Hi Keycloak Users,
I'm attempting to save my users a few button clicks by automatically trying brokered
identity providers in the background with AJAX requests (using the kc_idp_hint parameter)
before redirecting them to the Keycloak login form. In most cases users will already be
logged into one of the brokered identity providers (the client is often on one of several
SPNEGO-protected subnets), and instead of showing users the login form with buttons to try
the brokered providers manually one by one, I was hoping to simply do it for them in the
background, so that when they are directed to the realm's login form the common case would
be for them to be immediately redirected back because they're already logged in. I'm using
the Wildfly client adapters (Java servlet container managed security) configured as
confidential clients. I have the client "Web Origins" set to "*". In the Wildfly
standalone.xml I have the clients configured with "<enable-cors>true</enable-cors>". I'm
using Keycloak 4.1.0.
On the client side I'm using jQuery and have "crossDomain: true" and
"xhrFields: {withCredentials: true}" set on the XHR object. The Keycloak server
still doesn't respond with an Access-Control-Allow-Origin header, though, so the login
fails. It works if not using AJAX. The network trace of an AJAX request from the web
browser console looks like:
--- Request 1 ---
GET https://myhost.example.com/myapp/protected?kc_idp_hint=broker1-keycloak-o...
Host: myhost.example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://myhost.example.com/myapp/mypage
Cookie: OAuth_Token_Request_State=<REDACTED>; JSESSIONID=<REDACTED>.myhost
Connection: keep-alive
--- Response 1 ---
Cache-Control: no-cache, no-store, must-revalidate
Connection: Keep-Alive
Content-Length: 0
Date: Tue, 14 Aug 2018 19:48:46 GMT
Expires: 0
Keep-Alive: timeout=5, max=100
Location: https://keycloak1.example.com/auth/realms/myrealm/protocol/openid-connect...
Pragma: no-cache
Server: WildFly/11
Set-Cookie: OAuth_Token_Request_State=<REDACTED>; HttpOnly
X-Powered-By: Undertow/1
--- Request 2 ---
GET https://keycloak1.example.com/auth/realms/myrealm/protocol/openid-connect...
Host: keycloak1.example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://myhost.example.com/myapp/mypage
Origin: https://myhost.example.com
Cookie: AUTH_SESSION_ID=<REDACTED>.keycloak1; KC_RESTART=<REDACTED>
Connection: keep-alive
--- Response 2 ---
Status: 401
Cache-Control: no-store, must-revalidate, max-age=0
Connection: Keep-Alive
Content-Length: 615
Content-Type: text/html;charset=UTF-8
Date: Tue, 14 Aug 2018 19:48:48 GMT
Keep-Alive: timeout=5, max=100
Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.2k-fips mod_auth_kerb/5.4 PHP/7.1.18 mod_wsgi/3.4 Python/2.7.5
Set-Cookie: AUTH_SESSION_ID=<REDACTED>.keycloak1; Version=1; Path=/auth/realms/myrealm/; Secure; HttpOnly
KC_RESTART=<REDACTED>; Version=1; Path=/auth/realms/myrealm/; Secure; HttpOnly
WWW-Authenticate: Negotiate
--- Request 3 ---
GET https://keycloak1.example.com/auth/realms/myrealm/protocol/openid-connect...
Host: keycloak1.example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://myhost.example.com/myapp/mypage
Origin: https://myhost.example.com
Cookie: AUTH_SESSION_ID=<REDACTED>.keycloak1; KC_RESTART=<REDACTED>
Connection: keep-alive
Authorization: Negotiate <REDACTED>
--- Response 3 ---
Cache-Control: no-store, must-revalidate, max-age=0
Connection: Keep-Alive
Content-Length: 0
Date: Tue, 14 Aug 2018 19:48:48 GMT
Keep-Alive: timeout=5, max=99
Location: https://keycloak1.example.com/auth/realms/myrealm/broker/broker1-keycloak...
Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.2k-fips mod_auth_kerb/5.4 PHP/7.1.18 mod_wsgi/3.4 Python/2.7.5
Set-Cookie: AUTH_SESSION_ID=<REDACTED>.keycloak1; Version=1; Path=/auth/realms/myrealm/; Secure; HttpOnly
KC_RESTART=<REDACTED>; Version=1; Path=/auth/realms/myrealm/; Secure; HttpOnly
Notice I must redirect off a protected URL on my client app since the Wildfly client
adapter only works on pages which are explicitly protected by the container-managed
security. Also notice that in the third and final request the response is missing the
Access-Control-Allow-Origin header, which results in the error in the browser web console
and the process ending. Any ideas?
Thanks,
Ryan
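Editor's note, added to the thread and not part of Ryan's post, of Keycloak, or of the Wildfly adapter: the failure above is decided entirely on the browser side, by the CORS check a credentialed XHR (crossDomain plus withCredentials) must pass on every response once the redirect chain leaves the page's origin. The Node.js script below replays that rule, following the Fetch standard's CORS check and its "tainted origin" handling, over a chain constructed from the trace in the post. The hostnames, the broker alias "broker1", the broker login path and the hop to broker1.example.com are assumptions; the redacted values are omitted. The 401 Negotiate challenge and the retried request carrying Authorization: Negotiate are answered in the HTTP layer before any CORS check, so requests 2 and 3 of the trace collapse into a single hop here.

```javascript
// Added example (not code from the original post, from Keycloak or from the
// Wildfly adapter). Simulates the browser's CORS check for a credentialed
// cross-origin XMLHttpRequest across a redirect chain, per the Fetch standard.
// Runs offline under Node.js; all URLs and headers below are constructed.

const PAGE_ORIGIN = 'https://myhost.example.com'; // origin of /myapp/mypage (assumed)

// Constructed from the post's trace. Each entry is the response the browser
// finally obtained for `url`; the 401 Negotiate round trip folds into hop 2.
const TRACE = [
  { url: 'https://myhost.example.com/myapp/protected?kc_idp_hint=broker1', status: 302,
    headers: { Location: 'https://keycloak1.example.com/auth/realms/myrealm/protocol/openid-connect/auth' } },
  { url: 'https://keycloak1.example.com/auth/realms/myrealm/protocol/openid-connect/auth', status: 302,
    headers: { Location: 'https://keycloak1.example.com/auth/realms/myrealm/broker/broker1/login' } },
];

// Assumed continuation of the chain: Keycloak hands off to the brokered IdP.
const BROKER_HOPS = [
  { url: 'https://keycloak1.example.com/auth/realms/myrealm/broker/broker1/login', status: 302,
    headers: { Location: 'https://broker1.example.com/auth/realms/upstream/protocol/openid-connect/auth' } },
  { url: 'https://broker1.example.com/auth/realms/upstream/protocol/openid-connect/auth', status: 200,
    headers: {} },
];

function lowerKeys(headers) {
  return Object.fromEntries(
    Object.entries(headers || {}).map(([k, v]) => [k.toLowerCase(), v]));
}

function fail(index, reason) {
  return { ok: false, hop: index + 1, reason }; // hop is 1-based for readability
}

// Returns { ok: true } or { ok: false, hop, reason } for a credentialed
// (withCredentials: true) cross-origin XHR that follows the given chain.
function corsCheckChain(pageOrigin, hops) {
  let sentOrigin = pageOrigin; // value the browser puts in the Origin header
  let corsTainted = false;     // set once any hop leaves the page's origin; never cleared
  for (let i = 0; i < hops.length; i++) {
    const hop = hops[i];
    const h = lowerKeys(hop.headers);
    const currentOrigin = new URL(hop.url).origin;
    if (currentOrigin !== pageOrigin) corsTainted = true;

    if (corsTainted) {
      // Strict CORS check: credentials are sent, so "*" is not accepted and
      // Access-Control-Allow-Credentials: true is required as well.
      const acao = h['access-control-allow-origin'];
      const acac = (h['access-control-allow-credentials'] || '').toLowerCase();
      if (acao === undefined) return fail(i, 'no Access-Control-Allow-Origin header');
      if (acao === '*') return fail(i, 'wildcard Access-Control-Allow-Origin is refused when credentials are sent');
      if (acao !== sentOrigin) return fail(i, `Access-Control-Allow-Origin "${acao}" does not match Origin "${sentOrigin}"`);
      if (acac !== 'true') return fail(i, 'Access-Control-Allow-Credentials: true is missing');
    }

    const location = h['location'];
    if (hop.status >= 300 && hop.status < 400 && location) {
      const nextOrigin = new URL(location, hop.url).origin;
      // Fetch "tainted origin": a redirect that crosses a second origin boundary
      // makes the browser send Origin: null from then on, which no exact-origin
      // allow-list can match (and allow-listing "null" is unsafe).
      if (nextOrigin !== currentOrigin && currentOrigin !== pageOrigin) {
        sentOrigin = 'null';
      }
    }
  }
  return { ok: true };
}

// Helper: pretend every server in the chain had CORS enabled for `allowOrigin`.
function withCors(hops, allowOrigin) {
  return hops.map(h => ({
    ...h,
    headers: { ...h.headers,
      'Access-Control-Allow-Origin': allowOrigin,
      'Access-Control-Allow-Credentials': 'true' },
  }));
}

// Three variants of the same chain: as traced, with "Web Origins: *" actually
// echoed as a wildcard, and with an exact origin echoed by every server.
function scenarios() {
  return {
    asTraced: corsCheckChain(PAGE_ORIGIN, TRACE),
    wildcardAcao: corsCheckChain(PAGE_ORIGIN, withCors(TRACE, '*')),
    exactAcao: corsCheckChain(PAGE_ORIGIN, withCors([...TRACE, ...BROKER_HOPS], PAGE_ORIGIN)),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, result] of Object.entries(scenarios())) console.log(name, result);
}
```

The three scenarios make the point of the thread concrete: the chain as traced dies on the first Keycloak response for lack of an Access-Control-Allow-Origin header; a wildcard would not rescue it because credentials are sent; and even exact-origin CORS on Keycloak only moves the failure to the hop into the brokered IdP, where the browser has already downgraded Origin to "null". A login flow that redirects through the authorization endpoint and on to a broker is designed to be driven by top-level navigation (or an iframe), not by XHR; the OpenID Connect mechanism for a background "am I already logged in" check is an authorization request with prompt=none in a hidden iframe rather than an AJAX call.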