Skip to content

fix(idp): allow CORS for all clients on token endpoint#11

Open
melvincarvalho wants to merge 3 commits intogh-pagesfrom
fix/oidc-cors-all-clients
Open

fix(idp): allow CORS for all clients on token endpoint#11
melvincarvalho wants to merge 3 commits intogh-pagesfrom
fix/oidc-cors-all-clients

Conversation

@melvincarvalho
Copy link
Copy Markdown
Contributor

@melvincarvalho melvincarvalho commented Dec 29, 2025

Summary

  • Simplify clientBasedCORS to return true for all clients
  • Fixes OIDC login for web apps loaded from CDN (like Mashlib from unpkg.com)

Problem

When Mashlib is loaded from CDN, the OIDC token exchange fails with:

400 Bad Request - origin not allowed for client

The previous code only allowed CORS for clients with tokenEndpointAuthMethod === 'none', but dynamically registered clients default to client_secret_basic.

Solution

Solid servers are public and should accept token requests from any web app origin, so clientBasedCORS now returns true for all clients.

Test plan

  • Clear browser cache/cookies for test server
  • Navigate to a resource with Mashlib enabled
  • Click "Sign In" and complete OIDC login
  • Verify token exchange succeeds (no 400 error)
  • Verify authenticated user can access protected resources

Fixes #10

@melvincarvalho
fix(idp): allow CORS for all clients on token endpoint
48614c5 
Simplify clientBasedCORS to return true for all clients, not just
public clients with tokenEndpointAuthMethod 'none'.

This fixes OIDC login for web apps loaded from CDN (like Mashlib from
unpkg.com) where the origin doesn't match the client's redirect URIs.

Solid servers are public and should accept token requests from any
web app origin.

Fixes #10
@melvincarvalho
fix(cors): add DPoP to allowed headers for Solid-OIDC
3f3d4e7 
Solid-OIDC requires DPoP (Demonstrating Proof-of-Possession) tokens
which use a DPoP HTTP header. Without this header in the CORS
allowed headers list, browsers block the token exchange request.
@melvincarvalho
fix(idp): strip iss parameter from authorization redirects
b496dc4 
oidc-provider v9+ always includes the iss parameter (RFC 9207) in
authorization responses. Mashlib's solid-ui auth library doesn't
handle this parameter, causing the OAuth callback to fail.

This intercepts the Location header and strips the iss parameter
before sending the redirect to the client.
@melvincarvalho melvincarvalho mentioned this pull request Dec 29, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

OIDC token endpoint returns 400 'origin not allowed for client' for CDN-loaded apps

1 participant

@melvincarvalho