
Allow OPTIONS method for OAuth2 token endpoints

Stan Hu requested to merge sh-oauth-allow-options-cors into master

What does this MR do and why?

!52641 (merged) made it possible to perform cross-origin requests to OAuth endpoints. However, before sending a cross-origin request the browser issues a CORS preflight, an OPTIONS request, to check whether the server allows it. Because the OPTIONS method was not allowed on the token endpoint, the browser halted the CORS request.

Relates to #364680 (closed)

How to set up and validate locally

  1. Set up an OAuth2 application at /admin/applications:

image

  2. Use master.
  3. Issue a curl command with your client_id and client_secret from the OAuth application page:

```shell
curl -H "Origin: myhost.com" -X OPTIONS -v "https://gdk.test:3443/oauth/token?grant_type=client_credentials&client_id=<YOUR-CLIENT-ID>&client_secret=<YOUR-CLIENT-SECRET>&redirect_uri=https://gdk.test:3443/test"
```

In master, you should not see any access-control-* headers in the response. With this branch, you should see the following:

```
< access-control-allow-methods: POST, OPTIONS
< access-control-allow-origin: *
< access-control-max-age: 7200
```
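As an added example (not GitLab's code), the following Python mimics the decision a browser makes from the access-control-* headers above, so the preflight response can be checked mechanically rather than by eye; the `Access-Control-Request-Method` header sent by `fetch_preflight_headers` is an assumption beyond the curl command on this page, and the sample header sets are constructed from the MR description.

```python
"""Evaluate whether a CORS preflight response lets a browser proceed.

Added example for this MR page, not GitLab's code. It reproduces the checks a
browser performs on the access-control-* headers returned to an OPTIONS request.
"""
import urllib.request
from typing import Mapping


def preflight_allows(headers: Mapping[str, str], origin: str, method: str,
                     with_credentials: bool = False) -> bool:
    """Return True if a browser would accept this preflight response.

    - access-control-allow-origin must equal the request Origin or be '*'
    - '*' is rejected when the request carries credentials (cookies etc.)
    - access-control-allow-methods must list the intended method
    """
    lower = {k.lower(): v for k, v in headers.items()}
    allow_origin = lower.get("access-control-allow-origin")
    if allow_origin is None:
        return False  # no CORS headers at all (master): the browser halts
    if allow_origin == "*":
        if with_credentials:
            return False  # wildcard origin is invalid for credentialed requests
    elif allow_origin != origin:
        return False
    methods = [m.strip().upper()
               for m in lower.get("access-control-allow-methods", "").split(",")]
    return method.upper() in methods


def fetch_preflight_headers(url: str, origin: str, method: str = "POST") -> dict:
    """Issue the OPTIONS request the curl command above sends (needs network).

    Assumption: a real browser also sends Access-Control-Request-Method, so it
    is added here; the page's curl command omits it.
    """
    req = urllib.request.Request(url, method="OPTIONS", headers={
        "Origin": origin, "Access-Control-Request-Method": method})
    with urllib.request.urlopen(req) as resp:
        return dict(resp.headers.items())


# Constructed samples: headers this branch returns, and the empty set from master.
BRANCH_HEADERS = {"access-control-allow-methods": "POST, OPTIONS",
                  "access-control-allow-origin": "*",
                  "access-control-max-age": "7200"}
MASTER_HEADERS: dict = {}

if __name__ == "__main__":
    print(preflight_allows(BRANCH_HEADERS, "https://myhost.com", "POST"))  # True
    print(preflight_allows(MASTER_HEADERS, "https://myhost.com", "POST"))  # False
```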

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Stan Hu
