So what it seems like is that we have to use the CORS Policy and add it before the Keycloak authentication policy in order for my preflight to pass .. that's the part I was missing completely. I'm not sure if it should be considered a bug or flexibility to do what we want .. But thanks for the explanation, Marc.

Anyway .. I'm still having a problem with the CORS Policy, probably I just don't have the latest code. I added some details to the JIRA ticket.

On Wed, Aug 19, 2015 at 5:53 AM, Marc Savy <marc.savy@redhat.com> wrote:
I replicated your setup as far as I could, and I couldn't replicate your issue (perhaps your CORS setup is wrong?). Please see the JIRA comments and screenshots - https://issues.jboss.org/browse/APIMAN-516

Either way, I also fixed a bug unrelated to your problem, so please re-build the plugins before trying again :-).

On 18/08/2015 19:25, Fadi Abdin wrote:
It did not work.

I set up everything the way you told me, Marc, and I'm testing it on my local.
It seems it's sending that preflight OPTIONS and coming back with 401 still.

On Tue, Aug 18, 2015 at 10:48 AM, Fadi Abdin <fadiabdeen@gmail.com> wrote:

    I'm still working on it :( .. I had to give the network guys a few IP
    addresses to whitelist so I can mvn install .. almost there.

    On Tue, Aug 18, 2015 at 9:46 AM, Marc Savy <marc.savy@redhat.com> wrote:

        My pleasure! Did it work?

        On 17/08/2015 16:38, Fadi Abdin wrote:

            cool .. you're the man ;)


            On Mon, Aug 17, 2015 at 11:37 AM, Marc Savy <marc.savy@redhat.com> wrote:

                 I'm actually testing the fix right now. It will land both on the 1.2.x
                 branch and the 1.1.x branch shortly. You should be able to test it out
                 in a short while: I'll send you an email when it's available.

                 On 17/08/2015 16:23, Fadi Abdin wrote:

                     Thank you, Marc.
                     Is there a workaround that you can think of?
                     I'm doing it with AngularJS, very simple:

                     $http({
                         method: 'GET',
                         url: 'http://server/apiman-gateway/service',
                         headers: {
                             'Authorization': 'Bearer XXXXXXXXXXXXX'
                         }
                     });

                     I assume you will fix it in the new version, right?



                     On Mon, Aug 17, 2015 at 10:52 AM, Marc Savy <marc.savy@redhat.com> wrote:

                          Hi,

                          This is related to the JIRA I linked you to
                          (https://issues.jboss.org/browse/APIMAN-516). Because of the way the
                          policy chain currently works the behaviour of CORS is invalid in a
                          few very specific cases (e.g. when you stack it with an auth
                          policy). I'll let you know when it's fixed.

                          Regards,
                          Marc

                          On 17/08/2015 15:44, Fadi Abdin wrote:

                              I have a problem in calling a service in apiman-gateway with the
                              Authorization: Bearer <token> in the header.

                              It seems to preflight OPTIONS and return

                                   X-Policy-Failure-Message: OAuth2 'Authorization' header or
                                   'access_token' query parameter must be provided.

                              I am sending the bearer token with the request and I make sure in the
                              preflight it's sent in the request.

                                   Access-Control-Request-Headers: accept, authorization

                              Does anyone know if there is something I'm missing? Do I need to get
                              authorization enabled or added anywhere? As a side note, I have the
                              below in my API as well:

                                   response.setHeader("Access-Control-Allow-Headers", "Authorization");



                              _______________________________________________
                              Apiman-user mailing list
                              Apiman-user@lists.jboss.org
                              https://lists.jboss.org/mailman/listinfo/apiman-user
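
Added example, not part of the original thread and not apiman code: a minimal policy-chain model showing why the preflight described above returns 401 when the auth policy runs before the CORS policy, and why the reverse order still rejects unauthenticated real requests. The policy functions, the origin and the 403 message are hypothetical; it covers only the preflight decision.

```javascript
// Illustrative policy chain; names and shapes are hypothetical, not apiman's API.
const ORIGIN = 'http://app.example';                 // constructed value
const ALLOWED_HEADERS = ['accept', 'authorization'];
const deny = (status, msg) => ({ status, headers: { 'X-Policy-Failure-Message': msg } });

// CORS policy: answers a genuine preflight itself; everything else passes on.
function corsPolicy(req) {
  const h = req.headers;
  if (req.method !== 'OPTIONS' || !h['access-control-request-method']) return null;
  const asked = (h['access-control-request-headers'] || '')
    .split(',').map(s => s.trim().toLowerCase()).filter(Boolean);
  if (h.origin !== ORIGIN || !asked.every(n => ALLOWED_HEADERS.includes(n))) {
    return deny(403, 'CORS preflight rejected');
  }
  return { status: 200, headers: {
    'Access-Control-Allow-Origin': ORIGIN,
    'Access-Control-Allow-Methods': 'GET',
    'Access-Control-Allow-Headers': ALLOWED_HEADERS.join(', ') } };
}

// Auth policy: requires a bearer token on every request it sees.
function authPolicy(req) {
  return /^Bearer\s+\S+/.test(req.headers.authorization || '') ? null
    : deny(401, "OAuth2 'Authorization' header or 'access_token' query parameter must be provided.");
}

// Runs policies in order; the first one that returns a response ends the chain.
function runChain(policies, req) {
  for (const policy of policies) {
    const res = policy(req);
    if (res) return res;
  }
  return { status: 200, headers: {} };               // reached the backend
}

// Constructed requests. A browser preflight names the headers it will send
// later but never carries the Authorization header itself.
const preflight = { method: 'OPTIONS', headers: { origin: ORIGIN,
  'access-control-request-method': 'GET',
  'access-control-request-headers': 'accept, authorization' } };
const withToken = { method: 'GET', headers: { origin: ORIGIN, authorization: 'Bearer XXXXXXXXXXXXX' } };
const noToken = { method: 'GET', headers: { origin: ORIGIN } };

console.log('auth first, preflight:', runChain([authPolicy, corsPolicy], preflight).status);
console.log('CORS first, preflight:', runChain([corsPolicy, authPolicy], preflight).status);
console.log('CORS first, GET without token:', runChain([corsPolicy, authPolicy], noToken).status);
console.log('CORS first, GET with token:', runChain([corsPolicy, authPolicy], withToken).status);
```

An OPTIONS request without Access-Control-Request-Method is not treated as a preflight here, so it still reaches the auth policy.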