[OpenID] Discovery Endpoint CORS support?

Cal Heldenbrand cal at fbsdata.com
Tue Jun 23 17:57:32 UTC 2015


Hi everyone,

I noticed when reading through the OIDC core spec, Section 4
<http://openid.net/specs/openid-connect-standard-1_0-21.html#userinfo> has
a blurb recommending CORS header support:

> The UserInfo Endpoint SHOULD support the use of Cross Origin Resource
> Sharing (CORS) [CORS] and or other methods as appropriate to enable Java
> Script Clients to access the endpoint.


But when I look through the Discovery document
<https://openid.net/specs/openid-connect-discovery-1_0.html>, there are no
mentions of CORS support.  If an OP advertises the implicit flow in the
metadata, shouldn't CORS support be a requirement in the specification?
Otherwise a js client will choke on an AJAX discovery request, and the
whole process is busted unless the developer manually specifies the
endpoints.

I ran into this when testing the Implicit flow against Google's discovery
endpoint, and started down the rabbit hole of reading.  ;-)

Thank you!

--Cal

---------------------------------------------------------------
Cal Heldenbrand
   Web Operations at FBS
   Creators of flexmls <http://flexmls.com>® and Spark Platform
<http://sparkplatform.com>
   cal at fbsdata.com
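
Added example, not part of the original message or of any OP's code: a check for the mismatch described above, where an OP advertises implicit-flow response types but serves its discovery document without CORS headers a browser-based client needs. The function names, the `op.example` / `app.example` hosts and the sample responses are constructed for illustration.

```javascript
// Would a browser let a script at `origin` read this response?
// Applies the CORS response-header rules for a simple GET (no preflight).
function corsReadable(headers, origin, withCredentials = false) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v).trim();
  const acao = h['access-control-allow-origin'];
  if (!acao) return false; // header absent: the browser blocks the read
  if (withCredentials) {
    // Credentialed requests need an exact origin echo plus Allow-Credentials: true.
    return acao === origin && h['access-control-allow-credentials'] === 'true';
  }
  return acao === '*' || acao === origin;
}

// Implicit flow response types contain only id_token and/or token (no code).
function advertisesImplicit(metadata) {
  const types = metadata.response_types_supported || [];
  return types.some((rt) => {
    const parts = rt.split(/\s+/).filter(Boolean);
    return parts.length > 0 && parts.every((p) => p === 'id_token' || p === 'token');
  });
}

// Flag an OP that offers the implicit flow but whose discovery document
// a JavaScript client running at clientOrigin cannot fetch.
function auditDiscovery(response, clientOrigin) {
  const implicit = advertisesImplicit(JSON.parse(response.body));
  const readable = corsReadable(response.headers, clientOrigin);
  return { implicit, readable, mismatch: implicit && !readable };
}

// Constructed sample responses (not captured from any real OP).
const body = JSON.stringify({
  issuer: 'https://op.example',
  response_types_supported: ['code', 'id_token', 'id_token token'],
});
const withoutCors = { headers: { 'Content-Type': 'application/json' }, body };
const withCors = {
  headers: { 'Content-Type': 'application/json', 'Access-Control-Allow-Origin': '*' },
  body,
};

console.log(auditDiscovery(withoutCors, 'https://app.example'));
console.log(auditDiscovery(withCors, 'https://app.example'));
```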