CORS preflight request freezes our app

Hello folks,

I need some help with a tricky CORS problem :wink:

We are currently developing a small Dash application. Our app is hosted in the cloud, so we need some sort of security. We have connected our app to our enterprise identity management system (KeyCloak).
Therefore we use the framework flask_oidc (1.4.0). We configured the client_secrets.json and protect every view-function of our dash-app:

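    # `oidc` is the flask_oidc OpenIDConnect instance created elsewhere in the app.
    def _protect_dashviews(dash_app):
        # Wrap every view under the Dash base path so it requires an OIDC login.
        for view_func in dash_app.server.view_functions:
            if view_func.startswith(dash_app.config.url_base_pathname):
                dash_app.server.view_functions[view_func] = oidc.require_login(
                    dash_app.server.view_functions[view_func])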

This works pretty fine. On the initial visit of our app the user is redirected to the login page of our idm and after a successful login back to our app. Except for one point: After some time our oidc token seems to time out. When the page /_dash-update-component is called, the JavaScript behind this component sends an HTTP request to /auth/realms/appid-0798/protocol/openid-connect/auth?xyz. Sadly this request is declined because of CORS. The preflight request of this request gets the following response:

Access to fetch at 'https://login.idm.company.com/auth/realms/appid-0798/protocol/openid-connect/auth?xyz' (redirected from 'https://app.cloud.net/_dash-update-component') from origin 'https://app.cloud.net' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

I understand why this preflight request is sent. And I understand that the responding idm system needs to respond with an 'Access-Control-Allow-Origin' header. This could be a possible fix, but at the moment it is not possible to modify the settings of the idm system.
Is there any chance to fix this on our side (inside the app)? Is there any possibility to modify the component or request, so no preflight request is sent?

Thanks in advance.
Regards, Florian
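
One app-side way to keep the callback request from being redirected to the IdP at all, as an added example that is not part of the original post: a WSGI middleware that turns a cross-origin redirect on /_dash-update-component into a 401, so the browser's fetch never follows it to the login host. The class name and the 401 JSON body are hypothetical, and it assumes the front end reacts to the 401 by reloading the page so the normal top-level login redirect runs.

```python
import json
from urllib.parse import urlsplit

CALLBACK_SUFFIX = "/_dash-update-component"  # Dash callback endpoint named in the post
REDIRECTS = ("301", "302", "303", "307", "308")


class CallbackRedirectGuard:
    """WSGI middleware (hypothetical name): answer 401 instead of redirecting
    background callback requests to another origin such as the IdP login page."""

    def __init__(self, wsgi_app, app_host):
        self.wsgi_app = wsgi_app
        self.app_host = app_host  # host the browser uses for the app

    def __call__(self, environ, start_response):
        if not environ.get("PATH_INFO", "").endswith(CALLBACK_SUFFIX):
            return self.wsgi_app(environ, start_response)  # page loads redirect as usual

        seen = {}

        def capture(status, headers, exc_info=None):
            seen.update(status=status, headers=headers, exc_info=exc_info)
            return lambda data: None  # legacy write() is not supported here

        # Assumes the wrapped app calls start_response before returning its
        # body iterable, as Flask/Werkzeug responses do.
        body = self.wsgi_app(environ, capture)
        headers = {k.lower(): v for k, v in seen["headers"]}
        target_host = urlsplit(headers.get("location", "")).netloc
        if seen["status"][:3] in REDIRECTS and target_host not in ("", self.app_host):
            if hasattr(body, "close"):
                body.close()
            payload = json.dumps({"error": "login_required"}).encode()
            start_response("401 Unauthorized", [
                ("Content-Type", "application/json"),
                ("Content-Length", str(len(payload))),
                ("Cache-Control", "no-store"),
            ])
            return [payload]
        start_response(seen["status"], seen["headers"], seen["exc_info"])
        return body


# Usage (assumption: dash_app is the Dash instance from the post):
# dash_app.server.wsgi_app = CallbackRedirectGuard(dash_app.server.wsgi_app, "app.cloud.net")
```

Page loads and any other route still receive the ordinary redirect from oidc.require_login; only the background callback endpoint is changed.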