如何处理Quarkus OIDC cookie过期和Ajax请求CORS失败？

问：

我有一个使用 Quarkus OIDC 集成的 Quarkus + Primefaces（服务器端渲染）Web 应用程序。 配置如下：

quarkus.oidc.auth-server-url=${oidc_serverUrl}
quarkus.oidc.client-id=my-jsf-app
quarkus.oidc.application-type=web-app
quarkus.oidc.credentials.secret=${oidc_secret}
quarkus.http.auth.permission.authenticated.paths=/secure/*
quarkus.http.auth.permission.authenticated.policy=authenticated
quarkus.oidc.authentication.cookie-same-site=lax
quarkus.oidc.tls.verification=none
# Only the authenticated users can initiate a logout:
quarkus.oidc.logout.path=/secure/logout
# Logged-out users should be returned to the /welcome.html site which will offer an option to re-login:
quarkus.oidc.logout.post-logout-path=/secure/user/home.xhtml
quarkus.oidc.token-state-manager.split-tokens=true
quarkus.oidc.token-state-manager.strategy=id-refresh-tokens
quarkus.oidc.authentication.cookie-path=/secure/

在浏览器端的 q_session 和 q_session_rt cookie 过期后，第一个 Ajax 请求被重定向到 OIDC 端点进行重新身份验证。浏览器控制台记录以下内容：

Access to XMLHttpRequest at 'https://keycloak.myapp.com/auth/realms/my-app/protocol/openid-connect/auth?response_type=code&client_id=my-jsf-app&scope=openid&redirect_uri=https%3A%2F%2Fdev.myapp.com%2Fsecure%2Fuser%2FaccountWizard.xhtml&state=b8afe3c2-0302-4592-a2b4-ad67997fad32' (redirected from 'https://dev.myapp.com/secure/user/accountWizard.xhtml?jfwid=cc9f2') from origin 'https://dev.myapp.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

在 Ajax 请求失败后 - 所有普通的 GET/POST 请求也开始失败，并出现 401。处于此状态时，强制页面重新加载也不起作用（浏览器显示“此页面不起作用”+ 401 状态代码）。Quarkus应用日志显示：

2023-06-10 21:49:22,257 DEBUG [io.qua.oid.run.CodeAuthenticationMechanism] (vert.x-eventloop-thread-1) State parameter can not be empty or multi-valued if the state cookie is present

为了继续，用户必须清理浏览器缓存。

我向Keycloak Web源添加了正确的URL，但是当Ajax请求重定向到Keycloak时，它仍然失败。如何解决？

交叉引用 https://github.com/keycloak/keycloak/discussions/20910