Figured it out.  I was using angularjs' $resource to send the request.  I followed the instructions on how to set custom headers to include the Authorization header.  I must be doing something wrong.  When I switched to using JQuery $.ajax, I include the Authorization header and it works.

On Thu, Oct 16, 2014 at 3:35 PM, Dean Peterson <peterson.dean@gmail.com> wrote:
I had this working with previous versions of keycloak.  Now I am not able to figure it out.  I have one confidential javascript application with the following config:

{
  "realm": "abecorn",
  "realm-public-key": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDcGOrjJDVkNCzgVtUeIErcEYr+1orw3q/abwd3qzvArWbCrs8PZZDO9JONLMWI5gme+G616gMPw+zPwicT2g+bjYb9b0MwjTUbqxGFr858Vt3GNb25hMdsUdDoxuqnXfmXr59zOn6lX9kceMdQBAwfTGm4Gj21mkQf0UJopE8sMwIDAQAB",
  "auth-server-url": "http://fnb-dean-vm2:8080/auth",
  "ssl-required": "external",
  "resource": "item_repository",
  "enable-cors": true,
  "cors-max-age": 1000,
  "credentials": {
    "secret": "d1d72a4d-7ab2-4dbe-82b2-f78ef386908a"
  }
}

I have another for REST services that is bearer only:
{
  "realm": "abecorn",
  "realm-public-key": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDcGOrjJDVkNCzgVtUeIErcEYr+1orw3q/abwd3qzvArWbCrs8PZZDO9JONLMWI5gme+G616gMPw+zPwicT2g+bjYb9b0MwjTUbqxGFr858Vt3GNb25hMdsUdDoxuqnXfmXr59zOn6lX9kceMdQBAwfTGm4Gj21mkQf0UJopE8sMwIDAQAB",
  "bearer-only": true,
  "enable-cors": true,
  "cors-max-age": 1000,
  "ssl-required": "external",
  "resource": "itemreposervices"
}

No matter what web origins I add to the first "confidential" application, I continue to get the error: XMLHttpRequest cannot load http://localhost:8080/itemrepository-rs/rest/items. The request was redirected to 'http://fnb-dean-vm2:8080/auth/realms/abecorn/protocol/openid-connect/login?…s%2Frest%2Fitems&state=0%2F025e3003-59a5-43d3-9927-396d966d7e5a&login=true', which is disallowed for cross-origin requests that require preflight.

I also tried making the bearer only application into a confidential application and gave it the appropriate web origins.  Still no luck.  Shouldn't the bearer only applications have a place to enter web origins like the admin console had a while back?  How do you make the white list for a bearer only application to allow cross domain javascript?