SSO Server

CORS with authentication enabled

As of Identity Server 8.3.2, resources that are shared across origins and resources that authenticate the user via the Authorization header are by default allowed for all origins, with the following response headers:

  • Access-Control-Allow-Headers: Authorization
  • Access-Control-Expose-Headers: WWW-Authenticate
  • Access-Control-Allow-Methods: GET, POST
  • Access-Control-Allow-Origin: *

Endpoint                      | Description
/uas/oauth2/token             | OAuth 2.0 and OpenID Connect 1.0 protocol endpoints.
/uas/oauth2/userinfo          | The client_secret_basic client credentials method cannot be used;
/uas/oauth2/introspection     | other client credential types are possible.
/uas/oauth2/revocation        | The authorization endpoint is not CORS enabled.

CORS with credentials enabled

Resources that authenticate the user with credentials are disabled by default, because the origins allowed for them must be declared explicitly. For how to restrict the allowed origins, see Configuring CORS with credentials.

  • Access-Control-Allow-Credentials: true
  • Access-Control-Allow-Methods: GET, POST
  • Access-Control-Allow-Origin: https://www.example.com

Endpoint                      | Description
/uas/refresh/*                | The session refresh endpoint

CORS enabled

  • Access-Control-Allow-Methods: GET, POST
  • Access-Control-Allow-Origin: *

Endpoint                          | Description
/uas/saml2/metadata.xml           | Metadata endpoints for SAML 2.0, WS-Federation,
/uas/wsf/FederationMetadata.xml   | OAuth 2.0 and OpenID Connect 1.0
/uas/.well-known/*                |
/uas/oauth2/metadata.json         |
/uas/oauth2/metadata.jwks         |
/uas/discovery/*                  | Discovery and Template API
/uas/template/*                   |
/uas/resource/*                   |
/uas/status                       | Status endpoints
/uas/ping                         |

CORS disabled

For any other SSO Server endpoints, all CORS requests are blocked.


Troubleshooting

You can verify the CORS configuration from the diagnostic logs (see Diag log description):

  • set the debug level for INIT to log the basic filter setup
  • set the debug level for com.ubisecure.util.filter.CorsFilter for more details
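As an added example that is not part of the Ubisecure documentation, the following Python script encodes the endpoint tables above and compares the Access-Control-* headers an endpoint actually returns against the class the tables assign to it, flagging the credentials-with-wildcard combination that browsers reject. The sample responses are constructed, and "/uas/other" is a hypothetical path standing in for "any other SSO Server endpoint".

```python
from fnmatch import fnmatch
from typing import Dict, Tuple

# Endpoint classes from the tables above; fnmatch handles the trailing "*" patterns.
POLICY_PATTERNS = {
    "authentication": ["/uas/oauth2/token", "/uas/oauth2/userinfo",
                       "/uas/oauth2/introspection", "/uas/oauth2/revocation"],
    "credentials": ["/uas/refresh/*"],
    "enabled": ["/uas/saml2/metadata.xml", "/uas/wsf/FederationMetadata.xml",
                "/uas/.well-known/*", "/uas/oauth2/metadata.json",
                "/uas/oauth2/metadata.jwks", "/uas/discovery/*", "/uas/template/*",
                "/uas/resource/*", "/uas/status", "/uas/ping"],
}

def expected_policy(path: str) -> str:  # class the documentation assigns to a path
    for policy, patterns in POLICY_PATTERNS.items():
        if any(fnmatch(path, pattern) for pattern in patterns):
            return policy
    return "disabled"  # "For any other SSO Server endpoints, all CORS requests are blocked."

def _csv(value: str) -> set:  # comma-separated header value -> lower-cased set
    return {item.strip().lower() for item in value.split(",") if item.strip()}

def observed_policy(headers: Dict[str, str]) -> str:  # class implied by real headers
    h = {k.lower(): v.strip() for k, v in headers.items()}
    origin = h.get("access-control-allow-origin")
    if origin is None:
        return "disabled"
    if h.get("access-control-allow-credentials", "").lower() == "true":
        # Browsers reject credentialed responses that use the wildcard origin,
        # so "*" here is a misconfiguration rather than a valid class.
        return "invalid" if origin == "*" else "credentials"
    if ("authorization" in _csv(h.get("access-control-allow-headers", ""))
            and "www-authenticate" in _csv(h.get("access-control-expose-headers", ""))):
        return "authentication"
    return "enabled"

# (expected, observed, match) for one endpoint's response headers
def check(path: str, headers: Dict[str, str]) -> Tuple[str, str, bool]:
    expected, observed = expected_policy(path), observed_policy(headers)
    return expected, observed, expected == observed

SAMPLE_RESPONSES = {  # constructed, not captured from a real server
    "/uas/refresh/abc": {"Access-Control-Allow-Credentials": "true",
                         "Access-Control-Allow-Origin": "https://www.example.com"},
    "/uas/oauth2/token": {"Access-Control-Allow-Origin": "*",
                          "Access-Control-Allow-Headers": "Authorization",
                          "Access-Control-Expose-Headers": "WWW-Authenticate"},
    "/uas/other": {"Access-Control-Allow-Origin": "*"},  # hypothetical path, should be blocked
}
```

Feed `check()` the headers from a preflight or actual cross-origin response to each endpoint; a `False` in the third position means the deployment deviates from the documented class.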
