Set CORS headers on OAuth2 introspection endpoint
What does this MR do and why?
It allows CORS requests for the OAuth 2.0 token introspection endpoint.
Related: !52641 (merged), !89566 (merged)
How to set up and validate locally
- Set up an OAuth2 application.
- Issue a `curl` command with the client ID and client secret:
curl --user <CLIENT_ID> -H "Origin: myhost.com" -X OPTIONS -v "https://localhost:3443/oauth/introspect"
Check that the following is returned:
< access-control-allow-methods: POST, OPTIONS
< access-control-allow-origin: *
< access-control-max-age: 7200
MR acceptance checklist
- I have evaluated the MR acceptance checklist for this MR.
Edited by Simon Ser
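The validation step above can be scripted. The following is an added example, not part of the MR or of GitLab's code: it parses `curl -v` style output and checks the three headers listed in the description. The function names and the sample responses are constructed for illustration, and the `access-control-allow-credentials` check is an extra assumption of this example (a wildcard origin should not be paired with credentials), not something the MR states.

```shell
#!/bin/sh
# Added example: check the CORS preflight headers of /oauth/introspect.

# Print the value of response header $1 from `curl -v` style text on stdin.
# Strips CRs and the "< " prefix; header names match case-insensitively.
header_value() {
  tr -d '\r' | sed 's/^< //' | awk -v name="$1" '
    BEGIN { name = tolower(name) }
    { i = index($0, ":"); if (i == 0) next
      if (tolower(substr($0, 1, i - 1)) == name) {
        v = substr($0, i + 1)
        sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
        print v; exit } }'
}

# Return 0 when the response text in $1 carries the expected CORS headers.
check_introspect_cors() {
  resp=$1
  methods=$(printf '%s\n' "$resp" | header_value access-control-allow-methods)
  origin=$(printf '%s\n' "$resp" | header_value access-control-allow-origin)
  max_age=$(printf '%s\n' "$resp" | header_value access-control-max-age)
  creds=$(printf '%s\n' "$resp" | header_value access-control-allow-credentials)
  [ "$methods" = "POST, OPTIONS" ] || { echo "bad allow-methods: '$methods'"; return 1; }
  [ "$origin" = "*" ] || { echo "bad allow-origin: '$origin'"; return 1; }
  [ "$max_age" = "7200" ] || { echo "bad max-age: '$max_age'"; return 1; }
  # Extra check (assumption of this example, not in the MR).
  [ "$creds" != "true" ] || { echo "wildcard origin with credentials"; return 1; }
  echo "ok"
}

# Constructed sample responses (not captured from a real instance).
SAMPLE_OK='< HTTP/1.1 200 OK
< access-control-allow-methods: POST, OPTIONS
< access-control-allow-origin: *
< access-control-max-age: 7200'
SAMPLE_NO_CORS='< HTTP/1.1 200 OK
< content-type: text/html'
SAMPLE_CREDS="$SAMPLE_OK
< access-control-allow-credentials: true"

# Live use: curl -v writes headers to stderr, hence 2>&1.
# check_introspect_cors "$(curl --user <CLIENT_ID> -H 'Origin: myhost.com' \
#   -X OPTIONS -sv 'https://localhost:3443/oauth/introspect' 2>&1)"
```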