By: Thomas W. user 27 Feb 2019 at 9:29 a.m. CST

6 Responses
Hello. I am attempting to get the OpenID configuration from our Gluu installation in an Angular project but I am experiencing an issue where the necessary CORS headers are not returned from Gluu.

# Example

If I attempt to retrieve the OpenID configuration (`https://example.com/.well-known/openid-configuration`), an error is produced in the browser's console (in this case, Chrome):

```
Access to XMLHttpRequest at 'https://example.com/.well-known/openid-configuration' from origin 'http://example2.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.
```

I've tried to retrieve the configuration with [Postman](https://www.getpostman.com/), which succeeds, but also shows that the `Access-Control-Allow-Origin` header is not set on the response. Furthermore, for simplicity's sake, I tried getting the configuration with a local HTML document making an XMLHttpRequest, resulting in the same error output in the browser console.

I've read the [CORS documentation for Gluu](https://gluu.org/docs/ce/3.1.4/admin-guide/cors/) but I must admit that I didn't glean much information from that. (On a slightly unrelated note, the documentation also seems to have mixed together the explanations for the fields `corsAllowedHeaders` and `corsExposedHeaders`.)

I tried adding `,Access-Control-Allow-Origin` to the already existing values in the field `corsAllowedHeaders` in `oxTrust UI -> JSON Configuration -> oxAuth Configuration -> corsConfigurationFilters` just to see if it had any effect, but it did not.

# Possibly related issue(s)

There's an [older issue posted](https://support.gluu.org/customization/2490/access-control-allow-origin-header/) which seems to be about the same issue, where the linked GitHub issue shows that the issue should be solved. However, since it is some years old, I don't know if it still applies; it seems it does not.

There is a mention of using a Tomcat CORS filter, but I'm not sure how to apply that. I hope you are able to provide a hint as to what is wrong here. If any further information is necessary, please let me know.

By Javier Rojas staff 27 Feb 2019 at 9:36 p.m. CST

Hello Thomas,

Please review your CORS config, and double check whether you have `corsEnabled` set to True (see the attached image).

Also, you can use the tool at test-cors.org pointing to your own server to perform a quick test and send me the result. For example, testing the ce-dev3 server:

https://www.test-cors.org/#?client_method=GET&client_credentials=false&server_url=https%3A%2F%2Fce-dev3.gluu.org%2F.well-known%2Fopenid-configuration&server_enable=true&server_status=200&server_credentials=false&server_tabs=remote

Best Regards -- Javier

By Thomas W. user 28 Feb 2019 at 3:47 a.m. CST

Hi Javier. Thanks for the response.

# corsEnabled

For some reason I do not have the `corsEnabled` option in my settings (see linked image). Additionally, I checked the LDAP configuration under `gluu -> appliances -> <ID> -> configuration -> oxauth -> oxAuthConfDynamic` and the CORS related section looks like this:

```
"corsConfigurationFilters": [
  {
    "filterName": "CorsFilter",
    "corsAllowedOrigins": "*",
    "corsAllowedMethods": "GET,POST,HEAD,OPTIONS",
    "corsAllowedHeaders": "Origin,Authorization,Accept,X-Requested-With,Content-Type,Access-Control-Request-Method,Access-Control-Request-Headers,Access-Control-Allow-Origin",
    "corsExposedHeaders": "Origin,Accept,X-Requested-With,Content-Type,Access-Control-Request-Method,Access-Control-Request-Headers,Access-Control-Allow-Origin",
    "corsSupportCredentials": true,
    "corsLoggingEnabled": false,
    "corsPreflightMaxAge": 1800,
    "corsRequestDecorate": true
  }
],
```

Could this be a problem?

# test-cors.org

I ran the test on test-cors.org against our Gluu installation and got the following response:

```
Sending GET request to https://example.com/.well-known/openid-configuration
Fired XHR event: loadstart
Fired XHR event: readystatechange
Fired XHR event: readystatechange
Fired XHR event: progress
Fired XHR event: readystatechange
Fired XHR event: load
XHR status: 200
XHR status text: OK
XHR exposed response headers:
content-type: application/json
access-control-allow-origin: https://www.test-cors.org
Fired XHR event: loadend
```

# CORS headers

On a different note, just for testing, I tried using the Gluu installation you used for test-cors.org, `https://ce-dev3.gluu.org/.well-known/openid-configuration`, for a request, and I see the same error in the browser console (Chrome) as I originally posted:

```
Access to XMLHttpRequest at 'https://ce-dev3.gluu.org/.well-known/openid-configuration' from origin 'http://example.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.
```

It seems to me like Gluu is not setting `Access-Control-Allow-Origin: '*'` for the `/.well-known/openid-configuration` endpoint (possibly others as well?).

By Michael Schwartz staff 28 Feb 2019 at 10:41 p.m. CST

You can modify the Apache httpd config to suit your needs. Also note that for Angular applications, you should look at [AppAuth-JS](https://github.com/openid/AppAuth-JS). This library is more secure because it uses PKCE and the code flow.

By Thomas W. user 01 Mar 2019 at 8:18 a.m. CST

Hello Michael. Thanks for your response.

I managed to add the `Access-Control-Allow-Origin: "*"` header by adding

```
<LocationMatch "/.well-known/openid-configuration">
    ProxyPass http://localhost:8081/oxauth/.well-known/openid-configuration
    Header set Access-Control-Allow-Origin "*"
</LocationMatch>
```

to the file `/etc/apache2/sites-available/https_gluu.conf`. This alleviated the problem with the browser complaining about the CORS headers. However, I am now receiving a `403 Forbidden` response. This only happens when trying to retrieve the endpoint via XMLHttpRequest; if I open the endpoint directly in the browser, there is no problem. The output in the browser console is

```
GET https://example.com/.well-known/openid-configuration 403 (Forbidden)
```

And the only output relating to this that I've been able to find is in `/var/log/apache2/other_vhosts_access.log`, which outputs the following:

```
example.com:443 <IP> - - [01/Mar/2019:14:13:20 +0000] "GET /.well-known/openid-configuration HTTP/1.1" 403 528 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.119 Safari/537.36"
```

Is this something you could happen to have some input on?

Also, thanks for your input on the library for Angular; I'll consider whether this is something I should implement. Currently, I am working with the [angular-oauth2-oidc library](https://github.com/manfredsteyer/angular-oauth2-oidc).
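The browser-side check behind the "No 'Access-Control-Allow-Origin' header is present" errors quoted in this thread, and a review of a `corsConfigurationFilters` entry like the one posted above, as an added example that is not Gluu, Tomcat or Apache code; the sample filter values are constructed here and the decision rules follow the CORS check in the Fetch standard.

```python
# Added example (not Gluu, Tomcat or Apache code): a model of the browser-side
# CORS check behind the console errors quoted in this thread, plus a review of a
# corsConfigurationFilters entry like the one posted above. Sample values are
# constructed; the decision rules follow the Fetch standard's CORS check.

def cors_decision(origin, response_headers, preflight=False, with_credentials=False):
    """Return (allowed, reason) as a browser would judge a cross-origin response."""
    hdrs = {k.lower(): v for k, v in response_headers.items()}
    acao = hdrs.get("access-control-allow-origin")
    if acao is None:
        what = "preflight request" if preflight else "request"
        return False, ("Response to {} doesn't pass access control check: "
                       "No 'Access-Control-Allow-Origin' header is present").format(what)
    if acao == "*":
        # 'Header set Access-Control-Allow-Origin "*"' in Apache satisfies anonymous
        # requests only; for a credentialed request the browser rejects the wildcard.
        if with_credentials:
            return False, "wildcard '*' is not accepted for a credentialed request"
        return True, "wildcard origin accepted"
    if acao != origin:
        return False, "Access-Control-Allow-Origin {!r} != origin {!r}".format(acao, origin)
    if with_credentials and hdrs.get("access-control-allow-credentials", "").lower() != "true":
        return False, "credentialed request needs Access-Control-Allow-Credentials: true"
    return True, "origin matches"

def audit_cors_filter(cfg):
    """Flag over-permissive or ineffective settings in one corsConfigurationFilters entry."""
    findings = []
    origins = [o.strip() for o in cfg.get("corsAllowedOrigins", "").split(",")]
    if "*" in origins and cfg.get("corsSupportCredentials"):
        findings.append("corsAllowedOrigins '*' with corsSupportCredentials true: any "
                        "origin is accepted for credentialed requests; list explicit origins")
    # Access-Control-Allow-Headers names *request* headers the client may send, so a
    # response header such as Access-Control-Allow-Origin listed there has no effect.
    allowed = [h.strip().lower() for h in cfg.get("corsAllowedHeaders", "").split(",")]
    if "access-control-allow-origin" in allowed:
        findings.append("Access-Control-Allow-Origin in corsAllowedHeaders has no effect")
    return findings

# Constructed sample mirroring the filter entry posted in this thread.
SAMPLE_FILTER = {
    "filterName": "CorsFilter",
    "corsAllowedOrigins": "*",
    "corsAllowedMethods": "GET,POST,HEAD,OPTIONS",
    "corsAllowedHeaders": "Origin,Authorization,Accept,Content-Type,Access-Control-Allow-Origin",
    "corsSupportCredentials": True,
}
```

Running `cors_decision("http://example2.com", {"Content-Type": "application/json"}, preflight=True)` reproduces the preflight failure from the first post, and `audit_cors_filter(SAMPLE_FILTER)` returns two findings for the posted configuration.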

By Thomas W. user 05 Mar 2019 at 8:28 a.m. CST

For the record, which I forgot to mention earlier, I also tested with the [openid-implicit-client](https://github.com/GluuFederation/openid-implicit-client) provided by you guys with a simple HTML page:

```
<html>
  <head>
    <script src="https://cdn.rawgit.com/GluuFederation/openid-implicit-client/master/openidconnect.js"></script>
  </head>
  <body>
    <script>
      var providerInfo = OIDC.discover('https://example.com');
    </script>
  </body>
</html>
```

Two outputs in the browser console:

```
GET https://example.com/.well-known/openid-configuration 403 (Forbidden)
```

```
Uncaught OidcException {
  message: "Unable to perform discovery: OidcException: Unable to retrieve JSON file at https://example.com/.well-known/openid-configuration : OidcException: fetchJSON - 403 Forbidden"
  name: "OidcException"
}
```

Which is basically the same result as my homegrown test posted earlier.

By Thomas W. user 13 Mar 2019 at 9:51 a.m. CDT

Figured this out; it was an amalgamation of two unrelated things. First, it *seems* that Chrome blocks CORS requests from a local file and shows some output that I, personally, find confusing/misleading. The `403 Forbidden` error might be caused by that block. Second, there was an implementation error in an Angular interceptor, which overwrote all headers for all requests, thus messing up the requests to Gluu. After fixing that, the Angular app was able to retrieve the discovery document. Unfortunately, these two issues just output very similar errors, which threw me off.