Allow CORS on /oauth/token

changelogs/unreleased/pkce-cors.yml

+---
+title: Allow cross-origin requests on /oauth/token
+merge_request: 52641
+author:
+type: fixed

config/application.rb

@@ -289,6 +289,14 @@ module Gitlab
           methods: :any,
           expose: headers_to_expose
       end
+
+      # Cross-origin requests must be enabled for the Authorization code with PKCE OAuth flow when used from a browser.
+      allow do
+        origins '*'
+        resource '/oauth/token',
+          credentials: false,
+          methods: [:post]
+      end
     end
 
     # Use caching across all environments

spec/requests/oauth/tokens_controller_spec.rb

+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Oauth::TokensController do
+  it 'allows cross-origin POST requests' do
+    post '/oauth/token', headers: { 'Origin' => 'http://notgitlab.com' }
+
+    expect(response.headers['Access-Control-Allow-Origin']).to eq '*'
+    expect(response.headers['Access-Control-Allow-Methods']).to eq 'POST'
+    expect(response.headers['Access-Control-Allow-Headers']).to be_nil
+    expect(response.headers['Access-Control-Allow-Credentials']).to be_nil
+  end
+end