Dynamic Configuration of OidcTrustedDomains.js

[timurscribe]

We currently have an app that retrieves configuration variables from the initial information request, which are then used to configure all endpoints and authentication URLs. Unfortunately, setting OidcTrustedDomains dynamically is not possible at the moment. It would be beneficial to have the ability to configure this dynamically.

[jw265982]

Support

[guillaume-chervet]

Hi @timurscribe @jw265982 ,

Thank you for your issue.
It is possible to build it dynamicaly from your server side.
This his only secure way i know to do it.

[timurscribe]

1. Why is setting up a trusted domain on the client side not secure?
2. How about a Post message to the web worker that provides a trusted domain and initiates the authorization process?
   Thanks in advance.

[meesvandongen]

1. Why is setting up a trusted domain on the client side not secure?

Part of the goal of using a service worker is that if someone evil has gained the ability to execute javascript on the page of the user, they would not be able to steal the access token (as they cannot execute JS inside the service worker). If they can configure the domain, they can work around this by sending the token to their own server.