Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Add CORS support to OIDC dynamic client registration endpoints #43625

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Add CORS support to OIDC dynamic client registration endpoints #43625

wants to merge 1 commit into from

Conversation

@stianst
Copy link
Contributor

@stianst stianst commented Oct 21, 2025
edited
Loading

Still need to update Admin UI to allow creating initial access tokens with allowed web origins.

Closes #8863

Signed-off-by: stianst [email protected]

github-advanced-security[bot]
github-advanced-security bot found potential problems Oct 21, 2025
View reviewed changes
@stianst stianst force-pushed the cors-dynamic-client-reg branch 3 times, most recently from c24430b to 3f2ba02 Compare October 23, 2025 09:36
@stianst stianst force-pushed the cors-dynamic-client-reg branch from 3f2ba02 to 1388ae9 Compare October 23, 2025 12:51
@stianst stianst marked this pull request as ready for review October 23, 2025 13:59
@stianst stianst requested review from a team as code owners October 23, 2025 13:59
keycloak-github-bot[bot]
keycloak-github-bot bot reviewed Oct 23, 2025
View reviewed changes
Copy link

@keycloak-github-bot keycloak-github-bot bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Unreported flaky test detected, please review

@keycloak-github-bot
Copy link

Unreported flaky test detected

If the flaky tests below are affected by the changes, please review and update the changes accordingly. Otherwise, a maintainer should report the flaky tests prior to merging the PR.

org.keycloak.testsuite.federation.ldap.LDAPProvidersIntegrationTest#updateLDAPUsernameTest

Keycloak CI - Base IT (5)

org.keycloak.testsuite.runonserver.RunOnServerException: java.lang.NullPointerException
	at org.keycloak.testsuite.client.KeycloakTestingClient$Server.fetchString(KeycloakTestingClient.java:185)
	at org.keycloak.testsuite.federation.ldap.LDAPProvidersIntegrationTest.updateLDAPUsernameTest(LDAPProvidersIntegrationTest.java:1656)
	at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:103)
	at java.base/java.lang.reflect.Method.invoke(Method.java:580)
...

Report flaky test

mposolda
mposolda reviewed Oct 23, 2025
View reviewed changes
Copy link
Contributor

@mposolda mposolda left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@stianst I have one question inline. LGTM besides that.

services/src/main/java/org/keycloak/services/cors/DefaultCors.java
}

if (failOnInvalidOrigin) {
throw new ForbiddenException("Invalid origin");
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this ok from the backwards compatibility?

Just wondering about the use-case like:

  • Initial access token (or registration access token) migrated from previous version. So without any allowed-origins inside
  • Client registration request, which used Origin header. The request was not necessarily sent from the browser SPA and hence there was not CORS error (even if CORS headers were not added in the response). Now it would be 403 returned.

At the same time, I am not sure if it is valid to assume that client-registration request can use Origin header even if not sent from the browser SPA. Is it rather a corner-case, which we can ignore?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Origin header should only be sent by browsers. There's no real way around this though as we need to fail the request if the origin isn't correct; otherwise the creation would go through, but the browser would block the response only.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, I see. Hopefully this is not a problem and people not use Origin header from other clients than browsers.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mposolda mposolda mposolda approved these changes

+1 more reviewer

@keycloak-github-bot keycloak-github-bot[bot] keycloak-github-bot[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

flaky-test team/ui

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Add CORS support to OIDC dynamic client registration endpoints

2 participants

@stianst @mposolda