Blog

keycloak-js adapter: public clients, CORS on the token endpoint, and realm versus client URL configuration

Keycloak realms expose multiple endpoints—ensure each path used by the browser is listed in CORS policies on reverse proxies.

Published: 2028-01-26Updated: 2028-01-281 min read

keycloakoauth2cors

Themes

Custom login themes may embed third-party assets—those origins must be allowed in Content-Security-Policy and CORS.

Locale switching can change form actions—verify CORS after i18n updates.

Sticky sessions behind load balancers can affect token refresh timing—align with CORS cache TTLs.

Cross-datacenter replication delays should not cause intermittent CORS denials—monitor health endpoints.