[Openid-specs-ab] CORS response_mode
Vladimir Dzhuvinov
vladimir at connect2id.com
Tue Aug 25 06:31:10 UTC 2015
Hello,
Has there been any discussion on specifying a response_mode for CORS / XMLHttpRequests?
We have the following case:
* Browser-based JavaScript app
* id_token refreshed by OIDC authentication request sent via CORS XHR using the withCredentials flag so that the session cookie gets passed to the OP
My understanding is that for this to work the response must be returned with a non-302 HTTP status (otherwise the browser will transparently redirect); also the token must not be encoded in the fragment (the fragment cannot be accessed in an XHR).
Thanks,
Vladimir
--
Vladimir Dzhuvinov