fusionauth-issues
The CORS documentation is not accurate
Description
The CORS documentation states that CORS is enabled by default, but it's not.
I'm trying to use exchangeOAuthCodeForAccessTokenUsingPKCE, and it's failing due to CORS. I had expected that adding the origin to Authorized request origin URLs would automatically handle CORS, but that doesn't appear to be the case?
Affects versions
1.36.0
Steps to reproduce
Steps to reproduce the behavior:
- Go to /admin/system-configuration/edit after installing with Docker.
- Note that CORS filter is not enabled.
Expected behavior
For this issue, for CORS to be enabled. However, handling it automatically based on Authorized request origin URLs would be better.
Platform
- Device: Desktop
- OS: Windows 11
- Browser + version: Chrome 100.0.4896.88
- Database: Default
Community guidelines
All issues filed in this repository must abide by the FusionAuth community guidelines.
Additional context
n/a
Thanks for filing the issue @glen-84 ! Glad you figured it out. We'll get the docs updated.
This is probably working as designed.
We have discussed automatically adding things to CORS for callbacks in SAML or OAuth2. To date, we've erred on the side of not doing anything too magical, and just doing our best to document where possible that a CORS configuration may be required.
If that's true, then this line should perhaps be changed?
Most of the time this works as designed, you do not need to think much about CORS configuration.
CORS will always be required when connecting from the client side.
@mooreds are there more doc or UI updates to make for this one, or can we close it out?
Just filed a PR updating the doc, confirmed that by default, out of the box, CORS is disabled.
@mooreds can I close this one out if we have updated the doc?
Closing.
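Added example, not part of the issue thread or of FusionAuth's code: a simplified model of the Fetch-standard checks a browser applies to a cross-origin response, showing why a browser-side token exchange is blocked when the server sends no CORS headers. The function names, the origin and both header sets are constructed assumptions.

```javascript
// Simplified model of the Fetch-standard CORS checks. All names and sample data are constructed.
const lower = (h) => Object.fromEntries(
  Object.entries(h).map(([k, v]) => [k.toLowerCase(), String(v).trim()]));
const list = (v) => (v || "").split(",").map((s) => s.trim()).filter(Boolean);

// Check applied to every cross-origin response, preflight or actual.
function corsCheck(origin, responseHeaders, withCredentials = false) {
  const h = lower(responseHeaders);
  const allow = h["access-control-allow-origin"];
  if (allow === undefined) return "blocked: no Access-Control-Allow-Origin";
  if (allow === "*" && !withCredentials) return "ok";
  if (allow !== origin) return "blocked: origin not allowed";
  if (withCredentials && h["access-control-allow-credentials"] !== "true")
    return "blocked: credentials not allowed";
  return "ok";
}

// Extra checks on the OPTIONS preflight response.
// req.unsafeHeaders: request header names that are not CORS-safelisted (supplied by the caller).
function preflightCheck(req, status, responseHeaders) {
  const base = corsCheck(req.origin, responseHeaders, req.withCredentials);
  if (base !== "ok") return base;
  if (status < 200 || status > 299) return "blocked: preflight status " + status;
  const h = lower(responseHeaders);
  const wildcardOk = !req.withCredentials; // "*" only counts for non-credentialed requests
  const methods = list(h["access-control-allow-methods"]);
  const safelisted = ["GET", "HEAD", "POST"].includes(req.method);
  if (!safelisted && !methods.includes(req.method) && !(wildcardOk && methods.includes("*")))
    return "blocked: method " + req.method + " not allowed";
  const allowed = list(h["access-control-allow-headers"]).map((n) => n.toLowerCase());
  for (const name of req.unsafeHeaders.map((n) => n.toLowerCase())) {
    const star = wildcardOk && name !== "authorization" && allowed.includes("*");
    if (!allowed.includes(name) && !star) return "blocked: header " + name + " not allowed";
  }
  return "ok";
}

// Constructed samples: a server emitting no CORS headers versus one that allows the origin.
const ORIGIN = "https://app.example.com";
const FILTER_OFF = { "Content-Type": "application/json" };
const FILTER_ON = {
  "Access-Control-Allow-Origin": ORIGIN,
  "Access-Control-Allow-Methods": "POST, OPTIONS",
  "Access-Control-Allow-Headers": "Content-Type, Authorization",
};
```

Running `corsCheck(ORIGIN, FILTER_OFF)` reports the missing header, which is the state the browser sees until the origin is allowed in the server's CORS configuration.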