Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

OPTIONS request blocked on userinfo endpoint #304

Open
defgsus opened this issue Dec 6, 2018 · 3 comments
Open

OPTIONS request blocked on userinfo endpoint #304

defgsus opened this issue Dec 6, 2018 · 3 comments

Comments

@defgsus
Copy link

defgsus commented Dec 6, 2018
edited
Loading

The problem is partly described in #249 but was subsequently ignored.

At least the oidc-client-js library does an OPTIONS request against the userinfo endpoint which gets blocked by the `protected_resource_view' decorator.

The openid-connect-core specification does not explicitly require supporting OPTIONS, though it's seems to be practiced by implementations. For example, auth0.com supports an unauthorized OPTIONS request against userinfo.

As @q3aiml points out, supporting OPTIONS is part of supporting CORS.

I suggest an unprotected_methods parameter to the protected_resource_view decorator in lib/utils/oauth2.py, which would make it possible to let OPTIONS requests pass for this endpoint but does not break any existing code.
defgsus added a commit to netzkolchose/django-oidc-provider that referenced this issue Dec 6, 2018
@defgsus
let OPTIONS request on /userinfo pass unauthorized
98cfdc2 
juanifioren#304
@defgsus defgsus mentioned this issue Dec 6, 2018
Closed
zvyn added a commit to zvyn/django-oidc-provider that referenced this issue May 10, 2019
@zvyn
Allow unauthenticated OPTIONS request to /userinfo
59de41e 
Implements the solution suggested by @defgsus in juanifioren#304
@zvyn
Copy link

zvyn commented May 10, 2019
edited
Loading

@defgsus sorry, I didn't see your commit until after I implemented it as well! I'll create a PR now, hoping it gets merged upstream.

@zvyn zvyn mentioned this issue May 10, 2019
Open
zvyn added a commit to zvyn/django-oidc-provider that referenced this issue May 25, 2019
@zvyn
Allow unauthenticated OPTIONS request to /userinfo
7048f29 
Implements the solution suggested by @defgsus in juanifioren#304
@svenstucki
Copy link

We're facing the same issue. It would be great to get a fix for this merged, instead of having to use a fork.

@juanifioren would it be possible to merge #321 ? It's a fairly small change.

I think this objectively is a bug in the current implementation, as the OPTIONS request method is used for the CORS preflight only. But the specs do not allow a preflight request to have an access token (there is a limited set of permitted headers).

@Cediddi
Copy link

Cediddi commented Dec 3, 2019

I'm having this issue as well, I'm currently using a fork right now but would much prefer this issue to be solved.

zvyn added a commit to zvyn/django-oidc-provider that referenced this issue Jul 24, 2023
@zvyn
Allow unauthenticated OPTIONS request to /userinfo
f6a5b4d 
Implements the solution suggested by @defgsus in juanifioren#304
zvyn added a commit to zvyn/django-oidc-provider that referenced this issue Oct 21, 2024
@zvyn
Allow unauthenticated OPTIONS request to /userinfo
37fbf24 
Implements the solution suggested by @defgsus in juanifioren#304
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@svenstucki @zvyn @Cediddi @defgsus