diff --git a/services/src/main/java/org/keycloak/protocol/oidc/endpoints/TokenEndpoint.java b/services/src/main/java/org/keycloak/protocol/oidc/endpoints/TokenEndpoint.java
index c9c394a..a3d6e0c 100644
--- a/services/src/main/java/org/keycloak/protocol/oidc/endpoints/TokenEndpoint.java
+++ b/services/src/main/java/org/keycloak/protocol/oidc/endpoints/TokenEndpoint.java
@@ -163,7 +163,7 @@ public class TokenEndpoint {
if (logger.isDebugEnabled()) {
logger.debugv("CORS preflight from: {0}", headers.getRequestHeaders().getFirst("Origin"));
}
- return Cors.add(request, Response.ok()).auth().preflight().build();
+ return Cors.add(request, Response.ok()).auth().preflight().allowedMethods("POST", "OPTIONS").build();
}
private void checkSsl() {
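Review bot: The preflight chain on the added line still calls `.auth()` with no allowed-origins call next to it, so this hunk does not show what limits which origins receive a credentialed preflight answer; the new `allowedMethods("POST", "OPTIONS")` narrows only the advertised methods. If the origin is deliberately left open because the client is not yet known at preflight time and is checked on the actual POST, a comment would make that explicit, e.g. `// Preflight carries no client identity; origin is validated on the POST itself, only the method list is restricted here.` That reasoning is inferred rather than visible here, so confirm it against `Cors` before adding the comment. The enclosing method starts above the hunk.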
diff --git a/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/util/OAuthClient.java b/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/util/OAuthClient.java
index f4c9819..07935bc 100644
--- a/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/util/OAuthClient.java
+++ b/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/util/OAuthClient.java
@@ -23,6 +23,7 @@ import org.apache.http.NameValuePair;
import org.apache.http.client.entity.UrlEncodedFormEntity;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
+import org.apache.http.client.methods.HttpOptions;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.client.utils.URLEncodedUtils;
import org.apache.http.impl.client.CloseableHttpClient;
@@ -248,6 +249,17 @@ public class OAuthClient {
return new DefaultHttpClient();
}
+ public CloseableHttpResponse doPreflightRequest() {
+ try (CloseableHttpClient client = newCloseableHttpClient()) {
+ HttpOptions options = new HttpOptions(getAccessTokenUrl());
+ options.setHeader("Origin", "http://example.com");
+
+ return client.execute(options);
+ } catch (IOException ioe) {
+ throw new RuntimeException(ioe);
+ }
+ }
+
public AccessTokenResponse doAccessTokenRequest(String code, String password) {
try (CloseableHttpClient client = newCloseableHttpClient()) {
HttpPost post = new HttpPost(getAccessTokenUrl());
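Review bot: `doPreflightRequest()` returns the response from inside the try-with-resources, so the `CloseableHttpClient` is already closed when the caller receives the `CloseableHttpResponse`. The parsed headers stay readable, but reading the entity afterwards is likely to fail, and nothing in the visible code closes the response itself. Since the test in this commit only needs headers, the helper could close both and hand back just those: `try (CloseableHttpResponse response = client.execute(options)) { return response.getAllHeaders(); }` with the return type changed to `Header[]`. If the current signature has to stay, a Javadoc line saying that only the status line and headers may be read would help. `doAccessTokenRequest` below continues past the end of the hunk.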
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/PreflightRequestTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/PreflightRequestTest.java
new file mode 100644
index 0000000..7aa1d36
--- /dev/null
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/PreflightRequestTest.java
@@ -0,0 +1,51 @@
+package org.keycloak.testsuite.oauth;
+
+import org.apache.http.client.methods.CloseableHttpResponse;
+import org.junit.Rule;
+import org.junit.Test;
+import org.keycloak.representations.idm.RealmRepresentation;
+import org.keycloak.testsuite.AbstractKeycloakTest;
+import org.keycloak.testsuite.AssertEvents;
+
+import java.util.Arrays;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
+import static org.keycloak.testsuite.auth.page.AuthRealm.TEST;
+
+/**
+ * @author <a href="mailto:mkanis@redhat.com">Martin Kanis</a>
+ */
+public class PreflightRequestTest extends AbstractKeycloakTest {
+
+ @Rule
+ public AssertEvents events = new AssertEvents(this);
+
+ @Override
+ public void beforeAbstractKeycloakTest() throws Exception {
+ super.beforeAbstractKeycloakTest();
+ }
+
+ @Override
+ public void addTestRealms(List<RealmRepresentation> testRealms) {
+ RealmRepresentation testRealmRep = new RealmRepresentation();
+ testRealmRep.setId(TEST);
+ testRealmRep.setRealm(TEST);
+ testRealmRep.setEnabled(true);
+ testRealms.add(testRealmRep);
+ }
+
+ @Test
+ public void preflightRequest() throws Exception {
+ CloseableHttpResponse response = oauth.doPreflightRequest();
+
+ String[] methods = response.getHeaders("Access-Control-Allow-Methods")[0].getValue().split(", ");
+ Set allowedMethods = new HashSet(Arrays.asList(methods));
+
+ assertEquals(2, allowedMethods.size());
+ assertTrue(allowedMethods.containsAll(Arrays.asList("POST", "OPTIONS")));
+ }
+}
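Review bot: In `preflightRequest()`, `response.getHeaders("Access-Control-Allow-Methods")[0]` throws `ArrayIndexOutOfBoundsException` when the header is missing, so a CORS regression shows up as an error rather than a readable assertion failure. Asserting presence first, `assertNotNull(response.getFirstHeader("Access-Control-Allow-Methods"));`, and splitting with `split("\\s*,\\s*")` instead of `", "` would make the test fail for the right reason and not depend on exact spacing. The set is also declared with raw types; `Set<String> allowedMethods = new HashSet<>(Arrays.asList(methods));` removes the unchecked warning. The `events` rule and the `beforeAbstractKeycloakTest()` override that only calls `super` are not used by the test and could be dropped.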