<div dir="ltr">I had this working with previous versions of Keycloak.  Now I am not able to figure it out.  I have one confidential JavaScript application with the following config:<div><br></div><div><div>{</div><div>  &quot;realm&quot;: &quot;abecorn&quot;,</div><div>  &quot;realm-public-key&quot;: &quot;MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDcGOrjJDVkNCzgVtUeIErcEYr+1orw3q/abwd3qzvArWbCrs8PZZDO9JONLMWI5gme+G616gMPw+zPwicT2g+bjYb9b0MwjTUbqxGFr858Vt3GNb25hMdsUdDoxuqnXfmXr59zOn6lX9kceMdQBAwfTGm4Gj21mkQf0UJopE8sMwIDAQAB&quot;,</div><div>  &quot;auth-server-url&quot;: &quot;<a href="http://fnb-dean-vm2:8080/auth">http://fnb-dean-vm2:8080/auth</a>&quot;,</div><div>  &quot;ssl-required&quot;: &quot;external&quot;,</div><div>  &quot;resource&quot;: &quot;item_repository&quot;,</div><div>  &quot;enable-cors&quot;: true,</div><div>  &quot;cors-max-age&quot;: 1000,</div><div>  &quot;credentials&quot;: {</div><div>    &quot;secret&quot;: &quot;d1d72a4d-7ab2-4dbe-82b2-f78ef386908a&quot;</div><div>  }</div><div>}</div></div><div><br></div><div>I have another for REST services that is bearer-only:</div><div><div>{</div><div>  &quot;realm&quot;: &quot;abecorn&quot;,</div><div>  &quot;realm-public-key&quot;: &quot;MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDcGOrjJDVkNCzgVtUeIErcEYr+1orw3q/abwd3qzvArWbCrs8PZZDO9JONLMWI5gme+G616gMPw+zPwicT2g+bjYb9b0MwjTUbqxGFr858Vt3GNb25hMdsUdDoxuqnXfmXr59zOn6lX9kceMdQBAwfTGm4Gj21mkQf0UJopE8sMwIDAQAB&quot;,</div><div>  &quot;bearer-only&quot;: true,</div><div>  &quot;enable-cors&quot;: true,</div><div>  &quot;cors-max-age&quot;: 1000,</div><div>  &quot;ssl-required&quot;: &quot;external&quot;,</div><div>  &quot;resource&quot;: &quot;itemreposervices&quot;</div><div>}</div></div><div><br></div><div>No matter what web origins I add to the first &quot;confidential&quot; application, I continue to get the error: XMLHttpRequest cannot load <a href="http://localhost:8080/itemrepository-rs/rest/items">http://localhost:8080/itemrepository-rs/rest/items</a>. 
The request was redirected to &#39;<a href="http://fnb-dean-vm2:8080/auth/realms/abecorn/protocol/openid-connect/login?">http://fnb-dean-vm2:8080/auth/realms/abecorn/protocol/openid-connect/login?</a>…s%2Frest%2Fitems&amp;state=0%2F025e3003-59a5-43d3-9927-396d966d7e5a&amp;login=true&#39;, which is disallowed for cross-origin requests that require preflight.</div><div><br></div><div>I also tried making the bearer-only application into a confidential application and gave it the appropriate web origins.  Still no luck.  Shouldn&#39;t the bearer-only applications have a place to enter web origins like the admin console had a while back?  How do you make the whitelist for a bearer-only application to allow cross-domain JavaScript?</div></div>