Many endpoints in IdentityServer will be accessed via Ajax calls from JavaScript. Given that IdentityServer will most likely be hosted on a different origin than these clients, this implies that Cross-Origin Resource Sharing (CORS) will be an issue.

Cors Policy Service

IdentityServer3 allows the hosting application to implement a ICorsPolicyService to determine the CORS policy. This service is registered on the IdentityServerServiceFactory.

The single method on the ICorsPolicyService is:

You can implement a custom implementation to determine in any way you see fit if the calling origin is allowed.

Provided implementations

There are two implementations that are provided from IdentityServer core:

There is one last implementation provided from IdentityServer3.EntityFramework: