
Dynamic oauth client CORS config should have accept credentials

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 7.0.0
    • Fix Version/s: 7.0.0
    • Component/s: None

      Description

      The SDKs are setting credentials: 'include' on their CORS requests, and so AM needs to respond with Access-Control-Allow-Credentials: true to permit the request.

      While fixing this, we should also review the default settings of the OAuth2 client's CORS configs.
      Ensure they are more pervasive than the current ones in their default state (e.g. allow credentials is exposed).

      Further actions may be of use, for example updating the exposed settings in the OAuth2 client's CORS configuration so that this setting can be manually edited by an AM admin without recreating the dynamic config in a static form.

      Code Analysis
      The org.forgerock.openam.cors.OAuth2ClientCorsConfig#allowCredentials method returns false and should be changed to return true.
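      The following is an added illustration, not OpenAM code: it mirrors the browser-side CORS check for a credentialed request, so the effect of the allowCredentials flag on an SDK request sent with credentials: 'include' can be seen directly. The allowed-origin list, the origin and the amCorsResponse shape are assumptions for the example; the rule that a credentialed response must also echo a specific origin rather than "*" comes from the CORS specification, not from this issue.

```javascript
// Decide whether a browser would accept a CORS response for a fetch made from
// requestOrigin with the given credentials mode. Only the two headers relevant
// to this issue are modelled; method/header preflight checks are out of scope.
function corsAllows(requestOrigin, credentialsMode, responseHeaders) {
  const h = {};
  for (const [k, v] of Object.entries(responseHeaders)) h[k.toLowerCase()] = v;
  const allowOrigin = h['access-control-allow-origin'];
  const allowCreds = h['access-control-allow-credentials'];

  if (allowOrigin === undefined) return false;
  if (credentialsMode !== 'include') {
    return allowOrigin === '*' || allowOrigin === requestOrigin;
  }
  // Credentialed request: a wildcard origin is rejected, the origin must match
  // exactly, and Access-Control-Allow-Credentials must be the literal "true".
  if (allowOrigin === '*') return false;
  if (allowOrigin !== requestOrigin) return false;
  return allowCreds === 'true';
}

// Hypothetical model of AM's CORS response for a dynamic OAuth2 client, driven
// by the allowCredentials flag the issue says must become true. The origin
// check and Vary header are assumptions about a sane implementation.
function amCorsResponse(requestOrigin, allowedOrigins, allowCredentials) {
  const headers = {};
  if (allowedOrigins.includes(requestOrigin)) {
    headers['Access-Control-Allow-Origin'] = requestOrigin; // never "*" here
    headers['Vary'] = 'Origin';
    if (allowCredentials) headers['Access-Control-Allow-Credentials'] = 'true';
  }
  return headers;
}

// Constructed sample: an SDK page at app.example.com calling AM with
// credentials: 'include', as the SDKs described in the issue do.
const ORIGIN = 'https://app.example.com';
const ALLOWED = ['https://app.example.com'];

function sdkRequestAllowed(allowCredentials) {
  const headers = amCorsResponse(ORIGIN, ALLOWED, allowCredentials);
  return corsAllows(ORIGIN, 'include', headers);
}
```

      With allowCredentials false (the pre-fix behaviour) the credentialed SDK request is blocked; with it true, the same request passes.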

            People

            • Assignee: David Luna (david.luna@forgerock.com)
            • Reporter: James Phillpotts (jamesphillpotts)
            • Votes: 0
            • Watchers: 5
