I am using Keycloak 4.4.0 to secure my rest service, which is implemented using Spring Boot and I am using React for the front end. I get a CORS error when the front end (running on localhost:3000) makes an API call to localhost:8080/login and is redirected to the Keycloak login page. The error is: `localhost/:1 Failed to load http://localhost:8080/login: Redirect from 'http://localhost:8080/login' to 'http://localhost:9080/auth/realms/hbs/protocol/openid-connect/auth?response_type=code&client_id=hbs&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Flogin&state=ab5034a9-4baa-4be3-9ec1-feefbe5f9c0b&login=true&scope=openid' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:3000' is therefore not allowed access.` I have added a single value of '*' to the Web Origins config section in the Keycloak client. I have annotated my REST controller as follows: @RestController class MyController { @CrossOrigin @GetMapping("/login") public ResponseEntity<Foo> getFoo(Principal principal) { return ResponseEntity.ok(new Foo("blah")); } } I have enabled keycloak and cors in the application properties: keycloak.cors = true keycloak.enabled = true If I disable keycloak the CORS problem goes away. As described here <https://stackoverflow.com/a/46222250/820657> , I suspect the issue is to do with the keycloak server not responding with any ACCESS-CONTROL-ALLOW-ORIGIN headers despite "web Origins" being correctly configured in the keycloak admin portal. But I'm not completely sure how to confirm this. -- Sent from: http://keycloak-user.88327.x6.nabble.com/