🐛 Bug Report: CORS issue when using PKCE Code Challenge with SPA #450

Closed
opened 2025-10-08 00:09:04 +03:00 by OVERLORD · 2 comments
Owner

Originally created by @cdemi on GitHub.

Reproduction steps

You can test it using https://oidcdebugger.com/ Authorization Code Flow with PKCE

Expected behavior

To be honest, no idea what the expected behaviour should be. Maybe the callback domains could be added to the CORS list?

Actual Behavior

Access to XMLHttpRequest at 'https://mypocketiddomain/api/oidc/token' from origin 'https://oidcdebugger.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

OVERLORD added the bug label 2025-10-08 00:09:04 +03:00

@cdemi commented on GitHub:

Actually, looks like the CORS issue does not only affect the /api/oidc/token endpoint but also the /.well-known/openid-configuration.

For example, in Grafana, when you try to set up Generic OAuth, you can give it the OpenID Connect Discovery URL and the browser fetches it to auto-populate the fields, but due to CORS: `Access to fetch at 'https://mypocketiddomain/.well-known/openid-configuration' from origin 'https://mygrafanadomain' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.`

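The two browser errors above are the two halves of the CORS check: the token-endpoint request is a "simple" form POST, so only the `Access-Control-Allow-Origin` check runs on the real response; the discovery fetch is preflighted, so an OPTIONS response must also approve the method and any non-safelisted request headers. The script below is an added example, not code from this issue or from pocket-id. `check_origin` and `check_preflight` reproduce the browser's decision on a set of response headers, and `probe` replays the preflight and the real request against a live endpoint; the RFC 7636 names, the `Content-Type: application/json` trigger used for the preflight case, and the sample headers are constructed for illustration.

```python
"""Check whether a browser would accept an OIDC endpoint's CORS response.

Added example, not pocket-id's own code. check_origin/check_preflight apply the
rules a browser applies to a cross-origin fetch; probe() runs them against a
live URL. Usage: python cors_check.py <url> <origin>
"""
import sys
import urllib.error
import urllib.request

SAFELISTED_METHODS = {"GET", "HEAD", "POST"}
SAFELISTED_HEADERS = {"accept", "accept-language", "content-language", "content-type"}
# Content-Type values a request may carry without triggering a preflight.
SAFELISTED_CONTENT_TYPES = {
    "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
}


def _lower(headers):
    return {k.lower(): v for k, v in headers.items()}


def _csv(value):
    return {v.strip().lower() for v in (value or "").split(",") if v.strip()}


def unsafe_request_headers(request_headers):
    """Request headers the browser must get approved in a preflight."""
    unsafe = set()
    for name, value in request_headers.items():
        lname = name.lower()
        if lname == "content-type":
            if value.split(";")[0].strip().lower() not in SAFELISTED_CONTENT_TYPES:
                unsafe.add(lname)
        elif lname not in SAFELISTED_HEADERS:
            unsafe.add(lname)
    return unsafe


def needs_preflight(method, request_headers):
    """True when the browser sends OPTIONS before the real request."""
    return method.upper() not in SAFELISTED_METHODS or bool(unsafe_request_headers(request_headers))


def check_origin(origin, response_headers, credentials=False):
    """The origin check every CORS response (preflight or real) must pass."""
    h = _lower(response_headers)
    acao = h.get("access-control-allow-origin")
    if acao is None:
        return False, "No 'Access-Control-Allow-Origin' header is present"
    if acao == "*":
        if credentials:
            return False, "wildcard origin is rejected when credentials are sent"
    elif acao != origin:
        return False, f"Access-Control-Allow-Origin {acao!r} does not match origin {origin!r}"
    if credentials and h.get("access-control-allow-credentials", "").lower() != "true":
        return False, "Access-Control-Allow-Credentials is not 'true'"
    return True, "ok"


def check_preflight(origin, method, request_headers, response_headers, credentials=False):
    """Extra checks applied to the OPTIONS response of a preflighted request."""
    ok, reason = check_origin(origin, response_headers, credentials)
    if not ok:
        return ok, reason
    h = _lower(response_headers)
    wildcard_ok = not credentials  # "*" only counts for credential-less requests
    methods = _csv(h.get("access-control-allow-methods"))
    m = method.upper()
    if m not in SAFELISTED_METHODS and m.lower() not in methods and not (wildcard_ok and "*" in methods):
        return False, f"method {m} is not in Access-Control-Allow-Methods"
    allowed = _csv(h.get("access-control-allow-headers"))
    for name in sorted(unsafe_request_headers(request_headers)):
        if name not in allowed and not (wildcard_ok and "*" in allowed):
            return False, f"request header {name!r} is not in Access-Control-Allow-Headers"
    return True, "ok"


def _response_headers(req, timeout):
    """Collect response headers; 4xx/5xx responses still carry CORS headers."""
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return dict(resp.headers)
    except urllib.error.HTTPError as err:
        return dict(err.headers)


def probe(url, origin, method="GET", request_headers=None, timeout=10):
    """Replay what the browser does against a live endpoint and report both verdicts."""
    request_headers = request_headers or {}
    verdicts = {}
    if needs_preflight(method, request_headers):
        pre = urllib.request.Request(url, method="OPTIONS", headers={
            "Origin": origin,
            "Access-Control-Request-Method": method,
            "Access-Control-Request-Headers": ", ".join(sorted(unsafe_request_headers(request_headers))),
        })
        verdicts["preflight"] = check_preflight(origin, method, request_headers, _response_headers(pre, timeout))
    real = urllib.request.Request(url, method=method, headers={"Origin": origin, **request_headers})
    verdicts["request"] = check_origin(origin, _response_headers(real, timeout))
    return verdicts


if __name__ == "__main__":
    for stage, (ok, reason) in probe(sys.argv[1], sys.argv[2]).items():
        print(f"{stage}: {'allowed' if ok else 'BLOCKED'} ({reason})")
```

Run it with the discovery URL and the SPA's origin to see which stage fails; for the token endpoint, pass `method="POST"` with `{"Content-Type": "application/x-www-form-urlencoded"}` to `probe`, which sends no preflight, exactly as the browser does for that request. Whatever fix the project adopts has to echo the SPA's own origin (not just `*` if cookies are ever involved) on both the preflight and the real response.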

@stonith404 commented on GitHub:

PKCE is actually not implemented yet. I've created a feature request #65.

I'll close this issue but feel free to subscribe to #65 to get a notification when this gets implemented.

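Since the comment above says PKCE is not implemented yet, here is what the server side of RFC 7636 has to do once it is, as an added example that is not pocket-id's code and not from this issue: the SPA derives `code_challenge = BASE64URL(SHA256(code_verifier))`, the authorization server stores the challenge with the issued code, and the token endpoint only exchanges the code if the presented `code_verifier` hashes back to it. The `AuthorizationServer` class and its in-memory code store are constructed for illustration; the verifier/challenge pair used in the test is the one from RFC 7636 Appendix B.

```python
"""PKCE (RFC 7636) code_verifier / code_challenge generation and verification.

Added example, not pocket-id's own code. The AuthorizationServer class is a
constructed in-memory stand-in for the real code store.
"""
import base64
import hashlib
import hmac
import re
import secrets

# RFC 7636 section 4.1: 43 to 128 unreserved characters.
VERIFIER_RE = re.compile(r"^[A-Za-z0-9._~-]{43,128}$")


def b64url(raw: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def new_code_verifier(nbytes: int = 32) -> str:
    """Client side: 32 random bytes give 43 base64url characters, the RFC minimum."""
    return b64url(secrets.token_bytes(nbytes))


def code_challenge(verifier: str, method: str = "S256") -> str:
    """Client side: derive the challenge sent on the authorization request."""
    if not VERIFIER_RE.match(verifier):
        raise ValueError("code_verifier must be 43-128 unreserved characters")
    if method == "S256":
        return b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    if method == "plain":  # permitted by the RFC, but S256 is what a server should insist on
        return verifier
    raise ValueError(f"unsupported code_challenge_method {method!r}")


def verify_code_verifier(stored_challenge: str, stored_method: str, presented_verifier) -> bool:
    """Server side: does the verifier presented at the token endpoint match the
    challenge that was bound to the authorization code?"""
    if not presented_verifier or not VERIFIER_RE.match(presented_verifier):
        return False
    expected = code_challenge(presented_verifier, stored_method)
    # Constant-time comparison so a mismatch does not leak where it differs.
    return hmac.compare_digest(expected.encode("ascii"), stored_challenge.encode("ascii"))


class AuthorizationServer:
    """Constructed in-memory authorization-code store that binds each code to
    the client, redirect URI and PKCE challenge it was issued with."""

    def __init__(self):
        self._codes = {}

    def issue_code(self, client_id, redirect_uri, challenge, challenge_method="S256"):
        """Called when the user approves the authorization request."""
        if challenge_method not in ("S256", "plain"):
            raise ValueError("unsupported code_challenge_method")
        code = b64url(secrets.token_bytes(24))
        self._codes[code] = (client_id, redirect_uri, challenge, challenge_method)
        return code

    def redeem_code(self, code, client_id, redirect_uri, code_verifier) -> bool:
        """Token endpoint: True only if the code is unused, belongs to this
        client and redirect URI, and the verifier matches the stored challenge."""
        entry = self._codes.pop(code, None)  # single use, even when verification fails
        if entry is None:
            return False
        stored_client, stored_redirect, challenge, method = entry
        if client_id != stored_client or redirect_uri != stored_redirect:
            return False
        return verify_code_verifier(challenge, method, code_verifier)


def demo_flow() -> bool:
    """Full round trip: SPA creates verifier, server issues and redeems the code."""
    server = AuthorizationServer()
    verifier = new_code_verifier()
    code = server.issue_code("spa-client", "https://app.example/callback", code_challenge(verifier))
    return server.redeem_code(code, "spa-client", "https://app.example/callback", verifier)


if __name__ == "__main__":
    print("PKCE exchange succeeded:", demo_flow())
```

Note what the store enforces beyond the hash itself: a code is removed on the first redemption attempt whether or not it verifies, and the `client_id` and `redirect_uri` presented at the token endpoint must match the ones the code was issued for, which is what stops a stolen code from being redeemed by a different public client.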

Reference: starred/pocket-id-pocket-id-1#450