...
- CORS - In order to set a cookie, `Access-Control-Allow-Origin` can't be `*` and we need `Access-Control-Allow-Credentials: true`.
  - Options:
    - Allow this to be configurable?
      - Would need to be configurable on a per-tenant basis
      - Would need to be dynamic to handle new tenants
      - Need to be careful not to make it difficult for UI/edge module developers
    - Skip CORS handling for the `/_/invoke/tenants/<tenantId>/<path>` route - delegate this to the module being called
      - Easier to configure - there are already tenant-specific SSO settings that are read by this module
      - Isolates the changes to a much smaller portion of FOLIO (really only mod-login-saml?)
    - Make mod-login-saml directly accessible (a la the edge modules) and handle CORS in the module.
      - This module would need to log in as an institutional/system user in order to make the necessary calls to users/configuration/etc.
      - How this would work requires additional thought and would likely require a fair amount of refactoring.
    - Introduce a way to specify whether or not CORS handling should be enabled in the module descriptor definition for a given endpoint
      - Default would be true (current behavior)
      - Only allow this for
      - In OKAPI, when handling requests to `/_/invoke/tenant/<tenantId>/<path>`?, check if the target endpoint wants CORS handled by OKAPI or delegated to the module.
      - Example:
        Here, if delegateCORS == true, OKAPI would

        ```json
        ...elided...
        {
          "methods": [ "POST" ],
          "pathPattern": "/saml/login",
          "modulePermissions": [ "configuration.entries.collection.get" ],
          "delegateCORS": true
        },
        {
          "methods": [ "POST" ],
          "pathPattern": "/saml/callback",
          "modulePermissions": [
            "auth.signtoken",
            "configuration.entries.collection.get",
            "users.collection.get"
          ],
          "delegateCORS": true
        },
        ...elided...
        ```
- Allow this to be configurable?
- NOTE: Depending on how we choose to implement refresh tokens, these changes may be applicable to that conversation as well.
- Options:
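How the two ideas in the notes above could fit together, as an added illustration that is not Okapi or mod-login-saml code: a gateway that (a) on the `/_/invoke/...` route looks up the target handler in the module descriptor and honours the proposed `delegateCORS` flag, and (b) when it does handle CORS itself for a credentialed request, echoes a per-tenant allowlisted `Origin` instead of `*` and sets `Access-Control-Allow-Credentials: true`. The descriptor fragment, the tenant allowlist and the `path_matches` helper are constructed for this example; `delegateCORS` is the flag proposed in the notes, not an existing Okapi descriptor field.

```python
import re

# Constructed module descriptor fragment. "delegateCORS" is the flag proposed
# in the notes, not an existing Okapi field; the module id is a placeholder.
MODULE_DESCRIPTOR = {
    "id": "mod-login-saml-PLACEHOLDER",
    "provides": [
        {
            "id": "login-saml",
            "handlers": [
                {"methods": ["POST"], "pathPattern": "/saml/login", "delegateCORS": True},
                {"methods": ["POST"], "pathPattern": "/saml/callback", "delegateCORS": True},
                {"methods": ["GET"], "pathPattern": "/saml/check"},  # no flag: Okapi handles CORS
            ],
        }
    ],
}

# Constructed per-tenant allowlist of UI origins (hypothetical tenant config).
TENANT_ORIGINS = {
    "diku": {"https://folio.example.edu", "https://folio-test.example.edu"},
}

# The notes spell the route both "/_/invoke/tenants/..." and "/_/invoke/tenant/...";
# accept either here. The path group stops at the query string.
INVOKE_RE = re.compile(r"^/_/invoke/tenants?/(?P<tenant>[^/]+)(?P<path>/[^?]*)")


def path_matches(pattern, path):
    """Minimal Okapi-style pathPattern match: '{name}' matches one segment, '*' any tail."""
    pseg = pattern.strip("/").split("/")
    seg = path.split("?", 1)[0].strip("/").split("/")
    for i, p in enumerate(pseg):
        if p == "*":
            return True
        if i >= len(seg):
            return False
        if p != seg[i] and not (p.startswith("{") and p.endswith("}")):
            return False
    return len(seg) == len(pseg)


def find_handler(descriptor, method, path):
    """Return the first handler whose methods and pathPattern match, or None."""
    for interface in descriptor.get("provides", []):
        for handler in interface.get("handlers", []):
            if method in handler.get("methods", []) and path_matches(handler["pathPattern"], path):
                return handler
    return None


def cors_delegated(descriptor, method, request_path):
    """True only on the /_/invoke route when the target handler opts out of gateway CORS handling.

    A missing flag keeps the current behaviour (the gateway handles CORS),
    which is the "default would be true" point in the notes.
    """
    m = INVOKE_RE.match(request_path)
    if not m:
        return False
    handler = find_handler(descriptor, method, m.group("path"))
    return bool(handler and handler.get("delegateCORS", False))


def cors_headers_for(tenant, origin, credentials=True):
    """Response headers for a credentialed cross-origin request from a tenant's UI.

    Browsers reject 'Access-Control-Allow-Origin: *' when credentials are sent,
    so the allowlisted Origin is echoed back verbatim and 'Vary: Origin' keeps
    shared caches from replaying one origin's answer to another. An origin not
    on the tenant's list gets no CORS headers at all, so the browser blocks it.
    """
    allowed = TENANT_ORIGINS.get(tenant, set())
    if origin == "*" or origin not in allowed:  # never echo a wildcard, even from a bad allowlist
        return {}
    headers = {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    if credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


if __name__ == "__main__":
    print(cors_delegated(MODULE_DESCRIPTOR, "POST", "/_/invoke/tenants/diku/saml/login"))
    print(cors_headers_for("diku", "https://folio.example.edu"))
```

The allowlist lookup is keyed by tenant, which is the per-tenant, dynamic configuration the first option asks for; the descriptor lookup is the per-endpoint opt-out of the fourth option, and the two compose because the `/_/invoke` route already carries the tenant id in the path.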
...