CORS issues on OAuth authorization URL

I have an application defined, with a callback of


Auth0 says that "By default, all your callback URLs will be allowed."

However, on a redirect to

the OPTIONS preflight does not return any origin headers,

Response headers:
access-control-allow-headers: Origin, Content-Type, Accept, X-Requested-With, Authorization, Auth0-Client, X-Request-Language
access-control-allow-methods: GET, PUT, POST, DELETE, PATCH, OPTIONS
access-control-max-age: 1000
cache-control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
content-length: 2

and therefore the request fails with the infamous

No ‘Access-Control-Allow-Origin’ header is present on the requested resource.

What am I missing?

I have the same problem with the API /oauth/device/code but not with the API /oauth/token.

I suspect there is some bug in the CORS settings (I have also added the URL in the “Allowed Web Origin” setting).
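
To reproduce the browser's decision offline, the following added example (not code from either poster or from Auth0) runs a simplified version of the Fetch CORS preflight check over the response headers quoted in the first post. The function names, the request shape and the origin `https://app.example.com` are assumptions made for illustration.

```javascript
// Added example: simplified form of the browser's CORS preflight check.
function parseHeaders(raw) {
  const headers = new Map();
  for (const line of raw.split("\n")) {
    const i = line.indexOf(":");
    if (i > 0) headers.set(line.slice(0, i).trim().toLowerCase(), line.slice(i + 1).trim());
  }
  return headers;
}

// Split a comma-separated header value into lower-cased tokens.
const tokens = (v) => (v || "").split(",").map((t) => t.trim().toLowerCase()).filter(Boolean);

// req = { origin, method, headers: [names], credentials } (hypothetical shape)
function checkPreflight(rawResponseHeaders, req) {
  const h = parseHeaders(rawResponseHeaders);
  const reasons = [];
  const acao = h.get("access-control-allow-origin");
  if (acao === undefined) {
    reasons.push("missing Access-Control-Allow-Origin");
  } else if (req.credentials ? acao !== req.origin : acao !== "*" && acao !== req.origin) {
    reasons.push(`Access-Control-Allow-Origin "${acao}" does not match ${req.origin}`);
  }
  if (req.credentials && h.get("access-control-allow-credentials") !== "true") {
    reasons.push("credentialed request without Access-Control-Allow-Credentials: true");
  }
  const methods = tokens(h.get("access-control-allow-methods"));
  const m = req.method.toLowerCase();
  if (!["get", "head", "post"].includes(m) && !methods.includes(m) && !(methods.includes("*") && !req.credentials)) {
    reasons.push(`method ${req.method} not allowed`);
  }
  const allowed = tokens(h.get("access-control-allow-headers"));
  for (const name of req.headers.map((n) => n.toLowerCase())) {
    const wildcardOk = allowed.includes("*") && !req.credentials && name !== "authorization";
    if (!allowed.includes(name) && !wildcardOk) reasons.push(`header ${name} not allowed`);
  }
  return { ok: reasons.length === 0, reasons };
}

// Response headers as quoted in the first post.
const POSTED = `access-control-allow-headers: Origin, Content-Type, Accept, X-Requested-With, Authorization, Auth0-Client, X-Request-Language
access-control-allow-methods: GET, PUT, POST, DELETE, PATCH, OPTIONS
access-control-max-age: 1000
cache-control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
content-length: 2`;
// Constructed request: the origin is a placeholder, not a value from the post.
const REQ = { origin: "https://app.example.com", method: "GET", headers: ["Authorization"], credentials: false };
console.log(checkPreflight(POSTED, REQ));
```

The posted response passes the method and header checks and fails only on the absent `Access-Control-Allow-Origin`, which matches the browser error quoted in the first post.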