Environment
Description
In #1185 the CORS configuration was changed to set preflightContinue to true, so we can throw 401/403 errors in case the client has no access to the resource on OPTIONS request.
The consequence of that is that the OidcHttpHandler now also receives those OPTIONS requests and modifies the CORS headers in such a way the authentication client can no longer register or it simply fails the request (will have to investigate what happens exactly):
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://localhost:3000/.oidc/reg. (Reason: CORS preflight response did not succeed). Status code: 404.
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://localhost:3000/.oidc/reg. (Reason: CORS request did not succeed). Status code: (null).
Some solutions:
- Set preflightContinue to false again and always succeed OPTIONS requests.
- Create a different cors handler for the IDP components with preflightContinue set to false (will require some config refactoring as the same middleware can't be reused anymore).
- See if we can make the OIDC provider correctly handle the CORS headers (probably the correct solution if possible). More info can be found at https://github.com/panva/node-oidc-provider/blob/main/docs/README.md#clientbasedcors
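A sketch of the second option above, added here as an illustration and not taken from the project's code or configuration: preflights under the IDP prefix are answered by the CORS layer itself, while resource paths keep preflightContinue so the authorization layer can still reply 401/403. The helpers `corsPreflight`, `splitCors`, `downstream` and `simulate`, the `/private/` path, the origin value and the assumption that the downstream handler has no OPTIONS route for `/.oidc/` are all hypothetical.

```javascript
// Model of a CORS middleware's preflight step (hypothetical helper), following
// the preflightContinue behaviour documented for the `cors` package.
function corsPreflight(options) {
  return (req, res, next) => {
    if (req.method !== 'OPTIONS') return next();
    res.headers['access-control-allow-origin'] = options.origin;
    res.headers['access-control-allow-methods'] = options.methods.join(',');
    const requested = req.headers['access-control-request-headers'];
    if (requested) res.headers['access-control-allow-headers'] = requested;
    if (options.preflightContinue) return next(); // downstream sets the status
    res.statusCode = 204; // answered here; the handler never sees the OPTIONS
    res.ended = true;
  };
}

// Choose a CORS policy by path prefix: IDP routes terminate preflights,
// everything else keeps preflightContinue for the authorization layer.
function splitCors(idpPrefix, idpCors, resourceCors) {
  return (req, res, next) =>
    (req.url.startsWith(idpPrefix) ? idpCors : resourceCors)(req, res, next);
}

// Constructed stand-in for the downstream handlers (assumption): no OPTIONS
// route under /.oidc/, and /private/ requires credentials.
function downstream(req, res) {
  if (req.method === 'OPTIONS' && req.url.startsWith('/.oidc/')) res.statusCode = 404;
  else if (req.url.startsWith('/private/')) res.statusCode = 401;
  else res.statusCode = 200;
  res.ended = true;
}

// Run one constructed request through a middleware and the downstream handler.
function simulate(middleware, method, url) {
  const req = { method, url,
    headers: { 'access-control-request-headers': 'content-type' } };
  const res = { statusCode: 0, headers: {}, ended: false };
  middleware(req, res, () => downstream(req, res));
  return res;
}

const base = { origin: 'http://localhost:8080', methods: ['GET', 'POST', 'OPTIONS'] };
const shared = corsPreflight({ ...base, preflightContinue: true });
const split = splitCors('/.oidc/',
  corsPreflight({ ...base, preflightContinue: false }), shared);

console.log(simulate(shared, 'OPTIONS', '/.oidc/reg').statusCode);  // 404
console.log(simulate(split, 'OPTIONS', '/.oidc/reg').statusCode);   // 204
console.log(simulate(split, 'OPTIONS', '/private/doc').statusCode); // 401
```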