No "access-control-allow-origin" in case of 401-Unauthorized call

I have implemented some APIs in Spring Boot, using KeycloakWebSecurityConfigurerAdapter to manage service authentication using KeyCloak.

Authentication works perfectly.

My problem is the following:

  • in case of successful authentication, in the response header I correctly find the key “access-control-allow-origin” with the respective value.
  • in case of invalid authentication (for example for an expired token), I don’t find the “access-control-allow-origin” key, but a “www-authenticate” key with the error description in the value (for example: Bearer realm = “xxx”, error = “invalid_token”, error_description = “Token is not active”)

In this way, however, the frontend of the application blocks the call, considering it as “CORS error”.

In fact I would expect, even in case of status 401, to receive the correct value of “access-control-allow-origin” in the response header.

Any suggestions on how to handle this problem?

Thanks in advance,

1 Like

Did you find any solution for this?

Unfortunately, not yet.

Do you have any suggestions about this?