-
-
Notifications
You must be signed in to change notification settings - Fork 242
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CORS - OPTIONS request blocked on userinfo request #249
Comments
Hi @happy-dev, nice to hear this lib helps you. The spec says:
So we can't add OPTIONS to the userinfo endpoint. If we add I'll check what others frameworks are doing with this. |
@juanifioren The spec also states:
Supporting OPTIONS is part of supporting CORS: https://www.w3.org/TR/access-control/. The preflight OPTIONS request is a side effect of a GET or POST request issued by the client. The OPTIONS implementation only needs to return the relevant headers -- it does not need to carry out the full userinfo request or return the standard response body. |
Example for juanifioren#249. If this approach seems acceptable I can add/update tests.
Example for juanifioren#249. If this approach seems acceptable I can add/update tests.
@juanifioren : Thanks for your response @q3aiml : Exactly. I think you understood perfectly |
You're not. We ran head first into this issue as well (trying to do an ajax call to a 3rd party that authenticates against us..). We've punted on it for the time being so I'm very happy there is a solution. |
to be released on next version |
Thanks for your fix @q3aiml, |
Opened a new issue for the blocking thing #304 |
Hi guys,
Thank you for this great application. It saved us a lot of time.
If the client app is not served by the same server as our Django OIDC provider, the OPTIONS request triggered by the browser on the
/openid/userinfo
URL fails for three reasons :OPTIONS
HTTP verb is blocked by the applicationAuthorization
header is not sent to the server in the OPTIONS preflightAuthorization
header is not whitelisted in theAccess-Control-Allow-Headers
We coded a workaround on our side, but wanted to let you know of the problem.
I would be surprised to be the first facing it.
If you have a recommanded solution, I would be happy to implement it.
All the best !
The text was updated successfully, but these errors were encountered: