
I am trying to read the /.well-known/openid-configuration from a Salesforce OpenID Connect implementation.

I can see the file in the browser, but the file cannot be loaded by a script:

Access to XMLHttpRequest at 'https://xxx.force.com/.well-known/openid-configuration' from origin 'https://pds-dev' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

Is there a way to enable CORS for this static file in Salesforce?

Thank you, Radu

Radu Negrila

1 Answer

Salesforce does not allow CORS on unauthenticated resources.

As a workaround, the least intrusive approach is a CORS proxy. A simple implementation of a CORS proxy in the Salesforce world would be a custom Apex REST service with API authorization via the usual Salesforce OAuth semantics. The service would grab the OIDC config and retransmit it in the HTTP response. You can then whitelist your origin in SF and get past the CORS check.

UPDATE: As of Winter '21 release (live in Sept-Oct '20), CORS is allowed on the following resources without any additional config steps:

/.well-known/openid-configuration
/.well-known/auth-configuration
/services/oauth2/id/keys
identigral
  • This looks like a workaround, might use it as fallback. I am somehow surprised that the Salesforce OpenID Connect is ignoring JavaScript clients for the SSO implementation in 2019. – Radu Negrila Sep 02 '19 at 08:03
  • Yup, unfortunately that's the current state of the art. If you create an enhancement Idea on [IdeaExchange](https://success.salesforce.com/ideaSearch), you'll have our upvote. – identigral Sep 02 '19 at 18:29
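The Apex REST "CORS proxy" sketched in the answer, written out as an added example (this is not the answerer's code). It assumes a Named Credential called `OIDC_Issuer` (hypothetical name) pointing at the issuer's base URL, and an `EXPECTED_ISSUER` constant you set to your own issuer; the endpoint is pinned in the class so the service can only ever fetch the discovery document and never acts as an open proxy, and the document is checked before it is handed to the browser.

```apex
// Added example, not from the original answer. Re-serves the org's own OIDC
// discovery document through an authenticated Apex REST endpoint so that a
// browser client (with its origin whitelisted in CORS settings) can read it.
// Assumption: a Named Credential "OIDC_Issuer" (hypothetical name) whose URL is
// the issuer base, e.g. https://xxx.force.com. The path is fixed here so callers
// cannot steer the callout anywhere else (no open proxy / SSRF surface).
@RestResource(urlMapping='/oidc/discovery')
global with sharing class OidcDiscoveryProxy {

    private static final String DISCOVERY_PATH  = '/.well-known/openid-configuration';
    // Placeholder: set to the issuer your client is configured to trust.
    private static final String EXPECTED_ISSUER = 'https://xxx.force.com';

    @HttpGet
    global static void doGet() {
        RestResponse res = RestContext.response;
        res.addHeader('Content-Type', 'application/json');
        res.addHeader('Cache-Control', 'no-store');

        HttpRequest req = new HttpRequest();
        req.setEndpoint('callout:OIDC_Issuer' + DISCOVERY_PATH);
        req.setMethod('GET');
        req.setTimeout(10000);

        HttpResponse upstream;
        try {
            upstream = new Http().send(req);
        } catch (CalloutException e) {
            fail(res, 502, 'upstream_unreachable');
            return;
        }
        if (upstream.getStatusCode() != 200) {
            fail(res, 502, 'upstream_status_' + upstream.getStatusCode());
            return;
        }

        // Relay only a well-formed document whose issuer is the one we expect;
        // anything else is dropped instead of being forwarded to the browser.
        Map<String, Object> doc;
        try {
            doc = (Map<String, Object>) JSON.deserializeUntyped(upstream.getBody());
        } catch (JSONException e) {
            fail(res, 502, 'invalid_discovery_document');
            return;
        }
        if (doc.get('issuer') != EXPECTED_ISSUER) {
            fail(res, 502, 'unexpected_issuer');
            return;
        }
        res.statusCode = 200;
        res.responseBody = Blob.valueOf(JSON.serialize(doc));
    }

    private static void fail(RestResponse res, Integer status, String code) {
        res.statusCode = status;
        res.responseBody = Blob.valueOf('{"error":"' + code + '"}');
    }
}
```

The browser then calls `/services/apexrest/oidc/discovery` with a bearer token obtained through the normal OAuth flow; the origin must also be added under Setup > CORS, as the answer describes.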