properties.get(KEYCLOAK_DISC_URI))
  oidcConfig.setBaseUri(properties.get(KEYCLOAK_BASE_URI))
  oidcConfig.setRealm(properties.get(KEYCLOAK_REALM))
  oidcConfig.setClientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)

  val keyCloakClient = KeycloakOidcClient(oidcConfig)
  val clients = Clients(properties.get(API_BASE_URL)+"/callback", keyCloakClient)
  val config = AuthenticationConfig(clients)
  config.addAuthorizer("csfr", CsrfAuthorizer())
  return config
}

My keycloak client is configured with both the front-end and back-end url as allowed web origins (I even tried * or /* but it doesn't change anything)

What could be the cause ?

Edit :

I just tried to add a CorsMatcher as suggested but to no effect :

val corsMatcher = CorsMatcher()
corsMatcher.setAllowOrigin(null)
config.addMatcher("cors", corsMatcher)
return config

@jleleu is it what you had in mind in order to "a CORS configuration with the null host" ?

Edit 2 :

val keyCloakClient = KeycloakOidcClient(oidcConfig)
val clients = Clients(properties.get(API_BASE_URL)+"/callback", keyCloakClient)
val config = AuthenticationConfig(clients)
val corsMatcher = CorsMatcher()
corsMatcher.setAllowOrigin(properties.get(FRONT_URL) + " " + properties.get(KEYCLOAK_BASE_URI))
// also tried 
// corsMatcher.setAllowOrigin(properties.get(FRONT_URL))
// corsMatcher.setAllowOrigin(properties.get(KEYCLOAK_BASE_URI))
// but reading Matcher code it seems to overwrite the first one 
config.addMatcher("cors", corsMatcher)
return config
keycloak pac4j javalin
Original Q&A
1

There are 1 answers

9
jleleu On

By default, security headers are applied by pac4j. Can you try using the SecurityHandler(authenticationConfig, "KeycloakOidcClient", "isAuthenticated", "none") constructor?

Related Questions in KEYCLOAK

Related Questions in PAC4J

Related Questions in JAVALIN

Popular Questions

Popular Tags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Trending Questions