CORS policy: Response to preflight request doesn't pass access control check

I am using the current GCP Apigee X.

I have OAuth V2 token checking on the proxy, and I configured the proxy policy as:

  <PreFlow name="PreFlow">
    <Condition>request.verb != "OPTIONS"</Condition>
    <Request>
      <Step>
        <Name>verify-oauth-v2-access-token</Name>
      </Step>
      <Step>
        <Name>remove-header-authorization</Name>
      </Step>
    </Request>
    <Response>
    </Response>
  </PreFlow>

  <DefaultFaultRule name="DefaultFaultRule">
    <Step>
      <Name>add-cors</Name>
    </Step>
    <AlwaysEnforce>true</AlwaysEnforce>
  </DefaultFaultRule>
But when I debug the flow, verify-oauth-v2-access-token still gets executed and throws an invalid token error. I expected the DefaultFaultRule to handle the error and add the CORS headers to the response, but apparently it doesn't.

I always get the following error: CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

Any idea?

3 REPLIES

A PreFlow is a special type of flow that will always execute first. Either use the condition against the policy or create a new conditional flow rather than trying to make the PreFlow conditional.

Thanks for your reply. Following your suggestion, I made the following change but still get the CORS error: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. It looks like the OptionsPreFlight flow is either not effective or is overwritten by the next flow. The CORS headers are not added to the response.

 

<ProxyEndpoint name="default">
  <Flows>
    <Flow name="OptionsPreFlight">
      <Request>
        <Step>
          <Name>add-cors</Name>
        </Step>
      </Request>
      <Response>
      </Response>
      <Condition>request.verb == "OPTIONS" AND request.header.origin != null AND request.header.Access-Control-Request-Method != null</Condition>
    </Flow>
    <Flow name="OauthFlow">
      <Condition>request.verb != "OPTIONS"</Condition>
      <Request>
        <Step>
          <Name>verify-oauth-v2-access-token</Name>
        </Step>
        <Step>
          <Name>remove-header-authorization</Name>
        </Step>
      </Request>
      <Response>
      </Response>
    </Flow>
  </Flows>
  <RouteRule name="NoRoute">
    <Condition>request.verb == "OPTIONS"</Condition>
  </RouteRule>
  <RouteRule name="default">
    <TargetEndpoint>default</TargetEndpoint>
  </RouteRule>
  <DefaultFaultRule name="DefaultFaultRule">
    <Step>
      <Name>add-cors</Name>
    </Step>
    <AlwaysEnforce>true</AlwaysEnforce>
  </DefaultFaultRule>
</ProxyEndpoint>

I am coming late to this conversation, but ... I think you are not using the CORS policy correctly.  

If you are using the CORS policy, you don't need Conditions checking for OPTIONS and so on. You don't need a dedicated flow. Just drop the CORS policy in the Request PreFlow and configure it. Prior to the CORS policy, you had to use AssignMessage to generate the headers that are required for a CORS response, and that required a bunch of conditions and checks. But that should be gone now, as far as I am aware.

View a screencast overview of the CORS policy and how it works, here
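What the two replies above describe, put together as an added example (this is not code from the thread, from Apigee's documentation or from the original poster): a CORS policy placed first in the Request PreFlow, with the OAuth condition moved onto the Step rather than onto the PreFlow. The policy names `add-cors`, `verify-oauth-v2-access-token` and `remove-header-authorization` are reused from the thread; the file paths, origins, header list and MaxAge are illustrative values I chose, and the element names are those of the Apigee CORS policy.

```xml
<!-- apiproxy/policies/add-cors.xml (illustrative path) -->
<CORS continueOnError="false" enabled="true" name="add-cors">
  <DisplayName>add-cors</DisplayName>
  <!-- Explicit allowlist (placeholder origins). Reflecting {request.header.origin}
       here would let any site call the API from a browser; combined with
       AllowCredentials=true that gives every origin a credentialed channel. -->
  <AllowOrigins>https://app.example.com, https://admin.example.com</AllowOrigins>
  <AllowMethods>GET, POST, PUT, DELETE</AllowMethods>
  <!-- 'authorization' must be listed or the browser will not send the bearer
       token on the actual request after the preflight. -->
  <AllowHeaders>origin, accept, content-type, authorization</AllowHeaders>
  <ExposeHeaders>x-request-id</ExposeHeaders>
  <MaxAge>3600</MaxAge>
  <AllowCredentials>false</AllowCredentials>
  <!-- Let the policy answer the OPTIONS preflight itself instead of routing it
       to a target; no NoRoute rule or OPTIONS-only flow is needed. -->
  <GeneratePreflightResponse>true</GeneratePreflightResponse>
  <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
</CORS>

<!-- apiproxy/proxies/default.xml (illustrative path, excerpt) -->
<ProxyEndpoint name="default">
  <PreFlow name="PreFlow">
    <Request>
      <!-- Runs first for every request, so preflights are handled here. -->
      <Step>
        <Name>add-cors</Name>
      </Step>
      <!-- The condition goes on the Step, not on the PreFlow (a PreFlow always
           executes). A preflight carries no Authorization header, so it must
           never reach the token check. -->
      <Step>
        <Name>verify-oauth-v2-access-token</Name>
        <Condition>request.verb != "OPTIONS"</Condition>
      </Step>
      <Step>
        <Name>remove-header-authorization</Name>
        <Condition>request.verb != "OPTIONS"</Condition>
      </Step>
    </Request>
    <Response/>
  </PreFlow>
  <Flows/>
  <RouteRule name="default">
    <TargetEndpoint>default</TargetEndpoint>
  </RouteRule>
</ProxyEndpoint>
```

Two things worth checking in the Debug view after deploying this. First, send an OPTIONS request with an `Origin` and `Access-Control-Request-Method` header and confirm the response carries `Access-Control-Allow-Origin` for an allowed origin and nothing for an origin outside the list. Second, send a GET with an invalid bearer token: the browser will only show the 401 as an authentication failure, rather than as the CORS error in the original post, if that fault response also carries the CORS headers; if it does not, keep a fault rule that adds them, as the original configuration did.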