[OpenID] Discovery Endpoint CORS support?
Cal Heldenbrand
cal at fbsdata.com
Tue Jun 23 18:28:52 UTC 2015
What is a full ID token?
---------------------------------------------------------------
Cal Heldenbrand
Web Operations at FBS
Creators of flexmls <http://flexmls.com>® and Spark Platform
<http://sparkplatform.com>
cal at fbsdata.com
On Tue, Jun 23, 2015 at 1:18 PM, Breno de Medeiros <breno at google.com> wrote:
> A more important point is that we should have documented the usage of
> 'full' ID tokens that contain profile info.
>
> On Tue, Jun 23, 2015 at 11:10 AM, John Bradley <ve7jtb at ve7jtb.com> wrote:
>
>> Yes we should have mentioned that in the discovery spec. That and the
>> JWKS file for the keys.
>>
>> John B.
>>
>> On Jun 23, 2015, at 2:57 PM, Cal Heldenbrand <cal at fbsdata.com> wrote:
>>
>> Hi everyone,
>>
>> I noticed when reading through the OIDC core spec, Section 4
>> <http://openid.net/specs/openid-connect-standard-1_0-21.html#userinfo>
>> has a blurb recommending CORS header support:
>>
>>> The UserInfo Endpoint SHOULD support the use of Cross Origin Resource
>>> Sharing (CORS) [CORS] and or other methods as appropriate to enable Java
>>> Script Clients to access the endpoint.
>>
>>
>> But when I look through the Discovery document
>> <https://openid.net/specs/openid-connect-discovery-1_0.html>, there are
>> no mentions of CORS support. If an OP advertises the implicit flow in the
>> metadata, shouldn't CORS support be a requirement in the specification?
>> Otherwise a js client will choke on an AJAX discovery request, and the
>> whole process is busted unless the developer manually specifies the
>> endpoints.
>>
>> I ran into this when testing the Implicit flow against Google's discovery
>> endpoint, and started down the rabbit hole of reading. ;-)
>>
>> Thank you!
>>
>> --Cal
>>
>> ---------------------------------------------------------------
>> Cal Heldenbrand
>> Web Operations at FBS
>> Creators of flexmls <http://flexmls.com/>® and Spark Platform
>> <http://sparkplatform.com/>
>> cal at fbsdata.com
>> _______________________________________________
>> general mailing list
>> general at lists.openid.net
>> http://lists.openid.net/mailman/listinfo/openid-general
>
>
> --
> --Breno
>
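The failure mode raised in this thread, as an added example that is not part of any of the messages: given an OP's discovery metadata and the response headers of the discovery document, the JWKS file and the UserInfo endpoint, it reports which of them a JavaScript client could not read cross-origin. The hosts `op.example`, `app.example` and `other.example`, the sample headers and the function names are all constructed for illustration.

```javascript
// Added example. All URLs, metadata and headers below are constructed.
const DISCOVERY_URL = 'https://op.example/.well-known/openid-configuration';
const METADATA = {
  issuer: 'https://op.example',
  response_types_supported: ['code', 'id_token', 'id_token token'],
  jwks_uri: 'https://op.example/jwks',
  userinfo_endpoint: 'https://op.example/userinfo',
};
// Response headers as a browser would see them on a cross-origin GET.
const HEADERS = {
  [DISCOVERY_URL]: { 'Content-Type': 'application/json' }, // no CORS header
  'https://op.example/jwks': { 'Access-Control-Allow-Origin': 'https://other.example' },
  'https://op.example/userinfo': { 'access-control-allow-origin': '*' },
};

// True if a script at `origin` may read a non-credentialed GET response.
function corsReadable(headers, origin) {
  const found = Object.entries(headers)
    .find(([name]) => name.toLowerCase() === 'access-control-allow-origin');
  if (!found) return false; // header absent: the browser blocks the read
  const value = String(found[1]).trim();
  return value === '*' || value === origin;
}

// Implicit flow response types are the ones that do not contain "code".
function advertisesImplicit(metadata) {
  return (metadata.response_types_supported || [])
    .some((rt) => !rt.trim().split(/\s+/).includes('code'));
}

// Names of the endpoints a browser client fetches itself but cannot read.
// The authorization endpoint is reached by navigation, so it is not listed.
// UserInfo calls sending an Authorization header also need a preflight,
// which this check does not model.
function auditCors(discoveryUrl, metadata, headersByUrl, origin) {
  if (!advertisesImplicit(metadata)) return { implicit: false, blocked: [] };
  const endpoints = {
    discovery: discoveryUrl,
    jwks_uri: metadata.jwks_uri,
    userinfo_endpoint: metadata.userinfo_endpoint,
  };
  const blocked = Object.entries(endpoints)
    .filter(([, url]) => url && !corsReadable(headersByUrl[url] || {}, origin))
    .map(([name]) => name);
  return { implicit: true, blocked };
}

console.log(auditCors(DISCOVERY_URL, METADATA, HEADERS, 'https://app.example'));
```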