Where else do we need to specify the use of CORS support?

Comments (15)

1. 

   Justin Richer

   In MITREid Connect, we have CORS enabled on:

   • token endpoint
   • JWK publishing enpdoint
   • everything in .well-known (both configuration and webfinger)
   • client registration endpoint (and management endpoints as we create them as sub-URLs of the registration endpoint)
   • userinfo endpoint
   • introspection endpoint
   • revocation endpoint

   There are a couple of others that are application-specific but these are the ones all defined by standards of some flavor in our implementation.

   • 2015-09-01T01:32:35+00:00
2. 

   Nat Sakimura

   • changed status to open

   • 2015-09-03T14:52:59+00:00
3. 

   Nat Sakimura

   • assigned issue to
     
     Michael Jones

   • 2015-09-03T14:53:20+00:00
4. 

   Nov Matake

   Does "introspection endpoint" means what provided for resource servers? Then I don't think CORS is needed for the endpoint.

   Otherwise, I agree Justin's list.

   • 2015-11-04T05:24:45+00:00
5. 

   Michael Jones reporter

   Brian says that whether to CORS enable the token endpoint and registration endpoint are policy decisions. It's necessary if they are to be called from JavaScript.

   The introspection and revocation endpoints don't appear in Connect, and so aren't relevant for the errata process.

   • 2015-11-16T23:37:53+00:00
6. 

   Mitar

   I think it is important to also document that CORS should not be enabled for authorization endpoint. If it is done, this can lead to enabling bad design: an SPA client which is configured as it is a confidential client.

   • 2021-11-03T20:59:47+00:00
7. 

   Michael Jones reporter

   Will be fixed by https://bitbucket.org/openid/connect/pull-requests/338/errata-specified-the-use-of-cors-at

   • 2022-10-20T19:29:14+00:00
8. 

   Michael Jones reporter

   The PR now says “The use of CORS at the Authorization Endpoint is NOT RECOMMENDED as it is redirected to by the client and not directly accessed.“ Does that work for people?

   • 2022-10-31T06:02:29+00:00
9. 

   Mitar

   I think this is fine, but is there a reason for not being MUST NOT use CORS on at the Authorization Endpoint?

   • 2022-10-31T07:28:33+00:00
10. 

    Michael Jones reporter

    Adding a MUST NOT would be a normative spec change, which we should preferably not as an errata action.

    Anyway, thanks for your diligence on this issue!

    • 2022-10-31T19:42:29+00:00
11. 

    Mitar

    Hm, you are right. Maybe MUST NOT would be more suitable for https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics?

    • 2022-10-31T19:47:20+00:00
12. 

    Michael Jones reporter

    Adding it to the OAuth Security BCP is a great idea - since it’s really an OAuth issue in the first place.

    • 2022-10-31T19:54:00+00:00
13. 

    Michael Jones reporter

    • changed status to resolved

    Addressed by https://bitbucket.org/openid/connect/pull-requests/338

    • 2022-11-01T22:24:53+00:00
14. 

    Aaron Parecki

    To me it seems like the OAuth Security BCP would be the right place to mention NOT adding CORS to the authorization endpoint, but the Browser Apps BCP would be the right place to add the full known list of endpoints that DO need CORS support.

    CORS on the authorization endpoint is a security issue, CORS on the token and endpoints are a matter of whether the AS is usable at all by JS clients.

    • 2022-11-04T19:25:52+00:00
15. 

    Dmitry Telegin

    @aaronpk could you please elaborate on why CORS on the authorization endpoint would be a security issue? (not disputing, just want to understand this better)

    FYI, Connect2ID does allow cross-origin fetch calls to authorization endpoint, but this is limited to prompt=none and their custom response_mode=cors.

    • 2023-03-08T11:10:38+00:00
16. Log in to comment