0

In my spring boot application i used springdoc openapi.

  <dependency>
      <groupId>org.springdoc</groupId>
      <artifactId>springdoc-openapi-ui</artifactId>
       <version>1.6.11</version>
  </dependency>

All the api in my app is secure by token, so i added OAuth2 authentication to my config like below.

@Bean
public OpenAPI openAPI() {
    final String authUrl = "https://test/auth/realms/test/protocol/openid-connect";
    return new OpenAPI()
            .components(new Components()
                    .addSecuritySchemes("spring_oauth", new SecurityScheme()
                            .type(SecurityScheme.Type.OAUTH2)
                            .description("Oauth2 flow")
                            .flows(new OAuthFlows()
                                    .clientCredentials(new OAuthFlow()
                                            .authorizationUrl(authUrl + "/auth")
                                            .refreshUrl(authUrl + "/token")
                                            .tokenUrl(authUrl + "/token")
                                            .scopes(new Scopes())
                                    ))))
            .security(Collections.singletonList(new SecurityRequirement().addList("spring_oauth")))
            .info(new Info()
                    .title("Test Service API")
                    .description("Documentation Test Service API v1.0")
                    .version("v1.0"));
}

I have the CorsFilter config

@Bean
public CorsFilter corsFilter() {
    final UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
    final CorsConfiguration config = new CorsConfiguration();
    config.setAllowedOrigins(Collections.singletonList("*"));
    config.addAllowedHeader("*");
    config.addAllowedMethod("GET");
    config.addAllowedMethod("POST");
    config.addAllowedMethod("OPTIONS");
    config.addAllowedMethod("PATCH");

    if (CollectionUtils.isNotEmpty(config.getAllowedOrigins())) {
        source.registerCorsConfiguration("/api/**", config);
        source.registerCorsConfiguration("/health", config);
        source.registerCorsConfiguration("/info", config);
        source.registerCorsConfiguration("/prometheus", config);
        source.registerCorsConfiguration("/swagger-ui/**", config);
        source.registerCorsConfiguration("/v3/api-docs/**", config);
    }

    return new CorsFilter(source);
}

When i tried to authorize, i get an error Auth ErrorTypeError: Failed to fetch

enter image description here

In the console i have the below error, even though i added * in the AllowedOrigins

Access to fetch at 'https://test/auth/realms/test/protocol/openid-connect/token' from origin 'http://localhost:9019' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

Aymen Kanzari
  • 1,765
  • 7
  • 41
  • 73

1 Answers1

0

My guess is that the confidential client obfuscated on your screenshot has no Allowed Origins configured with http://localhost:9019 in Keycloak.

If the failing request is https://test/auth/realms/test/protocol/openid-connect/token, then it's a request to the token endpoint of the test realm on a Keycloak (19 or before) instance. It's the request for the REST client to get an access-token (using the client-credentials flow you configured), before querying your resource-server (your spring-security config on the resource-server has not been evaluated yet).

Go to Keycloak administration console, browse to the test realm, open clients tab, select your confidential client and check allowed origins in its settings.

ch4mp
  • 6,622
  • 6
  • 29
  • 49