Enable CORS headers for OpenID Connect discovery endpoints
As https://openid.net/specs/openid-connect-core-1_0.html#toc mentions,
OpenID Connect Discovery endpoints should support the use of Cross
Origin Resource Sharing so that single-page JavaScript applications can
work with GitLab. These endpoints, which are provided by the doorkeeper-openid_connect gem, now have CORS headers:
/oauth/userinfo
/oauth/discovery/keys
/.well-known/openid-configuration
/.well-known/webfinger
In addition, this commit adds CORS headers to:
/oauth/revoke
In !49756 (merged), we added CORS headers for /oauth/token to support OAuth Proof Key for Code Exchange (PKCE) flow. Adding /oauth/revoke is an extension of that work.
We also add the OPTIONS method for these endpoints so that the CORS preflight checks can work.
Closes #209259 (closed)
Edited by Stan Hu
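
The behaviour described above, as an added example that is not GitLab's code or part of this merge request: a Rack-style middleware in plain Ruby that adds CORS headers only to the listed endpoints and answers the OPTIONS preflight. The class name, the per-path method lists, the wildcard origin and the allowed request headers are assumptions made for this sketch.

```ruby
# Added example (not GitLab's implementation). Rack protocol only, no gems.
# Paths come from the description above; the method lists are assumptions.
class DiscoveryCors
  RULES = {
    '/oauth/userinfo'                   => %w[GET HEAD POST],
    '/oauth/discovery/keys'             => %w[GET HEAD],
    '/.well-known/openid-configuration' => %w[GET HEAD],
    '/.well-known/webfinger'            => %w[GET HEAD],
    '/oauth/token'                      => %w[POST],
    '/oauth/revoke'                     => %w[POST]
  }.freeze

  def initialize(app)
    @app = app
  end

  def call(env)
    allowed = RULES[env['PATH_INFO']]
    # Unlisted path or same-origin request (no Origin header): pass through
    # untouched, so the rest of the application never gains CORS headers.
    return @app.call(env) if allowed.nil? || env['HTTP_ORIGIN'].nil?

    if env['REQUEST_METHOD'] == 'OPTIONS'
      wanted = env['HTTP_ACCESS_CONTROL_REQUEST_METHOD']
      return @app.call(env) if wanted.nil? # plain OPTIONS, not a preflight
      # Preflight for a method that is not allowed: reply without CORS
      # headers, which makes the browser block the real request.
      return [200, {}, []] unless allowed.include?(wanted)
      return [200, cors_headers(allowed), []]
    end

    status, headers, body = @app.call(env)
    [status, headers.merge(cors_headers(allowed)), body]
  end

  private

  # No access-control-allow-credentials is ever sent: callers authenticate
  # with a bearer token, so cookies stay unusable from other origins.
  def cors_headers(allowed)
    {
      'access-control-allow-origin'  => '*',
      'access-control-allow-methods' => (allowed + ['OPTIONS']).join(', '),
      'access-control-allow-headers' => 'Authorization, Content-Type'
    }
  end
end
```
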