Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add comment about Cors config #142

Open
1 task done
davhdavh opened this issue Nov 18, 2024 · 4 comments
Open
1 task done

Add comment about Cors config #142

davhdavh opened this issue Nov 18, 2024 · 4 comments
Labels
enhancement

Comments

@davhdavh
Copy link

Confirm you've already contributed to this project or that you sponsor it

  • I confirm I'm a sponsor or a contributor

Describe the solution you'd like

It was quite impossible to figure out how to set a specific cors policy for Openiddict rather than open all endpoints to a permissive default policy.

Can't figure out where it belongs in docs though.

Program.cs:

//BEFORE host.UseCors();
host.Use((context, next) => {
   if (!context.Request.Path.StartsWithSegments("/.well-known/openid-configuration")) return next(context);
   if (context.GetEndpoint() is not null) return next(context);
   context.SetEndpoint(new(null, new(new EnableCorsAttribute("MyCorsPolicyForOpeniddict")), null));
   return next(context);
});
host.UseCors();
host.UseAuthentication();

The other endpoints are map-able, so that can be done via normal procedure. E.g.

app.MapPost("/connect/token", [EnableCorsAttribute("MyCorsPolicyForOpeniddict)] [AllowAnonymous] async (HttpContext      context, ...) => ...);

Additional context

No response
@kevinchalet
Copy link
Member

Good idea.

Can't figure out where it belongs in docs though.

Maybe it should be added to the ASP.NET Core docs?

@davhdavh
Copy link
Author

Not really? The problem with openiddict in this regard is how the auth pipeline intercepts the request and answers. Afaik, there isnt the equivalent of EnablePassthrough for the configuration endpoint to do it in the normal way?

@kevinchalet
Copy link
Member

Afaik, there isnt the equivalent of EnablePassthrough for the configuration endpoint to do it in the normal way?

The "normal way" consists in OpenIddict fully handling a request without ever giving flow control back to ASP.NET Core: the pass-through mode is an exception that is only offered for a few select endpoint for which it makes sense (e.g the authorization or token endpoints).

Using endpoints in the authentication stack was discussed at some point with the ASP.NET team but we were unable to come up with a design that made everyone happy.

Not really?

What do you suggest, then?

@davhdavh
Copy link
Author

What do you suggest, then?

I actually think the current design is just fine. But as for CORS the only googleable solution was a sitewide opening for all endpoints, which was not acceptable for us.
Thus I present my detected workaround/hack to fix the issue for openiddict specifically.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@davhdavh @kevinchalet