add a reference to CORS headers on token endpoint

closes #43
oauth-wg · Oct 24, 2022 · 5f4d28a · 5f4d28a
1 parent 7303716
commit 5f4d28a
Showing 1 changed file with 11 additions and 0 deletions.
diff --git a/draft-ietf-oauth-v2-1.md b/draft-ietf-oauth-v2-1.md
@@ -1036,6 +1036,17 @@ Parameters sent without a value MUST be treated as if they were
 omitted from the request. Request and response parameters
 defined by this specification MUST NOT be included more than once.
 
+Authorization servers that wish to support browser-based applications
+(applications running exclusively in client-side JavaScript without
+access to a supporting backend server) will need to ensure the token endpoint
+supports the necessary Cross-Origin Resource Sharing (CORS) headers.
+If the authorization server provides additional endpoints to the application, such
+as metadata URLs, dynamic client registration, revocation, introspection, discovery or
+user info endpoints, these endpoints may also be accessed by the browser-based
+application, and will also need to have the CORS headers defined to allow access.
+See {{I-D.ietf-oauth-browser-based-apps}} for further details.
+
+
 ### Client Authentication {#token-endpoint-client-authentication}
 
 Confidential clients MUST