Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Continue investigating Vireo 4 Batch export #80

Open
jsavell opened this issue May 30, 2024 · 0 comments
Open

Continue investigating Vireo 4 Batch export #80

jsavell opened this issue May 30, 2024 · 0 comments
Assignees
@jsavell

Comments

@jsavell
Copy link
Member

jsavell commented May 30, 2024

The CORS error causing the export problem is solvable by narrowing the scope of the shibboleth apache/nginx configuration to exclude the refresh auth endpoint. This works, but depending on the Weaver auth implementation, could create a scenario where Weaver users log into CAS/IDP once, then keep their Weaver session alive via refresh even after their central CAS session has expired. Investigation is needed to rule this scenario in or out.

It may also be possible to solve the CORS error by re-configuring Vireo and auth to expect and allow credentials to be passed via xhr as described here: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials

This would avoid the concerns with the first solution, but hasn't been shown to work yet and would introduce some security questions of its own that need investigation.
@jsavell jsavell self-assigned this May 30, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jsavell jsavell

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@jsavell