OAuth2 and CORS

Not applicable

I have run into this problem a number of times when using the OAuth2 policy for token validation. The issue seems to be that when validation fails and a 401 should be returned it is essentially raising an exception to short-circuit the rest of the policies. This seems to include the response for a proxy endpoint. I added the AddCORS policy to the response and it doesn't appear to be executed.

When the token is valid I had to add the Preflight Options check and that fixed normal usage. And this works.

My question is: Is there any way to execute the AddCORS policy for the response when the token is expired?

I had read a little bit about changing/writing my own policy to perform validation to change how it proceeds upon exception, but I was hoping to avoid this path. Is this the way I need to proceed?

1 ACCEPTED SOLUTION

Not applicable

If you put the AddCORS policy before your OAuth Verify policy it should still execute. However, once it hits the OAuth policy, it will return a 401, even and especially before hitting your backend.


Not applicable

Thanks, I will give it a shot!

jovaniac
Participant II
Hey guys, I implemented something like this and it worked correctly for me.
In the proxy endpoint we must place, in the PreFlow, the following FlowCallout step, which invokes a SharedFlow that holds the CORS policy:

<PreFlow name="PreFlow">
  <Request>
    <Step>
      <Name>FC-CORS</Name>
    </Step>
    <Step>
      <Name>FC-OAuth2</Name>
    </Step>
  </Request>
  <Response/>
</PreFlow>

Definition of the FlowCallout, which invokes the SharedFlow:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<FlowCallout async="false" continueOnError="false" enabled="true" name="FC-CORS">
  <DisplayName>FC-CORS</DisplayName>
  <FaultRules/>
  <Properties/>
  <SharedFlowBundle>OPTIONS-CORS-Headers-Response</SharedFlowBundle>
</FlowCallout>

Definition of the SharedFlow:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<SharedFlow name="default">
  <Step>
    <Name>OPTIONS-CORS-Headers-Response</Name>
    <Condition>request.verb == "OPTIONS"</Condition>
  </Step>
</SharedFlow>

Definition of the RaiseFault policy, where we set the Access-Control-Allow-Origin header to *, which allows the invocation from our browser:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<RaiseFault async="false" continueOnError="false" enabled="true" name="OPTIONS-CORS-Headers-Response">
  <DisplayName>OPTIONS CORS Headers Response</DisplayName>
  <Properties/>
  <FaultResponse>
    <Set>
      <Headers>
        <Header name="Access-Control-Allow-Origin">*</Header>
        <Header name="Access-Control-Allow-Headers">origin, x-requested-with, accept, ucsb-api-key, ucsb-api-version, authorization</Header>
        <Header name="Access-Control-Max-Age">3628800</Header>
        <Header name="Access-Control-Allow-Methods">GET, PUT, POST, DELETE</Header>
      </Headers>
      <Payload contentType="text/plain"/>
      <StatusCode>200</StatusCode>
      <ReasonPhrase>OK</ReasonPhrase>
    </Set>
  </FaultResponse>
  <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
</RaiseFault>

Angular:

import { HttpClient, HttpHeaders } from '@angular/common/http';
import { Observable } from 'rxjs';

// 'token' is a placeholder for the real access token; uriApigee holds the proxy base URL
const httpOptions2 = { headers: new HttpHeaders({ 'Authorization': 'Bearer token' }) };

obtenerCatalogos(): Observable<any> {
  return this.httpClient.get<any>(uriApigee + 'endpointapigee', httpOptions2);
}

Regards
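The original question (CORS headers on the 401 when the token is expired) can also be addressed directly with Apigee fault handling. The following is an added example, not code from this thread: a ProxyEndpoint DefaultFaultRule runs an AssignMessage policy on every fault, including the one the OAuth verification raises, so the browser can read the 401 instead of reporting a CORS error. The policy name AM-CORS-Fault-Headers, the base path and the route are assumptions; FC-CORS and FC-OAuth2 are the flow callouts from the post above.

```xml
<!-- Added example, not from this thread. Names AM-CORS-Fault-Headers, the base path
     and the route are assumptions; FC-CORS and FC-OAuth2 are the flow callouts above. -->
<ProxyEndpoint name="default">
  <!-- Runs for every fault raised in this proxy, including the 401 that the OAuth
       verification raises, so the browser receives the CORS header on that response. -->
  <DefaultFaultRule name="cors-on-faults">
    <AlwaysEnforce>true</AlwaysEnforce>
    <Step>
      <Name>AM-CORS-Fault-Headers</Name>
    </Step>
  </DefaultFaultRule>
  <PreFlow name="PreFlow">
    <Request>
      <!-- The OPTIONS preflight carries no Authorization header, so it must be
           answered (RaiseFault, 200) before the token check runs. -->
      <Step>
        <Name>FC-CORS</Name>
      </Step>
      <Step>
        <Name>FC-OAuth2</Name>
      </Step>
    </Request>
    <Response/>
  </PreFlow>
  <HTTPProxyConnection>
    <BasePath>/catalogos</BasePath>
  </HTTPProxyConnection>
  <RouteRule name="default">
    <TargetEndpoint>default</TargetEndpoint>
  </RouteRule>
</ProxyEndpoint>

<!-- AM-CORS-Fault-Headers (assumed name): AssignMessage policy file referenced by the
     DefaultFaultRule. With no AssignTo element it acts on the current message, which in
     the fault flow is the error response being returned to the client. -->
<AssignMessage async="false" continueOnError="false" enabled="true" name="AM-CORS-Fault-Headers">
  <DisplayName>AM-CORS-Fault-Headers</DisplayName>
  <Set>
    <Headers>
      <!-- Only this header is needed for the browser to expose the 401 to the page;
           the preflight-only headers are already sent by the RaiseFault above. -->
      <Header name="Access-Control-Allow-Origin">*</Header>
    </Headers>
  </Set>
  <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
</AssignMessage>
```

Note that a wildcard Access-Control-Allow-Origin only works when the browser sends the request without credentials (no cookies, no withCredentials); a bearer token in the Authorization header, as in the Angular snippet above, is fine.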