[OpenID] Discovery Endpoint CORS support?
Breno de Medeiros
breno at google.com
Tue Jun 23 18:18:38 UTC 2015
A more important point is that we should have documented the usage of
'full' ID tokens that contain profile info.
On Tue, Jun 23, 2015 at 11:10 AM, John Bradley <ve7jtb at ve7jtb.com> wrote:
> Yes we should have mentioned that in the discovery spec. That and the
> JWKS file for the keys.
>
> John B.
>
> On Jun 23, 2015, at 2:57 PM, Cal Heldenbrand <cal at fbsdata.com> wrote:
>
> Hi everyone,
>
> I noticed when reading through the OIDC core spec, Section 4
> <http://openid.net/specs/openid-connect-standard-1_0-21.html#userinfo>
> has a blurb recommending CORS header support:
>
>> The UserInfo Endpoint SHOULD support the use of Cross Origin Resource
>> Sharing (CORS) [CORS] and or other methods as appropriate to enable Java
>> Script Clients to access the endpoint.
>
>
> But when I look through the Discovery document
> <https://openid.net/specs/openid-connect-discovery-1_0.html>, there are
> no mentions of CORS support. If an OP advertises the implicit flow in the
> metadata, shouldn't CORS support be a requirement in the specification?
> Otherwise a js client will choke on an AJAX discovery request, and the
> whole process is busted unless the developer manually specifies the
> endpoints.
>
> I ran into this when testing the Implicit flow against Google's discovery
> endpoint, and started down the rabbit hole of reading. ;-)
>
> Thank you!
>
> --Cal
>
> ---------------------------------------------------------------
> Cal Heldenbrand
> Web Operations at FBS
> Creators of flexmls <http://flexmls.com/>® and Spark Platform
> <http://sparkplatform.com/>
> cal at fbsdata.com
--
--Breno
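
The gap raised in this thread, as an added example that is not part of the original messages or of any OpenID specification: given an OP's discovery metadata and the CORS response headers observed on its discovery, JWKS and UserInfo endpoints, list the endpoints a browser-only client could not read. The hosts `op.example` and `app.example`, the sample headers and all function names are constructed for illustration; header names are assumed to be lowercased already.

```javascript
// Constructed sample: discovery metadata plus the CORS response headers each
// endpoint returned to a cross-origin request from https://app.example.
const sampleMetadata = {
  issuer: "https://op.example",
  response_types_supported: ["code", "id_token", "id_token token"],
  jwks_uri: "https://op.example/jwks",
  userinfo_endpoint: "https://op.example/userinfo",
};
const sampleHeaders = {
  discovery: {}, // no CORS headers at all
  jwks_uri: { "access-control-allow-origin": "*" },
  userinfo_endpoint: {
    "access-control-allow-origin": "https://app.example",
    "access-control-allow-headers": "Authorization",
  },
};

// True when a browser lets script at `origin` read an uncredentialed response.
function originAllowed(headers, origin) {
  const acao = (headers["access-control-allow-origin"] || "").trim();
  return acao === "*" || acao === origin;
}

// UserInfo is called with a bearer token, so the browser preflights the
// request and the Authorization header has to be listed by name.
function authorizationHeaderAllowed(headers) {
  return (headers["access-control-allow-headers"] || "")
    .split(",").map((h) => h.trim().toLowerCase()).includes("authorization");
}

// Implicit response types: "id_token", "id_token token" (and OAuth's "token").
// Anything containing "code" is the code or hybrid flow.
function advertisesImplicit(metadata) {
  return (metadata.response_types_supported || []).some((rt) => {
    const parts = rt.split(" ").filter(Boolean);
    return parts.length > 0 && parts.every((p) => p === "token" || p === "id_token");
  });
}

// Endpoints a browser-only client at `origin` could not read.
function corsGaps(metadata, headersByEndpoint, origin) {
  if (!advertisesImplicit(metadata)) return [];
  return ["discovery", "jwks_uri", "userinfo_endpoint"].filter((name) => {
    const h = headersByEndpoint[name] || {};
    if (!originAllowed(h, origin)) return true;
    return name === "userinfo_endpoint" && !authorizationHeaderAllowed(h);
  });
}
```

With the constructed sample, only the discovery document is reported, which is the situation described in the original question.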