Allow CORS requests to JWK Set endpoint

[dgt-amexio]

Describe the bug
CORS issue with /oauth2/jwks endpoint

To Reproduce
Integrate spring-authorization-server in a SpringBoot Application
(following example provided in repo : https://github.com/spring-projects-experimental/spring-authorization-server/tree/master/samples/boot/oauth2-integration/authorizationserver)

Call the /oauth2/jwks endpoint from a JS application (or through any REST Client)

Expected behavior
The associated endpoint should allow CORS requests, but it doesn't.
Usual Spring mechanisms tested, but I seems that the JwkSetEndpointFilter behaviour could not be overriden to allow CORS requests.

Question : how could the service be configured in order to allow CORS requests on /oauth2/jwks ?

Sample
Use https://github.com/spring-projects-experimental/spring-authorization-server/tree/master/samples/boot/oauth2-integration/authorizationserver

[jgrandja]

Thanks for the report @dgt-amexio.

I'm able to access http://localhost:9000/oauth2/jwks (from the sample) using a browser or Postman.

Call the /oauth2/jwks endpoint from a JS application (or through any REST Client)

I'm curious why you need to call the endpoint from a JS application? Can you provide more details on your use case/flow?

[dgt-amexio]

Hello,
Sorry for my late answer, due to holidays.

My use case is to assess whether this library could be used as the backbone of a custom OpenID Connect service.
To achieve this,

• I created a SpringBoot application using spring-authorization-server as a dependency + adding an extra "./well-known/openid-configuration" endpoint
• I then tried to reference this SB application in an Angular app relying on angular-oauth2-oidc (which brings OIDC client logic in Angular apps)

When attempting to perform authentication, the following calls are performed from my Angular app to the SB app (let's suppose this SB app is accessible on https://server) :

• GET https://server/.well-known/openid-configuration > returns a HTTP 200 status (OK) and provides OpenID config as per my custom openid-configuration endpoint
• GET https://server/oauth2/jwks > raises a "Access to XMLHttpRequest at 'https://server/oauth2/jwks' from origin 'https://localhost:4200' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource."

The question is "how could I configure spring-authorization-server to define the proper Access-Control-Allow-Origin strategy ?