SSO Server

CORS with credentials enabled

As of Identity Server 8.3.2 any resources that are shared across origins and require to authenticate the user are disabled by default as their allowed origins are required to be declared explicitly..

Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: GET, POST
Access-Control-Allow-Origin: https://www.example.com

Endpoint	Description
/uas/refresh/*	The session refresh endpoint

CORS enabled

Access-Control-Allow-Methods: GET, POST
Access-Control-Allow-Origin: *

Endpoint	Description
/uas/saml2/metadata.xml /uas/wsf/FederationMetadata.xml /uas/.well-known/* /uas/oauth2/metadata.json /uas/oauth2/metadata.jwks	Metadata endpoints for SAML 2.0, WS-Federation, OAuth 2.0 and OpenID Connect 1.0
/uas/discovery/* /uas/template/* /uas/resource/*	Discovery and Template API
/uas/status /uas/ping	Status endpoints
/uas/oauth2/token /uas/oauth2/userinfo /uas/oauth2/introspection /uas/oauth2/revocation	OAuth 2.0 and OpenID Connect 1.0 protocol endpoints Cannot use client_secret_basic client credentials, other client credentials types are possible Authorization endpoint is not CORS enabled

CORS disabled

For any other SSO Server endpoints, all CORS requests are blocked.

Password

All CORS requests are blocked.

Management Console

All CORS requests are blocked.

References

http://www.w3.org/TR/cors/

Browser not supported