CORS errors when using client-side webapp

[RichardLindhout]

I'm writing a native app and webapp with in reactJS and react-native.

At the moment I'm struggling with the webapp sending preflight requests.
When the webapp is doing a OPTIONS request to /dex/token
It keeps returning

{"error":"invalid_client","error_description":"Invalid client credentials."}

Since the browsers automatically strips the Authorization headers for preflight requests I would like if the OPTIONS request won't be authenticated anymore.

Source:
https://www.w3.org/TR/cors/#preflight-request

(...) using the method OPTIONS, and with the following additional constraints:

(...)
Exclude the author request headers.
Exclude user credentials.
(...)

[bkleef]

Current (dirty) workaround for NGINX proxy:

if ($request_method = OPTIONS ) {
    add_header Access-Control-Allow-Origin "*";
    add_header Access-Control-Allow-Methods "POST, GET, PUT, OPTIONS, PATCH, DELETE";
    add_header Access-Control-Allow-Credentials "true";
    add_header Access-Control-Allow-Headers "Authorization";
    return 200;
}

[ericchiang]

Possibly resolved by documenting the existing CORS setup #1025 ?

[RichardLindhout]

Probably better, but still not resolved since the options request should respond with something like

Access-Control-Allow-Origin: http://example.org
Access-Control-Max-Age: 2520
Access-Control-Allow-Methods: PUT, DELETE, 

Instead of that I got a redirect. It looks like dex does handle options request with an authentication flow or something.

https://stackoverflow.com/questions/22972066/how-to-handle-preflight-cors-requests-on-a-go-server

[RichardLindhout]

@ericchiang Probably fixed with this commit. We are checking this in production today.

profects@2f67841