OIDC endpoints and CORS policy

When an application makes a browser request to one of Identify's OIDC endpoints, such as the OIDC discovery endpoint https://#identify_instance_domain#/runtime/oauth2/.well-known/openid-configuration, the certificates endpoint https://#identify_instance_domain#/runtime/oauth2/certs.idp, or the userinfo endpoint https://#identify_instance_domain#/runtime/oauth2/userinfo.idp, and no CORS policy is configured, an error message is returned by default:


Because these endpoints are regularly called from browsers, we have added default CORS policies for them:


Problem: when calling OIDC endpoints, the CORS error shown below occurs:



There can be several reasons for this issue. First, check whether you have configured CORS policies somewhere else (e.g. at the IIS level), which results in duplicate CORS policies for the same endpoints.
Another cause is Identify's Allowed CORS Origins Domains setting. Setting it to * tells browsers to allow requests from any origin to all of Identify's endpoints. In previous versions, setting it to * was the easiest way to allow browser requests to the OIDC endpoints. However, because Identify now adds CORS policies for these endpoints by default, the * value produces the same duplicate-policy problem. Choose one of the following solutions:

  • Set the Allowed CORS Origins Domains setting to empty.
  • Or remove those location blocks from Identify Runtime's web.config file.
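The two failure modes above look identical in the browser console until you inspect the response headers: a missing Access-Control-Allow-Origin header means no policy applies, while a header that carries two values (one from Identify's default policy, one from the * setting or an IIS-level rule) is rejected by browsers because only a single value is allowed. The following script is an added example, not Identify's own code; it classifies a response's headers into "ok", "missing", "duplicate" or "origin_mismatch" so you can tell which fix applies. The sample header sets and the hostnames app.example.test and identify.example.test are constructed placeholders.

```python
"""Classify CORS response headers from an OIDC endpoint.

Added example (not part of Identify). Distinguishes three situations an
administrator meets when a browser call to an OIDC endpoint fails:
  missing          - no Access-Control-Allow-Origin header (no policy at all)
  duplicate        - more than one value (two policies stacked, e.g. the
                     default Identify policy plus "*" or an IIS-level rule)
  origin_mismatch  - one value, but it does not match the calling origin
"""
import urllib.request
from typing import Dict, List, Tuple

ACAO = "access-control-allow-origin"


def parse_header_lines(lines: List[str]) -> List[Tuple[str, str]]:
    """Turn 'Name: value' lines into (lowercased name, value) pairs.

    Lines without a colon (such as the status line) are skipped.
    """
    pairs = []
    for line in lines:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def check_cors(lines: List[str], origin: str) -> Dict[str, object]:
    """Return a verdict for the Access-Control-Allow-Origin header(s)."""
    values: List[str] = []
    for name, value in parse_header_lines(lines):
        if name == ACAO:
            # A duplicated header may arrive as two header lines or as one
            # line with comma-joined values; both are a browser-side error.
            values.extend(v.strip() for v in value.split(",") if v.strip())
    if not values:
        return {"verdict": "missing", "values": values}
    if len(values) > 1:
        return {"verdict": "duplicate", "values": values}
    if values[0] == "*" or values[0] == origin:
        return {"verdict": "ok", "values": values}
    return {"verdict": "origin_mismatch", "values": values}


def fetch_header_lines(url: str, origin: str) -> List[str]:
    """Send a CORS preflight (OPTIONS) and return the raw response headers.

    Network helper for real use; the samples below do not need it.
    """
    req = urllib.request.Request(
        url,
        method="OPTIONS",
        headers={"Origin": origin, "Access-Control-Request-Method": "GET"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return [f"{name}: {value}" for name, value in resp.getheaders()]


# Constructed sample responses for the discovery endpoint.
ORIGIN = "https://app.example.test"

SAMPLE_OK = [
    "HTTP/1.1 200 OK",
    "Content-Type: application/json",
    "Access-Control-Allow-Origin: https://app.example.test",
    "Vary: Origin",
]

SAMPLE_DUPLICATE = [
    "HTTP/1.1 200 OK",
    "Content-Type: application/json",
    "Access-Control-Allow-Origin: https://app.example.test",  # Identify default policy
    "Access-Control-Allow-Origin: *",                          # Allowed CORS Origins Domains = *
]

SAMPLE_MISSING = [
    "HTTP/1.1 200 OK",
    "Content-Type: application/json",
]

if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK),
                          ("duplicate", SAMPLE_DUPLICATE),
                          ("missing", SAMPLE_MISSING)):
        print(label, "->", check_cors(sample, ORIGIN))
    # For a live check (placeholder host, requires network):
    # lines = fetch_header_lines(
    #     "https://identify.example.test/runtime/oauth2/.well-known/openid-configuration",
    #     ORIGIN)
    # print(check_cors(lines, ORIGIN))
```

A "duplicate" verdict points at the two fixes listed above (clear the Allowed CORS Origins Domains setting, or remove the duplicated location blocks), whereas "missing" means no policy reaches the endpoint at all and the IIS or web.config configuration should be checked instead.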