Handle CORS Requests with Keycloak's "allowed-origins" claim like the keycloak adapter (now deprecated) #202
Comments
Hi @ulk200 and thanks for reaching out.
However, your use-case is interesting and I'll try to put together the Java configuration to add (might take a few days to find the time for that).
Yes, a code sample or a tutorial would be enough since this is not standard. Your project always comes along when searching for a replacement for the adapters that the Keycloak team used to maintain, so I think it's an ideal place to find everything that can permit to fully replace it.
I would like to mimic the behaviour of the adapter that was maintained by the keycloak team, but that is now deprecated.
In class `org.keycloak.adapters.AuthenticatedActionsHandler` they used to read the `allowed-origins` claim and validate the `Origin` header of the HTTP request.
This claim is populated with the URLs that are configured on the client, in the Admin Console: Clients -> #the client# -> Settings -> Web Origins
A nice feature is that when we set this form field with a plus sign + every valid redirect URI is also a valid web-origin that is copied in the token.
It seems that configuring CORS with Spring's `CorsConfigurationSource` is not dynamic enough to read from the token with each request.
What would be the cleanest way of doing it?
Thanks
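One way to perform the check described in the issue above, as an added example (not code from this project or from the Keycloak adapter). It assumes Spring Boot 3 (`jakarta.servlet`) with a JWT resource server; the class name `AllowedOriginsClaimFilter` is hypothetical, and wildcard entries in the claim are deliberately not honored, only exact matches.

```java
// Added example; assumes Spring Boot 3 / Spring Security 6 with a JWT resource server.
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.List;
import org.springframework.http.HttpHeaders;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
import org.springframework.web.cors.CorsUtils;
import org.springframework.web.filter.OncePerRequestFilter;

/** Hypothetical filter: checks Origin against the token's "allowed-origins" claim. */
public class AllowedOriginsClaimFilter extends OncePerRequestFilter {

    static final String CLAIM = "allowed-origins";

    /** Exact, case-sensitive match only; a null claim or null origin never matches. */
    static boolean isAllowed(String origin, List<String> allowedOrigins) {
        return origin != null && allowedOrigins != null && allowedOrigins.contains(origin);
    }

    @Override
    protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res,
            FilterChain chain) throws ServletException, IOException {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        // Preflight requests carry no bearer token, so they cannot be decided here
        // and must be answered by separate CORS handling. Same-origin and
        // unauthenticated requests are left to the rest of the filter chain.
        if (!CorsUtils.isCorsRequest(req) || CorsUtils.isPreFlightRequest(req)
                || !(auth instanceof JwtAuthenticationToken jwtAuth)) {
            chain.doFilter(req, res);
            return;
        }
        String origin = req.getHeader(HttpHeaders.ORIGIN);
        List<String> allowed = jwtAuth.getToken().getClaimAsStringList(CLAIM);
        if (!isAllowed(origin, allowed)) {
            // Fail closed: the token was not issued for this web origin.
            res.sendError(HttpServletResponse.SC_FORBIDDEN, "Origin not allowed by token");
            return;
        }
        // Echo the validated origin, never "*", and mark the response as origin-dependent.
        res.setHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN, origin);
        res.addHeader(HttpHeaders.VARY, HttpHeaders.ORIGIN);
        chain.doFilter(req, res);
    }
}
```

The filter has to run after the bearer token has been authenticated, for example by registering it with `http.addFilterAfter(new AllowedOriginsClaimFilter(), BearerTokenAuthenticationFilter.class)`.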