Fix js for cors requests

integration/js/src/main/resources/META-INF/resources/js/keycloak.js

@@ -38,9 +38,9 @@ var Keycloak = function (options) {
             delete sessionStorage.oauthToken;
             processCallback(successCallback, errorCallback);
         } else if (options.token) {
-            setToken(options.token, successCallback);
+            kc.setToken(options.token, successCallback);
         } else if (sessionStorage.oauthToken) {
-            setToken(sessionStorage.oauthToken, successCallback);
+            kc.setToken(sessionStorage.oauthToken, successCallback);
         } else if (options.onload) {
             switch (options.onload) {
                 case 'login-required' :
@@ -58,7 +58,7 @@ var Keycloak = function (options) {
     }
 
     kc.logout = function () {
-        setToken(undefined);
+        kc.setToken(undefined);
         window.location.href = kc.createLogoutUrl();
     }
 
@@ -164,8 +164,10 @@ var Keycloak = function (options) {
             var url = kc.getRealmUrl() + '/tokens/access/codes';
 
             var req = new XMLHttpRequest();
-            req.open('POST', url, true, options.clientId, options.clientSecret);
+            req.open('POST', url, true);
             req.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');
+            req.setRequestHeader('Authorization', 'Basic ' + btoa(options.clientId + ':' + options.clientSecret));
+            req.withCredentials = true;
 
             req.onreadystatechange = function () {
                 if (req.readyState == 4) {
@@ -197,12 +199,12 @@ var Keycloak = function (options) {
 
             kc.tokenParsed = JSON.parse(atob(token.split('.')[1]));
             kc.authenticated = true;
-            kc.username = kc.tokenParsed.sub;
+            kc.subject = kc.tokenParsed.sub;
             kc.realmAccess = kc.tokenParsed.realm_access;
             kc.resourceAccess = kc.tokenParsed.resource_access;
 
             setTimeout(function() {
-                successCallback && successCallback({ authenticated: kc.authenticated, username: kc.username });
+                successCallback && successCallback({ authenticated: kc.authenticated, subject: kc.subject });
             }, 0);
         } else {
             delete sessionStorage.oauthToken;

services/src/main/java/org/keycloak/services/resources/TokenService.java

@@ -38,6 +38,7 @@ import javax.ws.rs.GET;
 import javax.ws.rs.HeaderParam;
 import javax.ws.rs.NotAcceptableException;
 import javax.ws.rs.NotAuthorizedException;
+import javax.ws.rs.OPTIONS;
 import javax.ws.rs.POST;
 import javax.ws.rs.Path;
 import javax.ws.rs.Produces;
@@ -343,6 +344,13 @@ public class TokenService {
         return processLogin(clientId, scopeParam, state, redirect, formData);
     }
 
+    @Path("access/codes")
+    @OPTIONS
+    @Produces("application/json")
+    public Response accessCodeToTokenPreflight() {
+        return Cors.add(request, Response.ok()).auth().preflight().build();
+    }
+
     @Path("access/codes")
     @POST
     @Produces("application/json")
@@ -418,7 +426,7 @@ public class TokenService {
                                               .generateIDToken()
                                               .generateRefreshToken().build();
 
-        return Cors.add(request, Response.ok(res)).allowedOrigins(client).allowedMethods("POST").build();
+        return Cors.add(request, Response.ok(res)).auth().allowedOrigins(client).allowedMethods("POST").build();
     }
 
     protected ClientModel authorizeClient(String authorizationHeader) {