Describe the bug

Enabling CORS support on the public endpoints seems to be working as expected by enabling the settings in the configuration, however when setting the allowed_cors_origins setting in the client, the additional origin URLs are not being allowed.

Reproducing the bug

Steps to reproduce the behavior:

1. Create a hydra environment version 1.3.2 with the below configuration
2. create an authorization_code client my_client with allowed_cors_origin set to an alternate (additional) Origin URL
3. POST to the /oauth2/token endpoint with the Origin: header (ie 'Origin: https://client-app.example.com'), and client_id: my_client in the body of the request.
4. Request should return the following response headers
   access-control-allow-credentials: true
   access-control-allow-origin: https://client-app.example.com

Server logs

Server configuration

Expected behavior

expect https://client-app.example.com to be an allowed origin

Environment

• Version: v1.3.2
• Environment: Docker

Additional context

Add any other context about the problem here.