-
Notifications
You must be signed in to change notification settings - Fork 1.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow CORS on keys and token endpoints #775
Conversation
|
||
// TODO(ericchiang): rate limit certain paths based on IP. | ||
handleFunc("/token", s.handleToken) | ||
handleFunc("/keys", s.handlePublicKeys) | ||
handleWithCORS("/token", s.handleToken) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
why the token endpoint?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
token endpoint could be used by a js application to get refresh token or to get a token in the hybrid or code flows.
In my use case I don't need it (implicit flow is enough for me), no problem to not handle CORS on it if you prefer.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Let's skip this for now. At some point I think we'll want to just allow specific flows instead of response_types. E.g.
allowedFlows := []string{"hybrid", "code", "implicit"}
When we do that, we can enable /token if "hybrid" is specified
@@ -116,7 +116,7 @@ type Server struct { | |||
|
|||
supportedResponseTypes map[string]bool | |||
|
|||
discoveryAllowedOrigins []string | |||
allowedOrigins []string |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
since this is only used when setting up the handlers I don't think we need this on the server.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ok, will do
|
||
return discoveryHandler, nil | ||
func (s *Server) setupCORS(handler http.Handler) http.Handler { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
maybe move this to where the handlers are setup?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do you mean in server/server.go ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes. Maybe even inside of newServer as a closure.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ok, will do
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
lgtm
LGTM |
@xeonx, it would be great if you could add your implicit flow example as an example-app for dex (refer: https://github.com/coreos/dex/tree/master/cmd/example-app). |
As discussed in #766 this PR is to allow a js client to access keys and token end points.