CORS issue in oauth2 authorizationCode flow #6081
Comments
|
The authorization server needs to be set up to allow CORS for this to work. However, even with an authorization server set up for CORS this sometimes fails because it unnecessarily adds "X-Requested-With" header to Token endpoint call, and that "upgrades" the request to require preflight. And as Token request is generally a simple request, some authorization servers don't handle preflight at all. |
|
Unfortunately i don't have control over the authorization server..It's a managed service which I leveraged. Are there any workarounds that can be done? |
|
@aldredb you can use |
|
@hkosova What about laurynasr comment about removing the X-Requested-With header? This break CORS for us. Looking at OIDC library on github neither appauth-js or oidc-client-js need preflight for this. It's all done with simple request. |
|
The original problem that the I'd argue that the header should be removed, or at least made configurable so that people who have issues with CORS can disable it. |
|
In particular, PR #4934 concerns an oauth2 server that returns a header of |
…S preflight Simple requests are described here: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#Examples_of_access_control_scenarios Fixes swagger-api#6081
|
@aldredb @BeChaRem can you check whether the changes in this branch on my fork fix the problem for you? https://github.com/SpoonMeiser/swagger-ui/tree/fix-cors-issue Turns out that it doesn't fix the problem I'm having, but these changes add a test that the request is a "simple" request, so might be worth making a PR if it fixes someone's problem. |
|
It fix the issue for us. No preflight and a successful call to the token endpoint. |
What exactly resolved the issue for you? |
Removing the "X-Requested-With": "XMLHttpRequest" Headers for the Token request as seen in SpoonMeiser commit. |
Ok. Thank you. How exactly can I reference @SpoonMeiser fork as a nuget package? |
|
I don't know. I pulled his branch and tested locally to confirms the fix. I didn't go farther than that. |
How exactly did you test locally? How did you reference a local version of swaggerUI without a nuget reference? The reason I dont believe this is a solution is because I am encountering the exact same issue and have used a Chrome extension to remove the X-Requested-With header. Even after removing the header using the extension, it still has the same error message. Therefore, its hard for me to validate this is in fact the solution. |
|
SwaggerUI have a standalone page in ./dist when you build it. Steps I did to verify @SpoonMeiser branch:
Only 1 GET request was done to the token endpoint. No pre-flight. |
|
1 workaround I have found for me is to use Chrome Extension and force the response header Even though I have a proxy that returns this same exact header, using a chrome extension to force modify the header strangely allows me to workaround the issue. For me, changing/modifying the X-Requested-With header did not resolve the issue. |
Our IdP reflect the origin, instead of replying with *. I don't know if this makes a difference.
|
I dont believe it makes a difference since I can workaround the issue by using https://localhost:44386 or * The million dollar question for me is : Why exactly would using a chrome plugin to set the value of access-control-allow-origin to the exact same value as the server response change the outcome of how the browser treats the response? There is no difference whatsoever in the value returned from the server or from the plugin. They are the same value! Diff shown below So in summary: I experienced the exact same issue that the author of this issue experienced. My temporary workaround ( certainly not permanent since API developer/customers are not going to want to download a plugin just for using an API) is to use a chrome plugin to override the value of the response header "access-control-allow-origin" to either "*" or "https://localhost:44343" , which is the exact same value returned from the server response. Therefore, I dont believe a proxy is necessarily the solution. |
|
We are facing the same problem with an IdentityServer which does not support CORS for Most swagger implementations (we are using With this we were able to workaround the issue by using this code window.fetch = function (fetch) {
return function () {
var req = arguments[1];
if(req.headers["X-Requested-With"]) {
delete req.headers["X-Requested-With"];
}
return fetch.apply(window, arguments);
};
}(window.fetch);Hth someone else. |
This javascript solution does work, but what is the security risk of implementing this workaround? |
|
Backreference, gitlab.com's oauth implementation has the same issue: https://gitlab.com/gitlab-org/gitlab/-/issues/300077#note_975798994 |
|
Gitlab is not going to adjust CORS behaviour. Is there a chance to adjust it in the swagger-ui? :) |
|
Any chance to get #4934 reverted? |
|
Try this .NET package: AspNetCore.Proxy. Add this code to your program.cs file after app.MapControllers().RequireAuthorization() and before app.Run() here is my flows parameter: |
Q&A (please complete the following information)
Content & configuration
Example Swagger/OpenAPI definition:
Swagger-UI configuration options:
Describe the bug you're encountering
I used the
authorization_codegrant flow to receive my grant code, however, during token retrieval i received error:Auth ErrorTypeError: Origin http://localhost:8080 is not allowed by Access-Control-Allow-Origin.Screenshots
The text was updated successfully, but these errors were encountered: