CORS - Pre Flight vs ASM & APM

Hi

So I have 2 VS

VS_A with ASM attached and forwards to VS_B with APM attached

I have written irule for handling CORS request that sits on VS_A

based on https://community.f5.com/t5/codeshare/cors-implementation/ta-p/274720

My issue is - I have Jira and Confluence on VS_C but the URI are protected by APM - using OAUTH and VS_B is the OAuth server

so ajax / xhr requests are sent to VS_C but when the OAUth token needs to be refreshed it (VS_C APM) send a 302 to VS_B

My guess is the ATLASSIAN code see a 302 on a xhr/ajax call so it then does a CORS OPTIONS / PreFlight - not sure why it doesn't just call with ORIGIN but

So the OPTIONS call gets send to VS_B - which means its goes to VS_A first to uri /f5-oauth2/v1/authorize

The irule sends back the relevant headers

then the atlassian code does a GET request with ORIGIN Header

/f5-oauth2/v1/authorize then responds with a 302 to /my.policy (this seems strange normal OAuth ops don't do this )
same cycle again

OPTIONS CALL

then get call and my.policy send it to /my.log.out.php?errorcode=19

When i test this with our internal ajax code - it just does a js FETCH which turns into a GET and it just work

Now that I have written this I wonder if the error is with /f5-oauth2/v1/authorize as it should have consumed the request !!!

EDIT:

I tested on the internal that does a strange GET with ORIGIN - it goes to the /f5-oauth2/v1/authorize and that does a 302 ... so its not that ... some thing strange going on with APM