It's the correct approach to add the preflight. Please send a PR and we'll merge it.
Out of curiosity do you know why it's sending a preflight in your app? It doesn't when I test it out here, which AFAIK is correct according to spec (content-type is application/x-www-form-urlencoded and there's no custom headers set).
----- Original Message -----
> From: "Alain Penders" <alain@rexorient.com>
> _______________________________________________> To: keycloak-dev@lists.jboss.org
> Sent: Tuesday, 2 December, 2014 3:04:50 PM
> Subject: [keycloak-dev] Fwd: Preflight for token refresh
>
> Hi all,
>
> I'm building a new app using GWT 2.7 using the Keycloak javascript adapter
> and GWT jsInterop. This works extremely well.
>
> The problem I ran into is if I walk away for 5 minutes and then try to do
> something, the token refresh fails on preflight. As shown in the
> documentation, I call keycloak.updateToken(30) to refresh the base token in
> case it has expired. Since in this case it has indeed expired, keycloak
> makes a call to /auth/realms/<myrealm>/tokens/refresh. The OPTIONS call to
> this location doesn't contain the Accept headers, and my app ends up dead in
> the water.
>
> To fix this, I added the following code to OpenIDConnectService:
>
> /**
> * CORS preflight path for refresh token requests
> *
> * @return
> */
> @Path("refresh")
> @OPTIONS
> @Produces(MediaType.APPLICATION_JSON)
> public Response refreshAccessTokenPreflight() {
> if (logger.isDebugEnabled()) {
> logger.debugv("cors request from: {0}",
> request.getHttpHeaders().getRequestHeaders().getFirst("Origin"));
> }
> return Cors.add(request, Response.ok()).auth().preflight().build();
> }
>
> If this wasn't the correct solution for my problem, I'd enjoy hearing where I
> went wrong.
>
> Thanks,
> Alain
>
>
> keycloak-dev mailing list
> keycloak-dev@lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev