diff --git a/authentik/providers/oauth2/utils.py b/authentik/providers/oauth2/utils.py index 59334ce1d..2ab16c774 100644 --- a/authentik/providers/oauth2/utils.py +++ b/authentik/providers/oauth2/utils.py @@ -101,7 +101,9 @@ def protected_resource_view(scopes: list[str]): This decorator also injects the token into `kwargs`""" def wrapper(view): - def view_wrapper(request, *args, **kwargs): + def view_wrapper(request: HttpRequest, *args, **kwargs): + if request.method == "OPTIONS": + return view(request, *args, **kwargs) try: access_token = extract_access_token(request) if not access_token: diff --git a/authentik/providers/oauth2/views/provider.py b/authentik/providers/oauth2/views/provider.py index ab28e8db3..12bf1c118 100644 --- a/authentik/providers/oauth2/views/provider.py +++ b/authentik/providers/oauth2/views/provider.py @@ -19,6 +19,7 @@ from authentik.providers.oauth2.models import ( ResponseTypes, ScopeMapping, ) +from authentik.providers.oauth2.utils import cors_allow_any LOGGER = get_logger() @@ -103,9 +104,10 @@ class ProviderInfoView(View): provider: OAuth2Provider = get_object_or_404( OAuth2Provider, pk=application.provider_id ) - response = JsonResponse( - self.get_info(provider), json_dumps_params={"indent": 2} - ) - response["Access-Control-Allow-Origin"] = "*" + return JsonResponse(self.get_info(provider), json_dumps_params={"indent": 2}) + def dispatch(self, request: HttpRequest, *args: Any, **kwargs: Any) -> HttpResponse: + # Since this view only supports get, we can statically set the CORS headers + response = super().dispatch(request, *args, **kwargs) + cors_allow_any(request, response) return response