CORS error in refresh token by XHR

I integrated an Angular application with a Java EE backend in the same WAR deployed in WildFly, with a Keycloak client, Confidential access type.

I have correctly configured https://prueba.com in the Web Origin client
in client scope: web origin

When I run the Angular application's index.html, it redirects me to the IdP login.
I log in, everything OK.
If I execute a GET from the browser, it works OK.
If I run a GET by XHR, it works OK.
After the token expires, when executing a GET from the browser, it redirects to the IdP and refreshes the token.
After the token expires, when executing a GET by XHR, it redirects to the IdP, the IdP responds, but it gives a CORS error in the console:
Access to XMLRequest at ‘https://idp.com/auth/realms/PRU/protocol/openid-connect/auth?312345&state-7d503346-d911-xxxx/prueba-keycloak&login=true&scope=openid’ (redirect from ‘https://prueba.com/prueba-keycloak/rs/back/solicitud/datos-propios/3123458’) from origin ‘https://prueba.com’ has been blocked by CORS policy: No ‘Access-Control-Allow-Origin’ header is present on the requested resource
GET at ‘https://idp.com/auth/realms/PRU/protocol/openid-connect/auth?312345&state-7d503346-d911-xxxx/prueba-keycloak&login=true&scope=openid
net::ERR_FAILED
ERROR Unknown Server Error: http failed response for 'https://prueba.com/prueba-keycloak/rs/back/solicitud/datos-propios/3123458
Does anyone know what might be happening? Or is it that Keycloak does not allow the refresh of the token from an XHR call?

You have a CORS issue because you have the wrong implementation. Your Java EE backend is acting as a web application, but it should be a backend/API. It should only validate the token, and if it is not valid it should return 401 Unauthorized for XHR requests (and the frontend should solve the problem, e.g. refresh the access token via the refresh token). But it looks like your backend is now not returning 401, but 301 - a redirect to the IDP auth. That’s wrong, because the user won’t be able to see any login form from an XHR request (even when you don’t have a CORS issue).
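
The frontend half of the pattern described in the answer above, as an added example that is not part of the original thread: a request wrapper that treats 401 as "refresh, then retry once" and shares a single refresh between calls that fail together. It assumes the API answers 401 for an expired token and accepts a Bearer token; `getToken`, `refresh` and `onLoginRequired` are hypothetical functions supplied by the application, and `fetchImpl` is `fetch` or a compatible stand-in.

```javascript
// Added example. Hypothetical app-supplied pieces (not from the thread):
//   getToken()        -> current access token (string)
//   refresh()         -> Promise<string>: new access token, rejects on failure
//   onLoginRequired() -> start a top-level navigation to the login page
function createAuthFetch({ fetchImpl, getToken, refresh, onLoginRequired }) {
  let inFlight = null; // one shared refresh for all calls that hit 401 together

  const send = (url, init, token) =>
    fetchImpl(url, {
      ...init,
      headers: { ...(init.headers || {}), Authorization: `Bearer ${token}` },
    });

  function refreshOnce() {
    if (!inFlight) {
      inFlight = Promise.resolve()
        .then(refresh)
        .finally(() => { inFlight = null; });
    }
    return inFlight;
  }

  return async function authFetch(url, init = {}) {
    const first = await send(url, init, getToken());
    if (first.status !== 401) return first;

    let token;
    try {
      token = await refreshOnce();
    } catch (err) {
      // The refresh itself failed: a login form can only be shown by a
      // top-level navigation, never inside an XHR/fetch response.
      onLoginRequired();
      throw err;
    }
    // Retry exactly once; a second 401 goes back to the caller unchanged.
    return send(url, init, token);
  };
}
```

Retrying only once keeps a permanently rejected token from turning into a request loop against the API.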