OAuth2 provider and CORS

[acquleo]

Description

I'm trying to integrate gitea OpenId Connect authentication from another website.
I have configured the following cors parameters:
[cors]
ENABLED = true
ALLOW_DOMAIN = *
ALLOW_CREDENTIALS = true

It look like CORS is working on API, so if I try to call /packages/{owner}?, the browser includes the header Origin in the request and gitea response includes :
Access-Control-Allow-Origin: *

than if I try to use Oauth2 provider authentication the gitea response doesn't include Access-Control-Allow-Origin generating the following cors error:

Access to XMLHttpRequest at 'http://:3000/.well-known/openid-configuration' from origin 'http://:8085' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

how can I fix this?

Thanks

Gitea Version

1.19.3

Can you reproduce the bug on the Gitea demo site?

No

Log Gist

No response

Screenshots

No response

Git Version

No response

Operating System

Ubuntu 22.04.2 LTS

How are you running Gitea?

I'm running GITEA as stack on docker swarm node.
image: gitea/gitea:1.19.3
image: postgres:11-alpine

Database

PostgreSQL

[acquleo]

added wireshark trace
https://drive.google.com/file/d/1xpmX0k0MHbEcz_MOQZn4GimcX-esPNUO/view?usp=sharing

[silverwind]

OAuth to my knowledge does not require CORS. What are you trying to do?

[acquleo]

I'm trying to delegate user Oauth2 authentication to gitea from another website and get a token session to be used to call gitea API.
In details

• user open custom_website
• click in login button
• custom_website navigate to Outh2 authentication page of gitea
• user put credentials in gitea
• gitea redirect the login page to custom_website passing the user access token
• custom_website uses the access token to call gitea API

[wxiaoguang]

It's not documented, but the CORS only applies to these handlers: