CORS requests against OIDC

Liam Hoekenga liamr at
Wed May 15 17:17:59 EDT 2019

We've deployed the GEANT OIDC extension and we have Angular developers who
are asking us to allow CORS requests against all of the URLs exposed by the

I've looked at some of the commercial and social providers and see that support
is mixed (Google and MS seem to support it, Salesforce doesn't, etc).

Our IDP is running behind an apache httpd proxy.

I'm hesitant to permit unrestricted access ("Access-Control-Allow-Origin:
*"), but allowing CORS /seems/ like a reasonable request?

I'm considering adding this to the OIDC urls ("/oidc/",
"/idp/profile/oidc/", and "/.well-known/openid-configuration")
        SetEnvIf Origin "^http(s)?://(.+\.)?(localhost|umich\.edu)(:[0-9]+)?$" origin_is=$0
        Header always set Access-Control-Allow-Origin %{origin_is}e

Does that seem reasonable?
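
Added example, not part of the original message: a Python check that runs the posted SetEnvIf pattern over constructed Origin values and compares the result with a stricter, parse-based allowlist. The `strict_allows` function, its https-only rule, the `allow_localhost` switch and every sample origin are assumptions for illustration, not the poster's configuration.

```python
import re
from urllib.parse import urlsplit

# Pattern copied from the SetEnvIf line in the message above.
POSTED = re.compile(r"^http(s)?://(.+\.)?(localhost|umich\.edu)(:[0-9]+)?$")
# Assumed policy for the stricter check (not from the message).
ALLOWED_SUFFIXES = ("umich.edu",)
LABEL = re.compile(r"[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?")

def posted_allows(origin):
    """True when the posted pattern would set origin_is for this Origin."""
    return POSTED.search(origin) is not None

def strict_allows(origin, allow_localhost=False):
    """Hypothetical tighter check: parse the Origin, then compare the host."""
    try:
        parts = urlsplit(origin)
        parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    # A serialized Origin is scheme://host[:port] and nothing else.
    if parts.path or parts.query or parts.fragment or "@" in parts.netloc:
        return False
    host = (parts.hostname or "").lower()
    if not host or not all(LABEL.fullmatch(l) for l in host.split(".")):
        return False
    if host == "localhost":
        return allow_localhost and parts.scheme in ("http", "https")
    if parts.scheme != "https":  # no cleartext origins outside development
        return False
    return any(host == s or host.endswith("." + s) for s in ALLOWED_SUFFIXES)

# Constructed sample values, not taken from any real traffic.
SAMPLES = [
    "https://app.umich.edu",          # intended case
    "https://umich.edu:8443",         # apex with a port
    "http://app.umich.edu",           # cleartext scheme, accepted by http(s)?
    "http://localhost:4200",          # developer workstation
    "https://umich.edu.example.org",  # suffix trick, stopped by the $ anchor
    "https://x.example/.umich.edu",   # not a valid Origin; ".+" is not host-only
    "null",                           # opaque origin
]

def compare(samples=SAMPLES):
    """Return (origin, posted pattern verdict, strict verdict) per sample."""
    return [(o, posted_allows(o), strict_allows(o)) for o in samples]

if __name__ == "__main__":
    for origin, posted, strict in compare():
        print(f"{origin:32} posted={posted!s:5} strict={strict}")
```

In httpd, `Header` accepts a trailing `env=origin_is` condition, so the header is only emitted when the pattern matched; a reflected origin is normally paired with `Vary: Origin` so caches do not serve one origin's response to another.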
