By: Sthitaprajna Das named 03 Feb 2020 at 9:04 a.m. CST

13 Responses
## Expected behavior

User info details should show after logging in and clicking on the "get user details" button in a SPA sample app.

## Actual error

Fetching userinfo details errors, saying "No 'Access-Control-Allow-Origin' header is present on the requested resource". We have tried mostly with the PKCE flow. We are seeing that the user is able to log in, and is able to fetch the code and access token. We are able to print the access token on the page.

## Minimized Example

Basically we have tried multiple Angular and Ionic sample applications and libraries (Identity Server, oidc-angular-client and others too) that claim to do authentication using OpenID/OAuth. All of them work fine if we try other identity providers like Okta and Auth0, but when we use Gluu, the CORS error comes. We have also enabled CORS and also added the header in our corsAllowedHeader property there. Attached our CORS configuration page. Also attached error details. We are getting this in both Gluu 3.16 and Gluu 4.00. The sample code we have been using can be found on GitHub at https://github.com/wi3land/ionic-appauth-ng-demo

## Way to simulate

1. Clone the code from the above link
2. In file https://github.com/wi3land/ionic-appauth-ng-demo/blob/master/src/app/core/auth.service.ts, provide details like client id, redirect url etc.
3. npm install and then ng serve

Please note that we have also been trying other sample Angular apps, for implicit or PKCE flow, but the same CORS issue comes. As suggested in other tickets like https://support.gluu.org/other/6720/missing-cors-headers/ by Mike, to use the AppAuth JS library: since our target app is an Ionic one, we found that Ionic AppAuth is just the Ionic version of the AppAuth JS library, so we decided to try out the above code base. We seek a standard approach for this problem. We are not able to figure out if we need to make any code change anywhere, as these libraries abstract the endpoint calls. Request quick help on this.

All attachments at - https://drive.google.com/drive/folders/1Ax7BtGLAH7OW3g1yDu3FXo3wMiUns83d?usp=sharing

By Aliaksandr Samuseu staff 03 Feb 2020 at 9:25 a.m. CST

Hi, Sthitaprajna. Ok, let us try this out. A word of advice: you should have your account added to Centroxy's main group at Support Boards, otherwise we can't guarantee a timely response, for tickets marked as Community tickets.

By Sthitaprajna Das named 03 Feb 2020 at 9:31 a.m. CST

Thanks Aliaksandr, I am checking how I can add myself to the Centroxy main group. Meanwhile, just wanted to say that we also tried a proxy approach mentioned at https://github.com/ionic-team/ionic-proxy-example

By Michael Schwartz Account Admin 03 Feb 2020 at 9:53 a.m. CST

Did you read the section about CORS? [https://gluu.org/docs/ce/4.0/admin-guide/cors/#configure-cors](https://gluu.org/docs/ce/4.0/admin-guide/cors/#configure-cors)

By Sthitaprajna Das named 03 Feb 2020 at 1:04 p.m. CST

Hi Mike, Good Morning!! Yes, I have been through those configuration details. We have tried tweaking things there. For example, added headers to 'allowed headers' and 'exposed headers'. And also set the allowed CORS url field to * or http://localhost:8100 (for Ionic). Are we still missing something!!

By Sthitaprajna Das named 04 Feb 2020 at 4 a.m. CST

Hi, I have already shared the CORS config page at https://drive.google.com/drive/folders/1Ax7BtGLAH7OW3g1yDu3FXo3wMiUns83d?usp=sharing Do you suggest any changes there? Regards, Sthita

By Aliaksandr Samuseu staff 04 Feb 2020 at 12:24 p.m. CST

Hi, Sthitaprajna. Do you think you could record that flow with the browser's dev console, and share the HAR file with us? I reached a point where I'm getting some error when I click the "Get user details" button on the demo app's page - but it doesn't seem to have anything to do with CORS, more like the demo app using an incorrect request to the token endpoint (the demo app seems to use implicit flow, but then tries to acquire a refresh token from the `/token` endpoint, which isn't supported for this flow; at that point it fails). I haven't seen a CORS error so far, maybe because our setups still differ somehow. You can use the steps listed [here](https://www.inflectra.com/support/knowledgebase/kb254.aspx) - please use Firefox for that task, Chrome's HARs are flawed. Also don't forget to set the "Persist log" and "Disable cache" checkboxes in the console to save everything, not just the recently loaded page.

By Aliaksandr Samuseu staff 07 Feb 2020 at 10:38 a.m. CST

Here is the summary of the data that has been gathered so far in chat talks with the Centroxy team. All screenshots and logs are shared under the gdrive folder: [link](https://drive.google.com/drive/folders/13FxSqgGU7EC3Iufg9URGiDLnOeTlNxPW)

1. Centroxy has two Gluu Server instances, 4.0 and 3.1.6; both have similar CORS issues when coupled with the demo app in question; it's been mentioned that 3.1.6 sometimes doesn't have it, and sometimes does, though.
2. No CORS headers in the HARs and http log Centroxy provided; looks like the CORS filter is disabled at these instances, while according to screenshots it's enabled (it also should be enabled OOTB anyway; normally you don't see any CORS issues due to this).
3. Centroxy gathered the oxAuth start-up log at TRACE level so Javier could try to find some clues pointing to some code failing to initialize.

By Aliaksandr Samuseu staff 07 Feb 2020 at 11:47 a.m. CST

@Javier.Rojas An important detail: after double-checking the http log Centroxy provided, I now see that the `access-control-*` CORS headers are not totally absent, they are actually present on responses coming from the `/oxauth/.well-known/openid-configuration` metadata endpoint! But they are absent from any regular responses generated during an actual OIDC flow.

By Aliaksandr Samuseu staff 07 Feb 2020 at 12:33 p.m. CST

As a temporary workaround, you could try the following:

1. Move into the container.
2. Enable `mod_rewrite`:
   - For CentOS / RHEL: edit `/etc/httpd/conf/httpd.conf` and add one more "LoadModule" directive to it around the rest of them: `LoadModule rewrite_module modules/mod_rewrite.so`
   - For Ubuntu / Debian: `# a2enmod rewrite`
3. Preserve the original config file to roll back your changes more easily later:
   - CentOS / RHEL: `# cp /etc/httpd/conf.d/https_gluu.conf /etc/httpd/conf.d/https_gluu.conf.orig`
   - Ubuntu / Debian: `# cp /etc/apache2/sites-enabled/https_gluu.conf /etc/apache2/sites-enabled/https_gluu.conf.orig`
4. Open Gluu's Apache config for editing:
   - CentOS / RHEL: `/etc/httpd/conf.d/https_gluu.conf`
   - Ubuntu / Debian: `/etc/apache2/sites-enabled/https_gluu.conf`
5. Find the `<Location /oxauth>` section in the file and add all the "Header" and "Rewrite*" clauses to make it look like this:

   ```
   <Location /oxauth>
       ProxyPass http://localhost:8081/oxauth retry=5 connectiontimeout=60 timeout=60
       Header always set Access-Control-Allow-Origin "*"
       Header always set Access-Control-Allow-Methods "POST, GET, OPTIONS"
       Header always set Access-Control-Max-Age "1800"
       Header always set Access-Control-Allow-Headers "authorization,origin,x-requested-with,access-control-request-headers,content-type,access-control-request-method,accept"
       RewriteEngine On
       RewriteCond %{REQUEST_METHOD} OPTIONS
       RewriteRule ^(.*)$ $1 [R=204,L]
       Order deny,allow
       Allow from all
   </Location>
   ```

6. Add the new element provided below somewhere before the `<Location /oxauth>` section:

   ```
   <LocationMatch "/.well-known/openid-configuration">
       ProxyPass http://localhost:8081/oxauth/.well-known/openid-configuration retry=5 connectiontimeout=60 timeout=60
       Header set Access-Control-Allow-Origin "*"
   </LocationMatch>
   ```

7. Restart the "httpd" service ("apache2" for Ubuntu / Debian).

By Aliaksandr Samuseu staff 10 Feb 2020 at 1:46 p.m. CST

Hi, Sthitaprajna. How is it going? Have you tried the workaround suggested [above](https://support.gluu.org/7935/#at56557)? I believe Sobhan said you needed it to be operational this Monday, and that you'll be trying the hot-fix last Saturday - but haven't heard from him since then.

By Sobhan Panda named 11 Feb 2020 at 1:53 p.m. CST

Hi Alex, Here are the files you asked for. Please check them.

By Aliaksandr Samuseu staff 11 Feb 2020 at 6:11 p.m. CST

Hi, thanks. I've shared some thoughts in the chats.

By Sobhan Panda named 13 Feb 2020 at 8:36 a.m. CST

Hi Alex, Since that particular application was having an invalid token request, we have now tried another application, which is Angular. Here we are trying the authorization code flow. But the issue remains the same. While hitting the token endpoint we are seeing a CORS error (attached error detail). Please note that we are also sometimes getting a CORS error which complains that '*' and localhost:8080 (application URL) can not both be assigned in ProxyPass. Since within the Gluu UI we are already setting the allowed host to *, another entry in https_gluu.conf is showing the issue too. Please note that in this application the grant type is correctly set as 'authorization_code' when the token endpoint is hit. Okta and Auth0 are working fine for this application!! Please suggest next steps.
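The two browser errors in this thread (the opening post's "No 'Access-Control-Allow-Origin' header is present" and the later "'*' and localhost:8080 can not both be assigned") are both produced by the browser's own CORS checks on the token endpoint's response, not by the server rejecting the request. The script below is an added example, not code from the ticket, from Gluu or from the demo app: it models those checks after the WHATWG Fetch standard and runs them over constructed sample responses, including one where the application's CORS filter and an Apache `Header set` both emit `Access-Control-Allow-Origin`, and a preflight answer shaped like the Apache workaround posted above. The function names, the `Response` type and the sample headers are assumptions made for illustration.

```python
"""Browser-side CORS checks modelled on the WHATWG Fetch standard, run over
constructed sample responses. Added example, not from the ticket or Gluu;
function names and samples are illustrative assumptions."""
from dataclasses import dataclass

# Request headers a browser may send without listing them in the preflight
# (content-type only for form/text media types, which a token request uses).
CORS_SAFELISTED = {"accept", "accept-language", "content-language", "content-type"}


@dataclass
class Response:
    """Status plus an ordered list of (name, value) header pairs, so a header
    emitted twice by two layers (app filter + Apache) stays visible."""
    status: int
    headers: list

    def values(self, name):
        """All values for a header, splitting on commas as a browser does."""
        out = []
        for k, v in self.headers:
            if k.lower() == name.lower():
                out.extend(p.strip() for p in v.split(","))
        return out


def check_cors_response(origin, resp, credentials=False):
    """Return (ok, reason) for a cross-origin request sent from `origin`."""
    acao = resp.values("Access-Control-Allow-Origin")
    if not acao:  # the error quoted in the opening post
        return False, ("No 'Access-Control-Allow-Origin' header is present "
                       "on the requested resource")
    if len(acao) > 1:  # two layers each set the header: browser rejects it
        return False, ("Access-Control-Allow-Origin contains multiple values "
                       "'%s', but only one is allowed" % ", ".join(acao))
    allowed = acao[0]
    if allowed == "*":
        if credentials:
            return False, "wildcard origin is not allowed for credentialed requests"
        return True, "ok (wildcard)"
    if allowed != origin:
        return False, "origin %s is not equal to the allowed origin %s" % (origin, allowed)
    if credentials and [v.lower() for v in resp.values("Access-Control-Allow-Credentials")] != ["true"]:
        return False, "Access-Control-Allow-Credentials must be exactly 'true'"
    return True, "ok"


def check_preflight(origin, method, request_headers, resp):
    """Validate an OPTIONS preflight response for an actual request that will
    use `method` and send `request_headers`."""
    ok, reason = check_cors_response(origin, resp)
    if not ok:
        return False, reason
    if not 200 <= resp.status < 300:
        return False, "preflight status %d is not 2xx" % resp.status
    methods = {m.upper() for m in resp.values("Access-Control-Allow-Methods")}
    if method.upper() not in {"GET", "HEAD", "POST"} | methods and "*" not in methods:
        return False, "method %s is not listed in Access-Control-Allow-Methods" % method
    allowed = {h.lower() for h in resp.values("Access-Control-Allow-Headers")}
    for h in request_headers:
        hl = h.lower()
        # "*" in Allow-Headers never covers Authorization; it must be listed explicitly.
        if hl in CORS_SAFELISTED or hl in allowed or ("*" in allowed and hl != "authorization"):
            continue
        return False, "request header %s is not listed in Access-Control-Allow-Headers" % h
    return True, "preflight ok"


# Constructed samples: token-endpoint responses as seen by an app at APP_ORIGIN.
APP_ORIGIN = "http://localhost:8080"
SAMPLE_NO_CORS = Response(200, [("Content-Type", "application/json")])
SAMPLE_DOUBLED = Response(200, [("Content-Type", "application/json"),
                                ("Access-Control-Allow-Origin", APP_ORIGIN),  # app filter
                                ("Access-Control-Allow-Origin", "*")])        # Apache Header set
SAMPLE_GOOD = Response(200, [("Content-Type", "application/json"),
                             ("Access-Control-Allow-Origin", APP_ORIGIN)])
# Preflight answer shaped like the Apache workaround: 204 plus the Access-Control-* headers.
SAMPLE_PREFLIGHT = Response(204, [
    ("Access-Control-Allow-Origin", "*"),
    ("Access-Control-Allow-Methods", "POST, GET, OPTIONS"),
    ("Access-Control-Max-Age", "1800"),
    ("Access-Control-Allow-Headers", "authorization,origin,x-requested-with,"
     "access-control-request-headers,content-type,access-control-request-method,accept"),
])


def evaluate_samples():
    """Run every sample through the checks; returns {name: (ok, reason)}."""
    return {
        "no_cors": check_cors_response(APP_ORIGIN, SAMPLE_NO_CORS),
        "doubled": check_cors_response(APP_ORIGIN, SAMPLE_DOUBLED),
        "good": check_cors_response(APP_ORIGIN, SAMPLE_GOOD),
        "preflight": check_preflight(APP_ORIGIN, "POST", ["authorization", "content-type"],
                                     SAMPLE_PREFLIGHT),
    }


if __name__ == "__main__":
    for name, (ok, reason) in evaluate_samples().items():
        print("%-10s %s  %s" % (name, "PASS" if ok else "FAIL", reason))
```

The `doubled` sample is the situation to watch for when combining the Gluu CORS filter with the Apache `Header set` lines: the browser sees both values and fails the request even though each layer on its own is permissive. Comparing a real HAR against these checks (which header is missing, or doubled, on which request) tells you which layer to fix, rather than adding more headers. A wildcard origin also disables credentialed requests, so for a confidential client a single, exact origin is the safer setting.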