IdentityServer / IdentityServer3.AccessTokenValidation

OWIN Middleware to validate access tokens from IdentityServer3
Apache License 2.0

Does AccessTokenValidation allow for CORS enforcing? #83

Closed svrooij closed 8 years ago

svrooij commented 8 years ago

Current setup:

We want to enforce the CORS specified in the IdentityServer on the API, and not just allow every site to use it. Is this possible?

Currently we use Microsoft.Owin.Cors

app.UseCors(CorsOptions.AllowAll);

brockallen commented 8 years ago

We don't do any CORS work in the access token validation MW -- that's up to you.

svrooij commented 8 years ago

It would be nice to have an option in the app.UseIdentityServerBearerTokenAuthentication(...) call to say RegisterIdentityServerCorsPolicy = true. That would then fetch all registered CORS from IdentityServer and register a CorsPolicy for it, like it does on IdentityServer3 itself.

leastprivilege commented 8 years ago

separation of concerns.

That's separate middleware

svrooij commented 8 years ago

Do you know if IdentityServer provides something like the .well-known/openid-connect for fetching the CORS? Willing to create middleware for this purpose.

leastprivilege commented 8 years ago

I don't follow.

svrooij commented 8 years ago

Can I get a JSON file with all the CORS defined in IdentityServer? Or does this need to be built as well?

brockallen commented 8 years ago

IdentityServer's allowed CORS origins are for Ajax calls to its endpoints, not your web APIs' endpoints. If you want your web APIs to use the same list, then you'd have to build something to share them.
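
An added example, not part of the thread or of the project's code: one way to replace `CorsOptions.AllowAll` on the API with an explicit origin allowlist using Microsoft.Owin.Cors, registered as separate middleware ahead of token validation. The appSettings key `cors:allowedOrigins`, the authority URL and the scope name are assumptions; the list has to be kept in step with IdentityServer's by whatever sharing mechanism you build.

```csharp
using System;
using System.Configuration;
using System.Linq;
using System.Threading.Tasks;
using System.Web.Cors;
using IdentityServer3.AccessTokenValidation;
using Microsoft.Owin.Cors;
using Owin;

public class Startup
{
    // Builds the policy from a semicolon-separated appSetting (hypothetical key).
    // An empty or missing setting yields a policy with no origins, so the API
    // fails closed instead of falling back to "allow all".
    private static CorsPolicy BuildPolicy()
    {
        var raw = ConfigurationManager.AppSettings["cors:allowedOrigins"] ?? "";
        var policy = new CorsPolicy
        {
            AllowAnyHeader = true,
            AllowAnyMethod = true,
            // Assumption: callers send the bearer token in the Authorization
            // header, so cookies/credentials are not needed cross-origin.
            SupportsCredentials = false
        };
        var origins = raw.Split(new[] { ';' }, StringSplitOptions.RemoveEmptyEntries)
                         .Select(o => o.Trim().TrimEnd('/'));
        foreach (var origin in origins) policy.Origins.Add(origin);
        return policy;
    }

    public void Configuration(IAppBuilder app)
    {
        var policy = BuildPolicy();

        // CORS runs first so preflight OPTIONS requests, which carry no
        // access token, are answered before token validation.
        app.UseCors(new CorsOptions
        {
            PolicyProvider = new CorsPolicyProvider
            {
                PolicyResolver = request => Task.FromResult(policy)
            }
        });

        app.UseIdentityServerBearerTokenAuthentication(
            new IdentityServerBearerTokenAuthenticationOptions
            {
                Authority = "https://idsrv.example.com/core", // placeholder
                RequiredScopes = new[] { "api1" }             // placeholder
            });
    }
}
```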