Reject CORS requests with invalid Origin before endpoint logic runs #48469

Draft
gaoyikeshuer wants to merge 1 commit into keycloak:main from gaoyikeshuer:45957-fix-cors-issue

@gaoyikeshuer gaoyikeshuer commented Apr 24, 2026

This PR links to #45957

This PR changes CORS handling from late response to early request validation for endpoints that already know their allowed origins.

Before this change, an invalid Origin could still reach the endpoint logic and trigger work, with CORS only failing later when response headers were added. After this change, requests with an invalid Origin are rejected immediately with 403, before endpoint logic runs.
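
The ordering difference described in the PR description above, as an added Java sketch that is not part of the pull request or of Keycloak's code. All class, method and origin names are hypothetical, and letting a request without an Origin header pass is an assumption.

```java
import java.util.Set;

// Added illustration: all names are hypothetical, not Keycloak classes.
public class EarlyCorsCheck {
    record Response(int status, String allowOrigin) {}

    static int sideEffects = 0; // counts how often endpoint logic actually ran

    // Stand-in for endpoint work (session lookup, token issuance, DB writes).
    static void endpointLogic() { sideEffects++; }

    // Exact string match against the configured origins.
    static boolean allowed(String origin, Set<String> allowedOrigins) {
        return origin != null && allowedOrigins.contains(origin);
    }

    // Before: work happens first; the Origin only decides whether the
    // Access-Control-Allow-Origin header is attached to the response.
    static Response lateCheck(String origin, Set<String> allowedOrigins) {
        endpointLogic();
        return new Response(200, allowed(origin, allowedOrigins) ? origin : null);
    }

    // After: a present but disallowed Origin gets 403 before any work.
    // Assumption: a request without Origin is not a CORS request and passes.
    static Response earlyCheck(String origin, Set<String> allowedOrigins) {
        if (origin != null && !allowed(origin, allowedOrigins)) {
            return new Response(403, null);
        }
        endpointLogic();
        return new Response(200, origin);
    }

    public static void main(String[] args) {
        Set<String> allowedOrigins = Set.of("https://app.example.com"); // constructed
        String[] origins = {"https://app.example.com",
                "https://untrusted.example.net", null};                 // constructed
        for (String o : origins) {
            int before = sideEffects;
            Response late = lateCheck(o, allowedOrigins);
            int lateRan = sideEffects - before;
            Response early = earlyCheck(o, allowedOrigins);
            int earlyRan = sideEffects - before - lateRan;
            System.out.printf("Origin=%s late: %d ACAO=%s ran=%d | early: %d ran=%d%n",
                    o, late.status(), late.allowOrigin(), lateRan, early.status(), earlyRan);
        }
    }
}
```

For the disallowed origin, the late variant still returns 200 with `ran=1` and only omits the allow-origin header, while the early variant returns 403 with `ran=0`.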

@gaoyikeshuer gaoyikeshuer force-pushed the 45957-fix-cors-issue branch from c437a1c to fdf3854 April 28, 2026 12:46

@keycloak-github-bot keycloak-github-bot Bot left a comment

Unreported flaky test detected, please review

Unreported flaky test detected

If the flaky tests below are affected by the changes, please review and update the changes accordingly. Otherwise, a maintainer should report the flaky tests prior to merging the PR.

org.keycloak.testsuite.forms.RPInitiatedFrontChannelLogoutTest#testFrontChannelLogoutWithoutSessionRequired

Keycloak CI - Forms IT (firefox)

org.openqa.selenium.TimeoutException: 
Navigation timed out after 10000 ms
Build info: version: '4.28.1', revision: '73f5ad48a2'
System info: os.name: 'Linux', os.arch: 'amd64', os.version: '6.17.0-1010-azure', java.version: '25.0.2'
Driver info: org.openqa.selenium.firefox.FirefoxDriver
...

Report flaky test
