6

There seems to be a number of questions on several blogs, Q&A sites, and comments that ask variants of the question:

How do I correctly use CORS with OpenID Connect?

The context of these questions is usually one of these roles:

  • The issuer such as Facebook, Azure AD (This is the "OP" or "OpenID Provider" in the Specification)
  • A relying party such as StackExchange, or FB Connect Auth (The website "client" in the Specification)

While reviewing the questions, sometimes the asker or answerer is referencing some specific profile, while not explicitly mapping the use case to the relevant OpenID Connect flow:

  • Web browser authentication with redirects, or Javascript
  • A single page application (SPA)
  • An active client (Flash, Browser Plugin, native phone app)
  • Device flow (Activating AppleTV)

I'm looking for one or more correct answers that describe how and when CORS is appropriate for a given role or usage profile. Since the quantity of correct usages of CORS w.r.t. OpenID Connect is finite, I think it's possible to have several correct answers.

Question (rephrased)

  1. What CORS policies should be used on the OP, or Client servers?

  2. What CORS policies should be used for:

    • Implicit
    • Authorization code
    • Hybrid
    • Client credentials
    • Resource owner password
    • Refresh tokens
    • Extension grants
  3. When is CORS not applicable, or specifically a threat to security?

makerofthings7
    It's a snow day in NYC, and quiet at the office, so I'll be reading the OIDC specification in an attempt to create an answer. If anyone wants to beat me to it, please do. :) – makerofthings7 Feb 09 '17 at 15:09

2 Answers

3

When is CORS a risk to security

CORS can override the default rules, so an overly permissive CORS policy can be worse than no policy.

How permissive should CORS be

CORS should be as restrictive as possible while still allowing the use cases you wish to enable. CORS can help prevent CSRF attacks, so care should be taken to not weaken this defence too much.

Where does CORS apply

CORS only applies within the browser, so it does not apply to the options outside of the browser, such as native apps and device login.

  • Web browser authentication with redirects, or Javascript
    • CORS applies
  • A single page application (SPA)
    • CORS applies
  • An active client (Flash, Browser Plugin, native phone app)
    • CORS does not apply - not inside of a browser
  • Device flow (Activating AppleTV)
    • CORS does not apply - not inside of a browser
jrtapsell
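The answer above says CORS on the OP should be "as restrictive as possible" for the browser-side cases (redirect/JavaScript and SPA). As an added example that is not part of the original answers, the following shows what that looks like on the server side of a browser-facing OP endpoint such as the token endpoint: an exact-match origin allowlist with proper preflight handling, placed beside the weak pattern of reflecting whatever `Origin` header arrives, plus a small check that flags the weak pattern. The origins, the function names and the allowlist are constructed for illustration and are not from any real OP.

```python
# Added example (not from the original post): allowlist-based CORS policy for an
# OpenID Provider's browser-facing endpoints. Origins below are constructed.
from urllib.parse import urlsplit

# Constructed allowlist: exact origins (scheme://host[:port]) of the relying-party
# SPAs that are permitted to call this OP from JavaScript.
ALLOWED_ORIGINS = {
    "https://spa.example-rp.test",
    "https://app.example-rp.test:8443",
}

PREFLIGHT_MAX_AGE_SECONDS = 600


def normalize_origin(origin):
    """Return a canonical scheme://host[:port] string, or None if the value
    is missing, is the opaque 'null' origin, or is not a bare origin."""
    if not origin:
        return None
    value = origin.strip().lower()
    if value == "null":
        return None
    parts = urlsplit(value)
    # A real Origin header carries no path, query or fragment.
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    if parts.path or parts.query or parts.fragment:
        return None
    return f"{parts.scheme}://{parts.netloc}"


def strict_cors_headers(method, origin, allowlist=ALLOWED_ORIGINS):
    """Restrictive policy: only exact, allowlisted origins get CORS headers.
    Always emits 'Vary: Origin' so caches keep per-origin responses apart."""
    headers = {"Vary": "Origin"}
    canonical = normalize_origin(origin)
    if canonical is None or canonical not in allowlist:
        return headers  # no Access-Control-* headers: browser blocks the read
    headers["Access-Control-Allow-Origin"] = canonical
    headers["Access-Control-Allow-Credentials"] = "true"
    if method.upper() == "OPTIONS":
        # Preflight response for the token endpoint: POST only.
        headers["Access-Control-Allow-Methods"] = "POST, OPTIONS"
        headers["Access-Control-Allow-Headers"] = "Content-Type, Authorization"
        headers["Access-Control-Max-Age"] = str(PREFLIGHT_MAX_AGE_SECONDS)
    return headers


def reflecting_cors_headers(method, origin):
    """The weak pattern: echo any Origin back with credentials enabled.
    This effectively disables the same-origin protection for every site."""
    return {
        "Access-Control-Allow-Origin": origin or "*",
        "Access-Control-Allow-Credentials": "true",
    }


def is_overly_permissive(headers, allowlist=ALLOWED_ORIGINS):
    """Audit check: True if the response grants read access to an origin
    outside the allowlist (a wildcard or a reflected/unlisted origin)."""
    allowed = headers.get("Access-Control-Allow-Origin")
    if allowed is None:
        return False
    return allowed == "*" or allowed not in allowlist


if __name__ == "__main__":
    print(strict_cors_headers("OPTIONS", "https://spa.example-rp.test"))
    print(strict_cors_headers("POST", "https://attacker.test"))
    weak = reflecting_cors_headers("POST", "https://attacker.test")
    print("weak policy flagged:", is_overly_permissive(weak))
```

Two caveats follow from how browsers apply these headers. First, a form-encoded POST (the shape of a token request) is a "simple" request that is sent without a preflight, so the CORS policy decides only whether the calling page may read the response; the OP still has to validate the client, redirect URI and code binding on its own. Second, `Vary: Origin` matters whenever the allowlist has more than one entry, otherwise a shared cache can serve one origin's `Access-Control-Allow-Origin` value to another.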
1

This answer is very short but my view is that CORS doesn’t really come into play at all here because communication between the “app” and the authentication provider is done via HTTP redirect; i.e., there is no cross-origin AJAX JS call being made in a proper implementation.

RibaldEddie