Dex: Documentation for Cors configuration

Created on 14 Aug 2017  路  3Comments  路  Source: dexidp/dex

Most helpful comment

Any update on this issue? Do you have added support for CORS?

All 3 comments

In addition, if someone has allowed the public flow AND hasn't added a specific CORs profile, we should just default to a basic CORs profile that makes public flows work. This would make this just kinda work out of the box instead of blowing up due to CORs.

Could someone provide some guidance on how to set this up in the configs?
I've added the following to the config:

web:
  allowedOrigins: ['*']

And can see that this is getting picked up in the logs:
time="2018-04-10T15:18:11Z" level=info msg="config allowed origins: [*]"

However, when by browser does the pre-flight OPTIONS request to the /auth endpoint, it's returning a 302 to the upstream login provider (google in our case) without the CORS headers.
The browser then raises an error because it needs a 200 response from the options request.

Checking this with curl:

$ curl -X OPTIONS "http:/dex.example.com/auth?client_id=..."
HTTP/1.1 302 Found
Location: /auth/google?req=zqvxnvtgkvv6zu4sebtzwy324
Date: Tue, 10 Apr 2018 15:36:59 GMT
Content-Length: 0
Content-Type: text/plain; charset=utf-8

Any update on this issue? Do you have added support for CORS?

Was this page helpful?
0 / 5 - 0 ratings

Related issues

lukasmrtvy picture lukasmrtvy  路  5Comments

NexoMichael picture NexoMichael  路  7Comments

alon-argus picture alon-argus  路  7Comments

se0wtf picture se0wtf  路  3Comments

srenatus picture srenatus  路  4Comments