
Conversation


@stianst stianst commented Oct 21, 2025

Still need to update the Admin UI to allow creating initial access tokens with allowed web origins.

Closes #8863

Signed-off-by: stianst [email protected]

@stianst stianst force-pushed the cors-dynamic-client-reg branch 3 times, most recently from c24430b to 3f2ba02 Compare October 23, 2025 09:36
@stianst stianst force-pushed the cors-dynamic-client-reg branch from 3f2ba02 to 1388ae9 Compare October 23, 2025 12:51
@stianst stianst marked this pull request as ready for review October 23, 2025 13:59
@stianst stianst requested review from a team as code owners October 23, 2025 13:59

@keycloak-github-bot keycloak-github-bot bot left a comment


Unreported flaky test detected, please review


Unreported flaky test detected

If the flaky tests below are affected by the changes, please review and update the changes accordingly. Otherwise, a maintainer should report the flaky tests prior to merging the PR.

org.keycloak.testsuite.federation.ldap.LDAPProvidersIntegrationTest#updateLDAPUsernameTest

Keycloak CI - Base IT (5)

org.keycloak.testsuite.runonserver.RunOnServerException: java.lang.NullPointerException
	at org.keycloak.testsuite.client.KeycloakTestingClient$Server.fetchString(KeycloakTestingClient.java:185)
	at org.keycloak.testsuite.federation.ldap.LDAPProvidersIntegrationTest.updateLDAPUsernameTest(LDAPProvidersIntegrationTest.java:1656)
	at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:103)
	at java.base/java.lang.reflect.Method.invoke(Method.java:580)
...



@mposolda mposolda left a comment


@stianst I have one question inline. LGTM besides that.

}

if (failOnInvalidOrigin) {
throw new ForbiddenException("Invalid origin");
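Review bot: the rejected request gets a bare 403 with the fixed message "Invalid origin", and nothing in this snippet records which Origin value was refused or which token it was presented with; consider a debug-level log line before the throw that captures both, so an operator can tell a migrated token that simply has no allowed origins apart from a genuine cross-origin request, while keeping the response message generic as it is now. The path taken when failOnInvalidOrigin is false is outside this view; if it proceeds without emitting CORS headers, a short comment marking it as the backward-compatibility path would make the intent clear to the next reader.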

Is this OK from a backwards-compatibility standpoint?

Just wondering about the use-case like:

  • Initial access token (or registration access token) migrated from a previous version, so without any allowed origins inside.
  • Client registration request which used the Origin header. The request was not necessarily sent from the browser SPA and hence there was no CORS error (even if CORS headers were not added in the response). Now a 403 would be returned.

At the same time, I am not sure if it is valid to assume that client-registration request can use Origin header even if not sent from the browser SPA. Is it rather a corner-case, which we can ignore?
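As an added example (not Keycloak's code and not part of this PR), a hypothetical origin check that makes the two cases in the comment above explicit: a token migrated without allowed origins, and a request that carries an Origin header although it did not come from a browser SPA. The server cannot tell the second case apart from a real cross-origin request, so the flag decides. The name failOnInvalidOrigin is borrowed from the reviewed snippet; the Decision values and the Origin normalisation are assumptions for illustration.

```java
import java.net.URI;
import java.util.List;

// Hypothetical illustration, not Keycloak's implementation: how an origin check on a
// client-registration request could treat tokens that carry no allowed origins.
public final class OriginPolicyExample {
    enum Decision { ALLOWED, CORS_DENIED, LEGACY_NO_ORIGINS }

    // Normalise an Origin value to lower-case scheme://host[:port]; null if malformed
    // (this also rejects the literal "null" origin a browser sends for opaque origins).
    static String normalize(String origin) {
        try {
            URI u = new URI(origin);
            if (u.getScheme() == null || u.getHost() == null) return null;
            String port = u.getPort() == -1 ? "" : ":" + u.getPort();
            return (u.getScheme() + "://" + u.getHost() + port).toLowerCase();
        } catch (Exception e) {
            return null;
        }
    }

    // allowedOrigins: origins stored with the initial/registration access token
    //   (empty for a token migrated from a version that did not record them).
    // originHeader: the request's Origin header, or null when absent.
    // failOnInvalidOrigin: assumed to mirror the flag in the reviewed snippet; when
    //   false, a token without allowed origins keeps the pre-CORS behaviour.
    static Decision check(List<String> allowedOrigins, String originHeader, boolean failOnInvalidOrigin) {
        if (originHeader == null) return Decision.ALLOWED; // no Origin: not a cross-origin browser request
        if (allowedOrigins.isEmpty()) {
            return failOnInvalidOrigin ? Decision.CORS_DENIED : Decision.LEGACY_NO_ORIGINS;
        }
        String requested = normalize(originHeader);
        if (requested == null) return Decision.CORS_DENIED;
        for (String allowed : allowedOrigins) {
            if (requested.equals(normalize(allowed))) {
                return Decision.ALLOWED; // exact origin match only, no prefix or wildcard matching
            }
        }
        return Decision.CORS_DENIED; // would map to the 403 in the reviewed snippet
    }

    public static void main(String[] args) {
        List<String> migrated = List.of();                       // constructed: token without allowed origins
        List<String> spa = List.of("https://app.example.com");  // constructed: token issued with one origin
        System.out.println(check(spa, "https://app.example.com", true));
        System.out.println(check(spa, "https://other.example.net", true));
        System.out.println(check(migrated, "https://app.example.com", true));
        System.out.println(check(migrated, "https://app.example.com", false));
        System.out.println(check(migrated, null, true));
    }
}
```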


Development

Successfully merging this pull request may close these issues.

Add CORS support to OIDC dynamic client registration endpoints
