django-oidc-provider
OPTIONS request blocked on userinfo endpoint
The problem is partly described in #249 but was subsequently ignored.
At least the oidc-client-js library does an OPTIONS request against the userinfo endpoint, which gets blocked by the `protected_resource_view` decorator.
The openid-connect-core specification does not explicitly require supporting OPTIONS, though it seems to be practised by implementations. For example, auth0.com supports an unauthorized OPTIONS request against userinfo.
As @q3aiml points out, supporting OPTIONS is part of supporting CORS.
I suggest an `unprotected_methods` parameter to the `protected_resource_view` decorator in `lib/utils/oauth2.py`, which would make it possible to let OPTIONS requests pass for this endpoint but does not break any existing code.
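The shape of the proposed `unprotected_methods` parameter, as an added example that is not django-oidc-provider's own code and does not reproduce its `lib/utils/oauth2.py`: a stand-alone decorator that requires a bearer token unless the request method is listed as unprotected, driven by constructed stand-in `Request`/`Response` objects (instead of Django's) and a constructed `VALID_TOKENS` table so it runs offline. It also shows why a CORS preflight needs this: the browser's OPTIONS request never carries an `Authorization` header, so the strict variant rejects it with 401 while the relaxed variant answers it.

```python
"""Constructed example: a protected_resource_view decorator with the proposed
unprotected_methods parameter. Request/Response/VALID_TOKENS are stand-ins
for this example, not the project's types or its token store."""
from dataclasses import dataclass, field
from functools import wraps
from typing import Optional

# Constructed token store: one valid access token with its granted scopes.
VALID_TOKENS = {"tok-abc123": {"scope": {"openid", "profile"}}}


@dataclass
class Request:
    method: str
    headers: dict = field(default_factory=dict)  # header names lower-cased
    token: Optional[dict] = None


@dataclass
class Response:
    status: int
    body: str = ""
    headers: dict = field(default_factory=dict)


def extract_bearer(request):
    """Return the token from an 'Authorization: Bearer <token>' header, else None."""
    scheme, _, value = request.headers.get("authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not value:
        return None
    return value


def protected_resource_view(scopes=None, unprotected_methods=()):
    """Require a valid bearer token with the given scopes, except for methods
    listed in unprotected_methods (e.g. ("OPTIONS",) for CORS preflight)."""
    required = set(scopes or [])
    skip = {m.upper() for m in unprotected_methods}

    def decorator(view):
        @wraps(view)
        def wrapper(request, *args, **kwargs):
            if request.method.upper() in skip:
                return view(request, *args, **kwargs)  # no token check at all
            token = extract_bearer(request)
            info = VALID_TOKENS.get(token) if token else None
            if info is None:
                return Response(401, "invalid_token",
                                {"WWW-Authenticate": 'Bearer error="invalid_token"'})
            if not required <= info["scope"]:
                return Response(403, "insufficient_scope")
            request.token = info
            return view(request, *args, **kwargs)
        return wrapper
    return decorator


def userinfo_view(request):
    """Minimal userinfo handler; answers the preflight and the real request."""
    if request.method.upper() == "OPTIONS":
        return Response(204, headers={
            "Access-Control-Allow-Origin": request.headers.get("origin", "*"),
            "Access-Control-Allow-Methods": "GET, POST, OPTIONS",
            "Access-Control-Allow-Headers": "Authorization",
        })
    return Response(200, '{"sub": "user-1"}')


# Same view wrapped twice: with and without the proposed parameter.
userinfo = protected_resource_view(scopes=["openid"],
                                   unprotected_methods=("OPTIONS",))(userinfo_view)
userinfo_strict = protected_resource_view(scopes=["openid"])(userinfo_view)


def run_preflight_and_request():
    """Drive both views with constructed requests and return the status codes."""
    # A browser preflight announces the Authorization header but cannot send it.
    preflight = Request("OPTIONS", {"origin": "https://app.example",
                                    "access-control-request-method": "GET",
                                    "access-control-request-headers": "authorization"})
    anon = Request("GET")
    authed = Request("GET", {"authorization": "Bearer tok-abc123"})
    return {
        "preflight_relaxed": userinfo(preflight).status,        # 204
        "preflight_strict": userinfo_strict(preflight).status,  # 401
        "get_no_token": userinfo(anon).status,                  # 401
        "get_with_token": userinfo(authed).status,              # 200
    }


if __name__ == "__main__":
    print(run_preflight_and_request())
```

Only the listed methods bypass the token check, so an unauthenticated GET is still rejected; the preflight response itself returns no claims, it only tells the browser which headers and methods the real request may use.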
@defgsus sorry, I didn't see your commit until after I implemented it as well! I'll create a PR now, hoping it gets merged upstream.
We're facing the same issue. It would be great to get a fix for this merged, instead of having to use a fork.
@juanifioren would it be possible to merge #321 ? It's a fairly small change.
I think this objectively is a bug in the current implementation, as the OPTIONS request method is used for the CORS preflight only. But the specs do not allow a preflight request to have an access token (there is a limited set of permitted headers).
I'm having this issue as well. I'm currently using a fork right now but would much prefer this issue to be solved.