Cerner OpenID Connect

[Muteeb Ahmad]

I'm trying to get open-id configuration from Cerner's Authorization server. But I'm getting CORS error on the get call.

When I tried to access the URL from browser tab or postman, it works fine.

[Matt Randall (Cerner)]

Neither OIDC or webfinger (RFC 5785) dictates that the .well-known endpoint provide CORS headers (the existing system would have to be enhanced to allow it).  Is there something specific you are attempting to do from the browser?  Usually, the discovery document is retrieved by a backend server as part of the token validation process.  I'm not seeing much of a reason for it to be used from the frontend given that the actual SMART launch process uses the SMART discovery endpoint for declaring the authorization endpoints.

[Muteeb Ahmad]

This is how I'm calling the endpoint from JS. I'm testing it on localhost.

[Matt Randall (Cerner)]

It's still not clear as to what you are attempting to accomplish.  This code appears to be calling some kind of server-side validation endpoint, which that endpoint would need to fetch the .well_known configuration document to determine the JWK endpoint and associated keys for verifying the token.  The server can't trust the client side to perform any of those functions.