[Openid-specs-ab] [OpenID] Discovery Endpoint CORS support?

Mike Jones Michael.Jones at microsoft.com
Fri Aug 14 21:36:19 UTC 2015


What’s the full list of endpoints for which we failed to describe the need for CORS support?  And by what criteria can we know when it’s required?

                                                            -- Mike

From: general [mailto:openid-general-bounces at lists.openid.net] On Behalf Of John Bradley
Sent: Tuesday, June 23, 2015 2:10 PM
To: Cal Heldenbrand
Cc: openid-general at lists.openid.net
Subject: Re: [OpenID] Discovery Endpoint CORS support?

Yes we should have mentioned that in the discovery spec. That and the JWKS file for the keys.

John B.
On Jun 23, 2015, at 2:57 PM, Cal Heldenbrand <cal at fbsdata.com> wrote:

Hi everyone,
I noticed when reading through the OIDC core spec, Section 4<http://openid.net/specs/openid-connect-standard-1_0-21.html#userinfo> has a blurb recommending CORS header support:

The UserInfo Endpoint SHOULD support the use of Cross Origin Resource Sharing (CORS) [CORS] and or other methods as appropriate to enable Java Script Clients to access the endpoint.

But when I look through the Discovery document<https://openid.net/specs/openid-connect-discovery-1_0.html>, there are no mentions of CORS support.  If an OP advertises the implicit flow in the metadata, shouldn't CORS support be a requirement in the specification?  Otherwise a js client will choke on an AJAX discovery request, and the whole process is busted unless the developer manually specifies the endpoints.
I ran into this when testing the Implicit flow against Google's discovery endpoint, and started down the rabbit hole of reading.  ;-)
Thank you!
--Cal
---------------------------------------------------------------
Cal Heldenbrand
   Web Operations at FBS
   Creators of flexmls<http://flexmls.com/>® and Spark Platform<http://sparkplatform.com/>
   cal at fbsdata.com
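
Added example, not part of the original thread or of any OpenID specification: a JavaScript model of the header checks a browser applies before page script may read the discovery document, the JWKS and the UserInfo response. The origin, the header sets and the function names are constructed for illustration; only response headers are modeled (a real preflight must also return a 2xx status).

```javascript
// Models the browser-side CORS checks for the three OP endpoints named in
// the thread. All origins and header sets below are constructed samples.

// Case-insensitive header lookup on a plain object.
function header(headers, name) {
  const key = Object.keys(headers).find(k => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? null : String(headers[key]).trim();
}

// CORS check for a request sent without cookies: the response must carry
// Access-Control-Allow-Origin equal to "*" or to the requesting origin.
function originAllowed(origin, headers) {
  const acao = header(headers, "Access-Control-Allow-Origin");
  return acao === "*" || acao === origin;
}

// A GET carrying an Authorization header is not a "simple" request, so the
// browser sends an OPTIONS preflight first. The preflight response must allow
// the origin and list "authorization" explicitly; under the Fetch standard a
// "*" wildcard in Access-Control-Allow-Headers does not cover that header.
function preflightAllowsAuthorization(origin, preflightHeaders) {
  if (!originAllowed(origin, preflightHeaders)) return false;
  const allowed = (header(preflightHeaders, "Access-Control-Allow-Headers") || "")
    .split(",").map(h => h.trim().toLowerCase());
  return allowed.includes("authorization");
}

// Decide whether page script at `origin` can read each endpoint's response.
function auditOp(origin, op) {
  return {
    discovery: originAllowed(origin, op.discovery),
    jwks: originAllowed(origin, op.jwks),
    userinfo: preflightAllowsAuthorization(origin, op.userinfoPreflight) &&
              originAllowed(origin, op.userinfo),
  };
}

// Constructed sample: an OP that followed only the UserInfo recommendation.
const sampleOp = {
  discovery: { "Content-Type": "application/json" },
  jwks: { "Content-Type": "application/json" },
  userinfoPreflight: { "Access-Control-Allow-Origin": "*",
                       "Access-Control-Allow-Headers": "Authorization" },
  userinfo: { "Access-Control-Allow-Origin": "*" },
};

console.log(auditOp("https://client.example", sampleOp));
```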
