Hello everyone,
We're running a Keycloak 6.0.1 cluster in Kubernetes, and we're
running into issues with CORS requests by Kibana as part of
refreshing the access token. Here is the situation:
1. User logs into the SP and is able to successfully authenticate.
2. The user's token expires in the background.
3. The SP notices this expired token and attempts to refresh the token,
starting by issuing an auth request to Keycloak. It issues an 'OPTIONS'
request to determine what it can perform, and this request is missing
headers. Here is the full output sample from curl:
[jboss@keycloak-dev-0 ~]$ curl 'http://127.0.0.1:8080/auth/realms/globalauth/protocol/openid-connect/auth...' \
  -X OPTIONS \
  -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0' \
  -H 'Accept: */*' \
  -H 'Accept-Language: en-US,en;q=0.5' \
  --compressed \
  -H 'Access-Control-Request-Method: GET' \
  -H 'Access-Control-Request-Headers: content-type,kbn-version' \
  -H 'Referer: https://kibana.[[SPURL]]/app/kibana' \
  -H 'Origin: https://[[SPURL]]' \
  -H 'Connection: keep-alive' \
  -H 'Host: [[IDPURL]]' -v
* About to connect() to 127.0.0.1 port 8080 (#0)
* Trying 127.0.0.1...
* Connected to 127.0.0.1 (127.0.0.1) port 8080 (#0)
OPTIONS /auth/realms/globalauth/protocol/openid-connect/auth?client_id=fps-demo&response_type=code&redirect_uri=https%3A%2F%2F[[SPURL]]%2Fauth%2Fopenid%2Flogin&state=hP95iVphOxSnWk0tkjE2rg&scope=openid%20profile%20email%20address%20phone HTTP/1.1
Accept-Encoding: deflate, gzip
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Access-Control-Request-Method: GET
Access-Control-Request-Headers: content-type,kbn-version
Referer: https://[[SPURL]]/app/kibana
Origin: https://[[SPURL]]
Connection: keep-alive
Host: [[IDPURL]]
< HTTP/1.1 204 No Content
< Date: Tue, 23 Jul 2019 20:38:39 GMT
<
* Connection #0 to host 127.0.0.1 left intact
[jboss@keycloak-dev-0 ~]$
Here is the configuration of the client; the "Web Origins" item has
been set to the specific origin, to +, and to *. The result is the same
across all of them.
{
  "clientId": "fps-demo",
  "surrogateAuthRequired": false,
  "enabled": true,
  "clientAuthenticatorType": "client-secret",
  "redirectUris": [
    "https://kibana.[[SPURL]]"
  ],
  "webOrigins": [
    "+"
  ],
  "notBefore": 0,
  "bearerOnly": false,
  "consentRequired": false,
  "standardFlowEnabled": true,
  "implicitFlowEnabled": false,
  "directAccessGrantsEnabled": true,
  "serviceAccountsEnabled": false,
  "publicClient": false,
  "frontchannelLogout": false,
  "protocol": "openid-connect",
  "attributes": {
    "saml.assertion.signature": "false",
    "saml.multivalued.roles": "false",
    "saml.force.post.binding": "false",
    "saml.encrypt": "false",
    "saml.server.signature": "false",
    "saml.server.signature.keyinfo.ext": "false",
    "exclude.session.state.from.auth.response": "false",
    "saml_force_name_id_format": "false",
    "saml.client.signature": "false",
    "tls.client.certificate.bound.access.tokens": "false",
    "saml.authnstatement": "false",
    "display.on.consent.screen": "false",
    "saml.onetimeuse.condition": "false"
  },
  "authenticationFlowBindingOverrides": {},
  "fullScopeAllowed": false,
  "nodeReRegistrationTimeout": -1,
  "protocolMappers": [
    {
      "name": "client roles",
      "protocol": "openid-connect",
      "protocolMapper": "oidc-usermodel-client-role-mapper",
      "consentRequired": false,
      "config": {
        "multivalued": "true",
        "userinfo.token.claim": "false",
        "id.token.claim": "true",
        "access.token.claim": "true",
        "claim.name": "roles",
        "jsonType.label": "String",
        "usermodel.clientRoleMapping.clientId": "fps-demo"
      }
    },
    {
      "name": "allowed web origins",
      "protocol": "openid-connect",
      "protocolMapper": "oidc-allowed-origins-mapper",
      "consentRequired": false,
      "config": {}
    }
  ],
  "defaultClientScopes": [
    "web-origins",
    "role_list",
    "profile",
    "roles",
    "email"
  ],
  "optionalClientScopes": [
    "address",
    "phone",
    "offline_access"
  ],
  "access": {
    "view": true,
    "configure": true,
    "manage": true
  }
}
Help is appreciated. We've tried multiple different combinations of
configs with no success.
Thanks! David
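As an added example (not code from David's message or from the Keycloak project), a small Python checker that applies the browser's CORS preflight rules to the 204 response captured above and expands the client's webOrigins entries ('+', '*' or literal origins) into the concrete origins Keycloak would accept. The hostnames sp.example and kibana.sp.example are constructed stand-ins for the redacted [[SPURL]], and the function names are my own.

```python
from urllib.parse import urlsplit
SAFELISTED_METHODS = {"GET", "HEAD", "POST"}  # allowed even with no Allow-Methods header

def origin_of(url: str) -> str:
    """Reduce a URL to its origin, scheme://host[:port]."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"

def allowed_origins(web_origins, redirect_uris):
    """Expand Keycloak's webOrigins convention: '*' permits any origin, '+' permits
    the origin of every registered redirect URI, anything else is a literal origin."""
    allowed = set()
    for entry in web_origins:
        if entry == "*":
            return {"*"}
        allowed.update(map(origin_of, redirect_uris) if entry == "+" else [origin_of(entry)])
    return allowed

def _csv(value: str) -> set:
    return {v.strip().lower() for v in value.split(",") if v.strip()}

def preflight_problems(req, status, resp, credentialed=False):
    """Reasons a browser would reject this preflight (empty list = accepted).
    For credentialed requests (cookies) the '*' wildcards are not honoured."""
    req = {k.lower(): v for k, v in req.items()}
    resp = {k.lower(): v for k, v in resp.items()}
    problems = []
    if not 200 <= status < 300:
        problems.append(f"status {status} is not 2xx")
    acao = resp.get("access-control-allow-origin")
    if acao != req["origin"] and not (acao == "*" and not credentialed):
        problems.append("no Access-Control-Allow-Origin matching the Origin")
    method = req["access-control-request-method"].upper()
    methods = {m.upper() for m in _csv(resp.get("access-control-allow-methods", ""))}
    if method not in (methods | SAFELISTED_METHODS) and not ("*" in methods and not credentialed):
        problems.append(f"method {method} not in Access-Control-Allow-Methods")
    wanted = _csv(req.get("access-control-request-headers", ""))
    granted = _csv(resp.get("access-control-allow-headers", ""))
    missing = wanted - granted
    if missing and not ("*" in granted and not credentialed):
        problems.append("headers not in Access-Control-Allow-Headers: " + ", ".join(sorted(missing)))
    return problems

# Constructed sample: the captured preflight above, with sp.example standing in
# for the redacted [[SPURL]]; the real 204 response carried only a Date header.
PREFLIGHT_REQUEST = {"Origin": "https://sp.example", "Access-Control-Request-Method": "GET",
                     "Access-Control-Request-Headers": "content-type,kbn-version"}
PREFLIGHT_RESPONSE = {"Date": "Tue, 23 Jul 2019 20:38:39 GMT"}

def check_captured_preflight():
    # Keycloak sessions ride on cookies, so the request is treated as credentialed.
    return preflight_problems(PREFLIGHT_REQUEST, 204, PREFLIGHT_RESPONSE, credentialed=True)
```

Run against the captured exchange it reports that the 204 carries no Access-Control-Allow-Origin and grants neither content-type nor kbn-version, so the browser never sends the real GET no matter what webOrigins contains; with webOrigins set to "+" the only origin derived from the redirect URI is https://kibana.sp.example, which differs from the Origin https://sp.example.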