indigo-iam / iam

INDIGO Identity and Access Management Service
https://indigo-iam.github.io/

Enable CORS also on well-known endpoint #725

Closed federicaagostini closed 3 months ago

federicaagostini commented 3 months ago

When a GET request to the well-known endpoint which contains some Origin in the header is performed, IAM replies with Access-Control-Allow-Origin: * in the response header.

E.g. request without origin in the request header

$ curl -k http://localhost:8080/.well-known/openid-configuration -I 
HTTP/1.1 200 
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Content-Type: application/json;charset=UTF-8
Content-Language: en-US
Content-Length: 3113
Date: Mon, 11 Mar 2024 16:02:10 GMT

request with origin:

$ curl -k http://localhost:8080/.well-known/openid-configuration -I -H "Origin: https://test.example"
HTTP/1.1 200 
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Access-Control-Allow-Origin: *
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Content-Type: application/json;charset=UTF-8
Content-Language: en-US
Content-Length: 3113
Date: Mon, 11 Mar 2024 16:02:22 GMT

sonarcloud[bot] commented 3 months ago

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
100.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud

robbarnsley commented 2 months ago

Hi, I've been having CORS issues on our instance of IAM. Apologies if I've read this incorrectly, but is the result of these commits that the access-control-allow-origin is not set to * by default?

Commit 6adf138 seems to add a cors entry into the application.yml but 42537bb removes it.

federicaagostini commented 2 months ago

This PR always enables access-control-allow-origin to * for the well-known endpoint (we have decided to not make it configurable). Some other endpoints already allowed CORS, such as /token, /jwk, etc., but the well-known did not allow any CORS before this PR.

The feature is included in the next IAM release, which should happen within May.
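The header behaviour shown in the curl output above, as an added example (Python, not code from the IAM project or this PR): it parses `curl -I` style dumps of the discovery endpoint and reports whether CORS is enabled, whether the origin is the wildcard, whether `Vary: Origin` is present, and goes one step beyond the thread by flagging the wildcard combined with `Access-Control-Allow-Credentials: true`, which must never appear together. The two first sample dumps are trimmed copies of the responses above; the third is constructed to show the misconfigured case.

```python
# Added example, not code from the IAM project or this PR: parse `curl -I`
# style response dumps for the OIDC discovery endpoint and check CORS headers.
from typing import Dict, List


def parse_head_output(text: str) -> Dict[str, List[str]]:
    """Turn a `curl -I` dump into {lowercased-name: [values...]}.
    Repeated headers (IAM sends three Vary lines) are kept in order."""
    headers: Dict[str, List[str]] = {}
    for line in text.strip().splitlines():
        line = line.strip()
        # skip the echoed command line and the HTTP status line
        if not line or line.startswith("$ ") or line.startswith("HTTP/"):
            continue
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def check_cors(headers: Dict[str, List[str]]) -> Dict[str, bool]:
    """Evaluate CORS headers on a public, unauthenticated discovery document.
    A wildcard origin is fine here (the document holds no user data), but it
    must never be combined with Access-Control-Allow-Credentials: true."""
    acao = headers.get("access-control-allow-origin", [])
    creds = [c.lower() for c in headers.get("access-control-allow-credentials", [])]
    vary = [v.lower() for v in headers.get("vary", [])]
    return {
        "cors_enabled": bool(acao),
        "wildcard": acao == ["*"],
        "vary_origin": "origin" in vary,  # caches must key on Origin
        "insecure_credentials": acao == ["*"] and "true" in creds,
    }


# Sample dumps: the first two mirror the PR description above (trimmed);
# the third is constructed to show the misconfiguration the check flags.
NO_ORIGIN = """HTTP/1.1 200
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Content-Type: application/json;charset=UTF-8
"""
WITH_ORIGIN = NO_ORIGIN.replace("Content-Type", "Access-Control-Allow-Origin: *\nContent-Type")
BAD_CREDENTIALS = WITH_ORIGIN + "Access-Control-Allow-Credentials: true\n"

if __name__ == "__main__":
    for label, dump in (("no Origin", NO_ORIGIN), ("with Origin", WITH_ORIGIN),
                        ("wildcard + credentials", BAD_CREDENTIALS)):
        print(label, check_cors(parse_head_output(dump)))
```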