API complains about no-referrer-when-downgrade with Keycloak

Hi all

I am trying to secure my API service, which is running on Jetty, with Keycloak according to the documentation at https://www.keycloak.org/docs/latest/securing_apps/index.html#_jetty9_adapter.

I have created a client, user-svc, that has the following installation in Keycloak:

```json
{
  "realm": "databaker",
  "bearer-only": true,
  "auth-server-url": "http://localhost:8080/auth/",
  "ssl-required": "external",
  "resource": "user-svc",
  "confidential-port": 0
}
```

The jetty-web.xml configuration:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE Configure PUBLIC "-//Mort Bay Consulting//DTD Configure//EN" "http://www.eclipse.org/jetty/configure_9_0.dtd">
<Configure class="org.eclipse.jetty.webapp.WebAppContext">
    <Get name="securityHandler">
        <Set name="authenticator">
            <New class="org.keycloak.adapters.jetty.KeycloakJettyAuthenticator">
                <Set name="adapterConfig">
                    <New class="org.keycloak.representations.adapters.config.AdapterConfig">
                        <Set name="realm">databaker</Set>
                        <Set name="resource">user-svc</Set>
                        <Set name="authServerUrl">http://localhost:8080/auth/</Set>
                        <Set name="sslRequired">external</Set>
                        <Set name="bearerOnly">true</Set>
                        <Set name="confidentialPort">0</Set>
                    </New>
                </Set>
            </New>
        </Set>
    </Get>
</Configure>
```

and web.xml:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" version="3.0">
    <servlet>
        <servlet-name>user-svc</servlet-name>
        <servlet-class>io.databaker.UserSvcServlet</servlet-class>
        <async-supported>true</async-supported>
    </servlet>
    <servlet-mapping>
        <servlet-name>user-svc</servlet-name>
        <url-pattern>/*</url-pattern>
    </servlet-mapping>

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>user-svc</web-resource-name>
            <url-pattern>/*</url-pattern>
            <url-pattern>/user/*</url-pattern>
            <url-pattern>/genders</url-pattern>
            <url-pattern>/interests</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>user</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>this is ignored currently</realm-name>
    </login-config>

    <security-role>
        <role-name>admin</role-name>
    </security-role>
    <security-role>
        <role-name>user</role-name>
    </security-role>

    <filter>
        <filter-name>cross-origin</filter-name>
        <filter-class>org.eclipse.jetty.servlets.CrossOriginFilter</filter-class>
        <init-param>
            <param-name>allowedOrigins</param-name>
            <param-value>http://localhost:3000</param-value>
        </init-param>
        <init-param>
            <param-name>allowedMethods</param-name>
            <param-value>GET,POST,HEAD,PUT,HEAD,OPTIONS</param-value>
        </init-param>
        <init-param>
            <param-name>allowedHeaders</param-name>
            <param-value>X-Requested-With,Content-Type,Accept,Origin,Cache-Control</param-value>
        </init-param>
        <init-param>
            <param-name>chainPreflight</param-name>
            <param-value>false</param-value>
        </init-param>
        <async-supported>true</async-supported>
    </filter>
    <filter-mapping>
        <filter-name>cross-origin</filter-name>
        <url-pattern>/*</url-pattern>
        <url-pattern>/user/*</url-pattern>
        <url-pattern>/genders</url-pattern>
        <url-pattern>/interests</url-pattern>
    </filter-mapping>
</web-app>
```

The user-svc service is running on http://localhost:9090

```text
java -jar start.jar -Djetty.http.port=9090
2020-07-13 10:20:16 INFO  log:169 - Logging initialized @230ms to org.eclipse.jetty.util.log.Slf4jLog
2020-07-13 10:20:17 WARN  HomeBaseWarning:72 - This instance of Jetty is not running from a separate {jetty.base} directory, this is not recommended.  See documentation at http://www.eclipse.org/jetty/documentation/current/startup.html
2020-07-13 10:20:17 INFO  Server:360 - jetty-9.4.29.v20200521; built: 2020-05-21T17:20:40.598Z; git: 77c232aed8a45c818fd27232278d9f95a021095e; jvm 11.0.7+10-LTS
2020-07-13 10:20:17 INFO  ScanningAppProvider:128 - Deployment monitor [file:///home/developer/playground/user-svc-env/jetty-svc/webapps/] at interval 1
2020-07-13 10:20:18 INFO  AnnotationConfiguration:473 - Scanning elapsed time=588ms
2020-07-13 10:20:18 INFO  session:334 - DefaultSessionIdManager workerName=node0
2020-07-13 10:20:18 INFO  session:339 - No SessionScavenger set, using defaults
2020-07-13 10:20:18 INFO  session:140 - node0 Scavenging every 600000ms
2020-07-13 10:20:18 INFO  ContextHandler:849 - Started o.e.j.w.WebAppContext@14dd7b39{root,/,file:///tmp/jetty-0_0_0_0-9090-root_war-_-any-934191447021540237.dir/webapp/,AVAILABLE}{/home/developer/playground/user-svc-env/jetty-svc/webapps/root.war}
2020-07-13 10:20:18 INFO  AbstractConnector:331 - Started ServerConnector@18ca3c62{HTTP/1.1, (http/1.1)}{0.0.0.0:9090}
2020-07-13 10:20:18 INFO  Server:400 - Started @1892ms
```

When calling the API service from the webapp, I get the following error message:
[![enter image description here][1]][1]

What am I doing wrong?

Thanks

[1]: https://i.stack.imgur.com/ptQUQ.png
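
An added check, not part of the original post: a bearer-only service receives its token in the `Authorization` request header, and a browser calling it cross-origin sends a preflight that succeeds only if the `CrossOriginFilter`'s `allowedHeaders` lists that header; a `CONFIDENTIAL` transport guarantee additionally requires the request to arrive over TLS. The sketch below reports both conditions for a trimmed copy of the `web.xml` above. The function name `lint_web_xml` and the finding labels are made up for this example.

```python
import xml.etree.ElementTree as ET

NS = {"j": "http://java.sun.com/xml/ns/javaee"}

# Constructed sample: the constraint and CORS filter from the web.xml in the post, trimmed.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>user-svc</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>user</role-name></auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <filter>
    <filter-name>cross-origin</filter-name>
    <filter-class>org.eclipse.jetty.servlets.CrossOriginFilter</filter-class>
    <init-param>
      <param-name>allowedHeaders</param-name>
      <param-value>X-Requested-With,Content-Type,Accept,Origin,Cache-Control</param-value>
    </init-param>
  </filter>
</web-app>"""


def lint_web_xml(xml_text, service_url):
    """Return finding labels for a bearer-only API that a browser calls cross-origin."""
    root = ET.fromstring(xml_text)
    findings = []
    for flt in root.findall("j:filter", NS):
        if not flt.findtext("j:filter-class", "", NS).strip().endswith("CrossOriginFilter"):
            continue
        params = {p.findtext("j:param-name", "", NS).strip(): p.findtext("j:param-value", "", NS)
                  for p in flt.findall("j:init-param", NS)}
        # A missing allowedHeaders param is flagged too: the filter's default list
        # (X-Requested-With,Content-Type,Accept,Origin) has no Authorization either.
        allowed = {h.strip().lower() for h in params.get("allowedHeaders", "").split(",")}
        if "*" not in allowed and "authorization" not in allowed:
            findings.append("cors-authorization-header-not-allowed")
    for tg in root.iterfind(".//j:user-data-constraint/j:transport-guarantee", NS):
        # CONFIDENTIAL requires TLS; a plain-HTTP request cannot satisfy the constraint.
        if (tg.text or "").strip() == "CONFIDENTIAL" and service_url.lower().startswith("http://"):
            findings.append("confidential-constraint-on-plain-http")
    return findings


if __name__ == "__main__":
    for finding in lint_web_xml(WEB_XML, "http://localhost:9090"):
        print(finding)
```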