Is it possible to enable authentication on your REST service but not on your CORS OPTIONS Request. The specs of CORS preflight clearly state to exclude credentials.
While we have authentication set to custom we could bypass this by checking the HTTP Method and return a user that is not allowed anything in the system, i would prefer if the authentication was just skipped for OPTIONS Request.
Edit3: Our workarround for now is that we give anyone that does not provide credentials with a dummy preflight user that has a userrole which is only allowed to run the preflight microflows.
Edit: Because we are unable to determine the HTTP Request type we cannot determine what user to use in the custom authentication microflow
Edit2: It seems that strikethrough is not shown correctly
Guess this no longer is a question.