Description
Problem
The OAuth 2.1 spec mentions CORS support for token endpoints (Section 3.2) but doesn't specify how authorization servers should validate the Origin header in CORS requests.
Context
Related to #133 which addressed broader CORS recommendations. While that issue covered which endpoints need CORS support, the specific implementation approach for origin validation wasn't addressed.
Current Implementation Gap
Most implementations likely extract origins from registered redirect URIs (e.g., https://myapp.com/callback → allow https://myapp.com), but this approach isn't documented in the spec.
Question
Should the spec recommend:
- Extract origins from redirect URIs (covers 90% of use cases)
- Separate "allowed origins" registration (handles edge cases like microservices)
- Both approaches with guidance on when to use each
Example Scenario
- Client registers redirect URI: https://myapp.com/oauth/callback
- Token request comes from origin: https://myapp.com
- Should this be automatically allowed, or require separate origin registration?
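As an added example (not code from the issue, the spec, or any reference implementation), one way an authorization server could implement both options from the scenario above: derive an origin (scheme, host, port) from each registered redirect URI and compare it exactly against the Origin header, with a separately registered allowed-origins list taking precedence when the client has one. The client registry, client IDs and URIs are constructed for illustration.

```python
from typing import Optional, Set
from urllib.parse import urlsplit

# Constructed sample registrations (assumption, not from the issue).
# "client-abc" relies on origins derived from its redirect URI;
# "client-svc" registers an explicit origin that differs from its redirect host.
CLIENT_REGISTRY = {
    "client-abc": {
        "redirect_uris": ["https://myapp.com/oauth/callback"],
        "allowed_origins": [],  # empty: fall back to redirect-URI-derived origins
    },
    "client-svc": {
        "redirect_uris": ["https://api.example.com/cb"],
        "allowed_origins": ["https://frontend.example.com"],
    },
}

def origin_of(uri: str) -> Optional[str]:
    """Return the normalized web origin 'scheme://host[:port]' of an absolute
    URI, or None for non-web schemes (e.g. a native app's custom scheme),
    which never legitimately appear in a browser's Origin header."""
    parts = urlsplit(uri)
    if parts.scheme not in ("https", "http") or not parts.hostname:
        return None
    host = parts.hostname  # already lowercased by urlsplit
    port = parts.port
    default = (parts.scheme == "https" and port == 443) or (parts.scheme == "http" and port == 80)
    if port and not default:
        host = f"{host}:{port}"
    return f"{parts.scheme}://{host}"

def allowed_origins(client_id: str) -> Set[str]:
    """Explicitly registered origins win; otherwise derive them from redirect URIs."""
    client = CLIENT_REGISTRY[client_id]
    sources = client["allowed_origins"] or client["redirect_uris"]
    return {o for o in (origin_of(u) for u in sources) if o}

def cors_origin_allowed(client_id: str, origin_header: Optional[str]) -> bool:
    """Decide whether to echo the Origin in Access-Control-Allow-Origin.
    Comparison is an exact match on the normalized origin, never a prefix or
    suffix match, so 'https://myapp.com.evil.example' is not accepted for
    'https://myapp.com'. A missing or opaque ('null') Origin is refused."""
    if not origin_header or origin_header == "null":
        return False
    return origin_of(origin_header) in allowed_origins(client_id)
```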