![\"\"](\"\/blog\/wp-content\/uploads\/2021\/10\/Julian-Stuecker-Thijs-Reus-trimplement-portrait-455x1024.png\")
The default setup will cause an HTTP 403 Forbidden response from the API-gateway during the authenticate-step on the Keycloak login page because the browser sends the HTTP request-header ‘origin: null<\/em>‘, which is identified by the API-gateway as a CORS-request, and denied because ‘null<\/em>‘ is not an allowed origin. <\/p>\n\n\n\n The root-cause for this behavior is that Keycloak always sends the HTTP response-header ‘Referrer-Policy: no-referrer<\/em>‘. This instructs the browser to omit the Referer HTTP request-header, and send the HTTP request-header ‘origin: null<\/em>‘ for subsequent requests to Keycloak.<\/p>\n\n\n\n Our solution is to rewrite the HTTP response-header from Keycloak in the API-gateway, so that instead of ‘Referrer-Policy: no-referrer<\/em>‘ the browser will receive ‘Referrer-Policy: same-origin<\/em>‘. <\/p>\n\n\n\n An API-gateway, such as Spring Cloud Gateway, is typically used in a microservice architecture to expose multiple services at a single endpoint.<\/p>\n\n\n\n It is not uncommon to expose an IAM-solution, such as Keycloak, via an API-gateway.<\/p>\n\n\n\n Services may require CORS support for some endpoints, which is typically managed at the API-gateway level.<\/p>\n\n\n\n According to https:\/\/www.keycloak.org\/about<\/a> \u201cKeycloak is an open-source Identity and Access Management solution aimed at modern applications and services. It makes it easy to secure applications and services with little to no code.\u201d<\/em><\/p>\n\n\n\n According to https:\/\/spring.io\/projects\/spring-cloud-gateway<\/a> the Spring Cloud Gateway \u201c provides a library for building an API Gateway on top of Spring WebFlux. Spring Cloud Gateway aims to provide a simple, yet effective way to route to APIs and provide cross-cutting concerns to them such as security, monitoring\/metrics, and resiliency.\u201d<\/em><\/p>\n\n\n\n According to https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/HTTP\/CORS<\/a> \u201cCross-Origin Resource Sharing (CORS) is an HTTP-header based mechanism that allows a server to indicate any origins (domain, scheme, or port) other than its own from which a browser should permit loading resources.\u201d<\/em><\/p>\n\n\n\n In order to reproduce the problem, you need the following setup:<\/p>\n\n\n\n The following steps will then reproduce the problem:<\/strong><\/p>\n\n\n\n If you cannot reproduce the problem, be sure that:<\/strong><\/p>\n\n\n\n The problem can be fixed (or rather, worked-around) by rewriting the HTTP response-header from Keycloak in the API-gateway, e.g. so that instead of ‘Referrer-Policy: no-referrer<\/em>‘ the browser receives ‘Referrer-Policy: same-origin<\/em>‘. Then you can repeat the steps to observe that the fix works<\/strong><\/p>\n\n\n\n The browser sends the HTTP request-header ‘origin: null<\/em>‘ when the ‘Referrer-Policy<\/em>‘ is ‘no-referrer<\/em>‘. <\/p>\n\n\n\n Whenever the ‘origin<\/em>‘ header is present in the HTTP request, the API-gateway considers it a CORS request. A CORS request causes the API-gateway to validate if the origin is in the list of allowed origins. For ‘null<\/em>‘ this is typically not the case (as it’s not recommended), leading it to reject the request with HTTP 403 Forbidden<\/em>.<\/p>\n\n\n\n Allowing ‘null<\/em>‘ as ‘Access-Control-Allow-Origin<\/em>‘ is not<\/strong> recommended, as it introduces multiple security problems. See https:\/\/w3c.github.io\/webappsec-cors-for-developers\/#avoid-returning-access-control-allow-origin-null<\/a> for more details.<\/p>\n\n\n\n While allowing all origins\/methods for CORS would prevent the problem, it would also introduce significant security issues. CORS settings should always be as restrictive as possible, especially when sensitive data (such as credentials) is involved. See https:\/\/stackoverflow.com\/a\/56457665<\/a> for details.<\/p>\n\n\n\n We would recommend Keycloak to make the ‘Referrer-Policy<\/em>‘ value configurable, just as they allow for certain other headers.<\/p>\n\n\n\n The following Keycloak bug-report was created (not by us) in October 2020 for this issue, suggesting exactly this: https:\/\/issues.redhat.com\/browse\/KEYCLOAK-16032<\/a><\/p>\n\n\n\n Somehow the Keycloak devs got confused in the bug thread and closed it as ‘explained’ by stating that ‘null<\/em>‘ is a valid value for ‘origin<\/em>‘ (which is not the issue), rather than actually fixing the problem (e.g. by making the ‘Referrer-Policy<\/em>‘ customizable, similar to other HTTP response header values).<\/p>\n\n\n\n It is true that ‘no-referrer<\/em>‘ is a stricter ‘Referrer-Policy<\/em>‘ compared to e.g. ‘same-origin<\/em>‘, as it causes the browser to send fewer details to the API-gateway in the ‘Referer<\/em>‘ and ‘origin<\/em>‘ headers.<\/p>\n\n\n\n However, in combination with a CORS-enabled API-gateway, using ‘no-referrer<\/em>‘ totally breaks Keycloak from a system-level perspective, rendering it completely useless. So using this setting provides the same level of security and functionality as shutting down Keycloak.<\/p>\n\n\n\n In order to make this work with a CORS-enabled API-gateway, the browser must send some more details, specifically a proper value for the ‘origin<\/em>‘ header for requests with the same origin. This can be achieved by using a different ‘Referrer-Policy<\/em>‘, such as ‘same-origin<\/em>‘. <\/p>\n\n\n\n For us this is an acceptable (very limited) reduction in security to at least have the expected functionality; in addition, these details only affect the same origin, which is fully under our control.<\/p>\n\n\n\n You can choose a referrer-policy that works for your setup, there is no requirement to use ‘same-origin<\/em>‘. For example, the typical browser-default ‘strict-origin-when-cross-origin<\/em>‘ works fine as well.<\/p>\n\n\n\n This article describes how you can use Keycloak behind an API-gateway that considers CORS requests, which by default does not work. It presents a tutorial for a work-around that can be used until a proper fix for the root-cause of the problem is provided by Keycloak.<\/p>\n","protected":false},"author":5,"featured_media":2359,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[162],"tags":[9,171,260,259],"class_list":["post-2349","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-software-development-tutorials","tag-api","tag-coding","tag-cors","tag-keycloak"],"_links":{"self":[{"href":"\/blog\/wp-json\/wp\/v2\/posts\/2349","targetHints":{"allow":["GET"]}}],"collection":[{"href":"\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"\/blog\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"\/blog\/wp-json\/wp\/v2\/comments?post=2349"}],"version-history":[{"count":15,"href":"\/blog\/wp-json\/wp\/v2\/posts\/2349\/revisions"}],"predecessor-version":[{"id":2405,"href":"\/blog\/wp-json\/wp\/v2\/posts\/2349\/revisions\/2405"}],"wp:featuredmedia":[{"embeddable":true,"href":"\/blog\/wp-json\/wp\/v2\/media\/2359"}],"wp:attachment":[{"href":"\/blog\/wp-json\/wp\/v2\/media?parent=2349"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"\/blog\/wp-json\/wp\/v2\/categories?post=2349"},{"taxonomy":"post_tag","embeddable":true,"href":"\/blog\/wp-json\/wp\/v2\/tags?post=2349"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}Background<\/h2>\n\n\n\n
Keycloak <\/strong><\/h3>\n\n\n\n
Spring Cloud Gateway <\/strong><\/h3>\n\n\n\n
CORS <\/strong><\/h3>\n\n\n\n
How to Reproduce the Problem<\/h2>\n\n\n\n
![\"\"](\"\/blog\/wp-content\/uploads\/2021\/10\/Graphic-Flow-Browser-API-Keycloak-1-1024x278.jpg\")
<\/figure><\/div>\n\n\n\n
<\/li>![\"\"](\"\/blog\/wp-content\/uploads\/2021\/10\/Keycloak-CORC-API-1-886x1024.jpg\")
<\/figure><\/div>\n\n\n\n
<\/li>
<\/li>![\"\"](\"\/blog\/wp-content\/uploads\/2021\/10\/Keycloak-CORC-API-2-1-1024x494.jpg\")
<\/figure>\n\n\n\nspring.cloud.gateway.globalcors.cors-configurations.[\/**].allowedOrigins=\"https:\/\/some.domain.org\"\nspring.cloud.gateway.globalcors.cors-configurations.[\/**].allowedMethods=GET<\/code><\/pre>\n\n\n\nThe Solution<\/h2>\n\n\n\n
Spring Cloud Gateway provides a convenient RewriteResponseHeaderGatewayFilterFactory<\/em> for this, which we set up as follows:<\/p>\n\n\n\n@Bean\npublic RouteLocator theRoutes(RouteLocatorBuilder builder) {\n return builder.routes()\n \t .route(\"auth\", r ->\n \t\t r.path(\"\/auth\/**\")\n \t\t .filters(f -> f.rewriteResponseHeader(\"Referrer-Policy\", \"no-referrer\", \"same-origin\"))\n \t\t .uri(\"https:\/\/keycloak\"))\n \t .build();\n}<\/code><\/pre>\n\n\n\n
<\/li>![\"\"](\"\/blog\/wp-content\/uploads\/2021\/10\/Keycloak-CORC-API-4-890x1024.jpg\")
<\/figure><\/div>\n\n\n\n
<\/li>
<\/li>![\"\"](\"\/blog\/wp-content\/uploads\/2021\/10\/Keycloak-CORC-API-5-886x1024.jpg\")
<\/figure><\/div>\n\n\n\nQuestions and Considerations<\/h2>\n\n\n\n
Why Is the API-gateway Rejecting the HTTP Request?<\/h3>\n\n\n\n
Why Don’t You Just Allow null as CORS Origin?<\/h3>\n\n\n\n
Why Don’t You Just Allow All Origins \/ Methods for CORS?<\/h3>\n\n\n\n
Shouldn’t Keycloak Fix This Issue?<\/h3>\n\n\n\n
Doesn’t This Work-Around Reduce Overall Security?<\/h3>\n\n\n\n
Can I Use Other Referrer-Policy Values?<\/h3>\n\n\n\n
Further Details<\/h2>\n\n\n\n