I've been trying to set up apiman + keycloak-oauth-plugin + keycloak + keycloak.js with a client-side AngularJS app and a REST API. It's a scenario very similar to https://github.com/keycloak/keycloak/tree/master/examples/demo-template/angular-product-app, but with apiman and CORS.

My tests are going well with curl, but with my JavaScript app the browser is performing a CORS preflight OPTIONS request without an Authorization header.

The OPTIONS request works well with an Authorization header using curl; therefore, I'm not sure whether the browser should include the Authorization header or apiman should allow CORS preflight requests (OPTIONS) without an Authorization header.
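
An added example, not part of the original post and not apiman or Keycloak code: browsers send CORS preflight requests without credentials (Fetch standard), so a gateway has to recognise a preflight before its token check runs, while every other request, including a plain OPTIONS, still needs the bearer token. The `handle` function, the origin allowlist and the header lists are hypothetical, and token verification against Keycloak is outside its scope (only the header's presence and shape are checked).

```javascript
// Added example: gateway-side ordering of CORS preflight handling and bearer auth.
// All names and values here are constructed for illustration.
const ALLOWED_ORIGINS = new Set(["https://app.example.test"]);
const ALLOWED_METHODS = ["GET", "POST", "PUT", "DELETE"];
const ALLOWED_HEADERS = ["authorization", "content-type"];

// Header names are case-insensitive; normalise them once.
function lower(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers || {})) out[k.toLowerCase()] = v;
  return out;
}

// A preflight is OPTIONS carrying both Origin and Access-Control-Request-Method.
function isPreflight(method, h) {
  return method === "OPTIONS" && !!h["origin"] && !!h["access-control-request-method"];
}

function handle(req) {
  const h = lower(req.headers);
  const origin = h["origin"];
  const originOk = origin !== undefined && ALLOWED_ORIGINS.has(origin);

  if (isPreflight(req.method, h)) {
    // Answered without a token, but only for allowlisted origins, methods and headers.
    if (!originOk) return { status: 403, headers: {} };
    const wantMethod = h["access-control-request-method"].toUpperCase();
    const wantHeaders = (h["access-control-request-headers"] || "")
      .split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);
    if (!ALLOWED_METHODS.includes(wantMethod) ||
        !wantHeaders.every((x) => ALLOWED_HEADERS.includes(x))) {
      return { status: 403, headers: {} };
    }
    return { status: 204, headers: {
      "Access-Control-Allow-Origin": origin,
      "Access-Control-Allow-Methods": ALLOWED_METHODS.join(", "),
      "Access-Control-Allow-Headers": ALLOWED_HEADERS.join(", "),
      "Vary": "Origin",
    } };
  }

  // Everything else goes through the auth check. CORS headers are still attached
  // so the browser lets the JavaScript app read a 401.
  const cors = originOk ? { "Access-Control-Allow-Origin": origin, "Vary": "Origin" } : {};
  if (!/^Bearer\s+\S+$/i.test(h["authorization"] || "")) {
    return { status: 401, headers: { ...cors, "WWW-Authenticate": "Bearer" } };
  }
  return { status: 200, headers: cors };
}
```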