I'm using this very straightforward script to connect to Keycloak and fetch the user's profile after a successful login. It is basically copied together from the documentation:
<script type="text/javascript" src="http://localhost:8280/js/keycloak.js"></script>
<script type="text/javascript">
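// Keycloak JS adapter instance for realm "mordor" and client "int_accounts-ui".
// The server is addressed over plain http:// on localhost.
const keycloak = new Keycloak({
  url: 'http://localhost:8280/',
  realm: 'mordor',
  clientId: 'int_accounts-ui',
});

/**
 * Initialise the adapter, then either start a login or fetch the user's data.
 *
 * 'check-sso' only checks for an existing session; it does not redirect to the
 * login page by itself, which is why login() is called explicitly below.
 */
keycloak
  .init({
    onLoad: 'check-sso',
    silentCheckSsoRedirectUri: `${window.location.origin}/assets/silent-check-sso.html`,
  })
  .then(() => {
    if (!keycloak.authenticated) {
      // No session yet: hand over to the Keycloak login page. Returning the
      // promise lets a failure reach the final catch() instead of being lost.
      return keycloak.login();
    }

    // works
    keycloak
      .loadUserInfo()
      .then((info) => {
        // Debug output only: this prints personal data to the console.
        console.info('User Info:');
        console.info(info);
      })
      .catch((err) => {
        // The adapter may reject without a reason; the browser's network tab
        // then holds the actual status and headers.
        console.error('Failed to load user info', err);
      });

    // fails with CORS issue
    // The blocked request goes to /realms/mordor/account (see the browser
    // error message reported for this call).
    // NOTE(review): the account REST API appears to take its allowed origins
    // from the access token's `allowed-origins` claim rather than directly from
    // the client's Web Origins setting. Decode the token and check that the
    // claim is present and lists this page's origin. TODO: confirm against the
    // Keycloak version in use.
    keycloak
      .loadUserProfile()
      .then((profile) => {
        console.info('User Profile:');
        console.info(profile);
      })
      .catch((err) => {
        console.error('Failed to load user profile', err);
      });

    return undefined;
  })
  .catch((err) => {
    // Previously a rejected init() (or login()) went unhandled and unreported.
    console.error('Keycloak init or login failed', err);
  });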
</script>
While the `keycloak.loadUserInfo` call works correctly, the `keycloak.loadUserProfile` call fails with the following CORS issue:
Access to XMLHttpRequest at 'http://localhost:8280/realms/mordor/account' from origin 'http://localhost:4200' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
What I did / checked already:
- Configured the client with "full scope allowed", but also with just the role `view-profile` on `account`
- Set "Web Origins" for the client to `+` and then to `*`
- Used different `keycloak.js` versions; the current one is loaded from the Keycloak instance itself and must therefore be compatible
- Tried different browsers (Chrome, FF and Brave)
- Ran the failing request as cURL from the console; it works there. The response proves that no CORS header is sent:
# Replays the request that the browser blocked, with the same Origin header
# (http://localhost:4200), against the account endpoint. -v prints the request
# and response headers, so the response can be checked for
# Access-Control-Allow-Origin. The bearer token is truncated in this listing.
curl -v 'http://localhost:8280/realms/mordor/account' \
-H 'Accept: application/json' \
-H 'Accept-Language: en-US,en;q=0.9,de;q=0.8' \
-H 'Authorization: bearer eyJhbGciOiJSUzI1NiIsInR5cCIgO...[truncated]' \
-H 'Cache-Control: no-cache' \
-H 'Connection: keep-alive' \
-H 'Origin: http://localhost:4200' \
-H 'Pragma: no-cache' \
-H 'Referer: http://localhost:4200/' \
-H 'Sec-Fetch-Dest: empty' \
-H 'Sec-Fetch-Mode: cors' \
-H 'Sec-Fetch-Site: same-site' \
-H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36' \
-H 'sec-ch-ua: ".Not/A)Brand";v="99", "Google Chrome";v="103", "Chromium";v="103"' \
-H 'sec-ch-ua-mobile: ?0' \
-H 'sec-ch-ua-platform: "Linux"' \
--compressed
* Trying 127.0.0.1:8280...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 8280 (#0)
> GET /realms/mordor/account HTTP/1.1
> Host: localhost:8280
> Accept-Encoding: deflate, gzip, br
> Accept: application/json
> Accept-Language: en-US,en;q=0.9,de;q=0.8
> Authorization: bearer eyJhbGciOiJSUzI1NiIsInR5cCIgO...[truncated]
> Cache-Control: no-cache
> Connection: keep-alive
> Origin: http://localhost:4200
> Pragma: no-cache
> Referer: http://localhost:4200/
> Sec-Fetch-Dest: empty
> Sec-Fetch-Mode: cors
> Sec-Fetch-Site: same-site
> User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
> sec-ch-ua: ".Not/A)Brand";v="99", "Google Chrome";v="103", "Chromium";v="103"
> sec-ch-ua-mobile: ?0
> sec-ch-ua-platform: "Linux"
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Referrer-Policy: no-referrer
< X-Frame-Options: SAMEORIGIN
< Strict-Transport-Security: max-age=31536000; includeSubDomains
< Cache-Control: no-cache
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< Content-Type: application/json
< content-length: 741
<
* Connection #0 to host localhost left intact
{"id":"1bddfa1f-c840-4439-8435-c4537be62b20","username":"test-account-mgmt","firstName":"Account","lastName":"Mgmt","email":"accountmgmt@mordor","emailVerified":true,"userProfileMetadata":{"attributes":[{"name":"username","displayName":"${username}","required":true,"readOnly":true,"validators":{}},{"name":"email","displayName":"${email}","required":true,"readOnly":false,"validators":{"email":{"ignore.empty.value":true}}},{"name":"firstName","displayName":"${firstName}","required":true,"readOnly":false,"validators":{}},{"name":"lastName","displayName":"${lastName}","required":true,"readOnly":false,"validators":{}}]},"attributes":{"lastImport":["2022-08-30T12:12:05.276620735Z"],"userId":["e32dd0ea-8669-4ec1-a282-aebd9c95fa5a"]}}%
Keycloak version: 18.0.2 on Docker (`bitnami/keycloak:18`)
Any other ideas? I just wanted to ask the community before I open a bug ticket.