Keycloak's login page adds header Origin: null when /authenticate request is submitted

Hello,
I’m trying to run Keycloak behind an API gateway (apigw), but I get the following issue. When the user is redirected to Keycloak’s login page (http://localhost:8888/auth/realms/{realm}/protocol/openid-connect/auth?client_id={c_id}&redirect_uri={r_uri}&response_type=code&scope=openid …) and hits the submit button, the page triggers a POST request against http://localhost:8888/auth/realms/{realm}/login-actions/authenticate with the header Origin: null:

This Origin: null header works fine when I’m serving the login page directly from Keycloak, but when I put it behind the apigw with a CORS policy enabled, it fails.

From what I saw, the Origin header is controlled by the browser, and it is the browser’s responsibility to add it to every POST request. My question is: do you know why it is set to null on Keycloak’s login page? And is there any chance that this behavior can be configured/overridden by some Keycloak property?

Keycloak version: 12.0.3

This blog post explains the root cause of the problem in detail and provides a solution:
