I had this working with previous versions of keycloak. Now I am not able to figure it out. I have one confidential javascript application with the following config:
{
"realm": "abecorn",
"realm-public-key": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDcGOrjJDVkNCzgVtUeIErcEYr+1orw3q/abwd3qzvArWbCrs8PZZDO9JONLMWI5gme+G616gMPw+zPwicT2g+bjYb9b0MwjTUbqxGFr858Vt3GNb25hMdsUdDoxuqnXfmXr59zOn6lX9kceMdQBAwfTGm4Gj21mkQf0UJopE8sMwIDAQAB",
"ssl-required": "external",
"resource": "item_repository",
"enable-cors": true,
"cors-max-age": 1000,
"credentials": {
"secret": "d1d72a4d-7ab2-4dbe-82b2-f78ef386908a"
}
}
I have another for REST services that is bearer only:
{
"realm": "abecorn",
"realm-public-key": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDcGOrjJDVkNCzgVtUeIErcEYr+1orw3q/abwd3qzvArWbCrs8PZZDO9JONLMWI5gme+G616gMPw+zPwicT2g+bjYb9b0MwjTUbqxGFr858Vt3GNb25hMdsUdDoxuqnXfmXr59zOn6lX9kceMdQBAwfTGm4Gj21mkQf0UJopE8sMwIDAQAB",
"bearer-only": true,
"enable-cors": true,
"cors-max-age": 1000,
"ssl-required": "external",
"resource": "itemreposervices"
}
I also tried making the bearer only application into a confidential application and gave it the appropriate web origins. Still no luck. Shouldn't the bearer only applications have a place to enter web origins like the admin console had a while back? How do you make the white list for a bearer only application to allow cross domain javascript?