Ory is the largest open source community in the world for cloud software application security. We maintain advanced open source security software solving authentication, authorization, access control, application network security, and delegation. Ory implements a variety of industry and best-practice standards including OAuth 2.0 / OAuth 2.1, OpenID Connect, Zero Trust Networking, Google Zanzibar Policy Framework, FIDO2 U2F, WebAuthn, TOTP, and more.

Ory Community

Another one, shouldn't the `/oauth2/token` endpoint allow the cors origins defined in the oauth client? or do we need to setup a custom domain for this to enable cors globally?

Hello <@U04BKJH06MV>

Yes the endpoint should allow the CORS origins defined in the Oauth2 client

&gt; These are the allowed Origins you can set on your custom domain. By default, we add your custom domain to the origin. You’ll likely want to add more origins to this list to allow requests to our API from a different origin.
Did you add a custom domain? Did you add another origin and you cant call the API from there?

Alright. I added a http domain to the allowed cors origins of my oauth2 client and the token endpoint failed with a cors error.

But i am able to initialize the flow from this host.