oidc: enable CORS for internal apps

src/oidc.js

@@ -801,6 +801,12 @@ async function start() {
                 return false;
             }
         },
+        clientBasedCORS(ctx, origin, client) {
+            // allow CORS for clients where at least the origin matches where we redirect back to
+            if (client.redirectUris.find((u) => u.indexOf(origin) === 0)) return true;
+
+            return false;
+        },
         conformIdTokenClaims: false,
         // https://github.com/panva/node-oidc-provider/blob/main/recipes/skip_consent.md
         loadExistingGrant: async function (ctx) {