authormo khan <mo@mokhan.ca>2022-05-17 14:30:30 -0600
committermo khan <mo@mokhan.ca>2022-05-17 14:30:30 -0600
commit20a6b779c2601bb41e6718da21ac99d232cb2c61 (patch)
tree97a70d025850644a9b68cc19189c34563258f5ff
parent55c45aa14976476c6f51375c05ffb8cd3840b779 (diff)
add notes on CORS
-rw-r--r--learn/authz/README.md46
1 files changed, 45 insertions, 1 deletions
diff --git a/learn/authz/README.md b/learn/authz/README.md
index f847cf7..ad701f3 100644
--- a/learn/authz/README.md
+++ b/learn/authz/README.md
@@ -107,7 +107,7 @@ Content-Type: application/json
}
```
-Example Flow:
+## API Gateway Example Flow
```plaintext
||======================================================||
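Review bot: the new `## API Gateway Example Flow` heading is placed directly on the line before the ```plaintext fence with no blank line between them; the rest of this file separates a heading from the block that follows it with a blank line (the `### Same Origin Policy` section added later in this patch does so), so insert one here for consistent rendering across markdown processors.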
@@ -234,6 +234,47 @@ Propagating User Context
||=====================|========================||
```
+
+* The API Gateway pattern is used to expose microservices to client applications
+ as APIs.
+* The API gateway helps to expose microservices of different flavors by using a
+ consistent and easy-to-understand interface to the consumers of these
+ services.
+* Protocols such as basic authn and mTLS are not sufficient to secure API's.
+* An access token can be a reference token or a self-contained token (JWT). If
+ it is a reference token, the gateway has to talk to the issuer to validate it.
+* Self contained tokens need short TTL's mitigate token revocation.
+
+### Same Origin Policy
+
+Cross origin resource sharing (CORS) is the exception to the same-origin policy.
+It allows an app running on `localhost:4200` to access resources on
+`localhost:8080`. Web browsers use the `OPTIONS` HTTP method along with special
+HTTP headers to determine whether to allow or deny a cross-origin request.
+
+Before sending a request to a different origin the browser will send an HTTP
+`OPTIONS` request to the resource on the particular origin. This is known as a
+_preflight request_. The request includes the following HTTP headers:
+
+* `Access-Control-Request-Headers`: indicates the HTTP headers that the request
+ is about to send to the server.
+* `Access-Control-Request-Method`: indicates the HTTP method about to be
+ executed by the request (e.g. `GET`).
+* `Origin`: indicates the origin of the web application. (e.g. `http://localhost:4200`)
+
+The server responds to the preflight request with the following headers:
+
+* `Access-Control-Allow-Credentials`: indicates whether the server allows the
+ request originator to send credentials in the form of authorization headers,
+ cookies, or TLS client certificates. (e.g. `true` or `false`)
+* `Access-Control-Allow-Headers`: indicates the list of headers allowed by the
+ particular resource on the server.
+* `Access-Control-Allow-Methods`: indicates the list of HTTP methods allowed by
+ the particular resource on the server.
+* `Access-Control-Allow-Origin`: indicates the cross-origin allowed by the
+ server.
+* `Access-Control-Max-Age`: indicates for how long to cache the preflight request.
+
## Glossary
* PAP: Policy Administration Point.
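Review bot: the paragraph beginning `Before sending a request to a different origin the browser will send an HTTP` overstates when a preflight happens. Browsers only preflight requests that are not "simple": a method other than GET, HEAD or POST, a header outside the safelist (an `Authorization` header, for example), or a `Content-Type` such as `application/json`. A plain GET or a form-encoded POST is sent straight to the server and only the response is checked against `Access-Control-Allow-Origin`, so the sentence should be qualified; the point that matters for an authz document is that CORS controls whether the calling script may read the response, not whether the request reaches the server, so it is not a substitute for CSRF protection. Three smaller corrections in the same hunk: `Self contained tokens need short TTL's mitigate token revocation.` is missing a word and inverts the idea (a short TTL compensates for the difficulty of revoking a self-contained token; it does not mitigate revocation); the `Access-Control-Allow-Credentials` bullet should say that when it is `true` the server must echo a specific origin in `Access-Control-Allow-Origin`, because browsers reject the `*` wildcard in combination with credentials; and `Access-Control-Max-Age` governs how long the preflight *response* is cached, not the request. Finally, `### Same Origin Policy` is nested as an H3 under `## API Gateway Example Flow` although its content is not part of that flow; consider making it an H2 like `## Glossary`.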
@@ -246,6 +287,9 @@ Propagating User Context
* OP: OpenID Provider is the OAuth 2.0 Authorization Server that is capable of
Authn and providing claims to a RP about the authn event and User.
* STS: Security Token Service
+* `X-Forwarded-For` HTTP header field is a common method for identifying the
+ originating IP address of a client connecting to a web server through an HTTP
+ proxy or load balancer.
[1]: https://datatracker.ietf.org/doc/html/rfc7662#section-2
[2]: https://auth0.com/docs/authenticate/login/oidc-conformant-authentication/oidc-adoption-access-tokens
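Review bot: the `X-Forwarded-For` glossary entry needs a caveat given the document's subject: the header value is whatever the preceding hop put there, and a client can send its own `X-Forwarded-For`, so an application that uses it for IP-based access decisions, allow-lists or rate limiting must trust only the entry appended by its own proxy or load balancer (and that proxy must strip or overwrite anything it did not set). Style: the other glossary entries follow the `TERM: definition` shape, so rewrite the bullet as `* \`X-Forwarded-For\`: HTTP header field ...` to match.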