I am making an ajax call from my client to the google oauth 2 API 'https://accounts.google.com/o/oauth2/auth?redirect_uri=http://blah.com&response_type=token&client_id....' to get the access token, but i get following error:
Response to preflight request doesn't pass access control check: No
'Access-Control-Allow-Origin' header is present on the requested
resource. Origin 'http://blah-blah.com' is therefore not allowed
access
I want the call to be ajax so that the user is not disturbed when the call is made through url or window.location.href or in other words, how can i get the access token such that the whole page does not load, and is it possible to resolve the above error???
OAuth2 auth endpoint doesn't support AJAX by design. It's an entry point to the authentication system, so you must get there by redirect. The result of the authentication is again a redirect to the URL you provide, so AJAX doesn't make much sense there.
Related
I confuse session id and CSRF token. so I search about that and understand a little bit.
Session IDs are used to verify a user. CSRF tokens are used to verify request itself.
My question is when server send CSRF token to user?
For example
when client visit www.sample.com first time, sever send session id to client.(is that right?) client want to change his password. so he come to www.sample.com/change where client can change password and is located change button(post). And that time(when client visit www.sample.com/change) sever send CSRF token to client? or when client post their data then middleware send CSRF and compare before server got post data?
The server sends the CSRF token when the client visit the www.sample.com/change page. Usually, the CSRF token is embedded in the HTML file as a hidden html element such as <meta> tag or hidden <input> tag. Therefore, when the client sends a GET request to retrieve the www.sample.com/change page, the CSRF token will be returned as part of the HTML page.
Resources:
https://portswigger.net/web-security/csrf/tokens
Additional Consideration
Let's say we take the "middleware" approach described in your question. In that case, the CSRF token will be generated in the server upon receiving a POST/PUT request. Then, the server cannot discern whether the request is generated by the legitimate site (www.sample.com) or the impersonating site (www.malicious.com) because both requests can look exactly the same (note here that the malicious site can spoof request headers such as origin). Therefore this approach cannot prevent CSRF attack. The CSRF token needs to be sent from the client so that the server can identify the requests originating from the legitimate website.
I get now the Access Token from Lumen-API-JWT (Backend) but the question is how can i work with that in the laravel-8-Client (frontend) project
Any Idea ?
In generally when we working with HTTP API or call need to authentication the user, Server will return the Access Token (JWT or whatever). Every API Request you need to bind that access token along with the header. Ex. Authorization: Bearer {{access_token}}.
When you fail to bind the access token server will return unauthenticated HTTP status code with the relevant message.
Please refer below links,
https://www.loginradius.com/blog/async/everything-you-want-to-know-about-authorization-headers
I implemented an Oauth2 authentication in a GraphQL/Spring Boot API and I want to consume it from the VueJS app using Apollo client ,
Currently, I am able to do that using Postman. But I have an error in Chrome about CORS :
Access to fetch at 'https://server/as/authorization.oauth2?response_type=code&client_id=DEV_CLIENT&scope=api%20profile%20openid&state=sW2aJRg-ZA8vomsiuynS-nS1QobOUJY1Ytrji_gSFz8%3D&redirect_uri=http://localhost:5000/login/oauth2/code&nonce=' (redirected from 'http://localhost:5000/pdp/api/graphql') from origin 'http://localhost:8080' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.
I implemented CORS config in the API like this :
http.cors().and().csrf().disable()
I contacted the support team, theu told me this : " you are trying to send a CORS request to OIDC services. Please note, we do not have CORS enabled on federation servers. The solution will be to not make any CORS request. "
1 - How can I retrieve the Access Token from the API and use it in the front end in this case (Oauth2) ?
2 - How can I bypass CORS Policy of the server, knowing that they told my it is disabled ?
Thank you
If you cannot control/set the CORS origin policy in the server then there is nothing much you can do from a VUEJS app from the browser. Its the browser which restricts this. You can also ask them if they have jsonp support. Here is a link how to do that.
https://www.freecodecamp.org/news/use-jsonp-and-other-alternatives-to-bypass-the-same-origin-policy-17114a5f2016/
If everything fails, then write up a small backend service which retrieves the Access Token from the API and can pass the token to the VUEJS app in the browser.
I am implementing an oauth2 authorization server for providing access to our apis.
Our application is a single page application, with the a jwt token in the authentication header to provide access.
We want to setup an oauth2 Authorization Code flow like,
User is on external site and wants to get access to our apis
External site redirects to our site/spa with oauth2 params, client_id etc.
SPA checks authentication, users needs to login to continue
User sees page for confirming access
User confirms access, code is returned and redirected to external site
External site does backchannel call to obtain token from code
My problem is in 4 and 5, in standard Spring setup this is provided by
org.springframework.security.oauth2.provider.endpoint.AuthorizationEndpoint,
on /oauth/authorize GET oauth params are stored in the session and the confirmation page is shown, and on post of that the code is returned in the redirect.
But I cannot find any guidance/examples on how to do this with a page hosted in a SPA.
You have to be authenticated in this endpoint and I cannot really use the top level page that /oauth/authorized provides because we use header based authentication on rest api calls only, all our top level calls are unauthenticated.
Is there some obvious way to make this work?
I think I do not want to put my authentication token in a cookie.
I was thinking of just then creating a controller that sort of does what the AuthorizationEndpoint does and returning a redirect to the redirect in Javascript. But I am not sure if I would be breaking some other security requirement.
I'm trying to authenticate via ajax from a different domain of my jhipster instance but I get this error:
XMLHttpRequest cannot load http://dev.xxx.it:9090/xxx-server-2.0.0/. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://beta.xxx.it' is therefore not allowed access.
Here you can find an example: https://jsfiddle.net/rpdyr97j/3/
I think you'd need to add a CORS filter of some kind to allow requests from other domains. See this: https://spring.io/guides/gs/rest-service-cors/#_filter_requests_for_cors