To resolve a CORS error on the OpenID Connect endpoint in Ory Network, you need to configure your project to explicitly allow your domain as an accepted CORS origin. Steps to configure CORS for your domain: 1. Add your domain to the CORS origins list: - Go to the [Ory Console](https://console.ory.sh/projects/current/custom-domains) and navigate to your project. - Under Branding → Custom domains, add your domain as a CORS origin. Ory recommends using exact matches (e.g.,

<https://my-app.example.com>

) rather than wildcards for security and reliability. Wildcards like

https://*.<http://example.com|example.com>

are supported, but exact matches are preferred. - Ory does not allow

*

,

null

, or

localhost/127.0.0.1

as CORS origins. For local development, use [Ory Tunnel](https://www.ory.sh/docs/guides/cli/proxy-and-tunnel). 2. Alternatively, use the Ory CLI:

bash    ory patch project <your-project-id> \      --replace '/cors_public/enabled=true' \      --replace '/cors_public/origins=["<https://my-app.example.com>"]'

Replace

<https://my-app.example.com>

with your actual domain. You can add multiple domains if needed. 3. Custom domains and CORS: - If you are using a custom domain, make sure to configure CORS specifically for that domain in the custom domains section of the Ory Console. This ensures that requests to endpoints like

.well-known/openid-configuration

are accepted from your frontend domain. - Avoid configuring both project-wide and custom domain CORS settings for the same domain, as this can cause issues like duplicated headers, which may result in CORS errors in browsers ([see this issue for details](https://github.com/ory/network/issues/427)). 4. Check your configuration: - After updating your CORS settings, test your application again. If you still see errors like

Access-Control-Allow-Origin

containing multiple values, review your CORS configuration to ensure the domain is not listed in both project-wide and custom domain settings. For more details, see the official Ory documentation on [setting up CORS](https://www.ory.sh/docs/guides/cors) and [custom domains](https://www.ory.sh/docs/guides/custom-domains#cors). If you continue to experience issues, double-check that your domain is not duplicated in both the global and custom domain CORS settings, as this can cause the

Access-Control-Allow-Origin

header to be set multiple times, which browsers will reject as invalid [CORS not working for custom domain](https://github.com/ory/network/issues/427).