I have a following setup
JS React app (js-client) => Node JS Backend (api-client) => Keycloak auth server
For js-client I have set Web Origins to +, so it would work with all valid redirect urls.
api-client is Bearer only, so it doesn’t have cors settings.
Still, after I hit secured endpoint and login user in the browser, keycloak js adapter fails to get tokens, failing with:
Access to XMLHttpRequest at ‘…/protocol/openid-connect/token’ (redirected from ‘…/protocol/openid-connect/token’) from origin ‘http://localhost:8000’ has been blocked by CORS policy: No ‘Access-Control-Allow-Origin’ header is present on the requested resource.
Localhost is also in the valid redirect urls.