堆栈内存溢出
  简体   繁体   English

CORS 已阻止从源“xxxx”访问“xxx/.well-known/openid-configuration”处的 XMLHttpRequest

[英]Access to XMLHttpRequest at 'xxx/.well-known/openid-configuration' from origin 'xxxx' has been blocked by CORS

 原文  2019-12-19 03:05:16       angular/ cors/ openid-connect/ okta/ okta-api

问题描述

I am using the okta oAuth to do the authentication and authorization with angular 8 application.我正在使用 okta oAuth 对 angular 8 应用程序进行身份验证和授权。 Since getting the ' https://dev-166545.okta.com/oauth2/aus1igd7yewoAs4xa357/.well-known/openid-configuration is causing the issue由于获取 ' https://dev-166545.okta.com/oauth2/aus1igd7yewoAs4xa357/.well-known/openid-configuration导致问题

可信来源

I have added the redirect URL in the okta trusted origin.我在 okta 可信源中添加了重定向 URL。 I can't add the URLs in the CORS because of company policy.由于公司政策,我无法在 CORS 中添加 URL。

How can I solve the issue CORS我该如何解决 CORS 问题

Access to XMLHttpRequest at 'https://dev-166545.okta.com/oauth2/aus1igd7yewoAs4xa357/.well-known/openid-configuration' from origin 'https://localhost:44307' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

However, in the network I can see但是,在网络中我可以看到

在此处输入图片说明

3 个解决方案

解决方案1
 1  2019-12-20 17:24:39

The preferred option is to add your web domain to Okta under API / trusted origins - as in step 7 of my write up首选选项是在 API/可信来源下将您的 Web 域添加到 Okta - 就像我写的第 7 步一样

单页应用程序身份验证流程所需的设置

CORS is needed in order to implement open id connect for SPAs to latest security standards via Authorization Code Flow (PKCE) .需要 CORS 才能通过授权代码流 (PKCE)实现 SPA 的开放 id 连接到最新的安全标准。

There is an alternative option in OIDC client, which is to avoid supplying the authority url and supply the redirect endpoint and token signing keys explicitly. OIDC 客户端中有一个替代选项,即避免提供授权 url 并显式提供重定向端点和令牌签名密钥。 An example of this is in my Azure code sample where I prevent a JWKS lookup by supplying the token signing keys explicitly.我的 Azure 代码示例中,我通过显式提供令牌签名密钥来防止 JWKS 查找。

However, you will be restricted to the implicit flow, which is no longer recommended, so you are weakening the security of your app - which is not in your company's interests - and also adding considerable complexity to your code.但是,您将被限制在不再推荐的隐式流程中,因此您削弱了应用程序的安全性 - 这不符合您公司的利益 - 并且还为您的代码增加了相当大的复杂性。

Maybe as a next step forward my response to your stakeholders - and try to convince them to do the sensible thing of updating to the recommended industry standard security settings也许作为下一步我对您的利益相关者的回应 - 并尝试说服他们做更新到推荐的行业标准安全设置的明智之举

解决方案2
 0  2019-12-19 23:08:16

Question needs more details.问题需要更多细节。 Especially preflight request/response headers, request/response headers.特别是预检请求/响应头,请求/响应头。 Don't use localhost (because mentioned browser issue) and http (because prod setup with https requires different CORS config).不要使用localhost (因为提到浏览器问题)和 http(因为使用 https 设置 prod 需要不同的 CORS 配置)。

Primitive curl preflight test:原始卷曲预检测试:

curl -H "Origin: https://acme.com" \
 -H "Access-Control-Request-Method: GET" \
 -H "Access-Control-Request-Headers: X-Requested-With, :method" \
 -X OPTIONS -k https://dev-166545.okta.com/oauth2/aus1igd7yewoAs4xa357/.well-known/openid-configuration \
 --silent --verbose 2>&1 | grep Access-Control

=> give you idea what is requested and what is returned. => 让您了解请求的内容和返回的内容。

Type CORS != type Redirect + valid origin is for example http://localhost:8080 and not http://localhost:8080/ -> it is not clear how did you configure CORS types. Type CORS != type Redirect + valid origin is 例如http://localhost:8080而不是http://localhost:8080/ -> 不清楚你是如何配置 CORS 类型的。

解决方案3
 0  2019-12-26 23:39:33

getClientSettings(configuration: IOpenIdOptions): UserManagerSettings {
    return {
      authority: configuration.authority + '/',
      client_id: configuration.clientId,
      redirect_uri: configuration.redirectUri,
      post_logout_redirect_uri: configuration.redirectUri,
      response_type: configuration.responseType, // "id_token token",
      scope: "openid profile email " + configuration.apiResourceId,
      filterProtocolClaims: true,
      loadUserInfo: false,
      automaticSilentRenew: true,
      monitorSession: true,
      silent_redirect_uri: configuration.silentRedirectUri,
      accessTokenExpiringNotificationTime: 20, //default 60
      checkSessionInterval: 5000, //default 2000
      silentRequestTimeout: 20000, //default: 10000 
      // When CORS is disabled, token signing keys cannot be retrieved
      //  Manual the metadata and singinKeys for okta auth
      metadata: {
        // Magic happen here. Confugure to local host 
        jwks_uri: configuration.jwksUri,
        authorization_endpoint: `${configuration.authority}/v1/authorize`,
        issuer: configuration.authority
      },
    };
  }

Appsetting.json应用设置.json

 "openId": {
    "authority": "https://dev-166545.okta.com/oauth2/xxxxxxxxxxxxxx",
    "clientId": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
    "apiResourceId": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
    "redirectUri": "https://localhost:44307/auth-callback",
    "silentRedirectUri": "https://localhost:44307/assets/silent-renew.html",
    "responseType": "id_token token",
    "jwksUri" : "https://localhost:44307/assets/jwks.json"
  }

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 无法从 well-known/openid-configuration 获取配置 - Unable to obtain configuration from well-known/openid-configuration Angular 9:CORS 策略已阻止从来源“http://localhost:4200”访问位于“xxx”的 XMLHttpRequest - Angular 9: Access to XMLHttpRequest at 'xxx' from origin 'http://localhost:4200' has been blocked by CORS policy 从源访问 xmlhttprequest 已被 Angular 6 中的 cors 策略阻止 - Access to xmlhttprequest at from origin has been blocked by cors policy in Angular 6 Laravel 从源访问 XMLHttpRequest 已被 CORS 策略阻止 - Laravel Access to XMLHttpRequest at from origin has been blocked by CORS policy CORS策略已阻止从来源“ http:// localhost:4200”访问“ https://login.microsoftonline.com/xxx”处的XMLHttpRequest - Access to XMLHttpRequest at 'https://login.microsoftonline.com/xxx from origin 'http://localhost:4200' has been blocked by CORS policy 访问 XMLHttpRequest at.' 从原产地。 已被 CORS 策略阻止:不存在“访问控制允许来源”header - Access to XMLHttpRequest at .' from origin . has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present 从CORS策略阻止从源“ localhost”访问“ production_api_url”处的XMLHttpRequest - Access to XMLHttpRequest at 'production_api_url' from origin 'localhost' has been blocked by CORS policy 来自'http:// localhost / api from origin'http:// localhost:8000'的XMLHttpRequest访问已被CORS策略阻止 - Access to XMLHttpRequest at 'http://localhost/api from origin 'http://localhost:8000' has been blocked by CORS policy 从源“http://localhost:4200”访问 XMLHttpRequest 已被 CORS 策略(Angular,WebApi)阻止 - Access to XMLHttpRequest from origin 'http://localhost:4200' has been blocked by CORS policy (Angular, WebApi) 从源“http://localhost:8080”访问“API_URL”的 XMLHttpRequest 已被 CORS 策略阻止: - Access to XMLHttpRequest at 'API_URL' from origin 'http://localhost:8080' has been blocked by CORS policy:
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM