
I have a web service protected by Gatekeeper (louketo-proxy). When I call the protected service via an AJAX request, it won't redirect me to the login page. It shows me the message "Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://127.0.0.1:3000/app-name/api/getSession. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing)."

Below is the gatekeeper configuration file:

client-id: app_id
client-secret: app_secret
discovery-url: http://127.0.0.1:8080/auth/realms/app_realm
redirection-url: http://127.0.0.1:3000
upstream-url: http://127.0.0.1:8043
enable-logging: true
enable-json-logging: true
verbose: true
enable-session-cookies: true
skip-upstream-tls-verify: true
skip-openid-provider-tls-verify: true
encryption-key: enc_key
listen: 0.0.0.0:3000
secure-cookie: false
enable-refresh-tokens: true
enable-cors: true
cors-max-age: 1000
cors-headers:
  - Accept
  - Content-Type
  - Cache-Control
  - Pragma
  - X-Custom-Header
  - Source
debug: true
resources:
  - uri: /app/api/v5/stylesheets/key=CSS
    white-listed: true
  - uri: /app/api/v5/images/key=FAVICON
    white-listed: true
  - uri: /app/api/v5/*

The Keycloak version I am using is 10.0.2.


sandeep

1 Answer


Did you try to define some allowed CORS origins, like

cors-origins:
  - '*'

to try out what happens if you allow everything?

hecko84
  • I have also tried this, but it is not able to redirect me to the Keycloak auth login page, although I am able to see the request in the browser network tab. – sandeep Sep 03 '20 at 08:34
  • Did you try to add Access-Control-Allow-Origin for cors-headers as well? – hecko84 Sep 03 '20 at 10:45
  • cors-origins: - '*' cors-headers: - Accept - Content-Type - Cache-Control - Pragma - X-Custom-Header - Source - Origin - X-Requested-With - Access-Control-Request-Method - Access-Control-Request-Headers - Access-Control-Allow-Origin - Authorization cors-methods: - GET - POST - PUT - OPTIONS - HEAD - DELETE debug: true This is the config that I have set in the Gatekeeper config, apart from the above-mentioned options. – sandeep Sep 03 '20 at 12:42
  • If you intercept the request, does it include the Access-Control-Allow-Origin header? – hecko84 Sep 03 '20 at 13:01
  • Yes. It's showing the Access-Control-Allow-Origin header. – sandeep Sep 03 '20 at 13:28
  • My issue now is that the browser is not able to load the Keycloak authentication page when a secured resource is called. The auth request is visible in the browser network tab. – sandeep Sep 03 '20 at 13:32
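
Added example, not part of the original thread and not Gatekeeper or Keycloak code: a simplified model of the browser's CORS check applied to each hop of the redirect chain an AJAX call to the protected URL goes through. The page origin `http://localhost:8000`, the header sets and the assumption that the Keycloak login page sends no CORS headers are constructed for illustration.

```javascript
// Added example: simplified model of the Fetch-standard CORS check, applied to
// each hop of a redirect chain. All hop data here is constructed, not captured.
// Header names are expected in lowercase.
function corsCheck(originSent, credentialed, headers) {
  const acao = headers['access-control-allow-origin'];
  if (acao === undefined) return 'Access-Control-Allow-Origin missing';
  if (acao === '*') {
    return credentialed ? "wildcard '*' not accepted with credentials" : null;
  }
  if (acao !== originSent) return `origin mismatch: ${acao}`;
  if (credentialed && headers['access-control-allow-credentials'] !== 'true') {
    return 'Access-Control-Allow-Credentials is not true';
  }
  return null; // this hop passes
}

// Returns the first hop the browser would block, or null if script may read the response.
function firstBlockedHop(pageOrigin, credentialed, hops) {
  let crossOrigin = false; // sticky once the chain leaves the page's origin
  let tainted = false;     // when set, the Origin header is serialized as "null"
  for (let i = 0; i < hops.length; i++) {
    const here = new URL(hops[i].url).origin;
    if (here !== pageOrigin) crossOrigin = true;
    if (crossOrigin) {
      const sent = tainted ? 'null' : pageOrigin;
      const reason = corsCheck(sent, credentialed, hops[i].headers);
      if (reason) return { hop: i, url: hops[i].url, reason };
    }
    const next = hops[i + 1];
    // A cross-origin hop that redirects to a different origin taints the request origin.
    if (next && here !== pageOrigin && new URL(next.url).origin !== here) tainted = true;
  }
  return null;
}

// Constructed chain: hypothetical page origin, proxy redirect, then the Keycloak login page.
const PAGE = 'http://localhost:8000'; // assumption: where the calling page is served
const proxy = 'http://127.0.0.1:3000/app-name/api/getSession';
const login = 'http://127.0.0.1:8080/auth/realms/app_realm/protocol/openid-connect/auth';
const chain = (proxyHeaders) => [
  { url: proxy, headers: proxyHeaders },
  { url: login, headers: {} }, // assumption: login HTML carries no CORS headers
];

console.log(firstBlockedHop(PAGE, false, chain({})));
console.log(firstBlockedHop(PAGE, false, chain({ 'access-control-allow-origin': '*' })));
```

Even when every hop passes, an XHR or fetch call only hands the login page's HTML to the calling script; it never navigates the browser to that page.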