jhipster oauth : how can login via ajax from a different domain - spring

I'm trying to authenticate via ajax from a different domain than my jhipster instance, but I get this error:
XMLHttpRequest cannot load http://dev.xxx.it:9090/xxx-server-2.0.0/. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://beta.xxx.it' is therefore not allowed access.
Here you can find an example: https://jsfiddle.net/rpdyr97j/3/

I think you'd need to add a CORS filter of some kind to allow requests from other domains. See this: https://spring.io/guides/gs/rest-service-cors/#_filter_requests_for_cors
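What a CORS filter of the kind the answer above points to actually decides, as an added example that is neither the Spring guide's code nor anything from this thread: the same allowlist-plus-preflight logic written as a plain Node.js function, so it runs without Spring. The allowed origins, methods and header names are assumed values chosen for illustration (the front-end origin is the placeholder from the question).

```javascript
// Added example (not from the original thread): the decision a CORS filter
// makes for one request, as a pure function over { method, headers }.
// Allowlist values below are assumptions for illustration only.
const ALLOWED_ORIGINS = new Set([
  'http://beta.xxx.it',        // placeholder front-end origin from the question
  'https://app.example.test',  // constructed second origin
]);
const ALLOWED_METHODS = ['GET', 'POST', 'PUT', 'DELETE', 'OPTIONS'];
const ALLOWED_HEADERS = ['Authorization', 'Content-Type', 'X-Requested-With'];
const PREFLIGHT_MAX_AGE_SECONDS = 600;

// Returns { status, headers }. status is 204 for a handled preflight, 403 for a
// rejected one, and null when the request should continue to the normal handler.
// Header names are read lowercase, as Node's IncomingMessage exposes them.
function corsDecision(req) {
  const origin = req.headers['origin'];
  const headers = { 'Vary': 'Origin' }; // caches must key responses on Origin
  if (!origin || !ALLOWED_ORIGINS.has(origin)) {
    // Same-origin/non-browser client, or an origin we do not trust: send no
    // Allow-* headers. The browser then blocks exactly as the question's error says.
    return { status: null, headers };
  }
  // Echo the exact origin, never '*': credentials (cookies, Authorization)
  // are only honoured by browsers for a specific origin.
  headers['Access-Control-Allow-Origin'] = origin;
  headers['Access-Control-Allow-Credentials'] = 'true';

  const isPreflight = req.method === 'OPTIONS' &&
    req.headers['access-control-request-method'] !== undefined;
  if (isPreflight) {
    const wantedMethod = req.headers['access-control-request-method'].toUpperCase();
    const wantedHeaders = (req.headers['access-control-request-headers'] || '')
      .split(',').map(h => h.trim().toLowerCase()).filter(Boolean);
    const lowerAllowed = ALLOWED_HEADERS.map(h => h.toLowerCase());
    const methodOk = ALLOWED_METHODS.includes(wantedMethod);
    const headersOk = wantedHeaders.every(h => lowerAllowed.includes(h));
    if (!methodOk || !headersOk) {
      // Deny by withholding the Allow-* headers; the browser fails the preflight.
      delete headers['Access-Control-Allow-Origin'];
      delete headers['Access-Control-Allow-Credentials'];
      return { status: 403, headers };
    }
    headers['Access-Control-Allow-Methods'] = ALLOWED_METHODS.join(', ');
    headers['Access-Control-Allow-Headers'] = ALLOWED_HEADERS.join(', ');
    headers['Access-Control-Max-Age'] = String(PREFLIGHT_MAX_AGE_SECONDS);
    return { status: 204, headers };
  }
  return { status: null, headers };
}

// Minimal wiring into an HTTP server; only runs when called explicitly.
function startServer(port) {
  const http = require('http'); // loaded lazily so corsDecision stays dependency-free
  return http.createServer((req, res) => {
    const { status, headers } = corsDecision(req);
    for (const [name, value] of Object.entries(headers)) res.setHeader(name, value);
    if (status !== null) { res.writeHead(status); res.end(); return; }
    res.writeHead(200, { 'Content-Type': 'application/json' });
    res.end(JSON.stringify({ ok: true }));
  }).listen(port);
}
```

Call `startServer(9090)` and send a preflight with `curl -i -X OPTIONS -H 'Origin: http://beta.xxx.it' -H 'Access-Control-Request-Method: POST' http://localhost:9090/` to see the 204 with the Allow-* headers; repeat with an origin that is not in the set and the response carries only `Vary: Origin`, which is the response the browser in the question refuses to expose.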

Related

How can i use Access Token in laravel project

I now get the Access Token from Lumen-API-JWT (Backend), but the question is how can I work with that in the laravel-8-Client (frontend) project?
Any idea?
In general, when working with an HTTP API or a call that needs to authenticate the user, the server will return an access token (JWT or whatever). Every API request needs to send that access token along in the header, e.g. Authorization: Bearer {{access_token}}.
When you fail to send the access token, the server will return an unauthenticated HTTP status code with the relevant message.
Please refer to the link below:
https://www.loginradius.com/blog/async/everything-you-want-to-know-about-authorization-headers

How can I retrieve the Access Token and Bypass CORS Policy in Spring Boot

I implemented OAuth2 authentication in a GraphQL/Spring Boot API and I want to consume it from the VueJS app using Apollo client.
Currently, I am able to do that using Postman. But I have an error in Chrome about CORS:
Access to fetch at 'https://server/as/authorization.oauth2?response_type=code&client_id=DEV_CLIENT&scope=api%20profile%20openid&state=sW2aJRg-ZA8vomsiuynS-nS1QobOUJY1Ytrji_gSFz8%3D&redirect_uri=http://localhost:5000/login/oauth2/code&nonce=' (redirected from 'http://localhost:5000/pdp/api/graphql') from origin 'http://localhost:8080' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.
I implemented the CORS config in the API like this:
http.cors().and().csrf().disable()
I contacted the support team, and they told me this: "you are trying to send a CORS request to OIDC services. Please note, we do not have CORS enabled on federation servers. The solution will be to not make any CORS request."
1 - How can I retrieve the Access Token from the API and use it in the front end in this case (OAuth2)?
2 - How can I bypass the CORS policy of the server, knowing that they told me it is disabled?
Thank you
If you cannot control/set the CORS origin policy on the server then there is not much you can do from a VueJS app in the browser. It's the browser which restricts this. You can also ask them if they have JSONP support. Here is a link on how to do that.
https://www.freecodecamp.org/news/use-jsonp-and-other-alternatives-to-bypass-the-same-origin-policy-17114a5f2016/
If everything fails, then write a small backend service which retrieves the Access Token from the API and can pass the token to the VueJS app in the browser.

No 'Access-Control-Allow-Origin' header is present on the requested resources SAML Federation

I have this problem in a production environment; it happens because I'm trying to redirect the user to the federation to authenticate.
I'm using SAML authentication && IBM IHS.
Console log of the CORS error:
Are you using ADFS? Where is it in the picture?
ADFS does not handle CORS and there is no way to add this header.
You need to do this via a proxy.

CORS issue while making an Ajax request for oauth2 access token

I am making an ajax call from my client to the Google OAuth 2 API 'https://accounts.google.com/o/oauth2/auth?redirect_uri=http://blah.com&response_type=token&client_id....' to get the access token, but I get the following error:
Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://blah-blah.com' is therefore not allowed access
I want the call to be ajax so that the user is not disturbed, as happens when the call is made through the URL or window.location.href. In other words, how can I get the access token such that the whole page does not load, and is it possible to resolve the above error?
OAuth2 auth endpoint doesn't support AJAX by design. It's an entry point to the authentication system, so you must get there by redirect. The result of the authentication is again a redirect to the URL you provide, so AJAX doesn't make much sense there.

Do I need CORS on API server if API requires Basic Auth from client

Do I need to activate CORS on my API's server (i.e. return the appropriate header in the response) if the client connecting to it already provides Basic Auth information?
After lots of googling, the relation between CORS and Basic Auth from the client is still not clear to me (if there is any relation...).
Does it make sense to have to enable CORS on the server if it already requires Basic Auth from the client?
Is Basic Auth supposed to "bypass" CORS, meaning the server shouldn't have to provide CORS headers as the request from the client is authenticated?
Are CORS and Basic Auth not related at all?
Thanks!
Do I need to activate CORS on my API's server (i.e. return the appropriate header in the response) if the client connecting to it already provides Basic Auth information?
Yes (assuming you want to allow cross-origin requests).
Auth is there to make sure that when Alice's browser requests some data from Bob's website, Alice is authorised to get that data.
The Same Origin Policy stops Mallory's website from using JavaScript to make Alice's browser request that data from Bob's website and then pass it back to Mallory without Alice knowing.
CORS lets you selectively disable the Same Origin Policy so that Mallory's website can be given permission to get that data.
Are CORS and Basic Auth not related at all?
Correct. They are not.
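The Alice/Bob/Mallory reasoning in the answer above, as an added example that is not part of the answer: a small simulation of the check a browser performs on a cross-origin response, showing that a request authenticated with Basic Auth is still withheld from the calling page unless the server opts that origin in with CORS headers. The origin names, header values and the `alice:secret` credential are constructed for illustration.

```javascript
// Added example (not from the original thread): simulate the browser-side
// CORS check to show that Basic Auth does not bypass the Same Origin Policy.
// All origins, header values and credentials below are constructed.

// A request needs a preflight when its method or headers are not "simple".
// An Authorization header is never simple, so Basic Auth itself forces one.
function needsPreflight(request) {
  const simpleMethods = ['GET', 'HEAD', 'POST'];
  const simpleHeaders = ['accept', 'accept-language', 'content-language', 'content-type'];
  if (!simpleMethods.includes(request.method)) return true;
  const names = Object.keys(request.headers).map(h => h.toLowerCase());
  return names.some(h => !simpleHeaders.includes(h));
}

// Decide whether a script at `origin` may read a cross-origin response.
// `credentialed` is true when the request carried cookies or an Authorization header.
function browserCorsCheck(origin, credentialed, responseHeaders) {
  const h = {};
  for (const [name, value] of Object.entries(responseHeaders)) h[name.toLowerCase()] = value;
  const acao = h['access-control-allow-origin'];
  const acac = h['access-control-allow-credentials'];
  if (acao === undefined) {
    // This is the situation every error message in this thread describes.
    return { readable: false, reason: "No 'Access-Control-Allow-Origin' header is present on the requested resource." };
  }
  if (credentialed) {
    if (acao === '*') return { readable: false, reason: 'wildcard origin is not accepted for credentialed requests' };
    if (acao !== origin) return { readable: false, reason: `origin ${origin} does not match ${acao}` };
    if (acac !== 'true') return { readable: false, reason: "Access-Control-Allow-Credentials is not 'true'" };
    return { readable: true, reason: 'server opted this origin in, with credentials' };
  }
  if (acao === '*' || acao === origin) return { readable: true, reason: 'server opted this origin in' };
  return { readable: false, reason: `origin ${origin} does not match ${acao}` };
}

// Scenario from the answer: Mallory's page makes Alice's browser send a Basic
// Auth request to Bob's API. Bob's server authenticates it (the auth part works),
// but what Mallory's script can read depends only on Bob's CORS headers.
function scenario(bobsResponseHeaders) {
  const request = {
    method: 'GET',
    headers: { Authorization: 'Basic YWxpY2U6c2VjcmV0' }, // constructed: alice:secret
  };
  const credentialed = 'Authorization' in request.headers;
  return {
    preflight: needsPreflight(request),
    ...browserCorsCheck('http://mallory.example', credentialed, bobsResponseHeaders),
  };
}
```

With `scenario({ 'Content-Type': 'application/json' })` (Bob authenticates but sends no CORS headers) the result is `readable: false`; `scenario({ 'Access-Control-Allow-Origin': '*' })` is also blocked because the request was credentialed; only an explicit `Access-Control-Allow-Origin: http://mallory.example` together with `Access-Control-Allow-Credentials: true` makes the data readable, which is the "selectively disable" step the answer describes.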