There seem to be a number of questions on several blogs, Q&A sites, and comments that ask variants of the question:
How do I correctly use CORS with OpenID Connect?
The context of these questions is usually applied to one of these roles:
- The issuer, such as Facebook or Azure AD (this is the "OP" or "OpenID Provider" in the specification)
- A relying party, such as StackExchange or FB Connect Auth (the website "client" in the specification)
While reviewing the questions, sometimes the asker or answerer is referencing some specific profile while not explicitly mapping the use case to the relevant OpenID Connect flow:
- Web browser authentication with redirects, or JavaScript
- A single page application (SPA)
- An active client (Flash, Browser Plugin, native phone app)
- Device flow (Activating AppleTV)
I'm looking for one or more correct answers that describe how and when CORS is appropriate for a given role or usage profile. Since the quantity of correct usages of CORS w.r.t. OpenID Connect is finite, I think it's possible to have several correct answers.
Question (rephrased)
What CORS policies should be used on the OP or client servers?
What CORS policies should be used for:
- Implicit
- Authorization code
- Hybrid
- Client credentials
- Resource owner password
- Refresh tokens
- Extension grants
When is CORS not applicable, or specifically a threat to security?
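As an added example that is not part of the original question (and not code from any OP product or the OpenID Connect specification), the following sketches the per-endpoint CORS decision an OpenID Provider has to make for browser-based clients: the authorization endpoint is reached by redirect, so CORS never applies there; discovery and JWKS are public; the token and userinfo endpoints are the ones a single-page application calls cross-origin with `fetch`, and they should answer only for origins registered to a public client. The client registry, the endpoint paths, and the `corsHeadersFor` function are assumptions made for this illustration.

```javascript
// Added example, not code from the original question or from any OpenID
// Provider: a minimal model of the per-endpoint CORS decision an OP makes
// for browser-based (SPA) clients. Assumed, not taken from the page: a
// client registry recording each public client's allowed origins, and the
// endpoint paths used below.

// Constructed client registry for this example. Only public clients (an SPA
// using the authorization code flow with PKCE) get browser origins. A
// confidential client must never call the token endpoint from a browser,
// because doing so would expose its client secret.
const CLIENTS = {
  'spa-client':    { public: true,  origins: ['https://app.example.com'] },
  'server-client': { public: false, origins: [] },
};

// Endpoints a browser script reaches with fetch/XMLHttpRequest. The
// authorization and end-session endpoints are reached by top-level
// navigation (redirects), where CORS does not apply at all; emitting CORS
// headers there only masks a misconfiguration.
const XHR_ENDPOINTS = new Set(['/token', '/userinfo', '/.well-known/openid-configuration', '/jwks']);
const PUBLIC_ENDPOINTS = new Set(['/.well-known/openid-configuration', '/jwks']);

function allRegisteredOrigins() {
  return new Set(Object.values(CLIENTS).filter(c => c.public).flatMap(c => c.origins));
}

// Decide the CORS response headers for one request.
//  method:        HTTP method ('OPTIONS' for a preflight)
//  path:          request path
//  requestOrigin: value of the Origin header, or undefined when absent
//  clientId:      client resolved from the token request body or from the
//                 access token presented to /userinfo; undefined on preflight
function corsHeadersFor({ method, path, requestOrigin, clientId }) {
  // No Origin header (same-origin or non-browser caller) or a navigation
  // endpoint: nothing to add.
  if (!requestOrigin || !XHR_ENDPOINTS.has(path)) return {};

  // Discovery metadata and the JWKS are public, uncredentialed GETs.
  if (PUBLIC_ENDPOINTS.has(path)) {
    return { 'Access-Control-Allow-Origin': '*' };
  }

  // Preflight for /token or /userinfo: the client is not yet known (the
  // client_id travels in the POST body), so the origin is checked against
  // every registered public-client origin.
  if (method === 'OPTIONS') {
    if (!allRegisteredOrigins().has(requestOrigin)) return {};
    return {
      'Access-Control-Allow-Origin': requestOrigin,
      'Vary': 'Origin',
      'Access-Control-Allow-Methods': path === '/token' ? 'POST' : 'GET',
      'Access-Control-Allow-Headers': path === '/token' ? 'Content-Type' : 'Authorization',
      'Access-Control-Max-Age': '600',
    };
  }

  // Actual request: the origin must belong to the specific public client
  // making it. The exact origin is echoed, never '*', and no
  // Access-Control-Allow-Credentials is set: a public client authenticates
  // the token request with client_id and the PKCE verifier, not cookies,
  // and echoing an origin together with Allow-Credentials would let that
  // origin read cookie-authenticated OP responses.
  const client = clientId && CLIENTS[clientId];
  if (!client || !client.public || !client.origins.includes(requestOrigin)) return {};
  return { 'Access-Control-Allow-Origin': requestOrigin, 'Vary': 'Origin' };
}
```

The same shape applies on the relying party side for a SPA that calls its own backend: the backend allows only the SPA's origin, and an `Access-Control-Allow-Origin: *` is acceptable solely for responses that carry no credentials and no per-user data.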