[CORS] Allow Access-Control-Allow-Headers customization #36473

dteleguin · 2025-01-15T09:03:54Z

This PR allows simple customization of HTTP headers that should be allowed in cross-origin requests, in addition to the built-in list. A new CLI option is introduced:

--http-cors-headers <headers>
                     The comma-separated list of custom HTTP headers that should be allowed in
                       cross-origin (CORS) requests.

Corresponding environment variable:

KC_HTTP_CORS_HEADERS

This is a global (server-level) setting. The main use case is supporting headers that are added by various tracing systems and web frameworks.

Closes: #12682

Closes: keycloak#12682 Signed-off-by: Dmitry Telegin <dmitryt@backbase.com>

mabartos

@dteleguin Thanks for the PR! I think the enhancement is valid, but it should be also reviewed by @keycloak/core team.

Review:

I've added a small comment for String vs. Set
Please add some basic tests for CORS
In order to pass the HelpCommandDistTest, execute:

KEYCLOAK_REPLACE_EXPECTED=true mvn clean install -Dtest=HelpCommandDistTest -f quarkus/tests/integration/pom.xml

mabartos · 2025-01-15T10:07:46Z

services/src/main/java/org/keycloak/services/cors/DefaultCors.java

    private Set<String> exposedHeaders;

    private boolean preflight;
    private boolean auth;

-    DefaultCors(KeycloakSession session) {
+    DefaultCors(KeycloakSession session, String defaultAllowHeaders) {


Suggested change

DefaultCors(KeycloakSession session, String defaultAllowHeaders) {

DefaultCors(KeycloakSession session, Set<String> defaultAllowHeaders) {

Is it possible to accept a Set of headers? In order to execute String.format("%s, %s", only at one place -> DefaultCors. The manageability would be better.

stianst

This should not be a top-level server config option, but rather if we want to do this just an SPI provider option on the default cors provider.

The option should probably also be additional headers, rather than headers; as otherwise you'd have to include all headers KC needs already.

dteleguin · 2025-01-15T12:47:21Z

@stianst there is an SPI provider option already, namely kc.spi-cors-default-headers / KC_SPI_CORS_DEFAULT_HEADERS.

I have introduced an abbreviated version (KC_HTTP_CORS_HEADERS) to keep aligned with Quarkus's equivalent, QUARKUS_HTTP_CORS_HEADERS. That should simplify migration from Quarkus CORS (which used to work with Keycloak, but is not working anymore).

So, you are suggesting that we remove --http-cors-headers / KC_HTTP_CORS_HEADERS and stick with something like kc.spi-cors-default-extra-headers?

dteleguin · 2025-01-16T12:56:35Z

@mabartos ,

I've added a small comment for String vs. Set

I was thinking of the same - using sets will also allow to sort / deduplicate header names, which would not be possible with preformatted strings.

Please add some basic tests for CORS

Could you please suggest particular tests for this PR?

In order to pass the HelpCommandDistTest, execute:

Thanks for the hint. The top-level config option is currently being discussed with Stian.

jonkoops

I like the extension to the CORS SPI to set the headers, it is an obvious boon for extension developers that should be controllable. I don't think we should be adding any options to overwrite these options through configuration at this point in time (see #12682 (comment)).

dteleguin · 2025-05-28T02:41:33Z

Okay, so there seems to be a consensus that we should not be exposing this as a top-level user-visible config option (at least for now). I will close this PR and create another one covering just the API part.

The user-visible config option will be implemented as a 3rd-party extension.

dteleguin · 2025-05-28T02:41:55Z

Superseded by #40011

dteleguin requested review from a team as code owners January 15, 2025 09:03

keycloak-github-bot bot added team/cloud-native labels Jan 15, 2025

dteleguin mentioned this pull request Jan 15, 2025

Allow Access-Control-Allow-Headers customization #27334

Closed

[CORS] Allow Access-Control-Allow-Headers customization

7a29e65

Closes: keycloak#12682 Signed-off-by: Dmitry Telegin <dmitryt@backbase.com>

dteleguin force-pushed the feature/#12682-CORS-custom-headers-take2 branch from 70df3cf to 7a29e65 Compare January 15, 2025 09:05

mabartos requested changes Jan 15, 2025

View reviewed changes

mabartos requested a review from a team January 15, 2025 10:17

mposolda self-assigned this Jan 15, 2025

stianst requested changes Jan 15, 2025

View reviewed changes

jonkoops mentioned this pull request Jan 20, 2025

[CORS] Allow Access-Control-Allow-Headers customization #12682

Open

jonkoops requested changes Jan 20, 2025

View reviewed changes

dteleguin closed this May 28, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

[CORS] Allow Access-Control-Allow-Headers customization #36473

[CORS] Allow Access-Control-Allow-Headers customization #36473

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

	DefaultCors(KeycloakSession session, String defaultAllowHeaders) {
	DefaultCors(KeycloakSession session, Set<String> defaultAllowHeaders) {

[CORS] Allow Access-Control-Allow-Headers customization #36473

[CORS] Allow Access-Control-Allow-Headers customization #36473

Uh oh!

Conversation

Uh oh!

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!