[Openid-specs-ab] CORS response_mode

Vladimir Dzhuvinov vladimir at connect2id.com
Tue Aug 25 06:31:10 UTC 2015


Has there been any discussion on specifying a response_mode for CORS / XMLHttpRequests?

We have the following case:

* Browser-based JavaScript app

* id_token refreshed by an OIDC authentication request sent via CORS XHR using the withCredentials flag so that the session cookie gets passed to the OP

My understanding is that for this to work the response must be returned with a non-302 HTTP status (otherwise the browser will transparently redirect); also the token must not be encoded in the fragment (the fragment cannot be accessed in an XHR).



Vladimir Dzhuvinov
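The two constraints stated in the message above (a 302 is followed transparently; a fragment is invisible to the XHR), as an added illustration that is not part of the original post. It models the browser's behaviour in plain functions; the JSON response body, the URLs and the responses are constructed sample values, and the JSON shape is a hypothetical XHR-friendly response_mode, not one the post or OIDC defines.

```javascript
// Added illustration, not part of the original post: a model of what a
// browser XMLHttpRequest lets script observe when an OIDC authentication
// response comes back over CORS (withCredentials set). Two browser
// behaviours are encoded:
//  1. a 3xx with a Location header is followed transparently; script never
//     sees the 302 itself, only the redirect target's response;
//  2. xhr.responseURL is the final URL with its fragment removed, so an
//     id_token encoded in the fragment is unreachable from script.

function stripFragment(url) {
  const u = new URL(url);
  u.hash = '';
  return u.toString();
}

// `res` is the OP's raw response ({status, headers, body}); returns the
// view the XHR object exposes. Assumption: the redirect target answers
// 200 with an empty body and passes the CORS check.
function xhrView(res, requestUrl) {
  if (res.status >= 300 && res.status < 400 && res.headers.location) {
    return { status: 200, responseURL: stripFragment(res.headers.location), responseText: '' };
  }
  return { status: res.status, responseURL: stripFragment(requestUrl), responseText: res.body || '' };
}

// Try to recover id_token from what script can reach: the query component
// of responseURL, then a JSON body. The JSON shape is a hypothetical
// XHR-friendly response_mode, not something the post or OIDC defines.
function readIdToken(view) {
  const fromQuery = new URL(view.responseURL).searchParams.get('id_token');
  if (fromQuery) return fromQuery;
  try {
    return JSON.parse(view.responseText).id_token || null;
  } catch (_) {
    return null;
  }
}

// Constructed sample responses.
const AUTHZ_URL = 'https://op.example/authorize?response_type=id_token&client_id=c1&nonce=n1';
const fragmentRedirect = {
  status: 302,
  headers: { location: 'https://app.example/cb#id_token=TOKEN_FRAGMENT&state=s1' },
  body: '',
};
const jsonResponse = {
  status: 200,
  headers: { 'content-type': 'application/json' },
  body: JSON.stringify({ id_token: 'TOKEN_JSON', state: 's1' }),
};

console.log(readIdToken(xhrView(fragmentRedirect, AUTHZ_URL))); // null: token lost with the fragment
console.log(readIdToken(xhrView(jsonResponse, AUTHZ_URL)));     // TOKEN_JSON
```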

