github/pocket-id
1
1
Fork 0
mirror of https://github.com/pocket-id/pocket-id.git synced 2026-01-10 18:38:25 -05:00
Code Issues Packages Projects Releases Wiki Activity

🐛 Bug Report: CORS error for accessing the userinfo endpoint using a web client #113

New Issue
Closed
opened 2025-07-08 08:40:11 -04:00 by AtHeartEngineer · 0 comments
AtHeartEngineer commented 2025-07-08 08:40:11 -04:00
Owner
Copy Link

Originally created by @simonfranken on 6/2/2025

Reproduction steps

  • Create an OIDC provider with the options Public Client and PKCE Enabled.
  • Configure a web frontend (in my case, Vue.js with oidc-client-ts) for using Pocket ID as the identity provider.
  • After successful authentication, the package attempts to retrieve the user information using the userinfo endpoint of Pocket ID and sends the obtained token via the Authorization header.
  • However, the response from Pocket ID does not permit the Authorization header due to a CORS error.

Expected behavior

The Pocket ID should permit the Authorization header to be included at the very least for clients that are configured as Public.
I conducted the following tests:

  • I configured Pocket ID behind a Nginx reverse proxy, which adds the Access-Control-Allow-Headers: * header to all responses. This header resolves the issue in my specific case. However, it is important to note that this is merely a workaround, as the inclusion of this header should not be applied to all responses.

Actual Behavior

Pocket ID sends a response, which does not allow the Authorization header.

Version and Environment

v1.0

Log Output

No response

*Originally created by @simonfranken on 6/2/2025* ### Reproduction steps * Create an OIDC provider with the options `Public Client` and `PKCE Enabled`. * Configure a web frontend (in my case, Vue.js with [oidc-client-ts](https://authts.github.io/oidc-client-ts/)) for using Pocket ID as the identity provider. * After successful authentication, the package attempts to retrieve the user information using the userinfo endpoint of Pocket ID and sends the obtained token via the `Authorization` header. * However, the response from Pocket ID does not permit the `Authorization` header due to a CORS error. ### Expected behavior The Pocket ID should permit the Authorization header to be included at the very least for clients that are configured as Public. I conducted the following tests: * I configured Pocket ID behind a Nginx reverse proxy, which adds the `Access-Control-Allow-Headers: *` header to all responses. This header resolves the issue in my specific case. However, it is important to note that this is merely a workaround, as the inclusion of this header should not be applied to all responses. ### Actual Behavior Pocket ID sends a response, which does not allow the `Authorization` header. ### Version and Environment v1.0 ### Log Output _No response_
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
breaking
breaking
breaking
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
bug
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
dependencies
feature
feature
feature
feature
feature
feature
feature
feature
feature
feature
feature
feature
feature
feature
feature
feature
feature
feature
feature
feature
feature
feature
feature
feature
feature
feature
feature
feature
feature
feature
feature
feature
feature
feature
feature
feature
feature
feature
feature
feature
feature
feature
feature
feature
feature
feature
feature
feature
feature
feature
feature
feature
feature
go
go
javascript
javascript
javascript
javascript
javascript
javascript
needs more upvotes
needs more upvotes
needs more upvotes
needs more upvotes
needs more upvotes
needs more upvotes
open to pull requests
open to pull requests
open to pull requests
open to pull requests
open to pull requests
No Label bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug bug
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
AtHeartEngineer
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github/pocket-id#113
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?