...

  • CORS - In order to set a cookie, Access-Control-Allow-Origin can't be * and we need Access-Control-Allow-Credentials: true.
    • Options: 
      1. Allow this to be configurable? 
        • Would need to be configurable on a per-tenant basis
        • Would need to be dynamic to handle new tenants
        • Need to be careful not to make it difficult for UI/edge module developers
      2. Skip CORS handling for the /_/invoke/tenants/<tenantId>/<path> route - delegate this to the module being called
        • Easier to configure - there are already tenant-specific SSO settings that are read by this module
        • Isolates the changes to a much smaller portion of FOLIO (really only mod-login-saml?)
      3. Make mod-login-saml directly accessible (a la the edge modules) and handle CORS in the module.
        • this module would need to log in as an institutional/system user in order to make the necessary calls to users/configuration/etc.
        • How this would work requires additional thought and would likely require a fair amount of refactoring.
      4. Introduce a way to specify whether or not CORS handling should be enabled or not in the module descriptor definition for a given endpoint
        • Default would be true (current behavior)
        • In OKAPI, when handling requests to /_/invoke/tenant/<tenantId>/<path>, check whether the target endpoint wants CORS handled by OKAPI or delegated to the module.
        • Example:
          • Here, if delegateCORS == true, OKAPI would 

            ```json
                    ...elided...
                    {
                      "methods": [
                        "POST"
                      ],
                      "pathPattern": "/saml/login",
                      "modulePermissions": [
                        "configuration.entries.collection.get"
                      ],
                      "delegateCORS": true
                    },
                    {
                      "methods": [
                        "POST"
                      ],
                      "pathPattern": "/saml/callback",
                      "modulePermissions": [
                        "auth.signtoken",
                        "configuration.entries.collection.get",
                        "users.collection.get"
                      ],
                      "delegateCORS": true
                    },
                    ...elided...
            ```


    • NOTE: Depending on how we choose to implement refresh tokens, these changes may be applicable to that conversation as well.
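The following is an added example, not code from the FOLIO/Okapi project or from this page's author. It illustrates the two mechanics discussed above: the credentialed-CORS constraint from the first bullet (a cookie-setting response needs a specific Access-Control-Allow-Origin, never `*`, plus Access-Control-Allow-Credentials: true), and the option-4 routing decision, where the gateway consults a per-endpoint delegateCORS flag in the module descriptor when serving /_/invoke/tenant/<tenantId>/<path>. The descriptor fragment, the allow-list, the tenant id and the simplified pathPattern matching are all constructed for this example; "delegateCORS" is the proposal's name, not an existing Okapi descriptor field.

```python
"""Gateway-side CORS decision for /_/invoke routes plus credentialed CORS headers.

Added illustration only: not Okapi's code. "delegateCORS" is the hypothetical
flag proposed in the discussion; the descriptor below is constructed.
"""
import re
from typing import Dict, Optional

# Constructed module-descriptor fragment (shape follows Okapi's "handlers" array).
MODULE_DESCRIPTOR = {
    "id": "mod-login-saml-example",
    "provides": [{
        "id": "login-saml",
        "handlers": [
            {"methods": ["GET"], "pathPattern": "/saml/check"},
            {"methods": ["POST"], "pathPattern": "/saml/login", "delegateCORS": True},
            {"methods": ["POST"], "pathPattern": "/saml/callback", "delegateCORS": True},
            {"methods": ["GET"], "pathPattern": "/saml/configuration/{id}"},
        ],
    }],
}

# Assumed shape of the invoke route from the discussion: /_/invoke/tenant/<tenantId>/<path>
INVOKE_RE = re.compile(r"^/_/invoke/tenant/(?P<tenant>[^/]+)(?P<path>/.*)$")


def _pattern_to_regex(path_pattern: str) -> "re.Pattern[str]":
    """Simplified pathPattern matching: '{name}' matches one segment, '*' the rest."""
    parts = []
    for seg in path_pattern.split("/"):
        if seg == "*":
            parts.append(".*")
        elif seg.startswith("{") and seg.endswith("}"):
            parts.append("[^/]+")
        else:
            parts.append(re.escape(seg))
    return re.compile("^" + "/".join(parts) + "$")


def find_handler(descriptor: dict, method: str, path: str) -> Optional[dict]:
    """Return the first handler whose method list and pathPattern match."""
    for iface in descriptor["provides"]:
        for handler in iface["handlers"]:
            if method.upper() in handler["methods"] and \
                    _pattern_to_regex(handler["pathPattern"]).match(path):
                return handler
    return None


def gateway_handles_cors(descriptor: dict, method: str, request_uri: str) -> Optional[bool]:
    """True: gateway adds CORS headers (current behaviour, the default).
    False: the target handler set delegateCORS, so the module is responsible.
    None: /_/invoke request that matches no handler (caller should 404)."""
    m = INVOKE_RE.match(request_uri)
    if not m:
        return True  # ordinary proxied route: unchanged behaviour
    handler = find_handler(descriptor, method, m.group("path"))
    if handler is None:
        return None
    # Missing flag defaults to True, i.e. today's behaviour
    return not handler.get("delegateCORS", False)


def credentialed_cors_headers(origin: Optional[str], allowed_origins) -> Dict[str, str]:
    """Headers for a response that sets a cookie.

    The request Origin is echoed back only when it is on the allow-list; a
    wildcard is never emitted because browsers reject '*' together with
    Access-Control-Allow-Credentials. An unknown origin gets no CORS headers,
    so the browser blocks the cross-origin read."""
    if origin is None or origin not in allowed_origins:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",  # responses differ per origin, so caches must key on it
    }


if __name__ == "__main__":
    # Constructed tenant id and origin for the demonstration
    uri = "/_/invoke/tenant/diku/saml/login"
    print(uri, "-> gateway handles CORS:", gateway_handles_cors(MODULE_DESCRIPTOR, "POST", uri))
    print(credentialed_cors_headers("https://folio.example.org", {"https://folio.example.org"}))
```

In the delegated case the module itself would compute the response headers with something like `credentialed_cors_headers`, using the tenant-specific origin it already reads from its SSO configuration; in the default case the gateway keeps doing what it does today.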

...