auth0 / auth0-react

Auth0 SDK for React Single Page Applications (SPA)
MIT License

getAccessTokenSilently() included unnecessary headers with custom domain, /oauth/token endpoint throws CORS policy #662

Closed nhien-cerebral closed 11 months ago

nhien-cerebral commented 11 months ago

Describe the problem you'd like to have solved

Hi everyone. Currently we are using a custom domain to integrate with our React application. The method getAccessTokenSilently() adds some unwanted headers and makes a call to /oauth/token. I messaged Auth0 support and they responded with this:

> It looks like the CORS error in your screenshot is showing the message "request header field x-datadog-origin is not allowed by access-control-allow-headers" on a request to the /oauth/token endpoint.
>
> Unfortunately, the /oauth/token endpoint does not accept any other headers apart from the ones listed below:
>
> Origin, Content-Type, Accept, X-Requested-With, Authorization, Auth0-Client, X-Request-Language
>
> It's not possible to allow/add other headers currently.

[Screenshot, 2023-11-15: browser console showing the CORS error on the /oauth/token request]

I tried disabling our Datadog implementation and it works properly. It seems like Datadog automatically includes some headers and the SDK makes the call with them.


Describe the ideal solution

I think it's better to send only the necessary headers to /oauth/token.

Alternatives and current workarounds

No response

Additional context

No response

nhien-cerebral commented 11 months ago

I think we got the answer. Datadog had overridden some headers, and that is the root cause of the issue.
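The failure described in the issue body and confirmed in the follow-up comment is a CORS preflight rejection: the Datadog RUM SDK injects tracing headers into the fetch that auth0-spa-js makes to /oauth/token, and that endpoint's Access-Control-Allow-Headers list does not include them. The following is an added example (not code from auth0-react, auth0-spa-js or the Datadog SDK) that models the browser's preflight header check against the allow-list Auth0 support quoted, and shows why scoping tracing-header injection to your own API origin keeps the token request clean. The `matchesTracingUrl` model, the custom-domain and API URLs, and all tracing header names other than `x-datadog-origin` are assumptions for illustration.

```javascript
// Added example, not code from auth0-react, auth0-spa-js or the Datadog SDK.
// Models the browser's CORS preflight header check for the /oauth/token request
// and shows how scoping tracing-header injection to a first-party API origin
// keeps Datadog headers off the token request.

// Allow-list for /oauth/token exactly as quoted from Auth0 support in this issue.
const AUTH0_TOKEN_ALLOWED_HEADERS = [
  "Origin", "Content-Type", "Accept", "X-Requested-With",
  "Authorization", "Auth0-Client", "X-Request-Language",
];

// CORS-safelisted request headers (Fetch spec): these never have to appear in
// Access-Control-Allow-Headers. Content-Type is only safelisted for three MIME types,
// so the application/json body the token exchange sends still needs the allow-list entry.
const SAFELISTED_NAMES = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SAFELISTED_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);

function isSafelisted(name, value) {
  const n = name.toLowerCase();
  if (!SAFELISTED_NAMES.has(n)) return false;
  if (n !== "content-type") return true;
  return SAFELISTED_CONTENT_TYPES.has(value.split(";")[0].trim().toLowerCase());
}

// Request headers the server would have to list in Access-Control-Allow-Headers but
// does not (header names compare case-insensitively). A non-empty result means the
// preflight is rejected and fetch() throws, which is what the issue's screenshot shows.
function disallowedHeaders(requestHeaders, allowHeaders) {
  const allowed = new Set(allowHeaders.map((h) => h.toLowerCase()));
  return Object.entries(requestHeaders)
    .filter(([name, value]) => !isSafelisted(name, value))
    .map(([name]) => name.toLowerCase())
    .filter((name) => !allowed.has(name));
}

// Simplified model (an assumption, not Datadog's implementation) of how a RUM
// allowedTracingUrls list is matched: entries are URL prefixes, RegExps or predicate
// functions, and tracing headers are injected only when the request URL matches.
function matchesTracingUrl(url, entry) {
  if (typeof entry === "string") return url.startsWith(entry);
  if (entry instanceof RegExp) return entry.test(url);
  if (typeof entry === "function") return Boolean(entry(url));
  return false;
}

// Constructed tracing headers. x-datadog-origin is the one named in the issue;
// the other three names and all values are assumed for illustration.
const DATADOG_TRACING_HEADERS = {
  "x-datadog-origin": "rum",
  "x-datadog-trace-id": "1234567890123456789",
  "x-datadog-parent-id": "9876543210987654321",
  "x-datadog-sampling-priority": "1",
};

// Headers a SPA token exchange sends (constructed; not the SDK's exact list), plus
// the tracing headers whenever the URL matches the tracing configuration.
function buildRequestHeaders(url, allowedTracingUrls) {
  const headers = {
    "Content-Type": "application/json",
    "Auth0-Client": "eyJuYW1lIjoiYXV0aDAtcmVhY3QifQ", // constructed client metadata
  };
  const traced = allowedTracingUrls.some((entry) => matchesTracingUrl(url, entry));
  return traced ? { ...headers, ...DATADOG_TRACING_HEADERS } : headers;
}

const TOKEN_URL = "https://auth.example.com/oauth/token"; // assumed Auth0 custom domain
const API_URL = "https://api.example.com/v1/me";          // assumed first-party API

// Misconfigured: trace every request, so the token exchange carries Datadog headers.
const TRACE_EVERYTHING = [/.*/];
// Fixed: trace only the first-party API, whose CORS policy you control.
const TRACE_OWN_API = ["https://api.example.com"];

// Header names that would make the /oauth/token preflight fail under a given config.
function tokenPreflightProblems(allowedTracingUrls) {
  return disallowedHeaders(
    buildRequestHeaders(TOKEN_URL, allowedTracingUrls),
    AUTH0_TOKEN_ALLOWED_HEADERS,
  );
}

console.log("trace everything:", tokenPreflightProblems(TRACE_EVERYTHING));
console.log("trace own API:   ", tokenPreflightProblems(TRACE_OWN_API));
console.log("API still traced:", "x-datadog-origin" in buildRequestHeaders(API_URL, TRACE_OWN_API));
```

Because Auth0 support states the /oauth/token allow-list cannot be extended, the only lever is on the client: in the real Datadog browser RUM SDK the corresponding setting is `allowedTracingUrls` passed to `datadogRum.init` (`allowedTracingOrigins` in older releases); the matching shown here is a simplification of it. Restricting it to origins you control both fixes the preflight and stops trace identifiers from being sent to a third-party origin that was never meant to receive them.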