Configure CORS

Overview

Cross-origin resource sharing (CORS) lets user agents make cross-domain server requests. For example, CORS lets your web application make requests to other websites from the browser.

By default, a CORS service is configured between Identity Cloud and the ForgeRock SDKs. You can add more CORS configurations, for example, for your own APIs or SDK.

Configure CORS by using the AM REST APIs, or use the Identity Cloud Admin UI as described in the following sections.

View CORS configurations

  1. Open the Tenant settings menu, and choose Tenant settings.

  2. On the Tenant Settings page, click Global Settings > Cross-Origin Resource Sharing (CORS).

Add a new CORS configuration

  1. Open the Tenant settings menu, and choose Tenant settings.

  2. On the Tenant Settings page, click Global Settings > Cross-Origin Resource Sharing (CORS).

  3. Click + New CORS Configuration.

  4. On the New CORS Configuration dialog box, choose a configuration type.

    Configuration types:

    ForgeRock SDK

    Choose this option when you want to work with the ForgeRock SDK.
    Identity Cloud pre-configures accepted origins, methods, and headers for you. You can modify the configuration in the next step.

    Custom

    Choose this option when you want to use your own SDK, APIs, or other software components.

  5. Click Next.

  6. In the New CORS Configuration dialog box, provide CORS details.

    CORS details:

    Name

    Default is ForgeRock SDK.
    Enter a display name. Use only numerals, letters, and hyphens (-).

    Accepted Origin

    Required. Accepted origins that will be allowed to make requests to ForgeRock from your application in a cross-origin context. Wildcards are not supported. Each value should be identical to the origin of the CORS request.
    Example: `https://myapp.example.com:443`

    Accepted Methods

    Defaults are POST and GET. The set of (non-simple) accepted HTTP methods allowed when making CORS requests to ForgeRock. Use only uppercase characters.

    Accepted Headers (optional)

    Accepted header names when making requests from the above specified trusted domains.
    Header names are case-insensitive. By default, the following simple headers are explicitly accepted: Cache-Control, Content-Language, Expires, Last-Modified, Pragma.
    If you don’t specify values for this element, then the presence of any header in the CORS request, other than the simple headers listed above, will cause the request to be rejected.

    Advanced settings:

    Exposed Headers (optional)

    Add the response header names that ForgeRock returns.
    The header names are case-insensitive. User agents can make use of any headers that are listed in this property, as well as these simple response headers: Cache-Control, Content-Language, Expires, Last-Modified, Pragma, and Content-Type. User agents must filter out all other response headers.

    Enable Caching

    Max age is the maximum length of time, in seconds, that the browser is allowed to cache the pre-flight response. The value is included in pre-flight responses, in the Access-Control-Max-Age header.

    Allow Credentials

    Enable this property if you send Authorization headers as part of the CORS requests, or need to include information in cookies when making requests.

    When enabled, AM sets the Access-Control-Allow-Credentials: true header.

  7. Click Save CORS Configuration.
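
How the settings in step 6 interact when a pre-flight request arrives, as an added example that is not ForgeRock code and not part of the original page. It models only the rules stated above; `evaluatePreflight`, the config field names, and the sample origin, headers, and max age are assumptions constructed for illustration.

```javascript
// Illustrative model of the rules stated above; not Identity Cloud or AM code.
// Field names and sample values are assumptions (constructed for this example).
const SIMPLE_HEADERS = ["cache-control", "content-language", "expires", "last-modified", "pragma"];

const sampleConfig = {
  acceptedOrigins: ["https://myapp.example.com"],
  acceptedMethods: ["GET", "POST"],
  acceptedHeaders: ["Authorization", "Content-Type"],
  maxAgeSeconds: 600, // 0 models caching turned off
  allowCredentials: true,
};

function evaluatePreflight(config, req) {
  // Origins match only as whole strings: no wildcards, no prefix or suffix matching.
  if (!config.acceptedOrigins.includes(req.origin)) {
    return { allowed: false, reason: "origin not accepted" };
  }
  // Method names are entered in uppercase; this model compares them exactly.
  if (!config.acceptedMethods.includes(req.method)) {
    return { allowed: false, reason: "method not accepted" };
  }
  // Header names are case-insensitive. Anything outside the simple headers
  // and the accepted list causes the request to be rejected.
  const accepted = new Set([...SIMPLE_HEADERS, ...config.acceptedHeaders.map((h) => h.toLowerCase())]);
  const unknown = (req.headers || []).filter((h) => !accepted.has(h.toLowerCase()));
  if (unknown.length > 0) {
    return { allowed: false, reason: "header not accepted: " + unknown.join(", ") };
  }
  const headers = {
    "Access-Control-Allow-Origin": req.origin,
    "Access-Control-Allow-Methods": config.acceptedMethods.join(", "),
    "Access-Control-Allow-Headers": config.acceptedHeaders.join(", "),
  };
  if (config.maxAgeSeconds > 0) headers["Access-Control-Max-Age"] = String(config.maxAgeSeconds);
  if (config.allowCredentials) headers["Access-Control-Allow-Credentials"] = "true";
  return { allowed: true, headers };
}

// Constructed requests: one valid, three that each break a single rule.
const checks = {
  valid: evaluatePreflight(sampleConfig, { origin: "https://myapp.example.com", method: "POST", headers: ["authorization"] }),
  lookalikeOrigin: evaluatePreflight(sampleConfig, { origin: "https://myapp.example.com.other.test", method: "GET" }),
  wrongScheme: evaluatePreflight(sampleConfig, { origin: "http://myapp.example.com", method: "GET" }),
  extraHeader: evaluatePreflight(sampleConfig, { origin: "https://myapp.example.com", method: "GET", headers: ["X-Trace-Id"] }),
};
console.log(JSON.stringify(checks, null, 2));
```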

Activate or Deactivate CORS Configuration

  • To activate or deactivate all CORS configurations:

    1. Open the Tenant settings menu, and choose Tenant settings.

    2. On the Tenant Settings page, click Global Settings > Cross-Origin Resource Sharing (CORS).

    3. On the CORS Configurations page, in the upper right side, click Activate or Deactivate.

  • To deactivate an individual CORS configuration:

    1. Open the Tenant settings menu, and choose Tenant settings.

    2. On the Tenant Settings page, click Global Settings > Cross-Origin Resource Sharing (CORS).

    3. On the CORS Configurations page, find the name of the configuration you want to edit.

    4. Click its More menu, and choose Edit > Deactivate.

Edit a CORS configuration

  1. Open the Tenant settings menu, and choose Tenant settings.

  2. On the Tenant Settings page, click Global Settings > Cross-Origin Resource Sharing (CORS).

  3. On the CORS Configurations page, find the name of the configuration you want to edit.

  4. Click its More menu, and choose Edit.

  5. From the Edit menu:

    • Edit opens an edit window. See Add a new CORS configuration for edit details.

    • Deactivate deactivates only this configuration.

    • Delete removes this configuration. This cannot be undone.
