CORS with endpoint routing and RequireCors does not support automatic preflight requests #20709

Closed
Rick-Anderson opened this issue Apr 9, 2020 · 18 comments
Labels: area-mvc Includes: MVC, Actions and Controllers, Localization, CORS, most templates

Rick-Anderson commented Apr 9, 2020

This was first reported in #18665.
See Enable Cors with endpoint routing, which explains it and has deployed code to reproduce the behavior. Given this is documented, you may want to close this issue by design and I'll update the docs to say *By Design*.

cc @pranavkm @apacurariu

@javiercn javiercn added the area-mvc Includes: MVC, Actions and Controllers, Localization, CORS, most templates label Apr 10, 2020
@mkArtakMSFT mkArtakMSFT added this to the Discussions milestone Apr 13, 2020
Bottswana commented Apr 16, 2020

Hello,

I believe there is still a real issue here that should not be closed as By design. Allow me to explain.
Currently, the only way to support Pre-Flight OPTIONS requests using CORS is to enable an application-wide CORS policy using app.UseCors() in Configure.

  • As this issue describes, the RequireCors method does not support OPTIONS requests at all.
  • In addition, the [EnableCors] attribute does not work when Authorization Middleware is in use, as the Authorization middleware intercepts the Pre-Flight request first and returns a 401. There used to be an option with MVC using the CorsAuthorizationFilterFactory as a filter, but this appears to have been removed in ASP.NET Core 3.

As such, it seems, with my 4 hours of attempting combinations and reading the newly updated documentation in regards to CORS, that the only way to achieve this is to enable application-wide CORS support. This probably isn't ideal; as the documentation states, it would be much more secure to be able to target specific controllers with specific CORS policies as needed.

As it stands I have had to go with a global policy, but I would prefer to not have to do this, by having either of the other two options work with Authorization middleware without workarounds.

Solved: When using Endpoint Routing CORS and IdentityServer4, the call to UseCors() must be after UseRouting() but BEFORE UseIdentityServer() and UseAuthorization(). Otherwise it will appear to work but Pre-Flight checks will fail.
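
The middleware order described in the comment above, written out as an added example; it is not code from the thread or from the ASP.NET Core project. The policy name, the allowed origin, and the empty in-memory IdentityServer4 stores are assumptions made so the class is complete.

```csharp
using System;
using IdentityServer4.Models;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    // Hypothetical policy name and origin, chosen for this example only.
    private const string SpaPolicy = "SpaPolicy";

    public void ConfigureServices(IServiceCollection services)
    {
        // Name the origins, methods and headers explicitly instead of
        // AllowAnyOrigin, so the application-wide policy stays narrow.
        services.AddCors(options =>
            options.AddPolicy(SpaPolicy, policy => policy
                .WithOrigins("https://app.example.com")
                .WithMethods("GET", "PUT")
                .WithHeaders("Authorization", "Content-Type")));

        // Empty in-memory stores (assumption): just enough registration
        // for UseIdentityServer() to resolve its services.
        services.AddIdentityServer()
            .AddDeveloperSigningCredential()
            .AddInMemoryIdentityResources(Array.Empty<IdentityResource>())
            .AddInMemoryApiResources(Array.Empty<ApiResource>())
            .AddInMemoryClients(Array.Empty<Client>());

        services.AddAuthorization();
        services.AddControllers();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();          // 1. the endpoint is selected first

        // 2. CORS runs here, so the preflight OPTIONS request is answered
        //    before any middleware that expects credentials sees it.
        app.UseCors(SpaPolicy);

        app.UseIdentityServer();   // 3. identity middleware comes after CORS
        app.UseAuthorization();    // 4. a 401 can no longer pre-empt the preflight

        app.UseEndpoints(endpoints => endpoints.MapControllers());
    }
}
```

To check the order, send an OPTIONS request with `Origin` and `Access-Control-Request-Method` headers and no credentials, and confirm the response carries `Access-Control-Allow-Origin` rather than a 401.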

@Rick-Anderson

https://cors3.azurewebsites.net/ try the PUT button and see my source in the article

ghost commented Nov 12, 2020

Thank you for contacting us. Due to a lack of activity on this discussion issue we're closing it in an effort to keep our backlog clean. If you believe there is a concern related to the ASP.NET Core framework, which hasn't been addressed yet, please file a new issue.

This issue will be locked after 30 more days of inactivity. If you still wish to discuss this subject after then, please create a new issue!

@ghost ghost closed this as completed Nov 12, 2020
@dotnet dotnet locked as resolved and limited conversation to collaborators Dec 12, 2020
This issue was closed.

6 participants