Handle CORS Requests with Keycloak's "allowed-origins" claim like the keycloak adapter (now deprecated) #202

Open
ulk200 opened this issue Apr 4, 2024 · 2 comments


ulk200 commented Apr 4, 2024

I would like to mimic the behaviour of the adapter that was maintained by the Keycloak team, but that is now deprecated.
In class org.keycloak.adapters.AuthenticatedActionsHandler they used to read the allowed-origins claim and validate the Origin header of the HTTP request.

This claim is populated with the URLs that are configured on the client, in the Admin Console: Clients -> #the client# -> Settings -> Web Origins

A nice feature is that when we set this form field with a plus sign +, every valid redirect URI is also a valid web-origin that is copied in the token.

It seems that configuring CORS with Spring's CorsConfigurationSource is not dynamic enough to read from the token with each request.
What would be the cleanest way of doing it?

Thanks

@ulk200 ulk200 added the enhancement New feature or request label Apr 4, 2024
@ulk200 ulk200 changed the title Handle CORS Requets with Keycloak's "allowed-origins" claim like the keycloak's adapter (now deprecated) Handle CORS Requests with Keycloak's "allowed-origins" claim like the keycloak adapter (now deprecated) Apr 4, 2024
Owner

ch4mpy commented Apr 4, 2024

Hi @ulk200 and thanks for reaching out.

allowed-origins is a private claim. If other authorization servers were providing equivalents, it would probably be in other claims. In such a case, it could be worth implementing something similar to how authorities mapping is done (expose some configuration property accepting a JSON path to the allowed origins claim). But I don't know any other provider exposing the origins it allows in claims, which is why I'm not quite inclined to add such a feature to spring-addons-starter-oidc.

However, your use-case is interesting and I'll try to put together the Java configuration to add (might take a few days to find the time for that).

Author

ulk200 commented Apr 5, 2024

Yes, a code sample or a tutorial would be enough since this is not standard. Your project always comes along when searching for a replacement for the adapters that the Keycloak team used to maintain, so I think it's an ideal place to find everything that makes it possible to fully replace it.
Thank you
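
One way to do the check asked for in this thread, as an added example (not code from spring-addons and not the Keycloak adapter's code): a servlet filter for a Spring Boot 3 / Spring Security 6 JWT resource server that compares the Origin header of a cross-origin request with the allowed-origins claim of the already validated token. The class name, the treatment of a "*" entry and the 403 response are assumptions.

```java
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.List;
import org.springframework.http.HttpHeaders;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
import org.springframework.web.cors.CorsUtils;
import org.springframework.web.filter.OncePerRequestFilter;

// Hypothetical class name. Register it after BearerTokenAuthenticationFilter so that
// the JWT found in the security context has already had its signature and expiry checked.
public class AllowedOriginsClaimFilter extends OncePerRequestFilter {

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
            FilterChain chain) throws ServletException, IOException {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        // Preflight (OPTIONS) requests carry no Authorization header, so there is no token
        // to read: they, same-origin requests and non-JWT requests go on down the chain.
        if (!CorsUtils.isCorsRequest(request) || CorsUtils.isPreFlightRequest(request)
                || !(auth instanceof JwtAuthenticationToken jwtAuth)) {
            chain.doFilter(request, response);
            return;
        }
        String origin = request.getHeader(HttpHeaders.ORIGIN);
        List<String> allowed = jwtAuth.getToken().getClaimAsStringList("allowed-origins");
        // Assumption: a "*" entry in the claim means any origin is accepted.
        boolean ok = allowed != null && (allowed.contains("*") || allowed.contains(origin));
        if (!ok) {
            // Fail closed: a missing claim or an unlisted origin is rejected.
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "Origin not allowed by token");
            return;
        }
        // Echo the exact origin (never "*") and tell caches the response varies by it.
        response.setHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN, origin);
        response.addHeader(HttpHeaders.VARY, HttpHeaders.ORIGIN);
        chain.doFilter(request, response);
    }
}
```

Preflight handling still has to come from a static CORS configuration, since the browser sends no token with it; if that configuration also sets Access-Control-Allow-Origin on actual requests, the header would be written twice.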
