Added OIDC client CORS attributes

2026-05-19 15:15:47 +00:00
parent 78bae3c2bb
commit 2342a1aab6
9 changed files with 645 additions and 7 deletions
@@ -29,6 +29,7 @@ from gatehouse_app.exceptions.auth_exceptions import (
 from gatehouse_app.utils.constants import AuditAction
 from gatehouse_app.services.audit_service import AuditService
 from gatehouse_app.services.oidc_audit_service import OIDCAuditService
+from gatehouse_app.utils.validators import validate_cors_origins

 logger = logging.getLogger(__name__)

@@ -816,6 +817,11 @@ def oidc_register():
        except Exception:
            return jsonify({"error": "invalid_request", "error_description": f"Invalid redirect_uri: {uri}"}), 400

+    cors_origins_raw = data.get("allowed_cors_origins")
+    cors_origins, cors_error = validate_cors_origins(cors_origins_raw)
+    if cors_error:
+        return jsonify({"error": "invalid_request", "error_description": cors_error}), 400
+
    client_id = f"oidc_{secrets.token_urlsafe(16)}"
    client_secret = f"secret_{secrets.token_urlsafe(24)}"
    client_secret_hash = flask_bcrypt.generate_password_hash(client_secret).decode("utf-8")
@@ -842,6 +848,7 @@ def oidc_register():
        grant_types=data.get("grant_types", ["authorization_code", "refresh_token"]),
        response_types=data.get("response_types", ["code"]),
        scopes=data.get("scope", "openid profile email roles").split(),
+        allowed_cors_origins=cors_origins,
        is_active=True,
        is_confidential=True,
        require_pkce=True,
@@ -871,6 +878,7 @@ def oidc_register():
        "client_secret_expires_at": 0,
        "client_name": client_name,
        "redirect_uris": redirect_uris,
+        "allowed_cors_origins": client.allowed_cors_origins,
        "token_endpoint_auth_method": data.get("token_endpoint_auth_method", "client_secret_basic"),
        "grant_types": client.grant_types,
        "response_types": client.response_types,