I have implemented some APIs in Spring Boot, using KeycloakWebSecurityConfigurerAdapter to manage service authentication using Keycloak.
Authentication works perfectly.
My problem is the following:
- in case of successful authentication, in the response header I correctly find the key “access-control-allow-origin” with the respective value.
- in case of invalid authentication (for example for an expired token), I don’t find the “access-control-allow-origin” key, but a “www-authenticate” key with the error description in the value (for example: Bearer realm = “xxx”, error = “invalid_token”, error_description = “Token is not active”).
In this way, however, the frontend of the application blocks the call, considering it as “CORS error”.
In fact I would expect, even in case of status 401, to receive the correct value of “access-control-allow-origin” in the response header.
Any suggestions on how to handle this problem?
Thanks in advance,
Gianpaolo
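
The behaviour described in the post above, as an added example that is not part of the original post: the browser's CORS check (per the Fetch standard) applied to a 401 bearer challenge with and without `access-control-allow-origin`. The origin, the sample responses and all function names are constructed for illustration; header names are assumed to be lower-cased keys.

```javascript
// Added example, not from the original post. Function names are hypothetical.
// CORS check from the Fetch standard: may the calling script see this response?
function passesCorsCheck(origin, headers, withCredentials = false) {
  const allowOrigin = headers["access-control-allow-origin"];
  if (allowOrigin === undefined) return false;              // header missing: blocked
  if (!withCredentials && allowOrigin === "*") return true; // wildcard, no credentials
  if (allowOrigin !== origin) return false;                 // must equal the page origin
  if (!withCredentials) return true;
  return headers["access-control-allow-credentials"] === "true";
}

// Extracts the auth-params of a Bearer challenge (realm, error, error_description).
function parseBearerChallenge(value) {
  const params = {};
  if (!value || !/^Bearer\s/i.test(value)) return params;
  const re = /([A-Za-z_]+)\s*=\s*"([^"]*)"/g;
  let m;
  while ((m = re.exec(value)) !== null) params[m[1].toLowerCase()] = m[2];
  return params;
}

// What frontend code can observe. A blocked response surfaces as a network
// error (XHR reports status 0, fetch() rejects), so the 401 itself is hidden.
function frontendView(origin, response) {
  const h = response.headers;
  if (!passesCorsCheck(origin, h)) return { visible: false, status: 0, error: null };
  // www-authenticate is not CORS-safelisted: readable only when exposed.
  const exposed = (h["access-control-expose-headers"] || "")
    .toLowerCase().split(",").map((s) => s.trim());
  const readable = exposed.includes("www-authenticate") || exposed.includes("*");
  const challenge = readable ? parseBearerChallenge(h["www-authenticate"]) : {};
  return { visible: true, status: response.status, error: challenge.error || null };
}

// Constructed sample data modelled on the headers quoted in the post.
const ORIGIN = "https://app.example";
const CHALLENGE =
  'Bearer realm="xxx", error="invalid_token", error_description="Token is not active"';
const expired401 = { status: 401, headers: { "www-authenticate": CHALLENGE } };
const corsAware401 = {
  status: 401,
  headers: {
    "www-authenticate": CHALLENGE,
    "access-control-allow-origin": ORIGIN,
    "access-control-expose-headers": "WWW-Authenticate",
  },
};

console.log(frontendView(ORIGIN, expired401));
console.log(frontendView(ORIGIN, corsAware401));
```

A server-side regression test can run the same check against error responses, so a 401 that would be hidden from the frontend is caught before release.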