ADFS 2016 TP5: Cross Origin Request Failure for OpenID Discovery Endpoint

  • Question

  • We have an HTML5 app supported by microservices and no back-end logic. The team is exploring OpenID Connect on ADFS 2016 TP5 as a means of authentication and authorization, but we get a cross origin failure when trying to get the OpenID Connect discovery endpoint.

    BACKGROUND: When starting, the user launches a web browser and navigates to our app URL. The web server returns our app HTML, which, from the browser, then makes a JavaScript call to the ADFS OpenID discovery endpoint to initiate the authentication process. A Fiddler trace shows that we get the right response from ADFS, but the browser rejects the response due to the cross origin call. Unlike a native mobile app, our app runs in the context of a web browser and is beholden to cross origin security.

    XMLHttpRequest cannot load [ADFS_URL]. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin '[APP_URL]' is therefore not allowed access.

    Given that the information from the discovery endpoint is somewhat trivial (issuer, authorization_endpoint, jwks_uri... which we can determine out-of-band), are we expected to manually "fix" this information into our app?  Or are there plans to set the Access-Control-Allow-Origin header on the discovery endpoint?

    UPDATE: This CORS issue still affects the ID Token signature verification, which uses the endpoint at jwks_uri.  Seems a bit hacky to manually set this information in the app code. Prefer Access-Control-Allow-Origin header.
    • Edited by Roehl Sioson Monday, July 4, 2016 3:16 PM ID Token verification scope
    Monday, July 4, 2016 2:50 PM

All replies

  • Have you by chance discovered more about this? We've set up our initial ADFS4 sandbox (w/o WAP) and developers are stymied by the return "No 'Access-Control-Allow-Origin' header is present on the requested resource" - the only information I've found online regarding enabling CORS support suggests using a WAP or 3rd party proxy service to 'inject' the header into the response.
    Tuesday, April 24, 2018 10:31 PM