stonith404 / pocket-id

A simple OIDC provider that allows users to authenticate with their passkeys to your services.
BSD 2-Clause "Simplified" License
339 stars 4 forks

🐛 Bug Report: CORS issue when using PKCE Code Challenge with SPA #64

Closed cdemi closed 3 days ago

cdemi commented 5 days ago

Reproduction steps

You can test it using https://oidcdebugger.com/ Authorization Code Flow with PKCE

Expected behavior

To be honest, no idea what the expected behaviour should be. Maybe the callback domains could be added to the CORS list?

Actual Behavior

Access to XMLHttpRequest at 'https://mypocketiddomain/api/oidc/token' from origin 'https://oidcdebugger.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

cdemi commented 5 days ago

Actually, looks like the CORS issue does not only affect the /api/oidc/token endpoint but also the /.well-known/openid-configuration.

For example, in Grafana, when you try to set up Generic OAuth, you can give it the OpenID Connect Discovery URL and the browser fetches it to auto-populate the fields, but due to CORS: `Access to fetch at 'https://mypocketiddomain/.well-known/openid-configuration' from origin 'https://mygrafanadomain' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.`
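The two endpoints named in this report need different CORS answers: the discovery document is public metadata any origin may read, while the token endpoint should only be reachable cross-origin from browsers running a registered client, which is what "add the callback domains to the CORS list" amounts to. The following is an added example written for this thread, not code from pocket-id or from either commenter. It assumes a stand-in `Client` type with registered redirect URIs, the paths `/api/oidc/token` and `/.well-known/openid-configuration` from the error messages above, and a constructed `sampleClients` list; the origin of each http(s) redirect URI becomes an allowed origin for the token endpoint, the Origin header is echoed (never `*`) with `Vary: Origin`, no `Access-Control-Allow-Credentials` is sent because PKCE public clients carry no cookies, and a preflight from an unknown origin is refused.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Client is a stand-in for a registered OIDC client (an assumption for this
// example, not pocket-id's own model).
type Client struct {
	ID           string
	RedirectURIs []string
}

// sampleClients is constructed data: the first two mirror the callers in the
// report, the third is a native client whose custom-scheme URI yields no origin.
var sampleClients = []Client{
	{ID: "spa-debugger", RedirectURIs: []string{"https://oidcdebugger.com/debug"}},
	{ID: "grafana", RedirectURIs: []string{"https://mygrafanadomain/login/generic_oauth"}},
	{ID: "native", RedirectURIs: []string{"myapp://callback", "http://127.0.0.1:8400/cb"}},
}

// allowedOrigins derives the browser origins (scheme://host[:port]) permitted to
// call the token endpoint from every registered http(s) redirect URI.
func allowedOrigins(clients []Client) map[string]bool {
	out := make(map[string]bool)
	for _, c := range clients {
		for _, raw := range c.RedirectURIs {
			u, err := url.Parse(raw)
			if err != nil || u.Host == "" || (u.Scheme != "http" && u.Scheme != "https") {
				continue // malformed or custom-scheme URI: no browser origin to allow
			}
			out[strings.ToLower(u.Scheme+"://"+u.Host)] = true
		}
	}
	return out
}

// corsPolicy applies endpoint-specific CORS rules: "*" for the public discovery
// document, an echoed Origin for the token endpoint only when it comes from a
// registered redirect URI, and no CORS headers anywhere else. An actual request
// from a disallowed origin is still served (CORS only governs what the browser
// may read; the token endpoint itself is protected by the PKCE verifier and the
// client binding), but its preflight is refused with 403.
func corsPolicy(next http.Handler, clients []Client) http.Handler {
	origins := allowedOrigins(clients)
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		origin := r.Header.Get("Origin")
		allow := ""
		switch {
		case origin == "":
			// same-origin or non-browser caller: nothing to do
		case r.URL.Path == "/.well-known/openid-configuration":
			allow = "*"
		case r.URL.Path == "/api/oidc/token" && origins[strings.ToLower(origin)]:
			allow = origin
			w.Header().Add("Vary", "Origin") // per-origin answer must not be cached across origins
		}
		if allow != "" {
			w.Header().Set("Access-Control-Allow-Origin", allow)
			w.Header().Set("Access-Control-Allow-Methods", "GET, POST, OPTIONS")
			w.Header().Set("Access-Control-Allow-Headers", "Content-Type")
			w.Header().Set("Access-Control-Max-Age", "600")
		}
		if r.Method == http.MethodOptions && origin != "" {
			if allow == "" {
				w.WriteHeader(http.StatusForbidden)
			} else {
				w.WriteHeader(http.StatusNoContent)
			}
			return
		}
		next.ServeHTTP(w, r)
	})
}

// newPolicy attaches the policy to a stub backend standing in for the real
// token and discovery handlers.
func newPolicy(clients []Client) http.Handler {
	backend := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		fmt.Fprint(w, `{"ok":true}`)
	})
	return corsPolicy(backend, clients)
}

// probe runs one request through the policy and returns the
// Access-Control-Allow-Origin header and status the browser would see.
func probe(h http.Handler, method, path, origin string) (string, int) {
	req := httptest.NewRequest(method, path, nil)
	if origin != "" {
		req.Header.Set("Origin", origin)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Header().Get("Access-Control-Allow-Origin"), rec.Code
}

func main() {
	h := newPolicy(sampleClients)
	for _, c := range [][3]string{
		{"POST", "/api/oidc/token", "https://oidcdebugger.com"},
		{"OPTIONS", "/api/oidc/token", "https://evil.example"},
		{"GET", "/.well-known/openid-configuration", "https://mygrafanadomain"},
	} {
		acao, code := probe(h, c[0], c[1], c[2])
		fmt.Printf("%-7s %-36s origin=%-26s -> %d ACAO=%q\n", c[0], c[1], c[2], code, acao)
	}
}
```

The origin list is recomputed from the client registry on each wrap here; a real provider would rebuild it when a client's redirect URIs change. Keeping `Vary: Origin` on the echoed answer matters when a cache or CDN sits in front of the provider, otherwise one client's allow header can be replayed to another origin.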

stonith404 commented 3 days ago

PKCE is actually not implemented yet. I've created a feature request #65.

I'll close this issue but feel free to subscribe to #65 to get a notification when this gets implemented.