CORS

The Curity Identity Server supports CORS on various endpoints. The following endpoints allow CORS without any configuration:

  • OpenID Connect metadata
  • JWKS

These are public (no authentication) and only support GET requests, so a browser treats a call to them as a simple CORS request and sends no pre-flight OPTIONS request first.

The following endpoints can be enabled to support CORS:

  • Revoke
  • Dynamic Client Registration (DCR)
  • OpenID Connect User Info
  • User management (e.g., SCIM)
  • Logout

Requests to all of these trigger a pre-flight check, because they carry credentials (for example an Authorization header) or use methods and content types that are not CORS-safelisted, so the browser sends an OPTIONS request before the real one. To enable CORS for any of these endpoints, the allowed origins must be set on the zone in which those endpoints are defined. That zone is typically the default one, but it can be any zone. The list of allowed origins can be set in the CLI or the REST API for any zone; in the admin UI it can only be set on the default zone. The following listing shows how to set the allowed origins in the CLI for a zone called internal:

admin@host% set environments environment services zones zone internal allowed-origins-for-cors [ \
> http://example.com \
> http://other.example.com \
> ]