Re: Preflight request with OAUTH

GopalTelstra · 10-13-2021 07:29 PM

Hi All,

I got a requirement to use OAUTH to a preflight request. But while using OAUTH all the time I am getting 401 invalid token error. Could you please help in fixing this issue?

It is with cross origin .

Thanks

Gopal

inankanbur

A Preflight request, which is an HTTP OPTIONS request, is automatically fired by the browser to check with the server if the HTTP method which is about to be used as well as any non-CORS-safelisted request headers are ok with the server.

It includes the headers Access-Control-Request-Method, Access-Control-Request-Headers and Origin. A preflight request fired by the browser would never include an Authorization header, hence no access token.

GopalTelstra

Thanks for your reply.

For preflight OAUTH will not work with Authorization header. is my understanding is correct?

shuhaib_arkn

Since Preflight Request should not be validated you need add conditional flow in your proxy to handle the Preflight.
specifically you can use the Condition

<Condition>(request.verb = "OPTIONS")</Condition>

the above condition will handle any option http verb that incoming to your proxy . then you can return required headers to the browser in the response flow

Example Assign Message Policy Response For Preflight:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<AssignMessage async="false" continueOnError="false" enabled="true" name="Add-Cors-Options">
    <DisplayName>Add-Cors-Options</DisplayName>
    <Properties/>
    <Properties/>
    <Add>
        <Headers>
            <Header name="Access-Control-Allow-Origin">{AccessRequestOrigin}</Header>
            <Header name="Access-Control-Allow-Headers">{AccessRequestHeaders}</Header>
            <Header name="Access-Control-Max-Age">3628800</Header>
            <Header name="Access-Control-Allow-Methods">GET, PUT, POST, DELETE</Header>
        </Headers>
    </Add>
    <set>
        <StatusCode>204</StatusCode>
    </set>
    <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
    <AssignTo createNew="false" transport="http" type="response"/>
</AssignMessage>

to make response like this u need to get the request.header.Access-Control-Request-Headers and make response accordingly .

Hope this will be helpful

GopalTelstra

thanks, @shuhaib_arkn, the above logic is implemented, but still, it not working for OAUTH token. If I remove OAUTH, then it is working fine and with OAUTH it having issue. Is there any way to validate OAUTH token to preflight the request?

dchiesa1

Access-Control-Allow-Credentials

I believe you need to add this. A request-for-token according to the OAuth framework typically passes an Authorization header. That amounts to "credentials". CORS by policy blocks passing credentials unless it is allowed explicitly by that header I mentioned. so I suggest:

<AssignMessage name="AM-Add-Cors-Options">
    <Set>
        <Headers>
            <Header name="Access-Control-Allow-Origin">{AccessRequestOrigin}</Header>
            <Header name="Access-Control-Allow-Headers">{AccessRequestHeaders}</Header>
            <Header name="Access-Control-Allow-Credentials">true</Header>
            <Header name="Access-Control-Max-Age">600</Header>
            <Header name="Access-Control-Allow-Methods">GET, PUT, POST, DELETE</Header>
        </Headers>
    </Set>
</AssignMessage>

Check the docs for CORS for more details.

Also - you will want to be thoughtful about the Access-Control-* headers. Don't just copy/paste things. Talk it over with your other stakeholders to determine what makes sense for your organization.

shuhaib_arkn

@GopalTelstra You need to make the CORS option support on OAUTH Proxy also ,
you are calling the oAuth proxy first then the intended proxy So Both of your proxy[ should Support CORS prefilght options .

Also Use the Cors Access-Control Headers Wisely according to your organization security policies.