cicnavi
commented
1 year ago Hmmmm...
CORS should not kick in for simple HTTP requests as getting openid-configuration... Those should be simple HTTP GET requests, and this should work when cross-origin.
Try this: go to your web app, open up the console and run this:
// Just to show current 'origin' as the browser sees it...
console.log(window.location.origin);
// Try to get OIDC config from Google...
fetch('https://accounts.google.com/.well-known/openid-configuration')
.then((response) => response.json())
.then((data) => console.log(data));You should get HTTP 200 OK, without browser issuing any CORS related preflight requests (you can check this in the Network tab). You can replace Google with your SimpleSAMLphp instalation, it should also work without your proxy related modifications...
Ok, but there is a situation where CORS does kicks in, and that is for requests to 'userinfo' endpoint. This is because this request uses Authorization Bearer token header, and this triggers a preflight HTTP request (CORS). We actually do handle this. When you register your public client, you can see an 'Allowed origin' option. There you should enter any origin which will be allowed to send cross-origin requests to userinfo endpoint....
Hi - I've successfully setup this module within my simplesamlphp environment. Now I'm trying to use OIDC from within React, specifically with this module:
https://github.com/authts/react-oidc-context
With a little bit of extra configuration, I can get around the discovery endpoint not outputting CORS headers, however the token endpoint needs to have CORS headers sent to work. Once CORS headers are outputted, it works correctly. I have tested it by having my nginx proxy server in front of simplesamlphp output the headers temporarily.
Ideally it would be nice to support CORS on module.php/oidc/token.php and module.php/oidc/openid-configuration.php ( and .well-known/openid-configuration).