CORS Header missing when accessing /account endpoint with an expired session
#47,934 opened on 2026年4月10日
Repository metrics
- Stars
- (34,398 stars)
- PR merge metrics
- (平均マージ 6d 19h) (30d で 384 merged PRs)
説明
Before reporting an issue
- I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.
Area
account/api
Describe the bug
When a user session ends (e.g. by using the session limit) and loadUserProfile() (on the Keaycloak js-adapter) is called, it does not result in an 401 error but in a low level TypeError caused by CORS. The result is: The user is redirected to a low level error page instead of the login page. When we look at the actual request, we see, that the request to /account results in a 401 but with missing CORS headers. Because of this, the 401 is ignored by the browser and a TypeError is thrown.
Version
26.6.0
Regression
- The issue is a regression
Expected behavior
TypeError is thrown
Actual behavior
401 can be handled correctly
How to Reproduce?
End the users session in Keycloak and call loadUserProfile() in the frontend.
Anything else?
No response