No "access-control-allow-origin" in case of 401-Unauthorized call

gianpaolo.zanella · February 20, 2021, 5:28pm

I have implemented some APIs in Spring Boot, using KeycloakWebSecurityConfigurerAdapter to manage service authentication using KeyCloak.

Authentication works perfectly.

My problem is the following:

in case of successful authentication, in the response header I correctly find the key “access-control-allow-origin” with the respective value.
in case of invalid authentication (for example for an expired token), I don’t find the “access-control-allow-origin” key, but a “www-authenticate” key with the error description in the value (for example: Bearer realm = “xxx”, error = “invalid_token”, error_description = “Token is not active”)

In this way, however, the frontend of the application blocks the call, considering it as “CORS error”.

In fact I would expect, even in case of status 401, to receive the correct value of “access-control-allow-origin” in the response header.

Any suggestions on how to handle this problem?

Thanks in advance,
Gianpaolo

alex88 · June 23, 2021, 3:29pm

Did you find any solution for this?

gianpaolo.zanella · June 24, 2021, 8:21am

Unfortunately, not yet.

Do you have any suggestions about this?

Topic		Replies	Views
Fix CORS problem - No Access Control Allow Origin header is present on the requested resource Configuring the server	7	31374	March 18, 2020
Spring Boot + React + Keycloak after login returns No Access-Controll-Allow-Origin header is present Configuring the server authentication	3	1860	February 13, 2024
No 'Access-Control-Allow-Origin' header is present on the requested resource in Keycloak 21	4	860	April 22, 2024
CORS issue when redirecting from Angular UI to Keycloak (Ver 23.0.5) for authentication, using a Spring Security backend Configuring the server oidc	2	1015	February 1, 2024
Access-Control-Allow-Origin Getting advice	10	1933	August 20, 2021