Description
Before reporting an issue
- I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.
Area
oidc
Describe the bug
Setting a trusted-hosts client policy in the Client Registration does not set the appropriate headers for CORS in /realms/<realm>/clients-registrations/openid-connect. The endpoint doesn't support the OPTIONS HTTP method.
Version
26.2.4 Latest
Regression
- The issue is a regression
Expected behavior
CORS headers are included in OIDC client registration endpoints following the trusted-hosts policy (including *).
Actual behavior
CORS headers are not included and requests from the browser fail.
How to Reproduce?
Start an anonymous client registration from a browser and check browser network tab failures.
Anything else?
Found when testing an MCP server in MCP Inspector. Using Keycloak as authentication provider with OAuth 2.0 Dynamic Client Registration Protocol (RFC7591).
Related issue #8863 from 2021. Opening a new one to make sure triage works with the correct issue labels.
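
Added example, not part of the original issue and not Keycloak code: a browser-style evaluation of a CORS preflight response, showing why a cross-origin JSON registration POST fails when the endpoint rejects OPTIONS and sends no CORS headers. The origin, the 405 status and both sample responses are constructed assumptions; the issue does not give captured traffic.

```javascript
// Browser-style check of a CORS preflight response for a non-credentialed
// cross-origin request. `response` is { status, headers }, lower-case names.
function checkPreflight(origin, method, requestHeaders, response) {
  const problems = [];
  const h = response.headers;
  const list = (v) =>
    (v || "").split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);

  // The preflight itself must come back with a 2xx status.
  if (response.status < 200 || response.status > 299) {
    problems.push(`preflight status ${response.status} is not 2xx`);
  }
  const allowOrigin = h["access-control-allow-origin"];
  if (allowOrigin === undefined) {
    problems.push("missing Access-Control-Allow-Origin");
  } else if (allowOrigin !== "*" && allowOrigin !== origin) {
    problems.push(`Access-Control-Allow-Origin does not match ${origin}`);
  }
  // GET, HEAD and POST are CORS-safelisted and need no Allow-Methods entry.
  const m = method.toLowerCase();
  const allowMethods = list(h["access-control-allow-methods"]);
  if (!["get", "head", "post"].includes(m) &&
      !allowMethods.includes(m) && !allowMethods.includes("*")) {
    problems.push(`method ${method} not allowed`);
  }
  // Non-safelisted request headers (here Content-Type: application/json)
  // must be listed; "*" never covers Authorization.
  const allowHeaders = list(h["access-control-allow-headers"]);
  for (const name of requestHeaders.map((s) => s.toLowerCase())) {
    const wildcard = allowHeaders.includes("*") && name !== "authorization";
    if (!allowHeaders.includes(name) && !wildcard) {
      problems.push(`request header ${name} not allowed`);
    }
  }
  return { allowed: problems.length === 0, problems };
}

// Constructed samples, not captured traffic. The issue gives no status code
// for OPTIONS, so 405 is a placeholder; the origin is hypothetical.
const ORIGIN = "https://inspector.example";
const withoutCors = { status: 405, headers: {} };
const withCors = { status: 200, headers: {
  "access-control-allow-origin": ORIGIN,
  "access-control-allow-methods": "POST, OPTIONS",
  "access-control-allow-headers": "Content-Type" } };
function demo() {
  return [withoutCors, withCors].map((r) =>
    checkPreflight(ORIGIN, "POST", ["content-type"], r));
}
console.log(JSON.stringify(demo(), null, 2));
```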