[keycloak-user] Keycloak-spring-boot-adapter CORS bug?

Björn Janson bjorn.j.janson at gmail.com
Thu Nov 3 03:53:04 EDT 2016

Hello all,

I'm building an application with a Spring Boot (1.4.0) resource service and
AngularJS (1.5.8) front-end. Both are separate projects and run on
different ports. Therefore I applied global Spring Boot CORS configuration
as instructed on this page: https://spring.io/guides/gs/rest-service-cors/.
This works fine. When I want to secure my application using Keycloak I
get a No 'Access-Control-Allow-Origin' header 401 when my front-end wants
to retrieve data from the service.

Because I'm using keycloak-spring-boot-adapter the configuration has to be
done in the application.properties. I added these lines:

keycloak.cors = true
keycloak.cors-max-age = 1000
keycloak.cors-allowed-methods = POST, PUT, DELETE, GET

These didn't give an error. (keycloak.enable-cors = true did). Still, I get
a 401 with a No 'Access-Control-Allow-Origin' error.

I tried several versions of the keycloak-spring-boot-adapter as well as
Spring Boot 1.4.1 (which actually resulted in an internal error as
described here:
I tried disabling the Spring Boot CORS configuration. I also tried to
minimize the lines in my application.properties and only add
keycloak.cors = true for CORS configuration. None of these worked.

I'm just starting out with Keycloak so I don't know whether I'm missing
something or have actually stumbled upon a bug. Is there anyone who might
be able to help me?

Kind regards,
