OpenID Discovery document does not have CORS headers
Summary
https://gitlab.com/.well-known/openid-configuration does not have any CORS headers set, which prevents browser-based user-agents (i.e. Single Page Applications) from using it.
The URL returned in jwks_uri in the discovery document does not have any CORS headers either.
The following endpoints should have CORS headers to enable browser-based user-agents to work with GitLab:
- /.well-known/openid-configuration GET (after #233956 (closed) is done)
- /.well-known/oauth-authorization-server GET
- /oauth/userinfo GET
- /oauth/token POST (to support PKCE-based flows from the browser)
- /oauth/revoke POST (to support revoking from the browser)
- /oauth/discovery/keys GET, HEAD (otherwise it is not possible to validate id_tokens in the browser; HEAD so that one can check the local cache quickly)
Steps to reproduce
It can be observed that there is no Access-Control-Allow-Origin header in the response:
curl -i -H 'Origin: https://example.com' -s https://gitlab.com/.well-known/openid-configuration
You can also open a browser tab to https://example.com and in the JavaScript console use the following:
window.fetch('https://gitlab.com/.well-known/openid-configuration').then(response => response.json()).then(json => console.log(json))
Chrome returns: Access to fetch at 'https://gitlab.com/.well-known/openid-configuration' from origin 'https://example.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.
Firefox returns: Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://gitlab.com/.well-known/openid-configuration. (Reason: CORS header 'Access-Control-Allow-Origin' missing).
What is the current bug behavior?
Missing Access-Control-Allow-Origin header in the response.
What is the expected correct behavior?
The following header should be added to the discovery document:
Access-Control-Allow-Origin: *
As no authentication (cookies) is expected and only GET is used, the wildcard should work well here. The document is public and its content does not vary by caller, so there is nothing an arbitrary origin could learn that it cannot already fetch with curl; and browsers refuse a wildcard for credentialed requests anyway, so `*` cannot accidentally expose a cookie-authenticated response.
Relevant logs and/or screenshots
$ curl -H 'Origin: https://example.com' -i -s https://gitlab.com/.well-known/openid-configuration
HTTP/1.1 200 OK
Server: nginx
Date: Fri, 06 Mar 2020 11:59:11 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 942
Cache-Control: max-age=0, private, must-revalidate
Etag: W/"190cbffffe21d9da3c1d23c2074ffe4b"
Referrer-Policy: strict-origin-when-cross-origin
X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-Frame-Options: SAMEORIGIN
X-Permitted-Cross-Domain-Policies: none
X-Request-Id: Omw8mWQWtu7
X-Runtime: 0.008884
X-Xss-Protection: 1; mode=block
Strict-Transport-Security: max-age=31536000
Referrer-Policy: strict-origin-when-cross-origin
GitLab-LB: fe-17-lb-gprd
GitLab-SV: web-08-sv-gprd
{"issuer":"https://gitlab.com","authorization_endpoint":"https://gitlab.com/oauth/authorize","token_endpoint":"https://gitlab.com/oauth/token","revocation_endpoint":"https://gitlab.com/oauth/revoke","introspection_endpoint":"https://gitlab.com/oauth/introspect","userinfo_endpoint":"https://gitlab.com/oauth/userinfo","jwks_uri":"https://gitlab.com/oauth/discovery/keys","scopes_supported":["api","read_user","read_repository","write_repository","read_registry","sudo","openid","profile","email"],"response_types_supported":["code","token"],"response_modes_supported":["query","fragment"],"token_endpoint_auth_methods_supported":["client_secret_basic","client_secret_post"],"subject_types_supported":["public"],"id_token_signing_alg_values_supported":["RS256"],"claim_types_supported":["normal"],"claims_supported":["iss","sub","aud","exp","iat","sub_legacy","name","nickname","email","email_verified","website","profile","picture","groups"]}