
OIDC token endpoint returns 400 'origin not allowed for client' for CDN-loaded apps #10

@melvincarvalho

Description

Problem

When Mashlib is loaded from CDN (unpkg.com), the Solid-OIDC login flow fails at the token exchange step with:

400 Bad Request
origin not allowed for client

Root Cause

The oidc-provider library validates CORS requests against the client's registered redirect URIs by default. When a web app like Mashlib is loaded from a CDN domain (unpkg.com) but makes token requests to the Solid server (jss:4000), the origin doesn't match.

Solution

Configure clientBasedCORS in the OIDC provider to allow all origins:

clientBasedCORS: () => true,

This is appropriate for Solid servers because:

  • Solid servers are public and should accept requests from any web app
  • Web apps can be hosted anywhere (CDNs, local development, etc.)
  • The Solid ecosystem relies on apps being able to authenticate against any pod

Affected Files

  • src/idp/provider.js

Testing

  1. Start JSS with --mashlib-cdn --idp flags
  2. Navigate to a protected resource
  3. Click "Sign In" in Mashlib
  4. Complete the login flow
  5. Verify token exchange succeeds
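A stricter alternative to the blanket `() => true`, added here as an example (this is not JSS or node-oidc-provider code, and the issue itself chose to allow every origin): a `clientBasedCORS(ctx, origin, client)` hook that accepts a request only when its Origin is the origin of one of the client's registered redirect_uris, or is on an explicit operator allow-list (an assumed `https://unpkg.com` entry stands in for the CDN case from this issue). It also rejects the opaque origin `null` and skips non-http(s) redirect URIs (custom-scheme native callbacks), both of which a bare `new URL(uri).origin` comparison would mishandle. The `client` argument is modelled on node-oidc-provider's Client instance, which is assumed to expose metadata camelCased as `client.redirectUris`; the client object in the usage lines is constructed for the example. Solid-OIDC binds the code and the tokens to the app with PKCE and DPoP rather than with origin checks, so allowing all origins mainly widens who can reach the token endpoint rather than who can redeem a code, but the hook below lets an operator decide that per deployment instead of switching the check off.

```javascript
// Added example, not JSS or node-oidc-provider code: a clientBasedCORS hook for
// node-oidc-provider that derives allowed origins from the client's registered
// redirect_uris plus an operator allow-list, instead of returning true for all.
// Assumption: the provider passes a Client instance whose redirect_uris are
// exposed camelCased as `client.redirectUris` (node-oidc-provider convention).

// Reduce a URI to its origin (scheme://host[:port]). Returns null for anything
// that is not an absolute http(s) URL, e.g. a custom-scheme native redirect,
// so such entries never match a browser Origin header.
function originOf(uri) {
  let url;
  try {
    url = new URL(uri);
  } catch {
    return null;
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return null;
  return url.origin;
}

// Build the hook. `extraAllowedOrigins` is an operator-configured allow-list
// (assumption: a JSS deployment would list trusted app origins here, such as
// the CDN origin from this issue).
function makeClientBasedCORS(extraAllowedOrigins = []) {
  const extra = new Set(extraAllowedOrigins.map(originOf).filter(Boolean));

  return function clientBasedCORS(ctx, origin, client) {
    // Browsers send the literal string "null" for opaque origins (sandboxed
    // iframes, file:// pages); a missing header is also a non-match.
    if (typeof origin !== 'string' || origin === 'null') return false;

    // Normalise the requesting origin the same way as the registered ones.
    const requested = originOf(origin);
    if (requested === null) return false;

    if (extra.has(requested)) return true;

    // Match against the origins of the client's registered redirect_uris;
    // non-http(s) entries reduce to null and therefore never match.
    const registered = Array.isArray(client && client.redirectUris)
      ? client.redirectUris
      : [];
    return registered.some((uri) => originOf(uri) === requested);
  };
}

// The blanket setting from the issue, kept here for side-by-side comparison.
const allowAllCORS = () => true;

// Usage with a constructed client (not a real registration):
const exampleClient = {
  clientId: 'https://app.example/id',
  redirectUris: ['https://app.example/callback', 'http://localhost:3000/cb', 'myapp://auth'],
};
const strictCORS = makeClientBasedCORS(['https://unpkg.com']);
// strictCORS({}, 'https://app.example', exampleClient)  -> true  (registered redirect origin)
// strictCORS({}, 'https://unpkg.com', exampleClient)    -> true  (allow-listed)
// strictCORS({}, 'https://evil.example', exampleClient) -> false
// allowAllCORS({}, 'https://evil.example', exampleClient) -> true
```

Wire it in as `clientBasedCORS: makeClientBasedCORS(['https://unpkg.com'])` in the provider configuration (the allow-list value is an assumption for this deployment); the only behavioural difference from `() => true` is which origins get the CORS headers on the token endpoint, so the CDN-loaded flow from the issue still needs its page origin or an allow-list entry to match.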
