[keycloak-user] Cors not working Final 1.2

Hi, Cors headers missing during login procedure of keycloak =============================== Step 1 - Prepare keycloak realm: =============================== Create a simple keycloak realm for testing, =============================== Step 2 - Create a user =============================== Add a user and a client to the realm The client should be configured as follows: Client Protocol openid-connect Access Type public Valid redirect uri's: http://localhost/* http://localhost Web origins: http://localhost/* http://localhost =============================== Step 3 - Create test application on tomcat =============================== On a given tomcat server (I'm using localhost for this example) add 2 web applications: app1 with a simple index.html cors with a simple test.txt with the content "Some data" The following url's are now available: http://localhost/app1/index.html http://localhost/cors/test.txt In http://localhost/app1/index.html create javascript which loads data from http://localhost/cors/test.txt If you go to http://localhost/app1/index.html now, a GET will be performed to http://localhost/cors/test.txt and the data is displayed =============================== Step 4 - Adding keycloak to the applications =============================== Add keycloak configuration on "app1". Add keycloak configuration on "cors" Additionally, add "enable-cors": "true" to the json file. =============================== Step 5 - Log in to app1 =============================== If you log in to app1 in a new browser the data from app "cors" will not be loaded. The following error will be displayed in the console of your browser (using chrome) XMLHttpRequest cannot load http://localhost-auth:8080/auth/realms/test/protocol/openid-connect/auth?.... No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost' is therefore not allowed access. If it loaded the data, make sure that you're logged out, or try it in private browsing mode. =============================== Expected result =============================== We expected "Access-Control-Allow-Origin" to be set to the "Web origins", allowing for cross-application requests without editing existing applications. Met vriendelijke groet / Yours sincerely / Mit freundlichen Grüßen / Très cordialement, Henk Laracker