keycloak/keycloak

CORS Header missing when accessing /account endpoint with an expired session

Open

#47934 opened on 10 Apr 2026

Labels: area/account/api, help wanted, kind/bug, priority/low, status/auto-bump, status/auto-expire, team/core-clients, team/core-shared

Description

Before reporting an issue

  • I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

Area

account/api

Describe the bug

When a user session ends (e.g. by using the session limit) and loadUserProfile() (on the Keycloak js-adapter) is called, it does not result in a 401 error but in a low-level TypeError caused by CORS. The result is: the user is redirected to a low-level error page instead of the login page. When we look at the actual request, we see that the request to /account results in a 401 but with missing CORS headers. Because of this, the 401 is ignored by the browser and a TypeError is thrown.

Version

26.6.0

Regression

  • The issue is a regression

Expected behavior

TypeError is thrown

Actual behavior

401 can be handled correctly

How to Reproduce?

End the users session in Keycloak and call loadUserProfile() in the frontend.

Anything else?

No response
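As an added example (not code from the issue or from the Keycloak project), the following wrapper shows how a frontend can cope with the behaviour described above: the request that loadUserProfile() performs against the realm's /account endpoint is modelled with an injected fetch, so that a genuine 401 and the opaque TypeError the browser raises when the 401 lacks CORS headers both end in the same "session expired" path instead of a low-level error page. The account URL, the token value and the fetch doubles are constructed for the demonstration.

```javascript
// Wrapper around the fetch that the Keycloak js-adapter's loadUserProfile()
// performs. fetchImpl is injected so the three observable outcomes can be
// simulated offline (constructed doubles, see fakeFetch below).
async function loadProfileSafely(fetchImpl, accountUrl, token) {
  let response;
  try {
    response = await fetchImpl(accountUrl, {
      headers: { Authorization: `Bearer ${token}`, Accept: "application/json" },
    });
  } catch (err) {
    // A CORS-blocked response never reaches the page as a status code; the
    // browser rejects the fetch with a TypeError. Because the request carried
    // a bearer token, treat it as a probable expired session, not as a crash.
    if (err instanceof TypeError) {
      return { outcome: "session-expired", reason: "opaque-cors-failure" };
    }
    throw err;
  }
  if (response.status === 401) {
    return { outcome: "session-expired", reason: "401" };
  }
  if (!response.ok) {
    return { outcome: "error", status: response.status };
  }
  return { outcome: "ok", profile: await response.json() };
}

// Constructed account URL (assumed realm name, not taken from the issue).
const ACCOUNT_URL = "https://keycloak.example/realms/demo/account";

// Constructed fetch doubles for the three cases a caller can observe.
function fakeFetch(kind) {
  return async () => {
    if (kind === "cors-blocked") throw new TypeError("Failed to fetch");
    if (kind === "401") return { ok: false, status: 401, json: async () => ({}) };
    return { ok: true, status: 200, json: async () => ({ username: "alice" }) };
  };
}

// Runs all three cases and returns the classified results keyed by case.
async function demo() {
  const results = {};
  for (const kind of ["ok", "401", "cors-blocked"]) {
    results[kind] = await loadProfileSafely(fakeFetch(kind), ACCOUNT_URL, "token");
  }
  return results;
}
```

An application would route every "session-expired" result to its login redirect, while "error" and re-thrown exceptions keep their existing handling. To confirm the server side of the report, compare the response headers of the /account request with a valid and with an expired token: a 401 without an Access-Control-Allow-Origin header is the case the reporter describes.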
