Is it correct that the adapters only read allowed web origins from the token? If so does that not mean that unless a user is authenticated CORS won't be enabled? I don't think that'll work.