
I have the following error in console

  • Access to XMLHttpRequest at 'https://www.example.org/login/.abcdef/configuration' from origin 'http://localhost:1227' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

The issue here is that the frontend is a separate app and when I am not serving the dist folder inside the www.example.org app in IIS I am getting the above CORS error. My www.example.org app is a VB app in which in Global.asax in Application_BeginRequest method I have the following code

If (Request.Headers("Origin") <> "" AndAlso
    (Request.Url.AbsolutePath.ToLower.Contains("/rest/") OrElse
    Request.Url.AbsolutePath.ToLower.Contains("/login/"))) Then
    If (Request.Headers("Origin") <> "") Then Response.AddHeader("Access-Control-Allow-Origin", Request.Headers("Origin"))

    Response.AddHeader("Access-Control-Allow-Credentials", "true")
    Response.AddHeader("Access-Control-Allow-Methods", "*")

    If (Request.Headers("Access-Control-Request-Headers") <> "") Then Response.AddHeader("Access-Control-Allow-Headers", Request.Headers("Access-Control-Request-Headers"))

    Response.AddHeader("Access-Control-Max-Age", "300")

    If Request.HttpMethod = "OPTIONS" Then
        Response.Flush()
    End If
End If

and in the web.config

<customHeaders>
    <add name="Access-Control-Allow-Headers" value="Authorization,Content-Type,X-Requested-With" />
</customHeaders>

The way that the login is made is through using Identity Server and OpenID so the link redirects to a separate .NET Core app and it is as well configured to use CORS, so in StartUp.cs under ConfigureServices I have

services.AddCors();
...
var cors = new DefaultCorsPolicyService(loggerFactory.CreateLogger<DefaultCorsPolicyService>())
{
    AllowAll = true
};
services.AddSingleton<ICorsPolicyService>(cors);

and in the Configure method I have

app.UseCors(builder =>
{
    builder.AllowAnyHeader();
    builder.AllowAnyMethod();
    builder.AllowAnyOrigin();
});

ICorsPolicyService is an interface for a class that has a method that checks if the origin is contained in a dictionary. If it is contained it is allowed.

I have IIS CORS 1.0 module installed and what I have tried is

  1. Changing the web.config from my MVC (www.example.org) app to include the following custom headers

<add name="Access-Control-Allow-Origin" value="http://localhost" />
<add name="Access-Control-Allow-Headers" value="X-AspNet-Version,X-Powered-By,Date,Server,Accept,Accept-Encoding,Accept-Language,Cache-Control,Connection,Content-Length,Content-Type,Host,Origin,Pragma,Referer,User-Agent" />
<add name="Access-Control-Allow-Methods" value="GET, PUT, POST, DELETE, OPTIONS" />
<add name="Access-Control-Max-Age" value="1000" />

  2. I tried making another simple request from the front end to only the MVC app and it also failed with the same CORS error making me think that the issue is in the MVC app and not the .NET Core app

  3. I tried debugging Global.asax to see if I receive the request and I don't which makes me think that IIS is blocking the requests and they are not hitting my app at all

  4. I tried commenting out the code that handles the origins and the headers in a conditional manner in Global.asax and just allow all headers and origins and methods and it also did not work.

  5. I tried implementing an ActionFilter as it is described here and add it to the AuthController but this doesn't work either.

  6. I tried enabling CORS in Global.asax.vb and it also did not work

Dim cors = New EnableCorsAttribute("*", "*", "*")
config.EnableCors(cors)

So any tips on what I might be missing or any suggestions that I might try are more than welcome.

  • Do you have the Allow CORS extension? I think it's worth a try, https://chrome.google.com/webstore/detail/allow-cors-access-control/lhobafahddgcelffkeicbaginigeejlf?hl=en . – BenceL Jun 22 '20 at 13:18
  • A common mistake is to be configuring the *wrong* application. If you have a "front end" and a "back end" pair of websites, where the front end delivers HTML/JS/CSS and the back end offers services, it's the back end that has to configure CORS to accept access from the front end. – Damien_The_Unbeliever Jun 22 '20 at 14:49
  • @BenceL I added the extension and when turning it on it works and it adds these headers to the response Access-Control-Allow-Methods: GET, PUT, POST, DELETE, HEAD, OPTIONS Access-Control-Allow-Origin: * cache-control: private content-length: 4718 content-type: text/html; charset=utf-8. But I have to do this through the app and I tried adding them like this in the ways I have described above and it doesn't work – Violeta Vasilevska Jun 22 '20 at 15:09
  • @Damien_The_Unbeliever, yes it is the backend that I am trying to configure. – Violeta Vasilevska Jun 22 '20 at 15:12
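
An added example, not part of the original question or its comments: a JavaScript model of the CORS checks a browser applies under the Fetch standard, which can be run against the header sets quoted above to see which check rejects a response. The function names and result strings are assumptions made for this example.

```javascript
// Added example: a model of the browser-side CORS checks from the Fetch standard.
// Function names and reason strings are hypothetical, chosen for this example.
const SAFE_METHODS = ['GET', 'HEAD', 'POST'];

// Case-insensitive header lookup; returns null when the header is absent.
function getHeader(headers, name) {
  const key = Object.keys(headers).find(k => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? null : String(headers[key]).trim();
}

// Split a comma-separated header value into trimmed tokens.
function parseList(value) {
  return value === null ? [] : value.split(',').map(s => s.trim()).filter(Boolean);
}

// Check applied to every cross-origin response, preflight or actual.
// origin is scheme://host[:port] of the calling page; withCredentials mirrors the XHR flag.
function corsCheck(origin, withCredentials, headers) {
  const allowOrigin = getHeader(headers, 'Access-Control-Allow-Origin');
  if (allowOrigin === null) return { ok: false, reason: 'missing-allow-origin' };
  if (allowOrigin === '*' && !withCredentials) return { ok: true, reason: 'wildcard' };
  // Exact comparison: scheme, host and port must all match; '*' never matches here.
  if (allowOrigin !== origin) return { ok: false, reason: 'origin-mismatch' };
  if (!withCredentials) return { ok: true, reason: 'origin-match' };
  return getHeader(headers, 'Access-Control-Allow-Credentials') === 'true'
    ? { ok: true, reason: 'origin-match-with-credentials' }
    : { ok: false, reason: 'credentials-not-allowed' };
}

// Extra checks on the OPTIONS preflight response for a non-simple request.
// requestHeaders lists the non-safelisted header names the request will send.
function preflightCheck(origin, withCredentials, method, requestHeaders, headers) {
  const base = corsCheck(origin, withCredentials, headers);
  if (!base.ok) return base;
  const methods = parseList(getHeader(headers, 'Access-Control-Allow-Methods'));
  const allowed = parseList(getHeader(headers, 'Access-Control-Allow-Headers')).map(h => h.toLowerCase());
  // '*' is a wildcard only for requests without credentials; otherwise it is a literal.
  const wildcard = list => !withCredentials && list.includes('*');
  if (!SAFE_METHODS.includes(method) && !methods.includes(method) && !wildcard(methods)) {
    return { ok: false, reason: 'method-not-allowed' };
  }
  for (const name of requestHeaders.map(h => h.toLowerCase())) {
    // Authorization must always be listed by name; the wildcard does not cover it.
    if (!allowed.includes(name) && (name === 'authorization' || !wildcard(allowed))) {
      return { ok: false, reason: 'header-not-allowed:' + name };
    }
  }
  return { ok: true, reason: 'preflight-ok' };
}
```

In this model a credentialed request never accepts `*` for the origin, methods or headers, and `http://localhost` does not match `http://localhost:1227` because the comparison includes the port.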

0 Answers