Some relying parties may send CORS (Cross-Origin Resource Sharing) pre-flight requests to the IdP. This page discusses some alternatives for handling them.

Java Servlet Container

At least Jetty and Tomcat have their own Filter implementations for handling CORS requests:

Spring CORS Configuration

IdP V4.2 provides a native/proprietary mechanism for supporting this via Spring. A global bean called shibboleth.CorsConfigurations may contain a map of org.springframework.web.cors.CorsConfiguration declarations, where the key of each entry corresponds to a location under the <context>/profile URL tree (e.g., /oidc/token corresponds to https://idp.example.org/idp/profile/oidc/token).

By default, the map is not defined and thus Spring doesn’t provide any CORS handling.

The following example activates Spring CORS handling for the OP plugin’s token endpoint:

<util:map id="shibboleth.CorsConfigurations" value-type="org.springframework.web.cors.CorsConfiguration">
    <entry key="/oidc/token">
         <bean class="org.springframework.web.cors.CorsConfiguration"
             p:allowedOrigins="http://localhost:8080,http://localhost:8081"
             p:allowedMethods="POST"
             p:allowedHeaders="Authorization"
             p:maxAge="1800" />
    </entry>
</util:map>

This enables CORS pre-flight request handling for the two example origins when the HTTP request header Access-Control-Request-Method is set to POST.

Debugging

Debug logging for the Spring class org.springframework.web.cors.DefaultCorsProcessor is useful for finding out why pre-flight requests fail.

Some examples of log lines written when a pre-flight request was not compatible with shibboleth.CorsConfigurations:

2024-05-31 13:37:29,843 - DEBUG [org.springframework.web.cors.DefaultCorsProcessor:119] - Reject: 'http://localhost:8082' origin is not allowed

2024-05-31 13:37:57,109 - DEBUG [org.springframework.web.cors.DefaultCorsProcessor:127] - Reject: HTTP 'GET' is not allowed
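
One way to triage these rejects in bulk, as an added example that is not part of the original page or of the Shibboleth or Spring code: it parses the two reject messages shown above and separates rejected origins that the configuration was expected to allow from origins that were never listed. The log layout, the function names and the last three sample lines are assumptions.

```python
import re
from collections import Counter

# Assumed layout, taken from the two log lines on this page:
#   <timestamp> - DEBUG [<logger>:<line>] - Reject: <reason>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) - DEBUG "
    r"\[org\.springframework\.web\.cors\.DefaultCorsProcessor:\d+\] - "
    r"Reject: (?P<reason>.*)$"
)
REASONS = (
    ("origin", re.compile(r"^'(?P<value>[^']*)' origin is not allowed$")),
    ("method", re.compile(r"^HTTP '(?P<value>[^']*)' is not allowed$")),
)

def parse_reject(line):
    """Return (timestamp, kind, value) for a CORS reject line, else None."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    for kind, rx in REASONS:
        hit = rx.match(m.group("reason"))
        if hit:
            return m.group("ts"), kind, hit.group("value")
    return m.group("ts"), "other", m.group("reason")

def summarize(lines, expected_origins):
    """Count rejects and split rejected origins by whether they should have passed."""
    counts = Counter()
    for line in lines:
        rec = parse_reject(line)
        if rec is not None:
            counts[rec[1:]] += 1  # key is (kind, value)
    rejected = sorted(v for kind, v in counts if kind == "origin")
    mismatch = [o for o in rejected if o in expected_origins]      # running config differs
    unlisted = [o for o in rejected if o not in expected_origins]  # not in the allow-list
    return counts, mismatch, unlisted

# Origins from the p:allowedOrigins attribute in the example configuration.
EXPECTED = {"http://localhost:8080", "http://localhost:8081"}

# The first two lines are from this page; the last three are constructed.
SAMPLE = [
    "2024-05-31 13:37:29,843 - DEBUG [org.springframework.web.cors.DefaultCorsProcessor:119] - Reject: 'http://localhost:8082' origin is not allowed",
    "2024-05-31 13:37:57,109 - DEBUG [org.springframework.web.cors.DefaultCorsProcessor:127] - Reject: HTTP 'GET' is not allowed",
    "2024-05-31 13:38:02,001 - DEBUG [org.springframework.web.cors.DefaultCorsProcessor:119] - Reject: 'http://localhost:8082' origin is not allowed",
    "2024-05-31 13:38:05,410 - DEBUG [org.springframework.web.cors.DefaultCorsProcessor:119] - Reject: 'http://localhost:8081' origin is not allowed",
    "2024-05-31 13:38:09,000 - INFO [example.Other:1] - unrelated line",
]
```

An origin in the mismatch list means the running shibboleth.CorsConfigurations bean does not match the file being read, for example because the map entry was not loaded or the edited file is not the deployed one.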