CORS support - SSO

SSO Server

CORS with credentials enabled

As of Identity Server 8.3.2, any cross-origin resources that require the user to be authenticated are disabled by default, because their allowed origins must be declared explicitly.

  • Access-Control-Allow-Credentials: true
  • Access-Control-Allow-Methods: GET, POST
  • Access-Control-Allow-Origin: https://www.example.com

Endpoint                          Description
/uas/refresh/*                    The session refresh endpoint

CORS enabled

  • Access-Control-Allow-Methods: GET, POST
  • Access-Control-Allow-Origin: *
Endpoint                          Description
/uas/saml2/metadata.xml           Metadata endpoints for SAML 2.0, WS-Federation,
/uas/wsf/FederationMetadata.xml   OAuth 2.0 and OpenID Connect 1.0
/uas/.well-known/*
/uas/oauth2/metadata.json
/uas/oauth2/metadata.jwks
/uas/discovery/*                  Discovery and Template API
/uas/template/*
/uas/resource/*
/uas/status                       Status endpoints
/uas/ping
/uas/oauth2/token                 OAuth 2.0 and OpenID Connect 1.0 protocol endpoints.
/uas/oauth2/userinfo              The client_secret_basic client credentials cannot be
/uas/oauth2/introspection         used; other client credential types are possible.
/uas/oauth2/revocation            The authorization endpoint is not CORS enabled.

CORS disabled

For any other SSO Server endpoints, all CORS requests are blocked.
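The policy above can be verified against actual responses. The following checker is an added example, not Ubisecure code: it encodes the endpoint groups from this page and reports where a response's CORS headers disagree with them. The declared-origin set, the response header dicts and the unlisted path in the self-check are constructed values.

```python
from fnmatch import fnmatchcase
# Endpoint groups transcribed from the page; "*" is a wildcard as in the page's paths.
CREDENTIALED = ["/uas/refresh/*"]
PUBLIC = [
    "/uas/saml2/metadata.xml", "/uas/wsf/FederationMetadata.xml", "/uas/.well-known/*",
    "/uas/oauth2/metadata.json", "/uas/oauth2/metadata.jwks",
    "/uas/discovery/*", "/uas/template/*", "/uas/resource/*", "/uas/status", "/uas/ping",
    "/uas/oauth2/token", "/uas/oauth2/userinfo",
    "/uas/oauth2/introspection", "/uas/oauth2/revocation",
]

def expected_policy(path):
    """Return 'credentialed', 'public' or 'blocked' for a request path."""
    if any(fnmatchcase(path, pat) for pat in CREDENTIALED):
        return "credentialed"
    if any(fnmatchcase(path, pat) for pat in PUBLIC):
        return "public"
    return "blocked"

def check_cors(path, headers, allowed_origins):
    """Compare one response's CORS headers with the policy; return a list of findings."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    acac = h.get("access-control-allow-credentials")
    methods = {m.strip() for m in h.get("access-control-allow-methods", "").split(",") if m.strip()}
    policy, findings = expected_policy(path), []
    if policy == "blocked":
        if acao is not None:
            findings.append(f"{path}: CORS headers present on an endpoint that must block CORS")
        return findings
    if not methods <= {"GET", "POST"}:
        findings.append(f"{path}: methods beyond GET, POST are exposed: {sorted(methods)}")
    if policy == "public":
        if acao != "*":
            findings.append(f"{path}: expected Access-Control-Allow-Origin: *, got {acao!r}")
        if acac == "true":
            findings.append(f"{path}: credentials must not be allowed on a public endpoint")
        return findings
    # Credentialed: browsers reject 'true' combined with '*', so the origin must be explicit.
    if acac != "true":
        findings.append(f"{path}: Access-Control-Allow-Credentials: true is missing")
    if acao in (None, "*"):
        findings.append(f"{path}: credentialed CORS needs an explicit origin, got {acao!r}")
    elif acao not in allowed_origins:
        findings.append(f"{path}: origin {acao} is not in the declared allow list")
    return findings

if __name__ == "__main__":  # constructed response, not captured from a real server
    print(check_cors("/uas/refresh/session", {"Access-Control-Allow-Origin": "*",
                     "Access-Control-Allow-Credentials": "true"}, {"https://www.example.com"}))
```

Feed it the headers returned for each path (for example from a preflight response) and treat any non-empty list as a configuration to review.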

Password

All CORS requests are blocked.

Management Console

All CORS requests are blocked.
