Pinniped server CORS headers missing #2132
Comments
|
Hi @exolicious, thanks for creating this issue. As you noticed, currently the Supervisor doesn't support single page apps (SPAs). Sorry if the doc did not make that clear. It currently assumes that your webapp has a backend, and that the backend is what will redeem the authcodes at the token endpoint. It still requires PKCE for these apps as well, because it is considered the current best practice for OAuth2. We could take a look at what would be required to also support SPAs. |
|
@cfryanr Thank you very much for answering so quickly. We would really appreciate if pinniped supported SPAs, since we would like to have a fully state/sessionless backend if possible. |
|
@cfryanr I looked at the code and this is a quick solution: For example: I can create a PR for a more sophisticated solution tomorrow, if you want. |
What happened?
I want to configure pinniped-oidc for a webapp according to this guide: https://pinniped.dev/docs/howto/configure-auth-for-webapps/
It says: "Clients must use PKCE during the authorization code flow."
However the supervisor does not seem to set CORS related Headers.
Setting them on an httpproxy (contour) is also not an option, since tlspassthrough is recomended.
What did you expect to happen?
I expect the CORS headers to be set on the response, since the guide's title is "Using the Pinniped Supervisor to provide authentication for web applications" and it says "Clients must use PKCE during the authorization code flow."
What is the simplest way to reproduce this behavior?
Connect any SPA as an oidcclient in pinniped supervisor and try to access the wellknown endpoint through a js-fetch.
In what environment did you see this bug?
(other stuff is not relevant)
What else is there to know about this bug?
The text was updated successfully, but these errors were encountered: