I received the following
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at <my-ip-address> (Reason: CORS header ‘Access-Control-Allow-Origin’ missing).
after calling the rest server from my angular app, the code was working perfect when I was using local rest server
Related
I have a Flash backend using flask-dance in order to allow a web app to authenticate users with Google provider.
In my local dev environment, the backend runs from https://localhost:5000, while my local frontend is at https://local.mydomain.com
I have a backend endpoint at https://localhost:5000/login/google which redirects the user to the Google OAuth flow:
#app.route('/login/<provider>')
def login(provider: str):
# here we store the page the user has come from with the referrer value
session["return_to"] = request.referrer
if provider == 'google':
return redirect(url_for("google.login"))
return False
If I access this URL directly in the browser, I'm redirected to Google and the OAuth flow completes successfully.
If, however, I add a button on the frontend that redirects to that URL, the OAuth flow fails midway and the browser prints the following errore:
Access to XMLHttpRequest at 'https://accounts.google.com/o/oauth2/auth?response_type=code&client_id=580945975384-0mqduo9k8dchc0ho7tnd7g6ejo70jrlb.apps.googleusercontent.com&redirect_uri=https%3A%2F%2Flocalhost%3A5000%2Fauth%2Fgoogle%2Fauthorized&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.profile+openid&state=tWt5b2pkp0jfjxtXD8aHlMwsKyuCJw' (redirected from 'https://localhost:5000/login/google') from origin 'https://local.mydomain.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
index.js:1 Error: Network Error
at createError (createError.js:16)
at XMLHttpRequest.handleError (xhr.js:117)
xhr.js:210 GET https://accounts.google.com/o/oauth2/auth?response_type=code&client_id=580945975384-0mqduo9k8dchc0ho7tnd7g6ejo70jrlb.apps.googleusercontent.com&redirect_uri=https%3A%2F%2Flocalhost%3A5000%2Fauth%2Fgoogle%2Fauthorized&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.profile+openid&state=tWt5b2pkp0jfjxtXD8aHlMwsKyuCJw net::ERR_FAILED 200
This is the failed request:
The Flask backend app has CORS enabled.
Why is this happening?
I suspect that running the backend locally from a different domain has something to do with it, but I couldn't quite figure out exactly what is going on and how to fix this.
The Google OAuth URL you request (https://accounts.google.com/o/oauth2/auth) is the starting point for their authentication process - it requires a full browser - it needs to display a credentials form, consent and then to redirect the browser back to your application. That's why you cannot use XMLHttpRequest for accessing it.
Your backend CORS settings cannot help it - Google would have to enable it on their endpoint, but it still would not work for the reasons mentioned before.
I am using react for the front end and Ruby on Rails for the back end. I am using version 2.6.1 for ruby on rails.
When I started my application I am getting an error saying...
"Access to fetch at 'http://localhost:3000/profile' from origin 'http://localhost:3001' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled."
I have received the error message while working with Angular 7
localhost/:1 Access to XMLHttpRequest at 'http://localhost:58523/api/DashboardLoaderService/1' from origin 'http://localhost:59484' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.
I'm using a C9 AWS instance to run an API REST written in ruby on rails, and i'm consuming the resources from an Ionic App with simple http calls.
When i make a http request from the ionic app, the server response with this message:
Failed to load https://the_server.vfs.cloud9.us-east-2.amazonaws.com/resource: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:8100' is therefore not allowed access. The response had HTTP status code 404.
How can I enable the CORS in the Cloud 9 instance ?
I have already enable the CORS in rails with the rack-cors gem
The call to https://the_server.vfs.cloud9.us-east-2.amazonaws.com/resource is being handled by a proxy. To allow CORS, you need to call the server directly. You can do that
by connecting to the server IP address, and opening the correct ports. It's described here: https://docs.aws.amazon.com/cloud9/latest/user-guide/app-preview.html?icmpid=docs_ac9_ide#app-preview-share
I have a Javascript SPA that uses access tokens to talk to a backend API / Auth server. I'm using OpenIddict and JWT Bearer authentication on our combined API / Authorization server. We are using the Implicit flow.
For the time being, I am not using SSL - all requests are just http.
Everything has been configured and works correctly on my dev machine. When I publish these 2 sites to IIS everything still works fine when using an IP addresses for the 2 websites that are set up (there is 1 website for the Javascript SPA, and 1 website for the API / Auth server).
So basically I have 2 websites at the same IP address running on 2 different ports:
1) SPA 192.168.1.50:3000
2) AuthServer 192.168.1.50:5959
Now I want to enable hostnames for these sites. I now have edited the IIS bindings in order to bind these 2 sites to a host name like so:
1) SPA app.mycompany:3000
2) AuthServer app.mycompany:5959
When I do this, I am getting a message about not being able to access the .well-known/openid-configuration endpoint and am getting a JWT Bearer exception when trying to hit the UserInfo endpoint.
I can hit my SPA, get redirected to the Auth Server's login page and then successfully login. By looking at the web requests in Fiddler I see that I can hit the authorize end point and now have an access_token. As soon as the discovery step happens though things break.
The discovery end point can't be found and then immediately after that the userinfo endpoint is prevented from being hit because the bearer authentication fails.
By examining my logs I can see that JWT Bearer token fails to validate on the the UserInfo endpoint.
When this discovery endpoint is requested:
app.mycompany:5959/.well-known/openid-configuration
This is the error message I am getting:
IDX10803: Unable to obtain configuration from: 'http://app.mycompany.com:5959/.well-known/openid-configuration
And in my logs this is what I'm seeing at the point where the UserInfo controller is requested:
2017-11-09 14:12:35.7510|1|INFO|Microsoft.AspNetCore.Hosting.Internal.WebHost|Request starting HTTP/1.1 OPTIONS http://app.mycompany:5959/connect/userinfo
2017-11-09 14:12:35.7510|1|DEBUG|Microsoft.AspNetCore.StaticFiles.StaticFileMiddleware|OPTIONS requests are not supported
2017-11-09 14:12:35.7510|1|DEBUG|Microsoft.AspNetCore.Cors.Infrastructure.CorsService|The request is a preflight request.
2017-11-09 14:12:35.7510|2|DEBUG|Microsoft.AspNetCore.Cors.Infrastructure.CorsService|The request has an origin header: 'http://app.mycompany:3000'.
2017-11-09 14:12:35.7510|4|INFO|Microsoft.AspNetCore.Cors.Infrastructure.CorsService|Policy execution successful.
2017-11-09 14:12:35.7510|9|DEBUG|Microsoft.AspNetCore.Server.Kestrel|Connection id "0HL97NQJHQ576" completed keep alive response.
2017-11-09 14:12:35.7510|2|INFO|Microsoft.AspNetCore.Hosting.Internal.WebHost|Request finished in 6.2953ms 204
2017-11-09 14:12:35.7510|1|INFO|Microsoft.AspNetCore.Hosting.Internal.WebHost|Request starting HTTP/1.1 GET http://app.mycompany:5959/connect/userinfo
2017-11-09 14:12:35.7510|4|DEBUG|Microsoft.AspNetCore.StaticFiles.StaticFileMiddleware|The request path /connect/userinfo does not match a supported file type
2017-11-09 14:12:35.7510|2|DEBUG|Microsoft.AspNetCore.Cors.Infrastructure.CorsService|The request has an origin header: 'http://app.mycompany:3000'.
2017-11-09 14:12:35.7510|4|INFO|Microsoft.AspNetCore.Cors.Infrastructure.CorsService|Policy execution successful.
2017-11-09 14:12:35.7510|0|DEBUG|OpenIddict.OpenIddictHandler|The default userinfo request handling was skipped from user code.
2017-11-09 14:12:35.7664|9|DEBUG|Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationHandler|AuthenticationScheme: Identity.Application was not authenticated.
2017-11-09 14:12:35.7664|1|DEBUG|Microsoft.AspNetCore.Routing.Tree.TreeRouter|Request successfully matched the route with name '(null)' and template 'connect/userinfo'.
2017-11-09 14:12:35.7664|1|DEBUG|Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker|Executing action ApiAuthServer.Controllers.UserinfoController.Userinfo (ApiAuthServer)
2017-11-09 14:12:35.7664|2|DEBUG|Microsoft.AspNetCore.Cors.Infrastructure.CorsService|The request has an origin header: 'http://app.mycompany:3000'.
2017-11-09 14:12:35.7664|4|INFO|Microsoft.AspNetCore.Cors.Infrastructure.CorsService|Policy execution successful.
2017-11-09
14:12:35.7664|3|ERROR|Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler|Exception occurred while processing message. IDX10803: Unable to obtain configuration from: 'http://app.mycompany:5959/.well-known/openid-configuration'.
If I navigate directly to app.mycompany:5959/.well-known/openid-configuration from outside the server in a browser, I can hit that discovery endpoint and see the json data. It works.
But if I try to access that endpoint from within the IIS server I get the same error message. I can't seem to access that on the IIS box. But if I remove the host name binding and go back to IP addresses, I can successfully hit the discovery endpoint even on the IIS box and the app works fine.
So I am really at a loss of what the problem is. Not sure if there is some IIS setting I need to tweak, or if this is a bug in the JWT Bearer middleware or if it is something to do with OpenIddict.
I just want to be able to use hostnames on IIS for my app(s)