dex
Documentation for Cors configuration
In addition, if someone has allowed the public flow AND hasn't added a specific CORS profile, we should just default to a basic CORS profile that makes public flows work. This would make this just kinda work out of the box instead of blowing up due to CORS.
Could someone provide some guidance on how to set this up in the configs? I've added the following to the config:
```yaml
web:
  allowedOrigins: ['*']
```
And I can see that this is getting picked up in the logs:
```
time="2018-04-10T15:18:11Z" level=info msg="config allowed origins: [*]"
```
However, when my browser does the pre-flight OPTIONS request to the /auth endpoint, it's returning a 302 to the upstream login provider (google in our case) without the CORS headers. The browser then raises an error because it needs a 200 response from the options request.
Checking this with curl:
```
$ curl -X OPTIONS "http://dex.example.com/auth?client_id=..."
HTTP/1.1 302 Found
Location: /auth/google?req=zqvxnvtgkvv6zu4sebtzwy324
Date: Tue, 10 Apr 2018 15:36:59 GMT
Content-Length: 0
Content-Type: text/plain; charset=utf-8
```
Any update on this issue? Have you added support for CORS?
I have added it to the configuration, but it still displays a CORS error:
```yaml
web:
  allowedOrigins: ['*']
```
Hello there
Any update on this issue? Basically I'm in the same spot as the others: still no CORS headers, even though I've added "allowedOrigins: ['*']" (or a specific domain) to the Dex config, and it got taken into account in the Dex logs.
Thanks :D
According to server/server.go#L373-L412, not all endpoints insert an Access-Control-Allow-Origin header; only the following endpoints do:
- /.well-known/openid-configuration
- /token
- /keys
- /userinfo
I've tested in dex 2.37.0 the setting allowedOrigins: ['https://example.host.com', 'http://another.host.com'], with the following results:
```
curl -v -H "Origin: https://example.host.com" 10.96.182.36:5556/.well-known/openid-configuration
* Trying 10.96.182.36:5556...
* Connected to 10.96.182.36 (10.96.182.36) port 5556 (#0)
> GET /.well-known/openid-configuration HTTP/1.1
> Host: 10.96.182.36:5556
> User-Agent: curl/7.81.0
> Accept: */*
> Origin: https://example.host.com
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Access-Control-Allow-Origin: https://example.host.com
< Content-Length: 1074
< Content-Type: application/json
< Vary: Origin
```
```
curl -v -H "Origin: http://another.host.com" 10.96.182.36:5556/.well-known/openid-configuration
* Trying 10.96.182.36:5556...
* Connected to 10.96.182.36 (10.96.182.36) port 5556 (#0)
> GET /.well-known/openid-configuration HTTP/1.1
> Host: 10.96.182.36:5556
> User-Agent: curl/7.81.0
> Accept: */*
> Origin: http://another.host.com
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Access-Control-Allow-Origin: http://another.host.com
< Content-Length: 1074
< Content-Type: application/json
< Vary: Origin
< Date: Fri, 01 Dec 2023 10:15:51 GMT
```
```
curl -v -H "Origin: https://not.listed.com" 10.96.182.36:5556/.well-known/openid-configuration
* Trying 10.96.182.36:5556...
* Connected to 10.96.182.36 (10.96.182.36) port 5556 (#0)
> GET /.well-known/openid-configuration HTTP/1.1
> Host: 10.96.182.36:5556
> User-Agent: curl/7.81.0
> Accept: */*
> Origin: https://not.listed.com
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Content-Length: 1074
< Content-Type: application/json
< Date: Fri, 01 Dec 2023 10:15:26 GMT
```
To me the allowedOrigins configuration seems to behave as expected.
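The allowlist behaviour the curl runs above show (a listed Origin is echoed back with Vary: Origin, an unlisted one gets no header), plus a preflight answer for the OPTIONS case from the first comment, as an added Go example that is not dex's own code: the origins, the redirecting stand-in for /auth and the `probe` helper are all constructed for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Constructed allowlist mirroring the thread's web.allowedOrigins; a "*" entry allows any origin.
var allowedOrigins = []string{"https://example.host.com", "http://another.host.com"}
// originAllowed reports whether the request's Origin header is on the allowlist.
func originAllowed(origin string, allowed []string) bool {
	for _, a := range allowed {
		if origin != "" && (a == "*" || a == origin) {
			return true
		}
	}
	return false
}

// corsMiddleware echoes an allowlisted Origin back (unlisted origins get no header), sets Vary: Origin
// for caches, and answers preflight OPTIONS with 204 instead of letting the wrapped handler 302 it.
func corsMiddleware(allowed []string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Add("Vary", "Origin")
		if origin := r.Header.Get("Origin"); originAllowed(origin, allowed) {
			w.Header().Set("Access-Control-Allow-Origin", origin)
			if r.Method == http.MethodOptions {
				w.Header().Set("Access-Control-Allow-Methods", "GET, POST, OPTIONS")
				w.WriteHeader(http.StatusNoContent)
				return
			}
		}
		next.ServeHTTP(w, r)
	})
}
// probe runs one request through the middleware against a redirecting stand-in for /auth.
func probe(method, origin string) (code int, allowOrigin string) {
	h := corsMiddleware(allowedOrigins, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		http.Redirect(w, r, "/auth/google?req=constructed", http.StatusFound)
	}))
	req := httptest.NewRequest(method, "http://dex.example.com/auth", nil)
	req.Header.Set("Origin", origin)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, rec.Header().Get("Access-Control-Allow-Origin")
}
func main() {
	fmt.Println(probe(http.MethodOptions, "https://example.host.com")) // 204 https://example.host.com
}
```

With allowedOrigins: ['*'] this middleware reflects whatever Origin the browser sends, so such a configuration must never be combined with Access-Control-Allow-Credentials.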