[Openid-specs-ab] CORS response_mode
vladimir at connect2id.com
Tue Aug 25 06:31:10 UTC 2015
Has there been any discussion on specifying a response_mode for CORS / XMLHttpRequests?
We have the following case:
* id_token refreshed by OIDC authentication request sent via CORS XHR using the withCredentials flag so that the session cookie gets passed to the OP
My understanding is that for this to work the response must be returned with a non-302 HTTP status (otherwise the browser will transparently redirect); also the token must not be encoded in the fragment (the fragment cannot be accessed in an XHR).
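
Added example, not part of the original message and not taken from any OpenID specification: a model of the OP side of the case described above, returning the id_token in a 200 JSON body with credentialed-CORS headers instead of a 302 with a fragment. The response_mode value `xhr_json`, the per-client `allowedOrigins` registration and all sample values are assumptions made for illustration.

```javascript
'use strict';

// Hypothetical response_mode value; not defined by any OpenID specification.
const XHR_MODE = 'xhr_json';

// Builds the OP's reply to an authentication request (model only, no HTTP server).
// req.origin is the Origin request header; client.allowedOrigins is an assumed
// per-client registration of origins permitted to make credentialed XHRs.
function buildAuthResponse(req, client, tokens) {
  if (req.responseMode !== XHR_MODE) {
    // Redirect-based reply: 302 with the token in the fragment, which an XHR
    // caller cannot use because the browser follows the redirect itself.
    const frag = new URLSearchParams({ id_token: tokens.idToken, state: req.state });
    return { status: 302, headers: { Location: `${client.redirectUri}#${frag}` }, body: '' };
  }
  if (!client.allowedOrigins.includes(req.origin)) {
    // No CORS headers: the browser will not expose this response to the page.
    return { status: 403, headers: { 'Cache-Control': 'no-store' }, body: '' };
  }
  return {
    status: 200,
    headers: {
      // With credentials the exact origin must be echoed; "*" is not accepted.
      'Access-Control-Allow-Origin': req.origin,
      'Access-Control-Allow-Credentials': 'true',
      'Vary': 'Origin',
      'Cache-Control': 'no-store',
      'Content-Type': 'application/json',
    },
    body: JSON.stringify({ id_token: tokens.idToken, state: req.state }),
  };
}

// Constructed sample values.
const client = { redirectUri: 'https://rp.example/cb', allowedOrigins: ['https://rp.example'] };
const tokens = { idToken: 'eyJ.constructed.sample' };
const ok = buildAuthResponse(
  { responseMode: XHR_MODE, origin: 'https://rp.example', state: 'af0ifjsldkj' }, client, tokens);
console.log(ok.status, ok.headers['Access-Control-Allow-Origin'], ok.body);
```

The origin allowlist is what keeps an arbitrary page from using the user's OP session cookie to read a token through a credentialed XHR.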