Ory is the largest open source community in the world for cloud software application security. We maintain advanced open source security software solving authentication, authorization, access control, application network security, and delegation. Ory implements a variety of industry and best-practice standards including OAuth 2.0 / OAuth 2.1, OpenID Connect, Zero Trust Networking, Google Zanzibar Policy Framework, FIDO2 U2F, WebAuthn, TOTP, and more.

Ory Community

Hi all! I’m working on a web app (SPA) using <https://github.com/IdentityModel/oidc-client-js>. This library makes a request to `https://&lt;slug&gt;.<http://projects.oryapis.com/.well-known/openid-configuration|projects.oryapis.com/.well-known/openid-configuration>`  which fails (in Firefox and Chrome) due to a missing CORS header ‘Access-Control-Allow-Origin’.
According to the documentation, adding a custom domain as CORS header is a paid feature.
But there must be some other way, right?
I tried explicitly setting CORS to `true` or `false` with `ory patch oauth2-config --replace '/serve/public/cors/enabled=false'` , but that did not have any effect. What am I missing?