OidcSupport.java doesn't allow CORS requests. Shouldn't it allow CORS requests?
Getting the below error when trying to execute a login request from the frontend (React + TypeScript) to the backend (Java Helidon MP service). I have added CORS attributes in the Helidon application config, and they are being honored for all application requests, except this instance of /oidc/redirect. I was able to make some progress by including a CorsSupport handler as part of RoutingRules.
Access to XMLHttpRequest at ‘http://localhost:7987/oidc/redirect?code=AgAgYmE2MGQwOGQwYWUzNDhjZGFlNWNhODQ0NTMyMjIxN2EIABDZvnqDDc9zE1bXeAfQgOctAAAAQOK27SgPqB4iaXNvqK-3q6h15tM7075vxJZqfWdC08VecVPDxfY78SgsWC2h96hhOzwsv97-v3y8L_2VlcwXCcE=&state=%2Fsession%2Fsecure’ (redirected from ‘http://localhost:7987/session/secure’) from origin ‘http://localhost:9000’ has been blocked by CORS policy: No ‘Access-Control-Allow-Origin’ header is present on the requested resource.
Based on my minimal understanding, the OidcSupport.update method should be updated to something similar to the below, to allow CORS requests to be processed properly.
```java
public void update(Routing.Rules rules) {
    if (enabled) {
        rules.get(oidcConfig.redirectUri(),
                  CorsSupport.builder().allowOrigins("ORIGIN").allowMethods("*").build(),
                  this::processOidcRedirect)
             .any(this::addRequestAsHeader);
    }
}
```
Environment Details
- Helidon Version: 2.3.3
- Helidon MP
- JDK version: JDK 11
- OS: Windows 10
Expected: the redirect call from the OidcProvider instance should redirect properly with no errors or issues.
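The browser-side check behind the error quoted in the issue, as an added example that is not part of the original issue or of Helidon: it walks a redirect chain and applies the Fetch standard's CORS check to each response. The response headers in the sample chains are constructed, and `idp.example` is a placeholder for an identity provider hop that the error message does not show.

```javascript
// Fetch-standard CORS check for one response, simplified to the
// Access-Control-Allow-Origin / -Allow-Credentials headers.
// Returns null on success, or the reason for the failure.
function corsCheck(serializedOrigin, withCredentials, headers) {
  const allowOrigin = headers['access-control-allow-origin'];
  if (allowOrigin === undefined) return 'no Access-Control-Allow-Origin header';
  if (!withCredentials && allowOrigin === '*') return null; // wildcard is enough
  if (allowOrigin !== serializedOrigin) return `origin mismatch (${allowOrigin})`;
  if (!withCredentials) return null;
  return headers['access-control-allow-credentials'] === 'true'
    ? null : 'Access-Control-Allow-Credentials is not "true"';
}

// Returns the first hop that fails the check, or null if the script may read
// the final response. A redirect between two origins that both differ from the
// page's origin taints the request: the browser then compares against "null".
function firstBlockedHop(pageOrigin, withCredentials, chain) {
  let tainted = false;
  for (let i = 0; i < chain.length; i++) {
    const here = new URL(chain[i].url).origin;
    if (i > 0) {
      const prev = new URL(chain[i - 1].url).origin;
      if (here !== prev && prev !== pageOrigin) tainted = true;
    }
    const origin = tainted ? 'null' : pageOrigin;
    const reason = corsCheck(origin, withCredentials, chain[i].headers);
    if (reason) return { url: chain[i].url, reason };
  }
  return null;
}

// Constructed sample data, using the URLs from the error message above.
const PAGE = 'http://localhost:9000';
const allow = () => ({ 'access-control-allow-origin': PAGE });
const reported = [
  { url: 'http://localhost:7987/session/secure', headers: allow() },
  { url: 'http://localhost:7987/oidc/redirect', headers: {} },
];
const corsOnBoth = reported.map((hop) => ({ ...hop, headers: allow() }));
// Hypothetical identity-provider hop (idp.example is a placeholder).
const viaIdp = [corsOnBoth[0],
  { url: 'https://idp.example/authorize', headers: { 'access-control-allow-origin': '*' } },
  corsOnBoth[1]];

console.log(firstBlockedHop(PAGE, false, reported));   // fails at /oidc/redirect
console.log(firstBlockedHop(PAGE, false, corsOnBoth)); // null: readable
console.log(firstBlockedHop(PAGE, true, corsOnBoth));  // fails: credentials not allowed
console.log(firstBlockedHop(PAGE, false, viaIdp));     // fails: origin is now "null"
```

The last case shows that once the chain passes through a third origin, echoing the page's own origin on the redirect endpoint no longer satisfies the check, because the browser compares against `null`.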
Top GitHub Comments
In looking on the web at other OIDC providers, it seems fairly widespread that they support CORS. In a quick chat, Santiago tends to agree.
As a result, we should probably go ahead and allow users to enable CORS support for our OIDC support.
Fixed in 2.x and 3.x.