Add CORS feature to support AJAX use of password grant flow

Hi there,

I am using the password grant flow via an ajax call where the requesting app is not running on the same domain as the OAuth server. Without CORS headers, the oauth password grant flow from a web client posting to the oauth server does not work. I did see some people just globally adding the CORS headers in the oauth server middleware or the fronting apache proxy, e.g.

const express = require('express');
const app = express();

// Global CORS headers: every response, for every client, carries the same single origin.
app.use(function (req, res, next) {
  res.header('Access-Control-Allow-Origin', 'http://localhost:8100');
  res.header('Access-Control-Allow-Methods', 'GET,PUT,POST,DELETE');
  res.header('Access-Control-Allow-Headers', 'Content-Type');
  next();
});

Making CORS part of the client configuration will enable a per-client configuration. The only thing that needs to be added is a configuration property on the client, like client.addCorsHeader; for the actual header value to be returned, one could use the client.redirectUri parameter on the client. If the addCorsHeader property is enabled, simply strip off the path from the client redirectUri and return this in the Access-Control-Allow-Origin header with the response.

Et voilà, the OAuth server would now support CORS for multiple different OAuth clients that call from different domains using the password grant.

Does that work as a proposal and more importantly would this be a valid use case?

Cheers, Niels

Detailed use case:

OAuth server running on https://oauth.fancydomain.com

Client App running on https://myclient.com

The Client App's client is configured like:

{
  "clientId": "id123",
  "clientSecret": "some client secret",
  "addCorsHeader": true,
  "redirectUri": "https://myclient.com/#/app/login"
}

OAuth server and Client App are from the same developer, and the Client App only wants to post the following to get an access token for use with some other backend API that is a protected resource server:

POST /oauth/token HTTP/1.1
Host: oauth.fancydomain.com
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded

grant_type=password&username=somedude&password=secret&client_id=id123

The response the client is after will look something like this:

Remote Address: oauth.fancydomain.com
Request URL: https://oauth.fancydomain.com/oauth/token
Request Method: POST
Status Code: 200 OK

Access-Control-Allow-Headers: Content-Type
Access-Control-Allow-Methods: GET,PUT,POST,DELETE
Access-Control-Allow-Origin: https://myclient.com
...
Content-Type: application/json; charset=utf-8

{"token_type":"bearer","access_token":"a29fe185e2529917e7c778fb9b748a0912f030af","expires_in":2400}
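The per-client variant proposed above, as an added example that is not part of the original issue or of the OAuth server project it was filed against: the allowed origin is derived from the client's redirectUri (scheme, host and port only, with path, query and fragment stripped), and the Access-Control-Allow-Origin header is emitted only when addCorsHeader is set and the request's Origin header matches that origin exactly. The CLIENTS registry, the client id "id456", the function names (originFromRedirectUri, allowedOriginFor, clientCors, runMiddleware) and the assumption that the token endpoint body has already been parsed into req.body (for example by express.urlencoded()) are all constructed for this example and are not from the page.

```javascript
// Added example: per-client CORS for the OAuth password grant, keyed on the
// client's redirectUri. Not code from the original issue or the project.
// Uses the global WHATWG URL class that Node.js provides; no server needed to run it.

// Constructed client registry standing in for the OAuth server's client store.
// "id123" mirrors the client in the issue; "id456" is an invented client with CORS off.
const CLIENTS = {
  id123: {
    clientId: 'id123',
    clientSecret: 'some client secret',
    addCorsHeader: true,
    redirectUri: 'https://myclient.com/#/app/login',
  },
  id456: {
    clientId: 'id456',
    clientSecret: 'other secret',
    addCorsHeader: false,
    redirectUri: 'https://other.example/cb',
  },
};

// Reduce a redirectUri to its origin: scheme + host (+ port), no path/query/fragment.
// Returns null for anything that is not an http(s) URL, so custom schemes never
// turn into an Access-Control-Allow-Origin value.
function originFromRedirectUri(redirectUri) {
  let u;
  try {
    u = new URL(redirectUri);
  } catch (e) {
    return null;
  }
  if (u.protocol !== 'https:' && u.protocol !== 'http:') return null;
  return u.origin; // e.g. "https://myclient.com"
}

// Decide which Access-Control-Allow-Origin value (if any) to send for this client
// and this request's Origin header. null means: send no CORS headers at all.
function allowedOriginFor(client, requestOrigin) {
  if (!client || !client.addCorsHeader || !requestOrigin) return null;
  const allowed = originFromRedirectUri(client.redirectUri);
  if (!allowed) return null;
  // Exact string match only. A prefix or substring check would accept
  // "https://myclient.com.evil.example" as well.
  return requestOrigin === allowed ? allowed : null;
}

// Express-style middleware factory. lookupClient(clientId) returns the client
// record or undefined. Assumes req.body has already been parsed.
function clientCors(lookupClient) {
  return function (req, res, next) {
    const clientId = req.body && req.body.client_id;
    const origin = allowedOriginFor(lookupClient(clientId), req.headers.origin);
    if (origin) {
      res.setHeader('Access-Control-Allow-Origin', origin);
      // The password grant is a form-encoded POST, a CORS "simple" request, so no
      // preflight is involved; advertise only what the token endpoint accepts.
      res.setHeader('Access-Control-Allow-Methods', 'POST');
      res.setHeader('Access-Control-Allow-Headers', 'Content-Type');
      // The response now varies by Origin; shared caches must key on that header.
      res.setHeader('Vary', 'Origin');
    }
    next();
  };
}

// Minimal stand-in for req/res so the middleware can be exercised without a server.
// Returns the headers the middleware set and whether it handed off to next().
function runMiddleware(clientId, requestOrigin) {
  const headers = {};
  const req = {
    body: { grant_type: 'password', username: 'somedude', password: 'secret', client_id: clientId },
    headers: requestOrigin ? { origin: requestOrigin } : {},
  };
  const res = { setHeader: (name, value) => { headers[name] = value; } };
  let nextCalled = false;
  clientCors((id) => CLIENTS[id])(req, res, () => { nextCalled = true; });
  return { headers, nextCalled };
}

// Stand-alone run: the issue's client from its own origin, then a look-alike origin.
console.log(runMiddleware('id123', 'https://myclient.com').headers);
console.log(runMiddleware('id123', 'https://myclient.com.evil.example').headers);
```

Two choices worth noting: the comparison against the request's Origin header is an exact match of the whole origin string, and the middleware sets Vary: Origin whenever it emits Access-Control-Allow-Origin, because the same token endpoint now answers differently for different clients.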
