Allow CORS on keys and token endpoints #775
Conversation
|
|
||
| // TODO(ericchiang): rate limit certain paths based on IP. | ||
| handleFunc("/token", s.handleToken) | ||
| handleFunc("/keys", s.handlePublicKeys) | ||
| handleWithCORS("/token", s.handleToken) |
There was a problem hiding this comment.
why the token endpoint?
There was a problem hiding this comment.
token endpoint could be used by a js application to get refresh token or to get a token in the hybrid or code flows.
In my use case I don't need it (implicit flow is enough for me), no problem to not handle CORS on it if you prefer.
There was a problem hiding this comment.
Let's skip this for now. At some point I think we'll want to just allow specific flows instead of response_types. E.g.
allowedFlows := []string{"hybrid", "code", "implicit"}
When we do that, we can enable /token if "hybrid" is specified
| @@ -116,7 +116,7 @@ type Server struct { | |||
|
|
|||
| supportedResponseTypes map[string]bool | |||
|
|
|||
| discoveryAllowedOrigins []string | |||
| allowedOrigins []string | |||
There was a problem hiding this comment.
since this is only used when setting up the handlers I don't think we need this on the server.
|
|
||
| return discoveryHandler, nil | ||
| func (s *Server) setupCORS(handler http.Handler) http.Handler { |
There was a problem hiding this comment.
maybe move this to where the handlers are setup?
There was a problem hiding this comment.
Do you mean in server/server.go ?
There was a problem hiding this comment.
Yes. Maybe even inside of newServer as a closure.
|
LGTM |
|
@xeonx, it would be great if you could add your implicit flow example as an example-app for dex (refer: https://github.com/coreos/dex/tree/master/cmd/example-app). |
As discussed in #766 this PR is to allow a js client to access keys and token end points.