Thanks for your reply. We did add our front end to the client's web origins, but the CORS policy blocks front-end requests randomly.
Most of the time, redeployment could make it work. But I hope there is a better solution.
Not sure what kind of proof is expected? Or what's the best way to verify my assumption?
Please prove that it's "random". Show that the same preflight request gives you different responses over time. Easy task for curl.
I have solid experience that SPA devs don't understand how CORS works for OIDC and have unrealistic expectations (e.g. auth endpoint must work with XHR, because token endpoint works as well, "*" in web origins allows everything, because it's regexp and not literal, it will be working on localhost, wrong flows). I'm "sick" of those wrong expectations - I have created a repo with basic hints: GitHub - jangaraj/keycloak-cors-issue-debugging: Recommendations how to solve/debug CORS issues, when Keycloak IDP is used
It doesn't mean I'm 100% right. You just still didn't prove your claim "web origins are not stable". It's a very vague error description, so you need to support that. A CORS issue very likely indicates a problem with client configuration or with your code (and you didn't show those, so there is nothing that can be pointed to as a problem).
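The repeated preflight check requested above, as an added example that is not part of the original posts: it sends the identical `OPTIONS` preflight at intervals, logs each answer with a timestamp, and tallies the distinct (status, `Access-Control-Allow-Origin`) pairs. `KC_URL`, `ORIGIN`, `COUNT`, `INTERVAL`, the example hostnames and the `preflight.log` file name are assumptions; replace them with your own realm's token endpoint and front-end origin.

```shell
#!/bin/sh
# Added example: does the same CORS preflight get the same answer every time?
# All defaults below are placeholders (assumptions), not values from the thread.
KC_URL="${KC_URL:-https://keycloak.example.com/realms/myrealm/protocol/openid-connect/token}"
ORIGIN="${ORIGIN:-https://app.example.com}"
COUNT="${COUNT:-30}"        # number of probes
INTERVAL="${INTERVAL:-10}"  # seconds between probes

# Send one preflight exactly as a browser would before a cross-origin POST
# and print only the response headers.
probe() {
  curl -s --max-time 10 -o /dev/null -D - -X OPTIONS \
    -H "Origin: $ORIGIN" \
    -H "Access-Control-Request-Method: POST" \
    -H "Access-Control-Request-Headers: content-type" \
    "$KC_URL" || true
}

# Reduce raw response headers (stdin) to "<status> <ACAO value>".
# Header names are matched case-insensitively (HTTP/2 lowercases them).
parse_preflight() {
  tr -d '\r' | awk '
    NR == 1 { status = $2 }
    {
      i = index($0, ":")
      if (i > 0 && tolower(substr($0, 1, i - 1)) == "access-control-allow-origin") {
        acao = substr($0, i + 1); sub(/^[ \t]+/, "", acao)
      }
    }
    END { print (status == "" ? "ERR" : status), (acao == "" ? "<no-ACAO>" : acao) }'
}

# Number of distinct answers on stdin; 1 means the response was stable.
distinct_count() { sort -u | wc -l | tr -d ' '; }

# Run with: sh preflight-check.sh run
if [ "${1:-}" = "run" ]; then
  i=0
  while [ "$i" -lt "$COUNT" ]; do
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(probe | parse_preflight)"
    i=$((i + 1)); sleep "$INTERVAL"
  done | tee preflight.log | cut -d' ' -f2- | sort | uniq -c
  n=$(cut -d' ' -f2- preflight.log | distinct_count)
  echo "distinct answers: $n (1 = stable, >1 = the response really varies)"
fi
```

If the tally shows a single line, the server's answer is stable and the cause lies in the client configuration or front-end code; more than one line, together with the timestamps in `preflight.log`, is the evidence to post.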