providers/oauth2: allow protected_resource_view when method is OPTIONS

2021-03-05 16:57:37 +01:00 · 2021-03-05 16:57:37 +01:00 · c6de4e47d7
parent 0e9e378bdf
commit c6de4e47d7
2 changed files with 5 additions and 2 deletions
--- a/authentik/providers/oauth2/utils.py
+++ b/authentik/providers/oauth2/utils.py
@ -101,7 +101,9 @@ def protected_resource_view(scopes: list[str]):
    This decorator also injects the token into `kwargs`"""

    def wrapper(view):
-        def view_wrapper(request, *args, **kwargs):
+        def view_wrapper(request: HttpRequest, *args, **kwargs):
+            if request.method == "OPTIONS":
+                return view(request, *args, **kwargs)
            try:
                access_token = extract_access_token(request)
                if not access_token:
--- a/authentik/providers/oauth2/views/provider.py
+++ b/authentik/providers/oauth2/views/provider.py
@ -19,6 +19,7 @@ from authentik.providers.oauth2.models import (
    ResponseTypes,
    ScopeMapping,
 )
+from authentik.providers.oauth2.utils import cors_allow_any

 LOGGER = get_logger()

@ -108,5 +109,5 @@ class ProviderInfoView(View):
    def dispatch(self, request: HttpRequest, *args: Any, **kwargs: Any) -> HttpResponse:
        # Since this view only supports get, we can statically set the CORS headers
        response = super().dispatch(request, *args, **kwargs)
-        response["Access-Control-Allow-Origin"] = "*"
+        cors_allow_any(request, response)
        return response