2016-05-28

I've written a JavaScript app to use Google's OpenID-Connect provider for authentication. I've registered the app at Google's developer console.

I'm using the oidc-client-js library to handle the interactions with Google and also passed my app's client_id to the configuration, so that it is passed to Google to authenticate my app.

My configuration:

My dev server runs on https://localhost:8080 (with a self-signed dev certificate). I've registered this URL & redirect URI at Google as an authorized host for my app, so Google knows about my dev server. When I try to access Google's OpenID-Provider I get the following error:

XMLHttpRequest cannot load https://accounts.google.com/.well-known/openid-configuration. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://localhost:8080' is therefore not allowed access.

EDIT: I've narrowed the issue down to Google's endpoint not having any CORS headers set in its response. Authentication works if I disable Chrome's CORS security settings. This is not desirable by any means, but it also means that CORS is the real culprit here.

Is there any way for me to use CORS with Google's OpenID discovery document? Do I have to register a CORS origin for my server at Google?
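The error quoted above is the browser's CORS response check failing. The following is an added example, not code from the question or from oidc-client-js, that models that check so it can be reproduced offline: `corsAllowsRead` applies the same rules Chrome applies to a cross-origin response (header missing, wildcard, exact origin match, credentialed requests), and the two discovery responses are constructed samples, not captures from Google.

```javascript
// Added example: a model of the browser's CORS response check, applied to
// constructed responses for an OpenID Connect discovery document.
// Not part of the question and not oidc-client-js code.

function corsAllowsRead(requestOrigin, responseHeaders, { withCredentials = false } = {}) {
  // HTTP header names are case-insensitive; normalise before looking them up.
  const headers = {};
  for (const [name, value] of Object.entries(responseHeaders)) {
    headers[name.toLowerCase()] = value;
  }
  const acao = headers['access-control-allow-origin'];

  // No header at all: this is the situation in the question.
  if (acao === undefined) {
    return {
      allowed: false,
      reason: "No 'Access-Control-Allow-Origin' header is present on the requested resource.",
    };
  }
  // Wildcard is fine for anonymous requests but rejected for credentialed ones.
  if (acao === '*') {
    if (withCredentials) {
      return { allowed: false, reason: "Wildcard '*' is not allowed when credentials are included." };
    }
    return { allowed: true, reason: 'wildcard origin' };
  }
  // Otherwise the value must match the requesting origin exactly (scheme, host, port).
  if (acao !== requestOrigin) {
    return { allowed: false, reason: `Origin '${requestOrigin}' does not match '${acao}'.` };
  }
  if (withCredentials && headers['access-control-allow-credentials'] !== 'true') {
    return { allowed: false, reason: "Credentialed request but 'Access-Control-Allow-Credentials: true' is missing." };
  }
  return { allowed: true, reason: 'origin matches' };
}

// Constructed sample responses (not captured from accounts.google.com).
const DISCOVERY_RESPONSE_NO_CORS = {
  status: 200,
  headers: { 'Content-Type': 'application/json' },
  body: '{"issuer":"https://accounts.google.com"}',
};
const DISCOVERY_RESPONSE_WITH_CORS = {
  status: 200,
  headers: { 'Content-Type': 'application/json', 'Access-Control-Allow-Origin': '*' },
  body: '{"issuer":"https://accounts.google.com"}',
};

// Reproduce the question's scenario: a page on https://localhost:8080 fetching
// the discovery document, once without and once with a CORS header.
function reproduceQuestion() {
  const origin = 'https://localhost:8080';
  return {
    blocked: corsAllowsRead(origin, DISCOVERY_RESPONSE_NO_CORS.headers),
    permitted: corsAllowsRead(origin, DISCOVERY_RESPONSE_WITH_CORS.headers),
  };
}

const result = reproduceQuestion();
console.log('without header:', result.blocked);
console.log('with header:   ', result.permitted);
```

The point the model makes visible is that the decision depends entirely on a header the responding server chooses to send; nothing on the client side can supply it, and switching the check off in the browser (as the question describes) removes the protection for every site, not just this one.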
