Add comment about Cors config

[davhdavh]

Confirm you've already contributed to this project or that you sponsor it

• I confirm I'm a sponsor or a contributor

Describe the solution you'd like

It was quite impossible to figure out how to set a specific cors policy for Openiddict rather than open all endpoints to a permissive default policy.

Can't figure out where it belongs in docs though.

Program.cs:

//BEFORE host.UseCors();
host.Use((context, next) => {
   if (!context.Request.Path.StartsWithSegments("/.well-known/openid-configuration")) return next(context);
   if (context.GetEndpoint() is not null) return next(context);
   context.SetEndpoint(new(null, new(new EnableCorsAttribute("MyCorsPolicyForOpeniddict")), null));
   return next(context);
});
host.UseCors();
host.UseAuthentication();

The other endpoints are map-able, so that can be done via normal procedure. E.g.

app.MapPost("/connect/token", [EnableCorsAttribute("MyCorsPolicyForOpeniddict)] [AllowAnonymous] async (HttpContext      context, ...) => ...);

Additional context

No response

[kevinchalet]

Good idea.

Can't figure out where it belongs in docs though.

Maybe it should be added to the ASP.NET Core docs?

[davhdavh]

Not really? The problem with openiddict in this regard is how the auth pipeline intercepts the request and answers. Afaik, there isnt the equivalent of EnablePassthrough for the configuration endpoint to do it in the normal way?

[kevinchalet]

Afaik, there isnt the equivalent of EnablePassthrough for the configuration endpoint to do it in the normal way?

The "normal way" consists in OpenIddict fully handling a request without ever giving flow control back to ASP.NET Core: the pass-through mode is an exception that is only offered for a few select endpoint for which it makes sense (e.g the authorization or token endpoints).

Using endpoints in the authentication stack was discussed at some point with the ASP.NET team but we were unable to come up with a design that made everyone happy.

Not really?

What do you suggest, then?

[davhdavh]

What do you suggest, then?

I actually think the current design is just fine. But as for CORS the only googleable solution was a sitewide opening for all endpoints, which was not acceptable for us.
Thus I present my detected workaround/hack to fix the issue for openiddict specifically.