How to configure CORS in APIMan

Question

I'm new on apiman, and I'm trying to use some API calls with Jquery. But unfortunately I got this error:

XMLHttpRequest cannot load https://apigtw.url/apiman-gateway///1.0/?apikey=9999999-8888-6666-33333-968a712ce68b. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://myapp.local' is therefore not allowed access. The response had HTTP status code 500.

So, I'm using some policies, such as:

Keycloak Authorization Policy:

Require OAuth: true
Require Transport Security: true
Blacklist Unsafe Tokens: false
Realm: https://sso.local/auth/realms/test-realm
Keycloak Realm Certificate: <keycloak key certificate>
Forward Realm Roles? true

Authorization Policy Configuration:

Path: .*
Verb: *
Required Role: my-role

Did I miss something on apiman configuration?

I believe I should add CORs, but I don't know if it is necessary. I tried to use this but the error still occurs.

Please, need help

Does anyone know how to configure APIMan CORs?

Edit:

It seems this is was solved in issue 516, but still occurs with me. I'm using version 1.2.3 of APIMan

Here is the Response Headers:

Connection:close
Content-Type:application/json
Date:Wed, 28 Dec 2016 13:54:08 GMT
Server:Apache/2.4.18 (Ubuntu)
Transfer-Encoding:chunked
X-Gateway-Error:API not public.
X-Powered-By:Undertow/1

and

Here is the Request Headers:

Accept:*/*
Accept-Encoding:gzip, deflate, sdch, br
Accept-Language:pt-BR,pt;q=0.8,en-US;q=0.6,en;q=0.4
Access-Control-Request-Headers:authorization, x-api-key
Access-Control-Request-Method:GET
Connection:keep-alive
Host: apiman.url
Origin:http://192.168.56.22:8080
Referer:http://192.168.56.22:8080/app
User-Agent:Mozilla/5.0 ...
Query String Parameters
view source
view URL encoded

And here is my ajax request:

$.ajax({
  url: 'https://apiman.url/apiman-gateway/<org>/<api>/1.0/<method>?apikey=xxxxxx-xxxxx-xxxxx-xxxxx',
  headers: {
      'Content-Type':'application/json',
      'Accept' : 'application/json',
      'Authorization' : 'Bearer ' + keycloak.token
  },
  method: 'GET',
  dataType: 'json',
  success: function(data){
    console.log('header1', data);
  }
});

Answer 1

Have you ensured that the CORS policy is before the Keycloak policy in the policy chain? That will ensure CORS is serviced first.

i.e. CORS Policy -> Keycloak Policy -> Authorization Policy

NB: If you're using the CORS policy then you should probably pass your API key as a query parameter because browsers do not pass custom headers during preflight request (that it performs on your behalf).

See: https://stackoverflow.com/a/13997235/2766538