Merge pull request #3351 from mposolda/master

KEYCLOAK-3653 CORS headers not sent in certs endpoint

examples/cors/angular-product-app/src/main/webapp/index.html

@@ -92,9 +92,20 @@
         <h2><span>Realm info</span></h2>
         <button type="submit" data-ng-click="loadPublicRealmInfo()">Load public realm info</button>
 
-        <div data-ng-show="realm">
-            Realm name: {{realm.realm}} <br/>
-            Public key: {{realm.public_key}} <br/>
+        <div data-ng-show="publicKeys">
+            <b>Realm issuer</b>: {{realmOIDCInfo.issuer}} <br/>
+            <table class="table" data-ng-show="publicKeys.keys.length > 0">
+                <thead>
+                <tr>
+                    <th>Public Key KIDs</th>
+                </tr>
+                </thead>
+                <tbody>
+                <tr data-ng-repeat="pk in publicKeys.keys">
+                    <td>{{pk.kid}}</td>
+                </tr>
+                </tbody>
+            </table>
         </div>
     </div>
     <hr />

examples/cors/angular-product-app/src/main/webapp/js/app.js

@@ -87,8 +87,13 @@ module.controller('GlobalCtrl', function($scope, $http) {
     };
 
     $scope.loadPublicRealmInfo = function() {
-        $http.get("http://localhost-auth:8080/auth/realms/cors").success(function(data) {
-            $scope.realm = angular.fromJson(data);
+        $http.get("http://localhost-auth:8080/auth/realms/cors/.well-known/openid-configuration").success(function(data) {
+            $scope.realmOIDCInfo = angular.fromJson(data);
+
+            var jwksUri = $scope.realmOIDCInfo.jwks_uri;
+            $http.get(jwksUri).success(function(data) {
+                $scope.publicKeys = angular.fromJson(data);
+            });
         });
     };
 

services/src/main/java/org/keycloak/protocol/oidc/OIDCLoginProtocolService.java

@@ -18,6 +18,7 @@
 package org.keycloak.protocol.oidc;
 
 import org.jboss.resteasy.annotations.cache.NoCache;
+import org.jboss.resteasy.spi.HttpRequest;
 import org.jboss.resteasy.spi.ResteasyProviderFactory;
 import org.keycloak.events.EventBuilder;
 import org.keycloak.forms.login.LoginFormsProvider;
@@ -32,9 +33,12 @@ import org.keycloak.protocol.oidc.endpoints.LoginStatusIframeEndpoint;
 import org.keycloak.protocol.oidc.endpoints.LogoutEndpoint;
 import org.keycloak.protocol.oidc.endpoints.TokenEndpoint;
 import org.keycloak.protocol.oidc.endpoints.UserInfoEndpoint;
+import org.keycloak.services.resources.Cors;
 import org.keycloak.services.resources.RealmsResource;
+import org.keycloak.services.util.CacheControlUtil;
 
 import javax.ws.rs.GET;
+import javax.ws.rs.OPTIONS;
 import javax.ws.rs.Path;
 import javax.ws.rs.Produces;
 import javax.ws.rs.QueryParam;
@@ -67,6 +71,9 @@ public class OIDCLoginProtocolService {
     @Context
     private HttpHeaders headers;
 
+    @Context
+    private HttpRequest request;
+
     public OIDCLoginProtocolService(RealmModel realm, EventBuilder event) {
         this.realm = realm;
         this.tokenManager = new TokenManager();
@@ -168,11 +175,18 @@ public class OIDCLoginProtocolService {
         return endpoint;
     }
 
+    @OPTIONS
+    @Path("certs")
+    @Produces(MediaType.APPLICATION_JSON)
+    public Response getVersionPreflight() {
+        return Cors.add(request, Response.ok()).allowedMethods("GET").preflight().auth().build();
+    }
+
     @GET
     @Path("certs")
     @Produces(MediaType.APPLICATION_JSON)
     @NoCache
-    public JSONWebKeySet certs() {
+    public Response certs() {
         List<KeyMetadata> publicKeys = session.keys().getKeys(realm, false);
         JWK[] keys = new JWK[publicKeys.size()];
 
@@ -183,7 +197,9 @@ public class OIDCLoginProtocolService {
 
         JSONWebKeySet keySet = new JSONWebKeySet();
         keySet.setKeys(keys);
-        return keySet;
+
+        Response.ResponseBuilder responseBuilder = Response.ok(keySet).cacheControl(CacheControlUtil.getDefaultCacheControl());
+        return Cors.add(request, responseBuilder).allowedOrigins("*").auth().build();
     }
 
     @Path("userinfo")

services/src/main/java/org/keycloak/services/resources/RealmsResource.java

@@ -40,6 +40,7 @@ import org.keycloak.wellknown.WellKnownProvider;
 
 import javax.ws.rs.GET;
 import javax.ws.rs.NotFoundException;
+import javax.ws.rs.OPTIONS;
 import javax.ws.rs.Path;
 import javax.ws.rs.PathParam;
 import javax.ws.rs.Produces;
@@ -240,6 +241,14 @@ public class RealmsResource {
         return brokerService;
     }
 
+    @OPTIONS
+    @Path("{realm}/.well-known/{provider}")
+    @Produces(MediaType.APPLICATION_JSON)
+    public Response getVersionPreflight(final @PathParam("realm") String name,
+                                        final @PathParam("provider") String providerName) {
+        return Cors.add(request, Response.ok()).allowedMethods("GET").preflight().auth().build();
+    }
+
     @GET
     @Path("{realm}/.well-known/{provider}")
     @Produces(MediaType.APPLICATION_JSON)
@@ -250,7 +259,7 @@ public class RealmsResource {
         WellKnownProvider wellKnown = session.getProvider(WellKnownProvider.class, providerName);
 
         ResponseBuilder responseBuilder = Response.ok(wellKnown.getConfig()).cacheControl(CacheControlUtil.getDefaultCacheControl());
-        return Cors.add(request, responseBuilder).allowedOrigins("*").build();
+        return Cors.add(request, responseBuilder).allowedOrigins("*").auth().build();
     }
 
     @Path("{realm}/authz")