AJAX requests with the oidc golib and keymaster

[atran-brex]

We have a service using the oidc golib package and keymaster for auth and would like to make AJAX requests to the service from a client-side JS app.

Currently, if the user has not gone through the auth flow to get a cookie set for the service, our AJAX POST request to the service will get redirected to the keymaster login, which will proceed to get blocked by CORS as it has no CORS headers on the response and prevent the browser from showing anything about the response.

Is there any way we could either set those headers for keymaster (not sure if thats actually what we want or how the flow would work in that case), be able to go through the flow in an iframe, or have the oidc golib package return a 401 Unauthorized with a link to the keymaster auth on AJAX requests (denoted by some header) so that we can manually redirect the user?

[cviecco]

keymasterd already supports CORS iff the PKCE auth0 client is enabled (not by default). It seems like you have an JS app that also tries to login. Please enable this flow and if it does not work please write down the message flow so that I understand the issue.

At this moment I think is just missing configuration (I know bad docs). Please let us know if this fixes your issues.

[rgooch]

@atran-brex Ping?