RESTEASY003655 on OPTIONS request for CORS - No 'Access-Control-Allow-Origin' header is present on the requested resource


I am using Keycloak (8.0.1) to secure an Angular app and a Python backend.
Currently my backend returns a 302 to validate that a session is open in Keycloak.
I run into a quite usual CORS validation issue:

Access to XMLHttpRequest at 'http://localhost-kc.localdomain:8080/auth/realms/XXX/protocol/openid-connect/auth?client_id=xxx-backend&response_type=code&scope=openid&redirect_uri=http%3A%2F%2Flocalhost.localdomain%3A4200%2Fapi%2Fredirect_uri&state=XXXXXXXXXXXXXX&nonce=XXXXXXXXXXXXXX&prompt=none' (redirected from 'http://localhost.localdomain:4200/api/category/1/groups') from origin 'http://localhost.localdomain:4200' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

Of course http://localhost.localdomain:4200 is set as WebOrigins.

In fact I discovered that I got no real answer for CORS but something else. By means of a tcpdump and a Keycloak on HTTP, I got this:

HTTP/1.1 200 OK
Connection: keep-alive
Content-Type: application/json
Content-Length: 93
Date: Thu, 06 Feb 2020 13:52:55 GMT
{"error":"RESTEASY003655: No resource method found for options, return OK with Allow header"}

Any idea how to get out of this? Do you think I should create an issue on the Issue Tracker?


Try setting your client’s Web Origins to: *


No effect, exactly the same behaviour with the same message from RESTEASY and no errors in the Keycloak logs.

Hello all,
I know, this was almost 1.5 years ago, but I got the same issue, but only with revoking. Maybe it will help others. The problem was: I got the CORS error from my Angular app while trying to log out the user (login was OK). And the main problem of all: the preflight request. Please read more here. So, my problem was not in Keycloak, it was in WildFly, as by default it does not enable any CORS (I am using Keycloak 15.0.2 in Docker). To resolve my revoking issue, I updated standalone-ha.xml:

<subsystem xmlns="urn:jboss:domain:undertow:12.0" default-server="default-server" default-virtual-host="default-host" default-servlet-container="default" default-security-domain="other" statistics-enabled="${wildfly.undertow.statistics-enabled:${wildfly.statistics-enabled:false}}">
    <buffer-cache name="default"/>
    <server name="default-server">
        <ajp-listener name="ajp" socket-binding="ajp"/>
        <http-listener name="default" socket-binding="http" redirect-socket="https" proxy-address-forwarding="${env.PROXY_ADDRESS_FORWARDING:false}" enable-http2="true"/>
        <https-listener name="https" socket-binding="https" proxy-address-forwarding="${env.PROXY_ADDRESS_FORWARDING:false}" security-realm="ApplicationRealm" enable-http2="true"/>
        <host name="default-host" alias="localhost">
            <location name="/" handler="welcome-content"/>
            <http-invoker security-realm="ApplicationRealm"/>
            <filter-ref name="server-header"/>
            <filter-ref name="x-powered-by-header"/>
            <!-- References to the CORS response-header filters defined under <filters> -->
            <filter-ref name="Access-Control-Allow-Origin"/>
            <filter-ref name="Access-Control-Allow-Methods"/>
            <filter-ref name="Access-Control-Allow-Headers"/>
            <filter-ref name="Access-Control-Allow-Credentials"/>
            <filter-ref name="Access-Control-Max-Age"/>
        </host>
    </server>
    <servlet-container name="default">
        <!-- existing servlet-container content, not shown in the post -->
    </servlet-container>
    <handlers>
        <file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
    </handlers>
    <filters>
        <response-header name="server-header" header-name="Server" header-value="WildFly/10"/>
        <response-header name="x-powered-by-header" header-name="X-Powered-By" header-value="Undertow/1"/>
        <!-- CORS headers added to every response of default-host -->
        <response-header name="Access-Control-Allow-Origin" header-name="Access-Control-Allow-Origin" header-value="*"/>
        <response-header name="Access-Control-Allow-Methods" header-name="Access-Control-Allow-Methods" header-value="GET, POST, OPTIONS, PUT"/>
        <response-header name="Access-Control-Allow-Headers" header-name="Access-Control-Allow-Headers" header-value="accept, authorization, content-type, x-requested-with"/>
        <response-header name="Access-Control-Allow-Credentials" header-name="Access-Control-Allow-Credentials" header-value="true"/>
        <response-header name="Access-Control-Max-Age" header-name="Access-Control-Max-Age" header-value="1"/>
    </filters>
</subsystem>

The main changes: adding the filter-ref tags together with the filters. I used the Enable CORS Wildfly topic.

Thank you very much and I hope this helps someone.
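
Added example (not part of any post in this thread, and not Keycloak or WildFly code): a simplified JavaScript model of the browser's preflight check, run against the RESTEASY003655 response from the question and the headers the WildFly filters above emit. It shows why the first is blocked and that the `*` origin only passes for requests sent without credentials. `checkPreflight`, the request/response object shapes and the `pinned` variant are assumptions made for illustration.

```javascript
// Simplified model of the browser's CORS preflight check (Fetch standard); names are illustrative.
// Sample responses are constructed from the output and config quoted in this thread.
const SAFE_METHODS = ["GET", "HEAD", "POST"];
const list = (v) => (v || "").split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);

function checkPreflight(req, res) {
  const h = {};
  for (const [k, v] of Object.entries(res.headers)) h[k.toLowerCase()] = v;
  const creds = req.credentials === true; // XHR withCredentials / fetch credentials: "include"
  const acao = h["access-control-allow-origin"];
  if (acao === undefined) return "blocked: no Access-Control-Allow-Origin header";
  if (acao === "*") {
    if (creds) return "blocked: wildcard origin not allowed with credentials";
  } else if (acao !== req.origin) {
    return "blocked: origin mismatch";
  } else if (creds && h["access-control-allow-credentials"] !== "true") {
    return "blocked: Access-Control-Allow-Credentials is not true";
  }
  if (res.status < 200 || res.status > 299) return "blocked: preflight status " + res.status;
  const methods = list(h["access-control-allow-methods"]);
  const methodOk = SAFE_METHODS.includes(req.method) ||
    methods.includes(req.method.toLowerCase()) || (!creds && methods.includes("*"));
  if (!methodOk) return "blocked: method " + req.method + " not allowed";
  const allowed = list(h["access-control-allow-headers"]);
  for (const name of req.headers.map((n) => n.toLowerCase())) {
    const ok = allowed.includes(name) ||
      (!creds && allowed.includes("*") && name !== "authorization");
    if (!ok) return "blocked: header " + name + " not allowed";
  }
  return "allowed";
}

const origin = "http://localhost.localdomain:4200";
// 1. The RESTEASY003655 answer from the question: 200 OK, but no CORS headers at all.
const resteasy = { status: 200, headers: { "Content-Type": "application/json" } };
// 2. Headers set by the WildFly response-header filters in the post above.
const wildfly = { status: 200, headers: {
  "Access-Control-Allow-Origin": "*",
  "Access-Control-Allow-Methods": "GET, POST, OPTIONS, PUT",
  "Access-Control-Allow-Headers": "accept, authorization, content-type, x-requested-with",
  "Access-Control-Allow-Credentials": "true",
} };
// 3. Constructed variant that names the Angular origin instead of "*".
const pinned = { status: 200, headers: { ...wildfly.headers, "Access-Control-Allow-Origin": origin } };
// req.headers lists the non-safelisted request headers (here a bearer token header).
const xhr = (credentials) => ({ origin, method: "GET", headers: ["authorization"], credentials });

console.log("RESTEASY answer:", checkPreflight(xhr(false), resteasy));
console.log("WildFly '*', with credentials:", checkPreflight(xhr(true), wildfly));
console.log("Pinned origin, with credentials:", checkPreflight(xhr(true), pinned));
```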

I think you need to update standalone.xml, not standalone-ha.xml.