From da8ba49b775fd3797db3c842df688fd7ea44b976 Mon Sep 17 00:00:00 2001 From: Daniel Fett Date: Mon, 5 Jun 2023 16:09:55 +0200 Subject: [PATCH 1/6] Proposal for CORS language --- recommendations.md | 10 ++++++++++ references.md | 8 ++++++++ 2 files changed, 18 insertions(+) diff --git a/recommendations.md b/recommendations.md index 1fddd2a..b34443b 100644 --- a/recommendations.md +++ b/recommendations.md @@ -241,3 +241,13 @@ If the authorization response is sent with in-browser communication techniques like postMessage [@postmessage_api] instead of HTTP redirects, both the initiator and receiver of the in-browser message MUST be strictly verified as described in (#rec_ibc). + +### Usage of CORS + +To support browser-based clients, endpoints directly accessed by such clients +including the Token Endpoint, Authorization Server Metadata Endpoint, `jwks_uri` +Endpoint, and the Dynamic Client Registration Endpoint MAY support the use of +Cross-Origin Resource Sharing (CORS, [@CORS]). + +However, CORS MUST NOT be supported at the Authorization Endpoint as it is redirected +to by the client and not directly accessed. diff --git a/references.md b/references.md index 06f3bdc..26ab32f 100644 --- a/references.md +++ b/references.md @@ -295,3 +295,11 @@ OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens + + + + Fetch Standard: CORS protocol + WHATWG + + + \ No newline at end of file From a2d461e8690a6d4610fc96211ada95ac905c5874 Mon Sep 17 00:00:00 2001 From: Daniel Fett Date: Mon, 5 Jun 2023 16:11:12 +0200 Subject: [PATCH 2/6] Editorial --- recommendations.md | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/recommendations.md b/recommendations.md index b34443b..a5343e3 100644 --- a/recommendations.md +++ b/recommendations.md 
@@ -242,12 +242,9 @@ like postMessage [@postmessage_api] instead of HTTP redirects, both the initiator and receiver of the in-browser message MUST be strictly verified as described in (#rec_ibc). -### Usage of CORS - To support browser-based clients, endpoints directly accessed by such clients including the Token Endpoint, Authorization Server Metadata Endpoint, `jwks_uri` Endpoint, and the Dynamic Client Registration Endpoint MAY support the use of -Cross-Origin Resource Sharing (CORS, [@CORS]). - -However, CORS MUST NOT be supported at the Authorization Endpoint as it is redirected -to by the client and not directly accessed. +Cross-Origin Resource Sharing (CORS, [@CORS]). However, CORS MUST NOT be +supported at the Authorization Endpoint as it is redirected to by the client and +not directly accessed. From 7f8d30c817e4cea5d2b442b48ae9adda9f0bc50a Mon Sep 17 00:00:00 2001 From: Daniel Fett Date: Mon, 5 Jun 2023 16:22:03 +0200 Subject: [PATCH 3/6] Add document history --- documenthistory.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/documenthistory.md b/documenthistory.md index 9b016ef..4f9f6fb 100644 --- a/documenthistory.md +++ b/documenthistory.md @@ -2,6 +2,13 @@ [[ To be removed from the final specification ]] + -23 + + * Added CORS considerations + * Reworded (#client_impersonating_countermeasures) to be more in line with OAuth 2.1 + * Editorial changes + * Clarifications and updated references + -22 * Added section on securing in-browser communication From 4b431b37f7ed3c831fde519cf515fede78c33fe6 Mon Sep 17 00:00:00 2001 From: Daniel Fett Date: Mon, 5 Jun 2023 16:53:32 +0200 Subject: [PATCH 4/6] Fix reference --- references.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/references.md b/references.md index 26ab32f..aec2e2b 100644 --- a/references.md +++ b/references.md 
@@ -296,10 +296,10 @@ OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens - + Fetch Standard: CORS protocol WHATWG - \ No newline at end of file + From 87a04524516f59f4f652da49319d236ebf5eaf7d Mon Sep 17 00:00:00 2001 From: Daniel Fett Date: Mon, 5 Jun 2023 17:11:26 +0200 Subject: [PATCH 5/6] Update recommendations.md Co-authored-by: Aaron Parecki --- recommendations.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/recommendations.md b/recommendations.md index a5343e3..e0096c3 100644 --- a/recommendations.md +++ b/recommendations.md @@ -246,5 +246,5 @@ To support browser-based clients, endpoints directly accessed by such clients including the Token Endpoint, Authorization Server Metadata Endpoint, `jwks_uri` Endpoint, and the Dynamic Client Registration Endpoint MAY support the use of Cross-Origin Resource Sharing (CORS, [@CORS]). However, CORS MUST NOT be -supported at the Authorization Endpoint as it is redirected to by the client and +supported at the Authorization Endpoint as the client does not access this not directly accessed. From 39c70e68be1034fc774da86a2abce1bff475a7c2 Mon Sep 17 00:00:00 2001 From: Daniel Fett Date: Mon, 5 Jun 2023 17:11:31 +0200 Subject: [PATCH 6/6] Update recommendations.md Co-authored-by: Aaron Parecki --- recommendations.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/recommendations.md b/recommendations.md index e0096c3..3d62a78 100644 --- a/recommendations.md +++ b/recommendations.md @@ -247,4 +247,4 @@ including the Token Endpoint, Authorization Server Metadata Endpoint, `jwks_uri` Endpoint, and the Dynamic Client Registration Endpoint MAY support the use of Cross-Origin Resource Sharing (CORS, [@CORS]). However, CORS MUST NOT be supported at the Authorization Endpoint as the client does not access this -not directly accessed. +endpoint directly, instead the client redirects the user agent to it.
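Review bot: in PATCH 1/6, recommendations.md hunk, the list of endpoints is not set off from the sentence it interrupts, so "endpoints directly accessed by such clients including the Token Endpoint ... and the Dynamic Client Registration Endpoint MAY support" reads as a run-on; add commas around the parenthetical ("endpoints directly accessed by such clients, including the Token Endpoint, ..., and the Dynamic Client Registration Endpoint, MAY support ...") or move the examples into a short list so the normative MAY stands out.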
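Review bot: in PATCH 1/6, references.md hunk, the new CORS reference is added without a trailing newline ("\ No newline at end of file"), which PATCH 4/6 then fixes; squash the fix into 1/6 so the series does not carry a broken intermediate state. Only the title "Fetch Standard: CORS protocol" and "WHATWG" survive in the extracted hunk, so confirm the entry carries whatever target URL and date fields the existing references in this file use, otherwise [@CORS] will not resolve in the rendered draft.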
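Review bot: in PATCH 2/6 the "### Usage of CORS" heading is removed, which leaves the CORS guidance as a trailing paragraph of the subsection on in-browser communication (postMessage, (#rec_ibc)); a reader looking for CORS requirements will not find them from the table of contents. If the intent is to avoid a one-paragraph subsection, consider at least keeping an anchor so the new "Added CORS considerations" history entry in PATCH 3/6 can point somewhere.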
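Review bot: in PATCH 5/6 the hunk leaves the sentence as "supported at the Authorization Endpoint as the client does not access this not directly accessed.", which is not a sentence and only becomes one after PATCH 6/6; both commits apply co-authored suggestions to the same line, so squash 5/6 and 6/6 into one commit so that every commit in the series leaves the text readable.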
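Review bot: in PATCH 6/6 the final wording "as the client does not access this endpoint directly, instead the client redirects the user agent to it." is a comma splice; suggest "as the client does not access this endpoint directly; instead, the client redirects the user agent to it." The rationale itself is the right one to state next to the MUST NOT, since it explains why CORS support at the Authorization Endpoint would serve no legitimate client request.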