keycloak realmresourceprovider corse

Question

I\'m evaluating some IAM Products and encountered a Problem with CORS with the RealmResourceProvider from Keycloak. The goal is to write an angular4 client able to create u

Answer 1

Keycloak should automatically handle CORS headers for you when you set "enable-cors": true in the client configuration JSON file as you mention.

The reason why the server is not adding the Access-Control-Allow-Origin header is because Keycloak rejects the origin unless the token is configured (via the admin console) to do so. It's very subtle, but it's mentioned in the docs (https://www.keycloak.org/docs/4.1/securing_apps/index.html):

enable-cors This enables CORS support. It will handle CORS preflight requests. It will also look into the access token to determine valid origins.

Notice the last sentence. The "valid origins" in the "access token" are part of the client configuration, which is set via the admin UI.