Allow users to delete their own MFA devices

Hello all-

I’m working on building Keycloak into a React app and am trying to do so as transparently as possible. That is, I want to avoid sending users to the Keycloak account manager as much as possible to make the experience as cohesive as possible.

To that end, I’ve been using a lot of Application Initiated Actions, allowing users to update their name, email, password, and add MFA devices. Interestingly enough, there doesn’t appear to be an AIA that allows users to delete an MFA device, but I saw the account console makes a simple DELETE request to remove a device.

However, when I try to do this from the React app with the user token, I keep hitting CORS errors since DELETE is not an allowed CORS method.

Is there:

  • a way to use Application Initiated Actions to have a user delete an MFA device?
  • a way to enable DELETE cross-origin requests? I’m using the jboss/keycloak Docker image
  • some completely different method I haven’t thought of that will work way better?

Thanks in advance!