Accept/Add OPTIONS Preflight Request handling on OIDC UserInfo Endpoint #1212

@GNW-001

Description

Is your feature request related to a problem? Please describe.
When attempting to perform a GET request on the userinfo endpoint from a browser-based public client/SPA, this triggers a browser preflight OPTIONS request on the endpoint for valid operations (standard browser behavior when doing a "complex" CORS request). Rauthy currently returns 404 for this preflight, which prevents the subsequent GET request from being sent, which results in a total inability for authenticated SPAs to call the /userinfo endpoint directly.

Describe the solution you'd like
A small addition to the endpoint handling to accommodate the universal browser behavior when handling GET requests.

Describe alternatives you've considered
I've tried to manually construct the request to somehow prevent the preflight, but the browser detects the Authorization Bearer token in the headers and flags the CORS request as complex, resulting in the preflight. I did this because without the preflight request (using Postman or even server to server), the endpoint returns the expected data.

Additional context
Tested an OPTIONS request with token in Postman, and it also returns 404.

Based on a quick perusal of the code for the userinfo endpoint, it seems to be a strict GET-or-POST-only acceptance check. All others fall back to 404.

If this was an explicit design choice, could you please elaborate?

Thank you for your time.
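The preflight flow the issue describes, as an added example that is not Rauthy's code: a minimal model of a userinfo handler that answers the browser's OPTIONS preflight before any token check, enforces an origin allowlist instead of reflecting "*", and also attaches CORS headers to the real GET response. The origin, allowed headers and the `userinfo_endpoint`/`handle_preflight` names are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed values: the SPA origin allowed to call userinfo and the request headers a preflight may ask for.
ALLOWED_ORIGINS = {"https://spa.example.com"}
ALLOWED_METHODS = {"GET", "POST"}
ALLOWED_HEADERS = {"authorization", "content-type"}

@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)

def _lower(headers):
    return {k.lower(): v for k, v in headers.items()}

def is_preflight(method, headers):
    # A CORS preflight is an OPTIONS request carrying both Origin and Access-Control-Request-Method.
    h = _lower(headers)
    return method == "OPTIONS" and "origin" in h and "access-control-request-method" in h

def handle_preflight(headers):
    h = _lower(headers)
    origin = h["origin"]
    requested = {x.strip().lower() for x in h.get("access-control-request-headers", "").split(",") if x.strip()}
    # Unknown origin, disallowed method or header: answer with no Access-Control-* headers, so the browser blocks the call.
    if (origin not in ALLOWED_ORIGINS
            or h["access-control-request-method"].upper() not in ALLOWED_METHODS
            or not requested <= ALLOWED_HEADERS):
        return Response(403)
    return Response(204, {
        "Access-Control-Allow-Origin": origin,  # echo the one origin; never "*" for a credentialed call
        "Access-Control-Allow-Methods": ", ".join(sorted(ALLOWED_METHODS)),
        "Access-Control-Allow-Headers": ", ".join(sorted(ALLOWED_HEADERS)),
        "Vary": "Origin",
    })

def userinfo_endpoint(method, headers):
    # Answer the preflight before any token check: browsers never attach Authorization to the
    # preflight itself, so requiring a token here would fail every SPA.
    if is_preflight(method, headers):
        return handle_preflight(headers)
    if method not in ALLOWED_METHODS:
        return Response(404)  # other methods keep the fallback the issue describes
    h = _lower(headers)
    if not h.get("authorization", "").startswith("Bearer "):
        return Response(401)
    # Token validation omitted. The real response also needs the CORS headers, or the browser
    # hides the body from the SPA even after a successful preflight.
    origin = h.get("origin")
    cors = {"Access-Control-Allow-Origin": origin, "Vary": "Origin"} if origin in ALLOWED_ORIGINS else {}
    return Response(200, cors)
```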

Labels: enhancement (New feature or request)