Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Allow CORS on keys and token endpoints #775

Merged
merged 1 commit into from
Jan 17, 2017
Merged

Conversation

simonhege
Copy link
Contributor

As discussed in #766 this PR is to allow a js client to access keys and token end points.


// TODO(ericchiang): rate limit certain paths based on IP.
handleFunc("/token", s.handleToken)
handleFunc("/keys", s.handlePublicKeys)
handleWithCORS("/token", s.handleToken)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why the token endpoint?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

token endpoint could be used by a js application to get refresh token or to get a token in the hybrid or code flows.
In my use case I don't need it (implicit flow is enough for me), no problem to not handle CORS on it if you prefer.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's skip this for now. At some point I think we'll want to just allow specific flows instead of response_types. E.g.

allowedFlows := []string{"hybrid", "code", "implicit"}

When we do that, we can enable /token if "hybrid" is specified

@@ -116,7 +116,7 @@ type Server struct {

supportedResponseTypes map[string]bool

discoveryAllowedOrigins []string
allowedOrigins []string
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

since this is only used when setting up the handlers I don't think we need this on the server.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ok, will do


return discoveryHandler, nil
func (s *Server) setupCORS(handler http.Handler) http.Handler {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

maybe move this to where the handlers are setup?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do you mean in server/server.go ?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes. Maybe even inside of newServer as a closure.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ok, will do

Copy link
Contributor

@ericchiang ericchiang left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

@ericchiang ericchiang added this to the v2.1.0 milestone Jan 17, 2017
@rithujohn191
Copy link
Contributor

LGTM

@rithujohn191 rithujohn191 merged commit fe93f60 into dexidp:master Jan 17, 2017
@rithujohn191
Copy link
Contributor

@xeonx, it would be great if you could add your implicit flow example as an example-app for dex (refer: https://github.com/coreos/dex/tree/master/cmd/example-app).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants