I am having the same issue. The OIDC /auth call is not sending CORS headers.
The flow:
- The client logs in with KC and receives a token.
- This token is sent to the API gateway; the gateway is responsible for /auth and validates this token.
- I am using keycloak-connect, inside this the keycloak.protect() function.
- This function will perform the auth.
- But when it makes the request to /auth with redirect_uri, the preflight takes place before the GET request, and in the response to this request there are no CORS headers.
- Then one of the reasons is that the OIDC endpoints are internal, so I guess Keycloak doesn't give importance to sending CORS headers.
If there is another solution I don't know of, then comment it.
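
A preflight response like the one described in the comment above can be checked offline against the rules a browser applies. This is an added example, not part of the original comment or of keycloak-connect; `checkPreflight`, its argument shapes and the sample origin are assumptions made for illustration.

```javascript
// Added example. Applies the browser's CORS preflight checks to a captured
// OPTIONS response. Names and sample values are constructed for illustration.
function checkPreflight(request, response) {
  const h = {};
  for (const [name, value] of Object.entries(response.headers)) {
    h[name.toLowerCase()] = String(value).trim();
  }
  const list = (name) =>
    (h[name] || '').split(',').map((s) => s.trim().toLowerCase()).filter(Boolean);
  const problems = [];
  // A preflight only succeeds on a 2xx status.
  if (response.status < 200 || response.status > 299) problems.push(`status ${response.status} is not 2xx`);
  const allowOrigin = h['access-control-allow-origin'];
  if (allowOrigin === undefined) {
    problems.push('missing Access-Control-Allow-Origin');
  } else if (allowOrigin === '*') {
    if (request.credentials) problems.push('wildcard origin with credentials');
  } else if (allowOrigin !== request.origin) {
    problems.push(`origin ${allowOrigin} does not match ${request.origin}`);
  }
  if (request.credentials && h['access-control-allow-credentials'] !== 'true') {
    problems.push('missing Access-Control-Allow-Credentials: true');
  }
  // GET, HEAD and POST never need to be listed; "*" only counts without credentials.
  const method = request.method.toLowerCase();
  const methods = list('access-control-allow-methods');
  const wildcard = (items) => items.includes('*') && !request.credentials;
  if (!['get', 'head', 'post'].includes(method) &&
      !methods.includes(method) && !wildcard(methods)) {
    problems.push(`method ${request.method} not allowed`);
  }
  // Authorization must be named explicitly; "*" never covers it.
  const allowedHeaders = list('access-control-allow-headers');
  for (const name of request.headers) {
    const n = name.toLowerCase();
    const viaWildcard = wildcard(allowedHeaders) && n !== 'authorization';
    if (!allowedHeaders.includes(n) && !viaWildcard) {
      problems.push(`request header ${name} not allowed`);
    }
  }
  return { allowed: problems.length === 0, problems };
}

// Constructed sample: the preflight came back without any CORS headers.
const sampleRequest = { origin: 'https://app.example.test', method: 'GET',
  headers: ['Authorization'], credentials: false };
console.log(checkPreflight(sampleRequest, { status: 200, headers: {} }).problems);
```

Pass `request.headers` as the names from the preflight's Access-Control-Request-Headers line and `response` as the status and headers captured from the OPTIONS reply.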