DuendeSoftware / Support

Support for Duende Software products

.well-known/openid-configuration endpoint and CORS #1408

Closed pampua84 closed 1 month ago

pampua84 commented 2 months ago

Hi, I’m trying to fetch data from the .well-known/openid-configuration endpoint using a JavaScript client to get all the IdS endpoints to call, but I’m encountering CORS problems. Why is this endpoint also protected by a CORS policy? Is there a specific reason? Thank you

RolandGuijt commented 2 months ago

The endpoint isn't explicitly protected. The browser enforces the same-origin policy. It prevents cross-origin requests from JavaScript by default. With a CORS policy you can basically create an exception to the same-origin rule imposed by the browser.

You can configure a CORS policy in the client configuration of IdentityServer. It uses ASP.NET Core's CORS middleware under the covers. Following the link you'll also see how to implement a custom policy service if needed.

RolandGuijt commented 2 months ago

@pampua84 In case you read the answer yesterday: I corrected the last paragraph.

pampua84 commented 2 months ago

Thanks for the reply. Question: when a JavaScript client wants to load .well-known/openid-configuration, as in the examples made in C# (IdentityModel):

using System;
using System.Net.Http;
using IdentityModel.Client; // provides the GetDiscoveryDocumentAsync extension method

var client = new HttpClient();

// Fetches https://demo.identityserver.io/.well-known/openid-configuration and deserializes the JSON
var disco = await client.GetDiscoveryDocumentAsync("https://demo.identityserver.io");
if (disco.IsError) throw new Exception(disco.Error);

the request is generic, the client is not specified yet. How does it work with JavaScript?

RolandGuijt commented 1 month ago

This isn't related to the previous question you asked. In addition this doesn't have a direct relationship with our IdentityServer product. If the below doesn't help you out, please create an issue on a relevant platform.

You are correct when you say the request is generic. The discovery endpoint basically just exposes the configuration of the identity provider. The endpoints are in there as well and the URL of the token endpoint is used in the sample you mention. You can see what the endpoint returns here.

The discovery endpoint returns JSON. IdentityModel just takes that and deserializes it into an object (disco). You can do the same in JavaScript: after doing the request to the endpoint you'll end up with JSON which you can then deserialize by using JSON.parse.
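The browser-side equivalent of the IdentityModel call above, as an added example that is not code from this thread, from IdentityModel or from IdentityServer. The issuer URL, the trimmed sample discovery document and the stub fetch are constructed for illustration; the only real things the example relies on are the standard `fetch` API, `JSON.parse`, and the OpenID Connect Discovery rule that the `issuer` value in the document must equal the issuer the client asked for.

```javascript
// Added example (not from the Duende Support thread): fetching and parsing
// /.well-known/openid-configuration from browser JavaScript. The issuer and the
// sample document below are constructed for illustration.

const SAMPLE_ISSUER = "https://demo.identityserver.io";

// Constructed, trimmed sample of what the discovery endpoint returns.
const SAMPLE_DISCOVERY_JSON = JSON.stringify({
  issuer: "https://demo.identityserver.io",
  authorization_endpoint: "https://demo.identityserver.io/connect/authorize",
  token_endpoint: "https://demo.identityserver.io/connect/token",
  userinfo_endpoint: "https://demo.identityserver.io/connect/userinfo",
  end_session_endpoint: "https://demo.identityserver.io/connect/endsession",
  jwks_uri: "https://demo.identityserver.io/.well-known/openid-configuration/jwks",
  response_types_supported: ["code", "token", "id_token"],
  code_challenge_methods_supported: ["plain", "S256"],
});

function discoveryUrl(issuer) {
  // "https://idp/" and "https://idp" must yield the same document URL.
  return issuer.replace(/\/+$/, "") + "/.well-known/openid-configuration";
}

// Parse the JSON and apply the checks a client should make before trusting it:
// the "issuer" value must equal the issuer we asked for (OpenID Connect
// Discovery 1.0, section 4.3), and the endpoints we will later send codes and
// tokens to must be https.
function parseDiscoveryDocument(issuer, jsonText) {
  const doc = JSON.parse(jsonText);
  const expected = issuer.replace(/\/+$/, "");
  if (doc.issuer !== expected) {
    throw new Error(`issuer mismatch: expected ${expected}, got ${doc.issuer}`);
  }
  for (const name of ["authorization_endpoint", "token_endpoint", "jwks_uri"]) {
    const value = doc[name];
    if (typeof value !== "string" || !value.startsWith("https://")) {
      throw new Error(`${name} missing or not https`);
    }
  }
  return doc;
}

// Browser-side counterpart of IdentityModel's GetDiscoveryDocumentAsync. The
// request is "generic": no client id is sent, only the issuer URL is needed.
// fetchImpl is injectable so the function can be exercised without a network.
async function getDiscoveryDocument(issuer, fetchImpl = globalThis.fetch) {
  const response = await fetchImpl(discoveryUrl(issuer), {
    method: "GET",
    mode: "cors",        // cross-origin call; the IdP must answer with CORS headers
    credentials: "omit", // the discovery document is public, no cookies needed
    headers: { Accept: "application/json" },
  });
  if (!response.ok) {
    throw new Error(`discovery request failed: HTTP ${response.status}`);
  }
  return parseDiscoveryDocument(issuer, await response.text());
}

// Stub fetch returning the constructed sample, so the demo runs offline.
async function stubFetch(url) {
  if (url !== discoveryUrl(SAMPLE_ISSUER)) {
    return { ok: false, status: 404, text: async () => "" };
  }
  return { ok: true, status: 200, text: async () => SAMPLE_DISCOVERY_JSON };
}

// Resolves to the token endpoint the client would call next.
async function demo() {
  const disco = await getDiscoveryDocument(SAMPLE_ISSUER, stubFetch);
  return disco.token_endpoint;
}
```

In a real page, call `getDiscoveryDocument("https://your-idp.example")` with the default `fetch`; if the IdP has not added the page's origin to the CORS policy the browser reports a CORS error at exactly this step, before any token request is made.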

pampua84 commented 1 month ago

Thank you very much for the answer and the explanation. So at the IdS level the configuration on CORS was done only on the other endpoints I guess. Where exactly? Thanks

RolandGuijt commented 1 month ago

When you add the client origin (URL) to the AllowedCorsOrigins collection in the client configuration, the ASP.NET Core project that uses IdentityServer will allow cross origin requests done by that origin. Under the covers it uses the standard ASP.NET Core CORS middleware for that.

Not sure if that answers your last question. If not, can you please clarify what you mean?
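A model of the origin matching behind that configuration, as an added example that is not IdentityServer's code or the ASP.NET Core CORS middleware. It shows what a browser actually sends in the `Origin` header (scheme, host and port, never a path or trailing slash), how a server-side policy must compare it (exact match), and what the browser does with the `Access-Control-Allow-Origin` header on the reply. The configured origin list is constructed; treating an entry with a path or trailing slash as invalid is a choice of this model, made because such an entry can never equal a browser-sent origin.

```javascript
// Added example (not IdentityServer's implementation): a model of the origin
// check that decides whether a cross-origin JavaScript call may read a response.
// The configured origins below are constructed for illustration.

// What a client's AllowedCorsOrigins might contain. The last entry carries a
// path, so it can never equal an Origin header and will silently never match.
const ALLOWED_CORS_ORIGINS = [
  "https://app.example.com",
  "http://localhost:5173",
  "https://app.example.com/callback", // misconfigured: a URL, not an origin
];

// An origin is scheme://host[:port]. The browser's Origin header never carries
// a path, query, fragment, userinfo, or trailing slash.
function isWellFormedOrigin(value) {
  let u;
  try { u = new URL(value); } catch { return false; }
  if (u.protocol !== "https:" && u.protocol !== "http:") return false;
  if (u.username || u.password || u.search || u.hash) return false;
  if (u.pathname !== "/") return false; // any path segment disqualifies it
  if (value.endsWith("/")) return false; // "https://a.example/" is a URL, not an origin
  return true;
}

// Normalise to what the browser sends: lower-cased scheme and host, default
// port dropped. URL.origin does exactly that.
function normaliseOrigin(value) {
  return new URL(value).origin;
}

// Configured entries that will never match any request.
function invalidOrigins(configured) {
  return configured.filter((o) => !isWellFormedOrigin(o));
}

// The server-side comparison: exact match of the request's Origin header
// against the configured set. A prefix or substring match would also admit
// https://app.example.com.attacker.test.
function isOriginAllowed(requestOrigin, configured) {
  const allowed = new Set(
    configured.filter(isWellFormedOrigin).map(normaliseOrigin)
  );
  return allowed.has(requestOrigin);
}

// The browser side: the page's script may read the response only if
// Access-Control-Allow-Origin echoes the page origin, or is "*" and the
// request was made without credentials.
function browserExposesResponse(pageOrigin, acaoHeader, withCredentials) {
  if (acaoHeader == null) return false;
  if (acaoHeader === "*") return !withCredentials;
  return acaoHeader === pageOrigin;
}
```

Running `invalidOrigins` over a client's configured list is a cheap check to add to deployment validation: an entry with a path is the most common reason a JavaScript client still sees CORS errors after the origin was "added".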

pampua84 commented 1 month ago

That's clear. Thank you so much.