I propose adding the following section to the OAuth Security BCP specification:
Usage of CORS

The Token Endpoint, Authorization Server Metadata Endpoint, <spanx style="verb">jwks_uri</spanx> Endpoint, Dynamic Client Registration Endpoint, and any other endpoints directly accessed by Clients SHOULD support the use of <xref target="CORS">Cross-Origin Resource Sharing (CORS)</xref> to enable JavaScript Clients and other browser-based Clients to access them. CORS MUST NOT be used at the Authorization Endpoint as it is redirected to by the client and not directly accessed.

Relevant background information can be found at https://bitbucket.org/openid/connect/issues/980 and https://bitbucket.org/openid/connect/pull-requests/338/errata-specified-the-use-of-cors-at.

-- Mike
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
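The following is an added illustration of the policy described in the proposed text, not code from the proposal, the OAuth working group, or any authorization-server product. It models an authorization server's CORS decision per endpoint: the endpoints that browser-based clients call directly (token, metadata, jwks_uri, dynamic registration) get CORS headers, while the authorization endpoint, which the browser reaches by redirect, gets none. The paths (`/token`, `/jwks`, `/register`, `/authorize`, the metadata path) and the `respond` helper are assumptions for the example; the specification does not fix them.

```javascript
// Added example (not from the proposal): per-endpoint CORS policy for an OAuth
// authorization server. Paths below are hypothetical; adjust to your deployment.

// Endpoints that browser-based clients fetch directly. The value lists what a
// preflight (OPTIONS) response must advertise for the real request to be allowed.
const CORS_ENDPOINTS = new Map([
  ['/token',                                  { methods: ['POST'], headers: ['Content-Type', 'Authorization'] }],
  ['/.well-known/oauth-authorization-server', { methods: ['GET'],  headers: [] }],
  ['/jwks',                                   { methods: ['GET'],  headers: [] }],
  ['/register',                               { methods: ['POST'], headers: ['Content-Type', 'Authorization'] }],
]);

// The authorization endpoint is reached by a top-level redirect, never by fetch/XHR,
// so it is intentionally absent from CORS_ENDPOINTS and receives no CORS headers.
const AUTHORIZATION_ENDPOINT = '/authorize';

// Build the CORS headers for one request. Returns an empty object when the
// request is not a cross-origin browser request (no Origin header) or when the
// endpoint is not one that browser clients access directly.
function corsHeadersFor(path, method, origin) {
  const policy = CORS_ENDPOINTS.get(path);
  if (!policy || !origin) return {};

  // A wildcard origin is safe here because these endpoints are not cookie
  // authenticated from the browser: the client proves itself with PKCE, a
  // client secret it sends itself, or nothing (public client). Browsers refuse
  // to send credentials to a '*' origin, and this code never emits
  // Access-Control-Allow-Credentials, so the two can never be combined.
  const headers = { 'Access-Control-Allow-Origin': '*' };

  if (method === 'OPTIONS') {
    // Preflight: e.g. dynamic registration posts application/json, which is not
    // a "simple" request and therefore triggers a preflight.
    headers['Access-Control-Allow-Methods'] = policy.methods.join(', ');
    if (policy.headers.length > 0) {
      headers['Access-Control-Allow-Headers'] = policy.headers.join(', ');
    }
    headers['Access-Control-Max-Age'] = '3600';
  }
  return headers;
}

// Simulated response for a request, so the policy can be exercised without a
// network listener. In a real Node server this maps onto
//   res.writeHead(status, headers)
// inside the http.createServer callback, using req.headers.origin as `origin`.
function respond(path, method, origin) {
  const headers = corsHeadersFor(path, method, origin);
  const isPreflight = method === 'OPTIONS' && CORS_ENDPOINTS.has(path);
  // 204 for a successful preflight; 200 stands in for the endpoint's own handling.
  return { status: isPreflight ? 204 : 200, headers };
}

module.exports = { CORS_ENDPOINTS, AUTHORIZATION_ENDPOINT, corsHeadersFor, respond };
```

A useful operational check is to compare the authorization server's actual responses against this table: a `curl -i -H "Origin: https://app.example.test" -X OPTIONS https://as.example.test/register` should return the preflight headers, while the same request against `/authorize` should return none.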