Skip to content

Allow OPTIONS method for OAuth2 token endpoints

Stan Hu requested to merge sh-oauth-allow-options-cors into master

What does this MR do and why?

!52641 (merged) made it possible to perform cross-origin requests for OAuth endpoints. However, a CORS preflight request issues an OPTIONS request to see if the server can support this. Since this method wasn't allowed, the browser halted the CORS request.

Relates to #364680 (closed)

How to set up and validate locally

  1. Set up an OAuth2 application: /admin/applications:

image

  1. Use master.
  2. Issue a curl command with your client_id and client_secret from the OAuth application page:
curl -H "Origin: myhost.com" -X OPTIONS -v "https://gdk.test:3443/oauth/token?grant_type=client_credentials&client_id=<YOUR-CLIENT-ID>&client_secret=<YOUR-CLIENT-SECRET>&redirect_uri=https://gdk.test:3443/test"

In master, you should not see any access-control-* headers. With this branch, you see this:

< access-control-allow-methods: POST, OPTIONS
< access-control-allow-origin: *
< access-control-max-age: 7200

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Stan Hu

Merge request reports

Loading