Metrics recently moved behind keycloak, but in filter CorsResponseFilter.java in package org.hawkular.metrics.api.jaxrs.filter stayed maintaining of Access-Control-Allow-Origin for other origins.

Either remove line 68 or add control so there will not be more than one Access-Control-Allow-Origin header with same value.

Error message which is thrown with all Ajax engines:

The 'Access-Control-Allow-Origin' header contains multiple values 'http://localhost:9876, http://localhost:9876', but only one is allowed. Origin 'http://localhost:9876' is therefore not allowed access.