API authentication with OIDC


I’m stuck with an authentication problem on API calls.

Here’s the stack:

  • Keycloak
  • Angular (test.local)
  • Mayan (mayan.test.local)

Angular authenticates successfully with Keycloak. Mayan’s authentication method is OIDC. If I open a tab with mayan.test.local/oidc/authenticate, authentication is successful, and redirection to the Angular page is too (according to MAYAN_LOGIN_REDIRECT_URL set in the Docker Compose file).

However, after that, when I make an endpoint call (GET http://mayan.test.local/api/v4/cabinets/1/, for example) from Angular, the response is 200 but empty. It seems that the sessionid cookie is mandatory; otherwise, Mayan considers me as a non-authenticated user. Mayan is on a subdomain, which may be the reason why the sessionid cookie is not sent on the Angular call.

If I try to call GET http://mayan.test.local/oidc/authenticate from Angular (hoping the sessionid cookie would be set on the Angular domain), I encounter a CORS error on the Keycloak redirection :

Access to XMLHttpRequest at 'http://test.local/auth/realms/realm-test/protocol/openid-connect/auth?response_type=code&scope=openid+email&client_id=client-test&redirect_uri=http%3A%2F%2Fmayan.test.local%2Foidc%2Fcallback%2F&state=o1EXcEQ0DeGvUFNUq0XJLVuwBdvagYPW&nonce=jNlmj1FkBURMBl36TVfYy6XHl3XQYFuY' (redirected from 'http://mayan.test.local/oidc/authenticate') from origin 'http://test.local' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

Am I missing something?

EDIT : With Chrome launched in no CORS mode, calling Mayan authenticate from Angular works fine. Sessionid cookie is here and set in header when I’m calling an endpoint.
I’ve got to find out why there is this CORS issue. Something to set in Mayan ? In Keycloak (redirect URI and web origins seems to be allowed) ? In Traefik inside the Docker Compose file ?

Thank you.