我有一个使用 Quarkus OIDC 集成的 Quarkus + Primefaces(服务器端呈现)网络应用程序。 配置如下:
quarkus.oidc.auth-server-url=${oidc_serverUrl}
quarkus.oidc.client-id=my-jsf-app
quarkus.oidc.application-type=web-app
quarkus.oidc.credentials.secret=${oidc-secret}
quarkus.http.auth.permission.authenticated.paths=/*
quarkus.http.auth.permission.authenticated.policy=authenticated
quarkus.oidc.authentication.cookie-same-site=lax
quarkus.oidc.logout.path=/secure/logout
quarkus.oidc.logout.post-logout-path=/secure/user/home.xhtml
quarkus.oidc.token-state-manager.split-tokens=true
quarkus.oidc.token-state-manager.strategy=id-refresh-tokens
quarkus.oidc.authentication.cookie-path=/
quarkus.oidc.token.refresh-expired=true
quarkus.oidc.token.refresh-token-time-skew=5M
quarkus.oidc.authentication.session-age-extension=30M
Ajax (XHR) POST 请求在空闲时间后失败,这是在浏览器控制台中打印的内容:
Access to XMLHttpRequest at 'https://keycloak.mydomain.com/auth/realms/my-realm/protocol/openid-connect/auth?response_type=code&client_id=my-jsf-appapp&scope=openid&redirect_uri=http%3A%2F%2Fjam.lan%3A8080%2Fsecure%2Fuser%2FaccountWizard.xhtml&state=8580d0d5-cff9-48cc-b9c4-743173c9d279' (redirected from 'http://jam.lan:8080/secure/user/accountWizard.xhtml?jfwid=40e7c') from origin 'http://jam.lan:8080' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.
这是 Quarkus 日志中针对同一请求发生的情况:
2023-05-18 12:28:41,987 DEBUG [io.qua.oid.run.CodeAuthenticationMechanism] (vert.x-eventloop-thread-3) Starting an authentication challenge
2023-05-18 12:28:41,989 DEBUG [io.qua.oid.run.CodeAuthenticationMechanism] (vert.x-eventloop-thread-3) Authentication request redirect_uri parameter: http://jam.lan:8080/secure/user/accountWizard.xhtml
2023-05-18 12:28:41,992 DEBUG [io.qua.oid.run.CodeAuthenticationMechanism] (vert.x-eventloop-thread-3) q_auth_8580d0d5-cff9-48cc-b9c4-743173c9d279 cookie 'max-age' parameter is set to 1800
2023-05-18 12:28:41,994 DEBUG [io.qua.oid.run.CodeAuthenticationMechanism] (vert.x-eventloop-thread-3) Code flow redirect to: https://keycloak.diligesoft.com/auth/realms/collar-club/protocol/openid-connect/auth?response_type=code&client_id=collar-club-jsf-app&scope=openid&redirect_uri=http%3A%2F%2Fjam.lan%3A8080%2Fsecure%2Fuser%2FaccountWizard.xhtml&state=8580d0d5-cff9-48cc-b9c4-743173c9d279
问题:
我试图修复 Keycloak 端的“已被 CORS 策略阻止”,但仍然失败。它是否适用于 XMLHttpRequests?如果发生这样的故障(对用户隐藏),在客户端恢复的正确方法是什么?
在此状态下,强制页面重新加载不起作用 - 浏览器在 401 上失败并且 Quarkus 日志显示此消息:
2023-05-18 12:55:08,555 DEBUG [io.qua.oid.run.CodeAuthenticationMechanism] (vert.x-eventloop-thread-3) State parameter can not be empty or multi-valued if the state cookie is present
为了继续,用户必须清理浏览器缓存。如何在服务器或客户端处理此问题,因此不需要清除浏览器缓存?
试图在客户端捕获 401 并强制重新加载页面:
$(document).ajaxError(function (e, xhr, settings) {
location.reload();
});
没有成功。