
Add comment about Cors config

Open davhdavh opened this issue 1 year ago • 4 comments

Confirm you've already contributed to this project or that you sponsor it

  • [X] I confirm I'm a sponsor or a contributor

Describe the solution you'd like

It was quite impossible to figure out how to set a specific CORS policy for OpenIddict rather than open all endpoints to a permissive default policy.

Can't figure out where it belongs in docs though.

Program.cs:

```csharp
using Microsoft.AspNetCore.Cors;
using Microsoft.AspNetCore.Http;

// BEFORE host.UseCors(): give the discovery request a synthetic endpoint that carries
// CORS metadata, since OpenIddict answers it itself and no routable endpoint exists for it.
host.Use((context, next) => {
   if (!context.Request.Path.StartsWithSegments("/.well-known/openid-configuration")) return next(context);
   if (context.GetEndpoint() is not null) return next(context); // routing already matched something
   // RequestDelegate is null on purpose: only the metadata is consumed (by UseCors).
   context.SetEndpoint(new(null, new(new EnableCorsAttribute("MyCorsPolicyForOpeniddict")), null));
   return next(context);
});
host.UseCors();
host.UseAuthentication();
```

The other endpoints are mappable, so that can be done via the normal procedure. E.g.

```csharp
// Requires the token endpoint to be in pass-through mode (options.UseAspNetCore().EnableTokenEndpointPassthrough())
// so the request reaches this routable endpoint and its [EnableCors] metadata.
app.MapPost("/connect/token", [EnableCors("MyCorsPolicyForOpeniddict")] [AllowAnonymous] async (HttpContext context, ...) => ...);
```

Additional context

No response

davhdavh avatar Nov 18 '24 16:11 davhdavh
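A complete Program.cs built around the workaround in the post above, as an added example that is not part of the issue, of the OpenIddict documentation or of the OpenIddict project. The policy name is the one used above; the allowed origin, the jwks path (OpenIddict's default `/.well-known/jwks`), the client-credentials grant and the assumption that `AddCore()` with a client store is configured elsewhere are placeholders. It generalizes the single-path check to a list of paths OpenIddict answers itself, and pairs it with a pass-through token endpoint that carries the same policy as routable endpoint metadata.

```csharp
// Added example, not code from the issue or from OpenIddict's documentation.
// Assumptions (placeholders): the allowed origin, the jwks path (OpenIddict's default
// "/.well-known/jwks"), the client-credentials grant, and that AddCore() plus a client
// store are configured elsewhere so client authentication succeeds.
using System.Linq;
using System.Security.Claims;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Cors;
using Microsoft.AspNetCore.Http;
using OpenIddict.Abstractions;
using OpenIddict.Server.AspNetCore;
using static OpenIddict.Abstractions.OpenIddictConstants;

const string OpenIddictCorsPolicy = "MyCorsPolicyForOpeniddict";

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddCors(options =>
{
    // Named policy with an explicit allow-list. No default policy is registered on purpose:
    // a bare UseCors() then only acts on endpoints that carry [EnableCors] metadata,
    // so nothing else on the site becomes cross-origin reachable.
    options.AddPolicy(OpenIddictCorsPolicy, policy => policy
        .WithOrigins("https://spa.example.com")        // placeholder origin
        .WithMethods(HttpMethods.Get, HttpMethods.Post)
        .WithHeaders("Content-Type", "Authorization"));
});

builder.Services.AddOpenIddict()
    // .AddCore(...) with an application store is assumed to be configured here.
    .AddServer(options =>
    {
        options.SetTokenEndpointUris("connect/token");
        options.AllowClientCredentialsFlow();
        options.AddDevelopmentEncryptionCertificate()
               .AddDevelopmentSigningCertificate();
        options.UseAspNetCore()
               // Pass-through: OpenIddict validates the token request, then hands it to the
               // MapPost endpoint below, which is routable and can carry CORS metadata.
               // The discovery and jwks endpoints have no pass-through mode.
               .EnableTokenEndpointPassthrough();
    });

var app = builder.Build();

app.UseRouting();

// Requests OpenIddict answers itself: no routable endpoint exists, so attach a synthetic one
// whose only purpose is to carry the CORS metadata that UseCors() reads.
// These paths must match the endpoint URIs configured for OpenIddict (defaults assumed here).
string[] openIddictOwnedPaths = { "/.well-known/openid-configuration", "/.well-known/jwks" };
var corsOnlyMetadata = new EndpointMetadataCollection(new EnableCorsAttribute(OpenIddictCorsPolicy));

app.Use((context, next) =>
{
    if (context.GetEndpoint() is null &&
        openIddictOwnedPaths.Any(path => context.Request.Path.StartsWithSegments(path)))
    {
        // RequestDelegate is null on purpose; OpenIddict's authentication handler writes the
        // response before the endpoint middleware would ever try to invoke it.
        context.SetEndpoint(new Endpoint(null, corsOnlyMetadata, "OpenIddict (CORS metadata only)"));
    }
    return next(context);
});

app.UseCors();            // reads the metadata set above (and on the MapPost endpoint below)
app.UseAuthentication();  // OpenIddict handles its own endpoints here
app.UseAuthorization();

app.MapPost("/connect/token", [EnableCors(OpenIddictCorsPolicy)] [AllowAnonymous] (HttpContext context) =>
{
    var request = context.GetOpenIddictServerRequest()
        ?? throw new InvalidOperationException("The OpenIddict request cannot be retrieved.");

    if (!request.IsClientCredentialsGrantType())
    {
        return Results.Forbid(authenticationSchemes: new[] { OpenIddictServerAspNetCoreDefaults.AuthenticationScheme });
    }

    // Client credentials were already validated by OpenIddict against the client store.
    var identity = new ClaimsIdentity(OpenIddictServerAspNetCoreDefaults.AuthenticationScheme);
    identity.SetClaim(Claims.Subject, request.ClientId);
    identity.SetDestinations(_ => new[] { Destinations.AccessToken });

    return Results.SignIn(new ClaimsPrincipal(identity), authenticationScheme: OpenIddictServerAspNetCoreDefaults.AuthenticationScheme);
});

app.Run();
```

To check the result, send a preflight such as `OPTIONS /.well-known/openid-configuration` with `Origin: https://spa.example.com` and `Access-Control-Request-Method: GET`: the CORS middleware answers it with `Access-Control-Allow-Origin` before OpenIddict sees the request, while the same preflight from an origin not in the allow-list, or against any path without the metadata, gets no CORS headers at all. The order matters: the synthetic-endpoint middleware must run after `UseRouting()` (so it does not clobber a real match) and before `UseCors()`, and `UseCors()` must precede `UseAuthentication()`, where OpenIddict writes its responses.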

Good idea.

> Can't figure out where it belongs in docs though.

Maybe it should be added to the ASP.NET Core docs?

kevinchalet avatar Nov 19 '24 14:11 kevinchalet

Not really? The problem with OpenIddict in this regard is how the auth pipeline intercepts the request and answers. AFAIK, there isn't the equivalent of EnablePassthrough for the configuration endpoint to do it in the normal way?

davhdavh avatar Nov 20 '24 01:11 davhdavh

> AFAIK, there isn't the equivalent of EnablePassthrough for the configuration endpoint to do it in the normal way?

The "normal way" consists in OpenIddict fully handling a request without ever giving flow control back to ASP.NET Core: the pass-through mode is an exception that is only offered for a few select endpoints for which it makes sense (e.g. the authorization or token endpoints).

Using endpoints in the authentication stack was discussed at some point with the ASP.NET team but we were unable to come up with a design that made everyone happy.

> Not really?

What do you suggest, then?

kevinchalet avatar Nov 20 '24 03:11 kevinchalet

> What do you suggest, then?

I actually think the current design is just fine. But as for CORS, the only googleable solution was a site-wide opening for all endpoints, which was not acceptable for us. Thus I present my detected workaround/hack to fix the issue for OpenIddict specifically.

davhdavh avatar Nov 20 '24 23:11 davhdavh