
Keycloak CORS behind traefik on Kubernetes


After some hours of analysis, not understanding what happens here:

  • Setting the Web Origins to * is OK, though I suggest setting it explicitly to the right origins, here: https://myfrontend.dev.example.com (without the /* as in Stuck's answer)
  • If we check the /token endpoint using a cross-origin request, it works, because the expected response headers are set
  • BUT: the problem here occurred with the /auth endpoint

So, for whoever runs into this problem: Keycloak, as of 10/2020 with version 11.x, simply does not support CORS on the /auth OpenID Connect (OIDC) endpoint. It is not a requirement from the OIDC specs, so Keycloak (and other tools) do not support CORS here.

If we set the Web Origin and have CORS enabled, it will work for some endpoints, e.g. /token, but not for others, e.g. /auth. This is because /auth counts as a user-only endpoint, one that a user would explicitly request or be redirected to, and NOT one the frontend should somehow send requests to in the background.

We had implemented a wrong workflow inside a part of our application. Not a Keycloak (or traefik or Kubernetes) problem.

Please check this discussion for any feature updates: https://keycloak.discourse.group/t/authorizationendpoint-does-not-support-cors/3495
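
The workflow described in the answer above, as an added example (not code from the answer or from Keycloak): the browser navigates to /auth and only calls /token with fetch(). The Keycloak host, realm name, client id and callback path are assumed placeholders.

```javascript
// Added example. KEYCLOAK, REALM, CLIENT_ID and REDIRECT_URI are placeholder assumptions.
const KEYCLOAK = "https://keycloak.dev.example.com"; // hypothetical host
const REALM = "myrealm";                             // hypothetical realm
const CLIENT_ID = "my-frontend";                     // hypothetical public client
const REDIRECT_URI = "https://myfrontend.dev.example.com/callback";
const OIDC = `${KEYCLOAK}/auth/realms/${REALM}/protocol/openid-connect`;

// Random value bound to this login attempt; checked again on the callback.
function newState() {
  const bytes = crypto.getRandomValues(new Uint8Array(16));
  return Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
}

// /auth is a user-facing endpoint: build the URL and navigate to it.
function buildAuthUrl(state) {
  const url = new URL(`${OIDC}/auth`);
  url.search = new URLSearchParams({
    response_type: "code", scope: "openid", state,
    client_id: CLIENT_ID, redirect_uri: REDIRECT_URI,
  }).toString();
  return url.toString();
}

// Read ?code=...&state=... from the callback URL; reject a mismatched state.
function parseCallback(callbackUrl, expectedState) {
  const params = new URL(callbackUrl).searchParams;
  if (params.get("error")) throw new Error(`login failed: ${params.get("error")}`);
  if (!expectedState || params.get("state") !== expectedState) throw new Error("state mismatch");
  const code = params.get("code");
  if (!code) throw new Error("no authorization code in callback");
  return code;
}

// /token answers with CORS headers for origins listed in Web Origins, so fetch() works.
async function exchangeCode(code) {
  const res = await fetch(`${OIDC}/token`, {
    method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: new URLSearchParams({ grant_type: "authorization_code", code,
      client_id: CLIENT_ID, redirect_uri: REDIRECT_URI }),
  });
  if (!res.ok) throw new Error(`token request failed: ${res.status}`);
  return res.json();
}

// In the browser (top-level navigation, not fetch/XHR):
//   const state = newState(); sessionStorage.setItem("oidc_state", state);
//   window.location.assign(buildAuthUrl(state));
```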


AFAIK * is not allowed in this scenario. When setting the frontend domain, try adding /* at the end:

https://myfrontend.dev.example.com/*

If this still does not work, have a look at the Keycloak logs as well as the response headers in Chrome DevTools and add them to your question.