Honestly I can't because I am Java programmer. JavaScript application is from another team, but unfortunately only I have from them is that the problem is with x-client CORS header (it isn't added to "allowed headers" from Keycloak's server, but it is in request from keycloak-auth-utils). They use "obtainDirectly(username, password)" method. Also I have the curl request which is produced by keycloak-auth-utils, and here it is: curl 'http://<keycloak_host>/auth/realms/master/protocol/openid-connect/token' <http://keycloak.pz-test.graphyne2.adbglobal.com/auth/realms/ADB/protocol/... -X OPTIONS -H 'Pragma: no-cache' -H 'Access-Control-Request-Method: POST' -H 'Origin: http://localhost:8082' -H 'Accept-Encoding: gzip, deflate, sdch' -H 'Accept-Language: pl-PL,pl;q=0.8,en-US;q=0.6,en;q=0.4' -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36' -H 'Accept: */*' -H 'Cache-Control: no-cache' -H 'Connection: keep-alive' -H 'Access-Control-Request-Headers: authorization,x-client' --compressed If you call Keycloak with curl above you will see that there is no X-Client header in Access-Control-Allow-Headers, but (!!!) request must be from another host. Why they don't use keycloak-connect? I have no idea ;/ On 29.06.2017 11:40, Bruno Oliveira wrote: