René's URL Explorer Experiment

{"@context":"https://schema.org","@type":"DiscussionForumPosting","headline":"OIDC token endpoint returns 400 'origin not allowed for client' for CDN-loaded apps","articleBody":"## Problem\n\nWhen Mashlib is loaded from CDN (unpkg.com), the Solid-OIDC login flow fails at the token exchange step with:\n\n```\n400 Bad Request\norigin not allowed for client\n```\n\n## Root Cause\n\nThe `oidc-provider` library validates CORS requests against the client's registered redirect URIs by default. When a web app like Mashlib is loaded from a CDN domain (unpkg.com) but makes token requests to the Solid server (jss:4000), the origin doesn't match.\n\n## Solution\n\nConfigure `clientBasedCORS` in the OIDC provider to allow all origins:\n\n```javascript\nclientBasedCORS: () =\u003e true,\n```\n\nThis is appropriate for Solid servers because:\n- Solid servers are public and should accept requests from any web app\n- Web apps can be hosted anywhere (CDNs, local development, etc.)\n- The Solid ecosystem relies on apps being able to authenticate against any pod\n\n## Affected Files\n\n- `src/idp/provider.js`\n\n## Testing\n\n1. Start JSS with `--mashlib-cdn --idp` flags\n2. Navigate to a protected resource\n3. Click \"Sign In\" in Mashlib\n4. Complete the login flow\n5. Verify token exchange succeeds","author":{"url":"https://github.com/melvincarvalho","@type":"Person","name":"melvincarvalho"},"datePublished":"2025-12-29T07:32:09.000Z","interactionStatistic":{"@type":"InteractionCounter","interactionType":"https://schema.org/CommentAction","userInteractionCount":2},"url":"https://github.com/10/JavaScriptSolidServer/issues/10"}