[Cleanup] CORS Settings #1028
Comments
Another potential bug here, even with CORS enabled, am I able to exchange an Am I reading this right? The other alternative is to whitelist CORS with the
Yeah, you're right, this is kind of awkward. The idea is that
Oh really? That's definitively a bug!
Indeed, there are two ways the token endpoint can be used (or rather three ways the token endpoint allows authorization):
Bearer tokens can be used when revoking access tokens, which is why this is enabled here.
Yes, this can be closed now!
I've been trying to tackle getting Hydra (v1.0.0-beta.9) up and running properly and have a couple thoughts:
CORS_ENABLED enables CORS on both the backend handler as well as the Client ID OAuth2 endpoints - should these be tied together? In other words, if I want CORS to work for my Clients but don't need it for the backend, why am I tied to both from a single setting?
/.well-known/ paths currently - what if my SPA needs to read this before trying to initiate a PKCE Auth Code flow, as is the case with the AppAuth-JS library?
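One way to scope CORS per route group rather than behind a single switch, as an added example that is not part of the issue or of Hydra's code base. The middleware, the policy table, the origin `https://spa.example` and the path prefixes are assumptions made for illustration.

```go
package main
import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)
// policies is a hypothetical, constructed table: only browser-facing paths get an exact-origin allowlist.
var policies = []struct {
	prefix, methods string
	origins         map[string]bool
}{
	{"/.well-known/", "GET", map[string]bool{"https://spa.example": true}},
	{"/oauth2/token", "POST", map[string]bool{"https://spa.example": true}},
}

// scopedCORS emits CORS headers only for a matching path and allowlisted Origin.
func scopedCORS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		origin := r.Header.Get("Origin")
		for _, p := range policies {
			if !strings.HasPrefix(r.URL.Path, p.prefix) {
				continue
			}
			w.Header().Add("Vary", "Origin") // response depends on Origin, so caches must key on it
			if p.origins[origin] {
				w.Header().Set("Access-Control-Allow-Origin", origin)
				if r.Method == http.MethodOptions { // answer the preflight here
					w.Header().Set("Access-Control-Allow-Methods", p.methods)
					w.Header().Set("Access-Control-Allow-Headers", "Authorization, Content-Type")
					w.WriteHeader(http.StatusNoContent)
					return
				}
			}
			break // unknown origin: no CORS headers, the browser blocks the read
		}
		next.ServeHTTP(w, r)
	})
}

// probe sends one constructed request through the middleware and returns the response.
func probe(method, path, origin string) *httptest.ResponseRecorder {
	req, rec := httptest.NewRequest(method, path, nil), httptest.NewRecorder()
	req.Header.Set("Origin", origin)
	scopedCORS(http.NotFoundHandler()).ServeHTTP(rec, req)
	return rec
}
func main() {
	fmt.Println(probe("GET", "/.well-known/openid-configuration", "https://spa.example").Header())
}
```

Paths outside the table, such as a backend handler, never receive `Access-Control-Allow-Origin`, so enabling CORS for the SPA does not widen the backend.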