CORS different with client public or confidential

Hi there,

I have an Angular app.
When I set the access type to confidential I get CORS errors in the browser and no ‘Access-Control-Allow-Origin’ header is present.
When switching to public I get no CORS Problem and I can see the ‘Access-Control-Allow-Origin’ headers.

I see that it does not make much sense to set the access to confidential using an Angular app where the secret can be seen in the browser.

Still, I am wondering if my observations are correct and that they make sense.

Thanks for any input


You need:

  • confidential client
  • with correctly configured Web origins configuration (that’s not a ‘*’) => no CORS error
  • OpenID Connect Code Flow with PKCE (or not recommended implicit flow) => no secrets in the browser
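
The PKCE part of the code flow named in the list above, as an added example that is not part of the thread or of any Keycloak library: it derives the S256 challenge (RFC 7636) and builds the authorization URL and token request for a Keycloak realm. The issuer URL, client id and redirect URI passed in `cfg` are constructed placeholders, and Node's `crypto` module stands in for the browser's WebCrypto so the block runs offline.

```javascript
// Added example: PKCE (RFC 7636, S256) for the Authorization Code Flow.
const { createHash, randomBytes } = require('crypto');

// base64url without padding, as RFC 7636 requires
function base64url(buf) {
  return Buffer.from(buf).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// 32 random bytes -> 43-character verifier (allowed length is 43..128)
function newCodeVerifier() {
  return base64url(randomBytes(32));
}

// code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
function codeChallenge(verifier) {
  if (!/^[A-Za-z0-9\-._~]{43,128}$/.test(verifier)) {
    throw new Error('code_verifier must be 43-128 unreserved characters');
  }
  return base64url(createHash('sha256').update(verifier, 'ascii').digest());
}

// Step 1: URL the browser is redirected to; only the challenge leaves the app.
// cfg = { issuer, clientId, redirectUri } holds placeholder values (assumption).
function authorizationUrl(cfg, verifier, state) {
  const url = new URL(cfg.issuer + '/protocol/openid-connect/auth');
  url.search = new URLSearchParams({
    response_type: 'code',
    client_id: cfg.clientId,
    redirect_uri: cfg.redirectUri,
    scope: 'openid',
    state,
    code_challenge: codeChallenge(verifier),
    code_challenge_method: 'S256',
  }).toString();
  return url.toString();
}

// Step 2: form body POSTed to the token endpoint; the verifier proves that the
// caller is the same party that started step 1. No client_secret is included.
function tokenRequestBody(cfg, code, verifier) {
  return new URLSearchParams({
    grant_type: 'authorization_code',
    client_id: cfg.clientId,
    redirect_uri: cfg.redirectUri,
    code,
    code_verifier: verifier,
  }).toString();
}
```

The token request carries `code_verifier` and no `client_secret`; a client registered as confidential is additionally expected to authenticate at the token endpoint, which matches the client credential failure reported further down the thread.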

Thanks for the answer. This is what I did not PKCE yet.

I am following this example: with access type public, no CORS errors; with confidential, I get CORS errors.

It turned out it was not a CORS problem; the client credential authentication failed.

This was removed in 8.0.0

It does not make much sense in a browser app.

Hi Torsten,

Did you find a solution for this issue? Apparently the solution “with correctly configured Web origins configuration (that’s not a ‘*’) => no CORS error” doesn’t work for me.

I am now using this solution for Angular implementation.

Thank you,

I ran into several issues when trying to get angular-oauth2-oidc to work with Keycloak when using the Authorization Code Flow with PKCE.

I ended up switching to oidc-client.


I am having the same issues. If I use a confidential client I cannot perform the login properly. If I switch to public I can log in with no problems.

I am using keycloak-angular library.


Hey guys, just to bump the thread.
I am having the same issue and switching to public is not really an option.

The issue with switching to Public is that the Authorization tab (features) is no longer present.
And for our project we are using these features (resources, scopes, permissions etc…)

Now from what I see in PRs:

and the majority of the posts I find advise switching to public to ‘solve the issue’, again, this causes us to lose out on a feature as it gets disabled.

Keycloak documentation for reference:

Basically all I need is a way to use keycloak from angular with Access Type set to confidential (because that is the only way to see / use authorization tab)

Keycloak version: 9.0.0
keycloak-angular version: 7.3.1
keycloak-js version: 10.0.2
angular version: 9.1.7

client settings:

Hey guys,

For what it’s worth, we did manage to use confidential by using an older version of keycloak-angular:

"@angular/core": "9.1.7",
"keycloak-angular": "^6.1.0"

keycloak server version is: 9.0.0

Again, our issue was not how the secret was handled but that by switching to ‘public’ we lost out on the Authorization keycloak features - resource, scope, policy and permission management.
But with this rollback, it seems to work. Something to consider if you need Authorization features (thus ‘confidential’ enabled)