使用Custom-Allowed-Origin-Header-1的OneLogin的CORS问题

时间:2019-03-20 15:33:12

标签: cors onelogin

我们在进行API调用以生成OAuth令牌时遇到问题。我们的呼叫看起来像这样:

// Reusable variables
var oneloginURL = "https://api.us.onelogin.com";
var oneloginSessionURL = "https://rxsense.onelogin.com";

// Axios objects for AJAX calls, For onelogin calls only
var ONELOGIN_API = axios.create({baseURL: oneloginURL})
var ONELOGIN_SESSION_API = axios.create({baseURL: oneloginSessionURL})

const REQUIRED_CONFIG = {
    ONE_LOGIN: {
        LOGIN: {
            BASE: "https://api.us.onelogin.com",
            METHOD: "POST",
            ROUTE: "/api/1/login/auth"
        },
        TOKEN: {
            BASE: "https://api.us.onelogin.com",
            METHOD: "POST",
            ROUTE: "/auth/oauth2/v2/token"
        },
        SESSION_TOKEN: {
            BASE: "https://rxsense.onelogin.com",
            METHOD: "POST",
            ROUTE: "/session_via_api_token"
        }
    },
}

const services = {
    BASE_URL: baseURL,
    ACCESS: REQUIRED_CONFIG,
    sendRequestForOneLogin: function(service = ONELOGIN_API, method, route, params, config) {
        switch(method) {
            case 'GET': return service.get(route, params);
            case 'POST': return service.post(route, {params,config});
            case 'PUT': return service.put(route, params);
        }
    },
}

// Methods calling the services
generateOneLoginToken: function() {
    let params = {
        'grant_type': 'client_credentials',
    }
    let config = {
        auth: {
            username: "clientname",
            password: "clientsecret",
        },
        headers: {
            "Custom-Allowed-Origin-Header-1": "http://localhost:8080"
        }
    }
    return this.sendRequestForOneLogin(
        ONELOGIN_API,
        this.ACCESS.ONE_LOGIN.TOKEN.METHOD,
        this.ACCESS.ONE_LOGIN.TOKEN.ROUTE,
        params,
        config
    );
},
loginOneLogin: function() {
    let params = {
        'username_or_email': 'uname1',
        'password': 'pass@123',
        'subdomain': 'mydomain'
    }
    let config = {
        headers: {
            "Custom-Allowed-Origin-Header-1": "http://localhost:8080",
            "Authorization": 'bearer XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
        }
    }
    return this.sendRequestForOneLogin(
        ONELOGIN_API,
        this.ACCESS.ONE_LOGIN.LOGIN.METHOD,
        this.ACCESS.ONE_LOGIN.LOGIN.ROUTE,
        params,
        config
    );
},

正在显示的错误是:

“Access to XMLHttpRequest at 'https://api.us.onelogin.com/auth/oauth2/v2/token' from origin 'http://localhost:8080' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.”

使用本地主机作为URL是否存在问题?我知道有文档建议使用Custom-Allowed-Origin-Header-1标头来解决此问题,但我们仍然会看到它。如果我们不能使用localhost作为CORS URL的参数,是否可以使用进行呼叫的服务器的私有IP地址?

1 个答案:

答案 0 :(得分:0)

不应从客户端javascript完成获取访问令牌的请求,因为这意味着您已经将client_secret暴露给了互联网。

OneLogin仅支持CORS生成会话令牌。同样,您不应该从客户端javascript发出原始登录请求,但可以通过在此请求上设置“ Custom-Allowed-Origin-Header-1”标头来实现正确的想法。

然后,您将基于第一个请求返回的令牌发出请求以生成会话。实际上,这是一个客户端调用,该调用返回cookie以启用SSO。 https://developers.onelogin.com/api-docs/1/login-page/create-session-via-token

如果必须从客户端对用户进行身份验证,则不建议使用此方法。请使用OpenId Connect Implicit flowAuthorization Code flow + PKCE