By: Denis Souza user 07 Jun 2021 at 1:38 p.m. CDT

8 Responses
Hello, I'm running a local React application, using a generic OpenID lib (https://github.com/bjerkio/oidc-react) and following its example.

### Expected Behavior

The React app must redirect to Gluu's login screen, which responds with the authorization_code, and then a new request to get the token is sent. Gluu responds with the token and ends the flow.

### Actual Behavior

The React app redirects to Gluu's login screen, which responds with the authorization_code, then the token request fails with a CORS error:

```
Access to XMLHttpRequest at 'https://mygluu.poc.com/oxauth/restv1/token' from origin 'http://localhost:3000' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
```

### Example React APP

`App.js`

```
import React from 'react';
import { AuthProvider } from 'oidc-react';
import logo from './logo.svg';
import './App.css';
import LoggedIn from './LoggedIn';

// Provider settings handed to oidc-react's AuthProvider
const oidcConfig = {
  onSignIn: async (user) => {
    alert('You just signed in, congratz! Check out the console!');
    console.log(user);
    window.location.hash = '';
  },
  authority: 'https://mygluu.poc.com',
  clientId: 'myclietid',
  redirectUri:
    process.env.NODE_ENV === 'development'
      ? 'http://localhost:3000'
      : 'https://cobraz.github.io/example-oidc-react',
};

function App() {
  return (
    <AuthProvider {...oidcConfig}>
      <div className="App">
        <header className="App-header">
          <img src={logo} className="App-logo" alt="logo" />
          <p>OIDC React</p>
          <LoggedIn />
        </header>
      </div>
    </AuthProvider>
  );
}

export default App;
```

`LoggedIn.js`

```
import React from 'react';
import { useAuth } from 'oidc-react';

// Renders the sign-out button once oidc-react reports a signed-in user
const LoggedIn = () => {
  const auth = useAuth();
  if (auth && auth.userData) {
    return (
      <div>
        <strong>Logged in! </strong><br />
        <button onClick={() => auth.signOut()}>Log out!</button>
      </div>
    );
  }
  return <div>Not logged in! Try to refresh to be redirected to Gluu.</div>;
};

export default LoggedIn;
```

`Gluu client config`

OPENID CONNECT CLIENTS DETAILS

- **Name:** gluu-test-auth
- **Client ID:** XXXXXXXXXXX
- **Subject Type:** public
- **ClientSecret:** XXXXXXXXXXX
- **Client Uri:** http://localhost:3000
- **Application Type:** web
- **Persist Client Authorizations:** false
- **Pre-Authorization:** true
- **Authentication method for the Token Endpoint:** client_secret_basic
- **Logout Session Required:** false
- **Include Claims In Id Token:** false
- **Disabled:** false
- **Login Redirect URIs:** [http://localhost:3000]
- **Scopes:** [profile, openid, email]
- **Grant types:** [authorization_code, implicit, password, refresh_token]
- **Response types:** [code, token, id_token]

`CORS Filter config`

```
filterName CorsFilter
corsEnabled true
corsAllowedOrigins *
corsAllowedMethods GET,POST,HEAD,OPTIONS
corsAllowedHeaders Origin,Authorization,Accept,X-Requested-With,Content-Type,Access-Control-Request-Method,Access-Control-Request-Headers
corsExposedHeaders
corsSupportCredentials true
corsLoggingEnabled false
corsPreflightMaxAge 1800
corsRequestDecorate true
```

`/opt/gluu/jetty/oxauth/logs/oxauth.log`

```
2021-06-07 17:47:54,878 ERROR [qtp1590550415-713] [org.gluu.oxauth.auth.Authenticator] (Authenticator.java:284) - Failed to get session attributes
2021-06-07 17:47:54,880 INFO [qtp1590550415-713] [org.gluu.oxauth.auth.Authenticator] (Authenticator.java:224) - Authentication failed for 'admin'
2021-06-07 17:48:21,792 INFO [qtp1590550415-10] [org.gluu.oxauth.service.AuthenticationService] (AuthenticationService.java:666) - Attempting to redirect user: SessionUser: SessionId {dn='12c5015d-7caa-4a92-9645-42a3d5ef1342', id='12c5015d-7caa-4a92-9645-42a3d5ef1342', lastUsedAt=Mon Jun 07 17:48:21 UTC 2021, userDn='inum=0538ad1d-fa53-424f-b8d0-247410197c6b,ou=people,o=gluu', authenticationTime=Mon Jun 07 17:48:21 UTC 2021, state=authenticated, sessionState='7f523ba93e5039e61628e32e6615f5a5f6460208bfbfef9d44a1b43884d39386.baa73b99-964a-4af0-9341-45a6c1fd9189', permissionGranted=null, isJwt=false, jwt=null, permissionGrantedMap=SessionIdAccessMap{permissionGranted={1001.a751667e-b318-46af-b503-4974dfe520e7=false}}, involvedClients=null, sessionAttributes={auth_external_attributes=null, opbs=37f78f95-f393-48b7-a79a-f4f5804bc04c, response_type=code, nonce=6205161b-e009-43fe-8b79-3cc82f447df0, client_id=1001.a751667e-b318-46af-b503-4974dfe520e7, auth_step=1, acr=simple_password_auth, remote_ip=189.57.175.29, auth_user=admin, scope=openid profile email user_name, acr_values=simple_password_auth, redirect_uri=https://gluu-poc.luizalabs.com/identity/authcode.htm, state=7cd42c38-e191-4abc-a03a-cb377b148921}, persisted=true}
2021-06-07 17:48:21,793 INFO [qtp1590550415-10] [org.gluu.oxauth.service.AuthenticationService] (AuthenticationService.java:674) - Attempting to redirect user: User: org.gluu.oxauth.model.common.User@62a1f9c
2021-06-07 17:48:21,794 INFO [qtp1590550415-10] [org.gluu.oxauth.auth.Authenticator] (Authenticator.java:432) - Authentication success for User: 'admin'
2021-06-07 17:48:24,616 INFO [qtp1590550415-714] [org.gluu.oxauth.auth.Authenticator] (Authenticator.java:277) - Authentication success for Client: '1001.a751667e-b318-46af-b503-4974dfe520e7'
2021-06-07 18:00:31,972 INFO [qtp1590550415-714] [org.gluu.oxauth.service.AuthenticationService] (AuthenticationService.java:666) - Attempting to redirect user: SessionUser: SessionId {dn='d761cb81-c0ae-4006-a6a5-20e218943cd8', id='d761cb81-c0ae-4006-a6a5-20e218943cd8', lastUsedAt=Mon Jun 07 18:00:31 UTC 2021, userDn='inum=c72b9081-99ea-457e-a4f9-13d3ccf2de80,ou=people,o=gluu', authenticationTime=Mon Jun 07 18:00:31 UTC 2021, state=authenticated, sessionState='15c9c38bd2c35bcf81b686c69160adecfa25d3550de9de7da0a2c47d7f953b22.f2331a4f-ef82-40f0-89ae-241eb76f1fcc', permissionGranted=null, isJwt=false, jwt=null, permissionGrantedMap=SessionIdAccessMap{permissionGranted={35faf008-fa9e-4fb4-ab08-33020481a342=false}}, involvedClients=null, sessionAttributes={auth_external_attributes=null, opbs=93fd22f4-13a7-4a5a-b3f3-7338f71094ef, response_type=code, code_challenge_method=S256, client_id=35faf008-fa9e-4fb4-ab08-33020481a342, response_mode=query, auth_step=1, acr=simple_password_auth, remote_ip=200.170.150.210, auth_user=dt_souza, scope=openid, redirect_uri=http://localhost:3000, state=f283628c7ba64c2aad947ea8b74b1b8e, code_challenge=_QIdyaY6xEnr_fTYW2pzQHiO8tMecmC8otRwuoGTCyg}, persisted=true}
2021-06-07 18:00:31,972 INFO [qtp1590550415-714] [org.gluu.oxauth.service.AuthenticationService] (AuthenticationService.java:674) - Attempting to redirect user: User: org.gluu.oxauth.model.common.User@75a39a96
2021-06-07 18:00:31,973 INFO [qtp1590550415-714] [org.gluu.oxauth.auth.Authenticator] (Authenticator.java:432) - Authentication success for User: 'dt_souza'
2021-06-07 18:10:59,629 INFO [qtp1590550415-11] [org.gluu.oxauth.service.AuthenticationService] (AuthenticationService.java:666) - Attempting to redirect user: SessionUser: SessionId {dn='7cb9cd34-ed42-4d9d-9677-c8acf10703a7', id='7cb9cd34-ed42-4d9d-9677-c8acf10703a7', lastUsedAt=Mon Jun 07 18:10:59 UTC 2021, userDn='inum=c72b9081-99ea-457e-a4f9-13d3ccf2de80,ou=people,o=gluu', authenticationTime=Mon Jun 07 18:10:59 UTC 2021, state=authenticated, sessionState='4664c4b708e4382ee396fc8d60d7d41c890e8264dc5fa1737d9d009aaacb49d6.a29ac26b-3486-4e47-8984-966e4f2bdd6d', permissionGranted=null, isJwt=false, jwt=null, permissionGrantedMap=SessionIdAccessMap{permissionGranted={35faf008-fa9e-4fb4-ab08-33020481a342=false}}, involvedClients=null, sessionAttributes={auth_external_attributes=null, opbs=ff86f8f6-b4aa-4314-a14c-c157151dd9b0, response_type=code, code_challenge_method=S256, client_id=35faf008-fa9e-4fb4-ab08-33020481a342, response_mode=query, auth_step=1, acr=simple_password_auth, remote_ip=200.170.150.210, auth_user=dt_souza, scope=openid, redirect_uri=http://localhost:3000, state=0e2b55eae2a64084a212bbda18957a47, code_challenge=4iizQBT-slVnhaT06_lqYaBor1Uo3MtFKwjGfNZlD_g}, persisted=true}
2021-06-07 18:10:59,630 INFO [qtp1590550415-11] [org.gluu.oxauth.service.AuthenticationService] (AuthenticationService.java:674) - Attempting to redirect user: User: org.gluu.oxauth.model.common.User@57bb2f1f
2021-06-07 18:10:59,630 INFO [qtp1590550415-11] [org.gluu.oxauth.auth.Authenticator] (Authenticator.java:432) - Authentication success for User: 'dt_souza'
```

The other logs are empty.

By Aliaksandr Samuseu staff 07 Jun 2021 at 2:05 p.m. CDT

Hi, Denis. Thanks for the detailed data, but could you also record a network trace for your failing flow, and upload it somewhere, providing a link to it here? You can use steps listed [here](https://www.inflectra.com/support/knowledgebase/kb254.aspx) - please use Firefox for that task, Chrome's HARs are flawed. Also don't forget to set "Persist log" and "Disable cache" checkboxes in the console to save everything, not just the recently loaded page.

By Denis Souza user 07 Jun 2021 at 3:08 p.m. CDT

Hi, Aliaksandr. I uploaded it to my Google Drive, see if you can download it. The strange thing was that in Chrome I was able to make the complete flow from authentication to the failure in the token request, but in Firefox it didn't go beyond `.well-known/openid-configuration`. https://drive.google.com/file/d/1iCPZAjev0a_Z4kW7rfdmuoV3PjegKSo0/view?usp=sharing

By Jose Gonzalez staff 07 Jun 2021 at 3:19 p.m. CDT

Once I dealt with a similar CORS problem... Since your `https://gluu-poc.luizalabs.com` is probably protected by a self-signed cert, you have to explicitly visit that URL (or the well-known...) in FF and let your browser know that you want to proceed (i.e. give consent that browsing such a site is safe). Afterwards, you may run your JavaScript code.

By Denis Souza user 07 Jun 2021 at 3:26 p.m. CDT

Thanks, Jose, with this tip I was able to record the flow in firefox: https://drive.google.com/file/d/12HO1g56lm7_sJVrF90hvV0vGB-LKvHaO/view?usp=sharing

By Aliaksandr Samuseu staff 07 Jun 2021 at 4:50 p.m. CDT

Thanks for the tip, Jose. Denis, I indeed don't see any CORS headers in the response coming from the `/token` endpoint in the last HAR - but it's not a successful response either; it's "client authentication failed" instead. It still seems weird that the headers are missing in the error response, but I wonder whether they'll be there once we resolve the underlying issue with client authentication. As far as I can see in your HAR, your client doesn't include an "Authorization" HTTP header in the `/token` request - are you sure your source code is correct? I don't see the client secret mentioned in your `oidcConfig` object there, nor is there a reference to what auth method it should use (does it resort to a default in such a case? what is the default auth method then?).

By Aliaksandr Samuseu staff 07 Jun 2021 at 5:02 p.m. CDT

In fact, there is more than that. Here is what it sends in the request's body:

```
client_id=35faf008-fa9e-4fb4-ab08-33020481a342&
code=ad3e1919-dfae-4d09-a41b-580fd84907c2&
redirect_uri=http://localhost:3000&
code_verifier=252f9dbb8f364bebb18c4e22b1792b8f23c6ac5a81cf4d4f8e2a4ac76f7fc9d61b930165312440cd9ef08a13ab10b985&
grant_type=authorization_code
```

Note it contains the `client_id` parameter. This should only happen when the client uses the "client_secret_post" method - while according to your configuration, yours is using "client_secret_basic" (which expects the client's creds to be sent in the "Authorization" header). So two things need to be fixed:

1. Make sure your code uses the client secret for the `/token` endpoint.
2. Change the "Authentication method for the Token Endpoint" property in Gluu Server to "client_secret_post" for your client.

By Denis Souza user 08 Jun 2021 at 7:17 a.m. CDT

Thanks, Aliaksandr, it worked! I was pretty sure the problem was just misconfiguration, and after making these two changes as you mentioned it is running correctly. I have a history with Keycloak, and in public clients there is no need for a client_secret; in fact, it is not even generated in those cases. I really appreciate the help.

By Aliaksandr Samuseu staff 08 Jun 2021 at 9:59 a.m. CDT

Hi, Denis. Great, thanks for confirming. Closing it.