CORS requests against OIDC
Liam Hoekenga
liamr at umich.edu
Wed May 15 17:17:59 EDT 2019
We've deployed the GEANT OIDC extension and we have angular developers who
are asking us to allow CORS requests against all of the URLs exposed by the
extension.
I've looked at some of the commercial and social providers and see that support
is mixed (Google and MS seem to support it, Salesforce doesn't, etc).
Our IDP is running behind an apache httpd proxy.
I'm hesitant to permit unrestricted access ("Access-Control-Allow-Origin:
*"), but allowing CORS /seems/ like a reasonable request?
I'm considering adding this to the OIDC urls ("/oidc/",
"/idp/profile/oidc/", and "/.well-known/openid-configuration")
SetEnvIf Origin "^http(s)?://(.+\.)?(localhost|umich\.edu)(:[0-9]+)?$" origin_is=$0
Header always set Access-Control-Allow-Origin %{origin_is}e env=origin_is
Does that seem reasonable?
Liam
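
Added example, not part of the original message or of the Shibboleth/GEANT code: the pattern posted above, evaluated in Python against constructed Origin values, beside a hypothetical tighter pattern. The names STRICT, LABEL, cors_headers and compare, and the Vary header, are assumptions introduced here.

```python
import re

# Pattern exactly as posted in the message above (Apache SetEnvIf uses PCRE;
# Python's re evaluates this expression the same way).
POSTED = re.compile(r"^http(s)?://(.+\.)?(localhost|umich\.edu)(:[0-9]+)?$")

# Hypothetical tighter variant (an assumption, not from the post): host labels
# limited to lowercase DNS characters, https required for umich.edu, and plain
# http accepted only for localhost development origins.
LABEL = r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?"
STRICT = re.compile(
    rf"^(?:https://(?:{LABEL}\.)*umich\.edu|https?://localhost)(?::[0-9]{{1,5}})?$"
)

def cors_headers(origin, pattern):
    """Mirror SetEnvIf + Header: echo the Origin only when it matches."""
    if origin is None or not pattern.match(origin):
        return {}
    # Vary tells shared caches that the response depends on the Origin header.
    return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}

# Constructed sample Origin values, not taken from any real log.
SAMPLES = [
    "https://app.umich.edu",            # expected production origin
    "http://localhost:4200",            # local development server
    "http://app.umich.edu",             # same host over plain http
    "https://a.b.c.umich.edu:8443",     # deep subdomain with a port
    "https://notumich.edu",             # different registrable domain
    "https://umich.edu.example.org",    # allowed name used as a prefix
    "https://example.org/x.umich.edu",  # ".+" accepts non-hostname characters
    "null",                             # opaque origin
]

def compare(samples=SAMPLES):
    """Return (origin, allowed_by_posted, allowed_by_strict) per sample."""
    return [(o, bool(cors_headers(o, POSTED)), bool(cors_headers(o, STRICT)))
            for o in samples]

if __name__ == "__main__":
    for origin, posted, strict in compare():
        print(f"{origin:34} posted={posted!s:5} strict={strict}")
```

Both patterns are anchored, so neither reflects an origin that merely contains the allowed name; they differ on plain-http umich.edu origins and on values where `.+` matches characters that cannot occur in a hostname.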