I've recently updated our angular app to use Auth0 for authentication and authorization, almost everything is working so far. The issue I'm having is when signed into a non-host tenant a '_tenant' header gets automatically added to all API requests.
When the '_tenant' header is included to Auth0's ./well-known/openid-configuration endpoint the error response is 'Request header field __tenant is not allowed by Access-Control-Allow-Headers in preflight response This is only occurring when signed into a tenant, the host tenant does not include this header and does not receive this error response.
Is there a way to exclude the '_tenant' header to this, and other Auth0 endpoint?
Full error message:
Access to XMLHttpRequest at 'https://{removed}/.well-known/openid-configuration' from origin 'https://localhost:4200' has been blocked by CORS policy: Request header field __tenant is not allowed by Access-Control-Allow-Headers in preflight response.