I have run into this problem a number of times when using the OAuth2 policy for token validation. The issue seems to be that when validation fails and a 401 should be returned, it is essentially raising an exception to short-circuit the rest of the policies. This seems to include the response for a proxy endpoint. I added the AddCORS policy to the response and it doesn't appear to be executed.
When the token is valid I had to add the Preflight Options check and that fixed normal usage. And this works.
My question is: Is there any way to execute the AddCORS policy for the response when the token is expired?
I had read a little bit about changing/writing my own policy to perform validation to change how it proceeds upon exception, but I was hoping to avoid this path. Is this the way I need to proceed?
If you put the AddCORS policy before your OAuth Verify policy it should still execute. However, once it hits the OAuth policy, it will return a 401, even and especially before hitting your backend.
Thanks I will give it a shot!
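As an added example (not configuration from this thread, nor an Apigee sample), the ProxyEndpoint below shows one way to get CORS headers onto both the normal response and the 401 that the OAuthV2 policy raises: a single AssignMessage policy is attached in the response PostFlow for the valid-token path and again in a DefaultFaultRule with AlwaysEnforce, which is the part of the flow that still runs after a policy aborts the request. It goes a little beyond the answer above by also routing OPTIONS preflight requests around the token check. The policy names (Add-CORS, OAuth-Verify-Token), the base path and the origin value are assumptions; ProxyEndpoint, AssignMessage, OAuthV2, DefaultFaultRule and RouteRule are standard Apigee Edge configuration elements. The three files are concatenated here with comment separators.

```xml
<!-- file: apiproxy/proxies/default.xml (names and base path are assumed) -->
<ProxyEndpoint name="default">
  <PreFlow name="PreFlow">
    <Request>
      <!-- Token check runs first. Browser preflights carry no Authorization
           header, so OPTIONS is skipped; on any other failure OAuthV2 raises
           a fault and the normal response flow below does not run. -->
      <Step>
        <Name>OAuth-Verify-Token</Name>
        <Condition>request.verb != "OPTIONS"</Condition>
      </Step>
    </Request>
    <Response/>
  </PreFlow>
  <PostFlow name="PostFlow">
    <Request/>
    <Response>
      <!-- Valid-token path: add the CORS headers to the real response. -->
      <Step>
        <Name>Add-CORS</Name>
      </Step>
    </Response>
  </PostFlow>
  <!-- Fault path: the same policy is applied to the 401 (or any other fault).
       AlwaysEnforce makes it run even when a named FaultRule already matched. -->
  <DefaultFaultRule name="default-fault">
    <Step>
      <Name>Add-CORS</Name>
    </Step>
    <AlwaysEnforce>true</AlwaysEnforce>
  </DefaultFaultRule>
  <HTTPProxyConnection>
    <BasePath>/example</BasePath>
  </HTTPProxyConnection>
  <!-- OPTIONS preflight is answered by the proxy itself (no TargetEndpoint),
       so it never reaches the backend; everything else goes to the target. -->
  <RouteRule name="NoRoute">
    <Condition>request.verb == "OPTIONS"</Condition>
  </RouteRule>
  <RouteRule name="default">
    <TargetEndpoint>default</TargetEndpoint>
  </RouteRule>
</ProxyEndpoint>

<!-- file: apiproxy/policies/OAuth-Verify-Token.xml -->
<OAuthV2 async="false" continueOnError="false" enabled="true" name="OAuth-Verify-Token">
  <DisplayName>OAuth Verify Token</DisplayName>
  <Operation>VerifyAccessToken</Operation>
</OAuthV2>

<!-- file: apiproxy/policies/Add-CORS.xml -->
<AssignMessage async="false" continueOnError="false" enabled="true" name="Add-CORS">
  <DisplayName>Add CORS</DisplayName>
  <Set>
    <Headers>
      <!-- Assumed origin. A fixed allow-listed origin is preferable to "*"
           for an API that is called with an Authorization header, and "*"
           is rejected by browsers entirely when the request uses credentials. -->
      <Header name="Access-Control-Allow-Origin">https://app.example.com</Header>
      <Header name="Access-Control-Allow-Headers">origin, x-requested-with, accept, authorization, content-type</Header>
      <Header name="Access-Control-Allow-Methods">GET, PUT, POST, DELETE, OPTIONS</Header>
      <Header name="Access-Control-Max-Age">3628800</Header>
    </Headers>
  </Set>
  <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
  <!-- Operate on the response message in both the response flow and the fault flow. -->
  <AssignTo createNew="false" transport="http" type="response"/>
</AssignMessage>
```

With this layout the browser sees the Access-Control-Allow-Origin header on the 401 as well, so the JavaScript caller can read the status and react to an expired token instead of getting an opaque CORS error.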
Hey guys, I implemented something like that and it worked correctly for me.
In the proxy endpoint we must place in the PreFlow the following FlowCallout step, which invokes a SharedFlow that will contain the CORS policy:
<PreFlow name="PreFlow">
  <Request>
    <Step>
      <Name>FC-CORS</Name>
    </Step>
    <Step>
      <Name>FC-OAuth2</Name>
    </Step>
  </Request>
  <Response/>
</PreFlow>
Definition of the FlowCallout, where we invoke the SharedFlow:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<FlowCallout async="false" continueOnError="false" enabled="true" name="FC-CORS">
  <DisplayName>FC-CORS</DisplayName>
  <FaultRules/>
  <Properties/>
  <SharedFlowBundle>OPTIONS-CORS-Headers-Response</SharedFlowBundle>
</FlowCallout>
Definition of the SharedFlow:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<SharedFlow name="default">
  <Step>
    <Name>OPTIONS-CORS-Headers-Response</Name>
    <Condition>request.verb == "OPTIONS"</Condition>
  </Step>
</SharedFlow>
Definition of the RaiseFault policy, where we set the Access-Control-Allow-Origin header to * so that the invocation from our browser is allowed:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<RaiseFault async="false" continueOnError="false" enabled="true" name="OPTIONS-CORS-Headers-Response">
  <DisplayName>OPTIONS CORS Headers Response</DisplayName>
  <Properties/>
  <FaultResponse>
    <Set>
      <Headers>
        <Header name="Access-Control-Allow-Origin">*</Header>
        <Header name="Access-Control-Allow-Headers">origin, x-requested-with, accept, ucsb-api-key, ucsb-api-version, authorization</Header>
        <Header name="Access-Control-Max-Age">3628800</Header>
        <Header name="Access-Control-Allow-Methods">GET, PUT, POST, DELETE</Header>
      </Headers>
      <Payload contentType="text/plain"/>
      <StatusCode>200</StatusCode>
      <ReasonPhrase>OK</ReasonPhrase>
    </Set>
  </FaultResponse>
  <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
</RaiseFault>
Angular (client side):
import { HttpClient, HttpHeaders } from '@angular/common/http';
import { Observable } from 'rxjs';
const httpOptions2 = { headers: new HttpHeaders({ 'Authorization': 'Bearer token' }) };
obtenerCatalogos(): Observable<any> { return this.httpClient.get<any>(uriApigee + 'endpointapigee', httpOptions2); }
Regards