No "access-control-allow-origin" in case of 401-Unauthorized call

gianpaolo.zanella · February 20, 2021, 5:28pm

I have implemented some APIs in Spring Boot, using KeycloakWebSecurityConfigurerAdapter to manage service authentication using KeyCloak.

Authentication works perfectly.

My problem is the following:

in case of successful authentication, in the response header I correctly find the key “access-control-allow-origin” with the respective value.
in case of invalid authentication (for example for an expired token), I don’t find the “access-control-allow-origin” key, but a “www-authenticate” key with the error description in the value (for example: Bearer realm = “xxx”, error = “invalid_token”, error_description = “Token is not active”)

In this way, however, the frontend of the application blocks the call, considering it as “CORS error”.

In fact I would expect, even in case of status 401, to receive the correct value of “access-control-allow-origin” in the response header.

Any suggestions on how to handle this problem?

Thanks in advance,
Gianpaolo

alex88 · June 23, 2021, 3:29pm

Did you find any solution for this?

gianpaolo.zanella · June 24, 2021, 8:21am

Unfortunately, not yet.

Do you have any suggestions about this?

Topic		Replies	Views
No 'Access-Control-Allow-Origin' header is present on the requested resource authentication	0	435	February 23, 2021
No 'Access-Control-Allow-Origin' header is present on the requested resource in Keycloak 21	4	1551	April 22, 2024
Fix CORS problem - No Access Control Allow Origin header is present on the requested resource Configuring the server	7	33353	March 18, 2020
Spring Boot + React + Keycloak after login returns No Access-Controll-Allow-Origin header is present Configuring the server authentication	3	2148	February 13, 2024
Header ‘authorization’ is not allowed according to header ‘Access-Control-Allow-Headers’	0	660	May 27, 2020