CORS on the OAuth Server

The OAuth server supports Cross-Origin Resource Sharing (CORS). CORS is always enabled for some endpoints, whereas others need explicit configuration before a browser on another origin can call them.

Default CORS Enabled Endpoints

The following endpoints support CORS without any configuration or setup:

  • OpenID Connect metadata
  • JWKS

These endpoints also do not require pre-flight checks.

Endpoints that Can be CORS Enabled

The following endpoints can be configured to support CORS server-wide, without any configuration for a specific client:

  • Dynamic Client Registration (DCR)
  • OpenID Connect User Info

To enable CORS on these endpoints, refer to the CORS section of the system admin guide.

Additionally, CORS can be enabled for public clients (clients using no client authentication method) on the following endpoints:

  • Token endpoint: Authorization Code token request
  • Token endpoint: Refresh Token request
  • Revoke

For these endpoints, the origin of the request must be listed in the client's Allowed Origins setting; a request from any other origin receives no CORS headers and is blocked by the browser.
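The following is an added example, not code from the OAuth server or its documentation. It models the three categories described on this page (always-on endpoints, endpoints enabled in the admin configuration, and endpoints scoped to a public client's Allowed Origins) as a small decision function, and pairs it with the Fetch standard's "simple request" rule so an administrator can see why the metadata and JWKS endpoints need no pre-flight, and why a public client's form-encoded token request does not trigger one either. The endpoint keys, the `adminCorsEnabled` flag, the client object shape, the `*` value for the always-on endpoints and the `Vary: Origin` header are assumptions made for this model; the real server's configuration names and exact response headers differ.

```javascript
// Added example: a model of the CORS policy described on this page.
// Not the OAuth server's own code; endpoint keys and config shape are assumed.

// Endpoints that support CORS with no configuration (public documents).
const ALWAYS_CORS = new Set(["openid-configuration", "jwks"]);
// Endpoints enabled server-wide through the admin configuration.
const ADMIN_CONFIGURABLE = new Set(["dcr", "userinfo"]);
// Endpoints enabled per public client through its Allowed Origins.
const CLIENT_SCOPED = new Set(["token:authorization_code", "token:refresh_token", "revoke"]);

// Decide whether a cross-origin request to `endpoint` from `origin` is allowed.
// Returns the CORS response headers the model would add, or null when the
// browser must block the response (no Access-Control-Allow-Origin header).
function corsDecision({ endpoint, origin, adminCorsEnabled = false, client = null }) {
  if (!origin) return null; // no Origin header: same-origin or non-browser caller

  if (ALWAYS_CORS.has(endpoint)) {
    // Modelling choice: metadata and JWKS are public, so any origin may read them.
    return { "Access-Control-Allow-Origin": "*" };
  }
  if (ADMIN_CONFIGURABLE.has(endpoint)) {
    return adminCorsEnabled ? { "Access-Control-Allow-Origin": origin, Vary: "Origin" } : null;
  }
  if (CLIENT_SCOPED.has(endpoint)) {
    // Only public clients (no client authentication) and only origins listed
    // in that client's Allowed Origins; confidential clients never get CORS here.
    if (!client || client.authMethod !== "none") return null;
    if (!client.allowedOrigins.includes(origin)) return null;
    return { "Access-Control-Allow-Origin": origin, Vary: "Origin" };
  }
  return null; // any other endpoint is not CORS-enabled
}

// Fetch standard "simple request" rule: a request with a safelisted method,
// only safelisted headers and a safelisted Content-Type is sent directly.
// Anything else (an Authorization header, a JSON body, PUT/DELETE) makes the
// browser send an OPTIONS pre-flight first.
const SAFELISTED_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFELISTED_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);
const SAFELISTED_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);

function needsPreflight(method, headers) {
  if (!SAFELISTED_METHODS.has(method.toUpperCase())) return true;
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    if (!SAFELISTED_HEADERS.has(lower)) return true;
    if (lower === "content-type") {
      const mediaType = value.split(";")[0].trim().toLowerCase();
      if (!SAFELISTED_CONTENT_TYPES.has(mediaType)) return true;
    }
  }
  return false;
}

// Constructed scenario: a browser-based public client served from
// https://app.example exchanging an authorization code, plus a second origin
// that is not in the client's Allowed Origins.
const spaClient = {
  clientId: "spa-client",
  authMethod: "none",
  allowedOrigins: ["https://app.example"],
};

function demo() {
  const tokenRequestHeaders = { "Content-Type": "application/x-www-form-urlencoded" };
  return {
    tokenPreflight: needsPreflight("POST", tokenRequestHeaders),
    tokenAllowed: corsDecision({ endpoint: "token:authorization_code", origin: "https://app.example", client: spaClient }),
    tokenBlocked: corsDecision({ endpoint: "token:authorization_code", origin: "https://other.example", client: spaClient }),
    jwks: corsDecision({ endpoint: "jwks", origin: "https://anything.example" }),
    userinfoOff: corsDecision({ endpoint: "userinfo", origin: "https://app.example" }),
  };
}
```

The model makes two points that are easy to miss when reading the page: a form-encoded token request from a public client carries no custom headers, so the browser sends it without a pre-flight and the only thing standing between it and a successful read is the Access-Control-Allow-Origin decision, which is exactly why the Allowed Origins list must be kept tight; and the User Info endpoint stays closed to every origin until it is switched on in the admin configuration, regardless of what any client's Allowed Origins say.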