Closed federicaagostini closed 3 months ago
This PR always enables access-control-allow-origin to * for the well-known endpoint (we have decided to not make it configurable). Some other endpoints already allowed CORS, such as /token, /jwk, etc., but the well-known did not allow any CORS before this PR.
The feature is included in the next IAM release, which should happen within May.
When a GET request to the well-known endpoint which contains some Origin in the header is performed, IAM replies with
Access-Control-Allow-Origin: *
in the response header.
E.g. request without origin in the request header:
request with origin:
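
Added example, not part of the PR or of IAM's code: the check a browser applies to a cross-origin GET (simplified from the Fetch standard), run on constructed response headers for the well-known endpoint before and after this change. The origin `https://client.example` and the function names are assumptions made for the illustration.

```python
# Simplified CORS check from the Fetch standard for a cross-origin GET.
# All sample headers and the origin below are constructed for this example.

def cors_check(request_origin, credentials, response_headers):
    """Return True if the browser lets the calling script read the response.

    request_origin   -- serialized origin of the page issuing the fetch
    credentials      -- True when the fetch uses credentials mode "include"
    response_headers -- dict of response header names to values
    """
    headers = {k.lower(): v.strip() for k, v in response_headers.items()}
    allow_origin = headers.get("access-control-allow-origin")
    if allow_origin is None:
        return False                      # no CORS header: read is blocked
    if not credentials and allow_origin == "*":
        return True                       # wildcard only covers anonymous requests
    if allow_origin != request_origin:
        return False                      # "*" never matches a credentialed request
    if not credentials:
        return True
    # Credentialed reads additionally need an explicit opt-in from the server.
    return headers.get("access-control-allow-credentials") == "true"


ORIGIN = "https://client.example"                      # constructed
BEFORE_PR = {"Content-Type": "application/json"}       # constructed: no CORS header
AFTER_PR = {"Content-Type": "application/json",
            "Access-Control-Allow-Origin": "*"}        # header described in the PR


def audit():
    """Evaluate the well-known response before and after the change."""
    return {
        "before, anonymous": cors_check(ORIGIN, False, BEFORE_PR),
        "after, anonymous": cors_check(ORIGIN, False, AFTER_PR),
        "after, with credentials": cors_check(ORIGIN, True, AFTER_PR),
    }


if __name__ == "__main__":
    for case, readable in audit().items():
        print(f"{case}: {'readable' if readable else 'blocked'}")
```

The third case shows that the wildcard does not extend to requests sent with cookies or other credentials, which a browser will still refuse to expose to the calling page.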