KEYCLOAK-5146 TokenEndpoint returns wrong methods for preflight requests (#4455)

services/src/main/java/org/keycloak/protocol/oidc/endpoints/TokenEndpoint.java

@@ -163,7 +163,7 @@ public class TokenEndpoint {
         if (logger.isDebugEnabled()) {
             logger.debugv("CORS preflight from: {0}", headers.getRequestHeaders().getFirst("Origin"));
         }
-        return Cors.add(request, Response.ok()).auth().preflight().build();
+        return Cors.add(request, Response.ok()).auth().preflight().allowedMethods("POST", "OPTIONS").build();
     }
 
     private void checkSsl() {

testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/util/OAuthClient.java

@@ -23,6 +23,7 @@ import org.apache.http.NameValuePair;
 import org.apache.http.client.entity.UrlEncodedFormEntity;
 import org.apache.http.client.methods.CloseableHttpResponse;
 import org.apache.http.client.methods.HttpGet;
+import org.apache.http.client.methods.HttpOptions;
 import org.apache.http.client.methods.HttpPost;
 import org.apache.http.client.utils.URLEncodedUtils;
 import org.apache.http.impl.client.CloseableHttpClient;
@@ -248,6 +249,17 @@ public class OAuthClient {
         return new DefaultHttpClient();
     }
 
+    public CloseableHttpResponse doPreflightRequest() {
+        try (CloseableHttpClient client = newCloseableHttpClient()) {
+            HttpOptions options = new HttpOptions(getAccessTokenUrl());
+            options.setHeader("Origin", "http://example.com");
+
+            return client.execute(options);
+        } catch (IOException ioe) {
+            throw new RuntimeException(ioe);
+        }
+    }
+
     public AccessTokenResponse doAccessTokenRequest(String code, String password) {
         try (CloseableHttpClient client = newCloseableHttpClient()) {
             HttpPost post = new HttpPost(getAccessTokenUrl());

testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/PreflightRequestTest.java

@@ -0,0 +1,51 @@
+package org.keycloak.testsuite.oauth;
+
+import org.apache.http.client.methods.CloseableHttpResponse;
+import org.junit.Rule;
+import org.junit.Test;
+import org.keycloak.representations.idm.RealmRepresentation;
+import org.keycloak.testsuite.AbstractKeycloakTest;
+import org.keycloak.testsuite.AssertEvents;
+
+import java.util.Arrays;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
+import static org.keycloak.testsuite.auth.page.AuthRealm.TEST;
+
+/**
+ * @author <a href="mailto:mkanis@redhat.com">Martin Kanis</a>
+ */
+public class PreflightRequestTest extends AbstractKeycloakTest {
+
+    @Rule
+    public AssertEvents events = new AssertEvents(this);
+
+    @Override
+    public void beforeAbstractKeycloakTest() throws Exception {
+        super.beforeAbstractKeycloakTest();
+    }
+
+    @Override
+    public void addTestRealms(List<RealmRepresentation> testRealms) {
+        RealmRepresentation testRealmRep = new RealmRepresentation();
+        testRealmRep.setId(TEST);
+        testRealmRep.setRealm(TEST);
+        testRealmRep.setEnabled(true);
+        testRealms.add(testRealmRep);
+    }
+
+    @Test
+    public void preflightRequest() throws Exception {
+        CloseableHttpResponse response = oauth.doPreflightRequest();
+
+        String[] methods = response.getHeaders("Access-Control-Allow-Methods")[0].getValue().split(", ");
+        Set allowedMethods = new HashSet(Arrays.asList(methods));
+
+        assertEquals(2, allowedMethods.size());
+        assertTrue(allowedMethods.containsAll(Arrays.asList("POST", "OPTIONS")));
+    }
+}