By: Karla Cardoso user 10 Jan 2018 at 7:25 a.m. CST

4 Responses
Karla Cardoso gravatar


I installed a Gluu Server for study. I want to test the authentication endpoint with a JS client using Implicit flow. I registered this OpenID Connect client via the oxTrust Administrative GUI.

When sending GET request the error below occurs: XMLHttpRequest cannot load https://gluuserver/oxauth/restv1/authorize. Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://<myclient>:8080' is therefore not allowed access. The response had HTTP status code 403.

I read the documentation at and I saw that CORS Filter is already registered on the server.

In the client I am using jquery code, as below:

function createCORSRequest (method, url) {   var xhr = new XMLHttpRequest ();   if ("withCredentials" in xhr) { (method, url, true);     alert ('withCredentials'); // show this message to me   } else if (typeof XDomainRequest! = "undefined") {     xhr = new XDomainRequest (); (method, url);   } else {     xhr = null;     alert ('CORS is not supported by the browser');   }   return xhr; }

function sendRequest (method, url, redirect_uri, client_id) {   var xhr = createCORSRequest (method, url);   if (! xhr) {      throw new Error ('CORS not supported');   }   xhr.setRequestHeader ('response_type', 'id_token token');   xhr.setRequestHeader ('client_id', client_id);   xhr.setRequestHeader ('scope', 'email');   xhr.setRequestHeader ('redirect_uri', redirect_uri);   xhr.setRequestHeader ('nonce', 'anytext');   xhr.setRequestHeader ('display', 'page');   xhr.setRequestHeader ('prompt', 'login');      // Response handlers.   xhr.onload = function () {     var text = xhr.responseText;     var title = getTitle (text);     alert ('Response from CORS request to' + url + ':' + title);   };

xhr.onerror = function () {     alert ('Woops, there was an error making the request.'); // show this message to me   };

xhr.send (); }

My headers (Inspect Chrome):

General Request URL:https://gluuserver/oxauth/restv1/authorize Request Method:OPTIONS Status Code:403 Forbidden Remote Address: Referrer Policy:no-referrer-when-downgrade

Response Headers Connection:Keep-Alive Content-Type:text/plain Date:Wed, 10 Jan 2018 12:56:35 GMT Keep-Alive:timeout=5, max=100 Server:Jetty(9.3.15.v20161220) Strict-Transport-Security:max-age=31536000; includeSubDomains Transfer-Encoding:chunked X-Content-Type-Options:nosniff X-Xss-Protection:1; mode=block

Request Headers Accept:/ Accept-Encoding:gzip, deflate, br Accept-Language:pt-BR,pt;q=0.8,en-US;q=0.6,en;q=0.4 Access-Control-Request-Headers:client_id,display,nonce,prompt,redirect_uri,response_type,scope Access-Control-Request-Method:GET Connection:keep-alive Host:gluuserver Origin:http://<myclient>:8080 Referer:http://<myclient>:8080/hello/ User-Agent:Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.104 Safari/537.36

Can you help me fix it? Via Postman works as expected...


By Aliaksandr Samuseu staff 10 Jan 2018 at 8:06 a.m. CST

Aliaksandr Samuseu gravatar

Hi, Karla.

I can ensure you that CORS filter works without issues in my own test setup, and in setup of a customer I'm cursory familiar with (both using some kind of implicit flows). Please also note that we usually don't provide support for custom scripts/clients development to our community users. If you'll manage to gather enough evidence that CORS implementation in Gluu is faulty, we'll do our best to fix it asap and provide some workaround to you. You could start from checking its behaviour against CORS specifications you can find in the net.

By Aliaksandr Samuseu staff 10 Jan 2018 at 8:10 a.m. CST

Aliaksandr Samuseu gravatar

Why won't you try to configure a test setup using our suggested implicit client, to get a hang of it? You can then compare requests they generate and perhaps see the cause of your issue.

By Karla Cardoso user 16 Jan 2018 at 6:55 a.m. CST

Karla Cardoso gravatar


I have identified an error in the code above. In fact I was not passing the parameters correctly. I changed sendRequest function:

function sendRequest(method, url, redirect_uri, client_id) { var params = { response_type: 'id_token token', client_id: client_id, scope: 'openid profile email', redirect_uri: redirect_uri, nonce: 'qualquertexto3', display: 'page', state: 'testestate3' }; url += '?' + jQuery.param( params );

var xhr = createCORSRequest(method, url); if (!xhr) { throw new Error('CORS not supported'); }

// Response handlers. xhr.onload = function() { var text = xhr.responseText; alert('Response from CORS request to ' + url + ' => '+text); };

xhr.onerror = function() { alert('Woops, there was an error making the request.'); };

xhr.send(); }

But CORS error still continues to occur:

XMLHttpRequest cannot load https://gluuserver/oxauth/authorize?scope=openid+profile+email&display=page…=%40%2157E7.F422.1BEC.8661%210001%212917.B555%210008%211057.2149.C76E.504A. Redirect from 'https://gluuserver/oxauth/authorize?scope=openid+profile+email&display=page…=%40%2157E7.F422.1BEC.8661%210001%212917.B555%210008%211057.2149.C76E.504A' to 'https://gluuserver/oxauth/login' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://myserver:8443' is therefore not allowed access.

I've already tested earlier the suggested alternative using implicit client (openidconnect.js). But the CORS problem is just bypassed right? It will not occur because it is not done through ajax call. The onClick of the button calls the OIDC.login return url directly:

<button onClick="OIDC.login( {scope : 'openid profile email', response_type : 'token id_token'} );" type="button" class="btn btn-success" >Authenticate</button>

I was able to go a little further in authenticating with openidconnect.js. However when displaying callbackpage.html the exception below occurs:

"Unable to get the ID Token from the current page URL: OidcException: Unable to verify the ID Token signature: OidcException: Unsupported JWS signature algorithm HS256"

Can you help me solve one of the two solutions?


By Aliaksandr Samuseu staff 19 Jan 2018 at 8:14 p.m. CST

Aliaksandr Samuseu gravatar

Hi, Karla.

Please create a HAR file with a capture of a full flow in which you observe issue with CORS and share here. Regarding the other issue signature verification - I'll try to check steps in this doc for myself.