
Hosting OIDC well-known config in laravel with CORS


Context

I'm trying to configure a Laravel server as an OIDC provider. For my local machine, it works well, unless I change my origin away from one listed in my CORS policy.

Problem

The issue is that Laravel is still populating the CORS headers for my OIDC well-known route, and so the client fails fetch/XHR GET requests.

Possible solutions I have found

  1. Enable CORS for all hosts - works, but not the path I want to go. I value the security of having the CORS policy limited in scope.
  2. Generate a static file for my well-known file, and host it from the public directory - also not ideal, as it makes my server less dynamic.

Is there some way I could achieve (1), but only for the well-known route? Older Laravel packages allowed me to configure different profiles based on the host. What I need here is that all hosts may access the .well-known group.


Solution

Finally figured it out!

In config/cors.php, the paths key can accept either

  1. An array of acceptable paths for all listed hosts.
  2. A key-value pair, with the keys as the host and the value as an array of acceptable paths.

Thus I made a CORS policy for my frontend hosts, and a CORS policy for my OIDC routes.
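An added example of that config/cors.php layout (constructed here, not the answerer's file; the hostnames are placeholders). Laravel's HandleCors middleware looks up the request's Host in paths first and, when a matching host key exists, applies only that host's list; the plain string entries apply to every other host. The remaining keys, allowed_origins included, are one shared setting for every matched path.

```php
<?php
// config/cors.php (constructed example; hostnames are placeholders, not from the question)
// HandleCors checks paths[<request host>] first. When that key exists, only its
// list is used for that host; the plain string entries below apply to all other hosts.
return [
    'paths' => [
        // Requests addressed to the OIDC issuer host: only the discovery routes.
        // Any other route on this host gets no CORS headers at all.
        'id.example.test' => [
            '.well-known/openid-configuration',
            '.well-known/jwks.json',
        ],

        // Every other host (e.g. the API host the SPA frontend talks to).
        'api/*',
        'sanctum/csrf-cookie',
    ],

    'allowed_methods' => ['GET', 'POST', 'OPTIONS'],

    // One list for every matched path above; the host-keyed paths only decide
    // which routes receive CORS handling, not which origins each route accepts.
    'allowed_origins' => [
        'https://app.example.test',
    ],

    'allowed_origins_patterns' => [],

    'allowed_headers' => ['Content-Type', 'Authorization'],

    'exposed_headers' => [],

    'max_age' => 600,

    // A wildcard origin cannot be combined with credentials, so keep this false
    // if the discovery document is ever opened up to '*'.
    'supports_credentials' => false,
];
```

Check the effect with an OPTIONS preflight against each host and confirm that only the discovery paths on the issuer host return Access-Control-Allow-Origin.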