You couldn't do that
as mentioned in the document:
The CORS specification also states that setting origins to "*" (all
origins) is invalid if the Access-Control-Allow-Credentials header is
present.
and this part in the document:
When responding to a credentialed request:
The server must not specify the "*" wildcard for the
Access-Control-Allow-Origin response-header value, but must instead
specify an explicit origin;
for example: Access-Control-Allow-Origin:
https://example.com
The server must not specify the "" wildcard for
the Access-Control-Allow-Headers response-header value, but must
instead specify an explicit list of header names;
for example,Access-Control-Allow-Headers: X-PINGOTHER, Content-Type
The server
must not specify the "" wildcard for the Access-Control-Allow-Methods
response-header value, but must instead specify an explicit list of
method names;
for example, Access-Control-Allow-Methods: POST, GET
The server must not specify the "*" wildcard for the
Access-Control-Expose-Headers response-header value, but must instead
specify an explicit list of header names;
for example, Access-Control-Expose-Headers: Content-Encoding, Kuma-Revision
If you set with WithOrigins("*")
it would add Access-Control-Allow-Origin:*
to the response header
.AllowCredentials()
orWithOrigins