SSO Server

CORS with authentication enabled

Resources that authenticate the user via the Authorization header are by default allowed for all origins. To restrict the allowed origins, see Restricting allowed origins for CORS.

  • Access-Control-Allow-Headers: Authorization
  • Access-Control-Expose-Headers: WWW-Authenticate
  • Access-Control-Allow-Methods: GET, POST
  • Access-Control-Allow-Origin: *
Endpoint                          Description
/uas/oauth2/token                 OAuth 2.0 and OpenID Connect 1.0 protocol endpoints.
/uas/oauth2/userinfo              client_secret_basic client credentials cannot be used;
/uas/oauth2/introspection         other types of client credentials are possible.
/uas/oauth2/revocation            The authorization endpoint is not CORS enabled.

CORS with credentials enabled

Resources that authenticate the user with credentials are by default allowed for all origins. To restrict the allowed origins, see Restricting allowed origins for CORS.

  • Access-Control-Allow-Credentials: true
  • Access-Control-Allow-Methods: GET, POST
  • Access-Control-Allow-Origin: *
Endpoint                          Description
/uas/refresh/*                    The session refresh endpoint

CORS enabled

  • Access-Control-Allow-Methods: GET, POST
  • Access-Control-Allow-Origin: *
Endpoint                          Description
/uas/saml2/metadata.xml           Metadata endpoints for SAML 2.0, WS-Federation,
/uas/wsf/FederationMetadata.xml   OAuth 2.0 and OpenID Connect 1.0
/uas/.well-known/*
/uas/oauth2/metadata.json
/uas/oauth2/metadata.jwks
/uas/discovery/*                  Discovery and Template API
/uas/template/*
/uas/resource/*
/uas/status                       Status endpoints
/uas/ping
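The three policy classes above can be turned into a drift check that an operator runs against observed responses, for example after restricting the allowed origins. This is an added example, not SSO Server code; the policy and endpoint tables are taken from this page, while the function names, the sample headers and the use of fnmatch-style wildcards for the `*` paths are assumptions.

```python
from fnmatch import fnmatchcase

# Documented default response headers per CORS policy class (from this page).
BASE = {"Access-Control-Allow-Methods": "GET, POST", "Access-Control-Allow-Origin": "*"}
POLICIES = {
    "authentication": {**BASE, "Access-Control-Allow-Headers": "Authorization",
                       "Access-Control-Expose-Headers": "WWW-Authenticate"},
    "credentials": {**BASE, "Access-Control-Allow-Credentials": "true"},
    "plain": BASE,
}

# Endpoint path patterns per policy class, from the tables above ('*' is a wildcard).
ENDPOINTS = {
    "authentication": ["/uas/oauth2/token", "/uas/oauth2/userinfo",
                       "/uas/oauth2/introspection", "/uas/oauth2/revocation"],
    "credentials": ["/uas/refresh/*"],
    "plain": ["/uas/saml2/metadata.xml", "/uas/wsf/FederationMetadata.xml",
              "/uas/.well-known/*", "/uas/oauth2/metadata.json",
              "/uas/oauth2/metadata.jwks", "/uas/discovery/*",
              "/uas/template/*", "/uas/resource/*", "/uas/status", "/uas/ping"],
}

def policy_for(path):
    """Policy class for a request path, or None when the path is not CORS enabled."""
    for name, patterns in ENDPOINTS.items():
        if any(fnmatchcase(path, pattern) for pattern in patterns):
            return name
    return None

def check_cors(path, headers):
    """Compare observed response headers (names matched case-insensitively) with
    the documented defaults for the path; returns a list of findings."""
    observed = {k.lower(): v.strip() for k, v in headers.items()}
    expected = POLICIES.get(policy_for(path))
    if expected is None:  # not CORS enabled: any CORS header is unexpected
        return [f"{path}: unexpected {k}" for k in observed if k.startswith("access-control-")]
    findings = []
    for name, value in expected.items():
        got = observed.get(name.lower())
        if got is None:
            findings.append(f"{path}: missing {name}")
        elif got != value:  # e.g. a specific origin after restriction was configured
            findings.append(f"{path}: {name} is {got!r}, documented default {value!r}")
    return findings

if __name__ == "__main__":
    # Constructed sample: a token endpoint response that omits the exposed header.
    sample = {"Access-Control-Allow-Origin": "*", "Access-Control-Allow-Methods": "GET, POST",
              "Access-Control-Allow-Headers": "Authorization"}
    print(check_cors("/uas/oauth2/token", sample))
```

A non-default Access-Control-Allow-Origin is reported rather than silently accepted, so the operator can confirm that the restriction matches what was configured.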

...