keycloak-aplcache

* Possibility to add exposed headers
* Default allow headers

5/16/2014 11:39:17 AM


diff --git a/services/src/main/java/org/keycloak/services/resources/Cors.java b/services/src/main/java/org/keycloak/services/resources/Cors.java
index ade3df2..9dbcd39 100755
--- a/services/src/main/java/org/keycloak/services/resources/Cors.java
+++ b/services/src/main/java/org/keycloak/services/resources/Cors.java
@@ -19,6 +19,7 @@ public class Cors {
 
     public static final long DEFAULT_MAX_AGE = TimeUnit.HOURS.toSeconds(1);
     public static final String DEFAULT_ALLOW_METHODS = "GET, HEAD, OPTIONS";
+    public static final String DEFAULT_ALLOW_HEADERS = "Origin, Accept, X-Requested-With, Content-Type, Access-Control-Request-Method, Access-Control-Request-Headers";
 
     public static final String ORIGIN_HEADER = "Origin";
     public static final String AUTHORIZATION_HEADER = "Authorization";
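Review bot: Three of the names in the new DEFAULT_ALLOW_HEADERS — Origin, Access-Control-Request-Method and Access-Control-Request-Headers — are set by the browser itself during a preflight and never appear in the Access-Control-Request-Headers list, so allowing them has no effect; Accept, X-Requested-With and Content-Type are the entries that do work. Keeping the extra names is harmless, but the constant should state what it is for so the next edit does not grow it further. A Javadoc such as `/** Request headers accepted on preflight; build() appends Authorization when auth() was called. */` above the line would do.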
@@ -26,6 +27,7 @@ public class Cors {
     public static final String ACCESS_CONTROL_ALLOW_ORIGIN = "Access-Control-Allow-Origin";
     public static final String ACCESS_CONTROL_ALLOW_METHODS = "Access-Control-Allow-Methods";
     public static final String ACCESS_CONTROL_ALLOW_HEADERS = "Access-Control-Allow-Headers";
+    public static final String ACCESS_CONTROL_EXPOSE_HEADERS = "Access-Control-Expose-Headers";
     public static final String ACCESS_CONTROL_ALLOW_CREDENTIALS = "Access-Control-Allow-Credentials";
     public static final String ACCESS_CONTROL_MAX_AGE = "Access-Control-Max-Age";
 
@@ -34,6 +36,7 @@ public class Cors {
     private ResponseBuilder response;
     private Set<String> allowedOrigins;
     private Set<String> allowedMethods;
+    private Set<String> exposedHeaders;
 
     private boolean preflight;
     private boolean auth;
@@ -69,6 +72,11 @@ public class Cors {
         return this;
     }
 
+    public Cors exposedHeaders(String... exposedHeaders) {
+        this.exposedHeaders = new HashSet<String>(Arrays.asList(exposedHeaders));
+        return this;
+    }
+
     public Response build() {
         String origin = request.getHttpHeaders().getRequestHeaders().getFirst(ORIGIN_HEADER);
         if (origin == null) {
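Review bot: exposedHeaders() copies its arguments into a HashSet, so the order in which the names are later joined into Access-Control-Expose-Headers is not the caller's order and may differ between runs; a LinkedHashSet keeps the emitted value stable, `this.exposedHeaders = new LinkedHashSet<String>(Arrays.asList(exposedHeaders));` (add the import if the file lacks it). The method also has no Javadoc; `/** Response headers a cross-origin script may read; emitted as Access-Control-Expose-Headers by build(). */` would match the builder's other setters. build() begins in this hunk and continues outside it.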
@@ -87,9 +95,15 @@ public class Cors {
             response.header(ACCESS_CONTROL_ALLOW_METHODS, DEFAULT_ALLOW_METHODS);
         }
 
+        if (exposedHeaders != null) {
+            response.header(ACCESS_CONTROL_EXPOSE_HEADERS, CollectionUtil.join(exposedHeaders));
+        }
+
         response.header(ACCESS_CONTROL_ALLOW_CREDENTIALS, Boolean.toString(auth));
         if (auth) {
-            response.header(ACCESS_CONTROL_ALLOW_HEADERS, AUTHORIZATION_HEADER);
+            response.header(ACCESS_CONTROL_ALLOW_HEADERS, String.format("%s, %s", DEFAULT_ALLOW_HEADERS, AUTHORIZATION_HEADER));
+        } else {
+            response.header(ACCESS_CONTROL_ALLOW_HEADERS, DEFAULT_ALLOW_HEADERS);
         }
 
         response.header(ACCESS_CONTROL_MAX_AGE, DEFAULT_MAX_AGE);
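Review bot: The Access-Control-Expose-Headers value relies on CollectionUtil.join producing a comma-separated list, which this hunk does not show; the header grammar is a comma-delimited list, so if join uses a different separator the browser will ignore the whole value. Confirm the separator, or pass it explicitly if the helper has such an overload. The auth branch also builds a constant string with String.format on every response; plain concatenation, `response.header(ACCESS_CONTROL_ALLOW_HEADERS, DEFAULT_ALLOW_HEADERS + ", " + AUTHORIZATION_HEADER);`, is cheaper and reads the same. The enclosing build() starts before this hunk and continues after it.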
diff --git a/services/src/main/java/org/keycloak/services/resources/TokenService.java b/services/src/main/java/org/keycloak/services/resources/TokenService.java
index a262c83..1aa7baf 100755
--- a/services/src/main/java/org/keycloak/services/resources/TokenService.java
+++ b/services/src/main/java/org/keycloak/services/resources/TokenService.java
@@ -58,7 +58,6 @@ import javax.ws.rs.core.Context;
 import javax.ws.rs.core.HttpHeaders;
 import javax.ws.rs.core.MediaType;
 import javax.ws.rs.core.MultivaluedMap;
-import javax.ws.rs.core.NewCookie;
 import javax.ws.rs.core.Response;
 import javax.ws.rs.core.SecurityContext;
 import javax.ws.rs.core.UriBuilder;
@@ -126,8 +125,7 @@ public class TokenService {
     }
 
     public static UriBuilder tokenServiceBaseUrl(UriBuilder baseUriBuilder) {
-        UriBuilder base = baseUriBuilder.path(RealmsResource.class).path(RealmsResource.class, "getTokenService");
-        return base;
+        return baseUriBuilder.path(RealmsResource.class).path(RealmsResource.class, "getTokenService");
     }
 
     public static UriBuilder accessCodeToTokenUrl(UriInfo uriInfo) {
@@ -295,7 +293,7 @@ public class TokenService {
 
         ClientModel client = authorizeClient(authorizationHeader, form, audit);
         String refreshToken = form.getFirst(OAuth2Constants.REFRESH_TOKEN);
-        AccessToken accessToken = null;
+        AccessToken accessToken;
         try {
             accessToken = tokenManager.refreshAccessToken(realm, client, refreshToken, audit);
         } catch (OAuthErrorException e) {
@@ -313,7 +311,7 @@ public class TokenService {
 
         audit.success();
 
-        return Cors.add(request, Response.ok(res, MediaType.APPLICATION_JSON_TYPE)).auth().allowedOrigins(client).allowedMethods("POST").build();
+        return Cors.add(request, Response.ok(res, MediaType.APPLICATION_JSON_TYPE)).auth().allowedOrigins(client).allowedMethods("POST").exposedHeaders(Cors.ACCESS_CONTROL_ALLOW_METHODS).build();
     }
 
     @Path("auth/request/login")
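Review bot: The new exposedHeaders(Cors.ACCESS_CONTROL_ALLOW_METHODS) call passes the name "Access-Control-Allow-Methods", so what becomes script-readable is the CORS allow-methods response header itself rather than any application header of the token response; if the aim was to let the JavaScript client read a particular header, confirm this is the intended name. The same call is added to the second token response later in this file (the hunk at -654), so any correction applies to both. A short comment at the call site saying why the client needs to read that header would make the choice self-explanatory.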
@@ -501,7 +499,7 @@ public class TokenService {
             credentials.setValue(formData.getFirst("password"));
 
             boolean passwordUpdateSuccessful;
-            String passwordUpdateError = null;
+            String passwordUpdateError;
             try {
                 passwordUpdateSuccessful = AuthenticationProviderManager.getManager(realm, providerSession).updatePassword(user, formData.getFirst("password"));
                 passwordUpdateError = "Password update failed";
@@ -654,12 +652,12 @@ public class TokenService {
 
         audit.success();
 
-        return Cors.add(request, Response.ok(res)).auth().allowedOrigins(client).allowedMethods("POST").build();
+        return Cors.add(request, Response.ok(res)).auth().allowedOrigins(client).allowedMethods("POST").exposedHeaders(Cors.ACCESS_CONTROL_ALLOW_METHODS).build();
     }
 
     protected ClientModel authorizeClient(String authorizationHeader, MultivaluedMap<String, String> formData, Audit audit) {
-        String client_id = null;
-        String clientSecret = null;
+        String client_id;
+        String clientSecret;
         if (authorizationHeader != null) {
             String[] usernameSecret = BasicAuthHelper.parseHeader(authorizationHeader);
             if (usernameSecret == null) {
@@ -1011,11 +1009,7 @@ public class TokenService {
     }
 
     private boolean checkSsl() {
-        if (realm.isSslNotRequired()) {
-            return true;
-        }
-
-        return uriInfo.getBaseUri().getScheme().equals("https");
+        return realm.isSslNotRequired() || uriInfo.getBaseUri().getScheme().equals("https");
     }
 
 }
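Review bot: The condensed checkSsl() still compares the scheme with equals("https"), which is case-sensitive and would throw if getScheme() ever returned null; `return realm.isSslNotRequired() || "https".equalsIgnoreCase(uriInfo.getBaseUri().getScheme());` handles both without changing the logic. The check also reflects the scheme as received by this server, so behind a TLS-terminating proxy it passes only when the forwarded scheme is applied to the request URI; that is unchanged by this refactor, but a comment such as `// Trusts the scheme of the incoming request URI; a TLS-terminating proxy must forward it.` would record the assumption.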