The /_/invoke/tenant/<tenantId>/<path> is essentially a passthrough proxy to the target module. In order to allow mod-login-saml to set cookies - as part of CSRF prevention, we would like that module to perform it's own CORS handling. It's currently invoked via the aforementioned passthrough proxy API.
See https://wiki.folio.org/display/DD/SAML+CSRF+Prevention for details.
- The module descriptor allows you to optionally specify whether or not to delegate CORS handling to the target module when invoked via /_/invoke/tenant/<tenantId>/<path>
- CORS handling is conditionally handled in OKAPI based on the target module's descriptor (only when invoked via /_/invoke/tenant/<tenantId>/<path>)
- OKAPI guide is updated with details