Access type confidential causes CORS problems with keycloak.js


I created a new client with access type set to “public” and login from my web application using keycloak.js which works, at least with 10.0.
Now I switched the same setup to access type “confidential” and I get the error that the “Access-Control-Allow-Origin” header is missing.

Keycloak runs in development mode with a self signed cert and my client on localhostin non SSL mode.
Is that expected to work at all?

If so, what would I have to do? I am running 11.0.2 right now, but can easily switch to a different version if needed.


Edit So I went through the docs again and the keycloak.js part explicitly states that in the browser only the public setting is expected to work.

You need to have configured Web Origins client config properly for confidential OIDC client.