Enable CORS also on well-known endpoint #725

Merged
merged 3 commits into from
Mar 22, 2024
Conversation

federicaagostini
Contributor

@federicaagostini federicaagostini commented Mar 11, 2024

When a GET request to the well-known endpoint which contains some Origin in the header is performed, IAM replies with Access-Control-Allow-Origin: * in the response header.

E.g. request without origin in the request header:

$ curl -k http://localhost:8080/.well-known/openid-configuration -I 
HTTP/1.1 200 
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Content-Type: application/json;charset=UTF-8
Content-Language: en-US
Content-Length: 3113
Date: Mon, 11 Mar 2024 16:02:10 GMT

Request with origin:

$ curl -k http://localhost:8080/.well-known/openid-configuration -I -H "Origin: https://test.example"
HTTP/1.1 200 
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Access-Control-Allow-Origin: *
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Content-Type: application/json;charset=UTF-8
Content-Language: en-US
Content-Length: 3113
Date: Mon, 11 Mar 2024 16:02:22 GMT

@enricovianello enricovianello merged commit 0714724 into develop Mar 22, 2024
4 checks passed
@enricovianello enricovianello deleted the cors branch March 22, 2024 13:24
@robbarnsley

Hi, I've been having CORS issues on our instance of IAM. Apologies if I've read this incorrectly, but is the result of these commits that the access-control-allow-origin is not set to * by default?

Commit 6adf138 seems to add a cors entry into the application.yml but 42537bb removes it.

@federicaagostini
Contributor Author

This PR always enables access-control-allow-origin to * for the well-known endpoint (we have decided not to make it configurable). Some other endpoints already allowed CORS, such as /token, /jwk, etc., but the well-known endpoint did not allow any CORS before this PR.

The feature is included in the next IAM release, which should happen within May.
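The two curl exchanges in the PR description, and the explanation above that the well-known endpoint now always answers with a wildcard `Access-Control-Allow-Origin`, can be turned into a repeatable check. The following Python script is an added example, not code from the IAM project or from anyone in this thread: it parses a `curl -I` style header dump (or the headers returned by a live request) and reports the CORS posture of the response for a given origin. The header blocks embedded below are constructed for the example, modelled on the PR output but shortened; the `fetch_headers` helper and the `cors_posture` field names are assumptions of this example.

```python
"""Assess the CORS posture of a discovery endpoint from its response headers."""
import re
import urllib.request
from typing import Dict, List, Optional

# Constructed sample header dumps (shortened; modelled on the PR's curl -I output).
SAMPLE_NO_ORIGIN = """HTTP/1.1 200
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
X-Content-Type-Options: nosniff
Content-Type: application/json;charset=UTF-8
"""

SAMPLE_WITH_ORIGIN = """HTTP/1.1 200
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Access-Control-Allow-Origin: *
X-Content-Type-Options: nosniff
Content-Type: application/json;charset=UTF-8
"""

HeaderMap = Dict[str, List[str]]


def parse_headers(raw: str) -> HeaderMap:
    """Parse a `curl -I` header dump into a lower-cased name -> values multimap."""
    headers: HeaderMap = {}
    lines = raw.strip().splitlines()
    if lines and lines[0].upper().startswith("HTTP/"):
        lines = lines[1:]  # drop the status line
    for line in lines:
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def status_code(raw: str) -> Optional[int]:
    """Return the HTTP status code from the dump's status line, if present."""
    m = re.match(r"HTTP/\S+\s+(\d{3})", raw.strip())
    return int(m.group(1)) if m else None


def cors_posture(headers: HeaderMap, origin: str) -> Dict[str, object]:
    """Summarise what the response allows for `origin` and flag risky combinations."""
    acao = headers.get("access-control-allow-origin", [])
    allow = acao[0] if acao else None
    creds = any(v.lower() == "true"
                for v in headers.get("access-control-allow-credentials", []))
    vary = {v.strip().lower()
            for vals in headers.get("vary", []) for v in vals.split(",")}
    return {
        "allow_origin": allow,
        "origin_allowed": allow is not None and allow in ("*", origin),
        "wildcard": allow == "*",
        # Browsers refuse `*` for credentialed requests; a server sending both
        # is misconfigured and should be flagged.
        "wildcard_with_credentials": allow == "*" and creds,
        # Reflecting a specific origin without `Vary: Origin` lets a shared cache
        # hand one origin's response to another.
        "vary_origin": "origin" in vary,
        "reflected_without_vary": allow not in (None, "*") and "origin" not in vary,
    }


def posture_from_curl(raw: str, origin: str) -> Dict[str, object]:
    """Convenience wrapper for a pasted `curl -I` dump."""
    result = cors_posture(parse_headers(raw), origin)
    result["status"] = status_code(raw)
    return result


def fetch_headers(url: str, origin: str, timeout: float = 5.0) -> HeaderMap:
    """Perform a GET with an Origin header and return the response headers (assumed helper)."""
    req = urllib.request.Request(url, headers={"Origin": origin}, method="GET")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        headers: HeaderMap = {}
        for name, value in resp.getheaders():
            headers.setdefault(name.lower(), []).append(value)
        return headers


if __name__ == "__main__":
    origin = "https://test.example"
    print("without Origin:", posture_from_curl(SAMPLE_NO_ORIGIN, origin))
    print("with Origin:   ", posture_from_curl(SAMPLE_WITH_ORIGIN, origin))
```

Against the constructed samples the first dump reports no `allow_origin` and `origin_allowed` false, matching the pre-PR behaviour, while the second reports a wildcard that is allowed for any origin and is safe to cache because `Vary: Origin` is present. Pointing `fetch_headers` at a deployed `/.well-known/openid-configuration` gives the same summary for a live instance, which is the quickest way to confirm which release the behaviour described in this thread has reached.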
