curityio/oauth-agent-node-express

Browser does not send Origin for GET requests from fetch and XHR

gsahbi opened this issue · 1 comment

This assumption that all modern browsers send Origin by default is not true.

if (data.allowedOrigins.findIndex((value) => value === data.originHeader) == -1) {

And so getClaims and getUserInfo fail.

As per the MDN documentation of the fetch API, https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Origin

Quote:

Broadly speaking, user agents add the Origin request header to:

End Quote

In same-site setups you can set an environment variable of CORS_ENABLED='false' to fix this. This turns off any cross-origin behavior or setting of CORS headers. You should also set the equivalent setting in the OAuth proxy nginx module.

Our default deployment uses sibling domains for web static content and token handler components. If you want to avoid this, e.g. to reduce the overhead of CORS pre-flight requests, you would overwrite our example SPA deployment like this, and the above environment variable is then set:

export BASE_DOMAIN='example.com'
export WEB_SUBDOMAIN='www'
export API_SUBDOMAIN='www'
export IDSVR_SUBDOMAIN='login'
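The following is an added example, not code from the oauth-agent-node-express project or from either participant in this thread. It reproduces the failing check quoted in the issue (a same-origin GET from fetch or XHR carries no Origin header, so the comparison against the allow list fails) and shows a check gated on the CORS_ENABLED setting described in the reply: when CORS is disabled for a same-site deployment the Origin comparison is skipped, and when it is enabled a missing or unlisted Origin is rejected. The helper names `originCheckOriginal`, `originCheck` and `configFromEnv`, the request objects and the allow-list values are all constructed for this example; only the CORS_ENABLED variable name comes from the thread.

```javascript
// Added example (not the project's own code). Header names are lowercase
// because Node's HTTP parser lowercases incoming request headers.

// The comparison quoted in the issue: with no Origin header, originHeader is
// undefined, findIndex returns -1 and the request is treated as disallowed.
function originCheckOriginal(allowedOrigins, originHeader) {
  return allowedOrigins.findIndex((value) => value === originHeader) !== -1;
}

// Hypothetical configuration-aware check (an assumption of this example).
// corsEnabled === false: same-site deployment, Origin is not expected on
// same-origin GETs, so the check is skipped.
// corsEnabled === true: cross-origin deployment, Origin must be present and
// must appear in the allow list.
function originCheck(config, request) {
  if (!config.corsEnabled) {
    return { allowed: true, reason: 'CORS disabled: same-site deployment, Origin check skipped' };
  }
  const origin = request.headers['origin'];
  if (origin === undefined) {
    return { allowed: false, reason: 'Origin header missing on a cross-origin deployment' };
  }
  if (!config.allowedOrigins.includes(origin)) {
    return { allowed: false, reason: `Origin ${origin} is not in the allow list` };
  }
  return { allowed: true, reason: 'Origin is in the allow list' };
}

// Derive the setting from the environment as the reply describes:
// CORS_ENABLED='false' turns cross-origin behaviour off; anything else leaves it on.
function configFromEnv(env, allowedOrigins) {
  return {
    corsEnabled: env.CORS_ENABLED !== 'false',
    allowedOrigins,
  };
}

// Constructed sample requests and allow list for this example.
const allowedOrigins = ['https://www.example.com'];
const sameOriginGet = { method: 'GET', headers: {} }; // fetch/XHR GET: no Origin
const crossOriginPost = { method: 'POST', headers: { origin: 'https://www.example.com' } };
const unlistedOriginPost = { method: 'POST', headers: { origin: 'https://other.example' } };

// Runs the scenarios from the thread and returns the outcomes for inspection.
function runScenarios() {
  const sameSite = configFromEnv({ CORS_ENABLED: 'false' }, allowedOrigins);
  const crossSite = configFromEnv({}, allowedOrigins);
  return {
    originalRejectsMissingOrigin: !originCheckOriginal(allowedOrigins, sameOriginGet.headers['origin']),
    sameSiteGetAllowed: originCheck(sameSite, sameOriginGet).allowed,
    crossSiteGetWithoutOrigin: originCheck(crossSite, sameOriginGet).allowed,
    crossSiteListedOrigin: originCheck(crossSite, crossOriginPost).allowed,
    crossSiteUnlistedOrigin: originCheck(crossSite, unlistedOriginPost).allowed,
  };
}

console.log(runScenarios());
```

With CORS_ENABLED='false' the same-origin GET passes, which is the fix the reply gives; the example's cross-origin branch still refuses a request that lacks Origin or carries one outside the allow list.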