CORS Issue with oauth2 authentication (ClientCredentials) #5104
Comments
Hi @kishm! See these docs for more information on CORS: https://github.com/swagger-api/swagger-ui/blob/master/docs/usage/cors.md
Same issue here with clientCredentials login. In the Chrome console: Access to fetch at 'https://sso.company.com/auth/realms/XYZ_Public/protocol/openid-connect/token' from origin 'http://localhost:8080' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled. Cross-Origin Read Blocking (CORB) blocked cross-origin response https://sso-sso.company.com/auth/realms/XYZ_Public/protocol/openid-connect/token with MIME type application/json. See https://www.chromestatus.com/feature/5629709824032768 for more details.
Same issue with the clientCredentials login. Whenever we click on authorize and fill in the client id and client secret we get the following: However, when I try to authorize using the following URL "https://demo.identityserver.io/connect/token" from the swagger ui it works.
I'm having the same issue. I thought it would be resolved after my app was deployed to my dev server so the origin was an actual URL instead of localhost, but no such luck.
I have found out a couple of things.
Notice that the auth server is the one returning the CORS issue. In some cases the auth server is not the same server where the swagger ui is hosted. In this case it would be awesome if swagger supported a configuration param to actually send the request in no-cors mode, which would make it work in most of the cases. For now, swagger doesn't support this, so I think there is no fix for that.
Hi, just put it in front of our auth address and it should work. I used client credentials on Microsoft Azure AD with oauth2 and had the same problems. As said, a no-cors mode would be nice.
Very nice, will test it, thanks.
Can you describe it a little more in detail, give an example? Please.
Hi, I used it to get tokens for the client credentials in a dev environment.
I'm also having the same problem right now. Our authentication server does not support the OPTIONS request and I'm in no control to fix it. I also agree with a comment on a similar issue #4930 (comment). Having a proxy would fix the issue, but as we deploy our apps in different environments it becomes a huge hassle to also have to deploy and configure a proxy for each instance... So in the end, I cannot say it is a good solution to the problem for our case. @shockey, I don't think this is just "support" as it is labeled right now. Any thoughts?
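As an added example (not code from swagger-ui or from anyone in this thread), the following Python models the check Chrome applies to the token response quoted above and the preflight and response headers a small reverse proxy placed in front of the token endpoint would send for a pinned swagger-ui origin; the origin, path and header values are constructed placeholders.

```python
# Added example, not part of swagger-ui or of this thread. Models (1) the browser
# CORS decision behind the "No 'Access-Control-Allow-Origin' header" error and
# (2) the headers a proxy in front of the token endpoint should return when the
# auth server itself cannot answer the OPTIONS preflight. Values are constructed.
SWAGGER_UI_ORIGIN = "http://localhost:8080"            # where swagger-ui is served
TOKEN_PATH = "/auth/realms/XYZ_Public/protocol/openid-connect/token"
ALLOWED_ORIGINS = frozenset({SWAGGER_UI_ORIGIN})        # exact allow-list, no Origin reflection
# Client-credentials POST sends Authorization (Basic) + Content-Type; nothing else is needed.
ALLOWED_HEADERS = frozenset({"authorization", "content-type"})


def browser_blocks(origin: str, response_headers: dict) -> bool:
    """True when a browser would withhold the cross-origin response from the page."""
    allow = response_headers.get("Access-Control-Allow-Origin")
    if allow is None:                       # the case reported in this thread
        return True
    if allow == "*":
        # Wildcard is rejected when the request carried credentials.
        return response_headers.get("Access-Control-Allow-Credentials") == "true"
    return allow != origin                  # must match the requesting origin exactly


def preflight_response(origin: str, req_method: str, req_headers: str) -> tuple:
    """Answer the OPTIONS preflight; returns (status, headers).

    Only POST to the token path from an allow-listed origin with the expected
    headers is permitted; anything else gets 403 and no CORS headers at all.
    """
    wanted = {h.strip().lower() for h in req_headers.split(",") if h.strip()}
    if origin not in ALLOWED_ORIGINS or req_method.upper() != "POST":
        return 403, {}
    if not wanted <= ALLOWED_HEADERS:
        return 403, {}
    return 204, {
        "Access-Control-Allow-Origin": origin,   # echo the pinned origin, never "*"
        "Vary": "Origin",                         # keep caches from mixing origins
        "Access-Control-Allow-Methods": "POST",
        "Access-Control-Allow-Headers": ", ".join(sorted(ALLOWED_HEADERS)),
        "Access-Control-Max-Age": "600",
    }


def token_response_headers(origin: str, upstream_headers: dict) -> dict:
    """Headers the proxy forwards for the real token POST, plus CORS if allowed."""
    headers = dict(upstream_headers)
    if origin in ALLOWED_ORIGINS:
        headers["Access-Control-Allow-Origin"] = origin
        headers["Vary"] = "Origin"
    return headers
```

A request sent in no-cors mode, as suggested above, yields an opaque response whose body the UI cannot read, so it could not obtain the token; the preflight answer is what the auth server in this thread is missing.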
Same issue here with CORS trying to authenticate with Identity Server 4. Be good to get a solution here. From a security perspective, we can't go through a proxy but it's good to test that this is the issue. EDIT: As a workaround, I got this working by putting the web app and identity server on the same custom domain, i.e. App-1.customDomain.com and identityserver.customDomain.com
Same problem here. And it's impossible to have the Swagger UI on the same domain as the authorization server...
@yllevanten I don't think it must be too high IQ level to notice why your suggestion is a bad idea
When I use Keycloak I have a similar CORS problem. It solved my problem.
Hi,
I am new to SpringBoot, Springfox and Swagger2 as well. I am trying to generate Swagger2 API documentation with the help of Springfox.
I have gone through the documentation 'http://springfox.github.io/springfox/docs/current/' and am able to generate API documentation.
But I am having an issue integrating with oauth2 authentication. I am trying to implement the oauth2 token to work with the try-out option of each controller. With the oauth/token (Client Credentials) implementation, I am able to successfully connect to my app login URL, but upon authentication the redirect URL is failing due to the following error.
The following exception is shown in the browser:
Access to fetch at 'https://myauthserver/authserver/oauth/token' from origin 'http://myapp' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.
The authentication server resides in a different domain. My app is running in a different domain on the same network.
Any idea what is causing the problem and how to add it to the allowed filter list in CORS so the redirect URL reaches the Swagger UI successfully?
Thank you