Remove "Authorization" as Accepted Headers on CORS, small fixes

Signed-off-by: Bernd Eckstein <[email protected]>

server/handlers.go

@@ -785,7 +785,6 @@ func (s *Server) calculateCodeChallenge(codeVerifier, codeChallengeMethod string
 		shaSum := sha256.Sum256([]byte(codeVerifier))
 		return base64.RawURLEncoding.EncodeToString(shaSum[:]), nil
 	default:
-		s.logger.Errorf("unknown challenge method (%v)", codeChallengeMethod)
 		return "", fmt.Errorf("unknown challenge method (%v)", codeChallengeMethod)
 	}
 }
@@ -813,6 +812,7 @@ func (s *Server) handleAuthCode(w http.ResponseWriter, r *http.Request, client s
 	if providedCodeVerifier != "" && codeChallengeFromStorage != "" {
 		calculatedCodeChallenge, err := s.calculateCodeChallenge(providedCodeVerifier, authCode.PKCE.CodeChallengeMethod)
 		if err != nil {
+			s.logger.Error(err)
 			s.tokenErrHelper(w, errServerError, "", http.StatusInternalServerError)
 			return
 		}

server/server.go

@@ -287,8 +287,7 @@ func newServer(ctx context.Context, c Config, rotationStrategy rotationStrategy)
 		var handler http.Handler = h
 		if len(c.AllowedOrigins) > 0 {
 			corsOption := handlers.AllowedOrigins(c.AllowedOrigins)
-			corsHeaders := handlers.AllowedHeaders([]string{"Authorization"})
-			handler = handlers.CORS(corsOption, corsHeaders)(handler)
+			handler = handlers.CORS(corsOption)(handler)
 		}
 		r.Handle(path.Join(issuerURL.Path, p), instrumentHandlerCounter(p, handler))
 	}