Keycloak with different urls per realm, behind apache reverse proxy

Following up on this!

The 403 for fully went away when I added a value to my “Web Origins” entry for the “account” client. This value seems to default to blank for all clients, and also doesn’t seem to automatically inherit a value from the “Frontend URL” value of the realm.

For the moment, for testing, I added “*”.

The online help for the “web origin” field says something like:

“Allowed CORS origins. To permit all origins of Valid Redirect URIs, add ‘+’. This does not include the ‘*’ wildcard though. To permit all origins, explicitly add ‘*’.”

Which isn’t super helpful. I would figure that this would have been mentioned in the hostname documentation, where if you allow multiple hostnames, this is one of the things you need to configure.

I also would have loved to find a log entry in Keycloak that says something like “returning a 403 for (foo.js) because (url) is not listed as a valid web origin.”

I would have never found this, if not for this serverfault post.
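
The Web Origins rules quoted from the help text above, modelled as an added example (this is not Keycloak's code and not part of the original post). It shows why a blank entry rejects every origin and how an explicit per-realm origin is narrower than “*”. The hostnames are constructed, and skipping relative redirect URIs under “+” is an assumption of this sketch.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def origin_of(uri):
    """Return scheme://host[:port] for an absolute http(s) URI, else None."""
    parts = urlsplit(uri)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None  # bare "*" or a relative path has no origin
    port = parts.port
    if port is None or port == DEFAULT_PORTS[parts.scheme]:
        return f"{parts.scheme}://{parts.hostname}"
    return f"{parts.scheme}://{parts.hostname}:{port}"

def allowed_origins(web_origins, redirect_uris):
    """Expand a client's Web Origins list into (allow_all, explicit origins)."""
    allow_all, origins = False, set()
    for entry in web_origins:
        if entry == "*":
            allow_all = True  # only an explicit "*" permits every origin
        elif entry == "+":
            # "+" takes the origins of the Valid Redirect URIs; a "*" redirect
            # URI contributes nothing (assumption: relative URIs are skipped too)
            origins.update(o for o in map(origin_of, redirect_uris) if o)
        else:
            o = origin_of(entry)
            if o:
                origins.add(o)
    return allow_all, origins

def is_allowed(request_origin, web_origins, redirect_uris):
    """Decide whether a browser's Origin header value passes the client config."""
    allow_all, origins = allowed_origins(web_origins, redirect_uris)
    return allow_all or origin_of(request_origin) in origins

if __name__ == "__main__":
    # Constructed per-realm hostnames behind the reverse proxy.
    realm_a = "https://sso-a.example.org"
    redirects = [realm_a + "/*"]
    for label, web in [("blank", []), ("+", ["+"]), ("explicit", [realm_a]), ("*", ["*"])]:
        print(label, is_allowed(realm_a, web, redirects),
              is_allowed("https://other.example.net", web, redirects))
```

The “explicit” row is the one that accepts the realm's own hostname while still rejecting the unrelated origin, which “*” does not.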