In this situation we have a flow like:
1. Prodigy XMLHttpRequest -> API GW in front of Prodigy backend
2. API GW wants to refresh token -> redirect to IDP
3. Prodigy XMLHttpRequest follows redirect -> IDP
We would like to have CORS enabled in Prodigy, and so we have enabled it in the config.
As a result, on step 3 a CORS preflight request is triggered, and we return the appropriate CORS headers.
With CORS satisfied, the actual request is sent to the IDP, but the IDP cookie is missing.
Therefore the question:
Do you set the 'withCredentials' property to 'true' on the XMLHttpRequest object that executes requests from JS?
For an explanation, see e.g. Cross-Origin Resource Sharing (CORS) - HTTP | MDN
Thanks for your help!
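
The browser-side rules behind this question, as an added example that is not part of the original post and not Prodigy's code: it models when a cross-origin XMLHttpRequest carries cookies and when the response passes the browser's CORS check. The origins, header values and function names are constructed for illustration.

```javascript
// Constructed origins standing in for the page and the IDP (assumptions).
const PAGE_ORIGIN = 'https://prodigy.example';
const IDP_URL = 'https://idp.example/authorize';

// A cross-origin XHR attaches cookies only when withCredentials is true.
// Same-origin requests always carry them.
function sendsCookies(pageOrigin, targetUrl, withCredentials) {
  const sameOrigin = new URL(targetUrl).origin === pageOrigin;
  return sameOrigin || withCredentials === true;
}

// CORS check applied by the browser to a cross-origin response.
// With credentials, a wildcard origin is rejected and
// Access-Control-Allow-Credentials must be exactly "true".
function passesCorsCheck(requestOrigin, withCredentials, responseHeaders) {
  const h = {};
  for (const [name, value] of Object.entries(responseHeaders)) {
    h[name.toLowerCase()] = value;
  }
  const allowOrigin = h['access-control-allow-origin'];
  if (allowOrigin === undefined) return false;
  if (!withCredentials) {
    return allowOrigin === '*' || allowOrigin === requestOrigin;
  }
  return allowOrigin === requestOrigin &&
    h['access-control-allow-credentials'] === 'true';
}

// Models one cross-origin request from the page to the IDP.
function evaluateIdpRequest(withCredentials, responseHeaders) {
  return {
    cookiesSent: sendsCookies(PAGE_ORIGIN, IDP_URL, withCredentials),
    responseReadable: passesCorsCheck(PAGE_ORIGIN, withCredentials, responseHeaders),
  };
}

// Constructed IDP response headers: CORS is "satisfied" for a plain request.
const wildcardHeaders = { 'Access-Control-Allow-Origin': '*' };
// Headers a credentialed request needs instead.
const credentialedHeaders = {
  'Access-Control-Allow-Origin': PAGE_ORIGIN,
  'Access-Control-Allow-Credentials': 'true',
};

console.log(evaluateIdpRequest(false, wildcardHeaders));
console.log(evaluateIdpRequest(true, wildcardHeaders));
console.log(evaluateIdpRequest(true, credentialedHeaders));
```

Even with `withCredentials` set, a cookie marked `SameSite=Lax` or `SameSite=Strict` is not sent on a cross-site XMLHttpRequest, so the IDP cookie's attributes matter as well.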