Is your feature request related to a problem? Please describe.
Yes. When using IDPs that:
- Don't expose .well-known/openid-configuration due to CORS restrictions
- Are behind a WAF/Gateway that blocks discovery endpoints
- Have non-standard discovery URLs
- Are in environments where the discovery endpoint is unreachable from the browser
The library currently always attempts to fetch .well-known, even when authWellknownEndpoints is fully configured. This causes errors like:
Access to XMLHttpRequest at 'https://idp.example.com/.well-known/openid-configuration' has been blocked by CORS policy
Describe the solution you'd like
Option A: Explicit flag
```ts
{
  skipDiscovery: true, // New option
  authWellknownEndpoints: {
    issuer: '...',
    authorizationEndpoint: '...',
    tokenEndpoint: '...',
    // ...
  }
}
```
Option B: Auto-detect
Skip discovery automatically if authWellknownEndpoints contains the minimum required endpoints (issuer, authorizationEndpoint, tokenEndpoint):
```ts
// In AuthWellKnownDataService.getWellKnownEndPointsForConfig()
const hasRequiredEndpoints =
  authWellknownEndpoints.issuer &&
  authWellknownEndpoints.authorizationEndpoint &&
  authWellknownEndpoints.tokenEndpoint;

if (hasRequiredEndpoints) {
  this.loggerService.logDebug(config, 'Skipping .well-known discovery - using provided endpoints');
  return of(authWellknownEndpoints);
}
```
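To make the Option B rule concrete, here is an added, framework-free helper (not the library's own code) that applies the "minimum required endpoints" check and reports which endpoint blocks the skip. The interface name, the `https` requirement and the `localhost` exception are assumptions for this example; the real service would wrap the result in an observable and log through `loggerService`.

```typescript
// Added example: decision helper for the auto-detect rule. Not library code.
// Assumed shape of the configured endpoints (field names follow the issue).
interface AuthWellKnownEndpoints {
  issuer?: string;
  authorizationEndpoint?: string;
  tokenEndpoint?: string;
  jwksUri?: string;
  endSessionEndpoint?: string;
}

// Minimum set named in the feature request.
const REQUIRED_ENDPOINTS = ['issuer', 'authorizationEndpoint', 'tokenEndpoint'] as const;

// Returns a human-readable reason why discovery cannot be skipped,
// or null when the provided endpoints are sufficient.
function discoverySkipBlocker(endpoints: AuthWellKnownEndpoints | undefined): string | null {
  if (!endpoints) {
    return 'no authWellknownEndpoints configured';
  }
  for (const key of REQUIRED_ENDPOINTS) {
    const value = endpoints[key];
    if (typeof value !== 'string' || value.trim() === '') {
      return `missing required endpoint '${key}'`;
    }
    let url: URL;
    try {
      url = new URL(value);
    } catch {
      return `'${key}' is not an absolute URL`;
    }
    // Assumption for this example: statically configured endpoints bypass
    // discovery, so insist on https (http only for local development).
    const isLocalHttp = url.protocol === 'http:' && url.hostname === 'localhost';
    if (url.protocol !== 'https:' && !isLocalHttp) {
      return `'${key}' must use https (or http on localhost)`;
    }
  }
  return null;
}

// Convenience wrapper matching the hasRequiredEndpoints intent from the issue.
function shouldSkipDiscovery(endpoints: AuthWellKnownEndpoints | undefined): boolean {
  return discoverySkipBlocker(endpoints) === null;
}
```

Logging the returned reason at debug level makes a misconfigured static setup obvious instead of silently falling back to a discovery request that then fails on CORS.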
Describe alternatives you've considered
- Proxy the discovery endpoint: adds infrastructure complexity
- Patch the library: not maintainable, breaks on updates
- Use a different library: migration cost
Additional context
It's a common issue with enterprise IDPs behind security gateways. The endpoints are static, but the .well-known endpoint isn't browser-accessible outside
Related issues: