@rserj,
Thanks for having already signed the Contribution License Agreement. Your agreement was validated by .NET Foundation. We will now review your pull request.
Thanks,
.NET Foundation Pull Request Bot

Cool stuff happening here! 👍

Two remarks, tho':

• You shouldn't use OpenIdSettings.Audiences for the trusted origins. Audiences is only supposed to contain the list of "resources" a client application is allowed to query, not the URLs of the clients that act as JS HTTP clients (it should probably renamed to Resources). Consider using a separate list. Alternatively, we could consider adding the list directly under each application, and resolve the trusted origins dynamically, using OpenIdApplicationStore.

• Doing CORS at the controller/action level (with [EnableCors]) is likely not the best option for at least 3 reasons:

  • API endpoints like the discovery endpoints (configuration + JWKS) are directly managed by OpenIddict and don't have dedicated controllers/actions. Yet, JS apps should be able to use them.

  • Even if you have an action for the token endpoint, requests that are directly rejected by OpenIddict (e.g because they lack a required parameter, or because client authentication failed) won't get the CORS response headers and the JS apps that receive errored responses won't be able to read them.

  • OpenIddict (well, the OIDC server behind OpenIddict to be exact) is quite zealous and will automatically reject HTTP requests that don't use GET or POST (depending on the endpoint). Concretely, this means that preflight requests will be rejected by OpenIddict before they have a chance to be handled by MVC's CORS filter.

For these reasons, you should instead consider implementing CORS at the middleware level.

/cc @sebastienros

Thanks @PinpointTownes, great explanation.

That does raise a very fundamental question, unless I'm mistaken, this means throughout Orchard we cannot use MVC Cors (they are mutually exclusive). By default, we can only apply a single policy using the middleware UseCors, so we'd need to implement ICorsPolicyProvider to select the policy based on the HttpContext route dictionary.

Thinking out loud:
Implement ICorsPolicyProvider in the new Cors module, for example an AppSettingsCorsPolicyProvider that loads the policies from appsettings:

    "Cors": {
        "Policies": [
            {
                "Name": "Orchard.OpenId.UserInfo",
                "Origins": [ "https://my.externaldomain.com" ],
                "Methods": [ "GET", "POST", "OPTIONS" ],
                "Headers": [ "accept", "content-type", "authorization" ],
                "PreflightMaxAge": 86400
            },
            {
                "Name": "Orchard.SomeOtherModule.SomeController.Index",
                "Origins": [ "https://my.externaldomain.com" ],
                "Methods": [ "GET", "POST", "PATCH", "OPTIONS" ],
                "Headers": [ "accept", "content-type", "authorization" ],
                "AllowCredentials": true
                "PreflightMaxAge": 43200
            }
        ]
    }

And something along the lines of:

        public static IServiceCollection AddCors(this IServiceCollection services, IConfiguration configuration) {
            var cors = new CorsOptions();
            configuration.GetSection("Cors").Bind(cors);
            services.AddCors(options => {
                foreach (var policy in cors.Policies) {
                    options.AddPolicy(policy.Name, config => {
                        config
                            .WithOrigins(policy.Origins)
                            .WithMethods(policy.Methods)
                            .WithHeaders(policy.Headers)
                            .SetPreflightMaxAge(TimeSpan.FromSeconds(policy.PreflightMaxAge));
                    });
                }
                options.DefaultPolicyName = cors.DefaultPolicy;
            });
            return services;
        }

The naming of the policies can follow a pattern that identifies the requests to apply each policy on, increasingly more specific (or conversely, more generic), based on Area, Controller, Action. For example, the policy provider would look for a policy for /Orchard.OpenId/UserInfo/Me like this:

• Orchard.OpenId.UserInfo.Me
• Orchard.OpenId.UserInfo
• Orchard.OpenId
• Orchard
• Default
• (Deny)

Lastly, having gone full circle, I'm really not so sure that the OpenId module should generate these policies dynamically. I'd much prefer a single point of truth and very granular control instead of assumptions by modules.

If we decided stick with Middleware approach, probably we should use MVC RouteTemplate (eg {controller}/{Action}/{arg1}/{arg2}) instead of "Name"?
In such case Do we need to fall-back request to the parent policy if current policy's route didn't mach?
(like, ActionPolicy->ControllerPolicy->Deny)

Basicaly it means we are trying implement the same filtration approach which we have in MVC but in middleware level.

I see two big conserns

1. Every time Admin, creates, update OpenId Application he should also go to the configuration file and manualy change origins.
2. Unlike MVC Filters ([EnableCors]), Middleware will be executing in each request, we may have perfomance problems

I'm not an export in OpenIddict but I tried "Password flow" with MVC Origin Filtration ([EnableCors]) with Cross Origin requests, I could retrieve Token and Discovery End-points worked as well.
Probably we should stick With MVC Filtration approach? All we have todo add Origins configuration per OpenId Application.

I just made a quick PoC in one of our internal projects using the ICorsPolicyProvider, completely removing attributes and dynamically selecting the policy, albeit using policy names composed of request path + method instead of Area/Controller/Action. It does provide the granularity and control I'm seeking.

This is an alternative approach to the current PR, but if anyone's interested, I can put this in a separate PR over the next few days so we can compare the two, pick & mix and arrive at a solution to move forward with. Simply 👍 or 👎 me here :)

PS: Sorry @rserj our comments got cross-wired.

• The point is that we need to move this out of MVC, as it is not available at this stage in the pipeline,
• Yes, it needs to fall back all the way to denying the Cors request.
• Once the settings-driven approach is implemented, which I feel will benefit all of Orchard, we can add the "dynamic" per-app origins from OpenId (and any other module that needs it), though probably the AppSettings would always override. To me this is just an administrative nice-to-have, but if it's important to you, then it may be important to others.
• I doubt there's much of a noticeable difference in performance between declarative and programmatic, after all, it uses the same internals. But this we can measure :)

I added AllowedOrigins Property to OpenId Application and made some changes according to your notes.
Please take a look, thanks

I have one concern here, In case if I made changes to OpenId Application's AllowedOrigins, in order to changes take effect, I have to restart Tenant, I guess I have to Warn about it as we do in global OpenId settings by showing Warning message, what do you think?

Nicholas and Wojciech I made commit regarding to your reviews, thanks

Sorry, holidays. Will get back to this thread shortly.

I'll close this PR, better to separate CORS from "OpenId Application" settings, please see discussion in
#854