...
- CORS - In order to set a cookie,
Access-Control-Allow-Origincan't be*and we needAccess-Control-Allow-Credentials: true.- Options:
- Allow this to be configurable?
- Would need to be configurable on a per-tenant basis
- Would need to be dynamic to handle new tenants
- Need to be careful not to make it difficult for UI/edge module developers
- Skip CORS handling for the
/_/invoke/tenants/<tenantId>/<path>route - delegate this to the module being called- Easier to configure - there are already tenant-specific SSO settings that are read by this module
- Isolates the changes to a much smaller portion of FOLIO (really only mod-login-saml?)
- Make mod-login-saml directly accessible (a la the edge modules) and handle CORS in the module.
- this module would need to log in as an institutional/system user in order to make the necessary calls to users/configuration/etc.
- How this would work requires additional thought and would likely require a fair amount of refactoring.
- Introduce a way to specify whether or not CORS handling should be enabled or not in the module descriptor definition for a given endpoint
- Default would be true (current behavior)
- Only allow this for /_/invoke/tenant/<tenantId>/<path> ?
- Allow this to be configurable?
- NOTE: Depending no how we choose to implement refresh tokens, these changes may be applicable to our that conversation as well.
- Options:
...