Where else do we need to specify the use of CORS support?

Issue #980 open
Michael Jones created an issue

While the UserInfo Endpoint specifies the use of CORS at http://openid.net/specs/openid-connect-standard-1_0-21.html#userinfo, we failed to do this for the Discovery endpoint and likely other relevant endpoints as well. What else did we leave out?

Without this, JavaScript clients won't work.

Comments (6)

  1. Justin Richer

    In MITREid Connect, we have CORS enabled on:

    • token endpoint
    • JWK publishing endpoint
    • everything in .well-known (both configuration and webfinger)
    • client registration endpoint (and management endpoints as we create them as sub-URLs of the registration endpoint)
    • userinfo endpoint
    • introspection endpoint
    • revocation endpoint

    There are a couple of others that are application-specific but these are the ones all defined by standards of some flavor in our implementation.

  2. Nov Matake

    Does "introspection endpoint" mean what is provided for resource servers? Then I don't think CORS is needed for the endpoint.

    Otherwise, I agree with Justin's list.

  3. Michael Jones reporter

    Brian says that CORS-enabling the token endpoint and the registration endpoint are policy decisions. It's necessary if they are to be called from JavaScript.

    The introspection and revocation endpoints don't appear in Connect, and so aren't relevant for the errata process.

  4. Mitar

    I think it is important to also document that CORS should not be enabled for the authorization endpoint. If it is done, this can lead to enabling bad design: an SPA client which is configured as if it were a confidential client.
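The per-endpoint policy the thread converges on (discovery and other `.well-known` documents, the JWKS and UserInfo endpoints always CORS-enabled; token and registration as a deployment policy decision; the authorization endpoint never), written out as an added example that is not MITREid Connect's code or anything from the OpenID specs. The endpoint paths, the `CorsPolicy` flags and the sample origins are assumptions for illustration:

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

# Illustrative path names for the endpoints discussed in the thread (assumed).
ALWAYS_CORS = ("/.well-known/", "/jwks", "/userinfo")  # JavaScript clients must reach these
POLICY_CORS = {"/token": "allow_token", "/register": "allow_registration"}
NEVER_CORS = ("/authorize",)  # reached only by browser redirect, never by XHR/fetch


@dataclass(frozen=True)
class CorsPolicy:
    allow_token: bool = False          # policy decision per the thread
    allow_registration: bool = False   # policy decision per the thread
    # None means any origin ("*"); otherwise an explicit allow-list of origins.
    allowed_origins: Optional[FrozenSet[str]] = None

    def enabled_for(self, path: str) -> bool:
        """Decide per endpoint whether CORS headers may be emitted at all."""
        if path.startswith(NEVER_CORS):
            return False   # an SPA must not be able to call /authorize like a confidential client
        if path.startswith(ALWAYS_CORS):
            return True
        for prefix, flag in POLICY_CORS.items():
            if path.startswith(prefix):
                return getattr(self, flag)
        return False


def cors_headers(policy: CorsPolicy, path: str, method: str,
                 origin: Optional[str]) -> Dict[str, str]:
    """Return the CORS response headers for one request, or {} when none apply."""
    if origin is None or not policy.enabled_for(path):
        return {}
    if policy.allowed_origins is None:
        headers = {"Access-Control-Allow-Origin": "*"}
    elif origin in policy.allowed_origins:
        # Echo the origin, and tell caches the answer depends on it.
        headers = {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    else:
        return {}  # unknown origin: the browser will block the response
    if method == "OPTIONS":
        # Preflight: token/registration calls are POSTs carrying Authorization or JSON bodies.
        headers["Access-Control-Allow-Methods"] = "GET, POST, OPTIONS"
        headers["Access-Control-Allow-Headers"] = "Authorization, Content-Type"
        headers["Access-Control-Max-Age"] = "600"
    return headers
```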
