Hi all,
I've observed this issue for a long time now. Standard scenario: a backend
app secured with the Spring Boot adapter + a frontend app which uses the
keycloak.js library. Two clients are configured (*public* for token
acquisition + *bearer only* for REST calls).
Allowed CORS origins are set to * (Web Origins field for the public client).
application.properties has *keycloak.cors* set to *true*. REST controller
has *@CrossOrigin* annotation.
Everything works as expected. Until: the frontend app sends an erroneous
token in the Authorization header (e.g.: "Bearer blablabla"). As a result,
I get a CORS error, which says:
*Access to XMLHttpRequest at 'https://xxxxxx.herokuapp.com/items' from
origin 'http://localhost:1234' has been blocked by CORS policy: No
'Access-Control-Allow-Origin' header is present on the requested resource.*
[image: Screenshot 2019-05-01 at 22.31.40.png]
If I look at the preflight request though, then the
*Access-Control-Allow-Origin* header is indeed set.
[image: Screenshot 2019-05-01 at 22.37.16.png]
Why that error message then? I must admit this confused me multiple times,
as I thought that I had issues with CORS. Also the frontend logic is
undermined, as I should include a custom interceptor (which I don't want to
do heheh). I tried both 4.8.3.Final and 5.0.0 - same result.
Any ideas? Thanks in advance!
Regards,
Pavel Maslov, MS
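
Added example, not part of the original message and not Keycloak or Spring code: the browser applies the CORS check to the actual response as well as to the preflight, so a 401 that arrives without Access-Control-Allow-Origin is reported as a CORS failure even though the preflight passed. The sample exchanges below are constructed, and the assumption that the 401 carries no CORS header is taken from the error text quoted in the message.

```javascript
// CORS check (Access-Control-Allow-Origin part) as defined by the Fetch standard.
// HTTP header names are case-insensitive, so look them up that way.
function getHeader(headers, name) {
  const key = Object.keys(headers).find(k => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? null : headers[key];
}

function corsCheck(origin, headers, withCredentials = false) {
  const allowOrigin = getHeader(headers, 'Access-Control-Allow-Origin');
  if (allowOrigin === null) return { ok: false, reason: 'no Access-Control-Allow-Origin header' };
  if (!withCredentials && allowOrigin === '*') return { ok: true, reason: 'wildcard' };
  if (allowOrigin !== origin) return { ok: false, reason: 'origin mismatch' };
  if (!withCredentials) return { ok: true, reason: 'origin match' };
  const allowCreds = getHeader(headers, 'Access-Control-Allow-Credentials');
  return allowCreds === 'true'
    ? { ok: true, reason: 'origin match with credentials' }
    : { ok: false, reason: 'credentials not allowed' };
}

// The check runs once per response: first the preflight, then the actual
// request's response. Report the first stage at which the browser blocks.
function diagnose(origin, exchange) {
  for (const stage of ['preflight', 'actual']) {
    const res = exchange[stage];
    const result = corsCheck(origin, res.headers);
    if (!result.ok) return { blockedAt: stage, status: res.status, reason: result.reason };
  }
  return { blockedAt: null, status: exchange.actual.status, reason: 'readable by script' };
}

// Constructed sample data (hypothetical header sets, not captured traffic).
const ORIGIN = 'http://localhost:1234';
const preflight = {
  status: 200,
  headers: { 'Access-Control-Allow-Origin': ORIGIN, 'Access-Control-Allow-Headers': 'authorization' },
};
// Invalid bearer token: rejection assumed to be sent without any CORS headers.
const badToken = { preflight, actual: { status: 401, headers: { 'Content-Length': '0' } } };
// Valid token: the response carries the CORS header.
const goodToken = { preflight, actual: { status: 200, headers: { 'access-control-allow-origin': ORIGIN } } };

console.log(diagnose(ORIGIN, badToken));
console.log(diagnose(ORIGIN, goodToken));
```

Comparing the response headers of the failing request itself (not the OPTIONS request) against this check shows whether the 401 is what loses the header.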