* Possibility to add exposed headers

* Default allow headers
* Fix warnings, unused import, redundancies

services/src/main/java/org/keycloak/services/resources/Cors.java

@@ -19,6 +19,7 @@ public class Cors {
 
     public static final long DEFAULT_MAX_AGE = TimeUnit.HOURS.toSeconds(1);
     public static final String DEFAULT_ALLOW_METHODS = "GET, HEAD, OPTIONS";
+    public static final String DEFAULT_ALLOW_HEADERS = "Origin, Accept, X-Requested-With, Content-Type, Access-Control-Request-Method, Access-Control-Request-Headers";
 
     public static final String ORIGIN_HEADER = "Origin";
     public static final String AUTHORIZATION_HEADER = "Authorization";
@@ -26,6 +27,7 @@ public class Cors {
     public static final String ACCESS_CONTROL_ALLOW_ORIGIN = "Access-Control-Allow-Origin";
     public static final String ACCESS_CONTROL_ALLOW_METHODS = "Access-Control-Allow-Methods";
     public static final String ACCESS_CONTROL_ALLOW_HEADERS = "Access-Control-Allow-Headers";
+    public static final String ACCESS_CONTROL_EXPOSE_HEADERS = "Access-Control-Expose-Headers";
     public static final String ACCESS_CONTROL_ALLOW_CREDENTIALS = "Access-Control-Allow-Credentials";
     public static final String ACCESS_CONTROL_MAX_AGE = "Access-Control-Max-Age";
 
@@ -34,6 +36,7 @@ public class Cors {
     private ResponseBuilder response;
     private Set<String> allowedOrigins;
     private Set<String> allowedMethods;
+    private Set<String> exposedHeaders;
 
     private boolean preflight;
     private boolean auth;
@@ -69,6 +72,11 @@ public class Cors {
         return this;
     }
 
+    public Cors exposedHeaders(String... exposedHeaders) {
+        this.exposedHeaders = new HashSet<String>(Arrays.asList(exposedHeaders));
+        return this;
+    }
+
     public Response build() {
         String origin = request.getHttpHeaders().getRequestHeaders().getFirst(ORIGIN_HEADER);
         if (origin == null) {
@@ -87,9 +95,15 @@ public class Cors {
             response.header(ACCESS_CONTROL_ALLOW_METHODS, DEFAULT_ALLOW_METHODS);
         }
 
+        if (exposedHeaders != null) {
+            response.header(ACCESS_CONTROL_EXPOSE_HEADERS, CollectionUtil.join(exposedHeaders));
+        }
+
         response.header(ACCESS_CONTROL_ALLOW_CREDENTIALS, Boolean.toString(auth));
         if (auth) {
-            response.header(ACCESS_CONTROL_ALLOW_HEADERS, AUTHORIZATION_HEADER);
+            response.header(ACCESS_CONTROL_ALLOW_HEADERS, String.format("%s, %s", DEFAULT_ALLOW_HEADERS, AUTHORIZATION_HEADER));
+        } else {
+            response.header(ACCESS_CONTROL_ALLOW_HEADERS, DEFAULT_ALLOW_HEADERS);
         }
 
         response.header(ACCESS_CONTROL_MAX_AGE, DEFAULT_MAX_AGE);

services/src/main/java/org/keycloak/services/resources/TokenService.java

@@ -58,7 +58,6 @@ import javax.ws.rs.core.Context;
 import javax.ws.rs.core.HttpHeaders;
 import javax.ws.rs.core.MediaType;
 import javax.ws.rs.core.MultivaluedMap;
-import javax.ws.rs.core.NewCookie;
 import javax.ws.rs.core.Response;
 import javax.ws.rs.core.SecurityContext;
 import javax.ws.rs.core.UriBuilder;
@@ -126,8 +125,7 @@ public class TokenService {
     }
 
     public static UriBuilder tokenServiceBaseUrl(UriBuilder baseUriBuilder) {
-        UriBuilder base = baseUriBuilder.path(RealmsResource.class).path(RealmsResource.class, "getTokenService");
-        return base;
+        return baseUriBuilder.path(RealmsResource.class).path(RealmsResource.class, "getTokenService");
     }
 
     public static UriBuilder accessCodeToTokenUrl(UriInfo uriInfo) {
@@ -295,7 +293,7 @@ public class TokenService {
 
         ClientModel client = authorizeClient(authorizationHeader, form, audit);
         String refreshToken = form.getFirst(OAuth2Constants.REFRESH_TOKEN);
-        AccessToken accessToken = null;
+        AccessToken accessToken;
         try {
             accessToken = tokenManager.refreshAccessToken(realm, client, refreshToken, audit);
         } catch (OAuthErrorException e) {
@@ -313,7 +311,7 @@ public class TokenService {
 
         audit.success();
 
-        return Cors.add(request, Response.ok(res, MediaType.APPLICATION_JSON_TYPE)).auth().allowedOrigins(client).allowedMethods("POST").build();
+        return Cors.add(request, Response.ok(res, MediaType.APPLICATION_JSON_TYPE)).auth().allowedOrigins(client).allowedMethods("POST").exposedHeaders(Cors.ACCESS_CONTROL_ALLOW_METHODS).build();
     }
 
     @Path("auth/request/login")
@@ -501,7 +499,7 @@ public class TokenService {
             credentials.setValue(formData.getFirst("password"));
 
             boolean passwordUpdateSuccessful;
-            String passwordUpdateError = null;
+            String passwordUpdateError;
             try {
                 passwordUpdateSuccessful = AuthenticationProviderManager.getManager(realm, providerSession).updatePassword(user, formData.getFirst("password"));
                 passwordUpdateError = "Password update failed";
@@ -654,12 +652,12 @@ public class TokenService {
 
         audit.success();
 
-        return Cors.add(request, Response.ok(res)).auth().allowedOrigins(client).allowedMethods("POST").build();
+        return Cors.add(request, Response.ok(res)).auth().allowedOrigins(client).allowedMethods("POST").exposedHeaders(Cors.ACCESS_CONTROL_ALLOW_METHODS).build();
     }
 
     protected ClientModel authorizeClient(String authorizationHeader, MultivaluedMap<String, String> formData, Audit audit) {
-        String client_id = null;
-        String clientSecret = null;
+        String client_id;
+        String clientSecret;
         if (authorizationHeader != null) {
             String[] usernameSecret = BasicAuthHelper.parseHeader(authorizationHeader);
             if (usernameSecret == null) {
@@ -1011,11 +1009,7 @@ public class TokenService {
     }
 
     private boolean checkSsl() {
-        if (realm.isSslNotRequired()) {
-            return true;
-        }
-
-        return uriInfo.getBaseUri().getScheme().equals("https");
+        return realm.isSslNotRequired() || uriInfo.getBaseUri().getScheme().equals("https");
     }
 
 }