Permissive CORS settings for the discovery endpoint only

[lortabac]

Hello,
We have some clients who want to call the discovery endpoint programmatically from the browser.
As far as I understand, in order to allow this flow we would need to set allowed_origins: [*] in the settings of the public API.
The problem is that I don't want to enable the same policy on all the public endpoints. I would like to allow any origin on the discovery endpoint, and have a more granular per-client policy on the other endpoints (/oauth2/token, /userinfo, /oauth2/revoke).
Is this currently possible? If not, does is make sense as a feature request?

[vinckr]

Hello @lortabac

Is this currently possible?

No, and I think it it also would not make sense to implement

Keep in mind that the OAuth 2.0 Authorization Endpoint (/oauth2/auth) doesn't expose CORS by design. This endpoint should never be consumed in a CORS-fashion.

Only endpoints /oauth2/token and /oauth2/revoke and wellknown can be consumed as an API, which makes it possible for them to be CORS-able.

More context here

[lortabac]

Thanks for your response!

I think there is a misunderstanding. I am not referring to the Authorization Endpoint (/oauth2/auth).

I am talking about the .well-known/openid-configuration endpoint. My client wants to consume it as an API but is having CORS errors.
I thought it was not possible but now I realize I was wrong. They just need to use Basic Authentication.

We can close this discussion as far as I'm concerned.