Allow CORS on discovery endpoint

cmd/dex/config.go

@@ -98,10 +98,11 @@ type OAuth2 struct {
 
 // Web is the config format for the HTTP server.
 type Web struct {
-	HTTP    string `json:"http"`
-	HTTPS   string `json:"https"`
-	TLSCert string `json:"tlsCert"`
-	TLSKey  string `json:"tlsKey"`
+	HTTP                    string   `json:"http"`
+	HTTPS                   string   `json:"https"`
+	TLSCert                 string   `json:"tlsCert"`
+	TLSKey                  string   `json:"tlsKey"`
+	DiscoveryAllowedOrigins []string `json:"discoveryAllowedOrigins"`
 }
 
 // GRPC is the config for the gRPC API.

cmd/dex/serve.go

@@ -179,20 +179,24 @@ func serve(cmd *cobra.Command, args []string) error {
 	if c.OAuth2.SkipApprovalScreen {
 		logger.Infof("config skipping approval screen")
 	}
+	if len(c.Web.DiscoveryAllowedOrigins) > 0 {
+		logger.Infof("config discovery allowed origins: %s", c.Web.DiscoveryAllowedOrigins)
+	}
 
 	// explicitly convert to UTC.
 	now := func() time.Time { return time.Now().UTC() }
 
 	serverConfig := server.Config{
-		SupportedResponseTypes: c.OAuth2.ResponseTypes,
-		SkipApprovalScreen:     c.OAuth2.SkipApprovalScreen,
-		Issuer:                 c.Issuer,
-		Connectors:             connectors,
-		Storage:                s,
-		Web:                    c.Frontend,
-		EnablePasswordDB:       c.EnablePasswordDB,
-		Logger:                 logger,
-		Now:                    now,
+		SupportedResponseTypes:  c.OAuth2.ResponseTypes,
+		SkipApprovalScreen:      c.OAuth2.SkipApprovalScreen,
+		DiscoveryAllowedOrigins: c.Web.DiscoveryAllowedOrigins,
+		Issuer:                  c.Issuer,
+		Connectors:              connectors,
+		Storage:                 s,
+		Web:                     c.Frontend,
+		EnablePasswordDB:        c.EnablePasswordDB,
+		Logger:                  logger,
+		Now:                     now,
 	}
 	if c.Expiry.SigningKeys != "" {
 		signingKeys, err := time.ParseDuration(c.Expiry.SigningKeys)