The reason is that we're protecting all http verbs (including OPTIONS) with keycloak. The browser doesn't send auth info with the CORS OPTIONS request, so it's rejected by KC and the browser thinks CORS isn't enabled. The solution is to allow OPTIONS requests without authentication info.