i have this problem in production enviromment, it's happened because i'm trying to redirect user to federation to authenticate,
i'm using SAML authentication && IBM IHS
console log of cors
Are you using ADFS? Where is it in the picture?
ADFS does not handle CORS and there is no way to add this header.
You need to do this via a proxy.
Related
Istio supports AuthZ and AuthN services, but is there a way to implement a token validation via a proxy?
Example: User/Client sends a request to Service-A, the request hits to istio-ingressGateway and Gateway validates the token via another service (Validation Service) if the token is valid user/client can get the user data if not send an error equivalent response.
You can write a micro-gateway service using Netflix Zuul which will be the landing service from your Istio Gateway. It can do quick token validation using Zuul filters and then forward the request to the desired service or return a token error response. You can use this service for issuing tokens and also hosting the JWK keys for JWT tokens.
I've written a Java implementation for the same.
Otherwise, you can use an internal Nginx server as a landing for all your request and then use http_auth_request_module to do a quick auth and then proxy forward to other services. You can find it on Nginx documentation.
Unfortunately, I didn't find anything as such provided by Istio as of now.
Posted community wiki answer for better visibility. As Tushar Mistry mentioned in the comments - problem is solved based on this article:
This was the second blog I found while searching oauth2-proxy with istio, he uses Envoy Filter for authorization, but latest istio provides external authorization Today I was successful in redirecting unauthorized request to oauth-proxy2 with istio external authorization, now facing problem after authentication says login failed CSRF token not found
and later:
Implemented this method sucessfully will share a blog if got time.
See also Better External Authorization.
My setup is as follows:
Rest APIs (Spring boot)
Front-end application (Angular 8)
Auth Server (Keycloak)
Current scenario:
User enters the username and password in the angular login page.
Angular makes a POST request and gets the access token, refresh token etc. from keycloak server.
In all subsequent request to rest api server(which is bearer only), the access token is passed in
header as "Authorization: Bearer <ACCESS_TOKEN>"
Rest api looks at the role of the user and based on that either returns the desired data or throws a 403 Forbidden exception.
What I want:
To authenticate external users using an api-key and then add rate-limiting to it. For that, i am using Kong API Gateway. For internal or trusted users that login through the angular app, the existing access token flow should work.
Issue:
When using apikey in Kong, it does pass the Kong's authentication but the rest api server still expects an access token and hence get the 401 unauthorized error.
I found the solution for this. Basically you need to configure an anonymous consumer and enable multiple authentication methods using the Kong's key-auth plugin for api-key based security and openid-connect plugin for keycloak based security.
For those who don't have Kong Enterprise, since openid-connect plugin is not open source, you can configure just the key-auth plugin with anonymous access enabled and then handle the keycloak based authentication in your rest application.
I implemented an Oauth2 authentication in a GraphQL/Spring Boot API and I want to consume it from the VueJS app using Apollo client ,
Currently, I am able to do that using Postman. But I have an error in Chrome about CORS :
Access to fetch at 'https://server/as/authorization.oauth2?response_type=code&client_id=DEV_CLIENT&scope=api%20profile%20openid&state=sW2aJRg-ZA8vomsiuynS-nS1QobOUJY1Ytrji_gSFz8%3D&redirect_uri=http://localhost:5000/login/oauth2/code&nonce=' (redirected from 'http://localhost:5000/pdp/api/graphql') from origin 'http://localhost:8080' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.
I implemented CORS config in the API like this :
http.cors().and().csrf().disable()
I contacted the support team, theu told me this : " you are trying to send a CORS request to OIDC services. Please note, we do not have CORS enabled on federation servers. The solution will be to not make any CORS request. "
1 - How can I retrieve the Access Token from the API and use it in the front end in this case (Oauth2) ?
2 - How can I bypass CORS Policy of the server, knowing that they told my it is disabled ?
Thank you
If you cannot control/set the CORS origin policy in the server then there is nothing much you can do from a VUEJS app from the browser. Its the browser which restricts this. You can also ask them if they have jsonp support. Here is a link how to do that.
https://www.freecodecamp.org/news/use-jsonp-and-other-alternatives-to-bypass-the-same-origin-policy-17114a5f2016/
If everything fails, then write up a small backend service which retrieves the Access Token from the API and can pass the token to the VUEJS app in the browser.
I have a problem with logout API. I use SSO Authentication as HTTP headers mode. I can login successfully but when I want to logout. It keeps me login in Sonarqube server.
Sonarqube version 6.7
By definition, when you're using the HTTP authentication header, the login/logout is delegated to your reverse proxy, or any tool you're using to set the HTTP headers.
Please have a look at the documentation for more info about this feature.
Do I need to activate CORS on my API's server (i.e. return appropriate header in response) if the client connecting to it already provides Basic Auth information.
After lots of googling, the relation between CORS and Basic Auth from the client is still not clear to me . (if there is any relation...)
Does it make sense to have to enable CORS on the server if it already requires Basic Auth from client?
Is Basic Auth supposed to "by-pass" CORS, meaning the server shouldn't have to provided CORS headers as the request from the client is authenticated?
Are CORS and Basic Auth not related at all?
Thanks!
Do I need to activate CORS on my API's server (i.e. return appropriate header in response) if the client connecting to it already provides Basic Auth information.
Yes (assuming you want to allow cross-origin requests).
Auth is there to make that that when Alice's browser requests some data from Bob's website, that Alice is authorised to get that data.
The Same Origin Policy stops Mallory's website from using JavaScript to make Alice's browser request that data from Bob's website and then pass it back to Mallary without Alice knowing.
CORS lets you selectively disable the Same Origin Policy so that Mallory's website can be given permission to get that data.
Are CORS and Basic Auth not related at all?
Correct. They are not.
Further reading