providers/oauth2: allow protected_resource_view when method is OPTIONS

# Conflicts:
#	authentik/providers/oauth2/views/provider.py

authentik/providers/oauth2/utils.py

@@ -101,7 +101,9 @@ def protected_resource_view(scopes: list[str]):
     This decorator also injects the token into `kwargs`"""
 
     def wrapper(view):
-        def view_wrapper(request, *args, **kwargs):
+        def view_wrapper(request: HttpRequest, *args, **kwargs):
+            if request.method == "OPTIONS":
+                return view(request, *args, **kwargs)
             try:
                 access_token = extract_access_token(request)
                 if not access_token:

authentik/providers/oauth2/views/provider.py

@@ -19,6 +19,7 @@ from authentik.providers.oauth2.models import (
     ResponseTypes,
     ScopeMapping,
 )
+from authentik.providers.oauth2.utils import cors_allow_any
 
 LOGGER = get_logger()
 
@@ -103,9 +104,10 @@ class ProviderInfoView(View):
         provider: OAuth2Provider = get_object_or_404(
             OAuth2Provider, pk=application.provider_id
         )
-        response = JsonResponse(
-            self.get_info(provider), json_dumps_params={"indent": 2}
-        )
-        response["Access-Control-Allow-Origin"] = "*"
+        return JsonResponse(self.get_info(provider), json_dumps_params={"indent": 2})
 
+    def dispatch(self, request: HttpRequest, *args: Any, **kwargs: Any) -> HttpResponse:
+        # Since this view only supports get, we can statically set the CORS headers
+        response = super().dispatch(request, *args, **kwargs)
+        cors_allow_any(request, response)
         return response