
Separate CORS origins config

Open tung2744 opened this issue 1 year ago • 5 comments

Currently we need to configure the following redirect URIs when using a Capacitor app, or there will be a CORS error:

  • https://localhost
  • capacitor://localhost

We should consider always allowing these origins in the server. Or even always allow localhost?

tung2744 avatar Jan 17 '24 05:01 tung2744

@louischan-oursky Not sure if we should do it, what do you think?

tung2744 avatar Jan 29 '24 08:01 tung2744

Maybe it is not a good idea to allow localhost in production https://community.auth0.com/t/why-localhost-is-not-recommended-as-an-allowed-callback-or-origin-for-production/46668/11

tung2744 avatar Jan 29 '24 10:01 tung2744

I've checked how Auth0 and Google handle CORS. Google has a separate config for allowed origins: [image]

And Auth0 also has a similar config: https://auth0.com/docs/get-started/applications/set-up-cors

It seems what we should do is to separate the allowed-origins config from the redirect URIs.

@fungc-io @louischan-oursky

tung2744 avatar Jan 29 '24 10:01 tung2744

We do have a separate allowed-origins config, http.allowed_origins, but it is not client-specific. Maybe we should add client-specific allowed origins.

louischan-oursky avatar Jan 30 '24 03:01 louischan-oursky

I think we mainly want the user to be able to set it in the portal, so they can add allowed origins for the Capacitor app.

tung2744 avatar Jan 30 '24 06:01 tung2744
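The thread above converges on keeping a per-client CORS allowlist that is separate from the redirect URIs, so that a Capacitor app can register capacitor://localhost and https://localhost as origins without those values doubling as OAuth callbacks, and without the server globally trusting localhost in production. The following is an added illustration, not authgear-server's own code: the ClientConfig type, its field names and the helper functions are assumptions made for the example. It shows an origin check that compares scheme, host and port exactly (so http://localhost and https://localhost:3000 do not match https://localhost), rejects wildcard and malformed allowlist entries, never consults the redirect URIs, and echoes only the matched origin in Access-Control-Allow-Origin rather than "*".

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// ClientConfig models a hypothetical per-client configuration in which the
// CORS origin allowlist is kept apart from the OAuth redirect URIs, as
// proposed in the issue. Field names are assumptions, not authgear's schema.
type ClientConfig struct {
	ClientID       string
	RedirectURIs   []string
	AllowedOrigins []string
}

// normalizeOrigin parses a candidate origin and returns its canonical
// scheme://host[:port] form. Anything that is not a bare origin (a path,
// query, fragment, userinfo, or a wildcard in the host) is rejected so it
// can never match a request.
func normalizeOrigin(raw string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", err
	}
	if u.Scheme == "" || u.Host == "" {
		return "", fmt.Errorf("origin %q must have a scheme and a host", raw)
	}
	if u.Path != "" || u.RawQuery != "" || u.Fragment != "" || u.User != nil {
		return "", fmt.Errorf("origin %q must not carry a path, query, fragment or userinfo", raw)
	}
	if strings.Contains(u.Host, "*") {
		return "", fmt.Errorf("wildcard origin %q is not allowed", raw)
	}
	// Scheme and host are case-insensitive; the port is part of u.Host and
	// therefore part of the comparison, so https://localhost:3000 is a
	// different origin from https://localhost.
	return strings.ToLower(u.Scheme) + "://" + strings.ToLower(u.Host), nil
}

// OriginAllowed reports whether the request's Origin header exactly matches
// one of the client's configured allowed origins. Redirect URIs are
// deliberately not consulted: a callback URL is not an origin grant.
func OriginAllowed(cfg ClientConfig, requestOrigin string) bool {
	want, err := normalizeOrigin(requestOrigin)
	if err != nil {
		return false // e.g. the literal "null" origin, or a malformed header
	}
	for _, entry := range cfg.AllowedOrigins {
		got, err := normalizeOrigin(entry)
		if err != nil {
			continue // a malformed or wildcard allowlist entry never matches
		}
		if got == want {
			return true
		}
	}
	return false
}

// CORSHeaders returns the response headers for an allowed origin, or nil
// when the origin is not allowed so that no Access-Control-Allow-Origin
// header is emitted at all.
func CORSHeaders(cfg ClientConfig, requestOrigin string) map[string]string {
	if !OriginAllowed(cfg, requestOrigin) {
		return nil
	}
	return map[string]string{
		// Echo the specific matched origin, never "*", and vary on Origin so
		// caches do not serve one origin's response to another.
		"Access-Control-Allow-Origin": requestOrigin,
		"Vary":                        "Origin",
	}
}

func main() {
	// Constructed sample client: the Capacitor origins from the issue are
	// allowed origins; the redirect URI is a separate, path-bearing URL.
	cfg := ClientConfig{
		ClientID:       "capacitor-app",
		RedirectURIs:   []string{"https://localhost/oauth/callback"},
		AllowedOrigins: []string{"https://localhost", "capacitor://localhost"},
	}
	for _, origin := range []string{
		"capacitor://localhost", "https://localhost",
		"http://localhost", "https://localhost:3000", "https://evil.example", "null",
	} {
		fmt.Printf("%-24s allowed=%v headers=%v\n", origin, OriginAllowed(cfg, origin), CORSHeaders(cfg, origin))
	}
}
```

Because the match is exact on scheme, host and port, the production concern raised earlier in the thread (a blanket allowance for localhost) is avoided: localhost is only ever allowed for the specific clients whose operator listed it, and a portal-entered value such as https://* or https://localhost/ is silently inert rather than widening the grant.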