From bc8c8468d3c5ffb664afb9110fac1a47374f3303 Mon Sep 17 00:00:00 2001
From: Josiah Evans
Date: Thu, 21 Sep 2023 15:15:14 +0900
Subject: [PATCH] feat: Add configurable CORS Headers

---
 cmd/dex/config.go | 1 +
 cmd/dex/serve.go | 1 +
 server/server.go | 11 +++++++----
 3 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/cmd/dex/config.go b/cmd/dex/config.go
index 831156fd40..9df7a96a12 100644
--- a/cmd/dex/config.go
+++ b/cmd/dex/config.go
@@ -150,6 +150,7 @@ type Web struct {
 TLSCert string `json:"tlsCert"`
 TLSKey string `json:"tlsKey"`
 AllowedOrigins []string `json:"allowedOrigins"`
+ AllowedHeaders []string `json:"allowedHeaders"`
 }

 // Telemetry is the config format for telemetry including the HTTP server config.
diff --git a/cmd/dex/serve.go b/cmd/dex/serve.go
index 47b090aeab..9e0450384d 100644
--- a/cmd/dex/serve.go
+++ b/cmd/dex/serve.go
@@ -265,6 +265,7 @@ func runServe(options serveOptions) error {
 AlwaysShowLoginScreen: c.OAuth2.AlwaysShowLoginScreen,
 PasswordConnector: c.OAuth2.PasswordConnector,
 AllowedOrigins: c.Web.AllowedOrigins,
+ AllowedHeaders: c.Web.AllowedHeaders,
 Issuer: c.Issuer,
 Storage: s,
 Web: c.Frontend,
diff --git a/server/server.go b/server/server.go
index bf83dd81f0..c26e5e50a4 100644
--- a/server/server.go
+++ b/server/server.go
@@ -77,6 +77,9 @@ type Config struct {
 // domain.
 AllowedOrigins []string
 
+ // List of allowed headers for CORS requests on discovery, token, and keys endpoint.
+ AllowedHeaders []string
+
 // If enabled, the server won't prompt the user to approve authorization requests.
 // Logging in implies approval.
 SkipApprovalScreen bool
@@ -214,6 +217,9 @@ func newServer(ctx context.Context, c Config, rotationStrategy rotationStrategy)
 if len(c.SupportedResponseTypes) == 0 {
 c.SupportedResponseTypes = []string{responseTypeCode}
 }
+ if len(c.AllowedHeaders) == 0 {
+ c.AllowedHeaders = []string{"Authorization"}
+ }

 allSupportedGrants := map[string]bool{
 grantTypeAuthorizationCode: true,
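Review bot: The doc comment added on `AllowedHeaders` in the server/server.go `Config` struct (hunk @@ -77) does not say that an empty list is replaced by `[]string{"Authorization"}` in `newServer` (hunk @@ -214), nor that a configured list replaces that default instead of extending it, so an operator who sets `allowedHeaders` to other names silently drops Authorization from the CORS allowlist on the discovery, token and keys endpoints. Suggest extending the comment: `// If empty, defaults to Authorization. A configured list replaces the default, so include Authorization when browser clients send bearer tokens to these endpoints.` The same note would help on the new `AllowedHeaders` field of the `Web` struct in cmd/dex/config.go, whose neighbouring fields carry no comments in this hunk. `newServer` starts and ends outside the hunk.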
@@ -353,12 +359,9 @@ func newServer(ctx context.Context, c Config, rotationStrategy rotationStrategy)
 handleWithCORS := func(p string, h http.HandlerFunc) {
 var handler http.Handler = h
 if len(c.AllowedOrigins) > 0 {
- allowedHeaders := []string{
- "Authorization",
- }
 cors := handlers.CORS(
 handlers.AllowedOrigins(c.AllowedOrigins),
- handlers.AllowedHeaders(allowedHeaders),
+ handlers.AllowedHeaders(c.AllowedHeaders),
 )
 handler = cors(handler)
 }
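Review bot: `handlers.AllowedHeaders(c.AllowedHeaders)` now hands operator-supplied header names straight from the config file to the CORS middleware, and nothing visible in this commit trims whitespace, drops empty entries or canonicalizes case, so whether `Authorization` and ` authorization` end up as the same allowlist entry depends on the middleware rather than on Dex. Either normalize the list in `newServer` next to the new `len(c.AllowedHeaders) == 0` default, e.g. `c.AllowedHeaders[i] = http.CanonicalHeaderKey(strings.TrimSpace(h))` in a loop (if `strings` is in scope there), or confirm that `handlers.AllowedHeaders` performs that normalization and record it in the `Config` field comment. The `handleWithCORS` closure and the enclosing `newServer` both continue outside the hunk.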