Page tree
Skip to end of metadata
Go to start of metadata

SSO Server

CORS with credentials enabled

As of Identity Server 8.3.2 any resources that are shared across origins and require to authenticate the user are disabled by default as their allowed origins are required to be declared explicitly..

  • Access-Control-Allow-Credentials: true
  • Access-Control-Allow-Methods: GET, POST
  • Access-Control-Allow-Origin: https://www.example.comĀ 
The session refresh endpoint

CORS enabled

  • Access-Control-Allow-Methods: GET, POST
  • Access-Control-Allow-Origin: *
Metadata endpoints for SAML 2.0, WS-Federation, OAuth 2.0 and OpenID Connect 1.0
Discovery and Template API
Status endpoints

OAuth 2.0 and OpenID Connect 1.0 protocol endpoints

Cannot use client_secret_basic client credentials, other client credentials types are possible

Authorization endpoint is not CORS enabled

CORS disabled

For any other SSO Server endpoints, all CORS requests are blocked.


All CORS requests are blocked.

Management Console

All CORS requests are blocked.


  • No labels