[OpenID] Discovery Endpoint CORS support?

John Bradley ve7jtb at ve7jtb.com
Tue Jun 23 18:10:10 UTC 2015


Yes, we should have mentioned that in the discovery spec. That and the JWKS file for the keys.

John B.
> On Jun 23, 2015, at 2:57 PM, Cal Heldenbrand <cal at fbsdata.com> wrote:
> 
> Hi everyone,
> 
> I noticed when reading through the OIDC core spec, Section 4 <http://openid.net/specs/openid-connect-standard-1_0-21.html#userinfo> has a blurb recommending CORS header support:  
> 
> The UserInfo Endpoint SHOULD support the use of Cross Origin Resource Sharing (CORS) [CORS] and or other methods as appropriate to enable Java Script Clients to access the endpoint.
> 
> But when I look through the Discovery document <https://openid.net/specs/openid-connect-discovery-1_0.html>, there are no mentions of CORS support.  If an OP advertises the implicit flow in the metadata, shouldn't CORS support be a requirement in the specification?  Otherwise a js client will choke on an AJAX discovery request, and the whole process is busted unless the developer manually specifies the endpoints.
> 
> I ran into this when testing the Implicit flow against Google's discovery endpoint, and started down the rabbit hole of reading.  ;-)
> 
> Thank you!
> 
> --Cal
> 
> ---------------------------------------------------------------
> Cal Heldenbrand
>    Web Operations at FBS
>    Creators of flexmls <http://flexmls.com/>® and Spark Platform <http://sparkplatform.com/>
>    cal at fbsdata.com <mailto:cal at fbsdata.com>
> _______________________________________________
> general mailing list
> general at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-general
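
Added example, not part of the original thread and not code from either poster: a small audit of whether a browser client could read an OP's discovery document and JWKS file cross-origin, which is the failure described above. It applies the browser's CORS response check to captured response headers; all hosts, origins and header values are constructed, and the function names are hypothetical.

```javascript
// Would a browser let script at `origin` read a response with these headers?
// Covers the CORS response check for a simple GET (no preflight), which is
// what an unauthenticated fetch of discovery metadata or the JWKS file is.
function corsAllowsRead(origin, headers, credentialed = false) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v).trim();
  const allow = h['access-control-allow-origin'];
  if (allow === undefined) return false;          // no CORS header: read is blocked
  if (credentialed) {
    // "*" is not honoured with credentials; needs the exact origin plus ACAC: true.
    return allow === origin && h['access-control-allow-credentials'] === 'true';
  }
  return allow === '*' || allow === origin;       // exact, case-sensitive match
}

// True when the metadata advertises a response type that returns tokens
// straight from the authorization endpoint (implicit flow, used by JS clients).
function advertisesImplicit(metadata) {
  return (metadata.response_types_supported || []).some((rt) => {
    const parts = rt.split(' ');
    return !parts.includes('code') && (parts.includes('id_token') || parts.includes('token'));
  });
}

// Report which of the documents a JS client needs would be unreadable from `origin`.
function auditOp(origin, metadata, responses) {
  const needed = ['discovery', 'jwks_uri'];
  const blocked = needed.filter((name) => !corsAllowsRead(origin, responses[name] || {}));
  return { implicit: advertisesImplicit(metadata), blocked };
}

// Constructed sample: an OP that advertises implicit flow but serves discovery
// with no CORS header and the JWKS file with a header naming a different origin.
const sampleMetadata = {
  issuer: 'https://op.example',
  response_types_supported: ['code', 'id_token', 'id_token token'],
};
const sampleResponses = {
  discovery: { 'Content-Type': 'application/json' },
  jwks_uri: { 'Access-Control-Allow-Origin': 'https://other.example' },
};

const report = auditOp('https://app.example', sampleMetadata, sampleResponses);
console.log(report);
```

An OP for which `implicit` is true and `blocked` is non-empty forces browser clients to hard-code endpoints or proxy the requests through their own backend.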
