Cors Response does not have Origin headers on 401/500 errors

[jsona91]

Hi All,

I have setup as below. When client calls protected link using Cors then if there is any error like refreshing token Or access token is expired then mod_auth_openidc returns 401 or 500 back to client. But it does not return Access-Control-Allow-Origin in Response back to client. In successful access token validation of cors requests, it does returns Access-Control-Allow-Origin back to client in Response.

So can you please suggest how can Access-Control-Allow-Origin returned back on error in Response.

<Location /protected1>
AuthType openid-connect
Require valid-user
OIDCUnAuthAction auth true

<Location /protected2>
AuthType openid-connect
Require valid-user
OIDCUnAuthAction 401

In case of /protected2 endponint, if OIDCUnAuthAction fails with 401 then it does not return Access-Control-Allow-Origin returned back to client in Response.

Thanks

[zandbelt]

assuming you're setting those headers yourself, you'll need to apply the always attribute to add the headers to error responses as well ass "succesful" response, i.e. use Header always set