...
- CORS - In order to set a cookie, Access-Control-Allow-Origin can't be * and we need Access-Control-Allow-Credentials: true.
- Options:
  - Allow this to be configurable?
    - Would need to be configurable on a per-tenant basis
    - Would need to be dynamic to handle new tenants
    - Need to be careful not to make it difficult for UI/edge module developers
  - Skip CORS handling for the /_/invoke/tenants/<tenantId>/<path> route - delegate this to the module being called
    - Easier to configure - there are already tenant-specific SSO settings that are read by this module
    - Isolates the changes to a much smaller portion of FOLIO (really only mod-login-saml?)
  - Make mod-login-saml directly accessible (a la the edge modules) and handle CORS in the module.
    - This module would need to log in as an institutional/system user in order to make the necessary calls to users/configuration/etc.
    - How this would work requires additional thought and would likely require a fair amount of refactoring.
  - Introduce a way to specify whether or not CORS handling should be enabled in the module descriptor definition for a given endpoint
    - Default would be true (current behavior)
    - Possibly only allow this for /_/invoke/tenant/<tenantId>/<path>?
    - Allow this to be configurable?
- NOTE: Depending on how we choose to implement refresh tokens, these changes may be applicable to that conversation as well.
- Options:
...
- We have to build in support for specifying an origin whitelist anyway to accommodate stripes/okapi being on different hosts/domains, so adding the IdP origin to the whitelist isn't all that difficult.
- Running front-end and back-end on the same host like https://folio.example.com/ and https://folio.example.com/okapi/ (sample proxy) avoids many pre-flight CORS requests and the latency they cause.
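The cookie requirement noted at the top of this page (a credentialed response cannot use a wildcard Access-Control-Allow-Origin) and the per-tenant origin whitelist mentioned above, worked through as an added JavaScript example. This is illustration code added here, not Okapi or mod-login-saml code; the tenant ids, origins, allowed-header list, and function names are assumptions, and the allow-list is a constant standing in for tenant configuration.

```javascript
// Added example (not FOLIO/Okapi code): CORS decision logic for a credentialed,
// cookie-setting endpoint such as a SAML callback, keyed on a per-tenant origin
// allow-list. Tenant ids, origins and header names are constructed for illustration.

// Constructed per-tenant allow-list: only these origins may exchange cookies with
// the tenant's endpoints cross-origin. A real deployment would load this from
// tenant configuration so new tenants are picked up dynamically.
const ORIGIN_ALLOWLIST = {
  diku: ['https://folio.example.com', 'https://idp.example.org'],
  testlib: ['https://testlib.example.edu'],
};

// Extract the tenant id from an Okapi-style invoke path, e.g.
// /_/invoke/tenants/diku/saml/callback -> { tenantId: 'diku', rest: '/saml/callback' }.
// Returns null for any other path so the caller keeps its default handling.
function tenantFromInvokePath(path) {
  const m = /^\/_\/invoke\/tenants\/([^/]+)\/(.*)$/.exec(path);
  return m ? { tenantId: m[1], rest: '/' + m[2] } : null;
}

// Headers for the actual (non-preflight) response. A credentialed response must
// echo one exact origin: browsers reject "*" together with credentials, and
// "Vary: Origin" keeps shared caches from replaying one origin's answer to another.
function corsHeaders(origin, tenantId, allowlist = ORIGIN_ALLOWLIST) {
  const allowed = allowlist[tenantId] || [];
  if (!origin || !allowed.includes(origin)) {
    return {}; // unknown origin: emit no CORS headers, so the browser blocks the read
  }
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}

// Headers for the OPTIONS preflight. With credentials involved, the method and
// header lists must be explicit as well rather than "*". The allowed lists below
// are constructed samples.
function preflightHeaders(origin, tenantId, requestedMethod, requestedHeaders, allowlist = ORIGIN_ALLOWLIST) {
  const base = corsHeaders(origin, tenantId, allowlist);
  if (!base['Access-Control-Allow-Origin']) return {};
  const allowedMethods = ['GET', 'POST', 'OPTIONS'];
  if (!allowedMethods.includes((requestedMethod || '').toUpperCase())) return {};
  const allowedHeaders = ['content-type', 'x-okapi-tenant'];
  const requested = (requestedHeaders || '')
    .split(',').map((h) => h.trim().toLowerCase()).filter(Boolean);
  if (!requested.every((h) => allowedHeaders.includes(h))) return {};
  return {
    ...base,
    'Access-Control-Allow-Methods': allowedMethods.join(', '),
    'Access-Control-Allow-Headers': allowedHeaders.join(', '),
    'Access-Control-Max-Age': '600',
  };
}

// The configuration this page warns against: wildcard origin plus credentials.
// Browsers refuse to expose such a response to the page, so the cookie is never usable.
function wildcardWithCredentials() {
  return { 'Access-Control-Allow-Origin': '*', 'Access-Control-Allow-Credentials': 'true' };
}

// Check that a header set meant to carry credentials is one a browser will honour.
function isValidCredentialedCors(headers) {
  const origin = headers['Access-Control-Allow-Origin'];
  return headers['Access-Control-Allow-Credentials'] === 'true'
    && typeof origin === 'string' && origin !== '*' && origin !== 'null';
}

// Route-level entry point: only the /_/invoke/tenants/<tenantId>/<path> route is
// decided here (per-tenant); any other path returns null for default handling.
// `headers` is assumed to be a lower-cased request header map.
function handleRequest(method, path, headers) {
  const match = tenantFromInvokePath(path);
  if (!match) return null;
  const origin = headers['origin'];
  if (method.toUpperCase() === 'OPTIONS') {
    return preflightHeaders(origin, match.tenantId,
      headers['access-control-request-method'], headers['access-control-request-headers']);
  }
  return corsHeaders(origin, match.tenantId);
}
```

The design point is that the allow-list lookup is per tenant: an origin permitted for one tenant yields no CORS headers at all for another, and the wildcard form is never produced even as a fallback, since a credentialed wildcard response fails in the browser anyway.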
JIRAs
- MODLOGSAML-59
...